This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).
CVE-2011-2005
Vendor: Microsoft
Product: Ancillary Function Driver (afd.sys)
Added: 2022-03-28
Due Date: 2022-04-18
Description:
afd.sys in the Ancillary Function Driver in Microsoft Windows does not properly validate user-mode input passed to kernel mode, which allows local users to gain privileges via a crafted application.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2010-4398
Vendor: Microsoft
Product: Windows
Added: 2022-03-28
Due Date: 2022-04-21
Description:
Stack-based buffer overflow in the RtlQueryRegistryValues function in win32k.sys in Microsoft Windows allows local users to gain privileges, and bypass the User Account Control (UAC) feature.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2022-26318
Vendor: WatchGuard
Product: Firebox and XTM Appliances
Added: 2022-03-25
Due Date: 2022-04-15
Description:
On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2022-26143
Vendor: Mitel
Product: MiCollab, MiVoice Business Express
Added: 2022-03-25
Due Date: 2022-04-15
Description:
A vulnerability has been identified in MiCollab and MiVoice Business Express that may allow a malicious actor to gain unauthorized access to sensitive information and services, cause performance degradations or a denial of service condition on the affected system.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2022-21999
Vendor: Microsoft
Product: Windows
Added: 2022-03-25
Due Date: 2022-04-15
Description:
Microsoft Windows Print Spooler contains an unspecified vulnerability which can allow for privilege escalation.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2021-42237
Vendor: Sitecore
Product: XP
Added: 2022-03-25
Due Date: 2022-04-15
Description:
Sitcore XP contains an insecure deserialization vulnerability which can allow for remote code execution.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2021-22941
Vendor: Citrix
Product: ShareFile
Added: 2022-03-25
Due Date: 2022-04-15
Description:
Improper Access Control in Citrix ShareFile storage zones controller may allow an unauthenticated attacker to remotely compromise the storage zones controller.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2020-9377
Vendor: D-Link
Product: DIR-610 Devices
Added: 2022-03-25
Due Date: 2022-04-15
Description:
D-Link DIR-610 devices allow remote code execution via the cmd parameter to command.php.
Required Action:
The impacted product is end-of-life and should be disconnected if still in use.
CWEs:
CVE-2020-9054
Vendor: Zyxel
Product: Multiple Network-Attached Storage (NAS) Devices
Added: 2022-03-25
Due Date: 2022-04-15
Description:
Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2020-7247
Vendor: OpenBSD
Product: OpenSMTPD
Added: 2022-03-25
Due Date: 2022-04-15
Description:
smtp_mailaddr in smtp_session.c in OpenSMTPD, as used in OpenBSD and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2020-5410
Vendor: VMware Tanzu
Product: Spring Cloud Configuration (Config) Server
Added: 2022-03-25
Due Date: 2022-04-15
Description:
Spring, by VMware Tanzu, Cloud Config contains a path traversal vulnerability that allows applications to serve arbitrary configuration files.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2020-25223
Vendor: Sophos
Product: SG UTM
Added: 2022-03-25
Due Date: 2022-04-15
Description:
A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2020-2506
Vendor: QNAP Systems
Product: Helpdesk
Added: 2022-03-25
Due Date: 2022-04-15
Description:
QNAP Helpdesk contains an improper access control vulnerability which could allow an attacker to gain privileges or to read sensitive information.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2020-2021
Vendor: Palo Alto Networks
Product: PAN-OS
Added: 2022-03-25
Due Date: 2022-04-15
Description:
Palo Alto Networks PAN-OS contains a vulnerability in SAML which allows an attacker to bypass authentication.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2020-1956
Vendor: Apache
Product: Kylin
Added: 2022-03-25
Due Date: 2022-04-15
Description:
Apache Kylin contains an OS command injection vulnerability which could permit an attacker to perform remote code execution.
Required Action:
Apply updates per vendor instructions.
CWEs: