CVE-2024-1553 and CVE-2024-1557 are memory safety bugs that are rated as high severity. “Some of these bugs show evidence of memory corruption, and we speculate that with enough effort, some of these could be exploited to execute arbitrary code. ” said Mozilla researchers.
zoom
Video conferencing giant Zoom has released fixes for seven flaws in its software, one of which had a CVSS score of 9.6. CVE-2024-24691 is an improper input validation bug in the Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows. Zoom said in a security bulletin that this issue could be exploited by an unauthenticated attacker to gain elevated privileges via network access.
Another notable flaw is CVE-2024-24697. This is an untrusted search path issue in some Zoom 32-bit Windows clients that could allow an authenticated user with local access to escalate privileges.
Ivanti
Ivanti warned in January that attackers were targeting two unpatched vulnerabilities in its Connect Secure and Policy Secure products, tracked as CVE-2023-46805 and CVE-2024-21887 . With a CVSS score of 8.2, an initial authentication bypass vulnerability exists in the web components of Ivanti Connect Secure and Ivanti Policy Secure that allows remote attackers to bypass control checks and gain access to restricted resources. .
A second command injection vulnerability in the Ivanti Connect Secure and Ivanti Policy Secure web components with a CVSS score of 9.1 could allow an authenticated administrator to send a specially crafted request and execute arbitrary commands on the appliance. It will be possible to execute. This vulnerability can be exploited via the Internet.
Later that month, the company warned businesses that two more critical flaws existed, one of which was being exploited in an attack. The exploited issue is a server-side request forgery bug in the SAML component, tracked as CVE-2024-21893. CVE-2024-21888, on the other hand, is a privilege escalation vulnerability.
A patch was available by February 1st, but the issue was deemed so severe that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) required all Ivanti products to be removed by February 2nd. It was recommended that it be amputated.
On February 8, Ivanti released a patch for another issue tracked as CVE-2024-22024. This triggered another of his CISA warnings.
fortinet
Fortinet has issued a patch for a critical issue with a CVSS score of 9.6 and says it is already being used in attacks. This code execution flaw, tracked as CVE-2024-21762, affects FortiOS versions 6.0, 6.2, 6.4, 7.0, 7.2, and 7.4. According to Fortinet, this out-of-bounds write vulnerability can be exploited to execute arbitrary code using a specially crafted HTTP request.
This comes days after the company released patches for two issues in its FortiSIEM product, CVE-2024-23108 and CVE-2024-23109, which were rated critical with a CVSS score of 9.7. A flaw in FortiSIEM Supervisor could allow an unauthenticated, remote attacker to execute unauthorized commands via a crafted API request, Fortinet said in an advisory.
Cisco
Cisco has listed multiple vulnerabilities in the Expressway series that could allow an unauthenticated, remote attacker to perform cross-site request forgery attacks.
Two vulnerabilities in the API of Cisco Expressway Series devices, tracked as CVE-2024-20252 and CVE-2024-20254, have been given a CVSS score of 9.6. “An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link,” he said. “A successful exploit could allow the attacker to perform arbitrary actions at the privileged level of the affected user.”
SAP
Enterprise software company SAP has released 13 security updates as part of SAP Security Patch Day. CVE-2024-22131 is a code injection vulnerability in SAP ABA with a CVSS score of 9.1.
CVE-2024-22126 is a cross-site scripting vulnerability in NetWeaver AS Java that is listed as high impact with a CVSS score of 8.8. “Incoming URL parameters are poorly validated and improperly encoded before being included in the redirect URL,” security firm Onapsis said. “This creates a cross-site scripting vulnerability that has significant confidentiality impacts, but may have minor integrity and availability impacts.”
