
Advisories & Alerts

Advisory: Remote Code Execution Traccar Server <=4.0 (AC-2018-10-8-1)

Our security team discovered a Remote Code Execution (RCE) vulnerability in the Traccar GPS vehicle tracking server (versions 4.0 and earlier). It allows an attacker holding nothing more than a self-registered user account to compromise the server's host. If you run Traccar server, update to v4.1 or later as soon as possible. Vulnerability Identification: AppCheck ID AC-2018-10-8-1; CVE: TBC. Traccar […]

BlackHat & Defcon 2018 Updates

Each year at the beginning of August the world's best security researchers and hackers get together for two annual security conferences: Black Hat and DEF CON. Each conference runs for three days, during which the latest and greatest new hacking techniques are presented. One thing is for sure: malicious actors are paying attention, and hope to […]

AppCheck Discovers Vulnerability in Auth0 Library (CVE-2017-17068).

AppCheck discovered a security flaw within the auth0.js JavaScript library that could be exploited by a malicious website to read sensitive access tokens cross-domain. About Auth0 Auth0 provides authentication solutions for a variety of platforms including the ability to integrate social media authentication into an application. “We solve the most complex identity use cases with […]

Critical Joomla 3.7 SQL Injection Vulnerability Patched

On the 17th of May 2017, the Joomla team issued a patch for a high severity security flaw that could allow a remote unauthenticated attacker to execute arbitrary SQL queries on the target system. A malicious attacker could exploit this flaw to read, create, modify and delete data stored within the database. It is also […]

Detecting and Exploiting the PHPMailer RCE

On the 25th of December 2016, a security researcher disclosed a critical security flaw within a popular PHP library used to send emails. The PHPMailer library is used by more than 9 million websites worldwide and is bundled with popular open source PHP content management systems such as WordPress. At worst the flaw could be […]

High Severity Joomla Vulnerability Patched

On the 25th of October 2016, the Joomla team issued a patch for a high severity security flaw that could allow a remote unauthenticated attacker to create administrative accounts on the target system. AppCheck was updated on the same day to detect and safely exploit the vulnerability. Our security researchers observed scanning for this flaw […]

Hunting HTML 5 PostMessage Vulnerabilities

Download paper: Hunting postMessage Vulnerabilities. Download sample code.

AppCheck partnered with Sec-1 Ltd (http://www.sec-1.com) on a research project investigating the security challenges posed by next-generation web applications. The project included an investigation of the cross-origin communication mechanisms provided by HTML5, including postMessage and CORS. One of the key findings from the research […]
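The class of bug the postMessage research hunts for is a message receiver that trusts whatever window sends to it. The following is an added example written for this page, not code from the AppCheck/Sec-1 paper or its sample download. It places a receiver with no origin check (and the weak substring check often seen in the wild) beside a hardened receiver, and drives both with constructed MessageEvent-like objects so the logic runs under Node without a browser. The trusted origin, message shape and sink objects are assumptions for the demonstration.

```javascript
// Added example (not from the AppCheck/Sec-1 paper): vulnerable vs. hardened
// postMessage receivers, exercised with constructed MessageEvent stand-ins.

const TRUSTED_ORIGIN = "https://app.example.com"; // assumed trusted origin

// Weak check often seen in the wild: substring match on event.origin.
// It also passes "https://app.example.com.evil.example.net".
function weakOriginCheck(origin) {
  return origin.indexOf("app.example.com") !== -1;
}

// Vulnerable receiver: no origin check at all, and attacker-controlled
// data flows straight into an HTML sink.
function vulnerableReceiver(event, sink) {
  sink.innerHTML = String(event.data);
  return true; // processed whatever arrived, from whoever sent it
}

// Hardened receiver: exact-match origin allow-list, schema check on the
// payload, and a text sink rather than innerHTML.
function hardenedReceiver(event, sink) {
  if (event.origin !== TRUSTED_ORIGIN) return false; // exact match, never includes()/startsWith()
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return false;
  if (msg.type !== "setStatus" || typeof msg.text !== "string") return false;
  sink.textContent = msg.text;
  return true;
}

// Sender side: always name the target origin. Passing "*" lets whatever
// document is currently loaded in targetWindow read the message.
function sendStatus(targetWindow, text) {
  targetWindow.postMessage({ type: "setStatus", text: text }, TRUSTED_ORIGIN);
}

// Minimal stand-in for a DOM element used as the sink.
function makeSink() {
  return { innerHTML: "", textContent: "" };
}

// Constructed events (stand-ins for browser MessageEvent objects).
const HOSTILE = { origin: "https://evil.example.net", data: '<img src=x onerror="alert(1)">' };
const LOOKALIKE = { origin: "https://app.example.com.evil.example.net", data: { type: "setStatus", text: "pwned" } };
const BENIGN = { origin: TRUSTED_ORIGIN, data: { type: "setStatus", text: "ok" } };

// Runs every event through both receivers and reports what each accepted.
function runDemo() {
  const vulnSink = makeSink();
  const hardSink = makeSink();
  return {
    vulnerableAcceptsHostile: vulnerableReceiver(HOSTILE, vulnSink),
    vulnerableSinkContents: vulnSink.innerHTML,
    weakCheckPassesLookalike: weakOriginCheck(LOOKALIKE.origin),
    hardenedRejectsHostile: hardenedReceiver(HOSTILE, hardSink),
    hardenedRejectsLookalike: hardenedReceiver(LOOKALIKE, hardSink),
    hardenedAcceptsBenign: hardenedReceiver(BENIGN, hardSink),
    hardenedSinkContents: hardSink.textContent
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runDemo());
}
```

In a real page the receivers would be registered with `window.addEventListener("message", ...)`; the point of the demo is that the vulnerable receiver lands the hostile payload in `innerHTML`, the substring check accepts the lookalike origin, and only the exact-match receiver with a payload schema rejects both while still accepting the benign message.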

WordPress 4.5.1 Cross-Site Scripting (CVE-2016-4566)

WordPress versions 4.5.1 and earlier are affected by an XSS vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS via specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues. Scanning WordPress: AppCheck NG includes […]

Critical Security Flaw in ImageMagick (imagetragick)

A vulnerability in a widely deployed image processing library was disclosed on the 5th of May 2016. Within an hour of the disclosure AppCheck NG was updated to detect the flaw. From the original advisory: “There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can […]

Remote Code Execution Flaw in Apache Struts 2.3.20-2.3.28

A vulnerability in Apache Struts 2.3.20-2.3.28* could allow an unauthenticated, remote attacker to execute arbitrary code on a target server. To be vulnerable, the target application must have Dynamic Method Invocation enabled. The flaw was disclosed on April 22nd 2016 at 19:38 GMT. AppCheck NG was updated on April 23rd 2016 with a plugin […]