Multiple high-severity vulnerabilities were reported in Microsoft’s Edge (Chromium-based) which could be exploited by cybercriminals to gain elevated privileges and execute arbitrary code on targeted systems. Attackers could exploit these vulnerabilities by sending specially crafted requests to targeted systems.
The vulnerabilities in Microsoft Edge were found to exist due to improper implementation of permission prompts, fullscreen API and inframe sandbox, a heap buffer overflow in network service, and use after free in cart.
Microsoft released updates fixing these security bugs on January 12, asking users to update their software to avoid their exploitation.
(For insights on emerging themes at the intersection of technology, business, and policy, subscribe to our tech newsletter Today’s Cache.)
High-severity security bugs were detected in Mozilla Firefox versions, which could be exploited by remote attackers to perform attacks, bypass security restrictions, access sensitive information, and execute arbitrary code on targeted systems.
The security bugs could be exploited by remote cyber attackers by persuading victims to visit a specially crafted website, and exist due to logic errors in process allocation, arbitrary file read on Linux, improper input validation while copying a network request from the developer tools panel, errors in the way an origin notification is handled between normal and private browsing and incorrect processing of content security calls.
Bugs were also found to exist due to a boundary error while processing HTML content, and suppression of full-screen notifications.
Successful exploitation of these bugs could lead to spoofing attacks compromising the security of affected systems, shared CERT-In.
Mozilla has released updates fixing these bugs and requested users to update their software.
Zoho magazine engine products
A high-severity security bug was reported in Zoho ManageEngine products which could allow attackers to execute arbitrary code to gain sensitive information on targeted systems.
The vulnerability, which could be exploited by sending a specially crafted request, existed in Zoho ManageEngine products if SAML single-sign-on was enabled or was ever enabled earlier.
The vulnerability affected Zoho ManageEngine ServiceDesk Plus and Endpoint Central versions, and has been fixed with a security update.
Multiple high-severity security bugs were detected in Cisco’s Industrial Director web management interface of IP phone 7800 and 8800 series, and Small Business XE platforms.
These high-severity vulnerabilities could be exploited by remote attackers to access sensitive information, conduct cross-site scripting attacks, bypass authentication and execute arbitrary codes to cause a denial of services.
Security bugs in Cisco’s Industrial Director web management interface were found to exist due to improper validation of content that is submitted to the affected application, insufficient validation of user-supplied input, and improper input validation when parsing HTTP requests.
Attackers could exploit these vulnerabilities by sending malicious HTTPS requests to affected systems, gaining local access to the server on which Cisco IND is installed, and sending a crafted request to the web-based management interface.
In Cisco’s web-based management interface for Small Business XE, the vulnerabilities were found to exist due to improper validation of user input within incoming HTTP packets. These bugs could be exploited by remote attackers to bypass authentication or execute arbitrary codes on targeted systems by sending a crafted HTTP request to the web-based management interface.
Attackers could also exploit the vulnerabilities to gain root access to the underlying operating system, thereby compromising its security.
Cisco has released security updates for these bugs and asked users to update their software to ensure their security.