The U.S. CISA added three new vulnerabilities to its Known Exploited Vulnerabilities catalog.
Below is the list of the three added vulnerabilities:
- CVE-2023-36584 Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability
- CVE-2023-1671 Sophos Web Appliance Command Injection Vulnerability. This flaw is a pre-auth command injection issue that resides in the warn-proceed handler. It affects appliances older than version 18.104.22.168.
- CVE-2023-2551 Oracle Fusion Middleware Unspecified Vulnerability. The issue is a PHP Remote File Inclusion in the GitHub repository unilogies/bumsys prior to 2.1.1.
CISA orders federal agencies to fix these vulnerabilities by November 17, 2023.