The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities in question are as follows –
- CVE-2024-49035 (CVSS score: 8.7) – An improper access control vulnerability in Microsoft Partner Center that allows an attacker to escalate privileges. (Fixed in November 2024)
- CVE-2023-34192 (CVSS score: 9.0) – A cross-site scripting (XSS) vulnerability in Synacor ZCS that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. (Fixed in July 2023 with version 8.8.15 Patch 40)
Last year, Microsoft acknowledged that CVE-2024-49035 had been exploited in the wild, but did not reveal any additional details on how it was weaponized in real-world attacks. There are currently no public reports about in-the-wild abuse of CVE-2023-34192.
In light of the development, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the necessary updates by March 18, 2025, to secure their networks.
The development comes a day after CISA added two security flaws impacting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to the KEV catalog, based on evidence of active exploitation.