Vulnerability Details
The Computer Network Defence Alert State is designed to give a granular and more dynamic visualisation of the current cyber security threat. Any increase in an alert state will occur immediately an issue is detected and it will drop again by one level each working day.
Our rationale for this agility is that vulnerabilities often occur in clusters, therefore reducing the alert state again quickly, will increase your visibility of new threats to the same product. Daily reductions in alert state occur at approximately 1900 GMT/UTC. Significant vulnerabilities may remain for longer. Vulnerabilities on this page are predominantly remotely executable, very few local server exploits will be shown.
Monday 18 March 2024
IBM
Patch
PaperCut
Patch
The Monthly Security Bulletin is out for PaperCut NG/MF. Highest CVSSv3 score of 8.6
More info.
Canon
Patch
A potential buffer overflow vulnerability exists in the WSD protocol process for Canon Laser Printers and Small Office Multifunctional Printers. A remote attacker can execute arbitrary code, or cause a DoS.
More info.
Linux
Patch
SUSE has updated the kernel. More info.
Friday 15 March 2024
Juniper
Patch
Multiple vulnerabilities have been resolved in Juniper Secure Analytics. Highest CVSSv3 score of 9.8
More info.
Microsoft
Patch
Microsoft has updated Edge to fix chromium-based vulnerabilities as well as 3 Edge-specific vulnerabilities.
More info.
Dell
Patch
Dell VxRail remediation fixes multiple security vulnerabilities that could be exploited. Dell rates this Critical.
More info.
HPE
Patch
Security vulnerabilities have been identified in Unified OSS Console Assurance Monitoring that allow a remote attacker to achieve arbitrary code execution and DoS. Highest CVSSv3 score of 8.1
More info.
NetApp
New
NetApp has published 10 new bulletins identifying vulnerabilities in third-party software included in their products. Highest CVSSv3 score of 9.8
Only 1 has patches.
More info.
Mitel
Patch
An Improper Configuration vulnerability has been identified in the BluStar component of Mitel InAttend and Mitel CMG which allows a remote attacker to gain access to sensitive information, modify system configuration or execute arbitrary commands. CVSSv3 score of 9.8
More info.
Linux
Patch
SUSE has updated the kernel. More info.
Thursday 14 March 2024
Cisco
Patch
Cisco has published 7 new security bulletins. Highest CVSSv3 score of 7.8.
More info.
A vulnerability in theDHCPv4 server feature of IOS XR Software could allow a remote attacker to trigger a crash of the dhcpd process, resulting in a DoS. CVSSv3 score of 5.3
More info.
Multiple vulnerabilities in the IP ACL processing in the ingress direction on MPLS and Pseudowire interfaces of IOS XR Software could allow a remote attacker to bypass a configured ACL. CVSSv3 score of 5.8
More info.
Arcserve
Patch
BD
Patch
BD has published security updates for third-party software for BACTEC FX, ViperLT, and BACTEC FX40.
The bulletins are dated 30 and 31 March.
More info.
Mitsubishi
Electric
New
Information disclosure and RCE vulnerabilities exist in MELSEC-Q/L Series CPU modules. A remote attacker can read arbitrary information or execute malicious code by sending a specially crafted packet. CVSSv3 score of 9.8
A patch will be released in the near future.
More info.
IBM
Patch
Multple vulnerabilities affect IBM Sterling Secure Proxy. Highest CVSSv3 score of 9.4
More info.
Linux
Patch
Red Hat has updated the kernel, kernel-rt, and kpatch. More info.
Wednesday 13 March 2024
Microsoft
Patch
Adobe
Patch
Adobe Monthly Patches include updates for Experience Manager, Premier Pro, ColdFusion, Bridge, Lightroom, and Animate. Highest CVSSv3 score of 8.6
More info.
Fortinet
Patch
Fortinet Monthly Patches include 8 bulletins for FortiOS and FortiProxy, FortiPortal, FortiWLM MEA for FortiManager, and FortiClientEMS. Highest CVSSv3 score of 9.3
More info.
