VULNERA Pulse

Microsoft — SharePoint Server

CVE-2023-24955 / Added: March 26, 2024

HIGH CVSS 7.20 EPSS Score 34.44 EPSS Percentile 97.00

Microsoft SharePoint Server contains a code injection vulnerability that allows an authenticated attacker with Site Owner privileges to execute code remotely.

Headlines

• March 28, 2024 - Patch actively exploited Microsoft SharePoint bug, CISA orders federal agencies (CVE-2023-24955)
• March 27, 2024 - CISA tags Microsoft SharePoint RCE bug as actively exploited
• March 27, 2024 - CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog
• March 27, 2024 - CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability
• March 27, 2024 - CISA: Second SharePoint Flaw Disclosed at Pwn2Own Exploited in Attacks
• March 27, 2024 - CISA Warns of Active CVE-2023-24955 Exploitation in Microsoft SharePoint Server
• Jan. 12, 2024 - CISA: Critical SharePoint vuln is under active exploitation
• Jan. 12, 2024 - CISA: Critical Microsoft SharePoint bug now actively exploited
• Jan. 12, 2024 - Act Now: CISA Flags Active Exploitation of Microsoft SharePoint Vulnerability
• Dec. 16, 2023 - PoC Released for SharePoint Pre-Auth RCE Chain (CVE-2023-29357 & CVE-2023-24955)
• Oct. 2, 2023 - OpenRefine's Zip Slip Vulnerability Could Let Attackers Execute Malicious Code
• Sept. 29, 2023 - Exploit released for Microsoft SharePoint Server auth bypass flaw
• Sept. 27, 2023 - Researchers Release Details of New RCE Exploit Chain for SharePoint
• Sept. 27, 2023 - CVE-2023-29357: Privilege Escalation with Microsoft SharePoint Server PoC + Exploit
• May 10, 2023 - Microsoft Patch Tuesday for May 2023 fixed 2 actively exploited zero-day flaws
• May 10, 2023 - Microsoft's patches include Outlook preview pane vulnerability
• May 9, 2023 - Microsoft Patch Tuesday: 40 Vulnerabilities, 2 Zero-Days
• May 9, 2023 - Microsoft fixes two actively exploited bugs, one used by BlackLotus bootkit (CVE-2023-29336, CVE-2023-24932)
• May 9, 2023 - Microsoft Patch Tuesday for May 2023 — Fewest vulnerabilities disclosed in a month in three-plus years

Back to top ↑

Nice — Linear eMerge E3-Series

CVE-2019-7256 / Added: March 25, 2024

CRITICAL CVSS 10.00 EPSS Score 97.45 EPSS Percentile 99.95

Nice Linear eMerge E3-Series contains an OS command injection vulnerability that allows an attacker to conduct remote code execution.

Headlines

• March 26, 2024 - CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products
• March 5, 2024 - Nice Linear eMerge E3-Series | CISA

Back to top ↑

Ivanti — Endpoint Manager Cloud Service Appliance (EPM CSA)

CVE-2021-44529 / Added: March 25, 2024

CRITICAL CVSS 9.80 EPSS Score 96.89 EPSS Percentile 99.69

Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) contains a code injection vulnerability that allows an unauthenticated user to execute malicious code with limited permissions (nobody).

Headlines

• March 26, 2024 - CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products
• March 25, 2024 - CISA adds FortiClient EMS, Ivanti EPM CSA, Nice Linear eMerge E3-Series bugs to its Known Exploited Vulnerabilities catalog
• Feb. 29, 2024 - The Anatomy of an ALPHA SPIDER Ransomware Attack

Back to top ↑

Fortinet — FortiClient EMS

CVE-2023-48788 / Added: March 25, 2024

CRITICAL CVSS 9.80 EPSS Score 0.79 EPSS Percentile 81.06

Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.

Headlines

• March 25, 2024 - CISA adds FortiClient EMS, Ivanti EPM CSA, Nice Linear eMerge E3-Series bugs to its Known Exploited Vulnerabilities catalog
• March 24, 2024 - newsletter Round 464 by Pierluigi Paganini
• March 21, 2024 - Critical Fortinet's FortiClient EMS flaw actively exploited in the wild
• March 21, 2024 - Critical Fortinet's FortiClient EMS flaw actively exploited in the wild
• March 21, 2024 - Exploit released for Fortinet RCE bug used in attacks, patch now
• March 21, 2024 - PoC Exploit Released for Critical Fortinet FortiClient EMS CVE-2023-48788 Flaw
• March 19, 2024 - Fortinet Releases Security Updates for Multiple Products.
• March 18, 2024 - 133k+ Fortinet appliances still vulnerable to CVE-2024-21762
• March 17, 2024 - Week in review: Cybersecurity job openings, hackers use 1-day flaws to drop custom Linux malware
• March 14, 2024 - Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788)
• March 14, 2024 - Fortinet Patches Critical Bug in FortiClient EMS
• March 14, 2024 - Fortinet Warns of Severe SQLi Vulnerability in FortiClientEMS Software
• March 13, 2024 - Fortinet warns of critical RCE bug in endpoint management software
• March 13, 2024 - Fortinet fixes critical bugs in FortiOS, FortiProxy, and FortiClientEMS
• March 13, 2024 - March Patch Tuesday fixes Hyper-V guest-host escape

