I'm posting another security alert here on the blog that has been sitting in my queue since mid-December 2024. CVE-2024-49147 was a critical elevation-of-privilege vulnerability in the Microsoft Update Catalog, the website from which administrators download Windows updates manually. Microsoft has since closed it.
German blog reader Jan V. had pointed this out to me, writing in mid-December 2024: "During the update check for the current Edge v131.0.2903.99 I accidentally 'stumbled' across the message about CVE-2024-49147 from Dec. 12, 2024, addressing a vulnerability in the Microsoft Update Catalog."
The screenshot above shows Microsoft's entry for CVE-2024-49147: the elevation-of-privilege vulnerability is rated critical, with a CVSS 3.1 base score of 9.3. Microsoft states that deserialization of untrusted data in the Microsoft Update Catalog allows an unauthorized attacker to elevate privileges on the website's web server, i.e. the flaw was in Microsoft's server-side web application, not in the update packages it serves.
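Microsoft's advisory names only the vulnerability class, "deserialization of untrusted data", and the Update Catalog's code is not public, so the following is an added illustration of that class and not the Catalog's actual code. It uses Python's pickle as a stand-in for whatever serializer the affected ASP.NET application used; the request fields (update_id, arch) and the payload bytes are constructed here for the example. The point it makes is that an object serializer will execute attacker-chosen code purely by loading client-supplied bytes, which is why such a bug becomes remote code execution on the web server, and it shows the two usual fixes: refusing all global lookups during unpickling, or, preferably, switching to a data-only format with schema checks.

```python
"""Illustration of "deserialization of untrusted data" (vulnerable and hardened
patterns). Not the Microsoft Update Catalog's code; pickle stands in for the
real serializer and all payloads below are constructed for the example."""
import io
import json
import pickle

EXECUTED = []  # records side effects triggered purely by deserializing bytes


def record_execution(msg):
    """Stand-in for attacker code; a real payload would call os.system etc."""
    EXECUTED.append(msg)
    return msg


class Malicious:
    """Attacker-controlled object: __reduce__ makes pickle call a function on load."""

    def __reduce__(self):
        return (record_execution, ("attacker code ran",))


def attacker_payload() -> bytes:
    """Constructed blob, as an attacker might POST it to the web server."""
    return pickle.dumps(Malicious())


def benign_payload() -> bytes:
    """Constructed blob of the data the application legitimately expects."""
    return pickle.dumps({"update_id": "KB0000000", "arch": "x64"})


def unsafe_load(blob: bytes):
    """Vulnerable pattern: deserialize client-supplied bytes directly."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened pattern 1: refuse every global lookup. Pickles of plain
    str/int/list/dict never call find_class, so this admits data only."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def safe_load(blob: bytes) -> dict:
    """Hardened pattern 2 (preferred): a data-only format plus schema checks."""
    obj = json.loads(blob.decode("utf-8"))
    if not isinstance(obj, dict) or set(obj) != {"update_id", "arch"}:
        raise ValueError("unexpected request shape")
    if not isinstance(obj["update_id"], str) or obj["arch"] not in ("x86", "x64", "arm64"):
        raise ValueError("invalid field value")
    return obj


def is_rejected(loader, blob: bytes) -> bool:
    """True if loader refuses blob instead of deserializing it."""
    try:
        loader(blob)
    except (pickle.UnpicklingError, ValueError):  # UnicodeDecodeError/JSONDecodeError are ValueErrors
        return True
    return False


if __name__ == "__main__":
    EXECUTED.clear()
    print("unsafe_load ->", unsafe_load(attacker_payload()), "| side effects:", EXECUTED)
    print("restricted_load rejects attacker blob:", is_rejected(restricted_load, attacker_payload()))
    print("restricted_load benign ->", restricted_load(benign_payload()))
    print("safe_load ->", safe_load(b'{"update_id": "KB0000000", "arch": "x64"}'))
```

Note that the allow-list approach only helps if the application truly never needs to deserialize objects; as soon as a legitimate class has to be admitted, gadget chains built from that class's own methods tend to reappear, which is why the data-only format is the stronger fix.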
Microsoft states that the vulnerability had already been fully mitigated by the time of disclosure. Because the flaw was in Microsoft's hosted service rather than in software installed on customer systems, there is nothing for administrators to patch. Still, the disclosure shows what kind of blunders can lurk under the hood of a service that administrators rely on for update packages.