OoB write and Stack-based Buffer Overflow vulnerabilities in FortiOS & FortiProxy captive portal may allow an attacker who has access to captive portal to execute arbitrary code or commands via specially crafted HTTP requests. CVSSv3 score of 9.3
More info.
An improper neutralization of formula elements in a CSV File vulnerability in FortiClientEMS may allow a remote attacker to execute arbitrary commands on the admin workstation via creating malicious log entries with crafted requests to the server. CVSSv3 score of 8.7
More info.
An improper access control vulnerability in FortiWLM MEA for FortiManager may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests. CVSSv3 score of 7.7
More info.
A SQL Injection vulnerability in FortiClientEMS may allow a remote attacker to execute unauthorized code or commands via specifically crafted requests. CVSSv3 score of 9.3
More info.
Patch
Google has updated Chrome for Desktop to fix 3 security vulnerabilities.
More info.
Bosch
Patch
RPS and RPS-LITE operator and communication process contain several vulnerabilities, included hardcoded credentials. Highest CVSSv3 score of 7.3
More info.
Citrix
Patch
SD-WAN contains a vulnerability that allows a remote attacker to disclose limited information from the appliance. CVSSv3 score of 6.5
This requires access to the management interface.
More info.
Hitachi
Patch
Several vulnerabilities affect Cosminexus products.
More info.
IBM
Patch
Intel
Patch
Tuesday 12 March 2024
Siemens
Patch
Siemens Monthly Patches are out, with 11 new bulletins and 11 updated bulletins. Of the new bulletins, highest CVSSv3 score of 10
More info.
RUGGEDCOM APE 1808 contains Fortigate NGFW, which has been updated to fix several vulnerabilities. Highest CVSSv3 score of 9.8
More info. And here.
Several products used in Sinteso EN and Cerberus PRO EN Fire Protection Systems contain buffer overflow vulnerabilities in the network communication stack. Highest CVSSv3 score of 10.
More info.
SENTRON 3KC ATC6 Expansion Module Ethernet exposes an unused, unstable http service at port 80/tcp on the Modbus-TCP Ethernet. CVSSv3 score of 7.5
More info.
SIMATIC RF160B contain multiple vulnerabilities of different types that could allow an attacker to execute arbitrary code. Highest CVSSv3 score of 9.8
More info.
SINEMA Remote Connect Server before V3.2 is affected by multiple vulnerabilities. Highest CVSSv3 score of 9.8
More info.
Schneider
Electric
Patch
SAP
Patch
SAP Security Patch Day includes 10 new Security Notes and 2 updated Security Notes. There are updates for NetWeaver, NetWeaver AS Java, NetWeaver AS ABAP, NetWeaver Process Integration, Build Apps, HANA XS Classic and Advanced, BusinessObjects Business Intelligence Platform, Fiori Front End Server and ABAP Platform. Of the new Notes, Highest CVSSv3 score of 9.4. One of the updated notes has a CVSSv3 score of 10.
More info.
Phoenix
Contact
Patch
Synology
Patch
Multiple vulnerabilities exist in Synology Router Manage,r that allows a remote attacker to inject arbitrary web script or HTML, among other authenticated vulnerabilities.
More info.
Linux
Patch
Monday 11 March 2024
Dell
Patch
Dell NetWorker vProxy remediation is available for multiple security vulnerabilities that could be exploited. Dell rates this Critical.
More info.
HPE
Patch
Vulnerabilities have been identified in HPE Unified OSS Console Assurance Monitoring that could allow a remote attacker to allow DoS, unauthorized data access and remote disclosure of sensitive information. Highest CVSSv3 score of 8.1
More info.
Digi
New
Digi products are vulnerabile to the Terrapin attack in SSH. CVSSv3 score of 4.9
Manual removal of vulnerabile ciphers/MACs until updates are available.
More info.
Friday 08 March 2024
Apple
Exploit
Apple has published updates for Safari, macOS, tvOS, watchOS, and visionOS. At least one vulnerability in each of these products is being actively exploited.
