controlgap.com

Posts by: Zach Matthews

Control Gap Vulnerability Roundup: January 21st to January 27th

This week saw the publication of 537 new CVE IDs. Of those, 480 have not yet been assigned official CVSS scores; of the ones that were, approximately 4% were of critical severity, 49% were high, 47% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • YellowFin Business Intelligence platform was found to utilize a hard-coded RSA private key for several cryptographic functions resulting in multiple authentication bypass vulnerabilities which could be abused to achieve remote code execution.
  • Multiple buffer overflow vulnerabilities were disclosed for Adobe Acrobat which could result in remote code execution if a user opens a crafted file. These kinds of vulnerabilities will slowly become more valuable as Microsoft makes strides to shut down typical malspam techniques.
  • A whopping 62 vulnerabilities allowing for remote code execution were disclosed by Cisco Talos for the Siretta Quartz Gold industrial LTE router.
  • Solar-Log Photovoltaic device firmware was found by Swascan researchers to have backdoor “Super Admin” credentials which can be derived from public information available on the web portal.

Control Gap Vulnerability Roundup: January 14th to January 20th

This week saw the publication of 712 new CVE IDs. Of those, 247 have not yet been assigned official CVSS scores; of the ones that were, approximately 21% were of critical severity, 29% were high, 48% were medium, and 2% were low. Listed below are the vulnerabilities that caught our attention:

  • Multiple remote code execution vulnerabilities were identified in the universal open-source project Git via a source-code review conducted by X41 D-Sec and the GitLab Security Research Team.
  • Two vulnerabilities which could be chained together to achieve unauthenticated remote code execution have been disclosed for multiple models of Cisco Small Business routers. The products are end-of-life and Cisco has stated it will not be addressing the vulnerabilities.
  • A vulnerability in the Samsung Galaxy App store could allow applications already present on the phone to install any app available through the app store without user permission. The vulnerability does not affect Android 13 or later due to additional security measures implemented in the OS.
  • Multiple vulnerabilities were disclosed by CISA for Sewio’s Real-Time Location System including remote code execution. Given the product’s ability to track personnel in real-time, the impact may be much more severe than the assigned CVSS score.

Control Gap Vulnerability Roundup: January 7th to January 13th

This week saw the publication of 712 new CVE IDs. Of those, 328 have not yet been assigned official CVSS scores; of the ones that were, approximately 17% were of critical severity, 49% were high, 33% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • A difficult-to-exploit but wide-ranging vulnerability in Okta’s Auth0 JSON Web Token library could allow for remote code execution under the right conditions.
  • A 0-day vulnerability in multiple versions of Windows which would allow for privilege escalation was discovered by Avast in what appears to be an actively utilized exploit chain.
  • A simple unauthorized SQL injection vulnerability was discovered by researchers at Tenable which affected more than 100,000 installations of the Paid Membership Pro WordPress plugin.
  • The Israeli National Cyber Directorate disclosed multiple vulnerabilities for the cross-platform FTP server Rumpus. The software does not appear to be regularly updated and has possibly been abandoned by the developer. There are thousands of internet-facing Rumpus instances at the time of writing.

Control Gap Vulnerability Roundup: December 31st to January 6th

This week saw the publication of 425 new CVE IDs. Of those, 240 have not yet been assigned official CVSS scores; of the ones that were, approximately 18% were of critical severity, 33% were high, 48% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • Popular NAS vendor Synology has disclosed a remote code execution vulnerability affecting their VPN Plus Server bearing the maximum CVSS score of 10.
  • CWP is vulnerable to an unauthenticated remote code execution bug stemming from improper handling of user input.
  • Zoho ManageEngine password manager products are vulnerable to SQL injection which allows any authenticated user to arbitrarily query the back-end database.
  • Apache Dubbo vulnerabilities dating back to 2021 have finally been disclosed by NIST’s NVD. The most severe vulnerability would allow for unauthenticated remote code execution.

Control Gap Vulnerability Roundup: December 10th to December 16th

This week saw the publication of 806 new CVE IDs. Of those, 307 have not yet been assigned official CVSS scores; of the ones that were, approximately 8% were of critical severity, 48% were high, 43% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • Fortinet has quietly addressed a vulnerability in its FortiOS SSL-VPN product which could allow for remote code execution. The vulnerability is known to have been exploited in the wild.
  • Citrix ADC and Citrix Gateway in certain authentication configurations can be vulnerable to remote code execution. Threat intelligence indicates the vulnerability has been exploited by APTs.
  • Apple has released an iOS patch for its WebKit engine to address an arbitrary code execution vulnerability. Apple has warned the vulnerability may have been exploited in the wild.
  • VMware vRealize has had multiple vulnerabilities disclosed including arbitrary file reads and remote code execution.

Control Gap Vulnerability Roundup: December 3rd to December 9th

This week saw the publication of 430 new CVE IDs. Of those, 4 have not yet been assigned official CVSS scores; of the ones that were, approximately 18% were of critical severity, 37% were high, 40% were medium, and 5% were low. Listed below are the vulnerabilities that caught our attention:

  • Cisco IP Phone firmware is vulnerable to remote code execution. Cisco plans to release a patch in the new year.
  • AMI MegaRAC BMC firmware, which is used to manage servers all over the world, was found to use default credentials for the root account and is vulnerable to remote code execution.
  • Veeam Backup for Google Cloud has been found to be vulnerable to an authentication bypass.
  • Zabbix client was found to adjust Windows firewall rules during install to allow all traffic inbound and outbound to the system.

Control Gap Vulnerability Roundup: November 26th to December 2nd

This week saw the publication of 564 new CVE IDs. In a strange week, 223 of those CVE IDs were labelled as “Reject, DO NOT USE”. Of the remaining legitimate IDs, 125 have not yet been assigned official CVSS scores; of the ones that were, approximately 13% were of critical severity, 37% were high, 48% were medium, and 2% were low. Listed below are the vulnerabilities that caught our attention:

  • Hyundai and Genesis myHyundai application functionality allows for remote vehicle takeover.
  • Android virtual keyboard & mouse applications could allow an attacker to compromise systems or surveil keystrokes.
  • Intel Datacenter Management console has been found to be affected by an authentication bypass vulnerability.
  • GitHub has released a feature for open-source maintainers that allows for easy reporting, remediation, and disclosure of vulnerabilities.

Control Gap Vulnerability Roundup: November 19th to November 25th

This week saw the publication of 343 new CVE IDs. Of those, 144 have not yet been assigned official CVSS scores; of the ones that were, approximately 31% were of critical severity, 30% were high, 38% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • Tailscale, the popular VPN and networking solution, could allow for remote code execution on Windows clients if users visit a malicious website.
  • Dolibarr, the popular ERP and CRM solution, was found to be vulnerable to SQL injection.
  • The “Nighthawk” router made by Netgear has had 17 unique buffer overflow vulnerabilities disclosed this week for multiple firmware versions.
  • The privacy-focused communications application Nextcloud Talk for Android was found to have flawed permissions which could allow malicious apps to spy on user communications.

Control Gap Vulnerability Roundup: November 12th to November 18th

This week saw the publication of 500 new CVE IDs. Of those, 144 have not yet been assigned official CVSS scores; of the ones that were, approximately 18% were of critical severity, 35% were high, 45% were medium, and 2% were low. Listed below are the vulnerabilities that caught our attention:

  • F5 Big-IP and Big-IQ products were found to be affected by a cross-site request forgery vulnerability which could lead to remote code execution. Exploitation of the vulnerability is highly conditional.
  • Liferay, the “digital experience” provider, has had 17 vulnerabilities of varying severity disclosed this week affecting a wide array of products and product versions.
  • IBM InfoSphere DataStage was found to be vulnerable to unauthenticated command injection. Customers are encouraged to patch immediately.
  • Atlassian Bitbucket users who can control their username can achieve command execution with crafted username payloads.

Control Gap Vulnerability Roundup: November 5th to November 11th

This week saw the publication of 507 new CVE IDs. Of those, 133 have not yet been assigned official CVSS scores; of the ones that were, approximately 16% were of critical severity, 43% were high, 38% were medium, and 3% were low. Listed below are the vulnerabilities that caught our attention:

  • Parse Server prototype pollution may lead to unauthenticated remote code execution.
  • Plesk cross-site request forgery (CSRF) can allow attackers to take over administrative accounts by luring victims to malicious websites.
  • Citrix Gateway and ADC products were found to have multiple vulnerabilities; products acting in the “gateway” role have a critical vulnerability which can allow unauthenticated attackers to take authenticated actions on the device.
  • VMware Workspace ONE has disclosed three unique authentication bypass vulnerabilities; an attacker with network access may be able to take administrative actions.