The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities in question are as follows –
- CVE-2024-49035 (CVSS score: 8.7) – An improper access control vulnerability in Microsoft Partner Center that allows an attacker to escalate privileges. (Fixed in November 2024)
- CVE-2023-34192 (CVSS score: 9.0) – A cross-site scripting (XSS) vulnerability in Synacor ZCS that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. (Fixed in July 2023 with version 8.8.15 Patch 40)
Last year, Microsoft acknowledged that CVE-2024-49035 had been exploited in the wild, but did not reveal any additional details on how it was weaponized in real-world attacks. There are currently no public reports about in-the-wild abuse of CVE-2023-34192.
In light of the development, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the necessary updates by March 18, 2025, to secure their networks.
The development comes a day after CISA added two security flaws impacting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.