Security Bulletins

Active threat advisories and known exploited vulnerabilities.

Pulled daily from the CISA Known Exploited Vulnerabilities catalog. Every entry has confirmed active exploitation in the wild. Last synced Jun 12, 2026.

1,619 total bulletins · 1,619 critical or high severity · Source: CISA KEV + NVD
Critical CVE-2024-8190 Ivanti · Cloud Services Appliance Added Sep 13, 2024

Ivanti Cloud Services Appliance OS Command Injection Vulnerability

Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2024-38217 Microsoft · Windows Added Sep 10, 2024

Microsoft Windows Mark of the Web (MOTW) Protection Mechanism Failure Vulnerability

Microsoft Windows Mark of the Web (MOTW) contains a protection mechanism failure vulnerability that allows an attacker to bypass MOTW-based defenses. This can result in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2024-38014 Microsoft · Windows Added Sep 10, 2024

Microsoft Windows Installer Improper Privilege Management Vulnerability

Microsoft Windows Installer contains an improper privilege management vulnerability that could allow an attacker to gain SYSTEM privileges.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2024-38226 Microsoft · Publisher Added Sep 10, 2024

Microsoft Publisher Protection Mechanism Failure Vulnerability

Microsoft Publisher contains a protection mechanism failure vulnerability that allows an attacker to bypass Office macro policies used to block untrusted or malicious files.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2024-40766 SonicWall · SonicOS Added Sep 9, 2024

SonicWall SonicOS Improper Access Control Vulnerability

SonicWall SonicOS contains an improper access control vulnerability that could lead to unauthorized resource access and, under certain conditions, may cause the firewall to crash.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2017-1000253 Linux · Kernel Added Sep 9, 2024

Linux Kernel PIE Stack Buffer Corruption Vulnerability

Linux kernel contains a position-independent executable (PIE) stack buffer corruption vulnerability in load_elf_binary() that allows a local attacker to escalate privileges.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2016-3714 ImageMagick · ImageMagick Added Sep 9, 2024

ImageMagick Improper Input Validation Vulnerability

ImageMagick contains an improper input validation vulnerability that affects the EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT coders. This allows a remote attacker to execute arbitrary code via shell metacharacters in a crafted image.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2024-7262 Kingsoft · WPS Office Added Sep 3, 2024

Kingsoft WPS Office Path Traversal Vulnerability

Kingsoft WPS Office contains a path traversal vulnerability in promecefpluginhost.exe on Windows that allows an attacker to load an arbitrary Windows library.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-20124 DrayTek · VigorConnect Added Sep 3, 2024

Draytek VigorConnect Path Traversal Vulnerability

Draytek VigorConnect contains a path traversal vulnerability in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-20123 DrayTek · VigorConnect Added Sep 3, 2024

Draytek VigorConnect Path Traversal Vulnerability

Draytek VigorConnect contains a path traversal vulnerability in the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2024-7965 Google · Chromium V8 Added Aug 28, 2024

Google Chromium V8 Inappropriate Implementation Vulnerability

Google Chromium V8 contains an inappropriate implementation vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2024-38856 Apache · OFBiz Added Aug 27, 2024

Apache OFBiz Incorrect Authorization Vulnerability

Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2024-7971 Google · Chromium V8 Added Aug 26, 2024

Google Chromium V8 Type Confusion Vulnerability

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2024-39717 Versa · Director Added Aug 23, 2024

Versa Director Dangerous File Type Upload Vulnerability

The Versa Director GUI contains an unrestricted upload of file with dangerous type vulnerability that allows administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to customize the user interface. The “Change Favicon” (Favorite Icon) option enables the upload of a .png file, which can be exploited to upload a malicious file with a .png extension disguised as an image.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-31196 Microsoft · Exchange Server Added Aug 21, 2024

Microsoft Exchange Server Information Disclosure Vulnerability

Microsoft Exchange Server contains an information disclosure vulnerability that allows for remote code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2022-0185 Linux · Kernel Added Aug 21, 2024

Linux Kernel Heap-Based Buffer Overflow Vulnerability

Linux kernel contains a heap-based buffer overflow vulnerability in the legacy_parse_param function in the Filesystem Context functionality. This allows an attacker to open a filesystem that does not support the Filesystem Context API and ultimately escalate privileges.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-33045 Dahua · IP Camera Firmware Added Aug 21, 2024

Dahua IP Camera Authentication Bypass Vulnerability

Dahua IP cameras and related products contain an authentication bypass vulnerability when the loopback device is specified by the client during authentication.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-33044 Dahua · IP Camera Firmware Added Aug 21, 2024

Dahua IP Camera Authentication Bypass Vulnerability

Dahua IP cameras and related products contain an authentication bypass vulnerability when the NetKeyboard type argument is specified by the client during authentication.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2024-23897 Jenkins · Jenkins Command Line Interface (CLI) Added Aug 19, 2024

Jenkins Command Line Interface (CLI) Path Traversal Vulnerability

Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead to code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2024-28986 SolarWinds · Web Help Desk Added Aug 15, 2024

SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could allow for remote code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2024-38107 Microsoft · Windows Added Aug 13, 2024

Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability

Microsoft Windows Power Dependency Coordinator contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to obtain SYSTEM privileges.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2024-38106 Microsoft · Windows Added Aug 13, 2024

Microsoft Windows Kernel Privilege Escalation Vulnerability

Microsoft Windows Kernel contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges. Successful exploitation of this vulnerability requires an attacker to win a race condition.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2024-38193 Microsoft · Windows Added Aug 13, 2024

Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability

Microsoft Windows Ancillary Function Driver for WinSock contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2024-38213 Microsoft · Windows Added Aug 13, 2024

Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

Microsoft Windows SmartScreen contains a security feature bypass vulnerability that allows an attacker to bypass the SmartScreen user experience via a malicious file.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2024-38178 Microsoft · Windows Added Aug 13, 2024

Microsoft Windows Scripting Engine Memory Corruption Vulnerability

Microsoft Windows Scripting Engine contains a memory corruption vulnerability that allows an unauthenticated attacker to initiate remote code execution via a specially crafted URL.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed