Lottie Player (lottiefiles/lottie-player) is a web component that renders lightweight, high-quality animations from JSON files created with tools like Adobe After Effects, enabling scalable and interactive animations on websites and apps. Incident On October 30, 2024, the company posted an update on the forum about the recently infected versions of the Lottie Web Player. In the post, … Continue reading “Lottie Player (lottiefiles/lottie-player) Supply Chain Attack”
Cisco Secure Firewall Management Center Software Command Injection Vulnerability (CVE-2024-20424)
Cisco Firewall Management Center Software is vulnerable to a critical severity vulnerability tracked as CVE-2024-20424. Successful exploitation of the vulnerability may allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system as root. Cisco mentioned in the advisory that they are unaware of any public exploitation of the vulnerability.
Cisco Adaptive Security Appliance Software SSH Remote Command Injection Vulnerability (CVE-2024-20329)
Cisco released an advisory to address a security vulnerability impacting Cisco Adaptive Security Appliance Software. Tracked as CVE-2024-20329, the vulnerability has a critical severity rating with a CVSS score of 9.9. Successful exploitation of the vulnerability could allow the attacker to execute commands on the underlying operating system with root-level privileges.
CISA Added Fortinet FortiManager Vulnerability to its Known Exploitable Vulnerabilities Catalog (CVE-2024-47575)
Fortinet released a security advisory warning its customers about a FortiManager API vulnerability used in zero-day attacks. Tracked as CVE-2024-47575, the vulnerability has a critical severity rating with a CVSS score of 9.8. Fortinet informed in the advisory that the vulnerability is used to steal sensitive files containing configurations, IP addresses, and credentials for managed … Continue reading “CISA Added Fortinet FortiManager Vulnerability to its Known Exploitable Vulnerabilities Catalog (CVE-2024-47575)”
Oracle Critical Patch Update, October 2024 Security Update Review
Oracle released the last quarterly edition of this year’s Critical Patch Update. The update contains patches for 334 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products. In this quarterly Oracle Critical Patch Update, Oracle … Continue reading “Oracle Critical Patch Update, October 2024 Security Update Review”
Palo Alto Networks Expedition Multiple Vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, & CVE-2024-9467)
Palo Alto Networks releases patches to address five security vulnerabilities impacting Palo Alto Networks’ Expedition solution. Successful exploitation may allow attackers to access sensitive data, such as user credentials, to help take over firewall admin accounts. An attacker may also chain the vulnerabilities to hijack PAN-OS firewalls. Palo Alto Networks is unaware of any malicious … Continue reading “Palo Alto Networks Expedition Multiple Vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, & CVE-2024-9467)”
Ivanti Releases Fixes for Multiple Vulnerabilities Impacting Cloud Services Appliance (CVE-2024-9379, CVE-2024-9380, & CVE-2024-9381)
Ivanti released a patch to address three Cloud Services Appliance (CSA) zero-day vulnerabilities actively exploited in attacks. CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381 are high and medium severity vulnerabilities that may allow an attacker with admin privileges to bypass restrictions, run arbitrary SQL statements, or obtain remote code execution. Ivanti mentioned in the advisory, “We are aware … Continue reading “Ivanti Releases Fixes for Multiple Vulnerabilities Impacting Cloud Services Appliance (CVE-2024-9379, CVE-2024-9380, & CVE-2024-9381)”
Mozilla Firefox and Firefox ESR Use-After-Free Zero-day Vulnerability (CVE-2024-9680)
Mozilla warns about the active exploitation of a vulnerability impacting Firefox and the Firefox Extended Support Release (ESR). Tracked as CVE-2024-9680, the vulnerability has a critical severity rating with a CVSS score of 9.8. Damien Schaeffer from ESET discovered and reported the vulnerability to Mozilla. CVE-2024-9680 is a use after free vulnerability in the Animation … Continue reading “Mozilla Firefox and Firefox ESR Use-After-Free Zero-day Vulnerability (CVE-2024-9680)”
Microsoft Patch Tuesday, October 2024 Security Update Review
Microsoft has rolled out its October 2024 Patch Tuesday updates, offering vital security fixes for IT professionals to implement. With several critical vulnerabilities patched, this release highlights the ongoing need for regular maintenance and attention to security. Microsoft Patch’s Tuesday, October 2024 edition addressed 121 vulnerabilities, including three critical and 114 important severity vulnerabilities. In … Continue reading “Microsoft Patch Tuesday, October 2024 Security Update Review”
CUPS Printing Systems Remote Code Execution Vulnerability (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, & CVE-2024-47177)
CUPS, an open-source printing system, is vulnerable to multiple unauthenticated remote code execution vulnerabilities tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. The vulnerabilities affect all GNU/Linux systems. Successful exploitation of the vulnerabilities may allow a remote attacker to execute arbitrary code on a target system without valid credentials or prior access. Organizations like Canonical and … Continue reading “CUPS Printing Systems Remote Code Execution Vulnerability (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, & CVE-2024-47177)”