The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws affecting Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerabilities are as follows:
- CVE-2024-49035 (CVSS score: 8.7) - An improper access control vulnerability in Microsoft Partner Center that allows an attacker to escalate privileges. (Fixed in November 2024)
- CVE-2023-34192 (CVSS score: 9.0) - A cross-site scripting (XSS) vulnerability in Synacor ZCS that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. (Fixed in July 2023 with version 8.8.15 Patch 40)
Last November, Microsoft acknowledged that CVE-2024-49035 had been exploited in the wild, but did not share any details on how it was weaponized in real-world attacks. There are currently no public reports of in-the-wild abuse of CVE-2023-34192.
In light of the development, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by March 18, 2025, to secure their networks.
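For administrators who need to verify that a ZCS host is at or past the fix level stated above (8.8.15 Patch 40), the following Python snippet is an added example, not code from the article, CISA, or Synacor. It parses the text that the ZCS `zmcontrol -v` command prints; the exact output format ("Release 8.8.15... Patch 8.8.15_P40.") is an assumption made here, and the sample strings below are constructed for illustration, not captured from real systems.

```python
import re

# Fix level stated in the article: ZCS 8.8.15 Patch 40 (released July 2023).
FIXED_PATCH_8815 = 40

# Assumed layout of `zmcontrol -v` output (not taken from the page; a typical line looks like
# "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P40.").
RELEASE_RE = re.compile(r"Release\s+(?P<ver>\d+\.\d+\.\d+)")
PATCH_RE = re.compile(r"Patch\s+(?P<ver>\d+\.\d+\.\d+)_P(?P<n>\d+)")


def parse_zmcontrol(output):
    """Return (release_version, patch_level) from zmcontrol -v text.

    patch_level is None when no "Patch ..._P<n>" marker is present (a GA install).
    """
    rel = RELEASE_RE.search(output)
    if not rel:
        raise ValueError("no 'Release <version>' marker found in zmcontrol output")
    patch = PATCH_RE.search(output)
    level = int(patch.group("n")) if patch else None
    return rel.group("ver"), level


def needs_patch_for_cve_2023_34192(output):
    """True  -> host is 8.8.15 below Patch 40 (fix for CVE-2023-34192 not applied)
    False -> host is 8.8.15 at or beyond Patch 40
    None  -> host runs a different release line; the article only states the 8.8.15 fix,
             so this check makes no claim about it.
    """
    version, level = parse_zmcontrol(output)
    if version != "8.8.15":
        return None
    if level is None:
        return True  # unpatched GA build predates Patch 40
    return level < FIXED_PATCH_8815


# Constructed sample outputs (illustrative only, not real hosts).
SAMPLE_UNPATCHED = "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P39."
SAMPLE_PATCHED = "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P41."
SAMPLE_GA = "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition."
SAMPLE_OTHER_LINE = "Release 9.0.0.GA.4399.UBUNTU20.64 UBUNTU20_64 NETWORK edition, Patch 9.0.0_P30."

if __name__ == "__main__":
    for label, text in [("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED),
                        ("ga", SAMPLE_GA), ("other", SAMPLE_OTHER_LINE)]:
        print(label, needs_patch_for_cve_2023_34192(text))
```

In practice, run `zmcontrol -v` as the `zimbra` user on each mailbox and proxy node and feed the output to `needs_patch_for_cve_2023_34192`; a `None` result means the host is on another release line and should be checked against the vendor's own advisory rather than this 8.8.15-specific threshold.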
The development comes after CISA added two security flaws affecting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its KEV catalog, also on the basis of evidence of active exploitation.