CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-29209
https://notcve.org/view.php?id=CVE-2024-29209
07 May 2024 — A medium severity vulnerability has been identified in the update mechanism of the Phish Alert Button for Outlook, which could allow an attacker to remotely execute arbitrary code on the host machine. The vulnerability arises from the application's failure to securely verify the authenticity and integrity of the update server. The application periodically checks for updates by querying a specific URL. However, this process does not enforce strict SSL/TLS verification, nor does it validate the digital signat... • https://support.knowbe4.com/hc/en-us/articles/28959755127955-CVE-2024-29209 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-29210
https://notcve.org/view.php?id=CVE-2024-29210
07 May 2024 — A local privilege escalation (LPE) vulnerability has been identified in Phish Alert Button for Outlook (PAB), specifically within its configuration management functionalities. This vulnerability allows a regular user to modify the application's configuration file to redirect update checks to an arbitrary server, which can then be exploited in conjunction with CVE-2024-29209 to execute arbitrary code with elevated privileges. The issue stems from improper permission settings on the application's configuratio... • https://support.knowbe4.com/hc/en-us/articles/28959854203923-CVE-2024-29210 • CWE-269: Improper Privilege Management •