Get up-to-the-minute zero-day exposure information on your assets and respond three times faster to validated exploits.
The information on this page is the same information our customers receive in real-time when there is a new CVE impacting their assets.
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
References:
Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don’t explicitly check user’s permissions because they rely on the configuration of their endpoints).
References:
The PayPlus Payment Gateway WordPress plugin before 6.6.9 does not properly sanitise and escape a parameter before using it in a SQL statement via a WooCommerce API route available to unauthenticated users, leading to an SQL injection vulnerability.
References:
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions.
References:
ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
References:
CVE-2024-6387, also known as regreSSHion, is an unauthenticated remote code execution vulnerability in OpenSSH’s server that grants full root access. It affects the default configuration and does not require user interaction. It poses a significant exploit risk. A crude public exploit does exist for 32-bit systems, but not 64-bit systems.
This vulnerability is a regression of the previously patched vulnerability CVE-2006-5051, reported and fixed in 2006. Due to this uncommon vector of a code regression (re)creating a vulnerability, the versions of OpenSSH sshd are affected is strange: Versions earlier than 4.4p1 are vulnerable unless they have already been patched for CVE-2006-5051 and CVE-2008-4109. Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable. Versions from 8.5p1 up to, but not including, 9.8p1 vulnerable.
To resolve the issue, upgrade to the latest version of OpenSSH.
References:
Adobe Commerce (MAGENTO) versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
References:
SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.
References:
CVE-2024-4577 critical remote code execution vulnerability in the PHP programming language could potentially allow unauthenticated attackers to take full control of affected PHP servers.
The vulnerability arises from an oversight in the Best-Fit feature of encoding conversion within the Windows operating system during PHP implementation. This oversight allows attackers to bypass protections for a previous vulnerability, CVE-2012-1823, using specific character sequences. Consequently, arbitrary code can be executed on remote PHP servers via an argument injection attack, enabling unauthorized access and control.
References:
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.
References:
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and ‘sid’ parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References:
Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1.
References:
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘run’ function of the ‘IG_ES_Subscribers_Query’ class in all versions up to, and including, 5.7.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References:
CISA has added CVE-2023-7028 vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2023-7028 GitLab Community and Enterprise Editions Improper Access Control Vulnerability
References:
This vulnerability in the Automatic Plugin for WordPress, allows a SQL injection (SQLi) flaw and poses a severe threat as attackers can exploit it to gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites.
This vulnerability is being used to perform unauthorized database queries and create new admin accounts on susceptible WordPress sites
It impacts all versions of the plugin prior to 3.92.0. The issue has been resolved in version 3.92.1 released on February 27, 2024, although the release notes make no mention of it.
A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.
This vulnerability is due to incomplete error checking when parsing an HTTP header. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted web server on a device. A successful exploit could allow the attacker to cause a DoS condition when the device reloads.
To determine whether a device that is running Cisco ASA Software or FTD Software is affected, use the “show asp table socket | include SSL” command and look for an SSL listen socket on any TCP port.
Customers with a Cisco Service Contract can download security fixes.
References:
A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins and that has been available in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability.
This vulnerability is due to improper validation of a file when it is read from system flash memory. An attacker could exploit this vulnerability by copying a crafted file to the disk0: file system of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the affected device after the next reload of the device, which could alter system behavior and persist across reboots.
Customers can detect if they are vulnerable using Cisco’s software checker. Customers with a Cisco Service Contract can download security fixes.
References:
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
Public exploits for this vulnerability were published and are used by hackers.
References:
An OS Command Injection vulnerability in PAN GlobalProtect is being exploited in the wild. IONIX is now running a full exploit simulation for this vulnerability to better detect vulnerability devices.
PAN versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 impacted. loud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.
PAN is in the process of releasing hotfixes to update the affected versions. At this time not all versions have a hotfix available. You should check with PAN to see if a hotfix is available.
