Automation 360 Robotic Process Automation suite v21-v32 is vulnerable to unauthenticated Server-Side Request Forgery (SSRF).
SSRF occurs when the server can be induced to perform arbitrary requests on behalf of an attacker. An attacker with unauthenticated access to the Automation 360 Control Room HTTPS service (port 443) or HTTP service (port 80) can trigger arbitrary web requests from the server.
Read more…
Source: Rapid7
Related:
- Intel ME controller chip has secret kill switch
August 29, 2017
Security researchers at Moscow-based Positive Technologies have identified an undocumented configuration setting that disables Intel Management Engine 11, a CPU control mechanism that has been described as a security risk. Intel’s ME consists of a microcontroller that works with the Platform Controller Hub chip, in conjunction with integrated peripherals. It handles much of the data travelling between ...
- VoIP bods Fuze defuse triple whammy of portal security vulnerabilities
August 23, 2017
Messaging provider Fuze has resolved a trio of vulnerabilities in its TPN Handset Portal. The access controls and authentication flaws, discovered by security tools firm Rapid7, created a means for hackers to obtain personal data about Fuze users ranging from phone numbers to email addresses and access credentials. Once seized through brute-force attacks, this sensitive data could ...
- Simple Exploit Allows Attackers to Modify Email Content — Even After It’s Sent!
August 23, 2017
Security researchers are warning of a new, easy-to-exploit email trick that could allow an attacker to turn a seemingly benign email into a malicious one after it has already been delivered to your email inbox. Dubbed Ropemaker (stands for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky), the trick was uncovered by Francisco Ribeiro, the researcher at email and ...
- Juniper Issues Security Alert Tied to Routers and Switches
August 10, 2017
Juniper Networks warned customers Thursday of a high-risk vulnerability in the GD graphics library that could allow a remote attacker to take control of systems running certain versions of the Junos OS. The alert was in conjunction with a warning from the U.S. Computer Emergency Readiness Team (US-CERT) that said affected versions of the Junos OS ...
- CouchPotato: CIA Hacking Tool to Remotely Spy On Video Streams in Real-Time
August 10, 2017
After disclosing CIA’s strategies to hijack and manipulate webcams and microphones to corrupt or delete recordings, WikiLeaks has now published another Vault 7 leak, revealing CIA’s ability to spy on video streams remotely in real-time. Dubbed ‘CouchPotato,’ document leaked from the CIA details how the CIA agents use a remote tool to stealthy collect RTSP/H.264 video streams. Real Time Streaming Protocol, or RTSP, ...
- SAP Patch Tuesday Update Resolves 19 Flaws, Three High Severity
August 9, 2017
SAP released 19 patches on Tuesday, fixing a trio of vulnerabilities marked high severity in its business management software. The most pressing fixes are for a directory traversal vulnerability in the company’s Netweaver AS Java Web Container, a code injection vulnerability in its Visual Composer design tool, and a cross-site AJAX request vulnerability in its BusinessObjects suite of applications. The ...