Friday, November 15, 2024

CISA Adds 2 Palo Alto Networks Vulnerabilities to KEV – 11-14-24

Yesterday, CISA announced that it had added two vulnerabilities in the Palo Alto Networks Expedition product to the Known Exploited Vulnerabilities (KEV) catalog. Both vulnerabilities were part of a batch of five vulnerabilities disclosed by Palo Alto Networks on October 9th, 2024. Palo Alto Networks has released a fixed version of Expedition, and its advisory also recommends restricting network access to the Expedition host to authorized users, hosts, and networks. The two vulnerabilities added to the catalog are:

• OS command injection - CVE-2024-9463, and

• SQL injection - CVE-2024-9465

The SQL injection vulnerability was reported to Palo Alto Networks by Zach Hanley of Horizon3.ai, whose public write-up included proof-of-concept code. The OS command injection vulnerability was discovered internally by Palo Alto Networks researchers.

Under Binding Operational Directive 22-01, CISA has ordered federal civilian executive branch agencies to apply “mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.” They have been given a deadline of December 5th, 2024 to accomplish those actions.
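As an added example (not part of the original post, and not code from CISA or Palo Alto Networks), the following Python script shows how a practitioner might consume the KEV JSON feed to pull out the entries for a given vendor and product and compute how many days remain before the BOD 22-01 due date. The feed excerpt is constructed inline in the shape of the real feed so the script runs offline; the two Expedition records reflect the dates and required action from this post, while the ExampleCorp record is an invented placeholder used only to show the filter excluding it.

```python
import json
from datetime import date
from typing import Optional

# Constructed excerpt in the shape of CISA's KEV JSON feed. The field names
# match the real feed; the records are typed in here so the script runs offline.
# The two Expedition entries use the CVE IDs, dateAdded, requiredAction and
# dueDate from the 14 November 2024 addition; the ExampleCorp record is a
# placeholder and not a real KEV entry.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-9463",
            "vendorProject": "Palo Alto Networks",
            "product": "Expedition",
            "vulnerabilityName": "Palo Alto Networks Expedition OS Command Injection Vulnerability",
            "dateAdded": "2024-11-14",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2024-12-05",
        },
        {
            "cveID": "CVE-2024-9465",
            "vendorProject": "Palo Alto Networks",
            "product": "Expedition",
            "vulnerabilityName": "Palo Alto Networks Expedition SQL Injection Vulnerability",
            "dateAdded": "2024-11-14",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2024-12-05",
        },
        {
            "cveID": "CVE-0000-0000",  # placeholder, not a real CVE or KEV entry
            "vendorProject": "ExampleCorp",
            "product": "Widget",
            "vulnerabilityName": "ExampleCorp Widget Placeholder Vulnerability",
            "dateAdded": "2024-01-02",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2024-01-23",
        },
    ],
})


def load_kev(raw_json: str) -> list:
    """Parse the KEV feed text and return its list of vulnerability records."""
    return json.loads(raw_json)["vulnerabilities"]


def entries_for(kev: list, vendor: str, product: Optional[str] = None) -> list:
    """KEV records for a vendor (and optionally a product), compared case-insensitively."""
    matches = []
    for entry in kev:
        if entry["vendorProject"].lower() != vendor.lower():
            continue
        if product is not None and entry["product"].lower() != product.lower():
            continue
        matches.append(entry)
    return matches


def days_until_due(entry: dict, today: date) -> int:
    """Days left until the KEV due date; negative once the deadline has passed."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def overdue(kev: list, today: date) -> list:
    """CVE IDs whose KEV due date is already behind us on `today`."""
    return [e["cveID"] for e in kev if days_until_due(e, today) < 0]


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    today = date(2024, 11, 15)  # the date of this post
    for e in entries_for(kev, "Palo Alto Networks", "Expedition"):
        print(f"{e['cveID']}: {e['vulnerabilityName']} (due {e['dueDate']}, "
              f"{days_until_due(e, today)} days left)")
    print("overdue as of", today, ":", overdue(kev, today))
```

To run this against the live catalog, replace `KEV_SAMPLE` with the text downloaded from CISA's `known_exploited_vulnerabilities.json` feed; the field names are the same. The vendor and product strings in the feed are free text, so matching by `vendorProject` and `product` is a convenience for triage, not a substitute for checking the CVE IDs against your own asset inventory.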
