The Consensus Security Vulnerability Alert

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

[Guest Diary] A Deep Dive into TeamTNT and Spinning YARN

Published: 2024-12-18.

Last Updated: 2024-12-18 00:04:50 UTC

by James Levija, SANS.edu BACS Student (Version: 1)

Executive Summary

TeamTNT is running a crypto mining campaign dubbed Spinning YARN. Spinning YARN focuses on exploiting Docker, Redis, YARN, and Confluence [2]. On November 4th, 2024, my DShield sensor recorded suspicious activity targeting my web server. The attacker attempted to use a technique that tricks the server into running harmful commands. This technique is known as server-side scripting vulnerability. This attack originated from IPv4 address 47.93.56.107 targeting port 8090. The attacker used a technique to disguise their harmful code by encoding it. This technique hides the code’s true purpose and assists with avoiding detection against antivirus software and firewalls.

An analysis of the obfuscated code revealed that the command would send the victim to another website to download a malicious file. The malicious file dropped is named “w.sh” [3]. The purpose of this initial file is to install the requirements to run the intended malware and to download the intended malware from the site hxxp://b[.]9-9-8[.]com/brysj. Once the intended malware is downloaded, it runs and assesses the environment. It targets Linux distributions and cloud environments. The malware identifies possible cloud security and attempts to disable it to allow the rest of the code to run smoothly. The malware then sets up its persistence through creating secure keys to talk back to the attacker’s server and establishes a connection to the attacker’s server. It also uses techniques to hide itself on the victim’s device or cloud environment. Finally, the malware sets up a crypto miner to utilize the victim’s resources for the attacker’s gain ...

The impact of this attack extends beyond consuming system resources for cryptocurrency mining. The connection between the victim’s machine or cloud environment and the attacker grants the attacker persistent access. The attacker can abuse this through conducting additional exploits, steal sensitive data, or use the system to launch additional attacks on other systems. TeamTNT is known to have created a work that could steal Amazon Web Service (AWS) credentials. This poses significant risks to operational security and data integrity for any organization.

This attack highlights evolving threats to Linux and cloud environments from sophisticated groups like TeamTNT. Organizations should prioritize securing their infrastructure through regular updates, monitoring suspicious activity, staying up to date on cyber threat intelligence, and implementing robust defenses against malware and their obfuscation techniques. Collaboration withing the cybersecurity community is key to mitigating these ongoing threats ...

Read the full entry: https://isc.sans.edu/diary/Guest+Diary+A+Deep+Dive+into+TeamTNT+and+Spinning+YARN/31530/

Apple Updates Everything (iOS, iPadOS, macOS, watchOS, tvOS, visionOS)

Published: 2024-12-11.

Last Updated: 2024-12-11 19:59:25 UTC

by Johannes Ullrich (Version: 1)

Apple today released patches for all of its operating systems. The updates address 46 different vulnerabilities. Many of the vulnerabilities affect more than one operating system. None of the vulnerabilities are labeled as being already exploited ...

Read the full entry: https://isc.sans.edu/diary/Apple+Updates+Everything+iOS+iPadOS+macOS+watchOS+tvOS+visionOS/31514/

Santa’s elves arrive back at the North Pole and are working hard to get ready for the holiday gift-giving season. You’ll get to help Alabaster Snowball, Wombley Cube, and the rest of the gang clean up to restore operations at the North Pole!

"I highly recommend building your infosec skills using the free and incredibly awesome Holiday Hack Challenge by Ed and his team." - SANS Holiday Hack Player

Play for free: https://www.sans.org/mlp/holiday-hack-challenge-2024/

Python Delivering AnyDesk Client as RAT (2024.12.17)

https://isc.sans.edu/diary/Python+Delivering+AnyDesk+Client+as+RAT/31524/

Exploit attempts inspired by recent Struts2 File Upload Vulnerability (CVE-2024-53677, CVE-2023-50164) (2024.12.15)

https://isc.sans.edu/diary/Exploit+attempts+inspired+by+recent+Struts2+File+Upload+Vulnerability+CVE202453677+CVE202350164/31520/

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2024-38812 - vCenter Server is vulnerable to a heap-overflow in the DCERPC protocol, allowing remote code execution by a malicious actor via a specially crafted network packet.

Product: VMware vCenter Server

CVSS Score: 0

** KEV since 2024-11-20 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38812

ISC Podcast: https://isc.sans.edu/podcastdetail/9252

CVE-2024-38813 - The vCenter Server is vulnerable to privilege escalation, allowing a malicious actor to gain root access through a specially crafted network packet.

Product: VMware vCenter Server

CVSS Score: 0

** KEV since 2024-11-20 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38813

ISC Podcast: https://isc.sans.edu/podcastdetail/9252

CVE-2024-50623 - In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability.

