4122 matches found

Malwarebytes · added 2019/04/22 3:47 p.m. · 25 views

A week in security (April 15 – 21)

Last week, Malwarebytes Labs revealed multiple giveaway online scam campaigns banking on the popularity and generosity of Ellen DeGeneres, weighed in on the hack that compromised legacy Microsoft email service accounts like Hotmail and MSN, explained what “like-farming” means and how to spot it o...

Exploits: 0
Kitploit · added 2019/04/21 1:11 p.m. · 106 views

Freddy - Automatically Identify Deserialisation Issues In Java And .NET Applications By Using Active And Passive Scans

A Burp Suite extension to aid in detecting and exploiting serialisation libraries/APIs. This useful extension was originally developed by Nick Bloor @nickstadb for NCC Group and is mainly based on the work of Alvaro Muñoz and Oleksandr Mirosh, Friday the 13th: JSON Attacks, which they presented a...

AI score: 8.2 · Exploits: 0 · References: 3
OSV · added 2019/04/18 2:27 p.m. · 29 views

GHSA-FVX3-G627-PHM2 Server-Side Request Forgery (SSRF) in com.ctrip.framework.apollo:apollo

An SSRF vulnerability was found in an API from Ctrip Apollo through 1.4.0-SNAPSHOT. An attacker may use it to do an intranet port scan or raise a GET request via /system-info/health because the %23 substring is mishandled...

CVSS: 10 · AI score: 9.4 · EPSS: 0.00363 · Exploits: 0 · References: 4
Github Security Blog · added 2019/04/18 2:27 p.m. · 28 views

Server-Side Request Forgery (SSRF) in com.ctrip.framework.apollo:apollo

An SSRF vulnerability was found in an API from Ctrip Apollo through 1.4.0-SNAPSHOT. An attacker may use it to do an intranet port scan or raise a GET request via /system-info/health because the %23 substring is mishandled...

CVSS: 10 · AI score: 8.8 · EPSS: 0.00363 · Exploits: 0 · References: 3 · Affected software: 1
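The two Apollo entries above (GHSA-FVX3-G627-PHM2) say only that a `%23` substring reaching the health API is mishandled. The Java example below is added here to show the general mechanism behind that class of bug and is not Apollo's own code: it assumes an endpoint that accepts a user-supplied base URL parameter and appends a fixed path before fetching it (the `HEALTH_PATH` constant, the `hostParam` name and the allow-list are this example's assumptions, not the project's), and puts the decode-and-concatenate pattern next to a parse, validate and rebuild version. It needs Java 11 or newer.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

// Example code written for this page; it is not Apollo's implementation.
// Assumed: a health endpoint takes a user-supplied base URL and appends a
// fixed path (HEALTH_PATH is hypothetical) before issuing a GET to it.
public class HealthUrlCheck {

    static final String HEALTH_PATH = "/health";

    // Vulnerable pattern: decode, then concatenate. A trailing "%23" decodes
    // to '#', which the URL parser treats as the fragment delimiter, so the
    // path the server appended is discarded and the request goes to whatever
    // host:port the caller chose (an intranet port scan, one port per call).
    static String vulnerableBuild(String hostParam) {
        String decoded = URLDecoder.decode(hostParam, StandardCharsets.UTF_8);
        return decoded + HEALTH_PATH;
    }

    // Hardened pattern: parse first, accept only a bare http(s) origin, check
    // the host against an allow-list, then rebuild the URL from the parsed
    // components so no caller-supplied delimiter survives into the request.
    static String hardenedBuild(String hostParam, Set<String> allowedHosts) {
        String decoded = URLDecoder.decode(hostParam, StandardCharsets.UTF_8);
        URI u;
        try {
            u = new URI(decoded);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL", e);
        }
        String scheme = u.getScheme() == null ? "" : u.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        }
        boolean bareOrigin = u.getRawUserInfo() == null && u.getRawQuery() == null
                && u.getRawFragment() == null
                && (u.getRawPath() == null || u.getRawPath().isEmpty() || u.getRawPath().equals("/"));
        if (!bareOrigin) {
            throw new IllegalArgumentException("only a bare origin is accepted");
        }
        String host = u.getHost();
        if (host == null || !allowedHosts.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("host not allow-listed: " + host);
        }
        try {
            return new URI(scheme, null, host, u.getPort(), HEALTH_PATH, null, null).toString();
        } catch (URISyntaxException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker input: an internal host and port, ended with %23.
        String evil = "http://10.0.0.5:22%23";

        String built = vulnerableBuild(evil);
        URI parsed = new URI(built);
        System.out.println("vulnerable: " + built);
        System.out.println("  connects to " + parsed.getHost() + ":" + parsed.getPort()
                + ", path='" + parsed.getPath() + "', fragment='" + parsed.getFragment() + "'");

        // Hypothetical allow-list of the hosts this service may legitimately probe.
        Set<String> allowed = Set.of("config.internal.example");
        System.out.println("hardened: " + hardenedBuild("http://config.internal.example:8080", allowed));
        try {
            hardenedBuild(evil, allowed);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened rejected attacker input: " + e.getMessage());
        }
    }
}
```

Running `main` prints the vulnerable URL as `http://10.0.0.5:22#/health`, parsed with host `10.0.0.5`, port `22`, an empty path and `/health` as the fragment, which is exactly what an HTTP client will never send. The hardened builder rejects the same input twice over: the decoded `#` leaves a (empty) fragment, and `10.0.0.5` is not on the allow-list. Checking `getRawFragment()` rather than `getFragment()` matters because an empty fragment is still present as `""`, not `null`.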
Fedora · added 2019/04/17 4:05 p.m. · 11 views

[SECURITY] Fedora 30 Update: simple-scan-3.32.2-2.fc30

Simple Scan is an easy-to-use application, designed to let users connect their scanner and quickly have the image/document in an appropriate format...

AI score: 3 · Exploits: 0
CNVD · added 2019/04/15 12:00 a.m. · 3 views

CloudBees Jenkins Netsparker Cloud Scan Plugin Cross-Site Request Forgery Vulnerability

CloudBees Jenkins (Hudson Labs) is a set of Java-based continuous integration tools from the US company CloudBees. The product is mainly used to monitor continuous software release/testing projects and some scheduled tasks. Netsparker Cloud Scan Plugin is used in one of...

CVSS: 6.5 · AI score: 6.8 · EPSS: 0.00117 · Exploits: 0 · References: 1
OSV · added 2019/04/09 9:29 p.m. · 1 view

CVE-2018-1356

A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiSandbox before 3.0 may allow an attacker to execute unauthorized code or commands via the backurl parameter in the file scan component...

CVSS: 6.1 · AI score: 5.9 · Exploits: 0 · References: 2
Prion · added 2019/04/09 9:29 p.m. · 14 views

Cross site scripting

A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiSandbox before 3.0 may allow an attacker to execute unauthorized code or commands via the backurl parameter in the file scan component...

CVSS: 4.3 · AI score: 6.4 · EPSS: 0.00233 · Exploits: 0 · References: 2 · Affected software: 1
NVD · added 2019/04/09 9:29 p.m. · 20 views

CVE-2018-1356

A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiSandbox before 3.0 may allow an attacker to execute unauthorized code or commands via the backurl parameter in the file scan component...

CVSS: 6.1 · AI score: 6.3 · EPSS: 0.00233 · Exploits: 0 · References: 2
Kitploit · added 2019/04/09 1:26 p.m. · 312 views

DefectDojo v1.5.4 - Application Vulnerability Correlation And Security Orchestration Application

DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one...

AI score: 7.5 · Exploits: 0 · References: 5
Trend Micro Simply Security · added 2019/04/09 12:00 p.m. · 63 views

Hit the Easy Button for Your Organization’s Gmail Security

Fifteen years ago, Gmail was launched by Google. The web-based service now has 1.5 billion users a month. In addition to being an extremely popular personal email service, Gmail is also a key component of G Suite for organizations. One of the many reasons for Gmail’s popularity is its security...

AI score: 7 · Exploits: 0
OSV · added 2019/04/08 11:29 p.m. · 1 view

DEBIAN-CVE-2019-11026

FontInfoScanner::scanFonts in FontInfo.cc in Poppler 0.75.0 has infinite recursion, leading to a call to the error function in Error.cc...

CVSS: 6.5 · AI score: 7.9 · EPSS: 0.00514 · Exploits: 1 · References: 1
OSV · added 2019/04/08 8:29 p.m. · 0 views

UBUNTU-CVE-2019-1798

A vulnerability in the Portable Executable (PE) file scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to a lack of proper input a...

CVSS: 7.5 · AI score: 7.2 · EPSS: 0.01577 · Exploits: 1 · References: 3
Positive Technologies · added 2019/04/08 12:00 a.m. · 2 views

PT-2019-12146 · Poppler · Poppler

Name of the Vulnerable Software and Affected Versions: Poppler version 0.75.0
Description: The issue is related to infinite recursion in the FontInfoScanner::scanFonts function in FontInfo.cc, which leads to a call to the error function in Error.cc.
Recommendations: For Poppler version 0.75.0, at...

CVSS: 6.5 · AI score: 5.1 · EPSS: 0.00514 · Exploits: 1 · References: 11
OSV · added 2019/04/05 11:29 p.m. · 2 views

CVE-2019-9489

A directory traversal vulnerability in Trend Micro Apex One, OfficeScan versions XG and 11.0, and Worry-Free Business Security versions 10.0, 9.5 and 9.0 could allow an attacker to modify arbitrary files on the affected product's management console...

CVSS: 7.5 · AI score: 7.2 · Exploits: 0 · References: 2
NVD · added 2019/04/04 4:29 p.m. · 11 views

CVE-2019-10291

Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system...

CVSS: 8.8 · AI score: 8.6 · EPSS: 0.00075 · Exploits: 0 · References: 3
OSV · added 2019/04/04 4:29 p.m. · 16 views

CVE-2019-10290

A missing permission check in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers with Overall/Read permission to initiate a connection to an attacker-specified server...

CVSS: 6.5 · AI score: 6.5 · Exploits: 0 · References: 3
NVD · added 2019/04/04 4:29 p.m. · 13 views

CVE-2019-10290

A missing permission check in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers with Overall/Read permission to initiate a connection to an attacker-specified server...

CVSS: 6.5 · AI score: 6.3 · EPSS: 0.00069 · Exploits: 0 · References: 3
NVD · added 2019/04/04 4:29 p.m. · 10 views

CVE-2019-10289

A cross-site request forgery vulnerability in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers to initiate a connection to an attacker-specified server...

CVSS: 6.5 · AI score: 6.4 · EPSS: 0.00117 · Exploits: 0 · References: 3
OSV · added 2019/04/04 4:29 p.m. · 14 views

CVE-2019-10289

A cross-site request forgery vulnerability in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers to initiate a connection to an attacker-specified server...

CVSS: 6.5 · AI score: 6.6 · Exploits: 0 · References: 3
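The Jenkins Netsparker Cloud Scan Plugin entries above (the CNVD CSRF entry, CVE-2019-10289, CVE-2019-10290 and CVE-2019-10291) describe two defects that recur across Jenkins plugins: a form-validation method that opens an outbound connection without requiring POST or checking a permission, so any Overall/Read user (or a CSRF victim) can point the master at an attacker's server, and a credential stored as a plain string in the global configuration file. The Java example below is added here and is not the plugin's source; the class and method names (`ExampleScanBuilder`, `doValidateApiInsecure`, `doValidateApi`, `tryConnect`) are hypothetical, `tryConnect` stands in for the real connection test, and it assumes Jenkins core 2.98 or newer for `Jenkins.get()`.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.verb.POST;

// Example code written for this page; it is not the Netsparker Cloud Scan
// Plugin's source. Class and method names are hypothetical.
public class ExampleScanBuilder extends Builder {

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // CVE-2019-10291 pattern: a plain String field here is written to the
        // global config XML in cleartext, readable by anyone with file-system
        // access to the master. Secret is persisted encrypted with the
        // instance's key and only decrypted in memory when actually needed.
        private Secret apiToken;

        public DescriptorImpl() {
            load(); // restore the persisted global configuration
        }

        // Vulnerable form-validation method (CVE-2019-10289 / CVE-2019-10290
        // pattern): reachable by GET, so no crumb is required, and with no
        // permission check, so any user with Overall/Read can make the master
        // connect to an attacker-specified serverUrl.
        public FormValidation doValidateApiInsecure(@QueryParameter String serverUrl,
                                                    @QueryParameter String apiToken) {
            return tryConnect(serverUrl, Secret.fromString(apiToken));
        }

        // Hardened version: @POST makes Stapler reject GET and enforce the CSRF
        // crumb, and the explicit check restricts the side effect to
        // administrators, who are the only users allowed to change this
        // global setting in the first place.
        @POST
        public FormValidation doValidateApi(@QueryParameter String serverUrl,
                                            @QueryParameter String apiToken) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return tryConnect(serverUrl, Secret.fromString(apiToken));
        }

        @Override
        public boolean configure(StaplerRequest req, JSONObject json) throws FormException {
            // Secret.fromString encrypts the submitted value before save() writes it.
            this.apiToken = Secret.fromString(json.getString("apiToken"));
            save();
            return true;
        }

        public Secret getApiToken() {
            return apiToken;
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example scan";
        }

        // Stand-in for the outbound connection test. The real call would go
        // here; the point of the example is that it is only reachable after
        // the POST requirement and the permission check above.
        private static FormValidation tryConnect(String serverUrl, Secret token) {
            if (serverUrl == null || !serverUrl.startsWith("https://")) {
                return FormValidation.error("Server URL must use https");
            }
            if (Secret.toString(token).isEmpty()) {
                return FormValidation.error("API token is required");
            }
            return FormValidation.ok("Ready to connect to " + serverUrl);
        }
    }
}
```

A quick check that a plugin has this right: with the plugin installed, request `/descriptorByName/<descriptor class>/validateApi?serverUrl=https://attacker.example` as an unprivileged logged-in user with a plain GET. A hardened method answers 405 (POST required); a vulnerable one answers 200 and the attacker's server sees the connection. Credentials, likewise, should appear only as encrypted `Secret` values in the descriptor's XML under `$JENKINS_HOME`, never as the literal token.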