orikahmadov.com

Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability

Vendor: Qualcomm

Product: Multiple Chipsets

Added: 2025-06-03

Due Date: 2025-06-24

Description:

Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-863

Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability

Vendor: Qualcomm

Product: Multiple Chipsets

Added: 2025-06-03

Due Date: 2025-06-24

Description:

Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-863

Qualcomm Multiple Chipsets Use-After-Free Vulnerability

Vendor: Qualcomm

Product: Multiple Chipsets

Added: 2025-06-03

Due Date: 2025-06-24

Description:

Multiple Qualcomm chipsets contain a use-after-free vulnerability. This vulnerability allows for memory corruption while rendering graphics using Adreno GPU drivers in Chrome.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-416

ASUS Routers Improper Authentication Vulnerability

Vendor: ASUS

Product: Routers

Added: 2025-06-02

Due Date: 2025-06-23

Description:

ASUS Lyra Mini and ASUS GT-AC2900 devices contain an improper authentication vulnerability that allows an attacker to gain unauthorized access to the administrative interface. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-287

ConnectWise ScreenConnect Improper Authentication Vulnerability

Vendor: ConnectWise

Product: ScreenConnect

Added: 2025-06-02

Due Date: 2025-06-23

Description:

ConnectWise ScreenConnect contains an improper authentication vulnerability. This vulnerability could allow a ViewState code injection attack, which could allow remote code execution if machine keys are compromised.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-287

Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability

Vendor: Craft CMS

Product: Craft CMS

Added: 2025-06-02

Due Date: 2025-06-23

Description:

Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-472

Craft CMS Code Injection Vulnerability

Vendor: Craft CMS

Product: Craft CMS

Added: 2025-06-02

Due Date: 2025-06-23

Description:

Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-94

ASUS RT-AX55 Routers OS Command Injection Vulnerability

Vendor: ASUS

Product: RT-AX55 Routers

Added: 2025-06-02

Due Date: 2025-06-23

Description:

ASUS RT-AX55 devices contain an OS command injection vulnerability that could allow a remote, authenticated attacker to execute arbitrary commands. As represented by CVE-2023-41346.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-78

Samsung MagicINFO 9 Server Path Traversal Vulnerability

Vendor: Samsung

Product: MagicINFO 9 Server

Added: 2025-05-22

Due Date: 2025-06-12

Description:

Samsung MagicINFO 9 Server contains a path traversal vulnerability that allows an attacker to write arbitrary file as system authority.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-22

ZKTeco BioTime Path Traversal Vulnerability

Vendor: ZKTeco

Product: BioTime

Added: 2025-05-19

Due Date: 2025-06-09

Description:

ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-22

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Vendor: Synacor

Product: Zimbra Collaboration Suite (ZCS)

Added: 2025-05-19

Due Date: 2025-06-09

Description:

Zimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an email message containing a crafted calendar header, leading to the execution of arbitrary JavaScript code.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-79

Srimax Output Messenger Directory Traversal Vulnerability

Vendor: Srimax

Product: Output Messenger

Added: 2025-05-19

Due Date: 2025-06-09

Description:

Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-22

MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability

Vendor: MDaemon

Product: Email Server

Added: 2025-05-19

Due Date: 2025-06-09

Description:

MDaemon Email Server contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to load arbitrary JavaScript code via an HTML e-mail message.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-79

Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability

Vendor: Ivanti

Product: Endpoint Manager Mobile (EPMM)

Added: 2025-05-19

Due Date: 2025-06-09

Description:

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. This vulnerability results from an insecure implementation of the Hibernate Validator open-source library, as represented by CVE-2025-35036.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-94

Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability

Vendor: Ivanti

Product: Endpoint Manager Mobile (EPMM)

Added: 2025-05-19

Due Date: 2025-06-09

Description:

Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted API requests. This vulnerability results from an insecure implementation of the Spring Framework open-source library.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-288

CISA Known Exploited Vulnerabilities

Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability

Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability

Qualcomm Multiple Chipsets Use-After-Free Vulnerability

ASUS Routers Improper Authentication Vulnerability

ConnectWise ScreenConnect Improper Authentication Vulnerability

Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability

Craft CMS Code Injection Vulnerability

ASUS RT-AX55 Routers OS Command Injection Vulnerability

Samsung MagicINFO 9 Server Path Traversal Vulnerability

ZKTeco BioTime Path Traversal Vulnerability

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Srimax Output Messenger Directory Traversal Vulnerability

MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability

Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability

Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability