The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

N.B. this week, there were a few prototype pollution vulns on open source projects that basically nobody uses. I’ve compiled them this time but in future, if an impacted product has no users, you won’t see it here.

CVE-2024-32113

• Severity: 9.8: CRITICAL
• Impacted Products: Apache OFBiz < 18.12.13.
• Description: Path traversal vulnerability leading to RCE.
• Remediation: Upgrade to 18.12.13 which fixes the issue.
• More Info: CVE-2024-32113
• PoC: https://github.com/YongYe-Security/CVE-2024-32113/

CVE-2024-7314

• Severity: Awaiting analysis.
• Impacted Products: Incomplete info available.
• Description: anji-plus AJ-Report is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append “;swagger-ui” to HTTP requests to bypass authentication and execute arbitrary Java on the victim server.
• Remediation: Follow developer guidance.
• More Info: CVE-2024-7314
• PoC: https://github.com/vulhub/vulhub/tree/master/aj-report/CNVD-2024-15077/

CVE-2024-6782

• Severity: Awaiting analysis.
• Impacted Products: Calibre 6.9.0 ~ 7.14.0.
• Description: Improper access control in Calibre 6.9.0 ~ 7.14.0 allow unauthenticated attackers to achieve remote code execution.
• Remediation: Follow developer guidance.
• More Info: CVE-2024-6782
• PoC: https://starlabs.sg/advisories/24/24-6782/

CVE-2024-39011

• Severity: 9.8: CRITICAL
• Impacted Products: redoc v2.0.9-rc.69.
• Description: Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the function mergeObjects.
• Remediation: Follow developer guidance.
• More Info: CVE-2024-39011
• PoC: https://gist.github.com/mestrtee/693ef1c8b0a5ff1ae19f253381711f3e

CVE-2024-39010

• Severity: 9.8: CRITICAL
• Impacted Products: chase-moskal snapstate v0.0.9.
• Description: chase-moskal snapstate v0.0.9 was discovered to contain a prototype pollution via the function attemptNestedProperty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
• Remediation: Follow developer guidance.
• More Info: CVE-2024-39010
• PoC: https://gist.github.com/mestrtee/af7a746df91ab5e944bd7a186816c262

CVE-2024-38986

• Severity: 9.8: CRITICAL
• Impacted Products: 75lb deep-merge 1.1.1.
• Description: Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge methods of lodash to merge objects.
• Remediation: Follow developer guidance.
• More Info: CVE-2024-38986
• PoC: https://github.com/75lb/deep-merge/issues/1

CVE-2024-38984

• Severity: 9.8: CRITICAL
• Impacted Products: lukebond json-override 0.2.0.
• Description: Prototype Pollution in lukebond json-override 0.2.0 allows attackers to to execute arbitrary code or cause a Denial of Service (DoS) via the proto property.
• Remediation: Follow developer guidance.
• More Info: CVE-2024-38984
• PoC: https://gist.github.com/mestrtee/97a9a7d73fc8b38fcf01322239dd5fb1

CVE-2024-37858

• Severity: 9.8: CRITICAL
• Impacted Products: Lost and Found Information System 1.0
• Description: SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the id parameter to php-lfis/admin/categories/manage_category.php.
• Remediation: Follow developer guidance.
• More Info: CVE-2024-37858
• PoC: https://packetstormsecurity.com/files/179079/CVE-2024-37858.py.txt

CVE-2024-36572

• Severity: 9.8: CRITICAL
• Impacted Products: allpro form-manager 0.7.4.
• Description: Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.
• Remediation: Follow developer guidance.
• More Info: CVE-2024-36572
• PoC: https://github.com/allpro/form-manager/issues/1

CVE-2024-36401

• Severity: Awaiting analysis.
• Impacted Products: Geotools prior to versions 2.23.6, 2.24.4, and 2.25.2.
• Description: Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
• Remediation: Follow developer guidance.
• More Info: CVE-2024-36401
• PoC: https://github.com/Niuwoo/CVE-2024-36401/

CVE-2024-32030 & CVE-2024-52251

• Severity: Awaiting analysis.
• Impacted Products: Apache Kafka UI prior to 0.7.2.
• Description: An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.
• Remediation: Follow developer guidance.
• More Info: CVE-2024-32030 CVE-2024-52251
• PoC: https://securitylab.github.com/advisories/GHSL-2023-229_GHSL-2023-230_kafka-ui/

References

This list was scraped from the quite amazing and highly recommended newsletters below:

• ~this week in security~
• Unsupervised Learning
• @RISK
• Hive Five
• Vulnerable U
• tl;dr sec

Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.