The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution. It was fixed in version 2.1.
Details of the issue first came to light in April 2023, with Horizon3.ai's Naveen Sunkavally describing it as a "dangerous default configuration in Apache Superset that allows an unauthenticated attacker to gain remote code execution, harvest credentials, and compromise data."
It's currently not known how the vulnerability is being exploited in the wild. Also added by CISA are five other flaws –
- CVE-2023-38203 (CVSS score: 9.8) – Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
- CVE-2023-29300 (CVSS score: 9.8) – Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
- CVE-2023-41990 (CVSS score: 7.8) – Apple Multiple Products Code Execution Vulnerability
- CVE-2016-20017 (CVSS score: 9.8) – D-Link DSL-2750B Devices Command Injection Vulnerability
- CVE-2023-23752 (CVSS score: 5.3) – Joomla! Improper Access Control Vulnerability
It's worth noting that CVE-2023-41990, patched by Apple in iOS 15.7.8 and iOS 16.3, was used by unknown actors as part of Operation Triangulation spyware attacks to achieve remote code execution when processing a specially crafted iMessage PDF attachment.
Federal Civilian Executive Branch (FCEB) agencies have been recommended to apply fixes for the aforementioned bugs by January 29, 2024, to secure their networks against active threats.
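A KEV addition only helps if it is matched against what is actually deployed. The following is an added example (my own code, not CISA tooling and not from the article) that indexes a KEV-style feed by CVE, joins it against scanner findings, and reports how many days remain before the CISA due date for each affected asset. The feed shape and field names (cveID, vendorProject, product, dueDate) are assumed to follow CISA's public KEV JSON feed; the sample entries are built from the article's list, and the hostnames, scanner output and the placeholder CVE-2099-0001 are constructed.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (assumed field names:
# cveID, vendorProject, product, dueDate). Entries mirror the article above;
# the real feed carries more fields and far more entries.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2023-27524", "vendorProject": "Apache", "product": "Superset", "dueDate": "2024-01-29"},
        {"cveID": "CVE-2023-38203", "vendorProject": "Adobe", "product": "ColdFusion", "dueDate": "2024-01-29"},
        {"cveID": "CVE-2023-29300", "vendorProject": "Adobe", "product": "ColdFusion", "dueDate": "2024-01-29"},
        {"cveID": "CVE-2023-41990", "vendorProject": "Apple", "product": "Multiple Products", "dueDate": "2024-01-29"},
        {"cveID": "CVE-2016-20017", "vendorProject": "D-Link", "product": "DSL-2750B", "dueDate": "2024-01-29"},
        {"cveID": "CVE-2023-23752", "vendorProject": "Joomla!", "product": "Joomla!", "dueDate": "2024-01-29"},
    ],
})

# Constructed scanner output: which asset still carries which unpatched CVE.
# CVE-2099-0001 is a placeholder that is deliberately absent from the KEV sample.
SCAN_FINDINGS = [
    {"asset": "bi-01.example.internal", "cve": "CVE-2023-27524"},
    {"asset": "cf-app.example.internal", "cve": "CVE-2023-38203"},
    {"asset": "cf-app.example.internal", "cve": "CVE-2099-0001"},
    {"asset": "edge-router.example.internal", "cve": "CVE-2016-20017"},
]


def load_kev(kev_json: str) -> dict[str, dict]:
    """Index a KEV feed by CVE ID so findings can be joined in O(1)."""
    feed = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def triage(kev_json: str, findings: list[dict], today: str) -> list[dict]:
    """Return scanner findings that are in KEV, most urgent first.

    `today` is an ISO date string; days_left is negative once the CISA
    due date has passed.
    """
    kev = load_kev(kev_json)
    as_of = date.fromisoformat(today)
    hits = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        if entry is None:
            continue  # not known-exploited per CISA: normal patch cadence applies
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "asset": finding["asset"],
            "cve": finding["cve"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "due": entry["dueDate"],
            "days_left": (due - as_of).days,
        })
    hits.sort(key=lambda h: (h["days_left"], h["cve"]))
    return hits


def overdue(hits: list[dict]) -> list[dict]:
    """Subset of triaged hits whose CISA due date has already passed."""
    return [h for h in hits if h["days_left"] < 0]


if __name__ == "__main__":
    for h in triage(KEV_SAMPLE, SCAN_FINDINGS, "2024-01-10"):
        print(f"{h['days_left']:4d} days  {h['cve']:16s} {h['product']:24s} {h['asset']}")
```

Findings that are not in KEV are dropped from the urgent list rather than reported, which keeps the output focused on what CISA has evidence is being exploited; a real deployment would download the live feed instead of embedding a sample and would also carry the scanner's own severity for the non-KEV remainder.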
