Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

In 2024, several significant vulnerabilities were identified within the Kubernetes and broader cloud-native ecosystem. In this post we have compiled a roundup of the most notable Common Vulnerabilities and Exposures (CVEs) reported this year.

With each organization facing over 30 critical or high-risk vulnerabilities per website/public-facing asset annually and 31% of these remaining open for over 180 days, the pressure to address vulnerabilities promptly is undeniable. Delays in patching not only increase the risk of breaches but also erode the trust of clients, vendors, and partners while compromising compliance efforts.

Web Pixel Audit is essential to address privacy risks and enhance data security. In this post, we’ll explore how to evaluate your organization’s use of these digital trackers and identify potential vulnerabilities.

On October 9, 2024, the security researchers at Astra Security found an HTML injection vulnerability in the messages section of the Admidio User Management solution. The vulnerability, assigned CVE-2024-47836, allows attackers to inject arbitrary HTML content into the application, which could manipulate webpage behavior, mislead users, and act as a precursor to further attacks.

The researchers from Astra’s security team, on November 6, 2024, found a Stored Cross-Site Scripting (XSS) in InstantCMS, a free and open-source CMS that allows you to build websites. The vulnerability was identified in the photo album page’s photo upload function.

As open-source software, Kubernetes gives a platform to orchestrate containers or control application deployment in a containerized way, simplifying their running. It is a scalable and efficient system that automatically deploys and scales applications so the developers can focus on their coding. In contrast, the system takes care of other underlying infrastructure work.

On 29 July 2024, the researchers at Astra identified a critical vulnerability in UnifiedTransform, a popular school management software. CVE-2024-53573 is an improper access control vulnerability in an admin endpoint, leading to an account takeover.