In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between May 29-30, 2024.
During this period, The National Vulnerability Database published 61, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 3
High: 10
Medium: 27
Low: 2
Severity Not Assigned: 19
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-5150
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Login with phone number plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.26. This is due to the 'activation_code' default value is empty, and the not empty check is missing in the 'lwp_ajax_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user email. The vulnerability is patched in version 1.7.26, but there is an issue in the patch that causes the entire function to not work, and this issue is fixed in version 1.7.27.
References: https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4183
https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4220
https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4241
https://plugins.trac.wordpress.org/changeset/3090625/login-with-phone-number
https://plugins.trac.wordpress.org/changeset/3090754/login-with-phone-number#file5
https://www.wordfence.com/threat-intel/vulnerabilities/id/cf34eb9f-f6e9-4a7a-8459-c86f9fa3dad8?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-5204
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Swiss Toolkit For WP plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0.7. This is due to the plugin storing custom data in post metadata without an underscore prefix. This makes it possible for authenticated attackers with contributor-level and above permissions to log in as any existing user on the site, such as an administrator.
References: https://plugins.trac.wordpress.org/browser/swiss-toolkit-for-wp/trunk/includes/plugins/class-boomdevs-swiss-toolkit-generate-login-url.php?rev=3077000#L50
https://plugins.trac.wordpress.org/changeset/3091913/swiss-toolkit-for-wp
https://www.wordfence.com/threat-intel/vulnerabilities/id/a8526106-847a-420f-9275-f759a8dd4dfb?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-6743
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.5.89 via the template import functionality. This makes it possible for authenticated attackers, with contributor access and above, to execute code on the server.
References: https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_output.class.php#L1765
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/provider/core/plugins/unlimited_elements/elementor/elementor_widget.class.php#L3948
https://plugins.trac.wordpress.org/changeset/3010986/unlimited-elements-for-elementor#file6
https://plugins.trac.wordpress.org/changeset/3015166/unlimited-elements-for-elementor
https://www.wordfence.com/threat-intel/vulnerabilities/id/25f71a19-85b1-4bc9-b193-d9de2eba81ee?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-21512
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.2
Description: Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
References: https://gist.github.com/domdomi3/e9f0f9b9b1ed6bfbbc0bea87c5ca1e4a
https://github.com/sidorares/node-mysql2/commit/efe3db527a2c94a63c2d14045baba8dfefe922bc
https://github.com/sidorares/node-mysql2/pull/2702
https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6861580
CWE-ID: CWE-1321
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-4611
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.9
Description: The AppPresser plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'decrypt_value' and on the 'doCookieAuth' functions in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they previously used the login via the plugin API. This can only be exploited if the 'openssl' php extension is not loaded on the server.
References: https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L133
https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L167
https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_User.php?rev=2789173#L40
https://plugins.trac.wordpress.org/changeset/3093975/apppresser
https://www.wordfence.com/threat-intel/vulnerabilities/id/d1498fdf-9d5e-4277-92be-469d6646864b?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-3412
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 2.3
Impact Score: 6.0
Description: The WP STAGING WordPress Backup Plugin – Migration Backup Restore plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wpstg_processing AJAX action in all versions up to, and including, 3.4.3. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
References: https://plugins.trac.wordpress.org/changeset/3076275/wp-staging/trunk/Framework/Network/AjaxBackupDownloader.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/8ebb1072-ea05-4914-961d-0d8f20248078?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-28826
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Improper restriction of local upload and download paths in check_sftp in Checkmk before 2.3.0p4, 2.2.0p27, 2.1.0p44, and in Checkmk 2.0.0 (EOL) allows attackers with sufficient permissions to configure the check to read and write local files on the Checkmk site server.
References: https://checkmk.com/werk/15200
CWE-ID: CWE-73
Common Platform Enumerations (CPE): Not Found
8. CVE-2023-42005
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 1.4
Impact Score: 5.9
Description: IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data 3.5, 4.0, 4.5, 4.6, 4.7, and 4.8 could allow a user with access to the Kubernetes pod, to make system calls compromising the security of containers. IBM X-Force ID: 265264.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/265264
https://www.ibm.com/support/pages/node/7155078
CWE-ID: CWE-264
Common Platform Enumerations (CPE): Not Found
9. CVE-2024-5185
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.2
Description: The EmbedAI application is susceptible to security issues that enable Data Poisoning attacks. This weakness could result in the application becoming compromised, leading to unauthorized entries or data poisoning attacks, which are delivered by a CSRF vulnerability due to the absence of a secure session management implementation and weak CORS policies weakness. An attacker can direct a user to a malicious webpage that exploits a CSRF vulnerability within the EmbedAI application. By leveraging this CSRF vulnerability, the attacker can deceive the user into inadvertently uploading and integrating incorrect data into the application’s language model.
