Disclosure Date: March 31, 2021 (last updated April 06, 2021)
On BIG-IP versions 16.0.x before 22.214.171.124, 15.1.x before 126.96.36.199, 14.1.x before 14.1.4, 13.1.x before 188.8.131.52, and 12.1.x before 184.108.40.206 amd BIG-IQ 7.1.0.x before 220.127.116.11 and 7.0.0.x before 18.104.22.168, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
Disclosure Date: November 11, 2020 (last updated November 17, 2020)
CVE-2020-17087 is a pool-based buffer overflow vulnerability in the Windows Kernel Cryptography Driver (cng.sys). The vulnerability arises from input/output controller (IOCTL) 0x390400 processing and could allow a local attacker to escalate privileges, including for sandbox escape. The vulnerability was initially released as a zero-day by Google's Project Zero team; it was patched on November 10, 2020, as part of Microsoft's November 2020 Patch Tuesday release.
Disclosure Date: April 30, 2020 (last updated August 28, 2020)
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
Disclosure Date: February 24, 2021 (last updated April 05, 2021)
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 22.214.171.124).
Disclosure Date: October 21, 2020 (last updated December 28, 2020)
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 126.96.36.199.0, 188.8.131.52.0, 184.108.40.206.0 and 220.127.116.11.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Disclosure Date: March 12, 2020 (last updated September 02, 2020)
This indicates an attack attempt to exploit a Buffer Overflow Vulnerability in Microsoft SMB Servers.
The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application.
Disclosure Date: June 03, 2020 (last updated August 03, 2020)
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.
Disclosure Date: June 04, 2019 (last updated July 26, 2021)
An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.