Product: Cleo Harmony

CVSS Score: 0

** KEV since 2024-12-13 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50623

ISC Podcast: https://isc.sans.edu/podcastdetail/9252

CVE-2024-55956 - Cleo Harmony, VLTrader, and LexiCom before 5.8.0.24 allow unauthenticated users to execute arbitrary Bash or PowerShell commands by exploiting default settings in the Autorun directory.

Product: Cleo Harmony

CVSS Score: 9.8

** KEV since 2024-12-17 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55956

NVD References:

- https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending

- https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update

- https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

CVE-2024-49138 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

Product: Microsoft Windows 10 1507

CVSS Score: 7.8

** KEV since 2024-12-10 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49138

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49138

CVE-2024-20767 - Adobe ColdFusion is vulnerable to an Improper Access Control flaw allowing attackers to read arbitrary files without user interaction if the admin panel is exposed to the internet.

Product: Adobe ColdFusion 2023

CVSS Score: 0

** KEV since 2024-12-16 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-20767

CVE-2024-54032 - Adobe Connect versions 12.6, 11.4.7 and earlier are vulnerable to stored Cross-Site Scripting (XSS) attacks, allowing attackers to inject and execute malicious scripts in victim's browsers.

Product: Adobe Connect

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54032

NVD References: https://helpx.adobe.com/security/products/connect/apsb24-99.html

CVE-2024-53677 - Apache Struts is vulnerable to flawed file upload logic from version 2.0.0 before 6.4.0, with a fix provided in version 6.4.0.

Product: Apache Struts

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53677

ISC Diary: https://isc.sans.edu/diary/31520

ISC Podcast: https://isc.sans.edu/podcastdetail/9254

NVD References: https://cwiki.apache.org/confluence/display/WW/S2-067

CVE-2023-50164 - Apache Struts is vulnerable to file upload parameter manipulation leading to Remote Code Execution, and users should upgrade to Struts 2.5.33 or Struts 6.3.0.2 or newer versions for a fix.

Product: Apache Struts

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-50164

ISC Diary: https://isc.sans.edu/diary/31520

ISC Podcast: https://isc.sans.edu/podcastdetail/9256

CVE-2024-50379 - Apache Tomcat is vulnerable to a Time-of-check Time-of-use (TOCTOU) Race Condition that can lead to remote code execution on case insensitive file systems with default servlet enabled for write.

Product: Apache Tomcat

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50379

NVD References: https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r

NVD References: http://www.openwall.com/lists/oss-security/2024/12/17/4

CVE-2024-11639 - Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access through an authentication bypass in the admin web console.

Product: Ivanti CSA

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11639

ISC Podcast: https://isc.sans.edu/podcastdetail/9250

NVD References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Services-Application-CSA-CVE-2024-11639-CVE-2024-11772-CVE-2024-11773

CVE-2024-11772 - Ivanti CSA before version 5.0.3 is vulnerable to command injection, enabling a remote authenticated attacker with admin privileges to execute remote code.

Product: Ivanti CSA

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11772

ISC Podcast: https://isc.sans.edu/podcastdetail/9250

NVD References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Services-Application-CSA-CVE-2024-11639-CVE-2024-11772-CVE-2024-11773

CVE-2024-11773 - Ivanti CSA before version 5.0.3 is vulnerable to SQL injection in the admin web console, enabling a remote attacker with admin privileges to execute arbitrary SQL queries.

Product: Ivanti CSA

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11773

ISC Podcast: https://isc.sans.edu/podcastdetail/9250

NVD References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Services-Application-CSA-CVE-2024-11639-CVE-2024-11772-CVE-2024-11773

CVE-2024-11633 - Ivanti Connect Secure prior to 22.7R2.4 allows admin privileged attackers to remotely execute code by injecting arguments into arguments.

Product: Ivanti Connect Secure

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11633

NVD References: https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Connect-Secure-ICS-and-Ivanti-Policy-Secure-IPS-Multiple-CVEs

CVE-2024-11634 - Ivanti Connect Secure and Ivanti Policy Secure versions before 22.7R2.3 and 22.7R1.2 allow remote attackers with admin privileges to execute code remotely.

Product: Ivanti Connect Secure and Policy Secure

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11634

NVD References: https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Connect-Secure-ICS-and-Ivanti-Policy-Secure-IPS-Multiple-CVEs

CVE-2024-55636, CVE-2024-55637, CVE-2024-55638 - Drupal Core is vulnerable to object injection through deserialization of untrusted data, impacting versions 8.0.0 to 10.2.11, 10.3.0 to 10.3.9, and 11.0.0 to 11.0.8.

