CVE Tracker

CVE ID	Severity	EPSS	Vendor	Description	Date	Status
CVE-2020-10189	High	94.2%	ZohoManageEngine	Zoho ManageEngine Desktop Central contains a file upload vulnerability that allows for unauthenticated remote code execution.	Nov 3, 2021	KEV
CVE-2015-1641	High	93.6%	MicrosoftOffice	Microsoft Office contains a memory corruption vulnerability due to failure to properly handle rich text format files in memory. Successful exploitation allows for remote code execution in the context of the current user.	Nov 3, 2021	KEV
CVE-2020-10148	High	94.3%	SolarWindsOrion	SolarWinds Orion API contains an authentication bypass vulnerability that could allow a remote attacker to execute API commands.	Nov 3, 2021	KEV
CVE-2021-20090	High	94.4%	ArcadyanBuffalo Firmware	Arcadyan Buffalo firmware contains a path traversal vulnerability that could allow unauthenticated, remote attackers to bypass authentication and access sensitive information. This vulnerability affects multiple routers across several different vendors.	Nov 3, 2021	KEV
CVE-2021-30633	High	38.2%	GoogleChromium Indexed DB API	Google Chromium Indexed DB API contains a use-after-free vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.	Nov 3, 2021	KEV
CVE-2019-16256	High	61.2%	SIMallianceToolbox Browser	SIMalliance Toolbox Browser contains an command injection vulnerability that could allow remote attackers to retrieve location and IMEI information or execute a range of other attacks by modifying the attack message.	Nov 3, 2021	KEV
CVE-2017-9805	High	94.3%	ApacheStruts	Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.	Nov 3, 2021	KEV
CVE-2021-40539	High	94.4%	ZohoManageEngine	Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution.	Nov 3, 2021	KEV
CVE-2021-30858	High	0.8%	AppleiOS, iPadOS, and macOS	Apple iOS, iPadOS, and macOS WebKit contain a use-after-free vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.	Nov 3, 2021	KEV
CVE-2020-5847	High	93.5%	UnraidUnraid	Unraid contains a vulnerability due to the insecure use of the extract PHP function that can be abused to execute remote code as root. This CVE is chainable with CVE-2020-5849 for initial access.	Nov 3, 2021	KEV
CVE-2016-3976	High	81.5%	SAPNetWeaver	SAP NetWeaver Application Server Java Platforms contains a directory traversal vulnerability via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet. This allows remote attackers to read files.	Nov 3, 2021	KEV
CVE-2021-31955	High	4.3%	MicrosoftWindows	Microsoft Windows Kernel contains an unspecified vulnerability that allows for information disclosure. Successful exploitation allows attackers to read the contents of kernel memory from a user-mode process.	Nov 3, 2021	KEV
CVE-2020-8657	High	90.3%	EyesOfNetworkEyesOfNetwork	EyesOfNetwork contains a use of hard-coded credentials vulnerability, as it uses the same API key by default. Exploitation allows an attacker to calculate or guess the admin access token.	Nov 3, 2021	KEV
CVE-2021-34523	High	94.0%	MicrosoftExchange Server	Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.	Nov 3, 2021	KEV
CVE-2021-26858	High	53.0%	MicrosoftExchange Server	Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.	Nov 3, 2021	KEV
CVE-2020-3580	High	92.6%	CiscoAdaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)	Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an insufficient input validation vulnerability for user-supplied input by the web services interface. Successful exploitation could allow an attacker to perform cross-site scripting (XSS) in the context of the interface or access sensitive browser-based information.	Nov 3, 2021	KEV
CVE-2021-22893	High	93.6%	IvantiPulse Connect Secure	Ivanti Pulse Connect Secure contains a use-after-free vulnerability that allow a remote, unauthenticated attacker to execute code via license services.	Nov 3, 2021	KEV
CVE-2018-11776	High	94.4%	ApacheStruts	Apache Struts contains a vulnerability that allows for remote code execution under two circumstances. One, where the alwaysSelectFullNamespace option is true and the value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace. Or, using URL tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace.	Nov 3, 2021	KEV
CVE-2020-0069	High	0.7%	MediaTekMultiple Chipsets	Multiple MediaTek chipsets contain an insufficient input validation vulnerability and have missing SELinux restrictions in the Command Queue drivers ioctl handlers. This causes an out-of-bounds write leading to privilege escalation. This vulnerability was observed chained with CVE-2019-2215 and CVE-2020-0041 under exploit chain "AbstractEmu."	Nov 3, 2021	KEV
CVE-2021-36741	High	0.6%	Trend MicroApex One, Apex One as a Service, and Worry-Free Business Security	Trend Micro Apex One, Apex One as a Service, and Worry-Free Business Security contain an improper input validation vulnerability that allows a remote attacker to upload files.	Nov 3, 2021	KEV

CVE-2020-10189KEV

High

Zoho ManageEngine Desktop Central contains a file upload vulnerability that allows for unauthenticated remote code execution.

