Security Affairs reports that three security issues impacting ProjectSend, North Grid Proself, and Zyxel firewalls have been included by the Cybersecurity and Infrastructure Security Agency in its Known Exploited Vulnerabilities catalog, with federal agencies urged to remediate the flaws by Christmas Eve.
The most severe of the newly added vulnerabilities is a critical improper authentication flaw in the open-source file sharing web app ProjectSend, tracked as CVE-2024-11680, which could be leveraged to create malicious accounts, upload webshells, and embed JavaScript. VulnCheck noted that attacks abusing the issue may have used exploit code released in September. The Zyxel firmware path traversal bug, tracked as CVE-2024-11667, could be exploited to upload and download files through crafted URLs, while the improper restriction of XML External Entity references in North Grid Proself, tracked as CVE-2023-45727, could be used to compromise server files containing account information.