Product: Drupal Core

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55636

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55637

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55638

NVD References:

- https://www.drupal.org/sa-core-2024-006

- https://www.drupal.org/sa-core-2024-007

- https://www.drupal.org/sa-core-2024-008

CVE-2024-53552 - CrushFTP 10 before 10.8.3 and 11 before 11.2.3 mishandles password reset, leading to account takeover.

Product: CrushFTP

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53552

NVD References: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update

CVE-2024-11986 - CrushFTP is vulnerable to stored XSS through improper input handling in the Host Header, allowing an attacker to execute malicious payloads in web application logs via an administrator viewing functionality.

Product: CrushFTP

CVSS Score: 9.6 AtRiskScore 30

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11986

NVD References: https://crushftp.com/crush11wiki/Wiki.jsp?page=Update

CVE-2024-45493 - MSA Safety FieldServer Gateways and Embedded Modules with build revisions before 7.0.0 have a vulnerability that allows attackers to bypass login restrictions and authenticate with internal user accounts from the network.

Product: MSA Safety FieldServer Gateways

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45493

NVD References:

- https://us.msasafety.com/fieldserver

- https://us.msasafety.com/security-notices

CVE-2024-45494 - MSA Safety FieldServer Gateways and Embedded Modules with build revisions before 7.0.0 have an insecure shared administrative user account with a static, unsafe shared secret.

Product: MSA Safety FieldServer Gateways

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45494

NVD References:

- https://us.msasafety.com/fieldserver

- https://us.msasafety.com/security-notices

CVE-2024-55586 - Nette Database through 3.2.4 is vulnerable to SQL injection through an untrusted filter passed directly to the where method.

Product: Nette Database

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55586

NVD References:

- https://github.com/CSIRTTrizna/CVE-2024-55586

- https://github.com/nette/database/releases

- https://www.csirt.sk/nette-framework-vulnerability-permits-sql-injection.html

CVE-2024-5660 - Travis hardware vulnerability may allow bypass of Stage-2 translation and/or GPT protection.

Product: Armv8 Arm processors

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5660

NVD References: https://developer.arm.com/Arm%20Security%20Center/Arm%20CPU%20Vulnerability%20CVE-2024-5660

CVE-2024-54751 - COMFAST CF-WR630AX v2.7.0.2 has a hardcoded password vulnerability in /etc/shadow, enabling root access for attackers.

Product: COMFAST CF-WR630AX

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54751

NVD References: https://colorful-meadow-5b9.notion.site/CF-WR630AX_HardCode_vuln-14bc216a1c3080968161ce15e35fa652?pvs=4

CVE-2024-12286 - MOBATIME Network Master Clock - DTS 4801 allows attackers to use SSH to gain initial access using default credentials.

Product: MOBATIME Network Master Clock - DTS 4801

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12286

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-01

CVE-2024-46442 - An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to bypass authentication via a bruteforce attack.

Product: BYD Dilink Headunit System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46442

NVD References:

- http://byd.com

- https://github.com/zgsnj123/BYD_headunit_vuls/tree/main

- https://www.bydauto.com.cn/

CVE-2024-11737 - Schneider Electric Modicon Controllers are vulnerable to a denial of service and loss of confidentiality and integrity due to an Improper Input Validation vulnerability when an unauthenticated crafted Modbus packet is received.

Product: Schneider Electric Modicon Controllers M241 / M251 / M258 and Modicon Controllers LMC058 products.

The Modicon M241/M251/M258/LMC058 products are Programmable Logic Controllers

CVSS Score: 9.8 AtRiskScore 30

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11737

NVD References: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-345-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-345-03.pdf

CVE-2024-11948 - GFI Archiver is vulnerable to remote code execution through a flaw in the product installer, allowing attackers to execute code without authentication.

Product: GFI Archiver

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11948

NVD References: https://www.zerodayinitiative.com/advisories/ZDI-24-1671/

CVE-2024-45337 - Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

Product: Golang Cryptography Library

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45337

NVD References:

- https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909

- https://go.dev/cl/635315

- https://go.dev/issue/70779

- https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ

- https://pkg.go.dev/vuln/GO-2024-3321

- http://www.openwall.com/lists/oss-security/2024/12/11/2

CVE-2024-49112 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Product: Microsoft Windows Lightweight Directory Access Protocol (LDAP)

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49112

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49112

CVE-2024-55884 - Mullvad VPN client is vulnerable to heap-based out-of-bounds writes in exception-handling, which can lead to code execution.

