Weekly Vulnerability Roundup: Highlights from SingCERT’s Security Bulletin
Overview
The Singapore Computer Emergency Response Team (SingCERT) has released its latest Security Bulletin, summarizing vulnerabilities reported in the past week from the National Institute of Standards and Technology (NIST)’s National Vulnerability Database (NVD).
This bulletin provides essential insights for businesses and security professionals to mitigate risks associated with these vulnerabilities.
The vulnerabilities have been categorized based on the Common Vulnerability Scoring System v3 (CVSSv3) base scores, which assess their severity levels:
- Critical: CVSS score of 9.0 to 10.0
- High: CVSS score of 7.0 to 8.9
- Medium: CVSS score of 4.0 to 6.9
- Low: CVSS score of 0.1 to 3.9
- None: CVSS score of 0.0
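The bands above are the CVSSv3 qualitative ratings the bulletin uses to sort its entries. The following is an added example, not code from the Cyble post or from SingCERT, that encodes those bands and applies them to a handful of entries taken from this roundup; the `Entry` class, `cvss_severity` and `triage` names are my own, and the boundary handling (one-decimal rounding, out-of-range rejection) is an assumption based on how CVSS v3 base scores are defined.

```python
# Added example: bucket CVSSv3 base scores into the qualitative severity bands
# listed in the bulletin and produce a prioritised triage list.
from dataclasses import dataclass

# Severity bands exactly as the bulletin lists them; both bounds are inclusive
# and CVSS v3 base scores carry one decimal place, so the bands are contiguous.
SEVERITY_BANDS = [
    ("Critical", 9.0, 10.0),
    ("High", 7.0, 8.9),
    ("Medium", 4.0, 6.9),
    ("Low", 0.1, 3.9),
    ("None", 0.0, 0.0),
]


def cvss_severity(score: float) -> str:
    """Map a CVSSv3 base score to its qualitative rating.

    The score is rounded to one decimal first, because CVSS v3 base scores are
    defined with one decimal of precision (8.95 is not a valid score, so it
    must land in one band or the other rather than fall between them).
    Anything outside 0.0..10.0 is treated as an input error, not a band.
    """
    s = round(float(score), 1)
    if not 0.0 <= s <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for name, low, high in SEVERITY_BANDS:
        if low <= s <= high:
            return name
    raise AssertionError("unreachable: bands cover 0.0..10.0")  # defensive


@dataclass(frozen=True)
class Entry:
    """One bulletin line: CVE identifier, affected product, CVSSv3 base score."""
    cve: str
    product: str
    score: float


# Constructed from entries in this roundup (identifiers and scores as listed
# in the post above); any real triage would load these from the NVD feed.
BULLETIN = [
    Entry("CVE-2024-54450", "Kurmi Provisioning Suite", 9.4),
    Entry("CVE-2024-56064", "Azzaroco WP SuperBackup", 10.0),
    Entry("CVE-2024-12108", "WhatsUp Gold", 9.6),
    Entry("CVE-2024-8950", "Arne Informatics Piramit Automation", 9.9),
]


def triage(entries, minimum="High"):
    """Return entries rated at or above `minimum`, highest score first.

    `minimum` is a band name from SEVERITY_BANDS; "High" keeps Critical and
    High, "Medium" keeps Medium and above, and so on.
    """
    order = [name for name, _, _ in SEVERITY_BANDS]  # Critical ... None
    cutoff = order.index(minimum)  # raises ValueError on an unknown band name
    kept = [e for e in entries if order.index(cvss_severity(e.score)) <= cutoff]
    return sorted(kept, key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in triage(BULLETIN, minimum="Critical"):
        print(f"{e.cve:16} {e.score:5.1f} {cvss_severity(e.score):8} {e.product}")
```

Running the script prints the four constructed entries in descending score order, all rated Critical. The useful part for a patch-management workflow is the threshold: feeding the full weekly feed through `triage(entries, minimum="Critical")` yields exactly the set the bulletin front-loads, and the boundary checks make sure a 8.9 never slips into the Critical queue and a 9.0 never drops out of it.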
Let’s take a closer look at the critical vulnerabilities reported this week and the potential threats they pose.
Critical Vulnerabilities
- CVE-2024-56064
Product: Azzaroco WP SuperBackup
Description: This vulnerability allows unrestricted uploads of malicious files, such as web shells, to a server. An attacker who exploits it can execute arbitrary code.
Affected Versions: Up to 2.3.3
CVSS Score: 10.0
- CVE-2024-56046
Product: VibeThemes WPLMS
Description: Similar to the above, this vulnerability allows attackers to upload malicious files, compromising server integrity.
Affected Versions: Up to 1.9.9
CVSS Score: 10.0
- CVE-2024-56799
Product: Simofa (Static Website Deployment Tool)
Description: A design flaw in the RouteLoader class leaves certain API routes accessible without authentication.
Affected Versions: Prior to 0.2.7
CVSS Score: 10.0
- CVE-2024-8950
Product: Arne Informatics Piramit Automation
Description: SQL injection vulnerability enabling attackers to perform blind SQL injection, potentially exposing sensitive data.
Affected Versions: Before 27.09.2024
CVSS Score: 9.9
- CVE-2024-56066
Product: Inspry Agency Toolkit
Description: A missing authorization vulnerability that allows privilege escalation, compromising user roles and permissions.
Affected Versions: Up to 1.0.23
CVSS Score: 9.8
- CVE-2024-13061
Product: Electronic Official Document Management System (2100 Technology)
Description: Authentication bypass vulnerability in which attackers can deceive the server into issuing user tokens, granting unauthorized access.
CVSS Score: 9.8
- CVE-2024-12108
Product: WhatsUp Gold
Description: Public API vulnerability allowing attackers to gain unauthorized access to the server.
Affected Versions: Released before 2024.0.2
CVSS Score: 9.6
Other Notable Vulnerabilities
- CVE-2024-47919
Product: Tiki Wiki CMS
Description: OS command injection vulnerability, potentially allowing attackers to execute arbitrary commands.
CVSS Score: 9.8
- CVE-2024-11281
Product: WooCommerce Point of Sale Plugin
Description: Insufficient validation on user IDs allows unauthenticated attackers to change admin account emails and reset passwords.
CVSS Score: 9.8
- CVE-2024-54450
Product: Kurmi Provisioning Suite
Description: Forged IP addresses in authentication logs may deceive admins, complicating forensic investigations.
CVSS Score: 9.4
- CVE-2024-56431
Product: libtheora
Description: Integer overflow in the Huffman tree unpacking functionality, leading to potential memory corruption.
CVSS Score: 9.8
Vulnerabilities in Focus
The bulletin highlighted recurring patterns among this week’s critical vulnerabilities:
- Privilege Escalation: Many vulnerabilities, such as those in AI Magic, Simple Dashboard, and SSL Wireless SMS Notification, involve incorrect privilege assignments, enabling attackers to escalate their privileges.
- SQL Injection: Products like SmartAgent and VibeThemes WPLMS suffer from SQL injection vulnerabilities, exposing sensitive databases.
- Authentication Bypass: Products such as Electronic Official Document Management System and Kurmi Provisioning Suite lack robust authentication mechanisms, allowing attackers unauthorized access.
What This Means for Organizations
These vulnerabilities underline the importance of patch management and proactive monitoring. Affected organizations must:
- Apply Patches Promptly: Ensure that systems and software are updated with the latest security patches as soon as possible.
- Strengthen Access Controls: Implement robust authentication and privilege management mechanisms to minimize unauthorized access.
- Conduct Regular Security Audits: Periodic vulnerability assessments and penetration tests can help identify and fix weaknesses.
- Educate Employees: Train staff on cybersecurity best practices, especially for avoiding phishing and social engineering attacks that exploit these vulnerabilities.
Conclusion
The SingCERT Security Bulletin serves as a vital resource for identifying and addressing vulnerabilities that could significantly impact organizations. By taking immediate action on these critical threats, businesses can safeguard their systems, data, and users from exploitation.
For detailed information, visit the full report at SingCERT’s Security Bulletin.
Source: https://www.csa.gov.sg/alerts-advisories/security-bulletins/2025/sb-2025-001
The post Weekly Vulnerability Roundup: Highlights from SingCERT’s Security Bulletin appeared first on Cyble.