What's new at Detectify

New tests released based on submissions by our Detectify Crowdsource hackers:

• CVE-2024-38856: Apache OFBiz RCE [9.8 / Critical]
• CVE-2024-3273: D-Link NAS Storage Backdoor & RCE [9.8 / Critical]
• CVE-2024-28987: SolarWinds Web Help Desk (WHD) Hardcoded Credentials [9.1 / Critical]
• CVE-2019-1653: Cisco RV320/RV325 Unauthenticated Configuration Export [7.5 / High]
• AriaNg Dashboard Exposure [7.0 / High] 
• Abyss Web Server Unfinished Install [9.4 / Critical]
• Carel pCOWeb Default Credentials [9.4 / Critical]
• Carel pCOWeb Dashboard Exposure [6.4 / Medium]

New tests released by Detectify staff:

• CVE-2024-9463: Palo Alto Networks Expedition RCE [7.5 / High]
• CVE-2024-6893: Journyx XXE [7.5 / High]
• CVE-2024-44000: WordPress Plugin "LiteSpeed Cache" Sensitive Information Exposure [9.8 / Critical]
• CVE-2024-3274: D-LINK DNS-320L, DNS-320LW and DNS-327L Information Disclosure [5.3 / Medium]
• CVE-2024-3272: D-Link Network Attached Storage Backdoor & RCE [9.8 / Critical]
• CVE-2024-27348: Apache HugeGraph-Server RCE [9.8 / Critical]
• CVE-2024-21644: pyLoad Flask Config Exposure [7.5 / High]
• CVE-2024-0195: SpiderFlow Crawler Platform RCE [9.8 / Critical]
• CVE-2023-3368: Chamilo LMS <= v1.11.20 RCE [9.8 / Critical]
• CVE-2019-1653: Cisco RV320/RV325 Unauthenticated Configuration Export [7.5 / High]
• CVE-2018-12998: Zoho ManageEngine Netflow Analyzer Reflected XSS [6.1 / Medium]
• CVE-2017-12098: Ruby on Rails rails_admin XSS [6.1 / Medium]
• CVE-2017-12097: Ruby on Rails delayed_job_web XSS [6.1 / Medium]

Improved tests to reduce false negatives:

• CVE-2024-38475: Apache HTTP Server Improper escaping of output in mod_rewrite

• CVE-2020-13662: Drupal Core Open Redirect
• CVE-2014-6271: Shellshock
• Apache Tomcat Open Redirect v1
• Apache Tomcat Open Redirect v2* Open Redirect

Improved finding information:

• CVE-2024-34102: Adobe Commerce & Magento XXE
• CVE-2024-1709: ScreenConnect Authentication Bypass
• Jenkins Username Disclosure