Product: Mullvad VPN client

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55884

NVD References:

- https://github.com/mullvad/mullvadvpn-app/commit/ef6c862071b26023802b00d6e1dc6ca53d1ab3e6

- https://news.ycombinator.com/item?id=42390768

- https://x41-dsec.de/news/2024/12/11/mullvad/

CVE-2024-44241, CVE-2024-44242, CVE-2024-44299 - iOS and iPadOS versions 18.0 and earlier may allow attackers to execute arbitrary code or cause unexpected system termination in DCP firmware due to inadequate bounds checks.

Product: Apple iOS and iPadOS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44241

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44242

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44299

NVD References: https://support.apple.com/en-us/121563

CVE-2024-54465 - macOS Sequoia 15.2 has an unresolved logic issue in state management that could potentially allow an app to elevate privileges.

Product: Apple macOS Sequoia

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54465

NVD References: https://support.apple.com/en-us/121839

CVE-2024-54492 - macOS Sequoia 15.2, iOS 18.2, iPadOS 18.2, iPadOS 17.7.3, and visionOS 2.2 are vulnerable to network traffic manipulation by attackers on privileged networks, mitigated by implementing HTTPS.

Product: Apple macOS Sequoia

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54492

NVD References:

- https://support.apple.com/en-us/121837

- https://support.apple.com/en-us/121838

- https://support.apple.com/en-us/121839

- https://support.apple.com/en-us/121845

CVE-2024-54506 - macOS Sequoia 15.2 is vulnerable to an out-of-bounds access issue that could allow an attacker to execute arbitrary code in DCP firmware.

Product: Apple macOS Sequoia

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54506

NVD References: https://support.apple.com/en-us/121839

CVE-2024-54534 - watchOS, visionOS, tvOS, macOS Sequoia, Safari, iOS, and iPadOS versions prior to 11.2, 2.2, 18.2, 15.2, 18.2, 18.2, and 18.2, respectively, are vulnerable to memory corruption via malicious web content.

Product: Apple Safari

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54534

NVD References:

- https://support.apple.com/en-us/121837

- https://support.apple.com/en-us/121839

- https://support.apple.com/en-us/121843

- https://support.apple.com/en-us/121844

- https://support.apple.com/en-us/121845

- https://support.apple.com/en-us/121846

CVE-2024-21574 - Customnode fails to validate the pip field in POST requests to /customnode/install, allowing attackers to execute remote code on the server.

Product: Node-RED Custom Nodes

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21574

NVD References:

- https://github.com/ltdrdata/ComfyUI-Manager/blob/ffc095a3e5acc1c404773a0510e6d055a6a72b0e/glob/manager_server.py#L798

- https://github.com/ltdrdata/ComfyUI-Manager/commit/ffc095a3e5acc1c404773a0510e6d055a6a72b0e

CVE-2024-53480 - PHPGurukul's Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in `login.php` via the `emailcont` parameter.

Product: PHPGurukul Beauty Parlour Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53480

NVD References:

- http://phpgurukul.com

- https://github.com/sbksibi/CVEs/blob/main/CVE-2024-53480.md

CVE-2024-54842 - A SQL injection vulnerability was found in PHPGurukul Online Nurse Hiring System v1.0 in /admin/password-recovery.php via the mobileno parameter.

Product: PHPGurukul Online Nurse Hiring System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54842

NVD References: https://github.com/achchhelalchauhan/phpgurukul/blob/main/SQL%20injection%20ONHP-forgetpass-mobileno.pdf

CVE-2024-55099 - PHPGurukul Online Nurse Hiring System v1.0 is vulnerable to SQL Injection in /admin/index.php, enabling remote attackers to execute unauthorized database commands.

Product: PHPGurukul Online Nurse Hiring System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55099

NVD References:

- https://github.com/achchhelalchauhan/phpgurukul/blob/main/SQL%20injection%20ONHP-username.pdf

- https://github.com/kuzgunaka/CVE-2024-55099-Online-Nurse-Hiring-System-v1.0-SQL-Injection-Vulnerability-

CVE-2024-54810 - PHPGurukul Pre-School Enrollment System Project v1.0 is vulnerable to a SQL Injection in password-recovery.php, allowing remote attackers to run code via the mobileno parameter.

Product: PHPGurukul Pre-School Enrollment System Project

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54810

NVD References:

- https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Pre-School%20Enrollment/SQL%20Injection%20pre-school%20pa.pdf

- https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Pre-School%20Enrollment/SQL%20Injection%20pre-school%20pa.pdf

CVE-2024-54811 - PHPGurukul Park Ticketing Management System v1.0 is vulnerable to SQL injection via the "login" parameter, allowing attackers to execute arbitrary SQL commands.

Product: PHPGurukul Park Ticketing Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54811

NVD References:

- https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Park%20ticket/report%20sql.pdf

- https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Park%20ticket/report%20sql.pdf

CVE-2024-49147 - Deserialization of untrusted data in Microsoft Update Catalog allows an unauthorized attacker to elevate privileges on the website’s webserver.

