This week saw the publication of 360 new CVE IDs. Of those, 74 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 30% were of critical severity, 37% were high, 32% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• HyperSQL, a hugely popular relational database utilized by many massive Java projects was found to be affected by a remote code execution vulnerability.
• VMWare has released a rare out-of-band patch for its VMWare NSX product which is considered end-of-life to fix an unauthenticated remote code execution vulnerability.
• The French e-commerce and content management system Melis was found to be affected by a remote code execution vulnerability stemming from improper deserialization.
• The adversary emulation tool Cobalt Strike was found to be vulnerable to remote code execution after researchers at IBM found a bypass for a previously patched XSS vulnerability.

This week saw the publication of 540 new CVE IDs. Of those, 134 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 14% were of critical severity, 39% were high, 44% were medium, and 3% were low. Listed below are the vulnerabilities that caught our attention:

• A zero-day vulnerability affecting Windows ability to detect files which have the “mark of the web” was discovered by threat analysts researching malware which was appearing “in the wild”.
• A vulnerability affecting Apache Commons Text dubbed “Text4Shell” was disclosed this week. Researchers do not believe the impact to be close to the same magnitude as “Log4Shell”.
• Oracle Web Applications Desktop Integrator is affected by an unauthenticated remote code execution vulnerability which could allow for an attacker to completely compromise the integrator.
• A little known reporting application Anji-Plus AJ Report was found to have an authentication bypass vulnerability stemming from a common development mistake, a hardcoded JWT key.

This week saw the publication of 632 new CVE IDs. Of those, 134 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 14% were of critical severity, 48% were high, 36% were medium, and 2% were low. Listed below are the vulnerabilities that caught our attention:

• Microsoft’s October 11th Patch Tuesday addresses 85 vulnerabilities including multiple escalation of privilege, remote code execution, security bypass, information disclosure, denial of service, and impersonation vulnerabilities. The “ProxyNotShell” vulnerabilities we wrote about last week were not addressed.
• A remote code execution vulnerability in the Community and Enterprise editions of GitLab could allow attackers with a valid API key to completely takeover standalone deployments of the software. This is the second significant GitLab RCE this quarter.
• Continuing the trend, multiple Python Package Index packages have been found to have had remote code execution backdoors inserted by an unknown third-party.
• Aruba EdgeConnect Enterprise Orchestrator had multiple vulnerabilities published which include authentication bypass and unauthenticated remote code execution vulnerabilities.

This week saw the publication of 237 new CVE IDs. Of those, 94 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 22% were of critical severity, 38% were high, 36% were medium, and 4% were low. Listed below are the vulnerabilities that caught our attention:

• A zero-day reincarnation of 2021’s ProxyShell Microsoft Exchange vulnerabilities dubbed “ProxyNotShell” which could allow authenticated attackers to execute arbitrary code on effected Exchange products has been published. Initial mitigations were found to be ineffective, and Microsoft is urging administrators to take further remedial action.
• An authentication bypass vulnerability affecting multiple Fortinet products was disclosed this week. Due to its ability to be exploited remotely, Fortinet is urging customers to act immediately.
• Veritas NetBackup had multiple high impact vulnerabilities published this week prompting Veritas to release 4 separate security advisories.
• ZKteco ZKBioSecurity, biometric security solutions had two vulnerabilities published this week, including an escalation of privilege vulnerability which allows authenticated users to create admin accounts.

This week saw the publication of 587 new CVE IDs. Of those, 126 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 21% were of critical severity, 36% were high, 41% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• Sophos firewall unauthenticated remote code execution vulnerability was disclosed and immediately added to CISA’s KEVC.
• Oracle Cloud Infrastructure vulnerability that allowed for the violation of cloud segmentation controls and mounting of storage volumes with full read/write access.
• Previously undisclosed WhatsApp vulnerabilities which could lead to remote code execution under certain conditions are publicly acknowledged by WhatsApp.
• A Python package vulnerability from 2007 has resurfaced after Trellix, a security firm, found that approximately 350,000 GitHub projects are affected.

