The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

CVE-2024-1709

• Severity: CRITICAL (CVSS: 10.0)
• Impacted Products: ConnectWise ScreenConnect 23.9.7 and prior
• Description: Authentication Bypass Using an Alternate Path or Channel vulnerability, may allow direct access to confidential information or critical systems.
• Remediation: Patch on-premise instances. Cloud instances patched already by vendor.
• More Info: NVD - CVE-2024-1709, Huntress Blog
• PoC: https://github.com/W01fh4cker/ScreenConnect-AuthBypass-RCE/

CVE-2022-4262

• Severity: 8.8 HIGH
• Impacted Products: Google Chrome versions prior to 108.0.5359.94
• Description: Type confusion in V8 allowed remote attackers to potentially exploit heap corruption via a crafted HTML page.
• Remediation: Apply updates per vendor instructions.
• More Info: NVD - CVE-2022-4262
• PoC: https://github.com/mistymntncop/CVE-2022-4262/blob/main/exploit.js

CVE-2024-21412

• Severity: 8.1 HIGH
• Impacted Products: Windows 10/11/Server
• Description: Internet Shortcut Files Smart Screen Bypass Vulnerability.
• Remediation: Refer to Microsoft’s guidance for mitigations or patches.
• More Info: NVD - CVE-2024-21412
• PoC: https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html

References

This list was scraped from the quite amazing and highly recommended newsletters below:

• ~this week in security~
• Unsupervised Learning
• @RISK
• Hive Five
• Vulnerable U
• tl;dr sec

Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.