
Alerts

Arbitrary code execution vulnerability on IBM Instana Observability (CVE-2023-39410)

Advisory No: TZCERT/SA/2024/07/04-2

Date of First Release: 4th July 2024

Source: IBM

Software Affected: IBM Observability with Instana (OnPrem)

Overview:

IBM Observability with Instana (OnPrem) is vulnerable to a critical arbitrary code execution vulnerability. An attacker can leverage the vulnerability to take control of the affected system.

Description:

IBM Observability with Instana (OnPrem) is affected by a vulnerability tracked as CVE-2023-39410 with a CVSS score of 9.8. The flaw originates in the Apache Avro Java SDK used by the product: unsafe deserialization could allow a remote authenticated attacker to execute arbitrary code on the system.

Impact:

Successful exploitation of this vulnerability may allow an attacker to take control of the affected system or cause a denial of service condition.

Solution:

IBM has released a security patch for this vulnerability. Users and administrators are encouraged to apply the necessary updates.

References:

  1. https://www.ibm.com/support/pages/node/7159660

High severity vulnerabilities affecting WordPress (CVE-2024-5943, CVE-2024-2385, CVE-2024-6319, CVE-2024-6318)

Advisory No: TZCERT/SA/2024/07/04-1

Date of First Release: 4th July 2024

Source: Wordfence

Software Affected: WordPress plugins wp-nested-pages, addons-for-elementor and IMGspider

Overview:

Three WordPress plugins are affected by four high-severity vulnerabilities. Attackers can leverage the vulnerabilities to take control of the affected system.

Description:

Three WordPress plugins are affected: wp-nested-pages (CVE-2024-5943), addons-for-elementor (CVE-2024-2385) and IMGspider (CVE-2024-6319 and CVE-2024-6318). The flaws stem from missing or incorrect nonce validation on the 'settingsPage' function combined with missing sanitization of the 'tab' parameter (cross-site request forgery leading to local file inclusion in wp-nested-pages), from local file inclusion through the 'style' attribute of the plugin's widgets (addons-for-elementor), and from missing file type validation in the 'upload' and 'upload_img_file' functions in all versions of IMGspider up to, and including, 2.3.10 (arbitrary file upload). The latter two require an authenticated account with contributor-level access or higher. Attackers can exploit the vulnerabilities to execute arbitrary code remotely on the affected system.
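The three root-cause patterns named in this description, shown as an added example in WordPress plugin PHP. This is illustrative code written for this advisory, not the source of wp-nested-pages, addons-for-elementor or IMGspider; the 'acme_' function names, the 'acme_settings' and 'acme_upload' nonce actions and the tabs/ directory layout are assumptions. Each pattern appears first as it is typically written when vulnerable, then in a hardened form using the WordPress nonce, capability and file-type APIs.

```php
<?php
/*
 * Added illustration for this advisory (not code from any of the plugins
 * named above). Prefix 'acme_', nonce actions and the tabs/ layout are
 * made up for the example; the WordPress API calls are real.
 */

// Patterns 1 and 2: settings page with no nonce check (CSRF) and a 'tab'
// parameter fed straight into include() (local file inclusion).
function acme_settings_page_vulnerable() {
    $tab = $_GET['tab'] ?? 'general';                         // no nonce, no sanitisation
    // ?tab=../../../../wp-config resolves to <webroot>/wp-config.php
    include plugin_dir_path( __FILE__ ) . "tabs/{$tab}.php";
}

function acme_settings_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $allowed = array( 'general', 'display', 'advanced' );
    $tab     = 'general';
    if ( isset( $_GET['tab'] ) ) {
        // A tab switch must carry a nonce minted for this action; otherwise a
        // logged-in admin can be driven here from an attacker's page.
        check_admin_referer( 'acme_settings', 'acme_nonce' );
        // sanitize_key() strips everything outside [a-z0-9_-] (so "../" and
        // null bytes go), but the allow-list is what bounds include() to
        // files the plugin ships.
        $tab = sanitize_key( wp_unslash( $_GET['tab'] ) );
        if ( ! in_array( $tab, $allowed, true ) ) {
            $tab = 'general';
        }
    }
    include plugin_dir_path( __FILE__ ) . 'tabs/' . $tab . '.php';
}

// Tab links rendered by the plugin must carry the matching nonce.
function acme_settings_tab_url( $tab ) {
    $url = add_query_arg( array( 'page' => 'acme', 'tab' => $tab ),
                          admin_url( 'options-general.php' ) );
    return wp_nonce_url( $url, 'acme_settings', 'acme_nonce' );
}

// Pattern 3: upload handler with no file-type validation. A contributor can
// drop shell.php into wp-content/uploads and request it for code execution.
function acme_upload_vulnerable() {
    $f = $_FILES['file'];
    move_uploaded_file( $f['tmp_name'], wp_upload_dir()['path'] . '/' . $f['name'] );
}

function acme_upload_hardened() {
    check_ajax_referer( 'acme_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed_mimes = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
    );
    // Checks the extension against $allowed_mimes AND sniffs the content, so
    // "shell.php" and a PHP payload renamed to "shell.png" are both rejected.
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'],
                                        $_FILES['file']['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // wp_handle_upload() repeats the type check, avoids name collisions and
    // stores the file under the uploads directory.
    $result = wp_handle_upload( $_FILES['file'],
                                array( 'test_form' => false, 'mimes' => $allowed_mimes ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

add_action( 'wp_ajax_acme_upload', 'acme_upload_hardened' );
add_action( 'admin_menu', function () {
    add_options_page( 'Acme', 'Acme', 'manage_options', 'acme', 'acme_settings_page_hardened' );
} );
```

The two settings-page fixes are independent and both are needed: the nonce stops a forged request from reaching the handler, and the allow-list stops a legitimate-looking request from including a file outside tabs/. For uploads, checking the extension alone is not enough; wp_check_filetype_and_ext() also inspects the file content, which is what defeats a PHP payload carrying an image extension.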

Impact:

Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.

Solution:

Security patches have been released for the affected plugins. Users and administrators are encouraged to update the plugins to the patched versions.

References:

  1. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-nested-pages/nested-pages-327-cross-site-request-forgery-to-local-file-inclusion
  2. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/addons-for-elementor/elementor-addons-by-livemesh-837-authenticated-contributor-limited-local-file-inclusion-via-widgets
  3. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/imgspider/imgspider-2310-authenticated-contributor-arbitrary-file-upload-via-upload
  4. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/imgspider/imgspider-2310-authenticated-contributor-arbitrary-file-upload-via-upload-img-file

TZCERT-SU-24-0703 (Oracle Linux Security Update)

Oracle Linux has released security updates to address vulnerabilities in multiple of its products. Exploitation of these vulnerabilities may allow an attacker to take control of an affected system.

Users and administrators are encouraged to review the Oracle Linux security advisories dated 2nd July 2024 and apply the necessary updates.

TZCERT-SU-24-0701 (SUSE Security Update)

SUSE has released security updates to address vulnerabilities in multiple of its products. Exploitation of these vulnerabilities may allow an attacker to take control of an affected system.

Users and administrators are encouraged to review the SUSE security advisories dated 2nd July 2024 and apply the necessary updates.

TZCERT-SU-24-0700 (Ubuntu Security Update)

Ubuntu has released security updates to address vulnerabilities in the OpenVPN package. Exploitation of these vulnerabilities may allow an attacker to cause a denial of service condition and/or take control of an affected system.

Users and administrators are encouraged to review the Ubuntu Security Notice and apply the necessary updates.