Active threat advisories and known exploited vulnerabilities.

Critical CVE-2024-29745 Android · Pixel Added Apr 4, 2024

Android Pixel Information Disclosure Vulnerability

Android Pixel contains an information disclosure vulnerability in the fastboot firmware used to support unlocking, flashing, and locking affected devices.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-24955 Microsoft · SharePoint Server Added Mar 26, 2024

Microsoft SharePoint Server Code Injection Vulnerability

Microsoft SharePoint Server contains a code injection vulnerability that allows an authenticated attacker with Site Owner privileges to execute code remotely.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2019-7256 Nice · Linear eMerge E3-Series Added Mar 25, 2024

Nice Linear eMerge E3-Series OS Command Injection Vulnerability

Nice Linear eMerge E3-Series contains an OS command injection vulnerability that allows an attacker to conduct remote code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2021-44529 Ivanti · Endpoint Manager Cloud Service Appliance (EPM CSA) Added Mar 25, 2024

Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability

Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) contains a code injection vulnerability that allows an unauthenticated user to execute malicious code with limited permissions (nobody).

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-48788 Fortinet · FortiClient EMS Added Mar 25, 2024

Fortinet FortiClient EMS SQL Injection Vulnerability

Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2024-27198 JetBrains · TeamCity Added Mar 7, 2024

JetBrains TeamCity Authentication Bypass Vulnerability

JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2024-23225 Apple · Multiple Products Added Mar 6, 2024

Apple Multiple Products Memory Corruption Vulnerability

Apple iOS, iPadOS, macOS, tvOS, watchOS, and visionOS kernel contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2024-23296 Apple · Multiple Products Added Mar 6, 2024

Apple Multiple Products Memory Corruption Vulnerability

Apple iOS, iPadOS, macOS, tvOS, and watchOS RTKit contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-21237 Android · Pixel Added Mar 5, 2024

Android Pixel Information Disclosure Vulnerability

Android Pixel contains a vulnerability in the Framework component, where the UI may be misleading or insufficient, providing a means to hide a foreground service notification. This could enable a local attacker to disclose sensitive information.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2021-36380 Sunhillo · SureLine Added Mar 5, 2024

Sunhillo SureLine OS Command Injection Vulnerablity

Sunhillo SureLine contains an OS command injection vulnerability that allows an attacker to cause a denial-of-service or utilize the device for persistence on the network via shell metacharacters in ipAddr or dnsAddr in /cgi/networkDiag.cgi.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2024-21338 Microsoft · Windows Added Mar 4, 2024

Microsoft Windows Kernel Exposed IOCTL with Insufficient Access Control Vulnerability

Microsoft Windows Kernel contains an exposed IOCTL with insufficient access control vulnerability within the IOCTL (input and output control) dispatcher in appid.sys that allows a local attacker to achieve privilege escalation.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-29360 Microsoft · Streaming Service Added Feb 29, 2024

Microsoft Streaming Service Untrusted Pointer Dereference Vulnerability

Microsoft Streaming Service contains an untrusted pointer dereference vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2024-1709 ConnectWise · ScreenConnect Added Feb 22, 2024

ConnectWise ScreenConnect Authentication Bypass Vulnerability

ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, administrator-level account on affected devices.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2020-3259 Cisco · Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Added Feb 15, 2024

Cisco ASA and FTD Information Disclosure Vulnerability

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2024-21410 Microsoft · Exchange Server Added Feb 15, 2024

Microsoft Exchange Server Privilege Escalation Vulnerability

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2024-21412 Microsoft · Windows Added Feb 13, 2024

Microsoft Windows Internet Shortcut Files Security Feature Bypass Vulnerability

Microsoft Windows Internet Shortcut Files contains an unspecified vulnerability that allows for a security feature bypass.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2024-21351 Microsoft · Windows Added Feb 13, 2024

Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

Microsoft Windows SmartScreen contains a security feature bypass vulnerability that allows an attacker to bypass the SmartScreen user experience and inject code to potentially gain code execution, which could lead to some data exposure, lack of system availability, or both.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-43770 Roundcube · Webmail Added Feb 12, 2024

Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability

Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2024-21762 Fortinet · FortiOS Added Feb 9, 2024

Fortinet FortiOS Out-of-Bound Write Vulnerability

Fortinet FortiOS contains an out-of-bound write vulnerability that allows a remote unauthenticated attacker to execute code or commands via specially crafted HTTP requests.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-4762 Google · Chromium V8 Added Feb 6, 2024

Google Chromium V8 Type Confusion Vulnerability

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2022-48618 Apple · Multiple Products Added Jan 31, 2024

Apple Multiple Products Memory Corruption Vulnerability

Apple iOS, iPadOS, macOS, tvOS, and watchOS contain a time-of-check/time-of-use (TOCTOU) memory corruption vulnerability that allows an attacker with read and write capabilities to bypass Pointer Authentication.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2024-21893 Ivanti · Connect Secure, Policy Secure, and Neurons Added Jan 31, 2024

Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-22527 Atlassian · Confluence Data Center and Server Added Jan 24, 2024

Atlassian Confluence Data Center and Server Template Injection Vulnerability

Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2024-23222 Apple · Multiple Products Added Jan 23, 2024

Apple Multiple Products WebKit Type Confusion Vulnerability

Apple iOS, iPadOS, macOS, tvOS, and Safari WebKit contain a type confusion vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-34048 VMware · vCenter Server Added Jan 22, 2024

VMware vCenter Server Out-of-Bounds Write Vulnerability

VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol that allows an attacker to conduct remote code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed