September 20, 2024 at 01:33AM Ivanti disclosed active exploitation of a critical security flaw in Cloud Service Appliance (CSA), with remote unauthenticated attacker access. The vulnerability, CVE-2024-8963, carries a CVSS score of 9.4 and can be combined with CVE-2024-8190 for arbitrary command execution. CSA 4.6 Patch 519 and CSA 5.0 address the issue. CISA has … Read more
September 12, 2024 at 02:38PM Adobe’s patch for a remote code execution bug in Acrobat downplays the severity of a vulnerability, failing to mention it is considered a zero-day with a proof-of-concept exploit. Despite a CVSS base score of 7.8, a warning highlights its critical nature. Adobe has confirmed the need for a secondary fix. … Read more
August 22, 2024 at 02:00AM GitHub has addressed three security flaws in its Enterprise Server product, including a critical bug (CVE-2024-6800) that could grant an attacker site administrator privileges. Two medium-severity flaws have also been resolved (CVE-2024-7711, CVE-2024-6337). Users are urged to update to the latest versions (3.13.3, 3.12.8, 3.11.14, and 3.10.16) to mitigate potential … Read more
August 10, 2024 at 01:45AM Microsoft has disclosed an unpatched zero-day in Office (CVE-2024-38200) that could lead to unauthorized disclosure of sensitive information to malicious actors. A patch is expected on August 13, with an alternative fix already enabled. Three mitigation strategies have been outlined. Microsoft is also working on addressing other zero-day flaws in … Read more
June 4, 2024 at 11:07AM Progress Software has released updates to address a critical security flaw in Telerik Report Server, allowing potential bypass of authentication and creation of rogue administrator users. Tracked as CVE-2024-4358, the flaw carries a high CVSS score of 9.8. Users are urged to update to version 2024 Q2 and review user … Read more
June 4, 2024 at 08:39AM A critical vulnerability (CVE-2024-4358, CVSS 9.8) in Progress Software’s Telerik Report Server allows remote attackers to bypass authentication, creating an admin user. An exploited deserialization flaw (CVE-2024-1800) enables remote code execution. Progress addressed both vulnerabilities in version 2024 Q1 (10.0.24.305). Users should update promptly to prevent exploitation. Based on the … Read more
May 22, 2024 at 03:35AM GitHub patched a critical security flaw in its Enterprise Server software with the release of version p3.13.0, impacting instances using SAML SSO authentication. The bug, CVE-2024-4985, allows attackers to gain admin privileges when encrypted assertions are enabled. Microsoft-owned GitHub learned about the flaw through its bug bounty program, rewarding the … Read more
April 17, 2024 at 02:38PM Ivanti has released 27 fixes for vulnerabilities in its 2024 first-quarter release. None are actively exploited. Users are advised to download the Avalanche installer and update to version 6.4.3 to apply the fixes. The vulnerabilities have CVSS scores ranging from 4.3 to 9.8. Ivanti recommends users keep their MSSQL database … Read more
February 15, 2024 at 06:45AM A critical vulnerability in Exchange Server (CVE-2024-21410) is actively exploited, enabling privilege escalation and NTLM hash relay attacks. Microsoft issued a warning and released Exchange Server 2019 CU14 to address the flaw. Furthermore, Check Point disclosed another critical-severity Outlook vulnerability (CVE-2024-21413) allowing remote code execution through crafted hyperlinks. Both companies … Read more
January 30, 2024 at 11:36AM GitLab released fixes for a critical security flaw (CVE-2024-0402) in its Community and Enterprise Editions, allowing unauthorized writing of files. Patches have been backported, and additional medium-severity flaws were resolved. Users are urged to upgrade to the latest version promptly. This follows recent fixes to address critical vulnerabilities in the … Read more