In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between February 16-17, 2024.
During this period, The National Vulnerability Database published 54, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 1
High: 4
Medium: 7
Low: 4
Severity Not Assigned: 38
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-6451
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: Publicly known cryptographic machine key in AlayaCare's Procura Portal before 9.0.1.2 allows attackers to forge their own authentication cookies and bypass the application's authentication mechanisms.
References: https://www.themissinglink.com.au/security-advisories/cve-2023-6451
CWE-ID: CWE-1394
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-22426
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description:
Dell RecoverPoint for Virtual Machines 5.3.x contains an OS Command injection vulnerability. An unauthenticated remote
attacker could potentially exploit this vulnerability, leading to execute arbitrary operating system commands, which will get executed in the context of the root user, resulting in a complete system compromise.
References: https://www.dell.com/support/kbdoc/en-us/000222133/dsa-2024-092-security-update-for-dell-recoverpoint-for-virtual-machines-multiple-vulnerabilities
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-21775
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.5
Description: Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to the Authenticated SQL injection in report exporting feature.
References: https://www.manageengine.com/products/exchange-reports/advisory/CVE-2024-21775.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-21915
Base Score: 9.0
Base Severity: CRITICAL
Exploitability Score: 2.2
Impact Score: 6.0
Description:
A privilege escalation vulnerability exists in Rockwell Automation FactoryTalk® Service Platform (FTSP). If exploited, a malicious user with basic user group privileges could potentially sign into the software and receive FTSP Administrator Group privileges. A threat actor could potentially read and modify sensitive data, delete data and render the FTSP system unavailable.
References: https://www.rockwellautomation.com/en-us/support/advisory.SD1662.html
CWE-ID: CWE-732
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-25628
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.7
Description: Alf.io is a free and open source event attendance management system. In versions prior to 2.0-M4-2402 users can access the admin area even after being invalidated/deleted. This issue has been addressed in version 2.0-M4-2402. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/alfio-event/alf.io/security/advisories/GHSA-8p6m-mm22-q893
CWE-ID: CWE-613
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between February 16-17, 2024.
During this period, The National Vulnerability Database published 54, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 1
High: 4
Medium: 7
Low: 4
Severity Not Assigned: 38
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-6451
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: Publicly known cryptographic machine key in AlayaCare's Procura Portal before 9.0.1.2 allows attackers to forge their own authentication cookies and bypass the application's authentication mechanisms.
References: https://www.themissinglink.com.au/security-advisories/cve-2023-6451
CWE-ID: CWE-1394
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-22426
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description:
Dell RecoverPoint for Virtual Machines 5.3.x contains an OS Command injection vulnerability. An unauthenticated remote
attacker could potentially exploit this vulnerability, leading to execute arbitrary operating system commands, which will get executed in the context of the root user, resulting in a complete system compromise.
References: https://www.dell.com/support/kbdoc/en-us/000222133/dsa-2024-092-security-update-for-dell-recoverpoint-for-virtual-machines-multiple-vulnerabilities
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-21775
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.5
Description: Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to the Authenticated SQL injection in report exporting feature.
References: https://www.manageengine.com/products/exchange-reports/advisory/CVE-2024-21775.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-21915
Base Score: 9.0
Base Severity: CRITICAL
Exploitability Score: 2.2
Impact Score: 6.0
Description:
A privilege escalation vulnerability exists in Rockwell Automation FactoryTalk® Service Platform (FTSP). If exploited, a malicious user with basic user group privileges could potentially sign into the software and receive FTSP Administrator Group privileges. A threat actor could potentially read and modify sensitive data, delete data and render the FTSP system unavailable.
References: https://www.rockwellautomation.com/en-us/support/advisory.SD1662.html
CWE-ID: CWE-732
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-25628
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.7
Description: Alf.io is a free and open source event attendance management system. In versions prior to 2.0-M4-2402 users can access the admin area even after being invalidated/deleted. This issue has been addressed in version 2.0-M4-2402. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/alfio-event/alf.io/security/advisories/GHSA-8p6m-mm22-q893
CWE-ID: CWE-613
Common Platform Enumerations (CPE): Not Found