Known Exploited Vulnerabilities Catalog

Download CSV version

Download JSON version

Download JSON schema

Subscribe to the Known Exploited Vulnerabilities Catalog Update Bulletin

Back to previous page for background on known exploited vulnerabilities

CVE Vendor/Project Product Vulnerability Name Date Added to Catalog Short Description Action Due Date Notes
CVE-2021-27104 Accellion FTA Accellion FTA OS Command Injection Vulnerability 2021-11-03 Accellion FTA contains an OS command injection vulnerability exploited via a crafted POST request to various admin endpoints. Apply updates per vendor instructions. 2021-11-17
CVE-2021-27102 Accellion FTA Accellion FTA OS Command Injection Vulnerability 2021-11-03 Accellion FTA contains an OS command injection vulnerability exploited via a local web service call. Apply updates per vendor instructions. 2021-11-17
CVE-2021-27101 Accellion FTA Accellion FTA SQL Injection Vulnerability 2021-11-03 Accellion FTA contains a SQL injection vulnerability exploited via a crafted host header in a request to document_root.html. Apply updates per vendor instructions. 2021-11-17
CVE-2021-27103 Accellion FTA Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability 2021-11-03 Accellion FTA contains a server-side request forgery (SSRF) vulnerability exploited via a crafted POST request to wmProgressstat.html. Apply updates per vendor instructions. 2021-11-17
CVE-2021-21017 Adobe Acrobat and Reader Adobe Acrobat and Reader Heap-based Buffer Overflow Vulnerability 2021-11-03 Acrobat Acrobat and Reader contain a heap-based buffer overflow vulnerability that could allow an unauthenticated attacker to achieve code execution in the context of the current user. Apply updates per vendor instructions. 2021-11-17
CVE-2021-28550 Adobe Acrobat and Reader Adobe Acrobat and Reader Use-After-Free Vulnerability 2021-11-03 Adobe Acrobat and Reader contains a use-after-free vulnerability that could allow an unauthenticated attacker to achieve code execution in the context of the current user. Apply updates per vendor instructions. 2021-11-17
CVE-2018-4939 Adobe ColdFusion Adobe ColdFusion Deserialization of Untrusted Data Vulnerability 2021-11-03 Adobe ColdFusion contains a deserialization of untrusted data vulnerability that could allow for code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2018-15961 Adobe ColdFusion Adobe ColdFusion Unrestricted File Upload Vulnerability 2021-11-03 Adobe ColdFusion contains an unrestricted file upload vulnerability that could allow for code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2018-4878 Adobe Flash Player Adobe Flash Player Use-After-Free Vulnerability 2021-11-03 Adobe Flash Player contains a use-after-free vulnerability that could allow for code execution. The impacted product is end-of-life and should be disconnected if still in use. 2022-05-03
CVE-2020-5735 Amcrest Cameras and Network Video Recorder (NVR) Amcrest Cameras and NVR Stack-based Buffer Overflow Vulnerability 2021-11-03 Amcrest cameras and NVR contain a stack-based buffer overflow vulnerability through port 37777 that allows an unauthenticated, remote attacker to crash the device and possibly execute code. Apply updates per vendor instructions. 2022-05-03
CVE-2019-2215 Android Android Kernel Android Kernel Use-After-Free Vulnerability 2021-11-03 Android Kernel contains a use-after-free vulnerability in binder.c which allows for privilege escalation from an application to the Linux Kernel. This vulnerability was observed chained with CVE-2020-0041 and CVE-2020-0069 under exploit chain "AbstractEmu." Apply updates per vendor instructions. 2022-05-03
CVE-2020-0041 Android Android Kernel Android Kernel Out-of-Bounds Write Vulnerability 2021-11-03 Android Kernel binder_transaction of binder.c contains an out-of-bounds write vulnerability due to an incorrect bounds check that could allow for local privilege escalation. This vulnerability was observed chained with CVE-2019-2215 and CVE-2020-0069 under exploit chain "AbstractEmu." Apply updates per vendor instructions. 2022-05-03
CVE-2020-0069 MediaTek Multiple Chipsets Mediatek Multiple Chipsets Insufficient Input Validation Vulnerability 2021-11-03 Multiple MediaTek chipsets contain an insufficient input validation vulnerability and have missing SELinux restrictions in the Command Queue drivers ioctl handlers. This causes an out-of-bounds write leading to privilege escalation. This vulnerability was observed chained with CVE-2019-2215 and CVE-2020-0041 under exploit chain "AbstractEmu." Apply updates per vendor instructions. 2022-05-03
CVE-2017-9805 Apache Struts Apache Struts Deserialization of Untrusted Data Vulnerability 2021-11-03 Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads. Apply updates per vendor instructions. 2022-05-03
CVE-2021-42013 Apache HTTP Server Apache HTTP Server Path Traversal Vulnerability 2021-11-03 Apache HTTP Server contains a path traversal vulnerability which allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under default �require all denied� or if CGI scripts are enabled. This CVE ID resolves an incomplete patch for CVE-2021-41773. Apply updates per vendor instructions. 2021-11-17
CVE-2021-41773 Apache HTTP Server Apache HTTP Server Path Traversal Vulnerability 2021-11-03 Apache HTTP Server contains a path traversal vulnerability which allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under default �require all denied� or if CGI scripts are enabled. The original patch issued under this CVE ID is insufficient, please review remediation information under CVE-2021-42013. Apply updates per vendor instructions. 2021-11-17
CVE-2019-0211 Apache HTTP Server Apache HTTP Server Privilege Escalation Vulnerability 2021-11-03 Apache HTTP Server, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute code with the privileges of the parent process (usually root) by manipulating the scoreboard. Apply updates per vendor instructions. 2022-05-03
CVE-2016-4437 Apache Shiro Apache Shiro Code Execution Vulnerability 2021-11-03 Apache Shiro contains a vulnerability which may allow remote attackers to execute code or bypass intended access restrictions via an unspecified request parameter when a cipher key has not been configured for the "remember me" feature. Apply updates per vendor instructions. 2022-05-03
CVE-2019-17558 Apache Solr Apache Solr VelocityResponseWriter Plug-In Remote Code Execution Vulnerability 2021-11-03 The Apache Solr VelocityResponseWriter plug-in contains an unspecified vulnerability which can allow for remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2020-17530 Apache Struts Apache Struts Remote Code Execution Vulnerability 2021-11-03 Forced Object-Graph Navigation Language (OGNL) evaluation in Apache Struts, when evaluated on raw user input in tag attributes, can lead to remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2017-5638 Apache Struts Apache Struts Remote Code Execution Vulnerability 2021-11-03 Apache Struts Jakarta Multipart parser allows for malicious file upload using the Content-Type value, leading to remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2018-11776 Apache Struts Apache Struts Remote Code Execution Vulnerability 2021-11-03 Apache Struts contains a vulnerability which allows for remote code execution under two circumstances. One, where the alwaysSelectFullNamespace option is true and the value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace. Or, using URL tag which doesn�t have value and action set and in same time, its upper package configuration have no or wildcard namespace. Apply updates per vendor instructions. 2022-05-03
CVE-2021-30858 Apple iOS, iPadOS, and macOS Apple iOS, iPadOS, macOS Use-After-Free Vulnerability 2021-11-03 Apple iOS, iPadOS, and macOS WebKit contains a use-after-free vulnerability that may allow for code execution when processing maliciously crafted web content. Apply updates per vendor instructions. 2021-11-17
CVE-2019-6223 Apple iOS and macOS Apple iOS and macOS Group Facetime Vulnerability 2021-11-03 Apple iOS and macOS Group FaceTime contains an unspecified vulnerability where the call initiator can cause the recipient's Apple device to answer unknowingly or without user interaction. Apply updates per vendor instructions. 2022-05-03
CVE-2021-30860 Apple Multiple Products Apple Multiple Products Integer Overflow Vulnerability 2021-11-03 Apple iOS, iPadOS, macOS, and watchOS CoreGraphics contain an integer overflow vulnerability which may allow code execution when processing a maliciously crafted PDF. The vulnerability is also known under the moniker of FORCEDENTRY. Apply updates per vendor instructions. 2021-11-17
CVE-2020-27930 Apple Multiple Products Apple Multiple Products Memory Corruption Vulnerability 2021-11-03 Apple iOS, iPadOS, macOS, and watchOS FontParser contain a memory corruption vulnerability which may allow for code execution when processing maliciously crafted front. Apply updates per vendor instructions. 2022-05-03
CVE-2021-30807 Apple Multiple Products Apple Multiple Products Memory Corruption Vulnerability 2021-11-03 Apple iOS, iPadOS, macOS, and watchOS IOMobileFrameBuffer contain a memory corruption vulnerability which may allow an application to execute code with kernel privileges. Apply updates per vendor instructions. 2021-11-17
CVE-2020-27950 Apple Multiple Products Apple Multiple Products Memory Initialization Vulnerability 2021-11-03 Apple iOS, iPadOS, macOS, and watchOS contain a memory initialization vulnerability that may allow a malicious application to disclose kernel memory. Apply updates per vendor instructions. 2022-05-03
CVE-2020-27932 Apple Multiple Products Apple Multiple Products Type Confusion Vulnerability 2021-11-03 Apple iOS, iPadOS, macOS, and watchOS contain a type confusion vulnerability that may allow a malicious application to execute code with kernel privileges. Apply updates per vendor instructions. 2022-05-03
CVE-2020-9818 Apple iOS, iPadOS, and watchOS Apple iOS, iPadOS, and watchOS Out-of-Bounds Write Vulnerability 2021-11-03 Apple iOS, iPadOS, and watchOS Mail contains an out-of-bounds write vulnerability which may allow memory modification or application termination when processing a maliciously crafted mail message. Apply updates per vendor instructions. 2022-05-03
CVE-2020-9819 Apple iOS, iPadOS, and watchOS Apple iOS, iPadOS, and watchOS Memory Corruption Vulnerability 2021-11-03 Apple iOS, iPadOS, and watchOS Mail contains a memory corruption vulnerability that may allow heap corruption when processing a maliciously crafted mail message. Apply updates per vendor instructions. 2022-05-03
CVE-2021-30762 Apple iOS Apple iOS Use-After-Free Vulnerability 2021-11-03 Apple iOS WebKit contains a use-after-free vulnerability which may allow for code execution when processing maliciously crafted web content. Apply updates per vendor instructions. 2021-11-17
CVE-2021-1782 Apple Multiple Products Apple Multiple Products Race Condition Vulnerability 2021-11-03 Apple iOS, iPadOs, macOS, watchOS, and tvOS contain a race condition vulnerability that may allow a malicious application to elevate privileges. Apply updates per vendor instructions. 2021-11-17
CVE-2021-1870 Apple iOS, iPadOS, and macOS Apple iOS, iPadOS, and macOS Remote Code Execution Vulnerability 2021-11-03 Apple iOS, iPadOS, and macOS WebKit contain an unspecified logic issue which may allow a remote attacker to execute code. Apply updates per vendor instructions. 2021-11-17
CVE-2021-1871 Apple iOS, iPadOS, and macOS Apple iOS, iPadOS, and macOS Remote Code Execution Vulnerability 2021-11-03 Apple iOS, iPadOS, and macOS WebKit contain an unspecified logic issue which may allow a remote attacker to execute code. Apply updates per vendor instructions. 2021-11-17
CVE-2021-1879 Apple iOS, iPadOS, and watchOS Apple iOS, iPadOS, and watchOS Cross-Site Scripting (XSS) Vulnerability 2021-11-03 Apple iOS, iPadOS, and watchOS WebKit contains a cross-site scripting (XSS) vulnerability when processing maliciously crafted web content. Apply updates per vendor instructions. 2021-11-17
CVE-2021-30661 Apple Multiple Products Apple Multiple Products Use-After-Free Vulnerability 2021-11-03 Apple iOS, iPadOS, macOS, watchOS, tvOS, and Safari WebKit Storage contain a use-after-free vulnerability which may allow for code execution when processing maliciously crafted web content. Apply updates per vendor instructions. 2021-11-17
CVE-2021-30666 Apple iOS Apple iOS Buffer Overflow Vulnerability 2021-11-03 Apple iOS WebKit contains a buffer-overflow vulnerability which may allow for code execution when processing maliciously crafted web content. Apply updates per vendor instructions. 2021-11-17
CVE-2021-30713 Apple macOS Apple macOS Unspecified Vulnerability 2021-11-03 Apple macOS Transparency, Consent, and Control (TCC) contains an unspecified permissions issue which may allow a malicious application to bypass privacy preferences. Apply updates per vendor instructions. 2021-11-17
CVE-2021-30657 Apple macOS Apple macOS Unspecified Vulnerability 2021-11-03 Apple macOS contains an unspecified logic issue in System Preferences that may allow a malicious application to bypass Gatekeeper checks. Apply updates per vendor instructions. 2021-11-17
CVE-2021-30665 Apple Multiple Products Apple Multiple Products Memory Corruption Vulnerability 2021-11-03 Apple iOS, iPadOS, macOS, watchOS, and tvOS WebKit contain a memory corruption vulnerability which may allow for code execution when processing maliciously crafted web content. Apply updates per vendor instructions. 2021-11-17
CVE-2021-30663 Apple Multiple Products Apple Multiple Products Integer Overflow Vulnerability 2021-11-03 Apple iOS, iPadOS, macOS, tvOS, and Safari WebKit contain an integer overflow vulnerability which may allow for code execution when processing maliciously crafted web content. Apply updates per vendor instructions. 2021-11-17
CVE-2021-30761 Apple iOS Apple iOS Memory Corruption Vulnerability 2021-11-03 Apple iOS WebKit contains a memory corruption vulnerability which may allow for code execution when processing maliciously crafted web content. Apply updates per vendor instructions. 2021-11-17
CVE-2021-30869 Apple iOS, iPadOS, and macOS Apple iOS, iPadOS, and macOS Type Confusion Vulnerability 2021-11-03 Apple iOS, iPadOS, and macOS contain a type confusion vulnerability in the XNU which may allow a malicious application to execute code with kernel privileges. Apply updates per vendor instructions. 2021-11-17
CVE-2020-9859 Apple Multiple Products Apple Multiple Products Code Execution Vulnerability 2021-11-03 Apple iOS, iPadOS, macOS, watchOS, and tvOS contain an unspecified vulnerability that may allow an application to execute code with kernel privileges. Apply updates per vendor instructions. 2022-05-03
CVE-2021-20090 Arcadyan Buffalo Firmware Arcadyan Buffalo Firmware Path Traversal Vulnerability 2021-11-03 Arcadyan Buffalo firmware contains a path traversal vulnerability that could allow unauthenticated, remote attackers to bypass authentication and access sensitive information. This vulnerability affects multiple routers across several different vendors. Apply updates per vendor instructions. 2021-11-17
CVE-2021-27562 Arm Trusted Firmware Arm Trusted Firmware Out-of-Bounds Write Vulnerability 2021-11-03 Arm Trusted Firmware contains an out-of-bounds write vulnerability allowing the non-secure (NS) world to trigger a system halt, overwrite secure data, or print out secure data when calling secure functions under the non-secure processing environment (NSPE) handler mode. This vulnerability affects Yealink Device Management servers. Apply updates per vendor instructions. 2021-11-17
CVE-2021-28664 Arm Mali Graphics Processing Unit (GPU) Arm Mali Graphics Processing Unit (GPU) Unspecified Vulnerability 2021-11-03 Arm Mali Graphics Processing Unit (GPU) kernel driver contains an unspecified vulnerability that may allow a non-privileged user to gain write access to read-only memory, gain root privilege, corrupt memory, and modify the memory of other processes. Apply updates per vendor instructions. 2021-11-17
CVE-2021-28663 Arm Mali Graphics Processing Unit (GPU) Arm Mali Graphics Processing Unit (GPU) Use-After-Free Vulnerability 2021-11-03 Arm Mali Graphics Processing Unit (GPU) kernel driver contains a use-after-free vulnerability that may allow a non-privileged user to make improper operations on GPU memory to gain root privilege, and/or disclose information. Apply updates per vendor instructions. 2021-11-17
CVE-2019-3398 Atlassian Confluence Server and Data Center Atlassian Confluence Server and Data Center Path Traversal Vulnerability 2021-11-03 Atlassian Confluence Server and Data Center contain a path traversal vulnerability in the downloadallattachments resource that may allow a privileged, remote attacker to write files. Exploitation can lead to remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2021-26084 Atlassian Confluence Server and Data Center Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability 2021-11-03 Atlassian Confluence Server and Data Server contain an Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute code. Apply updates per vendor instructions. 2021-11-17
CVE-2019-11580 Atlassian Crowd and Crowd Data Center Atlassian Crowd and Crowd Data Center Remote Code Execution Vulnerability 2021-11-03 Atlassian Crowd and Crowd Data Center contain a remote code execution vulnerability resulting from a pdkinstall development plugin being incorrectly enabled in release builds. Apply updates per vendor instructions. 2022-05-03
CVE-2019-3396 Atlassian Confluence Server and Data Server Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability 2021-11-03 Atlassian Confluence Server and Data Center contain a server-side template injection vulnerability that may allow an attacker to achieve path traversal and remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2021-42258 BQE BillQuick Web Suite BQE BillQuick Web Suite SQL Injection Vulnerability 2021-11-03 BQE BillQuick Web Suite contains an SQL injection vulnerability when accessing the username parameter that may allow for unauthenticated, remote code execution. Apply updates per vendor instructions. 2021-11-17
CVE-2020-3452 Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Cisco ASA and FTD Read-Only Path Traversal Vulnerability 2021-11-03 Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an improper input validation vulnerability when HTTP requests process URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. Apply updates per vendor instructions. 2022-05-03
CVE-2020-3580 Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Cisco ASA and FTD Cross-Site Scripting (XSS) Vulnerability 2021-11-03 Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an insufficient input validation vulnerability for user-supplied input by the web services interface. Successful exploitation could allow an attacker to perform cross-site scripting (XSS) in the context of the interface or access sensitive browser-based information. Apply updates per vendor instructions. 2022-05-03
CVE-2021-1497 Cisco HyperFlex HX Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability 2021-11-03 Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the�root�user. Apply updates per vendor instructions. 2021-11-17
CVE-2021-1498 Cisco HyperFlex HX Cisco HyperFlex HX Data Platform Command Injection Vulnerability 2021-11-03 Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the tomcat8 user. Apply updates per vendor instructions. 2021-11-17
CVE-2018-0171 Cisco IOS and IOS XE Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability 2021-11-03 Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected device, cause a denial-of-service (DoS) condition, or perform code execution on the affected device. Apply updates per vendor instructions. 2022-05-03
CVE-2020-3118 Cisco IOS XR Cisco IOS XR Software Discovery Protocol Format String Vulnerability 2021-11-03 Cisco IOS XR improperly validates string input from certain fields in Cisco Discovery Protocol messages. Exploitation could allow an unauthenticated, adjacent attacker to execute code with administrative privileges or cause a reload on an affected device. Apply updates per vendor instructions. 2022-05-03
CVE-2020-3566 Cisco IOS XR Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability 2021-11-03 Cisco IOS XR Distance Vector Multicast Routing Protocol (DVMRP) incorrectly handles Internet Group Management Protocol (IGMP) packets. Exploitation could allow an unauthenticated, remote attacker to immediately crash the IGMP process or make it consume available memory and eventually crash. Apply updates per vendor instructions. 2022-05-03
CVE-2020-3569 Cisco IOS XR Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability 2021-11-03 Cisco IOS XR Distance Vector Multicast Routing Protocol (DVMRP) incorrectly handles Internet Group Management Protocol (IGMP) packets. Exploitation could allow an unauthenticated, remote attacker to immediately crash the IGMP process or make it consume available memory and eventually crash. Apply updates per vendor instructions. 2022-05-03
CVE-2020-3161 Cisco Cisco IP Phones Cisco IP Phones Web Server Remote Code Execution and Denial-of-Service Vulnerability 2021-11-03 Cisco IP Phones contain an improper input validation vulnerability for HTTP requests. Exploitation could allow an attacker to execute code remotely with�root�privileges or cause a denial-of-service condition. Apply updates per vendor instructions. 2022-05-03
CVE-2019-1653 Cisco Small Business RV320 and RV325 Routers Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability 2021-11-03 Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers contain improper access controls for URLs. Exploitation could allow an attacker to download the router configuration or detailed diagnostic information. Apply updates per vendor instructions. 2022-05-03
CVE-2018-0296 Cisco Adaptive Security Appliance (ASA) Cisco Adaptive Security Appliance (ASA) Denial-of-Service Vulnerability 2021-11-03 Cisco Adaptive Security Appliance (ASA) contains an improper input validation vulnerability with HTTP URLs. Exploitation could allow an attacker to cause a denial-of-service condition or information disclosure. Apply updates per vendor instructions. 2022-05-03
CVE-2019-13608 Citrix StoreFront Server Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability 2021-11-03 Citrix StoreFront Server contains an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information. Apply updates per vendor instructions. 2022-05-03
CVE-2020-8193 Citrix Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP Appliance Citrix ADC, Gateway, and SD-WAN WANOP Appliance Authorization Bypass Vulnerability 2021-11-03 Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an authorization bypass vulnerability that may allow unauthenticated access to certain URL endpoints. The attacker must have access to the NetScaler IP (NSIP) in order to perform exploitation. Apply updates per vendor instructions. 2022-05-03
CVE-2020-8195 Citrix Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP Appliance Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability 2021-11-03 Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an information disclosure vulnerability. Apply updates per vendor instructions. 2022-05-03
CVE-2020-8196 Citrix Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP Appliance Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability 2021-11-03 Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an information disclosure vulnerability. Apply updates per vendor instructions. 2022-05-03
CVE-2019-19781 Citrix Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP Appliance Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability 2021-11-03 Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an unspecified vulnerability that could allow an unauthenticated attacker to perform code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2019-11634 Citrix Workspace Application and Receiver for Windows Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability 2021-11-03 Citrix Workspace Application and Receiver for Windows contains remote code execution vulnerability resulting from local drive access preferences not being enforced into the clients' local drives. Apply updates per vendor instructions. 2022-05-03
CVE-2020-29557 D-Link DIR-825 R1 Devices D-Link DIR-825 R1 Devices Buffer Overflow Vulnerability 2021-11-03 D-Link DIR-825 R1 devices contain a buffer overflow vulnerability in the web interface that may allow for remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2020-25506 D-Link DNS-320 Device D-Link DNS-320 Device Command Injection Vulnerability 2021-11-03 D-Link DNS-320 device contains a command injection vulnerability in the sytem_mgr.cgi component that may allow for remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2018-15811 DotNetNuke (DNN) DotNetNuke (DNN) DotNetNuke (DNN) Inadequate Encryption Strength Vulnerability 2021-11-03 DotNetNuke (DNN) contains an inadequate encryption strength vulnerability resulting from the use of a weak encryption algorithm to protect input parameters. Apply updates per vendor instructions. 2022-05-03
CVE-2018-18325 DotNetNuke (DNN) DotNetNuke (DNN) DotNetNuke (DNN) Inadequate Encryption Strength Vulnerability 2021-11-03 DotNetNuke (DNN) contains an inadequate encryption strength vulnerability resulting from the use of a weak encryption algorithm to protect input parameters. This CVE ID resolves an incomplete patch for CVE-2018-15811. Apply updates per vendor instructions. 2022-05-03
CVE-2017-9822 DotNetNuke (DNN) DotNetNuke (DNN) DotNetNuke (DNN) Remote Code Execution Vulnerability 2021-11-03 DotNetNuke (DNN) contains a vulnerability that may allow for remote code execution via cookie deserialization. Apply updates per vendor instructions. 2022-05-03
CVE-2019-15752 Docker Desktop Community Edition Docker Desktop Community Edition Privilege Escalation Vulnerability 2021-11-03 Docker Desktop Community Edition contains a vulnerability that may allow local users to escalate privileges by placing a trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\. Apply updates per vendor instructions. 2022-05-03
CVE-2020-8515 DrayTek Multiple Vigor Routers Multiple DrayTek Vigor Routers Web Management Page Vulnerability 2021-11-03 DrayTek Vigor3900, Vigor2960, and Vigor300B routers contain an unspecified vulnerability which allows for remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2018-7600 Drupal Drupal Core Drupal Core Remote Code Execution Vulnerability 2021-11-03 Drupal Core contains a remote code execution vulnerability that could allow an attacker to exploit multiple attack vectors on a Drupal site, resulting in complete site compromise. Apply updates per vendor instructions. 2022-05-03
CVE-2021-22205 GitLab Community and Enterprise Editions GitLab Community and Enterprise Editions Remote Code Execution Vulnerability 2021-11-03 GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse passes image file extensions through ExifTool, which improperly validates the image files. Apply updates per vendor instructions. 2021-11-17
CVE-2018-6789 Exim Exim Exim Buffer Overflow Vulnerability 2021-11-03 Exim contains a buffer overflow vulnerability in the base64d function part of the SMTP listener that may allow for remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2020-8657 EyesOfNetwork EyesOfNetwork EyesOfNetwork Use of Hard-Coded Credentials Vulnerability 2021-11-03 EyesOfNetwork contains a use of hard-coded credentials vulnerability, as it uses the same API key by default. Exploitation allows an attacker to calculate or guess the admin access token. Apply updates per vendor instructions. 2022-05-03
CVE-2020-8655 EyesOfNetwork EyesOfNetwork EyesOfNetwork Improper Privilege Management Vulnerability 2021-11-03 EyesOfNetwork contains an improper privilege management vulnerability that may allow a user to run commands as root via a crafted Nmap Scripting Engine (NSE) script to nmap7. Apply updates per vendor instructions. 2022-05-03
CVE-2020-5902 F5 BIG-IP F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability 2021-11-03 F5 BIG-IP Traffic Management User Interface (TMUI) contains a remote code execution vulnerability in undisclosed pages. Apply updates per vendor instructions. 2022-05-03
CVE-2021-22986 F5 BIG-IP and BIG-IQ Centralized Management F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability 2021-11-03 F5 BIG-IP and BIG-IQ Centralized Management contain a remote code execution vulnerability in the iControl REST interface that allows unauthenticated attackers with network access to execute system commands, create or delete files, and disable services. Apply updates per vendor instructions. 2021-11-17
CVE-2021-35464 ForgeRock Access Management (AM) ForgeRock Access Management (AM) Core Server Remote Code Execution Vulnerability 2021-11-03 ForgeRock Access Management (AM) Core Server allows an attacker who sends a specially crafted HTTP request to one of three endpoints (/ccversion/Version, /ccversion/Masthead, or /ccversion/ButtonFrame) to execute code in the context of the current user (unless ForgeRock AM is running as root user, which the vendor does not recommend). Apply updates per vendor instructions. 2021-11-17
CVE-2019-5591 Fortinet FortiOS Fortinet FortiOS Default Configuration Vulnerability 2021-11-03 Fortinet FortiOS contains a default configuration vulnerability that may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the Lightweight Directory Access Protocol (LDAP) server. Apply updates per vendor instructions. 2022-05-03
CVE-2020-12812 Fortinet FortiOS Fortinet FortiOS SSL VPN Improper Authentication Vulnerability 2021-11-03 Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to login successfully without being prompted for the second factor of authentication (FortiToken) if they change the case in their username. Apply updates per vendor instructions. 2022-05-03
CVE-2018-13379 Fortinet FortiOS Fortinet FortiOS SSL VPN Path Traversal Vulnerability 2021-11-03 Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests. Apply updates per vendor instructions. 2022-05-03
CVE-2020-16010 Google Chrome Google Chrome for Android Heap Buffer Overflow Vulnerability 2021-11-03 Google Chrome for Android contains a heap buffer overflow vulnerability which allows a remote attacker, who had compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML page. Apply updates per vendor instructions. 2022-05-03
CVE-2020-15999 Google Chrome Google Chrome Heap Buffer Overflow Vulnerability 2021-11-03 Google Chrome uses FreeType, an open-source software library to render fonts, which contains a heap buffer overflow vulnerability in the function Load_SBit_Png when processing PNG images embedded into fonts. This vulnerability is part of an exploit chain with CVE-2020-17087 on Windows and CVE-2020-16010 on Android. Apply updates per vendor instructions. 2021-11-17
CVE-2021-21166 Google Chromium Google Chromium Race Condition Vulnerability 2021-11-03 Google Chromium contains a race condition vulnerability in audio which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2021-11-17
CVE-2020-16017 Google Chrome Google Chrome Use-After-Free Vulnerability 2021-11-03 Google Chrome contains a use-after-free vulnerability within the site isolation component which allows a remote attacker, who had compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML page. Apply updates per vendor instructions. 2022-05-03
CVE-2021-37976 Google Chromium Google Chromium Information Disclosure Vulnerability 2021-11-03 Google Chromium contains an information disclosure vulnerability within the core memory component which allows a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. Apply updates per vendor instructions. 2021-11-17
CVE-2020-16009 Google Chromium V8 Engine Google Chromium V8 Type Confusion Vulnerability 2021-11-03 Google Chromium V8 Engine contains a type confusion vulnerability which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2022-05-03
CVE-2021-30632 Google Chromium V8 Engine Google Chromium V8 Out-of-Bounds Write Vulnerability 2021-11-03 Google Chromium V8 Engine contains an out-of-bounds write vulnerability which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2021-11-17
CVE-2020-16013 Google Chromium V8 Engine Google Chromium V8 Incorrect Implementation Vulnerabililty 2021-11-03 Google Chromium V8 Engine contains an incorrect implementation vulnerability which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. Apply updates per vendor instructions. 2022-05-03
CVE-2021-30633 Google Chromium Google Chromium Indexed DB API Use-After-Free Vulnerability 2021-11-03 Google Chromium Indexed DB API contains a use-after-free vulnerability which allows a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2021-11-17
CVE-2021-21148 Google Chromium V8 Engine Google Chromium V8 Heap Buffer Overflow Vulnerability 2021-11-03 Google Chromium V8 Engine contains a heap buffer overflow vulnerability which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2021-11-17
CVE-2021-37973 Google Chromium Google Chromium Use-After-Free Vulnerability 2021-11-03 Google Chromium Portals contains a use-after-free vulnerability which allows a remote attacker, who had compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2021-11-17
CVE-2021-30551 Google Chromium V8 Engine Google Chromium V8 Type Confusion Vulnerability 2021-11-03 Google Chromium V8 Engine contains a type confusion vulnerability which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2021-11-17
CVE-2021-37975 Google Chromium V8 Engine Google Chromium V8 Use-After-Free Vulnerability 2021-11-03 Google Chromium V8 Engine contains a use-after-free vulnerability which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2021-11-17
CVE-2020-6418 Google Chromium V8 Engine Google Chromium V8 Type Confusion Vulnerability 2021-11-03 Google Chromium V8 Engine contains a type confusion vulnerability allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. Apply updates per vendor instructions. 2022-05-03
CVE-2021-30554 Google Chromium Google Chromium Use-After-Free Vulnerability 2021-11-03 Google Chromium WebGL contains a use-after-free vulnerability which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2021-11-17
CVE-2021-21206 Google Chromium Google Chromium Use-After-Free Vulnerability 2021-11-03 Google Chromium Blink contains a use-after-free vulnerability which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2021-11-17
CVE-2021-38000 Google Chromium Google Chromium Improper Input Validation Vulnerability 2021-11-03 Google Chromium Intents contains an improper input validation vulnerability which allows a remote attacker to arbitrarily browser to a malicious URL via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2021-11-17
CVE-2021-38003 Google Chromium V8 Engine Google Chromium V8 Memory Corruption Vulnerability 2021-11-03 Google Chromium V8 Engine has a bug in JSON.stringify where the internal TheHole value can leak to script code causing memory corruption. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2021-11-17
CVE-2021-21224 Google Chromium V8 Engine Google Chromium V8 Type Confusion Vulnerability 2021-11-03 Google Chromium V8 Engine contains a type confusion vulnerability which allows a remote attacker to execute code inside a sandbox via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2021-11-17
CVE-2021-21193 Google Chromium Google Chromium Blink Use-After-Free Vulnerability 2021-11-03 Google Chromium Blink contains a use-after-free vulnerability which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2021-11-17
CVE-2021-21220 Google Chromium V8 Engine Google Chromium V8 Improper Input Validation Vulnerability 2021-11-03 Google Chromium V8 Engine contains an improper input validation vulnerability which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2021-11-17
CVE-2021-30563 Google Chromium V8 Engine Google Chromium V8 Type Confusion Vulnerability 2021-11-03 Google Chromium V8 Engine contains a type confusion vulnerability which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2021-11-17
CVE-2020-4430 IBM Data Risk Manager IBM Data Risk Manager Directory Traversal Vulnerability 2021-11-03 IBM Data Risk Manager contains a directory traversal vulnerability that could allow a remote authenticated attacker to traverse directories and send a specially crafted URL request to download arbitrary files from the system. Apply updates per vendor instructions. 2022-05-03
CVE-2020-4427 IBM Data Risk Manager IBM Data Risk Manager Security Bypass Vulnerability 2021-11-03 IBM Data Risk Manager contains a security bypass vulnerability that could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. Apply updates per vendor instructions. 2022-05-03
CVE-2020-4428 IBM Data Risk Manager IBM Data Risk Manager Remote Code Execution Vulnerability 2021-11-03 IBM Data Risk Manager contains an unspecified vulnerability which could allow a remote, authenticated attacker to execute commands on the system.� Apply updates per vendor instructions. 2022-05-03
CVE-2019-4716 IBM Planning Analytics IBM Planning Analytics Remote Code Execution Vulnerability 2021-11-03 IBM Planning Analytics is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. Apply updates per vendor instructions. 2022-05-03
CVE-2016-3715 ImageMagick ImageMagick ImageMagick Arbitrary File Deletion Vulnerability 2021-11-03 ImageMagick contains an unspecified vulnerability that could allow users to delete files by using ImageMagick's 'ephemeral' pseudo protocol, which deletes files after reading. Apply updates per vendor instructions. 2022-05-03
CVE-2016-3718 ImageMagick ImageMagick ImageMagick Server-Side Request Forgery (SSRF) Vulnerability 2021-11-03 ImageMagick contains an unspecified vulnerability which allows attackers to perform server-side request forgery (SSRF) via a crafted image. Apply updates per vendor instructions. 2022-05-03
CVE-2020-15505 Ivanti MobileIron Multiple Products Ivanti MobileIron Multiple Products Remote Code Execution Vulnerability 2021-11-03 Ivanti MobileIron's Core & Connector, Sentry, and Monitor and Reporting Database (RDB) products contain an unspecified vulnerability which allows for remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2021-30116 Kaseya Virtual System/Server Administrator (VSA) Kaseya Virtual System/Server Administrator (VSA) Information Disclosure Vulnerability 2021-11-03 Kaseya Virtual System/Server Administrator (VSA) contains an information disclosure vulnerability allowing an attacker to obtain the sessionId that can be used to execute further attacks against the system. Apply updates per vendor instructions. 2021-11-17
CVE-2020-7961 Liferay Liferay Portal Liferay Portal Deserialization of Untrusted Data Vulnerability 2021-11-03 Liferay Portal contains a deserialization of untrusted data vulnerability that allows remote attackers to execute code via JSON web services. Apply updates per vendor instructions. 2022-05-03
CVE-2021-23874 McAfee McAfee Total Protection (MTP) McAfee Total Protection (MTP) Improper Privilege Management Vulnerability 2021-11-03 McAfee Total Protection (MTP) contains an improper privilege management vulnerability that allows a local user to gain elevated privileges and execute code, bypassing MTP self-defense. Apply updates per vendor instructions. 2021-11-17
CVE-2021-22506 Micro Focus Micro Focus Access Manager Micro Focus Access Manager Information Leakage Vulnerability 2021-11-03 Micro Focus Access Manager contains an information leakage vulnerability resulting from a SAML service provider redirection issue when the Assertion Consumer Service URL is used. Apply updates per vendor instructions. 2021-11-17
CVE-2021-22502 Micro Focus Operation Bridge Reporter (OBR) Micro Focus Operation Bridge Report (OBR) Remote Code Execution Vulnerability 2021-11-03 Micro Focus Operation Bridge Report (OBR) contains an unspecified vulnerability that allows for remote code execution. Apply updates per vendor instructions. 2021-11-17
CVE-2014-1812 Microsoft Windows Microsoft Windows Group Policy Preferences Password Privilege Escalation Vulnerability 2021-11-03 Microsoft Windows Active Directory contains a privilege escalation vulnerability due to the way it distributes passwords that are configured using Group Policy preferences. An authenticated attacker who successfully exploits the vulnerability could decrypt the passwords and use them to elevate privileges on the domain. Apply updates per vendor instructions. 2022-05-03
CVE-2021-38647 Microsoft Open Management Infrastructure (OMI) Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability 2021-11-03 Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing remote code execution. Apply updates per vendor instructions. 2021-11-17
CVE-2016-0167 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2021-11-03 Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation via a crafted application Apply updates per vendor instructions. 2022-05-03
CVE-2020-0878 Microsoft Edge and Internet Explorer Microsoft Edge and Internet Explorer Memory Corruption Vulnerability 2021-11-03 Microsoft Edge and Internet Explorer contain a memory corruption vulnerability that allows attackers to execute code in the context of the current user. Apply updates per vendor instructions. 2022-05-03
CVE-2021-31955 Microsoft Windows Microsoft Windows Kernel Information Disclosure Vulnerability 2021-11-03 Microsoft Windows Kernel contains an unspecified vulnerability which allows for information disclosure. Successful exploitation allows attackers to read the contents of kernel memory from a user-mode process. Apply updates per vendor instructions. 2021-11-17
CVE-2021-1647 Microsoft Defender Microsoft Defender Remote Code Execution Vulnerability 2021-11-03 Microsoft Defender contains an unspecified vulnerability that allows for remote code execution. Apply updates per vendor instructions. 2021-11-17
CVE-2021-33739 Microsoft Desktop Window Manager (DWM) Core Library Microsoft Desktop Window Manager (DWM) Core Library Privilege Escalation Vulnerability 2021-11-03 Microsoft Desktop Window Manager (DWM) Core Library contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2021-11-17
CVE-2016-0185 Microsoft Windows Microsoft Windows Media Center Remote Code Execution Vulnerability 2021-11-03 Microsoft Windows Media Center contains a remote code execution vulnerability when Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. Apply updates per vendor instructions. 2022-05-03
CVE-2020-0683 Microsoft Windows Microsoft Windows Installer Privilege Escalation Vulnerability 2021-11-03 Microsoft Windows Installer contains a privilege escalation vulnerability when MSI packages process symbolic links, which allows attackers to bypass access restrictions to add or remove files. Apply updates per vendor instructions. 2022-05-03
CVE-2020-17087 Microsoft Windows Microsoft Windows Kernel Privilege Escalation Vulnerability 2021-11-03 Microsoft Windows kernel contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2022-05-03
CVE-2021-33742 Microsoft Windows Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability 2021-11-03 Microsoft Windows MSHTML Platform contains an unspecified vulnerability that allows for remote code execution. Apply updates per vendor instructions. 2021-11-17
CVE-2021-31199 Microsoft Enhanced Cryptographic Provider Microsoft Enhanced Cryptographic Provider Privilege Escalation Vulnerability 2021-11-03 Microsoft Enhanced Cryptographic Provider contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2021-11-17
CVE-2021-33771 Microsoft Windows Microsoft Windows Kernel Privilege Escalation Vulnerability 2021-11-03 Microsoft Windows kernel contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2021-11-17
CVE-2021-31956 Microsoft Windows Microsoft Windows NTFS Privilege Escalation Vulnerability 2021-11-03 Microsoft Windows New Technology File System (NTFS) contains an unspecified vulnerability that allows attackers to escalate privileges via a specially crafted application. Apply updates per vendor instructions. 2021-11-17
CVE-2021-31201 Microsoft Enhanced Cryptographic Provider Microsoft Enhanced Cryptographic Provider Privilege Escalation Vulnerability 2021-11-03 Microsoft Enhanced Cryptographic Provider contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2021-11-17
CVE-2021-31979 Microsoft Windows Microsoft Windows Kernel Privilege Escalation Vulnerability 2021-11-03 Microsoft Windows kernel contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2021-11-17
CVE-2020-0938 Microsoft Windows Microsoft Windows Adobe Font Manager Library Remote Code Execution Vulnerability 2021-11-03 Microsoft Windows Adobe Font Manager Library contains an unspecified vulnerability when handling specially crafted multi-master fonts (Adobe Type 1 PostScript format) that allows for remote code execution for all systems except Windows 10. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. Apply updates per vendor instructions. 2022-05-03
CVE-2020-17144 Microsoft Exchange Server Microsoft Exchange Server Remote Code Execution Vulnerability 2021-11-03 Microsoft Exchange Server improperly validates cmdlet arguments which allow an attacker to perform remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2020-0986 Microsoft Windows Microsoft Windows Kernel Privilege Escalation Vulnerability 2021-11-03 Microsoft Windows kernel contains an unspecified vulnerability when handling objects in memory that allows attackers to escalate privileges and execute code in kernel mode. Apply updates per vendor instructions. 2022-05-03
CVE-2020-1020 Microsoft Windows Microsoft Windows Adobe Font Manager Library Remote Code Execution Vulnerability 2021-11-03 Microsoft Windows Adobe Font Manager Library contains an unspecified vulnerability when handling specially crafted multi-master fonts (Adobe Type 1 PostScript format) that allows for remote code execution for all systems except Windows 10. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. Apply updates per vendor instructions. 2022-05-03
CVE-2021-38645 Microsoft Open Management Infrastructure (OMI) Microsoft Open Management Infrastructure (OMI) Privilege Escalation Vulnerability 2021-11-03 Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2021-11-17
CVE-2021-34523 Microsoft Exchange Server Microsoft Exchange Server Privilege Escalation Vulnerability 2021-11-03 Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2021-11-17
CVE-2017-7269 Microsoft Internet Information Services (IIS) Microsoft Windows Server Buffer Overflow Vulnerability 2021-11-03 Microsoft Windows Server 2003 R2 contains a buffer overflow vulnerability in Internet Information Services (IIS) 6.0 which allows remote attackers to execute code via a long header beginning with "If: Apply updates per vendor instructions. 2022-05-03
CVE-2021-36948 Microsoft Windows Microsoft Windows Update Medic Service Privilege Escalation Vulnerability 2021-11-03 Microsoft Windows Update Medic Service contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2021-11-17
CVE-2021-38649 Microsoft Open Management Infrastructure (OMI) Microsoft Open Management Infrastructure (OMI) Privilege Escalation Vulnerability 2021-11-03 Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing privilege escalation. Apply updates per vendor instructions. 2021-11-17
CVE-2020-0688 Microsoft Exchange Server Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability 2021-11-03 Microsoft Exchange Server Validation Key fails to properly create unique keys at install time, allowing for remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2017-0143 Microsoft Windows Microsoft Windows Server Message Block (SMBv1) Remote Code Execution Vulnerability 2021-11-03 Microsoft Windows Server Message Block 1.0 (SMBv1) contains an unspecified vulnerability that allows for remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2016-7255 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2021-11-03 Microsoft Win32k kernel-mode driver fails to properly handle objects in memory which allows for privilege escalation. Successful exploitation allows an attacker to run code in kernel mode. Apply updates per vendor instructions. 2022-05-03
CVE-2019-0708 Microsoft Remote Desktop Services Microsoft Remote Desktop Services Remote Code Execution Vulnerability 2021-11-03 Microsoft Remote Desktop Services, formerly known as Terminal Service, contains an unspecified vulnerability which allows an unauthenticated attacker to connect to the target system using RDP and send specially crafted requests. Successful exploitation allows for remote code execution. The vulnerability is also known under the moniker of BlueKeep. Apply updates per vendor instructions. 2022-05-03
CVE-2021-34473 Microsoft Exchange Server Microsoft Exchange Server Remote Code Execution Vulnerability 2021-11-03 Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. Apply updates per vendor instructions. 2021-11-17
CVE-2020-1464 Microsoft Windows Microsoft Windows Spoofing Vulnerability 2021-11-03 Microsoft Windows contains a spoofing vulnerability when Windows incorrectly validates file signatures, allowing an attacker to bypass security features and load improperly signed files. Apply updates per vendor instructions. 2022-05-03
CVE-2021-1732 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2021-11-03 Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2021-11-17
CVE-2021-34527 Microsoft Windows Microsoft Windows Print Spooler Remote Code Execution Vulnerability 2021-11-03 Microsoft Windows Print Spooler contains an unspecified vulnerability due to the Windows Print Spooler service improperly performing privileged file operations. Successful exploitation allows an attacker to perform remote code execution with SYSTEM privileges. The vulnerability is also known under the moniker of PrintNightmare. Apply updates per vendor instructions. 2021-07-20 Reference CISA's ED 21-04 (https://www.cisa.gov/emergency-directive-21-04) for further guidance and requirements.
CVE-2021-31207 Microsoft Exchange Server Microsoft Exchange Server Security Feature Bypass Vulnerability 2021-11-03 Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass. Apply updates per vendor instructions. 2021-11-17
CVE-2019-0803 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2021-11-03 Microsoft Win32k contains an unspecified vulnerability due to it failing to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel mode. Apply updates per vendor instructions. 2022-05-03
CVE-2020-1040 Microsoft Hyper-V RemoteFX Microsoft Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability 2021-11-03 Microsoft Hyper-V RemoteFX vGPU contains an improper input validation vulnerability due to the host server failing to properly validate input from an authenticated user on a guest operating system. Successful exploitation allows for remote code execution on the host operating system. Apply updates per vendor instructions. 2022-05-03
CVE-2021-28310 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2021-11-03 Microsoft Windows Win32k contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2021-11-17
CVE-2020-1350 Microsoft Windows Microsoft Windows DNS Server Remote Code Execution Vulnerability 2021-11-03 Microsoft Windows DNS Servers fail to properly handle requests, allowing an attacker to perform remote code execution in the context of the Local System Account. The vulnerability is also known under the moniker of SIGRed. Apply updates per vendor instructions. 2020-07-24 Reference CISA's ED 20-03 (https://www.cisa.gov/emergency-directive-20-03) for further guidance and requirements.
CVE-2021-26411 Microsoft Internet Explorer Microsoft Internet Explorer Memory Corruption Vulnerability 2021-11-03 Microsoft Internet Explorer contains an unspecified vulnerability which allows for memory corruption. Apply updates per vendor instructions. 2021-11-17
CVE-2019-0859 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2021-11-03 Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel mode. Apply updates per vendor instructions. 2022-05-03
CVE-2021-40444 Microsoft MSHTML Microsoft MSHTML Remote Code Execution Vulnerability 2021-11-03 Microsoft MSHTML contains a unspecified vulnerability which allows for remote code execution. Apply updates per vendor instructions. 2021-11-17
CVE-2017-8759 Microsoft .NET Framework Microsoft .NET Framework Remote Code Execution Vulnerability 2021-11-03 Microsoft .NET Framework contains a remote code execution vulnerability when processing untrusted input that could allow an attacker to take control of an affected system. Apply updates per vendor instructions. 2022-05-03
CVE-2018-8653 Microsoft Internet Explorer Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability 2021-11-03 Microsoft Internet Explorer contains a memory corruption vulnerability due to how the Scripting Engine handles objects in memory, leading to remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2019-0797 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2021-11-03 Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an attacker to execute code in kernel mode. Apply updates per vendor instructions. 2022-05-03
CVE-2021-36942 Microsoft Windows Microsoft Windows Local Security Authority (LSA) Spoofing Vulnerability 2021-11-03 Microsoft Windows Local Security Authority (LSA) contains a spoofing vulnerability allowing an unauthenticated attacker to call a method on the LSARPC interface and coerce the domain controller to authenticate against another server using NTLM. Apply updates per vendor instructions. 2021-11-17
CVE-2019-1215 Microsoft Windows Microsoft Windows Privilege Escalation Vulnerability 2021-11-03 Microsoft Windows contains an unspecified vulnerability due to the way ws2ifsl.sys (Winsock) handles objects in memory, allowing for privilege escalation. Successful exploitation allows an attacker to execute code with elevated privileges.� Apply updates per vendor instructions. 2022-05-03
CVE-2018-0798 Microsoft Office Microsoft Office Memory Corruption Vulnerability 2021-11-03 Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code execution in the context of the current user. This vulnerability is known to be chained with CVE-2018-0802. Apply updates per vendor instructions. 2022-05-03
CVE-2018-0802 Microsoft Office Microsoft Office Memory Corruption Vulnerability 2021-11-03 Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code execution in the context of the current user. This vulnerability is known to be chained with CVE-2018-0798. Apply updates per vendor instructions. 2022-05-03
CVE-2012-0158 Microsoft MSCOMCTL.OCX Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability 2021-11-03 Microsoft MSCOMCTL.OCX contains an unspecified vulnerability that allows for remote code execution, allowing an attacker to take complete control of an affected system under the context of the current user. Apply updates per vendor instructions. 2022-05-03
CVE-2015-1641 Microsoft Office Microsoft Office Memory Corruption Vulnerability 2021-11-03 Microsoft Office contains a memory corruption vulnerability due to failure to properly handle rich text format files in memory. Successful exploitation allows for remote code execution in the context of the current user. Apply updates per vendor instructions. 2022-05-03
CVE-2021-27085 Microsoft Internet Explorer Microsoft Internet Explorer Remote Code Execution Vulnerability 2021-11-03 Microsoft Internet Explorer contains an unspecified vulnerability that allows for remote code execution. Apply updates per vendor instructions. 2021-11-17
CVE-2019-0541 Microsoft MSHTML Microsoft MSHTML Remote Code Execution Vulnerability 2021-11-03 Microsoft MSHTML engine contains an improper input validation vulnerability which allows for remote code execution vulnerability. Apply updates per vendor instructions. 2022-05-03
CVE-2017-11882 Microsoft Office Microsoft Office Memory Corruption Vulnerability 2021-11-03 Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user. Apply updates per vendor instructions. 2022-05-03
CVE-2020-0674 Microsoft Internet Explorer Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability 2021-11-03 Microsoft Internet Explorer contains a memory corruption vulnerability due to the way the Scripting Engine handles objects in memory. Successful exploitation could allow remote code execution in the context of the current user. Apply updates per vendor instructions. 2022-05-03
CVE-2021-27059 Microsoft Office Microsoft Office Remote Code Execution Vulnerability 2021-11-03 Microsoft Office contains an unspecified vulnerability that allows for remote code execution. Apply updates per vendor instructions. 2021-11-17
CVE-2019-1367 Microsoft Internet Explorer Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability 2021-11-03 Microsoft Internet Explorer contains a memory corruption vulnerability in how the scripting engine handles objects in memory. Successful exploitation allows for remote code execution in the context of the current user. Apply updates per vendor instructions. 2022-05-03
CVE-2017-0199 Microsoft Office and WordPad Microsoft Office and WordPad Remote Code Execution Vulnerability 2021-11-03 Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2020-1380 Microsoft Internet Explorer Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability 2021-11-03 Microsoft Internet Explorer contains a memory corruption vulnerability which can allow for remote code execution in the context of the current user. Apply updates per vendor instructions. 2022-05-03
CVE-2019-1429 Microsoft Internet Explorer Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability 2021-11-03 Microsoft Internet Explorer contains a memory corruption vulnerability which can allow for remote code execution in the context of the current user. Apply updates per vendor instructions. 2022-05-03
CVE-2017-11774 Microsoft Office Microsoft Office Outlook Security Feature Bypass Vulnerability 2021-11-03 Microsoft Office Outlook contains a security feature bypass vulnerability due to improperly handling objects in memory. Successful exploitation allows an attacker to execute commands. Apply updates per vendor instructions. 2022-05-03
CVE-2020-0968 Microsoft Internet Explorer Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability 2021-11-03 Microsoft Internet Explorer contains a memory corruption vulnerability due to how the Scripting Engine handles objects in memory, leading to remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2020-1472 Microsoft Netlogon Microsoft Netlogon Privilege Escalation Vulnerability 2021-11-03 Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller. An attacker who successfully exploits the vulnerability could run a specially crafted application on a device on the network. The vulnerability is also known under the moniker of Zerologon. Apply updates per vendor instructions. 2020-09-21 Reference CISA's ED 20-03 (https://www.cisa.gov/emergency-directive-20-03) for further guidance and requirements.
CVE-2021-26855 Microsoft Exchange Server Microsoft Exchange Server Remote Code Execution Vulnerability 2021-11-03 Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain. Apply updates per vendor instructions. 2021-04-16 Reference CISA's ED 21-02 (https://www.cisa.gov/emergency-directive-21-02) for further guidance and requirements.
CVE-2021-26858 Microsoft Exchange Server Microsoft Exchange Server Remote Code Execution Vulnerability 2021-11-03 Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain. Apply updates per vendor instructions. 2021-04-16 Reference CISA's ED 21-02 (https://www.cisa.gov/emergency-directive-21-02) for further guidance and requirements.
CVE-2021-27065 Microsoft Exchange Server Microsoft Exchange Server Remote Code Execution Vulnerability 2021-11-03 Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain. Apply updates per vendor instructions. 2021-04-16 Reference CISA's ED 21-02 (https://www.cisa.gov/emergency-directive-21-02) for further guidance and requirements.
CVE-2020-1054 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2021-11-03 Microsoft Win32k contains a privilege escalation vulnerability when the Windows kernel-mode driver fails to properly handle objects in memory. Successful exploitation allows an attacker to execute code in kernel mode. Apply updates per vendor instructions. 2022-05-03
CVE-2021-1675 Microsoft Windows Microsoft Windows Print Spooler Remote Code Execution Vulnerability 2021-11-03 Microsoft Windows Print Spooler contains an unspecified vulnerability that allows for remote code execution. Apply updates per vendor instructions. 2021-11-17
CVE-2021-34448 Microsoft Windows Microsoft Windows Scripting Engine Memory Corruption Vulnerability 2021-11-03 Microsoft Windows Scripting Engine contains an unspecified vulnerability that allows for memory corruption. Apply updates per vendor instructions. 2021-11-17
CVE-2020-0601 Microsoft Windows Microsoft Windows CryptoAPI Spoofing Vulnerability 2021-11-03 Microsoft Windows CryptoAPI (Crypt32.dll) contains a spoofing vulnerability in the way it validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. The vulnerability is also known under the moniker of CurveBall. Apply updates per vendor instructions. 2020-01-29 Reference CISA's ED 20-02 (https://www.cisa.gov/emergency-directive-20-02) for further guidance and requirements.
CVE-2019-0604 Microsoft SharePoint Microsoft SharePoint Remote Code Execution Vulnerability 2021-11-03 Microsoft SharePoint fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run remote code in the context of the SharePoint application pool and the SharePoint server farm account. Apply updates per vendor instructions. 2022-05-03
CVE-2020-0646 Microsoft .NET Framework Microsoft .NET Framework Remote Code Execution Vulnerability 2021-11-03 Microsoft .NET Framework contains an improper input validation vulnerability that allows for remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2019-0808 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2021-11-03 Microsoft Win32k contains a privilege escalation vulnerability due to the component failing to properly handle objects in memory. Successful exploitation allows an attacker to run code in kernel mode. Apply updates per vendor instructions. 2022-05-03
CVE-2021-26857 Microsoft Exchange Server Microsoft Exchange Server Remote Code Execution Vulnerability 2021-11-03 Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain. Apply updates per vendor instructions. 2021-04-16 Reference CISA's ED 21-02 (https://www.cisa.gov/emergency-directive-21-02) for further guidance and requirements.
CVE-2020-1147 Microsoft .NET Framework, SharePoint, Visual Studio Microsoft .NET Framework, SharePoint, and Visual Studio Remote Code Execution Vulnerability 2021-11-03 Microsoft .NET Framework, Microsoft SharePoint, and Visual Studio contain a remote code execution vulnerability when the software fails to check the source markup of XML file input. Successful exploitation allows an attacker to execute code in the context of the process responsible for deserialization of the XML content. Apply updates per vendor instructions. 2022-05-03
CVE-2019-1214 Microsoft Windows Microsoft Windows Privilege Common Log File System (CLFS) Escalation Vulnerability 2021-11-03 Microsoft Windows Common Log File System (CLFS) driver improperly handles objects in memory which can allow for privilege escalation. Apply updates per vendor instructions. 2022-05-03
CVE-2016-3235 Microsoft Office Microsoft Office OLE DLL Side Loading Vulnerability 2021-11-03 Microsoft Office Object Linking & Embedding (OLE) dynamic link library (DLL) contains a side loading vulnerability due to it improperly validating input before loading libraries. Successful exploitation allows for remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2019-0863 Microsoft Windows Microsoft Windows Error Reporting (WER) Privilege Escalation Vulnerability 2021-11-03 Microsoft Windows Error Reporting (WER) contains a privilege escalation vulnerability due to the way it handles files, allowing for code execution in kernel mode. Apply updates per vendor instructions. 2022-05-03
CVE-2021-36955 Microsoft Windows Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability 2021-11-03 Microsoft Windows Common Log File System (CLFS) driver contains an unspecified vulnerability which allows for privilege escalation. Apply updates per vendor instructions. 2021-11-17
CVE-2021-38648 Microsoft Open Management Infrastructure (OMI) Microsoft Open Management Infrastructure (OMI) Privilege Escalation Vulnerability 2021-11-03 Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing privilege escalation. Apply updates per vendor instructions. 2021-11-17
CVE-2020-6819 Mozilla Firefox and Thunderbird Mozilla Firefox And Thunderbird Use-After-Free Vulnerability 2021-11-03 Mozilla Firefox and Thunderbird contain a race condition vulnerability when running the nsDocShell destructor under certain conditions. The race condition creates a use-after-free vulnerability, causing unspecified impacts. Apply updates per vendor instructions. 2022-05-03
CVE-2020-6820 Mozilla Firefox and Thunderbird Mozilla Firefox And Thunderbird Use-After-Free Vulnerability 2021-11-03 Mozilla Firefox and Thunderbird contain a race condition vulnerability when handling a ReadableStream under certain conditions. The race condition creates a use-after-free vulnerability, causing unspecified impacts. Apply updates per vendor instructions. 2022-05-03
CVE-2019-17026 Mozilla Firefox and Thunderbird Mozilla Firefox And Thunderbird Type Confusion Vulnerability 2021-11-03 Mozilla Firefox and Thunderbird contain a type confusion vulnerability due to incorrect alias information in the IonMonkey JIT compiler when setting array elements. Apply updates per vendor instructions. 2022-05-03
CVE-2019-15949 Nagios Nagios XI Nagios XI Remote Code Execution Vulnerability 2021-11-03 Nagios XI contains a remote code execution vulnerability in which a user can modify the check_plugin executable and insert malicious commands to execute as root. Apply updates per vendor instructions. 2022-05-03
CVE-2020-26919 NETGEAR JGS516PE Devices Netgear JGS516PE Devices Missing Function Level Access Control Vulnerability 2021-11-03 Netgear JGS516PE devices contain a missing function level access control vulnerability. Apply updates per vendor instructions. 2022-05-03
CVE-2019-19356 Netis WF2419 Devices Netis WF2419 Devices Remote Code Execution Vulnerability 2021-11-03 Netis WF2419 devices contains an unspecified vulnerability which allows an attacker to perform remote code execution as root through the router's web management page. Apply updates per vendor instructions. 2022-05-03
CVE-2020-2555 Oracle Multiple Products Oracle Multiple Products Remote Code Execution Vulnerability 2021-11-03 Multiple Oracle products contain a remote code execution vulnerability that allows an unauthenticated attacker with network access via T3 or HTTP to takeover the affected system. Impacted Oracle products: Oracle Coherence in Fusion Middleware, Oracle Utilities Framework, Oracle Retail Assortment Planning, Oracle Commerce, Oracle Communications Diameter Signaling Router (DSR). Apply updates per vendor instructions. 2022-05-03
CVE-2012-3152 Oracle Fusion Middleware Oracle Fusion Middleware Unspecified Vulnerability 2021-11-03 Oracle Fusion Middleware Reports Developer contains an unspecified vulnerability that allows remote attackers to affect confidentiality and integrity of affected systems. Apply updates per vendor instructions. 2022-05-03
CVE-2020-14871 Oracle Solaris and Zettabyte File System (ZFS) Oracle Solaris and Zettabyte File System (ZFS) Unspecified Vulnerability 2021-11-03 Oracle Solaris and Oracle ZFS Storage Appliance Kit contain an unspecified vulnerability causing high impacts to confidentiality, integrity, and availability of affected systems. Apply updates per vendor instructions. 2022-05-03
CVE-2015-4852 Oracle WebLogic Server Oracle WebLogic Server Deserialization of Untrusted Data Vulnerability 2021-11-03 Oracle WebLogic Server contains a deserialization of untrusted data vulnerability within Apache Commons, which can allow for for remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2020-14750 Oracle WebLogic Server Oracle WebLogic Server Remote Code Execution Vulnerability 2021-11-03 Oracle WebLogic Server contains an unspecified vulnerability allowing an unauthenticated attacker to perform remote code execution. This vulnerability is related to CVE-2020-14882. Apply updates per vendor instructions. 2022-05-03
CVE-2020-14882 Oracle WebLogic Server Oracle WebLogic Server Remote Code Execution Vulnerability 2021-11-03 Oracle WebLogic Server contains an unspecified vulnerability, which is assessed to allow for remote code execution, based on this vulnerability being related to CVE-2020-14750. Apply updates per vendor instructions. 2022-05-03
CVE-2020-14883 Oracle WebLogic Server Oracle WebLogic Server Unspecified Vulnerability 2021-11-03 Oracle WebLogic Server contains an unspecified vulnerability in the Console component with high impacts to confidentilaity, integrity, and availability. Apply updates per vendor instructions. 2022-05-03
CVE-2020-8644 PlaySMS PlaySMS PlaySMS Server-Side Template Injection Vulnerability 2021-11-03 PlaySMS contains a server-side template injection vulnerability that allows for remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2019-18935 Progess Telerik UI for ASP.NET AJAX Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability 2021-11-03 Progess Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the server in the context of the w3wp.exe process. Apply updates per vendor instructions. 2022-05-03
CVE-2021-22893 Ivanti Pulse Connect Secure Ivanti Pulse Connect Secure Use-After-Free Vulnerability 2021-11-03 Ivanti Pulse Connect Secure contains a use-after-free vulnerability that allow a remote, unauthenticated attacker to execute code via license services. Apply updates per vendor instructions. 2021-04-23 Reference CISA's ED 21-03 (https://www.cisa.gov/emergency-directive-21-03) for further guidance and requirements.
CVE-2020-8243 Ivanti Pulse Connect Secure Ivanti Pulse Connect Secure Code Execution Vulnerability 2021-11-03 Ivanti Pulse Connect Secure contains an unspecified vulnerability in the admin web interface that could allow an authenticated attacker to upload a custom template to perform code execution. Apply updates per vendor instructions. 2021-04-23 Reference CISA's ED 21-03 (https://www.cisa.gov/emergency-directive-21-03) for further guidance and requirements.
CVE-2021-22900 Ivanti Pulse Connect Secure Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability 2021-11-03 Ivanti Pulse Connect Secure contains an unrestricted file upload vulnerability that allows an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface. Apply updates per vendor instructions. 2021-04-23 Reference CISA's ED 21-03 (https://www.cisa.gov/emergency-directive-21-03) for further guidance and requirements.
CVE-2021-22894 Ivanti Pulse Connect Secure Ivanti Pulse Connect Secure Collaboration Suite Buffer Overflow Vulnerability 2021-11-03 Ivanti Pulse Connect Secure Collaboration Suite contains a buffer overflow vulnerabilities that allows a remote authenticated users to execute code as the root user via maliciously crafted meeting room. Apply updates per vendor instructions. 2021-04-23 Reference CISA's ED 21-03 (https://www.cisa.gov/emergency-directive-21-03) for further guidance and requirements.
CVE-2020-8260 Ivanti Pulse Connect Secure Ivanti Pulse Connect Secure Code Execution Vulnerability 2021-11-03 Pulse Connect Secure contains an unspecified vulnerability that allows an authenticated attacker to perform code execution using uncontrolled gzip extraction. Apply updates per vendor instructions. 2021-04-23 Reference CISA's ED 21-03 (https://www.cisa.gov/emergency-directive-21-03) for further guidance and requirements.
CVE-2021-22899 Ivanti Pulse Connect Secure Ivanti Pulse Connect Secure Command Injection Vulnerability 2021-11-03 Ivanti Pulse Connect Secure contains a command injection vulnerability that allows remote authenticated users to perform remote code execution via Windows File Resource Profiles. Apply updates per vendor instructions. 2021-04-23 Reference CISA's ED 21-03 (https://www.cisa.gov/emergency-directive-21-03) for further guidance and requirements.
CVE-2019-11510 Ivanti Pulse Connect Secure Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability 2021-11-03 Ivanti Pulse Connect Secure contains an arbitrary file read vulnerability that allows an unauthenticated remote attacker with network access via HTTPS to send a specially crafted URI. Apply updates per vendor instructions. 2021-04-23 Reference CISA's ED 21-03 (https://www.cisa.gov/emergency-directive-21-03) for further guidance and requirements.
