orikahmadov.com

Google Chromium V8 Type Confusion Vulnerability

Vendor: Google

Product: Chromium V8

Added: 2024-08-26

Due Date: 2024-09-16

Description:

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-843

Versa Director Dangerous File Type Upload Vulnerability

Vendor: Versa

Product: Director

Added: 2024-08-23

Due Date: 2024-09-13

Description:

The Versa Director GUI contains an unrestricted upload of file with dangerous type vulnerability that allows administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to customize the user interface. The “Change Favicon” (Favorite Icon) enables the upload of a .png file, which can be exploited to upload a malicious file with a .png extension disguised as an image.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-434

Microsoft Exchange Server Information Disclosure Vulnerability

Vendor: Microsoft

Product: Exchange Server

Added: 2024-08-21

Due Date: 2024-09-11

Description:

Microsoft Exchange Server contains an information disclosure vulnerability that allows for remote code execution.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Linux Kernel Heap-Based Buffer Overflow Vulnerability

Vendor: Linux

Product: Kernel

Added: 2024-08-21

Due Date: 2024-09-11

Description:

Linux kernel contains a heap-based buffer overflow vulnerability in the legacy_parse_param function in the Filesystem Context functionality. This allows an attacker to open a filesystem that does not support the Filesystem Context API and ultimately escalate privileges.

Required Action:

Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.

CWEs:

CWE-190

Dahua IP Camera Authentication Bypass Vulnerability

Vendor: Dahua

Product: IP Camera Firmware

Added: 2024-08-21

Due Date: 2024-09-11

Description:

Dahua IP cameras and related products contain an authentication bypass vulnerability when the loopback device is specified by the client during authentication.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-287

Dahua IP Camera Authentication Bypass Vulnerability

Vendor: Dahua

Product: IP Camera Firmware

Added: 2024-08-21

Due Date: 2024-09-11

Description:

Dahua IP cameras and related products contain an authentication bypass vulnerability when the NetKeyboard type argument is specified by the client during authentication.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-287

Ransomware

Jenkins Command Line Interface (CLI) Path Traversal Vulnerability

Vendor: Jenkins

Product: Jenkins Command Line Interface (CLI)

Added: 2024-08-19

Due Date: 2024-09-09

Description:

Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead to code execution.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-27

SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

Vendor: SolarWinds

Product: Web Help Desk

Added: 2024-08-15

Due Date: 2024-09-05

Description:

SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could allow for remote code execution.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-502

Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2024-08-13

Due Date: 2024-09-03

Description:

Microsoft Windows Power Dependency Coordinator contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to obtain SYSTEM privileges.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-416

Microsoft Windows Kernel Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2024-08-13

Due Date: 2024-09-03

Description:

Microsoft Windows Kernel contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges. Successful exploitation of this vulnerability requires an attacker to win a race condition.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-591

Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2024-08-13

Due Date: 2024-09-03

Description:

Microsoft Windows Ancillary Function Driver for WinSock contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-416

Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2024-08-13

Due Date: 2024-09-03

Description:

Microsoft Windows SmartScreen contains a security feature bypass vulnerability that allows an attacker to bypass the SmartScreen user experience via a malicious file.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-693

Microsoft Windows Scripting Engine Memory Corruption Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2024-08-13

Due Date: 2024-09-03

Description:

Microsoft Windows Scripting Engine contains a memory corruption vulnerability that allows unauthenticated attacker to initiate remote code execution via a specially crafted URL.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-843

Microsoft Project Remote Code Execution Vulnerability

Vendor: Microsoft

Product: Project

Added: 2024-08-13

Due Date: 2024-09-03

Description:

Microsoft Project contains an unspecified vulnerability that allows for remote code execution via a malicious file.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-20

Apache OFBiz Path Traversal Vulnerability

Vendor: Apache

Product: OFBiz

Added: 2024-08-07

Due Date: 2024-08-28

Description:

Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-22

CISA Known Exploited Vulnerabilities

Google Chromium V8 Type Confusion Vulnerability

Versa Director Dangerous File Type Upload Vulnerability

Microsoft Exchange Server Information Disclosure Vulnerability

Linux Kernel Heap-Based Buffer Overflow Vulnerability

Dahua IP Camera Authentication Bypass Vulnerability

Dahua IP Camera Authentication Bypass Vulnerability

Jenkins Command Line Interface (CLI) Path Traversal Vulnerability

SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability

Microsoft Windows Kernel Privilege Escalation Vulnerability

Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability

Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

Microsoft Windows Scripting Engine Memory Corruption Vulnerability

Microsoft Project Remote Code Execution Vulnerability

Apache OFBiz Path Traversal Vulnerability