The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

CVE-2024-5806

• Severity: Awaiting analysis
• Impacted Products: MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.
• Description: Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.
• Remediation: Follow developer guidance.
• More Info: CVE-2024-5806
• PoC: https://github.com/watchtowrlabs/watchTowr-vs-progress-moveit_CVE-2024-5806/

CVE-2024-34102

• Severity: Awaiting analysis
• Impacted Products: Adobe Commerce and Magento versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier.
• Description: XXE vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
• Remediation: Follow developer guidance.
• More Info: CVE-2024-34102
• PoC: https://github.com/11whoami99/CVE-2024-34102/

References

This list was scraped from the quite amazing and highly recommended newsletters below:

• ~this week in security~
• Unsupervised Learning
• @RISK
• Hive Five
• Vulnerable U
• tl;dr sec

Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.