CVE-2019-11539 Ivanti Pulse Connect Secure and Pulse Policy Secure Ivanti Pulse Connect Secure and Policy Secure Command Injection Vulnerability 2021-11-03 Ivanti Pulse Connect Secure and Policy Secure allows an authenticated attacker from the admin web interface to inject and execute commands. Apply updates per vendor instructions. 2022-05-03
CVE-2021-1906 Qualcomm Multiple Chipsets Qualcomm Multiple Chipsets Detection of Error Condition Without Action Vulnerability 2021-11-03 Multiple Qualcomm chipsets contain a detection of error condition without action vulnerability when improper handling of address deregistration on failure can lead to new GPU address allocation failure. Apply updates per vendor instructions. 2021-11-17
CVE-2021-1905 Qualcomm Multiple Chipsets Qualcomm Multiple Chipsets Use-After-Free Vulnerability 2021-11-03 Multiple Qualcomm Chipsets contain a use after free vulnerability due to improper handling of memory mapping of multiple processes simultaneously. Apply updates per vendor instructions. 2022-05-03
CVE-2020-10221 rConfig rConfig rConfig OS Command Injection Vulnerability 2021-11-03 rConfig lib/ajaxHandlers/ajaxAddTemplate.php contains an OS command injection vulnerability which allows remote attackers to execute OS commands via shell metacharacters in the fileName POST parameter. Apply updates per vendor instructions. 2022-05-03
CVE-2021-35395 Realtek AP-Router SDK Realtek AP-Router SDK Buffer Overflow Vulnerability 2021-11-03 Realtek AP-Router SDK HTTP web server �boa� contains a buffer overflow vulnerability due to unsafe copies of some overly long parameters submitted in the form that lead to denial-of-service. Apply updates per vendor instructions. 2021-11-17
CVE-2017-16651 Roundcube Roundcube Webmail Roundcube Webmail File Disclosure Vulnerability 2021-11-03 Roundcube Webmail contains a file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default. Apply updates per vendor instructions. 2022-05-03
CVE-2020-11652 SaltStack Salt SaltStack Salt Path Traversal Vulnerability 2021-11-03 SaltStack Salt contains a path traversal vulnerability in the salt-master process ClearFuncs which allows directory access to authenticated users. Salt users who follow fundamental internet security guidelines and best practices are not affected by this vulnerability. Apply updates per vendor instructions. 2022-05-03
CVE-2020-11651 SaltStack Salt SaltStack Salt Authentication Bypass Vulnerability 2021-11-03 SaltStack Salt contains an authentication bypass vulnerability in the salt-master process ClearFuncs due to improperly validating method calls. The vulnerability allows a remote user to access some methods without authentication, which can be used to retrieve user tokens from the salt master and/or run commands on salt minions. Salt users who follow fundamental internet security guidelines and best practices are not affected by this vulnerability. Apply updates per vendor instructions. 2022-05-03
CVE-2020-16846 SaltStack Salt SaltStack Salt Shell Injection Vulnerability 2021-11-03 SaltStack Salt allows an unauthenticated user with network access to the Salt API to use shell injections to run code on the Salt API using the SSH client. This vulnerability affects any users running the Salt API. Apply updates per vendor instructions. 2022-05-03
CVE-2018-2380 SAP Customer Relationship Management (CRM) SAP Customer Relationship Management (CRM) Path Traversal Vulnerability 2021-11-03 SAP Customer Relationship Management (CRM) contains a path traversal vulnerability that allows an attacker to exploit insufficient validation of path information provided by users. Apply updates per vendor instructions. 2022-05-03
CVE-2010-5326 SAP NetWeaver SAP NetWeaver Remote Code Execution Vulnerability 2021-11-03 SAP NetWeaver Application Server Java Platforms Invoker Servlet does not require authentication, allowing for remote code execution via a HTTP or HTTPS request. Apply updates per vendor instructions. 2022-05-03
CVE-2016-9563 SAP NetWeaver SAP NetWeaver XML External Entity (XXE) Vulnerability 2021-11-03 SAP NetWeaver Application Server Java Platforms contains an unspecified vulnerability in BC-BMT-BPM-DSK which allows remote, authenticated users to conduct XML External Entity (XXE) attacks. Apply updates per vendor instructions. 2022-05-03
CVE-2020-6287 SAP NetWeaver SAP NetWeaver Missing Authentication for Critical Function Vulnerability 2021-11-03 SAP NetWeaver Application Server Java Platforms contains a missing authentication for critical function vulnerability allowing unauthenticated access to execute configuration tasks and create administrative users. Apply updates per vendor instructions. 2022-05-03
CVE-2020-6207 SAP Solution Manager SAP Solution Manager Missing Authentication for Critical Function Vulnerability 2021-11-03 SAP Solution Manager User Experience Monitoring contains a missing authentication for critical function vulnerability which results in complete compromise of all SMDAgents connected to the Solution Manager. Apply updates per vendor instructions. 2022-05-03
CVE-2016-3976 SAP NetWeaver SAP NetWeaver Directory Traversal Vulnerability 2021-11-03 SAP NetWeaver Application Server Java Platforms contains a directory traversal vulnerability via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet. This allows remote attackers to read files. Apply updates per vendor instructions. 2022-05-03
CVE-2019-16256 SIMalliance Toolbox Browser SIMalliance Toolbox Browser Command Injection Vulnerability 2021-11-03 SIMalliance Toolbox Browser contains an command injection vulnerability that could allow remote attackers to retrieve location and IMEI information or execute a range of other attacks by modifying the attack message. Apply updates per vendor instructions. 2022-05-03
CVE-2020-10148 SolarWinds Orion SolarWinds Orion Authentication Bypass Vulnerability 2021-11-03 SolarWinds Orion API contains an authentication bypass vulnerability that could allow a remote attacker to execute API commands. Apply updates per vendor instructions. 2022-05-03
CVE-2021-35211 SolarWinds Serv-U SolarWinds Serv-U Remote Code Execution Vulnerability 2021-11-03 SolarWinds Serv-U contains an unspecified memory escape vulnerability which can allow for remote code execution. Apply updates per vendor instructions. 2021-11-17
CVE-2016-3643 SolarWinds Virtualization Manager SolarWinds Virtualization Manager Privilege Escalation Vulnerability 2021-11-03 SolarWinds Virtualization Manager allows for privilege escalation through leveraging a misconfiguration of sudo. Apply updates per vendor instructions. 2022-05-03
CVE-2020-10199 Sonatype Nexus Repository Sonatype Nexus Repository Remote Code Execution Vulnerability 2021-11-03 Sonatype Nexus Repository contains an unspecified vulnerability which allows for remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2021-20021 SonicWall SonicWall Email Security SonicWall Email Security Improper Privilege Management Vulnerability 2021-11-03 SonicWall Email Security contains an improper privilege management vulnerability which allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host. This vulnerability has known usage in a SonicWall Email Security exploit chain along with CVE-2021-20022 and CVE-2021-20023 to achieve privilege escalation. Apply updates per vendor instructions. 2021-11-17
CVE-2019-7481 SonicWall SMA100 SonicWall SMA100 SQL Injection Vulnerability 2021-11-03 SonicWall SMA100 contains a SQL injection vulnerability allowing an unauthenticated user to gain read-only access to unauthorized resources. Apply updates per vendor instructions. 2022-05-03
CVE-2021-20022 SonicWall SonicWall Email Security SonicWall Email Security Unrestricted Upload of File Vulnerability 2021-11-03 SonicWall Email Security contains an unrestricted upload of file with dangerous type vulnerability that allows a post-authenticated attacker to upload a file to the remote host. This vulnerability has known usage in a SonicWall Email Security exploit chain along with CVE-2021-20021 and CVE-2021-20023 to achieve privilege escalation. Apply updates per vendor instructions. 2021-11-17
CVE-2021-20023 SonicWall SonicWall Email Security SonicWall Email Security Path Traversal Vulnerability 2021-11-03 SonicWall Email Security contains a path traversal vulnerability that allows a post-authenticated attacker to read files on the remote host. This vulnerability has known usage in a SonicWall Email Security exploit chain along with CVE-2021-20021 and CVE-2021-20022 to achieve privilege escalation. Apply updates per vendor instructions. 2021-11-17
CVE-2021-20016 SonicWall SSLVPN SMA100 SonicWall SSLVPN SMA100 SQL Injection Vulnerability 2021-11-03 SonicWall SSLVPN SMA100 contains a SQL injection vulnerability which allows remote exploitation for credential access by an unauthenticated attacker. Apply updates per vendor instructions. 2021-11-17
CVE-2020-12271 Sophos SFOS Sophos SFOS SQL Injection Vulnerability 2021-11-03 Sophos Firewall operating system (SFOS) firmware contains a SQL injection vulnerability when configured with either the administration (HTTPS) service or the User Portal is exposed on the WAN zone. Successful exploitation may cause remote code execution to exfiltrate usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords). Apply updates per vendor instructions. 2022-05-03
CVE-2020-10181 Sumavision Enhanced Multimedia Router (EMR) Sumavision EMR Cross-Site Request Forgery (CSRF) Vulnerability 2021-11-03 Sumavision Enhanced Multimedia Router (EMR) contains a cross-site request forgery (CSRF) vulnerability allowing the creation of users with elevated privileges as administrator on a device. Apply updates per vendor instructions. 2022-05-03
CVE-2017-6327 Symantec Symantec Messaging Gateway Symantec Messaging Gateway Remote Code Execution Vulnerability 2021-11-03 Symantec Messaging Gateway contains an unspecified vulnerability which can allow for remote code execution. With the ability to perform remote code execution, an attacker may also desire to perform privilege escalating actions. Apply updates per vendor instructions. 2022-05-03
CVE-2019-18988 TeamViewer Desktop TeamViewer Desktop Bypass Remote Login Vulnerability 2021-11-03 TeamViewer Desktop allows for bypass of remote-login access control because the same AES key is used for different customers' installations. If an attacker were to know this key, they could decrypt protected information stored in registry or configuration files or decryption of the Unattended Access password to the system (which allows for remote login to the system). Apply updates per vendor instructions. 2022-05-03
CVE-2017-9248 Progess ASP.NET AJAX and Sitefinity Progress Telerik UI for ASP.NET AJAX and Sitefinity Cryptographic Weakness Vulnerability 2021-11-03 Progress Telerik UI for ASP.NET AJAX and Sitefinity have a cryptographic weakness in Telerik.Web.UI.dll that can be exploited to disclose encryption keys (Telerik.Web.UI.DialogParametersEncryptionKey and/or the MachineKey), perform cross-site-scripting (XSS) attacks, compromise the ASP.NET ViewState, and/or upload and download files. Apply updates per vendor instructions. 2022-05-03
CVE-2021-31755 Tenda AC11 Router Tenda AC11 Router Stack Buffer Overflow Vulnerability 2021-11-03 Tenda AC11 devices contain a stack buffer overflow vulnerability in /goform/setmac which allows attackers to execute code via a crafted post request. Apply updates per vendor instructions. 2021-11-17
CVE-2020-10987 Tenda AC1900 Router AC15 Model Tenda AC1900 Router AC15 Model Remote Code Execution Vulnerability 2021-11-03 Tenda AC1900 Router AC15 Model contains an unspecified vulnerability which allows remote attackers to execute system commands via the deviceName POST parameter. Apply updates per vendor instructions. 2022-05-03
CVE-2018-14558 Tenda AC7, AC9, and AC10 Routers Tenda AC7, AC9, and AC10 Routers Command Injection Vulnerability 2021-11-03 Tenda AC7, AC9, and AC10 devices contain a command injection vulnerability due to the "formsetUsbUnload" function executes a dosystemCmd function with untrusted input. Successful exploitation allows an attacker to execute OS commands via a crafted goform/setUsbUnload request. Apply updates per vendor instructions. 2022-05-03
CVE-2018-20062 ThinkPHP noneCms ThinkPHP "noneCms" Remote Code Execution Vulnerability 2021-11-03 ThinkPHP "noneCms" contains an unspecified vulnerability which allows for remote code execution through crafted use of the filter parameter. Apply updates per vendor instructions. 2022-05-03
CVE-2019-9082 ThinkPHP ThinkPHP ThinkPHP Remote Code Execution Vulnerability 2021-11-03 ThinkPHP contains an unspecified vulnerability which allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command. Apply updates per vendor instructions. 2022-05-03
CVE-2019-18187 Trend Micro OfficeScan Trend Micro OfficeScan Directory Traversal Vulnerability 2021-11-03 Trend Micro OfficeScan contains a directory traversal vulnerability by extracting files from a zip file to a specific folder on the OfficeScan server, leading to remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2020-8467 Trend Micro Apex One and OfficeScan Trend Micro Apex One and OfficeScan Remote Code Execution Vulnerability 2021-11-03 Trend Micro Apex One and OfficeScan contain an unspecified vulnerability within a migration tool component that allows for remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2020-8468 Trend Micro Apex One, OfficeScan and Worry-Free Business Security Agents Trend Micro Multiple Products Content Validation Escape Vulnerability 2021-11-03 Trend Micro Apex One, OfficeScan, and Worry-Free Business Security agents contain a content validation escape vulnerability that could allow an attacker to manipulate certain agent client components. Apply updates per vendor instructions. 2022-05-03
CVE-2020-24557 Trend Micro Apex One, OfficeScan, and Worry-Free Business Security Trend Micro Multiple Products Improper Access Control Vulnerability 2021-11-03 Trend Micro Apex One, OfficeScan, and Worry-Free Business Security on Microsoft Windows contain an improper access control vulnerability that may allow an attacker to manipulate a particular product folder to disable the security temporarily, abuse a specific Windows function, and attain privilege escalation. Apply updates per vendor instructions. 2022-05-03
CVE-2020-8599 Trend Micro Apex One and OfficeScan Trend Micro Apex One and OfficeScan Authentication Bypass Vulnerability 2021-11-03 Trend Micro Apex One and OfficeScan server contain a vulnerable EXE file that could allow a remote attacker to write data to a path on affected installations and bypass root login. Apply updates per vendor instructions. 2022-05-03
CVE-2021-36742 Trend Micro Apex One, Apex One as a Service, and Worry-Free Business Security Trend Micro Multiple Products Improper Input Validation Vulnerability 2021-11-03 Trend Micro Apex One, Apex One as a Service, and Worry-Free Business Security contain an improper input validation vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2021-11-17 https://success.trendmicro.com/dcx/s/solution/000287819?language=en_US, https://success.trendmicro.com/dcx/s/solution/000287820?language=en_US
CVE-2021-36741 Trend Micro Apex One, Apex One as a Service, and Worry-Free Business Security Trend Micro Multiple Products Improper Input Validation Vulnerability 2021-11-03 Trend Micro Apex One, Apex One as a Service, and Worry-Free Business Security contain an improper input validation vulnerability that allows a remote attacker to upload files. Apply updates per vendor instructions. 2021-11-17 https://success.trendmicro.com/dcx/s/solution/000287819?language=en_US, https://success.trendmicro.com/dcx/s/solution/000287820?language=en_US
CVE-2019-20085 TVT NVMS-1000 TVT NVMS-1000 Directory Traversal Vulnerability 2021-11-03 TVT devices utilizing NVMS-1000 software contain a directory traversal vulnerability via GET /.. requests. Apply updates per vendor instructions. 2022-05-03
CVE-2020-5849 Unraid Unraid Unraid Authentication Bypass Vulnerability 2021-11-03 Unraid contains an authentication bypass vulnerability that allows attackers to gain access to the administrative interface. This CVE is chainable with CVE-2020-5847 for remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2020-5847 Unraid Unraid Unraid Remote Code Execution Vulnerability 2021-11-03 Unraid contains a vulnerability due to the insecure use of the extract PHP function that can be abused to execute remote code as root. This CVE is chainable with CVE-2020-5849 for initial access. Apply updates per vendor instructions. 2022-05-03
CVE-2019-16759 vBulletin vBulletin vBulletin PHP Module Remote Code Execution Vulnerability 2021-11-03 The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. Apply updates per vendor instructions. 2022-05-03
CVE-2020-17496 vBulletin vBulletin vBulletin PHP Module Remote Code Execution Vulnerability 2021-11-03 The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. This CVE ID resolves an incomplete patch for CVE-2019-16759. Apply updates per vendor instructions. 2022-05-03
CVE-2019-5544 VMware VMware ESXi and Horizon DaaS VMware ESXi and Horizon DaaS OpenSLP Heap-Based Buffer Overflow Vulnerability 2021-11-03 VMware ESXi and Horizon Desktop as a Service (DaaS) OpenSLP contains a heap-based buffer overflow vulnerability that allows an attacker with network access to port 427 to overwrite the heap of the OpenSLP service to perform remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2020-3992 VMware ESXi VMware ESXi OpenSLP Use-After-Free Vulnerability 2021-11-03 VMware ESXi OpenSLP contains a use-after-free vulnerability that allows an attacker residing in the management network with access to port 427 to perform remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2020-3950 VMware Multiple Products VMware Multiple Products Privilege Escalation Vulnerability 2021-11-03 VMware Fusion, Remote Console (VMRC) for Mac, and Horizon Client for Mac contain a privilege escalation vulnerability due to improper use of setuid binaries that allows attackers to escalate privileges to root. Apply updates per vendor instructions. 2022-05-03
CVE-2021-22005 VMware vCenter Server VMware vCenter Server File Upload Vulnerability 2021-11-03 VMware vCenter Server contains a file upload vulnerability in the Analytics service that allows a user with network access to port 443 to execute code. Apply updates per vendor instructions. 2021-11-17
CVE-2020-3952 VMware vCenter Server VMware vCenter Server Information Disclosure Vulnerability 2021-11-03 VMware vCenter Server contains an information disclosure vulnerability in the VMware Directory Service (vmdir) when the Platform Services Controller (PSC) does not correctly implement access controls. Successful exploitation allows an attacker with network access to port 389 to extract sensitive information. Apply updates per vendor instructions. 2022-05-03
CVE-2021-21972 VMware vCenter Server VMware vCenter Server Remote Code Execution Vulnerability 2021-11-03 VMware vCenter Server vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin which allows an attacker with network access to port 443 to execute commands with unrestricted privileges on the underlying operating system. Apply updates per vendor instructions. 2021-11-17
CVE-2021-21985 VMware vCenter Server VMware vCenter Server Improper Input Validation Vulnerability 2021-11-03 VMware vSphere Client contains an improper input validation vulnerability in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server, which allows for remote code execution. Apply updates per vendor instructions. 2021-11-17
CVE-2020-4006 VMware Multiple Products Multiple VMware Products Command Injection Vulnerability 2021-11-03 VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector contain a command injection vulnerability. An attacker with network access to the administrative configurator on port 8443 and a valid password for the configurator administrator account can execute commands with unrestricted privileges on the underlying operating system. Apply updates per vendor instructions. 2022-05-03
CVE-2020-25213 WordPress File Manager Plugin WordPress File Manager Plugin Remote Code Execution Vulnerability 2021-11-03 WordPress File Manager plugin contains a remote code execution vulnerability that allows unauthenticated users to execute PHP code and upload malicious files on a target site. Apply updates per vendor instructions. 2022-05-03
CVE-2020-11738 WordPress Snap Creek Duplicator Plugin WordPress Snap Creek Duplicator Plugin File Download Vulnerability 2021-11-03 WordPress Snap Creek Duplicator plugin contains a file download vulnerability when an administrator creates a new copy of their site that allows an attacker to download the generated files from their Wordpress dashboard. This vulnerability affects Duplicator and Dulplicator Pro. Apply updates per vendor instructions. 2022-05-03
CVE-2019-9978 WordPress Social Warfare Plugin WordPress Social Warfare Plugin Cross-Site Scripting (XSS) Vulnerability 2021-11-03 WordPress Social Warfare plugin contains a cross-site scripting (XSS) vulnerability that allows for remote code execution. This vulnerability affects Social Warfare and Social Warfare Pro. Apply updates per vendor instructions. 2022-05-03
CVE-2021-27561 Yealink Device Management Yealink Device Management Server-Side Request Forgery (SSRF) Vulnerability 2021-11-03 Yealink Device Management contains a server-side request forgery (SSRF) vulnerability that allows for unauthenticated remote code execution. Apply updates per vendor instructions. 2021-11-17
CVE-2021-40539 Zoho ManageEngine Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability 2021-11-03 Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution. Apply updates per vendor instructions. 2021-11-17
CVE-2020-10189 Zoho ManageEngine Zoho ManageEngine Desktop Central File Upload Vulnerability 2021-11-03 Zoho ManageEngine Desktop Central contains a file upload vulnerability that allows for unauthenticated remote code execution. Apply updates per vendor instructions. 2022-05-03
CVE-2019-8394 Zoho ManageEngine Zoho ManageEngine ServiceDesk Plus (SDP) File Upload Vulnerability 2021-11-03 Zoho ManageEngine ServiceDesk Plus (SDP) contains an unspecified vulnerability that allows remote users to upload files via login page customization. Apply updates per vendor instructions. 2022-05-03
CVE-2020-29583 Zyxel Multiple Products Zyxel Multiple Products Use of Hard-Coded Credentials Vulnerability 2021-11-03 Zyxel firewalls (ATP, USG, VM) and AP Controllers (NXC2500 and NXC5500) contain a use of hard-coded credentials vulnerability in an undocumented account ("zyfwp") with an unchangeable password. Apply updates per vendor instructions. 2022-05-03
CVE-2021-22204 Perl Exiftool ExifTool Remote Code Execution Vulnerability 2021-11-17 Improper neutralization of user data in the DjVu file format in Exiftool versions 7.44 and up allows arbitrary code execution when parsing the malicious image Apply updates per vendor instructions. 2021-12-01
CVE-2021-40449 Microsoft Windows Microsoft Windows Win32k Privilege Escalation Vulnerability 2021-11-17 Unspecified vulnerability allows for an authenticated user to escalate privileges. Apply updates per vendor instructions. 2021-12-01
CVE-2021-42321 Microsoft Exchange Microsoft Exchange Server Remote Code Execution Vulnerability 2021-11-17 An authenticated attacker could leverage improper validation in cmdlet arguments within Microsoft Exchange and perform remote code execution. Apply updates per vendor instructions. 2021-12-01
CVE-2021-42292 Microsoft Office Microsoft Excel Security Feature Bypass 2021-11-17 A security feature bypass vulnerability in Microsoft Excel would allow a local user to perform arbitrary code execution. Apply updates per vendor instructions. 2021-12-01
CVE-2020-11261 Qualcomm Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables Qualcomm Multiple Chipsets Improper Input Validation Vulnerability 2021-12-01 Memory corruption due to improper check to return error when user application requests memory allocation of a huge size in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables Apply updates per vendor instructions. 2022-06-01
CVE-2018-14847 MikroTik RouterOS MikroTik Router OS Directory Traversal Vulnerability 2021-12-01 MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface. Apply updates per vendor instructions. 2022-06-01
CVE-2021-37415 Zoho ManageEngine ServiceDesk Plus (SDP) Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability 2021-12-01 Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication Apply updates per vendor instructions. 2021-12-15
CVE-2021-40438 Apache Apache Apache HTTP Server-Side Request Forgery (SSRF) 2021-12-01 A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. Apply updates per vendor instructions. 2021-12-15
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability 2021-12-01 Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution Apply updates per vendor instructions. 2021-12-15
CVE-2021-44515 Zoho Desktop Central Zoho Desktop Central Authentication Bypass Vulnerability 2021-12-10 Zoho Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server. Apply updates per vendor instructions. 2021-12-24
CVE-2019-13272 Linux Kernel Linux Kernel Improper Privilege Management Vulnerability 2021-12-10 Kernel/ptrace.c in Linux kernel mishandles contains an improper privilege management vulnerability which allows local users to obtain root access. Apply updates per vendor instructions. 2022-06-10
CVE-2021-35394 Realtek Jungle Software Development Kit (SDK) Realtek Jungle SDK Remote Code Execution Vulnerability 2021-12-10 RealTek Jungle SDK contains multiple memory corruption vulnerabilities which can allow an attacker to perform remote code execution. Apply updates per vendor instructions. 2021-12-24
CVE-2019-7238 Sonatype Nexus Repository Manager Sonatype Nexus Repository Manager Incorrect Access Control Vulnerability 2021-12-10 Sonatype Nexus Repository Manager before 3.15.0 has an incorrect access control vulnerability. Exploitation allows for remote code execution. Apply updates per vendor instructions. 2022-06-10
CVE-2019-0193 Apache Solr Apache Solr DataImportHandler Code Injection Vulnerability 2021-12-10 The optional Apache Solr module DataImportHandler contains a code injection vulnerability. Apply updates per vendor instructions. 2022-06-10
CVE-2021-44168 Fortinet FortiOS Fortinet FortiOS Arbitrary File Download 2021-12-10 Fortinet FortiOS "execute restore src-vis" downloads code without integrity checking, allowing an attacker to arbitrarily download files. Apply updates per vendor instructions. 2021-12-24
CVE-2017-17562 Embedthis GoAhead Embedthis GoAhead Remote Code Execution Vulnerability 2021-12-10 Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. Apply updates per vendor instructions. 2022-06-10
CVE-2017-12149 Red Hat JBoss Application Server Red Hat JBoss Application Server Remote Code Execution Vulnerability 2021-12-10 The JBoss Application Server, shipped with Red Hat Enterprise Application Platform 5.2, allows an attacker to execute arbitrary code via crafted serialized data. Apply updates per vendor instructions. 2022-06-10
CVE-2010-1871 Red Hat JBoss Seam 2 Red Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability 2021-12-10 JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, allows attackers to perform remote code execution. This vulnerability can only be exploited when the Java Security Manager is not properly configured. Apply updates per vendor instructions. 2022-06-10
CVE-2020-17463 Fuel CMS Fuel CMS SQL Injection Vulnerability 2021-12-10 FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items. Apply updates per vendor instructions. 2022-06-10
CVE-2020-8816 Pi-hole AdminLTE Pi-Hole AdminLTE Remote Code Execution Vulnerability 2021-12-10 Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease. Apply updates per vendor instructions. 2022-06-10
CVE-2019-10758 MongoDB mongo-express MongoDB mongo-express Remote Code Execution Vulnerability 2021-12-10 mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. Apply updates per vendor instructions. 2022-06-10
CVE-2021-44228 Apache Log4j2 Apache Log4j2 Remote Code Execution Vulnerability 2021-12-10 Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution. For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available. 2021-12-24
CVE-2021-43890 Microsoft Windows Microsoft Windows AppX Installer Spoofing Vulnerability 2021-12-15 Microsoft Windows AppX Installer contains a spoofing vulnerability which has a high impacts to confidentiality, integrity, and availability. Apply updates per vendor instructions. 2021-12-29
CVE-2021-4102 Google Chromium V8 Engine Google Chromium V8 Use-After-Free Vulnerability 2021-12-15 Google Chromium V8 Engine contains a use-after-free vulnerability which can allow a remote attacker to execute arbitrary code on the target system. Apply updates per vendor instructions. 2021-12-29
CVE-2021-22017 VMware vCenter Server VMware vCenter Server Improper Access Control 2022-01-10 Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. Apply updates per vendor instructions. 2022-01-24
CVE-2021-36260 Hikvision Security cameras web server Hikvision Improper Input Validation 2022-01-10 A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation. Apply updates per vendor instructions. 2022-01-24
CVE-2020-6572 Google Chrome Google Chrome Prior to 81.0.4044.92 Use-After-Free Vulnerability 2022-01-10 Use-after-free vulnerability in Media in Google Chrome prior to 81.0.4044.92 allowed a Remote attacker to execute arbitrary code via a crafted HTML page. Apply updates per vendor instructions. 2022-07-10
CVE-2019-1458 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2022-01-10 A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k EoP. Apply updates per vendor instructions. 2022-07-10
CVE-2013-3900 Microsoft WinVerifyTrust function Microsoft WinVerifyTrust function Remote Code Execution 2022-01-10 A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for PE files. Apply updates per vendor instructions. 2022-07-10
CVE-2019-2725 Oracle WebLogic Server Oracle WebLogic Server, Injection 2022-01-10 Injection vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Apply updates per vendor instructions. 2022-07-10
CVE-2019-9670 Synacor Zimbra Collaboration (ZCS) Synacor Zimbra Collaboration (ZCS) Improper Restriction of XML External Entity Reference 2022-01-10 Improper Restriction of XML External Entity Reference vulnerability affecting Synacor Zimbra Collaboration (ZCS). Apply updates per vendor instructions. 2022-07-10
CVE-2018-13382 Fortinet FortiOS and FortiProxy Fortinet FortiOS and FortiProxy Improper Authorization 2022-01-10 An Improper Authorization vulnerability in Fortinet FortiOS and FortiProxy under SSL VPN web portal allows an unauthenticated attacker to modify the password. Apply updates per vendor instructions. 2022-07-10
CVE-2018-13383 Fortinet FortiOS and FortiProxy Fortinet FortiOS and FortiProxy Out-of-bounds Write 2022-01-10 A heap buffer overflow in Fortinet FortiOS and FortiProxy may cause the SSL VPN web service termination for logged in users. Apply updates per vendor instructions. 2022-07-10
CVE-2019-1579 Palo Alto Networks PAN-OS Palo Alto Networks PAN-OS Remote Code Execution Vulnerability 2022-01-10 Remote Code Execution in PAN-OS with GlobalProtect Portal or GlobalProtect Gateway Interface enabled. Apply updates per vendor instructions. 2022-07-10
CVE-2019-10149 Exim Mail Transfer Agent (MTA) Exim Mail Transfer Agent (MTA) Improper Input Validation 2022-01-10 Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution. Apply updates per vendor instructions. 2022-07-10
CVE-2015-7450 IBM WebSphere Application Server and Server Hypervisor Edition IBM WebSphere Application Server and Server Hypervisor Edition Code Injection. 2022-01-10 Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands Apply updates per vendor instructions. 2022-07-10
CVE-2017-1000486 Primetek Primefaces Application Primetek Primefaces Remote Code Execution Vulnerability 2022-01-10 Primetek Primefaces is vulnerable to a weak encryption flaw resulting in remote code execution Apply updates per vendor instructions. 2022-07-10
CVE-2019-7609 Elastic Kibana Kibana Arbitrary Code Execution 2022-01-10 Kibana contain an arbitrary code execution flaw in the Timelion visualizer. Apply updates per vendor instructions. 2022-07-10
CVE-2021-27860 FatPipe WARP, IPVPN, and MPVPN software FatPipe WARP, IPVPN, and MPVPN Configuration Upload exploit 2022-01-10 A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software allows a remote, unauthenticated attacker to upload a file to any location on the filesystem. Apply updates per vendor instructions. 2022-01-24
CVE-2021-32648 October CMS October CMS October CMS Improper Authentication 2022-01-18 In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. Apply updates per vendor instructions. 2022-02-01
CVE-2021-25296 Nagios Nagios XI Nagios XI OS Command Injection 2022-01-18 Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server. Apply updates per vendor instructions. 2022-02-01
CVE-2021-25297 Nagios Nagios XI Nagios XI OS Command Injection 2022-01-18 Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server. Apply updates per vendor instructions. 2022-02-01
CVE-2021-25298 Nagios Nagios XI Nagios XI OS Command Injection 2022-01-18 Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server. Apply updates per vendor instructions. 2022-02-01
CVE-2021-40870 Aviatrix Aviatrix Controller Aviatrix Controller Unrestricted Upload of File 2022-01-18 Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal. Apply updates per vendor instructions. 2022-02-01
CVE-2021-33766 Microsoft Exchange Server Microsoft Exchange Server Information Disclosure 2022-01-18 Microsoft Exchange Server contains an information disclosure vulnerability which can allow an unauthenticated attacker to steal email traffic from target. Apply updates per vendor instructions. 2022-02-01
CVE-2021-21975 VMware vRealize Operations Manager API VMware Server Side Request Forgery in vRealize Operations Manager API 2022-01-18 Server Side Request Forgery (SSRF) in vRealize Operations Manager API prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API to perform a SSRF attack to steal administrative credentials. Apply updates per vendor instructions. 2022-02-01
CVE-2021-21315 Npm package System Information Library for Node.JS System Information Library for Node.JS Command Injection 2022-01-18 In this vulnerability, an attacker can send a malicious payload that will exploit the name parameter. After successful exploitation, attackers can execute remote. Apply updates per vendor instructions. 2022-02-01
CVE-2021-22991 F5 BIG-IP Traffic Management Microkernel F5 BIG-IP Traffic Management Microkernel Buffer Overflow 2022-01-18 The Traffic Management Microkernel of BIG-IP ASM Risk Engine has a buffer overflow vulnerability, leading to a bypassing of URL-based access controls. Apply updates per vendor instructions. 2022-02-01
CVE-2020-14864 Oracle Intelligence Enterprise Edition Oracle Business Intelligence Enterprise Edition Path Transversal 2022-01-18 Path traversal vulnerability, where an attacker can target the preview FilePath parameter of the getPreviewImage function to get access to arbitrary system file. Apply updates per vendor instructions. 2022-07-18
CVE-2020-13671 Drupal Drupal core Drupal core Un-restricted Upload of File 2022-01-18 Improper sanitization in the extension file names is present in Drupal core. Apply updates per vendor instructions. 2022-07-18
CVE-2020-11978 Apache Airflow Apache Airflow Command Injection 2022-01-18 A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow. Apply updates per vendor instructions. 2022-07-18
CVE-2020-13927 Apache Airflow's Experimental API Apache Airflow's Experimental API Authentication Bypass 2022-01-18 The previous default setting for Airflow's Experimental API was to allow all API requests without authentication. Apply updates per vendor instructions. 2022-07-18
CVE-2006-1547 Apache Struts 1 Apache Struts 1 ActionForm Denial-of-Service Vulnerability 2022-01-21 ActionForm in Apache Struts versions before 1.2.9 with BeanUtils 1.7 contains a vulnerability which allows for denial-of-service. Apply updates per vendor instructions. 2022-07-21
CVE-2012-0391 Apache Struts 2 Apache Struts 2 Improper Input Validation Vulnerability 2022-01-21 The ExceptionDelegator component in Apache Struts 2 before 2.2.3.1 contains an improper input validation vulnerability which allows for remote code execution. Apply updates per vendor instructions. 2022-07-21
CVE-2018-8453 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2022-01-21 Microsoft Windows Win32k contains a vulnerability which allows an attacker to escalate privileges. Apply updates per vendor instructions. 2022-07-21
CVE-2021-35247 SolarWinds Serv-U SolarWinds Serv-U Improper Input Validation Vulnerability 2022-01-21 SolarWinds Serv-U versions 15.2.5 and earlier contain an improper input validation vulnerability which allows attackers to build and send queries without sanitization. Apply updates per vendor instructions. 2022-02-04
CVE-2022-22587 Apple iOS and macOS Apple Memory Corruption Vulnerability 2022-01-28 Apple IOMobileFrameBuffer contains a memory corruption vulnerability which can allow a malicious application to execute arbitrary code with kernel privileges. Apply updates per vendor instructions. 2022-02-11
CVE-2021-20038 SonicWall SMA 100 Appliances SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability 2022-01-28 SonicWall SMA 100 devies are vulnerable to an unauthenticated stack-based buffer overflow vulnerability where exploitation can result in code execution. Apply updates per vendor instructions. 2022-02-11
