Lucene search
K
SonarsourceMost viewed

38 matches found

SonarSource Blog
SonarSource Blog
added 2021/09/21 12:0 a.m.438 views

Cachet 2.4: Code Execution via Laravel Configuration Injection

Status pages are now an essential service offered by all Software-as-a-Service companies we do it too!. To help their adoption, startups quickly conceived status pages as-a-service, and open-source self-hosted alternatives were made available. Cachet, also sometimes referred to as CachetHQ, is a...

7.5CVSS0.8AI score0.81848EPSS
Exploits7
SonarSource Blog
SonarSource Blog
added 2021/06/15 12:0 a.m.233 views

7 more reasons to upgrade to SonarQube 8.9 LTS

SonarQube v8.9 LTS was just released and we hope you’ve already seen our announcement and are working on your upgrade! A new SonarQube LTS represents a huge amount of work. Since the release of the previous SonarQube LTS v7.9, in November 2019, there have been over 5200 development tickets merged...

7.5AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2021/08/17 12:0 a.m.202 views

elFinder - A Case Study of Web File Manager Vulnerabilities

An application’s interaction with the file system is always highly security sensitive, since minor functional bugs can easily be the source of exploitable vulnerabilities. This observation is especially true in the case of web file managers, whose role is to replicate the features of a complete...

7.5CVSS9.8AI score0.69934EPSS
Exploits6
SonarSource Blog
SonarSource Blog
added 2022/02/16 12:0 a.m.155 views

Zabbix - A Case Study of Unsafe Session Storage

Introduction Zabbix is a very popular open-source monitoring platform used to collect, centralize and track metrics like CPU load and network traffic across entire infrastructures. It is very similar to solutions like Pandora FMS and Nagios. Because of its popularity, features and its privileged...

6.5CVSS0.2AI score0.95683EPSS
Exploits11
SonarSource Blog
SonarSource Blog
added 2021/07/27 12:0 a.m.141 views

Zimbra 8.8.15 - Webmail Compromise via Email

Zimbra is a popular webmail solution for global enterprises. According to Zimbra, it is used by over 200,000 businesses and over a thousand government & financial institutions to exchange emails between millions of users every day. When attackers get access to an employees email account, it often...

7.5CVSS0.1AI score0.0297EPSS
Exploits2
SonarSource Blog
SonarSource Blog
added 2022/01/11 12:0 a.m.116 views

WordPress 5.8.2 Stored XSS Vulnerability

WordPress is the world’s most popular content management system that, according to w3techs, is used by over 40% of all websites. This wide adoption makes it a top target for cyber criminals who seek to compromise high-traffic websites or infect as many web servers as possible. Its code is heavily...

3.5CVSS7.4AI score0.63418EPSS
Exploits0
SonarSource Blog
SonarSource Blog
added 2021/06/01 12:0 a.m.95 views

Grav CMS 1.7.10 - Code Execution Vulnerabilities

In the lineage of most recent flat-file PHP CMS, Grav CMS is a modern web platform to build fast, safe and extensible websites. It uses a modern technology stack with Twig, Symfony and Doctrine, and offers an administration dashboard that allows managing the whole website structure, pages, static...

6.5CVSS8.1AI score0.30623EPSS
Exploits5
SonarSource Blog
SonarSource Blog
added 2021/11/16 12:0 a.m.84 views

10 Unknown Security Pitfalls for Python

Python developers trust their applications to have a solid security state due to the use of standard libraries and common frameworks. However, within Python, just like in any other programming language, there are certain features that can be misleading or misused by developers. Often it is only a...

5CVSS9.9AI score0.35963EPSS
Exploits12
SonarSource Blog
SonarSource Blog
added 2022/02/22 12:0 a.m.81 views

Horde Webmail 5.2.22 - Account Takeover via Email

Horde Webmail is a free, enterprise-ready, and browser-based communication suite developed by the Horde project. It is a popular webmail solution for universities and government agencies to exchange sensitive email messages on a daily basis. It is also shipped as part of the popular hosting...

6.9AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2022/02/08 12:0 a.m.70 views

WordPress < 5.8.3 - Object Injection Vulnerability

At the time of writing, WordPress powers 43% of websites on the Internet. Its simplicity and robustness enable millions of users to host their blog, eCommerce site, forum, or static website. To protect its users, several security hardening mechanisms were introduced to the code base in the past. ...

6.5CVSS1AI score0.03695EPSS
Exploits1
SonarSource Blog
SonarSource Blog
added 2022/01/06 12:0 a.m.66 views

Vulnerability Research Highlights 2021

At SonarSource we are constantly improving our code analyzers to help developers write Clean Code. The detection of severe code vulnerabilities plays an important role in this process so that applications are protected from attacks and security breaches. For this same reason, our research team...

2.1CVSS6.7AI score0.02018EPSS
Exploits5
SonarSource Blog
SonarSource Blog
added 2021/10/27 12:0 a.m.50 views

Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD

GoCD, written in Java, is a popular CI/CD solution with a large range of users from NGOs to Fortune 500 companies with billions of dollars in revenue. Naturally, this makes it a critical piece of infrastructure and an extremely attractive target for attackers. In order to automate build and relea...

0.28039EPSS
Exploits2
SonarSource Blog
SonarSource Blog
added 2021/09/28 12:0 a.m.50 views

Supercharge your C++ analysis with SonarLint for CLion

Earlier this year we launched the support for C and C++ in SonarLint for CLion to address quality and security issues for your C/C++ projects. Since then, the team has continued to bring even greater value to the C and C++ users, continuing our mission to empower the community to deliver code tha...

Exploits0
SonarSource Blog
SonarSource Blog
added 2021/06/22 12:0 a.m.43 views

CiviCRM 5.22.0 - Code Execution Vulnerability Chain Explained

During our vulnerability research on the largest CMS systems we came across CiviCRM last year. It’s an open source CRM plugin for the most popular CMS systems like Wordpress, Joomla, Drupal, and Backdrop. CiviCRM is specifically designed for the needs of non-profit, non-governmental, and advocacy...

6.5CVSS0.7AI score0.01478EPSS
Exploits2
SonarSource Blog
SonarSource Blog
added 2022/01/18 12:0 a.m.42 views

Don't be afraid of XXE vulnerabilities: understand the beast and how to detect them

Today XML External Entities XXE vulnerabilities are still ubiquitous, despite the fact that recommendations to protect against them have been an integral part of security standards for years. In this post, the first in a series of three blog posts, we will try to demystify XXE vulnerabilities and...

5CVSS7.4AI score0.85719EPSS
Exploits20
SonarSource Blog
SonarSource Blog
added 2021/08/31 12:0 a.m.38 views

Ghost CMS 4.3.2 - Cross-Origin Admin Takeover

Ghost is one of the most popular Node.js-based Content Management Systems CMS. According to the vendor, there are currently more than 2.5 million installs of it and the project has more than 38k stars on GitHub. During our research on open-source applications, we analyzed the code and found a...

4.3CVSS6.9AI score0.07935EPSS
Exploits1
SonarSource Blog
SonarSource Blog
added 2021/11/02 12:0 a.m.36 views

SmartStoreNET - Malicious Message leading to E-Commerce Takeover

SmartStoreNET is the leading open-source e-commerce platform for .NET, which makes it suitable for companies running Windows Server. Next to the operation of an online business, it offers advanced features, such as CRM tools, a blog and a forum. As a result, a SmartStoreNET instance handles highl...

7.5CVSS10.2AI score0.33442EPSS
Exploits2
SonarSource Blog
SonarSource Blog
added 2021/11/30 12:0 a.m.35 views

NodeBB 1.18.4 - Remote Code Execution With One Shot

Message forums are used by many companies and open source projects to exchange with their users. NodeBB is the leading JavaScript-based forum solution, having over 12k stars on GitHub. Several popular companies are using NodeBB to establish a community around their flagship products. During recen...

5CVSS7.5AI score0.25843EPSS
Exploits3
SonarSource Blog
SonarSource Blog
added 2021/10/19 12:0 a.m.34 views

Squirrel Sandbox Escape allows Code Execution in Games and Cloud Services

SquirrelLang is an interpreted, open-source programming language that is used by video games and cloud services for customization and plugin development. For example, the extremely popular game Counter-Strike: Global Offensive CS:GO attracts millions of players on a monthly basis and utilizes the...

0.2AI score0.02177EPSS
Exploits1
SonarSource Blog
SonarSource Blog
added 2021/07/21 12:0 a.m.31 views

Clean As You Code essentials - What are Quality Profiles and Quality Gates?

In this blog, well focus on rules, Quality Profiles and Quality Gates. These elements are the building blocks of an effective Clean As You Code strategy. After reading this article, you’ll have a better understanding of what they are and how they’re used in the pursuit of clean, quality code for...

7.3AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2021/08/10 12:0 a.m.27 views

Use 3rd-party plugins at your own risk

SonarQube has always had a rich plugin Marketplace, with much of SonarQubes functionality originally delivered as plugins and many additional needs being met by community-maintained plugins. But since October 2019, all SonarSource-provided functionality is bundled with SonarQube. That means any...

7.2AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2022/02/24 12:0 a.m.26 views

Review your security vulnerabilities in GitHub with code scanning alerts

Today, for GitHub repositories, our SAST analysis provides fast, precise security feedback directly inside your pull requests. You instantly know how many vulnerabilities are detected and, until now, you would systematically go to SonarCloud to start investigating. Not anymore. From this point...

7.6AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2021/07/13 12:0 a.m.26 views

Etherpad 1.8.13 - Code Execution Vulnerabilities

Etherpad is one of the most popular online text editors that allows collaborating on documents in real-time. It is customizable with more than 250 plugins available and features a version history as well as a chat functionality. There are thousands of instances deployed worldwide with millions of...

6.5CVSS0.4AI score0.02229EPSS
Exploits2
SonarSource Blog
SonarSource Blog
added 2022/02/01 12:0 a.m.25 views

How to restrict XXE resolving?

