June 2015

Yoast SEO Plugin Authenticated, Stored XSS Vulnerability

The “snippet preview” feature of the Yoast WordPress SEO plugin was vulnerable to stored cross-site scripting in versions before 2.2 (that is, <= 2.1.1). The bug is authenticated and stored: a payload saved by a logged-in user is rendered by the snippet preview without being escaped, so it executes in the browser of whoever views the preview afterwards. The issue appears to have been reported two years earlier by a user named “badconker”, and the plugin author responded that it had already been patched; unfortunately, that was not the case. If you are running this plugin, update to the latest version.
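To make the bug class concrete, here is an added illustration of a snippet preview that builds its markup from stored SEO fields, in a vulnerable form and a hardened form. This is example code written for this page, not the Yoast plugin's own code: the field names (seoTitle, url, metaDescription), the helper names, and the sample stored record are assumptions.

```javascript
// Added illustration of stored XSS in a "snippet preview". This is NOT the
// Yoast plugin's code; field names, helper names and the sample payload are
// assumptions made for the example.

// Minimal HTML escaper for text placed inside element content or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable form: stored values are concatenated straight into markup, so a
// payload saved earlier by an authenticated user runs whenever the preview
// is rendered for anyone who views it.
function renderSnippetPreviewUnsafe(post) {
  return '<div class="snippet-preview">' +
    '<a class="title">' + post.seoTitle + '</a>' +
    '<span class="url">' + post.url + '</span>' +
    '<p class="desc">' + post.metaDescription + '</p>' +
    '</div>';
}

// Hardened form: every stored field is escaped at the point it enters HTML.
// Storing the data unchanged is fine; the fix is output encoding at render time.
function renderSnippetPreviewSafe(post) {
  return '<div class="snippet-preview">' +
    '<a class="title">' + escapeHtml(post.seoTitle) + '</a>' +
    '<span class="url">' + escapeHtml(post.url) + '</span>' +
    '<p class="desc">' + escapeHtml(post.metaDescription) + '</p>' +
    '</div>';
}

// Constructed sample record: what a malicious editor might have saved.
const storedPost = {
  seoTitle: 'Quarterly report<script>alert(document.cookie)</script>',
  url: 'https://example.test/quarterly-report/',
  metaDescription: 'Results for Q2 "preliminary" <img src=x onerror=alert(1)>',
};

// Crude check used to compare the two renderers: does the markup still
// contain a script tag or an inline event handler on an img element?
function containsActiveContent(html) {
  return /<script\b|<img\b[^>]*\bonerror=/i.test(html);
}

console.log('unsafe:', renderSnippetPreviewUnsafe(storedPost));
console.log('safe:  ', renderSnippetPreviewSafe(storedPost));
console.log('unsafe executes:', containsActiveContent(renderSnippetPreviewUnsafe(storedPost)));
console.log('safe executes:  ', containsActiveContent(renderSnippetPreviewSafe(storedPost)));
```

The escaper above is only correct for element content and quoted attribute values; a value that lands inside a URL, a script block or an unquoted attribute needs the encoding appropriate to that context.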

Yoast WordPress SEO XSS in action


Announcing DefectDojo v1.0.2!

I’m happy to announce the latest version of a project that the Security Engineering team at Rackspace has been working on: DefectDojo! DefectDojo is an open source defect tracking system our team created to keep up with security engagements, but it is useful for tracking any type of application testing. Its features include finding templates, PDF report generation, metrics graphs and charts, and some self-service tools such as port scanning.

Checking out DefectDojo

A view of the DefectDojo dashboard

To get the latest version, you can download a zip file or view the source on GitHub. Want to try a demo before installing it on your own machine? We have you covered.

Login as admin:

Login as product owner / non-staff user:
