Active threat advisories and known exploited vulnerabilities.

Critical CVE-2023-20269 Cisco · Adaptive Security Appliance and Firepower Threat Defense Added Sep 13, 2023

Cisco Adaptive Security Appliance and Firepower Threat Defense Unauthorized Access Vulnerability

Cisco Adaptive Security Appliance and Firepower Threat Defense contain an unauthorized access vulnerability that could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or establish a clientless SSL VPN session with an unauthorized user.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-4863 Google · Chromium WebP Added Sep 13, 2023

Google Chromium WebP Heap-Based Buffer Overflow Vulnerability

Google Chromium WebP contains a heap-based buffer overflow vulnerability that allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. This vulnerability can affect applications that use the WebP Codec.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-36761 Microsoft · Word Added Sep 12, 2023

Microsoft Word Information Disclosure Vulnerability

Microsoft Word contains an unspecified vulnerability that allows for information disclosure.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-36802 Microsoft · Streaming Service Proxy Added Sep 12, 2023

Microsoft Streaming Service Proxy Privilege Escalation Vulnerability

Microsoft Streaming Service Proxy contains an unspecified vulnerability that allows for privilege escalation.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-41064 Apple · iOS, iPadOS, and macOS Added Sep 11, 2023

Apple iOS, iPadOS, and macOS ImageIO Buffer Overflow Vulnerability

Apple iOS, iPadOS, and macOS contain a buffer overflow vulnerability in ImageIO when processing a maliciously crafted image, which may lead to code execution. This vulnerability was chained with CVE-2023-41061.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-41061 Apple · iOS, iPadOS, and watchOS Added Sep 11, 2023

Apple iOS, iPadOS, and watchOS Wallet Code Execution Vulnerability

Apple iOS, iPadOS, and watchOS contain an unspecified vulnerability due to a validation issue affecting Wallet in which a maliciously crafted attachment may result in code execution. This vulnerability was chained with CVE-2023-41064.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-33246 Apache · RocketMQ Added Sep 6, 2023

Apache RocketMQ Command Execution Vulnerability

Several components of Apache RocketMQ, including NameServer, Broker, and Controller, are exposed to the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as or achieve the same effect by forging the RocketMQ protocol content.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-38831 RARLAB · WinRAR Added Aug 24, 2023

RARLAB WinRAR Code Execution Vulnerability

RARLAB WinRAR contains an unspecified vulnerability that allows an attacker to execute code when a user attempts to view a benign file within a ZIP archive.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-32315 Ignite Realtime · Openfire Added Aug 24, 2023

Ignite Realtime Openfire Path Traversal Vulnerability

Ignite Realtime Openfire contains a path traversal vulnerability that allows an unauthenticated attacker to access restricted pages in the Openfire Admin Console reserved for administrative users.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-38035 Ivanti · Sentry Added Aug 22, 2023

Ivanti Sentry Authentication Bypass Vulnerability

Ivanti Sentry, formerly known as MobileIron Sentry, contains an authentication bypass vulnerability that may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-27532 Veeam · Backup & Replication Added Aug 22, 2023

Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability

Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database. This may lead to an attacker gaining access to the backup infrastructure hosts.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-26359 Adobe · ColdFusion Added Aug 21, 2023

Adobe ColdFusion Deserialization of Untrusted Data Vulnerability

Adobe ColdFusion contains a deserialization of untrusted data vulnerability that could result in code execution in the context of the current user.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-24489 Citrix · Content Collaboration Added Aug 16, 2023

Citrix Content Collaboration ShareFile Improper Access Control Vulnerability

Citrix Content Collaboration contains an improper access control vulnerability that could allow an unauthenticated attacker to remotely compromise customer-managed ShareFile storage zones controllers.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-38180 Microsoft · .NET Core and Visual Studio Added Aug 9, 2023

Microsoft .NET Core and Visual Studio Denial-of-Service Vulnerability

Microsoft .NET Core and Visual Studio contain an unspecified vulnerability that allows for denial-of-service (DoS).

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2017-18368 Zyxel · P660HN-T1A Routers Added Aug 7, 2023

Zyxel P660HN-T1A Routers Command Injection Vulnerability

Zyxel P660HN-T1A routers contain a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user and exploited via the remote_host parameter of the ViewLog.asp page.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-35081 Ivanti · Endpoint Manager Mobile (EPMM) Added Jul 31, 2023

Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability

Ivanti Endpoint Manager Mobile (EPMM) contains a path traversal vulnerability that enables an authenticated administrator to perform malicious file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078 to bypass authentication and ACLs restrictions (if applicable).

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-37580 Synacor · Zimbra Collaboration Suite (ZCS) Added Jul 27, 2023

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability impacting the confidentiality and integrity of data.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-38606 Apple · Multiple Products Added Jul 26, 2023

Apple Multiple Products Kernel Unspecified Vulnerability

Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability allowing an app to modify a sensitive kernel state.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-35078 Ivanti · Endpoint Manager Mobile (EPMM) Added Jul 25, 2023

Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability

Ivanti Endpoint Manager Mobile (EPMM, previously branded MobileIron Core) contains an authentication bypass vulnerability that allows unauthenticated access to specific API paths. An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes including installing software and modifying security profiles on registered devices.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-29298 Adobe · ColdFusion Added Jul 20, 2023

Adobe ColdFusion Improper Access Control Vulnerability

Adobe ColdFusion contains an improper access control vulnerability that allows for a security feature bypass.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-38205 Adobe · ColdFusion Added Jul 20, 2023

Adobe ColdFusion Improper Access Control Vulnerability

Adobe ColdFusion contains an improper access control vulnerability that allows for a security feature bypass.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-3519 Citrix · NetScaler ADC and NetScaler Gateway Added Jul 19, 2023

Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability

Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-36884 Microsoft · Windows Added Jul 17, 2023

Microsoft Windows Search Remote Code Execution Vulnerability

Microsoft Windows Search contains an unspecified vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a specially crafted malicious file, leading to remote code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2022-29303 SolarView · Compact Added Jul 13, 2023

SolarView Compact Command Injection Vulnerability

SolarView Compact contains a command injection vulnerability due to improper validation of input values on the send test mail console of the product's web server.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Critical CVE-2023-37450 Apple · Multiple Products Added Jul 13, 2023

Apple Multiple Products WebKit Code Execution Vulnerability

Apple iOS, iPadOS, macOS, and Safari WebKit contain an unspecified vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed