AppCheck Security Blog
Featured post
Security Advisory: Persistent XSS via Avatar Upload in Kentico CMS
/ Posted September 17, 2021
The Kentico CMS (13.0.4001.0 Xperience platform version tested locally) is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as Stored or Second-Order XSS).
read moreFilter by:
Security Advisory: Persistent XSS via Avatar Upload in Kentico CMS
Security Alerts / Posted September 17, 2021
The Kentico CMS (13.0.4001.0 Xperience platform version tested locally) is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as Stored or Second-Order XSS).
Read moreUmbraco Forms File Upload Vulnerability: Technical Analysis (CVE-2021-37334)
Research Security Alerts / Posted August 25, 2021
On the 15th of July 2021 Umbraco and AppCheck released a Security Advisory to alert users of a vulnerability within the Umbraco Forms component that could be exploited to gain remote code execution on the affected system.
Read moreAdvisory: CVE-2020-29045 - Unauthenticated RCE via Arbitrary Object Deserialisation in Five Star Restaurant Menu - WordPress Ordering Plugin
Research Security Alerts / Posted March 10, 2021
It is possible to gain Unauthenticated Remote Code Execution (RCE) on any WordPress instance that is using this plugin, due to the unsafe use of unserialize for the parsing of unsanitised user input, via the cookie fdm_cart used within includes/class-cart-manager.php
Read moreAdvisory: CVE-2020-29047 - Unauthenticated RCE via Arbitrary Object Deserialisation in WordPress Hotel Booking Plugin
Research Security Alerts / Posted March 03, 2021
CVE: CVE-2020-29047
Severity: HIGH
Vulnerability Type: CWE-502: Deserialization of Untrusted Data
Requires Authentication: No
vBulletin Zero Day Details & Plug-in
News Product Security Alerts / Posted August 10, 2020
Security researcher Amir Etemadieh has released a pre-authentication zero-day remote command execution (RCE) exploit in vBulletin. This exploit is bypasses the patch for a previous RCE in vBulletin 5.0 through 5.4 and has since been assigned CVE-2019-16759.
Read moreSaltStack scanning tool to detect CVE-2020-11651 & CVE-2020-11652
Product Research Security Alerts / Posted May 05, 2020
These CVE's are now being actively exploited in the wild and so we have created a free standalone scanner to detect and report on these.
Read moreCritical Vulnerabilities in SaltStack CVE-2020-11651 & CVE-2020-11652
Security Alerts / Posted May 01, 2020
Vulnerabilities within SaltStack infrastructure automation software may lead to RCE attacks and full system takeover. According to security researchers who found these vulnerabilities, attacks are expected in the wild as soon as today.
Read moreGhostCat Vulnerability - CVE-2020-1938
Security Alerts / Posted February 27, 2020
Aside from being a – by all accounts truly terrible – direct-to-TV movie about a recently deceased cat who comes back from the dead to try and stop scammers and wealthy businessmen from making unnecessary land-development deals, “Ghostcat” is also the fond nickname for vulnerability CVE-2020-1938.
Read moreAppCheck Scan Template for Pulse Secure CVE-2019-11510
Product Research Security Alerts / Posted January 09, 2020
AppCheck have released a scan template which will run a quicker scan and check for the above vulnerability. Specifically, the module will look to detect a critical security flaw in Pulse Secure’s Zero Trust Remote Access VPN.
Read moreAppCheck Scan Template for Citrix Vulnerability CVE-2019-19781
Product Research Security Alerts / Posted January 09, 2020
AppCheck have released a scan template to detect a remote code execution flaw in Citrix appliances.
Read more