Sonar's latest blog posts

Featured Post

Announcing SonarSweep: Improving training data quality for coding LLMs

Recent research from Anthropic has shown that even a small amount of malicious or poor quality training data can have a massively negative impact on a model’s performance, exposing users to significant security and quality issues.

Read More
https://assets-eu-01.kc-usercontent.com:443/55017e37-262d-017b-afd6-daa9468cbc30/c4c32669-0e01-4074-926a-1b257686a90c/sonarsweep_blog_or_press_featured_with_mark__2x.webp
In this blog post we introduce an authenticated arbitrary file deletion vulnerability (CVE-2018-20714) in the WordPress core that can lead to attackers executing arbitrary code.
Blog post

WordPress File Delete to Code Execution

In this blog post we introduce an authenticated arbitrary file deletion vulnerability (CVE-2018-20714) in the WordPress core that can lead to attackers executing arbitrary code.

Read Blog >

In this post we will examine the technical intrinsics of a critical vulnerability in the previous Moodle release (CVE-2018-1133).
Blog post

Evil Teacher: Code Injection in Moodle

In this post we will examine the technical intrinsics of a critical vulnerability in the previous Moodle release (CVE-2018-1133).

Read Blog >

Get new blog posts delivered directly to your inbox!

Stay up-to-date with the latest Sonar content. Subscribe now to receive the latest blog articles.

I do not wish to receive promotional emails about upcoming SonarQube updates, new releases, news and events.

By clicking “Sign up”, you consent to receive email communications from SonarSource containing blog updates, product news, and other relevant content. We will store and process your personal data for this purpose as described in our Privacy Policy. You can withdraw your consent at any time by clicking the unsubscribe link in our emails or by contacting us in accordance with the Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Image shows various elements of code security, languages and bugs
Blog post

Import issues of your favorite linters in SonarQube Cloud!

Over the past 2 weeks, the following new features were deployed on SonarQube Cloud: import of issues from external linters with built-in support for TypeScript projects, support for the Go language, graceful handling of username change, first version of the GitHub Application, new rules for Python, Java and Swift

Read Blog >

Image shows various elements of code security, languages and bugs
Blog post

A Salesmans Code Execution: PrestaShop 1.7.2.4

PrestaShop is one of the most popular e-commerce solutions. We detected a highly critical vulnerability that allows to execute arbitrary code on any installation with version <= 1.7.2.4. In this technical blog post we present the vulnerability and the exploitation technique that could have been misused by attackers (CVE-2018-20717).

Read Blog >

Image for LimeSurvey 2.72.3 - Persistent XSS to Code Execution
Blog post

LimeSurvey 2.72.3 - Persistent XSS to Code Execution

We detected two vulnerabilities in LimeSurvey < 2.72.3: An unauthenticated persistent cross-site scripting vulnerability (CVE-2017-18358) and an authenticated arbitrary file write vulnerability which can be chained.

Read Blog >

Image shows various elements of code security, languages and bugs
Blog post

Joomla! 3.8.3: Privilege Escalation via SQL Injection

Joomla! is one of the biggest players in the market of content management systems and the second most used CMS on the web. We discovered a second-order SQL injection (CVE-2018-6376) that could be used by attackers to leverage lower permissions and to escalate them into full admin permissions on Joomla! prior version 3.8.4.

Read Blog >

Image shows various elements of code security, languages and bugs
Blog post

Why did my coverage just drop?!

After an upgrade people are sometimes surprised to find that the next analysis of a project with no real changes shows a significant drop in coverage. Believe it or not, that really is a feature, not a bug, and it's called Executable Lines.

Read Blog >

Image shows various elements of code security, languages and bugs
Blog post

CubeCart 6.1.12 - Admin Authentication Bypass

CubeCart is an open source e-commerce solution. In one of our latest security analysis we found two flaws in this web application that allow an attacker to circumvent the authentication mechanism required to login as an administrator (CVE-2018-20716).

Read Blog >

Image shows various elements of code security, languages and bugs
Blog post

Supporting analysis of .NET Core projects

Support for SonarQube Server analysis of projects in the new MSBuild v15 format has been one of the features most requested by the Microsoft community, now it's done !

Read Blog >

Image for Shopware 5.3.3: PHP Object Instantiation to Blind XXE
Blog post

Shopware 5.3.3: PHP Object Instantiation to Blind XXE

Shopware is a popular e-commerce software that bases on Symfony, Doctrine and the Zend Framework. In this blog post we investigate the exploitation of a rare PHP object instantiation vulnerability (CVE-2017-18357).

Read Blog >

Joomla! is one of the most popular content management systems. We detected a previously unknown LDAP injection vulnerability in the login controller that could allow remote attackers to l...
Blog post

Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection

Joomla! is one of the most popular content management systems. We detected a previously unknown LDAP injection vulnerability in the login controller that could allow remote attackers to leak the super user password and to fully take over any Joomla! installation.

Read Blog >