Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Every single day, billions of API calls happen across the internet. Behind your favorite applications, APIs work quietly to move data and connect systems. But with the growing use of APIs, API attacks didn’t just increase – they exploded. Take the Optus breach in September 2022, in which attackers exploited an unprotected API endpoint and accessed the personal data of up to 9.8 million customers, leading to a $10 million fine.

Product Name: Dynamic Dashboard Vulnerability: Stored XSS Vulnerable Version: >= 3.0.0, < 3.0.1 CVE: CVE-2024-47817 On October 5, 2024, the security researchers from Astra discovered a severe Stored Cross-Site Scripting vulnerability in Dynamic Dashboard’s paragraph widget. The widget, used for text and markdown, has inadequate input sanitization allowing attackers to inject malicious code.

Product Name: Dynamic Dashboard Vulnerability: Stored XSS Vulnerable Version: >= 3.0.0, < 3.0.1 CVE: CVE-2024-47817 Astra Security researchers identified a vulnerability in LocalAI, an Open-Source OpenAI alternative. The vulnerability, CVE-2024-9900, is a stored Cross-Site Scripting issue affecting the LocalAI v2.21.1 prompts, which allow malicious scripts and payloads to be input.

As organizations grow and adopt cloud-native technologies, securing digital infrastructure at scale has become increasingly complex. According to the Cloud Security Alliance, 73% of organizations struggle to secure business-critical cloud applications due to misconfigurations and limited risk visibility. Ransomware alone can cost companies millions, and with the rise in cyber threats, even cyber insurance may not fully protect them from repeated attacks.

Product Name: bodi0’s Easy Cache Vulnerability: Stored XSS Vulnerable Version: Will be disclosed soon CVE: Will be disclosed soon On September 16, 2024, the team of pentesters at Astra Security found a stored Cross-Site Scripting or XSS in bodi0’s Easy Cache plugin. It is a plugin designed for WordPress that helps optimize the caching functionality, thus allowing enhanced page loading and reducing the server load.

This Cyber Security Awareness month, we’re thrilled to launch The 403 Circle, our new community-driven approach to building a safer world. It isn’t for everyone, but it might be for you. We are surrounded by an overwhelming trove of information, from AI chatbots and mile-long whitepapers to social networks or ‘communities’ that treat you like a product—to acquire, upsell, and renew contracts. At Astra, we strive to simplify proactive security.

On 24 September 2024, the security researchers at Astra discovered a critical broken access control vulnerability in the Class Committee Management System, an open-source project. The web-based system allows users to manage files, schedule meetings, generate reports, and access other management features. A broken access control vulnerability occurs when the application does not enforce proper permissions and restrictions.

Astra Security identified a vulnerability in the InvenTree Inventory Management System on October 2nd, 2024, which has since been patched. This vulnerability, CVE-2024-47610, is stored cross-site scripting (stored XSS) that targets versions of InvenTree below 0.16.5, where ‘Markdown,’ in the Notes feature, can enable attackers to run code. Cross-site scripting vulnerabilities allow a hacker to inject HTML code into an application and affect the users who intercept the code.

Engineering Leaders are stretched thinner than ever, racing to deliver innovative products and scale operations while securing a complex digital ecosystem across the increasing perimeter of code, DevOps, compliance, and more. Remember the infamous MOVEit attacks that compromised nearly 2,000 organizations, from BBC and Harvard to local government agencies. Over 67 million individuals were affected, underscoring the devastating consequences of such breaches.

Cybersecurity is no longer an awareness issue but a strategic execution problem. In 2023, 96% of CEOs acknowledged cybersecurity’s importance for organizational growth, stability, and competitiveness, but only 15% had dedicated board meetings to discuss cybersecurity issues. This disconnect between awareness and action stems primarily from difficulty quantifying cybersecurity goals, investments, and return on investment (ROI), making it easier to overlook or, at best, an afterthought.