CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2025-61757

Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability

Vendor: Oracle

Product: Fusion Middleware

Added: 2025-11-21

Due Date: 2025-12-12

Description:

Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-306

CVE-2025-13223

Google Chromium V8 Type Confusion Vulnerability

Vendor: Google

Product: Chromium V8

Added: 2025-11-19

Due Date: 2025-12-10

Description:

Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-843

CVE-2025-58034

Fortinet FortiWeb OS Command Injection Vulnerability

Vendor: Fortinet

Product: FortiWeb

Added: 2025-11-18

Due Date: 2025-11-25

Description:

Fortinet FortiWeb contains an OS command injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-78

CVE-2025-64446

Fortinet FortiWeb Path Traversal Vulnerability

Vendor: Fortinet

Product: FortiWeb

Added: 2025-11-14

Due Date: 2025-11-21

Description:

Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-23
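The FortiWeb entry above is classed as relative path traversal (CWE-23): a client-supplied relative path that is joined onto a served root without checking that the result stays inside it. The block below is an added illustration in Python of the containment check a request handler must make; it is not FortiWeb code and says nothing about where the FortiWeb bug lives. The root directory and the sample request paths are constructed for the example.

```python
"""Containment check against relative path traversal (CWE-23).

Added illustration, not vendor code. The served root and the request paths
below are constructed for the example.
"""
import os
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a client path would escape the served root."""


def safe_join(root: str, user_path: str) -> str:
    """Return root/user_path if the result stays inside root, else raise.

    This is a lexical check. On a real filesystem follow it with
    os.path.realpath() on the result, because a symlink inside root can
    still point outside it.
    """
    decoded = unquote(user_path)          # decode %2e%2e once, as a server would
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    if os.path.isabs(decoded):
        # os.path.join(root, "/etc/passwd") silently discards root
        raise PathTraversalError("absolute path rejected")
    root_norm = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root_norm, decoded))
    # normpath has already collapsed ".." segments; the candidate must still
    # share root_norm as its common prefix, segment-wise (not string-wise,
    # so /srv/www2 does not pass for root /srv/www)
    if os.path.commonpath([root_norm, candidate]) != root_norm:
        raise PathTraversalError(f"{user_path!r} escapes {root!r}")
    return candidate


def is_contained(root: str, user_path: str) -> bool:
    """True if safe_join would accept user_path under root."""
    try:
        safe_join(root, user_path)
        return True
    except PathTraversalError:
        return False


# Constructed request paths, not captured traffic.
SAMPLE_PATHS = [
    "docs/readme.txt",              # plain file under root
    "docs/../index.html",           # ".." that stays inside root is fine
    "../../etc/passwd",             # classic relative traversal
    "%2e%2e/%2e%2e/etc/passwd",     # same, percent-encoded
    "/etc/passwd",                  # absolute path would replace root
]


def triage(root: str = "/srv/www") -> dict:
    """Map each sample path to whether the check allows it."""
    return {p: is_contained(root, p) for p in SAMPLE_PATHS}


if __name__ == "__main__":
    for path, ok in triage().items():
        print(f"{'allow' if ok else 'DENY '}  {path}")
```

The order of the checks matters: decode once, reject NUL and absolute paths, normalise, then compare by path segments. Comparing with a plain string prefix instead of `os.path.commonpath` would let `/srv/www2/secret` pass for a root of `/srv/www`.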

CVE-2025-12480

Gladinet Triofox Improper Access Control Vulnerability

Vendor: Gladinet

Product: Triofox

Added: 2025-11-12

Due Date: 2025-12-03

Description:

Gladinet Triofox contains an improper access control vulnerability that allows access to initial setup pages even after setup is complete.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-284

CVE-2025-62215

Microsoft Windows Race Condition Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2025-11-12

Due Date: 2025-12-03

Description:

Microsoft Windows Kernel contains a race condition vulnerability that allows a local attacker with low privileges to escalate privileges. Successful exploitation of this vulnerability could enable the attacker to gain SYSTEM-level access.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-362

CVE-2025-9242

WatchGuard Firebox Out-of-Bounds Write Vulnerability

Vendor: WatchGuard

Product: Firebox

Added: 2025-11-12

Due Date: 2025-12-03

Description:

WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-787

CVE-2025-21042

Samsung Mobile Devices Out-of-Bounds Write Vulnerability

Vendor: Samsung

Product: Mobile Devices

Added: 2025-11-10

Due Date: 2025-12-01

Description:

Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so. This vulnerability could allow remote attackers to execute arbitrary code.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-787

CVE-2025-48703

CWP Control Web Panel OS Command Injection Vulnerability

Vendor: CWP

Product: Control Web Panel

Added: 2025-11-04

Due Date: 2025-11-25

Description:

CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-78
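Both the FortiWeb entry (CVE-2025-58034) and the CWP entry above are OS command injection (CWE-78): request data reaches a shell as part of a command string, so shell metacharacters such as `;` turn one intended command into several. The block below is an added illustration in Python of the vulnerable pattern next to its hardened form; it is not CWP or FortiWeb code. The parameter name `t_total` is taken from the CWP description above, but the handler, the `chmod` invocation, the allow-list regex and the scratch file are assumptions made for the example.

```python
"""OS command injection (CWE-78): shell string versus argv.

Added illustration, not vendor code. The handler shape, the chmod call and
the mode allow-list are assumptions; t_total is the parameter name from the
CWP advisory.
"""
import os
import re
import stat
import subprocess
import tempfile

# Only octal permission modes are acceptable for a change-permission request.
MODE_RE = re.compile(r"^[0-7]{3,4}$")


def unsafe_change_perm_command(path: str, t_total: str) -> str:
    """The CWE-78 pattern: interpolate a request parameter into a shell line.

    Returned rather than executed so the example can show what /bin/sh would
    see. With t_total = "755; id" the shell runs chmod, then id.
    """
    return f"chmod {t_total} {path}"      # would be passed to shell=True


def change_perm(root: str, name: str, t_total: str) -> int:
    """Hardened form: allow-list the mode, confine the path, never use a shell."""
    if not MODE_RE.match(t_total):
        raise ValueError(f"rejected mode {t_total!r}")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError(f"rejected path {name!r}")
    # argv form: mode and path are single arguments handed straight to
    # execve, so metacharacters are never interpreted by a shell.
    return subprocess.run(["chmod", t_total, target], check=True).returncode


def run_demo() -> dict:
    """Exercise both forms on a scratch file and return what happened."""
    result = {}
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim.txt")
        open(victim, "w").close()
        payload = "755; id"                      # constructed injection payload
        result["shell_line"] = unsafe_change_perm_command(victim, payload)
        try:
            change_perm(root, "victim.txt", payload)
            result["payload_rejected"] = False
        except ValueError:
            result["payload_rejected"] = True
        change_perm(root, "victim.txt", "640")   # legitimate request succeeds
        result["mode_after"] = stat.S_IMODE(os.stat(victim).st_mode)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The allow-list is the part that carries the security argument: escaping metacharacters for a particular shell is fragile, whereas rejecting anything that is not an octal mode and then invoking the program without a shell leaves nothing for an attacker to break out of.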

CVE-2025-11371

Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability

Vendor: Gladinet

Product: CentreStack and Triofox

Added: 2025-11-04

Due Date: 2025-11-25

Description:

Gladinet CentreStack and Triofox contain a files or directories accessible to external parties vulnerability that allows unintended disclosure of system files.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-552

CVE-2025-41244

Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability

Vendor: Broadcom

Product: VMware Aria Operations and VMware Tools

Added: 2025-10-30

Due Date: 2025-11-20

Description:

Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges who has access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-267

CVE-2025-24893

XWiki Platform Eval Injection Vulnerability

Vendor: XWiki

Product: Platform

Added: 2025-10-30

Due Date: 2025-11-20

Description:

XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-95

CVE-2025-6204

Dassault Systèmes DELMIA Apriso Code Injection Vulnerability

Vendor: Dassault Systèmes

Product: DELMIA Apriso

Added: 2025-10-28

Due Date: 2025-11-18

Description:

Dassault Systèmes DELMIA Apriso contains a code injection vulnerability that could allow an attacker to execute arbitrary code.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-94

CVE-2025-6205

Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability

Vendor: Dassault Systèmes

Product: DELMIA Apriso

Added: 2025-10-28

Due Date: 2025-11-18

Description:

Dassault Systèmes DELMIA Apriso contains a missing authorization vulnerability that could allow an attacker to gain privileged access to the application.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-862

CVE-2025-54236

Adobe Commerce and Magento Improper Input Validation Vulnerability

Vendor: Adobe

Product: Commerce and Magento

Added: 2025-10-24

Due Date: 2025-11-14

Description:

Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-20
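Every entry above uses the same field layout, and the two dates in it define the BOD 22-01 remediation window, so the practical first step for an operator is to parse the listing and compute, per entry, how long that window was and which entries are already past due. The block below is an added example written for this page, not CISA tooling; it assumes the plain-text layout exactly as shown above (CVE line, title line, `Vendor:`, `Product:`, `Added:`, `Due Date:`, `Description:`, `Required Action:`, `CWEs:`) and runs on a constructed two-entry excerpt copied from the list.

```python
"""Parse the dashboard entries above and flag overdue BOD 22-01 due dates.

Added example, not CISA tooling. It reads the plain-text field layout used on
this page; the SAMPLE below is a constructed excerpt of two entries.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
CWE_RE = re.compile(r"^CWE-\d+$")


@dataclass
class KevEntry:
    cve_id: str
    title: str = ""
    vendor: str = ""
    product: str = ""
    added: Optional[date] = None
    due: Optional[date] = None
    description: str = ""
    cwes: list = field(default_factory=list)

    def days_to_remediate(self) -> int:
        """Length of the remediation window CISA assigned to this entry."""
        return (self.due - self.added).days

    def is_overdue(self, today: date) -> bool:
        return today > self.due


def parse_dashboard(text: str) -> list:
    """Turn the dashboard text into KevEntry objects, in listing order."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if CVE_RE.match(line):                 # every entry starts with its CVE ID
            current = KevEntry(cve_id=line)
            entries.append(current)
            section = None
        elif current is None:
            continue                           # dashboard header before the first entry
        elif line.startswith(("Vendor:", "Product:", "Added:", "Due Date:")):
            key, value = (s.strip() for s in line.split(":", 1))
            if key == "Vendor":
                current.vendor = value
            elif key == "Product":
                current.product = value
            elif key == "Added":
                current.added = date.fromisoformat(value)
            else:
                current.due = date.fromisoformat(value)
        elif line in ("Description:", "Required Action:", "CWEs:"):
            section = line                     # following lines belong to this field
        elif section == "Description:":
            current.description = line
        elif section == "CWEs:" and CWE_RE.match(line):
            current.cwes.append(line)
        elif section is None and not current.title:
            current.title = line               # the line right after the CVE ID
    return entries


def overdue(entries, today) -> list:
    """CVE IDs whose due date has passed as of `today` (date or ISO string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    late = [e for e in entries if e.is_overdue(today)]
    return [e.cve_id for e in sorted(late, key=lambda e: e.due)]


def by_cwe(entries) -> dict:
    """Map each CWE to the CVE IDs carrying it, to spot recurring weakness classes."""
    out = {}
    for e in entries:
        for cwe in e.cwes:
            out.setdefault(cwe, []).append(e.cve_id)
    return out


# Constructed excerpt: two entries copied from the listing above.
SAMPLE = """\
CISA Known Exploited Vulnerabilities
CVE-2025-64446
Fortinet FortiWeb Path Traversal Vulnerability
Vendor: Fortinet
Product: FortiWeb
Added: 2025-11-14
Due Date: 2025-11-21
Description:
Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
CWEs:
CWE-23
CVE-2025-48703
CWP Control Web Panel OS Command Injection Vulnerability
Vendor: CWP
Product: Control Web Panel
Added: 2025-11-04
Due Date: 2025-11-25
Description:
CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
CWEs:
CWE-78
"""

if __name__ == "__main__":
    for e in parse_dashboard(SAMPLE):
        print(e.cve_id, e.vendor, e.days_to_remediate(), "days", e.cwes)
```

Note how short the windows are: the FortiWeb entry was given seven days, the CWP entry three weeks. Feeding the parsed `vendor`/`product` pairs into an asset inventory, and running `overdue()` daily, is the check this dashboard exists to support.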