@RISK

The Consensus Security Vulnerability Alert

September 12, 2024  |  Vol. 24, Num. 36

Internet Storm Center Spotlight


INTERNET STORM CENTER SPOTLIGHT

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Microsoft September 2024 Patch Tuesday

Published: 2024-09-10.

Last Updated: 2024-09-10 17:59:45 UTC

by Johannes Ullrich (Version: 1)

Today, Microsoft released its scheduled September set of patches. This update addresses 79 different vulnerabilities, seven of them rated critical. Four of the vulnerabilities were already being exploited or publicly disclosed before today's release.

Noteworthy Vulnerabilities:

CVE-2024-43491: A "downgrade" vulnerability in the Windows servicing stack. Fixes previously applied to some optional components were rolled back, so an attacker can exploit older, supposedly patched vulnerabilities. This issue only affects Windows 10 Version 1507. Mainstream support for 1507 ended years ago, but the Enterprise 2015 LTSB and IoT Enterprise 2015 LTSB editions that still run it remain supported; on those systems the September servicing stack update has to be installed before the September cumulative update. It appears to differ from the similar vulnerabilities (CVE-2024-38202 and CVE-2024-21302) made public by Alon Leviev at Black Hat this year, which appear to remain unpatched.

CVE-2024-38014: An elevation of privilege issue in Windows Installer that could give an attacker SYSTEM access. It is already being exploited.

CVE-2024-38217: Yet another "Mark of the Web" bypass. It is already being exploited and could be used to trick a victim into running malware, since a file that arrives without the mark does not trigger the SmartScreen and Office Protected View checks.

CVE-2024-38226: Similar to the above, a security feature bypass in Microsoft Publisher that sidesteps the Office macro policies meant to block untrusted files. It is also already being exploited.

Microsoft also patched four remote code execution vulnerabilities in SharePoint, but their lower CVSS scores reflect that exploitation requires authenticated access and specific prerequisites.

CVE-2024-38119: A critical remote code execution vulnerability in the Windows Network Address Translation (NAT) service. The comparatively low CVSS score is likely because NAT is not enabled by default.

https://isc.sans.edu/diary/Microsoft+September+2024+Patch+Tuesday/31254/

Attack Surface [Guest Diary]

Published: 2024-09-04.

Last Updated: 2024-09-05 01:15:09 UTC

by Guy Bruneau (Version: 1)

[This is a Guest Diary by Joshua Tyrrell, an ISC intern as part of the SANS.edu BACS program]

Managing the Attack Surface

You’ve begun the journey of reviewing your IT infrastructure and figuring out how to protect yourself from those who might not have the greatest intentions. That’s great! Stop yourself, though, before you get too far into the weeds of the different technologies available to defend yourself: a few details need to be fleshed out first. Let’s have a look:

What industry are you in? Depending on the service provided, you may already have a baseline that you need to be at, provided to you by those who came before you and have danced with those who mean you harm.

Where and who do you do business with? If you’re a utility provider in Topeka, Kansas, does it make sense to have your online presence available to the general public outside of the Continental United States? Think about the potential risk versus limiting access to those who need to manage it.

What does your organization actually need to be successful? What data do you actually need to survive, what devices are necessary, what software will get you to where you need to be?

These are all pertinent questions for scaling your attack surface up or down, and for working towards chaos-free Friday nights.

Fortify the Exterior Walls

Defense-in-Depth is the name of the game in the 21st Century, but that doesn’t mean we shouldn’t be doing what we can to make sure the perimeter walls are as imposing as possible. You use firewalls, yes, but are you using them to their maximum potential? Modern firewalls allow for geo-blocking, which is the blocking of traffic based on IP addresses correlated to countries. These databases are updated somewhat regularly, so there is maintenance to be done on your firewalls to make sure they’re up to date. If you’d like even stronger evidence for using geo-blocking, search for “Top 10 Countries where cyber attacks originate”. Lists have been generated by teams across the world to show where many of the world’s cyber criminals are calling home. Keep in mind that geo-blocking raises the bar rather than closing the door: an attacker can rent a host or VPN endpoint in an allowed country, which is exactly why the reputation filtering described below still matters. Now though, what if you do have a business partner that resides in one of those countries that you may not want traffic widely from? Easy enough: create an exception for their ASN in the geo-fence.

Another tool at your disposal is reputation filtering. This process allows your firewall to look up the reputation of the source or destination IP and forward or drop the packet as per the policy. This can be highly effective at reducing the amount of potentially malicious traffic that is not already blocked by your geo-fence. Take heed though: Cloud Service Providers may be unintentionally flagged and dropped due to the nature of their business model, because anyone can rent an address in their ranges. There is a way to navigate this, and that is to simply look at who the largest CSPs are and weigh that against historical traffic to your assets. You may want to allow AWS, Azure, GCP, and even DigitalOcean, but how about that small-time server farm in Seychelles? Or the Netherlands? Those you can probably block outright, after considering the initial questions we talked about earlier.
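The two mechanisms above only work well if the exceptions are evaluated together with the rule they relax: the partner's ASN must beat the geo-fence, and a trusted cloud provider's range must beat a reputation hit. The following is an added example of that rule ordering, not code from the diary or from any firewall vendor. Its attribution table is constructed: the prefixes are RFC 5737 documentation ranges, the ASNs come from the private range, and XA/XB are ISO user-assigned placeholder country codes, so none of it refers to a real network.

```python
"""Perimeter policy ordering: geo-fence with a partner-ASN exception, then an IP
reputation list with an exception for trusted cloud providers. Added example,
not code from the diary. All prefixes are RFC 5737 documentation ranges, the
ASNs are from the private range, and XA/XB are ISO user-assigned country codes,
so the attribution table below is constructed and refers to no real network."""
import ipaddress
from dataclasses import dataclass
from datetime import date

# (prefix, country, origin ASN) as a geo/ASN database would provide it.
GEO_ASN_TABLE = (
    ("203.0.113.0/25", "US", 64512),     # ordinary customer range
    ("203.0.113.128/25", "US", 64517),   # large cloud provider we want to keep reachable
    ("198.51.100.0/25", "XA", 64513),    # business partner located in a geo-blocked country
    ("198.51.100.128/25", "XA", 64514),  # unrelated network in that same country
    ("192.0.2.0/24", "XB", 64515),       # small hosting provider
    ("192.0.2.64/26", "XB", 64516),      # one of its customers, a more specific prefix
)


@dataclass(frozen=True)
class Policy:
    blocked_countries: frozenset     # the geo-fence
    partner_asns: frozenset          # exceptions carved out of the geo-fence
    trusted_csp_asns: frozenset      # exceptions carved out of reputation drops
    bad_reputation: tuple            # prefixes flagged by a reputation feed
    drop_unattributed: bool = True   # source IP in no table entry: fail closed or open?


def attribute(ip_str, table=GEO_ASN_TABLE):
    """Longest-prefix match; returns (country, asn) or None if the IP is unknown."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for prefix, country, asn in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country, asn)
    return None if best is None else (best[1], best[2])


def evaluate(ip_str, policy):
    """Return (verdict, reason) for a source address.

    Order matters: each exception is tested together with the rule it relaxes,
    so a partner inside a blocked country passes the geo-fence but is still
    subject to the reputation check, and a flagged range that belongs to a
    trusted cloud provider is not dropped."""
    ip = ipaddress.ip_address(ip_str)
    attr = attribute(ip_str)
    if attr is None:
        return ("drop" if policy.drop_unattributed else "allow", "unattributed source")
    country, asn = attr
    if country in policy.blocked_countries and asn not in policy.partner_asns:
        return ("drop", f"geo-fence: {country}")
    if any(ip in ipaddress.ip_network(p) for p in policy.bad_reputation):
        if asn in policy.trusted_csp_asns:
            return ("allow", f"reputation hit overridden for trusted cloud provider AS{asn}")
        return ("drop", "reputation feed")
    return ("allow", "default")


def geo_db_is_stale(as_of_iso, today_iso, max_age_days=30):
    """The maintenance point from the text: a geo/ASN table older than
    max_age_days should be refreshed before its verdicts are trusted."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(as_of_iso)
    return age.days > max_age_days


EXAMPLE_POLICY = Policy(
    blocked_countries=frozenset({"XA"}),
    partner_asns=frozenset({64513}),
    trusted_csp_asns=frozenset({64517}),
    bad_reputation=("192.0.2.64/26", "203.0.113.200/32"),
)

if __name__ == "__main__":
    for src in ("203.0.113.10", "198.51.100.5", "198.51.100.200",
                "203.0.113.200", "192.0.2.70", "192.0.2.5", "172.16.0.1"):
        print(src, *evaluate(src, EXAMPLE_POLICY))
    print("geo database stale:", geo_db_is_stale("2024-08-01", "2024-09-12"))
```

Two design choices are worth calling out. An address that appears in no table entry is dropped by default (`drop_unattributed=True`); a geo-fence cannot reason about what it cannot attribute, and failing closed is the conservative setting, but it must be a conscious choice because a stale table will then start dropping legitimate traffic, which is what `geo_db_is_stale` is there to catch. And the partner exception only relaxes the geo-fence: a partner address that lands on the reputation feed is still dropped, since the exception says "we expect traffic from this ASN", not "this ASN is trusted".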

https://isc.sans.edu/diary/Attack+Surface+Guest+Diary/31232/

Scans for Moodle Learning Platform Following Recent Update

Published: 2024-09-04.

Last Updated: 2024-09-04 14:37:39 UTC

by Johannes Ullrich (Version: 1)

On August 10th, the popular learning platform "Moodle" released an update fixing CVE-2024-43425. RedTeam Pentesting found the vulnerability and published a detailed blog post late last week, demonstrating how a user with the "trainer" role could execute arbitrary code on the server. The trainer has to publish a "calculated question". These questions are generated dynamically by evaluating a formula, and sadly the formula was evaluated using PHP's eval() function. As pointed out by RedTeam Pentesting, eval() is a very dangerous function to use and should be avoided if at all possible. This applies not only to PHP but to most languages (also see my video about command injection vulnerabilities). As I usually say: "eval is only one letter away from evil".

The exploit does require the attacker to be able to publish questions. However, Moodle is used by large organizations such as universities, where an attacker may be able to obtain "trainer" credentials via brute forcing or credential stuffing.

I got pointed to "Moodle" after seeing this URL in our "First Seen" list of newly accessed URLs ...
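To make the "eval is one letter away from evil" point concrete, here is an added illustration, written in Python rather than Moodle's PHP and not taken from the Moodle code base or from the RedTeam Pentesting write-up. It puts the eval()-based evaluator next to a hardened one that parses the formula and interprets only arithmetic. The `{name}` wildcard syntax, the function whitelist and the `PAYLOAD` string are assumptions made for this demo.

```python
"""A formula evaluator done the eval() way beside an AST-whitelisted one.
Added illustration in Python, not Moodle's PHP code. The {name} wildcard
syntax and the function whitelist are assumptions made for this demo."""
import ast
import operator
import os
import re

WILDCARD = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def substitute(formula, values):
    """Replace {name} wildcards with numbers, as a calculated question would."""
    def repl(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unknown wildcard {name}")
        return repr(float(values[name]))
    return WILDCARD.sub(repl, formula)


def unsafe_evaluate(formula, values):
    """The pattern behind CVE-2024-43425: hand the substituted string to the
    interpreter. Whatever the question author typed runs with the web app's rights."""
    return eval(substitute(formula, values))  # noqa: S307 - deliberately vulnerable


# Everything the hardened evaluator is willing to execute.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
_UNARYOPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
_FUNCS = {"abs": abs, "min": min, "max": max, "round": round}
_MAX_EXPONENT = 1000  # 9**9**9 would hang a "safe" evaluator just as well


def _eval_node(node):
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARYOPS:
        return _UNARYOPS[type(node.op)](_eval_node(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > _MAX_EXPONENT:
            raise ValueError("exponent too large")
        return _BINOPS[type(node.op)](left, right)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in _FUNCS and not node.keywords):
        return _FUNCS[node.func.id](*[_eval_node(arg) for arg in node.args])
    # Names, attributes, subscripts, strings, lambdas, comprehensions ... all land here.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_evaluate(formula, values):
    """Parse the substituted formula and interpret the AST ourselves, so only
    numeric literals, arithmetic and whitelisted functions ever execute."""
    return _eval_node(ast.parse(substitute(formula, values), mode="eval"))


def formula_is_accepted(formula, values):
    """True if the hardened evaluator would run the formula at all."""
    try:
        safe_evaluate(formula, values)
        return True
    except (ValueError, KeyError, SyntaxError):
        return False


# A "calculated question" formula smuggling an arbitrary call past the arithmetic.
PAYLOAD = "0 * {a} + __import__('os').getpid()"


def demo(values=None):
    """Run the same inputs through both evaluators and report what happened."""
    values = values or {"a": 3, "b": 4}
    return {
        "unsafe_formula": unsafe_evaluate("{a} * {b} + 2", values),
        "safe_formula": safe_evaluate("{a} * {b} + 2", values),
        "unsafe_payload_ran": unsafe_evaluate(PAYLOAD, values) == os.getpid(),
        "safe_payload_ran": formula_is_accepted(PAYLOAD, values),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened version is a whitelist, not a blacklist: it does not try to strip dangerous substrings from the string, it enumerates the node types it will interpret and rejects everything else, which is why attribute access, names and string constants never reach the interpreter. The exponent cap is the one non-obvious part; without it a trainer can still take the server down with a formula like `9**9**9`, which is perfectly valid arithmetic.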

https://isc.sans.edu/diary/Scans+for+Moodle+Learning+Platform+Following+Recent+Update/31230/

Internet Storm Center Entries


Wireshark 4.4's IP Address Functions (2024.09.09)

https://isc.sans.edu/diary/Wireshark+44s+IP+Address+Functions/31250/

Password Cracking & Energy: More Details (2024.09.08)

https://isc.sans.edu/diary/Password+Cracking+Energy+More+Dedails/31242/

Python & Notepad++ (2024.09.07)

https://isc.sans.edu/diary/Python+Notepad/31240/

Enrichment Data: Keeping it Fresh (2024.09.06)

https://isc.sans.edu/diary/Enrichment+Data+Keeping+it+Fresh/31236/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2024-43491 - Servicing Stack in Windows 10 version 1507 has a vulnerability that could allow attackers to exploit previously mitigated vulnerabilities on systems with specific security updates installed.

Product: Microsoft Windows 10

CVSS Score: 9.8

** KEV since 2024-09-10 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43491

ISC Diary: https://isc.sans.edu/diary/31254

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43491

CVE-2024-38014 - Windows Installer Elevation of Privilege Vulnerability

Product: Microsoft Windows Installer

CVSS Score: 7.8

** KEV since 2024-09-10 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38014

ISC Diary: https://isc.sans.edu/diary/31254

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38014

CVE-2024-38226 - Microsoft Publisher Security Feature Bypass Vulnerability

Product: Microsoft Publisher

CVSS Score: 7.3

** KEV since 2024-09-10 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38226

ISC Diary: https://isc.sans.edu/diary/31254

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38226

CVE-2024-38217 - Windows Mark of the Web Security Feature Bypass Vulnerability

Product: Microsoft Windows Mark of the Web

CVSS Score: 5.4

** KEV since 2024-09-10 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38217

ISC Diary: https://isc.sans.edu/diary/31254

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38217

CVE-2024-7591 - LoadMaster is vulnerable to improper input validation allowing for OS command injection in versions 7.2.40.0 and above, affecting ECS and Multi-Tenancy.

Product: Progress LoadMaster

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7591

ISC Podcast: https://isc.sans.edu/podcastdetail/9132

NVD References: https://support.kemptechnologies.com/hc/en-us/articles/29196371689613-LoadMaster-Security-Vulnerability-CVE-2024-7591

CVE-2024-38220 - Azure Stack Hub Elevation of Privilege Vulnerability

Product: Microsoft Azure Stack Hub

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38220

ISC Diary: https://isc.sans.edu/diary/31254

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38220

CVE-2024-8380 - SourceCodester Contact Manager with Export to VCF 1.0 is vulnerable to SQL injection via the argument contact in /endpoint/delete-account.php, allowing for remote attacks.

Product: Rems Contact Manager With Export To Vcf

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8380

NVD References: https://github.com/jadu101/CVE/blob/main/SourceCodester_Contact_Manager_delete_contact_sqli.md

CVE-2024-7261 - Zyxel NWA1123ACv3, WAC500, WAX655E, WBE530, and USG LITE 60AX firmware versions 6.70(ABVT.4), 6.70(ABVS.4), 7.00(ACDO.1), 7.00(ACLE.1), and V2.00(ACIP.2) improperly neutralize special elements in the parameter "host" in CGI programs, potentially allowing OS command execution via a crafted cookie from an unauthenticated attacker.

Product: Zyxel NWA1123ACv3

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7261

NVD References: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-aps-and-security-router-devices-09-03-2024

CVE-2024-38811 - VMware Fusion is vulnerable to code execution by malicious actors using an insecure environment variable.

Product: VMware Fusion

CVSS Score: 8.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38811

ISC Podcast: https://isc.sans.edu/podcastdetail/9124

NVD References: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24939

CVE-2024-44921 - SeaCMS v12.9 was discovered to contain a SQL injection vulnerability via the id parameter at /dmplayer/dmku/index.php?ac=del.

Product: SeaCMS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44921

NVD References: https://github.com/nn0nkey/nn0nkey/blob/main/CVE-2024-44921.md

CVE-2024-8381, CVE-2024-8384, CVE-2024-8385, CVE-2024-8387, CVE-2024-8389 - Multiple vulnerabilities in Firefox and Thunderbird prior to version 130

Product: Mozilla Firefox

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8381

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8384

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8385

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8387

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8389

NVD References: https://www.mozilla.org/security/advisories/mfsa2024-39/

NVD References: https://www.mozilla.org/security/advisories/mfsa2024-40/

NVD References: https://www.mozilla.org/security/advisories/mfsa2024-41/

NVD References: https://www.mozilla.org/security/advisories/mfsa2024-43/

NVD References: https://www.mozilla.org/security/advisories/mfsa2024-44/

CVE-2024-4259 - SAMPA is vulnerable to Improper Privilege Management through 20240902, allowing holders of AKOS to collect data provided by users without proper authorization.

Product: SAMPA AKOS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4259

NVD References: https://www.usom.gov.tr/bildirim/tr-24-1377

CVE-2024-7345 - OpenEdge LTS platforms may allow unauthorized code injection into Multi-Session Agents under certain conditions.

Product: Progress OpenEdge

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7345

NVD References: https://community.progress.com/s/article/Direct-local-client-connections-to-MS-Agents-can-bypass-authentication

CVE-2024-45307 - SudoBot is vulnerable to privilege escalation and exploit of the `-config` command in versions prior to 9.26.7, allowing anyone to potentially gain control over the bot's settings.

Product: OneSoftNet SudoBot

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45307

NVD References: https://github.com/onesoft-sudo/sudobot/commit/ef46ca98562f3c1abef4ff7dd94d8f7b8155ee50

NVD References: https://github.com/onesoft-sudo/sudobot/security/advisories/GHSA-crgg-w3rr-r9h4

CVE-2024-41433 - PingCAP TiDB v8.1.0 is vulnerable to a buffer overflow in the component expression.ExplainExpressionList, enabling attackers to trigger a DoS with specially-crafted input.

Product: PingCAP TiDB

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-41433

NVD References:

- https://gist.github.com/ycybfhb/eec3a1eefe4c85eb22f1bca6114359a1

- https://github.com/pingcap/tidb/issues/53796

CVE-2024-44809 - Pi Camera project version 1.0 by RECANTHA is vulnerable to remote code execution via the "position" GET parameter in the tilt.php script, allowing attackers to execute arbitrary commands on the server with web server user privileges.

Product: RECANTHA Pi Camera

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44809

NVD References:

- https://github.com/recantha/camera-pi/blob/ef018d212288cb16404f0b050593d20f0dc0467b/www/tilt.php#L4

- https://jacobmasse.medium.com/cve-2024-44809-remote-code-execution-in-raspberry-pi-camera-project-4b8e3486a628

CVE-2024-45443 - Directory traversal vulnerability in the cust module

Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.

Product: Huawei Emui

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45443

NVD References: https://consumer.huawei.com/en/support/bulletin/2024/9/

CVE-2024-7950 - The WP Job Portal plugin for WordPress is vulnerable to Local File Inclusion, Arbitrary Settings Update, and User Creation, allowing unauthenticated attackers to execute arbitrary code and create user accounts with Administrator privileges.

Product: WP Job Portal plugin for WordPress

Active Installations: 6,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7950

NVD References:

- https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.1.5/includes/formhandler.php

- https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.1.5/includes/includer.php

- https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.1.5/includes/wpjobportal-hooks.php

- https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.1.5/modules/configuration/controller.php

- https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.1.5/modules/user/controller.php

- https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.1.5/modules/user/tmpl/views/frontend/form-field.php

- https://plugins.trac.wordpress.org/changeset/3138675/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/ca1d5275-3398-47a7-889b-4050ebe635ee?source=cve

CVE-2024-34657 - Stack-based out-of-bounds write in Samsung Notes prior to version 4.4.21.62 allows remote attackers to execute arbitrary code.

Product: Samsung Notes

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34657

NVD References: https://security.samsungmobile.com/serviceWeb.smsb?year=2024&month=09

CVE-2024-6926 - The Viral Signup WordPress plugin is vulnerable to SQL injection due to improper sanitisation of parameters in an AJAX action accessible to unauthenticated users.

Product: WordPress Viral Signup

Active Installations: 60+ (this plugin is closed)

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6926

NVD References: https://wpscan.com/vulnerability/9ce96ce5-fcf0-4d7a-b562-f63ea3418d93/

CVE-2024-45195 - Apache OFBiz is vulnerable to a direct request ('Forced Browsing') issue before version 18.12.16, which can be fixed by upgrading to the latest release.

Product: Apache OFBiz

CVSS Score: 7.5

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45195

ISC Podcast: https://isc.sans.edu/podcastdetail/9128

NVD References:

- https://issues.apache.org/jira/browse/OFBIZ-13130

- https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy

- https://ofbiz.apache.org/download.html

- https://ofbiz.apache.org/security.html

CVE-2024-45507 - Apache OFBiz is vulnerable to Server-Side Request Forgery (SSRF) and Code Injection before version 18.12.16.

Product: Apache OFBiz

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45507

NVD References:

- https://issues.apache.org/jira/browse/OFBIZ-13132

- https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy

- https://ofbiz.apache.org/download.html

- https://ofbiz.apache.org/security.html

CVE-2024-8289 - The MultiVendorX plugin for WordPress is vulnerable to privilege escalation and account takeover, allowing unauthenticated attackers to change passwords and roles of users with the vendor role.

Product: MultiVendorX

Active Installations: 5,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8289

NVD References:

- https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.0/api/class-mvx-rest-vendors-controller.php#L382

- https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.0/api/class-mvx-rest-vendors-controller.php#L641

- https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.0/api/class-mvx-rest-vendors-controller.php#L705

- https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/trunk/api/class-mvx-rest-vendors-controller.php?rev=3145638

- https://www.wordfence.com/threat-intel/vulnerabilities/id/a85fbaff-d566-4ed2-8943-c174e0c4d2d8?source=cve

CVE-2024-44400 - D-Link DI-8400 16.07.26A1 is vulnerable to Command Injection via upgrade_filter_asp.

Product: D-Link DI-8400

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44400

NVD References:

- https://github.com/lonelylonglong/openfile-/blob/main/D-link_DI_8400-16.07.26A1_Command_Injection.md/CVE-2024-44400

- https://github.com/lonelylonglong/openfile-/blob/main/D-link_DI_8400-16.07.26A1_Command_Injection.md/D-link_DI_8400-16.07.26A1_Command_Injection.md

CVE-2024-7012 - Foreman is vulnerable to an authentication bypass due to a configuration issue with Apache's mod_proxy, potentially granting unauthorized administrative access.

Product: RedHat Satellite

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7012

NVD References:

- https://access.redhat.com/errata/RHSA-2024:6335

- https://access.redhat.com/errata/RHSA-2024:6336

- https://access.redhat.com/errata/RHSA-2024:6337

- https://access.redhat.com/security/cve/CVE-2024-7012

- https://bugzilla.redhat.com/show_bug.cgi?id=2299429

CVE-2024-7923 - Pulpcore is vulnerable to an authentication bypass issue when deployed with Gunicorn versions before 22.0, allowing unauthorized users to potentially gain administrative access.

Product: Redhat Satellite

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7923

NVD References:

- https://access.redhat.com/errata/RHSA-2024:6335

- https://access.redhat.com/errata/RHSA-2024:6336

- https://access.redhat.com/errata/RHSA-2024:6337

- https://access.redhat.com/security/cve/CVE-2024-7923

- https://bugzilla.redhat.com/show_bug.cgi?id=2305718

CVE-2024-8408 - Linksys WRT54G 4.21.5 is vulnerable to a critical stack-based buffer overflow in the POST Parameter Handler component, allowing for remote attacks.

Product: Linksys WRT54G

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8408

NVD References:

- https://github.com/BuaaIOTTeam/Iot_Linksys/blob/main/Linksys_WRT54G_validate_services_port.md

CVE-2024-7076 & CVE-2024-7078 - Semtek Sempos SQL injection vulnerabilities through July 31, 2024.

Product: Semtekyazilim Semtek Sempos

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7076

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7078

NVD References: https://www.usom.gov.tr/bildirim/tr-24-1396

CVE-2024-44808 - Vypor Attack API System v.1.0 allows remote attackers to execute arbitrary code via user GET parameter.

Product: Vypor Attack API System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44808

NVD References:

- https://github.com/Vypor/Vypors-Attack-API-System

- https://jacobmasse.medium.com/cve-2024-44808-remote-command-execution-in-vypor-ddos-attack-api-1ed073725595

CVE-2024-45076 - IBM webMethods Integration 10.15 allows an authenticated user to upload and execute arbitrary files on the underlying operating system.

Product: IBM WebMethods Integration

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45076

NVD References: https://www.ibm.com/support/pages/node/7167245

CVE-2024-20439 - Cisco Smart Licensing Utility has a vulnerability that lets an unauthenticated, remote attacker access an affected system using a static administrative credential.

Product: Cisco Smart Licensing Utility

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-20439

NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw

CVE-2024-8415 & CVE-2024-8416 - SourceCodester Food Ordering Management System 1.0 critical SQL injection flaws

Product: Oretnom23 Food Ordering Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8415

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8416

NVD References: https://github.com/Niu-zida/cve/blob/main/sql.md

NVD References: https://github.com/SherlockMA0/cve/blob/main/sql2.md

CVE-2024-43102 - FreeBSD is vulnerable to concurrent removals of certain anonymous shared memory mappings, which can result in premature object destruction and potentially lead to kernel panics, Use-After-Free attacks, and code execution.

Product: Freebsd FreeBSD 14.1

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43102

NVD References: https://security.freebsd.org/advisories/FreeBSD-SA-24:14.umtx.asc

CVE-2024-8463 - PHPGurukul Job Portal 1.0 is vulnerable to a file upload restriction bypass, enabling an authenticated user to achieve remote code execution (RCE) by uploading a webshell.

Product: PHPGurukul Job Portal

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8463

NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-job-portal

CVE-2024-42885 - ESAFENET CDG 5.6 and before is vulnerable to SQL Injection, enabling attackers to run arbitrary code through the id parameter in the data.jsp page.

Product: ESAFENET CDG

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42885

NVD References: https://supervisor0.notion.site/ESAFENET-CDG-SQL-Injection-17d7e244810147f697c3c42a884f932b

CVE-2024-24759 - MindsDB was vulnerable to DNS Rebinding prior to version 23.12.4.2, allowing threat actors to bypass server-side request forgery protection and potentially cause denial of service.

Product: MindsDB

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-24759

NVD References:

- https://github.com/mindsdb/mindsdb/commit/5f7496481bd3db1d06a2d2e62c0dce960a1fe12b

- https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4jcv-vp96-94xr

CVE-2024-44727 - Sourcecodehero Event Management System 1.0 is vulnerable to SQL Injection via the parameter 'username' in /event/admin/login.php.

Product: Angeljudesuarez Event Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44727

NVD References: https://github.com/AslamMahi/CVE-Aslam-Mahi/blob/main/Sourcecodehero%20Event%20Management%20System/CVE-2024-44727.MD

CVE-2024-45158 - Mbed TLS 3.6 before 3.6.1 is vulnerable to a stack buffer overflow in mbedtls_ecdsa functions when bits parameter exceeds supported curve sizes, affecting all values of bits in certain configurations with PSA disabled.

Product: Mbed TLS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45158

NVD References:

- https://github.com/Mbed-TLS/mbedtls/releases/

- https://mbed-tls.readthedocs.io/en/latest/security-advisories/

- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-2/

CVE-2024-8395 - FlyCASS is vulnerable to SQL injection attacks due to improper filtering of queries, allowing outside attackers to bypass authentication.

Product: FlyCASS CASS and KCM systems

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8395

NVD References: https://ian.sh/tsa

CVE-2024-8292 - The WP-Recall plugin for WordPress is vulnerable to privilege escalation/account takeover due to a lack of user identity verification during new order creation, allowing unauthenticated attackers to update passwords by supplying any email through the user_email field with the commerce addon enabled.

Product: WP-Recall Registration

Active Installations: 2,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8292

NVD References:

- https://plugins.trac.wordpress.org/browser/wp-recall/tags/16.26.8/add-on/commerce/classes/class-rcl-create-order.php#L127

- https://plugins.trac.wordpress.org/browser/wp-recall/tags/16.26.8/add-on/commerce/functions-frontend.php#L113

- https://plugins.trac.wordpress.org/browser/wp-recall/tags/16.26.8/rcl-functions.php#L1339

- https://plugins.trac.wordpress.org/changeset/3145798/wp-recall/trunk/add-on/commerce/classes/class-rcl-create-order.php

- https://www.wordfence.com/threat-intel/vulnerabilities/id/8fa4b5df-dc71-49de-880b-895eb1d9cdca?source=cve

CVE-2024-7493 - The WPCOM Member plugin for WordPress allows unauthenticated attackers to escalate privileges by passing arbitrary data during registration.

Product: WordPress WPCOM Member plugin

Active Installations: 2,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7493

NVD References:

- https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.5.2/includes/form-validation.php#L267

- https://www.wordfence.com/threat-intel/vulnerabilities/id/ec7f3e0c-a07c-4082-9b6b-12d0fbe0fdc8?source=cve

CVE-2024-44401 - D-Link DI-8100G 17.12.20A1 is vulnerable to Command Injection via sub47A60C function in the upgrade_filter.asp file

Product: D-Link DI-8100G

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44401

NVD References:

- https://github.com/lonelylonglong/openfile-/blob/main/D-link_DI_8100GA1_Command_Injection.md/CVE-2024-44401

- https://github.com/lonelylonglong/openfile-/blob/main/D-link_DI_8100GA1_Command_Injection.md/D-link_DI_8100GA1_Command_Injection.md

CVE-2024-44402 - D-Link DI-8100G 17.12.20A1 is vulnerable to Command Injection via msp_info.htm.

Product: D-Link DI-8100G

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44402

NVD References:

- https://github.com/lonelylonglong/openfile-/blob/main/msp.md/CVE-2024-44402

- https://github.com/lonelylonglong/openfile-/blob/main/msp.md/msp.md

CVE-2024-45758 - H2O.ai H2O through 3.46.0.4 allows arbitrary setting of JDBC URL, enabling deserialization attacks, file reads, and command execution by attackers.

Product: H2O.ai H2O

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45758

NVD References:

- https://gist.github.com/AfterSnows/c24ca3c26dc89ab797e610e92a6a9acb

- https://spear-shield.notion.site/Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068

CVE-2024-8517 - SPIP is vulnerable to a command injection issue, allowing remote attackers to execute arbitrary commands via a crafted HTTP request.

Product: SPIP

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8517

NVD References:

- https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html

- https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/

- https://vozec.fr/researchs/spip-preauth-rce-2024-big-upload/

- https://vulncheck.com/advisories/spip-upload-rce

CVE-2024-44838, CVE-2024-44839, & CVE-2024-45771 - RapidCMS v1.3.1 was discovered to contain multiple SQL injection vulnerabilities

Product: RapidCMS v1.3.1

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44838

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44839

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45771

NVD References: https://github.com/OpenRapid/rapidcms/issues/17

NVD References: https://github.com/OpenRapid/rapidcms/issues/18

CVE-2024-8561 - SourceCodester PHP CRUD 1.0 is vulnerable to critical SQL injection through the deletion functionality in /endpoint/delete.php.

Product: Rems PHP CRUD

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8561

CVE-2024-8565 - SourceCodester Clinics Patient Management System 2.0 is vulnerable to a critical SQL injection issue in /print_diseases.php that can be remotely exploited.

Product: Oretnom23 Clinics Patient Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8565

NVD References: https://github.com/gurudattch/CVEs/blob/main/Sourcecodester-Clinic's-Patient-Management-System-SQLi.md

CVE-2024-8567 - itsourcecode Payroll Management System 1.0 is vulnerable to a critical SQL injection attack through the /ajax.php?action=delete_deductions file, allowing remote attackers to manipulate the id argument.

Product: Payroll Management System Project

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8567

NVD References:

- https://github.com/ppp-src/ha/issues/8

- https://itsourcecode.com/

CVE-2024-8569 - Hospital Management System 1.0 has a critical vulnerability in user-login.php allowing for remote SQL injection attacks via the username argument.

Product: Fabianros Hospital Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8569

NVD References:

- https://code-projects.org/

- https://github.com/teachersongsec/cve/issues/1

CVE-2024-6924 - The TrueBooker WordPress plugin before 1.0.3 is vulnerable to SQL injection due to improper sanitisation of parameters in an AJAX action accessible by unauthenticated users.

Product: TrueBooker WordPress plugin

Active Installations: 300+ (this plugin is closed)

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6924

NVD References: https://wpscan.com/vulnerability/39e79801-6ec7-4579-bc6b-fd7e899733a8/

CVE-2024-6928 - The Opti Marketing WordPress plugin is vulnerable to SQL injection due to unauthenticated users being able to exploit an AJAX action.

Product: Opti Marketing WordPress Plugin

Active Installations: 40+ (this plugin has been closed as of August 8, 2024 and is not available for download)

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6928

NVD References: https://wpscan.com/vulnerability/7bb9474f-2b9d-4856-b36d-a43da3db0245/

CVE-2024-8579 - TOTOLINK AC1200 T8 4.1.5cu.861_B20230220 is vulnerable to a critical buffer overflow in the setWiFiRepeaterCfg function of /cgi-bin/cstecgi.cgi, allowing remote attackers to initiate attacks using a manipulated password argument.

Product: TOTOLINK AC1200 T8

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8579

NVD References: https://github.com/abcdefg-png/IoT-vulnerable/blob/main/TOTOLINK/AC1200T8/setWiFiRepeaterCfg.md

CVE-2024-8584 - Orca HCM from LEARNING DIGITAL is susceptible to unauthorized access, enabling a remote attacker to create an admin account and gain login privileges.

Product: LEARNING DIGITAL Orca HCM

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8584

NVD References:

- https://www.twcert.org.tw/en/cp-139-8040-948ef-2.html

- https://www.twcert.org.tw/tw/cp-132-8039-24e48-1.html

CVE-2024-37288 - Kibana has a deserialization vulnerability that allows for arbitrary code execution when processing specially crafted YAML payloads, affecting users of Elastic Security's built-in AI tools with an Amazon Bedrock connector configuration.

Product: Elastic Kibana

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37288

NVD References: https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119
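The Kibana issue is an instance of a general rule: YAML received from an untrusted party must only ever be turned into plain data, never handed to a loader whose tag handling can construct objects or call functions. The following is an added, generic pre-parse check written for this newsletter; it is not Elastic's or Kibana's code and says nothing about the exact loader Kibana used. It scans a YAML document for tags, ignoring anything inside quoted scalars or comments, and reports every tag outside a small allow-list so the caller can refuse the document before any parser sees it. The allow-list and both sample documents are constructed here.

```python
"""Added, generic pre-parse check for untrusted YAML; not Kibana's or Elastic's
code. The tag allow-list and the sample documents are constructed here."""
import re

# Tags that only ever build plain data under the YAML core schema. Verbatim
# '!<...>' tags and local '!foo' tags are deliberately not on the list.
ALLOWED_TAGS = {"!!str", "!!int", "!!float", "!!bool", "!!null",
                "!!seq", "!!map", "!!timestamp", "!!binary"}

# A tag is a '!' at the start of a token (line start, or after whitespace or
# flow punctuation) running to the next space or flow character; the verbatim
# '!<...>' form is matched as one unit.
TAG_RE = re.compile(r"(?<![^\s\[\{,:\-])!(?:<[^>]*>|[^\s\[\]\{\},]*)")
QUOTE_START = re.compile(r"(?<![^\s\[\{,:\-])[\"']")


def _strip_quotes_and_comments(line: str) -> str:
    """Drop quoted scalars and '#' comments so a '!' inside them is not a tag."""
    out, i, quote = [], 0, None
    while i < len(line):
        c = line[i]
        if quote:
            if c == "\\" and quote == '"':
                i += 2
                continue
            if c == quote:
                quote = None
            i += 1
            continue
        if c in "\"'" and QUOTE_START.match(line, i):
            quote = c
        elif c == "#" and (i == 0 or line[i - 1].isspace()):
            break
        else:
            out.append(c)
        i += 1
    return "".join(out)


def find_tags(yaml_text: str) -> list:
    """Every tag token in the document, in order of appearance."""
    tags = []
    for line in yaml_text.splitlines():
        cleaned = _strip_quotes_and_comments(line)
        tags.extend(m.group(0) for m in TAG_RE.finditer(cleaned))
    return tags


def disallowed_tags(yaml_text: str) -> list:
    """Tags that would make a permissive loader construct something other than
    plain data. A non-empty result means: refuse to parse this document."""
    return [t for t in find_tags(yaml_text) if t not in ALLOWED_TAGS]


# Constructed samples: a benign connector config and one carrying tags that a
# permissive loader would resolve to code.
BENIGN = """\
connector:
  name: bedrock          # !!python here is only a comment
  region: us-east-1
  timeout: !!int "30"
  note: "shout! and !!bang inside a quoted scalar"
  url: http://example.invalid/?q=a!b
"""

MALICIOUS = """\
connector:
  name: bedrock
  hook: !!python/object/apply:os.system ["id"]
  fn: !<tag:yaml.org,2002:js/function> "function(){}"
"""

if __name__ == "__main__":
    print("benign:", disallowed_tags(BENIGN))
    print("malicious:", disallowed_tags(MALICIOUS))
```

The check is deliberately conservative: anything that is not a core-schema tag is reported, including the verbatim form, so a document that needs a custom tag has to be allow-listed explicitly rather than slipping through. It is a gate in front of the parser, not a substitute for configuring the parser itself to a safe schema.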

CVE-2024-40643 - Joplin is vulnerable to XSS because it does not properly validate and sanitize input in which "<" is followed by a non-letter character.

Product: Joplin note taking and to-do application

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-40643

NVD References:

- https://github.com/laurent22/joplin/commit/b220413a9b5ed55fb1f565ac786a5c231da8bc87

- https://github.com/laurent22/joplin/security/advisories/GHSA-g796-3g6g-jmmc

CVE-2024-44721 - SeaCMS v13.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at /admin_reslib.php.

Product: SeaCMS v13.1

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44721

NVD References: https://github.com/seacms-net/CMS/issues/23

CVE-2024-44849 - Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php.

Product: Qualitor

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44849

NVD References:

- https://blog.extencil.me/information-security/cves/cve-2024-44849

- https://github.com/extencil/CVE-2024-44849?tab=readme-ov-file

CVE-2024-42500 - HPE has identified a denial of service vulnerability in HPE HP-UX System's Network File System (NFSv4) services.

Product: HPE HP-UX System

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42500

NVD References: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbux04697en_us&docLocale=en_US

CVE-2024-44902 - A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.

Product: ThinkPHP

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44902

NVD References:

- http://thinkphp.com

- https://github.com/fru1ts/CVE-2024-44902

CVE-2024-6795 - Connex health portal released before 8/30/2024 is susceptible to SQL injection, enabling unauthorized access to the database for an attacker to modify, disclose, and perform administrative tasks.

Product: Connex health portal

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6795

NVD References: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-249-01

CVE-2024-44410 & CVE-2024-44411 - D-Link DI-8300 v16.07.26A1 command injection vulnerabilities

Product: D-Link DI-8300

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44410

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44411

NVD References:

- https://github.com/LYaoBoL/IOTsec/blob/main/D-Link/DI-8300A1/CVE-2024-44410

- https://github.com/LYaoBoL/IOTsec/blob/main/D-Link/DI-8300A1/CVE-2024-44411

- https://github.com/LYaoBoL/IOTsec/blob/main/D-Link/DI-8300A1/DI-8300A1.md

- https://github.com/LYaoBoL/IOTsec/blob/main/D-Link/DI-8300A1/DI-8300A1-2.md

- https://www.dlink.com/en/security-bulletin/

CVE-2024-6342 - Zyxel NAS326 and NAS542 firmware versions through V5.21(AAZF.18)C0 and V5.21(ABAG.15)C0, respectively, are vulnerable to command injection via crafted HTTP POST requests.

Product: Zyxel NAS326 and NAS542 firmware

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6342

NVD References: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-nas-products-09-10-2024
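The D-Link DI-8300 and Zyxel NAS entries above are OS command injection: a field from an HTTP request ends up inside a command line that the device hands to a shell. The following is an added illustration written for this newsletter, not code from D-Link or Zyxel. The handler, its parameter and the diagnostic command it wraps are hypothetical; echo stands in for a real network utility so the example runs anywhere with /bin/sh, and the crafted host value is constructed here.

```python
"""Added illustration of OS command injection in a device-management handler;
not code from D-Link or Zyxel. The handler, its parameter and the command it
wraps are hypothetical; 'echo' stands in for a real network utility so the
example runs anywhere with /bin/sh."""
import re
import subprocess

# Allow-list for the one field this hypothetical handler accepts.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def run_diag_vulnerable(host: str) -> str:
    """Builds a shell command line from a request field: shell metacharacters
    in 'host' become additional commands run by /bin/sh."""
    proc = subprocess.run(f"echo {host}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_diag_argv(host: str) -> str:
    """Argument vector, no shell: the field reaches the program as a single
    argv entry and is never re-parsed, whatever characters it contains."""
    proc = subprocess.run(["echo", host], capture_output=True, text=True)
    return proc.stdout


def run_diag_safe(host: str) -> str:
    """Hardened handler: allow-list the field, then pass it as an argv entry."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    return run_diag_argv(host)


def demo(payload: str = "example.invalid; echo INJECTED") -> dict:
    """Send the same crafted 'host' value through all three handlers."""
    try:
        run_diag_safe(payload)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    return {
        "vulnerable_output": run_diag_vulnerable(payload),
        "argv_output": run_diag_argv(payload),
        "safe_rejected": safe_rejected,
        "safe_legit": run_diag_safe("gw.example.invalid"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The shell-built version executes the injected second command; the argv version prints the whole payload as a literal string because nothing re-parses it; the hardened version rejects the payload outright and still serves a legitimate hostname. In firmware written in C the equivalent of the argv form is execv-family calls with a fixed argument array instead of system() or popen() on a formatted string.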

CVE-2024-6596 - An unauthenticated remote attacker can run malicious C# code included in curve files and execute commands in the user's context.

Product: Endress+Hauser AG Multiple Products

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6596

NVD References: https://cert.vde.com/en/advisories/VDE-2024-041

CVE-2024-33698 - SIMATIC Information Server 2022, SIMATIC Information Server 2024, SIMATIC PCS neo, SINEC NMS, and TIA Portal versions 16, 17, 18, and 19 are susceptible to a heap-based buffer overflow vulnerability in the integrated UMC component, enabling a remote attacker to execute arbitrary code.

Product: Siemens Totally Integrated Automation Portal (TIA Portal)

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33698

NVD References: https://cert-portal.siemens.com/productcert/html/ssa-039007.html

CVE-2024-35783 - SIMATIC BATCH V9.1, SIMATIC Information Server 2020, SIMATIC Information Server 2022, SIMATIC PCS 7 V9.1, SIMATIC Process Historian 2020, SIMATIC Process Historian 2022, SIMATIC WinCC Runtime Professional V18, SIMATIC WinCC Runtime Professional V19, SIMATIC WinCC V7.4, SIMATIC WinCC V7.5, and SIMATIC WinCC V8.0 are vulnerable to an elevation of privilege attack allowing an authenticated attacker to execute arbitrary OS commands with administrative privileges.

Product: Siemens SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 18)

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35783

NVD References: https://cert-portal.siemens.com/productcert/html/ssa-629254.html

CVE-2024-45032 - Industrial Edge Management Pro and Industrial Edge Management Virtual versions prior to V1.9.5 and V2.3.1-1, respectively, are vulnerable to impersonation attacks due to improper validation of device tokens by affected components.

Product: Siemens Industrial Edge Management

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45032

NVD References: https://cert-portal.siemens.com/productcert/html/ssa-359713.html

CVE-2024-40754 - Heap-based buffer overflow vulnerability in the Samsung open source Escargot JavaScript engine. This issue affects Escargot 4.0.0.

Product: Samsung Escargot JavaScript Engine

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-40754

NVD References: https://github.com/Samsung/escargot/pull/1369

CVE-2023-37226, CVE-2023-37227, & CVE-2023-37231 - Loftware Spectrum multiple vulnerabilities

Product: Loftware Spectrum

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37226 (Missing Authentication for a Critical Function)

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37227 (Deserialization of Untrusted Data)

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37231 (Hard-coded Password)

NVD References:

- https://code-white.com

- https://code-white.com/public-vulnerability-list/

- https://docs.loftware.com/spectrum-releasenotes/Content/Hotfix/4.6_HF14.htm

CVE-2024-44677 - Eladmin v2.7 and before is vulnerable to SSRF, enabling attackers to execute arbitrary code through DatabaseController.java.

Product: eladmin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44677

NVD References:

- https://github.com/elunez/eladmin

- https://github.com/jcxj/jcxj/blob/master/source/_posts/eladmin-%E5%A4%8D%E7%8E%B0.md

CVE-2024-45593 - Nix package manager version 2.24 prior to 2.24.6 allows malicious users to write to arbitrary file system locations with root permissions.

Product: Nix package Manager

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45593

NVD References:

- https://github.com/NixOS/nix/commit/eb11c1499876cd4c9c188cbda5b1003b36ce2e59

- https://github.com/NixOS/nix/security/advisories/GHSA-h4vv-h3jq-v493

CVE-2024-38119 - Windows Network Address Translation (NAT) Remote Code Execution Vulnerability

Product: Microsoft Windows Network Address Translation (NAT)

CVSS Score: 7.5

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38119

ISC Diary: https://isc.sans.edu/diary/31254

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38119

CVE-2024-44893 - An issue in the component /jeecg-boot/jmreport/dict/list of JimuReport v1.7.8 allows an attacker to escalate privileges via a crafted GET request.

Product: JimuSoftware JimuReport

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44893

NVD References: https://github.com/jeecgboot/JimuReport/issues/2904

CVE-2024-45409 - Ruby-SAML versions up to 1.12.2, and 1.13.0 through 1.16.0, do not properly verify the signature of the SAML Response. An unauthenticated attacker who holds any SAML document signed by the IdP can forge a SAML Response/Assertion with arbitrary contents and log in as an arbitrary user. Fixed in 1.12.3 and 1.17.0.

Product: Ruby-SAML

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45409

NVD References:

- https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae

- https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7

- https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
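The Ruby-SAML entry is the classic failure mode of SAML consumers: the element whose signature is verified and the element whose NameID is trusted are not guaranteed to be the same. The following is an added set of structural pre-checks written for this newsletter against the Python standard library's XML parser; it is not ruby-saml's code and does not reproduce the exact defect in that library. The checks run before (not instead of) full XML-Signature verification, and reject documents in which those two elements could differ: duplicate IDs, more than one Assertion, an Assertion nested in a wrapper, more than one Signature, or a Reference that does not name the element carrying the Signature. Both sample responses are constructed here and the SignatureValue is a placeholder.

```python
"""Added structural pre-checks for a SAML Response; not ruby-saml's code.
They run before full XML-Signature verification. Both sample responses are
constructed here and the SignatureValue is a placeholder."""
import xml.etree.ElementTree as ET

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
ASSERTION = f"{{{NS_SAML}}}Assertion"
RESPONSE = f"{{{NS_SAMLP}}}Response"
SIGNATURE = f"{{{NS_DS}}}Signature"
REFERENCE = f"{{{NS_DS}}}Reference"


def structural_checks(xml_text: str) -> list:
    """Return a list of problems; empty means the document has the shape a
    relying party should insist on before checking the signature itself."""
    problems = []
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    if root.tag != RESPONSE:
        problems.append("root element is not a samlp:Response")

    # 1. IDs must be unique: a duplicate lets an unsigned copy be resolved
    #    where the signed original is expected.
    seen = set()
    for el in root.iter():
        id_ = el.get("ID")
        if id_ is not None:
            if id_ in seen:
                problems.append(f"duplicate ID {id_!r}")
            seen.add(id_)

    # 2. Exactly one Assertion, directly under the Response (not inside
    #    Extensions or any other wrapper element).
    assertions = list(root.iter(ASSERTION))
    if len(assertions) != 1:
        problems.append(f"expected exactly one Assertion, found {len(assertions)}")
    for a in assertions:
        if parent.get(a) is not root:
            problems.append(f"Assertion {a.get('ID')!r} is not a direct child of the Response")

    # 3. Exactly one Signature, enveloped in the Assertion or the Response.
    sigs = list(root.iter(SIGNATURE))
    if len(sigs) != 1:
        problems.append(f"expected exactly one Signature, found {len(sigs)}")
        return problems
    signed = parent.get(sigs[0])
    if signed is None or signed.tag not in (ASSERTION, RESPONSE):
        problems.append("Signature is not a direct child of the Assertion or the Response")
        return problems

    # 4. The single Reference must point, by ID, at the element that carries
    #    the Signature; the signature then covers exactly what is consumed.
    refs = list(sigs[0].iter(REFERENCE))
    if len(refs) != 1:
        problems.append(f"expected exactly one Reference, found {len(refs)}")
        return problems
    uri = refs[0].get("URI", "")
    if uri != "#" + (signed.get("ID") or ""):
        problems.append(f"Reference URI {uri!r} does not name the element carrying the Signature")
    return problems


def naive_nameid(xml_text: str) -> str:
    """What a consumer that simply takes the first Assertion would act on."""
    root = ET.fromstring(xml_text)
    path = f".//{ASSERTION}/{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID"
    return root.find(path).text


# Constructed samples. The signed Assertion is the same in both documents.
SIGNED_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject><saml:NameID>user@example.invalid</saml:NameID></saml:Subject>
</saml:Assertion>"""

GOOD_RESPONSE = f"""\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">
{SIGNED_ASSERTION}
</samlp:Response>"""

# Wrapping: an unsigned Assertion with the same ID and a different NameID is
# placed where a consumer looks first; the signed original is parked in
# Extensions so a verifier that resolves "#_a1" can still find it.
WRAPPED_RESPONSE = f"""\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>admin@example.invalid</saml:NameID></saml:Subject>
  </saml:Assertion>
  <samlp:Extensions>
{SIGNED_ASSERTION}
  </samlp:Extensions>
</samlp:Response>"""

if __name__ == "__main__":
    for name, doc in (("good", GOOD_RESPONSE), ("wrapped", WRAPPED_RESPONSE)):
        print(name, naive_nameid(doc), structural_checks(doc))
```

On the constructed wrapped document a consumer that takes the first Assertion would log in admin@example.invalid while the only signature in the document covers user@example.invalid; the pre-checks flag the duplicate ID, the second Assertion and the Assertion hidden under Extensions before any digest or signature value is examined. After these checks pass, the cryptographic verification must still compute the digest over exactly the element the Reference names, and the consumer must read its NameID from that same element.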

CVE-2024-8503 - VICIdial is vulnerable to time-based SQL injection, allowing attackers to access plaintext credentials stored in the database.

Product: VICIdial

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8503

NVD References:

- https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt

- https://www.vicidial.org/vicidial.php
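Time-based SQL injection of the kind reported against VICIdial leaves a distinctive trace in web server logs: a delay primitive in the query string and a response time that matches it. The following is an added detection example written for this newsletter, not VICIdial's code or KoreLogic's. The log lines are constructed in Apache combined format with a trailing %D field (request duration in microseconds); the paths and parameter names are hypothetical. The detector URL-decodes twice to catch double encoding and strips MySQL inline comments, a common filter-evasion wrapper, before matching.

```python
"""Added detection example for time-based SQL injection attempts in access
logs; not VICIdial's code. Log lines are constructed in Apache combined
format with a trailing %D (duration in microseconds); paths and parameter
names are hypothetical."""
import re
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<us>\d+)$'
)
# Delay primitives of the common engines. Sleep-like words only count when
# used as a function call or as the WAITFOR DELAY statement, so ordinary
# text such as "sleep apnea" in a search parameter is not flagged.
DELAY_RE = re.compile(
    r"(?i)\b(?:sleep|benchmark|pg_sleep|dbms_pipe\.receive_message)\s*\(|\bwaitfor\s+delay\b"
)
# MySQL inline/conditional comment delimiters: /*!50000BENCHMARK(...)*/
INLINE_COMMENT_RE = re.compile(r"/\*!?\d*|\*/")


def normalize(target: str) -> str:
    """Decode up to twice (double encoding) and drop inline comments."""
    text = target
    for _ in range(2):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return INLINE_COMMENT_RE.sub("", text)


def detect_time_based_sqli(lines, slow_ms: int = 2000) -> list:
    """One finding per line whose query string carries a delay primitive;
    'slow' marks requests whose duration is consistent with the delay firing."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        query = m.group("target").partition("?")[2]
        hit = DELAY_RE.search(normalize(query))
        if not hit:
            continue
        duration_ms = int(m.group("us")) // 1000
        findings.append({
            "line": n, "ip": m.group("ip"), "target": m.group("target"),
            "match": hit.group(0).strip(), "duration_ms": duration_ms,
            "slow": duration_ms >= slow_ms,
        })
    return findings


# Constructed log lines: one benign search, a SLEEP(5) probe, a double-encoded
# BENCHMARK probe wrapped in a conditional comment, and a benign POST.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2024:14:03:11 +0000] "GET /agent/example.php?q=sleep+apnea HTTP/1.1" 200 5123 "-" "Mozilla/5.0" 84213',
    '203.0.113.9 - - [10/Sep/2024:14:03:12 +0000] "GET /agent/example.php?id=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 412 "-" "python-requests/2.32" 5013877',
    '203.0.113.9 - - [10/Sep/2024:14:03:19 +0000] "GET /agent/example.php?user=x%2527%2520OR%2520%252F%252A%252150000BENCHMARK(5000000%252CMD5(1))%252A%252F--%2520 HTTP/1.1" 200 412 "-" "python-requests/2.32" 6203441',
    '198.51.100.7 - - [10/Sep/2024:14:04:02 +0000] "POST /agent/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" 61877',
]

if __name__ == "__main__":
    for f in detect_time_based_sqli(SAMPLE_LOG):
        print(f)
```

The duration correlation is what separates a scanner merely probing for the pattern from an injection that actually executed: a request carrying SLEEP(5) that returned in 80 ms tells you the input was rejected or escaped, while one that took five seconds tells you the statement ran. POST bodies are not in the access log, so for form-based endpoints such as a login page the same matching has to be applied at the application or WAF layer.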

CVE-2021-20124 - Draytek VigorConnect 1.6.0-B3 is vulnerable to local file inclusion in its WebServlet endpoint, allowing unauthenticated attackers to download files from the operating system with root privileges.

Product: Draytek VigorConnect 1.6.0

CVSS Score: 0

** KEV since 2024-09-03 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-20124

CVE-2017-1000253 - Linux distributions that have not patched their long-term kernels with commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86 are vulnerable to a flaw in how load_elf_binary() maps PIE executables, which a local attacker can use to escalate privileges.

Product: Linux Kernel

CVSS Score: 0

** KEV since 2024-09-09 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-1000253