[ad_1]
CVE-2024-1553 and CVE-2024-1557 are memory-safety bugs rated as having a excessive severity. “A few of these bugs confirmed proof of reminiscence corruption and we presume that with sufficient effort a few of these might have been exploited to run arbitrary code,” Mozilla researchers stated.
Zoom
Video conferencing big Zoom has issued fixes for seven flaws in its software program, considered one of which has a CVSS rating of 9.6. CVE-2024-24691 is an improper-input-validation bug in Zoom Desktop Shopper for Home windows, Zoom VDI Shopper for Home windows, and Zoom Assembly SDK for Home windows. If exploited, the difficulty might permit an unauthenticated attacker to escalate their privileges by way of community entry, Zoom stated in a safety bulletin.
One other notable flaw is CVE-2024-24697, an untrusted-search-path problem in some Zoom 32 bit Home windows shoppers that might permit an authenticated person with native entry to escalate their privileges.
Ivanti
In January, Ivanti warned that attackers have been focusing on two unpatched vulnerabilities in its Join Safe and Coverage Safe merchandise, tracked as CVE-2023-46805 and CVE-2024-21887. With a CVSS rating of 8.2 the primary authentication-bypass vulnerability within the internet element of Ivanti Join Safe and Ivanti Coverage Safe permits a distant attacker to entry restricted assets by bypassing management checks.
With a CVSS rating of 9.1, the second command injection vulnerability in internet parts of Ivanti Join Safe and Ivanti Coverage Safe permits an authenticated administrator to ship specifically crafted requests and execute arbitrary instructions on the equipment. This vulnerability might be exploited over the web.
On the finish of the month, the agency alerted corporations to a different two severe flaws, considered one of which was being exploited in assaults. The exploited problem is a server-side request forgery bug within the SAML element tracked as CVE-2024-21893. In the meantime, CVE-2024-21888 is a privilege-escalation vulnerability.
Patches have been obtainable by February 1, however the points have been deemed so severe that the US Cybersecurity and Infrastructure Safety Company (CISA) suggested disconnecting all Ivanti merchandise by February 2.
On February 8, Ivanti launched a patch for one more problem tracked as CVE-2024-22024, which prompted one other CISA warning.
Fortinet
Fortinet has issued a patch for a essential problem with a CVSS rating of 9.6, which it says is already being utilized in assaults. Tracked as CVE-2024-21762, the code-execution flaw impacts FortiOS variations 6.0, 6.2, 6.4, 7.0, 7.2 and seven.4. The out-of-bounds write vulnerability can be utilized for arbitrary code execution utilizing specifically crafted HTTP requests, Fortinet stated.
It got here simply days after the agency launched a patch for 2 points in its FortiSIEM merchandise, CVE-2024-23108 and CVE-2024-23109, rated as essential with a CVSS rating of 9.7. The flaw in FortiSIEM Supervisor might permit a distant unauthenticated attacker to execute unauthorized instructions by way of crafted API requests, Fortinet stated in an advisory.
Cisco
Cisco has listed a number of vulnerabilities in its Expressway Sequence that might permit an unauthenticated, distant attacker to conduct cross-site request forgery assaults.
Tracked as CVE-2024-20252 and CVE-2024-20254, two vulnerabilities within the API of Cisco Expressway Sequence gadgets have been given a CVSS rating of 9.6. “An attacker might exploit these vulnerabilities by persuading a person of the API to observe a crafted hyperlink,” Cisco stated. “A profitable exploit might permit the attacker to carry out arbitrary actions with the privilege degree of the affected person.”
SAP
Enterprise software program agency SAP has launched 13 safety updates as a part of its SAP Safety Patch Day. CVE-2024-22131 is a code-injection vulnerability in SAP ABA with a CVSS rating of 9.1.
CVE-2024-22126 is a cross-site scripting vulnerability in NetWeaver AS Java listed as having a excessive affect, with a CVSS rating of 8.8. “Incoming URL parameters are insufficiently validated and improperly encoded earlier than together with them into redirect URLs,” safety agency Onapsis stated. “This can lead to a cross-site scripting vulnerability, resulting in a excessive affect on confidentiality and delicate affect on integrity and availability.”
[ad_2]
Source link
