Vulnerability Disclosure and CVE assign
I. VULNERABILITY
Reflected XSS due to lack of input filtering in MicroStrategy Library

II. CVE REFERENCE
CVE-2019-18957

III. VENDOR
https://www.microstrategy.com/

IV. TIMELINE
05/07/2019 Vulnerability discovered
06/07/2019 Vendor contacted
06/09/2018 MicroStrategy fixed the vulnerability in release V11.1.3

V. CREDIT
Alphan Yavas from Biznet Bilisim A.S.

VI. DESCRIPTION
Reflected XSS due to lack of input filtering in MicroStrategy Library (before 11.1.3), which allows a remote attacker to conduct reflected cross-site scripting attacks.
Vulnerability Disclosure
I. VULNERABILITY
Reflected XSS due to lack of input filtering in MicroStrategy Library

II. CVE REFERENCE
Not Assigned yet

III. VENDOR
https://www.microstrategy.com/

IV. TIMELINE
05/07/2019 Vulnerability discovered
06/07/2019 Vendor contacted
06/09/2018 MicroStrategy fixed the vulnerability in release V11.1.3

V. CREDIT
Alphan Yavas from Biznet Bilisim A.S.

VI. DESCRIPTION
Reflected XSS due to lack of input filtering in MicroStrategy Library (before 11.1.3), which allows a remote attacker to conduct reflected cross-site scripting attacks.
Vulnerability Disclosure (Web Apps)-Bravo Tejari Web Portal-Unrestricted File Upload
Vulnerability Type: Unrestricted File Upload
Vendor of Product: Tejari
Affected Product Code Base: Bravo Solution
Affected Component: Web Interface Management
Attack Type: Local - Authenticated
Impact: Malicious File Upload

Product description: Bravo Tejari is a strategic procurement platform that enables organizations to generate more value, influence innovation and reduce risk, powered by a unique supplier-centered approach that integrates supplier lifetime value throughout the entire procurement process.

Attack Scenario: The Web Interface of the Bravo Tejari procurement portal does not perform server-side checks on uploaded files. An attacker who has access to the application can bypass client-side checks and upload malicious executables, PDFs and web shells to the web server.

Affected Product Link: https://xx..com/esop/evm/OPPreliminaryForms.do?formId=857

Impact: The uploaded files are not properly validated by the application. An attacker can take advantage of this vulnerability and upload malicious executable files to compromise the application.

Recommendation: All uploaded files must be validated on both the client and server side before storing them on the server.

Credit: Arvind Vishwakarma http://ultimateone1.blogspot.ae/

Vulnerability Timeline:
12th December 2017 – Vulnerability Discovered
23rd December 2017 – Contacted Vendor – No Response
7th January 2018 – Contacted Vendor again – No Response
15th February 2018 – Vulnerability Disclosed
Vulnerability Disclosure (Web Apps)-Bravo Tejari Web Portal-CSRF
Vulnerability Type: Cross Site Request Forgery (CSRF)
Vendor of Product: Tejari
Affected Product Code Base: Bravo Solution
Affected Component: Web Interface Management
Attack Type: Local - Authenticated
Impact: Unauthorised Access

Product description: Bravo Tejari is a strategic procurement platform that enables organizations to generate more value, influence innovation and reduce risk, powered by a unique supplier-centered approach that integrates supplier lifetime value throughout the entire procurement process.

Attack Scenario: The Web Interface of the Bravo Tejari procurement portal does not use random tokens to block any kind of forged request. An attacker can take advantage of this scenario and create a forged request to edit user account details like name, address of the company/individual, email address etc. He then uses social engineering techniques to target specific individuals whose account details he would like to change. He simply sends the link and tricks the user into clicking the forged HTTP request. The request is executed and the user's account details are changed without his knowledge.

Proof of Concept Code: Forged HTTP Request used by the attacker:
https://..com/esop/toolkit/profile/regData.do; method="POST">

Impact: The affected product is a procurement portal, and so all communication regarding the contract lifecycle process is sent to the user details provided on the portal. If this vulnerability is successfully exploited, the attacker will be able to change these details, which will potentially affect the victim's business.

Recommendation: Ensure that all sensitive CRUD operations are appropriately protected with random tokens. Alternatively, the sensitive operations should also have an authentication layer to confirm user verification.

Credit: Arvind Vishwakarma http://ultimateone1.blogspot.ae/

Vulnerability Timeline:
12th December 2017 – Vulnerability Discovered
23rd December 2017 – Contacted Vendor – No Response
7th January 2018 – Contacted Vendor again – No Response
15th February 2018 – Vulnerability Disclosed
Ellucian Banner Student Vulnerability Disclosure
Previous CVEs for Banner Student were filed under vendor SunGard. All vulnerabilities are fixed in patch pcr-000134142_bws8070102, in the latest version of the product (8.7.1.2) as of November 26, 2015.

Product: Banner Student
Vendor: Ellucian Company L.P.
Vulnerable Version: 8.5.1.2 - 8.7
Tested Version: 8.7
Vendor Notification: June 18, 2015
Public Disclosure: December 2, 2015
Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect') [CWE-601]
CVE Reference: CVE-2015-5054
Risk Level: Medium
CVSSv2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSSv3 Base Score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Mitigation: None, Upgrade to 8.7.1.2
Discovered and Provided: RiskSense, Inc.

Advisory Details: Open Redirect in Ellucian Banner Student: CVE-2015-5054
A user can be redirected to a malicious page when a link is clicked from a crafted URL.

References:
[1] Ellucian Company L.P. - http://www.ellucian.com/
[2] Banner Student - http://www.ellucian.com/Software/Banner-Student/
[3] OWASP A10 - https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
[4] CWE-601 - https://cwe.mitre.org/data/definitions/601.html

Product: Banner Student
Vendor: Ellucian Company L.P.
Vulnerable Version: 8.5.1.2
Tested Version: 8.5.1.2
Vendor Notification: June 18, 2015
Public Disclosure: December 2, 2015
Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79]
CVE Reference: CVE-2015-4687
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSSv3 Base Score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Mitigation: None, Upgrade to 8.7.1.2
Discovered and Provided: Ellucian Company L.P.

Advisory Details: Reflected Cross-Site Scripting (XSS) in Ellucian Banner Student: CVE-2015-4687
Unsanitized data input from application parameters allows an attacker to execute arbitrary JavaScript code using a malicious URL.

References:
[1] Ellucian Company L.P. - http://www.ellucian.com/
[2] Banner Student - http://www.ellucian.com/Software/Banner-Student/
[3] OWASP A3 - https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
[4] CWE-79 - https://cwe.mitre.org/data/definitions/79.html

Product: Banner Student
Vendor: Ellucian Company L.P.
Vulnerable Version: 8.5.1.2 - 8.7
Tested Version: 8.7
Vendor Notification: June 18, 2015
Public Disclosure: December 2, 2015
Vulnerability Type: Information Exposure Through Discrepancy [CWE-203]
CVE Reference: CVE-2015-4688
Risk Level: Medium
CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSSv3 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Mitigation: None, Upgrade to 8.7.1.2
Discovered and Provided: Ellucian Company L.P.

Advisory Details: User Enumeration in Ellucian Banner Student: CVE-2015-4688
Differences between server responses can be used to brute-force user accounts in the system.

References:
[1] Ellucian Company L.P. - http://www.ellucian.com/
[2] Banner Student - http://www.ellucian.com/Software/Banner-Student/
[3] OWASP A2 - https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
[4] CWE-203 - https://cwe.mitre.org/data/definitions/203.html

Product: Banner Student
Vendor: Ellucian Company L.P.
Vulnerable Version: 8.5.1.2 - 8.7
Tested Version: 8.7
Vendor Notification: June 18, 2015
Public Disclosure: December 2, 2015
Vulnerability Type: Weak Password Recovery Mechanism for Forgotten Password [CWE-640]
CVE Reference: CVE-2015-4689
Risk Level: Medium - High
CVSSv2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSSv3 Base Score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
Mitigation: None, Upgrade to 8.7.1.2
Discovered and Provided: Ellucian Company L.P.

Advisory Details: Weak Password Reset in Ellucian Banner Student: CVE-2015-4689
An attacker is able to change login credentials of users through a weak password reset mechanism.

References:
[1] Ellucian Company L.P. - http://www.ellucian.com/
[2] Banner Student - http://www.ellucian.com/Software/Banner-Student/
[3] OWASP A2 - https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
[4] CWE-640 - https://cwe.mitre.org/data/definitions/640.html

RiskSense, Inc. Security Analysts: Dylan Davis, Sean Dillon, Zachary Harding
[CVE-2015-3253] Apache Groovy Zero-Day Vulnerability Disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: All unsupported versions ranging from 1.7.0 to 2.4.3.

Impact
Remote execution of untrusted code, DoS

Description
When an application has Groovy on the classpath and it uses the standard Java serialization mechanism to communicate between servers, or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.

Mitigation
Apache Groovy 2.4.4 is the first and only supported release under the Apache Software Foundation. It is strongly recommended that all users upgrade to this version. If you cannot upgrade or rely on an older, unsupported version of Groovy, you can apply the following patch on the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java):

public class MethodClosure extends Closure {
+private Object readResolve() {
+throw new UnsupportedOperationException();
+}

Credit
This vulnerability was discovered by: cpnrodzc7 working with HP's Zero Day Initiative

References
http://groovy-lang.org/security.html
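Review bot: the readResolve() added to MethodClosure in this hunk stops deserialization of that one class only; the description above states that the underlying exposure is any application deserializing untrusted input without isolating that code, so the advisory should present this patch as a stopgap for unsupported versions to be paired with the recommended upgrade to 2.4.4, not as a complete fix. The quoted fragment also omits the class's closing brace and carries no comment explaining why the method throws; a one-line comment on the new method (for example `// MethodClosure instances must never be deserialized`) would make the intent clear to whoever applies it.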
Avolve Software ProjectDox Multiple Vulnerability Disclosure
Product: ProjectDox
Vendor: Avolve Software
Vulnerable Version: 8.1
Tested Version: 8.1
Vendor Notification: May 30, 2014
Public Disclosure: September 3, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-5129
Risk Level: Medium
CVSSv2 Base Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network Enterprise Solutions)

Advisory Details: Cross-Site Scripting in ProjectDox: CVE-2014-5129
Reflected and Persistent Cross-Site Scripting were found in the ProjectDox application. Unsanitized data input from application query parameters and other vectors exist to execute arbitrary JavaScript code in the context of the victim browser.

References:
[1] Avolve Software - http://www.avolvesoftware.com/
[2] ProjectDox - http://www.avolvesoftware.com/projectdox/electronic-plan-review/
[3] Cross-Site Scripting - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Product: ProjectDox
Vendor: Avolve Software
Vulnerable Version: 8.1
Tested Version: 8.1
Vendor Notification: May 30, 2014
Public Disclosure: September 3, 2014
Vulnerability Type: Insecure Direct Object Reference [CWE-639]
CVE Reference: CVE-2014-5130
Risk Level: Medium
CVSSv2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network Enterprise Solutions)

Advisory Details: Insecure Direct Object Reference in ProjectDox: CVE-2014-5130
The application allows users to access other users' information using a direct access token. If a user can guess or visually inspect the token, a user can directly access this data without authorization.

References:
[1] Avolve Software - http://www.avolvesoftware.com/
[2] ProjectDox - http://www.avolvesoftware.com/projectdox/electronic-plan-review/
[3] Insecure Direct Object Reference - https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)

Product: ProjectDox
Vendor: Avolve Software
Vulnerable Version: 8.1
Tested Version: 8.1
Vendor Notification: May 30, 2014
Public Disclosure: September 3, 2014
Vulnerability Type: Ciphertext Reuse [CWE-329]
CVE Reference: CVE-2014-5131
Risk Level: Medium
CVSSv2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network Enterprise Solutions)

Advisory Details: Ciphertext Reuse in ProjectDox: CVE-2014-5131
The application encrypts data identifiers without IV or with identical IV in multiple locations. By substituting ciphertext from one location of the application into another location, an attacker is able to gain access to other users' information.

References:
[1] Avolve Software - http://www.avolvesoftware.com/
[2] ProjectDox - http://www.avolvesoftware.com/projectdox/electronic-plan-review/
[3] Missing IV with Cipher Block Chaining - https://www.owasp.org/index.php/Not_using_a_random_initialization_vector_with_cipher_block_chaining_mode
[4] Inadequate Encryption Strength - http://cwe.mitre.org/data/definitions/326.html

Product: ProjectDox
Vendor: Avolve Software
Vulnerable Version: 8.1
Tested Version: 8.1
Vendor Notification: May 30, 2014
Public Disclosure: September 3, 2014
Vulnerability Type: User Enumeration [CWE-203]
CVE Reference: CVE-2014-5132
Risk Level: Medium
CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network Enterprise Solutions)

Advisory Details: User Enumeration in ProjectDox: CVE-2014-5132
The application allows an attacker to probe for valid users via email addresses.

References:
[1] Avolve Software - http://www.avolvesoftware.com/
[2] ProjectDox - http://www.avolvesoftware.com/projectdox/electronic-plan-review/
[3] User Enumeration - https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)
Sierra Library Services Platform Multiple Vulnerability Disclosure
Product: Sierra Library Services Platform
Vendor: Innovative Interfaces Inc
Vulnerable Version: 1.2_3
Tested Version: 1.2_3
Vendor Notification: June 19, 2014
Public Disclosure: August 26, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-5136
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network Enterprise Solutions)

Advisory Details: Reflected Cross-Site Scripting in Library Services Platform: CVE-2014-5136
Unsanitized data input from application query parameters allows an attacker to execute arbitrary JavaScript code in the context of a victim browser using a malicious URL link. The application at the time of test had the Webpac Pro submodule enabled.

References:
[1] Innovative Interfaces Inc - http://www.iii.com/
[2] Sierra Library Services Platform - http://www.iii.com/products/sierra
[3] Cross-Site Scripting - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Product: Sierra Library Services Platform
Vendor: Innovative Interfaces Inc
Vulnerable Version: 1.2_3
Tested Version: 1.2_3
Vendor Notification: June 19, 2014
Public Disclosure: August 26, 2014
Vulnerability Type: User Enumeration [CWE-204]
CVE Reference: CVE-2014-5137
Risk Level: Medium
CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network Enterprise Solutions)

Advisory Details: User Enumeration in Library Services Platform: CVE-2014-5137
A response discrepancy in the application login allows an attacker to determine valid user accounts tested. The application at the time of test had the Webpac Pro submodule enabled.

References:
[1] Innovative Interfaces Inc - http://www.iii.com/
[2] Sierra Library Services Platform - http://www.iii.com/products/sierra
[3] User Enumeration - https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)

Product: Sierra Library Services Platform
Vendor: Innovative Interfaces Inc
Vulnerable Version: 1.2_3
Tested Version: 1.2_3
Vendor Notification: June 19, 2014
Public Disclosure: August 26, 2014
Vulnerability Type: HTTP Parameter Pollution [CWE-235]
CVE Reference: CVE-2014-5138
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network Enterprise Solutions)

Advisory Details: HTTP Parameter Pollution in Library Services Platform: CVE-2014-5138
The application allows multiple instances of the same query parameter. The last instance of the parameter provided is used by the application. As the application logic or any web application firewall may interpret the parameters differently, an attacker may be able to bypass the normal verification of parameter safety. The weakness was not found to pose an immediate threat to application users in the tested configuration. The Webpac Pro submodule was enabled at the time of the test.

References:
[1] Innovative Interfaces Inc - http://www.iii.com/
[2] Sierra Library Services Platform - http://www.iii.com/products/sierra
[3] HTTP Parameter Pollution - https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_(OTG-INPVAL-004)
Encore Discovery Solution Multiple Vulnerability Disclosure
Product: Encore Discovery Solution
Vendor: Innovative Interfaces Inc
Vulnerable Version: 4.3
Tested Version: 4.3
Vendor Notification: June 19, 2014
Public Disclosure: August 26, 2014
Vulnerability Type: Open Redirect [CWE-601]
CVE Reference: CVE-2014-5127
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network Enterprise Solutions)

Advisory Details: Open Redirect in Encore Discovery Solution: CVE-2014-5127
Using a maliciously crafted URL, an attacker is able to redirect users to an attacker-controlled parameter.

References:
[1] Innovative Interfaces Inc - http://www.iii.com/
[2] Encore Discovery Solution - http://www.iii.com/products/encore
[3] Open Redirect - https://www.owasp.org/index.php/Open_redirect

Product: Encore Discovery Solution
Vendor: Innovative Interfaces Inc
Vulnerable Version: 4.3
Tested Version: 4.3
Vendor Notification: June 19, 2014
Public Disclosure: August 26, 2014
Vulnerability Type: Session Token in URL [CWE-598]
CVE Reference: CVE-2014-5128
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network Enterprise Solutions)

Advisory Details: Session Token in URL in Encore Discovery Solution: CVE-2014-5128
The application passes the session token within the application GET query parameters. This behavior is considered dangerous due to the potential for information leakage.

References:
[1] Innovative Interfaces Inc - http://www.iii.com/
[2] Encore Discovery Solution - http://www.iii.com/products/encore
[3] Session Token in URL - http://www.acunetix.com/vulnerabilities/session-token-in-url/
ArcGIS for Server Vulnerability Disclosure
Product: ArcGIS for Server
Vendor: ESRI
Vulnerable Version: 10.1.1
Tested Version: 10.1.1
Vendor Notification: June 19, 2014
Public Disclosure: August 15, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-5121
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network Enterprise Solutions)

Advisory Details: Reflected Cross-Site Scripting (XSS) in ArcGIS for Server: CVE-2014-5121
Multiple vectors of unsanitized data input from application query parameters allow an attacker to execute arbitrary JavaScript code using a malicious URL link.

Product: ArcGIS for Server
Vendor: ESRI
Vulnerable Version: 10.1.1
Tested Version: 10.1.1
Vendor Notification: June 19, 2014
Public Disclosure: August 15, 2014
Vulnerability Type: Open Redirect [CWE-20]
CVE Reference: CVE-2014-5122
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network Enterprise Solutions)

Advisory Details: Open Redirect in ArcGIS for Server: CVE-2014-5122
Using a crafted URL, upon login, the user's browser is redirected to an attacker-controlled parameter.
Vulnerability disclosure comments
Thank you to all who helped out by sharing your opinions on our vulnerability articles!
STANFORD CONFERENCE ON VULNERABILITY DISCLOSURE: Early Reg to Close Soon! (fwd)
- Forwarded message from Jennifer S. Granick [EMAIL PROTECTED] -

X-Sender: [EMAIL PROTECTED]
Date: Wed, 17 Apr 2002 10:05:27 -0800
To: [EMAIL PROTECTED]
From: Jennifer S. Granick [EMAIL PROTECTED]
Subject: STANFORD CONFERENCE ON VULNERABILITY DISCLOSURE: Early Reg to Close Soon!

The early registration for Stanford's Center for Internet and Society Conference on Computer Security Vulnerability Disclosure is about to close. Register today!

http://cyberlaw.stanford.edu

Current Agenda:

Agenda
Conference on Cyber Security and Disclosure
Thursday, May 9, 2002

7:30 a.m. Registration, Continental Breakfast

8:30 a.m. Welcome and Introductions
John Place, Stanford Center for Internet Society

8:45 a.m. Information Sharing and the Freedom of Information Act
Matt Richtel, The New York Times (moderator)
Harris Miller, Information Technology Association of America
Alan Morrison, Stanford Law School and Public Citizen Litigation Group
Paul Nicholas, President's Critical Infrastructure Protection Board, The White House
Mark Rasch, Predictive Services
David Sobel, Electronic Privacy Information Center

10:15 a.m. Break

10:30 a.m. The Ethics of Disclosure
Edward Felten, Princeton University and Stanford Law School
Steven Lipner, Microsoft
Helen Nissenbaum, New York University (invited)

12:00 p.m. Keynote Luncheon
Bruce Schneier, Founder and Chief Technical Officer, Counterpane Internet Security, Inc.
Crocker Garden, Stanford Law School

1:30 p.m. Disclosure and the Computer Security Professional
Edward Felten, Princeton University and Stanford Law School (moderator)
Gary McGraw, Cigital
Emily Sebert, @stake, Inc.

3:15 p.m. Break

3:30 p.m. Disclosure and the Computer Security Freelancer
Jennifer Stisa Granick, Stanford Law School (moderator)
Minh-Hang Nguyen, 7 Pillars
Rain Forest Puppy, Independent
Lee Tien, Electronic Frontier Foundation
Michael Wilson, 7 Pillars

5:00 p.m. Closing Remarks

5:10 p.m. Conference Ends

--
Jennifer Stisa Granick, Esq.
Director, Law and Technology Clinic
Stanford Law School Center for Internet and Society
559 Nathan Abbott Way
Stanford, California 94305
(650) 724-0014
(650) 723-4426 fax
[EMAIL PROTECTED]

- End forwarded message -