More info.
Chirp
Systems
New
Chirp Access contains a Hard-coded Credentials vulnerability, the software improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access. CVSSv3 score of 9.1
No response from vendor.
More info.
Microsoft
Patch
Microsoft has updated Edge with the latest chromium fixes.
More info.
QNAP
Patch
Multiple vulnerabilities have been reported to affect certain QNAP operating system and applications including an improper authentication vulnerability, allowing a remote attacker to compromise the security of the system via a network. QNAP rates this Critical.
More info.
NetApp
New
NetApp has published 13 new bulletins identifying vulnerabilities in third-party software included in their products. Highest CVSSv3 score of 9.8
No patches yet.
More info.
Linux
Patch
Ubuntu has updated the kernel. More info.
Thursday 07 March 2024
Cisco
Patch
Pilz
Patch
The PITreader product family contains the 3rd-party-component uC/HTTP to implement the web server functionality. uC/HTTP is affected by multiple vulnerabilities. These vulnerabilities may enable a remote attacker to gain full control over the system. CVSSv3 score of 9.8.
More info. (registration required)
IBM
Patch
Vulnerabilities have been identified with the DS8900F Hardware Management Console. Highest CVSSv3 score of 9.8
More info.
An execute arbitrary code vulnerability in Apache Axis, an authentication bypass vulnerability in Apache Shiro, and several vulnerabilities in SnakeYAML affect IBM WebSphere Service Registry and Repository. Highest CVSSv3 score of 9.8
More info.
Artica
New
Artica Proxy contains several vulnerabilities reported by KoreLogic. No patches.
More info.
Bosch
Patch
Multiple Git for Windows vulnerabilities have been discovered in DIVAR IP System Manager, affecting several Bosch DIVAR IP all-in-one models.. Highest CVSSv3 score of 9.8
More info.
Linux
Patch
Wednesday 06 March 2024
Apple
0-Day
Nice
Patch
Linear eMerge E3-Series contains multiple vulnerabilities, including OS command injection, Unrestricted Upload of File with Dangerous Type, Incorrect Authorization, Insufficiently Protected Credentials, Use of Hard-coded Credentials, and Out-of-bounds Write, among others. Highest CVSSv3 score of 10.
More info.
Sophos
Patch
UTM has been updated to fix a Tinyproxy vulnerability and several curl vulnerabilities, dating back to 2021. Highest CVSSv3 score of 7.5
More info.
Moxa
Patch
A stack-based buffer overflow in the built-in web server in Moxa NPort W2150A/W2250A allows a remote attacker to exploit the vulnerability by sending crafted payload to the web service, resulting in DoS. CVSSv3 score of 8.2
More info.
Bosch
Patch
BVMS contains a Device Adapter service that uses an OpenSSL library containing multiple vulnerabilities. These vulnerabilities could lead to command injection or denial of service. Highest CVSSv3 score of 9.8
More info.
Patch
Google has updated Chrome for Desktop to fix 3 security vulnerabilities, all rated High.
More info.
HPE
Patch
Linux
Patch
Tuesday 05 March 2024
Patch
Google Monthly Patches for Android are out, with 13 vulnerabilities with 2 rated Critical and 11 rated High, as well as patches for AMLogic, Arm, MediaTek, and Qualcomm. Highest CVSSv3 score of 9.8
More info.
Google Monthly Patches for Pixel include 52 vulnerabilities, 16 rated Critical, 18 rated High, and 18 rated Moderate.
More info.
Samsung
Patch
Samsung Monthly Patches include 9 vulnerabilities plus Google Android updates.
More info.
Mozilla
Patch
Thunderbird leaks encrypted email subjects to other conversations. CVSSv3 score of 5.7
More info.
Squid
Patch
Due to an Uncontrolled Recursion bug, Squid may be vulnerable to a DoS against HTTP Chunked decoder. CVSSv3 score of 8.6
More info.
