Automation 360 Robotic Process Automation suite v21-v32 is vulnerable to unauthenticated Server-Side Request Forgery (SSRF).
SSRF occurs when the server can be induced to perform arbitrary requests on behalf of an attacker. An attacker with unauthenticated access to the Automation 360 Control Room HTTPS service (port 443) or HTTP service (port 80) can trigger arbitrary web requests from the server.
Read more…
Source: Rapid7
Related:
- Emergency Oracle Patch Closes Bug Rated 10 in Severity
October 31, 2017
Oracle pushed out an emergency update for a bug in Oracle Identity Manager that is as bad as it gets. Scoring a 10 on the CVSS scale, the vulnerability, CVE-2017-10151, enables an attacker to remotely take over the software without the need for authentication. “While the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products,” according ...
- Bad Rabbit used NSA “EternalRomance” exploit to spread, researchers say
October 26, 2017
Despite early reports that there was no use of National Security Agency-developed exploits in this week’s crypto-ransomware outbreak, research released by Cisco Talos suggests that the ransomware worm known as “Bad Rabbit” did in fact use a stolen Equation Group exploit revealed by Shadowbrokers to spread across victims’ networks. The attackers used EternalRomance, an exploit that bypasses security over ...
- DUHK Attack Exposes Gaps in FIPS Certification
October 24, 2017
Despite the obligatory logo and clever name, this week’s assault on crypto, the so-called DUHK attack (Don’t Use Hardcoded Keys), isn’t likely to be part of many threat models. Though the attack can be used to passively decrypt VPN and encrypted browser traffic, it relies on a host of implementation errors in admittedly ancient security appliances to trigger ...
- Hackers race to use Flash exploit before vulnerable systems are patched
October 20, 2017
Hackers are rushing to exploit a zero-day Flash vulnerability to plant surveillance software before organisations have time to update their systems to patch the weakness. Uncovered by researchers at Kaspersky Lab on Monday, the CVE-2017-11292 Adobe Flash vulnerability allows attackers to deploy a vulnerability which can lead to code execution on Windows, Mac, Linux, and Chrome OS systems. The exploit enables ...
- Google offers hackers $1,000 bounty to hack and fix Play Store apps
October 20, 2017
Google is offering security researchers a $1,000 (£760) bounty if they can successfully hack apps on its Play Store and help fix them. Bug bounty programmes are a popular way for companies to reward hackers who find vulnerabilities in their software and disclose them to developers so they can be fixed rather than exploited. The focus on ...
- Hackers Take Aim at SSH Keys in New Attacks
October 19, 2017
SSH private keys are being targeted by hackers who have stepped up their scanning of thousands of servers hosting WordPress websites in search of private keys. Since Monday, security researchers said they have observed a single entity scanning as many as 25,000 systems a day seeking vulnerable SSH keys to be used to compromise websites. “What ...