Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1114 (published 2019-12-05): A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action, and in the filteruid parameter to list.php.
CVE-2012-1115 (published 2019-12-05): A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.
CVE-2012-1592 (published 2019-12-05): A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.
CVE-2019-16770 (published 2019-12-05): A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
CVE-2019-19609 (published 2019-12-05): The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
User Rank: Author
10/30/2019 | 4:59:47 PM
Security and its many disciplines are tough jobs. You're usually an overhead function, which means constant budget pressure, especially if you don't have a clear risk management process/plan. Security leaders have a difficult time navigating what the relationship with the board should be (and their responsibilities), leaving the security team in ambiguous states of responsibility - a bad place to be in a breach. Every company today is technology driven, and tech adoption and operationalization is often the lynchpin of competitive edge... agile security is hard and can drag the business in its goals.
I think there's some organizational coaching work, better leadership around roles and responsibilities, and better technical approaches that could change the climate for the security professional.