In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between November 08-09, 2024.
During this period, the National Vulnerability Database published 126 new Common Vulnerabilities and Exposures (CVEs), classified as follows:
Critical: 8
High: 15
Medium: 25
Low: 2
Severity Not Assigned: 76
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-47072
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
References: https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266
https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q
https://x-stream.github.io/CVE-2024-47072.html
CWE-ID: CWE-121 CWE-502
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-51998
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: changedetection.io is a free open source web page change detection tool. The validation for the file URI scheme falls short, and results in an attacker being able to read any file on the system. This issue only affects instances with a webdriver enabled, and `ALLOW_FILE_URI` false or not defined. The check used for URL protocol, `is_safe_url`, allows `file:` as a URL scheme. It later checks if local files are permitted, but one of the preconditions for the check is that the URL starts with `file://`. The issue comes with the fact that the file URI scheme is not required to have double slashes. This issue has been addressed in version 0.47.06 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/dgtlmoon/changedetection.io/blob/e0abf0b50507a8a3d0c1d8522ab23519b3e4cdf4/changedetectionio/model/Watch.py#L11-L13
https://github.com/dgtlmoon/changedetection.io/commit/49bc982c697169c98b79698889fb9d26f6b3317f
https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-6jrf-rcjf-245r
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-8424
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Improper Privilege Management vulnerability in WatchGuard EPDR, Panda AD360 and Panda Dome on Windows (PSANHost.exe module) allows arbitrary file delete with SYSTEM permissions.
This issue affects EPDR: before 8.00.23.0000; Panda AD360: before 8.00.23.0000; Panda Dome: before 22.03.00.
References: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00017
CWE-ID: CWE-269
Common Platform Enumerations (CPE): Not Found
4. CVE-2020-8007
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The pwrstudio web application of EV Charger (in the server in Circontrol Raption through 5.6.2) is vulnerable to OS command injection via three fields of the configuration menu for ntpserver0, ntpserver1, and pingip.
References: https://circontrol.com/intelligent-charging-solutions/dc-chargers-series/raption-150/
https://seclists.org/fulldisclosure/2024/Mar/33
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
5. CVE-2023-27195
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Trimble TM4Web 22.2.0 allows unauthenticated attackers to access /inc/tm_ajax.msw?func=UserfromUUID&uuid= to retrieve the last registration access code and use this access code to register a valid account via a PUT /inc/tm_ajax.msw request. If the access code was used to create an Administrator account, attackers are also able to register new Administrator accounts with full privileges.
References: https://seclists.org/fulldisclosure/2024/Apr/16
https://transportation.trimble.com/products/TM4Web
CWE-ID: CWE-276
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-21538
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well-crafted string.
References: https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff
https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f
https://github.com/moxystudio/node-cross-spawn/pull/160
https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
CWE-ID: CWE-1333
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-7982
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 2.8
Impact Score: 6.0
Description: The Registrations for the Events Calendar WordPress plugin before 2.12.4 does not sanitise and escape some parameters when accepting event registrations, which could allow unauthenticated users to perform Cross-Site Scripting attacks.
References: https://wpscan.com/vulnerability/d79e1e9c-980d-4974-bfbd-d87d6e28d9a6/
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-24409
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Zohocorp ManageEngine ADManager Plus versions 7203 and prior are vulnerable to Privilege Escalation in the Modify Computers option.
References: https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2024-24409.html
CWE-ID: CWE-269
Common Platform Enumerations (CPE): Not Found
9. CVE-2024-50588
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: An unauthenticated attacker with access to the local network of the medical office can use known default credentials to gain remote DBA access to the Elefant Firebird database. The data in the database includes patient data and login credentials among other sensitive data. In addition, this enables an attacker to create and overwrite arbitrary files on the server filesystem with the rights of the Firebird database ("NT AUTHORITY\SYSTEM").
References: https://hasomed.de/produkte/elefant/
https://r.sec-consult.com/hasomed
CWE-ID: CWE-1393 CWE-419
Common Platform Enumerations (CPE): Not Found
10. CVE-2024-10839
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Zohocorp ManageEngine SharePoint Manager Plus versions 4503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option.
References: https://www.manageengine.com/sharepoint-management-reporting/advisory/CVE-2024-10839.html
CWE-ID: CWE-611
Common Platform Enumerations (CPE): Not Found
11. CVE-2024-50589
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: An unauthenticated attacker with access to the local network of the medical office can query an unprotected Fast Healthcare Interoperability Resources (FHIR) API to get access to sensitive electronic health records (EHR).
References: https://hasomed.de/produkte/elefant/
https://r.sec-consult.com/hasomed
CWE-ID: CWE-306
Common Platform Enumerations (CPE): Not Found
12. CVE-2024-50590
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Attackers with local access to the medical office computer can escalate their Windows user privileges to "NT AUTHORITY\SYSTEM" by overwriting one of two Elefant service binaries with weak permissions. The default installation directory of Elefant is "C:\Elefant1", which is writable for all users. In addition, the Elefant installer registers two Firebird database services which are running as "NT AUTHORITY\SYSTEM".
Path: C:\Elefant1\Firebird_2\bin\fbserver.exe
Path: C:\Elefant1\Firebird_2\bin\fbguard.exe
Both service binaries are user writable. This means that a local attacker can rename one of the service binaries, replace the service executable with a new executable, and then restart the system. Once the system has rebooted, the new service binary is executed as "NT AUTHORITY\SYSTEM".
References: https://hasomed.de/produkte/elefant/
https://r.sec-consult.com/hasomed
CWE-ID: CWE-250 CWE-276 CWE-732
Common Platform Enumerations (CPE): Not Found
13. CVE-2024-50591
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: An attacker with local access to the medical office computer can escalate his Windows user privileges to "NT AUTHORITY\SYSTEM" by exploiting a command injection vulnerability in the Elefant Update Service. The command injection can be exploited by communicating with the Elefant Update Service, which is running as "SYSTEM", via Windows Named Pipes. The Elefant Software Updater (ESU) consists of two components: an ESU service which runs as "NT AUTHORITY\SYSTEM" and an ESU tray client which communicates with the service to update or repair the installation and is running with user permissions. The communication is implemented using named pipes. A crafted message of type "MessageType.SupportServiceInfos" can be sent to the local ESU service to inject commands, which are then executed as "NT AUTHORITY\SYSTEM".
References: https://hasomed.de/produkte/elefant/
https://r.sec-consult.com/hasomed
CWE-ID: CWE-77
Common Platform Enumerations (CPE): Not Found
14. CVE-2024-50593
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: An attacker with local access to the medical office computer can access restricted functions of the Elefant Service tool by using a hard-coded "Hotline" password in the Elefant service binary, which is shipped with the software.
References: https://hasomed.de/produkte/elefant/
https://r.sec-consult.com/hasomed
CWE-ID: CWE-798
Common Platform Enumerations (CPE): Not Found
15. CVE-2024-50592
Base Score: 7.0
Base Severity: HIGH
Exploitability Score: 1.0
Impact Score: 5.9
Description: An attacker with local access to the medical office computer can escalate his Windows user privileges to "NT AUTHORITY\SYSTEM" by exploiting a race condition in the Elefant Update Service during the repair or update process. When using the repair function, the service queries the server for a list of files and their hashes. In addition, instructions to execute binaries to finalize the repair process are included. The executables are executed as "NT AUTHORITY\SYSTEM" after they are copied over to the user writable installation folder (C:\Elefant1). This means that a user can overwrite either "PostESUUpdate.exe" or "Update_OpenJava.exe" in the time frame after the copy and before the execution of the final repair step. The overwritten executable is then executed as "NT AUTHORITY\SYSTEM".
References: https://hasomed.de/produkte/elefant/
https://r.sec-consult.com/hasomed
CWE-ID: CWE-367
Common Platform Enumerations (CPE): Not Found
16. CVE-2024-45764
Base Score: 9.0
Base Severity: CRITICAL
Exploitability Score: 2.2
Impact Score: 6.0
Description: Dell Enterprise SONiC OS, version(s) 4.1.x, 4.2.x, contain(s) a Missing Critical Step in Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. This is a critical severity vulnerability so Dell recommends customers to upgrade at the earliest opportunity.
References: https://www.dell.com/support/kbdoc/en-us/000245655/dsa-2024-449-security-update-for-dell-enterprise-sonic-distribution-vulnerabilities
CWE-ID: CWE-304
Common Platform Enumerations (CPE): Not Found
17. CVE-2024-45765
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 2.3
Impact Score: 6.0
Description: Dell Enterprise SONiC OS, version(s) 4.1.x, 4.2.x, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution. This is a critical severity vulnerability as it allows high privilege OS commands to be executed with a less privileged role; so Dell recommends customers to upgrade at the earliest opportunity.
References: https://www.dell.com/support/kbdoc/en-us/000245655/dsa-2024-449-security-update-for-dell-enterprise-sonic-distribution-vulnerabilities
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
18. CVE-2024-50966
Base Score: 9.3
Base Severity: CRITICAL
Exploitability Score: 2.8
Impact Score: 5.8
Description: dingfanzu CMS V1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/doAdminAction.php?act=addAdmin.
References: https://github.com/evenomn/YangYiWen/tree/main/11
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
19. CVE-2024-45763
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 2.3
Impact Score: 6.0
Description: Dell Enterprise SONiC OS, version(s) 4.1.x, 4.2.x, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution. This is a critical severity vulnerability so Dell recommends customers to upgrade at the earliest opportunity.
References: https://www.dell.com/support/kbdoc/en-us/000245655/dsa-2024-449-security-update-for-dell-enterprise-sonic-distribution-vulnerabilities
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
20. CVE-2024-51997
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: Trustee is a set of tools and components for attesting confidential guests and providing secrets to them. The ART (Attestation Results Token) token, generated by the AS, could be manipulated by a MITM attacker, but the verifier (a CoCo Verification Demander such as KBS) could still verify it successfully. In the payload of the ART token, the 'jwk' could be replaced by the attacker with their own public key. The attacker can then use the corresponding private key to sign the crafted ART token. Based on the current code implementation (v0.8.0), such replacement and modification cannot be detected. This issue has been addressed in version 0.8.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/confidential-containers/trustee/security/advisories/GHSA-7jc6-j236-vvjw
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
21. CVE-2024-52000
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: Combodo iTop is a simple, web-based IT Service Management tool. Affected versions are subject to a reflected Cross-site Scripting (XSS) exploit by way of editing a request's payload, which can lead to malicious JavaScript execution. This issue has been addressed in version 3.2.0 via systematic escaping of error messages when rendering on the page. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/Combodo/iTop/security/advisories/GHSA-r58g-p5r9-8hfg
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
22. CVE-2024-52002
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.7
Description: Combodo iTop is a simple, web-based IT Service Management tool. Several URL endpoints are subject to a Cross-Site Request Forgery (CSRF) vulnerability. Please refer to the linked GHSA for the complete list. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/Combodo/iTop/security/advisories/GHSA-xr4x-xq7v-7gqm
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
23. CVE-2024-52007
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components is vulnerable to XML external entity injection. A processed XML file with a malicious DTD tag ( ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, whose fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j
https://cwe.mitre.org/data/definitions/611.html
https://github.com/hapifhir/org.hl7.fhir.core/issues/1571
https://github.com/hapifhir/org.hl7.fhir.core/pull/1717
https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf
https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-gr3c-q7xf-47vh
CWE-ID: CWE-611
Common Platform Enumerations (CPE): Not Found