
The US CISA adds Microsoft, Metabase, Cisco, and Atlassian vulnerabilities to its Known Exploited Vulnerabilities Catalog based on evidence of mass exploitation.
CVE-2014-2120
This vulnerability has a CVSS score of 4.3 and is classified as CWE-79. Cisco Adaptive Security Appliance (ASA) contains a cross-site scripting (XSS) vulnerability in the WebVPN login page. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML via an unspecified parameter.
CVE-2021-26086
This vulnerability has a CVSS score of 5.4 and is classified as CWE-22. Atlassian Jira Server and Data Center contain a path traversal vulnerability that allows a remote attacker to read particular files in the /WEB-INF/web.xml endpoint.
CVE-2024-49039
This vulnerability has a CVSS score of 8.8 and is classified as CWE-287. Microsoft Windows Task Scheduler contains a privilege escalation vulnerability that can allow an attacker-provided local application to escalate privileges outside of its AppContainer and access privileged RPC functions. This is part of the November 2024 Patch Tuesday.
CVE-2024-43451
This vulnerability has a CVSS score of 6.5 and is classified as CWE-473. Microsoft Windows contains an NTLMv2 hash spoofing vulnerability that could result in disclosing a user's NTLMv2 hash to an attacker via a file open operation. The attacker could then leverage this hash to impersonate that user. This is part of the November 2024 Patch Tuesday.
CVE-2021-41277
This vulnerability has a CVSS score of 10 and is classified as CWE-200. Metabase contains a local file inclusion vulnerability in the custom map support in the API to read GeoJSON formatted
CISA set December 3, 2024, as a deadline for federal agencies to remediate the vulnerabilities.


