Here are the CVE updates for the week of November 4th through 10th, 2024.
Zero-day Severity Vulnerabilities
Privilege Escalation Vulnerability in Android Framework Allowing Unauthorized Directory Access | CVE-2024-43093: is a privilege escalation vulnerability in the Android Framework, disclosed in Google's November 2024 Android security bulletin with the note that it may be under limited, targeted exploitation. It affects Android 12, 13, 14 and 15 and permits unauthorized access to the "Android/data", "Android/obb" and "Android/sandbox" directories and their subdirectories, which hold app-specific data on shared storage that other apps are not meant to read. A malicious app exploiting the flaw can read or modify other apps' files and escalate its privileges from there. CISA added the CVE to its Known Exploited Vulnerabilities catalog on November 7, 2024; devices should be updated to the November 2024 patch level.
Critical Severity Vulnerabilities
PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability | CVE-2024-8956: is a critical insufficient-authentication vulnerability in PTZOptics PT30X-SDI/NDI-xx cameras with firmware before 6.3.40. The camera's web server does not properly enforce authentication on /cgi-bin/param.cgi when a request arrives without an HTTP Authorization header, so a remote, unauthenticated attacker can read sensitive data such as usernames, password hashes and configuration details, and can also update individual configuration values or overwrite the whole configuration. CISA added this CVE, together with CVE-2024-8957 below, to its Known Exploited Vulnerabilities catalog on November 4, 2024; the two chain naturally, since the authentication bypass is what lets an unauthenticated attacker write the configuration value that the command injection then executes.
Palo Alto Expedition Missing Authentication Vulnerability | CVE-2024-5910: is a critical missing-authentication vulnerability in Palo Alto Networks Expedition, the tool used to migrate, tune and enrich firewall configurations, in versions before 1.2.92. A critical function is reachable without authentication, so an attacker with network access to Expedition can take over its admin account. Expedition holds the configuration secrets, credentials and API keys imported into it, so an account takeover exposes all of those and lets the attacker manipulate migrated configurations. CISA added this CVE to its Known Exploited Vulnerabilities catalog on November 7, 2024. Expedition should not be reachable from untrusted networks; users should upgrade to 1.2.92 or later and rotate every username, password and API key that passed through the tool.
Directory Traversal in Nostromo nhttpd Leading to Remote Code Execution | CVE-2019-16278: is a critical directory traversal vulnerability in the http_verify function of Nostromo nhttpd through version 1.9.6. The function's path check can be bypassed with a crafted HTTP request, so the request escapes the web root; an attacker can then reach arbitrary files on the server, including executables, and use that to run commands remotely. Although the bug dates from 2019, CISA added it to its Known Exploited Vulnerabilities catalog on November 7, 2024, which is why it appears in this week's list. Affected servers should be upgraded to a patched release (1.9.7 or later) or taken off exposed networks.
Contest Gallery Plugin <= 24.0.3 – Unauthenticated SQL Injection Vulnerability | CVE-2024-10687: is a time-based blind SQL injection vulnerability in the WordPress plugin "Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons", affecting versions up to and including 24.0.3. The $collectedIds parameter is neither validated nor escaped before it is used in an existing SQL query, so an unauthenticated attacker can append additional SQL to it. Because the injection is blind, the attacker extracts data one condition at a time, for example by timing delayed responses, and can read sensitive information from the database.
Authentication bypass Vulnerability in Aero | CVE-2024-51561: is an improper OTP validation vulnerability in Aero. Certain API endpoints do not validate the one-time password (OTP) correctly: the server's verdict on the second factor is not enforced on the steps that follow it. An authenticated remote attacker can therefore intercept the response of the OTP check during second-factor authentication and alter it (for example, turning a failure into a success), after which the flow proceeds as if the second factor had been satisfied, and the attacker can gain unauthorized access to other users' accounts. The fix is to record the OTP result server-side and have every subsequent endpoint check that record rather than anything the client relays.
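The following is an added example, not Aero's code, showing the mechanism behind a response-manipulation bypass of a second factor. It models a minimal OTP login flow: the server issues an OTP, checks it, and then serves account data. The vulnerable account endpoint trusts the verification outcome the client relays (which is exactly what an attacker changes in the intercepted response); the hardened one consults only the server-side flag set by a successful check. Account names, the attempt limit and the in-memory session store are all assumptions for the demo.

```python
import hmac
import secrets

MAX_OTP_ATTEMPTS = 5  # assumed lockout threshold for the demo


class OtpLoginServer:
    """Toy second-factor flow (added example, not Aero's code).

    The server keeps the OTP and an 'otp_verified' bit per session. Whether
    the next step honours that bit, or a flag echoed back by the client, is
    the whole difference between the two account endpoints below.
    """

    def __init__(self):
        # Constructed sample accounts; a real system would hold these in a DB.
        self.accounts = {"victim": "victim's private profile", "attacker": "attacker's profile"}
        self.sessions = {}

    def start_login(self, username):
        """Step 1: identify the user and issue an OTP to their device.

        The OTP is returned here only so the demo can drive both sides; a real
        server delivers it out of band (SMS/app) and never returns it to the client.
        """
        if username not in self.accounts:
            raise KeyError("unknown user")
        sid = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.sessions[sid] = {"user": username, "otp": otp, "attempts": 0, "otp_verified": False}
        return sid, otp

    def verify_otp(self, sid, submitted):
        """Step 2: check the OTP and record the result server-side."""
        s = self.sessions[sid]
        if s["attempts"] >= MAX_OTP_ATTEMPTS:
            return {"success": False, "error": "locked"}
        s["attempts"] += 1
        ok = hmac.compare_digest(s["otp"].encode(), submitted.encode())
        if ok:
            s["otp_verified"] = True
        return {"success": ok}

    def account_data_vulnerable(self, sid, client_says_verified):
        """Vulnerable step 3: trusts the verification outcome the client relays.

        An attacker who intercepts the verify_otp response and rewrites
        {"success": false} to {"success": true} makes the client call this
        with client_says_verified=True and receives the victim's data.
        """
        s = self.sessions[sid]
        if not client_says_verified:
            raise PermissionError("second factor not completed")
        return self.accounts[s["user"]]

    def account_data_hardened(self, sid, client_says_verified=None):
        """Hardened step 3: only the server-side bit set by verify_otp counts.

        client_says_verified is accepted and ignored, to show the endpoint
        signature need not change for the fix.
        """
        s = self.sessions[sid]
        if not s["otp_verified"]:
            raise PermissionError("second factor not completed")
        return self.accounts[s["user"]]


def wrong_guess(otp):
    """Pick a code that is guaranteed not to be the real OTP (demo helper)."""
    return "000000" if otp != "000000" else "111111"
```

The lockout counter is incidental to the bypass but belongs in any OTP endpoint, since a six-digit code without rate limiting falls to brute force regardless of how the result is enforced.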
High Severity Vulnerabilities
PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability | CVE-2024-8957: is a high-severity OS command injection vulnerability in PTZOptics PT30X-SDI/NDI-xx cameras with firmware before 6.3.40. The ntp_addr configuration parameter is not validated, so a value containing shell metacharacters is executed as part of the command line when the ntp_client process is started. Combined with the authentication bypass CVE-2024-8956, which lets an unauthenticated attacker write that parameter, this yields unauthenticated remote code execution on the camera; CISA added both CVEs to its Known Exploited Vulnerabilities catalog on November 4, 2024.
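The following is an added example, not PTZOptics firmware code, that reproduces the ntp_addr bug pattern and its fix in Python. It assumes the firmware builds a command line such as "ntpdate -u <ntp_addr>" and hands it to a shell (the page only says the parameter reaches the ntp_client process); "echo" stands in for the NTP client so the demo runs anywhere, and the shell interprets the metacharacters exactly as it would for the real binary. The hardened version validates the value as an IP literal or hostname and passes it as a single argv element with no shell in between.

```python
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def is_valid_ntp_addr(value):
    """Accept only an IP literal or a plain hostname; reject everything else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(value))


def sync_time_vulnerable(ntp_addr):
    """Unsafe pattern: the configuration value is spliced into a shell command.

    'echo' replaces ntpdate (assumed client name) so the demo is harmless;
    everything after a ';' or inside $(...) still runs as a separate command.
    """
    cmd = f"echo ntpdate -u {ntp_addr}"
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True, check=True).stdout


def sync_time_hardened(ntp_addr):
    """Safe pattern: validate first, then exec with an argv list and no shell.

    Even if validation were bypassed, an argv element is never re-parsed by a
    shell, so metacharacters cannot split it into extra commands.
    """
    if not is_valid_ntp_addr(ntp_addr):
        raise ValueError(f"rejected ntp_addr: {ntp_addr!r}")
    return subprocess.run(
        ["echo", "ntpdate", "-u", ntp_addr], capture_output=True, text=True, check=True
    ).stdout
```

Both layers matter on a device like this: the allow-list stops the value from ever carrying shell syntax, and the shell-free exec means a future parameter that slips past validation still cannot be turned into a second command.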
Cross-site Scripting vulnerability in link CSV import in Combodo iTop | CVE-2024-31448: is a cross-site scripting (XSS) vulnerability in Combodo iTop, a web-based IT service management tool. Field values in a CSV file are not sanitised on import, so a file containing JavaScript in a field is accepted as-is and the script runs in the browser of the user handling the import or viewing the imported data. That lets the attacker perform actions in the victim's session with the victim's privileges. Users should upgrade to a fixed iTop release.
Cisco Enterprise Chat and Email Denial of Service Vulnerability | CVE-2024-20484: affects the External Agent Assignment Service (EAAS) of Cisco Enterprise Chat and Email (ECE), the component that assigns customer chat and callback sessions to agents within a Cisco Unified Contact Center Enterprise (CCE) deployment. EAAS does not sufficiently validate Media Routing Peripheral Interface Manager (MR PIM) traffic, so an unauthenticated remote attacker can send crafted MR PIM traffic that forces the service into a denial of service state, halting chat and callback assignment.
Medium Severity Vulnerabilities
IBM WebSphere Application Server XML external entity injection | CVE-2024-45086: is an XML External Entity (XXE) injection vulnerability in IBM WebSphere Application Server versions 8.5 and 9.0. The server processes XML input without disabling external entity resolution, so a remote attacker with privileged access can submit XML whose entity declarations cause the parser to read local files and return their contents, or to expand nested entities until it exhausts memory. The impact is exposure of sensitive information or a denial of service; IBM has published fixes for both versions.
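The following is an added example, not WebSphere code, showing the check a practitioner would put in front of an XML parser that receives untrusted input. Both XXE payloads on this page's theme (file read and entity expansion) need a DOCTYPE with entity declarations, so the pre-scan uses Python's expat bindings and aborts at the first DOCTYPE subset or entity declaration before anything is expanded; only documents that pass are handed to ElementTree. The payloads and the order document are constructed for the demo.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document declares entities or references an external DTD."""


def reject_entities(data):
    """Pre-scan with expat and abort at the first DTD feature an XXE needs.

    An exception raised inside an expat handler stops the parse, so a
    billion-laughs document is refused at its first <!ENTITY> rather than
    after the expansion has consumed memory.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A bare <!DOCTYPE x> is harmless; a subset or external DTD is not.
        if sysid or pubid or has_internal_subset:
            raise UnsafeXML(f"DOCTYPE with DTD for <{name}>")

    def on_entity_decl(*args):
        raise UnsafeXML(f"entity declaration: {args[0]!r}")

    def on_external_ref(*args):
        raise UnsafeXML("external entity reference")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def parse_untrusted(data):
    """Parse XML from an untrusted source: refuse DTD tricks, then parse normally."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    reject_entities(data)
    return ET.fromstring(data)


# Constructed payloads for the demo.
BENIGN = b"<order><item sku='A1' qty='2'/></order>"
XXE_FILE_READ = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<order>&xxe;</order>"
)
BILLION_LAUGHS = (
    b'<?xml version="1.0"?><!DOCTYPE lolz ['
    b'<!ENTITY lol "lol">'
    b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    b'<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">'
    b"]><lolz>&lol2;</lolz>"
)
```

Rejecting the DTD outright is the simplest robust policy; where a DTD is genuinely required, the parser must instead be configured to disable external entity resolution and cap entity expansion, which is the setting the WebSphere fix corresponds to.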
Panic Vulnerability in loona-hpack | CVE-2024-51502: is a vulnerability in loona-hpack, the HPACK (HTTP/2 header compression) library of the experimental loona HTTP/1.1 and HTTP/2 framework written in Rust. The Decoder component carries a flaw equivalent to the one reported as issue #11 of the original hpack crate it derives from: decoding crafted input can make the decoder panic, which on a server amounts to a remotely triggerable denial of service. Anyone using loona-hpack to decode headers from untrusted peers is affected and should update to a fixed version.
AMTT Hotel Broadband Operation System online_status.php sql injection | CVE-2024-11051: is a SQL injection vulnerability in AMTT Hotel Broadband Operation System versions up to 3.0.3.151204. The AccountID parameter of /manager/frontdesk/online_status.php is placed into a SQL query without validation, so a remote attacker can manipulate it to alter the query and compromise the system's database. The exploit has been publicly disclosed, and the vendor did not respond to the disclosure, so no fix is available at the time of writing.
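The following is an added example, not code from the Contest Gallery plugin or from AMTT, that reproduces both SQL injection shapes on this page in Python with an in-memory SQLite database: a comma-separated id list pasted into an IN (...) clause (the $collectedIds case) and a single numeric id pasted into a WHERE clause (the AccountID case). SQLite has no sleep() function, so instead of a timing delay the blind case is shown as a boolean probe, which is the same inference primitive a time-based injection uses. The tables, rows and the stand-in password hash are constructed for the demo.

```python
import re
import sqlite3

# Constructed stand-in for a stored bcrypt hash; the value is meaningless.
ADMIN_HASH = "$2y$10$examplehashvalue"


def make_db():
    """In-memory SQLite with a gallery table and a users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE gallery_items (id INTEGER PRIMARY KEY, title TEXT, votes INTEGER);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT);
        INSERT INTO gallery_items VALUES (1, 'sunset', 10), (2, 'beach', 4), (3, 'city', 7);
        """
    )
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    return conn


def items_by_ids_vulnerable(conn, collected_ids):
    """The request's comma-separated id list is pasted straight into IN (...)."""
    sql = f"SELECT title FROM gallery_items WHERE id IN ({collected_ids})"
    return [row[0] for row in conn.execute(sql)]


_ID_LIST_RE = re.compile(r"^\s*\d+(?:\s*,\s*\d+)*\s*$")


def parse_id_list(collected_ids):
    """Accept only digits and commas and return ints; anything else is an error."""
    if not _ID_LIST_RE.match(collected_ids):
        raise ValueError(f"bad id list: {collected_ids!r}")
    return [int(x) for x in collected_ids.split(",")]


def items_by_ids_hardened(conn, collected_ids):
    """One placeholder per id; the values travel as parameters, never as SQL text."""
    ids = parse_id_list(collected_ids)
    placeholders = ",".join("?" for _ in ids)
    sql = f"SELECT title FROM gallery_items WHERE id IN ({placeholders})"
    return [row[0] for row in conn.execute(sql, ids)]


def online_status_vulnerable(conn, account_id):
    """Single-value form of the same bug (the AccountID parameter)."""
    sql = f"SELECT name FROM users WHERE id = {account_id}"
    return [row[0] for row in conn.execute(sql)]


def online_status_hardened(conn, account_id):
    """int() rejects anything that is not a number; the query is parameterised."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (int(account_id),))]


# Constructed payloads: one UNION that pulls a column from another table, and
# two boolean probes that reveal one fact about the hash per request.
UNION_PAYLOAD = "1) UNION SELECT password_hash FROM users --"
PROBE_TRUE = "1) AND (SELECT substr(password_hash,1,4) FROM users WHERE id = 1) = '$2y$' --"
PROBE_FALSE = "1) AND (SELECT substr(password_hash,1,4) FROM users WHERE id = 1) = '$2a$' --"
```

The IN-list case is the one developers most often get wrong, because a single placeholder cannot carry a list; the fix is to generate one placeholder per element after validating that every element is an integer, which is what parse_id_list enforces.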
ZKTeco ZKBio Time Image File photo direct request | CVE-2024-11049: is a vulnerability in ZKTeco ZKBio Time 9.0.1 in the Image File Handler component behind the /auth_files/photo/ endpoint. Files under that path can be fetched by direct request without the access control that applies elsewhere in the application, so a remote attacker who knows or guesses a file name can retrieve photos they are not authorised to see. The attack is rated high complexity and difficult to exploit, which is why the issue is classified as problematic rather than critical. ZKTeco did not respond to the disclosure, and a public exploit is available, which raises the likelihood of misuse.
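The following is an added example, not code from Nostromo nhttpd or from ZKTeco, that covers the two file-serving failures on this page: the Nostromo traversal, where the web server's path check is bypassed and the request escapes the web root, and the ZKBio Time direct request, where a file under a protected path is served without checking that the caller may have it. It builds a throwaway document root, shows the naive join that lets "../" (encoded or not) escape, and then a handler that decodes once, rejects control characters, canonicalises, confines the result to the root, and only then applies a per-file ownership check. The directory layout and the ownership table are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def resolve_vulnerable(docroot, request_path):
    """Naive join: nothing stops '..' from walking out of the document root."""
    return os.path.join(docroot, unquote(request_path).lstrip("/"))


def resolve_hardened(docroot, request_path):
    """Decode once, reject control characters, canonicalise, then confine to root.

    resolve() collapses '.' and '..' and follows symlinks, so the containment
    test runs on the path the filesystem would actually open.
    """
    decoded = unquote(request_path)
    if any(ord(c) < 0x20 or c == "\x7f" for c in decoded):
        raise PermissionError("control character in path")
    root = Path(docroot).resolve()
    target = (root / decoded.lstrip("/")).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"path escapes document root: {request_path!r}")
    return str(target)


# Constructed ownership table: which photo each user is allowed to fetch.
PHOTO_OWNER = {"photos/alice.jpg": "alice", "photos/bob.jpg": "bob"}


def serve_photo(docroot, current_user, request_path):
    """Direct-request handler: confine the path AND check the caller owns the file.

    Confinement alone is the Nostromo fix; without the ownership check any
    authenticated user could still fetch any photo by name, which is the
    ZKBio Time failure.
    """
    target = resolve_hardened(docroot, request_path)
    rel = os.path.relpath(target, Path(docroot).resolve()).replace(os.sep, "/")
    if PHOTO_OWNER.get(rel) != current_user:
        raise PermissionError(f"{current_user} may not fetch {rel}")
    with open(target, "rb") as fh:
        return fh.read()


def build_fixture():
    """Create a throwaway document root with two photos and a file outside it."""
    base = Path(tempfile.mkdtemp())
    docroot = base / "htdocs"
    (docroot / "photos").mkdir(parents=True)
    (docroot / "photos" / "alice.jpg").write_bytes(b"ALICE-JPEG")
    (docroot / "photos" / "bob.jpg").write_bytes(b"BOB-JPEG")
    (base / "secret.txt").write_bytes(b"TOP-SECRET")
    return str(docroot)
```

Checking for the literal string ".." in the raw request, which is the kind of check a traversal bypass defeats, is deliberately absent here: the decision is made on the canonical path, so encoding tricks and stray control characters in a path component cannot change the outcome.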