CVE-2024-7940

Missing Authentication for Critical Function (CWE-306)

Published: Aug 27, 2024 / Updated: 2mo ago

CVSS 9.8 | EPSS 0.04% | Critical

Summary

The product exposes a service that is intended to be local-only on all network interfaces, without any authentication. This vulnerability is classified as Missing Authentication for Critical Function (CWE-306).

Impact

The impact of this vulnerability is severe: it can compromise the confidentiality, integrity, and availability of the affected system. Attackers can access, modify, or disrupt critical functions that were intended to be reachable only locally, leading to unauthorized data access, system manipulation, or service disruption. The CVSS v3.1 base score is 9.8 (Critical). The attack vector is network-based, with low attack complexity and no privileges or user interaction required.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is available. Patch details can be found at https://publisher.hitachienergy.com/preview?DocumentID=8DBD000160&LanguageCode=en&DocumentPartId=&Action=Launch

Mitigation

To mitigate this vulnerability:

1. Implement strong authentication mechanisms for the exposed service.
2. Use network segmentation to restrict access to the service from untrusted networks.
3. Apply the principle of least privilege, ensuring that the service only has access to necessary resources.
4. Regularly audit and monitor network interfaces and exposed services.
5. Implement firewalls or access control lists to limit incoming connections to the affected service.
6. Consider using a VPN for remote access if the service must be accessible from outside the local network.
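The condition behind this CVE is a local-only service listening on every interface. The following audit helper, added here as an example and not code from Hitachi Energy or the advisory, walks `ss -lntp`-style output (the sample lines are constructed) and reports listeners that are bound to a wildcard or non-loopback address, so an operator can spot a service that should have been restricted to 127.0.0.1 or ::1.

```python
import re

# Constructed sample in the shape of `ss -lntp` output; not from any real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1201,fd=5))
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*          users:(("svc-local",pid=2044,fd=3))
LISTEN  0       128     [::1]:9090           [::]:*             users:(("metrics",pid=2101,fd=4))
LISTEN  0       4096    *:22                 *:*                users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:1883            [::]:*             users:(("broker",pid=2310,fd=6))
"""

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::", "*"}   # a bind here answers on every interface


def split_addr_port(field):
    """Split 'addr:port' for IPv4, bracketed IPv6 ('[::]:1883') and '*' forms."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def exposed_listeners(ss_text, allowed_ports=()):
    """Return (process, port, bind_host) for every LISTEN socket that is not
    bound to loopback. Ports in allowed_ports (services that are meant to be
    reachable over the network, e.g. SSH) are skipped."""
    findings = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue                      # header or non-listening row
        host, port = split_addr_port(parts[3])
        if host in LOOPBACK or port in allowed_ports:
            continue
        m = re.search(r'users:\(\("([^"]+)"', line)
        proc = m.group(1) if m else "unknown"
        findings.append((proc, port, host))
    return findings


if __name__ == "__main__":
    for proc, port, host in exposed_listeners(SAMPLE_SS_OUTPUT, allowed_ports={22}):
        scope = "all interfaces" if host in WILDCARD else host
        print(f"{proc}: port {port} reachable on {scope}; expected loopback only?")
```

Run it against the live output of `ss -lntp` on a host to get the same report for real listeners.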

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-7940.

Aug 27, 2024 at 1:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 27, 2024 at 1:32 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.5%)

Aug 28, 2024 at 9:30 AM

Affected Systems

Hitachienergy/microscada_x_sys600

Patches

publisher.hitachienergy.com

Attack Patterns

CAPEC-12: Choosing Message Identifier

News

US-CERT Vulnerability Summary for the Week of August 26, 2024
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available. Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High : vulnerabilities with a CVSS base score of 7.0–10.0 Medium : vulnerabilities with a CVSS base score of 4.0–6.9 Low : vulnerabilities with a CVSS base score of 0.0–3.9 Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links.
Vulnerability Summary for the Week of August 26, 2024
Vulnerability Summary for the Week of August 26, 2024 (bjackson, Sep 03, 2024). High Vulnerabilities (Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info):
- Adobe -- Acrobat Reader | Acrobat Reader versions 127.0.2651.105 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-08-26 | 7.8 | CVE-2024-41879 | psirt@adobe.com
- aertherwide -- exiftags | Buffer Overflow vulnerability in open source exiftags v.1.01 allows a local attacker to execute arbitrary code via the paresetag function. | 2024-08-27 | 7.8 | CVE-2024-42851 | cve@mitre.org
- angeljudesuarez -- tailoring_management_system | A vulnerability classified as critical was found in itsourcecode Tailoring Management System 1.0. This vulnerability affects unknown code of the file staffcatedit.php. The manipulation of the argument title leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-08-26 | 9.8 | CVE-2024-8171 | cna@vuldb.com
- angeljudesuarez -- tailoring_management_system | A vulnerability was found in itsourcecode Tailoring Management System 1.0. It has been declared as critical.
Update Mon Sep 2 22:50:17 UTC 2024
Hitachi reports critical flaws in its MicroSCADA X SYS600, urges patching
Hitachi Energy has reported multiple high to critical severity vulnerabilities in its MicroSCADA X SYS600 product, which is widely used for monitoring and controlling utility power systems. CVE-2024-4872 (CVSS score 9.9) : This critical vulnerability involves SQL injection due to improper validation of user queries, allowing attackers to execute unauthorized commands.
Hitachi Energy Vulnerabilities Plague SCADA Power Systems
Hitachi Energy is urging customers of its MicroSCADA X SYS600 product for monitoring and controlling utility power systems to immediately upgrade to a newly released version to mitigate multiple critical and high-severity vulnerabilities. However, to pull it off an attacker would need to have local access to a machine where a vulnerable instance of MicroSCADA X SYS600 is installed, and enable session logging, Hitachi said.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
