In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between February 17-18, 2024.
During this period, The National Vulnerability Database published 67, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 2
High: 8
Medium: 46
Low: 5
Severity Not Assigned: 6
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-20909
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Supported versions that are affected are 20.1-20.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Audit Vault and Database Firewall. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Audit Vault and Database Firewall accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
References: https://www.oracle.com/security-alerts/cpujan2024.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-20917
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.3
Description: Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Log Management). The supported version that is affected is 13.5.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Oracle Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L).
References: https://www.oracle.com/security-alerts/cpujan2024.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-20927
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 8.6 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N).
References: https://www.oracle.com/security-alerts/cpujan2024.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-20931
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
References: https://www.oracle.com/security-alerts/cpujan2024.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-20953
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: Export). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
References: https://www.oracle.com/security-alerts/cpujan2024.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-20956
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Installation). Supported versions that are affected are Prior to 6.2.4.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Agile Product Lifecycle Management for Process accessible data as well as unauthorized read access to a subset of Oracle Agile Product Lifecycle Management for Process accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Agile Product Lifecycle Management for Process. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
References: https://www.oracle.com/security-alerts/cpujan2024.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-0610
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'MerchantReference' parameter in all versions up to, and including, 1.6.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3035641%40woo-payment-gateway-for-piraeus-bank&new=3035641%40woo-payment-gateway-for-piraeus-bank&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/f17c4748-2a95-495c-ad3b-86b272855791?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-1512
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to union based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST route in all versions up to, and including, 3.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/changeset/3036794/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/models/StmStatistics.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/d6b6d824-51d3-4da9-a39a-b957368df4dc?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
9. CVE-2022-41737
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 4.0
Description: IBM Storage Scale Container Native Storage Access 5.1.2.1 through 5.1.7.0 could allow a local attacker to initiate connections from a container outside the current namespace. IBM X-Force ID: 237811.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/237811
https://www.ibm.com/support/pages/node/7095312
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
10. CVE-2022-41738
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: IBM Storage Scale Container Native Storage Access 5.1.2.1 -through 5.1.7.0 could allow an attacker to initiate connections to containers from external networks. IBM X-Force ID: 237812.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/237812
https://www.ibm.com/support/pages/node/7095312
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between February 17-18, 2024.
During this period, The National Vulnerability Database published 67, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 2
High: 8
Medium: 46
Low: 5
Severity Not Assigned: 6
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-20909
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Supported versions that are affected are 20.1-20.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Audit Vault and Database Firewall. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Audit Vault and Database Firewall accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
References: https://www.oracle.com/security-alerts/cpujan2024.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-20917
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.3
Description: Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Log Management). The supported version that is affected is 13.5.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Oracle Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L).
References: https://www.oracle.com/security-alerts/cpujan2024.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-20927
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 8.6 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N).
References: https://www.oracle.com/security-alerts/cpujan2024.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-20931
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
References: https://www.oracle.com/security-alerts/cpujan2024.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-20953
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: Export). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
References: https://www.oracle.com/security-alerts/cpujan2024.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-20956
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Installation). Supported versions that are affected are Prior to 6.2.4.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Agile Product Lifecycle Management for Process accessible data as well as unauthorized read access to a subset of Oracle Agile Product Lifecycle Management for Process accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Agile Product Lifecycle Management for Process. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
References: https://www.oracle.com/security-alerts/cpujan2024.html
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-0610
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'MerchantReference' parameter in all versions up to, and including, 1.6.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3035641%40woo-payment-gateway-for-piraeus-bank&new=3035641%40woo-payment-gateway-for-piraeus-bank&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/f17c4748-2a95-495c-ad3b-86b272855791?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-1512
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to union based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST route in all versions up to, and including, 3.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/changeset/3036794/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/models/StmStatistics.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/d6b6d824-51d3-4da9-a39a-b957368df4dc?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
9. CVE-2022-41737
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 4.0
Description: IBM Storage Scale Container Native Storage Access 5.1.2.1 through 5.1.7.0 could allow a local attacker to initiate connections from a container outside the current namespace. IBM X-Force ID: 237811.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/237811
https://www.ibm.com/support/pages/node/7095312
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
10. CVE-2022-41738
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: IBM Storage Scale Container Native Storage Access 5.1.2.1 -through 5.1.7.0 could allow an attacker to initiate connections to containers from external networks. IBM X-Force ID: 237812.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/237812
https://www.ibm.com/support/pages/node/7095312
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found