This week saw the publication of 294 new CVE IDs. Of those, 99 had not yet been assigned an official CVSS score at the time of writing. Of the ones that had, approximately 10% were critical severity, 33% were high, 57% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:
The modern threat landscape is an ever-changing vista of vulnerabilities, tools, tactics, and procedures that pose an existential threat to the security of organizations' IT infrastructures. A key part of an evergreen security program is maintaining an up-to-date knowledge base of actionable threat intelligence that an organization can use to improve its security posture. With dozens of novel threats and vulnerabilities becoming public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which are especially novel, widespread, critical, or otherwise noteworthy.
The available threat intelligence at time of writing is documented below. Updates will be clearly marked.
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No
The popular WordPress plugin "Advanced Custom Fields" and its Pro version both had a cross-site scripting vulnerability disclosed this past week. Patchstack researcher Rafie Muhammad reported the issue, which was assigned the ID CVE-2023-30777. The plugin has more than 2 million active installs split between its Pro and free versions and is frequently used to add and customize fields on WordPress sites. The vulnerability is a reflected cross-site scripting issue that can only be triggered against an authenticated user, meaning an attacker would have to convince a logged-in user, typically an administrator, to visit a crafted link. Victims who do so could have unauthorized actions performed on the WordPress site via their account and/or have information stolen. Both the free and Pro versions were patched in 6.1.6, so the fix is simply to update; until then, the usual advice for reflected XSS applies: treat unexpected links to the wp-admin area with suspicion.
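To make the bug class concrete, the following is an added example (not the plugin's code and not part of the original post) of a reflected XSS pattern and two ways to fix it. It assumes a hypothetical admin page that copies a `view` query parameter into a `class` attribute; the URL, page name and parameter are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed lure URL an attacker might send to a logged-in admin. The page
# and parameter names are illustrative assumptions, not real plugin parameters.
LURE_URL = (
    "https://wp.example.com/wp-admin/admin.php?page=example-settings"
    '&view="><script>alert(document.cookie)</script>'
)


def query_param(url: str, name: str) -> str:
    """Return a single query parameter from a URL ('' if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflect the parameter straight into an HTML attribute (the bug class).

    The double quote in the payload closes the attribute, the '>' closes the
    tag, and the script runs in the victim's authenticated session.
    """
    view = query_param(url, "view")
    return f'<body class="wp-admin view-{view}">'


def render_escaped(url: str) -> str:
    """Attribute-context escaping: quotes and angle brackets become entities."""
    view = html.escape(query_param(url, "view"), quote=True)
    return f'<body class="wp-admin view-{view}">'


def render_allowlisted(url: str) -> str:
    """Stricter option for class names: keep only [A-Za-z0-9_-].

    This mirrors the allowlist approach WordPress takes for CSS class names,
    but is an independent re-implementation, not the WordPress function.
    """
    view = re.sub(r"[^A-Za-z0-9_-]", "", query_param(url, "view"))
    return f'<body class="wp-admin view-{view}">'


def breaks_out_of_attribute(markup: str) -> bool:
    """Crude check: did a script tag survive into the rendered markup?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for render in (render_vulnerable, render_escaped, render_allowlisted):
        out = render(LURE_URL)
        print(f"{render.__name__:20} injected={breaks_out_of_attribute(out)} {out}")
```

Escaping is the general fix for any attribute context; the allowlist is appropriate when the value is known to be a class name, because it also prevents attribute-level tricks (such as injecting a new attribute) that entity escaping alone does not need to consider.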
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No
A vulnerability has been disclosed in the Cisco SPA112 phone adapter that would allow an unauthenticated remote attacker to execute arbitrary code on the affected device. It has been assigned the ID CVE-2023-20126. The issue stems from missing authentication on the firmware upgrade function of the device's web management interface, which allows an attacker to push a crafted firmware image and run malicious code on the device without disrupting its normal operation. Devices like these, especially VoIP adapters, typically sit on internal networks and are therefore less exposed to direct attack from the internet. Once compromised, however, they are easily overlooked: inventory management for such devices is often poor and they cannot run endpoint detection agents. Cisco has released an advisory stating that the devices are end-of-life and will not receive a fix, so the remaining options are to replace the hardware or to tightly restrict which hosts can reach the device's management interface and monitor that traffic.
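Because the device cannot run an agent and will not be patched, the practical compensating control is network-side: restrict management access to a known subnet and flag anything that looks like a firmware upload. The following is an added example (not Cisco's code and not part of the original post) of that detection logic run over constructed, Zeek-style HTTP records; the device address, management subnet and URI names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed, Zeek-style HTTP records (tab-separated: ts, src, dst, method,
# uri, user_agent). These are not real logs; addresses, subnets and URIs are
# assumptions for the example.
SAMPLE_LOG = """\
1683000001.1\t10.0.50.5\t10.0.20.11\tGET\t/\tMozilla/5.0
1683000002.4\t10.0.50.5\t10.0.20.11\tPOST\t/login.cgi\tMozilla/5.0
1683000003.9\t10.0.70.23\t10.0.20.11\tPOST\t/upgrade.cgi\tpython-requests/2.28
1683000004.2\t10.0.50.5\t10.0.20.11\tPOST\t/upgrade.cgi\tMozilla/5.0
1683000005.0\t10.0.70.23\t10.0.20.11\tGET\t/status.cgi\tcurl/7.88
1683000006.3\t10.0.70.23\t10.0.60.9\tPOST\t/upgrade.cgi\tcurl/7.88
"""

VOIP_DEVICES = {"10.0.20.11"}                    # assumed SPA112 management address
MGMT_NET = ipaddress.ip_network("10.0.50.0/24")  # assumed admin subnet
UPGRADE_MARKERS = ("upgrade", "firmware")        # assumed URI keywords, not the real path


@dataclass
class Alert:
    ts: float
    src: str
    dst: str
    uri: str
    reasons: list[str] = field(default_factory=list)


def parse_line(line: str) -> dict:
    """Split one tab-separated record into named fields."""
    ts, src, dst, method, uri, ua = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "src": src, "dst": dst,
            "method": method, "uri": uri, "ua": ua}


def looks_like_upgrade(method: str, uri: str) -> bool:
    """A POST to anything mentioning upgrade/firmware is worth a look."""
    return method == "POST" and any(m in uri.lower() for m in UPGRADE_MARKERS)


def detect(log_text: str) -> list[Alert]:
    """Return one Alert per suspicious request aimed at an inventoried device."""
    alerts: list[Alert] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["dst"] not in VOIP_DEVICES:   # only care about the EOL adapters
            continue
        reasons = []
        if ipaddress.ip_address(rec["src"]) not in MGMT_NET:
            reasons.append("source outside management subnet")
        if looks_like_upgrade(rec["method"], rec["uri"]):
            reasons.append("firmware upgrade request")
        if reasons:
            alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], rec["uri"], reasons))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts:.1f} {a.src} -> {a.dst} {a.uri}: {'; '.join(a.reasons)}")
```

Upgrade requests from the management subnet are still reported so they can be matched against change tickets; the combination of an upgrade request and a non-management source is the case that should page someone. The same inventory set is what an ACL on the VoIP VLAN should be built from, so keeping it accurate matters as much as the rule itself.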
Real-World Exploitability: Medium
Exploited in the Wild: No
Available Public Exploits: No
OpenText BizManager is a software suite designed to facilitate the sharing of digital documents of multiple types and sizes. A security researcher who goes by the moniker "hackandpwn" discovered an account takeover vulnerability that would allow an unauthenticated attacker to take control of admin accounts and compromise the affected service. OpenText BizManager versions before 16.6.0.1 are affected, and no official statement has been made regarding the vulnerability. It is currently being tracked as CVE-2023-35898. Until more detail is available, organizations running the product should upgrade to 16.6.0.1 or later and review recent administrative account activity for anything unexpected.
Real-World Exploitability: Low
Exploited in the Wild: No
Available Public Exploits: No
Acronis is a Swiss technology company specializing in data protection and backup software and solutions. According to its own website, Acronis products are used by more than 18,000 service providers across more than 150 countries. This week, CVE-2022-30995 was published, describing an issue affecting two Acronis products: Cyber Protect 15 and Cyber Backup 12.5. The advisory offers little technical or even general detail beyond stating that the issue allows sensitive information disclosure. That is still concerning, because the backup data these products handle is highly sensitive and commonly contains corporate secrets. Notably, the vulnerability was reported to Acronis privately through HackerOne, and a security advisory and patch were released back in November 2022. Only this week was the HackerOne report closed and the CVE published, so organizations that have not applied the November 2022 updates should treat this as a reminder to do so.