This week saw the publication of 655 new CVE IDs. Of those, 239 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 14% were of critical severity, 53% were high, 31% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• Multiple versions of Microsoft SharePoint server are affected by several authenticated remote code execution vulnerabilities.
• Tesla Model 3s using phone key authentication are vulnerable to authentication bypass which could allow an attacker to unlock, start, and drive away the vehicle.
• OASES, a software used to manage aviation maintenance and engineering is vulnerable to an authenticated remote code execution vulnerability.
• Watchdog anti-virus does not enforce access control lists on key application files allowing an attacker to execute arbitrary code in the context of the anti-virus software.

This week saw the publication of 432 new CVE IDs. Of those, 204 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 22% were of critical severity, 46% were high, 32% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• In a growing pattern, another Python package index package has been backdoored with a remote code execution vulnerability by an unknown third party.
• Japanese company Hytech Inter saw multiple vulnerabilities released for one of their products this week, the affected device, an industrial application LTE router would pose a significant security risk if compromised.
• 23 total vulnerabilities were identified for Snapdragon Auto modules involving memory management, while the impact of these disclosures is still unclear the global adoption of these products could imply far reaching risk.
• An open redirect vulnerability in IBM’s Security Identity Manager could empower threat actors to conduct powerful phishing attacks.

Businesses of all sizes have increasingly been developing and deploying complex internet-facing web applications to provide consumers with richer experiences. While richer web experiences represent an opportunity for businesses to interact with and provide value to consumers in new and exciting ways, they also represent new attack surface for hackers. Many applications today exist to facilitate the storage, processing, and presentation of some variety of data, which is often compartmentalized through the use of roles and user accounts. Unauthorized access to web applications can often provide hackers with valuable information to sell on the darkweb or to use in future attacks against the organization or that organization’s users/clients. It’s important for developers building web applications to understand common web application attacks, their implications, and corresponding defences to architect robust and secure web applications that consumers can trust to keep their data secure.

In this article we’ll explore three authentication-related vulnerabilities we discovered in the PlexTrac platform (now described by CVE-2022-37144 through CVE-2022-37146), outline how these vulnerabilities could be combined to potentially bypass each step of the authentication process to gain access to sensitive data, and discuss how to build web applications that defend against such vulnerabilities.

This week saw the publication of 565 new CVE IDs. Of those, 170 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 22% were of critical severity, 46% were high, 32% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• Atlassian BitBucket remote code execution vulnerability allows user with read permissions on any public/private repository to execute arbitrary code through a crafted HTTP request.
• GitLab community edition and enterprise editions are affected by a remote code execution vulnerability in which an authenticated user who can “import from GitHub” can execute arbitrary code in the context of the affected server.
• BlackHat presenters found variations of similar vulnerabilities in automotive remote keyless entry systems which allow for “time-agnostic” exploitation of keyless entry systems.
• The restaurant management software Tabit had multiple vulnerabilities published this week including information disclosure, weak password generation, database injection, unauthorized account modification, and arbitrary SMS messaging as the Tabit server.

This week saw the publication of 455 new CVE IDs. Of those, 93 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 17% were of critical severity, 36% were high, 46% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• Softing Secure Integration Server had multiple vulnerabilities published this week prompting a CISA advisory warning users to upgrade to a patched version of the software as soon as possible.
• The very popular Zoho Manage Engine Analytics Plus software suite had two vulnerabilities published this week including remote code execution and information disclosure.
• The open-source Chinese configuration server AgileConfig was found to have a hard-coded JWT secret key which would allow attackers to take control of the server.
• Qualys Cloud Agent had two vulnerabilities published which include privilege escalation and information disclosure. The information disclosure vulnerability is currently contested by Qualys with several strong justifications.
• A strange CVE was published this week regarding product research done in 2005. Specific hard drives could be crashed by the music in the Janet Jackson music video for “Rhythm Nation” due to the music lining up with the resonant frequency of the hard drive itself.