Category: alerts

Cyber Security Monitor Alerts News Notifications. We monitor and send notifications on the latest Cyber Security alerts, blogs, news on data breaches and emerging cyber threats.

alerts

16-Year-Old HP Printer-Driver Bug Impacts Millions of Windows Machines

Post author By admin
Post date July 20, 2021

The bug could allow cyberattackers to bypass security products, tamper with data and run code in kernel mode.

alerts

Significant Historical Cyber-Intrusion Campaigns Targeting ICS

Post author By admin
Post date July 20, 2021

Original release date: July 20, 2021

Protecting our Nation’s critical infrastructure is the responsibility of federal and state, local, tribal, and territorial (SLTT) governments and owners and operators of that infrastructure. The cybersecurity threats posed to the industrial control systems (ICS) that control and operate critical infrastructure are among the most significant and growing issues confronting our Nation.

To raise awareness of the risks to—and improve the cyber protection of—critical infrastructure, CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory as well as updates to five alerts and advisories. These alerts and advisories contain information on historical cyber-intrusion campaigns that have targeted ICS:

Joint CISA-FBI Cybersecurity Advisory (CSA): AA21-201A: Gas Pipeline Intrusion Campaign, 2011-2013 Note: CISA released the initial version of this publication to affected stakeholders in 2012.
ICS Joint Security Awareness Report: JSAR-12-241-01B: Shamoon/DistTrack Malware (Update B)
ICS Advisory: ICSA-14-178-01: ICS Focused Malware – Havex
ICS Alert: ICS-ALERT-14-281-01E: Ongoing Sophisticated Malware Campaign Compromising ICS (Update E)
ICS Alert: IR-ALERT-H-16-056-01: Cyber-Attack Against Ukrainian Critical Infrastructure
Technical Alert: TA17-163A: CrashOverride Malware

CISA urges critical infrastructure owners and operators to review the publications listed above and apply the mitigations in Joint CISA-FBI CSA AA21-201A: Gas Pipeline Intrusion Campaign, 2011-2013. CISA also encourages owners and operators to review AR-17-20045: Enhanced Analysis of Malicious Cyber Activity. These products contain threat actor tactics, techniques, and procedures (TTPs); technical indicators; and forensic analysis that critical infrastructure owners and operators can use to reduce their organizations’ exposure to cyber threats. Note: although these publications detail historical activity, the TTPs remain relevant to help network defenders protect against intrusions.

CISA encourages critical infrastructure owners and operators to report cyber incidents to CISA. Note: for information on the U.S. Department of State’s reward program for identifying persons who participate in the malicious cyber activities against U.S. critical infrastructure, see the U.S. Department of State press release.

This product is provided subject to this Notification and this Privacy & Use policy.

alerts

AA21-201A: Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013

Post author By admin
Post date July 20, 2021

Original release date: July 20, 2021

Summary

This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

Note: CISA released technical information, including indicators of compromise (IOCs), provided in this advisory in 2012 to affected organizations and stakeholders.

This Joint Cybersecurity Advisory—coauthored by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI)—provides information on a spearphishing and intrusion campaign conducted by state-sponsored Chinese actors that occurred from December 2011 to 2013, targeting U.S. oil and natural gas (ONG) pipeline companies.

CISA and the FBI provided incident response and remediation support to a number of victims of this activity. Overall, the U.S. Government identified and tracked 23 U.S. natural gas pipeline operators targeted from 2011 to 2013 in this spearphishing and intrusion campaign. Of the known targeted entities, 13 were confirmed compromises, 3 were near misses, and 8 had an unknown depth of intrusion.

The U.S. Government has attributed this activity to Chinese state-sponsored actors. CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk. Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.

This advisory provides information on this campaign, including tactics, techniques, and procedures (TTPs) and IOCs. The TTPs remain relevant to help network defenders protect against intrusions. The IOCs are provided for historical awareness.

CISA and the FBI urge owners and operators of Energy Sector and other critical infrastructure (CI) networks to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this advisory, which include implementing network segmentation between IT and industrial control system (ICS)/operational technology (OT) networks. These mitigations will improve a CI entity’s defensive cyber posture and functional resilience by reducing the risk of compromise or severe operational degradation if the system is compromised by malicious cyber actors, including but not limited to actors associated with the campaign described in this advisory.

For more information on Chinese malicious cyber activity, see us-cert.cisa.gov/china.

Click here for a PDF version of this report.

Technical Details

In April 2012, CISA received reports about targeted attacks directed at multiple ONG pipeline sites; CISA (via a predecessor organization) and FBI provided incident response and remediation support to a number of victims from 2012 to 2013. CISA and FBI’s analysis of the malware and threat actor techniques identified that this activity was related to a spearphishing campaign. The U.S. Government identified and tracked 23 U.S. natural gas pipeline operators targeted in this campaign. Of the 23 known targeted entities, 13 were confirmed compromises, 3 were near misses, and 8 had an unknown depth of intrusion.

Threat Actor Activity

The spearphishing activity appears to have started in late December 2011. From December 9, 2011, through at least February 29, 2012, ONG organizations received spearphishing emails [T1566.002] specifically targeting their employees. The emails were at constructed with a high level of sophistication to convince employees to view malicious files [T1204.002]. Note: see the appendix for a table of the MITRE ATT&CK tactics and techniques observed in this campaign.

In addition to spearphishing, CISA and the FBI were made aware of social engineering attempts by malicious actors believed to be associated with this campaign. The apparent goal was to gain sensitive information from asset owners [T1598]. One asset owner reported that individuals in their network engineering department, including managers, received multiple phone calls requesting information about their recent network security practices. Other employees in other departments were not targeted. The asset owner also reported that these calls began immediately after they had identified and removed the malicious intruder from their network and performed a system-wide credential reset. The caller identified himself as an employee of a large computer security firm performing a national survey about network cybersecurity practices. He inquired about the organization’s policy and practices for firewall use and settings, types of software used to protect their network, and the use and type of intrusion detection and/or prevention systems. The caller was blocking his caller ID and when the targeted organization tried to return the call, they reached a number that was not in service.

During the investigation of these compromises, CISA and FBI personnel discovered that Chinese state-sponsored actors specifically collected [TA0009] and exfiltrated [TA0010] ICS-related information. The Chinese state-sponsored actors searched document repositories [T1213] for the following data types:

Document searches: “SCAD*”
Personnel lists
Usernames/passwords
Dial-up access information
System manuals

Based on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. Though designed for legitimate business purposes, these systems have the potential to be manipulated by malicious cyber actors if unmitigated. With this access, the Chinese state-sponsored actors could have impersonated legitimate system operators to conduct unauthorized operations. According to the evidence obtained by CISA and FBI, the Chinese state-sponsored actors made no attempts to modify the pipeline operations of systems they accessed. Note: there was a significant number of cases where log data was not available, and the depth of intrusion and persistent impacts were unable to be determined; at least 8 of 23 cases (35 percent) identified in the campaign were assessed as having an unknown depth of intrusion due to the lack of log data.

CISA and FBI assess that during these intrusions, China was successful in accessing the supervisory control and data acquisition (SCADA) networks at several U.S. natural gas pipeline companies.

Chinese actors also gained information specific to dial-up access, including phone numbers, usernames, and passwords [T1120]. Dial-up modems continue to be prevalent in the Energy Sector, providing direct access into the ICS environment with little or no security and no monitoring, which makes them an optimal vector for hold-at-risk operations. The exfiltrated data provided the capabilities for the Chinese cyber actors to access ONG operational systems at a level where they could potentially conduct unauthorized operations.

Exfiltrated Information and Assessed Motives

The Chinese actors specifically targeted information that pertained to access of ICSs. Searches were made for terms involving “SCAD*,” and the actors exfiltrated documents, including personnel lists, usernames and passwords, dial-up access information, remote terminal unit (RTU) sites, and systems manuals. The Chinese actors also exfiltrated information pertaining to ICS permission groups and compromised jump points between corporate and ICS networks. The totality of this information would allow the actors to access ICS networks via multiple channels and would provide sufficient access to allow them to remotely perform unauthorized operations on the pipeline with physical consequences.

CISA and FBI assess that these intrusions were likely intended to gain strategic access to the ICS networks for future operations rather than for intellectual property theft. This assessment was based on the content of the data that was being exfiltrated and the TTPs used to gain that access. One victim organization set up a honeypot that contained decoy documents with content that appeared to be SCADA-related data and sensitive organizational information. According to this organization, the SCADA-related decoy content was exfiltrated within 15 minutes of the time it was made available in the honeypot. Other sensitive decoy information, including financial and business-related information, was ignored.

CISA and FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.

Indicators of Compromise

Table 1 lists indicators related to this spearphishing and intrusion campaign as of May 7, 2012, which are provided in this alert for historical completeness.

Table 1: IOCs from Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013

Type	Indicator	Filename
Malware	MD5:84873fae9cdecb84452fff9cca171004 ntshrui.dll
Malicious email content, including any attachments and/or message body	fpso.bigish[.]net
Malware	MD5:e12ce62cf7de42581c2fe1d7f36d521c ntshrui.dll
User agent string	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
User agent string	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Named pipe	ssnp
Possible command and control (C2) domain	<xxx>.arrowservice[.]net Where xxx is the targeted company name abbreviation
Malware	MD5:7361a1f33d48802d061605f34bf08fb0	spoolsvd.exe
Malware	5e6a033fa01739d9b517a468bd812162	AdobeUpdater.exe
Malware	e62afe2273986240746203f9d55496db	ins.exe
Malware	ed92d1242c0017668b93a72865b0876b	px.exe
Malware	6818a9aef22c0c2084293c82935e84fe	gh.exe
Malware	fcbbfadc992e265c351e54598a6f6dfb	fslist.exe
Malware	05476307f4beb3c0d9099270c504f055	u.exe
Malware	54db65a27472c9f3126df5bf91a773ea	slm.exe
Malware	a46a7045c0a3350c5a4c919fff2831a0	niu.exe
Malware	60456fe206a87f5422b214369af4260e	ccApp1.exe
Malware	d6eaadcbcf9ea9192db1bd5bb7462bf8	ntshrui.dll
Malware	52294de74a80beb1e579e5bca7c7248a	moonclient2.exe
Malware	e62afe2273986240746203f9d55496db	inn.exe
Malware	5e6a033fa01739d9b517a468bd812162	kkk.exe
Malware	4a8854363044e4d66bf34a0cd331d93d	inn.exe
Malware	124ad1778c65a83208dbefcec7706dc6	AcroRD32.exe
Malware	17199ddac616938f383a0339f416c890	iass.dll
Malicious email sender address	“(name of victim company official)@yahoo.com”
Malicious email content, including any attachments and/or message body	“If not read this paper, pay attention.”
Malicious email hyperlinked probable malware	The hyperlink indicated a “.zip” file and contained the words “quality specifications” in reference to a particular component or product unique to the victim U.S. corporation.
Malicious email signature block	Contained the name, title, phone number, and corporate email address of an actual victim company official.
Malicious attachment name		Project-seems-clear-for-takeoff.zip
Possible C2 domain	<xxx>.arrowservice[dot]net Where <xxx> may be the full name of the targeted company
Possible C2 domain	<xxx>.federalres[.]org
Possible C2 domain	<xxx>.businessconsults[.]net Where <xxx> may be the targeted company name abbreviation or full name
Possible C2 domain	idahoanad[dot]org
Possible C2 domain	energyreview.strangled[.]net
Possible C2 domain	blackcake[.]net
Possible C2 domain	infosupports[.]com
Malware	7caf4dbf53ff1dcd5bd5be92462b2995	iTunesHelper.exe
Malware	99b58e416c5e8e0bcdcd39ba417a08ed	Solarworldsummary.exe
Malware	f0a00cfd891059b70af96b807e9f9ab8	smss.exe
Malware	ea1b46fab56e7f12c4c2e36cce63d593	AcroRD32.exe
Malicious email content, including any attachments and/or message body	3d28651bb2d16eeaa6a35099c886fbaa	Election_2012_Analysis.pdf
Possible C2 domain	balancefitstudio[.]com
Possible C2 domain	res.federalres[.]org
Possible C2 domain	18center[.]com
Possible C2 domain	milk.crabdance[.]com
Possible C2 domain	bargainblog[.com[.]au
Possible C2 domain	etrace-it[.]com
Possible C2 domain	picture.wintersline[.]com
Possible C2 domain	wish.happyforever[.]com
Possible C2 domain	mitchellsrus[.]com
Possible C2 domain	un.linuxd[.]org
Malicious email content, including any attachments and/or message body		How_Can_Steelmakers_Compete_for_Growth_in_the_Steel_Sector_in_2012.zip
Malicious email content, including any attachments and/or message body		(Company Name)_Summary.zip
Malicious email content, including any attachments and/or message body	f5369e59a1ddca9b97ede327e98d8ffe	Solarworldsummary.zip
Malicious email content, including any attachments and/or message body		(Company Name)_to_Sell_RNGMS_to_(Company Name).zip
Malicious email content, including any attachments and/or message body		Gift-Winter.zip
Malicious email content, including any attachments and/or message body		Happy_New_Year.zip
Malicious email content, including any attachments and/or message body		Debt_Crisis_Hits_US.zip
Malicious email content, including any attachments and/or message body		01-12-RATEALERT.zip
Malicious email content, including any attachments and/or message body	fni.itgamezone[.]net

Mitigations

CISA and the FBI urge Energy Sector and other CI owners and operators to apply the following mitigations to implement a layered, defense-in-depth cyber posture. By implementing a layered approach, administrators will enhance the defensive cyber posture of their OT/ICS networks, reducing the risk of compromise or severe operational degradation if their system is compromised by malicious cyber actors.

Harden the IT/corporate network to reduce the risk of initial compromise.
- Update all software, including operating systems, applications, and firmware, in a timely manner. Consider using a centralized patch management system.
- Replace all end-of-life software and hardware devices.
- Restrict and manage remote access software. Remote access tools are a common method for threat actors to gain initial access and persistence on target networks.
  - Manage and restrict users and groups who are permitted to access remote capabilities. Permissions should be limited to users that require the capability to complete their duties.
  - Require multi-factor authentication (MFA) for remote access.
  - Limit access to resources over networks, especially by restricting Remote Desktop Protocol (RDP). If RDP is operationally necessary, restrict the originating sources and require MFA.
- Enable strong spam filters to prevent phishing emails from reaching end users.
- Implement unauthorized execution prevention by:
  - Disabling macro scrips from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
  - Implementing application allowlisting, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common malware locations, such as temporary folders supporting popular internet browsers.
- Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allow lists.
- Set antivirus/antimalware programs to regularly scan IT network assets using up-to-date signatures.

