Updates to the United States Cybersecurity and Infrastructure Security (CISA) Known Exploited Vulnerabilities (KEV) Catalog indicates critical vulnerabilities in applications likely to be widely used are actively exploited in the wild, requiring organizations to readily address such flaws.
The vulnerabilities newly listed in the KEV Catalog include:
CVE-2023-38203 (CVSS 9.8): Adobe Cold Fusion - versions 2018 update (u) 17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) - is affected by a deserialization of untrusted data vulnerability which may result in arbitrary code execution. Applying the patches issued by the vendor resolves the issue.
CVE-2023-27524 (CVSS 9.8): Apache Superset up to and including 2.0.1 is subject to a session validation flaw which may lead to authentication bypass and unauthorized access to resources. The precondition for exploitation is that administrators maintained the default value of the SECRET_KEY configuration. Altering this value prevents exploitation.
CVE-2023-29357 (CVSS 9.8): Microsoft SharePoint Server is affected by a vulnerability which enables a potential unauthenticated attacker with access to a JSON web token to elevate privileges and execute network attacks. A patch for this vulnerability was released with the June 2023 Patch Tuesday. However, in early December 2023, there were reports of supposedly pro-Russian threat actors, particularly hacktivists, conducting mass scanning for this vulnerability. Security researchers also reported this vulnerability may be chained with a separate code injection bug, CVE-2023-94955, to achieve an unauthenticated code execution.
The KEV Catalog also lists a newly discovered Ivanti Connect Secure vulnerabilities that have been discussed in a separate post.