In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between December 26-27, 2024.
During this period, The National Vulnerability Database published 67, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 0
High: 5
Medium: 52
Low: 5
Severity Not Assigned: 5
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-7300
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: Huawei Home Music System has a path traversal vulnerability. Successful exploitation of this vulnerability may cause the music host file to be deleted or the file permission to be changed.(Vulnerability ID:HWPSIRT-2023-60613)
References: https://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-ptvihhms-91f7c6fa-en
CWE-ID: CWE-35
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-51540
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: Dell ECS, versions prior to 3.8.1.3 contains an arithmetic overflow vulnerability exists in retention period handling of ECS. An authenticated user with bucket or object-level access and the necessary privileges could potentially exploit this vulnerability to bypass retention policies and delete objects.
References: https://www.dell.com/support/kbdoc/en-us/000256642/dsa-2024-483-security-update-for-dell-ecs-multiple-vulnerabilities
CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-54907
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: TOTOLINK A3002R V4.0.0-B20230531.1404 is vulnerable to Remote Code Execution in /bin/boa via formWsc.
References: https://github.com/MnrikSrins/totolink_A3002R_RCE
CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-45600
Base Score: 7.7
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.0
Description: Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to 1.21.13, an authenticated user can perform a SQL injection when the plugin is active. The vulnerability is fixed in 1.21.13.
References: https://github.com/pluginsGLPI/fields/commit/eb927b0f084ee4ef6c87ab2eb7a15e99369e74ae#diff-a7024a397fba9a026157683da73cc675ec6b73bd900374b3836bcdc76ec7bd5cR1166
https://github.com/pluginsGLPI/fields/security/advisories/GHSA-wwxw-64g6-2992
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-53850
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.2
Description: The Addressing GLPI plugin enables you to create IP reports for visualize IP addresses used and free on a given network.. Starting with 3.0.0 and before 3.0.3, a poor security check allows an unauthenticated attacker to determine whether data exists (by name) in GLPI.
References: https://github.com/pluginsGLPI/addressing/commit/b334187a99206abbd7d0bc84f720b0a6e69e92f0
https://github.com/pluginsGLPI/addressing/security/advisories/GHSA-fw42-79gw-7qr9
CWE-ID: CWE-470
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between December 26-27, 2024.
During this period, The National Vulnerability Database published 67, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 0
High: 5
Medium: 52
Low: 5
Severity Not Assigned: 5
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-7300
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: Huawei Home Music System has a path traversal vulnerability. Successful exploitation of this vulnerability may cause the music host file to be deleted or the file permission to be changed.(Vulnerability ID:HWPSIRT-2023-60613)
References: https://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-ptvihhms-91f7c6fa-en
CWE-ID: CWE-35
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-51540
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: Dell ECS, versions prior to 3.8.1.3 contains an arithmetic overflow vulnerability exists in retention period handling of ECS. An authenticated user with bucket or object-level access and the necessary privileges could potentially exploit this vulnerability to bypass retention policies and delete objects.
References: https://www.dell.com/support/kbdoc/en-us/000256642/dsa-2024-483-security-update-for-dell-ecs-multiple-vulnerabilities
CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-54907
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: TOTOLINK A3002R V4.0.0-B20230531.1404 is vulnerable to Remote Code Execution in /bin/boa via formWsc.
References: https://github.com/MnrikSrins/totolink_A3002R_RCE
CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-45600
Base Score: 7.7
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.0
Description: Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to 1.21.13, an authenticated user can perform a SQL injection when the plugin is active. The vulnerability is fixed in 1.21.13.
References: https://github.com/pluginsGLPI/fields/commit/eb927b0f084ee4ef6c87ab2eb7a15e99369e74ae#diff-a7024a397fba9a026157683da73cc675ec6b73bd900374b3836bcdc76ec7bd5cR1166
https://github.com/pluginsGLPI/fields/security/advisories/GHSA-wwxw-64g6-2992
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-53850
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.2
Description: The Addressing GLPI plugin enables you to create IP reports for visualize IP addresses used and free on a given network.. Starting with 3.0.0 and before 3.0.3, a poor security check allows an unauthenticated attacker to determine whether data exists (by name) in GLPI.
References: https://github.com/pluginsGLPI/addressing/commit/b334187a99206abbd7d0bc84f720b0a6e69e92f0
https://github.com/pluginsGLPI/addressing/security/advisories/GHSA-fw42-79gw-7qr9
CWE-ID: CWE-470
Common Platform Enumerations (CPE): Not Found