Google patches third zero-day in Chrome this week

Google has released a new Chrome emergency security update that addresses CVE-2024-4947, the third zero-day vulnerability patched in the browser in a single week.

The high-severity vulnerability is caused by a type-confusion weakness in the V8 JavaScript engine and was reported by Vasily Berdnikov and Boris Larin of Kaspersky.

Although type-confusion bugs typically only crash the browser, they can also be exploited to execute arbitrary code on the target device.

Google has fixed the vulnerability in versions 125.0.6422.60/.61 for Mac and Windows and 125.0.6422.60 for Linux. This is the seventh zero-day fix in the Chrome web browser since the beginning of the year.

Critical security vulnerability in PrestaShop

The PrestaShop project, which has powered more than 300,000 web stores worldwide since 2007, recently issued a security alert revealing two significant vulnerabilities.

The first vulnerability, tracked as CVE-2024-34717, allows unauthorized individuals to download invoices belonging to other customers. This privacy breach could lead to the exposure of sensitive financial and customer information.

The second vulnerability, identified as CVE-2024-34716, is a cross-site scripting (XSS) flaw that allows attackers to inject malicious code into a contact form. The code is then executed when an administrator views the submission, which can give the attacker access to the entire store backend and the sensitive information it holds.

PrestaShop has released version 8.1.6, which includes fixes for both issues. We strongly encourage all PrestaShop users to upgrade to this latest version immediately to protect their stores and customer data.


Microsoft fixes actively exploited 0-Day vulnerabilities

May’s Microsoft Patch Tuesday addresses a whopping 67 vulnerabilities. In particular, it fixes two zero-day vulnerabilities, CVE-2024-30040 and CVE-2024-30051, which are being actively exploited.

The most serious vulnerability patched this month, CVE-2024-30044, is related to Microsoft SharePoint Server. This Remote Code Execution vulnerability allows authenticated attackers to execute code on the target server. Kaspersky’s monitoring revealed that the vulnerability has already been exploited in conjunction with QakBot and other malware, indicating that multiple groups have had access to it.

Another vulnerability, CVE-2024-30040, is a security feature bypass in the Windows MSHTML platform that could allow attackers to evade protections in Microsoft 365 and Office.

CVE-2024-30051, in turn, is an elevation-of-privilege vulnerability in the Windows DWM Core Library.

Microsoft is urging IT administrators to prioritize deployment of these updates to protect their systems from new threats.


Critical vulnerability in Cacti

Cacti, the popular open-source network monitoring tool, recently released a critical security update that addresses two significant vulnerabilities.

Command Injection: CVE-2024-29895

The first and more serious of the two is CVE-2024-29895, with a CVSS score of 10. This vulnerability in the cmd_realtime.php file allows unauthenticated users to execute arbitrary commands on the server, and it is of particular concern because it is easy to exploit.

XSS (Cross-Site Scripting) vulnerability: CVE-2024-30268

The second vulnerability, identified as CVE-2024-30268 with a CVSS score of 6.1, is an XSS (Cross-Site Scripting) issue in the settings.php file. It could allow attackers to capture the cookies of an administrator or any other user.

Both vulnerabilities were discovered by security researcher LioTree, who immediately reported them to the Cacti development team. Fortunately, the issues were promptly resolved in the latest Cacti 1.3.x DEV release. Cacti users are strongly advised to upgrade their installations to the patched version without delay to protect themselves from potential abuse.