References: https://www.synopsys.com/blogs/software-security/cyrc-advisory-data-poisoning-embedai.html
CWE-ID: CWE-349
Common Platform Enumerations (CPE): Not Found
10. CVE-2024-36470
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.9
Description: In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 authentication bypass was possible in specific edge cases
References: https://www.jetbrains.com/privacy-security/issues-fixed/
CWE-ID: CWE-288
Common Platform Enumerations (CPE): Not Found
11. CVE-2024-4358
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
References: https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358
CWE-ID: CWE-290
Common Platform Enumerations (CPE): Not Found
12. CVE-2024-28974
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.7
Description: Dell Data Protection Advisor, version(s) 19.9, contain(s) an Inadequate Encryption Strength vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Denial of service.
References: https://www.dell.com/support/kbdoc/en-us/000225088/dsa-2024-192-security-update-for-data-protection-advisor-and-powerprotect-dp-series-appliance-idpa-for-multiple-vulnerabilities
CWE-ID: CWE-326
Common Platform Enumerations (CPE): Not Found
13. CVE-2024-36114
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.7
Description: Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memory of the Java process (which could contain sensitive information). When decompressing certain data, the decompressors try to access memory outside the bounds of the given byte arrays or byte buffers. Because Aircompressor uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. Users should update to Aircompressor 0.27 or newer where these issues have been fixed. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process. There are no known workarounds for this issue.
References: https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071
https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e
https://github.com/airlift/aircompressor/commit/cf66151541edb062ea88b6f3baab3f95e48b7b7f
https://github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e
https://github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4
CWE-ID: CWE-125 CWE-787
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between May 29-30, 2024.
During this period, The National Vulnerability Database published 61, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 3
High: 10
Medium: 27
Low: 2
Severity Not Assigned: 19
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-5150
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Login with phone number plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.26. This is due to the 'activation_code' default value is empty, and the not empty check is missing in the 'lwp_ajax_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user email. The vulnerability is patched in version 1.7.26, but there is an issue in the patch that causes the entire function to not work, and this issue is fixed in version 1.7.27.
References: https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4183
https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4220
https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4241
https://plugins.trac.wordpress.org/changeset/3090625/login-with-phone-number
https://plugins.trac.wordpress.org/changeset/3090754/login-with-phone-number#file5
https://www.wordfence.com/threat-intel/vulnerabilities/id/cf34eb9f-f6e9-4a7a-8459-c86f9fa3dad8?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-5204
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Swiss Toolkit For WP plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0.7. This is due to the plugin storing custom data in post metadata without an underscore prefix. This makes it possible for authenticated attackers with contributor-level and above permissions to log in as any existing user on the site, such as an administrator.
References: https://plugins.trac.wordpress.org/browser/swiss-toolkit-for-wp/trunk/includes/plugins/class-boomdevs-swiss-toolkit-generate-login-url.php?rev=3077000#L50
https://plugins.trac.wordpress.org/changeset/3091913/swiss-toolkit-for-wp
https://www.wordfence.com/threat-intel/vulnerabilities/id/a8526106-847a-420f-9275-f759a8dd4dfb?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-6743
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.5.89 via the template import functionality. This makes it possible for authenticated attackers, with contributor access and above, to execute code on the server.
