CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2020-0638

Ransomware

Microsoft Update Notification Manager Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Update Notification Manager

Added: 2022-05-23

Due Date: 2022-06-13

Description:

Microsoft Update Notification Manager contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CVE-2019-7286

Apple Multiple Products Memory Corruption Vulnerability

Vendor: Apple

Product: Multiple Products

Added: 2022-05-23

Due Date: 2022-06-13

Description:

Apple iOS, macOS, watchOS, and tvOS contain a memory corruption vulnerability that could allow for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-787

CVE-2019-7287

Apple iOS Memory Corruption Vulnerability

Vendor: Apple

Product: iOS

Added: 2022-05-23

Due Date: 2022-06-13

Description:

Apple iOS contains a memory corruption vulnerability which could allow an attacker to perform remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-787

CVE-2019-0676

Microsoft Internet Explorer Information Disclosure Vulnerability

Vendor: Microsoft

Product: Internet Explorer

Added: 2022-05-23

Due Date: 2022-06-13

Description:

An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited this vulnerability could test for the presence of files on disk.

Required Action:

Apply updates per vendor instructions.

CVE-2019-5786

Google Chrome Blink Use-After-Free Vulnerability

Vendor: Google

Product: Chrome Blink

Added: 2022-05-23

Due Date: 2022-06-13

Description:

Google Chrome Blink contains a heap use-after-free vulnerability that allows an attacker to potentially perform out-of-bounds memory access via a crafted HTML page.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-416

CVE-2019-0703

Microsoft Windows SMB Information Disclosure Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-05-23

Due Date: 2022-06-13

Description:

An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests, which could lead to information disclosure from the server.

Required Action:

Apply updates per vendor instructions.

CVE-2019-0880

Microsoft Windows Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-05-23

Due Date: 2022-06-13

Description:

A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity.

Required Action:

Apply updates per vendor instructions.

CVE-2019-13720

Google Chrome WebAudio Use-After-Free Vulnerability

Vendor: Google

Product: Chrome WebAudio

Added: 2022-05-23

Due Date: 2022-06-13

Description:

Google Chrome WebAudio contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-416

CVE-2019-11707

Mozilla Firefox and Thunderbird Type Confusion Vulnerability

Vendor: Mozilla

Product: Firefox and Thunderbird

Added: 2022-05-23

Due Date: 2022-06-13

Description:

Mozilla Firefox and Thunderbird contain a type confusion vulnerability that can occur when manipulating JavaScript objects due to issues in Array.pop, allowing for an exploitable crash.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-843

CVE-2019-11708

Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability

Vendor: Mozilla

Product: Firefox and Thunderbird

Added: 2022-05-23

Due Date: 2022-06-13

Description:

Mozilla Firefox and Thunderbird contain a sandbox escape vulnerability that could result in remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2019-8720

WebKitGTK Memory Corruption Vulnerability

Vendor: WebKitGTK

Product: WebKitGTK

Added: 2022-05-23

Due Date: 2022-06-13

Description:

WebKitGTK contains a memory corruption vulnerability which can allow an attacker to perform remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-119

CVE-2019-18426

WhatsApp Cross-Site Scripting Vulnerability

Vendor: Meta Platforms

Product: WhatsApp

Added: 2022-05-23

Due Date: 2022-06-13

Description:

A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-79

CVE-2019-1385

Ransomware

Microsoft Windows AppX Deployment Extensions Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-05-23

Due Date: 2022-06-13

Description:

A privilege escalation vulnerability exists when the Windows AppX Deployment Extensions improperly performs privilege management, resulting in access to system files.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-59

CVE-2019-1130

Ransomware

Microsoft Windows AppX Deployment Service Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-05-23

Due Date: 2022-06-13

Description:

A privilege escalation vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-59

CVE-2018-5002

Adobe Flash Player Stack-based Buffer Overflow Vulnerability

Vendor: Adobe

Product: Flash Player

Added: 2022-05-23

Due Date: 2022-06-13

Description:

Adobe Flash Player has a stack-based buffer overflow vulnerability that could lead to remote code execution.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-787