CVE-2020-5722 Grandstream UCM6200 Grandstream Networks UCM6200 Series SQL Injection Vulnerability 2022-01-28 Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. Exploitation can allow for code execution as root. Apply updates per vendor instructions. 2022-07-28
CVE-2020-0787 Microsoft Windows Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability 2022-01-28 Microsoft Windows BITS is vulnerable to to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this vulnerability to execute arbitrary code with system-level privileges. Apply updates per vendor instructions. 2022-07-28
CVE-2017-5689 Intel Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability Intel Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability Privilege Escalation Vulnerability 2022-01-28 Intel products contain a vulnerability which can allow attackers to perform privilege escalation. Apply updates per vendor instructions. 2022-07-28
CVE-2014-1776 Microsoft Internet Explorer Microsoft Internet Explorer Memory Corruption Vulnerability 2022-01-28 Microsoft Internet Explorer contains a memory corruption vulnerability that allows remote attackers to execute code in the context of the current user. Apply updates per vendor instructions. 2022-07-28 https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-021?redirectedfrom=MSDN
CVE-2014-6271 GNU Bourne-Again Shell (Bash) GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability 2022-01-28 GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute code. Apply updates per vendor instructions. 2022-07-28
CVE-2014-7169 GNU Bourne-Again Shell (Bash) GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability 2022-01-28 GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute code. This CVE correctly remediates the vulnerability in CVE-2014-6271. Apply updates per vendor instructions. 2022-07-28
CVE-2022-21882 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2022-02-04 Microsoft Win32k contains an unspecified vulnerability which allows for privilege escalation. Apply updates per vendor instructions. 2022-02-18
CVE-2021-36934 Microsoft Windows Microsoft Windows SAM Local Privilege Escalation Vulnerability 2022-02-10 If a Volume Shadow Copy (VSS) shadow copy of the system drive is available, users can read the SAM file which would allow any user to escalate privileges to SYSTEM level. Apply updates per vendor instructions. 2022-02-24
CVE-2020-0796 Microsoft SMBv3 Microsoft SMBv3 Remote Code Execution Vulnerability 2022-02-10 A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. Apply updates per vendor instructions. 2022-08-10
CVE-2018-1000861 Jenkins Jenkins Stapler Web Framework Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability 2022-02-10 A code execution vulnerability exists in the Stapler web framework used by Jenkins Apply updates per vendor instructions. 2022-08-10
CVE-2017-9791 Apache Struts 1 Apache Struts 1 Improper Input Validation Vulnerability 2022-02-10 The Struts 1 plugin in Apache Struts might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. Apply updates per vendor instructions. 2022-08-10
CVE-2017-8464 Microsoft Windows Microsoft Windows Shell (.lnk) Remote Code Execution Vulnerability 2022-02-10 Windows Shell in multiple versions of Microsoft Windows allows local users or remote attackers to execute arbitrary code via a crafted .LNK file Apply updates per vendor instructions. 2022-08-10
CVE-2017-10271 Oracle WebLogic Server Oracle Corporation WebLogic Server Remote Code Execution Vulnerability 2022-02-10 Oracle Corporation WebLogic Server contains a vulnerability that allows for remote code execution. Apply updates per vendor instructions. 2022-08-10
CVE-2017-0263 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2022-02-10 Microsoft Win32k contains a privilege escalation vulnerability due to the Windows kernel-mode driver failing to properly handle objects in memory. Apply updates per vendor instructions. 2022-08-10
CVE-2017-0262 Microsoft Office Microsoft Office Remote Code Execution Vulnerability 2022-02-10 A remote code execution vulnerability exists in Microsoft Office. Apply updates per vendor instructions. 2022-08-10
CVE-2017-0145 Microsoft SMBv1 Microsoft SMBv1 Remote Code Execution Vulnerability 2022-02-10 The SMBv1 server in multiple Microsoft Windows versions allows remote attackers to execute arbitrary code via crafted packets. Apply updates per vendor instructions. 2022-08-10
CVE-2017-0144 Microsoft SMBv1 Microsoft SMBv1 Remote Code Execution Vulnerability 2022-02-10 The SMBv1 server in multiple Microsoft Windows versions allows remote attackers to execute arbitrary code via crafted packets. Apply updates per vendor instructions. 2022-08-10
CVE-2016-3088 Apache ActiveMQ Apache ActiveMQ Improper Input Validation Vulnerability 2022-02-10 The Fileserver web application in Apache ActiveMQ allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request Apply updates per vendor instructions. 2022-08-10
CVE-2015-2051 D-Link DIR-645 Router D-Link DIR-645 Router Remote Code Execution Vulnerability 2022-02-10 D-Link DIR-645 Wired/Wireless Router allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface. The impacted product is end-of-life and should be disconnected if still in use. 2022-08-10
CVE-2015-1635 Microsoft HTTP.sys Microsoft HTTP.sys Remote Code Execution Vulnerability 2022-02-10 Microsoft HTTP protocol stack (HTTP.sys) contains a vulnerability which allows for remote code execution. Apply updates per vendor instructions. 2022-08-10
CVE-2015-1130 Apple OS X Apple OS X Authentication Bypass Vulnerability 2022-02-10 The XPC implementation in Admin Framework in Apple OS X before 10.10.3 allows local users to bypass authentication and obtain admin privileges. Apply updates per vendor instructions. 2022-08-10
CVE-2014-4404 Apple OS X Apple OS X Heap-Based Buffer Overflow Vulnerability 2022-02-10 Heap-based buffer overflow in IOHIDFamily in Apple OS X, which affects, iOS before 8 and Apple TV before 7, allows attackers to execute arbitrary code in a privileged context. Apply updates per vendor instructions. 2022-08-10
CVE-2022-22620 Apple Webkit Apple Webkit Remote Code Execution Vulnerability 2022-02-11 Apple Webkit, which impacts iOS, iPadOS, and macOS, contains a vulnerability which allows for remote code execution. Apply updates per vendor instructions. 2022-02-25
CVE-2022-24086 Adobe Commerce and Magento Open Source Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability 2022-02-15 Adobe Commerce and Magento Open Source contain an improper input validation vulnerability which can allow for arbitrary code execution. Apply updates per vendor instructions. 2022-03-01
CVE-2022-0609 Google Chrome Google Chrome Use-After-Free Vulnerability 2022-02-15 The vulnerability exists due to a use-after-free error within the Animation component in Google Chrome. Apply updates per vendor instructions. 2022-03-01
CVE-2019-0752 Microsoft Internet Explorer Microsoft Internet Explorer Type Confusion Vulnerability 2022-02-15 A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer Apply updates per vendor instructions. 2022-08-15
CVE-2018-8174 Microsoft Windows Microsoft Windows VBScript Engine Out-of-Bounds Write Vulnerability 2022-02-15 A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution" Apply updates per vendor instructions. 2022-08-15
CVE-2018-20250 RARLAB WinRAR WinRAR Absolute Path Traversal Vulnerability 2022-02-15 WinRAR Absolute Path Traversal vulnerability leads to Remote Code Execution Apply updates per vendor instructions. 2022-08-15
CVE-2018-15982 Adobe Flash Player Adobe Flash Player Use-After-Free Vulnerability 2022-02-15 Adobe Flash Player com.adobe.tvsdk.mediacore.metadata Use After Free Vulnerability The impacted product is end-of-life and should be disconnected if still in use. 2022-08-15
CVE-2017-9841 PHPUnit PHPUnit PHPUnit Command Injection Vulnerability 2022-02-15 PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI. Apply updates per vendor instructions. 2022-08-15
CVE-2014-1761 Microsoft Word Microsoft Word Memory Corruption Vulnerability 2022-02-15 Microsoft Word contains a memory corruption vulnerability which when exploited could allow for remote code execution. Apply updates per vendor instructions. 2022-08-15
CVE-2013-3906 Microsoft Graphics Component Microsoft Graphics Component Memory Corruption Vulnerability 2022-02-15 Microsoft Graphics Component contains a memory corruption vulnerability which can allow for remote code execution. Apply updates per vendor instructions. 2022-08-15
CVE-2022-23131 Zabbix Frontend Zabbix Frontend Authentication Bypass Vulnerability 2022-02-22 Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML. Apply updates per vendor instructions. 2022-03-08
CVE-2022-23134 Zabbix Frontend Zabbix Frontend Improper Access Control Vulnerability 2022-02-22 Malicious actors can pass step checks and potentially change the configuration of Zabbix Frontend. Apply updates per vendor instructions. 2022-03-08
CVE-2022-24682 Zimbra Webmail Zimbra Webmail Cross-Site Scripting Vulnerability 2022-02-25 Zimbra webmail clients running versions 8.8.15 P29 & P30 contain a XSS vulnerability that would allow attackers to steal session cookie files. Apply updates per vendor instructions. 2022-03-11
CVE-2017-8570 Microsoft Office Microsoft Office Remote Code Execution Vulnerability 2022-02-25 A remote code execution vulnerability exists in Microsoft Office software when it fails to properly handle objects in memory. Apply updates per vendor instructions. 2022-08-25
CVE-2017-0222 Microsoft Internet Explorer Microsoft Internet Explorer Remote Code Execution Vulnerability 2022-02-25 A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. Apply updates per vendor instructions. 2022-08-25
CVE-2014-6352 Microsoft Windows Microsoft Windows Code Injection Vulnerability 2022-02-25 Microsoft Windows allow remote attackers to execute arbitrary code via a crafted OLE object. Apply updates per vendor instructions. 2022-08-25
CVE-2022-20708 Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability 2022-03-03 A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service (DoS). Apply updates per vendor instructions. 2022-03-17
CVE-2022-20703 Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability 2022-03-03 A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service (DoS). Apply updates per vendor instructions. 2022-03-17
CVE-2022-20701 Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability 2022-03-03 A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service (DoS). Apply updates per vendor instructions. 2022-03-17
CVE-2022-20700 Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability 2022-03-03 A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service (DoS). Apply updates per vendor instructions. 2022-03-17
CVE-2022-20699 Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability 2022-03-03 A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service (DoS). Apply updates per vendor instructions. 2022-03-17
CVE-2021-41379 Microsoft Windows Microsoft Windows Installer Privilege Escalation Vulnerability 2022-03-03 Microsoft Windows Installer contains an unspecified vulnerability which allows for privilege escalation. Apply updates per vendor instructions. 2022-03-17
CVE-2020-1938 Apache Tomcat Apache Tomcat Improper Privilege Management Vulnerability 2022-03-03 Apache Tomcat treats Apache JServ Protocol (AJP) connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited. Apply updates per vendor instructions. 2022-03-17
CVE-2020-11899 Treck TCP/IP stack IPv6 Treck TCP/IP stack Out-of-Bounds Read Vulnerability 2022-03-03 The Treck TCP/IP stack contains an IPv6 out-of-bounds read vulnerability. Apply updates per vendor instructions. 2022-03-17
CVE-2019-16928 Exim Exim Internet Mailer Exim Out-of-bounds Write Vulnerability 2022-03-03 Exim contains an out-of-bounds write vulnerability which can allow for remote code execution. Apply updates per vendor instructions. 2022-03-17
CVE-2019-1652 Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers Cisco Small Business Routers Improper Input Validation Vulnerability 2022-03-03 A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. Apply updates per vendor instructions. 2022-03-17
CVE-2019-1297 Microsoft Excel Microsoft Excel Remote Code Execution Vulnerability 2022-03-03 A remote code execution vulnerability exists in Microsoft Excel when the software fails to properly handle objects in memory. Apply updates per vendor instructions. 2022-03-17
CVE-2018-8581 Microsoft Exchange Server Microsoft Exchange Server Privilege Escalation Vulnerability 2022-03-03 A privilege escalation vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could attempt to impersonate any other user of the Exchange server. Apply updates per vendor instructions. 2022-03-17
CVE-2018-8298 ChakraCore ChakraCore scripting engine ChakraCore Scripting Engine Type Confusion Vulnerability 2022-03-03 The ChakraCore scripting engine contains a type confusion vulnerability which can allow for remote code execution. Apply updates per vendor instructions. 2022-03-17
CVE-2018-0180 Cisco IOS Software Cisco IOS Software Denial-of-Service Vulnerability 2022-03-03 A vulnerability in the Login Enhancements (Login Block) feature of Cisco IOS Software could allow an unauthenticated, remote attacker to trigger a reload of an affected system, resulting in a denial of service (DoS) condition. Apply updates per vendor instructions. 2022-03-17
CVE-2018-0179 Cisco IOS Software Cisco IOS Software Denial-of-Service Vulnerability 2022-03-03 A vulnerability in the Login Enhancements (Login Block) feature of Cisco IOS Software could allow an unauthenticated, remote attacker to trigger a reload of an affected system, resulting in a denial of service (DoS) condition. Apply updates per vendor instructions. 2022-03-17
CVE-2018-0175 Cisco IOS, XR, and XE Software Cisco IOS, XR, and XE Software Buffer Overflow Vulnerability 2022-03-03 Format string vulnerability in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges on an affected device. Apply updates per vendor instructions. 2022-03-17
CVE-2018-0174 Cisco IOS XE Software Cisco IOS Software and Cisco IOS XE Software Improper Input Validation Vulnerability 2022-03-03 A vulnerability in the DHCP option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software could allow for denial-of-service. Apply updates per vendor instructions. 2022-03-17
CVE-2018-0173 Cisco IOS and IOS XE Software Cisco IOS and IOS XE Software Improper Input Validation Vulnerability 2022-03-03 A vulnerability in the Cisco IOS Software and Cisco IOS XE Software function that restores encapsulated option 82 information in DHCP Version 4 (DHCPv4) packets can allow for denial-of-service. Apply updates per vendor instructions. 2022-03-17
CVE-2018-0172 Cisco IOS and IOS XE Software Cisco IOS and IOS XE Software Improper Input Validation Vulnerability 2022-03-03 A vulnerability in the DHCP option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software could allow for denial-of-service. Apply updates per vendor instructions. 2022-03-17
CVE-2018-0167 Cisco IOS, XR, and XE Software Cisco IOS, XR, and XE Software Buffer Overflow Vulnerability 2022-03-03 There is a buffer overflow vulnerability in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software which could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition or execute arbitrary code. Apply updates per vendor instructions. 2022-03-17
CVE-2018-0161 Cisco IOS Software Cisco IOS Software Resource Management Errors Vulnerability 2022-03-03 A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software running on certain models of Cisco Catalyst Switches could allow an authenticated, remote attacker to cause a denial-of-service (DoS) condition. Apply updates per vendor instructions. 2022-03-17
CVE-2018-0159 CIsco IOS Software and Cisco IOS XE Software Cisco IOS and XE Software Internet Key Exchange Version 1 Denial-of-Service Vulnerability 2022-03-03 A vulnerability in the implementation of Internet Key Exchange Version 1 (IKEv1) functionality in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial-of-service (DoS) condition. Apply updates per vendor instructions. 2022-03-17
CVE-2018-0158 Cisco IOS Software and Cisco IOS XE Software Cisco IOS and XE Software Internet Key Exchange Memory Leak Vulnerability 2022-03-03 A vulnerability in the implementation of Internet Key Exchange Version 1 (IKEv1) functionality in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial-of-service (DoS) condition. Apply updates per vendor instructions. 2022-03-17
CVE-2018-0156 Cisco IOS Software and Cisco IOS XE Software Cisco IOS Software and Cisco IOS XE Software Smart Install Denial-of-Service Vulnerability 2022-03-03 A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial-of-service (DoS) condition. Apply updates per vendor instructions. 2022-03-17
CVE-2018-0155 Cisco Catalyst 4500 Series Switches and Cisco Catalyst 4500-X Series Switches Cisco Catalyst Bidirectional Forwarding Detection Denial-of-Service Vulnerability 2022-03-03 A vulnerability in the Bidirectional Forwarding Detection (BFD) offload implementation of Cisco Catalyst 4500 Series Switches and Cisco Catalyst 4500-X Series Switches could allow an unauthenticated, remote attacker to cause a crash of the iosd process, causing a denial-of-service (DoS) condition. Apply updates per vendor instructions. 2022-03-17
CVE-2018-0154 Cisco IOS Software Cisco IOS Software Integrated Services Module for VPN Denial-of-Service Vulnerability 2022-03-03 A vulnerability in the crypto engine of the Cisco Integrated Services Module for VPN (ISM-VPN) running Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial-of-service (DoS) condition. Apply updates per vendor instructions. 2022-03-17
CVE-2018-0151 Cisco IOS and IOS XE Software Cisco IOS Software and Cisco IOS XE Software Quality of Service Remote Code Execution Vulnerability 2022-03-03 A vulnerability in the quality of service (QoS) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges. Apply updates per vendor instructions. 2022-03-17
CVE-2017-8540 Microsoft Malware Protection Engine Microsoft Malware Protection Engine Improper Restriction of Operations Vulnerability 2022-03-03 The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016, Microsoft Exchange Server 2013 and 2016, does not properly scan a specially crafted file leading to memory corruption. aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability". Apply updates per vendor instructions. 2022-03-24
CVE-2017-6744 Cisco IOS software Cisco IOS Software SNMP Remote Code Execution Vulnerability 2022-03-03 The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 contains a vulnerability that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Apply updates per vendor instructions. 2022-03-24
CVE-2017-6743 Cisco IOS and IOS XE Software Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability 2022-03-03 The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE contains a vulnerability that could allow an authenticated, remote attacker to remotely execute code. Apply updates per vendor instructions. 2022-03-24
CVE-2017-6740 Cisco IOS and IOS XE Software Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability 2022-03-03 The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE contains a vulnerability that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. Apply updates per vendor instructions. 2022-03-24
CVE-2017-6739 Cisco IOS and IOS XE Software Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability 2022-03-03 The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE contains a vulnerability that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. Apply updates per vendor instructions. 2022-03-24
CVE-2017-6738 Cisco IOS and IOS XE Software Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability 2022-03-03 The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE contains a vulnerability that could allow an authenticated, remote attacker to remotely execute code. Apply updates per vendor instructions. 2022-03-24
CVE-2017-6737 Cisco IOS and IOS XE Software Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability 2022-03-03 The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE contains a vulnerability that could allow an authenticated, remote attacker to remotely execute code. Apply updates per vendor instructions. 2022-03-24
CVE-2017-6736 Cisco IOS and IOS XE Software Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability 2022-03-03 The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE contains a vulnerability that could allow an authenticated, remote attacker to remotely execute code. Apply updates per vendor instructions. 2022-03-24
CVE-2017-6663 Cisco IOS and IOS XE Software Cisco IOS Software and Cisco IOS XE Software Denial-of-Service Vulnerability 2022-03-03 A vulnerability in the Autonomic Networking feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause autonomic nodes of an affected system to reload, resulting in denial-of-service (DoS). Apply updates per vendor instructions. 2022-03-24
CVE-2017-6627 Cisco IOS and IOS XE Software Cisco IOS Software and Cisco IOS XE Software UDP Packet Processing Denial-of-Service Vulnerability 2022-03-03 A vulnerability in the UDP processing code of Cisco IOS and IOS XE could allow an unauthenticated, remote attacker to cause the input queue of an affected system to hold UDP packets, causing an interface queue wedge and denial of service. Apply updates per vendor instructions. 2022-03-24
CVE-2017-12319 Cisco IOS XE Software Cisco IOS XE Software Ethernet Virtual Private Network Border Gateway Protocol Denial-of-Service Vulnerability 2022-03-03 A vulnerability in the Border Gateway Protocol (BGP) over an Ethernet Virtual Private Network (EVPN) for Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload, resulting in a denial of service (DoS) condition, or potentially corrupt the BGP routing table, which could result in network instability. Apply updates per vendor instructions. 2022-03-24
CVE-2017-12240 Cisco IOS and IOS XE Software Cisco IOS and IOS XE Software DHCP Remote Code Execution Vulnerability 2022-03-03 The Dynamic Host Configuration Protocol (DHCP) relay subsystem of Cisco IOS and Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code and gain full control of an affected system. Apply updates per vendor instructions. 2022-03-24
CVE-2017-12238 Cisco Catalyst 6800 Series Switches Cisco Catalyst 6800 Series Switches VPLS Denial-of-Service Vulnerability 2022-03-03 A vulnerability in the Virtual Private LAN Service (VPLS) code of Cisco IOS for Cisco Catalyst 6800 Series Switches could allow an unauthenticated, adjacent attacker to cause a denial of service. Apply updates per vendor instructions. 2022-03-24
CVE-2017-12237 Cisco IOS and IOS XE Software Cisco IOS and IOS XE Software Internet Key Exchange Denial-of-Service Vulnerability 2022-03-03 A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS and Cisco IOS XE could allow an unauthenticated, remote attacker to cause high CPU utilization, traceback messages, or a reload of an affected device that leads to a denial of service. Apply updates per vendor instructions. 2022-03-24
CVE-2017-12235 Cisco IOS software Cisco IOS Software for Cisco Industrial Ethernet Switches PROFINET Denial-of-Service Vulnerability 2022-03-03 A vulnerability in the implementation of the PROFINET Discovery and Configuration Protocol (PN-DCP) for Cisco IOS could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service. Apply updates per vendor instructions. 2022-03-24
CVE-2017-12234 Cisco IOS software Cisco IOS Software Common Industrial Protocol Request Denial-of-Service Vulnerability 2022-03-03 There is a vulnerability in the implementation of the Common Industrial Protocol (CIP) feature in Cisco IOS could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service. Apply updates per vendor instructions. 2022-03-24
CVE-2017-12233 Cisco IOS software Cisco IOS Software Common Industrial Protocol Request Denial-of-Service Vulnerability 2022-03-03 There is a vulnerability in the implementation of the Common Industrial Protocol (CIP) feature in Cisco IOS could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service. Apply updates per vendor instructions. 2022-03-24
CVE-2017-12232 Cisco IOS software Cisco IOS Software for Cisco Integrated Services Routers Denial-of-Service Vulnerability 2022-03-03 A vulnerability in the implementation of a protocol in Cisco Integrated Services Routers Generation 2 (ISR G2) Routers running Cisco IOS could allow an unauthenticated, adjacent attacker to cause an affected device to reload, resulting in a denial of service. Apply updates per vendor instructions. 2022-03-24
CVE-2017-12231 Cisco IOS software Cisco IOS Software Network Address Translation Denial-of-Service Vulnerability 2022-03-03 A vulnerability in the implementation of Network Address Translation (NAT) functionality in Cisco IOS could allow an unauthenticated, remote attacker to cause a denial of service. Apply updates per vendor instructions. 2022-03-24
CVE-2017-11826 Microsoft Office Microsoft Office Remote Code Execution Vulnerability 2022-03-03 A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Apply updates per vendor instructions. 2022-03-24
CVE-2017-11292 Adobe Flash Player Adobe Flash Player Type Confusion Vulnerability 2022-03-03 Adobe Flash Player contains a type confusion vulnerability which can allow for remote code execution. The impacted product is end-of-life and should be disconnected if still in use. 2022-03-24
CVE-2017-0261 Microsoft Office Microsoft Office Use-After-Free Vulnerability 2022-03-03 Microsoft Office contains a use-after-free vulnerability which can allow for remote code execution. Apply updates per vendor instructions. 2022-03-24
CVE-2017-0001 Microsoft Graphics Device Interface (GDI) Microsoft Graphics Device Interface (GDI) Privilege Escalation Vulnerability 2022-03-03 The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges Apply updates per vendor instructions. 2022-03-24
CVE-2016-8562 Siemens SIMATIC CP Siemens SIMATIC CP 1543-1 Improper Privilege Management Vulnerability 2022-03-03 An improper privilege management vulnerability exists within the Siemens SIMATIC Communication Processor (CP) that allows a privileged attacker to remotely cause a denial of service. Apply updates per vendor instructions. 2022-03-24
CVE-2016-7855 Adobe Flash Player Adobe Flash Player Use-After-Free Vulnerability 2022-03-03 Use-after-free vulnerability in Adobe Flash Player Windows and OS and Linux allows remote attackers to execute arbitrary code. The impacted product is end-of-life and should be disconnected if still in use. 2022-03-24
CVE-2016-7262 Microsoft Excel Microsoft Office Security Feature Bypass Vulnerability 2022-03-03 A security feature bypass vulnerability exists when Microsoft Office improperly handles input. An attacker who successfully exploited the vulnerability could execute arbitrary commands. Apply updates per vendor instructions. 2022-03-24
CVE-2016-7193 Microsoft Office Microsoft Office Memory Corruption Vulnerability 2022-03-03 Microsoft Office contains a memory corruption vulnerability which can allow for remote code execution. Apply updates per vendor instructions. 2022-03-24
CVE-2016-5195 Linux Kernel Linux Kernel Race Condition Vulnerability 2022-03-03 Race condition in mm/gup.c in the Linux kernel allows local users to escalate privileges. Apply updates per vendor instructions. 2022-03-24
CVE-2016-4117 Adobe Flash Player Adobe Flash Player Arbitrary Code Execution Vulnerability 2022-03-03 An access of resource using incompatible type vulnerability exists within Adobe Flash Player that allows an attacker to perform remote code execution. The impacted product is end-of-life and should be disconnected if still in use. 2022-03-24
CVE-2016-1019 Adobe Flash Player Adobe Flash Player Arbitrary Code Execution Vulnerability 2022-03-03 Adobe Flash Player allows remote attackers to cause a denial of service or possibly execute arbitrary code. The impacted product is end-of-life and should be disconnected if still in use. 2022-03-24
CVE-2016-0099 Microsoft Windows Microsoft Windows Secondary Logon Service Privilege Escalation Vulnerability 2022-03-03 A privilege escalation vulnerability exists in Microsoft Windows if the Windows Secondary Logon Service fails to properly manage request handles in memory. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator. Apply updates per vendor instructions. 2022-03-24
CVE-2015-7645 Adobe Flash Player Adobe Flash Player Arbitrary Code Execution Vulnerability 2022-03-03 Adobe Flash Player allows remote attackers to execute arbitrary code via a crafted SWF file. The impacted product is end-of-life and should be disconnected if still in use. 2022-03-24
CVE-2015-5119 Adobe Flash Player Adobe Flash Player Use-After-Free Vulnerability 2022-03-03 A use-after-free vulnerability exists within the ActionScript 3 ByteArray class in Adobe Flash Player that allows an attacker to perform remote code execution. The impacted product is end-of-life and should be disconnected if still in use. 2022-03-24
CVE-2015-4902 Oracle Java SE Oracle Java SE Integrity Check Vulnerability 2022-03-03 Unspecified vulnerability in Oracle Java SE allows remote attackers to affect integrity via unknown vectors related to deployment. Apply updates per vendor instructions. 2022-03-24
CVE-2015-3043 Adobe Flash Player Adobe Flash Player Memory Corruption Vulnerability 2022-03-03 A memory corruption vulnerability exists in Adobe Flash Player that allows an attacker to perform remote code execution. The impacted product is end-of-life and should be disconnected if still in use. 2022-03-24
CVE-2015-2590 Oracle Java SE Oracle Java SE and Java SE Embedded Remote Code Execution Vulnerability 2022-03-03 An unspecified vulnerability exists within Oracle Java Runtime Environment that allows an attacker to perform remote code execution. Apply updates per vendor instructions. 2022-03-24
CVE-2015-2545 Microsoft Office Microsoft Office Malformed EPS File Vulnerability 2022-03-03 Microsoft Office allows remote attackers to execute arbitrary code via a crafted EPS image. Apply updates per vendor instructions. 2022-03-24
CVE-2015-2424 Microsoft PowerPoint Microsoft PowerPoint Memory Corruption Vulnerability 2022-03-03 Microsoft PowerPoint allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document. Apply updates per vendor instructions. 2022-03-24
CVE-2015-2387 Microsoft ATM Font Driver Microsoft ATM Font Driver Privilege Escalation Vulnerability 2022-03-03 ATMFD.DLL in the Adobe Type Manager Font Driver in Microsoft Windows Server allows local users to gain privileges via a crafted application. Apply updates per vendor instructions. 2022-03-24
CVE-2015-1701 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2022-03-03 An unspecified vulnerability exists in the Win32k.sys kernel-mode driver in Microsoft Windows Server that allows a local attacker to execute arbitrary code with elevated privileges. Apply updates per vendor instructions. 2022-03-24
CVE-2015-1642 Microsoft Office Microsoft Office Memory Corruption Vulnerability 2022-03-03 Microsoft Office contains a memory corruption vulnerability which allows remote attackers to execute arbitrary code via a crafted document. Apply updates per vendor instructions. 2022-03-24
CVE-2014-4114 Microsoft Windows Microsoft Windows Object Linking & Embedding (OLE) Remote Code Execution Vulnerability 2022-03-03 A vulnerability exists in Windows Object Linking & Embedding (OLE) that could allow remote code execution if a user opens a file that contains a specially crafted OLE object. Apply updates per vendor instructions. 2022-03-24
CVE-2014-0496 Adobe Reader and Acrobat Adobe Reader and Acrobat Use-After-Free Vulnerability 2022-03-03 Adobe Reader and Acrobat contain a use-after-free vulnerability which can allow for code execution. Apply updates per vendor instructions. 2022-03-24
CVE-2013-5065 Microsoft Windows Microsoft Windows Kernel Privilege Escalation Vulnerability 2022-03-03 Microsoft Windows NDProxy.sys in the kernel contains an improper input validation vulnerability which can allow a local attacker to escalate privileges. Apply updates per vendor instructions. 2022-03-24
CVE-2013-3897 Microsoft Internet Explorer Microsoft Internet Explorer Use-After-Free Vulnerability 2022-03-03 A use-after-free vulnerability exists within CDisplayPointer in Microsoft Internet Explorer that allows an attacker to remotely execute arbitrary code. Apply updates per vendor instructions. 2022-03-24
CVE-2013-3346 Adobe Reader and Acrobat Adobe Reader and Acrobat Memory Corruption Vulnerability 2022-03-03 Adobe Reader and Acrobat contain a memory corruption vulnerability which can allow attackers to execute arbitrary code or cause a denial of service. Apply updates per vendor instructions. 2022-03-24
CVE-2013-1675 Mozilla Firefox Mozilla Firefox Information Disclosure Vulnerability 2022-03-03 Mozilla Firefox does not properly initialize data structures for the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions, which allows remote attackers to obtain sensitive information from process memory via a crafted web site. Apply updates per vendor instructions. 2022-03-24
CVE-2013-1347 Microsoft Internet Explorer Microsoft Internet Explorer Remote Code Execution Vulnerability 2022-03-03 This vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. Apply updates per vendor instructions. 2022-03-24
CVE-2013-0641 Adobe Reader Adobe Reader Buffer Overflow Vulnerability 2022-03-03 A buffer overflow vulnerability exists in Adobe Reader which allows an attacker to perform remote code execution. Apply updates per vendor instructions. 2022-03-24
CVE-2013-0640 Adobe Reader and Acrobat Adobe Reader and Acrobat Memory Corruption Vulnerability 2022-03-03 An memory corruption vulnerability exists in the acroform.dll in Adobe Reader that allows an attacker to perform remote code execution. Apply updates per vendor instructions. 2022-03-24
CVE-2013-0632 Adobe ColdFusion Adobe ColdFusion Authentication Bypass Vulnerability 2022-03-03 An authentication bypass vulnerability exists in Adobe ColdFusion which could result in an unauthorized user gaining administrative access. Apply updates per vendor instructions. 2022-03-24
CVE-2012-4681 Oracle Java SE Oracle Java SE Runtime Environment (JRE) Arbitrary Code Execution Vulnerability 2022-03-03 The Java Runtime Environment (JRE) component in Oracle Java SE allow for remote code execution. Apply updates per vendor instructions. 2022-03-24
CVE-2012-1856 Microsoft Office Microsoft Office MSCOMCTL.OCX Remote Code Execution Vulnerability 2022-03-03 The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office allows remote attackers to execute arbitrary code via a crafted (1) document or (2) web page that triggers system-state corruption. Apply updates per vendor instructions. 2022-03-24
CVE-2012-1723 Oracle Java SE Oracle Java SE Runtime Environment (JRE) Arbitrary Code Execution Vulnerability 2022-03-03 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. Apply updates per vendor instructions. 2022-03-24
CVE-2012-1535 Adobe Flash Player Adobe Flash Player Arbitrary Code Execution Vulnerability 2022-03-03 Unspecified vulnerability in Adobe Flash Player allows remote attackers to execute arbitrary code or cause a denial of service via crafted SWF content. The impacted product is end-of-life and should be disconnected if still in use. 2022-03-24
CVE-2012-0507 Oracle Java SE Oracle Java SE Runtime Environment (JRE) Arbitrary Code Execution Vulnerability 2022-03-03 An incorrect type vulnerability exists in the Concurrency component of Oracle's Java Runtime Environment allows an attacker to remotely execute arbitrary code. Apply updates per vendor instructions. 2022-03-24
CVE-2011-3544 Oracle Java SE JDK and JRE Oracle Java SE Runtime Environment (JRE) Arbitrary Code Execution Vulnerability 2022-03-03 An access control vulnerability exists in the Applet Rhino Script Engine component of Oracle's Java Runtime Environment allows an attacker to remotely execute arbitrary code. Apply updates per vendor instructions. 2022-03-24
CVE-2011-1889 Microsoft Forefront Threat Management Gateway (TMG) Microsoft Forefront TMG Remote Code Execution Vulnerability 2022-03-03 A remote code execution vulnerability exists in the Forefront Threat Management Gateway (TMG) Firewall Client Winsock provider that could allow code execution in the security context of the client application. Apply updates per vendor instructions. 2022-03-24
CVE-2011-0611 Adobe Flash Player Adobe Flash Player Remote Code Execution Vulnerability 2022-03-03 Adobe Flash Player contains a vulnerability which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content. The impacted product is end-of-life and should be disconnected if still in use. 2022-03-24
CVE-2010-3333 Microsoft Office Microsoft Office Stack-based Buffer Overflow Vulnerability 2022-03-03 A stack-based buffer overflow vulnerability exists in the parsing of RTF data in Microsoft Office and earlier allows an attacker to perform remote code execution. Apply updates per vendor instructions. 2022-03-24
CVE-2010-0232 Microsoft Windows Microsoft Windows Kernel Exception Handler Vulnerability 2022-03-03 The kernel in Microsoft Windows, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges. Apply updates per vendor instructions. 2022-03-24
CVE-2010-0188 Adobe Reader and Acrobat Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability 2022-03-03 Unspecified vulnerability in Adobe Reader and Acrobat allows attackers to cause a denial of service or possibly execute arbitrary code. Apply updates per vendor instructions. 2022-03-24
