Friday, February 28, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities—CVE-2023-34192 in Synacor Zimbra Collaboration Suite (ZCS) and CVE-2024-49035 in Microsoft Partner Center—to its Known Exploited Vulnerabilities (KEV) catalog. Details of these vulnerabilities are as follows:
- CVE-2023-34192 has a CVSS severity score of 9.0 and is a Cross-Site Scripting (XSS) vulnerability in Synacor ZCS. It allows authenticated attackers to execute malicious code through crafted scripts in the /h/autoSaveDraft function. This vulnerability was patched in version 8.8.15 Patch 40 in July 2023.
- CVE-2024-49035 has a CVSS severity score of 8.7 and is an Improper Access Control vulnerability in Microsoft Partner Center, which allows attackers to escalate privileges. This issue was resolved in the November 2024 Patch Tuesday Security Updates.
To mitigate risks associated with these vulnerabilities, agencies under the Federal Civilian Executive Branch (FCEB) are required to apply the necessary security updates by March 25, 2025, in accordance with Binding Operational Directive (BOD) 22-01, which aims to reduce risks from actively exploited vulnerabilities. Additionally, CISA urges private organizations to review the KEV list and implement appropriate security measures to protect against potential cyberattacks.
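One way to act on that advice is to cross-reference the KEV feed against an asset inventory and track the BOD 22-01 due date. The following is an added example, not code from CISA or from the article; the catalog entries and inventory are constructed samples in the shape of CISA's KEV JSON feed (the CVE IDs, products and 2025-03-25 due date are from the advisory, while `dateAdded`, names and `requiredAction` text are placeholders), and the matching heuristic is an assumption.

```python
import json
from datetime import date

# Constructed sample mimicking the structure of CISA's KEV JSON feed. Only the
# CVE IDs, vendor/product and dueDate come from the advisory; the other fields
# are placeholders, not copied from the real catalog.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2023-34192", "vendorProject": "Synacor",
         "product": "Zimbra Collaboration Suite (ZCS)",
         "vulnerabilityName": "Synacor ZCS Cross-Site Scripting Vulnerability",
         "dateAdded": "2025-02-25", "dueDate": "2025-03-25",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2024-49035", "vendorProject": "Microsoft",
         "product": "Partner Center",
         "vulnerabilityName": "Microsoft Partner Center Improper Access Control Vulnerability",
         "dateAdded": "2025-02-25", "dueDate": "2025-03-25",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})

# Constructed asset inventory as an organisation might record it.
INVENTORY = [
    {"host": "mail-01", "vendor": "Synacor", "product": "Zimbra Collaboration Suite", "patched": False},
    {"host": "mail-02", "vendor": "Synacor", "product": "Zimbra Collaboration Suite", "patched": True},
    {"host": "web-01", "vendor": "Apache", "product": "HTTP Server", "patched": False},
]


def load_kev(text: str) -> dict:
    """Index a KEV catalog document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def _matches(entry: dict, asset: dict) -> bool:
    # Assumed heuristic: inventory names rarely match the catalog verbatim, so
    # compare vendor exactly (case-insensitive) and product as a substring either way.
    kv, kp = entry["vendorProject"].lower(), entry["product"].lower()
    av, ap = asset["vendor"].lower(), asset["product"].lower()
    return kv == av and (ap in kp or kp in ap)


def overdue_findings(kev: dict, inventory: list, as_of: str) -> list:
    """Unpatched assets hit by a KEV entry, with days left to the BOD 22-01 due date
    (negative once the deadline has passed), soonest deadline first."""
    today, findings = date.fromisoformat(as_of), []
    for cve, entry in kev.items():
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if asset["patched"] or not _matches(entry, asset):
                continue
            findings.append({"host": asset["host"], "cve": cve,
                             "dueDate": entry["dueDate"], "daysLeft": (due - today).days})
    return sorted(findings, key=lambda f: f["daysLeft"])
```

Pointing `load_kev` at the live feed instead of `KEV_SAMPLE` turns this into a daily check that surfaces every unpatched asset with its remaining time to the catalog's due date.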