The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities in question are as follows –
- CVE-2024-49035 (CVSS score: 8.7) – An improper access control vulnerability in Microsoft Partner Center that allows an attacker to escalate privileges. (Fixed in November 2024)
- CVE-2023-34192 (CVSS score: 9.0) – A cross-site scripting (XSS) vulnerability in Synacor ZCS that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. (Fixed in July 2023 with version 8.8.15 Patch 40)

Last year, Microsoft acknowledged that CVE-2024-49035 had been exploited in the wild, but did not reveal any additional details on how it was weaponized in real-world attacks. There are currently no public reports about in-the-wild abuse of CVE-2023-34192.
In light of the development, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the necessary updates by March 18, 2025, to secure their networks.
The development comes a day after CISA added two security flaws impacting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.