Monday, March 10, 2025

CISA Adds Microsoft and Zimbra Flaws to KEV Catalog Amid Active Exploitation


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday placed two security flaws impacting Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS) in its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerabilities in question are as follows:

  • CVE-2024-49035 (CVSS score: 8.7) - An improper access control vulnerability in Microsoft Partner Center that allows an attacker to escalate privileges. (Fixed in November 2024)
  • CVE-2023-34192 (CVSS score: 9.0) - A cross-site scripting (XSS) vulnerability in Synacor ZCS that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. (Fixed in July 2023 with version 8.8.15 Patch 40)

Last year, Microsoft said that CVE-2024-49035 had been exploited in the wild, but did not disclose any additional details on how it was weaponized in real-world attacks. There are currently no public reports about in-the-wild abuse of CVE-2023-34192.

In light of the development, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the necessary updates by March 18, 2025, to secure their networks.

The development comes a day after CISA added two security flaws impacting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
