The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

CVE-2024-32002

• Severity: 9 CRITICAL
• Impacted Products: Git prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4
• Description: Repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule’s worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed.
• Remediation: Upgrade git. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.
• More Info: CVE-2024-32002
• PoC: https://github.com/M507/CVE-2024-32002/

CVE-2024-3806

• Severity: 9.8 CRITICAL
• Impacted Products: Porto WP Theme up to and including 7.1.0
• Description: The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the ‘porto_ajax_posts’ function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
• Remediation: Check developer advice.
• More Info: CVE-2024-3806
• PoC: https://github.com/truonghuuphuc/CVE-2024-3806-AND-CVE-2024-3807-Poc

CVE-2024-32735

• Severity: 9.8 CRITICAL
• Impacted Products: CyberPower PowerPanel Enterprise < v2.8.3
• Description: An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application.
• Remediation: Check vendor advice.
• More Info: CVE-2024-32735
• PoC: https://www.tenable.com/security/research/tra-2024-14

CVE-2024-29895

• Severity: Awaiting Analysis
• Impacted Products: Cacti 1.3.x DEV branch
• Description: Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when register_argc_argv option of PHP is On.
• Remediation: Check developer advice.
• More Info: CVE-2024-29895
• PoC: https://github.com/Stuub/CVE-2024-29895-CactiRCE-PoC/

CVE-2023-45866

• Severity: 6.5 MEDIUM
• Impacted Products: Various BlueZ packages, e.g. bluez 5.64-0ubuntu1. Can lead to keystroke injection on Linux, MacOS or Android.
• Description: Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access.
• Remediation: Check developer advice.
• More Info: CVE-2023-45866
• PoC: https://github.com/marcnewlin/hi_my_name_is_keyboard

And a bonus PoC that I spotted this week but wasn’t in the newsletters yet as of this morning:

CVE-2024-27130

• Severity: Awaiting Analysis
• Impacted Products: WNAP QuTSCloud NAS
• Description: Buffer overflow leading to RCE as root.
• Remediation: Check developer advice.
• More Info: CVE-2024-27130 & writeup/walkthrough from watchtowr
• PoC: https://github.com/watchtowrlabs/CVE-2024-27130 - N.B. stack canaries and ASLR were disabled for the PoC so you’ll have to work around those manually to use it against a live target.

References

This list was scraped from the quite amazing and highly recommended newsletters below:

• ~this week in security~
• Unsupervised Learning
• @RISK
• Hive Five
• Vulnerable U
• tl;dr sec

Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.