Product: Microsoft Update Catalog

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49147

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49147

CVE-2024-55662 - XWiki Platform allows for code execution by any user on servers with Extension Repository Application installed prior to version 15.10.9 and 16.3.0.

Product: XWiki Extension Repository Application

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55662

NVD References:

- https://github.com/xwiki/xwiki-platform/commit/8659f17d500522bf33595e402391592a35a162e8

- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j2pq-22jj-4pm5

- https://jira.xwiki.org/browse/XWIKI-21890

- https://jira.xwiki.org/browse/XWIKI-21890

CVE-2024-55877 - XWiki Platform allows arbitrary remote code execution prior to versions 15.10.11, 16.4.1, and 16.5.0, compromising the confidentiality, integrity, and availability of the installation.

Product: XWiki Platform

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55877

NVD References:

- https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3

- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2r87-74cx-2p7c

- https://jira.xwiki.org/browse/XWIKI-22030

- https://jira.xwiki.org/browse/XWIKI-22030

CVE-2024-55879 - XWiki Platform allows arbitrary remote code execution through instances of `XWiki.ConfigurableClass`, compromising confidentiality, integrity, and availability until version 15.10.9 and 16.3.0.

Product: XWiki Platform

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55879

NVD References:

- https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d

- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r279-47wg-chpr

- https://jira.xwiki.org/browse/XWIKI-21207

- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wh34-m772-5398

CVE-2024-21576 - ComfyUI-Bmad-Nodes is vulnerable to Code Injection due to a validation bypass in three custom nodes, allowing for the execution of arbitrary code on the server.

Product: ComfyUI Bmad-Nodes

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21576

NVD References: https://github.com/bmad4ever/comfyui_bmad_nodes/blob/392af9490cbadf32a1fe92ff820ebabe88c51ee8/cv_nodes.py#L1814

CVE-2024-21577 - ComfyUI-Ace-Nodes is vulnerable to code injection through ACE_ExpressionEval node allowing arbitrary code execution on the server.

Product: ComfyUI Ace Nodes

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21577

NVD References: https://github.com/hay86/ComfyUI_AceNodes/blob/5ba01db8a3b7afb8e4aecfaa48823ddeb132bbbb/nodes.py#L1193

CVE-2024-55875 - http4k is vulnerable to XXE (XML External Entity Injection) attacks prior to version 5.41.0.0, allowing attackers to read sensitive information, trigger SSRF, and potentially execute code.

Product: http4k

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55875

NVD References:

- https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46

- https://github.com/http4k/http4k/commit/35297adc6d6aca4951d50d8cdf17ff87a8b19fbc

- https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw

- https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw

CVE-2024-11834 - PlexTrac is vulnerable to arbitrary file writes due to an Improper Limitation of a Pathname to a Restricted Directory issue.

Product: PlexTrac

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11834

NVD References: https://docs.plextrac.com/plextrac-documentation/master/security-advisories#release-2.11.0

CVE-2023-29476 - Menlo On-Premise Appliance before 2.88 is vulnerable to inconsistent application of web policy to intentionally malformed client requests, fixed in versions 2.88.2+, 2.89.1+, and 2.90.1+.

Product: Menlo On-Premise Appliance

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-29476

NVD References: https://www.menlosecurity.com/published-security-vulnerabilities

CVE-2024-55969 - DocIO in Syncfusion Essential Studio for ASP.NET MVC before version 27.1.55 is vulnerable to an XMLException when resaving a DOCX document with an external reference XML, also known as I640714.

Product: Syncfusion Essential Studio for ASP.NET MVC

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55969

NVD References: https://ej2.syncfusion.com/aspnetmvc/documentation/release-notes/27.1.55?type=all

CVE-2024-12641 - TenderDocTransfer from Chunghwa Telecom is vulnerable to reflected cross-site scripting due to lack of CSRF protection, allowing remote attackers to execute arbitrary JavaScript code in the user’s browser and potentially run OS commands through Node.js features.

Product: Chunghwa Telecom TenderDocTransfer

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12641

NVD References:

- https://www.twcert.org.tw/en/cp-139-8299-42168-2.html

- https://www.twcert.org.tw/tw/cp-132-8292-4fd98-1.html

CVE-2024-49775 - Opcenter Execution Foundation, Opcenter Intelligence, Opcenter Quality, Opcenter RDL, SIMATIC PCS neo, SINEC NMS, and Totally Integrated Automation Portal are vulnerable to a heap-based buffer overflow allowing remote attackers to execute arbitrary code.

