CISA identifies six vulnerabilities: Apple, Apache, Adobe, D-Link, Joomla are under attack

CISA Flags 6 Vulnerabilities

The American Cybersecurity and Infrastructure Security Agency (CISA) did this added six security flaws in the known exploited vulnerabilities (KEV) catalogue, citing evidence of active exploitation.

This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability affecting the Apache Superset open-source data visualization software that could enable remote code execution. It is fixed in version 2.1.

Details of the issue first came to light in April 2023, when Horizon3.ai’s Naveen Sunkavally described it as a “dangerous default configuration in Apache Superset that could allow an unauthenticated attacker to execute remote code, collect credentials, and compromise data .”

It is currently unknown how the vulnerability is being exploited in the wild. Also added by CISA are five other deficiencies:

  • CVE-2023-38203 (CVSS Score: 9.8) – Adobe ColdFusion Deserialization Untrusted Data Vulnerability
  • CVE-2023-29300 (CVSS Score: 9.8) – Adobe ColdFusion Deserialization Untrusted Data Vulnerability
  • CVE-2023-41990 (CVSS Score: 7.8) – Cross-product code execution vulnerability in Apple
  • CVE-2016-20017 (CVSS score: 9.8) – Command injection vulnerability in D-Link DSL-2750B devices
  • CVE-2023-23752 (CVSS score: 5.3) – Joomla! Improper access control vulnerability

It is worth noting that CVE-2023-41990, patched by Apple in iOS 15.7.8 and iOS 16.3, was used by unknown actors as part of Operation Triangulation spyware attacks to achieve remote code execution when processing a special crafted iMessage PDF attachment.

Federal Civilian Executive Branch (FCEB) agencies are recommended to implement fixes for the above bugs by January 29, 2024, to secure their networks from active threats.

 

#CISA #identifies #vulnerabilities #Apple #Apache #Adobe #DLink #Joomla #attack

Total
0
Shares
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
Previous Post
Apache OfBiz Vulnerability

New PoC exploit for Apache OfBiz vulnerability puts ERP systems at risk

Next Post
Windows Update

Microsoft’s January 2024 Windows Update fixes 48 new vulnerabilities

Related Posts