
Alerts

Multiple critical vulnerabilities affecting WordPress plugins (CVE-2024-3604, CVE-2024-6314, CVE-2024-6313, CVE-2024-6365)

Advisory No: TZCERT/SA/2024/07/10-2

Date of First Release: 10th July 2024

Source: Wordfence

Software Affected: osm (OSM OpenStreetMap) up to 6.0.2, iq-testimonials (IQ Testimonials) up to 2.2.7, forms-gutenberg (Gutenberg Forms) up to 2.2.9, woo-product-tables (Product Table by WBW) up to 2.0.1

Overview:

Four WordPress plugins are affected by critical vulnerabilities. Three of them can be exploited without authentication and lead to remote code execution (two through arbitrary file upload, one directly); the fourth is an SQL injection that requires a Contributor-level account.

Description:

The following four WordPress plugins are affected:

  1. osm (OSM OpenStreetMap), CVE-2024-3604: authenticated (Contributor or higher) SQL injection caused by insufficient escaping of a user-supplied parameter and lack of sufficient preparation on the existing SQL query. A logged-in contributor can append additional SQL to the query and extract data from the database.
  2. iq-testimonials (IQ Testimonials), CVE-2024-6314: unauthenticated arbitrary file upload caused by insufficient file type validation in the 'process_image_upload' function.
  3. forms-gutenberg (Gutenberg Forms), CVE-2024-6313: unauthenticated arbitrary file upload because the 'upload' function lets the requester specify which file types are allowed.
  4. woo-product-tables (Product Table by WBW), CVE-2024-6365: unauthenticated remote code execution caused by missing authorization and lack of sanitization of the data appended to the languages/customTitle.php file.

In the last three cases an unauthenticated attacker can place PHP code on the server (by uploading a web shell, or by writing into customTitle.php) and execute arbitrary code.
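The two file-upload flaws above come down to the upload handler letting the request drive the file type decision. The Python below is an added illustration of that flaw class beside a hardened check; it is not code from IQ Testimonials, Gutenberg Forms or any other plugin, the function names and sample uploads are constructed for this example, and it uses Python rather than the plugins' PHP so that it runs offline.

```python
"""Illustration of the arbitrary-file-upload flaw class in the advisory above.
Added example, not code from any of the plugins: function names, allowlist and
sample uploads are hypothetical and constructed for this demonstration."""

import os

# Server-side allowlist: permitted extension -> magic bytes the content must begin with.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

PHP_OPEN_TAGS = (b"<?php", b"<?=")


def upload_accepted_vulnerable(filename, data, client_allowed_types=None):
    """Flawed pattern: the requester may supply the allowed-types list (the
    shape of the Gutenberg Forms 'upload' flaw) and only the name is inspected,
    never the content. Sending allowed_types=['php'] with shell.php is accepted."""
    allowed = client_allowed_types or list(IMAGE_SIGNATURES)
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in allowed


def upload_accepted_hardened(filename, data):
    """The server decides the allowlist; extension and content must agree."""
    base = os.path.basename(filename)          # ignore any directory components
    if base.count(".") != 1:                   # no extension, or double extension such as shell.php.png
        return False
    ext = base.rsplit(".", 1)[1].lower()
    signature = IMAGE_SIGNATURES.get(ext)
    if signature is None:                      # not on the server-side allowlist
        return False
    if not data.startswith(signature):         # declared type must match the bytes
        return False
    if any(tag in data for tag in PHP_OPEN_TAGS):  # defence in depth against image/PHP polyglots
        return False
    return True


# Constructed sample uploads.
PNG_FILE = b"\x89PNG\r\n\x1a\n" + bytes(32)
WEBSHELL = b"<?php system($_GET['cmd']); ?>"
POLYGLOT = b"GIF89a" + WEBSHELL


if __name__ == "__main__":
    print(upload_accepted_vulnerable("shell.php", WEBSHELL, ["php"]))   # True: client chose the allowlist
    print(upload_accepted_hardened("shell.php", WEBSHELL))              # False
    print(upload_accepted_hardened("shell.php.png", PNG_FILE))          # False: double extension
    print(upload_accepted_hardened("avatar.gif", POLYGLOT))             # False: PHP tag inside image
    print(upload_accepted_hardened("avatar.png", PNG_FILE))             # True
```

In a WordPress plugin the equivalent server-side checks are a capability check with current_user_can() before accepting the upload and wp_check_filetype_and_ext() for the type decision, combined with a server configuration that does not execute PHP from the uploads directory. The hardened checker above deliberately rejects names with more than one dot, which also blocks double-extension tricks such as shell.php.png.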

Impact:

Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected site or, in the case of the SQL injection flaw, to extract sensitive information from its database.

Solution:

Users and administrators are encouraged to update the affected plugins to the patched versions referenced in the Wordfence advisories below, and to deactivate and remove any plugin for which no patched version is available.

References:

  1. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/osm/osm-openstreetmap-602-authenticated-contributor-sql-injection
  2. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/iq-testimonials/iq-testimonials-227-unauthenticated-arbitrary-file-upload
  3. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/forms-gutenberg/gutenberg-forms-229-unauthenticated-arbitrary-file-upload
  4. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woo-product-tables/product-table-by-wbw-201-unauthenticated-remote-code-execution

Critical vulnerabilities in multiple IBM products (CVE-2024-1597, CVE-2022-46337)

Advisory No: TZCERT/SA/2024/07/10-1

Date of First Release: 10th July 2024

Source: IBM

Software Affected: PostgreSQL JDBC Driver (pgjdbc), Apache Derby

Overview:

Multiple IBM products that depend on the PostgreSQL JDBC Driver and Apache Derby are affected by critical vulnerabilities. Attackers can exploit them to read or modify database contents through SQL injection, or to bypass LDAP authentication.

Description:

Multiple IBM products that bundle the PostgreSQL JDBC Driver (pgjdbc) or Apache Derby are affected by two critical vulnerabilities, tracked as CVE-2024-1597 (CVSS base score 10) and CVE-2022-46337 (CVSS base score 9.1) respectively. CVE-2024-1597 is an SQL injection in the PostgreSQL JDBC Driver that is reachable only when the non-default connection property preferQueryMode=simple is used together with application code whose SQL negates a parameter value, that is, places a '?' placeholder for a numeric value directly after a minus sign with a second, string-valued placeholder later on the same line. In simple query mode the driver substitutes parameter values into the query text on the client instead of sending them separately, so a negative numeric value such as -1 turns the preceding minus sign into a '--' line comment, the opening quote of the following string literal is commented out, and the remainder of that string is parsed as SQL. The default extended query mode is not affected. CVE-2022-46337 is an LDAP injection in the Apache Derby LDAP authenticator: a specially crafted username can bypass the LDAP authentication checks. An attacker who can reach an affected service can therefore inject SQL or bypass authentication; neither flaw on its own is a direct arbitrary code execution.
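The mechanism behind CVE-2024-1597 is easiest to see by modelling what a simple-query-mode driver does with parameters. The Python below is an added illustration, not pgjdbc code: it renders parameters into the query text the way simple mode must, then re-parses the result the way the server would (honouring quoted literals and '--' comments) to show how many statements actually execute. The query, the payload and the parenthesized-negative rendering are constructed for this example; parenthesizing negatives is one defensive rendering chosen here, not a claim about the upstream patch.

```python
"""Toy model of the client-side parameter interpolation that makes
CVE-2024-1597 possible. Added illustration, not pgjdbc code: pgjdbc's real
simple-mode renderer parses placeholders properly, this one just splits on '?'."""


def render_literal(value, parenthesize_negatives=False):
    """Render one parameter as an SQL literal, as a simple-query-mode driver
    must (the server never receives the parameter out of band)."""
    if isinstance(value, str):
        return "'" + value.replace("'", "''") + "'"   # double embedded quotes
    if isinstance(value, (int, float)):
        text = str(value)
        if parenthesize_negatives and value < 0:
            return "(" + text + ")"   # keeps '-' + '-1' from becoming a '--' comment
        return text
    raise TypeError(f"unsupported parameter type: {type(value).__name__}")


def interpolate(sql, params, parenthesize_negatives=False):
    """Substitute '?' placeholders on the client (simple query mode)."""
    parts = sql.split("?")
    if len(parts) - 1 != len(params):
        raise ValueError("placeholder/parameter count mismatch")
    out = [parts[0]]
    for value, tail in zip(params, parts[1:]):
        out.append(render_literal(value, parenthesize_negatives))
        out.append(tail)
    return "".join(out)


def effective_statements(sql):
    """Return the statements a PostgreSQL parser would actually execute:
    honours '...' literals (with '' escapes) and '--' line comments, and
    splits on ';' outside literals."""
    statements, current = [], []
    in_string = False
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if in_string:
            if ch == "'" and sql[i + 1:i + 2] == "'":
                current.append("''")
                i += 2
                continue
            if ch == "'":
                in_string = False
            current.append(ch)
            i += 1
            continue
        if ch == "'":
            in_string = True
            current.append(ch)
        elif sql.startswith("--", i):
            newline = sql.find("\n", i)   # comment runs to end of line
            i = n if newline == -1 else newline
            continue
        elif ch == ";":
            text = "".join(current).strip()
            if text:
                statements.append(text)
            current = []
        else:
            current.append(ch)
        i += 1
    text = "".join(current).strip()
    if text:
        statements.append(text)
    return statements


# Vulnerable shape from the advisory: a negated numeric placeholder followed by
# a string placeholder on the same line.
QUERY = "SELECT -?, ?"

# Constructed attacker-controlled parameter values: -1 produces '--', and the
# string carries a newline so the injected SQL lands on a fresh line.
PAYLOAD = [-1, "\n; DROP TABLE users; --"]


def demo():
    """Return (statements with naive rendering, statements with negatives parenthesized)."""
    unsafe = interpolate(QUERY, PAYLOAD)
    safe = interpolate(QUERY, PAYLOAD, parenthesize_negatives=True)
    return effective_statements(unsafe), effective_statements(safe)


if __name__ == "__main__":
    unsafe_stmts, safe_stmts = demo()
    print("simple mode, naive rendering:", unsafe_stmts)        # ['SELECT', 'DROP TABLE users']
    print("simple mode, negatives parenthesized:", safe_stmts)  # one SELECT statement
```

Running it yields two statements for the naive rendering (SELECT followed by DROP TABLE users) and one for the defensive rendering, because the parentheses keep the minus sign and the negative value apart. The real remediation is to upgrade the driver and to leave preferQueryMode at its default, where the extended query protocol sends parameter values to the server separately and no client-side rendering takes place.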

Impact:

Successful exploitation of these vulnerabilities may allow an attacker to read or tamper with data in the affected database, or to bypass authentication to the affected system.

Solution:

IBM has released fixes for the affected products. Users and administrators are encouraged to apply the updates listed in the IBM security bulletins. Until the PostgreSQL JDBC Driver is updated, applications should not set preferQueryMode=simple, since the default extended query mode is not affected by CVE-2024-1597.

References:

  1. https://exchange.xforce.ibmcloud.com/vulnerabilities/283693
  2. https://exchange.xforce.ibmcloud.com/vulnerabilities/271915

TZCERT-SU-24-0714 (Mageia Security Update)

Mageia has released security updates to address vulnerabilities in several of its packages. Exploitation of these vulnerabilities may allow an attacker to take control of an affected system.

Users and Administrators are encouraged to review Mageia Security Advisories dated 9th July 2024 and apply necessary updates.

TZCERT-SU-24-0713 (Cisco Security Update)

Cisco has released security updates to address the OpenSSH server vulnerability CVE-2024-6387 (regreSSHion) in affected Cisco products. Exploitation of this vulnerability may allow an unauthenticated remote attacker to execute arbitrary code with root privileges and take control of an affected system.

Users and Administrators are encouraged to review Cisco Security Advisory and apply necessary updates.

TZCERT-SU-24-0712 (Mageia Security Update)

Mageia has released security updates to address vulnerabilities in several of its packages. Exploitation of these vulnerabilities may allow an attacker to take control of an affected system.

Users and Administrators are encouraged to review Mageia Security Advisories dated 9th July 2024 and apply necessary updates.