CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2014-6287

Rejetto HTTP File Server (HFS) Remote Code Execution Vulnerability

Vendor: Rejetto

Product: HTTP File Server (HFS)

Added: 2022-03-25

Due Date: 2022-04-15

Description:

The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (HFS or HttpFileServer) allows remote attackers to execute arbitrary programs.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-94

CVE-2014-3120

Elasticsearch Remote Code Execution Vulnerability

Vendor: Elastic

Product: Elasticsearch

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Elasticsearch enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-284

CVE-2014-0130

Ruby on Rails Directory Traversal Vulnerability

Vendor: Rails

Product: Ruby on Rails

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails allows remote attackers to read arbitrary files via a crafted request.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-22

CVE-2013-5223

D-Link DSL-2760U Gateway Cross-Site Scripting Vulnerability

Vendor: D-Link

Product: DSL-2760U

Added: 2022-03-25

Due Date: 2022-04-15

Description:

A cross-site scripting (XSS) vulnerability exists in the D-Link DSL-2760U gateway, allowing remote authenticated users to inject arbitrary web script or HTML.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-79

CVE-2013-4810

HP Multiple Products Remote Code Execution Vulnerability

Vendor: Hewlett Packard (HP)

Product: ProCurve Manager (PCM), PCM+, Identity Driven Manager (IDM), and Application Lifecycle Management

Added: 2022-03-25

Due Date: 2022-04-15

Description:

HP ProCurve Manager (PCM), PCM+, Identity Driven Manager (IDM), and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-94

CVE-2013-2251

Apache Struts Improper Input Validation Vulnerability

Vendor: Apache

Product: Struts

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Apache Struts allows remote attackers to execute arbitrary Object-Graph Navigation Language (OGNL) expressions.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2012-1823

PHP-CGI Query String Parameter Vulnerability

Vendor: PHP

Product: PHP

Added: 2022-03-25

Due Date: 2022-04-15

Description:

sapi/cgi/cgi_main.c in PHP, when configured as a CGI script, does not properly handle query strings, which allows remote attackers to execute arbitrary code.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2010-4345

Exim Privilege Escalation Vulnerability

Vendor: Exim

Product: Exim

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Exim allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-264

CVE-2010-4344

Exim Heap-Based Buffer Overflow Vulnerability

Vendor: Exim

Product: Exim

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-119

CVE-2010-3035

Cisco IOS XR Border Gateway Protocol (BGP) Denial-of-Service Vulnerability

Vendor: Cisco

Product: IOS XR

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Cisco IOS XR, when BGP is the configured routing feature, allows remote attackers to cause a denial-of-service (DoS).

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2010-2861

Ransomware

Adobe ColdFusion Directory Traversal Vulnerability

Vendor: Adobe

Product: ColdFusion

Added: 2022-03-25

Due Date: 2022-04-15

Description:

A directory traversal vulnerability exists in the administrator console in Adobe ColdFusion which allows remote attackers to read arbitrary files.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-22

CVE-2009-2055

Cisco IOS XR Border Gateway Protocol (BGP) Denial-of-Service Vulnerability

Vendor: Cisco

Product: IOS XR

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Cisco IOS XR, when BGP is the configured routing feature, allows remote attackers to cause a denial-of-service (DoS).

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2009-1151

phpMyAdmin Remote Code Execution Vulnerability

Vendor: phpMyAdmin

Product: phpMyAdmin

Added: 2022-03-25

Due Date: 2022-04-15

Description:

The setup script used to generate the configuration can be fooled, via a crafted POST request, into including arbitrary PHP code in the generated configuration file.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-94

CVE-2009-0927

Adobe Reader and Adobe Acrobat Stack-Based Buffer Overflow Vulnerability

Vendor: Adobe

Product: Reader and Acrobat

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Stack-based buffer overflow in Adobe Reader and Adobe Acrobat allows remote attackers to execute arbitrary code.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2005-2773

HP OpenView Network Node Manager Remote Code Execution Vulnerability

Vendor: Hewlett Packard (HP)

Product: OpenView Network Node Manager

Added: 2022-03-25

Due Date: 2022-04-15

Description:

HP OpenView Network Node Manager could allow a remote attacker to execute arbitrary commands on the system.

Required Action:

Apply updates per vendor instructions.