Security Vulnerabilities - CVEs Published In September 2024
An incorrectly implemented authentication scheme that is subjected to a spoofing attack in the management console of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges.
CVSS Score
8.8
EPSS Score
0.001
Published
2024-09-10
Cleartext transmission of sensitive information in the management console of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to obtain OS credentials.
CVSS Score
8.2
EPSS Score
0.0
Published
2024-09-10
The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.
CVSS Score
10.0
EPSS Score
0.126
Published
2024-09-10
cross-site scripting (XSS) vulnerability in Gibbon Core v26.0.00 allows an attacker to execute arbitrary code via the imageLink parameter in the library_manage_catalog_editProcess.php component.
CVSS Score
6.1
EPSS Score
0.004
Published
2024-09-10
An arbitrary file upload vulnerability in the component /admin/index.php of moziloCMS v3.0 allows attackers to execute arbitrary code via uploading a crafted file.
CVSS Score
7.2
EPSS Score
0.023
Published
2024-09-10
A reflected cross-site scripting (XSS) vulnerability in moziloCMS v3.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
CVSS Score
6.1
EPSS Score
0.001
Published
2024-09-10
Microsoft Outlook for iOS Information Disclosure Vulnerability
CVSS Score
6.5
EPSS Score
0.038
Published
2024-09-10
Windows Mark of the Web Security Feature Bypass Vulnerability
CVSS Score
6.5
EPSS Score
0.053
Published
2024-09-10
Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024—KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability.
This servicing stack vulnerability is addressed by installing the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order.
Note: Windows 10, version 1507 reached the end of support (EOS) on May 9, 2017 for devices running the Pro, Home, Enterprise, Education, and Enterprise IoT editions. Only Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB editions are still under support.
CVSS Score
9.8
EPSS Score
0.155
Published
2024-09-10
Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability
CVSS Score
7.8
EPSS Score
0.007
Published
2024-09-10