CVE Tracker

CVE ID	Severity	EPSS	Vendor	Description	Date	Status
CVE-2021-30713	High	0.1%	ApplemacOS	Apple macOS Transparency, Consent, and Control (TCC) contains an unspecified permissions issue which may allow a malicious application to bypass privacy preferences.	Nov 3, 2021	KEV
CVE-2021-27102	High	0.3%	AccellionFTA	Accellion FTA contains an OS command injection vulnerability exploited via a local web service call.	Nov 3, 2021	KEV
CVE-2020-8655	High	87.6%	EyesOfNetworkEyesOfNetwork	EyesOfNetwork contains an improper privilege management vulnerability that may allow a user to run commands as root via a crafted Nmap Scripting Engine (NSE) script to nmap7.	Nov 3, 2021	KEV
CVE-2019-16759	High 9.8	94.4%	vBulletinvBulletin	The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.	Nov 3, 2021	KEVExploit
CVE-2020-25213	High	94.4%	WordPressFile Manager Plugin	WordPress File Manager plugin contains a remote code execution vulnerability that allows unauthenticated users to execute PHP code and upload malicious files on a target site.	Nov 3, 2021	KEV
CVE-2019-8394	High	87.3%	ZohoManageEngine	Zoho ManageEngine ServiceDesk Plus (SDP) contains an unspecified vulnerability that allows remote users to upload files via login page customization.	Nov 3, 2021	KEV
CVE-2020-1472	High	94.4%	MicrosoftNetlogon	Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller. An attacker who successfully exploits the vulnerability could run a specially crafted application on a device on the network. The vulnerability is also known under the moniker of Zerologon.	Nov 3, 2021	KEV
CVE-2019-5591	High	48.4%	FortinetFortiOS	Fortinet FortiOS contains a default configuration vulnerability that may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the Lightweight Directory Access Protocol (LDAP) server.	Nov 3, 2021	KEV
CVE-2019-4716	High	91.5%	IBMPlanning Analytics	IBM Planning Analytics is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting.	Nov 3, 2021	KEV
CVE-2019-15752	High	46.9%	DockerDesktop Community Edition	Docker Desktop Community Edition contains a vulnerability that may allow local users to escalate privileges by placing a trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\.	Nov 3, 2021	KEV
CVE-2018-13379	High 9.1	94.5%	fortinetFortiOS	Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.	Nov 3, 2021	KEV
CVE-2019-0604	High	94.4%	MicrosoftSharePoint	Microsoft SharePoint fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run remote code in the context of the SharePoint application pool and the SharePoint server farm account.	Nov 3, 2021	KEV
CVE-2020-3161	High	83.1%	CiscoCisco IP Phones	Cisco IP Phones contain an improper input validation vulnerability for HTTP requests. Exploitation could allow an attacker to execute code remotely with root privileges or cause a denial-of-service (DoS) condition.	Nov 3, 2021	KEV
CVE-2021-26857	High	44.8%	MicrosoftExchange Server	Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.	Nov 3, 2021	KEV
CVE-2020-3452	High	94.5%	CiscoAdaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)	Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an improper input validation vulnerability when HTTP requests process URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.	Nov 3, 2021	KEV
CVE-2021-35464	High 9.8	94.4%	ForgeRockAccess Management (AM)	ForgeRock Access Management (AM) Core Server allows an attacker who sends a specially crafted HTTP request to one of three endpoints (/ccversion/Version, /ccversion/Masthead, or /ccversion/ButtonFrame) to execute code in the context of the current user (unless ForgeRock AM is running as root user, which the vendor does not recommend).	Nov 3, 2021	KEVExploit
CVE-2021-1497	High 9.8	94.4%	CiscoHyperFlex HX	Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the root user.	Nov 3, 2021	KEVExploit
CVE-2019-9082	High 8.8	94.3%	ThinkPHPThinkPHP	ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.	Nov 3, 2021	KEVExploit
CVE-2021-30633	High	38.2%	GoogleChromium Indexed DB API	Google Chromium Indexed DB API contains a use-after-free vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.	Nov 3, 2021	KEV
CVE-2021-30761	High	0.4%	AppleiOS	Apple iOS WebKit contains a memory corruption vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.	Nov 3, 2021	KEV

CVE-2021-30713KEV

High

Apple macOS Transparency, Consent, and Control (TCC) contains an unspecified permissions issue which may allow a malicious application to bypass privacy preferences.

