A recent cybersecurity report details a vulnerability in cve-services, the CVEProject service behind the identification, definition and cataloguing of publicly disclosed cybersecurity vulnerabilities. According to the report, exploiting this flaw would give threat actors access to user secrets handled by the service.
Tracked as CVE-2022-24875, the vulnerability exists because the org.controller.js code erroneously logs user secrets, which would allow threat actors who can read the application logs to obtain sensitive credentials without authorization.
The flaw received a score of 4.9/10 (medium severity) under the Common Vulnerability Scoring System (CVSS), and according to the report no security patches or workarounds for its mitigation are known so far.
According to the report, the vulnerability resides in all versions of cve-services from 1.0.0 up to and including 1.1.1.
While the report states that the flaw could be exploited by unauthenticated remote threat actors, no active exploitation attempts have been identified so far. Still, the absence of updates is worrisome: operators of affected deployments should remain alert to the risk of exploitation, restrict who can read the application logs, and treat any secrets that may already have been written to those logs as exposed.
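The class of bug described above (a request handler that serialises a user record, secrets included, straight into the log) is easier to recognise with a concrete illustration. The following is an added example and not cve-services' own code: the field names, the sample user record and the in-memory log sink are all constructed for the demonstration. It shows the leaky pattern beside a hardened version that redacts secret-named fields before logging, plus a simple check an auditor can run over captured log lines to confirm whether a known secret value leaked.

```javascript
// Added illustration, not cve-services code. Field names below are assumptions.
const SECRET_FIELDS = new Set(['secret', 'api_key', 'apiKey', 'password', 'token']);

// Constructed sample user record, shaped like what a user registry might return.
const sampleUser = {
  username: 'alice',
  org: 'example-cna',
  secret: 'sk-live-0123456789abcdef',
};

// Minimal log sink so the example runs offline: collects log lines in memory.
function makeLogger() {
  const lines = [];
  return { info: (msg) => lines.push(msg), lines };
}

// Leaky pattern: the whole object, secrets included, ends up in the log line.
function logUserVulnerable(logger, user) {
  logger.info(`user lookup: ${JSON.stringify(user)}`);
}

// Hardened pattern: recursively mask secret-named fields before logging.
// The depth guard keeps a cyclic or very deep object from recursing forever.
function redact(value, depth = 0) {
  if (depth > 10 || value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = SECRET_FIELDS.has(k) ? '[REDACTED]' : redact(v, depth + 1);
  }
  return out;
}

function logUserSafe(logger, user) {
  logger.info(`user lookup: ${JSON.stringify(redact(user))}`);
}

// Audit check: does any captured log line contain a known secret value?
function logLeaksSecret(lines, secret) {
  return lines.some((line) => line.includes(secret));
}

// Runs both handlers against the sample record and reports what leaked.
function demo() {
  const vuln = makeLogger();
  logUserVulnerable(vuln, sampleUser);
  const safe = makeLogger();
  logUserSafe(safe, sampleUser);
  return {
    vulnerableLeaks: logLeaksSecret(vuln.lines, sampleUser.secret), // true
    safeLeaks: logLeaksSecret(safe.lines, sampleUser.secret),       // false
    safeLine: safe.lines[0],
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The redaction is keyed on field names, so it only protects secrets stored under names the allow-list knows; in a real service the list should be derived from the schema of the records being logged, and the `logLeaksSecret` check is the kind of test worth running against captured logs after an incident like this one to decide which credentials must be rotated.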
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.