Fortinet, Mozilla Firefox flaws exploited in the wild

 

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability impacting Fortinet products to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation.

The flaw, tracked as CVE-2024-23113, is a format string vulnerability that can lead to full compromise of the system. A remote, unauthenticated attacker can send specially crafted requests to the device and execute arbitrary code on the target system. The flaw affects Fortinet’s FortiOS, FortiPAM, FortiProxy, and FortiWeb products.

Separately, Mozilla has disclosed a critical security flaw in its Firefox and Firefox Extended Support Release (ESR) products that is also under active exploitation. The vulnerability, tracked as CVE-2024-9680, is described as a use-after-free bug in the Animation timeline component. Exploitation of this flaw allows attackers to execute code in the content process by manipulating animation timelines.

“An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild,” Mozilla noted in its advisory, without disclosing further details regarding the flaw and the nature of exploitation.

To address the issue, Mozilla has released updates for the affected versions, including Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1. Users are urged to update to the latest versions immediately to protect against potential exploitation.
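
A fleet check against the fixed builds listed above, as an added example that is not from Mozilla or the original article. It assumes version strings in the form printed by `firefox --version`, with ESR builds carrying an `esr` suffix; the host names and inventory are constructed.

```python
import re

# Fixed builds as listed in the article.
FIXED_RELEASE = (131, 0, 2)
FIXED_ESR = {115: (115, 16, 1), 128: (128, 3, 1)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)

def parse_version(text):
    """Return ((major, minor, patch), is_esr) from a Firefox version string."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Firefox version found in {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.group(1, 2, 3))
    return (major, minor, patch), m.group(4) is not None

def needs_update(text):
    """True if the build is older than the fixed build for its channel."""
    version, is_esr = parse_version(text)
    if not is_esr:
        # A release-channel build is judged against 131.0.2 even if its
        # number looks like an ESR branch (e.g. plain "128.3.1").
        return version < FIXED_RELEASE
    # Assumption: an ESR branch the article does not name is compared
    # against the oldest fixed ESR build.
    fixed = FIXED_ESR.get(version[0], min(FIXED_ESR.values()))
    return version < fixed

def unpatched_hosts(inventory):
    """Return sorted host names that need the update or manual review."""
    flagged = []
    for host, version_text in inventory.items():
        try:
            if needs_update(version_text):
                flagged.append(host)
        except ValueError:
            flagged.append(host)  # unparseable version: review by hand
    return sorted(flagged)

# Constructed sample inventory (host name -> reported version string).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 131.0.2",
    "ws-02": "Mozilla Firefox 131.0",
    "ws-03": "Mozilla Firefox 128.3.0esr",
    "ws-04": "Mozilla Firefox 115.16.1esr",
    "ws-05": "Mozilla Firefox 128.3.1",
    "ws-06": "unknown",
}

if __name__ == "__main__":
    print(unpatched_hosts(SAMPLE_INVENTORY))
```
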

