In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between January 25-26, 2024.
During this period, The National Vulnerability Database published 56, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 2
High: 12
Medium: 19
Low: 2
Severity Not Assigned: 21
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-23855
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via/cupseasylive/taxcodemodify.php, in multiple parameters. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-22432
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.1
Impact Score: 6.0
Description:
Networker 19.9 and all prior versions contains a Plain-text Password stored in temporary config file during backup duration in NMDA MySQL Database backups. User has low privilege access to Networker Client system could potentially exploit this vulnerability, leading to the disclosure of configured MySQL Database user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application Database with privileges of the compromised account.
References: https://www.dell.com/support/kbdoc/en-us/000221474/dsa-2024-059-security-update-for-dell-networker-multiple-components-vulnerabilities
CWE-ID: CWE-256
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-3181
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: The C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe process creates a folder at C:\Windows\Temp~nsu.tmp and copies itself to it as Au_.exe. The C:\Windows\Temp~nsu.tmp\Au_.exe file is automatically launched as SYSTEM when the system reboots or when a standard user runs an MSI repair using Splashtop Streamer’s Windows Installer. Since the C:\Windows\Temp~nsu.tmp folder inherits permissions from C:\Windows\Temp and Au_.exe is susceptible to DLL hijacking, standard users can write a malicious DLL to it and elevate their privileges.
References: https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0015.md
CWE-ID: CWE-379
Common Platform Enumerations (CPE): Not Found
4. CVE-2023-40547
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 6.0
Description: A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.
References: https://access.redhat.com/security/cve/CVE-2023-40547
https://bugzilla.redhat.com/show_bug.cgi?id=2234589
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
5. CVE-2023-52076
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 6.0
Description: Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.
References: https://github.com/mate-desktop/atril/commit/e70b21c815418a1e6ebedf6d8d31b8477c03ba50
https://github.com/mate-desktop/atril/releases/tag/v1.26.2
https://github.com/mate-desktop/atril/security/advisories/GHSA-6mf6-mxpc-jc37
CWE-ID: CWE-22 CWE-24 CWE-25 CWE-27
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-0822
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: An authentication bypass vulnerability was found in overt-engine. This flaw allows the creation of users in the system without authentication due to a flaw in the CreateUserSession command.
References: https://access.redhat.com/security/cve/CVE-2024-0822
https://bugzilla.redhat.com/show_bug.cgi?id=2258509
CWE-ID: CWE-1390
Common Platform Enumerations (CPE): Not Found
7. CVE-2023-6267
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.7
Description: A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.
References: https://access.redhat.com/security/cve/CVE-2023-6267
https://bugzilla.redhat.com/show_bug.cgi?id=2251155
CWE-ID: CWE-280
Common Platform Enumerations (CPE): Not Found
8. CVE-2023-7227
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description:
SystemK NVR 504/508/516 versions 2.3.5SK.30084998 and prior are vulnerable to a command injection vulnerability in the dynamic domain name system (DDNS) settings that could allow an attacker to execute arbitrary commands with root privileges.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-02
CWE-ID: CWE-77
Common Platform Enumerations (CPE): Not Found
9. CVE-2023-52355
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.
References: https://access.redhat.com/security/cve/CVE-2023-52355
https://bugzilla.redhat.com/show_bug.cgi?id=2251326
https://gitlab.com/libtiff/libtiff/-/issues/621
CWE-ID: CWE-400
Common Platform Enumerations (CPE): Not Found
10. CVE-2023-52356
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.
References: https://access.redhat.com/security/cve/CVE-2023-52356
https://bugzilla.redhat.com/show_bug.cgi?id=2251344
https://gitlab.com/libtiff/libtiff/-/issues/622
https://gitlab.com/libtiff/libtiff/-/merge_requests/546
CWE-ID: CWE-122
Common Platform Enumerations (CPE): Not Found
11. CVE-2024-23655
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Tuta is an encrypted email service. Starting in version 3.118.12 and prior to version 3.119.10, an attacker is able to send a manipulated email so that the user can no longer use the app to get access to received emails. By sending a manipulated email, an attacker could put the app into an unusable state. In this case, a user can no longer access received e-mails. Since the vulnerability affects not only the app, but also the web application, a user in this case has no way to access received emails. This issue was tested with iOS and the web app, but it is possible all clients are affected. Version 3.119.10 fixes this issue.
