This weekly blog post is compiled via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.
There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.
We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.
If you are feeling generous, please do make us aware of anything you spot: feel free to follow us on Twitter @sosintel and DM us. Thank you!
1. CVE-2024-26247
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2024-26247
2. CVE-2023-29057
A valid XCC user’s local account permissions override their Active Directory permissions under specific configurations. This could lead to a privilege escalation. To be vulnerable, LDAP must be configured for authentication/authorization and logins configured as “Local First, then LDAP”.
https://nvd.nist.gov/vuln/detail/CVE-2023-29057
3. CVE-2024-26167
Microsoft Edge for Android Spoofing Vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2024-26167
4. CVE-2024-26163
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2024-26163
5. CVE-2024-26246
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2024-26246
6. CVE-2024-27198
In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing admin actions to be performed was possible.
https://nvd.nist.gov/vuln/detail/CVE-2024-27198
7. CVE-2023-23397
Microsoft Outlook Elevation of Privilege Vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2023-23397
8. CVE-2023-6875
The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access to data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.
https://nvd.nist.gov/vuln/detail/CVE-2023-6875
9. CVE-2024-21762
An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, and FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows an attacker to execute unauthorized code or commands via specifically crafted requests.
https://nvd.nist.gov/vuln/detail/CVE-2024-21762
10. CVE-2024-1512
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to union-based SQL Injection via the ‘user’ parameter of the /lms/stm-lms/order/items REST route in all versions up to, and including, 3.2.5 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.
https://nvd.nist.gov/vuln/detail/CVE-2024-1512