CISA Adds Microsoft and Zimbra Flaws to KEV Catalog Amid Active Exploitation


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerabilities in question are as follows -

  • CVE-2024-49035 (CVSS score: 8.7) - An improper access control vulnerability in Microsoft Partner Center that allows an attacker to escalate privileges. (Fixed in November 2024)
  • CVE-2023-34192 (CVSS score: 9.0) - A cross-site scripting (XSS) vulnerability in Synacor ZCS that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. (Fixed in July 2023 with version 8.8.15 Patch 40)

Last year, Microsoft acknowledged that CVE-2024-49035 had been exploited in the wild, but did not reveal any additional details on how it was weaponized in real-world attacks. There are currently no public reports about in-the-wild abuse of CVE-2023-34192.

In light of the development, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the necessary updates by March 18, 2025, to secure their networks.
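A KEV due-date check is the routine a defender actually runs against a mandate like the one above: match an asset inventory against the catalog and report which assets carry a listed CVE and how many days remain before (or since) the remediation deadline. The script below is an added example, not code from the article or from CISA. It uses the real field names of CISA's KEV JSON feed (cveID, vendorProject, product, vulnerabilityName, dueDate), but the two feed entries and the three-row inventory are constructed from this article for offline use; in practice the feed text would be fetched from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, which carries more fields than shown here.

```python
import json
from datetime import datetime

# Constructed sample in the shape of CISA's KEV JSON feed. Field names are the
# real feed's; the entries are built from this article, and the real feed
# carries additional fields (dateAdded, shortDescription, requiredAction, ...).
SAMPLE_KEV_FEED = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-49035",
            "vendorProject": "Microsoft",
            "product": "Partner Center",
            "vulnerabilityName": "Microsoft Partner Center Improper Access Control Vulnerability",
            "dueDate": "2025-03-18",
        },
        {
            "cveID": "CVE-2023-34192",
            "vendorProject": "Synacor",
            "product": "Zimbra Collaboration Suite (ZCS)",
            "vulnerabilityName": "Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability",
            "dueDate": "2025-03-18",
        },
    ]
})

# Constructed asset inventory: vendor/product pairs as an organisation might record them.
SAMPLE_INVENTORY = [
    {"asset": "mail-01", "vendor": "Synacor", "product": "Zimbra Collaboration Suite (ZCS)"},
    {"asset": "psa-portal", "vendor": "Microsoft", "product": "Partner Center"},
    {"asset": "wiki-01", "vendor": "ExampleCorp", "product": "Wiki"},  # not in KEV
]


def _norm(s):
    """Normalise vendor/product strings so inventory spelling variants still match."""
    return " ".join(s.strip().lower().split())


def load_kev(feed_text):
    """Parse KEV JSON text into a list of entries with normalised keys and a parsed due date."""
    entries = []
    for v in json.loads(feed_text)["vulnerabilities"]:
        entries.append({
            "cveID": v["cveID"],
            "vendor": _norm(v["vendorProject"]),
            "product": _norm(v["product"]),
            "name": v.get("vulnerabilityName", ""),
            "dueDate": datetime.strptime(v["dueDate"], "%Y-%m-%d").date(),
        })
    return entries


def kev_findings(kev_entries, inventory, today):
    """Match inventory rows to KEV entries by vendor+product and report due-date status.

    `today` is an ISO date string (YYYY-MM-DD). Returns one finding per
    (asset, CVE) pair, most urgent first.
    """
    today_d = datetime.strptime(today, "%Y-%m-%d").date()
    findings = []
    for asset in inventory:
        vendor, product = _norm(asset["vendor"]), _norm(asset["product"])
        for entry in kev_entries:
            if entry["vendor"] == vendor and entry["product"] == product:
                days_left = (entry["dueDate"] - today_d).days
                findings.append({
                    "asset": asset["asset"],
                    "cveID": entry["cveID"],
                    "name": entry["name"],
                    "dueDate": entry["dueDate"].isoformat(),
                    "days_left": days_left,
                    "overdue": days_left < 0,
                })
    # Overdue items first, then nearest deadline, then CVE id for a stable order.
    findings.sort(key=lambda f: (not f["overdue"], f["days_left"], f["cveID"]))
    return findings


def overdue_cves(findings):
    """Distinct CVE ids whose remediation deadline has already passed."""
    return sorted({f["cveID"] for f in findings if f["overdue"]})


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_FEED)
    for f in kev_findings(entries, SAMPLE_INVENTORY, "2025-03-10"):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']} day(s) left"
        print(f"{f['asset']:<12} {f['cveID']:<16} due {f['dueDate']}  {status}")
```

Matching on vendor and product is deliberately loose (whitespace and case are normalised) because inventory systems rarely spell product names exactly as the KEV feed does; a stricter deployment would map inventory entries to the feed's vendorProject/product values once and key on that mapping.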

The development comes a day after CISA added two security flaws impacting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
