好的,我现在需要帮用户总结一篇文章的内容,控制在100字以内。用户提供的文章是关于美国CISA机构将四个软件漏洞加入已知被利用漏洞目录的情况。 首先,我需要理解文章的主要内容。文章提到CISA添加了四个漏洞到KEV目录中,分别是Prettier eslint-config-prettier、Vite Vitejs、Versa Concerto SD-WAN平台和Synacor Zimbra Collaboration Suite的漏洞。每个漏洞都有CVE编号和CVSS评分,并且描述了各自的漏洞细节和影响。 接下来,我需要提取关键信息:CISA机构、四个软件名称、漏洞加入目录、影响范围以及修复要求。同时,用户要求不要使用特定的开头词,直接描述内容。 然后,我要将这些信息浓缩到100字以内。考虑到每个漏洞的细节可能太多,可以简化为提到四个软件及其类型,如供应链安全、访问控制等,并说明CISA要求修复的时间。 最后,确保语言简洁明了,不遗漏重要信息。检查字数是否符合要求,并调整句子结构以达到最佳效果。 </think> 美国网络安全和基础设施安全局(CISA)将Prettier eslint-config-prettier、Vite Vitejs、Versa Concerto SD-WAN平台和Synacor Zimbra Collaboration Suite的四个漏洞加入已知被利用漏洞目录,涉及供应链安全、访问控制和远程文件包含等问题,并要求联邦机构在2026年2月12日前修复这些漏洞。 2026-1-23 11:49:24 Author: securityaffairs.com(查看原文) 阅读量:1 收藏
U.S. CISA adds Prettier eslint-config-prettier, Vite Vitejs, Versa Concerto SD-WAN orchestration platform, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Prettier eslint-config-prettier, Vite Vitejs, Versa Concerto SD-WAN orchestration platform, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Prettier eslint-config-prettier, Vite Vitejs, Versa Concerto SD-WAN orchestration platform and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the flaws added to the catalog:
- CVE-2025-31125 (CVSS score of 5.3) Vite Vitejs Improper Access Control Vulnerability
- CVE-2025-34026 (CVSS score of 9.2) Versa Concerto Improper Authentication Vulnerability
- CVE-2025-54313 (CVSS score of 7.5) Prettier eslint-config-prettier Embedded Malicious Code Vulnerability
- CVE-2025-68645 (CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
The vulnerability CVE-2025-31125 in the JavaScript frontend framework Vite can expose the contents of non-allowed files via the ?inline&import or ?raw?import parameters. It affects applications that expose the Vite dev server to the network using --host or server.host. The issue is patched in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
The vulnerability CVE-2025-34026 is an authentication bypass in Versa Concerto SD-WAN caused by a Traefik reverse proxy misconfiguration, letting attackers access admin endpoints, heap dumps, and trace logs in versions 12.1.2–12.2.0.
The vulnerability CVE-2025-54313 is a supply-chain compromise affecting eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7. The packages contain embedded malicious code that runs during installation, executing an install.js script that launches the node-gyp.dll malware on Windows systems, potentially allowing arbitrary code execution.
The vulnerability CVE-2025-68645 is a Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration (ZCS) versions 10.0 and 10.1. Due to improper validation of user-supplied parameters in the RestFilter servlet, an unauthenticated remote attacker can send crafted requests to the /h/rest endpoint to manipulate internal request dispatching and include arbitrary files from the WebRoot directory, potentially exposing sensitive information.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by February 12, 2026.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)
如有侵权请联系:admin#unsafe.sh