CVE-2009-3129 Microsoft Excel Microsoft Excel Featheader Record Memory Corruption Vulnerability 2022-03-03 Microsoft Office Excel allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset. Apply updates per vendor instructions. 2022-03-24
CVE-2009-1123 Microsoft Windows Microsoft Windows Improper Input Validation Vulnerability 2022-03-03 The kernel in Microsoft Windows does not properly validate changes to unspecified kernel objects, which allows local users to gain privileges via a crafted application. Apply updates per vendor instructions. 2022-03-24
CVE-2008-3431 Oracle VirtualBox Oracle VirtualBox Insufficient Input Validation Vulnerability 2022-03-03 An input validation vulnerability exists in the VBoxDrv.sys driver of Sun xVM VirtualBox which allows attackers to locally execute arbitrary code. Apply updates per vendor instructions. 2022-03-24
CVE-2008-2992 Adobe Acrobat and Reader Adobe Reader and Acrobat Input Validation Vulnerability 2022-03-03 Adobe Acrobat and Reader contain an input validation issue in a JavaScript method that could potentially lead to remote code execution. Apply updates per vendor instructions. 2022-03-24
CVE-2004-0210 Microsoft Windows Microsoft Windows Privilege Escalation Vulnerability 2022-03-03 A privilege elevation vulnerability exists in the POSIX subsystem. This vulnerability could allow a logged on user to take complete control of the system. Apply updates per vendor instructions. 2022-03-24
CVE-2002-0367 Microsoft Windows Microsoft Windows Privilege Escalation Vulnerability 2022-03-03 smss.exe debugging subsystem in Microsoft Windows does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges. Apply updates per vendor instructions. 2022-03-24
CVE-2022-26486 Mozilla Firefox Mozilla Firefox Use-After-Free Vulnerability 2022-03-07 Mozilla Firefox contains a use-after-free vulnerability in WebGPU IPC Framework which can be exploited to perform arbitrary code execution. Apply updates per vendor instructions. 2022-03-21
CVE-2022-26485 Mozilla Firefox Mozilla Firefox Use-After-Free Vulnerability 2022-03-07 Mozilla Firefox contains a use-after-free vulnerability in XSLT parameter processing which can be exploited to perform arbitrary code execution. Apply updates per vendor instructions. 2022-03-21
CVE-2021-21973 VMware vCenter Server and Cloud Foundation VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability 2022-03-07 VMware vCenter Server and Cloud Foundation Server contain a SSRF vulnerability due to improper validation of URLs in a vCenter Server plugin. This allows for information disclosure. Apply updates per vendor instructions. 2022-03-21
CVE-2020-8218 Pulse Secure Pulse Connect Secure Pulse Connect Secure Code Injection Vulnerability 2022-03-07 A code injection vulnerability exists in Pulse Connect Secure that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface. Apply updates per vendor instructions. 2022-09-07
CVE-2019-11581 Atlassian Jira Server and Data Center Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability 2022-03-07 Atlassian Jira Server and Data Center contain a server-side template injection vulnerability which can allow for remote code execution. Apply updates per vendor instructions. 2022-09-07
CVE-2017-6077 NETGEAR Wireless Router DGN2200 NETGEAR DGN2200 Remote Code Execution Vulnerability 2022-03-07 NETGEAR DGN2200 wireless routers contain a vulnerability which allows for remote code execution. Apply updates per vendor instructions. 2022-09-07
CVE-2016-6277 NETGEAR Multiple Routers NETGEAR Multiple Routers Remote Code Execution Vulnerability 2022-03-07 NETGEAR confirmed multiple routers allow unauthenticated web pages to pass form input directly to the command-line interface, permitting remote code execution. Apply updates per vendor instructions. 2022-09-07
CVE-2013-0631 Adobe ColdFusion Adobe ColdFusion Information Disclosure Vulnerability 2022-03-07 Adobe Coldfusion contains an unspecified vulnerability, which could result in information disclosure from a compromised server. Apply updates per vendor instructions. 2022-09-07
CVE-2013-0629 Adobe ColdFusion Adobe ColdFusion Directory Traversal Vulnerability 2022-03-07 Adobe Coldfusion contains a directory traversal vulnerability, which could permit an unauthorized user access to restricted directories. Apply updates per vendor instructions. 2022-09-07
CVE-2013-0625 Adobe ColdFusion Adobe ColdFusion Authentication Bypass Vulnerability 2022-03-07 Adobe Coldfusion contains an authentication bypass vulnerability, which could result in an unauthorized user gaining administrative access. Apply updates per vendor instructions. 2022-09-07
CVE-2009-3960 Adobe BlazeDS Adobe BlazeDS Information Disclosure Vulnerability 2022-03-07 Adobe BlazeDS, which is utilized in LifeCycle and Coldfusion, contains a vulnerability which allows for information disclosure. Apply updates per vendor instructions. 2022-09-07
CVE-2020-5135 SonicWall SonicOS SonicWall SonicOS Buffer Overflow Vulnerability 2022-03-15 A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. Apply updates per vendor instructions. 2022-04-05
CVE-2019-1405 Microsoft Windows Microsoft Windows Universal Plug and Play (UPnP) Service Privilege Escalation Vulnerability 2022-03-15 A privilege escalation vulnerability exists when the Windows UPnP service improperly allows COM object creation. Apply updates per vendor instructions. 2022-04-05
CVE-2019-1322 Microsoft Windows Microsoft Windows Privilege Escalation Vulnerability 2022-03-15 A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context. Apply updates per vendor instructions. 2022-04-05
CVE-2019-1315 Microsoft Windows Microsoft Windows Error Reporting Manager Privilege Escalation Vulnerability 2022-03-15 A privilege escalation vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. Apply updates per vendor instructions. 2022-04-05
CVE-2019-1253 Microsoft Windows Microsoft Windows AppX Deployment Server Privilege Escalation Vulnerability 2022-03-15 A privilege escalation vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. Apply updates per vendor instructions. 2022-04-05
CVE-2019-1132 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2022-03-15 A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. Apply updates per vendor instructions. 2022-04-05
CVE-2019-1129 Microsoft Windows Microsoft Windows AppX Deployment Service (AppXSVC) Privilege Escalation Vulnerability 2022-03-15 A privilege escalation vulnerability exists when Windows AppXSVC improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. Apply updates per vendor instructions. 2022-04-05
CVE-2019-1069 Microsoft Task Scheduler Microsoft Task Scheduler Privilege Escalation Vulnerability 2022-03-15 A privilege escalation vulnerability exists in the way the Task Scheduler Service validates certain file operations. Apply updates per vendor instructions. 2022-04-05
CVE-2019-1064 Microsoft Windows Microsoft Windows AppX Deployment Service (AppXSVC) Privilege Escalation Vulnerability 2022-03-15 A privilege escalation vulnerability exists when Windows AppXSVC improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. Apply updates per vendor instructions. 2022-04-05
CVE-2019-0841 Microsoft Windows Microsoft Windows AppX Deployment Service (AppXSVC) Privilege Escalation Vulnerability 2022-03-15 A privilege escalation vulnerability exists when Windows AppXSVC improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. Apply updates per vendor instructions. 2022-04-05
CVE-2019-0543 Microsoft Windows Microsoft Windows Privilege Escalation Vulnerability 2022-03-15 A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context. Apply updates per vendor instructions. 2022-04-05
CVE-2018-8120 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2022-03-15 A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. Apply updates per vendor instructions. 2022-04-05
CVE-2017-0101 Microsoft Windows Microsoft Windows Transaction Manager Privilege Escalation Vulnerability 2022-03-15 A privilege escalation vulnerability exists when the Windows Transaction Manager improperly handles objects in memory. Apply updates per vendor instructions. 2022-04-05
CVE-2016-3309 Microsoft Windows Microsoft Windows Kernel Privilege Escalation Vulnerability 2022-03-15 A privilege escalation vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. Apply updates per vendor instructions. 2022-04-05
CVE-2015-2546 Microsoft Win32k Microsoft Win32k Memory Corruption Vulnerability 2022-03-15 The kernel-mode driver in Microsoft Windows OS and Server allows local users to gain privileges via a crafted application. Apply updates per vendor instructions. 2022-04-05
CVE-2022-26318 WatchGuard Firebox and XTM Appliances WatchGuard Firebox and XTM Appliances Arbitrary Code Execution 2022-03-25 On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code. Apply updates per vendor instructions. 2022-04-15
CVE-2022-26143 Mitel MiCollab, MiVoice Business Express MiCollab, MiVoice Business Express Access Control Vulnerability 2022-03-25 A vulnerability has been identified in MiCollab and MiVoice Business Express that may allow a malicious actor to gain unauthorized access to sensitive information and services, cause performance degradations or a denial of service condition on the affected system. Apply updates per vendor instructions. 2022-04-15
CVE-2022-21999 Microsoft Windows Microsoft Windows Print Spooler Privilege Escalation Vulnerability 2022-03-25 Microsoft Windows Print Spooler contains an unspecified vulnerability which can allow for privilege escalation. Apply updates per vendor instructions. 2022-04-15
CVE-2021-42237 Sitecore XP Sitecore XP Remote Command Execution Vulnerability 2022-03-25 Sitcore XP contains an insecure deserialization vulnerability which can allow for remote code execution. Apply updates per vendor instructions. 2022-04-15
CVE-2021-22941 Citrix ShareFile Citrix ShareFile Improper Access Control Vulnerability 2022-03-25 Improper Access Control in Citrix ShareFile storage zones controller may allow an unauthenticated attacker to remotely compromise the storage zones controller. Apply updates per vendor instructions. 2022-04-15
CVE-2020-9377 D-Link DIR-610 Devices D-Link DIR-610 Devices Remote Command Execution 2022-03-25 D-Link DIR-610 devices allow remote code execution via the cmd parameter to command.php. The impacted product is end-of-life and should be disconnected if still in use. 2022-04-15
CVE-2020-9054 Zyxel Multiple Network-Attached Storage (NAS) Devices Zyxel Multiple NAS Devices OS Command Injection Vulnerability 2022-03-25 Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code. Apply updates per vendor instructions. 2022-04-15
CVE-2020-7247 OpenBSD OpenSMTPD OpenSMTPD Remote Code Execution Vulnerability 2022-03-25 smtp_mailaddr in smtp_session.c in OpenSMTPD, as used in OpenBSD and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session. Apply updates per vendor instructions. 2022-04-15
CVE-2020-5410 VMware Tanzu Spring Cloud Configuration (Config) Server VMware Tanzu Spring Cloud Config Directory Traversal Vulnerability 2022-03-25 Spring, by VMware Tanzu, Cloud Config contains a path traversal vulnerability which allows applications to serve arbitrary configuration files. Apply updates per vendor instructions. 2022-04-15
CVE-2020-25223 Sophos SG UTM Sophos SG UTM Remote Code Execution Vulnerability 2022-03-25 A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM. Apply updates per vendor instructions. 2022-04-15
CVE-2020-2506 QNAP Systems Helpdesk QNAP Helpdesk Improper Access Control Vulnerability 2022-03-25 QNAP Helpdesk contains an improper access control vulnerability which could allow an attacker to gain privileges or to read sensitive information. Apply updates per vendor instructions. 2022-04-15
CVE-2020-2021 Palo Alto Networks PAN-OS Palo Alto Networks PAN-OS Authentication Bypass Vulnerability 2022-03-25 Palo Alto Networks PAN-OS contains a vulnerability in SAML which allows an attacker to bypass authentication. Apply updates per vendor instructions. 2022-04-15
CVE-2020-1956 Apache Kylin Apache Kylin OS Command Injection Vulnerability 2022-03-25 Apache Kylin contains an OS command injection vulnerability which could permit an attacker to perform remote code execution. Apply updates per vendor instructions. 2022-04-15
CVE-2020-1631 Juniper Junos OS Juniper Junos OS Path Traversal Vulnerability 2022-03-25 A path traversal vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform remote code execution. Apply updates per vendor instructions. 2022-04-15
CVE-2019-6340 Drupal Core Drupal Core Remote Code Execution Vulnerability 2022-03-25 In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases. Apply updates per vendor instructions. 2022-04-15
CVE-2019-2616 Oracle BI Publisher (Formerly XML Publisher) Oracle BI Publisher Unauthorized Access Vulnerability 2022-03-25 Oracle BI Publisher, formerly XML Publisher, contains an unspecified vulnerability which allows for various unauthorized actions. Open-source reporting attributes this vulnerability to allowing for authentication bypass. Apply updates per vendor instructions. 2022-04-15
CVE-2019-16920 D-Link Multiple Routers D-Link Multiple Routers Command Injection Vulnerability 2022-03-25 Multiple D-Link routers contain a command injection vulnerability which can allow attackers to achieve full system compromise. The impacted product is end-of-life and should be disconnected if still in use. 2022-04-15
CVE-2019-15107 Webmin Webmin Webmin Command Injection Vulnerability 2022-03-25 An issue was discovered in Webmin. The parameter old in password_change.cgi contains a command injection vulnerability. Apply updates per vendor instructions. 2022-04-15
CVE-2019-12991 Citrix SD-WAN and NetScaler Citrix SD-WAN and NetScaler Command Injection Vulnerability 2022-03-25 Authenticated Command Injection in Citrix SD-WAN Appliance and NetScaler SD-WAN Appliance. Apply updates per vendor instructions. 2022-04-15
CVE-2019-12989 Citrix SD-WAN and NetScaler Citrix SD-WAN and NetScaler SQL Injection Vulnerability 2022-03-25 Citrix SD-WAN and NetScaler SD-WAN allow SQL Injection. Apply updates per vendor instructions. 2022-04-15
CVE-2019-11043 PHP FastCGI Process Manager (FPM) PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability 2022-03-25 In some versions of PHP in certain configurations of FPM setup, it is possible to cause FPM module to write past allocated buffers allowing the possibility of remote code execution. Apply updates per vendor instructions. 2022-04-15
CVE-2019-10068 Kentico Xperience Kentico Xperience Deserialization of Untrusted Data Vulnerability 2022-03-25 Kentico contains a failure to validate security headers. This deserialization can led to unauthenticated remote code execution. Apply updates per vendor instructions. 2022-04-15
CVE-2019-1003030 Jenkins Matrix Project Plugin Jenkins Matrix Project Plugin Remote Code Execution Vulnerability 2022-03-25 Jenkins Matrix Project plugin contains a vulnerability which can allow users to escape the sandbox, opening opportunity to perform remote code execution. Apply updates per vendor instructions. 2022-04-15
CVE-2019-0903 Microsoft Graphics Device Interface (GDI) Microsoft GDI Remote Code Execution Vulnerability 2022-03-25 A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. Apply updates per vendor instructions. 2022-04-15
CVE-2018-8414 Microsoft Windows Microsoft Windows Shell Remote Code Execution Vulnerability 2022-03-25 A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. Apply updates per vendor instructions. 2022-04-15
CVE-2018-8373 Microsoft Internet Explorer Scripting Engine Microsoft Scripting Engine Memory Corruption Vulnerability 2022-03-25 A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. Apply updates per vendor instructions. 2022-04-15
CVE-2018-6961 VMware SD-WAN Edge VMware SD-WAN Edge by VeloCloud Command Injection Vulnerability 2022-03-25 VMware SD-WAN Edge by VeloCloud contains a command injection vulnerability in the local web UI component. Successful exploitation of this issue could result in remote code execution. Apply updates per vendor instructions. 2022-04-15
CVE-2018-14839 LG N1A1 NAS LG N1A1 NAS Remote Command Execution Vulnerability 2022-03-25 LG N1A1 NAS 3718.510 is affected by a remote code execution vulnerability. Apply updates per vendor instructions. 2022-04-15
CVE-2018-1273 VMware Tanzu Spring Data Commons VMware Tanzu Spring Data Commons Property Binder Vulnerability 2022-03-25 Spring Data Commons contains a property binder vulnerability which can allow an attacker to perform remote code execution. Apply updates per vendor instructions. 2022-04-15
CVE-2018-11138 Quest KACE System Management Appliance Quest KACE System Management Appliance Remote Command Execution Vulnerability 2022-03-25 The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance is accessible by anonymous users and can be abused to perform remote code execution. Apply updates per vendor instructions. 2022-04-15
CVE-2018-0147 Cisco Secure Access Control System (ACS) Cisco Secure Access Control System Java Deserialization Vulnerability 2022-03-25 A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. Apply updates per vendor instructions. 2022-04-15
CVE-2018-0125 Cisco VPN Routers Cisco VPN Routers Remote Code Execution Vulnerability 2022-03-25 A vulnerability in the web interface of the Cisco VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as root and gain full control of an affected system. Apply updates per vendor instructions. 2022-04-15
CVE-2017-6334 NETGEAR DGN2200 Devices NETGEAR DGN2200 Devices OS Command Injection Vulnerability 2022-03-25 dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands The impacted product is end-of-life and should be disconnected if still in use. 2022-04-15
CVE-2017-6316 Citrix NetScaler SD-WAN Enterprise, CloudBridge Virtual WAN, and XenMobile Server Citrix Multiple Products Remote Code Execution Vulnerability 2022-03-25 A vulnerability has been identified in the management interface of Citrix NetScaler SD-WAN Enterprise and Standard Edition and Citrix CloudBridge Virtual WAN Edition that could result in an unauthenticated, remote attacker being able to execute arbitrary code as a root user. This vulnerability also affects XenMobile Server. Apply updates per vendor instructions. 2022-04-15
CVE-2017-3881 Cisco IOS and IOS XE Cisco IOS and IOS XE Remote Code Execution Vulnerability 2022-03-25 A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. Apply updates per vendor instructions. 2022-04-15
CVE-2017-12617 Apache Tomcat Apache Tomcat Remote Code Execution Vulnerability 2022-03-25 When running Apache Tomcat, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. Apply updates per vendor instructions. 2022-04-15
CVE-2017-12615 Apache Tomcat Apache Tomcat on Windows Remote Code Execution Vulnerability 2022-03-25 When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. Apply updates per vendor instructions. 2022-04-15
CVE-2017-0146 Microsoft Windows Microsoft Windows SMB Remote Code Execution Vulnerability 2022-03-25 The SMBv1 server in Microsoft Windows allows remote attackers to perform remote code execution. Apply updates per vendor instructions. 2022-04-15
CVE-2016-7892 Adobe Flash Player Adobe Flash Player Use-After-Free Vulnerability 2022-03-25 Adobe Flash Player has an exploitable use-after-free vulnerability in the TextField class. The impacted product is end-of-life and should be disconnected if still in use. 2022-04-15
CVE-2016-4171 Adobe Flash Player Adobe Flash Player Remote Code Execution Vulnerability 2022-03-25 Unspecified vulnerability in Adobe Flash Player allows for remote code execution. The impacted product is end-of-life and should be disconnected if still in use. 2022-04-15
CVE-2016-1555 NETGEAR Wireless Access Point (WAP) Devices NETGEAR Multiple WAP Devices Command Injection Vulnerability 2022-03-25 Multiple NETGEAR Wireless Access Point devices allows unauthenticated web pages to pass form input directly to the command-line interface. Exploitation allows for arbitrary code execution. Apply updates per vendor instructions. 2022-04-15
CVE-2016-11021 D-Link DCS-930L Devices D-Link DCS-930L Devices OS Command Injection Vulnerability 2022-03-25 setSystemCommand on D-Link DCS-930L devices allows a remote attacker to execute code via an OS command. The impacted product is end-of-life and should be disconnected if still in use. 2022-04-15
CVE-2016-10174 NETGEAR WNR2000v5 Router NETGEAR WNR2000v5 Router Buffer Overflow Vulnerability 2022-03-25 The NETGEAR WNR2000v5 router contains a buffer overflow which can be exploited to achieve remote code execution. Apply updates per vendor instructions. 2022-04-15
CVE-2016-0752 Rails Ruby on Rails Ruby on Rails Directory Traversal Vulnerability 2022-03-25 Directory traversal vulnerability in Action View in Ruby on Rails allows remote attackers to read arbitrary files. Apply updates per vendor instructions. 2022-04-15
CVE-2015-4068 Arcserve Unified Data Protection (UDP) Arcserve Unified Data Protection (UDP) Directory Traversal Vulnerability 2022-03-25 Directory traversal vulnerability in Arcserve UDP allows remote attackers to obtain sensitive information or cause a denial of service. Apply updates per vendor instructions. 2022-04-15
CVE-2015-3035 TP-Link Multiple Archer Devices TP-Link Multiple Archer Devices Directory Traversal Vulnerability 2022-03-25 Directory traversal vulnerability in multiple TP-Link Archer devices allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to login/. Apply updates per vendor instructions. 2022-04-15
CVE-2015-1427 Elastic Elasticsearch Elasticsearch Groovy Scripting Engine Remote Code Execution Vulnerability 2022-03-25 The Groovy scripting engine in Elasticsearch allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands. Apply updates per vendor instructions. 2022-04-15
CVE-2015-1187 D-Link and TRENDnet Multiple Devices D-Link and TRENDnet Multiple Devices Remote Code Execution Vulnerability 2022-03-25 The ping tool in multiple D-Link and TRENDnet devices allow remote attackers to perform remote code execution. The impacted product is end-of-life and should be disconnected if still in use. 2022-04-15
CVE-2015-0666 Cisco Prime Data Center Network Manager (DCNM) Cisco Prime Data Center Network Manager (DCNM) Directory Traversal Vulnerability 2022-03-25 Directory traversal vulnerability in the fmserver servlet in Cisco Prime Data Center Network Manager (DCNM) allows remote attackers to read arbitrary files. Apply updates per vendor instructions. 2022-04-15
CVE-2014-6332 Microsoft Windows Microsoft Windows Object Linking & Embedding (OLE) Automation Array Remote Code Execution Vulnerability 2022-03-25 OleAut32.dll in OLE in Microsoft Windows allows remote attackers to remotely execute code via a crafted web site. Apply updates per vendor instructions. 2022-04-15
CVE-2014-6324 Microsoft Kerberos Key Distribution Center (KDC) Microsoft Kerberos Key Distribution Center (KDC) Privilege Escalation Vulnerability 2022-03-25 The Kerberos Key Distribution Center (KDC) in Microsoft allows remote authenticated domain users to obtain domain administrator privileges. Apply updates per vendor instructions. 2022-04-15
CVE-2014-6287 Rejetto HTTP File Server (HFS) Rejetto HTTP File Server (HFS) Remote Code Execution Vulnerability 2022-03-25 The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (HFS or HttpFileServer) allows remote attackers to execute arbitrary programs. Apply updates per vendor instructions. 2022-04-15
CVE-2014-3120 Elastic Elasticsearch Elasticsearch Remote Code Execution Vulnerability 2022-03-25 Elasticsearch enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code. Apply updates per vendor instructions. 2022-04-15
CVE-2014-0130 Rails Ruby on Rails Ruby on Rails Directory Traversal Vulnerability 2022-03-25 Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails allows remote attackers to read arbitrary files via a crafted request. Apply updates per vendor instructions. 2022-04-15
CVE-2013-5223 D-Link DSL-2760U D-Link DSL-2760U Gateway Cross-Site Scripting Vulnerability 2022-03-25 A cross-site scripting (XSS) vulnerability exists in the D-Link DSL-2760U gateway, allowing remote authenticated users to inject arbitrary web script or HTML. Apply updates per vendor instructions. 2022-04-15
CVE-2013-4810 Hewlett Packard (HP) ProCurve Manager (PCM), PCM+, Identity Driven Manager (IDM), and Application Lifecycle Management HP Multiple Products Remote Code Execution Vulnerability 2022-03-25 HP ProCurve Manager (PCM), PCM+, Identity Driven Manager (IDM), and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet. Apply updates per vendor instructions. 2022-04-15
CVE-2013-2251 Apache Struts Apache Struts Improper Input Validation Vulnerability 2022-03-25 Apache Struts allows remote attackers to execute arbitrary Object-Graph Navigation Language (OGNL) expressions. Apply updates per vendor instructions. 2022-04-15
CVE-2012-1823 PHP PHP PHP-CGI Query String Parameter Vulnerability 2022-03-25 sapi/cgi/cgi_main.c in PHP, when configured as a CGI script, does not properly handle query strings, which allows remote attackers to execute arbitrary code. Apply updates per vendor instructions. 2022-04-15
CVE-2010-4345 Exim Exim Exim Privilege Escalation Vulnerability 2022-03-25 Exim allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands. Apply updates per vendor instructions. 2022-04-15
CVE-2010-4344 Exim Exim Exim Heap-Based Buffer Overflow Vulnerability 2022-03-25 Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session. Apply updates per vendor instructions. 2022-04-15
CVE-2010-3035 Cisco IOS XR Cisco IOS XR Border Gateway Protocol (BGP) Denial-of-Service Vulnerability 2022-03-25 Cisco IOS XR, when BGP is the configured routing feature, allows remote attackers to cause a denial-of-service. Apply updates per vendor instructions. 2022-04-15
CVE-2010-2861 Adobe ColdFusion Adobe ColdFusion Directory Traversal Vulnerability 2022-03-25 A directory traversal vulnerability exists in the administrator console in Adobe ColdFusion which allows remote attackers to read arbitrary files. Apply updates per vendor instructions. 2022-04-15
CVE-2009-2055 Cisco IOS XR Cisco IOS XR Border Gateway Protocol (BGP) Denial-of-Service Vulnerability 2022-03-25 Cisco IOS XR,when BGP is the configured routing feature, allows remote attackers to cause a denial-of-service. Apply updates per vendor instructions. 2022-04-15
CVE-2009-1151 phpMyAdmin phpMyAdmin phpMyAdmin Remote Code Execution Vulnerability 2022-03-25 Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file. Apply updates per vendor instructions. 2022-04-15
CVE-2009-0927 Adobe Reader and Acrobat Adobe Reader and Adobe Acrobat Stack-Based Buffer Overflow Vulnerability 2022-03-25 Stack-based buffer overflow in Adobe Reader and Adobe Acrobat allows remote attackers to execute arbitrary code. Apply updates per vendor instructions. 2022-04-15
CVE-2005-2773 Hewlett Packard (HP) OpenView Network Node Manager HP OpenView Network Node Manager Remote Code Execution Vulnerability 2022-03-25 HP OpenView Network Node Manager could allow a remote attacker to execute arbitrary commands on the system. Apply updates per vendor instructions. 2022-04-15
CVE-2022-1096 Google Chromium V8 Google Chromium V8 Type Confusion Vulnerability 2022-03-28 The vulnerability exists due to a type confusion error within the V8 component in Chromium, affecting all Chromium-based browsers. Apply updates per vendor instructions. 2022-04-18
CVE-2022-0543 Redis Debian-specific Redis Servers Debian-specific Redis Server Lua Sandbox Escape Vulnerability 2022-03-28 Redis is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution. Apply updates per vendor instructions. 2022-04-18
CVE-2021-38646 Microsoft Office Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability 2022-03-28 Microsoft Office Access Connectivity Engine contains an unspecified vulnerability which can allow for remote code execution. Apply updates per vendor instructions. 2022-04-18
CVE-2021-34486 Microsoft Windows Microsoft Windows Event Tracing Privilege Escalation Vulnerability 2022-03-28 Microsoft Windows Event Tracing contains an unspecified vulnerability which can allow for privilege escalation. Apply updates per vendor instructions. 2022-04-18
CVE-2021-26085 Atlassian Confluence Server Atlassian Confluence Server Pre-Authorization Arbitrary File Read Vulnerability 2022-03-28 Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a pre-authorization arbitrary file read vulnerability in the /s/ endpoint. Apply updates per vendor instructions. 2022-04-18
CVE-2021-20028 SonicWall Secure Remote Access (SRA) SonicWall Secure Remote Access (SRA) SQL Injection Vulnerability 2022-03-28 SonicWall Secure Remote Access (SRA) products contain an improper neutralization of a SQL Command leading to SQL injection. The impacted product is end-of-life and should be disconnected if still in use. 2022-04-18
CVE-2019-7483 SonicWall SMA100 SonicWall SMA100 Directory Traversal Vulnerability 2022-03-28 In SonicWall SMA100, an unauthenticated Directory Traversal vulnerability in the handleWAFRedirect CGI allows the user to test for the presence of a file on the server. Apply updates per vendor instructions. 2022-04-18
CVE-2018-8440 Microsoft Windows Microsoft Windows Privilege Escalation Vulnerability 2022-03-28 An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). Apply updates per vendor instructions. 2022-04-18
CVE-2018-8406 Microsoft DirectX Graphics Kernel (DXGKRNL) Microsoft DirectX Graphics Kernel Privilege Escalation Vulnerability 2022-03-28 An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. Apply updates per vendor instructions. 2022-04-18
CVE-2018-8405 Microsoft DirectX Graphics Kernel (DXGKRNL) Microsoft DirectX Graphics Kernel Privilege Escalation Vulnerability 2022-03-28 An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. Apply updates per vendor instructions. 2022-04-18
CVE-2017-0213 Microsoft Windows Microsoft Windows Privilege Escalation Vulnerability 2022-03-28 Microsoft Windows COM Aggregate Marshaler allows for privilege escalation when an attacker runs a specially crafted application. Apply updates per vendor instructions. 2022-04-18
CVE-2017-0059 Microsoft Internet Explorer Microsoft Internet Explorer Information Disclosure Vulnerability 2022-03-28 Microsoft Internet Explorer allow remote attackers to obtain sensitive information from process memory via a crafted web site. Apply updates per vendor instructions. 2022-04-18
CVE-2017-0037 Microsoft Edge and Internet Explorer Microsoft Edge and Internet Explorer Type Confusion Vulnerability 2022-03-28 Microsoft Edge and Internet Explorer have a type confusion vulnerability in mshtml.dll, which allows remote code execution. Apply updates per vendor instructions. 2022-04-18
CVE-2016-7201 Microsoft Edge Microsoft Edge Memory Corruption Vulnerability 2022-03-28 The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute remote code or cause a denial of service (memory corruption) via a crafted web site. Apply updates per vendor instructions. 2022-04-18
CVE-2016-7200 Microsoft Edge Microsoft Edge Memory Corruption Vulnerability 2022-03-28 The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute remote code or cause a denial of service (memory corruption) via a crafted web site. Apply updates per vendor instructions. 2022-04-18
CVE-2016-0189 Microsoft Internet Explorer Microsoft Internet Explorer Memory Corruption Vulnerability 2022-03-28 The Microsoft JScript nd VBScript engines, as used in Internet Explorer and other products, allow attackers to execute remote code or cause a denial of service (memory corruption) via a crafted web site. Apply updates per vendor instructions. 2022-04-18
CVE-2016-0151 Microsoft Client-Server Run-time Subsystem (CSRSS) Microsoft Windows CSRSS Security Feature Bypass Vulnerability 2022-03-28 The Client-Server Run-time Subsystem (CSRSS) in Microsoft mismanages process tokens, which allows local users to gain privileges via a crafted application. Apply updates per vendor instructions. 2022-04-18
CVE-2016-0040 Microsoft Windows Microsoft Windows Kernel Privilege Escalation Vulnerability 2022-03-28 The kernel in Microsoft Windows allows local users to gain privileges via a crafted application. Apply updates per vendor instructions. 2022-04-18
CVE-2015-2426 Microsoft Windows Microsoft Windows Adobe Type Manager Library Remote Code Execution Vulnerability 2022-03-28 A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. Apply updates per vendor instructions. 2022-04-18
CVE-2015-2419 Microsoft Internet Explorer Microsoft Internet Explorer Memory Corruption Vulnerability 2022-03-28 JScript in Microsoft Internet Explorer allows remote attackers to execute remote code or cause a denial of service (memory corruption) via a crafted web site. Apply updates per vendor instructions. 2022-04-18
CVE-2015-1770 Microsoft Office Microsoft Office Uninitialized Memory Use Vulnerability 2022-03-28 Microsoft Office allows remote attackers to execute arbitrary code via a crafted Office document. Apply updates per vendor instructions. 2022-04-18
CVE-2013-3660 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2022-03-28 The EPATHOBJ::pprFlattenRec function in win32k.sys in the kernel-mode drivers in Microsoft does not properly initialize a pointer for the next object in a certain list, which allows local users to gain privileges. Apply updates per vendor instructions. 2022-04-18
CVE-2013-2729 Adobe Reader and Acrobat Adobe Reader and Acrobat Arbitrary Integer Overflow Vulnerability 2022-03-28 Integer overflow vulnerability in Adobe Reader and Acrobat allows attackers to execute remote code. Apply updates per vendor instructions. 2022-04-18
CVE-2013-2551 Microsoft Internet Explorer Microsoft Internet Explorer Use-After-Free Vulnerability 2022-03-28 Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute remote code via a crafted web site that triggers access to a deleted object. Apply updates per vendor instructions. 2022-04-18
CVE-2013-2465 Oracle Java SE Oracle Java SE Unspecified Vulnerability 2022-03-28 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D Apply updates per vendor instructions. 2022-04-18
CVE-2013-1690 Mozilla Firefox and Thunderbird Mozilla Firefox and Thunderbird Denial-of-Service Vulnerability 2022-03-28 Mozilla Firefox and Thunderbird do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial-of-service or possibly execute arbitrary code via a crafted web site. Apply updates per vendor instructions. 2022-04-18
CVE-2012-5076 Oracle Java SE Oracle Java SE Sandbox Bypass Vulnerability 2022-03-28 The default Java security properties configuration did not restrict access to the com.sun.org.glassfish.external and com.sun.org.glassfish.gmbal packages. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. Apply updates per vendor instructions. 2022-04-18
CVE-2012-2539 Microsoft Word Microsoft Word Remote Code Execution Vulnerability 2022-03-28 Microsoft Word allows attackers to execute remote code or cause a denial-of-service via crafted RTF data. Apply updates per vendor instructions. 2022-04-18
CVE-2012-2034 Adobe Flash Player Adobe Flash Player Memory Corruption Vulnerability 2022-03-28 Adobe Flash Player contains a memory corruption vulnerability which allows for remote code execution or denial-of-service. The impacted product is end-of-life and should be disconnected if still in use. 2022-04-18
CVE-2012-0518 Oracle Fusion Middleware Oracle Fusion Middleware Unspecified Vulnerability 2022-03-28 Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware allows remote attackers to affect integrity via unknown vectors Apply updates per vendor instructions. 2022-04-18
CVE-2011-2005 Microsoft Ancillary Function Driver (afd.sys) Microsoft Ancillary Function Driver (afd.sys) Improper Input Validation Vulnerability 2022-03-28 afd.sys in the Ancillary Function Driver in Microsoft Windows does not properly validate user-mode input passed to kernel mode, which allows local users to gain privileges via a crafted application. Apply updates per vendor instructions. 2022-04-18
CVE-2010-4398 Microsoft Windows Microsoft Windows Kernel Stack-Based Buffer Overflow Vulnerability 2022-03-28 Stack-based buffer overflow in the RtlQueryRegistryValues function in win32k.sys in Microsoft Windows allows local users to gain privileges, and bypass the User Account Control (UAC) feature. Apply updates per vendor instructions. 2022-04-21
CVE-2022-26871 Trend Micro Apex Central Trend Micro Apex Central Arbitrary File Upload Vulnerability 2022-03-31 An arbitrary file upload vulnerability in Trend Micro Apex Central could allow for remote code execution. Apply updates per vendor instructions. 2022-04-21
CVE-2022-1040 Sophos Firewall Sophos Firewall Authentication Bypass Vulnerability 2022-03-31 An authentication bypass vulnerability in User Portal and Webadmin of Sophos Firewall allows for remote code execution. Apply updates per vendor instructions. 2022-04-21
CVE-2021-34484 Microsoft Windows Microsoft Windows User Profile Service Privilege Escalation Vulnerability 2022-03-31 Microsoft Windows User Profile Service contains an unspecified vulnerability which allows for privilege escalation. Apply updates per vendor instructions. 2022-04-21
CVE-2021-28799 QNAP Network Attached Storage (NAS) QNAP NAS Improper Authorization Vulnerability 2022-03-31 QNAP NAS running HBS 3 contains an improper authorization vulnerability which can allow remote attackers to log in to a device. Apply updates per vendor instructions. 2022-04-21
CVE-2021-21551 Dell dbutil Driver Dell dbutil Driver Insufficient Access Control Vulnerability 2022-03-31 Dell dbutil driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial-of-service, or information disclosure. Apply updates per vendor instructions. 2022-04-21
CVE-2018-10562 Dasan Gigabit Passive Optical Network (GPON) Routers Dasan GPON Routers Command Injection Vulnerability 2022-03-31 Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10561, exploitation can allow an attacker to perform remote code execution. The impacted product is end-of-life and should be disconnected if still in use. 2022-04-21
CVE-2018-10561 Dasan Gigabit Passive Optical Network (GPON) Routers Dasan GPON Routers Authentication Bypass Vulnerability 2022-03-31 Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution. The impacted product is end-of-life and should be disconnected if still in use. 2022-04-21
CVE-2022-22965 VMware Spring Framework Spring Framework JDK 9+ Remote Code Execution Vulnerability 2022-04-04 Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. Apply updates per vendor instructions. 2022-04-25
CVE-2022-22675 Apple macOS Apple macOS Out-of-Bounds Write Vulnerability 2022-04-04 macOS Monterey contains an out-of-bounds write vulnerability that could allow an application to execute arbitrary code with kernel privileges. Apply updates per vendor instructions. 2022-04-25
CVE-2022-22674 Apple macOS Apple macOS Out-of-Bounds Read Vulnerability 2022-04-04 macOS Monterey contains an out-of-bounds read vulnerability that could allow an application to read kernel memory. Apply updates per vendor instructions. 2022-04-25
CVE-2021-45382 D-Link Multiple Routers D-Link Multiple Routers Remote Code Execution Vulnerability 2022-04-04 A remote code execution vulnerability exists in all series H/W revisions routers via the DDNS function in ncc2 binary file. The impacted product is end-of-life and should be disconnected if still in use. 2022-04-25
CVE-2021-3156 Sudo Sudo Sudo Heap-Based Buffer Overflow Vulnerability 2022-04-06 Sudo contains an off-by-one error that can result in a heap-based buffer overflow, which allows for privilege escalation. Apply updates per vendor instructions. 2022-04-27
CVE-2021-31166 Microsoft HTTP Protocol Stack Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability 2022-04-06 Microsoft HTTP Protocol Stack contains a vulnerability in http.sys that allows for remote code execution. Apply updates per vendor instructions. 2022-04-27
CVE-2017-0148 Microsoft SMBv1 server Microsoft SMBv1 Server Remote Code Execution Vulnerability 2022-04-06 The SMBv1 server in Microsoft allows remote attackers to execute arbitrary code via crafted packets. Apply updates per vendor instructions. 2022-04-27
CVE-2022-23176 WatchGuard Firebox and XTM WatchGuard Firebox and XTM Privilege Escalation Vulnerability 2022-04-11 WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. Apply updates per vendor instructions. 2022-05-02
CVE-2021-42287 Microsoft Active Directory Microsoft Active Directory Domain Services Privilege Escalation Vulnerability 2022-04-11 Microsoft Active Directory Domain Services contains an unspecified vulnerability which allows for privilege escalation. Apply updates per vendor instructions. 2022-05-02
CVE-2021-42278 Microsoft Active Directory Microsoft Active Directory Domain Services Privilege Escalation Vulnerability 2022-04-11 Microsoft Active Directory Domain Services contains an unspecified vulnerability which allows for privilege escalation. Apply updates per vendor instructions. 2022-05-02
CVE-2021-39793 Google Pixel Google Pixel Out-of-Bounds Write Vulnerability 2022-04-11 Google Pixel contains a possible out-of-bounds write due to a logic error in the code that could lead to local escalation of privilege. Apply updates per vendor instructions. 2022-05-02
CVE-2021-27852 Checkbox Checkbox Survey Checkbox Survey Deserialization of Untrusted Data Vulnerability 2022-04-11 Deserialization of Untrusted Data vulnerability in CheckboxWeb.dll of Checkbox Survey allows an unauthenticated remote attacker to execute arbitrary code. Versions 6 and earlier for this product are end-of-life and must be removed from agency networks. Versions 7 and later are not considered vulnerable. 2022-05-02
CVE-2021-22600 Linux Kernel Linux Kernel Privilege Escalation Vulnerability 2022-04-11 Linux Kernel contains a flaw in the packet socket (AF_PACKET) implementation which could lead to incorrectly freeing memory. A local user could exploit this for denial-of-service or possibly for privilege escalation. Apply updates per vendor instructions. 2022-05-02
CVE-2020-2509 QNAP QNAP Network-Attached Storage (NAS) QNAP Network-Attached Storage (NAS) Command Injection Vulnerability 2022-04-11 QNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution. Apply updates per vendor instructions. 2022-05-02
CVE-2017-11317 Telerik User Interface (UI) for ASP.NET AJAX Telerik UI for ASP.NET AJAX Unrestricted File Upload Vulnerability 2022-04-11 Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX allows remote attackers to perform arbitrary file uploads or execute arbitrary code. Apply updates per vendor instructions. 2022-05-02
CVE-2022-24521 Microsoft Windows Microsoft Windows CLFS Driver Privilege Escalation Vulnerability 2022-04-13 Microsoft Windows Common Log File System (CLFS) Driver contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2022-05-04
CVE-2018-7602 Drupal Core Drupal Core Remote Code Execution Vulnerability 2022-04-13 A remote code execution vulnerability exists within multiple subsystems of Drupal that can allow attackers to exploit multiple attack vectors on a Drupal site. Apply updates per vendor instructions. 2022-05-04
CVE-2018-20753 Kaseya Virtual System/Server Administrator (VSA) Kaseya VSA Remote Code Execution Vulnerability 2022-04-13 Kaseya VSA RMM allows unprivileged remote attackers to execute PowerShell payloads on all managed devices. Apply updates per vendor instructions. 2022-05-04
CVE-2015-5123 Adobe Flash Player Adobe Flash Player Use-After-Free Vulnerability 2022-04-13 Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player allows remote attackers to execute code or cause a denial-of-service. The impacted product is end-of-life and should be disconnected if still in use. 2022-05-04
CVE-2015-5122 Adobe Flash Player Adobe Flash Player Use-After-Free Vulnerability 2022-04-13 Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player allows remote attackers to execute code or cause a denial-of-service. The impacted product is end-of-life and should be disconnected if still in use. 2022-05-04
CVE-2015-3113 Adobe Flash Player Adobe Flash Player Heap-Based Buffer Overflow Vulnerability 2022-04-13 Heap-based buffer overflow vulnerability in Adobe Flash Player allows remote attackers to execute code. The impacted product is end-of-life and should be disconnected if still in use. 2022-05-04
CVE-2015-2502 Microsoft Internet Explorer Microsoft Internet Explorer Memory Corruption Vulnerability 2022-04-13 Microsoft Internet Explorer contains a memory corruption vulnerability which allows an attacker to execute code or cause a denial-of-service. Apply updates per vendor instructions. 2022-05-04
CVE-2015-0313 Adobe Flash Player Adobe Flash Player Use-After-Free Vulnerability 2022-04-13 Use-after-free vulnerability in Adobe Flash Player allows remote attackers to execute code. The impacted product is end-of-life and should be disconnected if still in use. 2022-05-04
CVE-2015-0311 Adobe Flash Player Adobe Flash Player Remote Code Execution Vulnerability 2022-04-13 Unspecified vulnerability in Adobe Flash Player allows remote attackers to execute code. The impacted product is end-of-life and should be disconnected if still in use. 2022-05-04
CVE-2014-9163 Adobe Flash Player Adobe Flash Player Stack-Based Buffer Overflow Vulnerability 2022-04-13 Stack-based buffer overflow in Adobe Flash Player allows attackers to execute code remotely. The impacted product is end-of-life and should be disconnected if still in use. 2022-05-04
CVE-2022-22954 VMware Workspace ONE Access and Identity Manager VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability 2022-04-14 VMware Workspace ONE Access and Identity Manager allow for remote code execution due to server-side template injection. Apply updates per vendor instructions. 2022-05-05
CVE-2022-22960 VMware Multiple Products VMware Multiple Products Privilege Escalation Vulnerability 2022-04-15 VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. Apply updates per vendor instructions. 2022-05-06
CVE-2022-1364 Google Chromium V8 Engine Google Chromium V8 Type Confusion Vulnerability 2022-04-15 Google Chromium V8 engine contains a type confusion vulnerability. Apply updates per vendor instructions. 2022-05-06
CVE-2019-3929 Crestron Multiple Products Crestron Multiple Products Command Injection Vulnerability 2022-04-15 Multiple Crestron products are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root. Apply updates per vendor instructions. 2022-05-06
CVE-2019-16057 D-Link DNS-320 Storage Device D-Link DNS-320 Remote Code Execution Vulnerability 2022-04-15 The login_mgr.cgi script in D-Link DNS-320 is vulnerable to remote code execution. The impacted product is end-of-life and should be disconnected if still in use. 2022-05-06
CVE-2018-7841 Schneider Electric U.motion Builder Schneider Electric U.motion Builder SQL Injection Vulnerability 2022-04-15 A SQL Injection vulnerability exists in U.motion Builder software which could cause unwanted code execution when an improper set of characters is entered. The impacted product is end-of-life and should be disconnected if still in use. 2022-05-06
CVE-2016-4523 Trihedral VTScada (formerly VTS) Trihedral VTScada (formerly VTS) Denial-of-Service Vulnerability 2022-04-15 The WAP interface in Trihedral VTScada (formerly VTS) allows remote attackers to cause a denial-of-service. Apply updates per vendor instructions. 2022-05-06
CVE-2014-0780 InduSoft Web Studio InduSoft Web Studio NTWebServer Directory Traversal Vulnerability 2022-04-15 InduSoft Web Studio NTWebServer contains a directory traversal vulnerability which allows remote attackers to read administrative passwords in APP files, allowing for remote code execution. Apply updates per vendor instructions. 2022-05-06
CVE-2010-5330 Ubiquiti AirOS Ubiquiti AirOS Command Injection Vulnerability 2022-04-15 Certain Ubiquiti devices contain a command injection vulnerability via a GET request to stainfo.cgi. Apply updates per vendor instructions. 2022-05-06
CVE-2007-3010 Alcatel OmniPCX Enterprise Alcatel OmniPCX Enterprise Remote Code Execution Vulnerability 2022-04-15 masterCGI in the Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server allows remote attackers to execute arbitrary commands. Apply updates per vendor instructions. 2022-05-06
CVE-2018-6882 Zimbra Collaboration Suite (ZCS) Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability 2022-04-19 Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that might allow remote attackers to inject arbitrary web script or HTML. Apply updates per vendor instructions. 2022-05-10
CVE-2019-3568 Meta Platforms WhatsApp WhatsApp VOIP Stack Buffer Overflow Vulnerability 2022-04-19 A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. Apply updates per vendor instructions. 2022-05-10
CVE-2022-22718 Microsoft Windows Microsoft Windows Print Spooler Privilege Escalation Vulnerability 2022-04-19 Microsoft Windows Print Spooler contains an unspecified vulnerability which allow for privilege escalation. Apply updates per vendor instructions. 2022-05-10
CVE-2022-29464 WSO2 Multiple Products WSO2 Multiple Products Unrestrictive Upload of File Vulnerability 2022-04-25 Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution. Apply updates per vendor instructions. 2022-05-16
CVE-2022-26904 Microsoft Windows Microsoft Windows User Profile Service Privilege Escalation Vulnerability 2022-04-25 Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2022-05-16
CVE-2022-21919 Microsoft Windows Microsoft Windows User Profile Service Privilege Escalation Vulnerability 2022-04-25 Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2022-05-16
CVE-2022-0847 Linux Kernel Linux Kernel Privilege Escalation Vulnerability 2022-04-25 Linux kernel contains an improper initialization vulnerability where an unprivileged local user could escalate their privileges on the system. This vulnerability has the moniker of "Dirty Pipe." Apply updates per vendor instructions. 2022-05-16
CVE-2021-41357 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2022-04-25 Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2022-05-16
CVE-2021-40450 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2022-04-25 Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2022-05-16
CVE-2019-1003029 Jenkins Script Security Plugin Jenkins Script Security Plugin Sandbox Bypass Vulnerability 2022-04-25 Jenkins Script Security Plugin contains a protection mechanism failure, allowing an attacker to bypass the sandbox. Apply updates per vendor instructions. 2022-05-16
CVE-2021-1789 Apple Multiple Products Apple Multiple Products Type Confusion Vulnerability 2022-05-04 A type confusion issue affecting multiple Apple products allows processing of maliciously crafted web content, leading to arbitrary code execution. Apply updates per vendor instructions. 2022-05-25
CVE-2019-8506 Apple Multiple Products Apple Multiple Products Type Confusion Vulnerability 2022-05-04 A type confusion issue affecting multiple Apple products allows processing of maliciously crafted web content, leading to arbitrary code execution. Apply updates per vendor instructions. 2022-05-25
CVE-2014-4113 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2022-05-04 Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2022-05-25
CVE-2014-0322 Microsoft Internet Explorer Microsoft Internet Explorer Use-After-Free Vulnerability 2022-05-04 Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute code. Apply updates per vendor instructions. 2022-05-25
CVE-2014-0160 OpenSSL OpenSSL OpenSSL Information Disclosure Vulnerability 2022-05-04 The TLS and DTLS implementations in OpenSSL do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information. Apply updates per vendor instructions. 2022-05-25
CVE-2022-1388 F5 BIG-IP F5 BIG-IP Missing Authentication Vulnerability 2022-05-10 F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services. Apply updates per vendor instructions. 2022-05-31
CVE-2022-30525 Zyxel Multiple Firewalls Zyxel Multiple Firewalls OS Command Injection Vulnerability 2022-05-16 A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. Apply updates per vendor instructions. 2022-06-06
CVE-2022-22947 VMware Spring Cloud Gateway VMware Spring Cloud Gateway Code Injection Vulnerability 2022-05-16 Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. Apply updates per vendor instructions. 2022-06-06
CVE-2022-20821 Cisco IOS XR Cisco IOS XR Open Port Vulnerability 2022-05-23 Cisco IOS XR software health check opens TCP port 6379 by default on activation. An attacker can connect to the Redis instance on the open port and allow access to the Redis instance that is running within the NOSi container. Apply updates per vendor instructions. 2022-06-13
CVE-2021-1048 Android Kernel Android Kernel Use-After-Free Vulnerability 2022-05-23 Android kernel contains a use-after-free vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2022-06-13
CVE-2021-0920 Android Kernel Android Kernel Race Condition Vulnerability 2022-05-23 Android kernel contains a race condition, which allows for a use-after-free vulnerability. Exploitation can allow for privilege escalation. Apply updates per vendor instructions. 2022-06-13
CVE-2021-30883 Apple Multiple Products Apple Multiple Products Memory Corruption Vulnerability 2022-05-23 Apple iOS, macOS, watchOS, and tvOS contain a memory corruption vulnerability that could allow for remote code execution. Apply updates per vendor instructions. 2022-06-13
CVE-2020-1027 Microsoft Windows Microsoft Windows Kernel Privilege Escalation Vulnerability 2022-05-23 An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. Apply updates per vendor instructions. 2022-06-13
CVE-2020-0638 Microsoft Update Notification Manager Microsoft Update Notification Manager Privilege Escalation Vulnerability 2022-05-23 Microsoft Update Notification Manager contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2022-06-13
CVE-2019-7286 Apple Multiple Products Apple Multiple Products Memory Corruption Vulnerability 2022-05-23 Apple iOS, macOS, watchOS, and tvOS contain a memory corruption vulnerability that could allow for privilege escalation. Apply updates per vendor instructions. 2022-06-13
CVE-2019-7287 Apple iOS Apple iOS Memory Corruption Vulnerability 2022-05-23 Apple iOS contains a memory corruption vulnerability which could allow an attacker to perform remote code execution. Apply updates per vendor instructions. 2022-06-13
CVE-2019-0676 Microsoft Internet Explorer Microsoft Internet Explorer Information Disclosure Vulnerability 2022-05-23 An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited this vulnerability could test for the presence of files on disk. Apply updates per vendor instructions. 2022-06-13
CVE-2019-5786 Google Chrome Google Chrome Use-After-Free Vulnerability 2022-05-23 Google Chrome contains a heap use-after-free vulnerability which allows an attacker to potentially perform out of bounds memory access. Apply updates per vendor instructions. 2022-06-13
CVE-2019-0703 Microsoft Windows Microsoft Windows SMB Information Disclosure Vulnerability 2022-05-23 An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests, which could lead to information disclosure from the server. Apply updates per vendor instructions. 2022-06-13
CVE-2019-0880 Microsoft Windows Microsoft Windows Privilege Escalation Vulnerability 2022-05-23 A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity. Apply updates per vendor instructions. 2022-06-13
CVE-2019-13720 Google Chrome Google Chrome Use-After-Free Vulnerability 2022-05-23 Use-after-free in WebAudio in Google Chrome allows a remote attacker to potentially exploit heap corruption. Apply updates per vendor instructions. 2022-06-13
CVE-2019-11707 Mozilla Firefox and Thunderbird Mozilla Firefox and Thunderbird Type Confusion Vulnerability 2022-05-23 Mozilla Firefox and Thunderbird contain a type confusion vulnerability that can occur when manipulating JavaScript objects due to issues in Array.pop, allowing for an exploitable crash. Apply updates per vendor instructions. 2022-06-13
CVE-2019-11708 Mozilla Firefox and Thunderbird Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability 2022-05-23 Mozilla Firefox and Thunderbird contain a sandbox escape vulnerability that could result in remote code execution. Apply updates per vendor instructions. 2022-06-13
CVE-2019-8720 WebKitGTK WebKitGTK WebKitGTK Memory Corruption Vulnerability 2022-05-23 WebKitGTK contains a memory corruption vulnerability which can allow an attacker to perform remote code execution. Apply updates per vendor instructions. 2022-06-13
CVE-2019-18426 Meta Platforms WhatsApp WhatsApp Cross-Site Scripting Vulnerability 2022-05-23 A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Apply updates per vendor instructions. 2022-06-13
CVE-2019-1385 Microsoft Windows Microsoft Windows AppX Deployment Extensions Privilege Escalation Vulnerability 2022-05-23 A privilege escalation vulnerability exists when the Windows AppX Deployment Extensions improperly performs privilege management, resulting in access to system files. Apply updates per vendor instructions. 2022-06-13
CVE-2019-1130 Microsoft Windows Microsoft Windows AppX Deployment Service Privilege Escalation Vulnerability 2022-05-23 A privilege escalation vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. Apply updates per vendor instructions. 2022-06-13
CVE-2018-5002 Adobe Flash Player Adobe Flash Player Stack-based Buffer Overflow Vulnerability 2022-05-23 Adobe Flash Player have a stack-based buffer overflow vulnerability that could lead to remote code execution. The impacted product is end-of-life and should be disconnected if still in use. 2022-06-13
CVE-2018-8589 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2022-05-23 A privilege escalation vulnerability exists when Windows improperly handles calls to Win32k.sys. An attacker who successfully exploited this vulnerability could run remote code in the security context of the local system. Apply updates per vendor instructions. 2022-06-13
CVE-2018-8611 Microsoft Windows Microsoft Windows Kernel Privilege Escalation Vulnerability 2022-05-24 A privilege escalation vulnerability exists when the Windows kernel fails to properly handle objects in memory. Apply updates per vendor instructions. 2022-06-14
CVE-2018-19953 QNAP Network Attached Storage (NAS) QNAP NAS File Station Cross-Site Scripting Vulnerability 2022-05-24 A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code. Apply updates per vendor instructions. 2022-06-14
CVE-2018-19949 QNAP Network Attached Storage (NAS) QNAP NAS File Station Command Injection Vulnerability 2022-05-24 A command injection vulnerability affecting QNAP NAS File Station could allow remote attackers to run commands. Apply updates per vendor instructions. 2022-06-14
CVE-2018-19943 QNAP Network Attached Storage (NAS) QNAP NAS File Station Cross-Site Scripting Vulnerability 2022-05-24 A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code. Apply updates per vendor instructions. 2022-06-14
CVE-2017-0147 Microsoft SMBv1 server Microsoft Windows SMBv1 Information Disclosure Vulnerability 2022-05-24 The SMBv1 server in Microsoft Windows allows remote attackers to obtain sensitive information from process memory via a crafted packet. Apply updates per vendor instructions. 2022-06-14
CVE-2017-0022 Microsoft XML Core Services Microsoft XML Core Services Information Disclosure Vulnerability 2022-05-24 Microsoft XML Core Services (MSXML) improperly handles objects in memory, allowing attackers to test for files on disk via a crafted web site. Apply updates per vendor instructions. 2022-06-14
CVE-2017-0005 Microsoft Windows Microsoft Windows Graphics Device Interface (GDI) Privilege Escalation Vulnerability 2022-05-24 The Graphics Device Interface (GDI) in Microsoft Windows allows local users to gain privileges via a crafted application. Apply updates per vendor instructions. 2022-06-14
CVE-2017-0149 Microsoft Internet Explorer Microsoft Internet Explorer Memory Corruption Vulnerability 2022-05-24 Microsoft Internet Explorer allows remote attackers to execute code or cause a denial-of-service (memory corruption) via a crafted web site. Apply updates per vendor instructions. 2022-06-14
CVE-2017-0210 Microsoft Internet Explorer Microsoft Internet Explorer Privilege Escalation Vulnerability 2022-05-24 A privilege escalation vulnerability exists when Internet Explorer does not properly enforce cross-domain policies, which could allow an attacker to access information. Apply updates per vendor instructions. 2022-06-14
CVE-2017-8291 Artifex Ghostscript Artifex Ghostscript Type Confusion Vulnerability 2022-05-24 Artifex Ghostscript allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile. Apply updates per vendor instructions. 2022-06-14
CVE-2017-8543 Microsoft Windows Microsoft Windows Search Remote Code Execution Vulnerability 2022-05-24 Microsoft Windows allows an attacker to take control of the affected system when Windows Search fails to handle objects in memory. Apply updates per vendor instructions. 2022-06-14
CVE-2017-18362 Kaseya Virtual System/Server Administrator (VSA) Kaseya VSA SQL Injection Vulnerability 2022-05-24 ConnectWise ManagedITSync integration for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. The impacted product is end-of-life and should be disconnected if still in use. 2022-06-14
CVE-2016-0162 Microsoft Internet Explorer Microsoft Internet Explorer Information Disclosure Vulnerability 2022-05-24 An information disclosure vulnerability exists when Internet Explorer does not properly handle JavaScript. The vulnerability could allow an attacker to detect specific files on the user's computer. Apply updates per vendor instructions. 2022-06-14
CVE-2016-3351 Microsoft Internet Explorer and Edge Microsoft Internet Explorer and Edge Information Disclosure Vulnerability 2022-05-24 An information disclosure vulnerability exists in the way that certain functions in Internet Explorer and Edge handle objects in memory. The vulnerability could allow an attacker to detect specific files on the user's computer. Apply updates per vendor instructions. 2022-06-14
CVE-2016-4655 Apple iOS Apple iOS Information Disclosure Vulnerability 2022-05-24 The Apple iOS kernel allows attackers to obtain sensitive information from memory via a crafted application. Apply updates per vendor instructions. 2022-06-14
CVE-2016-4656 Apple iOS Apple iOS Memory Corruption Vulnerability 2022-05-24 A memory corruption vulnerability in Apple iOS kernel allows attackers to execute code in a privileged context or cause a denial-of-service via a crafted application. Apply updates per vendor instructions. 2022-06-14
CVE-2016-4657 Apple iOS Apple iOS Webkit Memory Corruption Vulnerability 2022-05-24 WebKit in Apple iOS contains a memory corruption vulnerability which allows attackers to execute remote code or cause a denial-of-service via a crafted web site. Apply updates per vendor instructions. 2022-06-14
CVE-2016-6366 Cisco Adaptive Security Appliance (ASA) Cisco Adaptive Security Appliance (ASA) SNMP Buffer Overflow Vulnerability 2022-05-24 A buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco ASA software could allow an attacker to cause a reload of the affected system or to remotely execute code. Apply updates per vendor instructions. 2022-06-14
CVE-2016-6367 Cisco Adaptive Security Appliance (ASA) Cisco Adaptive Security Appliance (ASA) CLI Remote Code Execution Vulnerability 2022-05-24 A vulnerability in the command-line interface (CLI) parser of Cisco ASA software could allow an authenticated, local attacker to create a denial-of-service condition or potentially execute code. Apply updates per vendor instructions. 2022-06-14
CVE-2016-3298 Microsoft Internet Explorer Microsoft Internet Explorer Messaging API Information Disclosure Vulnerability 2022-05-24 An information disclosure vulnerability exists when the Microsoft Internet Messaging API improperly handles objects in memory. An attacker who successfully exploited this vulnerability could allow the attacker to test for the presence of files on disk. Apply updates per vendor instructions. 2022-06-14
CVE-2019-3010 Oracle Solaris Oracle Solaris Privilege Escalation Vulnerability 2022-05-25 Oracle Solaris component: XScreenSaver contains an unspecified vulnerability which allows for privilege escalation. Apply updates per vendor instructions. 2022-06-15
CVE-2016-3393 Microsoft Windows Microsoft Windows Graphics Device Interface (GDI) Remote Code Execution Vulnerability 2022-05-25 A remote code execution vulnerability exists due to the way the Windows GDI component handles objects in the memory. An attacker who successfully exploits this vulnerability could take control of the affected system. Apply updates per vendor instructions. 2022-06-15
CVE-2016-7256 Microsoft Windows Microsoft Windows Open Type Font Remote Code Execution Vulnerability 2022-05-25 A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploits this vulnerability could take control of the affected system. Apply updates per vendor instructions. 2022-06-15
CVE-2016-1010 Adobe Flash Player and AIR Adobe Flash Player and AIR Integer Overflow Vulnerability 2022-05-25 Integer overflow vulnerability in Adobe Flash Player and AIR allows attackers to execute code. The impacted products are end-of-life and should be disconnected if still in use. 2022-06-15
CVE-2016-0984 Adobe Flash Player and AIR Adobe Flash Player and AIR Use-After-Free Vulnerability 2022-05-25 Use-after-free vulnerability in Adobe Flash Player and Adobe AIR allows attackers to execute code. The impacted products are end-of-life and should be disconnected if still in use. 2022-06-15
CVE-2016-0034 Microsoft Silverlight Microsoft Silverlight Runtime Remote Code Execution Vulnerability 2022-05-25 Microsoft Silverlight mishandles negative offsets during decoding, which allows attackers to execute remote code or cause a denial-of-service. The impacted products are end-of-life and should be disconnected if still in use. 2022-06-15
CVE-2015-0310 Adobe Flash Player Adobe Flash Player ASLR Bypass Vulnerability 2022-05-25 Adobe Flash Player does not properly restrict discovery of memory addresses, which allows attackers to bypass the address space layout randomization (ASLR) protection mechanism. The impacted product is end-of-life and should be disconnected if still in use. 2022-06-15
CVE-2015-0016 Microsoft Windows Microsoft Windows TS WebProxy Directory Traversal Vulnerability 2022-05-25 Directory traversal vulnerability in the TS WebProxy (TSWbPrxy) component in Microsoft Windows allows remote attackers to escalate privileges. Apply updates per vendor instructions. 2022-06-15
CVE-2015-0071 Microsoft Internet Explorer Microsoft Internet Explorer ASLR Bypass Vulnerability 2022-05-25 Microsoft Internet Explorer allows remote attackers to bypass the address space layout randomization (ASLR) protection mechanism via a crafted web site. Apply updates per vendor instructions. 2022-06-15
CVE-2015-2360 Microsoft Win32k Microsoft Win32k Privilege Escalation Vulnerability 2022-05-25 Win32k.sys in the kernel-mode drivers in Microsoft Windows allows local users to gain privileges or cause denial-of-service. Apply updates per vendor instructions. 2022-06-15
CVE-2015-2425 Microsoft Internet Explorer Microsoft Internet Explorer Memory Corruption Vulnerability 2022-05-25 Microsoft Internet Explorer contains a memory corruption vulnerability that allows remote attackers to execute code or cause denial-of-service. Apply updates per vendor instructions. 2022-06-15
CVE-2015-1769 Microsoft Windows Microsoft Windows Mount Manager Privilege Escalation Vulnerability 2022-05-25 A privilege escalation vulnerability exists when the Windows Mount Manager component improperly processes symbolic links. Apply updates per vendor instructions. 2022-06-15
CVE-2015-4495 Mozilla Firefox Mozilla Firefox Security Feature Bypass Vulnerability 2022-05-25 Moxilla Firefox allows remote attackers to bypass the Same Origin Policy to read arbitrary files or gain privileges. Apply updates per vendor instructions. 2022-06-15
CVE-2015-8651 Adobe Flash Player Adobe Flash Player Integer Overflow Vulnerability 2022-05-25 Integer overflow in Adobe Flash Player allows attackers to execute code. The impacted product is end-of-life and should be disconnected if still in use. 2022-06-15
CVE-2015-6175 Microsoft Windows Microsoft Windows Kernel Privilege Escalation Vulnerability 2022-05-25 The kernel in Microsoft Windows contains a vulnerability that allows local users to gain privileges via a crafted application. Apply updates per vendor instructions. 2022-06-15
CVE-2015-1671 Microsoft Windows Microsoft Windows Remote Code Execution Vulnerability 2022-05-25 A remote code execution vulnerability exists when components of Windows, .NET Framework, Office, Lync, and Silverlight fail to properly handle TrueType fonts. Apply updates per vendor instructions. 2022-06-15
CVE-2014-4148 Microsoft Windows Microsoft Windows Remote Code Execution Vulnerability 2022-05-25 A remote code execution vulnerability exists when the Windows kernel-mode driver improperly handles TrueType fonts. Apply updates per vendor instructions. 2022-06-15
CVE-2014-8439 Adobe Flash Player Adobe Flash Player Dereferenced Pointer Vulnerability 2022-05-25 Adobe Flash Player has a vulnerability in the way it handles a dereferenced memory pointer which could lead to code execution. The impacted product is end-of-life and should be disconnected if still in use. 2022-06-15
CVE-2014-4123 Microsoft Internet Explorer Microsoft Internet Explorer Privilege Escalation Vulnerability 2022-05-25 Microsoft Internet Explorer contains an unspecified vulnerability that allows remote attackers to gain privileges via a crafted web site. Apply updates per vendor instructions. 2022-06-15
CVE-2014-0546 Adobe Acrobat and Reader Adobe Acrobat and Reader Sandbox Bypass Vulnerability 2022-05-25 Adobe Acrobat and Reader on Windows allow attackers to bypass a sandbox protection mechanism, and consequently execute native code in a privileged context. Apply updates per vendor instructions. 2022-06-15
CVE-2014-2817 Microsoft Internet Explorer Microsoft Internet Explorer Privilege Escalation Vulnerability 2022-05-25 Microsoft Internet Explorer cotains an unspecified vulnerability that allows remote attackers to gain privileges via a crafted web site. Apply updates per vendor instructions. 2022-06-15
CVE-2014-4077 Microsoft Input Method Editor (IME) Japanese Microsoft IME Japanese Privilege Escalation Vulnerability 2022-05-25 Microsoft Input Method Editor (IME) Japanese is a keyboard with Japanese characters that can be enabled on Windows systems as it is included by default (with the default set as disabled). IME Japanese contains an unspecified vulnerability when IMJPDCT.EXE (IME for Japanese) is installed which allows attackers to bypass a sandbox and perform privilege escalation. Apply updates per vendor instructions. 2022-06-15
CVE-2014-3153 Linux Kernel Linux Kernel Privilege Escalation Vulnerability 2022-05-25 The futex_requeue function in kernel/futex.c in Linux kernel does not ensure that calls have two different futex addresses, which allows local users to gain privileges. Apply updates per vendor instructions. 2022-06-15
CVE-2013-7331 Microsoft Internet Explorer Microsoft Internet Explorer Information Disclosure Vulnerability 2022-05-25 An information disclosure vulnerability exists in Internet Explorer which allows resources loaded into memory to be queried. This vulnerability could allow an attacker to detect anti-malware applications. Apply updates per vendor instructions. 2022-06-15
CVE-2013-3993 IBM InfoSphere BigInsights IBM InfoSphere BigInsights Invalid Input Vulnerability 2022-05-25 Certain APIs within BigInsights can take invalid input that might allow attackers unauthorized access to read, write, modify, or delete data. The impacted product is end-of-life and should be disconnected if still in use. 2022-06-15
CVE-2013-3896 Microsoft Silverlight Microsoft Silverlight Information Disclosure Vulnerability 2022-05-25 Microsoft Silverlight does not properly validate pointers during access to Silverlight elements, which allows remote attackers to obtain sensitive information via a crafted Silverlight application. The impacted product is end-of-life and should be disconnected if still in use. 2022-06-15
CVE-2013-2423 Oracle Java Runtime Environment (JRE) Oracle JRE Unspecified Vulnerability 2022-05-25 Unspecified vulnerability in hotspot for Java Runtime Environment (JRE) allows remote attackers to affect integrity. Apply updates per vendor instructions. 2022-06-15
CVE-2013-0431 Oracle Java Runtime Environment (JRE) Oracle JRE Sandbox Bypass Vulnerability 2022-05-25 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle allows remote attackers to bypass the Java security sandbox. Apply updates per vendor instructions. 2022-06-15
CVE-2013-0422 Oracle Java Runtime Environment (JRE) Oracle JRE Remote Code Execution Vulnerability 2022-05-25 A vulnerability in the way Java restricts the permissions of Java applets could allow an attacker to execute commands on a vulnerable system. Apply updates per vendor instructions. 2022-06-15
CVE-2013-0074 Microsoft Silverlight Microsoft Silverlight Double Dereference Vulnerability 2022-05-25 Microsoft Silverlight does not properly validate pointers during HTML object rendering, which allows remote attackers to execute code via a crafted Silverlight application. The impacted product is end-of-life and should be disconnected if still in use. 2022-06-15
CVE-2012-1710 Oracle Fusion Middleware Oracle Fusion Middleware Unspecified Vulnerability 2022-05-25 Unspecified vulnerability in the Oracle WebCenter Forms Recognition component in Oracle Fusion Middleware allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Designer. Apply updates per vendor instructions. 2022-06-15
CVE-2010-1428 Red Hat JBoss Red Hat JBoss Information Disclosure Vulnerability 2022-05-25 Unauthenticated access to the JBoss Application Server Web Console (/web-console) is blocked by default. However, it was found that this block was incomplete, and only blocked GET and POST HTTP verbs. A remote attacker could use this flaw to gain access to sensitive information. Apply updates per vendor instructions. 2022-06-15
CVE-2010-0840 Oracle Java Runtime Environment (JRE) Oracle JRE Unspecified Vulnerability 2022-05-25 Unspecified vulnerability in the Java Runtime Environment (JRE) in Java SE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Apply updates per vendor instructions. 2022-06-15
CVE-2010-0738 Red Hat JBoss Red Hat JBoss Authentication Bypass Vulnerability 2022-05-25 The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method. Apply updates per vendor instructions. 2022-06-15
CVE-2022-26134 Atlassian Confluence Server/Data Center Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability 2022-06-02 Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code execution. Immediately block all internet traffic to and from affected products AND apply the update per vendor instructions [https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html] OR remove the affected products by the due date on the right. Note: Once the update is successfully deployed, agencies can reassess the internet blocking rules. 2022-06-06
