This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).
CVE-2023-1671
Vendor: Sophos
Product: Web Appliance
Added: 2023-11-16
Due Date: 2023-12-07
Description:
Sophos Web Appliance contains a command injection vulnerability in the warn-proceed handler that allows for remote code execution.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2020-2551
Vendor: Oracle
Product: Fusion Middleware
Added: 2023-11-16
Due Date: 2023-12-07
Description:
Oracle Fusion Middleware contains an unspecified vulnerability in the WLS Core Components that allows an unauthenticated attacker with network access via IIOP to compromise the WebLogic Server.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CVE-2023-36033
Vendor: Microsoft
Product: Windows
Added: 2023-11-14
Due Date: 2023-12-05
Description:
Microsoft Windows Desktop Window Manager (DWM) Core Library contains an unspecified vulnerability that allows for privilege escalation.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-36025
Vendor: Microsoft
Product: Windows
Added: 2023-11-14
Due Date: 2023-12-05
Description:
Microsoft Windows SmartScreen contains a security feature bypass vulnerability that could allow an attacker to bypass Windows Defender SmartScreen checks and their associated prompts.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CVE-2023-36036
Vendor: Microsoft
Product: Windows
Added: 2023-11-14
Due Date: 2023-12-05
Description:
Microsoft Windows Cloud Files Mini Filter Driver contains a privilege escalation vulnerability that could allow an attacker to gain SYSTEM privileges.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-47246
Vendor: SysAid
Product: SysAid Server
Added: 2023-11-13
Due Date: 2023-12-04
Description:
SysAid Server (on-premises version) contains a path traversal vulnerability that leads to code execution.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-36844
Vendor: Juniper
Product: Junos OS
Added: 2023-11-13
Due Date: 2023-11-17
Description:
Juniper Junos OS on EX Series contains a PHP external variable modification vulnerability that allows an unauthenticated, network-based attacker to control certain, important environment variables. Using a crafted request an attacker is able to modify certain PHP environment variables, leading to partial loss of integrity, which may allow chaining to other vulnerabilities.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-36845
Vendor: Juniper
Product: Junos OS
Added: 2023-11-13
Due Date: 2023-11-17
Description:
Juniper Junos OS on EX Series and SRX Series contains a PHP external variable modification vulnerability that allows an unauthenticated, network-based attacker to control an important environment variable. Using a crafted request, which sets the variable PHPRC, an attacker is able to modify the PHP execution environment allowing the injection und execution of code.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-36846
Vendor: Juniper
Product: Junos OS
Added: 2023-11-13
Due Date: 2023-11-17
Description:
Juniper Junos OS on SRX Series contains a missing authentication for critical function vulnerability that allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to user.php that doesn't require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-36847
Vendor: Juniper
Product: Junos OS
Added: 2023-11-13
Due Date: 2023-11-17
Description:
Juniper Junos OS on EX Series contains a missing authentication for critical function vulnerability that allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to installAppPackage.php that doesn't require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-36851
Vendor: Juniper
Product: Junos OS
Added: 2023-11-13
Due Date: 2023-11-17
Description:
Juniper Junos OS on SRX Series contains a missing authentication for critical function vulnerability that allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to webauth_operation.php that doesn't require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-29552
Vendor: IETF
Product: Service Location Protocol (SLP)
Added: 2023-11-08
Due Date: 2023-11-29
Description:
The Service Location Protocol (SLP) contains a denial-of-service (DoS) vulnerability that could allow an unauthenticated, remote attacker to register services and use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor.
Required Action:
Apply mitigations per vendor instructions or disable SLP service or port 427/UDP on all systems running on untrusted networks, including those directly connected to the Internet.
CVE-2023-22518
Vendor: Atlassian
Product: Confluence Data Center and Server
Added: 2023-11-07
Due Date: 2023-11-28
Description:
Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an unauthenticated attacker. There is no impact on confidentiality since the attacker cannot exfiltrate any data.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-46604
Vendor: Apache
Product: ActiveMQ
Added: 2023-11-02
Due Date: 2023-11-23
Description:
Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-46748
Vendor: F5
Product: BIG-IP Configuration Utility
Added: 2023-10-31
Due Date: 2023-11-21
Description:
F5 BIG-IP Configuration utility contains an SQL injection vulnerability that may allow an authenticated attacker with network access through the BIG-IP management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46747.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs: