CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2012-1823

PHP-CGI Query String Parameter Vulnerability

Vendor: PHP

Product: PHP

Added: 2022-03-25

Due Date: 2022-04-15

Description:

sapi/cgi/cgi_main.c in PHP, when configured as a CGI script, does not properly handle query strings, which allows remote attackers to execute arbitrary code.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2010-4345

Exim Privilege Escalation Vulnerability

Vendor: Exim

Product: Exim

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Exim allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-264

CVE-2010-4344

Exim Heap-Based Buffer Overflow Vulnerability

Vendor: Exim

Product: Exim

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-119

CVE-2010-3035

Cisco IOS XR Border Gateway Protocol (BGP) Denial-of-Service Vulnerability

Vendor: Cisco

Product: IOS XR

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Cisco IOS XR, when BGP is the configured routing feature, allows remote attackers to cause a denial-of-service (DoS).

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2010-2861

Ransomware

Adobe ColdFusion Directory Traversal Vulnerability

Vendor: Adobe

Product: ColdFusion

Added: 2022-03-25

Due Date: 2022-04-15

Description:

A directory traversal vulnerability exists in the administrator console in Adobe ColdFusion which allows remote attackers to read arbitrary files.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-22

CVE-2009-2055

Cisco IOS XR Border Gateway Protocol (BGP) Denial-of-Service Vulnerability

Vendor: Cisco

Product: IOS XR

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Cisco IOS XR,when BGP is the configured routing feature, allows remote attackers to cause a denial-of-service (DoS).

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2009-1151

phpMyAdmin Remote Code Execution Vulnerability

Vendor: phpMyAdmin

Product: phpMyAdmin

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-94

CVE-2009-0927

Adobe Reader and Adobe Acrobat Stack-Based Buffer Overflow Vulnerability

Vendor: Adobe

Product: Reader and Acrobat

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Stack-based buffer overflow in Adobe Reader and Adobe Acrobat allows remote attackers to execute arbitrary code.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2005-2773

HP OpenView Network Node Manager Remote Code Execution Vulnerability

Vendor: Hewlett Packard (HP)

Product: OpenView Network Node Manager

Added: 2022-03-25

Due Date: 2022-04-15

Description:

HP OpenView Network Node Manager could allow a remote attacker to execute arbitrary commands on the system.

Required Action:

Apply updates per vendor instructions.

CVE-2020-5135

SonicWall SonicOS Buffer Overflow Vulnerability

Vendor: SonicWall

Product: SonicOS

Added: 2022-03-15

Due Date: 2022-04-05

Description:

A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-120

CVE-2019-1405

Ransomware

Microsoft Windows Universal Plug and Play (UPnP) Service Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-03-15

Due Date: 2022-04-05

Description:

A privilege escalation vulnerability exists when the Windows UPnP service improperly allows COM object creation.

Required Action:

Apply updates per vendor instructions.

CVE-2019-1322

Ransomware

Microsoft Windows Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-03-15

Due Date: 2022-04-05

Description:

A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

Required Action:

Apply updates per vendor instructions.

CVE-2019-1315

Ransomware

Microsoft Windows Error Reporting Manager Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-03-15

Due Date: 2022-04-05

Description:

A privilege escalation vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-59

CVE-2019-1253

Ransomware

Microsoft Windows AppX Deployment Server Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-03-15

Due Date: 2022-04-05

Description:

A privilege escalation vulnerability exists when the Windows AppX Deployment Server improperly handles junctions.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-59

CVE-2019-1132

Microsoft Win32k Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Win32k

Added: 2022-03-15

Due Date: 2022-04-05

Description:

A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.

Required Action:

Apply updates per vendor instructions.