Additionally, PAN customers with a Threat Prevention subscription can protect themselves enabling Threat ID 95187.
In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation.
References:
The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Exploits are available online and attempts to exploit the vulnerability were detected.
.NET Remoting allows invocation of methods across so-called remoting boundaries. Supported transports between the client and server include HTTP and TCP. .NET Remoting was already considered a legacy technology in 2009, but it is still in use due to the wide usage of ASP. NET (e.g., IIS, Sharepoint and others) and backward compatibility.
Leakage of ObjRef instances allows hackers to remotely manipulate the server, and in some cases to remotely run code on the server.
IONIX Exploit Simulation successfully simulated the leakage via a POST request to the “/RemoteApplicationMetadata.rem?wsdl” endpoint, but did not use the leaked ObjRefs to manipulate the server.
To remediate, update the ASP.NET application and verify that it does not leak ObjRef objects that could be used for attacking the server.
ColdFusion versions 2023.6, 2021.12, and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read.
An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to sensitive files and perform arbitrary file system write. Exploitation of this issue does not require user interaction.
Automatic, a WordPress plugin, in versions <= 3.92.0 is vulnerable to Unauthenticated Arbitrary File Download and Server-Side Request Forgery attacks. The security issue is easy to exploit and it is reported to be exploited in the wild.
Critical authentication bypass vulnerability in JetBrains TeamCity before 2023.11.4 allows to perform admin actions.
CISA recognized this vulnerability as exploited.
According to Fortinet, the Fortinet FortiOS vulnerability (affecting also Fortinet VPN) CVE-2024-21762 allows attackers to execute unauthorized code or commands via specifically crafted requests and is potentially exploited in the wild.
CISA marked the vulnerability as exploited.
While a full exploit simulation is not available, the IONIX research team used a deeper version analysis to distinguish between patched versions and older, vulnerable ones.
The analysis leverages a change that was done in the patched version that blocks “chunk-encoded” malformed requests. Our testing tool sends multiple test requests to see that the assets are live and then sends a badly formed “chunk-encoded” probe that is expected to time out only on vulnerable versions.
The Ultimate Member plugin for WordPress is vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query.
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
According to CISA and other reports, an old vulnerability in Cisco ASA and FTD, CVE-2020-3259, is being exploited by the Akira Ransomware group (and others). This vulnerability involves an unauthenticated memory disclosure issue.
IONIX research team has conducted a scan for CVE-2020-3580, another Cisco ASA/FTD vulnerability. With high probability, assets that are vulnerable to CVE-2020-3580 are also vulnerable to CVE-2020-3259.
While the IONIX research team tests the feasibility of simulating a CVE-2020-3259 exploit non-intrusively, we recommend:
1. Use the IONIX platform to test whether you are vulnerable to spot assets that are vulnerable to CVE-2020-3580 (Action Items).
2. Review all the Cisco ASA assets. Notice that assets might be vulnerable to CVE-2020-3259 without being vulnerable to CVE-2020-3580.
3. For relevant assets, follow the guide by Cisco.
4. Keep an eye on security bulletins and updates from IONIX and Cisco
An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x; previously known as PulseSecure), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.
CISA recognized this vulnerability as exploited.
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x; previously known as PulseSecure) and Ivanti Policy Secure (9.x, 22.x), and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
The vulnerability was recognized by CISA as exploitable.
The ‘HTML5 Video Player’ WordPress Plugin, version < 2.5.25 is affected by an unauthenticated SQL injection vulnerability in the 'id' parameter in the 'get_view' function.
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an ‘@’ character followed by a file path in an argument with the file’s contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
This leads to information leakage and potentially to remote code execution on the server.
Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
References:
A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action.
CISA recognized this vulnerability as exploited.
An issue has been discovered in GitLab CE/EE, in which user account password reset emails could be delivered to an unverified email address resulting in Account Takeover via Password Reset without user interactions.
It is strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler.
The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Discover the full extent of your online exposure so you can protect it.