Linux
Patch
Monday 04 March 2024
Qualcomm
Patch
Qualcomm Monthly Patches are out, with 16 vulnerabilities, 2 rated Critical, 12 rated High, and 2 rated Medium. Highest CVSSv3 score of 9.8
More info.
MediaTek
Patch
MediaTek Monthly Patches include 21 vulnerabilities, 12 rated High and 9 rated Medium.
More info.
Hikvision
Patch
HikCentral Professional has been patched to fix 2 vulnerabilities, the worst of which allows a remote attacker to access URLs without authentication. Highest CVSSv3 score of 7.5
More info.
Dell
Patch
Dell PowerScale OneFS remediation is available for multiple security vulnerabilities in node firmware that could be exploited by malicious users to compromise the affected system. Dell rates this Critical.
More info.
Dell EMC Networking remediation is available for Eclypsium security vulnerabilities from Jan 2023 that could be exploited by malicious users to compromise the affected systems. Highest CVSSv3 score of 9.9
More info.
Dell PowerScale OneFS remediation is available for proprietary code vulnerabilities that could be exploited by malicious users to compromise the affected system. Dell rated this High. Highest CVSSv3 score of 7.4
More info.
Xerox
Patch
Xerox has published security updates for FreeFlow Print Servers.
More info.
IBM
Patch
IBM Cloud Pak for Network Automation fixes multiple security vulnerabilities. Highest CVSSv3 score of 9.8
More info.
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Base OS issues. Highest CVSSv3 score of 9.8
More info.
QRadar Suite Software includes components with known vulnerabilities. Highest CVSSv3 score of 9.8
More info.
Node.js IP package code execution vulnerability affects Cloud Pak System on Power. CVSSv3 score of 9.8
More info.
Friday 01 March 2024
SolarWinds
Patch
SolarWinds has updated Security Event Manager (SEM) to fix vulnerabilities in third-party software as well as one vulnerability in SEM. Highest CVSSv3 score of 9.8
More info.
Microsoft
Patch
Microsoft has updated Edge with the latest chromium patches and one patch for an Edge specific vulnerability.
More info.
NetApp
Patch
NetApp has published 5 new bulletins identifying vulnerabilities in third-party software included in their products. Highest CVSSv3 score of 8.1
Three have patches.
More info.
Ivanti
Patch
MobileIron line products, including EPMM Reporting DB and N-MDM/Cloud, use PostgreSQL and are vulnerable to the JDBC Driver recent vulnerability. CVSSv3 score of 10.
More info.
Linux
Patch
Oracle Linux has updated the kernel. More info.
PRODUCT
GUARDED
This alert state represents the return towards normalisation of an alert state, indicating that there was a higher alert state due to a product vulnerability during the previous few days.
PRODUCT
INCREASED
This alert state indicates that a product vulnerability has been identified within the last few days. The vulnerability is either difficult to exploit, or if exploited, results in reduced impact to the target system.
PRODUCT
HIGH
This alert state indicates a more serious vulnerability which is exploitable.
PRODUCT
CRITICAL
This alert state indicates a significant threat to the product, where exploits exist or where the vulnerability is potentially devastating.
NEW
NEW
This bottom descriptor is used with a vulnerability which has been identified in the last 24 hours, with no patch or exploit. It will typically be paired with Increased.
+24hrs
+24hrs
This bottom descriptor is used with Indicates an alert state which has been present for more than 24 hours. It will typically be paired with Guarded, and could be changed to +48hr for an item that came out as Critical.
Patch
PATCH
This bottom descriptor indicates that patches are available for vulnerabilities, whether it is the initial report or a patch of a vulnerability that had been previously reported. It could be paired with Increased or High, and on rare occasions Critical.
Exploit
EXPLOIT
This bottom descriptor indicates that an Exploit has been made public for a vulnerability, whether it is the initial report or an indication of an exploit for a vulnerability that had been previously reported. It could be paired with High or Critical.
ZERO
ZERO DAY
This bottom descriptor indicates that a vulnerability has been announced without the opportunity for the vendor to patch it before the details are made known. It could be paired with High or Critical.