The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws affecting Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities in question are as follows:
- CVE-2024-49035 (CVSS score: 8.7) – An improper access control vulnerability in Microsoft Partner Center that allows an attacker to escalate privileges. (Fixed in November 2024)
- CVE-2023-34192 (CVSS score: 9.0) – A cross-site scripting (XSS) vulnerability in Synacor ZCS that allows a remote authenticated attacker to execute arbitrary code via a crafted script to /h/autoSaveDraft. (Fixed in July 2023 with version 8.8.15 Patch 40)
Last year, Microsoft acknowledged that CVE-2024-49035 had been exploited in the wild, but did not reveal any additional details about how it was weaponized in real-world attacks. There are currently no public reports of CVE-2023-34192 being abused.
In light of the development, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary updates by March 18, 2025, to secure their networks.
The development comes a day after CISA added two security flaws affecting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.