CVE Tracker

CVE ID	Severity	EPSS	Vendor	Description	Date	Status
CVE-2018-13379	High 9.1	94.5%	fortinetFortiOS	Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.	Nov 3, 2021	KEV
CVE-2020-3161	High	83.1%	CiscoCisco IP Phones	Cisco IP Phones contain an improper input validation vulnerability for HTTP requests. Exploitation could allow an attacker to execute code remotely with root privileges or cause a denial-of-service (DoS) condition.	Nov 3, 2021	KEV
CVE-2020-3452	High	94.5%	CiscoAdaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)	Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an improper input validation vulnerability when HTTP requests process URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.	Nov 3, 2021	KEV
CVE-2020-1350	High	93.8%	MicrosoftWindows	Microsoft Windows DNS Servers fail to properly handle requests, allowing an attacker to perform remote code execution in the context of the Local System Account. The vulnerability is also known under the moniker of SIGRed.	Nov 3, 2021	KEV
CVE-2020-4427	High	92.7%	IBMData Risk Manager	IBM Data Risk Manager contains a security bypass vulnerability that could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system.	Nov 3, 2021	KEV
CVE-2019-16759	High 9.8	94.4%	vBulletinvBulletin	The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.	Nov 3, 2021	KEVExploit
CVE-2021-35464	High 9.8	94.4%	ForgeRockAccess Management (AM)	ForgeRock Access Management (AM) Core Server allows an attacker who sends a specially crafted HTTP request to one of three endpoints (/ccversion/Version, /ccversion/Masthead, or /ccversion/ButtonFrame) to execute code in the context of the current user (unless ForgeRock AM is running as root user, which the vendor does not recommend).	Nov 3, 2021	KEVExploit
CVE-2020-4430	High	84.3%	IBMData Risk Manager	IBM Data Risk Manager contains a directory traversal vulnerability that could allow a remote authenticated attacker to traverse directories and send a specially crafted URL request to download arbitrary files from the system.	Nov 3, 2021	KEV
CVE-2021-27561	High	94.1%	YealinkDevice Management	Yealink Device Management contains a server-side request forgery (SSRF) vulnerability that allows for unauthenticated remote code execution.	Nov 3, 2021	KEV

CVE-2018-13379KEV

High

Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.

fortinetCVSS 9.1EPSS 94.5%

CVE-2020-3161KEV

High

Cisco IP Phones contain an improper input validation vulnerability for HTTP requests. Exploitation could allow an attacker to execute code remotely with root privileges or cause a denial-of-service (DoS) condition.

CiscoEPSS 83.1%

CVE-2020-3452KEV

High

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an improper input validation vulnerability when HTTP requests process URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.

CiscoEPSS 94.5%

CVE-2020-1350KEV

High

Microsoft Windows DNS Servers fail to properly handle requests, allowing an attacker to perform remote code execution in the context of the Local System Account. The vulnerability is also known under the moniker of SIGRed.

MicrosoftEPSS 93.8%

CVE-2020-4427KEV

High

IBM Data Risk Manager contains a security bypass vulnerability that could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system.

IBMEPSS 92.7%

CVE-2019-16759KEV

High

The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

vBulletinCVSS 9.8EPSS 94.4%

Exploit

CVE-2021-35464KEV

High

ForgeRock Access Management (AM) Core Server allows an attacker who sends a specially crafted HTTP request to one of three endpoints (/ccversion/Version, /ccversion/Masthead, or /ccversion/ButtonFrame) to execute code in the context of the current user (unless ForgeRock AM is running as root user, which the vendor does not recommend).

ForgeRockCVSS 9.8EPSS 94.4%

Exploit

CVE-2020-4430KEV

High

IBM Data Risk Manager contains a directory traversal vulnerability that could allow a remote authenticated attacker to traverse directories and send a specially crafted URL request to download arbitrary files from the system.

IBMEPSS 84.3%

CVE-2021-27561KEV

High

Yealink Device Management contains a server-side request forgery (SSRF) vulnerability that allows for unauthenticated remote code execution.

YealinkEPSS 94.1%

1 2 3 4 5 6 7