Back to top ↑

CVE-2024-3094

CRITICAL CVSS 10.00

Remote Code Execution Public Exploits Available

Published: March 29, 2024

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Quotes

• PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA 41 OR FEDORA RAWHIDE INSTANCES for work or personal activity
• Enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely

Headlines

• March 29, 2024 - Red Hat issues urgent alert for Fedora Linux users due to malicious code
• March 29, 2024 - CVE-2024-3094
• March 29, 2024 - Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094)
• March 29, 2024 - Red Hat warns of backdoor in XZ tools used by most Linux distros
• March 29, 2024 - Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094 | CISA

CVE-2023-29357

CRITICAL CVSS 9.80 EPSS Score 48.40 EPSS Percentile 97.41

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: June 14, 2023

Microsoft SharePoint Server Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Product Impacted: Sharepoint Server

Quotes

• In a network-based attack, an authenticated attacker as a Site Owner could execute code remotely on the SharePoint Server
• These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise
• This CISA advisory highlights the importance of patching and updating your software regularly, especially for private and public-facing servers that handle sensitive data. These chained vulnerabilities are very serious because they allow attackers to circumvent authentication and execute code remotely on vulnerable servers

Headlines

• March 28, 2024 - Patch actively exploited Microsoft SharePoint bug, CISA orders federal agencies (CVE-2023-24955)
• March 27, 2024 - CISA tags Microsoft SharePoint RCE bug as actively exploited
• March 27, 2024 - CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability
• March 27, 2024 - CISA: Second SharePoint Flaw Disclosed at Pwn2Own Exploited in Attacks
• March 27, 2024 - CISA Warns of Active CVE-2023-24955 Exploitation in Microsoft SharePoint Server

CVE-2023-48022

CRITICAL CVSS 9.80 EPSS Score 0.32 EPSS Percentile 70.02

Actively Exploited Remote Code Execution Public Exploits Available

Published: Nov. 28, 2023

Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment

Vendor Impacted: Anyscale

Product Impacted: Ray

Quotes

• To our knowledge, the attack started 7 months ago
• This vulnerability allows attackers to take over the companies' computing power and leak sensitive data
• Researchers at Oligo Security have observed instances of CVE-2023-48022 being actively exploited in the wild, making the disputed CVE a 'shadow vulnerability' — a CVE that doesn't show up in static scans but can still lead to breaches and significant losses
• The remaining CVE (CVE-2023-48022) - that Ray does not have authentication built in - is a long-standing design decision based on how Ray's security boundaries are drawn and consistent with Ray deployment best practices, though we intend to offer authentication in a future version as part of a defense-in-depth strategy

Headlines

• March 27, 2024 - 'Thousands' of firms vulnerable to security bug in Ray AI
• March 27, 2024 - AI framework vulnerability is being used to compromise enterprise servers (CVE-2023-48022)
• March 27, 2024 - Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining
• March 26, 2024 - Hackers exploit Ray framework flaw to breach servers, hijack resources

CVE-2024-21410

CRITICAL CVSS 9.80 EPSS Score 1.86 EPSS Percentile 88.11

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Feb. 13, 2024

Microsoft Exchange Server Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Product Impacted: Exchange Server

Quotes

• Are so outdated that security updates are no longer offered for them
• The fact that there are tens of thousands of vulnerable installations of such relevant software in Germany must not happen
• Overall, at least 37% of Exchange servers in Germany (and in many cases also the networks behind them) are severely vulnerable. This corresponds to approx. 17,000 systems. In particular, many schools and colleges, clinics, doctor's offices, nursing services and other medical institutions, lawyers and tax consultants, local governments, and medium-sized companies are affected

Headlines

• March 28, 2024 - Germany warns of 17,000 unpatched Microsoft Exchange servers
• March 26, 2024 - Germany warns of 17K vulnerable Microsoft Exchange servers exposed online
• March 26, 2024 - 17,000+ Microsoft Exchange servers in Germany are vulnerable to attack, BSI warns

