Cross-Site Request Forgery (CSRF) vulnerability in the user interface of Fortinet FortiSIEM 5.2.5
Overview :
Affected Product(s) :
CVE-2019-17653
Overview :
The Spotfire library component of TIBCO Software Inc.’s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a vulnerability that theoretically allows an attacker with write permissions to the Spotfire Library, but without “Script Author” group permission, to modify attributes of files and objects saved to the library such that the system treats them as trusted. This could allow an attacker to cause the Spotfire Web Player, Analyst clients, and TERR Service to execute arbitrary code with the privileges of the system account that started those processes. Affected releases are TIBCO Software Inc.’s TIBCO Spotfire Analytics Platform for AWS Marketplace: versions 10.8.0 and below; and TIBCO Spotfire Server: versions 7.11.9 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, and 10.3.6, and versions 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, and 10.8.0.
Affected Product(s) :
The following component is affected:
Overview :
In Apache ShardingSphere (incubator) 4.0.0-RC3 and 4.0.0, the ShardingSphere web console uses the SnakeYAML library to parse YAML input when loading the datasource configuration. SnakeYAML allows data to be unmarshalled into an arbitrary Java type by means of a YAML tag. Unmarshalling untrusted data in this way can lead to remote code execution (RCE).
Affected Product(s) :
ShardingSphere 4.0.0-RC3, 4.0.0
Solution :
Overview :
Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may include data such as hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 & 2019.4.0, Puppet Server 6.9.1 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable the trapperkeeper-metrics /v1 metrics API and only allow /v2 access on localhost by default. This affects the Puppet Enterprise 2018.1.x stream prior to 2018.1.13, and prior to 2019.4.0; Puppet Server prior to 6.9.1, and prior to 5.3.12; PuppetDB prior to 6.9.1, and prior to 5.2.13.
Affected Product(s) :
Overview :
An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
Affected Product(s) :
The Problems
The Prophaze Raspberry Pi based custom appliance can be hooked in at the gateway of your IoT interface. It can front any control system, be it CCTV cameras or an advanced data-fetching and parsing device. Prophaze can secure your API endpoints against the OWASP Top 10 and many other threats, including zero-days.
Prophaze EagleEye can secure your API endpoints against OWASP Top 10 threats and API abuse. Prophaze’s customized, self-learning machine learning models can identify user behaviour and profile your API against the most common and uncommon methods of attack.
Do Google Chrome’s anti-phishing algorithms show false positives? While trying to log in to the internet banking website of India’s No. 1 private bank (icicibank.com), Chrome blocked the page and instead showed the warning page reproduced below.
Have a look at the use case below about recent security updates from router giant Cisco. Cisco recently issued patches for 12 severe security vulnerabilities; three of them are critical authentication bypass issues.