Loading...
Security Resources

Software Updates

Trustwave App Scanner Updates for October 2019

**Our Knowledgebase Articles can now be viewed at: https://www3.trustwave.com/support/kb/

===== ===== ===== ===== ===== ==
Web Server Vulnerabilities Updates
===== ===== ===== ===== ===== ==
Apache HTTP Server Buffer Overflow Vulnerability

CVE-2019-10097

In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.

Apache HTTP Server Cross Site Scripting Vulnerability

CVE-2019-10092

In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

Apache HTTP Server Read After Free Memory Vulnerability

CVE-2019-10082

In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.

Apache HTTP Server Open Redirect Vulnerability

CVE-2019-10098

In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

IBM WebSphere Application Server Sensitive Information Disclosure Vulnerability

CVE-2019-4505

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Network Deployment could allow a remote attacker to obtain sensitive information, caused by sending a specially-crafted URL. This can lead the attacker to view any file in a certain directory.
IBM X-Force ID: 164364.

IBM WebSphere Application Server Sensitive Information Disclosure Vulnerability

CVE-2019-4477

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a user with access to audit logs to obtain sensitive information, caused by improper handling of command line options.
IBM X-Force ID: 163997.

IBM WebSphere Application Server Directory Listing Vulnerability

CVE-2019-4442

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9,0 could allow a remote attacker to traverse directories on the file system. An attacker could send a specially-crafted URL request to view arbitrary files on the system but not content.
IBM X-Force ID: 163226.

IBM WebSphere Application Server HTTP Parameter Pollution Vulnerability

CVE-2019-4271

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin console is vulnerable to a Client-side HTTP parameter pollution vulnerability.
IBM X-Force ID: 160243.

IBM WebSphere Application Server Cross Site Scripting Vulnerability

CVE-2019-4270

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
IBM X-Force ID: 160203

IBM WebSphere Application Server Directory Listing Vulnerability

CVE-2019-4468

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL containing "dot dot" sequences (/../) to view arbitrary files on the system.
IBM X-Force ID: 160201.

WordPress Cross-Site Scripting Vulnerability

CVE-2019-16223

WordPress before 5.2.3 allows XSS in post previews by authenticated users.

WordPress Cross-Site Scripting Vulnerability

CVE-2019-16222

WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.

WordPress Cross-Site Scripting Vulnerability

CVE-2019-16221

WordPress before 5.2.3 allows reflected XSS in the dashboard.

WordPress Open Redirect Vulnerability

CVE-2019-16220

In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect.

WordPress Cross-Site Scripting Vulnerability

CVE-2019-16219

WordPress before 5.2.3 allows XSS in shortcode previews.

WordPress Cross-Site Scripting Vulnerability

CVE-2019-16218

WordPress before 5.2.3 allows XSS in stored comments.

WordPress Cross-Site Scripting Vulnerability

CVE-2019-16217

WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.

Engine: 1001.48 and 1000.110