CVE-2019-8451: Proof-of-Concept Available for Server Side Request Forgery (SSRF) Vulnerability in Jira

Availability of proof-of-concept code for a vulnerability in Jira poses a challenge, as the Jira 7.x branch did not appear to contain a fix for the flaw.

Background: On September 9, Atlassian released version 8.4.0 for Jira Core and Jira Software, which included a fix for an important security issue reported in August 2019.

Analysis: CVE-2019-8451 is a pre-authentication server side request forgery …

CVE-2019-1367: Critical Internet Explorer Memory Corruption Vulnerability Exploited In The Wild

A zero-day memory corruption vulnerability in Internet Explorer has been observed in attacks in the wild.

Background: On September 23, Microsoft released an out-of-band patch for a zero-day vulnerability in Internet Explorer that has been exploited in the wild.

Analysis: CVE-2019-1367 is a memory corruption vulnerability in Internet Explorer’s scripting engine in the way that objects in memory are …

CVE-2019-14994: URL Path Traversal Vulnerability in Jira Service Desk Leads to Information Disclosure

A path traversal flaw in Jira Service Desk can be used by attackers to view protected information in Jira projects.

Background: On September 18, Atlassian published a security advisory for a vulnerability in Jira Service Desk, an IT ticketing application used by over 25,000 organizations to accept, manage and track requests from customers and employees through a web portal. Tenable Research has …

CVE-2017-9841: Drupal Sites Exploited Using PHPUnit Vulnerability in Mailchimp Modules (PSA-2019-0904)

Attackers are leveraging a vulnerability patched nearly three years ago to target Drupal sites.

Background: On September 4, Drupal published PSA-2019-09-04, a public service announcement (PSA) for a vulnerability in a third-party library in a Drupal module that’s being actively exploited in the wild.

Analysis: CVE-2017-9841 is a code injection vulnerability in PHPUnit, a PHP unit testing framework. …

CVE-2019-12643: Critical Authentication Bypass Vulnerability in REST API Container for Cisco IOS XE

Cisco releases ten advisories, including one critical advisory impacting Cisco IOS XE devices with the REST API Container enabled.

Background: On August 28, Cisco released 10 advisories to address vulnerabilities across multiple products, including Cisco NX-OS and FXOS, Nexus 9000 Series Fabric Switches and Unified Computing System (UCS) Fabric. The most severe vulnerability, which Cisco rates as …

CVE-2018-13379, CVE-2019-11510: FortiGate and Pulse Connect Secure Vulnerabilities Exploited In the Wild

Attackers are exploiting arbitrary file disclosure vulnerabilities in popular SSL VPNs from Fortinet and PulseSecure.

Background: On August 22, two reports emerged of scanning activity targeting vulnerable Secure Socket Layer (SSL) virtual private network (VPN) systems. Kevin Beaumont (@GossiTheDog) tweeted that attackers had begun exploiting vulnerabilities in FortiGate SSL VPNs, while Troy Mursch …

Critical Cisco Vulnerabilities Across Multiple Products, Exploit Code for CVE-2019-1913 Reportedly Released

Cisco published new advisories for Integrated Management Controller (IMC) and Unified Computing System (UCS) Director, and updates for Small Business 220 Series Smart Switches that note the existence of public exploit code.

Background: On August 21, Cisco published 27 new advisories and updated six advisories across a variety of its products.

Analysis: Twelve of the advisories address …

Apple iPhone and iPad Devices Vulnerable After Reintroduction of SockPuppet Flaw in iOS 12.4 (CVE-2019-8605)

A previously disclosed and patched flaw was reintroduced in iOS 12.4 and could be used in combination with a separate vulnerability to compromise Apple mobile devices.

Background: On August 18, unc0ver, a popular jailbreaking tool, was updated to version 3.5.0, which includes a public jailbreak for a signed version of Apple’s firmware for the first time in years due to the reintroduction of a …

Multiple Denial of Service (DoS) Vulnerabilities in HTTP/2 Disclosed (CVE-2019-9511, CVE-2019-9518)

A variety of Denial of Service vulnerabilities were found in third-party implementations of HTTP/2.

Background: On August 13, researchers at Netflix published an advisory on their GitHub page detailing their discovery of eight vulnerabilities in third-party implementations of the HTTP/2 protocol. The vulnerabilities were primarily discovered by Jonathan Looney, Engineering Manager at Netflix, …

TikTok Scams: How Social Currency Fuels the Economy for Impersonation Accounts and Free-Followers-and-Likes Services

The economic engine of social media platforms is followers (or fans) and likes. Scammers take advantage of this economy, while others seek out ways to grow their following inorganically by impersonating popular creators and celebrities. In part one of our two-part series on TikTok scams, we explored the tactics involved in getting users to sign up for adult dating sites and pay for phony …