Here are the CVE updates for the week of October 28th through November 3rd.
Zero-day Severity Vulnerabilities
Unauthenticated Remote Code Execution in CyberPanel | CVE-2024-51567 is a critical vulnerability in CyberPanel that stems from an issue in the upgrademysqlstatus function within the databases/views.py file. The flaw allows attackers to bypass the security middleware by placing shell metacharacters in the statusfile property, which leads to remote command execution. It is particularly severe because it lets unauthorized users execute arbitrary commands on the server, compromising the system’s integrity.
Command Injection Vulnerability in CyberPanel’s File Execution Process | CVE-2024-51568 is a critical vulnerability in CyberPanel, specifically in the ProcessUtilities.outputExecutioner() function. It is a command injection through the completePath parameter that allows attackers to perform unauthorized file uploads and execute remote code without authentication. An attacker can craft inputs that manipulate the execution flow, potentially compromising the affected system.
Command Execution Vulnerability in CyberPanel’s DNS and FTP Functions | CVE-2024-51378 is a critical vulnerability in CyberPanel affecting the getresetstatus function in both dns/views.py and ftp/views.py. It allows attackers to execute commands remotely by bypassing the security middleware. Circumventing this middleware significantly increases the risk of unauthorized access to, and control over, the affected systems.
NTLM Credential Leak via Malicious Windows Theme Files | CVE-2024-38030 is a critical vulnerability in multiple versions of Windows, from Windows 7 up to Windows 11 (24H2). It arises when malicious theme files are created with network paths for properties such as BrandImage and Wallpaper. When such a theme file is displayed in Windows Explorer, it can trigger NTLM (NT LAN Manager) authentication requests to remote servers without any user interaction. Attackers can exploit this behavior for NTLM relay and pass-the-hash attacks, allowing them to move laterally across compromised networks and significantly heightening the security risk.
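An added detection aid, not from the page or from Microsoft: a scanner that parses .theme text as INI and flags the BrandImage and Wallpaper properties named above whenever they point at a UNC path or a URL, so such files can be caught on a mail gateway or file share before Explorer ever renders them. The sample theme and the fileserver.example host are constructed for this example.

```python
import configparser
from typing import List, Tuple

# Theme properties Windows resolves as file paths while rendering the theme
# (the page names BrandImage and Wallpaper). Section names are matched
# case-insensitively; configparser lower-cases option names for us.
WATCHED = {
    "theme": {"brandimage"},
    "control panel\\desktop": {"wallpaper"},
}

def is_network_path(value: str) -> bool:
    """True for UNC paths and URL schemes that make Explorer reach out over
    the network (and therefore authenticate) when the theme is rendered."""
    v = value.strip().strip('"').lower()
    return v.startswith(("\\\\", "//", "file://", "http://", "https://"))

def scan_theme(text: str) -> List[Tuple[str, str, str]]:
    """Parses .theme (INI) text and returns (section, key, value) for every
    watched property whose value points at a network location."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        keys = WATCHED.get(section.lower())
        if not keys:
            continue
        for key, value in cp.items(section):
            if key in keys and is_network_path(value):
                findings.append((section, key, value.strip()))
    return findings

# Constructed sample: a theme whose branding and wallpaper point at a share.
SAMPLE_THEME = r"""
; constructed sample for this example, not a real theme file
[Theme]
DisplayName=Quarterly Report
BrandImage=\\fileserver.example\share\brand.png

[Control Panel\Desktop]
Wallpaper=\\fileserver.example\share\wall.jpg
TileWallpaper=0
"""

if __name__ == "__main__":
    for section, key, value in scan_theme(SAMPLE_THEME):
        print(f"[{section}] {key} -> network path {value}")
```

Blocking outbound SMB at the network perimeter remains the mitigation that stops the authentication attempt itself; the scanner only helps find the files.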
Critical Severity Vulnerabilities
Remote Code Execution Vulnerability in CyberPanel | CVE-2024-51567 is a remote code execution vulnerability in CyberPanel, specifically in the upgrademysqlstatus function in databases/views.py. It allows remote attackers to bypass authentication and execute arbitrary commands by manipulating requests to the /dataBases/upgrademysqlstatus endpoint. The exploit takes advantage of the fact that secMiddleware only applies to POST requests, so requests sent with GET or other methods bypass the security checks.
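The method-scoped gate described in this entry and in the zero-day entry above, as an added illustration that is not CyberPanel’s code: a minimal request object, a gate that inspects only POST bodies beside one that inspects every method, and a view that replaces the shell string with an allow-listed argv. The Request class, the statusfile allow-list and the tail command are assumptions made for the example.

```python
import json
import re
from typing import List, Optional

# Shell metacharacters the gate refuses (list constructed for this example).
SHELL_META = re.compile(r"[;&|`$<>\n]")
# Allow-list for the value the view actually uses (hypothetical policy).
SAFE_STATUSFILE = re.compile(r"^/var/log/[A-Za-z0-9._-]+$")

class Request:
    """Minimal stand-in for a web framework request object (hypothetical)."""
    def __init__(self, method: str, body: bytes = b"") -> None:
        self.method = method
        self.body = body

    def json(self) -> dict:
        return json.loads(self.body) if self.body else {}

def vulnerable_gate(req: Request) -> bool:
    """Scans for metacharacters, but only when the method is POST;
    GET, PUT, OPTIONS and friends are waved through uninspected."""
    if req.method == "POST":
        for value in req.json().values():
            if isinstance(value, str) and SHELL_META.search(value):
                return False
    return True

def hardened_gate(req: Request) -> bool:
    """Inspects every method and refuses bodies it cannot parse."""
    try:
        values = req.json().values()
    except ValueError:
        return False
    return not any(isinstance(v, str) and SHELL_META.search(v) for v in values)

def vulnerable_view(req: Request) -> Optional[str]:
    """Builds a shell command string from the request after the weak gate."""
    if not vulnerable_gate(req):
        return None
    return "tail -n 20 " + req.json().get("statusfile", "")

def hardened_view(req: Request) -> Optional[List[str]]:
    """Requires POST, gates every method, allow-lists the value and returns
    argv (never a shell string) so no shell ever parses the input."""
    if req.method != "POST" or not hardened_gate(req):
        return None
    statusfile = req.json().get("statusfile", "")
    if not SAFE_STATUSFILE.match(statusfile):
        return None
    return ["tail", "-n", "20", statusfile]
```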
WordPress AR For WordPress plugin | CVE-2024-50496 is an unrestricted file upload vulnerability in the AR For WordPress plugin, versions up to and including 6.2. It allows attackers to upload files of dangerous types, such as web shells, to the web server, which can then be executed to gain unauthorized access to or control over the server.
Sandbox Escape in Now Platform | CVE-2024-8923 is a remote code execution vulnerability in ServiceNow’s Now Platform. This input validation flaw enables unauthenticated attackers to execute arbitrary code within the platform’s environment. ServiceNow has proactively addressed it by deploying patches and hotfixes to hosted instances and by providing updates to partners and self-hosted customers.
Race Condition in IndexedDB Leading to Memory Corruption in Firefox and Thunderbird | CVE-2024-10468 is a potential race condition vulnerability affecting Firefox versions prior to 132 and Thunderbird versions prior to 132. It arises from issues in IndexedDB that could lead to memory corruption. If exploited, it could crash the application and potentially leave the system open to further exploitation.
High Severity Vulnerabilities
Sunnet eHRD CTMS – Authentication Bypass | CVE-2024-10438 is an authentication bypass vulnerability affecting the eHRD CTMS (Clinical Trial Management System) developed by Sunnet. It allows unauthenticated remote attackers to bypass authentication under certain specific conditions, potentially granting unauthorized access to sensitive application functionality and data.
Semicolon Path Injection on API /api;/config | CVE-2024-50334 is a semicolon path injection vulnerability in Scoold, a Q&A and knowledge-sharing platform for teams. It exists on the /api;/config endpoint, where attackers can manipulate the URL by appending a semicolon to bypass authentication and gain unauthorized access to sensitive configuration data.
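Why a semicolon defeats a prefix-based rule, as an added example that is not Scoold’s code: a naive check that matches the raw URI beside one that canonicalises the path the way servlet containers do (stripping ‘;’ path parameters from each segment, percent-decoding once, collapsing dot segments) before the rule is applied. The /api prefix rule is an assumption for the example.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical authorization rule: /api and everything below it needs a session.
PROTECTED_PREFIXES = ("/api",)

def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")

def naive_requires_auth(raw_uri: str) -> bool:
    """Matches the rule against the URI exactly as the client sent it.
    '/api;/config' is not under '/api/', so it is treated as public, yet the
    servlet layer strips ';...' path parameters and routes it to /api/config."""
    raw_path = raw_uri.split("?", 1)[0]
    return any(_under(raw_path, p) for p in PROTECTED_PREFIXES)

def normalize_path(raw_uri: str) -> str:
    """Canonicalises the path the way the container will before routing:
    drop the query, drop ';param' from every segment, percent-decode once,
    then collapse '.' and '..' segments and repeated leading slashes."""
    path = raw_uri.split("?", 1)[0]
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    normalized = posixpath.normpath(unquote("/".join(segments)))
    return "/" + normalized.lstrip("/")

def hardened_requires_auth(raw_uri: str) -> bool:
    """Evaluates the rule on the canonical path so every spelling of
    /api/config is protected; input still percent-encoded after one decode
    is treated as protected (fail closed) rather than decoded a second time."""
    path = normalize_path(raw_uri)
    if "%" in path:
        return True
    return any(_under(path, p) for p in PROTECTED_PREFIXES)
```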
Kyverno’s PolicyException objects can be created in any namespace by default | CVE-2024-48921 is a policy bypass vulnerability in Kyverno, a policy engine for Kubernetes. A PolicyException can override a Kyverno ClusterPolicy, such as the policy named “disallow-privileged-containers,” and because PolicyExceptions can be created from any namespace, this may not be apparent to administrators. As a result, users with privileges in non-Kyverno namespaces can create exceptions without the administrators’ knowledge.
Medium Severity Vulnerabilities
Codezips Hospital Appointment System | CVE-2024-10449 is a critical SQL injection vulnerability in Codezips Hospital Appointment System version 1.0. It is located in the file /loginAction.php, where the Username parameter is not properly sanitized, allowing attackers to manipulate SQL queries. This enables unauthorized access to the database, potentially exposing sensitive patient data or giving attackers control over the application.
SourceCodester Kortex Lite Advocate Office Management System | CVE-2024-10450 is a critical SQL injection vulnerability in SourceCodester Kortex Lite Advocate Office Management System version 1.0. It is located in the file /kortex_lite/control/edit_profile.php within the POST Parameter Handler component, where improper handling of the id parameter lets attackers inject malicious SQL queries. This can give attackers unauthorized access to the database, allowing them to retrieve or manipulate sensitive data.
Consul Vulnerable To Reflected XSS On Content-Type Error Manipulation | CVE-2024-10086 is a reflected cross-site scripting (XSS) vulnerability in Consul and Consul Enterprise. It arises because the server response does not explicitly set a Content-Type HTTP header, so user-provided input can be misinterpreted by the browser, potentially leading to a reflected XSS attack in which malicious scripts are injected and executed in the victim’s browser.
Cross-Site Scripting In Privileged Identity | CVE-2024-9110 is a medium-severity reflected cross-site scripting (XSS) vulnerability in Privileged Identity. Certain inputs are not adequately sanitized, so an attacker who sends a crafted URL or request can execute arbitrary scripts in the user’s browser, which may lead to data exposure, session hijacking, or other malicious actions affecting end users.
ESAFENET CDG FileDirectoryService.java docHistory SQL injection | CVE-2024-10594 is a critical SQL injection vulnerability in ESAFENET CDG version 5. It resides in the docHistory function within the FileDirectoryService.java file (/com/esafenet/servlet/fileManagement/FileDirectoryService.java) and is due to improper handling of the fileId parameter, allowing remote attackers to inject and execute arbitrary SQL queries by manipulating this argument.