controlgap.com

Control Gap Vulnerability Roundup: November 19th to November 25th

This week saw the publication of 343 new CVE IDs. Of those, 144 have not yet been assigned official CVSS scores; of the ones that were, approximately 31% were of critical severity, 30% were high, 38% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • Tailscale, the popular VPN and networking solution, could allow for remote code execution on Windows clients if users visit a malicious website.
  • Dolibarr, the popular ERP and CRM solution, was found to be vulnerable to SQL injection.
  • The “Nighthawk” router made by NetGear has had 17 unique buffer overflow vulnerabilities disclosed this week for multiple firmware versions.
  • The privacy-focused communications application Nextcloud Talk for Android was found to have flawed permissions which could allow malicious apps to spy on user communications.

Control Gap Vulnerability Roundup: November 12th to November 18th

This week saw the publication of 500 new CVE IDs. Of those, 144 have not yet been assigned official CVSS scores; of the ones that were, approximately 18% were of critical severity, 35% were high, 45% were medium, and 2% were low. Listed below are the vulnerabilities that caught our attention:

  • F5 Big-IP and Big-IQ products were found to be affected by a cross-site request forgery vulnerability which could lead to remote code execution. Exploitation of the vulnerability is highly conditional.
  • Liferay, the “digital experience” provider, has had 17 vulnerabilities of varying severity disclosed this week affecting a wide array of products and product versions.
  • IBM InfoSphere DataStage was found to be vulnerable to unauthenticated command injection. Customers are encouraged to patch immediately.
  • Atlassian BitBucket users who can control their username can achieve command execution with crafted username payloads.

Control Gap Vulnerability Roundup: November 5th to November 11th

This week saw the publication of 507 new CVE IDs. Of those, 133 have not yet been assigned official CVSS scores; of the ones that were, approximately 16% were of critical severity, 43% were high, 38% were medium, and 3% were low. Listed below are the vulnerabilities that caught our attention:

  • Parse Server prototype pollution may lead to unauthenticated remote code execution.
  • Plesk cross-site request forgery (CSRF) can allow attackers to take over administrative accounts by luring victims to malicious websites.
  • Citrix Gateway and ADC products were found to have multiple vulnerabilities; products acting in the “gateway” role have a critical vulnerability which can allow unauthenticated attackers to take authenticated actions on the device.
  • VMWare Workstation ONE has disclosed three unique authentication bypass vulnerabilities; an attacker with network access may be able to take administrative actions.

Control Gap Vulnerability Roundup: October 29th to November 4th

This week saw the publication of 517 new CVE IDs. Of those, 9 have not yet been assigned official CVSS scores; of the ones that were, approximately 12% were of critical severity, 37% were high, 48% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • A zero-day type confusion vulnerability in Google Chrome V8 has been patched and is currently being exploited in the wild.
  • A widespread zero-day arbitrary code execution vulnerability affecting Apple devices, reported anonymously, has received updates that also address older devices.
  • The Zoom Client for Meetings was found to be vulnerable to an arbitrary redirect; users who receive crafted links can be directed to malicious sites.
  • Devolutions Remote Desktop Manager was found to keep master passwords for password manager products KeePass Server and Dashlane in its own database in an unencrypted state.

Control Gap Vulnerability Roundup: October 22nd to October 28th

This week saw the publication of 360 new CVE IDs. Of those, 74 have not yet been assigned official CVSS scores; of the ones that were, approximately 30% were of critical severity, 37% were high, 32% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • HyperSQL, a hugely popular relational database utilized by many massive Java projects, was found to be affected by a remote code execution vulnerability.
  • VMWare has released a rare out-of-band patch for its VMWare NSX product, which is considered end-of-life, to fix an unauthenticated remote code execution vulnerability.
  • The French e-commerce and content management system Melis was found to be affected by a remote code execution vulnerability stemming from improper deserialization.
  • The adversary emulation tool Cobalt Strike was found to be vulnerable to remote code execution after researchers at IBM found a bypass for a previously patched XSS vulnerability.