Product: Siemens SINEC NMS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49775

NVD References: https://cert-portal.siemens.com/productcert/html/ssa-928984.html

CVE-2024-55557 - ui/pref/ProxyPrefView.java in weasis-core in Weasis 4.5.1 has a hardcoded key for symmetric encryption of proxy credentials.

Product: Weasis

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55557

NVD References:

- https://apps.microsoft.com/detail/9nhtv46lg4nh?hl=en-us&gl=US

- https://github.com/nroduit/Weasis/releases/tag/v4.5.1

- https://github.com/partywavesec/CVE-2024-55557

- https://www.partywave.site/show/research/CVE-2024-55557%20-%20Weasis%204.5.1

CVE-2024-29671 - NEXTU FLATA AX1500 Router v.1.0.2 is vulnerable to a buffer overflow that allows remote attackers to execute arbitrary code through the POST request handler component.

Product: NEXTU FLATA AX1500 Router

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-29671

NVD References:

- https://ez-net.co.kr/new_2012/customer/download_view.php?cid=&sid=&goods=&cate=&q=Ax1500&seq=228

- https://gist.github.com/laskdjlaskdj12/4afc8b5d75640bd28eaf32de3ceda48a

- https://github.com/laskdjlaskdj12/CVE-2024-29671-POC

CVE-2024-52949 - iptraf-ng 1.2.1 has a stack-based buffer overflow.

Product: iptraf-ng 1.2.1

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52949

NVD References:

- https://github.com/iptraf-ng/iptraf-ng/releases/tag/v1.2.1

- https://www.gruppotim.it/it/footer/red-team.html

- https://www.gruppotim.it/it/footer/red-team.html

CVE-2024-55085 - GetSimple CMS CE 3.3.19 allows attackers to execute arbitrary code via the template editing function in the background management system.

Product: GetSimple CMS CE

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55085

NVD References:

- https://getsimple-ce.ovh/

- https://tasteful-stamp-da4.notion.site/CVE-2024-55085-15b1e0f227cb80a5aee6faeb820bf7e6

CVE-2024-10205 - Hitachi Ops Center Analyzer and Hitachi Infrastructure Analytics Advisor on Linux, 64 bit are vulnerable to an authentication bypass issue from version 10.0.0-00 through 4.4.0-00.

Product: Hitachi Ops Center Analyzer

CVSS Score: 9.4

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10205

NVD References: https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-151/index.html

CVE-2024-12356 - All BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) versions contain a command injection vulnerability which can be exploited through a malicious client request.

Product: BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS)

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12356

NVD References:

- https://nvd.nist.gov/vuln/detail/CVE-2024-12356

- https://www.beyondtrust.com/trust-center/security-advisories/bt24-10

- https://www.cve.org/CVERecord?id=CVE-2024-12356

CVE-2024-8972 - Mobil365 Informatics Saha365 App is vulnerable to SQL Injection before 30.09.2024.

Product: Mobil365 Informatics Saha365 App

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8972

NVD References: https://www.usom.gov.tr/bildirim/tr-24-1890

CVE-2024-11015 - The Sign In With Google plugin for WordPress is vulnerable to authentication bypass, allowing unauthenticated attackers to log in as the first user who signed in using Google OAuth.

Product: Sign In With Google plugin

Active Installations: This plugin has been closed as of December 10, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11015

NVD References:

- https://plugins.trac.wordpress.org/browser/sign-in-with-google/trunk/src/admin/class-sign-in-with-google-admin.php#L525

- https://www.wordfence.com/threat-intel/vulnerabilities/id/afe894b0-5e91-4aa2-bbd1-1f74274701cf?source=cve

CVE-2024-10124 - The Vayu Blocks plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation, enabling unauthenticated attackers to achieve remote code execution.

Product: Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce

Active Installations: 1,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10124

NVD References:

- https://plugins.trac.wordpress.org/browser/vayu-blocks/trunk/inc/vayu-sites/app.php#L28

- https://plugins.trac.wordpress.org/browser/vayu-blocks/trunk/inc/vayu-sites/app.php#L46

- https://plugins.trac.wordpress.org/browser/vayu-blocks/trunk/inc/vayu-sites/core/class-installation.php#L29

- https://plugins.trac.wordpress.org/changeset/3173408/

- https://plugins.trac.wordpress.org/changeset/3203532/vayu-blocks/tags/1.2.0/inc/vayu-sites/app.php

- https://www.wordfence.com/threat-intel/vulnerabilities/id/81e7ab80-7df2-4ef4-80ee-a11d057151c4?source=cve

CVE-2024-9290 - The Super Backup & Clone - Migrate for WordPress plugin is vulnerable to arbitrary file uploads, allowing unauthenticated attackers to upload files and potentially execute remote code.

