# [Alert] Drupal 8 Remote Code Execution Vulnerability

On February 20, 2019, the Drupal security team announced a highly critical remote code execution vulnerability in Drupal 8, tracked as SA-CORE-2019-003 and CVE-2019-6340, in its latest security advisory. The official site rates this vulnerability as Highly Critical, with a security risk score of 21/25. The vulnerability is caused by a lack of proper data sanitization in some fields when the Drupal Core RESTful Web Services (rest) module is enabled. In some cases, it allows arbitrary PHP code execution and remote, complete control over the server.

  • Date Published:2019-02-28

Recent Security Event

# [Alert] Remote Code Execution Vulnerability in Multiple ThinkPHP 5 Versions

On December 9, 2018, ThinkPHP released a security update addressing a remote code execution vulnerability. The vulnerability is caused by the framework's insufficient checks on controller names when forced routing is not enabled. As a result, attackers may exploit a GetShell vulnerability on the server; ThinkPHP 5.0 and ThinkPHP 5.1 are affected. Although the vulnerability is not hard to exploit, its impact could be destructive.

  • Source:SANGFOR Security Center
  • Date Published:2018-12-22

# [Alert] WebLogic Java Deserialization Vulnerability (CVE-2018-3245)

In October 2018, Oracle officially released its October Critical Patch Update, which includes a fix for a high-risk remote code execution vulnerability (CVE-2018-3245) in WebLogic Server.

  • Source:SANGFOR Security Center
  • Date Published:2018-10-24

# [Alert] New Remote Code Execution Vulnerability in All ECShop Products

Recently, ringk3y's blog disclosed a remote code execution vulnerability affecting all ECShop products. The vulnerability is caused by a variable in the display function of the user.php file in ECShop. The variable can be controlled remotely, resulting in an injection vulnerability that attackers can exploit to execute code on the server. It is very dangerous: the vulnerability allows attackers to obtain a shell (getshell) and gain the highest privileges on the server. All versions of ECShop are affected by this vulnerability. Currently, the number of attacks exploiting the vulnerability is on the rise.

  • Source:SANGFOR Security Center
  • Date Published:2018-09-19

# Struts2 Remote Code Execution Vulnerability (S2-057)

The Apache Wiki disclosed a new high-risk remote code execution vulnerability in Struts 2, tracked as CVE-2018-11776 (S2-057).

  • Source:SANGFOR Security Center
  • Date Published:2018-08-24

# [Alert] WebLogic Deserialization Vulnerability CVE-2018-2893

On March 28, 2018, a highly critical remote code execution vulnerability (CVE-2018-2893) in the popular open-source Drupal CMS was exposed.

  • Source:SANGFOR Security Center
  • Date Published:2018-07-25