AppleEPSS 0.1%

CVE-2021-27102KEV

High

Accellion FTA contains an OS command injection vulnerability exploited via a local web service call.

AccellionEPSS 0.3%

CVE-2020-8655KEV

High

EyesOfNetwork contains an improper privilege management vulnerability that may allow a user to run commands as root via a crafted Nmap Scripting Engine (NSE) script to nmap7.

EyesOfNetworkEPSS 87.6%

CVE-2019-16759KEV

High

The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

vBulletinCVSS 9.8EPSS 94.4%

Exploit

CVE-2020-25213KEV

High

WordPress File Manager plugin contains a remote code execution vulnerability that allows unauthenticated users to execute PHP code and upload malicious files on a target site.

WordPressEPSS 94.4%

CVE-2019-8394KEV

High

Zoho ManageEngine ServiceDesk Plus (SDP) contains an unspecified vulnerability that allows remote users to upload files via login page customization.

ZohoEPSS 87.3%

CVE-2020-1472KEV

High

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller. An attacker who successfully exploits the vulnerability could run a specially crafted application on a device on the network. The vulnerability is also known under the moniker of Zerologon.

MicrosoftEPSS 94.4%

CVE-2019-5591KEV

High

Fortinet FortiOS contains a default configuration vulnerability that may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the Lightweight Directory Access Protocol (LDAP) server.

FortinetEPSS 48.4%

CVE-2019-4716KEV

High

IBM Planning Analytics is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting.

IBMEPSS 91.5%

CVE-2019-15752KEV

High

Docker Desktop Community Edition contains a vulnerability that may allow local users to escalate privileges by placing a trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\.

DockerEPSS 46.9%

CVE-2018-13379KEV

High

Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.

fortinetCVSS 9.1EPSS 94.5%

CVE-2019-0604KEV

High

Microsoft SharePoint fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run remote code in the context of the SharePoint application pool and the SharePoint server farm account.

MicrosoftEPSS 94.4%

CVE-2020-3161KEV

High

Cisco IP Phones contain an improper input validation vulnerability for HTTP requests. Exploitation could allow an attacker to execute code remotely with root privileges or cause a denial-of-service (DoS) condition.

CiscoEPSS 83.1%

CVE-2021-26857KEV

High

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

MicrosoftEPSS 44.8%

CVE-2020-3452KEV

High

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an improper input validation vulnerability when HTTP requests process URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.

CiscoEPSS 94.5%

CVE-2021-35464KEV

High

ForgeRock Access Management (AM) Core Server allows an attacker who sends a specially crafted HTTP request to one of three endpoints (/ccversion/Version, /ccversion/Masthead, or /ccversion/ButtonFrame) to execute code in the context of the current user (unless ForgeRock AM is running as root user, which the vendor does not recommend).

ForgeRockCVSS 9.8EPSS 94.4%

Exploit

CVE-2021-1497KEV

High

Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the root user.

CiscoCVSS 9.8EPSS 94.4%

Exploit

CVE-2019-9082KEV

High

ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

ThinkPHPCVSS 8.8EPSS 94.3%

Exploit

CVE-2021-30633KEV

High

Google Chromium Indexed DB API contains a use-after-free vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

GoogleEPSS 38.2%

CVE-2021-30761KEV

High

Apple iOS WebKit contains a memory corruption vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.

AppleEPSS 0.4%

65 66 67 68 69 70 71