controlgap.com

This week saw the publication of 507 new CVE IDs. Of those, 133 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 16% were of critical severity, 43% were high, 38% were medium, and 3% were low. Listed below are the vulnerabilities that caught our attention:

• Parse Server prototype pollution may lead to unauthenticated remote code execution.
• Plesk cross-site request forgery (CSRF) can allow for attackers to takeover administrative accounts by luring victims to malicious websites.
• Citrix Gateway and ADC products were found to have multiple vulnerabilities, products acting in the “gateway” role have a critical vulnerability which can allow for unauthenticated attackers to take authenticated actions on the device.
• VMWare Workstation ONE has disclosed three unique authentication bypass vulnerabilities, an attacker with network access may be able to take administrative actions.

This week saw the publication of 517 new CVE IDs. Of those, 9 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 12% were of critical severity, 37% were high, 48% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• A zero-day type confusion vulnerability in Google Chrome V8 has been patched and is currently being exploited in the wild.
• A zero-day vulnerability for Apple devices has received updates addressing older devices as a widespread arbitrary code execution vulnerability is reported anonymously.
• The Zoom Client for Meetings was found to be vulnerable to an arbitrary redirect, users who receive crafted links can be directed to malicious sites.
• Devolutions Remote Desktop Manager was found to keep master passwords for password manager products KeePass Server and Dashlane in its own database in an unencrypted state.

This week saw the publication of 360 new CVE IDs. Of those, 74 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 30% were of critical severity, 37% were high, 32% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• HyperSQL, a hugely popular relational database utilized by many massive Java projects was found to be affected by a remote code execution vulnerability.
• VMWare has released a rare out-of-band patch for its VMWare NSX product which is considered end-of-life to fix an unauthenticated remote code execution vulnerability.
• The French e-commerce and content management system Melis was found to be affected by a remote code execution vulnerability stemming from improper deserialization.
• The adversary emulation tool Cobalt Strike was found to be vulnerable to remote code execution after researchers at IBM found a bypass for a previously patched XSS vulnerability.

This week saw the publication of 540 new CVE IDs. Of those, 134 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 14% were of critical severity, 39% were high, 44% were medium, and 3% were low. Listed below are the vulnerabilities that caught our attention:

• A zero-day vulnerability affecting Windows ability to detect files which have the “mark of the web” was discovered by threat analysts researching malware which was appearing “in the wild”.
• A vulnerability affecting Apache Commons Text dubbed “Text4Shell” was disclosed this week. Researchers do not believe the impact to be close to the same magnitude as “Log4Shell”.
• Oracle Web Applications Desktop Integrator is affected by an unauthenticated remote code execution vulnerability which could allow for an attacker to completely compromise the integrator.
• A little known reporting application Anji-Plus AJ Report was found to have an authentication bypass vulnerability stemming from a common development mistake, a hardcoded JWT key.

This week saw the publication of 632 new CVE IDs. Of those, 134 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 14% were of critical severity, 48% were high, 36% were medium, and 2% were low. Listed below are the vulnerabilities that caught our attention:

• Microsoft’s October 11th Patch Tuesday addresses 85 vulnerabilities including multiple escalation of privilege, remote code execution, security bypass, information disclosure, denial of service, and impersonation vulnerabilities. The “ProxyNotShell” vulnerabilities we wrote about last week were not addressed.
• A remote code execution vulnerability in the Community and Enterprise editions of GitLab could allow attackers with a valid API key to completely takeover standalone deployments of the software. This is the second significant GitLab RCE this quarter.
• Continuing the trend, multiple Python Package Index packages have been found to have had remote code execution backdoors inserted by an unknown third-party.
• Aruba EdgeConnect Enterprise Orchestrator had multiple vulnerabilities published which include authentication bypass and unauthenticated remote code execution vulnerabilities.

This week saw the publication of 237 new CVE IDs. Of those, 94 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 22% were of critical severity, 38% were high, 36% were medium, and 4% were low. Listed below are the vulnerabilities that caught our attention:

• A zero-day reincarnation of 2021’s ProxyShell Microsoft Exchange vulnerabilities dubbed “ProxyNotShell” which could allow authenticated attackers to execute arbitrary code on effected Exchange products has been published. Initial mitigations were found to be ineffective, and Microsoft is urging administrators to take further remedial action.
• An authentication bypass vulnerability affecting multiple Fortinet products was disclosed this week. Due to its ability to be exploited remotely, Fortinet is urging customers to act immediately.
• Veritas NetBackup had multiple high impact vulnerabilities published this week prompting Veritas to release 4 separate security advisories.
• ZKteco ZKBioSecurity, biometric security solutions had two vulnerabilities published this week, including an escalation of privilege vulnerability which allows authenticated users to create admin accounts.

This week saw the publication of 587 new CVE IDs. Of those, 126 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 21% were of critical severity, 36% were high, 41% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• Sophos firewall unauthenticated remote code execution vulnerability was disclosed and immediately added to CISA’s KEVC.
• Oracle Cloud Infrastructure vulnerability that allowed for the violation of cloud segmentation controls and mounting of storage volumes with full read/write access.
• Previously undisclosed WhatsApp vulnerabilities which could lead to remote code execution under certain conditions are publicly acknowledged by WhatsApp.
• A Python package vulnerability from 2007 has resurfaced after Trellix, a security firm, found that approximately 350,000 GitHub projects are affected.

This week saw the publication of 655 new CVE IDs. Of those, 239 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 14% were of critical severity, 53% were high, 31% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• Multiple versions of Microsoft SharePoint server are affected by several authenticated remote code execution vulnerabilities.
• Tesla Model 3s using phone key authentication are vulnerable to authentication bypass which could allow an attacker to unlock, start, and drive away the vehicle.
• OASES, a software used to manage aviation maintenance and engineering is vulnerable to an authenticated remote code execution vulnerability.
• Watchdog anti-virus does not enforce access control lists on key application files allowing an attacker to execute arbitrary code in the context of the anti-virus software.

This week saw the publication of 432 new CVE IDs. Of those, 204 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 22% were of critical severity, 46% were high, 32% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• In a growing pattern, another Python package index package has been backdoored with a remote code execution vulnerability by an unknown third party.
• Japanese company Hytech Inter saw multiple vulnerabilities released for one of their products this week, the affected device, an industrial application LTE router would pose a significant security risk if compromised.
• 23 total vulnerabilities were identified for Snapdragon Auto modules involving memory management, while the impact of these disclosures is still unclear the global adoption of these products could imply far reaching risk.
• An open redirect vulnerability in IBM’s Security Identity Manager could empower threat actors to conduct powerful phishing attacks.

This week saw the publication of 565 new CVE IDs. Of those, 170 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 22% were of critical severity, 46% were high, 32% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• Atlassian BitBucket remote code execution vulnerability allows user with read permissions on any public/private repository to execute arbitrary code through a crafted HTTP request.
• GitLab community edition and enterprise editions are affected by a remote code execution vulnerability in which an authenticated user who can “import from GitHub” can execute arbitrary code in the context of the affected server.
• BlackHat presenters found variations of similar vulnerabilities in automotive remote keyless entry systems which allow for “time-agnostic” exploitation of keyless entry systems.
• The restaurant management software Tabit had multiple vulnerabilities published this week including information disclosure, weak password generation, database injection, unauthorized account modification, and arbitrary SMS messaging as the Tabit server.