The US CISA has added Cisco ASA and FTD flaw, RoundCube Webmail flaw to its Known Exploited Vulnerabilities Catalog based on the evidence of active exploitation.
CVE-2024-20481
With a CVSS score of 5.8, Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a missing release of resource after effective lifetime vulnerability that could allow an unauthenticated, remote attacker to cause a denial-of-service (DoS) of the RAVPN service
This vulnerability is due to resource exhaustion. An attacker could exploit this vulnerability by sending a large number of VPN authentication requests to an affected device. A successful exploit could allow the attacker to exhaust resources, resulting in a DoS of the RAVPN service on the affected device. Depending on the impact of the attack, a reload of the device may be required to restore the RAVPN service. Services that are not related to VPN are not affected.
CVE-2024-37383
RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code
Customers should update their RoundCube Webmail version to 1.6.7 to protect from the exploitation.
CISA has set November 14, 2024, as a deadline for federal agencies to remediate.
