
The US CISA adds nine vulnerabilities to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation
CVE-2024-27348 Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code.
CVE-2020-0618 Microsoft SQL Server Reporting Services contains a deserialization vulnerability caused by incorrect handling of page requests. An authenticated attacker can exploit this vulnerability to execute code in the context of the Report Server service account.
CVE-2019-1069 Microsoft Windows Task Scheduler Privilege Escalation Vulnerability: Microsoft Windows Task Scheduler contains a privilege escalation vulnerability in the way that the SetJobFileSecurityByName() function is used that can allow an authenticated attacker to gain SYSTEM privileges on an affected system.
CVE-2022-21445 Oracle JDeveloper, a product within the Fusion Middleware suite, contains a deserialization vulnerability in the ADF Faces component, leading to unauthenticated remote code execution.
CVE-2020-14644 Oracle WebLogic Server, a product within the Fusion Middleware suite, contains a deserialization vulnerability. Unauthenticated attackers with network access via T3 or IIOP can exploit this vulnerability to achieve remote code execution.
CVE-2014-0497 Adobe Flash Player contains an integer underflow vulnerability that allows a remote attacker to execute arbitrary code.
CVE-2013-0643 Adobe Flash Player contains an incorrect default permissions vulnerability in the Firefox sandbox that allows a remote attacker to execute arbitrary code via crafted SWF content.
CVE-2013-0648 Adobe Flash Player contains an unspecified vulnerability in the ExternalInterface ActionScript functionality that allows a remote attacker to execute arbitrary code via crafted SWF content.
CVE-2014-0502 Adobe Flash Player contains a double free vulnerability that allows a remote attacker to execute arbitrary code.
CISA is urging all federal agencies to remediate the above vulnerabilities on their networks by the respective due dates of October 8 and October 9, 2024. This directive is crucial to mitigate the risk of active threats that could compromise sensitive government data and disrupt critical operations.


