Control Gap Vulnerability Roundup: April 29th to May 5th

This week saw the publication of 294 new CVE IDs. Of those, 99 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 10% were of critical severity, 33% were high, 57% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

• The highly popular WordPress plugin, “Advanced Custom Fields”, which boasts more than 2 million users, was found to have been affected by an XSS vulnerability which would allow an unauthenticated attacker to conduct scripting attacks against site admins.
• A particular model of Cisco phone adapter was found to allow unauthenticated users to force firmware updates on the device, resulting in complete compromise of the system. The devices are end-of-life and Cisco has stated they will not be releasing a fix.
• OpenText BizManager, a popular document management system, had a vulnerability disclosed this week which would allow for the takeover of admin accounts.
• Acronis, a security vendor specializing in backup solutions, had a CVE published this week for two products affected by information disclosure vulnerabilities. Interestingly, the vulnerabilities were addressed by Acronis a year ago in an official advisory.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

WordPress Custom Field Plugin Cross-Site Scripting (XSS)

The popular WordPress plugin “Advanced Custom Fields” and its pro version have both had cross-site scripting vulnerabilities disclosed this past week. A researcher with PatchStack, “Rafie Muhammad”, reported the vulnerability which was assigned the ID CVE-2023-30777. The WordPress plugin boasts more than 2 million installs split between its pro and normal versions. The plugin is frequently used to customize HTML or form fields within WordPress websites. The reflected cross-site scripting vulnerability only affects authenticated users, meaning an attacker would have to convince an authenticated user or an admin to visit a specific link. Victims who do visit the link could be subject to unauthorized actions taken on the WordPress site via their account and/or information theft.

Cisco Phone Adaptor Remote Code Execution 

A vulnerability has been disclosed for the Cisco Phone adaptor model SPA112 which would allow for an unauthenticated attacker to execute remote code on the affected device. This vulnerability has been assigned the ID CVE-2023-20126. The issue stems from an authentication flaw on the firmware upgrade function of the device which can allow an attacker to update the firmware and run malicious code without disrupting normal operations. Middleware, especially VoIP devices, live on internal networks and are therefore less susceptible to attack. However, when compromised, they are typically overlooked as inventory management for the devices is poor and they lack the ability to support endpoint detection capabilities. Cisco has released an advisory stating that the devices are end-of-life and will not be receiving updates.

OpenText BizManager Admin Account Takeover 

OpenText BizManager is a software suite designed to facilitate the sharing of digital documents with multiple types and sizes. A security researcher who goes by the moniker “hackandpwn” discovered an account takeover vulnerability which would allow an unauthenticated attacker to take control of admin accounts and compromise the affected service. OpenText BizManager versions before 16.6.0.1 are affected, and no official statements have been made regarding the vulnerability. The vulnerability is currently being tracked as CVE-2023-35898.

Acronis Cyber Products Information Disclosure 

Acronis is a Swiss technology company specializing in data protection and backup software and solutions. According to their own website, Acronis products are used by more than 18,000 service providers across more than 150 countries. This week, CVE-2022-30995 was published and describes an issue affecting two Acronis products: Cyber Protect 15 and Cyber Backup 12.5. The vulnerability lacks much technical or even general detail and just states that it is an issue that would allow for sensitive information disclosure. The vulnerability is particularly concerning as backup data typically handled by these products is highly sensitive and will commonly contain corporate secrets. Interestingly, the vulnerability was reported to Acronis privately through HackerOne and had a security advisory / patch released back in November 2022. Only this week was the bounty closed on HackerOne and the CVE published.