Here are the CVE updates for the week of December 2nd through the 8th.
Critical Severity Vulnerabilities
Unrestricted Upload of File with Dangerous Type in Stefan Bohacek Fediverse Embeds | CVE-2024-52476
Description: CVE-2024-52476 is a vulnerability in the Fediverse Embeds plugin by Stefan Bohacek, affecting versions up to 1.5.3. The plugin does not restrict the types of files that can be uploaded, so an attacker can place a file of a dangerous type, such as a web shell, on the web server. If that file is then executed, the server can be compromised and the attacker can potentially take control of the web application.
Potential Impacts:
- Remote Code Execution (RCE): Attackers can upload a web shell or other malicious scripts, which can be executed remotely on the server.
- Server Compromise: If exploited, the attacker could gain control over the server, allowing them to manipulate files, steal data, or disrupt server operations.
- Data Breach: Malicious files uploaded via this vulnerability could be used to access sensitive data stored on the server.
- Further Exploitation: This vulnerability can serve as an entry point for additional attacks, including lateral movement within the network or escalation of privileges.
Mitigation Recommendations:
- Update the Plugin: Ensure that the latest version of Fediverse Embeds is installed to address the vulnerability.
- Limit File Uploads: Restrict file types that can be uploaded to only trusted file formats, and implement additional checks for file contents.
- Apply Web Application Firewalls (WAF): Use a WAF to filter and block malicious file uploads before they reach the server.
- Monitor File Uploads: Regularly monitor and audit files uploaded to the server for any unusual activity or suspicious files.
- Enhance Server Security: Implement strict access controls, sandboxing, and server configuration hardening to limit the impact of any potential exploit.
Improper Authentication Vulnerability in ProjectSend | CVE-2024-11680
Description: ProjectSend versions prior to r1720 are vulnerable to an improper authentication flaw. This issue can be exploited by remote, unauthenticated attackers via crafted HTTP requests to the options.php file. Exploitation allows attackers to bypass authentication and manipulate the application’s configuration.
Potential Impacts:
- Unauthorized Configuration Changes: Attackers can modify critical application settings, compromising the system’s integrity.
- Account Creation: Malicious actors can create unauthorized user accounts with elevated privileges.
- Code Execution: Attackers can upload webshells or embed malicious JavaScript to execute arbitrary code on the server.
Mitigation Recommendations:
- Upgrade Software: Update to ProjectSend version r1720 or later to address the vulnerability.
- Restrict Access: Limit access to the web interface to trusted IP addresses and secure environments.
- Monitor Activity: Regularly inspect logs for suspicious activity, such as unauthorized access or unexpected file uploads.
- Apply Web Application Firewall (WAF): Implement a WAF to block malicious HTTP requests targeting vulnerable endpoints.
CyberPanel Incorrect Default Permissions Vulnerability | CVE-2023-45727
Description: CyberPanel, up to and including version 2.3.6 and the unpatched 2.3.7, is vulnerable to command injection through the getresetstatus function in dns/views.py and ftp/views.py. Two defects combine: secMiddleware only screens POST requests, so a GET request reaches the function without authentication, and shell metacharacters in the statusfile property are not filtered, so they can be used to inject commands. Together they allow a remote, unauthenticated attacker to bypass authentication and execute arbitrary commands. This vulnerability was actively exploited in the wild in October 2024, in attacks attributed to PSAUX.
Potential Impacts:
- Arbitrary Command Execution: Attackers can execute system commands with the privileges of the application, potentially gaining control over the server.
- Data Compromise: Unauthorized access may lead to the exposure or tampering of sensitive data.
- Service Disruption: Exploitation could result in service crashes or denial-of-service (DoS) conditions.
- Privilege Escalation: Attackers may use this vulnerability as a stepping stone to elevate their privileges further.
Mitigation Recommendations:
- Update CyberPanel: Upgrade to a patched version beyond 2.3.7 as soon as it becomes available.
- Restrict Access: Limit access to the vulnerable endpoints (/dns/getresetstatus and /ftp/getresetstatus) through firewall rules or application-layer restrictions.
- Input Sanitization: Ensure proper validation and sanitization of user inputs to prevent the use of shell metacharacters.
- Apply Middleware Controls: Enforce security middleware for all HTTP methods, not just POST requests, to provide comprehensive request filtering.
- Monitor for Exploits: Watch logs for unusual activity targeting the vulnerable endpoints and respond promptly to any suspicious behavior.
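The two middleware recommendations above (screen every HTTP method, reject shell metacharacters) and the monitoring one can be illustrated together. The following is an added example written for this roundup, not CyberPanel's code: a hypothetical request-screening middleware in its method-limited and method-agnostic forms, plus a scan of constructed access-log lines for requests to the two endpoints named above whose query string carries shell metacharacters.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import unquote

# Characters that must never reach code that builds a shell command.
# Constructed for this example; not CyberPanel's own filter.
SHELL_META = re.compile(r"[;&|`$<>\n]")
VULN_ENDPOINTS = ("/dns/getresetstatus", "/ftp/getresetstatus")

@dataclass
class Request:
    """Minimal stand-in for a web framework's request object (hypothetical)."""
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)

def weak_middleware(req: Request) -> bool:
    """Models the flaw class described above: only POST parameters are
    screened, so the same value in a GET query string is never inspected.
    Returns True when the request is allowed to reach the view."""
    if req.method != "POST":
        return True
    return not any(SHELL_META.search(v) for v in req.params.values())

def fixed_middleware(req: Request) -> bool:
    """Screens parameters for every HTTP method, as the mitigation recommends."""
    return not any(SHELL_META.search(v) for v in req.params.values())

# Constructed access-log lines (common log format) for the monitoring check.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2024:10:00:01 +0000] "GET /dns/getresetstatus?statusfile=/tmp/x HTTP/1.1" 200 51',
    '10.0.0.9 - - [01/Oct/2024:10:00:07 +0000] "GET /dns/getresetstatus?statusfile=a%3Bb HTTP/1.1" 200 3180',
    '10.0.0.9 - - [01/Oct/2024:10:00:09 +0000] "GET /ftp/getresetstatus?statusfile=a%7Cb HTTP/1.1" 200 3180',
    '10.0.0.5 - - [01/Oct/2024:10:00:11 +0000] "POST /api/login HTTP/1.1" 200 512',
]
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?(?P<qs>[^ "]*))? HTTP/')

def suspicious_log_lines(lines: List[str]) -> List[str]:
    """Return lines that hit the vulnerable endpoints with a query string
    containing shell metacharacters (checked after percent-decoding)."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("path") not in VULN_ENDPOINTS:
            continue
        if SHELL_META.search(unquote(m.group("qs") or "")):
            hits.append(line)
    return hits
```

Percent-decoding before matching matters: `%3B` and `%7C` are the encoded forms of `;` and `|`, and a check on the raw query string would miss them.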
High Severity Vulnerabilities
XML External Entity (XXE) Vulnerability in Proself Editions | CVE-2023-45727: Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier are vulnerable to XML External Entity (XXE) attacks. This issue arises when the system processes specially crafted requests containing malformed XML data. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary files on the server, potentially exposing sensitive information such as account details.
Zyxel Multiple Firewalls Path Traversal Vulnerability | CVE-2024-11667: A directory traversal vulnerability exists in the web management interface of the following Zyxel devices and firmware versions:
- ATP Series: Versions V5.00 through V5.38
- USG FLEX Series: Versions V5.00 through V5.38
- USG FLEX 50(W) Series: Versions V5.10 through V5.38
- USG20(W)-VPN Series: Versions V5.10 through V5.38
This vulnerability allows attackers to upload or download arbitrary files via a crafted URL, exploiting improper path validation in the web management interface.
Denial of Service (DoS) Vulnerability in python-multipart | CVE-2024-53981: python-multipart, a streaming multipart parser for Python, is vulnerable to a denial of service when parsing form data. The parser skips line breaks (CR/LF) that appear before the first boundary and after the last boundary one byte at a time, emitting a log event for each byte skipped. An attacker who sends a request with a large amount of such data before or after the expected boundaries can therefore trigger excessive logging and CPU usage.
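To make the cost model concrete, here is an added example (not python-multipart's own code) that contrasts a per-byte preamble skip that logs on every byte with a hardened skip that consumes the whole CR/LF run at once and logs a single summary; the same reasoning applies to the epilogue after the last boundary. The multipart body is constructed inline.

```python
import logging
from typing import Callable

log = logging.getLogger("multipart-demo")

class CountingHandler(logging.Handler):
    """Counts emitted records instead of writing them, so the logging cost
    of a given input can be measured."""
    def __init__(self) -> None:
        super().__init__()
        self.count = 0
    def emit(self, record: logging.LogRecord) -> None:
        self.count += 1

def skip_preamble_per_byte(data: bytes) -> int:
    """Models the vulnerable behaviour: every CR or LF before the first
    boundary is consumed in its own step, and every step logs.
    Returns the offset of the first non-CR/LF byte."""
    i = 0
    while i < len(data) and data[i] in (0x0D, 0x0A):
        log.debug("Skipping byte 0x%02x at offset %d", data[i], i)
        i += 1
    return i

def skip_preamble_bulk(data: bytes) -> int:
    """Hardened form (a model of the fix, not the library's own code):
    consume the whole CR/LF run in one step and log once with the count,
    so the work per input byte no longer includes a log record."""
    i = len(data) - len(data.lstrip(b"\r\n"))
    if i:
        log.debug("Skipped %d CR/LF bytes before the first boundary", i)
    return i

def log_events_for(skip: Callable[[bytes], int], padding_lines: int) -> int:
    """Run `skip` on a constructed body with `padding_lines` CRLF pairs in
    front of a boundary line and return how many log records it emitted."""
    body = b"\r\n" * padding_lines + b"--boundary\r\nContent-Disposition: form-data\r\n"
    handler = CountingHandler()
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    try:
        skip(body)
    finally:
        log.removeHandler(handler)
    return handler.count

if __name__ == "__main__":
    # Same 1,000-line padding, two very different logging costs.
    print("per-byte:", log_events_for(skip_preamble_per_byte, 1000))  # 2000
    print("bulk:    ", log_events_for(skip_preamble_bulk, 1000))      # 1
```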
Impersonation Vulnerability in Snap One OVRC Cloud | CVE-2024-50380: CVE-2024-50380 affects Snap One OVRC Cloud, which uses MAC addresses as device identifiers. Because the system does not adequately validate or protect the MAC address a client presents, an attacker can supply enumerated MAC addresses belonging to other devices, impersonate a legitimate device, and access sensitive information about it. Such impersonation could lead to unauthorized access to data or control of devices in the system.
Arbitrary file download in Zoo-Project Echo Example | CVE-2024-53982: Zoo-Project, a C-based Web Processing Service (WPS) implementation, contains a path traversal vulnerability in its Echo example. The Echo example, which is installed by default, implements file caching that can be controlled by user-input parameters. These parameters are not properly validated, allowing an attacker to manipulate the file returned in the response.
Medium Severity Vulnerabilities
Insecure Bootloader in Cisco NX-OS Software | CVE-2024-20397: Cisco NX-OS Software has a vulnerability in its bootloader due to insecure settings, which allows attackers to bypass the image signature verification. This can be exploited by local attackers with administrative access or unauthenticated attackers with physical access. They can load unverified software by executing specific bootloader commands.
XSS in Tungsten Automation TotalAgility | CVE-2024-7874: A reflected cross-site scripting (XSS) vulnerability exists in Tungsten Automation (Kofax) TotalAgility versions through 7.9.0.25.0.954. This issue arises due to improper validation of the mfpConnectionId parameter in POST requests sent to the /TotalAgility/Kofax/BrowserDevice/ScanFront.aspx and /ScanFrontDebug.aspx endpoints. Attackers can inject malicious JavaScript, potentially leaking sensitive data. Exploitation requires crafting a POST request with a valid VIEWSTATE, which reduces but does not eliminate the attack risk.