CISA adds CVE-2023-24955 after CVE-2023-29357 to its Known Exploited Vulnerability Catalog
The vulnerabilities pertain to Microsoft SharePoint
Published on March 28, 2024
From time to time, we find out about vulnerabilities in programs. But unless they are critical or directly affect us, there’s little to worry about. This time around, it does!
CISA has added two Microsoft SharePoint vulnerabilities to its Known Exploited Vulnerability Catalog: CVE-2023-24955, on March 26, 2024, and CVE-2023-29357, on January 10, 2024. Both have been marked Critical.
All about the two vulnerabilities
CISA describes CVE-2023-24955, titled Microsoft SharePoint Server Code Injection Vulnerability, as,
It recommends that you either apply the available fix or stop using Microsoft SharePoint until the vulnerability is patched.
As for CVE-2023-29357, titled Microsoft SharePoint Server Privilege Escalation Vulnerability, CISA describes it as,
As was the case previously, you are recommended not to use the product in the absence of a fix.
Star Labs researchers demonstrated exploitation of the vulnerabilities in a post on X (formerly Twitter).
Success! @testanull of @starlabs_sg was able to execute a 2-bug chain on Microsoft SharePoint. They earn $100,000 and 10 Master of Pwn points. #Pwn2Own #P2OVancouver pic.twitter.com/PxadHs8kKZ
Star Labs also shared a document describing the process in detail.
Soon, several Proof-of-Concept (PoC) exploits were developed and deployed by threat actors. The newer ones were relatively simple, allowing anyone to launch attacks.
After CISA added CVE-2023-29357 to the list, all US Federal Agencies were supposed to patch it by the end of the month, i.e., Jan 31. Similarly, for CVE-2023-24955, the US Federal Agencies have until April 16 to deploy a patch and secure the server.
You will find a dedicated page for CVE-2023-29357 and CVE-2023-24955 on the Microsoft Security Response Center detailing the work done by the developers.
In the past, Microsoft has addressed CVEs and continues to do so as more and more are reported by users!
Are you concerned about the Microsoft SharePoint vulnerabilities? Share with our readers in the comments section.
Kazim Ali Alvi
Windows Hardware Expert