Here are the CVE updates for the week of February 24th through March 2nd.
CRITICAL SEVERITY VULNERABILITIES
Adobe ColdFusion Deserialization Vulnerability | CVE-2017-3066 (CISA KEV)
Description: A Java deserialization vulnerability exists in the Apache BlazeDS library used in Adobe ColdFusion versions: ColdFusion 2016 Update 3 and earlier, ColdFusion 11 Update 11 and earlier, and ColdFusion 10 Update 22 and earlier. This vulnerability allows attackers to exploit unsafe deserialization of untrusted data, potentially leading to arbitrary code execution on affected systems.
Potential Impacts:
- Remote Code Execution (RCE): Attackers can execute arbitrary commands on the server.
- System Compromise: Unauthorized access to sensitive data and administrative privileges.
- Service Disruption: Attackers may manipulate or shut down ColdFusion services.
Mitigation Recommendations:
- Apply Security Patches: Update to the latest Adobe ColdFusion versions that include security fixes.
- Restrict Network Access: Limit access to ColdFusion services to trusted IPs.
- Disable Unnecessary Features: Remove or secure Apache BlazeDS if not needed.
- Monitor Server Logs: Detect and respond to suspicious activity related to deserialization attacks.
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability | CVE-2023-34192 (CISA KEV)
Description: A Cross-Site Scripting (XSS) vulnerability exists in Zimbra ZCS v.8.8.15, allowing a remote authenticated attacker to execute arbitrary JavaScript code by injecting a crafted script into the /h/autoSaveDraft function. This vulnerability can be exploited to execute malicious scripts in the victim’s browser, leading to session hijacking, credential theft, or unauthorized actions.
Potential Impacts:
- Session Hijacking: Attackers can steal session cookies and gain unauthorized access.
- Data Exposure: Sensitive user information may be accessed or modified.
- Privilege Escalation: Malicious scripts could manipulate user permissions or perform unauthorized actions.
- Phishing Attacks: Exploiting this vulnerability could facilitate social engineering attacks.
Mitigation Recommendations:
- Apply Security Patches: Upgrade to the latest Zimbra ZCS version with security fixes.
- Sanitize User Input: Ensure proper input validation and output encoding to prevent script injection.
- Restrict Access: Limit user privileges and enforce least privilege principles.
- Enable Content Security Policy (CSP): Reduce the risk of executing unauthorized scripts.
- Monitor Logs: Detect and respond to suspicious activities related to script injection.
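Input validation catches malformed data, but what stops a stored script from running is encoding the value for the exact place it is written into. The block below is an added example (not Zimbra's code, and not from any of the WordPress plugins in this digest) showing context-aware output encoding for a display name and a comment body in four contexts: HTML text, a URL query parameter, a JavaScript string inside a nonce-tagged inline script, and the matching Content Security Policy header. The hostile sample name, the HTML skeleton and the `/profile` URL are constructed for the example.

```python
"""Context-aware output encoding for untrusted fields (added example)."""
import html
import json
import secrets
import urllib.parse


def encode_html_text(value: str) -> str:
    """Encode for element content or a quoted attribute: < > & ' " become entities."""
    return html.escape(value, quote=True)


def encode_url_param(value: str) -> str:
    """Encode for a single query-string value; nothing is left unescaped."""
    return urllib.parse.quote(value, safe="")


def encode_js_string(value: str) -> str:
    """Encode as a JavaScript string literal (quotes included) for an inline script.

    json.dumps yields a valid JS literal; escaping < > & as \\uXXXX on top of
    that guarantees the value can never close the surrounding <script> element.
    """
    literal = json.dumps(value, ensure_ascii=True)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def new_script_nonce() -> str:
    """Per-response nonce so CSP can allow exactly the inline scripts we emit."""
    return secrets.token_urlsafe(16)


def content_security_policy(nonce: str) -> str:
    """CSP header value that blocks injected inline scripts without the nonce."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")


def render_comment(name: str, comment: str, nonce: str) -> str:
    """Render one stored comment with each field encoded for its own context."""
    return (
        f'<div class="comment" data-author="{encode_html_text(name)}">\n'
        f'  <a href="/profile?user={encode_url_param(name)}">{encode_html_text(name)}</a>\n'
        f'  <p>{encode_html_text(comment)}</p>\n'
        f'  <script nonce="{nonce}">window.lastAuthor = {encode_js_string(name)};</script>\n'
        f'</div>'
    )


# Constructed hostile input: what an attacker would submit as a display name.
SAMPLE_NAME = "<script>alert(1)</script>"
SAMPLE_COMMENT = 'Nice photo & "thanks"'

if __name__ == "__main__":
    nonce = new_script_nonce()
    print("Content-Security-Policy:", content_security_policy(nonce))
    print(render_comment(SAMPLE_NAME, SAMPLE_COMMENT, nonce))
```

The same rule applies to the stored XSS entries later in this digest: the Name and Comment fields are untrusted wherever they are rendered, and the encoder must match the context (an attribute, a URL and a script block each need a different one).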
Microsoft Partner Center Improper Access Control Vulnerability | CVE-2024-49035 (CISA KEV)
Description: An improper access control vulnerability has been identified in Partner.Microsoft.com, which allows an unauthenticated attacker to elevate privileges over a network. The flaw occurs due to insufficient restrictions on user access controls, potentially enabling attackers to perform unauthorized actions within the system.
Potential Impacts:
- Privilege Escalation: Attackers may gain higher-level access, compromising system integrity.
- Unauthorized Data Access: Sensitive information may be exposed to unauthorized users.
- Service Disruption: Malicious activities could affect normal business operations.
- Account Takeover: Attackers may impersonate legitimate users and perform unauthorized actions.
Mitigation Recommendations:
- Apply Security Patches: Ensure that the latest security updates are applied to Partner.Microsoft.com.
- Enforce Strong Authentication: Implement multi-factor authentication (MFA) to reduce unauthorized access risks.
- Restrict Privileges: Follow least privilege principles to minimize exposure.
- Monitor User Activities: Enable logging and security monitoring to detect unusual access patterns.
- Conduct Security Audits: Regularly review and strengthen access control mechanisms.
Remote Code Execution and Path Traversal Vulnerabilities in Mautic | CVE-2024-47051
Description: Two critical vulnerabilities have been identified in Mautic versions prior to 5.2.3, which can be exploited by authenticated users:
- Remote Code Execution (RCE) via Asset Upload: Due to insufficient validation of allowed file extensions in the asset upload feature, attackers can bypass restrictions and upload malicious executable files, such as PHP scripts, allowing remote code execution on the server.
- Path Traversal File Deletion: A path traversal flaw in the upload validation process allows attackers to manipulate file paths, enabling the deletion of arbitrary files on the host system by exploiting improper path handling.
Potential Impacts:
- Full System Compromise: Uploaded malicious scripts may allow attackers to execute arbitrary commands on the server.
- Data Loss: Exploitation of the path traversal flaw can lead to deletion of critical files.
- Service Disruption: Successful attacks may bring down the application or the entire host system.
- Privilege Escalation: Attackers may leverage these flaws to elevate their access or gain administrative control.
Mitigation Recommendations:
- Update Mautic: Immediately upgrade to version 5.2.3 or later, where these vulnerabilities have been patched.
- Restrict Uploads: Limit asset upload permissions to trusted and necessary users only.
- Implement File Validation: Enforce strict validation on file types and extensions at both server and application levels.
- Monitor File Activity: Regularly review server file systems and logs for unauthorized uploads or deletions.
- Backup Regularly: Maintain consistent backups to restore data in case of malicious file deletions or system compromise.
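The two Mautic flaws are the two classic upload-handling mistakes: trusting the client's extension and trusting the client's path. The block below is an added example (not Mautic's own code) of the server-side checks the mitigation list above calls for: an extension allowlist that inspects every component of the name so a server-executable extension cannot hide behind an allowed one, and path containment so a filename used for storing or deleting an asset can never resolve outside the upload directory. The allowlist, the executable-extension set and the temporary upload directory are constructed for the example.

```python
"""Hardened asset-upload validation (added example, not Mautic's code)."""
import re
import tempfile
from pathlib import Path

# Constructed for the example; a real deployment sets its own allowlist.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}
# Server-side executable extensions: rejected wherever they appear in a name,
# so "image.php.png" is refused even though its final extension is allowed.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "phar", "php5", "cgi", "pl", "sh"}
# One conservative character set: no separators, no control bytes, no spaces.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


class UploadRejected(ValueError):
    """Raised when a filename fails validation; the message says why."""


def validate_filename(filename: str) -> str:
    """Return the filename unchanged if it is safe, else raise UploadRejected."""
    if "/" in filename or "\\" in filename:
        raise UploadRejected("directory separators are not allowed")
    if not _SAFE_NAME.match(filename):
        raise UploadRejected("filename contains disallowed characters")
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[0] == "" or parts[-1] == "":
        raise UploadRejected("filename needs a base name and an extension")
    if EXECUTABLE_EXTENSIONS.intersection(parts[1:]):
        raise UploadRejected("executable extension present in name")
    if parts[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension '{parts[-1]}' is not in the allowlist")
    return filename


def rejection_reason(filename: str) -> str:
    """Return '' when the name is accepted, otherwise the rejection message."""
    try:
        validate_filename(filename)
        return ""
    except UploadRejected as exc:
        return str(exc)


def resolve_upload_path(upload_root: Path, filename: str) -> Path:
    """Absolute on-disk path for a validated upload, guaranteed under upload_root.

    Resolving and then checking containment is an independent second guard:
    even if validate_filename were weakened later, nothing outside the upload
    directory could be written or deleted through this function.
    """
    root = upload_root.resolve()
    target = (root / validate_filename(filename)).resolve()
    if root not in target.parents:
        raise UploadRejected("resolved path escapes the upload directory")
    return target


def safe_delete(upload_root: Path, filename: str) -> bool:
    """Delete an asset only through resolve_upload_path; True if a file was removed."""
    target = resolve_upload_path(upload_root, filename)
    if target.is_file():
        target.unlink()
        return True
    return False


def demo() -> dict:
    """Exercise the checks against a temporary upload directory."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    stored = resolve_upload_path(root, "brochure.pdf")
    stored.write_bytes(b"%PDF-1.4 constructed sample")
    return {
        "stored_inside_root": stored.parent == root.resolve(),
        "deleted": safe_delete(root, "brochure.pdf"),
        "traversal_rejected": rejection_reason("../../etc/passwd") != "",
        "double_extension_rejected": rejection_reason("image.php.png") != "",
        "plain_image_accepted": rejection_reason("image.png") == "",
    }


if __name__ == "__main__":
    print(demo())
```

Note that the containment check in `resolve_upload_path` is what the Mautic deletion flaw lacked: the path is resolved first and only then compared against the upload root, so `..` segments and symlinks are judged by where they actually land.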
HIGH SEVERITY VULNERABILITIES
Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability | CVE-2024-20953 (CISA KEV): A vulnerability in the Export component of Oracle Agile PLM (version 9.3.6) allows a low-privileged attacker with network access via HTTP to compromise the system. This flaw is easily exploitable and can lead to a complete system takeover, impacting confidentiality, integrity, and availability.
Missing SSL Certificate Validation in SunGrow iSolarCloud Android App | CVE-2024-50691: A Missing SSL Certificate Validation vulnerability exists in the SunGrow iSolarCloud Android app versions V2.1.6.20241104 and earlier. The app explicitly ignores SSL/TLS certificate errors, making it vulnerable to Man-in-the-Middle (MiTM) attacks. An attacker positioned on the same network as the victim or controlling a malicious network (e.g., public Wi-Fi) can exploit this flaw by impersonating the legitimate iSolarCloud server. This allows the attacker to intercept, view, and modify sensitive data exchanged between the app and the server, such as authentication credentials, energy data, and control commands.
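The iSolarCloud flaw is a client that swallows certificate errors. The block below is an added example, written in Python rather than the app's own Android code (which is not on the page), showing the equivalent weak configuration beside the correct one and an audit function that flags any `ssl.SSLContext` configured the insecure way. The optional CA bundle path is an assumption for the example; with none given, the platform trust store is used.

```python
"""TLS verification: the weak setting beside the correct one (added example)."""
import ssl
from typing import List, Optional


def build_insecure_context() -> ssl.SSLContext:
    """The pattern to avoid: any certificate for any hostname is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # an impersonating server now passes the handshake
    return ctx


def build_verifying_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """A client context that validates the chain and the hostname.

    ca_bundle (assumption for the example) pins trust to one CA file when
    given; otherwise the platform trust store is loaded.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets these; restating them makes the
    # intent explicit so a later edit cannot silently drop either check.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the verification weaknesses found; an empty list means OK."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for another host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS older than 1.2")
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", build_insecure_context()),
                       ("verifying", build_verifying_context())):
        print(label, audit_context(ctx) or "no findings")
```

On the client side the test to run is the same idea: point the app at an endpoint presenting an untrusted certificate and confirm the connection fails; if it succeeds, the app is exposed to the interception described above.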
Stored Cross-Site Scripting (XSS) in WordPress Contest Gallery Plugin | CVE-2025-1513: A Stored Cross-Site Scripting (XSS) vulnerability exists in the Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery—Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons plugin for WordPress, affecting all versions up to and including 26.0.0.1. The vulnerability stems from insufficient input sanitization and output escaping on the Name and Comment fields when users submit comments on photo gallery entries. This allows unauthenticated attackers to inject malicious JavaScript code into gallery pages, which is then stored and executed whenever another user views the compromised page.
Privilege Escalation via Account Takeover in Exertio Framework Plugin for WordPress | CVE-2024-13373: A privilege escalation and account takeover vulnerability exists in the Exertio Framework plugin for WordPress, affecting all versions up to and including 1.3.1. The vulnerability is caused by improper validation within the fl_forgot_pass_new() function, which allows unauthenticated attackers to reset passwords of any user, including administrators, without verifying ownership of the account. This flaw enables attackers to change arbitrary user passwords and gain full control over affected accounts.
MEDIUM SEVERITY VULNERABILITIES
Use-After-Free Vulnerability in Zoom Workplace Apps and SDKs | CVE-2024-27246: A Use-After-Free vulnerability has been discovered in certain versions of Zoom Workplace Apps and SDKs, which may allow an authenticated user to trigger a Denial of Service (DoS) attack through network access. This flaw arises when memory that has been freed is still accessed, causing the application to crash or behave unpredictably.
Cross-Site Request Forgery (CSRF) Vulnerability in Subscriptions & Memberships for PayPal Plugin | CVE-2024-13560: A Cross-Site Request Forgery (CSRF) vulnerability exists in the Subscriptions & Memberships for PayPal plugin for WordPress in all versions up to and including 1.1.6. This vulnerability is due to missing or improper nonce validation on specific functions, allowing unauthenticated attackers to potentially delete arbitrary posts by tricking a site administrator into unknowingly executing malicious requests (such as clicking on a crafted link).
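The Exertio password-reset flaw and the PayPal plugin's missing nonce check share a root cause: a state-changing request is honoured without proof that it was authorised for this account or this session. The block below is an added example (not the code of either plugin, and not WordPress's own nonce implementation) in which one HMAC token helper serves both cases. Each token commits to a purpose, a subject (the user or session id) and an expiry, so a reset token minted for one user cannot reset another, and a nonce issued to one session cannot authorise a delete from another. The server secret, the user table, the post table and the session ids are constructed for the example.

```python
"""Purpose-bound, expiring tokens for password reset and CSRF (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

SERVER_SECRET = secrets.token_bytes(32)   # constructed; load from config in practice


def make_token(purpose: str, subject: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Return 'expiry.signature' where the signature binds purpose, subject and expiry."""
    expiry = int((time.time() if now is None else now) + ttl_seconds)
    msg = f"{purpose}|{subject}|{expiry}".encode()
    sig = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{expiry}.{sig}"


def verify_token(token: str, purpose: str, subject: str, now: Optional[float] = None) -> bool:
    """True only if the token was minted for this purpose and subject and is unexpired."""
    try:
        expiry_str, sig = token.split(".", 1)
        expiry = int(expiry_str)
    except ValueError:
        return False
    if (time.time() if now is None else now) > expiry:
        return False
    msg = f"{purpose}|{subject}|{expiry}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


# --- password reset: the check fl_forgot_pass_new() was described as lacking ---

def hash_password(password: str) -> Tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USERS: Dict[str, Tuple[bytes, bytes]] = {          # constructed user table
    "admin": hash_password("admin-initial"),
    "alice": hash_password("alice-initial"),
}
USED_RESET_TOKENS = set()                           # reset tokens are single use


def check_password(username: str, password: str) -> bool:
    salt, digest = USERS[username]
    return hmac.compare_digest(
        digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000))


def request_password_reset(username: str) -> str:
    """Issue a reset token bound to this user; in practice sent only to the owner."""
    return make_token("password-reset", username, ttl_seconds=900)


def reset_password(username: str, token: str, new_password: str) -> bool:
    """Change the password only with a valid, unused token minted for the same user."""
    if username not in USERS or token in USED_RESET_TOKENS:
        return False
    if not verify_token(token, "password-reset", username):
        return False
    USED_RESET_TOKENS.add(token)
    USERS[username] = hash_password(new_password)
    return True


# --- CSRF nonce: the check the delete handler was described as lacking ---

POSTS: Dict[int, str] = {1: "Welcome", 2: "Pricing"}   # constructed post table


def csrf_nonce(session_id: str, action: str) -> str:
    """Nonce embedded in the admin page; tied to one session and one action."""
    return make_token(f"csrf:{action}", session_id, ttl_seconds=3600)


def delete_post(session_id: str, post_id: int, nonce: str) -> bool:
    """Delete only when the nonce proves the request came from a page this session rendered."""
    if not verify_token(nonce, "csrf:delete-post", session_id):
        return False
    return POSTS.pop(post_id, None) is not None
```

A forged link carries no nonce for the victim's session, so `delete_post` refuses it even when the victim is logged in; and because the reset token names the user it was issued for, presenting it with a different username fails before any password is touched.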
Command Injection Vulnerability in Cisco Nexus 3000 and 9000 Series Switches | CVE-2025-20161: A command injection vulnerability has been discovered in the software upgrade process of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches operating in standalone NX-OS mode. This flaw exists due to insufficient validation of specific components within software images during the upgrade process. An authenticated, local attacker with valid Administrator credentials can exploit this vulnerability by installing a maliciously crafted software image.