References: https://github.com/tutao/tutanota/releases/tag/tutanota-release-3.119.10
https://github.com/tutao/tutanota/security/advisories/GHSA-5h47-g927-629g
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
12. CVE-2024-23656
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
References: https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425
https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17
https://github.com/dexidp/dex/issues/2848
https://github.com/dexidp/dex/pull/2964
https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r
CWE-ID: CWE-326 CWE-757
Common Platform Enumerations (CPE): Not Found
13. CVE-2024-23817
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML code. This behavior can be exploited to perform various attacks like Cross-Site Scripting (XSS). To remediate the issue, validate and sanitize all user-supplied input, especially within HTML attributes, to prevent HTML injection attacks; and implement proper output encoding when rendering user-provided data to ensure it is treated as plain text rather than executable HTML.
References: https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-7947-48q7-cp5m
CWE-ID: CWE-79 CWE-80
Common Platform Enumerations (CPE): Not Found
14. CVE-2024-21620
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an attacker to construct a URL that when visited by another user enables the attacker to execute commands with the target's permissions, including an administrator.
A specific invocation of the emit_debug_note method in webauth_operation.php will echo back the data it receives.
This issue affects Juniper Networks Junos OS on SRX Series and EX Series:
* All versions earlier than 20.4R3-S10;
* 21.2 versions earlier than 21.2R3-S8;
* 21.4 versions earlier than 21.4R3-S6;
* 22.1 versions earlier than 22.1R3-S5;
* 22.2 versions earlier than 22.2R3-S3;
* 22.3 versions earlier than 22.3R3-S2;
* 22.4 versions earlier than 22.4R3-S1;
* 23.2 versions earlier than 23.2R2;
* 23.4 versions earlier than 23.4R2.
References: https://supportportal.juniper.net/JSA76390
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between January 25-26, 2024.
During this period, The National Vulnerability Database published 56, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 2
High: 12
Medium: 19
Low: 2
Severity Not Assigned: 21
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-23855
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via/cupseasylive/taxcodemodify.php, in multiple parameters. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-22432
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.1
Impact Score: 6.0
Description:
Networker 19.9 and all prior versions contains a Plain-text Password stored in temporary config file during backup duration in NMDA MySQL Database backups. User has low privilege access to Networker Client system could potentially exploit this vulnerability, leading to the disclosure of configured MySQL Database user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application Database with privileges of the compromised account.
References: https://www.dell.com/support/kbdoc/en-us/000221474/dsa-2024-059-security-update-for-dell-networker-multiple-components-vulnerabilities
CWE-ID: CWE-256
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-3181
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: The C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe process creates a folder at C:\Windows\Temp~nsu.tmp and copies itself to it as Au_.exe. The C:\Windows\Temp~nsu.tmp\Au_.exe file is automatically launched as SYSTEM when the system reboots or when a standard user runs an MSI repair using Splashtop Streamer’s Windows Installer. Since the C:\Windows\Temp~nsu.tmp folder inherits permissions from C:\Windows\Temp and Au_.exe is susceptible to DLL hijacking, standard users can write a malicious DLL to it and elevate their privileges.
References: https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0015.md
CWE-ID: CWE-379
Common Platform Enumerations (CPE): Not Found
4. CVE-2023-40547
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 6.0
Description: A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.
References: https://access.redhat.com/security/cve/CVE-2023-40547
https://bugzilla.redhat.com/show_bug.cgi?id=2234589
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
5. CVE-2023-52076
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 6.0
Description: Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.
References: https://github.com/mate-desktop/atril/commit/e70b21c815418a1e6ebedf6d8d31b8477c03ba50
https://github.com/mate-desktop/atril/releases/tag/v1.26.2
https://github.com/mate-desktop/atril/security/advisories/GHSA-6mf6-mxpc-jc37
CWE-ID: CWE-22 CWE-24 CWE-25 CWE-27
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-0822
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: An authentication bypass vulnerability was found in overt-engine. This flaw allows the creation of users in the system without authentication due to a flaw in the CreateUserSession command.
