
Overview

Adobe has released a security update for Adobe Commerce and Magento Open Source. Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication vulnerability, CVE-2024-45115, with a CVSS score of 9.8, that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorised access or elevated privileges within the application. Exploitation of this issue does not require user interaction.

GitLab has released a security update to address a critical-severity vulnerability (CVE-2024-9164) in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. It is now mitigated in the latest release and has been assigned CVE-2024-9164.

LatePoint plugin for WordPress has been updated to address two critical-severity vulnerabilities affecting versions up to and including 5.0.12. These vulnerabilities pose serious security risks for WordPress sites using the plugin, particularly if the “Use WordPress users as customers” setting is enabled (disabled by default).

  • CVE-2024-8911 (Patched in version 5.0.12): This vulnerability, present in versions up to 5.0.11, arises from insufficient escaping of user-supplied parameters and improper preparation of SQL queries. Unauthenticated attackers can exploit this flaw to change user passwords through SQL injection. If the setting to “Use WordPress users as customers” is enabled, attackers could take over administrator accounts. If the setting is disabled, only the passwords of plugin customers (stored in a separate database) are at risk. The issue is mitigated in version 5.0.12.
  • CVE-2024-8943 (Fully patched in version 5.0.13): Affecting versions up to 5.0.12, this vulnerability allows for an authentication bypass due to insufficient verification during the booking customer step. Attackers with access to a user ID can log in as any user, including administrators, if the “Use WordPress users as customers” setting is enabled. While version 5.0.12 partially addressed the issue, the vulnerability is fully resolved in version 5.0.13.

Oracle has released an October 2024 Critical Patch Update addressing 188 vulnerabilities across multiple products, including Oracle Communications, Fusion Middleware, MySQL, Java SE, and Database Server. Several issues are critical, allowing remote unauthenticated attacks, with some vulnerabilities scoring as high as 9.8 on the CVSS scale. Notable fixes include critical patches for Oracle WebLogic Server and MySQL, addressing remote code execution and privilege escalation risks.

Telerik Report Server has patched a critical vulnerability (CVE-2024-8015) affecting versions before R3 2023 (9.2.23.916). This flaw allows unauthenticated remote attackers to exploit insecure type resolution, potentially leading to arbitrary code execution on the server. The issue arises due to improper deserialisation of user input. Users are strongly urged to upgrade to the latest version to mitigate this risk.

Recommended Action

Organisations are encouraged to review the appropriate security advisory pages and apply the updates:

Adobe – Security Updates

Gitlab Patch Release

Latepoint – CVE-2024-8911 and CVE-2024-8943

Oracle – Patch Update Advisory

Telerik Report Server – Advisory
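As an added example (not part of this advisory, and not code from any of the vendors named above), the following Python script encodes the affected version ranges stated in the Overview so an inventory of installed versions can be triaged against them. The product keys, the "-pN" patch-suffix handling for Adobe Commerce, and the sample inventory are constructed for illustration.

```python
import operator
import re

OPS = {"<": operator.lt, "<=": operator.le, ">=": operator.ge, ">": operator.gt}

# Affected ranges taken from the advisory text above. Each product maps to a list of
# ranges; a range is a list of constraints that must all hold for the version to match.
AFFECTED = {
    # CVE-2024-45115: the listed patch level of each 2.4.x branch, and everything earlier
    "adobe-commerce": [["<2.4.4"], [">=2.4.4", "<=2.4.4-p10"], [">=2.4.5", "<=2.4.5-p9"],
                       [">=2.4.6", "<=2.4.6-p7"], [">=2.4.7", "<=2.4.7-p2"]],
    # CVE-2024-9164: the three half-open ranges exactly as GitLab states them
    "gitlab-ee": [[">=12.5", "<17.2.9"], [">=17.3", "<17.3.5"], [">=17.4", "<17.4.2"]],
    # CVE-2024-8911 fixed in 5.0.12; CVE-2024-8943 only fully fixed in 5.0.13
    "latepoint": [["<5.0.13"]],
    # CVE-2024-8015: versions before R3 2023 (9.2.23.916)
    "telerik-report-server": [["<9.2.23.916"]],
}


def parse_version(v):
    """Turn '2.4.7-p2' or '9.2.23.916' into a comparable (numbers, patch) tuple.
    A '-pN' suffix (Adobe Commerce style, assumed here) sorts after its base release."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-p(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    return numbers, int(m.group(2) or 0)


def satisfies(version, constraint):
    """Evaluate one constraint such as '<17.2.9' or '<=2.4.6-p7' against a version."""
    op, bound = re.fullmatch(r"(<=|>=|<|>)\s*(.+)", constraint).groups()
    return OPS[op](parse_version(version), parse_version(bound))


def affected(product, version):
    """True if `version` of `product` falls inside any affected range from the advisory."""
    return any(all(satisfies(version, c) for c in rng) for rng in AFFECTED[product])


if __name__ == "__main__":
    # Constructed sample inventory; replace with the versions actually deployed.
    inventory = [("adobe-commerce", "2.4.6-p7"), ("gitlab-ee", "17.3.4"),
                 ("latepoint", "5.0.12"), ("telerik-report-server", "9.2.23.916")]
    for product, version in inventory:
        status = "PATCH REQUIRED" if affected(product, version) else "not affected"
        print(f"{product:22} {version:12} {status}")
```

Because the Adobe ranges are modelled per 2.4.x branch, a later patch level on an older branch (for example 2.4.6-p8) is correctly reported as not affected rather than being caught by a single "everything below 2.4.7-p2" rule.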

If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting the Cyber Concerns Online Reporting Form.

Topics

  • Advisory
  • Vulnerability
  • Exploit
  • Patches and Updates