Security Vulnerabilities - Known exploited
CVE-2024-28986
Known exploited
SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.
CVSS Score: 9.8
EPSS Score: 0.769
Published: 2024-08-13
CVE-2024-7593
Known exploited
Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.
CVSS Score: 9.8
EPSS Score: 0.944
Published: 2024-08-13
CVE-2024-38213
Known exploited
Windows Mark of the Web Security Feature Bypass Vulnerability
CVSS Score: 6.5
EPSS Score: 0.593
Published: 2024-08-13
CVE-2024-38193
Known exploited
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVSS Score: 7.8
EPSS Score: 0.732
Published: 2024-08-13
CVE-2024-38189
Known exploited
Microsoft Project Remote Code Execution Vulnerability
CVSS Score: 8.8
EPSS Score: 0.437
Published: 2024-08-13
CVE-2024-38178
Known exploited
Scripting Engine Memory Corruption Vulnerability
CVSS Score: 7.5
EPSS Score: 0.302
Published: 2024-08-13
CVE-2024-38106
Known exploited
Windows Kernel Elevation of Privilege Vulnerability
CVSS Score: 7.0
EPSS Score: 0.007
Published: 2024-08-13
CVE-2024-38107
Known exploited
Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
CVSS Score: 7.8
EPSS Score: 0.034
Published: 2024-08-13
CVE-2024-41710
Known exploited
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, through R6.4.0.HF1 (R6.4.0.136) could allow an authenticated attacker with administrative privilege to conduct an argument injection attack, due to insufficient parameter sanitization during the boot process. A successful exploit could allow an attacker to execute arbitrary commands within the context of the system.
CVSS Score: 7.2
EPSS Score: 0.197
Published: 2024-08-12
CVE-2024-27443
Known exploited
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.
CVSS Score: 6.1
EPSS Score: 0.324
Published: 2024-08-12



Shodan ® - All rights reserved