References: https://access.redhat.com/security/cve/CVE-2024-0822
https://bugzilla.redhat.com/show_bug.cgi?id=2258509
CWE-ID: CWE-1390
Common Platform Enumerations (CPE): Not Found
7. CVE-2023-6267
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.7
Description: A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.
References: https://access.redhat.com/security/cve/CVE-2023-6267
https://bugzilla.redhat.com/show_bug.cgi?id=2251155
CWE-ID: CWE-280
Common Platform Enumerations (CPE): Not Found
8. CVE-2023-7227
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description:
SystemK NVR 504/508/516 versions 2.3.5SK.30084998 and prior are vulnerable to a command injection vulnerability in the dynamic domain name system (DDNS) settings that could allow an attacker to execute arbitrary commands with root privileges.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-02
CWE-ID: CWE-77
Common Platform Enumerations (CPE): Not Found
9. CVE-2023-52355
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.
References: https://access.redhat.com/security/cve/CVE-2023-52355
https://bugzilla.redhat.com/show_bug.cgi?id=2251326
https://gitlab.com/libtiff/libtiff/-/issues/621
CWE-ID: CWE-400
Common Platform Enumerations (CPE): Not Found
10. CVE-2023-52356
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.
References: https://access.redhat.com/security/cve/CVE-2023-52356
https://bugzilla.redhat.com/show_bug.cgi?id=2251344
https://gitlab.com/libtiff/libtiff/-/issues/622
https://gitlab.com/libtiff/libtiff/-/merge_requests/546
CWE-ID: CWE-122
Common Platform Enumerations (CPE): Not Found
11. CVE-2024-23655
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Tuta is an encrypted email service. Starting in version 3.118.12 and prior to version 3.119.10, an attacker is able to send a manipulated email so that the user can no longer use the app to get access to received emails. By sending a manipulated email, an attacker could put the app into an unusable state. In this case, a user can no longer access received e-mails. Since the vulnerability affects not only the app, but also the web application, a user in this case has no way to access received emails. This issue was tested with iOS and the web app, but it is possible all clients are affected. Version 3.119.10 fixes this issue.
References: https://github.com/tutao/tutanota/releases/tag/tutanota-release-3.119.10
https://github.com/tutao/tutanota/security/advisories/GHSA-5h47-g927-629g
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
12. CVE-2024-23656
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
References: https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425
https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17
https://github.com/dexidp/dex/issues/2848
https://github.com/dexidp/dex/pull/2964
https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r
CWE-ID: CWE-326 CWE-757
Common Platform Enumerations (CPE): Not Found
13. CVE-2024-23817
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML code. This behavior can be exploited to perform various attacks like Cross-Site Scripting (XSS). To remediate the issue, validate and sanitize all user-supplied input, especially within HTML attributes, to prevent HTML injection attacks; and implement proper output encoding when rendering user-provided data to ensure it is treated as plain text rather than executable HTML.
References: https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-7947-48q7-cp5m
CWE-ID: CWE-79 CWE-80
Common Platform Enumerations (CPE): Not Found
14. CVE-2024-21620
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an attacker to construct a URL that when visited by another user enables the attacker to execute commands with the target's permissions, including an administrator.
A specific invocation of the emit_debug_note method in webauth_operation.php will echo back the data it receives.
This issue affects Juniper Networks Junos OS on SRX Series and EX Series:
* All versions earlier than 20.4R3-S10;
* 21.2 versions earlier than 21.2R3-S8;
* 21.4 versions earlier than 21.4R3-S6;
* 22.1 versions earlier than 22.1R3-S5;
* 22.2 versions earlier than 22.2R3-S3;
* 22.3 versions earlier than 22.3R3-S2;
* 22.4 versions earlier than 22.4R3-S1;
* 23.2 versions earlier than 23.2R2;
* 23.4 versions earlier than 23.4R2.
References: https://supportportal.juniper.net/JSA76390
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found