ZohoEPSS 94.2%

CVE-2015-1641KEV

High

Microsoft Office contains a memory corruption vulnerability due to failure to properly handle rich text format files in memory. Successful exploitation allows for remote code execution in the context of the current user.

MicrosoftEPSS 93.6%

CVE-2020-10148KEV

High

SolarWinds Orion API contains an authentication bypass vulnerability that could allow a remote attacker to execute API commands.

SolarWindsEPSS 94.3%

CVE-2021-20090KEV

High

Arcadyan Buffalo firmware contains a path traversal vulnerability that could allow unauthenticated, remote attackers to bypass authentication and access sensitive information. This vulnerability affects multiple routers across several different vendors.

ArcadyanEPSS 94.4%

CVE-2021-30633KEV

High

Google Chromium Indexed DB API contains a use-after-free vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

GoogleEPSS 38.2%

CVE-2019-16256KEV

High

SIMalliance Toolbox Browser contains an command injection vulnerability that could allow remote attackers to retrieve location and IMEI information or execute a range of other attacks by modifying the attack message.

SIMallianceEPSS 61.2%

CVE-2017-9805KEV

High

Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.

ApacheEPSS 94.3%

CVE-2021-40539KEV

High

Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution.

ZohoEPSS 94.4%

CVE-2021-30858KEV

High

Apple iOS, iPadOS, and macOS WebKit contain a use-after-free vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.

AppleEPSS 0.8%

CVE-2020-5847KEV

High

Unraid contains a vulnerability due to the insecure use of the extract PHP function that can be abused to execute remote code as root. This CVE is chainable with CVE-2020-5849 for initial access.

UnraidEPSS 93.5%

CVE-2016-3976KEV

High

SAP NetWeaver Application Server Java Platforms contains a directory traversal vulnerability via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet. This allows remote attackers to read files.

SAPEPSS 81.5%

CVE-2021-31955KEV

High

Microsoft Windows Kernel contains an unspecified vulnerability that allows for information disclosure. Successful exploitation allows attackers to read the contents of kernel memory from a user-mode process.

MicrosoftEPSS 4.3%

CVE-2020-8657KEV

High

EyesOfNetwork contains a use of hard-coded credentials vulnerability, as it uses the same API key by default. Exploitation allows an attacker to calculate or guess the admin access token.

EyesOfNetworkEPSS 90.3%

CVE-2021-34523KEV

High

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

MicrosoftEPSS 94.0%

CVE-2021-26858KEV

High

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

MicrosoftEPSS 53.0%

CVE-2020-3580KEV

High

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an insufficient input validation vulnerability for user-supplied input by the web services interface. Successful exploitation could allow an attacker to perform cross-site scripting (XSS) in the context of the interface or access sensitive browser-based information.

CiscoEPSS 92.6%

CVE-2021-22893KEV

High

Ivanti Pulse Connect Secure contains a use-after-free vulnerability that allow a remote, unauthenticated attacker to execute code via license services.

IvantiEPSS 93.6%

CVE-2018-11776KEV

High

Apache Struts contains a vulnerability that allows for remote code execution under two circumstances. One, where the alwaysSelectFullNamespace option is true and the value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace. Or, using URL tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace.

ApacheEPSS 94.4%

CVE-2020-0069KEV

High

Multiple MediaTek chipsets contain an insufficient input validation vulnerability and have missing SELinux restrictions in the Command Queue drivers ioctl handlers. This causes an out-of-bounds write leading to privilege escalation. This vulnerability was observed chained with CVE-2019-2215 and CVE-2020-0041 under exploit chain "AbstractEmu."

MediaTekEPSS 0.7%

CVE-2021-36741KEV

High

Trend Micro Apex One, Apex One as a Service, and Worry-Free Business Security contain an improper input validation vulnerability that allows a remote attacker to upload files.

Trend MicroEPSS 0.6%

64 65 66 67 68 69 70