Overview
Progress has provided a service pack to address two vulnerabilities affecting the MOVEit Transfer web application:
- CVE-2023-6217: a reflected cross-site scripting vulnerability, for which an attacker could craft a malicious payload targeting a system that comprises a MOVEit Gateway and MOVEit Transfer.
- CVE-2023-6218: a privilege-escalation vulnerability through which a group administrator can elevate a group member's permissions to the role of an organisation administrator.
Apache has released security updates to address one vulnerability (CVE-2023-50164) in Struts 2. A remote attacker could exploit this vulnerability to take control of an affected system. An attacker can manipulate file upload parameters to enable path traversal and, under some circumstances, this can lead to the upload of a malicious file that can be used to perform remote code execution.
Atlassian has released its December scheduled software updates. Four critical vulnerabilities have been identified that affect multiple products.
Adobe has released security updates to address multiple vulnerabilities in Adobe software. The following products are affected:
- Adobe Prelude
- Adobe Illustrator
- Adobe InDesign
- Adobe Dimension
- Adobe Experience Manager
- Adobe Substance3D Stager
- Adobe Substance3D Sampler
- Adobe Substance3D After Effects
- Adobe Substance3D Designer
Apple has released security updates for Safari, iOS and iPadOS, Sonoma, Ventura, and Monterey to address multiple vulnerabilities. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review the following advisories and apply necessary updates:
- Safari 17.2
- iOS 17.2 and iPadOS 17.2
- iOS 16.7.3 and iPadOS 16.7.3
- macOS Sonoma 14.2
- macOS Ventura 13.6.3
- macOS Monterey 12.7.2
Microsoft has released its scheduled December security updates to address vulnerabilities in multiple products. The updates include fixes for critical vulnerabilities in Microsoft Edge and Microsoft Power Platform Connector.
Recommended Action
Organisations are encouraged to review the appropriate security advisory pages and apply the updates:
Progress – MOVEit Transfer Service Pack
Atlassian – Security Advisory
Apache – December's Security Bulletin
Adobe – Adobe Security
Apple – Security Updates
Microsoft – December’s Security Bulletin
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.