In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between August 30-31, 2024.
During this period, the National Vulnerability Database published 71 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:
Critical: 4
High: 14
Medium: 32
Low: 1
Severity Not Assigned: 20
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-8234
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: ** UNSUPPORTED WHEN ASSIGNED ** A command injection vulnerability in the functions formSysCmd(), formUpgradeCert(), and formDelcert() in the Zyxel NWA1100-N firmware version 1.00(AACE.1)C0 could allow an unauthenticated attacker to execute some OS commands to access system files on an affected device.
References: https://github.com/GroundCTL2MajorTom/pocs/blob/main/zyxel_NWAW1100-N_rce.md
https://webservice.zyxel.com/eol/ArchivedEOLModel.pdf
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-45488
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: One Identity Safeguard for Privileged Passwords before 7.5.2 allows unauthorized access because of an issue related to cookies. This only affects virtual appliance installations (VMware or HyperV). The fixed versions are 7.0.5.1 LTS, 7.4.2, and 7.5.2.
References: https://support.oneidentity.com/kb/4376740/safeguard-for-privileged-passwords-security-vulnerability-notification-defect-460620
https://support.oneidentity.com/product-notification/noti-00001628
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-45490
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.
References: https://github.com/libexpat/libexpat/issues/887
https://github.com/libexpat/libexpat/pull/890
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-45491
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
References: https://github.com/libexpat/libexpat/issues/888
https://github.com/libexpat/libexpat/pull/891
CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-45492
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
References: https://github.com/libexpat/libexpat/issues/889
https://github.com/libexpat/libexpat/pull/892
CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-8327
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Easy test Online Learning and Testing Platform from HWA JIUH DIGITAL TECHNOLOGY does not properly validate a specific page parameter, allowing remote attackers with regular privilege to inject arbitrary SQL commands to read, modify, and delete database contents.
References: https://www.twcert.org.tw/en/cp-139-8032-a3d5c-2.html
https://www.twcert.org.tw/tw/cp-132-8028-360e1-1.html
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-8329
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: 6SHR system from Gether Technology does not properly validate a specific page parameter, allowing remote attackers with regular privilege to inject SQL commands to read, modify, and delete database contents.
References: https://www.twcert.org.tw/en/cp-139-8034-657b7-2.html
https://www.twcert.org.tw/tw/cp-132-8030-e2eac-1.html
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-8330
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: 6SHR system from Gether Technology does not properly validate uploaded file types, allowing remote attackers with regular privileges to upload web shell scripts and use them to execute arbitrary system commands on the server.
References: https://www.twcert.org.tw/en/cp-139-8035-53926-2.html
https://www.twcert.org.tw/tw/cp-132-8031-a2f21-1.html
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
9. CVE-2024-5784
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized administrative action execution due to missing capability checks on multiple functions like treport_quiz_atttempt_delete and tutor_gc_class_action in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform administrative actions on the site, such as deleting comments, posts or users, viewing notifications, etc.
References: https://tutorlms.com/releases/id/299/
https://www.wordfence.com/threat-intel/vulnerabilities/id/aa5c23ed-7239-40e1-a795-1ae8d4c2d6c8?source=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
10. CVE-2024-2694
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the 'mfn-page-items' post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References: https://themeforest.net/item/betheme-responsive-multipurpose-wordpress-theme/7758048
https://www.wordfence.com/threat-intel/vulnerabilities/id/a7c31409-c84a-4197-b08c-b70df5e66a80?source=cve
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
11. CVE-2024-3673
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: The Web Directory Free WordPress plugin before 1.7.3 does not validate a parameter before using it in an include(), which could lead to Local File Inclusion issues.
References: https://wpscan.com/vulnerability/0e8930cb-e176-4406-a43f-a6032471debf/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
12. CVE-2024-39300
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.9
Description: A missing authentication vulnerability exists in the Telnet function of WAB-I1750-PS v1.5.10 and earlier. When the Telnet function of the product is enabled, a remote attacker may log in to the product without authentication and alter the product's settings.
References: https://jvn.jp/en/jp/JVN24885537/
https://www.elecom.co.jp/news/security/20240827-01/
CWE-ID: CWE-306
Common Platform Enumerations (CPE): Not Found
13. CVE-2024-8016
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 2.3
Impact Score: 6.0
Description: The Events Calendar Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.0.2 via deserialization of untrusted input from the 'filters' parameter in widgets. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely. In certain configurations, this can be exploitable by lower level users. We confirmed that this plugin installed with Elementor makes it possible for users with contributor-level access and above to exploit this issue.
References: https://theeventscalendar.com/blog/news/important-security-update-for-the-events-calendar-pro/
https://theeventscalendar.com/release-notes/events-calendar-pro/events-calendar-pro-7-0-2-1/
https://www.wordfence.com/threat-intel/vulnerabilities/id/34f0e5a6-0bd3-4734-b7e0-27dc825d193f?source=cve
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
14. CVE-2024-8252
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Clean Login plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.14.5 via the 'template' attribute of the clean-login-register shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
References: https://plugins.trac.wordpress.org/browser/clean-login/tags/1.14.5/include/frontend.php#L20
https://plugins.trac.wordpress.org/browser/clean-login/tags/1.14.5/include/shortcodes.php#L146
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3143241%40clean-login&new=3143241%40clean-login&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/b9f99b51-e1b1-4cd3-a9f7-24e4b59811a7?source=cve
CWE-ID: CWE-98
Common Platform Enumerations (CPE): Not Found
15. CVE-2024-44916
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Vulnerability in admin_ip.php in Seacms v13.1, when action=set, allows attackers to control IP parameters that are written to the data/admin/ip.php file and could result in arbitrary command execution.
References: http://seacms.com
https://github.com/nn0nkey/nn0nkey/blob/main/CVE-2024-44916.md
https://github.com/seacms-net
CWE-ID: CWE-77
Common Platform Enumerations (CPE): Not Found
16. CVE-2024-6204
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.5
Description: Zohocorp ManageEngine Exchange Reporter Plus versions before 5715 are vulnerable to SQL Injection in the reports module.
References: https://www.manageengine.com/products/exchange-reports/advisory/CVE-2024-6204.html
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
17. CVE-2024-38868
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.7
Description: Zohocorp ManageEngine Endpoint Central is affected by an incorrect authorization vulnerability while isolating devices. This issue affects Endpoint Central: before 11.3.2406.08 and before 11.3.2400.15.
References: https://www.manageengine.com/products/desktop-central/security-updates-ngav.html
CWE-ID: CWE-863
Common Platform Enumerations (CPE): Not Found
18. CVE-2024-8285
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 1.0
Impact Score: 5.8
Description: A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.
References: https://access.redhat.com/security/cve/CVE-2024-8285
https://bugzilla.redhat.com/show_bug.cgi?id=2308606
CWE-ID: CWE-297
Common Platform Enumerations (CPE): Not Found