CVE-2022-31460 Owl Labs Meeting Owl Pro and Whiteboard Owl Meeting Owl Pro and Whiteboard Owl Hard-Coded Credentials Vulnerability 2022-06-08 Owl Labs Meeting Owl and Whiteboard Owl allow attackers to activate Tethering Mode with hard-coded hoothoot credentials via a certain c 150 value. Apply updates per vendor instructions. 2022-06-22
CVE-2019-7195 QNAP Photo Station QNAP Photo Station Path Traversal Vulnerability 2022-06-08 QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. Apply updates per vendor instructions. 2022-06-22
CVE-2019-7194 QNAP Photo Station QNAP Photo Station Path Traversal Vulnerability 2022-06-08 QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. Apply updates per vendor instructions. 2022-06-22
CVE-2019-7193 QNAP QTS QNAP QTS Improper Input Validation Vulnerability 2022-06-08 QNAP QTS contains an improper input validation vulnerability allowing remote attackers to inject code on the system. Apply updates per vendor instructions. 2022-06-22
CVE-2019-7192 QNAP Photo Station QNAP Photo Station Improper Access Control Vulnerability 2022-06-08 QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system. Apply updates per vendor instructions. 2022-06-22
CVE-2019-5825 Google Chromium V8 Engine Google Chromium V8 Out-of-Bounds Write Vulnerability 2022-06-08 Google Chromium V8 Engine contains an out-of-bounds write vulnerability which allows a remote attacker to potentially exploit heap corruption. Apply updates per vendor instructions. 2022-06-22
CVE-2019-15271 Cisco RV Series Routers Cisco RV Series Routers Deserialization of Untrusted Data Vulnerability 2022-06-08 A deserialization of untrusted data vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an attacker to execute code with root privileges. Apply updates per vendor instructions. 2022-06-22
CVE-2018-6065 Google Chromium V8 Engine Google Chromium V8 Integer Overflow Vulnerability 2022-06-08 Google Chromium V8 Engine contains an integer overflow vulnerability which allows a remote attacker to potentially exploit heap corruption. Apply updates per vendor instructions. 2022-06-22
CVE-2018-4990 Adobe Acrobat and Reader Adobe Acrobat and Reader Double Free Vulnerability 2022-06-08 Adobe Acrobat and Reader have a double free vulnerability that could lead to remote code execution. Apply updates per vendor instructions. 2022-06-22
CVE-2018-17480 Google Chromium V8 Engine Google Chromium V8 Out-of-Bounds Write Vulnerability 2022-06-08 Google Chromium V8 Engine contains an out-of-bounds write vulnerability which allows a remote attacker to execute code inside a sandbox. Apply updates per vendor instructions. 2022-06-22
CVE-2018-17463 Google Chromium V8 Engine Google Chromium V8 Remote Code Execution Vulnerability 2022-06-08 Google Chromium V8 Engine contains an unspecified vulnerability which allows for remote code execution. Apply updates per vendor instructions. 2022-06-22
CVE-2017-6862 NETGEAR Multiple Devices NETGEAR Multiple Devices Buffer Overflow Vulnerability 2022-06-08 Multiple NETGEAR devices contain a buffer overflow vulnerability that allows for authentication bypass and remote code execution. Apply updates per vendor instructions. 2022-06-22
CVE-2017-5070 Google Chromium V8 Engine Google Chromium V8 Type Confusion Vulnerability 2022-06-08 Google Chromium V8 Engine contains a type confusion vulnerability which allows a remote attacker to execute code inside a sandbox. Apply updates per vendor instructions. 2022-06-22
CVE-2017-5030 Google Chromium V8 Engine Google Chromium V8 Memory Corruption Vulnerability 2022-06-08 Google Chromium V8 Engine contains a memory corruption vulnerability which allows a remote attacker to execute code. Apply updates per vendor instructions. 2022-06-22
CVE-2016-5198 Google Chromium V8 Engine Google Chromium V8 Out-of-Bounds Memory Vulnerability 2022-06-08 Google Chromium V8 Engine contains an out-of-bounds memory vulnerability. Apply updates per vendor instructions. 2022-06-22
CVE-2016-1646 Google Chromium V8 Engine Google Chromium V8 Out-of-Bounds Read Vulnerability 2022-06-08 Google Chromium V8 contains an out-of-bounds read vulnerability. Apply updates per vendor instructions. 2022-06-22
CVE-2013-1331 Microsoft Office Microsoft Office Buffer Overflow Vulnerability 2022-06-08 Microsoft Office contains a buffer overflow vulnerability which allows remote attackers to execute code via crafted PNG data in an Office document. Apply updates per vendor instructions. 2022-06-22
CVE-2012-5054 Adobe Flash Player Adobe Flash Player Integer Overflow Vulnerability 2022-06-08 Adobe Flash Player contains an integer overflow vulnerability which allows remote attackers to execute code via malformed arguments. The impacted product is end-of-life and should be disconnected if still in use. 2022-06-22
CVE-2012-4969 Microsoft Internet Explorer Microsoft Internet Explorer Use-After-Free Vulnerability 2022-06-08 Microsoft Internet Explorer contains a use-after-free vulnerability which allows remote attackers to execute code via a crafted web site. Apply updates per vendor instructions. 2022-06-22
CVE-2012-1889 Microsoft XML Core Services Microsoft XML Core Services Memory Corruption Vulnerability 2022-06-08 Microsoft XML Core Services contains a memory corruption vulnerability which could allow for remote code execution. Apply updates per vendor instructions. 2022-06-22
CVE-2012-0767 Adobe Flash Player Adobe Flash Player Cross-Site Scripting (XSS) Vulnerability 2022-06-08 Adobe Flash Player contains a XSS vulnerability which allows remote attackers to inject web script or HTML. The impacted product is end-of-life and should be disconnected if still in use. 2022-06-22
CVE-2012-0754 Adobe Flash Player Adobe Flash Player Memory Corruption Vulnerability 2022-06-08 Adobe Flash Player contains a memory corruption vulnerability which allows remote attackers to execute code or cause denial-of-service. The impacted product is end-of-life and should be disconnected if still in use. 2022-06-22
CVE-2012-0151 Microsoft Windows Microsoft Windows Authenticode Signature Verification Remote Code Execution Vulnerability 2022-06-08 The Authenticode Signature Verification function in Microsoft Windows (WinVerifyTrust) does not properly validate the digest of a signed portable executable (PE) file, which allows user-assisted remote attackers to execute code. Apply updates per vendor instructions. 2022-06-22
CVE-2011-2462 Adobe Acrobat and Reader Adobe Acrobat and Reader Universal 3D Memory Corruption Vulnerability 2022-06-08 The Universal 3D (U3D) component in Adobe Acrobat and Reader contains a memory corruption vulnerability which could allow remote attackers to execute code or cause denial-of-service. Apply updates per vendor instructions. 2022-06-22
CVE-2011-0609 Adobe Flash Player Adobe Flash Player Unspecified Vulnerability 2022-06-08 Adobe Flash Player contains an unspecified vulnerability which allows remote attackers to execute code or cause denial-of-service. The impacted product is end-of-life and should be disconnected if still in use. 2022-06-22
CVE-2010-2883 Adobe Reader and Acrobat Adobe Acrobat and Reader Stack-Based Buffer Overflow Vulnerability 2022-06-08 Adobe Acrobat and Reader contain a stack-based buffer overflow vulnerability which allows remote attackers to execute code or cause denial-of-service. Apply updates per vendor instructions. 2022-06-22
CVE-2010-2572 Microsoft PowerPoint Microsoft PowerPoint Buffer Overflow Vulnerability 2022-06-08 Microsoft PowerPoint contains a buffer overflow vulnerability that alllows for remote code execution. Apply updates per vendor instructions. 2022-06-22
CVE-2010-1297 Adobe Flash Player Adobe Flash Player Memory Corruption Vulnerability 2022-06-08 Adobe Flash Player contains a memory corruption vulnerability that allows remote attackers to execute code or cause denial-of-service. The impacted product is end-of-life and should be disconnected if still in use. 2022-06-22
CVE-2009-4324 Adobe Acrobat and Reader Adobe Acrobat and Reader Use-After-Free Vulnerability 2022-06-08 Use-after-free vulnerability in Adobe Acrobat and Reader allows remote attackers to execute code via a crafted PDF file. Apply updates per vendor instructions. 2022-06-22
CVE-2009-3953 Adobe Acrobat and Reader Adobe Acrobat and Reader Universal 3D Remote Code Execution Vulnerability 2022-06-08 Adobe Acrobat and Reader contains an array boundary issue in Universal 3D (U3D) support that could lead to remote code execution. Apply updates per vendor instructions. 2022-06-22
CVE-2009-1862 Adobe Acrobat and Reader, Flash Player Adobe Acrobat and Reader, Flash Player Unspecified Vulnerability 2022-06-08 Adobe Acrobat and Reader and Adobe Flash Player allows remote attackers to execute code or cause denial-of-service. For Adobe Acrobat and Reader, apply updates per vendor instructions. For Adobe Flash Player, the impacted product is end-of-life and should be disconnected if still in use. 2022-06-22
CVE-2009-0563 Microsoft Office Microsoft Office Buffer Overflow Vulnerability 2022-06-08 Microsoft Office contains a buffer overflow vulnerability that allows remote attackers to execute code via a Word document with a crafted tag containing an invalid length field. Apply updates per vendor instructions. 2022-06-22
CVE-2009-0557 Microsoft Office Microsoft Office Object Record Corruption Vulnerability 2022-06-08 Microsoft Office contains an object record corruption vulnerability which allows remote attackers to execute code via a crafted Excel file with a malformed record object. Apply updates per vendor instructions. 2022-06-22
CVE-2008-0655 Adobe Acrobat and Reader Adobe Acrobat and Reader Unspecified Vulnerability 2022-06-08 Adobe Acrobat and Reader contains an unespecified vulnerability described as a design flaw which could allow a specially crafted file to be printed silently an arbitrary number of times. Apply updates per vendor instructions. 2022-06-22
CVE-2007-5659 Adobe Acrobat and Reader Adobe Acrobat and Reader Buffer Overflow Vulnerability 2022-06-08 Adobe Acrobat and Reader contain a buffer overflow vulnerability which allows remote attackers to execute code via a PDF file with long arguments to unspecified JavaScript methods. Apply updates per vendor instructions. 2022-06-22
CVE-2006-2492 Microsoft Word Microsoft Word Malformed Object Pointer Vulnerability 2022-06-08 Microsoft Word and Microsoft Works Suites contain a malformed object pointer which allows attackers to execute code. Apply updates per vendor instructions. 2022-06-22
CVE-2021-38163 SAP NetWeaver SAP NetWeaver Unrestricted File Upload Vulnerability 2022-06-09 SAP NetWeaver contains a vulnerability that allows unrestricted file upload. Apply updates per vendor instructions. 2022-06-30
CVE-2016-2386 SAP NetWeaver SAP NetWeaver SQL Injection Vulnerability 2022-06-09 SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Apply updates per vendor instructions. 2022-06-30
CVE-2016-2388 SAP NetWeaver SAP NetWeaver Information Disclosure Vulnerability 2022-06-09 The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request. Apply updates per vendor instructions. 2022-06-30
CVE-2022-30190 Microsoft Windows Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability 2022-06-14 A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run code with the privileges of the calling application. Apply updates per vendor instructions. 2022-07-05
CVE-2022-29499 Mitel MiVoice Connect Mitel MiVoice Connect Data Validation Vulnerability 2022-06-27 The Service Appliance component in Mitel MiVoice Connect allows remote code execution due to incorrect data validation. Apply updates per vendor instructions. 2022-07-18
CVE-2021-30533 Google Chromium Google Chromium Security Bypass Vulnerability 2022-06-27 Insufficient policy enforcement in the PopupBlocker for Chromium allows an attacker to remotely bypass security mechanisms. This vulnerability impacts web browsers using Chromium such as Chrome and Edge. Apply updates per vendor instructions. 2022-07-18
CVE-2021-4034 Red Hat Polkit Red Hat Polkit Out-of-Bounds Read and Write Vulnerability 2022-06-27 The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability which allows for privilege escalation with administrative rights. Apply updates per vendor instructions. 2022-07-18
CVE-2021-30983 Apple iOS and iPadOS Apple iOS and iPadOS Buffer Overflow Vulnerability 2022-06-27 Apple iOS and iPadOS contain a buffer overflow vulnerability that could allow an application to execute code with kernel privileges. Apply updates per vendor instructions. 2022-07-18
CVE-2020-3837 Apple Multiple Products Apple Multiple Products Memory Corruption Vulnerability 2022-06-27 Apple iOS, iPadOS, macOS, tvOS, and watchOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges. Apply updates per vendor instructions. 2022-07-18
CVE-2020-9907 Apple Multiple Products Apple Multiple Products Memory Corruption Vulnerability 2022-06-27 Apple iOS, iPadOS, and tvOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges. Apply updates per vendor instructions. 2022-07-18
CVE-2019-8605 Apple Multiple Products Apple Multiple Products Use-After-Free Vulnerability 2022-06-27 A use-after-free vulnerability in Apple iOS, macOS, tvOS, and watchOS could allow a malicious application to execute code with system privileges. Apply updates per vendor instructions. 2022-07-18
CVE-2018-4344 Apple Multiple Products Apple Multiple Products Memory Corruption Vulnerability 2022-06-27 Apple iOS, macOS, tvOS, and watchOS contain a memory corruption vulnerability which can allow for code execution. Apply updates per vendor instructions. 2022-07-18
CVE-2022-26925 Microsoft Windows Microsoft Windows LSA Spoofing Vulnerability 2022-07-01 Microsoft Windows Local Security Authority (LSA) contains a spoofing vulnerability where an attacker can coerce the domain controller to authenticate to the attacker using NTLM. Apply remediation actions outlined in CISA guidance [https://www.cisa.gov/guidance-applying-june-microsoft-patch]. 2022-07-22 WARNING: This update is required on all Microsoft Windows endpoints but if deployed to domain controllers without additional configuration changes the update breaks PIV/CAC authentication. Read CISA implementation guidance carefully before deploying to domain controllers.
CVE-2022-22047 Microsoft Windows Microsoft Windows Client Server Runtime Subsystem (CSRSS) Privilege Escalation Vulnerability 2022-07-12 Microsoft Windows CSRSS contains an unspecified vulnerability which allows for privilege escalation to SYSTEM privileges. Apply updates per vendor instructions. 2022-08-02 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047
CVE-2022-26138 Atlassian Confluence Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability 2022-07-29 Atlassian Questions For Confluence App has hard-coded credentials, exposing the username and password in plaintext. A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group. Apply updates per vendor instructions. 2022-08-19 https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html
CVE-2022-27924 Zimbra Collaboration (ZCS) Zimbra Collaboration (ZCS) Command Injection Vulnerability 2022-08-04 Zimbra Collaboration (ZCS) allows an attacker to inject memcache commands into a targeted instance which causes an overwrite of arbitrary cached entries. Apply updates per vendor instructions. 2022-08-25 https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24.1#Security_Fixes
CVE-2022-34713 Microsoft Windows Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability 2022-08-09 A remote code execution vulnerability exists when Microsoft Windows MSDT is called using the URL protocol from a calling application. Apply updates per vendor instructions. 2022-08-30 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713
CVE-2022-30333 RARLAB UnRAR RARLAB UnRAR Directory Traversal Vulnerability 2022-08-09 RARLAB UnRAR on Linux and UNIX contains a directory traversal vulnerability, allowing an attacker to write to files during an extract (unpack) operation. Apply updates per vendor instructions. 2022-08-30 Vulnerability updated with version 6.12. Accessing link will download update information: https://www.rarlab.com/rar/rarlinux-x32-612.tar.gz
CVE-2022-27925 Zimbra Collaboration (ZCS) Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability 2022-08-11 Zimbra Collaboration (ZCS) contains flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerability was chained with CVE-2022-37042 which allows for unauthenticated remote code execution. Apply updates per vendor instructions. 2022-09-01 https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/
CVE-2022-37042 Zimbra Collaboration (ZCS) Zimbra Collaboration (ZCS) Authentication Bypass Vulnerability 2022-08-11 Zimbra Collaboration (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925 which allows for unauthenticated remote code execution. Apply updates per vendor instructions. 2022-09-01 https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/
CVE-2022-22536 SAP Multiple Products SAP Multiple Products HTTP Request Smuggling Vulnerability 2022-08-18 SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary Web caches. Apply updates per vendor instructions. 2022-09-08 SAP users must have an account in order to login and access the patch. https://accounts.sap.com/saml2/idp/sso
CVE-2022-32894 Apple iOS and macOS Apple iOS and macOS Out-of-Bounds Write Vulnerability 2022-08-18 Apple iOS and macOS contain an out-of-bounds write vulnerability that could allow an application to execute code with kernel privileges. Apply updates per vendor instructions. 2022-09-08 https://support.apple.com/en-gb/HT213412, https://support.apple.com/en-gb/HT213413
CVE-2022-32893 Apple iOS and macOS Apple iOS and macOS Out-of-Bounds Write Vulnerability 2022-08-18 Apple iOS and macOS contain an out-of-bounds write vulnerability that could allow for remote code execution when processing malicious crafted web content. Apply updates per vendor instructions. 2022-09-08 https://support.apple.com/en-gb/HT213412, https://support.apple.com/en-gb/HT213413
CVE-2022-2856 Google Chrome Google Chrome Intents Insufficient Input Validation Vulnerability 2022-08-18 Google Chrome Intents allows for insufficient validation of untrusted input, causing unknown impacts. CISA will update this description if more information becomes available. Apply updates per vendor instructions. 2022-09-08 https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html
CVE-2022-26923 Microsoft Active Directory Microsoft Active Directory Domain Services Privilege Escalation Vulnerability 2022-08-18 An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow for privilege escalation to SYSTEM. Apply updates per vendor instructions. 2022-09-08 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26923
CVE-2022-21971 Microsoft Windows Microsoft Windows Runtime Remote Code Execution Vulnerability 2022-08-18 Microsoft Windows Runtime contains an unspecified vulnerability which allows for remote code execution. Apply updates per vendor instructions. 2022-09-08 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21971
CVE-2017-15944 Palo Alto Networks PAN-OS Palo Alto Networks PAN-OS Remote Code Execution Vulnerability 2022-08-18 Palo Alto Networks PAN-OS contains multiple, unspecified vulnerabilities which can allow for remote code execution when chained. Apply updates per vendor instructions. 2022-09-08 https://security.paloaltonetworks.com/CVE-2017-15944
CVE-2022-0028 Palo Alto Networks PAN-OS Palo Alto Networks PAN-OS Reflected Amplification Denial-of-Service Vulnerability 2022-08-22 A Palo Alto Networks PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. Apply updates per vendor instructions. 2022-09-12 https://security.paloaltonetworks.com/CVE-2022-0028
CVE-2022-26352 dotCMS dotCMS dotCMS Unrestricted Upload of File Vulnerability 2022-08-25 dotCMS ContentResource API contains an unrestricted upload of file with a dangerous type vulnerability that allows for directory traversal, in which the file is saved outside of the intended storage location. Exploitation allows for remote code execution. Apply updates per vendor instructions. 2022-09-15 https://www.dotcms.com/security/SI-62
CVE-2022-24706 Apache CouchDB Apache CouchDB Insecure Default Initialization of Resource Vulnerability 2022-08-25 Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges. Apply updates per vendor instructions. 2022-09-15 https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
CVE-2022-24112 Apache APISIX Apache APISIX Authentication Bypass Vulnerability 2022-08-25 Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution. Apply updates per vendor instructions. 2022-09-15 https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94
CVE-2022-22963 VMware Tanzu Spring Cloud VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability 2022-08-25 When using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. Apply updates per vendor instructions. 2022-09-15 https://tanzu.vmware.com/security/cve-2022-22963
CVE-2022-2294 WebRTC WebRTC WebRTC Heap Buffer Overflow Vulnerability 2022-08-25 WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability which allows an attacker to perform shellcode execution. This vulnerability impacts web browsers using WebRTC including but not limited to Google Chrome. Apply updates per vendor instructions. 2022-09-15 https://groups.google.com/g/discuss-webrtc/c/5KBtZx2gvcQ
CVE-2021-39226 Grafana Labs Grafana Grafana Authentication Bypass Vulnerability 2022-08-25 Grafana contains an authentication bypass vulnerability that allows authenticated and unauthenticated users to view and delete all snapshot data, potentially resulting in complete snapshot data loss. Apply updates per vendor instructions. 2022-09-15 https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/
CVE-2021-38406 Delta Electronics DOPSoft 2 Delta Electronics DOPSoft 2 Improper Input Validation Vulnerability 2022-08-25 Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing specific project files (improper input validation) resulting in an out-of-bounds write that allows for code execution. The impacted product is end-of-life and should be disconnected if still in use. 2022-09-15 https://www.cisa.gov/uscert/ics/advisories/icsa-21-252-02
CVE-2021-31010 Apple iOS, macOS, watchOS Apple iOS, macOS, watchOS Sanbox Bypass Vulnerability 2022-08-25 In affected versions of Apple iOS, macOS, and watchOS, a sandboxed process may be able to circumvent sandbox restrictions. Apply updates per vendor instructions. 2022-09-15 https://support.apple.com/en-us/HT212804, https://support.apple.com/en-us/HT212805, https://support.apple.com/en-us/HT212806, https://support.apple.com/en-us/HT212807, https://support.apple.com/en-us/HT212824
CVE-2020-36193 PEAR Archive_Tar PEAR Archive_Tar Improper Link Resolution Vulnerability 2022-08-25 PEAR Archive_Tar Tar.php allows write operations with directory traversal due to inadequate checking of symbolic links. PEAR stands for PHP Extension and Application Repository and it is an open-source framework and distribution system for reusable PHP components with known usage in third-party products such as Drupal Core and Red Hat Linux. Apply updates per vendor instructions. 2022-09-15 https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916, https://www.drupal.org/sa-core-2021-001, https://access.redhat.com/security/cve/cve-2020-36193
CVE-2020-28949 PEAR Archive_Tar PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability 2022-08-25 PEAR Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked. PEAR stands for PHP Extension and Application Repository and it is an open-source framework and distribution system for reusable PHP components with known usage in third-party products such as Drupal Core and Red Hat Linux. Apply updates per vendor instructions. 2022-09-15 https://pear.php.net/bugs/bug.php?id=27002, https://www.drupal.org/sa-core-2020-013, https://access.redhat.com/security/cve/cve-2020-28949
CVE-2022-3075 Google Chromium Google Chromium Insufficient Data Validation Vulnerability 2022-09-08 Google Chromium Mojo contains an insufficient data validation vulnerability. Impacts from exploitation are not yet known. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2022-09-29 https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3075
CVE-2022-28958 D-Link DIR-816L D-Link DIR-816L Remote Code Execution Vulnerability 2022-09-08 D-Link DIR-816L contains an unspecified vulnerability in the shareport.php value parameter which allows for remote code execution. This CVE is currently in disputed status. During the review process, agencies should update per vendor instructions. 2022-09-29 https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10300
CVE-2022-27593 QNAP Photo Station QNAP Photo Station Externally Controlled Reference Vulnerability 2022-09-08 Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign. Apply updates per vendor instructions. 2022-09-29 https://www.qnap.com/en/security-advisory/qsa-22-24
CVE-2022-26258 D-Link DIR-820L D-Link DIR-820L Remote Code Execution Vulnerability 2022-09-08 D-Link DIR-820L contains an unspecified vulnerability in Device Name parameter in /lan.asp which allows for remote code execution. The impacted product is end-of-life and should be disconnected if still in use. 2022-09-29 https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10295
CVE-2020-9934 Apple iOS, iPadOS, and macOS Apple iOS, iPadOS, and macOS Input Validation Vulnerability 2022-09-08 Apple iOS, iPadOS, and macOS contain an unspecified vulnerability involving input validation which can allow a local attacker to view sensitive user information. Apply updates per vendor instructions. 2022-09-29 https://support.apple.com/en-us/HT211288, https://support.apple.com/en-us/HT211289
CVE-2018-7445 MikroTik RouterOS MikroTik RouterOS Stack-Based Buffer Overflow Vulnerability 2022-09-08 In MikroTik RouterOS, a stack-based buffer overflow occurs when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system. Apply updates per vendor instructions. 2022-09-29 https://www.coresecurity.com/core-labs/advisories/mikrotik-routeros-smb-buffer-overflow#vendor_update, https://mikrotik.com/download
CVE-2018-6530 D-Link Multiple Routers D-Link Multiple Routers OS Command Injection Vulnerability 2022-09-08 Multiple D-Link routers contain an unspecified vulnerability which allows for execution of OS commands. The vendor D-Link published an advisory stating the fix under CVE-2018-20114 properly patches KEV entry CVE-2018-6530. If the device is still supported, apply updates per vendor instructions. If the affected device has since entered its end-of-life, it should be disconnected if still in use. 2022-09-29 https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10105
CVE-2018-2628 Oracle WebLogic Server Oracle WebLogic Server Unspecified Vulnerability 2022-09-08 Oracle WebLogic Server contains an unspecified vulnerability which can allow an unauthenticated attacker with T3 network access to compromise the server. Apply updates per vendor instructions. 2022-09-29 https://www.oracle.com/security-alerts/cpuapr2018.html
CVE-2018-13374 Fortinet FortiOS and FortiADC Fortinet FortiOS and FortiADC Improper Access Control Vulnerability 2022-09-08 Fortinet FortiOS and FortiADC contain an improper access control vulnerability which allows attackers to obtain the LDAP server login credentials configured in FortiGate by pointing a LDAP server connectivity test request to a rogue LDAP server. Apply updates per vendor instructions. 2022-09-29 https://www.fortiguard.com/psirt/FG-IR-18-157
CVE-2017-5521 NETGEAR Multiple Devices NETGEAR Multiple Devices Exposure of Sensitive Information Vulnerability 2022-09-08 Multiple NETGEAR devices are prone to admin password disclosure via simple crafted requests to the web management server. Apply updates per vendor instructions. If the affected device has since entered end-of-life, it should be disconnected if still in use. 2022-09-29 https://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability
CVE-2011-4723 D-Link DIR-300 Router D-Link DIR-300 Router Cleartext Storage of a Password Vulnerability 2022-09-08 The D-Link DIR-300 router stores cleartext passwords, which allows context-dependent attackers to obtain sensitive information. The impacted product is end-of-life and should be disconnected if still in use. 2022-09-29 https://www.dlink.ru/mn/products/2/728.html
CVE-2011-1823 Android Android OS Android OS Privilege Escalation Vulnerability 2022-09-08 The vold volume manager daemon in Android kernel trusts messages from a PF_NETLINK socket, which allows an attacker to execute code and gain root privileges. This vulnerability is associated with GingerBreak and Exploit.AndroidOS.Lotoor. Apply updates per vendor instructions. 2022-09-29 https://android.googlesource.com/platform/system/vold/+/c51920c82463b240e2be0430849837d6fdc5352e
CVE-2022-37969 Microsoft Windows Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability 2022-09-14 Microsoft Windows Common Log File System (CLFS) driver contains an unspecified vulnerability which allows for privilege escalation. Apply updates per vendor instructions. 2022-10-05 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37969
CVE-2022-32917 Apple iOS, iPadOS, and macOS Apple iOS, iPadOS, and macOS Remote Code Execution Vulnerability 2022-09-14 Apple kernel, which is included in iOS, iPadOS, and macOS, contains an unspecified vulnerability where an application may be able to execute code with kernel privileges. Apply updates per vendor instructions. 2022-10-05 https://support.apple.com/en-us/HT213445, https://support.apple.com/en-us/HT213444
CVE-2022-40139 Trend Micro Apex One and Apex One as a Service Trend Micro Apex One and Apex One as a Service Improper Validation Vulnerability 2022-09-15 Trend Micro Apex One and Apex One as a Service contain an improper validation of rollback mechanism components that could lead to remote code execution. Apply updates per vendor instructions. 2022-10-06 https://success.trendmicro.com/dcx/s/solution/000291528?language=en_US
CVE-2013-6282 Linux Kernel Linux Kernel Improper Input Validation Vulnerability 2022-09-15 The get_user and put_user API functions of the Linux kernel fail to validate the target address when being used on ARM v6k/v7 platforms. This allows an application to read and write kernel memory which could lead to privilege escalation. Apply updates per vendor instructions. 2022-10-06 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8404663f81d212918ff85f493649a7991209fa04
CVE-2013-2597 Code Aurora ACDB Audio Driver Code Aurora ACDB Audio Driver Stack-based Buffer Overflow Vulnerability 2022-09-15 The Code Aurora audio calibration database (acdb) audio driver contains a stack-based buffer overflow vulnerability which allows for privilege escalation. Code Aurora is used in third-party products such as Qualcomm and Android. Apply updates per vendor instructions. 2022-10-06 https://web.archive.org/web/20161226013354/https:/www.codeaurora.org/news/security-advisories/stack-based-buffer-overflow-acdb-audio-driver-cve-2013-2597
CVE-2013-2596 Linux Kernel Linux Kernel Integer Overflow Vulnerability 2022-09-15 Linux kernel fb_mmap function in drivers/video/fbmem.c contains an integer overflow vulnerability which allows for privilege escalation. Apply updates per vendor instructions. 2022-10-06 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fc9bbca8f650e5f738af8806317c0a041a48ae4a
CVE-2013-2094 Linux Kernel Linux Kernel Privilege Escalation Vulnerability 2022-09-15 Linux kernel fails to check all 64 bits of attr.config passed by user space, resulting to out-of-bounds access of the perf_swevent_enabled array in sw_perf_event_destroy(). Explotation allows for privilege escalation. Apply updates per vendor instructions. 2022-10-06 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8176cced706b5e5d15887584150764894e94e02f
CVE-2010-2568 Microsoft Windows Microsoft Windows Remote Code Execution Vulnerability 2022-09-15 Microsoft Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the operating system displays the icon of a malicious shortcut file. An attacker who successfully exploited this vulnerability could execute code as the logged-on user. Apply updates per vendor instructions. 2022-10-06 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-046
CVE-2022-35405 Zoho ManageEngine Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability 2022-09-22 Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability which allows for remote code execution. Apply updates per vendor instructions. 2022-10-13 https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html
CVE-2022-3236 Sophos Firewall Sophos Firewall Code Injection Vulnerability 2022-09-23 A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution. Apply updates per vendor instructions. 2022-10-14 https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce
CVE-2022-41082 Microsoft Exchange Server Microsoft Exchange Server Remote Code Execution Vulnerability 2022-09-30 Microsoft Exchange Server contains an unspecified vulnerability which allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 which allows for the remote code execution. Apply updates per vendor instructions. 2022-10-21 https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
CVE-2022-41040 Microsoft Exchange Server Microsoft Exchange Server Server-Side Request Forgery Vulnerability 2022-09-30 Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution. Apply updates per vendor instructions. 2022-10-21 https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
CVE-2022-36804 Atlassian Bitbucket Server and Data Center Atlassian Bitbucket Server and Data Center Command Injection Vulnerability 2022-09-30 Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability where an attacker with access to a public Bitbucket repository, or with read permissions to a private one, can execute code by sending a malicious HTTP request. Apply updates per vendor instructions. 2022-10-21 https://jira.atlassian.com/browse/BSERV-13438
CVE-2022-40684 Fortinet Multiple Products Fortinet Multiple Products Authentication Bypass Vulnerability 2022-10-11 Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. Apply updates per vendor instructions. 2022-11-01 https://www.fortiguard.com/psirt/FG-IR-22-377
CVE-2022-41033 Microsoft Windows COM+ Event System Service Microsoft Windows COM+ Event System Service Privilege Escalation Vulnerability 2022-10-11 Microsoft Windows COM+ Event System Service contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2022-11-01 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41033
CVE-2022-41352 Zimbra Collaboration (ZCS) Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability 2022-10-20 Zimbra Collaboration (ZCS) allows an attacker to upload arbitrary files using cpio package to gain incorrect access to any other user accounts. Apply updates per vendor instructions. 2022-11-10 https://wiki.zimbra.com/wiki/Security_Center
CVE-2021-3493 Linux Kernel Linux Kernel Privilege Escalation Vulnerability 2022-10-20 The overlayfs stacking file system in Linux kernel does not properly validate the application of file capabilities against user namespaces, which could lead to privilege escalation. Apply updates per vendor instructions. 2022-11-10 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c03e2cda4a584cadc398e8f6641ca9988a39d52
CVE-2020-3433 Cisco AnyConnect Secure Cisco AnyConnect Secure Mobility Client for Windows DLL Hijacking Vulnerability 2022-10-24 Cisco AnyConnect Secure Mobility Client for Windows interprocess communication (IPC) channel allows for insufficient validation of resources that are loaded by the application at run time. An attacker with valid credentials on Windows could execute code on the affected machine with SYSTEM privileges. Apply updates per vendor instructions. 2022-11-14 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-F26WwJW
CVE-2020-3153 Cisco AnyConnect Secure Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability 2022-10-24 Cisco AnyConnect Secure Mobility Client for Windows allows for incorrect handling of directory paths. An attacker with valid credentials on Windows would be able to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. Apply updates per vendor instructions. 2022-11-14 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj
CVE-2018-19323 GIGABYTE Multiple Products GIGABYTE Multiple Products Privilege Escalation Vulnerability 2022-10-24 The GPCIDrv and GDrv low-level drivers in GIGABYTE App Center, AORUS Graphics Engine, XTREME Gaming Engine, and OC GURU expose functionality to read and write arbitrary physical memory. This could be leveraged by a local attacker to elevate privileges. Apply updates per vendor instructions. 2022-11-14 https://www.gigabyte.com/Support/Security/1801
CVE-2018-19322 GIGABYTE Multiple Products GIGABYTE Multiple Products Code Execution Vulnerability 2022-10-24 The GPCIDrv and GDrv low-level drivers in GIGABYTE App Center, AORUS Graphics Engine, XTREME Gaming Engine, and OC GURU II expose functionality to read/write data from/to IO ports. This could be leveraged in a number of ways to ultimately run code with elevated privileges. Apply updates per vendor instructions. 2022-11-14 https://www.gigabyte.com/Support/Security/1801
CVE-2018-19321 GIGABYTE Multiple Products GIGABYTE Multiple Products Privilege Escalation Vulnerability 2022-10-24 The GPCIDrv and GDrv low-level drivers in GIGABYTE App Center, AORUS Graphics Engine, XTREME Gaming Engine, and OC GURU II expose functionality to read and write arbitrary physical memory. This could be leveraged by a local attacker to elevate privileges. Apply updates per vendor instructions. 2022-11-14 https://www.gigabyte.com/Support/Security/1801
