
The US CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- CVE-2024-4879 ServiceNow Improper Input Validation Vulnerability. ServiceNow Utah, Vancouver, and Washington DC Now releases contain a Jelly template injection vulnerability in UI macros. An unauthenticated user could exploit this vulnerability to execute code remotely.
- CVE-2024-5217 ServiceNow Incomplete List of Disallowed Inputs Vulnerability. ServiceNow Washington DC, Vancouver, and earlier Now Platform releases contain an incomplete list of disallowed inputs vulnerability in the GlideExpression script. An unauthenticated user could exploit this vulnerability to execute code remotely.
- CVE-2023-45249 Acronis Cyber Infrastructure (ACI) Insecure Default Password Vulnerability. Acronis Cyber Infrastructure (ACI) allows an unauthenticated user to execute commands remotely due to the use of default passwords.

Federal and other government agencies should remediate these vulnerabilities by 19th October 2024.


