Latest Vulnerabilities Updates: AppSecWorld's CVE Daily Digest for February 27-28, 2024

In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between February 27-28, 2024.
During this period, the National Vulnerability Database published 167 new Common Vulnerabilities and Exposures (CVEs), classified as follows:

Critical: 4
High: 13
Medium: 27
Low: 5
Severity Not Assigned: 118

Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.

1. CVE-2024-0759
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 5.8
Description: Should an instance of AnythingLLM be hosted on an internal network and the attacker be explicitly granted a permission level of manager or admin, they could link-scrape internally resolving IPs of other services that are on the same network as AnythingLLM.

This would require the attacker also be able to guess these internal IPs as `/*` ranging is not possible, but could be brute forced.

There is a duty of care that other services on the same network would not be fully open and accessible via a simple CuRL with zero authentication as it is not possible to set headers or access via the link collector.
References: https://github.com/mintplex-labs/anything-llm/commit/0db6c3b2aa1787a7054ffdaba975474f122c20eb
https://huntr.com/bounties/9a978edd-ac94-41fc-8e3e-c35441bdd12b

CWE-ID: CWE-918
Common Platform Enumerations (CPE): Not Found

2. CVE-2024-1698
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/changeset/3040809/notificationx/trunk/includes/Core/Database.php
https://plugins.trac.wordpress.org/changeset/3040809/notificationx/trunk/includes/Core/Rest/Analytics.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/e110ea99-e2fa-4558-bcf3-942a35af0b91?source=cve

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

3. CVE-2023-5993
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: A flaw in the Windows Installer in Thales SafeNet Authentication Client prior to 10.8 R10 on Windows allows an attacker to escalate their privilege level via local access.
References: https://supportportal.thalesgroup.com

CWE-ID: CWE-269
Common Platform Enumerations (CPE): Not Found

4. CVE-2023-7016
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: A flaw in Thales SafeNet Authentication Client prior to 10.8 R10 on Windows allows an attacker to execute code at a SYSTEM level via local access.
References: https://supportportal.thalesgroup.com

CWE-ID: CWE-269
Common Platform Enumerations (CPE): Not Found

5. CVE-2024-0197
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: A flaw in the installer for Thales SafeNet Sentinel HASP LDK prior to 9.16 on Windows allows an attacker to escalate their privilege level via local access.
References: https://supportportal.thalesgroup.com

CWE-ID: CWE-269
Common Platform Enumerations (CPE): Not Found

6. CVE-2024-0551
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: Enable exports of the database and associated exported information of the system via the default user role. The attacker would have to have been granted access to the system prior to the attack.

It is worth noting that the deterministic nature of the export name is lower risk as the UI for exporting would start the download at the same time, which once downloaded - deletes the export from the system.

The endpoint for exporting should simply be patched to a higher privilege level.
References: https://github.com/mintplex-labs/anything-llm/commit/7aaa4b38e7112a6cd879c1238310c56b1844c6d8
https://huntr.com/bounties/f114c787-ab5f-4f83-afa5-c000435efb78

CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found

7. CVE-2024-0819
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 1.3
Impact Score: 5.9
Description: Improper initialization of default settings in TeamViewer Remote Client prior to version 15.51.5 for Windows, Linux and macOS allows a low-privileged user to elevate privileges by changing the personal password setting and establishing a remote connection to a logged-in admin account.
References: https://www.teamviewer.com/en/trust-center/security-bulletins/tv-2024-1001/

CWE-ID: CWE-269
Common Platform Enumerations (CPE): Not Found

8. CVE-2024-1403
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Description: In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. The vulnerability is a bypass to authentication based on a failure to properly handle username and password. Certain unexpected content passed into the credentials can lead to unauthorized access without proper authentication.
References: https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer
https://www.progress.com/openedge

CWE-ID: CWE-305
Common Platform Enumerations (CPE): Not Found

9. CVE-2024-26142
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.
References: https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml

CWE-ID: CWE-1333
Common Platform Enumerations (CPE): Not Found

10. CVE-2024-26143
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.
References: https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc
https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e
https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml

CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found

11. CVE-2024-27099
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: uAMQP is a C library for AMQP 1.0 communication to Azure Cloud Services. Processing an incorrect `AMQP_VALUE` failed state may cause a double free problem. This may cause an RCE. Update submodule with commit 2ca42b6e4e098af2d17e487814a91d05f6ae4987.
References: https://github.com/Azure/azure-uamqp-c/commit/2ca42b6e4e098af2d17e487814a91d05f6ae4987
https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-6rh4-fj44-v4jj

CWE-ID: CWE-415
Common Platform Enumerations (CPE): Not Found

12. CVE-2024-0763
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: Any user can delete an arbitrary folder (recursively) on a remote server due to bad input sanitization leading to path traversal. The attacker would need access to the server at some privilege level since this endpoint is protected and requires authorization.
References: https://github.com/mintplex-labs/anything-llm/commit/8a7324d0e77a15186e1ad5e5119fca4fb224c39c
https://huntr.com/bounties/25a2f487-5a9c-4c7f-a2d3-b0527db73ea5

CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found

13. CVE-2024-26294
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

14. CVE-2024-26295
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

15. CVE-2024-26296
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

16. CVE-2024-26297
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

17. CVE-2024-26298
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