Control Gap Vulnerability Roundup: October 15th to October 21st

This week saw the publication of 540 new CVE IDs. Of those, 134 have not yet been assigned official CVSS scores; of the ones that were, approximately 14% were of critical severity, 39% were high, 44% were medium, and 3% were low. Listed below are the vulnerabilities that caught our attention:

  • A zero-day vulnerability affecting Windows' ability to detect files which carry the “mark of the web” was discovered by threat analysts researching malware which was appearing “in the wild”.
  • A vulnerability affecting Apache Commons Text dubbed “Text4Shell” was disclosed this week. Researchers do not believe the impact to be close to the same magnitude as “Log4Shell”.
  • Oracle Web Applications Desktop Integrator is affected by an unauthenticated remote code execution vulnerability which could allow for an attacker to completely compromise the integrator.
  • A little-known reporting application, Anji-Plus AJ Report, was found to have an authentication bypass vulnerability stemming from a common development mistake: a hardcoded JWT key.

Control Gap Vulnerability Roundup: October 8th to October 14th

This week saw the publication of 632 new CVE IDs. Of those, 134 have not yet been assigned official CVSS scores; of the ones that were, approximately 14% were of critical severity, 48% were high, 36% were medium, and 2% were low. Listed below are the vulnerabilities that caught our attention:

  • Microsoft’s October 11th Patch Tuesday addresses 85 vulnerabilities including multiple escalation of privilege, remote code execution, security bypass, information disclosure, denial of service, and impersonation vulnerabilities. The “ProxyNotShell” vulnerabilities we wrote about last week were not addressed.
  • A remote code execution vulnerability in the Community and Enterprise editions of GitLab could allow attackers with a valid API key to completely take over standalone deployments of the software. This is the second significant GitLab RCE this quarter.
  • Continuing the trend, multiple Python Package Index packages have been found to have had remote code execution backdoors inserted by an unknown third-party.
  • Aruba EdgeConnect Enterprise Orchestrator had multiple vulnerabilities published which include authentication bypass and unauthenticated remote code execution vulnerabilities.

Control Gap Vulnerability Roundup: October 1st to October 7th

This week saw the publication of 237 new CVE IDs. Of those, 94 have not yet been assigned official CVSS scores; of the ones that were, approximately 22% were of critical severity, 38% were high, 36% were medium, and 4% were low. Listed below are the vulnerabilities that caught our attention:

  • A zero-day reincarnation of 2021’s ProxyShell Microsoft Exchange vulnerabilities, dubbed “ProxyNotShell”, which could allow authenticated attackers to execute arbitrary code on affected Exchange products has been published. Initial mitigations were found to be ineffective, and Microsoft is urging administrators to take further remedial action.
  • An authentication bypass vulnerability affecting multiple Fortinet products was disclosed this week. Due to its ability to be exploited remotely, Fortinet is urging customers to act immediately.
  • Veritas NetBackup had multiple high impact vulnerabilities published this week prompting Veritas to release 4 separate security advisories.
  • ZKteco ZKBioSecurity, a biometric security solution, had two vulnerabilities published this week, including an escalation of privilege vulnerability which allows authenticated users to create admin accounts.

Control Gap Vulnerability Roundup: September 17th to September 23rd

This week saw the publication of 587 new CVE IDs. Of those, 126 have not yet been assigned official CVSS scores; of the ones that were, approximately 21% were of critical severity, 36% were high, 41% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • A Sophos firewall unauthenticated remote code execution vulnerability was disclosed and immediately added to CISA’s Known Exploited Vulnerabilities Catalog (KEVC).
  • An Oracle Cloud Infrastructure vulnerability was disclosed that allowed for the violation of cloud segmentation controls and the mounting of storage volumes with full read/write access.
  • Previously undisclosed WhatsApp vulnerabilities which could lead to remote code execution under certain conditions are publicly acknowledged by WhatsApp.
  • A Python package vulnerability from 2007 has resurfaced after Trellix, a security firm, found that approximately 350,000 GitHub projects are affected.

Control Gap Vulnerability Roundup: September 10th to September 16th

This week saw the publication of 655 new CVE IDs. Of those, 239 have not yet been assigned official CVSS scores; of the ones that were, approximately 14% were of critical severity, 53% were high, 31% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • Multiple versions of Microsoft SharePoint server are affected by several authenticated remote code execution vulnerabilities.
  • Tesla Model 3s using phone key authentication are vulnerable to authentication bypass which could allow an attacker to unlock, start, and drive away the vehicle.
  • OASES, a software product used to manage aviation maintenance and engineering, is vulnerable to an authenticated remote code execution vulnerability.
  • Watchdog anti-virus does not enforce access control lists on key application files allowing an attacker to execute arbitrary code in the context of the anti-virus software.