1. Critical Security Alert: CVE-2024-5932 in GiveWP WordPress Plugin
Severity: Critical (CVSS Score: 10)
Affected Versions: All versions before 3.14.2
Details: The vulnerability is a PHP Object Injection (POI) flaw triggered by the deserialization of untrusted input via the ‘give_title’ parameter. Attackers can exploit this to execute arbitrary code and delete critical files, potentially compromising entire websites.
Action Required: Update to version 3.14.2 immediately to secure your site.
More Information: Details
2. Critical Security Alert: CVE-2024-7928 in FastAdmin
Severity: High
Affected Versions: FastAdmin (versions up to 1.3.3.20220121)
Details: The vulnerability is found in the /index/ajax/lang endpoint, where improper handling of the lang parameter permits path traversal (CWE-22). This can expose sensitive files outside the intended directories, compromising confidentiality.
Action Required: Upgrade to version 1.3.4.20220530 immediately to mitigate this vulnerability.
More Information: Details
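Added detection example (not FastAdmin's code and not taken from the advisory): a Python scan that flags requests to the /index/ajax/lang endpoint whose lang parameter carries a directory-traversal value, run over constructed access-log lines. The log format and the sample lines are assumptions; because the advisory names only the endpoint and the parameter, the patterns checked are the generic CWE-22 ones (".." segments, absolute paths, NUL bytes, double URL-encoding).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/index/ajax/lang"
# Request line of a common Apache/nginx access-log entry (format is an assumption).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def is_traversal(value: str) -> bool:
    """True if a parameter value tries to leave its directory: a '..' path
    segment, an absolute path, or an embedded NUL byte after decoding."""
    decoded = unquote(unquote(value)).replace("\\", "/")  # undo double encoding
    if "\x00" in decoded or decoded.startswith("/"):
        return True
    return any(seg == ".." for seg in decoded.split("/"))

def flag_line(line: str):
    """Return the raw lang value if the line is a traversal attempt on ENDPOINT."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != ENDPOINT:
        return None  # other endpoints are out of scope for this check
    for value in parse_qs(parts.query, keep_blank_values=True).get("lang", []):
        if is_traversal(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_lang_value) for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        v = flag_line(line)
        if v is not None:
            hits.append((n, unquote(unquote(v))))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [...] "GET /index/ajax/lang?lang=zh-cn HTTP/1.1" 200 512',
    '203.0.113.9 - - [...] "GET /index/ajax/lang?lang=..%2F..%2F..%2Fsecret.txt HTTP/1.1" 200 1543',
    '203.0.113.9 - - [...] "GET /index/ajax/lang?lang=%252e%252e%2Fconfig HTTP/1.1" 404 120',
    '198.51.100.2 - - [...] "GET /index/login?lang=../x HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for n, v in scan(SAMPLE_LOG):
        print(f"line {n}: suspicious lang value {v!r}")
```

Requests to other endpoints are deliberately ignored so the scan stays tied to the affected route; widen ENDPOINT to a set if your deployment serves FastAdmin under a path prefix.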
3. Critical Security Alert: CVE-2024-7646 in Kubernetes Ingress-NGINX
Severity: High (CVSS Score: 8.8)
Affected Versions: ingress-nginx controller (versions before v1.11.2)
Details: This vulnerability lies in the annotation validation process of ingress-nginx. Exploiting this flaw can allow attackers to gain control over the ingress-nginx controller, granting access to all secrets within the Kubernetes cluster. The risk is particularly high in multi-tenant environments where non-admin users can create Ingress objects.
Action Required: Upgrade to ingress-nginx controller v1.11.2 immediately to secure your cluster.
More Information: Details
4. Critical Security Alert: CVE-2024-43202 in Apache DolphinScheduler
Severity: Critical
Affected Versions: Apache DolphinScheduler versions 3.0.0 up to (but not including) 3.2.2
Details: The vulnerability was discovered by the security researcher “an4er” and officially disclosed by ShunFeng Cai on Apache DolphinScheduler’s developer mailing list. Classified as “important,” this flaw could enable unauthorized users to take control of affected systems, potentially leading to data breaches and system disruptions.
Action Required: Users of affected versions must upgrade to version 3.2.2 immediately to mitigate this vulnerability.
More Information: Details
5. Critical Security Alert: CVE-2024-21733 in Apache Tomcat
Severity: High
Affected Versions:
Apache Tomcat 8.5.7 to 8.5.63
Apache Tomcat 9.0.0-M11 to 9.0.43
Details: The vulnerability occurs when incomplete POST requests trigger an error response that inadvertently contains data from a previous request, potentially disclosing sensitive information to unauthorized users.
Action Required:
Upgrade to Apache Tomcat 9.0.44 or later.
Upgrade to Apache Tomcat 8.5.64 or later.
More Information: Details
6. Critical Security Alert: CVE-2024-7339 in TVT DVR and Other DVR Devices
Severity: High
Affected Devices:
Hardware: TVT DVR (TD-2104TS-CL, TD-2108TS-HP), Provision-ISR DVR (SH-4050A5-5L(MM)), AVISION DVR (AV108T), and others.
Software Versions: 1.3.4.22966B181219.D00.U1(4A21S), 1.3.4.22966B181219.D14.U1(8A41T)
Details: The vulnerability resides in the device’s web server, which suffers from insufficient access controls. This allows attackers to remotely extract sensitive information, including hardware and software versions, serial numbers, and network configurations. Exploiting this flaw can lead to targeted intrusions, device takeover, and data breaches.
Action Required:
1. Check for updates: Contact your DVR manufacturer or vendor to determine if a patch or firmware update is available to address CVE-2024-7339. Apply any updates promptly.
2. Restrict access: Implement strict access controls and authentication mechanisms to manage access to the device interfaces.
3. Secure your network: Use robust network security practices, such as firewalls and strong passwords, to limit unauthorized access.
4. Monitor for suspicious activity: Regularly check your DVR logs for any unusual behavior and report any concerns to your security team or the manufacturer.
More Information: Details
7. Critical Security Alert: XSS and LFI Vulnerabilities in Zimbra Collaboration
Severity: High
Affected Versions: Zimbra Collaboration versions 9.0 and 10.0
Details:
CVE-2024-33533: This vulnerability exists in the Zimbra webmail admin interface due to inadequate input validation of the ‘packages’ parameter. An authenticated attacker can inject and execute malicious JavaScript in another user’s browser session.
CVE-2024-33535: This flaw is linked to unauthenticated local file inclusion via the ‘packages’ parameter. Exploiting this can allow an attacker to access arbitrary local files without authentication, potentially exposing sensitive information.
CVE-2024-33536: Similar to CVE-2024-33533, this vulnerability involves reflected XSS through the ‘res’ parameter, enabling an authenticated attacker to inject and execute arbitrary JavaScript in another user’s browser session.
Historical Context: Zimbra Collaboration has been a frequent target for cyberattacks, with past vulnerabilities like CVE-2022-27924 and CVE-2022-41352 being actively exploited. The platform’s popularity and the severity of these flaws make it a high-value target for attackers.
Action Required: Organizations using Zimbra Collaboration should immediately apply the latest security patches to mitigate these vulnerabilities.
More Information: Details
Stay vigilant and informed as the cybersecurity landscape continues to evolve. Thank you for subscribing to Cybersecurity Insights.