@RISK: The Consensus Security Vulnerability Alert: Vol. 24, Num. 47

@RISK: The Consensus Security Vulnerability Alert
December 5, 2024 – Vol. 24, Num. 47

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Credential Guard and Kerberos delegation
Published: 2024-12-02.
Last Updated: 2024-12-02 08:47:36 UTC
by Bojan Zdrnja (Version: 1)

The vast majority of red team exercises that I (and my team, of course) have been doing lately are assumed breach scenarios. In an assumed breach scenario (and we cover this in the amazing SEC565: Red Team Operations and Adversary Emulation SANS course that I also teach!) the red team is usually given access as a non-privileged domain user, simulating an attacker who has already established a first foothold in the organization.

This works quite well, as we know that eventually the attacker will succeed and perhaps get a victim (most of the time through some kind of social engineering) to execute their binary. So the first part of such an engagement is to create a malicious binary (an implant) that will evade the security controls in the target organization. Most red teams will have specialists for this.

The next step includes delivery of the implant and its execution in the context of a regular, non-privileged domain user, on the workstation designated for the red team exercise. And if everything works well, we’ll get that beacon communicating to our front-end servers.

What now? While there are many things we do next, such as getting some awareness of the organization, setting up persistence, or trying to move laterally, there are cases when we would like to fetch the user’s password, or their TGT (Ticket Granting Ticket) for Kerberos. Some actions will not need this, as we can use the built-in Windows authentication of the process our beacon is running under, but if you want, for example, to start a SOCKS proxy and tunnel some tools from your office, we will need to authenticate to target services, and for that we will need either the user’s password, their password hash or their TGT. How do we get one through our implant, considering that we do not have local administrator privileges yet? …

Read the full entry: https://isc.sans.edu/diary/Credential+Guard+and+Kerberos+delegation/3148/

The strange case of disappearing Russian servers
Published: 2024-11-25.
Last Updated: 2024-11-25 13:34:45 UTC
by Jan Kopriva (Version: 1)

A few months ago, I noticed that something strange was happening with the number of servers seen by Shodan in Russia…

In order to identify any unusual changes on the internet that might be worth a closer look, I put together a simple script a few years ago. It periodically goes over data that was gathered from the Shodan search engine by my TriOp tool, and looks for significant changes in the number of public IP addresses with various services enabled on them. This script alerts me any time there seems to be something unusual – i.e., if Shodan detects more than a 10 % increase in the number of HTTPS servers during the course of a week, or if there is more than a 20 % decrease in the number of e-mail servers in a specific country in the course of a month.

Around the beginning of August, the script started alerting me to a decrease in the number of basically all types of servers that Shodan detected in Russia.

Since the internet-wide scanning and service identification performed by Shodan, Censys and similar search engines is hardly an exact science, the number of systems they detect can oscillate significantly in the short term, and a single alert from my script therefore seldom means that a real change is occurring. Nevertheless, the alerts kept coming for multiple days and weeks in a row, so I decided to take a closer look at the underlying data… And, indeed, from Shodan’s point of view, it looked as if significant portions of the Russian internet were disappearing.

My theory was that it might have been caused by the introduction of some new functionality into the internet filtering technology that Russia uses to censor internet traffic and block access to various external services, which started interfering with Shodan’s probes. And while I still believe this might be the case, looking at the data now, when the number of Russian servers has been more or less stable for about 6 weeks, it seems that the cause of the decrease was at least partially different …

Read the full entry: https://isc.sans.edu/diary/The+strange+case+of+disappearing+Russian+servers/31476/
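The alerting logic the diary describes (a per-country, per-service time series of scan-derived counts, with a "+10 % HTTPS in a week" and a "-20 % e-mail in a month" rule), as an added example written for this newsletter rather than the author's TriOp script. The counts are constructed and made up: Russian counts are flat for 20 days and then shrink by one percent of the baseline per day, German counts stay flat. Service labels, rule names and the "consecutive alert days" helper are this example's own choices; the latter encodes the diary's caveat that a single alert is usually scanner noise and only a run of them deserves a closer look.

```python
"""Threshold alerting on scan-derived service counts (added example, not TriOp)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Rule:
    service: str                        # label used in the counts, e.g. "https" or "smtp"
    window_days: int                    # compare today's count with the count this many days earlier
    max_increase: Optional[float] = None    # alert when relative growth exceeds this fraction
    max_decrease: Optional[float] = None    # alert when relative shrinkage exceeds this fraction


# The two thresholds quoted in the diary: +10 % HTTPS in a week, -20 % e-mail in a month.
RULES = (
    Rule("https", 7, max_increase=0.10),
    Rule("smtp", 30, max_decrease=0.20),
)


def build_sample():
    """Constructed, made-up daily counts shaped like a per-country Shodan export.

    RU is flat for 20 days, then loses one percent of the baseline per day
    (floored at 50 %); DE stays flat. Integer percentages keep the numbers exact.
    """
    start = date(2024, 7, 1)
    counts = {("RU", "smtp"): {}, ("RU", "https"): {}, ("DE", "https"): {}}
    for i in range(60):
        day = start + timedelta(days=i)
        pct = 100 if i < 20 else max(50, 100 - (i - 19))
        counts[("RU", "smtp")][day] = 20_000 * pct // 100
        counts[("RU", "https")][day] = 100_000 * pct // 100
        counts[("DE", "https")][day] = 90_000
    return counts


def _as_date(day):
    return date.fromisoformat(day) if isinstance(day, str) else day


def relative_change(series, day, window_days):
    """(old, new, fraction) for `day` versus `window_days` earlier, or None when data is missing."""
    day = _as_date(day)
    old_day = day - timedelta(days=window_days)
    if old_day not in series or day not in series or series[old_day] == 0:
        return None
    old, new = series[old_day], series[day]
    return old, new, (new - old) / old


def check(counts, day, rules=RULES):
    """Evaluate every rule against every (country, service) series for one day."""
    alerts = []
    for (country, service), series in counts.items():
        for rule in rules:
            if rule.service != service:
                continue
            change = relative_change(series, day, rule.window_days)
            if change is None:
                continue
            old, new, frac = change
            if rule.max_increase is not None and frac > rule.max_increase:
                kind = "increase"
            elif rule.max_decrease is not None and frac < -rule.max_decrease:
                kind = "decrease"
            else:
                continue
            alerts.append({"day": _as_date(day).isoformat(), "country": country, "service": service,
                           "window_days": rule.window_days, "old": old, "new": new,
                           "change": round(frac, 3), "kind": kind})
    return alerts


def consecutive_alert_days(counts, end_day, country, service, rules=RULES):
    """Length of the unbroken run of alert days for one series, ending on `end_day`.

    One alert is usually scanner noise; a run of them is worth the closer look.
    The loop ends as soon as a day has no alert (including days with no data).
    """
    end_day = _as_date(end_day)
    run = 0
    while True:
        day = end_day - timedelta(days=run)
        hits = [a for a in check(counts, day, rules)
                if a["country"] == country and a["service"] == service]
        if not hits:
            return run
        run += 1


if __name__ == "__main__":
    sample = build_sample()
    for alert in check(sample, "2024-08-29"):
        print(alert)
    print("consecutive RU smtp alert days:",
          consecutive_alert_days(sample, "2024-08-29", "RU", "smtp"))
```

Feeding real exports means replacing `build_sample()` with a loader for whatever TriOp or a Shodan `count` query writes out; the rules and the run-length filter do not change. Tuning `consecutive_alert_days` to require, say, five days before paging someone is the practical answer to the short-term oscillation the diary mentions.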

OTHER INTERNET STORM CENTER ENTRIES
Data Analysis: The Unsung Hero of Cybersecurity Expertise [Guest Diary] (2024.12.04)
https://isc.sans.edu/diary/Data+Analysis+The+Unsung+Hero+of+Cybersecurity+Expertise+Guest+Diary/31494/

Extracting Files Embedded Inside Word Documents (2024.12.03)
https://isc.sans.edu/diary/Extracting+Files+Embedded+Inside+Word+Documents/31486/

From a Regular Infostealer to its Obfuscated Version (2024.11.30)
https://isc.sans.edu/diary/From+a+Regular+Infostealer+to+its+Obfuscated+Version/31484/

Quickie: Mass BASE64 Decoding (2024.11.29)
https://isc.sans.edu/diary/Quickie+Mass+BASE64+Decoding/31470/

SANS ISC Internship Setup: AWS DShield Sensor + DShield SIEM [Guest Diary] (2024.11.26)
https://isc.sans.edu/diary/SANS+ISC+Internship+Setup+AWS+DShield+Sensor+DShield+SIEM+Guest+Diary/31480/

[Guest Diary] Using Zeek, Snort, and Grafana to Detect Crypto Mining Malware (2024.11.26)
https://isc.sans.edu/diary/Guest+Diary+Using+Zeek+Snort+and+Grafana+to+Detect+Crypto+Mining+Malware/31472/

Quick & Dirty Obfuscated JavaScript Analysis (2024.11.24)
https://isc.sans.edu/diary/Quick+Dirty+Obfuscated+JavaScript+Analysis/31468/

Decrypting a PDF With a User Password (2024.11.23)
https://isc.sans.edu/diary/Decrypting+a+PDF+With+a+User+Password/31466

Wireshark 4.4.2 Released (2024.11.23)
https://isc.sans.edu/diary/Wireshark+442+Released/31460/

An Infostealer Searching for BIP-0039 Data (2024.11.22)
https://isc.sans.edu/diary/An+Infostealer+Searching+for+BIP0039+Data/31464/

Increase In Phishing SVG Attachments (2024.11.21)
https://isc.sans.edu/diary/Increase+In+Phishing+SVG+Attachments/31456/

RECENT CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
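The merge the paragraph describes (NVD records joined against the CISA Known Exploited Vulnerabilities catalogue, KEV entries kept even when unscored, the rest filtered by CVSS), as an added example that is not the newsletter's own tooling. The two input dictionaries are constructed inline in the shape of the NVD API 2.0 response and the KEV JSON feed; nothing is fetched. The CVE identifiers, scores and KEV dates are copied from this issue's list, the shortened descriptions and the `PRODUCT_HINTS` mapping are this example's own.

```python
"""Assemble RECENT CVEs style entries from NVD records plus the CISA KEV feed (added example)."""

# Constructed sample in the NVD API 2.0 shape: {"vulnerabilities": [{"cve": {...}}, ...]}.
NVD_SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-2024-11680",
             "descriptions": [{"lang": "en", "value": "ProjectSend versions prior to r1720 have an improper authentication vulnerability."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-2023-45727",
             "descriptions": [{"lang": "en", "value": "Proself is vulnerable to remote XML External Entity (XXE) attacks."}],
             "metrics": {}}},                                     # unscored in NVD
    {"cve": {"id": "CVE-2024-11667",
             "descriptions": [{"lang": "en", "value": "Zyxel firewall firmware is vulnerable to directory traversal via a crafted URL."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]}}},
    {"cve": {"id": "CVE-2024-42327",
             "descriptions": [{"lang": "en", "value": "Zabbix allows non-admin user accounts with API access to exploit an SQLi vulnerability in the CUser class."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.9}}]}}},
    {"cve": {"id": "CVE-2024-49804",
             "descriptions": [{"lang": "en", "value": "IBM Security Verify Access Appliance allows a local non-administrative user to escalate privileges."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.8}}]}}},
]}

# Constructed sample in the KEV JSON feed shape.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2024-11680", "dateAdded": "2024-12-03", "vendorProject": "ProjectSend", "product": "ProjectSend"},
    {"cveID": "CVE-2023-45727", "dateAdded": "2024-12-03", "vendorProject": "North Grid", "product": "Proself"},
    {"cveID": "CVE-2024-11667", "dateAdded": "2024-12-03", "vendorProject": "Zyxel", "product": "Multiple Firewalls"},
]}

# Assumed side table for non-KEV records (NVD carries CPEs, not a friendly product name).
PRODUCT_HINTS = {"CVE-2024-42327": "Zabbix", "CVE-2024-49804": "IBM Security Verify Access Appliance"}


def cvss_score(cve):
    """Newest CVSS base score NVD carries for a record; 0.0 when unscored (as the newsletter prints)."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        for entry in metrics.get(key, []):
            score = entry.get("cvssData", {}).get("baseScore")
            if score is not None:
                return float(score)
    return 0.0


def english_description(cve):
    for d in cve.get("descriptions", []):
        if d.get("lang") == "en":
            return d["value"]
    return ""


def kev_index(kev):
    """cveID -> KEV record, for O(1) joins."""
    return {v["cveID"]: v for v in kev.get("vulnerabilities", [])}


def build_entries(nvd, kev, min_score=9.0, product_hints=PRODUCT_HINTS):
    """Keep every KEV record regardless of score, plus non-KEV records scoring >= min_score.

    KEV entries sort first (exploitation is confirmed there), then by score descending.
    """
    kev_by_id = kev_index(kev)
    entries = []
    for item in nvd.get("vulnerabilities", []):
        cve = item["cve"]
        cve_id = cve["id"]
        score = cvss_score(cve)
        kev_rec = kev_by_id.get(cve_id)
        if kev_rec is None and score < min_score:
            continue
        if kev_rec:
            vendor, product = kev_rec["vendorProject"], kev_rec["product"]
            product = product if vendor in product else f"{vendor} {product}"
        else:
            product = product_hints.get(cve_id, "(unknown)")
        entries.append({"id": cve_id, "description": english_description(cve), "product": product,
                        "score": score, "kev_since": kev_rec["dateAdded"] if kev_rec else None})
    entries.sort(key=lambda e: (e["kev_since"] is None, -e["score"], e["id"]))
    return entries


def render(entry):
    """Format one entry the way this section does."""
    lines = [f"{entry['id']} – {entry['description']}",
             f"Product: {entry['product']}",
             f"CVSS Score: {entry['score']:g}"]
    if entry["kev_since"]:
        lines.append(f"** KEV since {entry['kev_since']} **")
    lines.append(f"NVD: https://nvd.nist.gov/vuln/detail/{entry['id']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for e in build_entries(NVD_SAMPLE, KEV_SAMPLE):
        print(render(e), end="\n\n")
```

The point of keeping unscored KEV records is visible in the sample: CVE-2023-45727 has no CVSS in NVD yet but is actively exploited, so a score-only filter would silently drop the one entry most worth patching first.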

CVE-2024-49039 – Windows Task Scheduler Elevation of Privilege Vulnerability
Product: Microsoft Windows Task Scheduler
CVSS Score: 0
** KEV since 2024-11-12 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49039
ISC Podcast: https://isc.sans.edu/podcastdetail/9240

CVE-2024-11680 – ProjectSend versions prior to r1720 have an improper authentication vulnerability that remote attackers can exploit to modify the application’s configuration without authorization, create accounts, upload webshells, and embed malicious JavaScript.
Product: ProjectSend
CVSS Score: 9.8
** KEV since 2024-12-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11680
NVD References:
– https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml
– https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744
– https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb
– https://vulncheck.com/advisories/projectsend-bypass
– https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf

CVE-2023-45727 – Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier are vulnerable to remote XML External Entity (XXE) attacks, allowing an unauthenticated attacker to read arbitrary server files containing sensitive account information.
Product: Northgrid Proself
CVSS Score: 0
** KEV since 2024-12-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45727

CVE-2024-11667 – Zyxel ATP, USG FLEX, and USG20(W)-VPN series firmware is vulnerable to a directory traversal in the web management interface that allows an attacker to download or upload files via a crafted URL.
Product: Zyxel ATP series
CVSS Score: 7.5
** KEV since 2024-12-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11667
NVD References: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-27-2024

CVE-2024-49803 – IBM Security Verify Access Appliance 10.0.0 through 10.0.8 allows remote authenticated attackers to execute arbitrary commands via a specially crafted request.
Product: IBM Security Verify Access Appliance
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49803
ISC Podcast: https://isc.sans.edu/podcastdetail/9238
NVD References: https://www.ibm.com/support/pages/node/7177447

CVE-2024-49805 & CVE-2024-49806 – IBM Security Verify Access Appliance 10.0.0 through 10.0.8 has hard-coded credentials that can be exploited for authentication and data encryption.
Product: IBM Security Verify Access Appliance
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49805
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49806
ISC Podcast: https://isc.sans.edu/podcastdetail/9238
NVD References: https://www.ibm.com/support/pages/node/7177447

CVE-2024-49804 – IBM Security Verify Access Appliance versions 10.0.0 through 10.0.8 allow a locally authenticated non-administrative user to escalate privileges through unnecessary permissions.
Product: IBM Security Verify Access Appliance
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49804
ISC Podcast: https://isc.sans.edu/podcastdetail/9238
NVD References: https://www.ibm.com/support/pages/node/7177447

CVE-2024-52787 – Libre-chat v0.0.6 is vulnerable to path traversal attacks through the upload_documents method when a malicious filename is supplied in an uploaded file.
Product: libre-chat
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52787
NVD References:
– https://gist.github.com/jxfzzzt/276a6e8cfbc54d2c2711bb51d8d3dff3
– https://github.com/vemonet/libre-chat/commit/dbb8e3400e5258112179783d74c9cc54310cb72b
– https://github.com/vemonet/libre-chat/issues/10
– https://github.com/vemonet/libre-chat/pull/9
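The libre-chat entry above is the usual shape of upload path traversal: the client-supplied filename is joined onto the upload directory and `../` or an absolute path walks out of it. The following is an added example written for this newsletter, not libre-chat's code and not its fix: `unsafe_target` reproduces the vulnerable join, `sanitize_filename` and `safe_target` show a hardened version (single path component, character allowlist, no leading dots, plus a realpath containment check as defence in depth). All paths and the upload body are constructed.

```python
"""Upload filename handling: the traversal bug beside a hardened version (added example)."""
import os
import posixpath
import re
import tempfile

_DISALLOWED = re.compile(r"[^A-Za-z0-9._-]")


def unsafe_target(upload_dir, filename):
    """Vulnerable: trusts the client's filename, so '../' and absolute names escape upload_dir."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def sanitize_filename(filename):
    """Reduce a client-supplied name to one safe path component, or raise ValueError."""
    if not isinstance(filename, str) or "\x00" in filename:
        raise ValueError("invalid filename")
    # Treat backslashes as separators too: a Windows-style '..\..\x' must not survive on POSIX.
    name = posixpath.basename(filename.replace("\\", "/"))
    name = _DISALLOWED.sub("_", name).lstrip(".")   # no hidden files, and '.'/'..' become empty
    if not name:
        raise ValueError("empty filename after sanitising")
    return name[:255]


def rejects(filename):
    """True when sanitize_filename refuses the name (used to show the rejected cases)."""
    try:
        sanitize_filename(filename)
    except ValueError:
        return True
    return False


def is_inside(root, path):
    """True when `path` resolves to root itself or something beneath it (symlinks followed)."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return os.path.commonpath([root, path]) == root


def safe_target(upload_dir, filename):
    """Hardened: sanitise the name, then verify the resolved path is still inside upload_dir."""
    root = os.path.realpath(upload_dir)
    target = os.path.join(root, sanitize_filename(filename))
    if not is_inside(root, target):            # defence in depth; unreachable after sanitising
        raise ValueError("path escapes upload directory")
    return target


def save_upload(upload_dir, filename, data):
    """Write the upload under its sanitised name without clobbering an existing file."""
    target = safe_target(upload_dir, filename)
    with open(target, "xb") as fh:              # 'x' refuses to overwrite
        fh.write(data)
    return target


def demo():
    """Constructed run in a fresh temporary directory; returns the basename the hostile name was stored under."""
    root = tempfile.mkdtemp(prefix="uploads-")
    saved = save_upload(root, "../../etc/passwd", b"constructed upload body")
    assert is_inside(root, saved)
    return os.path.basename(saved)


if __name__ == "__main__":
    print("vulnerable join ->", unsafe_target("/srv/uploads", "../../etc/passwd"))
    print("hardened        ->", safe_target("/srv/uploads", "../../etc/passwd"))
    print("stored as       ->", demo())
```

The containment check in `safe_target` cannot fire once `sanitize_filename` has run, and that is the point: if a later refactor loosens the sanitiser, the realpath comparison is the second line that still stops `../../etc/passwd` from being written.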

CVE-2024-50672 – Adapt Learning Adapt Authoring Tool <= 0.11.3 is vulnerable to a NoSQL injection that allows unauthenticated attackers to reset passwords and take over the administrator account, potentially leading to remote code execution on the server.
Product: Adapt Learning Adapt Authoring Tool
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50672
NVD References:
– https://github.com/adaptlearning/adapt_authoring
– https://github.com/dos-m0nk3y/CVE/tree/main/CVE-2024-50672

CVE-2024-28038 – Sharp and Toshiba Tec MFPs process the cookie value improperly in their web interface, leading to a stack buffer overflow when an overly long character string is given to the MFPSESSIONID parameter.
Product: Sharp / Toshiba Tec MFP
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-28038
NVD References:
– https://global.sharp/products/copier/info/info_security_2024-05.html
– https://jp.sharp/business/print/information/info_security_2024-05.html
– https://jvn.jp/en/vu/JVNVU93051062/
– https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html
– https://www.toshibatec.co.jp/information/20240531_02.html
– https://www.toshibatec.com/information/20240531_02.html

CVE-2024-33610 – Sharp / Toshiba Tec MFP: “Sessionlist.html and sys_trayentryreboot.html allow unauthorized access to sensitive user session data and device reboot function.”
Product: Sharp / Toshiba Tec MFP
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33610
NVD References:
– https://global.sharp/products/copier/info/info_security_2024-05.html
– https://jp.sharp/business/print/information/info_security_2024-05.html
– https://jvn.jp/en/vu/JVNVU93051062/
– https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html
– https://www.toshibatec.co.jp/information/20240531_02.html
– https://www.toshibatec.com/information/20240531_02.html

CVE-2024-35244 – Sharp / Toshiba Tec MFPs have hidden accounts, intended for maintenance engineers, that can be used to re-configure the device if their passwords are known.
Product: Sharp / Toshiba Tec MFP
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35244
NVD References:
– https://global.sharp/products/copier/info/info_security_2024-05.html
– https://jp.sharp/business/print/information/info_security_2024-05.html
– https://jvn.jp/en/vu/JVNVU93051062/
– https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html
– https://www.toshibatec.co.jp/information/20240531_02.html
– https://www.toshibatec.com/information/20240531_02.html

CVE-2024-36248 – Sharp / Toshiba Tec MFP Hard-coded credentials: “API keys for some cloud services are hardcoded in the “main” binary of [Product], posing a security risk.”
Product: Sharp / Toshiba Tec MFP
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36248
NVD References:
– https://global.sharp/products/copier/info/info_security_2024-05.html
– https://jp.sharp/business/print/information/info_security_2024-05.html
– https://jvn.jp/en/vu/JVNVU93051062/
– https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html
– https://www.toshibatec.co.jp/information/20240531_02.html
– https://www.toshibatec.com/information/20240531_02.html
– https://vuldb.com/?id.286095

CVE-2017-11076 – On certain Qualcomm hardware revisions, the decoder may access invalid memory due to an incorrect frame size when hardware-accelerated VP9 decoding is used.
Product: Qualcomm Snapdragon (May 2018 Qualcomm security bulletin)
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-11076
NVD References: https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2018-bulletin.html

CVE-2017-17772 – In multiple functions that process 802.11 frames, out-of-bounds reads can occur due to insufficient validation.
Product: Qualcomm Snapdragon WLAN (May 2018 Qualcomm security bulletin)
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-17772
NVD References: https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2018-bulletin.html

CVE-2018-11922 – A wrong configuration in the TouchPal application can collect user behavior data without the user’s awareness.
Product: TouchPal application (May 2018 Qualcomm security bulletin)
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-11922
NVD References: https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2018-bulletin.html

CVE-2024-50370 through CVE-2024-50375 – Multiple Advantech EKI-6333AC devices are vulnerable to OS command injection.
Product: Advantech EKI-6333AC devices
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50370
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50371
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50372
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50373
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50374
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50375
NVD References: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-50370
NVD References: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-50371
NVD References: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-50372
NVD References: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-50373
NVD References: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-50374
NVD References: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-50375

CVE-2024-11693 – On Windows, Firefox and Thunderbird did not show the executable file warning when downloading .library-ms files.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11693
NVD References:
– https://bugzilla.mozilla.org/show_bug.cgi?id=1921458
– https://www.mozilla.org/security/advisories/mfsa2024-63/
– https://www.mozilla.org/security/advisories/mfsa2024-64/
– https://www.mozilla.org/security/advisories/mfsa2024-67/
– https://www.mozilla.org/security/advisories/mfsa2024-68/

CVE-2024-11698 – Firefox, Thunderbird, and their respective ESR versions may become stuck in fullscreen mode when a modal dialog is opened during a fullscreen transition on macOS, disrupting the browsing experience until the application is restarted.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11698
NVD References:
– https://bugzilla.mozilla.org/show_bug.cgi?id=1916152
– https://www.mozilla.org/security/advisories/mfsa2024-63/
– https://www.mozilla.org/security/advisories/mfsa2024-64/
– https://www.mozilla.org/security/advisories/mfsa2024-67/
– https://www.mozilla.org/security/advisories/mfsa2024-68/

CVE-2024-11703 – Firefox on Android <133 may have allowed unauthorized access to saved passwords without PIN authentication.
Product: Mozilla Firefox
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11703
NVD References:
– https://bugzilla.mozilla.org/show_bug.cgi?id=1928779
– https://www.mozilla.org/security/advisories/mfsa2024-63/

CVE-2024-11704 – Firefox and Thunderbird versions below 133 are vulnerable to a double-free issue in `sec_pkcs7_decoder_start_decrypt()`, leading to potential memory corruption.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11704
NVD References:
– https://bugzilla.mozilla.org/show_bug.cgi?id=1899402
– https://www.mozilla.org/security/advisories/mfsa2024-63/
– https://www.mozilla.org/security/advisories/mfsa2024-67/

CVE-2024-11705 – Firefox and Thunderbird versions lower than 133 crash due to `NSC_DeriveKey` incorrectly assuming `phKey` is always non-NULL.
Product: Mozilla Firefox
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11705
NVD References:
– https://bugzilla.mozilla.org/show_bug.cgi?id=1921768
– https://www.mozilla.org/security/advisories/mfsa2024-63/
– https://www.mozilla.org/security/advisories/mfsa2024-67/

CVE-2024-11145 – Valor Apps Easy Folder Listing Pro, an extension for Joomla!, is vulnerable to deserialization in versions prior to 3.8 and 4.5, allowing an attacker to run arbitrary code without authentication.
Product: Valor Apps Easy Folder Listing Pro
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11145
NVD References:
– https://github.com/cisagov/CSAF/blob/develop/csaf_files/IT/white/2024/va-24-331-01.json
– https://www.valorapps.com/web-products/easy-folder-listing-pro.html

CVE-2024-49038 – Copilot Studio is vulnerable to Cross-site Scripting, allowing unauthorized attackers to gain elevated privileges over the network.
Product: Copilot Studio
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49038
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49038

CVE-2024-53676 – A directory traversal vulnerability in Hewlett Packard Enterprise Insight Remote Support may allow remote code execution.
Product: Hewlett Packard Enterprise Insight Remote Support
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53676
NVD References: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04731en_us

CVE-2024-42327 – Zabbix allows non-admin user accounts with API access to exploit an SQLi vulnerability in the CUser class.
Product: Zabbix
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42327
NVD References: https://support.zabbix.com/browse/ZBX-25623

CVE-2024-42330 – Zabbix HttpRequest object vulnerability: unencoded server response strings enable access to hidden object properties.
Product: Zabbix
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42330
NVD References: https://support.zabbix.com/browse/ZBX-25626

CVE-2024-53604 – PHPGurukul COVID 19 Testing Management System v1.0 is vulnerable to SQL Injection via the mobnumber POST parameter, potentially enabling remote code execution.
Product: PHPGurukul COVID 19 Testing Management System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53604
NVD References: https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/COVID19/SQL%20Injection%20vulnerability%20mo.pdf

CVE-2024-46054 – OpenVidReview 1.0 allows any user to upload files without authentication due to Incorrect Access Control at the /upload route.
Product: OpenVidReview 1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46054
NVD References:
– https://github.com/b1d0ws/CVEs/blob/main/CVE-2024-46054.md
– https://github.com/davidguva/OpenVidReview
– https://github.com/davidguva/OpenVidReview/blob/main/routes/upload.js

CVE-2024-53920 – GNU Emacs through 30.0.92 allows attackers to execute arbitrary code by invoking elisp-completion-at-point on untrusted Emacs Lisp source code.
Product: GNU Emacs
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53920
NVD References:
– https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
– https://git.savannah.gnu.org/cgit/emacs.git/tag/?h=emacs-30.0.92
– https://git.savannah.gnu.org/cgit/emacs.git/tree/ChangeLog.4
– https://news.ycombinator.com/item?id=42256409
– https://yhetil.org/emacs/CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg%40mail.gmail.com/

CVE-2024-52338 – The Apache Arrow R package versions 4.0.0 through 16.1.0 are vulnerable to arbitrary code execution through the deserialization of untrusted data in IPC and Parquet readers.
Product: Apache Software Foundation Apache Arrow R package
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52338
NVD References:
– https://github.com/apache/arrow/commit/801de2fbcf5bcbce0c019ed4b35ff3fc863b141b
– https://lists.apache.org/thread/0rcbvj1gdp15lvm23zm601tjpq0k25vt
– http://www.openwall.com/lists/oss-security/2024/11/28/3

CVE-2024-11979 – DreamMaker from Interinfo is vulnerable to Path Traversal and unrestricted file uploads, enabling remote attackers to execute arbitrary code.
Product: Interinfo DreamMaker
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11979
NVD References:
– https://www.twcert.org.tw/en/cp-139-8272-13a13-2.html
– https://www.twcert.org.tw/tw/cp-132-8271-29871-1.html

CVE-2024-11482 – Trellix Enterprise Security Manager (ESM) 11.6.10 allows unauthenticated access to its internal Snowservice API, leading to remote code execution as the root user.
Product: Trellix ESM 11.6.10
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11482
NVD References: https://thrive.trellix.com/s/article/000014058#h2_0

CVE-2024-11992 – Quick.CMS version 6.7 suffers from an absolute path traversal vulnerability, allowing remote users to download or delete files outside of the server’s document root via the admin.php page.
Product: Quick.cms version 6.7
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11992
NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/path-traversal-vulnerability-quickcms

CVE-2024-52777 through CVE-2024-52782 – DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/system/basic/license_update.php.
Product: DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52777
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52778
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52779
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52780
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52781
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52782
NVD References: https://ba1100n.tech/%E6%BC%8F%E6%B4%9E%E6%8A%A5%E5%91%8A/dcme-all-series-rcessix-one/

CVE-2024-49360 – Sandboxie allows an authenticated user with no privileges to read all files created in sandbox belonging to other users, posing a risk of unauthorized access to sensitive information.
Product: Sandboxie
CVSS Score: 9.2
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49360
NVD References: https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-4chj-3c28-gvmp

CVE-2024-35366 – FFmpeg n6.1.1 is vulnerable to an Integer Overflow in the parse_options function of sbgdec.c within the libavformat module, allowing negative duration values to be accepted without proper validation.
Product: FFmpeg library
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35366
NVD References:
– https://gist.github.com/1047524396/1e72f170d58c2547ebd4db4cdf6cfabf
– https://github.com/FFmpeg/FFmpeg/blob/n6.1.1/libavformat/sbgdec.c#L389
– https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6

CVE-2024-35367 – FFmpeg n6.1.1 has an out-of-bounds read in libavcodec/ppc/vp8dsp_altivec.c involving the static array h_subpel_filters_outer.
Product: FFmpeg library
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35367
NVD References:
– https://gist.github.com/1047524396/9754a44845578358f6a403447c458ca4
– https://github.com/FFmpeg/FFmpeg/blob/n6.1.1/libavcodec/ppc/vp8dsp_altivec.c#L53
– https://github.com/ffmpeg/ffmpeg/commit/09e6840cf7a3ee07a73c3ae88a020bf27ca1a667

CVE-2024-35368 – FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c.
Product: FFmpeg library
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35368
NVD References:
– https://gist.github.com/1047524396/7e6e47220ae2b2d2fb4611f0d8a31ec5
– https://github.com/FFmpeg/FFmpeg/blob/n7.0/libavcodec/rkmppdec.c#L466
– https://github.com/ffmpeg/ffmpeg/commit/4513300989502090c4fd6560544dce399a8cd53c

CVE-2024-36610 – Symfony v7.0.3’s VarDumper module is vulnerable to deserialization attacks through the Stub class due to handling issues with null or uninitialized properties, allowing attackers to execute unauthorized code.
Product: Symfony VarDumper
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36610
NVD References:
– https://gist.github.com/1047524396/24e93f2905850235e42ad7db6e878bd5
– https://github.com/symfony/symfony/blob/v7.0.3/src/Symfony/Component/VarDumper/Cloner/Stub.php#L53
– https://github.com/symfony/symfony/commit/3ffd495bb3cc4d2e24e35b2d83c5b909cab7e259

CVE-2024-53504 through CVE-2024-53507 – SQL injection vulnerabilities have been identified in Siyuan 3.1.11.
Product: Siyuan 3.1.11
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53504
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53505
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53506
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53507
NVD References: https://github.com/siyuan-note/siyuan/issues/13058
NVD References: https://github.com/siyuan-note/siyuan/issues/13059
NVD References: https://github.com/siyuan-note/siyuan/issues/13060
NVD References: https://github.com/siyuan-note/siyuan/issues/13057
NVD References: https://github.com/siyuan-note/siyuan/issues/13077

CVE-2024-10905 – IdentityIQ is vulnerable to HTTP access to static content in its application directory that should be protected in versions 8.4 and prior.
Product: SailPoint IdentityIQ
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10905
NVD References: https://www.sailpoint.com/security-advisories/

CVE-2024-46909 – WhatsUp Gold versions released before 2024.0.1 allow remote unauthenticated attackers to execute code using the service account.
Product: WhatsUp Gold
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46909
NVD References:
– https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024
– https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html
– https://www.progress.com/network-monitoring

CVE-2024-8785 – WhatsUp Gold versions released before 2024.0.1 allow a remote unauthenticated attacker to manipulate registry values via NmAPI.exe.
Product: WhatsUp Gold
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8785
NVD References:
– https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024
– https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html
– https://www.progress.com/network-monitoring

CVE-2024-10542 – The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation allowing for potential remote code execution.
Product: CleanTalk Spam protection, Anti-Spam, FireWall
Active Installations: 200,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10542
NVD References:
– https://plugins.trac.wordpress.org/browser/cleantalk-spam-protect/tags/6.43.2/lib/Cleantalk/ApbctWP/RemoteCalls.php#L41
– https://plugins.trac.wordpress.org/changeset/3179819/cleantalk-spam-protect#file631
– https://www.wordfence.com/threat-intel/vulnerabilities/id/d7eb5fad-bb62-4f0b-ad52-b16c3e442b62?source=cve

CVE-2024-11024 – The AppPresser Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover due to improper validation of password reset codes.
Product: AppPresser Mobile App Framework plugin for WordPress
Active Installations: 1,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11024
NVD References:
– https://plugins.trac.wordpress.org/changeset/3192531/apppresser
– https://www.wordfence.com/threat-intel/vulnerabilities/id/43cb0399-4add-43d5-863c-30e11803bd90?source=cve

CVE-2024-11925 – The JobSearch WP Job Board plugin for WordPress allows unauthenticated attackers to gain admin privileges by exploiting a user_account_activation function flaw.
Product: JobSearch WP Job Board plugin
Active Installations: 6,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11925
NVD References:
– https://codecanyon.net/item/jobsearch-wp-job-board-wordpress-plugin/21066856
– https://www.wordfence.com/threat-intel/vulnerabilities/id/04bc8101-2676-4695-a498-f79be8221617?source=cve

CVE-2024-11082 – The Tumult Hype Animations plugin for WordPress is vulnerable to arbitrary file uploads, allowing authenticated attackers with Author-level access and above to upload malicious files and potentially execute remote code.
Product: Tumult Hype Animations
Active Installations: 1,000+
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11082
NVD References:
– https://github.com/tumult/hype-wordpress-plugin/commit/1702d3d4fd0fae9cb9fc40cdfc3dfb8584d5f04c
– https://plugins.trac.wordpress.org/browser/tumult-hype-animations/trunk/includes/adminpanel.php#L277
– https://plugins.trac.wordpress.org/changeset/3197761/
– https://wordpress.org/plugins/tumult-hype-animations/#developers
– https://www.wordfence.com/threat-intel/vulnerabilities/id/be3a0b4b-cce5-4d78-99d5-697f2cf04427?source=cve

CVE-2024-11103 – The Contest Gallery plugin for WordPress allows for privilege escalation through account takeover in versions up to 24.0.7, enabling unauthenticated attackers to change passwords and gain access to any user account.
Product: Contest Gallery plugin for WordPress
Active Installations: 1,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11103
NVD References:
– https://plugins.trac.wordpress.org/browser/contest-gallery/trunk/v10/v10-admin/users/frontend/login/ajax/users-login-check-ajax-lost-password.php#L31
– https://plugins.trac.wordpress.org/browser/contest-gallery/trunk/v10/v10-admin/users/frontend/login/ajax/users-login-check-ajax-password-reset.php#L88
– https://plugins.trac.wordpress.org/changeset/3196011/contest-gallery/tags/24.0.8/v10/v10-admin/users/frontend/login/ajax/users-login-check-ajax-lost-password.php?old=3190068&old_path=contest-gallery%2Ftags%2F24.0.7%2Fv10%2Fv10-admin%2Fusers%2Ffrontend%2Flogin%2Fajax%2Fusers-login-check-ajax-lost-password.php
– https://www.wordfence.com/threat-intel/vulnerabilities/id/0df7f413-2631-46d9-8c0b-d66f05a02c01?source=cve
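Three entries in this issue are password-reset takeovers: AppPresser (CVE-2024-11024, improper validation of reset codes), Contest Gallery (CVE-2024-11103, unauthenticated password change) and Adapt Authoring Tool (CVE-2024-50672, NoSQL injection into the reset flow). The following is an added example written for this newsletter, not code from any of those projects and not their fixes. `weak_verify` is the generic pattern these bugs share, a loose equality check that accepts an empty code for an account with no pending reset; `ResetStore` is a hardened flow with random single-use, expiring, user-bound codes, hash-at-rest storage, a type check that blocks operator objects such as `{"$ne": ""}`, and a constant-time comparison. The injectable clock and `FakeClock` exist only so expiry can be demonstrated without waiting.

```python
"""Password-reset code handling: the weak pattern beside a hardened one (added example)."""
import hashlib
import hmac
import secrets
import time


def weak_verify(stored_code, submitted_code):
    """The bug pattern: a loose equality check. An account with no pending reset stores an
    empty code, so an attacker who submits an empty code 'matches' and may set a new password."""
    return stored_code == submitted_code


class FakeClock:
    """Constructed clock for the demo and tests; production code passes time.time."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class ResetStore:
    """Issues and consumes reset codes; only hashes of codes are kept server-side."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}          # user_id -> (sha256(code), expires_at)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user_id, ttl_seconds=900):
        """Create a fresh random code for `user_id`, replacing any earlier one."""
        code = secrets.token_urlsafe(32)
        self._pending[user_id] = (self._digest(code), self._clock() + ttl_seconds)
        return code

    def consume(self, user_id, submitted):
        """Return True exactly once for a valid, unexpired code bound to `user_id`.

        Rejects non-string input (operator objects never reach a query), empty codes,
        users with no pending reset, expired codes and replays. The comparison is
        constant time over the hashes.
        """
        if not isinstance(submitted, str) or not submitted:
            return False
        record = self._pending.get(user_id)
        if record is None:
            return False
        expected, expires_at = record
        if self._clock() > expires_at:
            del self._pending[user_id]
            return False
        if not hmac.compare_digest(expected, self._digest(submitted)):
            return False
        del self._pending[user_id]       # single use
        return True


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    store = ResetStore(clock)
    code = store.issue("alice")
    print("weak check, no pending reset:", weak_verify("", ""))
    print("first use:", store.consume("alice", code), "replay:", store.consume("alice", code))
```

Binding the code to the user on the server side matters as much as the randomness: a valid code issued for one account must not reset another, which is why `consume` looks the record up by `user_id` and never by the submitted code alone.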

CVE-2024-8672 – The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders, allowing authenticated attackers with contributor-level access and above to execute code on the server.
Product: The Widget Options Widget & Block Control Plugin
Active Installations: 100,000+
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8672
NVD References:
– https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/pagebuilders/beaver/beaver.php#L825
– https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/pagebuilders/elementor/render.php#L379
– https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/widgets/gutenberg/gutenberg-toolbar.php#L718
– https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3192921%40widget-options&new=3192921%40widget-options&sfp_email=&sfph_mail=
– https://www.wordfence.com/threat-intel/vulnerabilities/id/8d03af4d-a1f9-4c15-a62e-f4cdbcfc9af7?source=cve

CVE-2024-52475 – Wawp 3.0.18 and earlier versions are vulnerable to an Authentication Bypass using an Alternate Path or Channel.
Product: Automation Web Platform Wawp
Active Installations: 500+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52475
NVD References: https://patchstack.com/database/wordpress/plugin/automation-web-platform/vulnerability/wordpress-wawp-plugin-3-0-18-account-takeover-vulnerability?_s_id=cve

CVE-2024-52490 – Pathomation allows for the unrestricted upload of files with dangerous types, leading to the potential upload of a web shell onto a web server.
Product: Pathomation
Active Installations: 2,000+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52490
NVD References: https://patchstack.com/database/wordpress/plugin/pathomation/vulnerability/wordpress-pathomation-plugin-2-5-1-arbitrary-file-upload-vulnerability?_s_id=cve
