Here are the Google and Microsoft security updates you need right now


CVE-2024-1553 and CVE-2024-1557 are memory-safety bugs rated as high severity. Mozilla researchers said, “Some of these bugs showed evidence of memory corruption and we believe that with enough effort some of these could be used to run arbitrary code.”

Zoom

Video conferencing giant Zoom has released fixes for seven flaws in its software, one of which has a CVSS score of 9.6. CVE-2024-24691 is an improper-input-validation bug in the Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows. Zoom said in a security bulletin that, if exploited, the issue could allow an unauthenticated attacker to escalate their privileges via network access.

Another notable flaw is CVE-2024-24697, an untrusted-search-path issue in some Zoom 32-bit Windows clients that could allow an authenticated user with local access to escalate their privileges.

Ivanti

In January, Ivanti warned that attackers were targeting two unpatched vulnerabilities in its Connect Secure and Policy Secure products, tracked as CVE-2023-46805 and CVE-2024-21887. The first, an authentication-bypass vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure with a CVSS score of 8.2, allows a remote attacker to access restricted resources by bypassing control checks.

With a CVSS score of 9.1, the second, a command-injection vulnerability in the web components of Ivanti Connect Secure and Ivanti Policy Secure, allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet.

At the end of the month, the firm alerted companies to two other serious flaws, one of which was being exploited in attacks. The exploited issue is a server-side request forgery bug in the SAML component, tracked as CVE-2024-21893. Meanwhile, CVE-2024-21888 is a privilege-escalation vulnerability.

Patches were available by February 1, but the issues were considered so serious that the US Cybersecurity and Infrastructure Security Agency (CISA) advised disconnecting all Ivanti products by February 2.

On February 8, Ivanti released a patch for another issue, tracked as CVE-2024-22024, prompting another warning from CISA.

Fortinet

Fortinet has released a patch for a critical issue with a CVSS score of 9.6, which it says is already being used in attacks. Tracked as CVE-2024-21762, the code-execution flaw affects FortiOS versions 6.0, 6.2, 6.4, 7.0, 7.2, and 7.4. Fortinet said the out-of-bounds write vulnerability may be exploited to execute arbitrary code using specially crafted HTTP requests.

This came after the company released a patch for two issues in its FortiSIEM products, CVE-2024-23108 and CVE-2024-23109, which were considered critical with a CVSS score of 9.7. The FortiSIEM supervisor flaw could allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests, Fortinet said in an advisory.

Cisco

Cisco has listed multiple vulnerabilities in its Expressway series that could allow an unauthenticated, remote attacker to conduct cross-site request forgery attacks.

Tracked as CVE-2024-20252 and CVE-2024-20254, the two vulnerabilities in the API of Cisco Expressway series devices have been given a CVSS score of 9.6. “An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link,” Cisco said. “A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.”

SAP

Enterprise software firm SAP has released 13 security updates as part of its SAP Security Patch Day. CVE-2024-22131 is a code-injection vulnerability in SAP ABA with a CVSS score of 9.1.

CVE-2024-22126 is a cross-site scripting vulnerability in NetWeaver AS Java, listed as High Impact with a CVSS score of 8.8. “The incoming URL parameters are insufficiently validated and improperly encoded before being included in the redirect URL,” security firm Onapsis said. “This could result in cross-site scripting vulnerabilities, which could have a high impact on confidentiality and a mild impact on integrity and availability.”