CVE-2023-24955

HIGH CVSS 7.20 EPSS Score 34.44 EPSS Percentile 97.00

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: May 9, 2023

Microsoft SharePoint Server Remote Code Execution Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Sharepoint Server, Sharepoint Enterprise Server

Quotes

• In a network-based attack, an authenticated attacker as a Site Owner could execute code remotely on the SharePoint Server
• These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise
• This CISA advisory highlights the importance of patching and updating your software regularly, especially for private and public-facing servers that handle sensitive data. These chained vulnerabilities are very serious because they allow attackers to circumvent authentication and execute code remotely on vulnerable servers

Headlines

• March 28, 2024 - Patch actively exploited Microsoft SharePoint bug, CISA orders federal agencies (CVE-2023-24955)
• March 27, 2024 - CISA tags Microsoft SharePoint RCE bug as actively exploited
• March 27, 2024 - CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog
• March 27, 2024 - CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability
• March 27, 2024 - CISA: Second SharePoint Flaw Disclosed at Pwn2Own Exploited in Attacks
• March 27, 2024 - CISA Warns of Active CVE-2023-24955 Exploitation in Microsoft SharePoint Server

CVE-2024-29944

CVSS Not Assigned EPSS Score 0.04 EPSS Percentile 13.25

Risk Context N/A

Published: March 22, 2024

An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. Note: This vulnerability affects Desktop Firefox only, it does not affect mobile versions of Firefox. This vulnerability affects Firefox < 124.0.1 and Firefox ESR < 115.9.1.

Quotes

• Last night, about 21 hours ago, Manfred Paul demonstrated a security exploit targeting Firefox 124 at Pwn2Own
• An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination
• The Stable channel has been updated to 123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 to Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log

Headlines

• March 28, 2024 - Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024
• March 25, 2024 - Mozilla fixes $100,000 Firefox zero-days from Pwn2Own event
• March 25, 2024 - Mozilla Patches Firefox Zero-Days Exploited at Pwn2Own
• March 23, 2024 - Mozilla fixed Firefox 0days exploited at Pwn2Own Vancouver 2024

CVE-2024-29943

CVSS Not Assigned EPSS Score 0.04 EPSS Percentile 7.53

Risk Context N/A

Published: March 22, 2024

An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This vulnerability affects Firefox < 124.0.1.

Quotes

• Last night, about 21 hours ago, Manfred Paul demonstrated a security exploit targeting Firefox 124 at Pwn2Own
• An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination
• The Stable channel has been updated to 123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 to Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log

Headlines

• March 28, 2024 - Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024
• March 25, 2024 - Mozilla fixes $100,000 Firefox zero-days from Pwn2Own event
• March 25, 2024 - Mozilla Patches Firefox Zero-Days Exploited at Pwn2Own
• March 23, 2024 - Mozilla fixed Firefox 0days exploited at Pwn2Own Vancouver 2024

CVE-2024-28085

CVSS Not Assigned EPSS Score 0.04 EPSS Percentile 13.25

Actively Exploited Public Exploits Available

Published: March 27, 2024

wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.

Quotes

• Improper neutralization of escape sequences in wall
• The util-linux wall command does not filter escape sequences from command line arguments

Headlines

• March 29, 2024 - New Linux Bug Could Lead to User Password Leaks and Clipboard Hijacking
• March 28, 2024 - Decade-old Linux ‘wall’ bug helps make fake SUDO prompts, steal passwords
• March 28, 2024 - CVE-2024-28085: Critical 'WallEscape' Flaw Discovered in Linux Utilities Package – Passwords at Risk

CVE-2024-2887

CVSS Not Assigned EPSS Score 0.04 EPSS Percentile 13.25

Risk Context N/A

Published: March 26, 2024

Type Confusion in WebAssembly in Google Chrome prior to 123.0.6312.86 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Quotes

• The Stable channel has been updated to 123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 to Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log

Headlines

• March 28, 2024 - Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024
• March 27, 2024 - Google fixes Chrome zero-days exploited at Pwn2Own 2024
• March 27, 2024 - Google Chrome Update Patches High-Risk Vulnerabilities

CVE-2024-2886

CVSS Not Assigned EPSS Score 0.04 EPSS Percentile 13.25

Risk Context N/A

Published: March 26, 2024

Use after free in WebCodecs in Google Chrome prior to 123.0.6312.86 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)

Quotes

• The Stable channel has been updated to 123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 to Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log

Headlines

• March 28, 2024 - Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024
• March 27, 2024 - Google fixes Chrome zero-days exploited at Pwn2Own 2024
• March 27, 2024 - Google Chrome Update Patches High-Risk Vulnerabilities