CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2020-2506

QNAP Helpdesk Improper Access Control Vulnerability

Vendor: QNAP Systems

Product: Helpdesk

Added: 2022-03-25

Due Date: 2022-04-15

Description:

QNAP Helpdesk contains an improper access control vulnerability which could allow an attacker to gain privileges or to read sensitive information.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-284

CVE-2020-2021

Ransomware

Palo Alto Networks PAN-OS Authentication Bypass Vulnerability

Vendor: Palo Alto Networks

Product: PAN-OS

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Palo Alto Networks PAN-OS contains a vulnerability in SAML which allows an attacker to bypass authentication.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-347

CVE-2020-1956

Apache Kylin OS Command Injection Vulnerability

Vendor: Apache

Product: Kylin

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Apache Kylin contains an OS command injection vulnerability which could permit an attacker to perform remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2020-1631

Juniper Junos OS Path Traversal Vulnerability

Vendor: Juniper

Product: Junos OS

Added: 2022-03-25

Due Date: 2022-04-15

Description:

A path traversal vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-22 CWE-73

CVE-2019-6340

Drupal Core Remote Code Execution Vulnerability

Vendor: Drupal

Product: Core

Added: 2022-03-25

Due Date: 2022-04-15

Description:

In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-502

CVE-2019-2616

Oracle BI Publisher Unauthorized Access Vulnerability

Vendor: Oracle

Product: BI Publisher (Formerly XML Publisher)

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Oracle BI Publisher, formerly XML Publisher, contains an unspecified vulnerability that allows for various unauthorized actions. Open-source reporting attributes this vulnerability to allowing for authentication bypass.

Required Action:

Apply updates per vendor instructions.

CVE-2019-16920

D-Link Multiple Routers Command Injection Vulnerability

Vendor: D-Link

Product: Multiple Routers

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Multiple D-Link routers contain a command injection vulnerability which can allow attackers to achieve full system compromise.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-78

CVE-2019-15107

Webmin Command Injection Vulnerability

Vendor: Webmin

Product: Webmin

Added: 2022-03-25

Due Date: 2022-04-15

Description:

An issue was discovered in Webmin. The parameter old in password_change.cgi contains a command injection vulnerability.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2019-12991

Citrix SD-WAN and NetScaler Command Injection Vulnerability

Vendor: Citrix

Product: SD-WAN and NetScaler

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Citrix SD-WAN Appliance and NetScaler SD-WAN Appliance contain an authenticated command injection vulnerability.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2019-12989

Citrix SD-WAN and NetScaler SQL Injection Vulnerability

Vendor: Citrix

Product: SD-WAN and NetScaler

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Citrix SD-WAN and NetScaler SD-WAN allow SQL Injection.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-89

CVE-2019-11043

Ransomware

PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability

Vendor: PHP

Product: FastCGI Process Manager (FPM)

Added: 2022-03-25

Due Date: 2022-04-15

Description:

In some versions of PHP, in certain FPM configurations, it is possible to cause the FPM module to write past allocated buffers, allowing the possibility of remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-120

CVE-2019-10068

Kentico Xperience Deserialization of Untrusted Data Vulnerability

Vendor: Kentico

Product: Xperience

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Kentico contains a failure to validate security headers; the resulting deserialization of untrusted data can lead to unauthenticated remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-502

CVE-2019-1003030

Jenkins Matrix Project Plugin Remote Code Execution Vulnerability

Vendor: Jenkins

Product: Matrix Project Plugin

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Jenkins Matrix Project plugin contains a vulnerability which can allow users to escape the sandbox, opening the opportunity to perform remote code execution.

Required Action:

Apply updates per vendor instructions.

CVE-2019-0903

Microsoft GDI Remote Code Execution Vulnerability

Vendor: Microsoft

Product: Graphics Device Interface (GDI)

Added: 2022-03-25

Due Date: 2022-04-15

Description:

A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system.

Required Action:

Apply updates per vendor instructions.

CVE-2018-8414

Microsoft Windows Shell Remote Code Execution Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-03-25

Due Date: 2022-04-15

Description:

A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20