In my last post, we saw how to configure XML parsers to globally disable XXE declarations and expansions. It was an easy but strict solution that might be difficult to implement in your project. So today, I’ll talk about how to restrict XXE precisely. Again, our code examples will be mainly in Ja...

0.4AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2021/08/24 12:0 a.m.25 views

Compilation database: An alternative way to configure your C or C++ analysis

Analyzing C or C++ code requires - in addition to the source code - the configuration that is used to build the code. At SonarSource, we have provided a tool to automate the extraction of this information, the build wrapper. This tool has been used successfully with many projects, yet there are...

6.7AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2021/08/03 12:0 a.m.25 views

Launching ‘Secret Detection’ to keep your Cloud ‘Secrets’ safe

Most digital applications we work on require some type of credentials –– to connect to a database with a username/password, to access computer programs via authorized tokens, or API keys to invoke services for authentication. Credentials a.k.a ‘Secrets’ are pieces of user or system level...

7.2AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2021/08/10 12:0 a.m.21 views

Use 3rd-party plugins at your own risk

SonarQube has always had a rich plugin Marketplace, with much of SonarQubes functionality originally delivered as plugins and many additional needs being met by community-maintained plugins. But since October 2019, all SonarSource-provided functionality is bundled with SonarQube. That means any...

7.2AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2022/01/25 12:0 a.m.19 views

How to disable XXE processing?

In my last post I talked about XXE vulnerabilities found on popular open-source projects and more generally how to assess this type of issue. Today, I’ll talk about the different strategies to disable XXE processing. External XXE and internal entities are useful for building concise XML documents...

0.2AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2021/12/07 12:0 a.m.19 views

Modernizing your code with C++20

​C++20 is here! In fact, as we head towards 2022, it’s been here a while. It may surprise some, but we’re only a few months from a freeze on new proposals for C++23! But let’s not get ahead of ourselves. C++20 is a big release - at least the biggest since C++11 - some have said it's the biggest...

7.1AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2021/12/14 12:0 a.m.17 views

‘Quick Fix’ your C++ issues with SonarLint

​When the team decided to implement quick fixes for C++, we committed to bringing value to the C++ user by providing more than what they had today. It appears we found multiple ways to do that. First, by providing an enhanced version of the checks natively available through the IDE and other...

0.4AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2022/03/01 12:0 a.m.16 views

5 things to consider in performance comparisons

Most people can probably relate to asking a child to handle a chore, only to have the kid come back way too soon, saying it's done. Or maybe you can relate to being that child. Either way, you know what comes next: checking shows the job was handled poorly, and it all goes downhill from there. It...

7.5AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2021/10/21 12:0 a.m.14 views

Meet the new project experience for SonarCloud

We are very pleased to announce that we have released a new project experience. It’s now available in SonarCloud for all users. You’ll notice a few improvements the next time you open SonarCloud. We’re going to tell you more about what this makeover is about in this article. You may be wondering...

7.4AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2021/11/29 12:0 a.m.12 views

Code Security Advent Calendar 2021

We are happy to announce our sixth consecutive Code Security Advent Calendar! Born at RIPS in 2016, each calendar comprises 24 little code puzzles containing hidden security vulnerabilities that wait to be spotted. This is our way to share good vibes with the community while learning and having f...

8AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2021/07/06 12:0 a.m.12 views

Know where your project stands with the new project overview!

In late April, I introduced the new project experience for SonarCloud, which has already been adopted by a lot of you. Today, we’re adding a brand new project overview page! We can’t wait for you to try it! Let’s discover what’s inside in this blog. Your project status & activity all in one place...

7.2AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2021/06/08 12:0 a.m.12 views

Broken pipelines for everyone!

With SonarQube 8.9 LTS, SonarSource has made failing the pipeline available for everyone, using any CI you want. For people watching for a long time, this might seem like a contradiction. Let me explain. Yes, we have gone back and forth for a while on this feature, but the user community has...

7.2AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2021/06/28 12:0 a.m.11 views

Enterprise-ready: Authentication & Authorization with SonarQube (LDAP, SSO & more)

Enterprise-ready is a series of posts focused on Enterprise expectations. You’ll discover features built on top of our developer-first foundations, that enable usage of our products at scale, and allow for company-wide adoption of Code Quality & Code Security best-practices In this first post of...

7.1AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2021/09/23 12:0 a.m.10 views

Modernize Code Quality with ‘Quick Fixes’

Delivering functional code that is reliable, safe, and on schedule is a high priority for most development teams. And you’ll agree that the earlier in your workflow you address quality and security issues, the better and cheaper!. Today, I’d like to give you a quick tour of how you can maximize...

7.4AI score
Exploits0
SonarSource Blog
SonarSource Blog
added 2021/09/14 12:0 a.m.8 views

Product portals open: we want your input

SonarSource was born from open source software and most of what we do remains FLOSS, so openness and transparency have always been fundamental principles. With a recent change in how we approach product management, we've gone even further. We've recently opened up product portals on Productboard...

Exploits0