References: https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_output.class.php#L1765
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/provider/core/plugins/unlimited_elements/elementor/elementor_widget.class.php#L3948
https://plugins.trac.wordpress.org/changeset/3010986/unlimited-elements-for-elementor#file6
https://plugins.trac.wordpress.org/changeset/3015166/unlimited-elements-for-elementor
https://www.wordfence.com/threat-intel/vulnerabilities/id/25f71a19-85b1-4bc9-b193-d9de2eba81ee?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-21512
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.2
Description: Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
References: https://gist.github.com/domdomi3/e9f0f9b9b1ed6bfbbc0bea87c5ca1e4a
https://github.com/sidorares/node-mysql2/commit/efe3db527a2c94a63c2d14045baba8dfefe922bc
https://github.com/sidorares/node-mysql2/pull/2702
https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6861580
CWE-ID: CWE-1321
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-4611
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.9
Description: The AppPresser plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'decrypt_value' and on the 'doCookieAuth' functions in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they previously used the login via the plugin API. This can only be exploited if the 'openssl' php extension is not loaded on the server.
References: https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L133
https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L167
https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_User.php?rev=2789173#L40
https://plugins.trac.wordpress.org/changeset/3093975/apppresser
https://www.wordfence.com/threat-intel/vulnerabilities/id/d1498fdf-9d5e-4277-92be-469d6646864b?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-3412
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 2.3
Impact Score: 6.0
Description: The WP STAGING WordPress Backup Plugin – Migration Backup Restore plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wpstg_processing AJAX action in all versions up to, and including, 3.4.3. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
References: https://plugins.trac.wordpress.org/changeset/3076275/wp-staging/trunk/Framework/Network/AjaxBackupDownloader.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/8ebb1072-ea05-4914-961d-0d8f20248078?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-28826
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Improper restriction of local upload and download paths in check_sftp in Checkmk before 2.3.0p4, 2.2.0p27, 2.1.0p44, and in Checkmk 2.0.0 (EOL) allows attackers with sufficient permissions to configure the check to read and write local files on the Checkmk site server.
References: https://checkmk.com/werk/15200
CWE-ID: CWE-73
Common Platform Enumerations (CPE): Not Found
8. CVE-2023-42005
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 1.4
Impact Score: 5.9
Description: IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data 3.5, 4.0, 4.5, 4.6, 4.7, and 4.8 could allow a user with access to the Kubernetes pod, to make system calls compromising the security of containers. IBM X-Force ID: 265264.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/265264
https://www.ibm.com/support/pages/node/7155078
CWE-ID: CWE-264
Common Platform Enumerations (CPE): Not Found
9. CVE-2024-5185
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.2
Description: The EmbedAI application is susceptible to security issues that enable Data Poisoning attacks. This weakness could result in the application becoming compromised, leading to unauthorized entries or data poisoning attacks, which are delivered by a CSRF vulnerability due to the absence of a secure session management implementation and weak CORS policies weakness. An attacker can direct a user to a malicious webpage that exploits a CSRF vulnerability within the EmbedAI application. By leveraging this CSRF vulnerability, the attacker can deceive the user into inadvertently uploading and integrating incorrect data into the application’s language model.
References: https://www.synopsys.com/blogs/software-security/cyrc-advisory-data-poisoning-embedai.html
CWE-ID: CWE-349
Common Platform Enumerations (CPE): Not Found
10. CVE-2024-36470
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.9
Description: In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 authentication bypass was possible in specific edge cases
References: https://www.jetbrains.com/privacy-security/issues-fixed/
CWE-ID: CWE-288
Common Platform Enumerations (CPE): Not Found
11. CVE-2024-4358
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
References: https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358
CWE-ID: CWE-290
Common Platform Enumerations (CPE): Not Found
12. CVE-2024-28974
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.7
Description: Dell Data Protection Advisor, version(s) 19.9, contain(s) an Inadequate Encryption Strength vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Denial of service.
References: https://www.dell.com/support/kbdoc/en-us/000225088/dsa-2024-192-security-update-for-data-protection-advisor-and-powerprotect-dp-series-appliance-idpa-for-multiple-vulnerabilities
CWE-ID: CWE-326
Common Platform Enumerations (CPE): Not Found
13. CVE-2024-36114
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.7
Description: Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memory of the Java process (which could contain sensitive information). When decompressing certain data, the decompressors try to access memory outside the bounds of the given byte arrays or byte buffers. Because Aircompressor uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. Users should update to Aircompressor 0.27 or newer where these issues have been fixed. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process. There are no known workarounds for this issue.
References: https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071
https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e
https://github.com/airlift/aircompressor/commit/cf66151541edb062ea88b6f3baab3f95e48b7b7f
https://github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e
https://github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4
CWE-ID: CWE-125 CWE-787
Common Platform Enumerations (CPE): Not Found