This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).
CVE-2013-2596
Vendor: Linux
Product: Kernel
Added: 2022-09-15
Due Date: 2022-10-06
Description:
Linux kernel fb_mmap function in drivers/video/fbmem.c contains an integer overflow vulnerability that allows for privilege escalation.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2013-2094
Vendor: Linux
Product: Kernel
Added: 2022-09-15
Due Date: 2022-10-06
Description:
Linux kernel fails to check all 64 bits of attr.config passed by user space, resulting to out-of-bounds access of the perf_swevent_enabled array in sw_perf_event_destroy(). Explotation allows for privilege escalation.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2010-2568
Vendor: Microsoft
Product: Windows
Added: 2022-09-15
Due Date: 2022-10-06
Description:
Microsoft Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the operating system displays the icon of a malicious shortcut file. An attacker who successfully exploited this vulnerability could execute code as the logged-on user.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2022-37969
Vendor: Microsoft
Product: Windows
Added: 2022-09-14
Due Date: 2022-10-05
Description:
Microsoft Windows Common Log File System (CLFS) driver contains an unspecified vulnerability that allows for privilege escalation.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2022-32917
Vendor: Apple
Product: iOS, iPadOS, and macOS
Added: 2022-09-14
Due Date: 2022-10-05
Description:
Apple kernel, which is included in iOS, iPadOS, and macOS, contains an unspecified vulnerability where an application may be able to execute code with kernel privileges.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2022-3075
Vendor: Google
Product: Chromium Mojo
Added: 2022-09-08
Due Date: 2022-09-29
Description:
Google Chromium Mojo contains an insufficient data validation vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2022-27593
Vendor: QNAP
Product: Photo Station
Added: 2022-09-08
Due Date: 2022-09-29
Description:
Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2022-26258
Vendor: D-Link
Product: DIR-820L
Added: 2022-09-08
Due Date: 2022-09-29
Description:
D-Link DIR-820L contains an unspecified vulnerability in Device Name parameter in /lan.asp which allows for remote code execution.
Required Action:
The impacted product is end-of-life and should be disconnected if still in use.
CWEs:
CVE-2020-9934
Vendor: Apple
Product: iOS, iPadOS, and macOS
Added: 2022-09-08
Due Date: 2022-09-29
Description:
Apple iOS, iPadOS, and macOS contain an unspecified vulnerability involving input validation which can allow a local attacker to view sensitive user information.
Required Action:
Apply updates per vendor instructions.
CVE-2018-7445
Vendor: MikroTik
Product: RouterOS
Added: 2022-09-08
Due Date: 2022-09-29
Description:
In MikroTik RouterOS, a stack-based buffer overflow occurs when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2018-6530
Vendor: D-Link
Product: Multiple Routers
Added: 2022-09-08
Due Date: 2022-09-29
Description:
Multiple D-Link routers contain an unspecified vulnerability that allows for execution of OS commands.
Required Action:
The vendor D-Link published an advisory stating the fix under CVE-2018-20114 properly patches KEV entry CVE-2018-6530. If the device is still supported, apply updates per vendor instructions. If the affected device has since entered its end-of-life, it should be disconnected if still in use.
CWEs:
CVE-2018-2628
Vendor: Oracle
Product: WebLogic Server
Added: 2022-09-08
Due Date: 2022-09-29
Description:
Oracle WebLogic Server contains an unspecified vulnerability which can allow an unauthenticated attacker with T3 network access to compromise the server.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2018-13374
Vendor: Fortinet
Product: FortiOS and FortiADC
Added: 2022-09-08
Due Date: 2022-09-29
Description:
Fortinet FortiOS and FortiADC contain an improper access control vulnerability that allows attackers to obtain the LDAP server login credentials configured in FortiGate by pointing a LDAP server connectivity test request to a rogue LDAP server.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2017-5521
Vendor: NETGEAR
Product: Multiple Devices
Added: 2022-09-08
Due Date: 2022-09-29
Description:
Multiple NETGEAR devices are prone to admin password disclosure via simple crafted requests to the web management server.
Required Action:
Apply updates per vendor instructions. If the affected device has since entered end-of-life, it should be disconnected if still in use.
CWEs:
CVE-2011-4723
Vendor: D-Link
Product: DIR-300 Router
Added: 2022-09-08
Due Date: 2022-09-29
Description:
The D-Link DIR-300 router stores cleartext passwords, which allows context-dependent attackers to obtain sensitive information.
Required Action:
The impacted product is end-of-life and should be disconnected if still in use.
CWEs: