Questions tagged [vulnerability-assessment]
The vulnerability-assessment tag has no usage guidance.
83 questions
3 votes · 1 answer · 80 views
How is CVE-2021-22044 risky?
I am looking at this CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-22044
The description says:
In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to
2.2.9.RELEASE, and older unsupported ...
2 votes · 0 answers · 95 views
Can recent VirtualBox vulnerabilities escape to host?
I ran an unpatched VirtualBox with a Windows guest that might have been compromised. Now I'm unsure if some recent exploits can escape guest-to-host in this scenario.
An example would be CVE-2024-...
2 votes · 1 answer · 321 views
How to report related findings in a pentest report
I am running a pentest on a web application, and I detected a vulnerability but I am not sure how to report it. I am confused if I should split it or document it as 1 finding. I will explain below.
So ...
0 votes · 1 answer · 191 views
How to calculate CVSS score of a finding detected in the source code?
While I was doing source code review of API handlers for REST APIs, I found a security issue.
This issue is that some methods have the annotation @PreAuthorize("permitAll()").
If I want to ...
0 votes · 1 answer · 255 views
If a library has a vulnerable function, but my code doesn't call it, is my code at risk? Do I need to update?
I am trying to analyze CVE-2023-34453. As per the NVD description, there is an integer overflow error in snappy-java, specifically in the method shuffle(int[] input) in BitShuffle.java.
In a huge ...
1 vote · 0 answers · 137 views
Is it possible to break out of 8086 tiny from within?
We don't normally worry about old school viruses breaking out of emulators; but sometimes we worry about targeted exploit code breaking out of emulators.
8086tiny is an 8086/80186 CPU emulator. The ...
0 votes · 1 answer · 257 views
How to assess the Privilege Required?
I am calculating the CVSS score for an issue, and I am confused about the Privileges Required (PR).
The issue is, for a client desktop app that connects to a server, the logged in user allows ...
0 votes · 1 answer · 135 views
If multiple websites use a single IP and we have been asked to perform a vulnerability assessment to ensure its security, how many should be targeted?
When doing black-box vulnerability assessment (with permission of course) of a subdomain of a website, the first step is enumeration; and the first step of that is finding IP of the subdomain.
If you ...
1 vote · 0 answers · 101 views
What does a risk assessment for an EU project look like?
I have to provide a draft of a risk assessment for a small EU project.
As I've never done this, I struggle with identifying assets or vulnerabilities. I'm aware of very general lists, but I wonder ...
1 vote · 3 answers · 209 views
Security implications of using the current session to mint new access tokens
I saw a setup recently where frontend and resource servers were hosted on subdomains of the same second level domain. E.g. ui.example.com and api.example.com.
It had an interesting authentication flow ...
0 votes · 1 answer · 206 views
Information leakage from an API 404 response
Our consulting company has received a VAPT from a consulting company on behalf of a financial customer.
The application has an HR/group management module.
Normally employees are created by an ...
1 vote · 0 answers · 105 views
Is there any guideline or procedure for a 4G hardware equipment (4G landline phone and home Wi-Fi router) security audit/assessment?
I need to perform a security audit/assessment on 4G LTE hardware equipment:
4G landline wireless phone (not android OS but with many features such as WiFi hotspot)
4G Wifi home router
Is there ...
2 votes · 2 answers · 992 views
What is dynamic code analysis? Is it the same as DAST?
I'm confused a bit between the terms. What I know is that there is SAST and DAST. SAST is scanning code statically for possible vulnerabilities, equivalent to static code analysis. This is usually ...
1 vote · 1 answer · 143 views
Security for a Windows application running in a corporate network
I know security is pretty important for web applications, but what about Windows applications running in a corporate environment/network, not accessible from outside.
Do we need to treat security ...
2 votes · 1 answer · 2k views
RCE vs ACE vulnerability families
Is RCE (Remote Code Execution) just ACE (Arbitrary Code Execution) over a network or is there an example where RCE is not ACE? Is RCE always the more severe of the two (with respect to gaining system ...
1 vote · 1 answer · 127 views
Is an outdated library in a Windows user mode desktop application an actual security risk?
I have a Windows 10 desktop application that runs in user mode only, and this application is a local tool only -- that is, it does not "talk to the internet".
As an example:
This ...
1 vote · 1 answer · 703 views
What is difference & link between threat modelling and vulnerability assessment?
My understanding is that, threat modelling is used at the design stage to identify the possible threats, prioritize them and help in identifying security requirements/security controls. Vulnerability ...
7 votes · 1 answer · 352 views
What exactly is CVE-2021-23978 (from MSFA2021-08 in Mozilla Firefox)?
A number of vulnerabilities were fixed in Firefox in the latest update. MSFA2021-08 describes it only as "memory issues that may be exploitable", and doesn't give any information:
Mozilla ...
1 vote · 1 answer · 305 views
What are the risks associated with accessing the same web application with two different URLs?
We have done vulnerability analysis with a third-party security team. They have mentioned one point as a critical finding but I don't understand the risk associated with it, and the suggested remedial action also ...
0 votes · 1 answer · 142 views
Cryptographic File Storage scheme
First of all, I am new to security as a whole and taking my first formal course on it. So sorry if any major errors are present.
I had a scheme for remote file storage as an attempt to use my course ...
1 vote · 1 answer · 150 views
How to rate a CVSS score if OS/compiler vulnerability mitigations are highly likely but not guaranteed?
Let's consider the following code in a hypothetical C library.
uint8_t size;
uint8_t buf[128];
read(untrusted_fd, &size, 1);
read(untrusted_fd, buf, size);
In the early 2000s, it would be a ...
1 vote · 0 answers · 257 views
Remote file inclusion (RFI) found - vulnerability or false positive?
For educational purposes, I am pentesting an app server of mine. I am using ZAP and it reports a remote file inclusion vulnerability. I looked at it and think it's a false positive, but before I miss ...
2 votes · 1 answer · 259 views
GraphQL endpoint security testing
I am working with a team who is developing a mobile app for which they are using GraphQL.
So as part of performing security testing of it, they only shared the GraphQL endpoint and nothing else.
Not even ...
1 vote · 4 answers · 1k views
Application is validating the file extension but not file content - Is this a security vulnerability?
An application has file extension validation on the server side and rejects the request if the extensions do not match (.pdf/.docx). But if I modify an exe file's extension to .pdf and ...
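Content sniffing that the question's extension check is missing, added here as an example (not code from the post or from any product). It checks the bytes the server actually received: a PDF starts with `%PDF-`, and a DOCX is a ZIP package that must contain `[Content_Types].xml` and `word/document.xml`. The sample files (a minimal PDF header, a minimal DOCX-shaped zip built with `zipfile`, an EXE header renamed to `.pdf`, and a bare ZIP signature) are constructed inline so the example runs offline.

```python
"""Magic-byte and container check for uploads that claim to be .pdf or .docx.

Added example; the sample inputs below are constructed, not real files.
"""
import io
import zipfile

PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"   # local file header that starts every ordinary zip
EXE_MAGIC = b"MZ"           # DOS/PE header, what a renamed .exe still starts with


def sniff(data):
    """Return 'pdf', 'docx' or None from the content alone, ignoring the filename."""
    head = data[:8]
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head.startswith(ZIP_MAGIC):
        # A DOCX is an OOXML package: a zip with a content-types part and the main document part.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return None
        if "[Content_Types].xml" in names and "word/document.xml" in names:
            return "docx"
        return None
    return None


def accept_upload(filename, data):
    """Accept only when the allowed extension and the sniffed content agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ("pdf", "docx"):
        return False, "extension not allowed"
    kind = sniff(data)
    if kind != ext:
        return False, f"content looks like {kind or 'unknown'}, not {ext}"
    return True, "ok"


def make_docx_like():
    """Constructed minimal OOXML package: enough structure for sniff() to call it a docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed samples (assumption: none of these are real uploads).
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj<<>>endobj\n%%EOF\n",
    "memo.docx": make_docx_like(),
    "installer.pdf": EXE_MAGIC + b"\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,  # .exe renamed to .pdf
    "archive.docx": ZIP_MAGIC + b"\x00" * 26,  # zip signature only, not a real package
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15} {accept_upload(name, data)}")
```

The sniff is a necessary check, not a sufficient one: a file that really is a PDF can still carry JavaScript or an embedded file, and polyglots exist that satisfy two parsers at once, so what happens to the file after acceptance (where it is stored, who opens it, whether it is served back with an attacker-chosen content type) still belongs in the finding.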
0 votes · 2 answers · 637 views
Are smart plugs safe? (Xiaomi in particular)
Are smart plugs safe, Xiaomi ones in particular (Zigbee and Wi-Fi versions)?
My main concern is that the plug is connected to a Mi account and allows remote management. In case a hacker gains access, can ...
1 vote · 1 answer · 174 views
Security assessment of a legacy SSL/TLS implementation on an IoT device
I am doing a security assessment on the communication security of a legacy IoT device. The objective is to assess and find security gaps in the current design/implementation.
The mode of assessment is ...
1 vote · 0 answers · 253 views
Collaboration tools [closed]
Are there any good alternatives to the lair-framework? I think that was an awesome platform, and unfortunately it's not maintained anymore and there are no more updates to it. But I have tried all other kinds of ...
0 votes · 1 answer · 214 views
How is vulnerability assessment different for applications and infrastructure?
I am working for a company where vulnerability assessment for infrastructure and applications is being done by different vendors. Sometimes I get confused whether the assessment should happen on the ...
1 vote · 2 answers · 7k views
If I am using a VPN that allows multiple connections, can each user/device view the traffic of the other users?
If I am using a VPN service, but it allows up to, let's say, 8 devices to connect, are all the devices/users able to view traffic from other users/devices?
Or is each VPN connection creating its own ...
0 votes · 0 answers · 137 views
Counterintuitive remediation cost scale within SEI CERT Coding Guidelines for priority
The SEI CERT Coding Guidelines assign a priority to each rule, formed from the product of three factors: severity, likelihood, and remediation cost. Each of these three factors is assigned a value ...
3 votes · 4 answers · 564 views
Risk of web admin portal without extra authentication steps
More of a philosophical question: suppose there is one behavior which allows an attacker to do something with high impact but by itself cannot be used to cause that impact. For example, internet ...
0 votes · 4 answers · 242 views
Accessing user data by a public 'token' - is it a potential vulnerability?
I joined a small project, and I noticed that the project uses something like a token associated with a user journey. So the URL looks something like: https://host.com/sell/:jurneyID.
All data entered ...
1 vote · 2 answers · 161 views
AES Traffic Security Assessment
Assume we have only access to the traffic between two modules (hardware, software, ...) and these modules communicate with SSL (PSK).
Is it possible to assess AES encryption of this traffic?
some ...
3 votes · 0 answers · 142 views
Version earlier than 0 in Debian OVAL feeds
I'm trying to parse Debian OVAL feeds to establish if some packages are vulnerable or not. I'm using criterions to establish what's the vulnerable version for a package, however often there are ...
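The comparison an OVAL `dpkginfo` "less than" criterion needs, added here as an example; it is not code from the question or from Debian's tooling. It implements the ordering dpkg documents: epoch first, then the upstream part, then the Debian revision, where each part is compared as alternating non-digit and numeric runs, `~` sorts before everything (including the end of the string), digit runs compare numerically, and letters sort before other punctuation. The package versions below are constructed, not taken from any feed.

```python
"""dpkg-style version ordering for evaluating OVAL dpkginfo 'less than' criteria.

Added example; the version strings in CASES are constructed, not real CVE data.
"""


def _order(c):
    """Weight dpkg gives a character inside a non-digit run ('' = end of string)."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1          # the only thing that sorts below "nothing at all"
    if c.isalpha():
        return ord(c)
    return ord(c) + 256    # punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two version fragments as alternating non-digit and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: character by character with dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Numeric run: compared as integers, so 1.10 > 1.9 and leading zeros are ignored.
        si, sj = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[si:i] or "0"), int(b[sj:j] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(v):
    """'epoch:upstream-revision' -> (epoch, upstream, revision); epoch and revision optional."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")   # revision is everything after the LAST hyphen
    if not upstream:
        upstream, revision = revision, ""       # no hyphen at all
    return epoch, upstream, revision


def dpkg_compare(a, b):
    """Negative, zero or positive, in the same order as dpkg --compare-versions."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _verrevcmp(ua, ub)
    if c != 0:
        return c
    return _verrevcmp(ra, rb)


def is_vulnerable(installed, criterion_version, operation="less than"):
    """Evaluate one dpkginfo criterion of the form 'installed version <op> value'."""
    if operation != "less than":
        raise ValueError("only 'less than' is handled in this example")
    return dpkg_compare(installed, criterion_version) < 0


# Constructed (installed, criterion) pairs; the last two use the puzzling value "0".
CASES = [
    ("2.4.1-3", "2.4.2-1"),
    ("2.4.1~rc1-1", "2.4.1-1"),
    ("1:1.0-1", "2.0-5"),
    ("0~git20200101-1", "0"),
    ("1.0-1", "0"),
]

if __name__ == "__main__":
    for installed, criterion in CASES:
        print(f"{installed:18} < {criterion:10} -> {is_vulnerable(installed, criterion)}")
```

Run with a criterion value of `0`, the comparator returns "earlier" only for versions whose upstream part is `0` followed by a tilde, such as `0~git20200101-1`; `0-1`, `1.0` and anything with an epoch all sort above it. A parser that short-circuits such a criterion to "everything matches" or "nothing matches" without running the comparison will therefore disagree with dpkg on exactly those packages, whatever the feed's own documentation says the value is meant to express.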
1 vote · 0 answers · 216 views
Threat modelling workshop materials focusing on threat actor profiles [closed]
A while back I went to a threat modelling workshop that had a card deck with various actors, their motivations, and their methods.
I found this extremely helpful to frame the discussion around the ...
1 vote · 1 answer · 203 views
Is it reasonable to provide admin access for a PCI vulnerability scan?
My organization is going through a PCI-DSS compliance process. As part of that, we're contracting out our external and internal vulnerability scans.
The contractor is asking for admin access to our ...
0 votes · 0 answers · 116 views
Pre-flight request is triggering in Chrome but not in IE
I am testing an app for CSRF vulnerability and I observed that when I generate a cross-domain XHR PoC with Burp and try to exploit, a pre-flight request is getting triggered but this is not ...
0 votes · 0 answers · 291 views
Identifying Share Permission and File Permission on Hundreds of Servers
Objective
Identify and report on Windows hosts in the network which allow file/folder access (READ/WRITE/Execute) for Everyone.
Scenario:
Using agent based scanner, I extracted share permissions ...
2 votes · 3 answers · 511 views
Do I need to worry about vulnerabilities that require administrative privileges to exploit?
I am currently evaluating the impact that the recent NUC Firmware Advisory has on our machines.
What confuses me is the fact that those vulnerabilities are scored with
a high risk score, but
require(...
1 vote · 1 answer · 185 views
XSS vulnerability in a module that doesn't exist
We did a vulnerability scan on our systems and received a vulnerability:
Basit Submit Module Cross Site Scripting Vulnerability.
We are not even aware of this application on our system. We filed a ...
3 votes · 1 answer · 1k views
Are there any known vulnerabilities in LibreOffice password protection for *.odt files?
I was looking for a source to determine the safety of password protection in LibreOffice. The thread at ask.libreoffice.org suggests it's safe to use. However, the thread is rather old and it is hosted ...
0 votes · 0 answers · 323 views
Can OpenVAS do a scan on a scanner device?
I know OpenVAS can scan printers with just tweaking some scan configuration.
I try to scan a scanner device but I only get one result which is OS Detection Consolidation and Reporting.
I have an ...
1 vote · 0 answers · 141 views
What would you do as first day of CSO or Head of CyberSecurity [closed]
I was asked this question at an interview today and was unable to give a structured answer since there are so many things a head of security can do.
The additional info that I had was:
- You can ...
1 vote · 3 answers · 831 views
Vulnerability management and assessment tracking solutions
How does your company track the vulnerability management information that happens between receiving a vulnerability scan report and remediating a vulnerability?
Given the following example:
Scan A ...
10 votes · 1 answer · 4k views
Security risks of using ffmpeg as part of web service
I'm working on a web service that uses ffmpeg on the backend for processing user uploaded media files. I'm giving the users some options to customize how their videos are processed, which is ...
0 votes · 2 answers · 336 views
PHP Code Injection vulnerability exists even after recommended hardening
Using Burp to intercept traffic and inject code we have identified a remote code execution vulnerability in a website. After entering data in input fields on the form and clicking submit the traffic ...
1 vote · 0 answers · 92 views
Do application security assessments done using SaaS solutions (WhiteHat Sentinel and Fortify on Demand) count as penetration tests?
SaaS security solutions such as "WhiteHat Sentinel" and "Fortify on Demand" are getting popular nowadays. The methodologies of both describe them as involving manual verification. Does this qualify the ...
2 votes · 1 answer · 221 views
What information should I provide to third party pen testers - (black box penetration)
I am going to hire a third party security company for Penetration testing in our company network. I have already selected a pen testing and black box testing company to do them, but they have ...
0 votes · 1 answer · 452 views
Internal HTTP(s) vulnerabilities
We use Rapidfire + Network Detective where I work, for doing non-intrusive internal scans on all of our clients' networks. Every week, half of the tickets I get for this are port 80/443 ...
2 votes · 1 answer · 116 views
Periods in Common Platform Enumeration WFN (NIST Interagency Report 7695 )
I’m looking at NIST Interagency Report 7695 and the grammar described in 5.3.2 seems to say that all . need to be preceded by a \, but this doesn’t seem to be followed in the CPE dictionary. Am I ...