CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2020-11738

WordPress Snap Creek Duplicator Plugin File Download Vulnerability

Vendor: WordPress

Product: Snap Creek Duplicator Plugin

Added: 2021-11-03

Due Date: 2022-05-03

Description:

WordPress Snap Creek Duplicator plugin contains a file download vulnerability: when an administrator creates a new copy of their site, an attacker can download the generated files from the WordPress dashboard. This vulnerability affects Duplicator and Duplicator Pro.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-22

CVE-2019-9978

WordPress Social Warfare Plugin Cross-Site Scripting (XSS) Vulnerability

Vendor: WordPress

Product: Social Warfare Plugin

Added: 2021-11-03

Due Date: 2022-05-03

Description:

WordPress Social Warfare plugin contains a cross-site scripting (XSS) vulnerability that allows for remote code execution. This vulnerability affects Social Warfare and Social Warfare Pro.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-79

CVE-2021-27561

Yealink Device Management Server-Side Request Forgery (SSRF) Vulnerability

Vendor: Yealink

Product: Device Management

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Yealink Device Management contains a server-side request forgery (SSRF) vulnerability that allows for unauthenticated remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2021-40539

Ransomware

Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability

Vendor: Zoho

Product: ManageEngine

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs that allows for remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-55

CVE-2020-10189

Zoho ManageEngine Desktop Central File Upload Vulnerability

Vendor: Zoho

Product: ManageEngine

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Zoho ManageEngine Desktop Central contains a file upload vulnerability that allows for unauthenticated remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-502

CVE-2019-8394

Zoho ManageEngine ServiceDesk Plus (SDP) File Upload Vulnerability

Vendor: Zoho

Product: ManageEngine

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Zoho ManageEngine ServiceDesk Plus (SDP) contains an unspecified vulnerability that allows remote users to upload files via login page customization.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-434

CVE-2020-29583

Zyxel Multiple Products Use of Hard-Coded Credentials Vulnerability

Vendor: Zyxel

Product: Multiple Products

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Zyxel firewalls (ATP, USG, VM) and AP Controllers (NXC2500 and NXC5500) contain a use of hard-coded credentials vulnerability in an undocumented account ("zyfwp") with an unchangeable password.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-522