Advisories & Alerts

Critical Joomla 3.7 SQL Injection Vulnerability Patched

On the 17th of May 2017, the Joomla team issued a patch for a high severity security flaw that could allow a remote unauthenticated attacker to execute arbitrary SQL queries on the target system. A malicious attacker could exploit this flaw to read, create, modify and delete data stored within the database. It is also […]

Detecting and Exploiting the PHPMailer RCE

On the 25th of December 2016, a security researcher disclosed a critical security flaw within a popular PHP library used to send emails. The PHPMailer library is used by more than 9 million websites worldwide and is bundled with popular open source PHP content management systems such as WordPress. At worst the flaw could be […]

High Severity Joomla Vulnerability Patched

On the 25th of October 2016, the Joomla team issued a patch for a high severity security flaw that could allow a remote unauthenticated attacker to create administrative accounts on the target system. AppCheck was updated on the same day to detect and safely exploit the vulnerability. Our security researchers observed scanning for this flaw […]

Hunting HTML 5 PostMessage Vulnerabilities

Download Paper: Hunting postMessage Vulnerabilities. Download Sample Code: sample code. AppCheck partnered with Sec-1 Ltd (http://www.sec-1.com) to undertake a research project investigating the security challenges posed by next generation web applications. The project included an investigation of Cross-Origin communication mechanisms provided via HTML5 including postMessage and CORS. One of the key findings from the research […]

WordPress 4.5.1 Cross-Site Scripting (CVE-2016-4566)

WordPress versions 4.5.1 and earlier are affected by an XSS vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues. Scanning WordPress: AppCheck NG includes […]

Critical Security Flaw in ImageMagick (imagetragick)

A vulnerability in a widely deployed image processing library was disclosed on the 5th of May 2016. Within an hour of the disclosure AppCheck NG was updated to detect the flaw. From the original advisory: “There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can […]

Remote Code Execution Flaw in Apache Struts 2.3.20-2.3.28

A vulnerability in Apache Struts 2.3.20-2.3.28* could allow an unauthenticated, remote attacker to execute arbitrary code on a target server. In order to be vulnerable, Dynamic Method Invocation must be enabled for the target application. The flaw was disclosed on April 22 2016 19:38 GMT. AppCheck NG was updated on April 23rd 2016 with a plugin […]

Critical: Remote Command Execution in WordPress Form Manager Plugin (CVE-2015-7806)

On the 9th October researchers at AppCheck NG discovered a critical Remote Command Execution (RCE) in the popular WordPress plugin Form Manager which allows an attacker with an unprivileged account (including a self-registered account) to execute arbitrary commands on the host. The vulnerability was reported and fixed on the 12th October. Demonstration Video See details and […]

Adobe Fixes HTML5 PostMessage Security Flaw

AppCheck NG has identified a significant security flaw affecting a common JavaScript component provided as part of the Adobe Marketing Cloud. The flaw affected many high profile applications including several banking sites and well known .com organisations, and has now been fixed by the vendor. When imported, the affected JavaScript component adds a vulnerable postMessage […]

Critical Security Flaw Patched in Magento Blog Extension (CVE-2015-3428)

Background: The aheadWorks Blog extension for Magento prior to version 1.3.10 is vulnerable to a critical SQL Injection security flaw. A remote unauthenticated attacker could exploit this vulnerability to take complete control of the affected Magento server and database. With almost 80,000 downloads at the time of writing, the affected component is the most popular […]
