orikahmadov.com

Ransomware

Cisco ASA and FTD Cross-Site Scripting (XSS) Vulnerability

Vendor: Cisco

Product: Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an insufficient input validation vulnerability for user-supplied input by the web services interface. Successful exploitation could allow an attacker to perform cross-site scripting (XSS) in the context of the interface or access sensitive browser-based information.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-79

Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability

Vendor: Cisco

Product: HyperFlex HX

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the root user.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

Cisco HyperFlex HX Data Platform Command Injection Vulnerability

Vendor: Cisco

Product: HyperFlex HX

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the tomcat8 user.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability

Vendor: Cisco

Product: IOS and IOS XE

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected device, cause a denial-of-service (DoS) condition, or perform code execution on the affected device.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

Cisco IOS XR Software Discovery Protocol Format String Vulnerability

Vendor: Cisco

Product: IOS XR

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Cisco IOS XR improperly validates string input from certain fields in Cisco Discovery Protocol messages. Exploitation could allow an unauthenticated, adjacent attacker to execute code with administrative privileges or cause a reload on an affected device.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-134

Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability

Vendor: Cisco

Product: IOS XR

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Cisco IOS XR Distance Vector Multicast Routing Protocol (DVMRP) incorrectly handles Internet Group Management Protocol (IGMP) packets. Exploitation could allow an unauthenticated, remote attacker to immediately crash the IGMP process or make it consume available memory and eventually crash.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-400

Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability

Vendor: Cisco

Product: IOS XR

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Cisco IOS XR Distance Vector Multicast Routing Protocol (DVMRP) incorrectly handles Internet Group Management Protocol (IGMP) packets. Exploitation could allow an unauthenticated, remote attacker to immediately crash the IGMP process or make it consume available memory and eventually crash.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-400

Cisco IP Phones Web Server Remote Code Execution and Denial-of-Service Vulnerability

Vendor: Cisco

Product: Cisco IP Phones

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Cisco IP Phones contain an improper input validation vulnerability for HTTP requests. Exploitation could allow an attacker to execute code remotely with root privileges or cause a denial-of-service (DoS) condition.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability

Vendor: Cisco

Product: Small Business RV320 and RV325 Routers

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers contain improper access controls for URLs. Exploitation could allow an attacker to download the router configuration or detailed diagnostic information.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-284

Cisco Adaptive Security Appliance (ASA) Denial-of-Service Vulnerability

Vendor: Cisco

Product: Adaptive Security Appliance (ASA)

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Cisco Adaptive Security Appliance (ASA) contains an improper input validation vulnerability with HTTP URLs. Exploitation could allow an attacker to cause a denial-of-service (DoS) condition or information disclosure.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

Ransomware

Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability

Vendor: Citrix

Product: StoreFront Server

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Citrix StoreFront Server contains an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-611

Citrix ADC, Gateway, and SD-WAN WANOP Appliance Authorization Bypass Vulnerability

Vendor: Citrix

Product: Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP Appliance

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an authorization bypass vulnerability that may allow unauthenticated access to certain URL endpoints. The attacker must have access to the NetScaler IP (NSIP) in order to perform exploitation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-284

Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability

Vendor: Citrix

Product: Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP Appliance

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an information disclosure vulnerability.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability

Vendor: Citrix

Product: Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP Appliance

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an information disclosure vulnerability.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-284

Ransomware

Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability

Vendor: Citrix

Product: Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP Appliance

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an unspecified vulnerability that could allow an unauthenticated attacker to perform code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-22

CISA Known Exploited Vulnerabilities

Cisco ASA and FTD Cross-Site Scripting (XSS) Vulnerability

Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability

Cisco HyperFlex HX Data Platform Command Injection Vulnerability

Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability

Cisco IOS XR Software Discovery Protocol Format String Vulnerability

Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability

Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability

Cisco IP Phones Web Server Remote Code Execution and Denial-of-Service Vulnerability

Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability

Cisco Adaptive Security Appliance (ASA) Denial-of-Service Vulnerability

Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability

Citrix ADC, Gateway, and SD-WAN WANOP Appliance Authorization Bypass Vulnerability

Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability

Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability

Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability