Such a vulnerability evades fixes issued for previous OFBiz bugs, tracked as CVE-2024-38856, CVE-2024-36104, and CVE-2024-32113, all of which have resulted from a fragmentation issue within the controller-view map that could allow unauthenticated remote code or SQL query execution, according to Rapid7 security researchers.
Exploitation of the flaw, which stems from LiteSpeed Cache's debug logging functionality, could be conducted by attackers with '/wp-content/debug.log' file access to exfiltrate users' session cookies, spoof admin users, and takeover websites.
Individuals' full names, birthdates, phone numbers, ID numbers, email addresses, home addresses, vehicle identification numbers, car brands and models, engine numbers, and vehicle colors were leaked by the unsecured Elasticsearch instance.
Threat actors could leverage CVE-2024-20439 via static credentials to facilitate the compromise of targeted systems with administrative privileges while intrusions involving CVE-2024-20440 could enable the acquisition of log files with credentials and other sensitive details.
Multiple Zyxel NWA Series, NWA1123-AC PRO, NWA1123ACv3, WAC500, WAC500H, WAC Series, WAX Series, and WBE Series access points are impacted by the flaw, which stems from improper user-supplied data management.
Such a flaw, tracked as CVE-2024-4885, stems from improper user input validation of the GetFileWithoutZip method adopted by WhatsUp Gold, noted Summoning Team, which identified and disclosed the issue.