Product: Super Backup & Clone - Migrate for WordPress

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9290

NVD References:

- https://codecanyon.net/item/super-backup-clone-migrate-for-wordpress/12943030

- https://www.wordfence.com/threat-intel/vulnerabilities/id/7c31d9b3-38b1-49a1-b361-ffe97e02bff0?source=cve

CVE-2022-46838 - JS Help Desk – Best Help Desk & Support Plugin is vulnerable to missing authorization, allowing for exploitation of incorrectly configured access control security levels.

Product: JS Help Desk – Best Help Desk & Support Plugin

Active Installations: 5,000+

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46838

NVD References: https://patchstack.com/database/wordpress/plugin/js-support-ticket/vulnerability/wordpress-js-help-desk-plugin-2-7-1-unauthenticated-settings-change-vulnerability?_s_id=cve

CVE-2024-54239 - Missing Authorization vulnerability in dugudlabs Eyewear prescription form allows Privilege Escalation.This issue affects Eyewear prescription form: from n/a through 4.0.18.

Product: dugudlabs Eyewear prescription form

Active Installations: This extension has been closed as of December 6, 2024 and is not available for download. The closure is temporary, pending a full review.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54239

NVD References: https://patchstack.com/database/wordpress/plugin/eyewear-prescription-form/vulnerability/wordpress-eyewear-prescription-form-plugin-4-0-18-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve

CVE-2024-54296 - CoSchool LMS by Codexpert, Inc is vulnerable to Authentication Bypass via an Alternate Path or Channel from version n/a through 1.2.

Product: Codexpert Inc, CoSchool LMS

Active Installations: This plugin has been closed as of November 8, 2024, and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54296

NVD References: https://patchstack.com/database/wordpress/plugin/coschool/vulnerability/wordpress-coschool-lms-plugin-1-2-account-takeover-vulnerability?_s_id=cve

CVE-2024-54297 - vBSSO-lite allows Authentication Bypass via an alternate path or channel in www.vbsso.com versions n/a through 1.4.3.

Product: vBSSO-lite

Active Installations: 6,000+

CVSS Score: 9.8 AtRiskScore 30

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54297

NVD References: https://patchstack.com/database/wordpress/plugin/vbsso-lite/vulnerability/wordpress-vbsso-lite-plugin-1-4-3-account-takeover-vulnerability?_s_id=cve

CVE-2024-54361 - Instant Appointment suffers from an SQL Injection vulnerability in versions n/a through 1.2, allowing for improper neutralization of special elements in SQL commands.

Product: outstrip Instant Appointment

Active Installations: This plugin has been closed as of November 5, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54361

NVD References: https://patchstack.com/database/wordpress/plugin/instant-appointment/vulnerability/wordpress-instant-appointment-plugin-1-2-sql-injection-vulnerability?_s_id=cve

CVE-2024-54363 - Wp NssUser Register is vulnerable to Incorrect Privilege Assignment, allowing Privilege Escalation in versions from n/a through 1.0.0.

Product: nssTheme Wp NssUser Register

Active Installations: unknown

CVSS Score: 9.8 AtRiskScore 30

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54363

NVD References: https://patchstack.com/database/wordpress/plugin/wp-nssuser-register/vulnerability/wordpress-wp-nssuser-register-plugin-1-0-0-privilege-escalation-vulnerability?_s_id=cve

CVE-2024-54367 - Deserialization of Untrusted Data vulnerability in ForumWP ForumWP allows Object Injection.This issue affects ForumWP: from n/a through 2.1.0.

Product: ForumWP

Active Installations: 1,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54367

NVD References: https://patchstack.com/database/wordpress/plugin/forumwp/vulnerability/wordpress-forumwp-plugin-2-1-0-php-object-injection-vulnerability?_s_id=cve

CVE-2024-54369 - Zita Site Builder versions from n/a through 1.0.2 are vulnerable to Missing Authorization, allowing unauthorized access to functionalities not restricted by ACLs.

Product: ThemeHunk Zita Site Builder

Active Installations: This plugin has been closed as of November 6, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54369

NVD References: https://patchstack.com/database/wordpress/plugin/ai-site-builder/vulnerability/wordpress-zita-site-builder-plugin-1-0-2-arbitrary-plugin-installation-and-activation-vulnerability?_s_id=cve

CVE-2024-54372 - Cross-Site Request Forgery (CSRF) vulnerability in Sourov Amin Insertify allows Code Injection.This issue affects Insertify: from n/a through 1.1.4.

Product: Sourov Amin Insertify

Active Installations: This plugin has been closed as of October 21, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54372

NVD References: https://patchstack.com/database/wordpress/plugin/insertify/vulnerability/wordpress-insertify-plugin-1-1-4-csrf-to-remote-code-execution-vulnerability?_s_id=cve

CVE-2024-55976 - Mike Leembruggen Critical Site Intel is vulnerable to SQL Injection, allowing attackers to manipulate SQL commands from version n/a through 1.0.

