CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2022-40139

Trend Micro Apex One and Apex One as a Service Improper Validation Vulnerability

Vendor: Trend Micro

Product: Apex One and Apex One as a Service

Added: 2022-09-15

Due Date: 2022-10-06

Description:

Trend Micro Apex One and Apex One as a Service contain an improper validation of rollback mechanism components that could lead to remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-353 CWE-641

CVE-2013-6282

Linux Kernel Improper Input Validation Vulnerability

Vendor: Linux

Product: Kernel

Added: 2022-09-15

Due Date: 2022-10-06

Description:

The get_user and put_user API functions of the Linux kernel fail to validate the target address when being used on ARM v6k/v7 platforms. This allows an application to read and write kernel memory which could lead to privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2013-2597

Code Aurora ACDB Audio Driver Stack-based Buffer Overflow Vulnerability

Vendor: Code Aurora

Product: ACDB Audio Driver

Added: 2022-09-15

Due Date: 2022-10-06

Description:

The Code Aurora audio calibration database (acdb) audio driver contains a stack-based buffer overflow vulnerability that allows for privilege escalation. Code Aurora is used in third-party products such as Qualcomm and Android.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-119

CVE-2013-2596

Linux Kernel Integer Overflow Vulnerability

Vendor: Linux

Product: Kernel

Added: 2022-09-15

Due Date: 2022-10-06

Description:

Linux kernel fb_mmap function in drivers/video/fbmem.c contains an integer overflow vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-189

CVE-2013-2094

Linux Kernel Privilege Escalation Vulnerability

Vendor: Linux

Product: Kernel

Added: 2022-09-15

Due Date: 2022-10-06

Description:

Linux kernel fails to check all 64 bits of attr.config passed by user space, resulting in out-of-bounds access of the perf_swevent_enabled array in sw_perf_event_destroy(). Exploitation allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-189

CVE-2010-2568

Microsoft Windows Remote Code Execution Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-09-15

Due Date: 2022-10-06

Description:

Microsoft Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the operating system displays the icon of a malicious shortcut file. An attacker who successfully exploited this vulnerability could execute code as the logged-on user.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2022-37969

Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-09-14

Due Date: 2022-10-05

Description:

Microsoft Windows Common Log File System (CLFS) driver contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20 CWE-787

CVE-2022-32917

Apple iOS, iPadOS, and macOS Remote Code Execution Vulnerability

Vendor: Apple

Product: iOS, iPadOS, and macOS

Added: 2022-09-14

Due Date: 2022-10-05

Description:

Apple kernel, which is included in iOS, iPadOS, and macOS, contains an unspecified vulnerability where an application may be able to execute code with kernel privileges.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20 CWE-787

CVE-2022-3075

Google Chromium Mojo Insufficient Data Validation Vulnerability

Vendor: Google

Product: Chromium Mojo

Added: 2022-09-08

Due Date: 2022-09-29

Description:

Google Chromium Mojo contains an insufficient data validation vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2022-27593

Ransomware

QNAP Photo Station Externally Controlled Reference Vulnerability

Vendor: QNAP

Product: Photo Station

Added: 2022-09-08

Due Date: 2022-09-29

Description:

Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-610

CVE-2022-26258

D-Link DIR-820L Remote Code Execution Vulnerability

Vendor: D-Link

Product: DIR-820L

Added: 2022-09-08

Due Date: 2022-09-29

Description:

D-Link DIR-820L contains an unspecified vulnerability in the Device Name parameter in /lan.asp which allows for remote code execution.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-78

CVE-2020-9934

Apple iOS, iPadOS, and macOS Input Validation Vulnerability

Vendor: Apple

Product: iOS, iPadOS, and macOS

Added: 2022-09-08

Due Date: 2022-09-29

Description:

Apple iOS, iPadOS, and macOS contain an unspecified vulnerability involving input validation which can allow a local attacker to view sensitive user information.

Required Action:

Apply updates per vendor instructions.

CVE-2018-7445

MikroTik RouterOS Stack-Based Buffer Overflow Vulnerability

Vendor: MikroTik

Product: RouterOS

Added: 2022-09-08

Due Date: 2022-09-29

Description:

In MikroTik RouterOS, a stack-based buffer overflow occurs when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-119

CVE-2018-6530

Ransomware

D-Link Multiple Routers OS Command Injection Vulnerability

Vendor: D-Link

Product: Multiple Routers

Added: 2022-09-08

Due Date: 2022-09-29

Description:

Multiple D-Link routers contain an unspecified vulnerability that allows for execution of OS commands.

Required Action:

The vendor D-Link published an advisory stating the fix under CVE-2018-20114 properly patches KEV entry CVE-2018-6530. If the device is still supported, apply updates per vendor instructions. If the affected device has since entered its end-of-life, it should be disconnected if still in use.

CWEs:

CWE-78

CVE-2018-2628

Oracle WebLogic Server Unspecified Vulnerability

Vendor: Oracle

Product: WebLogic Server

Added: 2022-09-08

Due Date: 2022-09-29

Description:

Oracle WebLogic Server contains an unspecified vulnerability which can allow an unauthenticated attacker with T3 network access to compromise the server.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-502