CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2020-1631

Juniper Junos OS Path Traversal Vulnerability

Vendor: Juniper

Product: Junos OS

Added: 2022-03-25

Due Date: 2022-04-15

Description:

A path traversal vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-22 CWE-73

CVE-2019-6340

Drupal Core Remote Code Execution Vulnerability

Vendor: Drupal

Product: Core

Added: 2022-03-25

Due Date: 2022-04-15

Description:

In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-502

CVE-2019-2616

Oracle BI Publisher Unauthorized Access Vulnerability

Vendor: Oracle

Product: BI Publisher (Formerly XML Publisher)

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Oracle BI Publisher, formerly XML Publisher, contains an unspecified vulnerability that allows for various unauthorized actions. Open-source reporting attributes this vulnerability to allowing for authentication bypass.

Required Action:

Apply updates per vendor instructions.

CVE-2019-16920

D-Link Multiple Routers Command Injection Vulnerability

Vendor: D-Link

Product: Multiple Routers

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Multiple D-Link routers contain a command injection vulnerability which can allow attackers to achieve full system compromise.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-78

CVE-2019-15107

Ransomware

Webmin Command Injection Vulnerability

Vendor: Webmin

Product: Webmin

Added: 2022-03-25

Due Date: 2022-04-15

Description:

An issue was discovered in Webmin. The parameter old in password_change.cgi contains a command injection vulnerability.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2019-12991

Citrix SD-WAN and NetScaler Command Injection Vulnerability

Vendor: Citrix

Product: SD-WAN and NetScaler

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Authenticated Command Injection in Citrix SD-WAN Appliance and NetScaler SD-WAN Appliance.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2019-12989

Citrix SD-WAN and NetScaler SQL Injection Vulnerability

Vendor: Citrix

Product: SD-WAN and NetScaler

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Citrix SD-WAN and NetScaler SD-WAN allow SQL Injection.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-89

CVE-2019-11043

Ransomware

PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability

Vendor: PHP

Product: FastCGI Process Manager (FPM)

Added: 2022-03-25

Due Date: 2022-04-15

Description:

In some versions of PHP in certain configurations of FPM setup, it is possible to cause FPM module to write past allocated buffers allowing the possibility of remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-120

CVE-2019-10068

Kentico Xperience Deserialization of Untrusted Data Vulnerability

Vendor: Kentico

Product: Xperience

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Kentico contains a failure to validate security headers. This deserialization can led to unauthenticated remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-502

CVE-2019-1003030

Jenkins Matrix Project Plugin Remote Code Execution Vulnerability

Vendor: Jenkins

Product: Matrix Project Plugin

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Jenkins Matrix Project plugin contains a vulnerability which can allow users to escape the sandbox, opening opportunity to perform remote code execution.

Required Action:

Apply updates per vendor instructions.

CVE-2019-0903

Microsoft GDI Remote Code Execution Vulnerability

Vendor: Microsoft

Product: Graphics Device Interface (GDI)

Added: 2022-03-25

Due Date: 2022-04-15

Description:

A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system.

Required Action:

Apply updates per vendor instructions.

CVE-2018-8414

Microsoft Windows Shell Remote Code Execution Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-03-25

Due Date: 2022-04-15

Description:

A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2018-8373

Microsoft Scripting Engine Memory Corruption Vulnerability

Vendor: Microsoft

Product: Internet Explorer Scripting Engine

Added: 2022-03-25

Due Date: 2022-04-15

Description:

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-787

CVE-2018-6961

VMware SD-WAN Edge by VeloCloud Command Injection Vulnerability

Vendor: VMware

Product: SD-WAN Edge

Added: 2022-03-25

Due Date: 2022-04-15

Description:

VMware SD-WAN Edge by VeloCloud contains a command injection vulnerability in the local web UI component. Successful exploitation of this issue could result in remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2018-14839

LG N1A1 NAS Remote Command Execution Vulnerability

Vendor: LG

Product: N1A1 NAS

Added: 2022-03-25

Due Date: 2022-04-15

Description:

LG N1A1 NAS 3718.510 is affected by a remote code execution vulnerability.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78