Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-23369PUBLISHED: 2021-05-10In YzmCMS 5.6, XSS was discovered in member/member_content/init.html via the SRC attribute of an IFRAME element because of using UEditor 1.4.3.3.
CVE-2020-23370PUBLISHED: 2021-05-10In YzmCMS 5.6, stored XSS exists via the common/static/plugin/ueditor/1.4.3.3/php/controller.php action parameter, which allows remote attackers to upload a swf file. The swf file can be injected with arbitrary web script or HTML.
CVE-2020-23371PUBLISHED: 2021-05-10Cross-site scripting (XSS) vulnerability in static/admin/js/kindeditor/plugins/multiimage/images/swfupload.swf in noneCms v1.3.0 allows remote attackers to inject arbitrary web script or HTML via the movieName parameter.
CVE-2020-23373PUBLISHED: 2021-05-10Cross-site scripting (XSS) vulnerability in admin/nav/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.
CVE-2020-23374PUBLISHED: 2021-05-10Cross-site scripting (XSS) vulnerability in admin/article/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.
0 Comments
Tweet This
User Rank: Apprentice
10/12/2015 | 12:22:18 PM
"Yes" the App has to have mitigations for its vulnerabilities as they exist at the App level, but that is a far cry from actually securing the operating environment. And without securing the OS operation the App can be made to believe that anything is occurring (or not occurring) as desired to exploit a weakness in the system.
Security is a chain that has to have 'strong links' at every level.
There has been a marketing trend of late, claiming that "their product" can magically secure the operating environment by running it on your App. Managers love this type of easy solution; it is just a shame that they are largely ineffective, at best just securing some limited aspects of App operation. At worst they are a lot of 'security theater' and hand waving.
In my opinion, the best approach is a multi-layered solution with a hardware root of trust. The use of TrustZone is a good first step towards this, and with all the security company acquisitions that ARM is making lately apparently they must be headed in that direction as well.
Now all we have to do is to convince the OS manufacturers that security is important enough to us that they will then start to use some of these hardware security tools that are available to them.
Instead they are releasing "new features" like 'upper / lower case keyboards' and 'long press', as if these are some new revolutionary concepts. We need them to focus on the real issues, not the fluff.
Maybe voting with our wallets will get their attention.