CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2023-41990

Apple Multiple Products Code Execution Vulnerability

Vendor: Apple

Product: Multiple Products

Added: 2024-01-08

Due Date: 2024-01-29

Description:

Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability that allows for code execution when processing a font file.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2023-27524

Apache Superset Insecure Default Initialization of Resource Vulnerability

Vendor: Apache

Product: Superset

Added: 2024-01-08

Due Date: 2024-01-29

Description:

Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-1188

CVE-2023-29300

Ransomware

Adobe ColdFusion Deserialization of Untrusted Data Vulnerability

Vendor: Adobe

Product: ColdFusion

Added: 2024-01-08

Due Date: 2024-01-29

Description:

Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-502

CVE-2023-38203

Ransomware

Adobe ColdFusion Deserialization of Untrusted Data Vulnerability

Vendor: Adobe

Product: ColdFusion

Added: 2024-01-08

Due Date: 2024-01-29

Description:

Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-502

CVE-2023-7101

Spreadsheet::ParseExcel Remote Code Execution Vulnerability

Vendor: Spreadsheet::ParseExcel

Product: Spreadsheet::ParseExcel

Added: 2024-01-02

Due Date: 2024-01-23

Description:

Spreadsheet::ParseExcel contains a remote code execution vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings within the Excel parsing logic.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-95

CVE-2023-7024

Google Chromium WebRTC Heap Buffer Overflow Vulnerability

Vendor: Google

Product: Chromium WebRTC

Added: 2024-01-02

Due Date: 2024-01-23

Description:

Google Chromium WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could impact web browsers using WebRTC, including but not limited to Google Chrome.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-787

CVE-2023-49897

FXC AE1021, AE1021PE OS Command Injection Vulnerability

Vendor: FXC

Product: AE1021, AE1021PE

Added: 2023-12-21

Due Date: 2024-01-11

Description:

FXC AE1021 and AE1021PE contain an OS command injection vulnerability that allows authenticated users to execute commands via a network.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-78

CVE-2023-47565

QNAP VioStor NVR OS Command Injection Vulnerability

Vendor: QNAP

Product: VioStor NVR

Added: 2023-12-21

Due Date: 2024-01-11

Description:

QNAP VioStor NVR contains an OS command injection vulnerability that allows authenticated users to execute commands via a network.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-78

CVE-2023-6448

Unitronics Vision PLC and HMI Insecure Default Password Vulnerability

Vendor: Unitronics

Product: Vision PLC and HMI

Added: 2023-12-11

Due Date: 2023-12-18

Description:

Unitronics Vision Series PLCs and HMIs ship with an insecure default password, which, if left unchanged, can allow attackers to execute remote commands.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-1188

CVE-2023-41266

Ransomware

Qlik Sense Path Traversal Vulnerability

Vendor: Qlik

Product: Sense

Added: 2023-12-07

Due Date: 2023-12-28

Description:

Qlik Sense contains a path traversal vulnerability that allows a remote, unauthenticated attacker to create an anonymous session by sending maliciously crafted HTTP requests. This anonymous session could allow the attacker to send further requests to unauthorized endpoints.

Required Action:

Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.

CWEs:

CWE-20

CVE-2023-41265

Ransomware

Qlik Sense HTTP Tunneling Vulnerability

Vendor: Qlik

Product: Sense

Added: 2023-12-07

Due Date: 2023-12-28

Description:

Qlik Sense contains an HTTP tunneling vulnerability that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software.

Required Action:

Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.

CWEs:

CWE-444

CVE-2023-33107

Qualcomm Multiple Chipsets Integer Overflow Vulnerability

Vendor: Qualcomm

Product: Multiple Chipsets

Added: 2023-12-05

Due Date: 2023-12-26

Description:

Multiple Qualcomm chipsets contain an integer overflow vulnerability due to memory corruption in Graphics Linux while assigning a shared virtual memory region during an IOCTL call.

Required Action:

Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.

CWEs:

CWE-190

CVE-2023-33106

Qualcomm Multiple Chipsets Use of Out-of-Range Pointer Offset Vulnerability

Vendor: Qualcomm

Product: Multiple Chipsets

Added: 2023-12-05

Due Date: 2023-12-26

Description:

Multiple Qualcomm chipsets contain a use of out-of-range pointer offset vulnerability due to memory corruption in Graphics while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.

Required Action:

Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.

CWEs:

CWE-823

CVE-2023-33063

Qualcomm Multiple Chipsets Use-After-Free Vulnerability

Vendor: Qualcomm

Product: Multiple Chipsets

Added: 2023-12-05

Due Date: 2023-12-26

Description:

Multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services during a remote call from HLOS to DSP.

Required Action:

Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.

CWEs:

CWE-416

CVE-2022-22071

Qualcomm Multiple Chipsets Use-After-Free Vulnerability

Vendor: Qualcomm

Product: Multiple Chipsets

Added: 2023-12-05

Due Date: 2023-12-26

Description:

Multiple Qualcomm chipsets contain a use-after-free vulnerability when process shell memory is freed using an IOCTL munmap call while process initialization is in progress.

Required Action:

Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.

CWEs:

CWE-416