Product: Mike Leembruggen Critical Site Intel

Active Installations: unknown

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55976

NVD References: https://patchstack.com/database/wordpress/plugin/critical-site-intel-stats/vulnerability/wordpress-critical-site-intel-plugin-1-0-sql-injection-vulnerability?_s_id=cve

CVE-2024-55977 - LaunchPage.app Importer allows SQL Injection from n/a through 1.1.

Product: LaunchPage.app Importer

Active Installations: unknown

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55977

NVD References: https://patchstack.com/database/wordpress/plugin/launchpage-app-importer/vulnerability/wordpress-launchpage-app-importer-plugin-1-1-sql-injection-vulnerability?_s_id=cve

CVE-2024-55981 - Nabz Image Gallery is vulnerable to SQL Injection from n/a through v1.00.

Product: Nabajit Roy Nabz Image Gallery

Active Installations: This plugin has been closed as of October 30, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55981

NVD References: https://patchstack.com/database/wordpress/plugin/nabz-image-gallery/vulnerability/wordpress-nabz-image-gallery-plugin-v1-00-sql-injection-vulnerability?_s_id=cve

CVE-2024-55982 - Share Buttons – Social Media allows Blind SQL Injection from n/a through 1.0.2.

Product: richteam Share Buttons – Social Media

Active Installations: unknown

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55982

NVD References: https://patchstack.com/database/wordpress/plugin/rich-web-share-button/vulnerability/wordpress-share-buttons-social-media-plugin-1-0-2-sql-injection-vulnerability-2?_s_id=cve

CVE-2024-55988 - Navayan CSV Export is vulnerable to Blind SQL Injection due to improper neutralization of special elements in an SQL command, affecting versions from n/a through 1.0.9.

Product: Amol Nirmala Waman Navayan CSV Export

Active Installations: This plugin has been closed as of December 5, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55988

NVD References: https://patchstack.com/database/wordpress/plugin/navayan-csv-export/vulnerability/wordpress-navayan-csv-export-plugin-1-0-9-sql-injection-vulnerability?_s_id=cve

CVE-2024-56012 - Pearlbells Flash News / Post (Responsive) is vulnerable to CSRF allowing Privilege Escalation from versions n/a through 4.1.

Product: Pearlbells Flash News / Post

Active Installations: This plugin has been closed as of October 15, 2024 and is not available for download. Reason: Security Issue.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56012

NVD References: https://patchstack.com/database/wordpress/plugin/flashnews-fading-effect-pearlbells/vulnerability/wordpress-flash-news-post-responsive-plugin-4-1-csrf-to-privilege-escalation-vulnerability?_s_id=cve

CVE-2024-43234 - Woffice is vulnerable to authentication bypass via an alternate path or channel, impacting versions from n/a through 5.4.14.

Product: Envato Woffice

Active Installations: unknown

CVSS Score: 9.8 AtRiskScore 30

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43234

NVD References: https://patchstack.com/database/wordpress/theme/woffice/vulnerability/wordpress-woffice-theme-5-4-14-unauthenticated-account-takeover-vulnerability?_s_id=cve

CVE-2024-54229 - Incorrect Privilege Assignment vulnerability in Straightvisions GmbH SV100 Companion allows Privilege Escalation.This issue affects SV100 Companion: from n/a through 2.0.02.

Product: Straightvisions GmbH SV100 Companion

Active Installations: This plugin has been closed as of December 5, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54229

NVD References: https://patchstack.com/database/wordpress/plugin/sv100-companion/vulnerability/wordpress-sv100-companion-plugin-2-0-02-privilege-escalation-vulnerability?_s_id=cve

CVE-2024-54280 - WPBookit is vulnerable to SQL Injection due to improper neutralization of special elements in SQL commands, impacting versions from n/a through 1.6.0.

Product: Iqonic Design WPBookit

Active Installations: unknown

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54280

NVD References: https://patchstack.com/database/wordpress/plugin/wpbookit/vulnerability/wordpress-wpbookit-plugin-1-6-0-sql-injection-vulnerability?_s_id=cve

CVE-2024-54285 - SeedProd Pro is vulnerable to unrestricted upload of files with dangerous types, allowing attackers to upload web shells to a web server.

Product: SeedProd LLC SeedProd Pro

Active Installations: 800,000+

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54285

NVD References: https://patchstack.com/database/wordpress/plugin/seedprod-coming-soon-pro-5/vulnerability/wordpress-seedprod-pro-plugin-6-18-10-remote-code-execution-rce-vulnerability?_s_id=cve