

As we did last year, we took a look back at 2019 to understand the changes and trends in web application and database security over the past year. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrating it into a single repository, and assessing each vulnerability’s priority. Having this kind of data puts us in a unique position to provide an analysis of all web application and database vulnerabilities throughout the year, view trends, and notice significant changes in the security landscape.

This year we slightly changed the vulnerability classification algorithm. The goal was to increase classification accuracy as well as to fit the vulnerabilities to the categories defined by OWASP in the best way possible. Such changes directly affected our research, however, and made it hard to compare to the previous years’ published results. We, therefore, executed the new algorithm on the data from the previous years and conducted the research back to 2016. In this blog post, all the results from 2019 and previous years are aligned based on the new classification algorithm.

It may seem to our readers that, when divided into categories, the sum of the vulnerabilities is greater than the total number of vulnerabilities. The reason for this is the assignment of particular vulnerabilities to multiple categories. For example, we came across a SQL injection vulnerability that could allow an attacker to extract sensitive information from a database and execute arbitrary scripts. In such a case the vulnerability would be related to both the ‘Injection’ and ‘Sensitive Data Exposure’ categories. We often face a situation in which one vulnerability can be exploited in different ways and lead to different results. In such cases, we decided to assign the vulnerability to all the categories in which it may manifest. We believe that such an approach presents the overall picture in the most accurate way.

As in previous years, we continued to see an increase in the number of vulnerabilities in 2019. The dominant category this year was, by far, injection. When drilling down into the data, a large percentage appeared to be related to Remote Code/Command Execution (RCE). The runner-up category was Cross-site scripting (XSS), mainly consisting of Reflected XSS vulnerabilities. We also observed an increase in vulnerabilities in third-party components compared to the previous year, with most of the vulnerabilities related to WordPress plugins. We observed an unexpected decrease in the number of IoT vulnerabilities too, despite the increase in the number of devices in the market.

As expected, the number of vulnerabilities in API (Application Programming Interface), which is still a growing market, continues to grow, although not as fast as we would have expected based on the previous year. In the content management system category, WordPress was not only the most popular platform but also dominated the number of new vulnerabilities in 2019. In the server-side technologies category, PHP – the most prevalent server-side language – was associated with the highest number of vulnerabilities. MySQL appears to be ahead of all other popular databases in terms of new vulnerabilities discovered in the last year, with 130 (59%) of the total vulnerabilities. The most common vulnerability in databases was Denial-of-Service (DoS). We drew an interesting conclusion from the social media analysis we conducted on.

