PoC Week 2024-09-23

Posted on Sep 23, 2024

The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count. Older CVEs and those affecting open source projects with very small userbases aren’t listed.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

CVE-2024-8190

  • Severity: Awaiting analysis.
  • Impacted Products: Ivanti Cloud Services Appliance 4.6, Patch 518 and earlier
  • Description: An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.
  • Remediation: Follow developer guidance.
  • More Info: NVD - CVE-2024-8190
  • PoC: https://github.com/horizon3ai/CVE-2024-8190/

CVE-2024-38014

CVE-2024-8503

  • Severity: Awaiting analysis.
  • Impacted Products: VICIdial
  • Description: An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
  • Remediation: Follow developer guidance.
  • More Info: NVD - CVE-2024-8503
  • PoC: https://github.com/Chocapikk/CVE-2024-8504/

CVE-2024-44466

  • Severity: 9.8 CRITICAL
  • Impacted Products: COMFAST CF-XR11 V2.7.2
  • Description: COMFAST CF-XR11 V2.7.2 has a command injection vulnerability in function sub_424CB4. Attackers can send POST request messages to /usr/bin/webmgnt and inject commands into parameter iface.
  • Remediation: Follow developer guidance.
  • More Info: NVD - CVE-2024-44466
  • PoC: https://github.com/CurryRaid/iot_vul/tree/main/comfast

CVE-2024-29847

  • Severity: 9.8 CRITICAL
  • Impacted Products: Ivanti EPM before 2022 SU6, or the 2024 September update
  • Description: Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.
  • Remediation: Follow developer guidance.
  • More Info: NVD - CVE-2024-29847
  • PoC: https://github.com/sinsinology/CVE-2024-29847

References

This list was scraped from the quite amazing and highly recommended newsletters below:

Thanks for reading! For corrections or omissions (e.g. newsletter recs), feel free to get in touch.