CVE-2018-19320 GIGABYTE Multiple Products GIGABYTE Multiple Products Unspecified Vulnerability 2022-10-24 The GDrv low-level driver in GIGABYTE App Center, AORUS Graphics Engine, XTREME Gaming Engine, and OC GURU II exposes ring0 memcpy-like functionality that could allow a local attacker to take complete control of the affected system. Apply updates per vendor instructions. 2022-11-14 https://www.gigabyte.com/Support/Security/1801
CVE-2022-42827 Apple iOS and iPadOS Apple iOS and iPadOS Out-of-Bounds Write Vulnerability 2022-10-25 Apple iOS and iPadOS kernel contain an out-of-bounds write vulnerability which can allow an application to perform code execution with kernel privileges. Apply updates per vendor instructions. 2022-11-15 https://support.apple.com/en-us/HT213489
CVE-2022-3723 Google Chromium V8 Engine Google Chromium V8 Type Confusion Vulnerability 2022-10-28 Google Chromium V8 contains a type confusion vulnerability. Specific impacts from exploitation are not available at this time. Apply updates per vendor instructions. 2022-11-18 https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html
CVE-2022-41091 Microsoft Windows Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability 2022-11-08 Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability of security features. Apply updates per vendor instructions. 2022-12-09 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41091
CVE-2022-41073 Microsoft Windows Microsoft Windows Print Spooler Privilege Escalation Vulnerability 2022-11-08 Microsoft Windows Print Spooler contains an unspecified vulnerability which allows an attacker to gain SYSTEM-level privileges. Apply updates per vendor instructions. 2022-12-09 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41073
CVE-2022-41125 Microsoft Windows Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability 2022-11-08 Microsoft Windows Cryptographic Next Generation (CNG) Key Isolation Service contains an unspecified vulnerability which allows an attacker to gain SYSTEM-level privileges. Apply updates per vendor instructions. 2022-12-09 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41125
CVE-2022-41128 Microsoft Windows Microsoft Windows Scripting Languages Remote Code Execution Vulnerability 2022-11-08 Microsoft Windows contains an unspecified vulnerability in the JScript9 scripting language which allows for remote code execution. Apply updates per vendor instructions. 2022-12-09 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41128
CVE-2021-25337 Samsung Mobile Devices Samsung Mobile Devices Improper Access Control Vulnerability 2022-11-08 Samsung mobile devices contain an improper access control vulnerability in clipboard service which allows untrusted applications to read or write arbitrary files. This vulnerability was chained with CVE-2021-25369 and CVE-2021-25370. Apply updates per vendor instructions. 2022-11-29 https://security.samsungmobile.com/securityUpdate.smsb
CVE-2021-25369 Samsung Mobile Devices Samsung Mobile Devices Improper Access Control Vulnerability 2022-11-08 Samsung mobile devices using Mali GPU contains an improper access control vulnerability in sec_log file. Exploitation of the vulnerability exposes sensitive kernel information to the userspace. This vulnerability was chained with CVE-2021-25337 and CVE-2021-25370. Apply updates per vendor instructions. 2022-11-29 https://security.samsungmobile.com/securityUpdate.smsb
CVE-2021-25370 Samsung Mobile Devices Samsung Mobile Devices Memory Corruption Vulnerability 2022-11-08 Samsung mobile devices using Mali GPU contain an incorrect implementation handling file descriptor in dpu driver. This incorrect implementation results in memory corruption, leading to kernel panic. This vulnerability was chained with CVE-2021-25337 and CVE-2021-25369. Apply updates per vendor instructions. 2022-11-29 https://security.samsungmobile.com/securityUpdate.smsb
CVE-2022-41049 Microsoft Windows Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability 2022-11-14 Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability of security features. Apply updates per vendor instructions. 2022-12-09 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41049
CVE-2021-35587 Oracle Fusion Middleware Oracle Fusion Middleware Unspecified Vulnerability 2022-11-28 Oracle Fusion Middleware Access Manager allows an unauthenticated attacker with network access via HTTP to takeover the Access Manager product. Apply updates per vendor instructions. 2022-12-19 https://www.oracle.com/security-alerts/cpujan2022.html
CVE-2022-4135 Google Chromium Google Chromium Heap Buffer Overflow Vulnerability 2022-11-28 Google Chromium GPU contains a heap buffer overflow vulnerability that allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Apply updates per vendor instructions. 2022-12-19 https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html
CVE-2022-4262 Google Chromium V8 Engine Google Chromium V8 Type Confusion Vulnerability 2022-12-05 Google Chromium V8 contains a type confusion vulnerability. Specific impacts from exploitation are not available at this time. Apply updates per vendor instructions. 2022-12-26 https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html
CVE-2022-42475 Fortinet FortiOS Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability 2022-12-13 Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary code or commands via specifically crafted requests. Apply updates per vendor instructions. 2023-01-03 https://www.fortiguard.com/psirt/FG-IR-22-398
CVE-2022-44698 Microsoft Defender Microsoft Defender SmartScreen Security Feature Bypass Vulnerability 2022-12-13 Microsoft Defender SmartScreen contains a security feature bypass vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a specially crafted malicious file. Apply updates per vendor instructions. 2023-01-03 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44698
CVE-2022-27518 Citrix Application Delivery Controller (ADC) and Gateway Citrix Application Delivery Controller (ADC) and Gateway Authentication Bypass Vulnerability 2022-12-13 Citrix Application Delivery Controller (ADC) and Gateway, when configured with SAML SP or IdP configuration, contain an authentication bypass vulnerability which allows an attacker to execute code as administrator. Apply updates per vendor instructions. 2023-01-03 https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/
CVE-2022-26500 Veeam Backup & Replication Veeam Backup & Replication Remote Code Execution Vulnerability 2022-12-13 The Veeam Distribution Service in the Backup & Replication application allows unauthenticated users to access internal API functions. A remote attacker can send input to the internal API which may lead to uploading and executing of malicious code. Apply updates per vendor instructions. 2023-01-03 https://www.veeam.com/kb4288
CVE-2022-26501 Veeam Backup & Replication Veeam Backup & Replication Remote Code Execution Vulnerability 2022-12-13 The Veeam Distribution Service in the Backup & Replication application allows unauthenticated users to access internal API functions. A remote attacker can send input to the internal API which may lead to uploading and executing of malicious code. Apply updates per vendor instructions. 2023-01-03 https://www.veeam.com/kb4288
CVE-2022-42856 Apple iOS Apple iOS Type Confusion Vulnerability 2022-12-14 Apple iOS contains a type confusion vulnerability when processing maliciously crafted web content leading to code execution. Apply updates per vendor instructions. 2023-01-04 https://support.apple.com/en-us/HT213516
CVE-2018-5430 TIBCO JasperReports TIBCO JasperReports Server Information Disclosure Vulnerability 2022-12-29 TIBCO JasperReports Server contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files. Apply updates per vendor instructions. 2023-01-19 https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430
CVE-2018-18809 TIBCO JasperReports TIBCO JasperReports Library Directory Traversal Vulnerability 2022-12-29 TIBCO JasperReports Library contains a directory-traversal vulnerability that may allow web server users to access contents of the host system. Apply updates per vendor instructions. 2023-01-19 https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809
CVE-2022-41080 Microsoft Exchange Server Microsoft Exchange Server Privilege Escalation Vulnerability 2023-01-10 Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation. This vulnerability is chainable with CVE-2022-41082, which allows for remote code execution. Apply updates per vendor instructions. 2023-01-31 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41080
CVE-2023-21674 Microsoft Windows Microsoft Windows Advanced Local Procedure Call (ALPC) Privilege Escalation Vulnerability 2023-01-10 Microsoft Windows Advanced Local Procedure Call (ALPC) contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2023-01-31 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21674
CVE-2022-44877 CWP Control Web Panel CWP Control Web Panel OS Command Injection Vulnerability 2023-01-17 CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows remote attackers to execute commands via shell metacharacters in the login parameter. Apply updates per vendor instructions. 2023-02-07 https://control-webpanel.com/changelog#1669855527714-450fb335-6194
CVE-2022-47966 Zoho ManageEngine Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability 2023-01-23 Multiple Zoho ManageEngine products contain an unauthenticated remote code execution vulnerability due to the usage of an outdated third-party dependency, Apache Santuario. Apply updates per vendor instructions. 2023-02-13 https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
CVE-2017-11357 Telerik User Interface (UI) for ASP.NET AJAX Telerik UI for ASP.NET AJAX Insecure Direct Object Reference Vulnerability 2023-01-26 Telerik UI for ASP.NET AJAX contains an insecure direct object reference vulnerability in RadAsyncUpload that can result in file uploads in a limited location and/or remote code execution. Apply updates per vendor instructions. 2023-02-16 https://docs.telerik.com/devtools/aspnet-ajax/knowledge-base/asyncupload-insecure-direct-object-reference
CVE-2022-21587 Oracle E-Business Suite Oracle E-Business Suite Unspecified Vulnerability 2023-02-02 Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Apply updates per vendor instructions. 2023-02-23 https://www.oracle.com/security-alerts/cpuoct2022.html
CVE-2023-22952 SugarCRM Multiple Products Multiple SugarCRM Products Remote Code Execution Vulnerability 2023-02-02 Multiple SugarCRM products contain a remote code execution vulnerability in the EmailTemplates. Using a specially crafted request, custom PHP code can be injected through the EmailTemplates. Apply updates per vendor instructions. 2023-02-23 https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/
CVE-2015-2291 Intel Ethernet Diagnostics Driver for Windows Intel Ethernet Diagnostics Driver for Windows Denial-of-Service Vulnerability 2023-02-10 Intel ethernet diagnostics driver for Windows IQVW32.sys and IQVW64.sys contain an unspecified vulnerability that allows for a denial-of-service. Apply updates per vendor instructions. 2023-03-03 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00051.html
CVE-2022-24990 TerraMaster TerraMaster OS TerraMaster OS Remote Command Execution Vulnerability 2023-02-10 TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint. Apply updates per vendor instructions. 2023-03-03 https://forum.terra-master.com/en/viewtopic.php?t=3030
CVE-2023-0669 Fortra GoAnywhere MFT Fortra GoAnywhere MFT Remote Code Execution Vulnerability 2023-02-10 Fortra (formerly, HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled object. Apply updates per vendor instructions. 2023-03-03 Fortra users must have an account in order to login and access the patch. https://my.goanywhere.com/webclient/DownloadProductFiles.xhtml
CVE-2023-21715 Microsoft Office Microsoft Office Publisher Security Feature Bypass Vulnerability 2023-02-14 Microsoft Office Publisher contains a security feature bypass vulnerability which allows for a local, authenticated attack on a targeted system. Apply updates per vendor instructions. 2023-03-07 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21715
CVE-2023-23376 Microsoft Windows Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability 2023-02-14 Microsoft Windows Common Log File System (CLFS) driver contains an unspecified vulnerability which allows for privilege escalation. Apply updates per vendor instructions. 2023-03-07 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23376
CVE-2023-23529 Apple Multiple Products Apple Multiple Products WebKit Type Confusion Vulnerability 2023-02-14 WebKit in Apple iOS, MacOS, Safari and iPadOS contains a type confusion vulnerability that may lead to code execution. Apply updates per vendor instructions. 2023-03-07 https://support.apple.com/en-us/HT213635, https://support.apple.com/en-us/HT213633, https://support.apple.com/en-us/HT213638
CVE-2023-21823 Microsoft Windows Microsoft Windows Graphic Component Privilege Escalation Vulnerability 2023-02-14 Microsoft Windows Graphic Component contains an unspecified vulnerability which allows for privilege escalation. Apply updates per vendor instructions. 2023-03-07 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21823
CVE-2022-46169 Cacti Cacti Cacti Command Injection Vulnerability 2023-02-16 Cacti contains a command injection vulnerability that allows an unauthenticated user to execute code. Apply updates per vendor instructions. 2023-03-09 https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
CVE-2022-47986 IBM Aspera Faspex IBM Aspera Faspex Code Execution Vulnerability 2023-02-21 IBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML deserialization flaw. Apply updates per vendor instructions. 2023-03-14 https://exchange.xforce.ibmcloud.com/vulnerabilities/243512?_ga=2.189195179.1800390251.1676559338-700333034.1676325890
CVE-2022-41223 Mitel MiVoice Connect Mitel MiVoice Connect Code Injection Vulnerability 2023-02-21 The Director component in Mitel MiVoice Connect allows an authenticated attacker with internal network access to execute code within the context of the application. Apply updates per vendor instructions. 2023-03-14 https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0008
CVE-2022-40765 Mitel MiVoice Connect Mitel MiVoice Connect Command Injection Vulnerability 2023-02-21 The Mitel Edge Gateway component of MiVoice Connect allows an authenticated attacker with internal network access to execute commands within the context of the system. Apply updates per vendor instructions. 2023-03-14 https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0007
CVE-2022-36537 ZK Framework AuUploader ZK Framework AuUploader Unspecified Vulnerability 2023-02-27 ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the content of a file located in the web context. The ZK Framework is an open-source Java framework. This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager. Apply updates per vendor instructions. 2023-03-20 https://tracker.zkoss.org/browse/ZK-5150
CVE-2022-28810 Zoho ManageEngine Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability 2023-03-07 Multiple Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset. Apply updates per vendor instructions. 2023-03-28 https://www.manageengine.com/products/self-service-password/advisory/CVE-2022-28810.html
CVE-2022-33891 Apache Spark Apache Spark Command Injection Vulnerability 2023-03-07 Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled. Apply updates per vendor instructions. 2023-03-28 https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
CVE-2022-35914 Teclib GLPI Teclib GLPI Remote Code Execution Vulnerability 2023-03-07 Teclib GLPI contains a remote code execution vulnerability in the third-party library, htmlawed. Apply updates per vendor instructions. 2023-03-28 https://glpi-project.org/fr/glpi-10-0-3-disponible/, http://www.bioinformatics.org/phplabware/sourceer/sourceer.php?&Sfs=htmLawedTest.php&Sl=.%2Finternal_utilities%2FhtmLawed.
CVE-2021-39144 XStream XStream XStream Remote Code Execution Vulnerability 2023-03-10 XStream contains a remote code execution vulnerability that allows an attacker to manipulate the processed input stream and replace or inject objects that result in the execution of a local command on the server. This vulnerability can affect multiple products, including but not limited to VMware Cloud Foundation. Apply updates per vendor instructions. 2023-03-31 https://www.vmware.com/security/advisories/VMSA-2022-0027.html, https://x-stream.github.io/CVE-2021-39144.html
CVE-2020-5741 Plex Media Server Plex Media Server Remote Code Execution Vulnerability 2023-03-10 Plex Media Server contains a remote code execution vulnerability that allows an attacker with access to the server administrator's Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it. Apply updates per vendor instructions. 2023-03-31 https://forums.plex.tv/t/security-regarding-cve-2020-5741/586819
CVE-2023-23397 Microsoft Office Microsoft Office Outlook Privilege Escalation Vulnerability 2023-03-14 Microsoft Office Outlook contains a privilege escalation vulnerability that allows for a NTLM Relay attack against another service to authenticate as the user. Apply updates per vendor instructions. 2023-04-04 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23397, https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/,
CVE-2023-24880 Microsoft Windows Microsoft Windows SmartScreen Security Feature Bypass Vulnerability 2023-03-14 Microsoft Windows SmartScreen contains a security feature bypass vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a specially crafted malicious file. Apply updates per vendor instructions. 2023-04-04 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-24880
CVE-2022-41328 Fortinet FortiOS Fortinet FortiOS Path Traversal Vulnerability 2023-03-14 Fortinet FortiOS contains a path traversal vulnerability that may allow a local privileged attacker to read and write files via crafted CLI commands. Apply updates per vendor instructions. 2023-04-04 https://www.fortiguard.com/psirt/FG-IR-22-369
CVE-2023-26360 Adobe ColdFusion Adobe ColdFusion Deserialization of Untrusted Data Vulnerability 2023-03-15 Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for remote code execution. Apply updates per vendor instructions. 2023-04-05 https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html
CVE-2013-3163 Microsoft Internet Explorer Microsoft Internet Explorer Memory Corruption Vulnerability 2023-03-30 Microsoft Internet Explorer contains a memory corruption vulnerability that allows remote attackers to execute code or cause a denial of service via a crafted website. The impacted product is end-of-life and should be disconnected if still in use. 2023-04-20 https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-055
CVE-2017-7494 Samba Samba Samba Remote Code Execution Vulnerability 2023-03-30 Samba contains a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share and then cause the server to load and execute it. Apply updates per vendor instructions. 2023-04-20 https://www.samba.org/samba/security/CVE-2017-7494.html
CVE-2022-42948 Fortra Cobalt Strike Fortra Cobalt Strike User Interface Remote Code Execution Vulnerability 2023-03-30 Fortra Cobalt Strike User Interface contains an unspecified vulnerability rooted in Java Swing that may allow remote code execution. Apply updates per vendor instructions. 2023-04-20 https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-2/
CVE-2022-39197 Fortra Cobalt Strike Fortra Cobalt Strike Teamserver Cross-Site Scripting (XSS) Vulnerability 2023-03-30 Fortra Cobalt Strike contains a cross-site scripting (XSS) vulnerability in Teamserver that would allow an attacker to set a malformed username in the Beacon configuration, allowing them to execute code remotely. Apply updates per vendor instructions. 2023-04-20 https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-1/
CVE-2021-30900 Apple iOS, iPadOS, and macOS Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability 2023-03-30 Apple GPU drivers, included in iOS, iPadOS, and macOS, contain an out-of-bounds write vulnerability that may allow a malicious application to execute code with kernel privileges. Apply updates per vendor instructions. 2023-04-20 https://support.apple.com/en-us/HT21286, https://support.apple.com/en-us/HT212868, https://support.apple.com/kb/HT212872
CVE-2022-38181 Arm Mali Graphics Processing Unit (GPU) Arm Mali GPU Kernel Driver Use-After-Free Vulnerability 2023-03-30 Arm Mali GPU Kernel Driver contains a use-after-free vulnerability that may allow a non-privileged user to gain root privilege and/or disclose information. Apply updates per vendor instructions. 2023-04-20 https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities
CVE-2023-0266 Linux Kernel Linux Kernel Use-After-Free Vulnerability 2023-03-30 Linux kernel contains a use-after-free vulnerability that allows for privilege escalation to gain ring0 access from the system user. Apply updates per vendor instructions. 2023-04-20 https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-5.10/alsa-pcm-move-rwsem-lock-inside-snd_ctl_elem_read-to-prevent-uaf.patch?id=72783cf35e6c55bca84c4bb7b776c58152856fd4
CVE-2022-3038 Google Chrome Google Chrome Use-After-Free Vulnerability 2023-03-30 Google Chrome contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption. Apply updates per vendor instructions. 2023-04-20 https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html
CVE-2022-22706 Arm Mali Graphics Processing Unit (GPU) Arm Mali GPU Kernel Driver Unspecified Vulnerability 2023-03-30 Arm Mali GPU Kernel Driver contains an unspecified vulnerability that allows a non-privileged user to achieve write access to read-only memory pages. Apply updates per vendor instructions. 2023-04-20 https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities
CVE-2022-27926 Zimbra Collaboration (ZCS) Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability 2023-04-03 Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability by allowing an endpoint URL to accept parameters without sanitizing. Apply updates per vendor instructions. 2023-04-24 https://wiki.zimbra.com/wiki/Security_Center
CVE-2021-27876 Veritas Backup Exec Agent Veritas Backup Exec Agent File Access Vulnerability 2023-04-07 Veritas Backup Exec (BE) Agent contains a file access vulnerability that could allow an attacker to specially craft input parameters on a data management protocol command to access files on the BE Agent machine. Apply updates per vendor instructions. 2023-04-28 https://www.veritas.com/support/en_US/security/VTS21-001
CVE-2021-27877 Veritas Backup Exec Agent Veritas Backup Exec Agent Improper Authentication Vulnerability 2023-04-07 Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme. Apply updates per vendor instructions. 2023-04-28 https://www.veritas.com/support/en_US/security/VTS21-001
CVE-2021-27878 Veritas Backup Exec Agent Veritas Backup Exec Agent Command Execution Vulnerability 2023-04-07 Veritas Backup Exec (BE) Agent contains a command execution vulnerability that could allow an attacker to use a data management protocol command to execute a command on the BE Agent machine. Apply updates per vendor instructions. 2023-04-28 https://www.veritas.com/support/en_US/security/VTS21-001
CVE-2019-1388 Microsoft Windows Microsoft Windows Certificate Dialog Privilege Escalation Vulnerability 2023-04-07 Microsoft Windows Certificate Dialog contains a privilege escalation vulnerability, allowing attackers to run processes in an elevated context. Apply updates per vendor instructions. 2023-04-28 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
CVE-2023-26083 Arm Mali Graphics Processing Unit (GPU) Arm Mali GPU Kernel Driver Information Disclosure Vulnerability 2023-04-07 Arm Mali GPU Kernel Driver contains an information disclosure vulnerability that allows a non-privileged user to make valid GPU processing operations that expose sensitive kernel metadata. Apply updates per vendor instructions. 2023-04-28 https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities
CVE-2023-28205 Apple Multiple Products Apple Multiple Products WebKit Use-After-Free Vulnerability 2023-04-10 Apple iOS, iPadOS, macOS, and Safari WebKit contain a use-after-free vulnerability that leads to code execution when processing maliciously crafted web content. Apply updates per vendor instructions. 2023-05-01 https://support.apple.com/en-us/HT213720,https://support.apple.com/en-us/HT213721,https://support.apple.com/en-us/HT213722,https://support.apple.com/en-us/HT213723
CVE-2023-28206 Apple iOS, iPadOS, and macOS Apple iOS, iPadOS, and macOS IOSurfaceAccelerator Out-of-Bounds Write Vulnerability 2023-04-10 Apple iOS, iPadOS, and macOS IOSurfaceAccelerator contain an out-of-bounds write vulnerability that allows an app to execute code with kernel privileges. Apply updates per vendor instructions. 2023-05-01 https://support.apple.com/en-us/HT213720, https://support.apple.com/en-us/HT213721
CVE-2023-28252 Microsoft Windows Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability 2023-04-11 Microsoft Windows Common Log File System (CLFS) driver contains an unspecified vulnerability that allows for privilege escalation. Apply updates per vendor instructions. 2023-05-02 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28252
CVE-2023-20963 Android Framework Android Framework Privilege Escalation Vulnerability 2023-04-13 Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed. Apply updates per vendor instructions. 2023-05-04 https://source.android.com/docs/security/bulletin/2023-03-01
CVE-2023-29492 Novi Survey Novi Survey Novi Survey Insecure Deserialization Vulnerability 2023-04-13 Novi Survey contains an insecure deserialization vulnerability that allows remote attackers to execute code on the server in the context of the service account. Apply updates per vendor instructions. 2023-05-04 https://novisurvey.net/blog/novi-survey-security-advisory-apr-2023.aspx
CVE-2019-8526 Apple macOS Apple macOS Use-After-Free Vulnerability 2023-04-17 Apple macOS contains a use-after-free vulnerability that could allow for privilege escalation. Apply updates per vendor instructions. 2023-05-08 https://support.apple.com/en-us/HT209600
CVE-2023-2033 Google Chromium V8 Engine Google Chromium V8 Type Confusion Vulnerability 2023-04-17 Google Chromium V8 contains a type confusion vulnerability. Specific impacts from exploitation are not available at this time. Apply updates per vendor instructions. 2023-05-08 https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html
CVE-2017-6742 Cisco IOS and IOS XE Software Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability 2023-04-19 The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE contains a vulnerability that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. Apply updates per vendor instructions. 2023-05-10 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170629-snmp
CVE-2023-28432 MinIO MinIO MinIO Information Disclosure Vulnerability 2023-04-21 MinIO contains a vulnerability in a cluster deployment where MinIO returns all environment variables, which allows for information disclosure. Apply updates per vendor instructions. 2023-05-12 https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q
CVE-2023-27350 PaperCut MF/NG PaperCut MF/NG Improper Access Control Vulnerability 2023-04-21 PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context of system. Apply updates per vendor instructions. 2023-05-12 https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
CVE-2023-2136 Google Chrome Google Chrome Skia Integer Overflow Vulnerability 2023-04-21 Google Chrome Skia contains an integer overflow vulnerability. Specific impacts from exploitation are not available at this time. This vulnerability resides in Skia which serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and other products. Apply updates per vendor instructions. 2023-05-12 https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html
CVE-2023-1389 TP-Link Archer AX21 TP-Link Archer AX-21 Command Injection Vulnerability 2023-05-01 TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution. Apply updates per vendor instructions. 2023-05-22 https://www.tp-link.com/us/support/download/archer-ax21/v3/#Firmware
CVE-2021-45046 Apache Log4j2 Apache Log4j2 Deserialization of Untrusted Data Vulnerability 2023-05-01 Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations. Apply updates per vendor instructions. 2023-05-22 https://logging.apache.org/log4j/2.x/security.html
CVE-2023-21839 Oracle WebLogic Server Oracle WebLogic Server Unspecified Vulnerability 2023-05-01 Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic Server. Apply updates per vendor instructions. 2023-05-22 https://www.oracle.com/security-alerts/cpujan2023.html
CVE-2023-29336 Microsoft Win32k Microsoft Win32K Privilege Escalation Vulnerability 2023-05-09 Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation up to SYSTEM privileges. Apply updates per vendor instructions. 2023-05-30 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-29336
CVE-2023-25717 Ruckus Wireless Multiple Products Multiple Ruckus Wireless Products CSRF and RCE Vulnerability 2023-05-12 Ruckus Wireless Access Point (AP) software contains an unspecified vulnerability in the web services component. If the web services component is enabled on the AP, an attacker can perform cross-site request forgery (CSRF) or remote code execution (RCE). This vulnerability impacts Ruckus ZoneDirector, SmartZone, and Solo APs. Apply updates per vendor instructions or disconnect product if it is end-of-life. 2023-06-02 https://support.ruckuswireless.com/security_bulletins/315
CVE-2021-3560 Red Hat Polkit Red Hat Polkit Incorrect Authorization Vulnerability 2023-05-12 Red Hat Polkit contains an incorrect authorization vulnerability through the bypassing of credential checks for D-Bus requests, allowing for privilege escalation. Apply updates per vendor instructions. 2023-06-02 https://bugzilla.redhat.com/show_bug.cgi?id=1961710
CVE-2014-0196 Linux Kernel Linux Kernel Race Condition Vulnerability 2023-05-12 Linux Kernel contains a race condition vulnerability within the n_tty_write function that allows local users to cause a denial-of-service or gain privileges via read and write operations with long strings. The impacted product is end-of-life and should be disconnected if still in use. 2023-06-02 https://lkml.iu.edu/hypermail/linux/kernel/1609.1/02103.html
CVE-2010-3904 Linux Kernel Linux Kernel Improper Input Validation Vulnerability 2023-05-12 Linux Kernel contains an improper input validation vulnerability in the Reliable Datagram Sockets (RDS) protocol implementation that allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls. The impacted product is end-of-life and should be disconnected if still in use. 2023-06-02 https://lkml.iu.edu/hypermail/linux/kernel/1601.3/06474.html
CVE-2015-5317 Jenkins Jenkins User Interface (UI) Jenkins User Interface (UI) Information Disclosure Vulnerability 2023-05-12 Jenkins User Interface (UI) contains an information disclosure vulnerability that allows users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages. Apply updates per vendor instructions. 2023-06-02 https://www.jenkins.io/security/advisory/2015-11-11/
CVE-2016-3427 Oracle Java SE and JRockit Oracle Java SE and JRockit Unspecified Vulnerability 2023-05-12 Oracle Java SE and JRockit contains an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Java Management Extensions (JMX). This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. Apply updates per vendor instructions. 2023-06-02 https://www.oracle.com/security-alerts/cpuapr2016v3.html
CVE-2016-8735 Apache Tomcat Apache Tomcat Remote Code Execution Vulnerability 2023-05-12 Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types. Apply updates per vendor instructions. 2023-06-02 https://tomcat.apache.org/security-9.html
CVE-2004-1464 Cisco IOS Cisco IOS Denial-of-Service Vulnerability 2023-05-19 Cisco IOS contains an unspecified vulnerability that may block further telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases, Hypertext Transport Protocol (HTTP) access to the Cisco device. Apply updates per vendor instructions. 2023-06-09 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040827-telnet
CVE-2016-6415 Cisco IOS, IOS XR, and IOS XE Cisco IOS, IOS XR, and IOS XE IKEv1 Information Disclosure Vulnerability 2023-05-19 Cisco IOS, IOS XR, and IOS XE contain insufficient condition checks in the part of the code that handles Internet Key Exchange version 1 (IKEv1) security negotiation requests. contains an information disclosure vulnerability in the Internet Key Exchange version 1 (IKEv1) that could allow an attacker to retrieve memory contents. Successful exploitation could allow the attacker to retrieve memory contents, which can lead to information disclosure. Apply updates per vendor instructions. 2023-06-09 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
CVE-2023-21492 Samsung Mobile Devices Samsung Mobile Devices Insertion of Sensitive Information Into Log File Vulnerability 2023-05-19 Samsung mobile devices running Android 11, 12, and 13 contain an insertion of sensitive information into log file vulnerability that allows a privileged, local attacker to conduct an address space layout randomization (ASLR) bypass. Apply updates per vendor instructions. 2023-06-09 https://security.samsungmobile.com/securityUpdate.smsb
CVE-2023-32409 Apple Multiple Products Apple Multiple Products WebKit Sandbox Escape Vulnerability 2023-05-22 Apple iOS, iPadOS, macOS, tvOS, watchOS, and Safari WebKit contain an unspecified vulnerability that can allow a remote attacker to break out of the Web Content sandbox. Apply updates per vendor instructions. 2023-06-12 https://support.apple.com/HT213757, https://support.apple.com/HT213758, https://support.apple.com/HT213761, https://support.apple.com/HT213762, https://support.apple.com/HT213764, https://support.apple.com/HT213765
CVE-2023-28204 Apple Multiple Products Apple Multiple Products WebKit Out-of-Bounds Read Vulnerability 2023-05-22 Apple iOS, iPadOS, macOS, tvOS, watchOS, and Safari WebKit contain an out-of-bounds read vulnerability that may disclose sensitive information. Apply updates per vendor instructions. 2023-06-12 https://support.apple.com/HT213757, https://support.apple.com/HT213758, https://support.apple.com/HT213761, https://support.apple.com/HT213762, https://support.apple.com/HT213764, https://support.apple.com/HT213765
CVE-2023-32373 Apple Multiple Products Apple Multiple Products WebKit Use-After-Free Vulnerability 2023-05-22 Apple iOS, iPadOS, macOS, tvOS, watchOS, and Safari WebKit contain a use-after-free vulnerability that leads to code execution. Apply updates per vendor instructions. 2023-06-12 https://support.apple.com/HT213757, https://support.apple.com/HT213758, https://support.apple.com/HT213761, https://support.apple.com/HT213762, https://support.apple.com/HT213764, https://support.apple.com/HT213765
CVE-2023-2868 Barracuda Networks Email Security Gateway (ESG) Appliance Barracuda Networks ESG Appliance Improper Input Validation Vulnerability 2023-05-26 Barracuda Email Security Gateway (ESG) appliance contains an improper input validation vulnerability of a user-supplied .tar file, leading to remote command injection. Apply updates per vendor instructions. 2023-06-16 https://status.barracuda.com/incidents/34kx82j5n4q9
CVE-2023-28771 Zyxel Multiple Firewalls Zyxel Multiple Firewalls OS Command Injection Vulnerability 2023-05-31 Zyxel ATP, USG FLEX, VPN, and ZyWALL/USG firewalls allow for improper error message handling which could allow an unauthenticated attacker to execute OS commands remotely by sending crafted packets to an affected device. Apply updates per vendor instructions. 2023-06-21 https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls
CVE-2023-34362 Progress MOVEit Transfer Progress MOVEit Transfer SQL Injection Vulnerability 2023-06-02 Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements. Apply updates per vendor instructions. 2023-06-23 https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
CVE-2023-33009 Zyxel Multiple Firewalls Zyxel Multiple Firewalls Buffer Overflow Vulnerability 2023-06-05 Zyxel ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, VPN, and ZyWALL/USG firewalls contain a buffer overflow vulnerability in the notification function that could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and remote code execution on an affected device. Apply updates per vendor instructions. 2023-06-26 https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls
CVE-2023-33010 Zyxel Multiple Firewalls Zyxel Multiple Firewalls Buffer Overflow Vulnerability 2023-06-05 Zyxel ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, VPN, and ZyWALL/USG firewalls contain a buffer overflow vulnerability in the ID processing function that could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and remote code execution on an affected device. Apply updates per vendor instructions. 2023-06-26 https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls
CVE-2023-3079 Google Chromium V8 Engine Google Chromium V8 Type Confusion Vulnerability 2023-06-07 Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. Apply updates per vendor instructions. 2023-06-28 https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop.html

Back to top