In this week's Security Advisory
KnowBe4 has issued an advisory for two vulnerabilities in the Phish Alert Button (PAB) for Outlook on Windows, tracked as CVE-2024-29209 and CVE-2024-29210. The Phish Alert Button is an Outlook add-in that lets users report suspected phishing emails to their IT or security team for analysis and remediation. The vulnerabilities can be used by threat actors for privilege escalation and remote code execution. Customers should confirm that every deployed Phish Alert Button is outside the affected version range below and update it to the latest release KnowBe4 provides.
Affected Versions:
1.10.0 - 1.10.11
More Reading/Information
A vulnerability in the R programming language, tracked as CVE-2024-27322 with a CVSS score of 8.8 out of a possible 10, allows attackers to execute arbitrary code when a crafted RDS (R Data Serialization) file is deserialized, for example when it is loaded with readRDS(). Threat actors can extend the reach of this flaw by distributing malicious packages through open-source R repositories, compromising developers who download and load them. The issue is fixed in R 4.4.0; environments still running an earlier release should upgrade.
More Reading/Information
A critical vulnerability in the WordPress plugin WP Automatic, tracked as CVE-2024-27956 (CVSS score of 9.9 out of a possible 10), has been disclosed. WP Automatic automates fetching content from online sources and publishing it to a WordPress site. CVE-2024-27956 is an SQL injection flaw that lets an unauthenticated attacker run queries against the site database, which is being used to create user accounts with administrator privileges and take full control of the site. Exploitation in the wild is active and high-volume; site owners should update the plugin immediately and audit the users table for unexpected administrator accounts.
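To make the injection mechanism concrete, the following Python example is added here by the editor; it is not WP Automatic code and does not reproduce that plugin's logic. It builds a constructed in-memory SQLite users table, shows a hypothetical login check that splices user input into SQL text being bypassed with a single quote and a comment marker, shows the same check with bound parameters treating the payload as plain data, and models a driver that accepts stacked statements to show how one injection point is enough to insert an administrator account.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a WordPress-style users table
    (sample data only, not WP Automatic's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT, role TEXT)"
    )
    conn.execute(
        "INSERT INTO users (user_login, user_pass, role) "
        "VALUES ('editor', 's3cret-hash', 'editor')"
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Hypothetical endpoint: credentials are spliced straight into SQL text.
    Returns (user_login, role) on a match, None otherwise."""
    sql = (
        "SELECT user_login, role FROM users "
        f"WHERE user_login = '{username}' AND user_pass = '{password}'"
    )
    return conn.execute(sql).fetchone()


def hardened_login(conn, username, password):
    """Same check with parameter binding: the driver treats input as data,
    so quotes and comment markers never reach the SQL parser as syntax."""
    sql = "SELECT user_login, role FROM users WHERE user_login = ? AND user_pass = ?"
    return conn.execute(sql, (username, password)).fetchone()


def vulnerable_stacked_write(conn, username):
    """Hypothetical endpoint that concatenates input into a statement and runs
    it through a driver that accepts several statements per call
    (modelled with executescript(); sqlite3's execute() would refuse)."""
    sql = f"UPDATE users SET user_pass = user_pass WHERE user_login = '{username}';"
    conn.executescript(sql)


def admin_logins(conn):
    """Logins of every account holding the administrator role, in id order."""
    rows = conn.execute(
        "SELECT user_login FROM users WHERE role = 'administrator' ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


def demo():
    conn = make_db()
    results = {}
    # Payload 1: close the string and comment out the password clause, so the
    # query becomes  ... WHERE user_login = 'editor' --' AND user_pass = '...'
    bypass = "editor' --"
    results["vuln_bypass"] = vulnerable_login(conn, bypass, "wrong")
    results["hardened_bypass"] = hardened_login(conn, bypass, "wrong")
    results["hardened_valid"] = hardened_login(conn, "editor", "s3cret-hash")
    # Payload 2: terminate the statement, append an INSERT that creates an
    # administrator account, and absorb the endpoint's closing quote with a
    # harmless SELECT '' so every statement stays syntactically valid.
    admin_payload = (
        "x'; INSERT INTO users (user_login, user_pass, role) "
        "VALUES ('attacker', 'pwned', 'administrator'); SELECT '"
    )
    results["admins_before"] = admin_logins(conn)
    vulnerable_stacked_write(conn, admin_payload)
    results["admins_after"] = admin_logins(conn)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened variant is the whole fix: with placeholders the payload `editor' --` is looked up as a literal login and matches nothing, whereas the concatenated form returns the editor's row without a valid password. The stacked-statement case is why an injectable query anywhere in a plugin, not only in a login path, is enough to add an administrator.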
Affected Versions:
More Reading/Information
Google has issued a security update for Chrome that addresses two high-severity vulnerabilities affecting the Windows, Mac, and Linux builds. Confirm that browsers have picked up the update; chrome://settings/help shows the installed version and triggers the update check.
More Reading/Information
Please review your environment to ensure the issues above are patched in a timely manner. It is security best practice to regularly update or patch software to the latest vendor-supported versions. The vulnerabilities above also highlight the benefit of limiting deployed software to vendor-supported versions only: it dramatically increases the likelihood that a patch exists for a newly disclosed vulnerability. Likewise, Cybersafe strongly encourages maintaining an inventory of the software in your environment; an accurate inventory is what lets you determine quickly which systems fall inside an advisory's affected version range, and it feeds your patch and vulnerability management program.
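As an added example of the inventory check recommended above (editor's code, not Cybersafe's tooling), the Python below compares installed versions against an advisory's affected range. The Phish Alert Button range 1.10.0 through 1.10.11 comes from the advisory above; the R entry assumes the fix shipped in R 4.4.0 as published by the R project, and the inventory rows are constructed sample data. It parses dotted versions into integer tuples because plain string comparison sorts '1.10.9' after '1.10.11' and would miss affected hosts.

```python
import re

ADVISORIES = [
    # From the advisory above: PAB for Outlook 1.10.0 through 1.10.11 inclusive.
    {"product": "Phish Alert Button", "cves": ["CVE-2024-29209", "CVE-2024-29210"],
     "first_affected": "1.10.0", "last_affected": "1.10.11"},
    # Assumption (R project release notes, not this page): CVE-2024-27322 is
    # fixed in R 4.4.0, so every earlier release counts as affected.
    {"product": "R", "cves": ["CVE-2024-27322"],
     "first_affected": "0", "fixed_in": "4.4.0"},
]

# Constructed sample inventory rows: (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("ws-101", "Phish Alert Button", "1.10.9"),
    ("ws-102", "Phish Alert Button", "1.10.12"),
    ("ws-103", "Phish Alert Button", "1.9.4"),
    ("build-1", "R", "4.3.3"),
    ("build-2", "R", "4.4.0"),
]

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """'1.10.11' or 'v4.3.2' -> (1, 10, 11) / (4, 3, 2). Integer tuples compare
    numerically; as strings '1.10.9' > '1.10.11', which would hide affected hosts."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _padded(a, b):
    """Right-pad with zeros so '1.10' compares equal to '1.10.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_lt(a, b):
    """True when version string a is strictly lower than version string b."""
    a, b = _padded(parse_version(a), parse_version(b))
    return a < b


def is_affected(version, advisory):
    """True when version lies inside the advisory's affected range.
    Ranges are [first_affected, last_affected] or [first_affected, fixed_in)."""
    if version_lt(version, advisory["first_affected"]):
        return False
    if "fixed_in" in advisory:
        return version_lt(version, advisory["fixed_in"])
    return not version_lt(advisory["last_affected"], version)


def scan_inventory(inventory, advisories=ADVISORIES):
    """Return (host, product, version, cves) for every affected inventory row."""
    findings = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv["product"] == product and is_affected(version, adv):
                findings.append((host, product, version, ", ".join(adv["cves"])))
    return findings


if __name__ == "__main__":
    for host, product, version, cves in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected by {cves}")
```

Feed it the (host, product, version) rows exported from whatever inventory source you already have, and add one dictionary per advisory as they arrive; entries with a known fixed release use fixed_in (exclusive), entries that only publish an affected range use last_affected (inclusive).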