Internet Storm Center Spotlight


ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Microsoft Patch Tuesday July 2024

Published: 2024-07-09

Last Updated: 2024-07-09 17:35:23 UTC

by Johannes Ullrich (Version: 1)

Microsoft today released patches for 142 vulnerabilities. Only four of them are rated "critical". Two of the vulnerabilities had already been publicly disclosed before today, and two are already being exploited.

Noteworthy Vulnerabilities:

CVE-2024-38080: Windows Hyper-V Elevation of Privilege Vulnerability (exploited vulnerability)

An attacker can obtain SYSTEM privilege by exploiting this integer overflow.

CVE-2024-38112: Windows MSHTML Platform Spoofing Vulnerability (exploited vulnerability)

I haven't seen any details disclosed yet. However, vulnerabilities of this kind typically make it difficult to identify the nature and origin of an attachment: a victim may be tricked into opening a malicious attachment, leading to code execution. There have been numerous similar vulnerabilities in the past.

CVE-2024-35264: .NET and Visual Studio Remote Code Execution Vulnerability (disclosed vulnerability)

The CVSS score for this vulnerability is 8.1, and Microsoft does not rate it as critical. It is triggered by closing an HTTP/3 connection while the request body is still being processed; the attacker must win a race condition to execute code, which makes exploitation unreliable but not impossible.

CVE-2024-37985: Systematic Identification and Characterization of Proprietary Prefetchers (disclosed vulnerability)

This vulnerability only affects Arm-based systems. A successful attacker can read privileged heap memory, which is an information leak rather than code execution on its own.

CVE-2024-38074, CVE-2024-38076, CVE-2024-38077: Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

Three of the four critical vulnerabilities affect the Remote Desktop Licensing Service. RD Licensing is an optional Remote Desktop Services role service rather than part of a default Windows install, so start by inventorying which servers actually have the role installed and reachable. Watch out for PoC exploits for these vulnerabilities.

CVE-2024-38060: Windows Imaging Component Remote Code Execution Vulnerability

The Windows Imaging Component (WIC) is the Windows framework used to parse images and their metadata. To trigger the vulnerability, an authenticated attacker must upload a malicious TIFF image to a server that then parses it with WIC.

Read the full entry:

https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+July+2024/31058/

SSH "regreSSHion" Remote Code Execution Vulnerability in OpenSSH.

Published: 2024-07-01

Last Updated: 2024-07-01 17:01:32 UTC

by Johannes Ullrich (Version: 1)

Qualys published a blog post with details regarding a critical remote code execution vulnerability in the OpenSSH server (sshd).

This week is far from ideal to have to deal with a critical vulnerability in widely used software like OpenSSH. So I want to save you some time by summarizing the most important points in a very brief post:

The CVEs associated with this vulnerability are CVE-2006-5051 and CVE-2024-6387.

The reason for the two CVE numbers, and for reusing the old 2006 number, is that this is a regression: an old vulnerability that came back. Sadly, this happens somewhat regularly (not with OpenSSH specifically, but with software in general) when developers do not add tests that ensure the vulnerability stays patched in future versions. Missing comments are another cause of regressions: a developer may remove a check they consider unnecessary.

The vulnerability allows arbitrary remote code execution without authentication, and because the affected code runs in the privileged sshd parent process, the code runs as root.

OpenSSH versions before 4.4p1 are vulnerable to CVE-2006-5051 (unless they were patched for it).

OpenSSH versions from 8.5p1 up to, but not including, 9.8p1 are vulnerable to CVE-2024-6387; 9.8p1 is the patched version.

Remember that many Linux distributions do not increase the version number when they backport a patch, so the version string in the sshd banner alone does not tell you whether a host is fixed; check the distribution's package changelog.

This is a timing issue (a race condition in a signal handler), and exploitation is not easily reproducible: it takes about 10,000 attempts on 32-bit x86.

The speed of exploitation is limited by sshd's MaxStartups and LoginGraceTime settings, which cap how many unauthenticated connections are accepted and how long each one may stay open.

Exploitation on AMD64 does not appear to be practical at this time.

Most Linux systems are currently running on 64-bit architectures. However, this could be a big deal for legacy systems and IoT devices in particular, where no more patches may be available. Limiting the rate of new connections with a network firewall makes exploitation less likely in these cases, because the attacker needs thousands of connection attempts. First of all, apply the patch. If no patch is available, port knocking, moving the server to an odd port, or allowlisting specific source IPs are options.
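As an added example (not code from the diary or from Qualys), the POSIX shell functions below triage sshd banners against the two version ranges listed above. The function names, the constructed sample banners and the `grab_banner` helper are my own; the check is deliberately only a first pass, because of the backport caveat.

```shell
#!/bin/sh
# Added example, not code from the ISC diary or from Qualys.
# Triage sshd identification strings against the regreSSHion ranges:
#   CVE-2006-5051: OpenSSH before 4.4p1
#   CVE-2024-6387: OpenSSH 8.5p1 up to, but not including, 9.8p1
# Caveat: distributions backport fixes without bumping the version, so
# "in range" means "check the package changelog", not "exploitable".

# Print "MAJOR MINOR" for an OpenSSH banner such as
# "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3"; print nothing for other servers.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^SSH-[0-9.]*-OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Return 0 (true) when the banner's version falls in an affected range, 1 otherwise.
regresshion_in_range() {
    ver=$(openssh_version "$1")
    [ -n "$ver" ] || return 1            # not OpenSSH (e.g. dropbear): out of scope
    set -- $ver                          # word-split into MAJOR MINOR
    n=$(( $1 * 100 + $2 ))               # 9.6 -> 906, 8.5 -> 805, 4.4 -> 404
    [ "$n" -lt 404 ] && return 0         # before 4.4p1: CVE-2006-5051
    [ "$n" -ge 805 ] && [ "$n" -lt 908 ] && return 0   # 8.5p1 .. 9.7px: CVE-2024-6387
    return 1
}

# Live banner grab (needs network; hypothetical helper name). sshd sends its
# identification string first, so an empty client write is enough to read it.
grab_banner() {
    host=$1; port=${2:-22}
    printf '' | nc -w 3 "$host" "$port" | head -n 1 | tr -d '\r'
}

# Report one host as "<host> <banner> <verdict>".
report_host() {
    banner=$(grab_banner "$1" "$2")
    if regresshion_in_range "$banner"; then
        verdict="in-affected-range:check-changelog"
    else
        verdict="not-in-range"
    fi
    printf '%s %s %s\n' "$1" "$banner" "$verdict"
}
```

Run `report_host sshd.example.net` (a placeholder host) only against systems you are authorized to test. For the firewall-side rate limit mentioned above, an nftables rule such as `tcp dport 22 ct state new limit rate over 6/minute drop` in the input chain caps new SSH connection attempts; the rule is an illustration of the idea, not something the diary specifies.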

Read the full entry:

https://isc.sans.edu/diary/SSH+regreSSHion+Remote+Code+Execution+Vulnerability+in+OpenSSH/31046/

Overlooked Domain Name Resiliency Issues: Registrar Communications

Published: 2024-07-05

Last Updated: 2024-07-05 11:54:02 UTC

by Johannes Ullrich (Version: 1)

I often think the Internet would work better without DNS. People unable to remember an IP address would be unable to use it. But on the other hand, there is more to DNS than translating a human-readable hostname to a "machine-readable" IP address. DNS does allow us to use consistent labels even as the IP address changes.

Many critical resources are only referred to by hostname, not by IP address. This includes part of the DNS infrastructure itself: NS records point to hostnames, not IP addresses, and we use glue records (A records, actually) to resolve them. Organizations typically rely on multiple authoritative name servers that automatically replicate updates between them to provide resiliency for DNS. This process is typically quite reliable, and cloud providers offer additional services to ensure data availability. Anycast name servers can add further resilience to this setup.

However, there is a weak point in this setup: Registrars. Yesterday, Hurricane Electric, a significant internet transit provider, experienced this problem ...

As an internet transit provider, Hurricane Electric relies on BGP (Border Gateway Protocol) to route traffic to and from its customers. The associated routers are identified by hostnames like "ns1-ns5.he.net". However, yesterday the name resolution for he.net failed. It probably didn't help that this happened on a major holiday in the US.

The domain "he.net" is hosted with Network Solutions. Network Solutions is one of the "original" domain registrars but has been going through the usual acquisitions and mergers. They currently appear to be owned by Newfold, a company that happens to be located in Jacksonville, FL, where I happen to reside, too.

Yesterday, he.net stopped resolving. The technical issue was that the he.net domain was removed from the .net zone. Without any nameservers being returned by .net nameservers, clients could not resolve he.net names. The registrar is responsible for maintaining this information. Registrars are "special" because they have the contracts in place to update these top-level domains with whoever maintains them. Whois can be used to identify these relationships. For he.net, the whois record returned ...
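As an added example (not code from the diary), the shell functions below check the two things that failed in this incident: whether the parent (.net) zone still delegates the domain, and what the registrar-side status in whois says. The function names are mine; the dig and whois text used in the checks is constructed sample output, and the one live query needs network access.

```shell
#!/bin/sh
# Added example, not code from the ISC diary. Function names are my own.

# From dig-style output on stdin, print the NS targets recorded for domain $1.
# Each record line looks like:  he.net.   172800  IN  NS  ns1.he.net.
parent_ns_records() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v d="$d." 'tolower($1) == d && $4 == "NS" { print tolower($5) }' | sort -u
}

# From whois output on stdin, print the "Registrar:" line and every
# "Domain Status:" line, which is where the registrar relationship and the
# EPP status codes live.
registrar_status() {
    grep -iE '^[[:space:]]*(Registrar|Domain Status):' | sed 's/^[[:space:]]*//' | sort -u
}

# Return 0 when whois output on stdin shows a hold status. A domain with
# clientHold or serverHold is removed from the TLD zone by the registry even
# though the registrant's own name servers keep working.
on_hold() {
    grep -iqE '^[[:space:]]*Domain Status:[[:space:]]*(client|server)Hold'
}

# Live check (needs network): ask a .net TLD server directly and without
# recursion, so cached answers on a local resolver cannot mask a broken
# delegation. Prints the delegated NS names; returns 1 when the parent has none.
check_delegation() {
    dom=$1; server=${2:-a.gtld-servers.net}
    ns=$(dig +norecurse +noall +answer +authority "@$server" "$dom" NS |
         parent_ns_records "$dom")
    if [ -z "$ns" ]; then
        printf '%s: no NS records at %s (delegation missing from parent zone)\n' \
            "$dom" "$server" >&2
        return 1
    fi
    printf '%s\n' "$ns"
}

# Live check (needs network): registrar and status lines from whois.
check_registrar() {
    whois "$1" | registrar_status
}
```

For monitoring, run `check_delegation yourdomain.net` from a cron job and alert on a non-zero exit; compare its output with the NS set your own servers return (`dig @ns1.yourdomain.net yourdomain.net NS`) so a mismatch between parent and child is caught as well. The registrar check is worth running on the same schedule, since a hold status appears in whois before many people notice the resolution failure.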

Read the full entry:

https://isc.sans.edu/diary/Overlooked+Domain+Name+Resiliency+Issues+Registrar+Communications/31048/

Internet Storm Center Entries


Finding Honeypot Data Clusters Using DBSCAN: Part 1 (2024.07.10)

https://isc.sans.edu/diary/Finding+Honeypot+Data+Clusters+Using+DBSCAN+Part+1/31050/

Kunai: Keep an Eye on your Linux Hosts Activity (2024.07.08)

https://isc.sans.edu/diary/Kunai+Keep+an+Eye+on+your+Linux+Hosts+Activity/31054/

Support of SSL 2.0 on web servers in 2024 (2024.06.28)

https://isc.sans.edu/diary/Support+of+SSL+20+on+web+servers+in+2024/31044/

What Setting Live Traps for Cybercriminals Taught Me About Security [Guest Diary] (2024.06.26)

https://isc.sans.edu/diary/What+Setting+Live+Traps+for+Cybercriminals+Taught+Me+About+Security+Guest+Diary/31038/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2024-38080 - Windows Hyper-V Elevation of Privilege Vulnerability

Product: Microsoft Windows Hyper-V

CVSS Score: 7.8

** KEV since 2024-07-09 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38080

ISC Diary: https://isc.sans.edu/diary/31058

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38080

CVE-2024-38112 - Windows MSHTML Platform Spoofing Vulnerability

Product: Microsoft Windows MSHTML Platform

CVSS Score: 7.5

** KEV since 2024-07-09 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38112

ISC Diary: https://isc.sans.edu/diary/31058

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38112

CVE-2024-38074, CVE-2024-38076, CVE-2024-38077 - Windows Remote Desktop Licensing Service Remote Code Execution Vulnerabilities

Product: Microsoft Windows Remote Desktop

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38074

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38076

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38077

ISC Diary: https://isc.sans.edu/diary/31058

NVD References:

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38074

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38076

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38077

CVE-2024-38089 - Microsoft Defender for IoT Elevation of Privilege Vulnerability

Product: Microsoft Defender for IoT

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38089

ISC Diary: https://isc.sans.edu/diary/31058

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38089

CVE-2024-6172 - The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to time-based SQL Injection in all versions up to 5.7.25, allowing unauthenticated attackers to extract sensitive information from the database.

Product: Icegram Email Subscribers & Newsletters

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6172

NVD References:

- https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/includes/db/class-es-db-contacts.php#L834

- https://plugins.trac.wordpress.org/changeset/3107964/email-subscribers#file4

- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3107964%40email-subscribers%2Ftrunk&old=3104864%40email-subscribers%2Ftrunk&sfp_email=&sfph_mail=

- https://wordpress.org/plugins/email-subscribers/#developers

- https://www.wordfence.com/threat-intel/vulnerabilities/id/13629598-d45d-4ff5-aeb5-6ac881d25183?source=cve

CVE-2024-36243, CVE-2024-36260, CVE-2024-37030, CVE-2024-37077, & CVE-2024-37185 - OpenHarmony v4.0.0 and prior versions are vulnerable to remote attackers executing arbitrary code in pre-installed apps due to out-of-bounds read and write and use-after-free (CVE-2024-37030).

Product: OpenHarmony

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36243

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36260

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37030

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37077

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37185

NVD References: https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-07.md

CVE-2024-6439 - SourceCodester Home Owners Collection Management System 1.0 is vulnerable to unrestricted file upload via manipulation of the argument img in /classes/Users.php?f=save, allowing remote attackers to upload arbitrary files.

Product: Home_Owners_Collection_Management_System_Project Home_Owners_Collection_Management_System 1.0

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6439

NVD References:

- https://github.com/GAO-UNO/cve/blob/main/upload.md

- https://vuldb.com/?ctiid.270167

- https://vuldb.com/?id.270167

- https://vuldb.com/?submit.366753

CVE-2024-6440 - SourceCodester Home Owners Collection Management System 1.0 is susceptible to a critical SQL injection vulnerability in /classes/Master.php?f=delete_category that can be exploited remotely.

Product: Home_Owners_Collection_Management_System_Project Home_Owners_Collection_Management_System 1.0

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6440

NVD References:

- https://github.com/reverseD0G/cve/blob/main/sql.md

- https://vuldb.com/?ctiid.270168

- https://vuldb.com/?id.270168

- https://vuldb.com/?submit.366988

CVE-2024-32755 - Under certain circumstances the web interface will accept characters unrelated to the expected input.

Product: Johnson Controls Illustra Essentials Gen 4

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32755

NVD References:

- https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-04

- https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories

CVE-2024-36404 - GeoTools is vulnerable to Remote Code Execution in versions prior to 31.2, 30.4, and 29.6 when evaluating XPath expressions from user input.

Product: GeoTools

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36404

NVD References:

- https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852

- https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea

- https://github.com/geotools/geotools/pull/4797

- https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w

- https://osgeo-org.atlassian.net/browse/GEOT-7587

- https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download

- https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download

- https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4

- https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download

- https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download

- https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download

- https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download

- https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download

- https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download

- https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download

- https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1

CVE-2024-4708 - mySCADA myPRO uses a hard-coded password which could allow an attacker to remotely execute code on the affected device.

Product: mySCADA myPRO

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4708

NVD References:

- https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-02

- https://www.myscada.org/mypro/

CVE-2024-37082 - HAProxy release in Cloud Foundry prior to v40.17.0 has a security check loophole that could potentially allow bypass of mTLS authentication for applications.

Product: Cloud Foundry HAProxy

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37082

NVD References: https://www.cloudfoundry.org/blog/cve-2024-37082-mtls-bypass/

CVE-2024-39223 - gost v2.11.5 is vulnerable to an authentication bypass in its SSH service: the client sets the HostKeyCallback function to ssh.InsecureIgnoreHostKey, so server host keys are never verified and an attacker can intercept the connection.

Product: gost v2.11.5

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39223

NVD References:

- https://gist.github.com/nyxfqq/a7242170b1118e78436a62dee4e09e8a

- https://github.com/ginuerzh/gost/blob/729d0e70005607dc7c69fc1de62fd8fe21f85355/ssh.go#L229

- https://github.com/ginuerzh/gost/issues/1034

CVE-2024-39844 - In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK.

Product: ZNC modtcl

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39844

NVD References:

- http://www.openwall.com/lists/oss-security/2024/07/03/9

- https://github.com/znc/znc/releases/tag/znc-1.9.1

- https://wiki.znc.in/Category:ChangeLog

- https://wiki.znc.in/ChangeLog/1.9.1

- https://www.openwall.com/lists/oss-security/2024/07/03/9

CVE-2024-39930, CVE-2024-39931, & CVE-2024-39932 - Gogs through 0.13.0 is vulnerable to argument injection in internal/ssh/ssh.go (CVE-2024-39930), deletion of internal files (CVE-2024-39931), and argument injection during the previewing of changes (CVE-2024-39932).

Product: Gogs

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39930

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39931

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39932

NVD References:

- https://github.com/gogs/gogs/releases

- https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/

CVE-2024-6298 - ABB ASPECT-Enterprise, ABB NEXUS Series, and ABB MATRIX Series on Linux are vulnerable to Remote Code Inclusion due to improper input validation, impacting versions through 3.08.01.

Product: ABB ASPECT-ENT-12

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6298

NVD References: https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.39956449.23035250.1719878527-141379670.1701144964

CVE-2024-38346 - CloudStack cluster service vulnerability allows attackers to execute arbitrary code on targeted hypervisors and hosts, potentially compromising infrastructure confidentiality, integrity, and availability.

Product: Apache Cloudstack

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38346

NVD References:

- http://www.openwall.com/lists/oss-security/2024/07/05/1

- https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.2-4.18.2.1

- https://lists.apache.org/thread/6l51r00csrct61plkyd3qg3fj99215d1

- https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-1-and-4-19-0-2/

CVE-2024-39028 - An issue was discovered in SeaCMS <=12.9 which allows remote attackers to execute arbitrary code via admin_ping.php.

Product: SeaCMS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39028

NVD References: https://github.com/pysnow1/vul_discovery/blob/main/SeaCMS/SeaCMS%20v12.9%20admin_ping.php%20RCE.md

CVE-2024-39864 - CloudStack integration API service allows running its unauthenticated API server on a random port when integration.api.port value is set to 0, allowing attackers to exploit and compromise the infrastructure.

Product: Apache Cloudstack

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39864

NVD References:

- http://www.openwall.com/lists/oss-security/2024/07/05/1

- https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.2-4.18.2.1

- https://lists.apache.org/thread/6l51r00csrct61plkyd3qg3fj99215d1

- https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-1-and-4-19-0-2/

CVE-2024-23997 - Lukas Bach yana <=1.0.16 is vulnerable to Cross Site Scripting (XSS) via src/electron-main.ts.

Product: Lukasbach Yana

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23997

NVD References: https://github.com/EQSTLab/PoC/tree/main/2024/LCE/CVE-2024-23997

CVE-2024-23998 - goanother Another Redis Desktop Manager <=1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.vue.

Product: Goanother Another Redis Desktop Manager

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23998

NVD References: https://github.com/EQSTLab/PoC/tree/main/2024/LCE/CVE-2024-23998

CVE-2024-29319 - Volmarg Personal Management System 1.4.64 is vulnerable to SSRF through SVG file uploads, allowing attackers to send unauthorized HTTP and DNS requests to a controlled server.

Product: Personal-Management-System Personal Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-29319

NVD References: https://github.com/b-hermes/vulnerability-research/tree/main/CVE-2024-29319

CVE-2024-37768 - 14Finger v1.1 was discovered to contain an arbitrary user deletion vulnerability via the component /api/admin/user?id.

Product: B1Ackc4T 14Finger

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37768

NVD References: https://github.com/b1ackc4t/14Finger/issues/12

CVE-2024-27709 & CVE-2024-27710 - Eskooly Web Product v.3.0 is vulnerable to SQL injection (CVE-2024-27709) and privilege escalation (CVE-2024-27710).

Product: Eskooly Free Online School management Software

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27709

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27710

NVD References: https://blog.be-hacktive.com/eskooly-cve/cve-2024-27709-sql-injection-in-eskooly-web-product-v.3.0

NVD References: https://blog.be-hacktive.com/eskooly-cve/eskooly-broken-authentication/cve-2024-27710-privilege-escalation-via-authentication-mechanism-in-eskooly-web-product-less-than-v3

CVE-2024-37260 - Server-Side Request Forgery (SSRF) vulnerability in Theme-Ruby Foxiz. This issue affects Foxiz: from n/a through 2.3.5.

Product: Themeruby Foxiz

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37260

NVD References: https://patchstack.com/database/vulnerability/foxiz/wordpress-foxiz-theme-theme-2-3-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve

CVE-2024-40614 - EGroupware before 23.1.20240624 mishandles an ORDER BY clause.

Product: EGroupware

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-40614

NVD References:

- https://github.com/EGroupware/egroupware/commit/553829d30cc2ccdc0e5a8c5a0e16fa03a3399a3f

- https://github.com/EGroupware/egroupware/compare/23.1.20240430...23.1.20240624

- https://github.com/EGroupware/egroupware/releases/tag/23.1.20240624

- https://help.egroupware.org/t/egroupware-maintenance-security-release-23-1-20240624/78438

- https://syss.de

CVE-2023-46685 - LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623 is vulnerable to arbitrary command execution via specially crafted network packets due to a hard-coded password in the telnetd functionality.

Product: LevelOne WBR-6013

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46685

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1871

CVE-2024-1305 - Tap-windows6 driver version 9.26 and earlier allows for potential arbitrary code execution in kernel space due to improper data size checking in incoming write operations.

Product: OpenVPN tap-windows6 driver

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1305

NVD References:

- https://community.openvpn.net/openvpn/wiki/CVE-2024-1305

- https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07534.html

CVE-2024-6365 - The Product Table by WBW plugin for WordPress is vulnerable to Remote Code Execution in all versions up to 2.0.1, allowing unauthenticated attackers to execute code on the server via the 'saveCustomTitle' function.

Product: WBW The Product Table by WBW plugin for WordPress

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6365

NVD References:

- https://plugins.trac.wordpress.org/browser/woo-product-tables/trunk/languages/customTitle.php

- https://plugins.trac.wordpress.org/browser/woo-product-tables/trunk/modules/wootablepress/models/wootablepress.php#L7

- https://plugins.trac.wordpress.org/changeset/3113335/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/ba84711f-bdbe-46d3-a9a3-cc2b1dcefd1a?source=cve

CVE-2024-28747 - An unauthenticated remote attacker can use the hard-coded credentials to access the SmartSPS devices with high privileges.

Product: Weintek SmartSPS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-28747

NVD References: https://cert.vde.com/en/advisories/VDE-2024-012

CVE-2024-28751 - A high privileged remote attacker can enable telnet access that accepts hardcoded credentials.

Product: Siemens Simatic HMI TP700

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-28751

NVD References: https://cert.vde.com/en/advisories/VDE-2024-012

CVE-2024-37555 - ZealousWeb Generate PDF using Contact Form 7 allows unrestricted upload of files with dangerous types, posing a security risk from versions n/a through 4.0.6.

Product: ZealousWeb Generate PDF using Contact Form 7

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37555

NVD References: https://patchstack.com/database/vulnerability/generate-pdf-using-contact-form-7/wordpress-generate-pdf-using-contact-form-7-plugin-4-0-6-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-6313 - The Gutenberg Forms plugin for WordPress allows for arbitrary file uploads, potentially leading to remote code execution.

Product: WordPress Gutenberg Forms plugin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6313

NVD References:

- https://plugins.trac.wordpress.org/browser/forms-gutenberg/tags/2.2.9/Utils/Bucket.php#L19

- https://plugins.trac.wordpress.org/browser/forms-gutenberg/tags/2.2.9/triggers/email.php#L268

- https://www.wordfence.com/threat-intel/vulnerabilities/id/b0315b53-46a1-46b4-a53e-0d914866ca50?source=cve

CVE-2024-6314 - The IQ Testimonials plugin for WordPress allows unauthenticated attackers to upload arbitrary files and potentially execute remote code due to insufficient file validation, in versions up to 2.2.7, only if the 'gd' PHP extension is not loaded.

Product: WordPress IQ Testimonials plugin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6314

NVD References:

- https://plugins.trac.wordpress.org/browser/iq-testimonials/tags/2.2.7/lib/iq-testimonials-form.php#L296

- https://www.wordfence.com/threat-intel/vulnerabilities/id/bec50640-a550-49a8-baf6-2dd53995f90b?source=cve

CVE-2024-37112 - WishList Member X is vulnerable to SQL Injection before version 3.26.7, allowing attackers to manipulate database queries.

Product: WishList Member X Membership Software

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37112

NVD References: https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-unauthenticated-arbitrary-sql-query-execution-vulnerability?_s_id=cve

CVE-2024-3604 - The OSM – OpenStreetMap plugin for WordPress is vulnerable to SQL Injection via the 'tagged_filter' attribute of the 'osm_map_v3' shortcode.

Product: WordPress OSM OpenStreetMap plugin

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3604

NVD References:

- https://wordpress.org/plugins/osm/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/c8eebc67-e590-4d7f-8925-e5e5090cedf0?source=cve

CVE-2024-37418 - Andy Moyle Church Admin is vulnerable to uploading potentially harmful files, such as web shells, to a web server due to an unrestricted upload vulnerability.

Product: Andy Moyle Church Admin

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37418

NVD References: https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-4-4-6-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-37420 - Zita Elementor Site Library in WPZita allows uploading a web shell to a web server due to unrestricted upload of dangerous file types, affecting versions from n/a to 1.6.1.

Product: WPZita Elementor Site Library

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37420

NVD References: https://patchstack.com/database/vulnerability/zita-site-library/wordpress-zita-elementor-site-library-plugin-1-6-1-arbitrary-code-execution-vulnerability?_s_id=cve

CVE-2024-37424 - Newspack Blocks allows unrestricted upload of dangerous file types, potentially enabling the upload of a web shell to a web server.

Product: Automattic Newspack Blocks

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37424

NVD References: https://patchstack.com/database/vulnerability/newspack-blocks/wordpress-newspack-blocks-plugin-3-0-8-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-39872 - SINEMA Remote Connect Server (All versions < V3.2 SP1) allows authenticated attackers with the 'Manage firmware updates' role to escalate privileges via improper assignment of rights to temporary files.

Product: Siemens SINEMA Remote Connect Server

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39872

NVD References: https://cert-portal.siemens.com/productcert/html/ssa-381581.html

CVE-2024-35264 - .NET and Visual Studio Remote Code Execution Vulnerability

Product: Microsoft .NET and Visual Studio

CVSS Score: 8.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35264

ISC Diary: https://isc.sans.edu/diary/31058

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35264

CVE-2024-38060 - Windows Imaging Component Remote Code Execution Vulnerability

Product: Microsoft Windows Imaging Component

CVSS Score: 8.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38060

ISC Diary: https://isc.sans.edu/diary/31058

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38060

CVE-2024-38517 & CVE-2024-39684 - Tencent RapidJSON privilege escalation vulnerabilities

Product: Tencent RapidJSON

CVSS Score: 7.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38517

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39684

ISC Diary: https://isc.sans.edu/diary/31058

NVD References:

- https://github.com/Tencent/rapidjson/pull/1261/commits/8269bc2bc289e9d343bae51cdf6d23ef0950e001

- https://github.com/fmalita/rapidjson/commit/8269bc2bc289e9d343bae51cdf6d23ef0950e001

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38517

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-39684

The following vulnerability needs a manual review:

CVE-2024-37985 - Systematic Identification and Characterization of Proprietary Prefetchers. This vulnerability only affects ARM systems. An attacker would be able to view privileged heap memory. An attacker must take additional actions before exploitation to successfully prepare the target environment to exploit the vulnerability.

CVSS 3.1: 5.9 / 5.2

ISC Diary: https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+July+2024/31058/

References:

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-37985

- https://blog.qualys.com/vulnerabilities-threat-research/2024/07/09/microsoft-patch-tuesday-july-2024-security-update-review