CISA Known Exploited Vulnerabilities

This dashboard displays the most recent entries added to the Known Exploited Vulnerabilities (KEV) catalog maintained by the Cybersecurity & Infrastructure Security Agency (CISA). For each entry, "Added" is the date CISA placed it in the catalog and "Due Date" is the deadline by which federal civilian agencies must remediate it under Binding Operational Directive 22-01; a "Ransomware" tag marks entries CISA has flagged as known to be used in ransomware campaigns.
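The same fields can be consumed programmatically from CISA's JSON feed. The following is an added example, not CISA's code or part of this dashboard: it loads a KEV-shaped feed, joins it against a small asset inventory, and orders the matches by how far past their due date they are. The feed subset is constructed from the entries shown on this page, the host names are invented, and the feed URL in the docstring is the public one CISA publishes.

```python
"""Added example, not CISA's code: triage KEV entries against an asset inventory.

The record layout follows the public feed at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
(cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse).
The feed subset and the inventory below are constructed for this example from
the entries shown on the dashboard; the host names are invented.
"""
import json
from datetime import date

# Constructed subset of the feed, same field names as CISA's JSON.
KEV_FEED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2018-13374", "vendorProject": "Fortinet",
     "product": "FortiOS and FortiADC", "dateAdded": "2022-09-08",
     "dueDate": "2022-09-29", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2018-2628", "vendorProject": "Oracle",
     "product": "WebLogic Server", "dateAdded": "2022-09-08",
     "dueDate": "2022-09-29", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2022-26352", "vendorProject": "dotCMS", "product": "dotCMS",
     "dateAdded": "2022-08-25", "dueDate": "2022-09-15",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-39226", "vendorProject": "Grafana Labs",
     "product": "Grafana", "dateAdded": "2022-08-25", "dueDate": "2022-09-15",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: (vendorProject, product) spelled exactly as in the feed -> hosts.
INVENTORY = {
    ("Oracle", "WebLogic Server"): ["app-01", "app-02"],
    ("Grafana Labs", "Grafana"): ["mon-01"],
    ("Fortinet", "FortiOS and FortiADC"): ["fw-edge"],
}


def triage(feed_json: str, inventory: dict, today_iso: str) -> list:
    """Return the KEV entries that match the inventory, most urgent first.

    Order: days past the BOD 22-01 due date (descending), then entries CISA
    flags as used in ransomware campaigns, then CVE ID for a stable order.
    Entries whose product is not in the inventory are dropped.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        hosts = inventory.get((v["vendorProject"], v["product"]))
        if not hosts:
            continue
        due = date.fromisoformat(v["dueDate"])
        findings.append({
            "cve": v["cveID"],
            "hosts": list(hosts),
            "due": v["dueDate"],
            "days_overdue": max(0, (today - due).days),
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        })
    findings.sort(key=lambda f: (-f["days_overdue"], not f["ransomware"], f["cve"]))
    return findings


if __name__ == "__main__":
    for f in triage(KEV_FEED_JSON, INVENTORY, "2022-09-20"):
        flag = " [ransomware]" if f["ransomware"] else ""
        print(f'{f["cve"]} due {f["due"]} overdue {f["days_overdue"]}d'
              f' on {", ".join(f["hosts"])}{flag}')
```

The join key is the literal vendor/product pair, which is how the feed spells them; in practice that pair has to be mapped onto whatever your CMDB uses, and a missing mapping silently drops an entry, so the inventory side deserves the same review as the feed side.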

CVE-2020-9934

Apple iOS, iPadOS, and macOS Input Validation Vulnerability

Vendor: Apple

Product: iOS, iPadOS, and macOS

Added: 2022-09-08

Due Date: 2022-09-29

Description:

Apple iOS, iPadOS, and macOS contain an unspecified vulnerability involving input validation which can allow a local attacker to view sensitive user information.

Required Action:

Apply updates per vendor instructions.

CVE-2018-7445

MikroTik RouterOS Stack-Based Buffer Overflow Vulnerability

Vendor: MikroTik

Product: RouterOS

Added: 2022-09-08

Due Date: 2022-09-29

Description:

In MikroTik RouterOS, a stack-based buffer overflow occurs when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-119

CVE-2018-6530

Ransomware

D-Link Multiple Routers OS Command Injection Vulnerability

Vendor: D-Link

Product: Multiple Routers

Added: 2022-09-08

Due Date: 2022-09-29

Description:

Multiple D-Link routers contain an unspecified vulnerability that allows for execution of OS commands.

Required Action:

The vendor D-Link published an advisory stating the fix under CVE-2018-20114 properly patches KEV entry CVE-2018-6530. If the device is still supported, apply updates per vendor instructions. If the affected device has since entered its end-of-life, it should be disconnected if still in use.

CWEs:

CWE-78

CVE-2018-2628

Oracle WebLogic Server Unspecified Vulnerability

Vendor: Oracle

Product: WebLogic Server

Added: 2022-09-08

Due Date: 2022-09-29

Description:

Oracle WebLogic Server contains an unspecified vulnerability which can allow an unauthenticated attacker with T3 network access to compromise the server.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-502

CVE-2018-13374

Ransomware

Fortinet FortiOS and FortiADC Improper Access Control Vulnerability

Vendor: Fortinet

Product: FortiOS and FortiADC

Added: 2022-09-08

Due Date: 2022-09-29

Description:

Fortinet FortiOS and FortiADC contain an improper access control vulnerability that allows attackers to obtain the LDAP server login credentials configured in FortiGate by pointing an LDAP server connectivity test request at a rogue LDAP server.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-732
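The Fortinet entry above describes the mechanism in one sentence: the connectivity test binds to whatever server it is pointed at, using the stored LDAP account. The following added example, which is neither Fortinet's nor CISA's code, shows what a rogue LDAP server actually receives in that bind and why the credential must be treated as compromised once such a test has been redirected. It encodes and decodes an LDAPv3 simple BindRequest by hand; the bind DN and password are constructed sample values, not captured from a device, and the loopback listener stands in for the attacker's server.

```python
"""Added example, not Fortinet's or CISA's code: what a rogue LDAP server captures
when an LDAP connectivity test is pointed at it.

A connectivity test binds to the server with the stored LDAP account, and an
LDAPv3 simple bind carries the DN and password as cleartext BER strings unless
the session is wrapped in TLS. Decoding that one message is all a rogue server
needs to do. The BindRequest bytes used below are constructed by
build_simple_bind, not captured from a device.
"""
import socket
import threading


def ber_encode(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with a definite (short or long form) length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def ber_decode(buf: bytes, i: int):
    """Decode the BER TLV at buf[i]; return (tag, value, index after it)."""
    tag = buf[i]
    first = buf[i + 1]
    if first < 0x80:
        length, start = first, i + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
    return tag, buf[start:start + length], start + length


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Encode an LDAPv3 simple BindRequest (message IDs < 128 only; enough for a test)."""
    bind = (ber_encode(0x02, bytes([3]))            # version 3
            + ber_encode(0x04, dn.encode())         # name: LDAPDN
            + ber_encode(0x80, password.encode()))  # authentication: simple [0]
    return ber_encode(0x30, ber_encode(0x02, bytes([message_id])) + ber_encode(0x60, bind))


def parse_simple_bind(msg: bytes):
    """Return (message_id, dn, password) for a simple BindRequest, else None."""
    tag, body, _ = ber_decode(msg, 0)          # LDAPMessage ::= SEQUENCE
    if tag != 0x30:
        return None
    tag, mid, i = ber_decode(body, 0)          # messageID INTEGER
    if tag != 0x02:
        return None
    tag, bind, _ = ber_decode(body, i)         # protocolOp: BindRequest [APPLICATION 0]
    if tag != 0x60:
        return None
    _, _version, i = ber_decode(bind, 0)       # version INTEGER
    _, dn, i = ber_decode(bind, i)             # name
    auth_tag, secret, _ = ber_decode(bind, i)  # authentication choice
    if auth_tag != 0x80:                       # [3] SASL: no cleartext password here
        return None
    return int.from_bytes(mid, "big"), dn.decode(), secret.decode()


def rogue_ldap_capture(client_msg: bytes):
    """One-shot rogue listener on loopback: accept one bind and return what it leaked.

    The caller plays the device running its connectivity test; in the real
    scenario that is the FortiGate binding to an attacker-chosen server.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                 # port 0: let the OS pick a free port
    srv.listen(1)
    captured = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            captured.append(parse_simple_bind(conn.recv(65536)))
        # A real rogue server would answer with a successful BindResponse so the
        # device reports the test as passed; the credentials are already leaked.

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    with socket.create_connection(srv.getsockname()) as client:
        client.sendall(client_msg)
    worker.join(timeout=5)
    srv.close()
    return captured[0] if captured else None


if __name__ == "__main__":
    sample = build_simple_bind(1, "cn=ldap-bind,dc=example,dc=com", "S3cret!")
    print(rogue_ldap_capture(sample))
```

Two practical consequences follow from the decode: the LDAP account a firewall binds with should be a dedicated, read-only account so that its exposure cannot be escalated, and once a connectivity test has been pointed at an untrusted host the password must be rotated rather than merely the server address corrected. Wrapping the bind in TLS stops a passive observer, but not a rogue server that is itself the TLS peer.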

CVE-2017-5521

NETGEAR Multiple Devices Exposure of Sensitive Information Vulnerability

Vendor: NETGEAR

Product: Multiple Devices

Added: 2022-09-08

Due Date: 2022-09-29

Description:

Multiple NETGEAR devices are prone to admin password disclosure via simple crafted requests to the web management server.

Required Action:

Apply updates per vendor instructions. If the affected device has since entered end-of-life, it should be disconnected if still in use.

CWEs:

CWE-200

CVE-2011-4723

D-Link DIR-300 Router Cleartext Storage of a Password Vulnerability

Vendor: D-Link

Product: DIR-300 Router

Added: 2022-09-08

Due Date: 2022-09-29

Description:

The D-Link DIR-300 router stores cleartext passwords, which allows context-dependent attackers to obtain sensitive information.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-310

CVE-2011-1823

Android OS Privilege Escalation Vulnerability

Vendor: Android

Product: Android OS

Added: 2022-09-08

Due Date: 2022-09-29

Description:

The vold volume manager daemon in Android, a userspace process running as root, trusts messages received from a PF_NETLINK socket, which allows a local attacker to execute arbitrary code and gain root privileges: a negative partition index passes a maximum-only signed integer check in DirectVolume::handlePartitionAdded and triggers memory corruption. This vulnerability is associated with the GingerBreak exploit and the Exploit.AndroidOS.Lotoor detection name.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-189

CVE-2022-26352

Ransomware

dotCMS Unrestricted Upload of File Vulnerability

Vendor: dotCMS

Product: dotCMS

Added: 2022-08-25

Due Date: 2022-09-15

Description:

The dotCMS ContentResource API contains an unrestricted upload of a file with a dangerous type vulnerability that also allows directory traversal: the uploaded file can be saved outside the intended storage location. Exploitation allows for remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-22

CWE-138
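The dotCMS entry combines two weaknesses that are usually fixed together: a file name that is allowed to carry directory components, and a file type the server will later execute. The following added example, not dotCMS's code, shows one way to close both in an upload handler. It keeps only the final component of the client-supplied name, enforces an extension allowlist, and then confirms with realpath that the resolved target is still under the upload directory. The upload directory, file names and allowed extensions are constructed for the example.

```python
"""Added example, not dotCMS's code: confining an uploaded file to its storage
directory and to an allowed type.

The dotCMS entry describes the general pattern: a client-supplied file name that
is joined to the upload directory without normalisation lets "../" segments (or
an absolute path) place the file somewhere the server will later execute it.
Directory names, file names and the extension allowlist are constructed here.
"""
import os
import posixpath
import tempfile

ALLOWED_EXTENSIONS = frozenset({".png", ".jpg", ".jpeg", ".pdf"})


class UnsafeUpload(ValueError):
    pass


def safe_upload_path(upload_dir: str, client_name: str,
                     allowed=ALLOWED_EXTENSIONS) -> str:
    """Return an absolute path inside upload_dir for client_name, or raise UnsafeUpload.

    1. Keep only the last path component (treating '\\' as a separator as well).
    2. Reject empty, dot and NUL-containing names and disallowed extensions.
    3. Resolve both sides with realpath and require the target to stay under the
       upload directory, which also covers an upload_dir that is itself a symlink.
    """
    name = posixpath.basename(posixpath.normpath("/" + client_name.replace("\\", "/")))
    if name in ("", ".", "..") or "\x00" in name:
        raise UnsafeUpload(f"rejected file name {client_name!r}")
    ext = os.path.splitext(name)[1].lower()
    if ext not in allowed:
        raise UnsafeUpload(f"type {ext!r} not allowed for {client_name!r}")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise UnsafeUpload(f"{client_name!r} resolves outside {root}")
    return target


def demo_results(upload_dir=None) -> dict:
    """Run a set of constructed file names through safe_upload_path.

    Returns {client_name: stored base name or "rejected"} so the outcomes can be
    inspected; the only filesystem effect is one temporary directory.
    """
    root = upload_dir or tempfile.mkdtemp(prefix="uploads-")
    names = [
        "report.pdf",                              # benign
        "../../../webapps/ROOT/report.pdf",        # traversal, harmless type
        "..\\..\\tomcat\\webapps\\ROOT\\x.png",    # Windows separators
        "/etc/cron.d/job.png",                     # absolute path
        "../../webapps/ROOT/shell.jsp",            # traversal to an executable type
        "shell.jsp",                               # disallowed type alone
        "..",                                      # no file name at all
    ]
    out = {}
    for n in names:
        try:
            out[n] = os.path.basename(safe_upload_path(root, n))
        except UnsafeUpload:
            out[n] = "rejected"
    return out


if __name__ == "__main__":
    for client_name, outcome in demo_results().items():
        print(f"{client_name!r:45} -> {outcome}")
```

The order of the checks matters: the extension is tested on the normalised base name, not on the raw client string, so a name such as "shell.jsp/../x.png" cannot hide its real extension, and the realpath comparison runs last so that it sees the exact path the write would use.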

CVE-2022-24706

Apache CouchDB Insecure Default Initialization of Resource Vulnerability

Vendor: Apache

Product: CouchDB

Added: 2022-08-25

Due Date: 2022-09-15

Description:

Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-1188

CVE-2022-24112

Apache APISIX Authentication Bypass Vulnerability

Vendor: Apache

Product: APISIX

Added: 2022-08-25

Due Date: 2022-09-15

Description:

Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-290

CVE-2022-22963

VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability

Vendor: VMware Tanzu

Product: Spring Cloud

Added: 2022-08-25

Due Date: 2022-09-15

Description:

When the routing functionality of VMware Tanzu's Spring Cloud Function is used, a user can supply a specially crafted SpEL expression as the routing expression, which may result in remote code execution and access to local resources.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-94

CVE-2022-2294

WebRTC Heap Buffer Overflow Vulnerability

Vendor: WebRTC

Product: WebRTC

Added: 2022-08-25

Due Date: 2022-09-15

Description:

WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows an attacker to execute arbitrary code. This vulnerability affects web browsers that use WebRTC, including but not limited to Google Chrome.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-122

CVE-2021-39226

Grafana Authentication Bypass Vulnerability

Vendor: Grafana Labs

Product: Grafana

Added: 2022-08-25

Due Date: 2022-09-15

Description:

Grafana contains an authentication bypass vulnerability that allows authenticated and unauthenticated users to view and delete all snapshot data, potentially resulting in complete snapshot data loss.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-287

CVE-2021-38406

Delta Electronics DOPSoft 2 Improper Input Validation Vulnerability

Vendor: Delta Electronics

Product: DOPSoft 2

Added: 2022-08-25

Due Date: 2022-09-15

Description:

Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing specific project files (improper input validation) resulting in an out-of-bounds write that allows for code execution.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-787