Implement and ensure robust network segmentation between IT and ICS networks to limit the ability of cyber threat actors to move laterally to ICS networks if the IT network is compromised.
- Implement a network topology for ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer. For more information refer to National Institute of Standard and Technology (NIST) Special Publication 800-82: Guide to ICS Security.
- Use one-way communication diodes to prevent external access, whenever possible.
- Set up demilitarized zones (DMZs) to create a physical and logical subnetwork that acts as an intermediary for connected security devices to avoid exposure.
- Employ reliable network security protocols and services where feasible.
- Consider using virtual local area networks (VLANs) for additional network segmentation, for example, by placing all printers in separate, dedicated VLANs and restricting users’ direct printer access.

Implement perimeter security between network segments to limit the ability of cyber threat actors to move laterally.
- Control traffic between network segments by using firewalls, intrusion detection systems (IDSs), and filter routers and switches.
- Implement network monitoring at key chokepoints—including egress points to the internet, between network segments, core switch locations—and at key assets or services (e.g., remote access services).
- Configure an IDS to create alarms for any ICS traffic outside normal operations (after establishing a baseline of normal operations and network traffic).
- Configure security incident and event monitoring (SIEM) to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.

Implement the following additional ICS environment best practices:
- Update all software. Use a risk-based assessment strategy to determine which ICS network and assets and zones should participate in the patch management program.
  - Test all patches in off-line text environments before implementation.
- Implement application allowlisting on human machine interfaces.
- Harden field devices, including tablets and smartphones.
- Replace all end-of-life software and hardware devices.
- Disable unused ports and services on ICS devices (after testing to ensure this will not affect ICS operation).
- Restrict and manage remote access software. Require MFA for remote access to ICS networks.
- Configure encryption and security for ICS protocols.
- Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
- Do not allow vendors to connect their devices to the ICS network. Use of a compromised device could introduce malware.
- Maintain an ICS asset inventory of all hardware, software, and supporting infrastructure technologies.
- Ensure robust physical security is in place to prevent unauthorized personal from accessing controlled spaces that house ICS equipment.
- Regularly test manual controls so that critical functions can be kept running if ICS/OT networks need to be taken offline.
- Manage the supply chain by adjusting the ICS procurement process to weigh cybersecurity heavily as part of the scoring and evaluation methodology. Additionally, establish contractual agreements for all outsourced services that ensure proper incident handling and reporting, security of interconnections, and remote access specifications and processes.

Implement the following additional best practices:
- Implement IP geo-blocking, as appropriate.
- Implement regular, frequent data backup procedures on both the IT and ICS networks. Data backup procedures should address the following best practices:
  - Ensure backups are regularly tested.
  - Store backups separately, i.e., backups should be isolated from network connections that could enable spread of malware or lateral movement.
  - Maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt.
  - Retain backup hardware to rebuild systems in the even rebuilding the primary system is not preferred.
- Implement a user training program to train employees to recognize spearphishing attempts, discourage users from visiting malicious websites or opening malicious attachments, and re-enforce appropriate user response to spearphishing emails.

APPENDIX: Tactics and Techniques

Table 2 provides a summary of the MITRE ATT&CK tactics and techniques observed in this campaign.

Table 2: Observed MITRE ATT&CK tactics and techniques

Tactic	Technique
Reconnaissance [TA0043]	Phishing for Information [T1598]
Initial Access [TA0001]	Phishing: Spearphishing Link [T1566.002]
Execution [TA0002]	User Execution: Malicious File [T1204.002]
Discovery [TA0007]	Peripheral Device Discovery [T1120]
Collection [TA0009]	Information from Document Repositories [T1213]
Exfiltration [TA0010]

Revisions

Initial Version: July 20, 2021

This product is provided subject to this Notification and this Privacy & Use policy.

alerts

Unpatched iPhone Bug Allows Remote Device Takeover

Post author By admin
Post date July 19, 2021

A format-string bug believed to be a low-risk denial-of-service issue turns out to be much nastier than expected.

alerts

Fortinet Releases Security Updates for FortiManager and FortiAnalyzer

Post author By admin
Post date July 19, 2021

Original release date: July 19, 2021

Fortinet has released security advisory FG-IR-21-067 to address a use-after-free vulnerability in the FortiManager fgfmsd daemon. A use-after-free condition occurs when a program marks a section of memory as free but then subsequently tries to use that memory, which could result in a program crash. The use of previously freed memory in FortiManager fgfmsd daemon may allow a remote, unauthenticated attacker to execute arbitrary code as root. This occurs via sending a specifically crafted request to the fgfm port of the targeted device.

Note that FortiAnalyzer is only vulnerable where it supports FortiManager features that have been enabled, on specific hardware, with a very specific upgrade path.

CISA encourages users and administrators to review Fortinet security advisory FG-IR-21-067 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

alerts

Vulnerability Summary for the Week of July 12, 2021

Post author By admin
Post date July 19, 2021

Original release date: July 19, 2021

High Vulnerabilities

Primary Vendor — Product	Description	Published	CVSS Score	Source & Patch Info
echobh — sharecare	Echo ShareCare 8.15.5 is susceptible to SQL injection vulnerabilities when processing remote input from both authenticated and unauthenticated users, leading to the ability to bypass authentication, exfiltrate Structured Query Language (SQL) records, and manipulate data.	2021-07-13	7.5	CVE-2021-33578 MISC
echobh — sharecare	An issue was discovered in Echo ShareCare 8.15.5. It does not perform authentication or authorization checks when accessing a subset of sensitive resources, leading to the ability for unauthenticated users to access pages that are vulnerable to attacks such as SQL injection.	2021-07-13	7.5	CVE-2021-36124 MISC
espruino — espruino	Buffer overflow vulnerability in function jsvGetStringChars in Espruino before RELEASE_2V09, allows remote attackers to execute arbitrary code.	2021-07-13	7.5	CVE-2020-22884 MISC
fortinet — forticlient	An improper symlink following in FortiClient for Mac 6.4.3 and below may allow an non-privileged user to execute arbitrary privileged shell commands during installation phase.	2021-07-12	7.2	CVE-2021-26089 CONFIRM
fortinet — fortimail	A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification.	2021-07-09	7.5	CVE-2021-24020 CONFIRM
fortinet — fortimail	Multiple improper neutralization of special elements of SQL commands vulnerabilities in FortiMail before 6.4.4 may allow a non-authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.	2021-07-09	7.5	CVE-2021-24007 CONFIRM
golang — go	golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/pkg/debug/gosym/pclntab_test.go creates a temporary file with predicable name and executes it as shell script.	2021-07-09	7.5	CVE-2012-2666 MISC MISC MISC MISC
google — android	In phNciNfc_RecvMfResp of phNxpExtns_MifareStd.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure over NFC with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-181346550	2021-07-14	7.8	CVE-2021-0596 MISC
google — android	In setNiNotification of GpsNetInitiatedHandler.java, there is a possible permissions bypass due to an empty mutable PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-8.1 Android-9Android ID: A-154319182	2021-07-14	7.2	CVE-2020-0417 MISC
google — android	In flv extractor, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-187161771	2021-07-14	7.2	CVE-2021-0577 MISC
google — android	In Factory::CreateStrictFunctionMap of factory.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-167389063	2021-07-14	10	CVE-2021-0515 MISC
google — android	In beginWrite and beginRead of MessageQueueBase.h, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-184963385	2021-07-14	7.2	CVE-2021-0585 MISC
google — android	In onCreate of ConfirmConnectActivity, there is a possible remote bypass of user consent due to improper input validation. This could lead to remote (proximal, NFC) escalation of privilege allowing an attacker to deceive a user into allowing a Bluetooth connection with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-176445224	2021-07-14	7.9	CVE-2021-0594 MISC
google — android	In StreamOut::prepareForWriting of StreamOut.cpp, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-185259758	2021-07-14	7.2	CVE-2021-0587 MISC
google — android	In BTM_TryAllocateSCN of btm_scn.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-180939982	2021-07-14	7.2	CVE-2021-0589 MISC
google — android	In various functions in WideVine, there are possible out of bounds writes due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-188061006	2021-07-14	9.3	CVE-2021-0592 MISC
google — android	In several functions of the V8 library, there is a possible use after free due to a race condition. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-9 Android-11 Android-8.1Android ID: A-162604069	2021-07-14	9.3	CVE-2021-0514 MISC
google — android	In onCreateOptionsMenu of WifiNetworkDetailsFragment.java, there is a possible way for guest users to view and modify Wi-Fi settings for all configured APs due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-177573895	2021-07-14	7.2	CVE-2021-0602 MISC
halo — halo	Remote Code Executon vulnerability in Halo 0.4.3 via the remoteAddr and themeName parameters.	2021-07-12	7.5	CVE-2020-18980 MISC
jsish — jsish	Integer overflow vulnerability in function Jsi_ObjSetLength in jsish before 3.0.6, allows remote attackers to execute arbitrary code.	2021-07-13	7.5	CVE-2020-22875 MISC MISC
jsish — jsish	Integer overflow vulnerability in function Jsi_ObjArraySizer in jsish before 3.0.8, allows remote attackers to execute arbitrary code.	2021-07-13	7.5	CVE-2020-22874 MISC MISC
jsish — jsish	Buffer overflow vulnerability in function NumberToPrecisionCmd in jsish before 3.0.7, allows remote attackers to execute arbitrary code.	2021-07-13	7.5	CVE-2020-22873 MISC
kaseya — vsa	Kaseya VSA before 9.5.5 allows remote code execution.	2021-07-09	7.5	CVE-2021-30118 MISC
kramerav — viaware	KramerAV VIAWare, all tested versions, allow privilege escalation through misconfiguration of sudo. Sudoers permits running of multiple dangerous commands, including unzip, systemctl and dpkg.	2021-07-12	7.5	CVE-2021-35064 MISC
linux — linux_kernel	An out-of-bounds memory write flaw was found in the Linux kernel’s joystick devices subsystem in versions before 5.9-rc1, in the way the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to crash the system or possibly escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.	2021-07-09	7.2	CVE-2021-3612 MISC MISC
linuxptp_project — linuxptp	A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. This flaw affects linuxptp versions before 3.1.1, before 2.0.1, before 1.9.3, before 1.8.1, before 1.7.1, before 1.6.1 and before 1.5.1.	2021-07-09	8	CVE-2021-3570 MISC DEBIAN FEDORA FEDORA
metinfo — metinfo	SQL Injection vulnerability in Metinfo 7.0.0beta in index.php.	2021-07-12	7.5	CVE-2020-21132 MISC MISC
metinfo — metinfo	SQL Injection vulnerability in Metinfo 7.0.0 beta in member/getpassword.php?lang=cn&a=dovalid.	2021-07-12	7.5	CVE-2020-21133 MISC MISC
microsoft — exchange_server	Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-34473.	2021-07-14	7.5	CVE-2021-31206 MISC
microsoft — windows_10	Windows Kernel Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-31979, CVE-2021-34514.	2021-07-14	7.2	CVE-2021-33771 MISC
microsoft — windows_10	Windows Security Account Manager Remote Protocol Security Feature Bypass Vulnerability	2021-07-14	7.5	CVE-2021-33757 MISC
microsoft — windows_10	Windows Secure Kernel Mode Security Feature Bypass Vulnerability	2021-07-14	7.2	CVE-2021-33744 MISC
microsoft — windows_10	Windows Kernel Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33771, CVE-2021-34514.	2021-07-14	7.2	CVE-2021-31979 MISC
microsoft — windows_10	Windows Media Remote Code Execution Vulnerability	2021-07-14	9.3	CVE-2021-33740 MISC
nextcloud — nextcloud_server	Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading.	2021-07-12	7.5	CVE-2021-32688 MISC CONFIRM MISC
nextcloud — nextcloud_server	Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.	2021-07-12	7.5	CVE-2021-32726 MISC MISC CONFIRM
ninjateam — filebird	The Filebird Plugin 4.7.3 introduced a SQL injection vulnerability as it is making SQL queries without escaping user input data from a HTTP post request. This is a major vulnerability as the user input is not escaped and passed directly to the get_col function and it allows SQL injection. The Rest API endpoint which invokes this function also does not have any required permissions/authentication and can be accessed by an anonymous user.	2021-07-12	7.5	CVE-2021-24385 CONFIRM MISC
putil-merge_project — putil-merge	Prototype pollution vulnerability in ‘putil-merge’ versions1.0.0 through 3.6.6 allows attacker to cause a denial of service and may lead to remote code execution.	2021-07-14	7.5	CVE-2021-25953 MISC
python — pillow	Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.	2021-07-13	7.5	CVE-2021-34552 MISC MISC
qualcomm — apq8009w_firmware	Buffer overflow in modem due to improper array index check before copying into it in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wearables	2021-07-13	10	CVE-2020-11307 CONFIRM
qualcomm — apq8017_firmware	Improper length check of public exponent in RSA import key function could cause memory corruption. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Voice & Music, Snapdragon Wearables	2021-07-13	7.2	CVE-2021-1890 CONFIRM
qualcomm — apq8017_firmware	Incorrect handling of pointers in trusted application key import mechanism could cause memory corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Voice & Music, Snapdragon Wearables	2021-07-13	7.2	CVE-2021-1886 CONFIRM
qualcomm — apq8017_firmware	Possible buffer overflow due to lack of length check in Trusted Application in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Voice & Music, Snapdragon Wearables	2021-07-13	7.2	CVE-2021-1889 CONFIRM
qualcomm — apq8017_firmware	Memory corruption in key parsing and import function due to double freeing the same heap allocation in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Voice & Music, Snapdragon Wearables	2021-07-13	7.2	CVE-2021-1888 CONFIRM
qualcomm — aqt1000_firmware	Possible buffer overflow due to improper validation of buffer length while processing fast boot commands in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music	2021-07-13	7.2	CVE-2021-1931 CONFIRM
qualcomm — aqt1000_firmware	Use after free can occur due to improper handling of response from firmware in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables	2021-07-13	7.2	CVE-2021-1940 CONFIRM
qualcomm — aqt1000_firmware	Possible buffer overflow due to lack of parameter length check during MBSSID scan IE parse in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking	2021-07-13	10	CVE-2021-1965 CONFIRM
sap — netweaver_as_abap	A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions – 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F, allows a high privileged attacker to inject code that can be executed by the application. An attacker could thereby delete some critical information and could make the SAP system completely unavailable.	2021-07-14	7.5	CVE-2021-33678 MISC MISC
solarwinds — dameware_mini_remote_control	In SolarWinds DameWare Mini Remote Control Server 12.0.1.200, insecure file permissions allow file deletion as SYSTEM.	2021-07-13	9.4	CVE-2021-31217 MISC MISC
totaljs — total.js	The package total.js before 3.4.9 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.	2021-07-12	7.5	CVE-2021-23389 MISC MISC MISC
totaljs — total4	The package total4 before 0.0.43 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.	2021-07-12	7.5	CVE-2021-23390 MISC MISC MISC
wms_project — wms	SQL Injection in WMS v1.0 allows remote attackers to execute arbitrary code via the “username” parameter in the component “chkuser.php”.	2021-07-12	7.5	CVE-2020-18544 MISC
wpdevart — poll,_survey,_questionnaire_and_voting_system	The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks	2021-07-12	7.5	CVE-2021-24442 CONFIRM MISC

Medium Vulnerabilities

Primary Vendor — Product	Description	Published	CVSS Score	Source & Patch Info
apache — ant	When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.	2021-07-14	4.3	CVE-2021-36373 MISC MISC MLIST MLIST MLIST
apache — ant	When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.	2021-07-14	4.3	CVE-2021-36374 MISC MISC MLIST MLIST MLIST
apache — tomcat	Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: – Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; – Tomcat honoured the identify encoding; and – Tomcat did not ensure that, if present, the chunked encoding was the final encoding.	2021-07-12	5	CVE-2021-33037 MISC
apache — tomcat	A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.	2021-07-12	5	CVE-2021-30639 MISC MLIST MLIST
artifex — mujs	Buffer overflow vulnerability in function jsG_markobject in jsgc.c in mujs before 1.0.8, allows remote attackers to cause a denial of service.	2021-07-13	5	CVE-2020-22886 MISC
artifex — mujs	Buffer overflow vulnerability in mujs before 1.0.8 due to recursion in the GC scanning phase, allows remote attackers to cause a denial of service.	2021-07-13	5	CVE-2020-22885 MISC
autodesk — design_review	A maliciously crafted PDF, PICT or TIFF file can be used to write beyond the allocated buffer while parsing PDF, PICT or TIFF files in Autodesk 2018, 2017, 2013, 2012, 2011. This vulnerability can be exploited to execute arbitrary code.	2021-07-09	6.8	CVE-2021-27036 MISC
autodesk — design_review	A maliciously crafted TIFF file in Autodesk 2018, 2017, 2013, 2012, 2011 can be forced to read and write beyond allocated boundaries when parsing the TIFF file. This vulnerability can be exploited to execute arbitrary code.	2021-07-09	6.8	CVE-2021-27039 MISC
autodesk — design_review	A Type Confusion vulnerability in Autodesk 2018, 2017, 2013, 2012, 2011 can occur when processing a maliciously crafted PDF file. An attacker can leverage this to execute arbitrary code.	2021-07-09	6.8	CVE-2021-27038 MISC
autodesk — design_review	A maliciously crafted PNG, PDF or DWF file in Autodesk 2018, 2017, 2013, 2012, 2011 can be used to attempt to free an object that has already been freed while parsing them. This vulnerability can be exploited by remote attackers to execute arbitrary code.	2021-07-09	6.8	CVE-2021-27037 MISC
autodesk — design_review	A heap-based buffer overflow could occur while parsing PICT or TIFF files in Autodesk 2018, 2017, 2013, 2012, 2011. This vulnerability can be exploited to execute arbitrary code.	2021-07-09	6.8	CVE-2021-27034 MISC
autodesk — design_review	A maliciously crafted TIFF, PDF, PICT or DWF files in Autodesk 2018, 2017, 2013, 2012, 2011 can be forced to read beyond allocated boundaries when parsing the TIFF, PDF, PICT or DWF files. This vulnerability can be exploited to execute arbitrary code.	2021-07-09	6.8	CVE-2021-27035 MISC
axiosys — bento4	A buffer overflow vulnerability in Ap4ElstAtom.cpp of Bento 1.5.1-628 leads to a denial of service (DOS).	2021-07-13	4.3	CVE-2020-19719 MISC
axiosys — bento4	An unhandled memory allocation failure in Core/Ap4Atom.cpp of Bento 1.5.1-628 causes a direct copy to NULL pointer dereference, leading to a denial of service (DOS).	2021-07-13	4.3	CVE-2020-19722 MISC
axiosys — bento4	An unhandled memory allocation failure in Core/AP4IkmsAtom.cpp of Bento 1.5.1-628 causes a NULL pointer dereference, leading to a denial of service (DOS).	2021-07-13	4.3	CVE-2020-19720 MISC
axiosys — bento4	An unhandled memory allocation failure in Core/Ap4Atom.cpp of Bento 1.5.1-628 causes a NULL pointer dereference, leading to a denial of service (DOS).	2021-07-13	4.3	CVE-2020-19718 MISC
axiosys — bento4	An unhandled memory allocation failure in Core/Ap48bdlAtom.cpp of Bento 1.5.1-628 causes a NULL pointer dereference, leading to a denial of service (DOS).	2021-07-13	4.3	CVE-2020-19717 MISC
axiosys — bento4	A heap buffer overflow vulnerability in Ap4TrunAtom.cpp of Bento 1.5.1-628 may lead to an out-of-bounds write while running mp42aac, leading to system crashes and a denial of service (DOS).	2021-07-13	4.3	CVE-2020-19721 MISC
baidu — umeditor	Cross Site Scripting (XSS) vulnerability in umeditor v1.2.3 via /public/common/umeditor/php/getcontent.php.	2021-07-14	4.3	CVE-2020-18145 MISC
bookingcore — booking_core	The “Subscribe” feature in Ultimate Booking System Booking Core 1.7.0 is vulnerable to CSV formula injection. The input containing the excel formula is not being sanitized by the application. As a result when admin in backend download and open the csv, content of the cells are executed.	2021-07-14	6.8	CVE-2020-25445 MISC
bookingcore — booking_core	Cross Site Request Forgery (CSRF) vulnerability in Booking Core – Ultimate Booking System Booking Core 1.7.0 . The CSRF token is not being validated when the request is sent as a GET method. This results in an unauthorized change in the user’s email ID, which can later be used to reset the password. The new password will be sent to a modified email ID.	2021-07-14	4.3	CVE-2020-27379 MISC
brave — brave	In Brave Desktop between versions 1.17 and 1.26.60, when adblocking is enabled and a proxy browser extension is installed, the CNAME adblocking feature issues DNS requests that used the system DNS settings instead of the extension’s proxy settings, resulting in possible information disclosure.	2021-07-12	4.3	CVE-2021-22916 MISC
brave — browser	Brave Browser Desktop between versions 1.17 and 1.20 is vulnerable to information disclosure by way of DNS requests in Tor windows not flowing through Tor if adblocking was enabled.	2021-07-12	4.3	CVE-2021-22917 MISC
codeblab — glass	The Glass WordPress plugin through 1.3.2 does not sanitise or escape its “Glass Pages” setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin did not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack.	2021-07-12	4.3	CVE-2021-24434 CONFIRM
dell — emc_unity_operating_environment	Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.1.0.0.5.394 contain a plain-text password storage vulnerability. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user.	2021-07-12	4.6	CVE-2021-21590 MISC
dell — emc_unity_operating_environment	Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.1.0.0.5.394 do not exit on failed Initialization. A local authenticated Service user could potentially exploit this vulnerability to escalate privileges.	2021-07-12	4.6	CVE-2021-21589 MISC
dell — emc_unity_operating_environment	Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.1.0.0.5.394 contain a plain-text password storage vulnerability. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user.	2021-07-12	4.6	CVE-2021-21591 MISC
dell — powerflex_presentation_server	Dell EMC PowerFlex, v3.5.x contain a Cross-Site WebSocket Hijacking Vulnerability in the Presentation Server/WebUI. An unauthenticated attacker could potentially exploit this vulnerability by tricking the user into performing unwanted actions on the Presentation Server and perform which may lead to configuration changes.	2021-07-12	4.3	CVE-2021-21588 MISC
delta_project — delta	dandavison delta before 0.8.3 on Windows resolves an executable’s pathname as a relative path from the current directory.	2021-07-13	4.4	CVE-2021-36376 CONFIRM MISC MISC
devolutions — devolutions_server	Devolutions Server before 2021.1.18, and LTS before 2020.3.20, allows attackers to intercept private keys via a man-in-the-middle attack against the connections/partial endpoint (which accepts cleartext).	2021-07-12	4.3	CVE-2021-36382 MISC
echobh — sharecare	An issue was discovered in Echo ShareCare 8.15.5. The TextReader feature in General/TextReader/TextReader.cfm is susceptible to a local file inclusion vulnerability when processing remote input in the textFile parameter from an authenticated user, leading to the ability to read arbitrary files on the server filesystems as well any files accessible via Universal Naming Convention (UNC) paths.	2021-07-13	4	CVE-2021-36123 MISC
echobh — sharecare	An issue was discovered in Echo ShareCare 8.15.5. The UnzipFile feature in Access/EligFeedParse_Sup/UnzipFile_Upd.cfm is susceptible to a command argument injection vulnerability when processing remote input in the zippass parameter from an authenticated user, leading to the ability to inject arbitrary arguments to 7z.exe.	2021-07-13	6.5	CVE-2021-36122 MISC
echobh — sharecare	An issue was discovered in Echo ShareCare 8.15.5. The file-upload feature in Access/DownloadFeed_Mnt/FileUpload_Upd.cfm is susceptible to an unrestricted upload vulnerability via the name1 parameter, when processing remote input from an authenticated user, leading to the ability for arbitrary files to be written to arbitrary filesystem locations via ../ Directory Traversal on the Z: drive (a hard-coded drive letter where ShareCare application files reside) and remote code execution as the ShareCare service user (NT AUTHORITYSYSTEM).	2021-07-13	6.5	CVE-2021-36121 MISC
edgexfoundry — edgex_foundry	EdgeX Foundry is an open source project for building a common open framework for internet-of-things edge computing. A vulnerability exists in the Edinburgh, Fuji, Geneva, and Hanoi versions of the software. When the EdgeX API gateway is configured for OAuth2 authentication and a proxy user is created, the client_id and client_secret required to obtain an OAuth2 authentication token are set to the username of the proxy user. A remote network attacker can then perform a dictionary-based password attack on the OAuth2 token endpoint of the API gateway to obtain an OAuth2 authentication token and use that token to make authenticated calls to EdgeX microservices from an untrusted network. OAuth2 is the default authentication method in EdgeX Edinburgh release. The default authentication method was changed to JWT in Fuji and later releases. Users should upgrade to the EdgeX Ireland release to obtain the fix. The OAuth2 authentication method is disabled in Ireland release. If unable to upgrade and OAuth2 authentication is required, users should create OAuth2 users directly using the Kong admin API and forgo the use of the `security-proxy-setup` tool to create OAuth2 users.	2021-07-09	5.8	CVE-2021-32753 MISC CONFIRM
edifecs — transaction_management	In Edifecs Transaction Management through 2021-07-12, an unauthenticated user can inject arbitrary text into a user’s browser via logon.jsp?logon_error= on the login screen of the Web application.	2021-07-12	5	CVE-2021-36381 MISC MISC
element-it — http_commander	A Directory Traversal vulnerability in the Unzip feature in Elements-IT HTTP Commander 5.3.3 allows remote authenticated users to write files to arbitrary directories via relative paths in ZIP archives.	2021-07-14	4	CVE-2021-33211 MISC MISC
element-it — http_commander	An SSRF vulnerability in the “Upload from URL” feature in Elements-IT HTTP Commander 5.3.3 allows remote authenticated users to retrieve HTTP and FTP files from the internal server network by inserting an internal address.	2021-07-14	4	CVE-2021-33213 MISC MISC
esri — arcgis_server	A stored Cross Site Scripting (XXS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application.	2021-07-10	4.3	CVE-2021-29107 CONFIRM
esri — arcgis_server	A reflected Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server version 10.8.1 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser.	2021-07-10	4.3	CVE-2021-29106 CONFIRM
esri — arcgis_server	A Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote, unauthenticated attacker to forge GET requests to arbitrary URLs from the system, potentially leading to network enumeration or facilitating other attacks.	2021-07-11	6.4	CVE-2021-29102 CONFIRM
esri — arcgis_server	A stored Cross Site Scripting (XXS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application.	2021-07-11	4.3	CVE-2021-29104 CONFIRM
esri — arcgis_server	A reflected Cross Site Scripting (XXS) vulnerability in ArcGIS Server version 10.8.1 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser.	2021-07-11	4.3	CVE-2021-29103 CONFIRM
eventespresso — event_espresso	A cross-site scripting (XSS) vulnerability in wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php in the Event Espresso Core plugin before 4.10.7.p for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.	2021-07-13	4.3	CVE-2020-26153 MISC MISC
exiv2 — exiv2	A buffer overflow vulnerability in the Databuf function in types.cpp of Exiv2 v0.27.1 leads to a denial of service (DOS).	2021-07-13	4.3	CVE-2020-19716 MISC
exiv2 — exiv2	An integer overflow vulnerability in the getUShort function of Exiv2 0.27.1 results in segmentation faults within the application, leading to a denial of service (DOS).	2021-07-13	4.3	CVE-2020-19715 MISC
fetchdesigns — sign-up_sheets	The Sign-up Sheets WordPress plugin before 1.0.14 does not not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue	2021-07-12	6	CVE-2021-24441 CONFIRM
fortinet — fortiap	An improper neutralization of special elements used in an OS Command vulnerability in FortiAP’s console 6.4.1 through 6.4.5 and 6.2.4 through 6.2.5 may allow an authenticated attacker to execute unauthorized commands by running the kdbg CLI command with specifically crafted arguments.	2021-07-09	4.6	CVE-2021-26106 CONFIRM
fortinet — fortimail	A missing release of memory after its effective lifetime vulnerability in the Webmail of FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6 may allow an unauthenticated remote attacker to exhaust available memory via specifically crafted login requests.	2021-07-12	5	CVE-2021-26090 CONFIRM
fortinet — fortimail	An improper neutralization of special elements used in an OS Command vulnerability in the administrative interface of FortiMail before 6.4.4 may allow an authenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.	2021-07-12	6.5	CVE-2021-24015 CONFIRM
fortinet — fortimail	A missing cryptographic step in the Identity-Based Encryption service of FortiMail before 7.0.0 may allow an unauthenticated attacker who intercepts the encrypted messages to manipulate them in such a way that makes the tampering and the recovery of the plaintexts possible.	2021-07-09	5	CVE-2021-26100 CONFIRM
fortinet — fortimail	Multiple Path traversal vulnerabilities in the Webmail of FortiMail before 6.4.4 may allow a regular user to obtain unauthorized access to files and data via specifically crafted web requests.	2021-07-12	4	CVE-2021-24013 CONFIRM
fortinet — fortimail	Missing cryptographic steps in the Identity-Based Encryption service of FortiMail before 7.0.0 may allow an attacker who comes in possession of the encrypted master keys to compromise their confidentiality by observing a few invariant properties of the ciphertext.	2021-07-12	4	CVE-2021-26099 CONFIRM
fortinet — fortimail	Multiple instances of incorrect calculation of buffer size in the Webmail and Administrative interface of FortiMail before 6.4.5 may allow an authenticated attacker with regular webmail access to trigger a buffer overflow and to possibly execute unauthorized code or commands via specifically crafted HTTP requests.	2021-07-09	6.5	CVE-2021-22129 CONFIRM
fortinet — fortisandbox	A concurrent execution using shared resource with improper synchronization (‘race condition’) in the command shell of FortiSandbox before 3.2.2 may allow an authenticated attacker to bring the system into an unresponsive state via specifically orchestrated sequences of commands.	2021-07-09	6.3	CVE-2020-29014 CONFIRM
foxitsoftware — foxit_reader	Foxit Reader before 10.1.4 and PhantomPDF before 10.1.4 produce incorrect PDF document signatures because the certificate name, document owner, and signature author are mishandled.	2021-07-09	4.3	CVE-2021-33795 MISC
foxitsoftware — foxit_reader	Foxit Reader before 10.1.4 and PhantomPDF before 10.1.4 have an out-of-bounds write via a crafted /Size key in the Trailer dictionary.	2021-07-09	6.8	CVE-2021-33792 MISC
getambassador — emissary-ingress	Emissary-Ingress (formerly Ambassador API Gateway) through 1.13.9 allows attackers to bypass client certificate requirements (i.e., mTLS cert_required) on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate authentication. The attacker must send an SNI specifying an unprotected backend and an HTTP Host header specifying a protected backend. (2.x versions are unaffected. 1.x versions are unaffected with certain configuration settings involving prune_unreachable_routes and a wildcard Host resource.)	2021-07-09	4.3	CVE-2021-36371 MISC MISC
google — android	In handleSendStatusChangeBroadcast of WifiDisplayAdapter.java, there is a possible leak of location-sensitive data due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-176541017	2021-07-14	4.9	CVE-2021-0518 MISC
google — android	In onCreate of DevicePickerFragment.java, there is a possible way to trick the user to select an unwanted bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-182584940	2021-07-14	6.9	CVE-2021-0586 MISC
google — android	In processInboundMessage of MceStateMachine.java, there is a possible SMS disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9Android ID: A-177238342	2021-07-14	4.9	CVE-2021-0588 MISC
google — android	In onCreate of PermissionActivity.java, there is a possible permission bypass due to Confusing UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174495520	2021-07-14	4.4	CVE-2021-0441 MISC
google — android	In onCreate of DeviceAdminAdd.java, there is a possible way to mislead a user to activate a device admin app due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-179042963	2021-07-14	6.9	CVE-2021-0600 MISC
google — android	In encodeFrames of avc_enc_fuzzer.cpp, there is a possible out of bounds write due to a double free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-180643802	2021-07-14	4.9	CVE-2021-0601 MISC
google — android	In onCreate of ContactSelectionActivity.java, there is a possible way to get access to contacts without permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-182809425	2021-07-14	4.4	CVE-2021-0603 MISC
google — android	In sendNetworkConditionsBroadcast of NetworkMonitor.java, there is a possible way for a privileged app to receive WiFi BSSID and SSID without location permissions due to a missing permission check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-175213041	2021-07-14	4.9	CVE-2021-0590 MISC
google — android	In onPackageAddedInternal of PermissionManagerService.java, there is possible access to external storage due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-171430330	2021-07-14	4.6	CVE-2021-0486 MISC
google — android	In scheduleTimeoutLocked of NotificationRecord.java, there is a possible disclosure of a sensitive identifier via broadcasted intent due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-175614289	2021-07-14	4.9	CVE-2021-0599 MISC
google — android	In notifyProfileAdded and notifyProfileRemoved of SipService.java, there is a possible way to retrieve SIP account names due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-176496502	2021-07-14	4.9	CVE-2021-0597 MISC
halo — halo	File Deletion vulnerability in Halo 0.4.3 via delBackup.	2021-07-12	6.4	CVE-2020-19038 MISC
halo — halo	Incorrect Access Control vulnearbility in Halo 0.4.3, which allows a malicious user to bypass encrption to view encrpted articles via cookies.	2021-07-12	5	CVE-2020-19037 MISC
halo — halo	Cross Siste Scripting (XSS) vulnerablity in Halo 0.4.3 via the X-forwarded-for Header parameter.	2021-07-12	4.3	CVE-2020-18979 MISC
halo — halo	SSRF vulnerability in Halo <=1.3.2 exists in the SMTP configuration, which can detect the server intranet.	2021-07-12	5	CVE-2020-23079 MISC
hms-networks — ecatcher	In HMS Ewon eCatcher through 6.6.4, weak filesystem permissions could allow malicious users to access files that could lead to sensitive information disclosure, modification of configuration files, or disruption of normal system operation.	2021-07-09	6	CVE-2021-33214 MISC MISC MISC MISC
hmtalk — daviewindy	DaviewIndy v8.98.7.0 and earlier versions have a Integer overflow vulnerability, triggered when the user opens a malformed format file that is mishandled by DaviewIndy. Attackers could exploit this and arbitrary code execution.	2021-07-12	6.8	CVE-2020-7872 MISC
huawei — harmonyos	A component of the HarmonyOS 2.0 has a Null Pointer Dereference Vulnerability. Local attackers may exploit this vulnerability to cause system denial of service.	2021-07-14	4.9	CVE-2021-22318 MISC
ibm — cloud_pak_for_applications	IBM Cloud Pak for Applications 4.3 could allow an authenticated user gain escalated privilesges due to improper application permissions. IBM X-Force ID: 196308.	2021-07-13	6.5	CVE-2021-20423 XF CONFIRM
ibm — cloud_pak_for_applications	IBM Cloud Pak for Applications 4.3 could disclose sensitive information to a malicious attacker by accessing data stored in memory. IBM X-Force ID: 196304.	2021-07-13	5	CVE-2021-20422 CONFIRM XF
ibm — cloud_pak_for_applications	IBM Cloud Pak for Applications 4.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 195361.	2021-07-13	4.3	CVE-2021-20369 CONFIRM XF
ibm — cloud_pak_for_applications	IBM Cloud Pak for Applications 4.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 195031.	2021-07-13	5	CVE-2021-20360 CONFIRM XF
ibm — cloud_pak_for_applications	IBM Cloud Pak for Applications 4.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. X-Force ID: 196309.	2021-07-13	4	CVE-2021-20424 XF CONFIRM
ibm — event_streams	IBM Event Streams 10.0, 10.1, 10.2, and 10.3 could allow a user the CA private key to create their own certificates and deploy them in the cluster and gain privileges of another user. IBM X-Force ID: 203450.	2021-07-12	6.5	CVE-2021-29792 CONFIRM XF
ibm — guardium_data_encryption	IBM Guardium Data Encryption (GDE) 3.0.0.2 could allow a user to bruce force sensitive information due to not properly limiting the number of interactions. IBM X-Force ID: 196216.	2021-07-12	4	CVE-2021-20414 CONFIRM XF
ibm — infosphere_information_server	IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 200966.	2021-07-09	4.3	CVE-2021-29712 CONFIRM XF
ibm — infosphere_information_server	IBM InfoSphere Information Server 11.7 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 201164.	2021-07-09	6.5	CVE-2021-29730 XF CONFIRM
ibm — mq_appliance	IBM MQ Appliance 9.1 and 9.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 191815.	2021-07-12	6.8	CVE-2020-4938 CONFIRM XF
ibm — tivoli_netcool/impact	IBM Tivoli Netcool/Impact 7.1.0.20 and 7.1.0.21 uses an insecure SSH server configuration which enables weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 203556.	2021-07-12	5	CVE-2021-29794 XF CONFIRM
icinga — icinga	Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged in users with access to said hosts or services. In order to protect the secrets from being visible to anyone, it’s possible to setup protection rules and blacklists in a user’s role. Protection rules result in `***` being shown instead of the original value, the key will remain. Backlists will hide a custom variable entirely from the user. Besides using the UI, custom variables can also be accessed differently by using an undocumented URL parameter. By adding a parameter to the affected routes, Icinga Web 2 will show these columns additionally in the respective list. This parameter is also respected when exporting to JSON or CSV. Protection rules and blacklists however have no effect in this case. Custom variables are shown as-is in the result. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, one may set up a restriction to hide hosts and services with the custom variable in question.	2021-07-12	4	CVE-2021-32747 MISC MISC CONFIRM MISC
ipfire — ipfire	Lightning Wire Labs IPFire 2.21 (x86_64) – Core Update 130 is affected by: Cross Site Scripting (XSS). The impact is: Session Hijacking (local). The component is: Affected at Routing configuration via the “Remark” text box or “remark” parameter. The attack vector is: Attacker need to craft the malicious javascript code.	2021-07-12	4.3	CVE-2020-19204 MISC MISC
jsish — jsish	Stack overflow vulnerability in function jsi_evalcode_sub in jsish before 3.0.18, allows remote attackers to cause a Denial of Service via a crafted value to the execute parameter.	2021-07-13	5	CVE-2020-22907 MISC
kaseya — vsa	SQL injection exists in Kaseya VSA before 9.5.6.	2021-07-09	6.5	CVE-2021-30117 MISC
kaseya — vsa	Local file inclusion exists in Kaseya VSA before 9.5.6.	2021-07-09	6.5	CVE-2021-30121 MISC
kaseya — vsa	Kaseya VSA through 9.5.7 allows attackers to bypass the 2FA requirement.	2021-07-09	5	CVE-2021-30120 MISC
kaseya — vsa	An XML External Entity (XXE) issue exists in Kaseya VSA before 9.5.6.	2021-07-09	6.5	CVE-2021-30201 MISC
linecorp — line	LINE client for iOS before 10.16.3 allows cross site script with specific header in WebView.	2021-07-13	4.3	CVE-2021-36214 MISC
linuxfoundation — grpc_swift	Mismanaged state in GRPCWebToHTTP2ServerCodec.swift in gRPC Swift 1.1.0 and 1.1.1 allows remote attackers to deny service by sending malformed requests.	2021-07-09	5	CVE-2021-36153 MISC MISC MISC
linuxfoundation — grpc_swift	LengthPrefixedMessageReader in gRPC Swift 1.1.0 and earlier allocates buffers of arbitrary length, which allows remote attackers to cause uncontrolled resource consumption and deny service.	2021-07-09	5	CVE-2021-36155 MISC MISC MISC
linuxfoundation — grpc_swift	HTTP2ToRawGRPCServerCodec in gRPC Swift 1.1.1 and earlier allows remote attackers to deny service via the delivery of many small messages within a single HTTP/2 frame, leading to Uncontrolled Recursion and stack consumption.	2021-07-09	5	CVE-2021-36154 MISC MISC MISC
linuxptp_project — linuxptp	A flaw was found in the ptp4l program of the linuxptp package. When ptp4l is operating on a little-endian architecture as a PTP transparent clock, a remote attacker could send a crafted one-step sync message to cause an information leak or crash. The highest threat from this vulnerability is to data confidentiality and system availability. This flaw affects linuxptp versions before 3.1.1 and before 2.0.1.	2021-07-09	5.5	CVE-2021-3571 MISC FEDORA FEDORA
metinfo — metinfo	SQL Injection vulnerability in MetInfo 7.0.0beta via admin/?n=language&c=language_web&a=doAddLanguage.	2021-07-12	6.5	CVE-2020-21131 MISC MISC
microfocus — netiq_advanced_authentication	Multi-Factor Authentication (MFA) functionality can be bypassed, allowing the use of single factor authentication in NetIQ Advanced Authentication versions prior to 6.3 SP4 Patch 1.	2021-07-12	4	CVE-2021-22515 CONFIRM
microsoft — bing	Microsoft Bing Search Spoofing Vulnerability	2021-07-14	4.3	CVE-2021-33753 MISC
microsoft — exchange_server	Microsoft Exchange Information Disclosure Vulnerability	2021-07-14	5	CVE-2021-33766 MISC MISC
microsoft — exchange_server	Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31206, CVE-2021-34473.	2021-07-14	6.5	CVE-2021-31196 MISC
microsoft — exchange_server	Microsoft Exchange Server Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-34470, CVE-2021-34523.	2021-07-14	5.2	CVE-2021-33768 MISC
microsoft — hevc_video_extensions	HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31947, CVE-2021-33775, CVE-2021-33776, CVE-2021-33777.	2021-07-14	6.8	CVE-2021-33778 MISC
microsoft — hevc_video_extensions	HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31947, CVE-2021-33776, CVE-2021-33777, CVE-2021-33778.	2021-07-14	6.8	CVE-2021-33775 MISC
microsoft — hevc_video_extensions	HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31947, CVE-2021-33775, CVE-2021-33777, CVE-2021-33778.	2021-07-14	6.8	CVE-2021-33776 MISC
microsoft — hevc_video_extensions	HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31947, CVE-2021-33775, CVE-2021-33776, CVE-2021-33778.	2021-07-14	6.8	CVE-2021-33777 MISC
microsoft — hevc_video_extensions	HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-33775, CVE-2021-33776, CVE-2021-33777, CVE-2021-33778.	2021-07-14	6.8	CVE-2021-31947 MISC
microsoft — open_enclave_software_development_kit	Open Enclave SDK Elevation of Privilege Vulnerability	2021-07-14	4.6	CVE-2021-33767 MISC
microsoft — power_bi_report_server	Power BI Remote Code Execution Vulnerability	2021-07-14	6.8	CVE-2021-31984 MISC
microsoft — windows_10	Windows Remote Access Connection Manager Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33773, CVE-2021-34445, CVE-2021-34456.	2021-07-14	4.6	CVE-2021-33761 MISC
microsoft — windows_10	Windows TCP/IP Driver Denial of Service Vulnerability This CVE ID is unique from CVE-2021-33772, CVE-2021-34490.	2021-07-14	5	CVE-2021-31183 MISC
microsoft — windows_10	Windows Desktop Bridge Elevation of Privilege Vulnerability	2021-07-14	4.6	CVE-2021-33759 MISC
microsoft — windows_10	Storage Spaces Controller Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-34460, CVE-2021-34510, CVE-2021-34512, CVE-2021-34513.	2021-07-14	4.6	CVE-2021-33751 MISC
microsoft — windows_10	Windows Projected File System Elevation of Privilege Vulnerability	2021-07-14	4.6	CVE-2021-33743 MISC
microsoft — windows_10	Windows Event Tracing Elevation of Privilege Vulnerability	2021-07-14	4.6	CVE-2021-33774 MISC
microsoft — windows_10	Windows Remote Access Connection Manager Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33761, CVE-2021-34445, CVE-2021-34456.	2021-07-14	4.6	CVE-2021-33773 MISC
microsoft — windows_10	Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability	2021-07-14	4.6	CVE-2021-33784 MISC
microsoft — windows_10	Windows Authenticode Spoofing Vulnerability	2021-07-14	4.3	CVE-2021-33782 MISC
microsoft — windows_10	Windows DNS Snap-in Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-33749, CVE-2021-33750, CVE-2021-33756.	2021-07-14	6.8	CVE-2021-33752 MISC
microsoft — windows_10	Windows Hyper-V Denial of Service Vulnerability This CVE ID is unique from CVE-2021-33755.	2021-07-14	4	CVE-2021-33758 MISC
microsoft — windows_10	Windows TCP/IP Driver Denial of Service Vulnerability This CVE ID is unique from CVE-2021-31183, CVE-2021-34490.	2021-07-14	5	CVE-2021-33772 MISC
microsoft — windows_10	Windows DNS Snap-in Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-33749, CVE-2021-33750, CVE-2021-33752.	2021-07-14	6.8	CVE-2021-33756 MISC
microsoft — windows_10	Windows Hyper-V Denial of Service Vulnerability This CVE ID is unique from CVE-2021-33758.	2021-07-14	5	CVE-2021-33755 MISC
microsoft — windows_10	Windows SMB Information Disclosure Vulnerability	2021-07-14	4	CVE-2021-33783 MISC
microsoft — windows_10	Windows AF_UNIX Socket Provider Denial of Service Vulnerability	2021-07-14	5	CVE-2021-33785 MISC
microsoft — windows_10	Azure AD Security Feature Bypass Vulnerability	2021-07-14	5.5	CVE-2021-33781 MISC
microsoft — windows_10	Windows DNS Snap-in Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-33750, CVE-2021-33752, CVE-2021-33756.	2021-07-14	6.8	CVE-2021-33749 MISC
microsoft — windows_10	Windows DNS Snap-in Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-33749, CVE-2021-33752, CVE-2021-33756.	2021-07-14	6.8	CVE-2021-33750 MISC
microsoft — windows_server_2008	Windows DNS Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-33746, CVE-2021-33754, CVE-2021-34494, CVE-2021-34525.	2021-07-14	6.5	CVE-2021-33780 MISC
microsoft — windows_server_2008	Windows Key Distribution Center Information Disclosure Vulnerability	2021-07-14	4.3	CVE-2021-33764 MISC
microsoft — windows_server_2008	Windows DNS Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-33754, CVE-2021-33780, CVE-2021-34494, CVE-2021-34525.	2021-07-14	6.5	CVE-2021-33746 MISC
microsoft — windows_server_2008	Windows DNS Server Denial of Service Vulnerability This CVE ID is unique from CVE-2021-34442, CVE-2021-34444, CVE-2021-34499.	2021-07-14	4	CVE-2021-33745 MISC
microsoft — windows_server_2008	Windows DNS Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-33746, CVE-2021-33780, CVE-2021-34494, CVE-2021-34525.	2021-07-14	6	CVE-2021-33754 MISC
microsoft — windows_server_2016	Windows ADFS Security Feature Bypass Vulnerability	2021-07-14	5.5	CVE-2021-33779 MISC
mikrotik — routeros	Mikrotik RouterOs before stable version 6.47 suffers from a memory corruption vulnerability in the /nova/bin/lcdstat process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference). NOTE: this is different from CVE-2020-20253 and CVE-2020-20254. All four vulnerabilities in the /nova/bin/lcdstat process are discussed in the CVE-2020-20250 github.com/cq674350529 reference.	2021-07-13	4	CVE-2020-20250 MISC MISC
mikrotik — routeros	Mikrotik RouterOs before stable version 6.47 suffers from a memory corruption vulnerability in the /nova/bin/lcdstat process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).	2021-07-13	4	CVE-2020-20252 MISC
mitre — caldera	A command injection vulnerability in the sandcat plugin of Caldera 2.3.1 and earlier allows authenticated attackers to execute any command or service.	2021-07-12	6.5	CVE-2020-19907 MISC
moddable — moddable	Issue was discovered in the fxParserTree function in moddable, allows attackers to cause denial of service via a crafted payload. Fixed in commit 723816ab9b52f807180c99fc69c7d08cf6c6bd61.	2021-07-13	5	CVE-2020-22882 MISC
nextcloud — nextcloud	Nextcloud Android Client is the Android client for Nextcloud. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.16.1, the Nextcloud Android client skipped a step that involved the client checking if a private key belonged to a previously downloaded public certificate. If the Nextcloud instance served a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. The vulnerability is patched in version 3.16.1. As a workaround, do not add additional end-to-end encrypted devices to a user account.	2021-07-12	5	CVE-2021-32727 CONFIRM MISC MISC MISC
nextcloud — nextcloud_mail	Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in version 1.9.6 and 1.10.0. No workarounds are known to exist.	2021-07-12	4	CVE-2021-32707 MISC MISC CONFIRM
nextcloud — nextcloud_server	Nextcloud Text is a collaborative document editing application that uses Markdown. A cross-site scripting vulnerability is present in versions prior to 19.0.13, 20.0.11, and 21.0.3. The Nextcloud Text application shipped with Nextcloud server used a `text/html` Content-Type when serving files to users. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. As a workaround, use a browser that has support for Content-Security-Policy.	2021-07-12	4.3	CVE-2021-32733 MISC MISC CONFIRM
nextcloud — nextcloud_server	Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.	2021-07-12	5	CVE-2021-32703 CONFIRM MISC MISC
nextcloud — nextcloud_server	Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.	2021-07-12	5	CVE-2021-32705 MISC MISC CONFIRM
nextcloud — nextcloud_server	Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames where not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename was passed unsanitized into a `DownloadResponse`, this could be used to trick users into downloading malicious files with a benign file extension. This would show in UI behaviours where Nextcloud applications would display a benign file extension (e.g. JPEG), but the file will actually be downloaded with an executable file extension. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. Administrators of Nextcloud instances do not have a workaround available, but developers of Nextcloud apps may manually escape the file name before passing it into `DownloadResponse`.	2021-07-12	6.8	CVE-2021-32679 CONFIRM MISC MISC
nextcloud — nextcloud_server	Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the installed applications on the Nextcloud Server, but could range from bypassing authentication ratelimits or spamming other Nextcloud users. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. No workarounds aside from upgrading are known to exist.	2021-07-12	5	CVE-2021-32678 MISC MISC CONFIRM
nextcloud — nextcloud_server	Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public share link mount endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.	2021-07-12	5	CVE-2021-32741 MISC MISC CONFIRM
nextcloud — nextcloud_server	Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, the Nextcloud Text application shipped with Nextcloud Server returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. As a workaround, one may disable the Nextcloud Text application in Nextcloud Server app settings.	2021-07-12	5	CVE-2021-32734 CONFIRM MISC MISC
nextcloud — nextcloud_server	Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.	2021-07-12	5	CVE-2021-32725 CONFIRM MISC MISC
nextcloud — talk	Nextcloud Talk is a fully on-premises audio/video and chat communication service. In versions prior to 11.2.2, if a user was able to reuse an earlier used username, they could get access to any chat message sent to the previous user with this username. The issue was patched in versions 11.2.2 and 11.3.0. As a workaround, don’t allow users to choose usernames themselves. This is the default behaviour of Nextcloud, but some user providers may allow doing so.	2021-07-12	4	CVE-2021-32689 MISC MISC MISC CONFIRM MISC
nodejs — node.js	Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().	2021-07-12	6.4	CVE-2021-22918 MISC MISC
nodejs — node.js	Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.	2021-07-12	4.4	CVE-2021-22921 MISC MISC
openvpn — openvpn	OpenVPN 3 Core Library version 3.6 and 3.6.1 allows a man-in-the-middle attacker to bypass the certificate authentication by issuing an unrelated server certificate using the same hostname found in the verify-x509-name option in a client configuration.	2021-07-12	5.8	CVE-2021-3547 MISC MISC
panasonic — fpwin_pro	Panasonic FPWIN Pro, all Versions 7.5.1.1 and prior, allows an attacker to craft a project file specifying a URI that causes the XML parser to access the URI and embed the contents, which may allow the attacker to disclose information that is accessible in the context of the user executing software.	2021-07-09	4.3	CVE-2021-32972 MISC
pbootcms — pbootcms	Incorrect Access Control vulnerability in PbootCMS 2.0.6 via the list parameter in the update function in upgradecontroller.php.	2021-07-09	4	CVE-2020-22535 MISC
pfsense — pfsense	Netgate pfSense Community Edition 2.4.4 – p2 (arm64) is affected by: Cross Site Scripting (XSS). The impact is: Session Hijacking, Information Leakage (local). The component is: pfSense Dashboard, Work-on-LAN Service configuration. The attack vector is: Inject the malicious JavaScript code in Description text box or parameter.	2021-07-12	4.3	CVE-2020-19203 MISC MISC
plugin-planet — prismatic	The Prismatic WordPress plugin before 2.8 does not escape the ‘tab’ GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator	2021-07-12	4.3	CVE-2021-24409 CONFIRM
pluginus — wordpress_meta_data_and_taxonomies_filter	Cross-site request forgery (CSRF) vulnerability in WordPress Meta Data Filter & Taxonomies Filter versions prior to v.1.2.8 and versions prior to v.2.2.8 allows remote attackers to hijack the authentication of administrators via unspecified vectors.	2021-07-14	6.8	CVE-2021-20781 MISC MISC MISC
putty — putty	PuTTY through 0.75 proceeds with establishing an SSH session even if it has never sent a substantive authentication response. This makes it easier for an attacker-controlled SSH server to present a later spoofed authentication prompt (that the attacker can use to capture credential data, and use that data for purposes that are undesired by the client user).	2021-07-09	5.8	CVE-2021-36367 MISC MISC
qualcomm — apq8009_firmware	Denial of service in SAP case due to improper handling of connections when association is rejected in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables	2021-07-13	5	CVE-2021-1955 CONFIRM
qualcomm — apq8053_firmware	Possible out of bound read due to lack of length check of FT sub-elements in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music	2021-07-13	5	CVE-2021-1970 CONFIRM
qualcomm — apq8053_firmware	Possible buffer overflow due to lack of length check in BA request in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile	2021-07-13	5	CVE-2021-1907 CONFIRM
qualcomm — apq8053_firmware	Possible buffer over read due to improper validation of IE size while parsing beacon from peer device in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking	2021-07-13	5	CVE-2021-1964 CONFIRM
qualcomm — apq8053_firmware	Possible buffer out of bound read can occur due to improper validation of TBTT count and length while parsing the beacon response in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking	2021-07-13	5	CVE-2021-1943 CONFIRM
qualcomm — apq8053_firmware	Possible buffer over read due to improper validation of data pointer while parsing FILS indication IE in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking	2021-07-13	5	CVE-2021-1954 CONFIRM
qualcomm — apq8053_firmware	Possible out of bound read due to lack of length check of Bandwidth-NSS IE in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking	2021-07-13	5	CVE-2021-1945 CONFIRM
qualcomm — aqt1000_firmware	Improper handling of received malformed FTMR request frame can lead to reachable assertion while responding with FTM1 frame in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking	2021-07-13	5	CVE-2021-1953 CONFIRM
qualcomm — aqt1000_firmware	Possible assertion due to improper verification while creating and deleting the peer in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking	2021-07-13	5	CVE-2021-1938 CONFIRM
qualcomm — ar7420_firmware	An assertion can be reached in the WLAN subsystem while using the Wi-Fi Fine Timing Measurement protocol in Snapdragon Wired Infrastructure and Networking	2021-07-13	5	CVE-2021-1887 CONFIRM
quickjs_project — quickjs	Buffer Overflow vulnerability in quickjs.c in QuickJS, allows remote attackers to cause denial of service. This issue is resolved in the 2020-07-05 release.	2021-07-13	5	CVE-2020-22876 MISC
redhat — keycloak	A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack.	2021-07-09	5	CVE-2021-3637 MISC
restsharp — restsharp	RestSharp < 106.11.8-alpha.0.13 uses a regular expression which is vulnerable to Regular Expression Denial of Service (ReDoS) when converting strings into DateTimes. If a server responds with a malicious string, the client using RestSharp will be stuck processing it for an exceedingly long time. Thus the remote server can trigger Denial of Service.	2021-07-12	5	CVE-2021-27293 MISC MISC
retty — retty	Retty App for Android versions prior to 4.8.13 and Retty App for iOS versions prior to 4.11.14 uses a hard-coded API key for an external service. By exploiting this vulnerability, API key for an external service may be obtained by analyzing data in the app.	2021-07-14	5	CVE-2021-20748 MISC MISC
retty — retty	Improper authorization in handler for custom URL scheme vulnerability in Retty App for Android versions prior to 4.8.13 and Retty App for iOS versions prior to 4.11.14 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.	2021-07-14	4.3	CVE-2021-20747 MISC MISC
rockwellautomation — micrologix_1100_firmware	Rockwell Automation MicroLogix 1100, all versions, allows a remote, unauthenticated attacker sending specially crafted commands to cause the PLC to fault when the controller is switched to RUN mode, which results in a denial-of-service condition. If successfully exploited, this vulnerability will cause the controller to fault whenever the controller is switched to RUN mode.	2021-07-09	5	CVE-2021-33012 MISC
salonbookingsystem — salon_booking_system	The Salon booking system WordPress plugin before 6.3.1 does not properly sanitise and escape the First Name field when booking an appointment, allowing low privilege users such as subscriber to set JavaScript in them, leading to a Stored Cross-Site Scripting (XSS) vulnerability. The Payload will then be triggered when an admin visits the “Calendar” page and the malicious script is executed in the admin context.	2021-07-12	4.3	CVE-2021-24429 CONFIRM
sap — 3d_visual_enterprise_viewer	SAP 3D Visual Enterprise Viewer, version – 9, allows a user to open manipulated CGM file received from untrusted sources which causes out of bounds write and causes the application to crash and becoming temporarily unavailable until the user restarts the application.	2021-07-14	4.3	CVE-2021-33681 MISC MISC
sap — 3d_visual_enterprise_viewer	SAP 3D Visual Enterprise Viewer, version – 9, allows a user to open manipulated CGM file received from untrusted sources which causes buffer overflow and causes the application to crash and becoming temporarily unavailable until the user restarts the application.	2021-07-14	4.3	CVE-2021-33680 MISC MISC
sap — businessobjects_web_intelligence	Under certain conditions, SAP Business Objects Web Intelligence (BI Launchpad) versions – 420, 430, allows an attacker to access jsp source code, through SDK calls, of Analytical Reporting bundle, a part of the frontend application, which would otherwise be restricted.	2021-07-14	4	CVE-2021-33667 MISC MISC
sap — customer_relationship_management	A missing authority check in SAP CRM, versions – 700, 701, 702, 712, 713, 714, could be leveraged by an attacker with high privileges to compromise confidentiality, integrity, or availability of the system.	2021-07-14	6.5	CVE-2021-33676 MISC MISC
sap — netweaver_abap	SAP NetWeaver ABAP Server and ABAP Platform, versions – 700, 702, 730, 731, 804, 740, 750, 784, expose functions to external which can lead to information disclosure.	2021-07-14	5	CVE-2021-33677 MISC MISC
sap — netweaver_application_server_java	When user with insufficient privileges tries to access any application in SAP NetWeaver Administrator (Administrator applications), version – 7.50, no security audit log is created. Therefore, security audit log Integrity is impacted.	2021-07-14	4	CVE-2021-33689 MISC MISC
sap — netweaver_application_server_java	SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions – 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability.	2021-07-14	5	CVE-2021-33670 MISC MISC
sap — netweaver_application_server_java	SAP NetWeaver AS JAVA (Enterprise Portal), versions – 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 reveals sensitive information in one of their HTTP requests, an attacker can use this in conjunction with other attacks such as XSS to steal this information.	2021-07-14	4	CVE-2021-33687 MISC MISC
sap — netweaver_guided_procedures	SAP NetWeaver Guided Procedures (Administration Workset), versions – 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. The impact of missing authorization could result to abuse of functionality restricted to a particular user group, and could allow unauthorized users to read, modify or delete restricted data.	2021-07-14	6.5	CVE-2021-33671 MISC MISC
segment — is-email	A ReDoS (regular expression denial of service) flaw was found in the Segment is-email package before 1.0.1 for Node.js. An attacker that is able to provide crafted input to the isEmail(input) function may cause an application to consume an excessive amount of CPU.	2021-07-14	5	CVE-2021-36716 MISC CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing SGI files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13404)	2021-07-13	6.8	CVE-2021-34319 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Jt981.dll library in affected applications lacks proper validation of user-supplied data when parsing JT files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13442)	2021-07-13	6.8	CVE-2021-34331 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Jt981.dll library in affected applications lacks proper validation of user-supplied data prior to performing further free operations on an object when parsing JT files. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13430)	2021-07-13	6.8	CVE-2021-34330 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Solid Edge SE2021 (All Versions < SE2021MP5), Teamcenter Visualization (All versions < V13.2). The plmxmlAdapterSE70.dll library in affected applications lacks proper validation of user-supplied data when parsing PAR files. This could result in an out of bounds write past the fixed-length heap-based buffer. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13427)	2021-07-13	6.8	CVE-2021-34329 CONFIRM CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Tiff_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing TIFF files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-13199)	2021-07-13	4.3	CVE-2021-34304 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Solid Edge SE2021 (All Versions < SE2021MP5), Teamcenter Visualization (All versions < V13.2). The plmxmlAdapterSE70.dll library in affected applications lacks proper validation of user-supplied data when parsing PAR files. This could result in an out of bounds write past the fixed-length heap-based buffer. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13422)	2021-07-13	6.8	CVE-2021-34326 CONFIRM CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Jt981.dll library in affected applications lacks proper validation of user-supplied data prior to performing further free operations on an object when parsing JT files. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13420)	2021-07-13	6.8	CVE-2021-34324 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Jt981.dll library in affected applications lacks proper validation of user-supplied data when parsing JT files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13419)	2021-07-13	6.8	CVE-2021-34323 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The DL180CoolType.dll library in affected applications lacks proper validation of user-supplied data when parsing PDF files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13380)	2021-07-13	6.8	CVE-2021-34316 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Solid Edge SE2021 (All Versions < SE2021MP5), Teamcenter Visualization (All versions < V13.2). The plmxmlAdapterSE70.dll library in affected applications lacks proper validation of user-supplied data when parsing ASM files. This could result in an out of bounds write past the fixed-length heap-based buffer. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13423)	2021-07-13	6.8	CVE-2021-34327 CONFIRM CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Tiff_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing TIFF files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-13343)	2021-07-13	4.3	CVE-2021-34307 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing SGI files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13356)	2021-07-13	6.8	CVE-2021-34315 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing SGI files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13355)	2021-07-13	6.8	CVE-2021-34314 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Tiff_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing TIFF files. This could result in an out of bounds write past the fixed-length heap-based buffer. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13354)	2021-07-13	6.8	CVE-2021-34313 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Tiff_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing TIFF files. This could result in an out of bounds write past the fixed-length heap-based buffer. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13353)	2021-07-13	6.8	CVE-2021-34312 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Mono_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing J2K files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13352)	2021-07-13	6.8	CVE-2021-34311 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Tiff_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing TIFF files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-13192)	2021-07-13	4.3	CVE-2021-34299 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing BMP files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-13197)	2021-07-13	4.3	CVE-2021-34302 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Tiff_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing TIFF files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-13198)	2021-07-13	4.3	CVE-2021-34303 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing PCT files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13403)	2021-07-13	6.8	CVE-2021-34318 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Solid Edge SE2021 (All Versions < SE2021MP5), Teamcenter Visualization (All versions < V13.2). The plmxmlAdapterSE70.dll library in affected applications lacks proper validation of user-supplied data when parsing PAR files. This could result in an out of bounds write past the fixed-length heap-based buffer. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13424)	2021-07-13	6.8	CVE-2021-34328 CONFIRM CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing PCX files. This could result in an out of bounds write past the fixed-length heap-based buffer. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13402)	2021-07-13	6.8	CVE-2021-34317 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Gif_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing GIF files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-12956)	2021-07-13	6.8	CVE-2021-34291 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing BMP files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13057)	2021-07-13	6.8	CVE-2021-34296 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Tiff_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing TIFF files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-12959)	2021-07-13	6.8	CVE-2021-34292 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The VisDraw.dll library in affected applications lacks proper validation of user-supplied data when parsing J2K files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-13414)	2021-07-13	4.3	CVE-2021-34321 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Jt981.dll library in affected applications lacks proper validation of user-supplied data when parsing JT files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-13406)	2021-07-13	4.3	CVE-2021-34320 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Jt981.dll library in affected applications lacks proper validation of user-supplied data when parsing JT files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-13421)	2021-07-13	4.3	CVE-2021-34325 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing BMP files. A malformed input file could result in an infinite loop condition that leads to denial of service condition. An attacker could leverage this vulnerability to consume excessive resources. (CNVD-C-2021-79300)	2021-07-13	4.3	CVE-2021-34332 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing BMP files. A malformed input file could result in double free of an allocated buffer that leads to a crash. An attacker could leverage this vulnerability to cause denial of service condition. (CNVD-C-2021-79295)	2021-07-13	4.3	CVE-2021-34333 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Tiff_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing TIFF files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13351)	2021-07-13	6.8	CVE-2021-34310 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing BMP files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-13344)	2021-07-13	4.3	CVE-2021-34308 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The JPEG2K_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing J2K files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-13416)	2021-07-13	4.3	CVE-2021-34322 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Tiff_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing TIFF files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13350)	2021-07-13	6.8	CVE-2021-34309 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Gif_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing GIF files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13024)	2021-07-13	6.8	CVE-2021-34295 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing BMP files. This could result in a memory corruption condition. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13342)	2021-07-13	6.8	CVE-2021-34306 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Gif_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing GIF files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13340)	2021-07-13	6.8	CVE-2021-34305 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Gif_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing GIF files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13020)	2021-07-13	6.8	CVE-2021-34293 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_Loader.dll library in affected applications lacks proper validation of user-supplied data prior to performing further free operations on an object when parsing BMP files. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13196)	2021-07-13	6.8	CVE-2021-34301 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Tiff_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing TIFF files. This could result in an out of bounds write past the end of an allocated buffer. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13194)	2021-07-13	6.8	CVE-2021-34300 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_Loader.dll library in affected applications lacks proper validation of user-supplied data prior to performing further free operations on an object when parsing BMP files. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13060)	2021-07-13	6.8	CVE-2021-34298 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Gif_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing GIF files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13023	2021-07-13	6.8	CVE-2021-34294 CONFIRM
siemens — jt2go	A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing BMP files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13059)	2021-07-13	6.8	CVE-2021-34297 CONFIRM
sonicwall — switch	Multiple Out-of-Bound read vulnerability in SonicWall Switch when handling LLDP Protocol allows an attacker to cause a system instability or potentially read sensitive information from the memory locations.	2021-07-09	6.8	CVE-2021-20024 CONFIRM
stormshield — endpoint_security	Stormshield Endpoint Security Evolution 2.0.0 through 2.0.2 does not accomplish the intended defense against local administrators who can replace the Visual C++ runtime DLLs (in %WINDIR%system32) with malicious ones.	2021-07-13	4.6	CVE-2021-35957 MISC MISC
stormshield — endpoint_security	SES Evolution before 2.1.0 allows deleting some resources not currently in use by any security policy by leveraging access to a computer having the administration console installed.	2021-07-13	4.3	CVE-2021-31225 MISC MISC
tipsandtricks-hq — software_license_manager	Cross-site request forgery (CSRF) vulnerability in Software License Manager versions prior to 4.4.6 allows remote attackers to hijack the authentication of administrators via unspecified vectors.	2021-07-14	6.8	CVE-2021-20782 MISC MISC MISC
vmware — cloud_foundation	SFCB (Small Footprint CIM Broker) as used in ESXi has an authentication bypass vulnerability. A malicious actor with network access to port 5989 on ESXi may exploit this issue to bypass SFCB authentication by sending a specially crafted request.	2021-07-13	6.8	CVE-2021-21994 MISC
vmware — cloud_foundation	OpenSLP as used in ESXi has a denial-of-service vulnerability due a heap out-of-bounds read issue. A malicious actor with network access to port 427 on ESXi may be able to trigger a heap out-of-bounds read in OpenSLP service resulting in a denial-of-service condition.	2021-07-13	5	CVE-2021-21995 MISC
vmware — thinapp	VMware Thinapp version 5.x prior to 5.2.10 contain a DLL hijacking vulnerability due to insecure loading of DLLs. A malicious actor with non-administrative privileges may exploit this vulnerability to elevate privileges to administrator level on the Windows operating system having VMware ThinApp installed on it.	2021-07-13	6.9	CVE-2021-22000 MISC FULLDISC
voidtools — everything	HTTP header injection vulnerability in Everything all versions except the Lite version may allow a remote attacker to inject an arbitrary script or alter the website that uses the product via unspecified vectors.	2021-07-14	5.8	CVE-2021-20784 MISC MISC MISC
wayang-cms_project — wayang-cms	A SQL injection vulnerability in wy_controlls/wy_side_visitor.php of Wayang-CMS v1.0 allows attackers to obtain sensitive database information.	2021-07-14	5	CVE-2020-29147 MISC
wayang-cms_project — wayang-cms	A cross site scripting (XSS) vulnerability in index.php of Wayang-CMS v1.0 allows attackers to execute arbitrary web scripts or HTML via a constructed payload created by adding the X-Forwarded-For field to the header.	2021-07-14	4.3	CVE-2020-29146 MISC
wire — wire	Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above.	2021-07-13	4	CVE-2021-32755 CONFIRM
xen-orchestra — xo-server	Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data is which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups.	2021-07-12	4	CVE-2021-36383 MISC
xml —	It was discovered that the XML::Atom Perl module before version 0.39 did not disable external entities when parsing XML from potentially untrusted sources. This may allow attackers to gain read access to otherwise protected resources, depending on how the library is used.	2021-07-09	5	CVE-2012-1102 MISC MISC
xmlsoft — libxml2	A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.	2021-07-09	4	CVE-2021-3541 MISC
yop-poll — yop_poll	In the YOP Poll WordPress plugin before 6.2.8, when a pool is created with the options “Allow other answers”, “Display other answers in the result list” and “Show results”, it can lead to Stored Cross-Site Scripting issues as the ‘Other’ answer is not sanitised before being output in the page. The execution of the XSS payload depends on the ‘Show results’ option selected, which could be before or after sending the vote for example.	2021-07-12	4.3	CVE-2021-24454 MISC CONFIRM

Low Vulnerabilities

Primary Vendor — Product	Description	Published	CVSS Score	Source & Patch Info
admincolumns — admin_columns	The Admin Columns WordPress plugin Free before 4.3.2 and Pro before 5.5.2 allowed to configure individual columns for tables. Each column had a type. The type “Custom Field” allowed to choose an arbitrary database column to display in the table. There was no escaping applied to the contents of “Custom Field” columns.	2021-07-12	3.5	CVE-2021-24365 CONFIRM MISC
blackcat-cms — blackcat_cms	A stored cross site scripting (XSS) vulnerability in the ‘Add Page’ feature of BlackCat CMS 1.3.6 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the ‘Title’ parameter.	2021-07-09	3.5	CVE-2020-25877 MISC MISC
blackcat-cms — blackcat_cms	A stored cross site scripting (XSS) vulnerability in the ‘Admin-Tools’ feature of BlackCat CMS 1.3.6 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the ‘Output Filters’ and ‘Droplets’ modules.	2021-07-09	3.5	CVE-2020-25878 MISC MISC
boldgrid — w3_total_cache	The W3 Total Cache WordPress plugin before 2.1.3 did not sanitise or escape some of its CDN settings, allowing high privilege users to use JavaScript in them, which will be output in the page, leading to an authenticated Stored Cross-Site Scripting issue	2021-07-12	3.5	CVE-2021-24427 MISC CONFIRM
codologic — codoforum	A stored cross site scripting (XSS) vulnerability in the ‘Manage Users’ feature of Codoforum v5.0.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the ‘Username’ parameter.	2021-07-09	3.5	CVE-2020-25879 MISC MISC
codologic — codoforum	A stored cross site scripting (XSS) vulnerability in the ‘Smileys’ feature of Codoforum v5.0.2 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payload entered into the ‘Smiley Code’ parameter.	2021-07-09	3.5	CVE-2020-25875 MISC MISC
codologic — codoforum	A stored cross site scripting (XSS) vulnerability in the ‘Pages’ feature of Codoforum v5.0.2 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payload entered into the ‘Page Title’ parameter.	2021-07-09	3.5	CVE-2020-25876 MISC MISC
cszcms — csz_cms	A cross site scripting vulnerability in CSZ CMS 1.2.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the ‘New Pages’ field under the ‘Pages Content’ module.	2021-07-09	3.5	CVE-2020-25391 MISC
cszcms — csz_cms	A cross site scripting (XSS) vulnerability in CSZ CMS 1.2.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the ‘New Article’ field under the ‘Article’ plugin.	2021-07-09	3.5	CVE-2020-25392 MISC
dotcms — dotcms	A reflected cross site scripting (XSS) vulnerability in dotAdmin/#/c/containers of dotCMS 21.05.1 allows attackers to execute arbitrary commands or HTML via a crafted payload.	2021-07-09	3.5	CVE-2021-35360 MISC
dotcms — dotcms	A reflected cross site scripting (XSS) vulnerability in dotAdmin/#/c/links of dotCMS 21.05.1 allows attackers to execute arbitrary commands or HTML via a crafted payload.	2021-07-09	3.5	CVE-2021-35361 MISC
dotcms — dotcms	A stored cross site scripting (XSS) vulnerability in dotAdmin/#/c/c_Images of dotCMS 21.05.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the ‘Title’ and ‘Filename’ parameters.	2021-07-09	3.5	CVE-2021-35358 MISC
element-it — http_commander	A Cross-site scripting (XSS) vulnerability in the “View in Browser” feature in Elements-IT HTTP Commander 5.3.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted SVG image.	2021-07-14	3.5	CVE-2021-33212 MISC MISC
emarketdegisn — request_a_quote	The Request a Quote WordPress plugin before 2.3.4 did not sanitise and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the ‘All Quotes” table.	2021-07-12	3.5	CVE-2021-24420 CONFIRM
esri — arcgis_server	A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server Services Directory version 10.8.1 and below may allow a remote authenticated attacker to pass and store malicious strings in the ArcGIS Services Directory.	2021-07-11	3.5	CVE-2021-29105 CONFIRM
eyecix — jobsearch_wp_job_board	The WP JobSearch WordPress plugin before 1.7.4 did not sanitise or escape multiple of its parameters from the my-resume page before outputting them in the page, allowing low privilege users to use JavaScript payloads in them and leading to a Stored Cross-Site Scripting issue	2021-07-12	3.5	CVE-2021-24421 CONFIRM MISC
fetchdesigns — sign-up_sheets	The Sign-up Sheets WordPress plugin before 1.0.14 did not sanitise or escape some of its fields when creating a new sheet, allowing high privilege users to add JavaScript in them, leading to a Stored Cross-Site Scripting issue. The payloads will be triggered when viewing the ‘All Sheets’ page in the admin dashboard	2021-07-12	3.5	CVE-2021-24440 CONFIRM
flowdroid_project — flowdroid	FlowDroid is a data flow analysis tool. FlowDroid versions prior to 2.9.0 contained an XML external entity (XXE) vulnerability that allowed an attacker who had control over the source/sink definition file in XML format to read files from external locations. In order for this to occur, the XML-based format for sources and sinks had to be used and the attacker had to able control the source/sink definition file. The vulnerability was patched in version 2.9.0. As a workaround, do not allow untrusted entities to control the source/sink definition file.	2021-07-12	3.5	CVE-2021-32754 CONFIRM
google — android	In generateFileInfo of BluetoothOppSendFileInfo.java, there is a possible way to share private files over Bluetooth due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-179910660	2021-07-14	1.9	CVE-2021-0604 MISC
halo — halo	Cross Sie Scripting (XSS) vulnerability in Halo 0.4.3 via CommentAuthorUrl.	2021-07-12	3.5	CVE-2020-18982 MISC
huawei — mate_20_firmware	There is a path traversal vulnerability in some Huawei products. The vulnerability is due to that the software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly validate the pathname. Successful exploit could allow the attacker to access a location that is outside of the restricted directory by a crafted filename. Affected product versions include:HUAWEI Mate 20 9.0.0.195(C01E195R2P1), 9.1.0.139(C00E133R3P1);HUAWEI Mate 20 Pro 9.0.0.187(C432E10R1P16), 9.0.0.188(C185E10R2P1), 9.0.0.245(C10E10R2P1), 9.0.0.266(C432E10R1P16), 9.0.0.267(C636E10R2P1), 9.0.0.268(C635E12R1P16), 9.0.0.278(C185E10R2P1); Hima-L29C 9.0.0.105(C10E9R1P16), 9.0.0.105(C185E9R1P16), 9.0.0.105(C636E9R1P16); Laya-AL00EP 9.1.0.139(C786E133R3P1); OxfordS-AN00A 10.1.0.223(C00E210R5P1); Tony-AL00B 9.1.0.257(C00E222R2P1).	2021-07-13	2.1	CVE-2021-22440 MISC
huawei — p30_firmware	The Bluetooth function of some Huawei smartphones has a DoS vulnerability. Attackers can install third-party apps to send specific broadcasts, causing the Bluetooth module to crash. This vulnerability is successfully exploited to cause the Bluetooth function to become abnormal. Affected product versions include: HUAWEI P30 10.0.0.195(C432E22R2P5), 10.0.0.200(C00E85R2P11), 10.0.0.200(C461E6R3P1), 10.0.0.201(C10E7R5P1), 10.0.0.201(C185E4R7P1), 10.0.0.206(C605E19R1P3), 10.0.0.209(C636E6R3P4), 10.0.0.210(C635E3R2P4), and versions earlier than 10.1.0.165(C01E165R2P11).	2021-07-13	2.1	CVE-2021-22399 MISC
ibm — cloud_pak_for_applications	IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 195035.	2021-07-13	3.5	CVE-2021-20364 CONFIRM XF
ibm — cloud_pak_for_applications	IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 195357.	2021-07-13	3.5	CVE-2021-20368 XF CONFIRM
ibm — cloud_pak_for_applications	IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 195037.	2021-07-13	3.5	CVE-2021-20366 CONFIRM XF
ibm — cloud_pak_for_applications	IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 195036.	2021-07-13	3.5	CVE-2021-20365 XF CONFIRM
ibm — cloud_pak_for_applications	IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 195034.	2021-07-13	3.5	CVE-2021-20363 CONFIRM XF
ibm — cloud_pak_for_applications	IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 195033.	2021-07-13	3.5	CVE-2021-20362 XF CONFIRM
ibm — cloud_pak_for_applications	IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 195032.	2021-07-13	3.5	CVE-2021-20361 XF CONFIRM
ibm — tivoli_netcool/omnibus_gui	IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204262.	2021-07-12	3.5	CVE-2021-29804 XF CONFIRM
ibm — tivoli_netcool/omnibus_gui	IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204263.	2021-07-12	3.5	CVE-2021-29805 CONFIRM XF
ibm — tivoli_netcool/omnibus_gui	IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204164.	2021-07-12	3.5	CVE-2021-29803 CONFIRM XF
ibm — tivoli_netcool/omnibus_gui	IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204349.	2021-07-12	3.5	CVE-2021-29822 CONFIRM XF
icinga — icinga	Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users.	2021-07-12	3.5	CVE-2021-32746 MISC CONFIRM MISC MISC
kaseya — vsa	Cross Site Scripting (XSS) exists in Kaseya VSA before 9.5.7.	2021-07-09	3.5	CVE-2021-30119 MISC
microsoft — windows_10	Media Foundation Information Disclosure Vulnerability	2021-07-14	2.1	CVE-2021-33760 MISC
microsoft — windows_10	Windows Remote Access Connection Manager Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-34454, CVE-2021-34457.	2021-07-14	2.1	CVE-2021-33763 MISC
microsoft — windows_10	Windows Installer Spoofing Vulnerability	2021-07-14	2.1	CVE-2021-33765 MISC
microsoft — windows_10	Windows InstallService Elevation of Privilege Vulnerability	2021-07-14	3.6	CVE-2021-31961 MISC
mozilo — mozilocms	A stored cross site scripting (XSS) vulnerability in moziloCMS 2.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the “Content” parameter.	2021-07-09	3.5	CVE-2020-25394 MISC
nextcloud — nextcloud_server	Nextcloud Server is a Nextcloud package that handles data storage. In versions priot to 19.0.13, 20.0.11, and 21.0.3, Nextcloud Server audit logging functionality wasn’t properly logging events for the unsetting of a share expiration date. This event is supposed to be logged. This issue is patched in versions 19.0.13, 20.0.11, and 21.0.3.	2021-07-12	2.1	CVE-2021-32680 CONFIRM MISC MISC
pfsense — pfsense	A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stored XSS was possible via the descr (description) parameter on NAT rules.	2021-07-12	3.5	CVE-2020-19201 MISC MISC MISC
plugin-planet — prismatic	The Prismatic WordPress plugin before 2.8 does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS trigger able in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability.	2021-07-12	3.5	CVE-2021-24408 CONFIRM
prothemedesign — browser_screenshots	The Browser Screenshots WordPress plugin before 1.7.6 allowed authenticated users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks as the image_class parameter of the browser-shot shortcode was not escaped.	2021-07-12	3.5	CVE-2021-24439 CONFIRM
publiccms — publiccms	Cross Site Scripting (XSS) vulnerability in PublicCMS 4.0 to get an admin cookie when the Administrator reviews submit case.	2021-07-09	3.5	CVE-2020-21333 MISC
qualcomm — apq8009_firmware	Possible buffer over-read due to lack of length check while flashing meta images in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables	2021-07-13	2.1	CVE-2021-1901 CONFIRM
qualcomm — apq8009_firmware	Possible Buffer Over-read due to lack of validation of boundary checks when loading splash image in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables	2021-07-13	2.1	CVE-2021-1897 CONFIRM
qualcomm — apq8009_firmware	Possible buffer over-read due to incorrect overflow check when loading splash image in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables	2021-07-13	2.1	CVE-2021-1898 CONFIRM
qualcomm — apq8009w_firmware	Possible buffer over read due to lack of length check while flashing meta images in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables	2021-07-13	2.1	CVE-2021-1899 CONFIRM
qualcomm — aqt1000_firmware	Weak configuration in WLAN could cause forwarding of unencrypted packets from one client to another in Snapdragon Compute, Snapdragon Connectivity	2021-07-13	3.3	CVE-2021-1896 CONFIRM
rukovoditel — rukovoditel	A stored cross site scripting (XSS) vulnerability in the ‘Users Access Groups’ feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the ‘Name’ parameter.	2021-07-09	3.5	CVE-2020-35986 MISC
rukovoditel — rukovoditel	A stored cross site scripting (XSS) vulnerability in the ‘Entities List’ feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the ‘Name’ parameter.	2021-07-09	3.5	CVE-2020-35987 MISC
rukovoditel — rukovoditel	A stored cross site scripting (XSS) vulnerability in the ‘Users Alerts’ feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the ‘Title’ parameter.	2021-07-09	3.5	CVE-2020-35984 MISC
rukovoditel — rukovoditel	A stored cross site scripting (XSS) vulnerability in the ‘Global Lists” feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the ‘Name’ parameter.	2021-07-09	3.5	CVE-2020-35985 MISC
sap — lumira_server	SAP Lumira Server version 2.4 does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with basic level privileges to store a malicious script on SAP Lumira Server. The execution of the script content, by a victim registered on SAP Lumira Server, could compromise the confidentiality and integrity of SAP Lumira content.	2021-07-14	3.5	CVE-2021-33682 MISC MISC
smooth_scroll_page_up/down_buttons_project — smooth_scroll_page_up/down_buttons	The Smooth Scroll Page Up/Down Buttons WordPress plugin through 1.4 does not properly sanitise and validate its psb_positioning settings, allowing high privilege users such as admin to set an XSS payload in it, which will be executed in all pages of the blog	2021-07-12	3.5	CVE-2021-24418 CONFIRM MISC
stormshield — endpoint_security	SES Evolution before 2.1.0 allows duplicating an existing security policy by leveraging access of a user having read-only access to security policies.	2021-07-13	2.9	CVE-2021-31224 MISC MISC
stormshield — endpoint_security	SES Evolution before 2.1.0 allows modifying security policies by leveraging access of a user having read-only access to security policies.	2021-07-13	2.3	CVE-2021-31220 MISC MISC
stormshield — endpoint_security	SES Evolution before 2.1.0 allows reading some parts of a security policy by leveraging access to a computer having the administration console installed.	2021-07-13	2.9	CVE-2021-31223 MISC MISC
stormshield — endpoint_security	SES Evolution before 2.1.0 allows updating some parts of a security policy by leveraging access to a computer having the administration console installed.	2021-07-13	2.9	CVE-2021-31222 MISC MISC
stormshield — endpoint_security	SES Evolution before 2.1.0 allows deleting some parts of a security policy by leveraging access to a computer having the administration console installed.	2021-07-13	2.9	CVE-2021-31221 MISC MISC
web-dorado — backup-wd	The Backup by 10Web â€“ Backup and Restore Plugin WordPress plugin through 1.0.20 does not sanitise or escape the tab parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue	2021-07-12	3.5	CVE-2021-24426 MISC CONFIRM
webfactoryltd — wp_reset	The WP Reset â€“ Most Advanced WordPress Reset Tool WordPress plugin before 1.90 did not sanitise or escape its extra_data parameter when creating a snapshot via the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue	2021-07-12	3.5	CVE-2021-24424 CONFIRM MISC
wp_youtube_lyte_project — wp_youtube_lyte	The WP YouTube Lyte WordPress plugin before 1.7.16 did not sanitise or escape its lyte_yt_api_key and lyte_notification settings before outputting them back in the page, allowing high privilege users to set XSS payload on them and leading to stored Cross-Site Scripting issues.	2021-07-12	3.5	CVE-2021-24419 CONFIRM MISC

Severity Not Yet Assigned

Primary Vendor — Product	Description	Published	CVSS Score	Source & Patch Info
1password_connect — 1password_connect	1Password Connect server before 1.2 is missing validation checks, permitting users to create Secrets Automation access tokens that can be used to perform privilege escalation. Malicious users authorized to create Secrets Automation access tokens can create tokens that have access beyond what the user is authorized to access, but limited to the existing authorizations of the Secret Automation the token is created in.	2021-07-16	not yet calculated	CVE-2021-36758 MISC
MdeModulePkg — MdeModulePkg	Insufficient input validation in MdeModulePkg in EDKII may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access.	2021-07-14	not yet calculated	CVE-2019-11098 MISC
acronis — true_image	Acronis True Image through 2021 on macOS allows local privilege escalation from admin to root due to insecure folder permissions.	2021-07-15	not yet calculated	CVE-2020-25593 MISC MISC
acronis — true_image	Acronis True Image 2019 update 1 through 2021 update 1 on macOS allows local privilege escalation due to an insecure XPC service configuration.	2021-07-15	not yet calculated	CVE-2020-25736 MISC MISC
acronis — true_image_2019	Acronis True Image for Mac before 2021 Update 4 allowed local privilege escalation due to insecure folder permissions.	2021-07-15	not yet calculated	CVE-2020-15496 MISC MISC
acronis — true_image_2019	Acronis True Image 2019 update 1 through 2020 on macOS allows local privilege escalation due to an insecure XPC service configuration.	2021-07-15	not yet calculated	CVE-2020-15495 MISC MISC
advantech — r-seenet	A local file inclusion (LFI) vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary PHP code execution. An attacker can send a crafted HTTP request to trigger this vulnerability.	2021-07-16	not yet calculated	CVE-2021-21804 MISC
advantech — r-seenet	This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution.	2021-07-16	not yet calculated	CVE-2021-21801 MISC
advantech — r-seenet	This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution.	2021-07-16	not yet calculated	CVE-2021-21802 MISC
advantech — r-seenet	This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution.	2021-07-16	not yet calculated	CVE-2021-21803 MISC
advantech — r-seenet	Cross-site scripting vulnerabilities exist in the ssh_form.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). If a user visits a specially crafted URL, it can lead to arbitrary JavaScript code execution in the context of the targeted user’s browser. An attacker can provide a crafted URL to trigger this vulnerability.	2021-07-16	not yet calculated	CVE-2021-21800 MISC
advantech — r-seenet	Cross-site scripting vulnerabilities exist in the telnet_form.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). If a user visits a specially crafted URL, it can lead to arbitrary JavaScript code execution in the context of the targeted user’s browser. An attacker can provide a crafted URL to trigger this vulnerability.	2021-07-16	not yet calculated	CVE-2021-21799 MISC
apache — commons_compress	When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress’ zip package.	2021-07-13	not yet calculated	CVE-2021-36090 MISC MISC MLIST MLIST MLIST MLIST MLIST MLIST
apache — commons_compress	When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress’ sevenz package.	2021-07-13	not yet calculated	CVE-2021-35515 MISC MISC MLIST MLIST
apache — commons_compress	When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress’ tar package.	2021-07-13	not yet calculated	CVE-2021-35517 MISC MISC MLIST MLIST MLIST MLIST MLIST
apache — commons_compress	When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress’ sevenz package.	2021-07-13	not yet calculated	CVE-2021-35516 MISC MISC MLIST MLIST
apache — mina_sshd	A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0	2021-07-12	not yet calculated	CVE-2021-30129 CONFIRM MLIST MLIST MLIST
apache — tomcat	A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.	2021-07-12	not yet calculated	CVE-2021-30640 MISC
booking_core — ultimate_booking_system_booking_core	Cross Site Scripting (XSS) vulnerability in Booking Core – Ultimate Booking System Booking Core 1.7.0 via the (1) “About Yourself” section under the “My Profile” page, ” (2) “Hotel Policy” field under the “Hotel Details” page, (3) “Pricing code” and “name” fields under the “Manage Tour” page, and (4) all the labels under the “Menu” section.	2021-07-14	not yet calculated	CVE-2020-25444 MISC
broadcom — bcm4352_and_bcm43684	A vulnerability exists in Broadcom BCM4352 and BCM43684 chips. Any wireless router using BCM4352 and BCM43684 will be affected, such as ASUS AX6100. An attacker may cause a Denial of Service (DoS) to any device connected to BCM4352 or BCM43684 routers via an association or reassociation frame.	2021-07-14	not yet calculated	CVE-2021-34174 MISC MISC
cartadis — gespage	Cartadis Gespage through 8.2.1 allows Directory Traversal in gespage/doDownloadData and gespage/webapp/doDownloadData.	2021-07-12	not yet calculated	CVE-2021-33807 MISC CONFIRM MISC
centreon — platform	An issue was discovered in Centreon-Web in Centreon Platform 20.10.0. A SQL injection vulnerability in “Configuration > Users > Contacts / Users” allows remote authenticated users to execute arbitrary SQL commands via the Additional Information parameters.	2021-07-16	not yet calculated	CVE-2021-28053 MISC MISC MISC
centreon — platform	An issue was discovered in Centreon-Web in Centreon Platform 20.10.0. A Stored Cross-Site Scripting (XSS) issue in “Configuration > Hosts” allows remote authenticated users to inject arbitrary web script or HTML via the Alias parameter.	2021-07-16	not yet calculated	CVE-2021-28054 MISC MISC MISC
chatwoot — chatwoot	chatwoot is vulnerable to Inefficient Regular Expression Complexity	2021-07-16	not yet calculated	CVE-2021-3649 MISC CONFIRM
cisco — adaptive_security_appliance	A vulnerability in the software cryptography module of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker or an unauthenticated attacker in a man-in-the-middle position to cause an unexpected reload of the device that results in a denial of service (DoS) condition. The vulnerability is due to a logic error in how the software cryptography module handles specific types of decryption errors. An attacker could exploit this vulnerability by sending malicious packets over an established IPsec connection. A successful exploit could cause the device to crash, forcing it to reload. Important: Successful exploitation of this vulnerability would not cause a compromise of any encrypted data. Note: This vulnerability affects only Cisco ASA Software Release 9.16.1 and Cisco FTD Software Release 7.0.0.	2021-07-16	not yet calculated	CVE-2021-1422 CISCO
d-link — dap-1330_routers	This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1330 1.13B01 BETA routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the Cookie HTTP header. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-12028.	2021-07-15	not yet calculated	CVE-2021-34830 MISC
d-link — dap-1330_routers	This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1330 1.13B01 BETA routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the SOAPAction HTTP header. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-12029.	2021-07-15	not yet calculated	CVE-2021-34827 MISC
d-link — dap-1330_routers	This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1330 1.13B01 BETA routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the SOAPAction HTTP header. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-12066.	2021-07-15	not yet calculated	CVE-2021-34828 MISC
d-link — dap-1330_routers	This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1330 1.13B01 BETA routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the HNAP_AUTH HTTP header. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-12065.	2021-07-15	not yet calculated	CVE-2021-34829 MISC
d-link — dir-3040	A hard-coded password vulnerability exists in the Zebra IP Routing Manager functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to a denial of service. An attacker can send a sequence of requests to trigger this vulnerability.	2021-07-16	not yet calculated	CVE-2021-21818 MISC
d-link — dir-3040	An information disclosure vulnerability exists in the Syslog functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability.	2021-07-16	not yet calculated	CVE-2021-21816 MISC
d-link — dir-3040	An information disclosure vulnerability exists in the Zebra IP Routing Manager functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send a sequence of requests to trigger this vulnerability.	2021-07-16	not yet calculated	CVE-2021-21817 MISC
d-link — dir-3040	A code execution vulnerability exists in the Libcli Test Environment functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.	2021-07-16	not yet calculated	CVE-2021-21819 MISC
d-link — dir-3040	A hard-coded password vulnerability exists in the Libcli Test Environment functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to code execution. An attacker can send a sequence of requests to trigger this vulnerability.	2021-07-16	not yet calculated	CVE-2021-21820 MISC
dell — emc_avamar_server	Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2 and 19.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1, 2.2, 2.3 and 2.4. contain an XML External Entity(XXE) Injection vulnerability. A remote unauthenticated malicious user could potentially exploit this vulnerability to cause Denial of Service or information exposure by supplying specially crafted document type definitions (DTDs) in an XML request.	2021-07-16	not yet calculated	CVE-2019-3752 MISC
dell — wyse_management_suite	Wyse Management Suite versions 3.2 and earlier contain an absolute path traversal vulnerability. A remote authenticated malicious user could exploit this vulnerability in order to read arbitrary files on the system.	2021-07-15	not yet calculated	CVE-2021-21586 MISC
dell — wyse_management_suite	Dell Wyse Management Suite versions 3.2 and earlier contain a full path disclosure vulnerability. A local unauthenticated attacker could exploit this vulnerability in order to obtain the path of files and folders.	2021-07-15	not yet calculated	CVE-2021-21587 MISC
depstech — wifi_digital_microscope_3	DEPSTECH WiFi Digital Microscope 3 allows remote attackers to change the SSID and password, and demand a ransom payment from the rightful device owner, because there is no way to reset to Factory Default settings.	2021-07-15	not yet calculated	CVE-2020-12734 MISC MISC
depstech — wifi_digital_microscope_3	Certain Shenzhen PENGLIXIN components on DEPSTECH WiFi Digital Microscope 3, as used by Shekar Endoscope, allow a TELNET connection with the molinkadmin password for the molink account.	2021-07-15	not yet calculated	CVE-2020-12733 MISC MISC
depstech — wifi_digital_microscope_3	DEPSTECH WiFi Digital Microscope 3 has a default SSID of Jetion_xxxxxxxx with a password of 12345678.	2021-07-15	not yet calculated	CVE-2020-12732 MISC MISC
discourse — discourse	Discourse is an open-source discussion platform. In Discourse versions 2.7.5 and prior, parsing and rendering of YouTube Oneboxes can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse’s default Content Security Policy. The issue is patched in `stable` version 2.7.6, `beta` version 2.8.0.beta3, and `tests-passed` version 2.8.0.beta3. As a workaround, ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks.	2021-07-15	not yet calculated	CVE-2021-32764 CONFIRM
dr.id — door_access_control_and_personnel_attendance_management_system	Dr. ID Door Access Control and Personnel Attendance Management system uses the hard-code admin default credentials that allows remote attackers to access the system through the default password and obtain the highest permission.	2021-07-16	not yet calculated	CVE-2021-35961 MISC MISC
dr.id — door_access_control_and_personnel_attendance_management_system	Specific page parameters in Dr. ID Door Access Control and Personnel Attendance Management system does not filter special characters. Remote attackers can apply Path Traversal means to download credential files from the system without permission.	2021-07-16	not yet calculated	CVE-2021-35962 MISC MISC
eclipse — jetty	For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.	2021-07-15	not yet calculated	CVE-2021-34429 CONFIRM
ecostructure — control_expert	Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause unauthorized access to a project file protected by a password when this file is shared with untrusted sources. An attacker may bypass the password protection and be able to view and modify a project file.	2021-07-14	not yet calculated	CVE-2021-22780 MISC
ecostructure — control_expert	Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause a leak of SMTP credential used for mailbox authentication when an attacker can access a project file.	2021-07-14	not yet calculated	CVE-2021-22781 MISC
ecostructure — control_expert	Authentication Bypass by Spoofing vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Control Expert V15.0 SP1, EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), SCADAPack RemoteConnect for x70 (all versions), Modicon M580 CPU (all versions – part numbers BMEP* and BMEH), Modicon M340 CPU (all versions – part numbers BMXP34), that could cause unauthorized access in read and write mode to the controller by spoofing the Modbus communication between the engineering software and the controller.	2021-07-14	not yet calculated	CVE-2021-22779 MISC
ecostructure — control_expert	Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause protected derived function blocks to be read or modified by unauthorized users when accessing a project file.	2021-07-14	not yet calculated	CVE-2021-22778 MISC
ecostructure — control_expert	Missing Encryption of Sensitive Data vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause an information leak allowing disclosure of network and process information, credentials or intellectual property when an attacker can access a project file.	2021-07-14	not yet calculated	CVE-2021-22782 MISC
ectouch — ectouch	SQL Injection Vulnerability in ECTouch v2 via the integral_min parameter in index.php.	2021-07-14	not yet calculated	CVE-2020-18144 MISC
elfinder.net.core — elfinder.net.core	This affects the package elFinder.Net.Core from 0 and before 1.2.4. The user-controlled file name is not properly sanitized before it is used to create a file system path.	2021-07-14	not yet calculated	CVE-2021-23407 MISC MISC MISC
espressif — esp32	An attacker can cause a Denial of Service and kernel panic in v4.2 and earlier versions of Espressif esp32 via a malformed beacon csa frame. The device requires a reboot to recover.	2021-07-14	not yet calculated	CVE-2021-34173 MISC MISC
fail2ban — fail2ban	fail2ban is a daemon to ban hosts that cause multiple authentication errors. In versions 0.9.7 and prior, 0.10.0 through 0.10.6, and 0.11.0 through 0.11.2, there is a vulnerability that leads to possible remote code execution in the mailing action mail-whois. Command `mail` from mailutils package used in mail actions like `mail-whois` can execute command if unescaped sequences (`n~`) are available in “foreign” input (for instance in whois output). To exploit the vulnerability, an attacker would need to insert malicious characters into the response sent by the whois server, either via a MITM attack or by taking over a whois server. The issue is patched in versions 0.10.7 and 0.11.3. As a workaround, one may avoid the usage of action `mail-whois` or patch the vulnerability manually.	2021-07-16	not yet calculated	CVE-2021-32749 MISC MISC CONFIRM
falco — falco	Falco through 0.28.1 has a Time-of-check Time-of-use (TOCTOU) Race Condition. Issue is fixed in Falco versions >= 0.29.1.	2021-07-15	not yet calculated	CVE-2021-33505 MISC
fossil — fossil	Fossil before 2.14.2 and 2.15.x before 2.15.2 often skips the hostname check during TLS certificate validation.	2021-07-12	not yet calculated	CVE-2021-36377 MISC
froala — wysiwyg	Froala WYSIWYG Editor 3.2.6-1 is affected by XSS due to a namespace confusion during parsing.	2021-07-16	not yet calculated	CVE-2021-28114 MISC MISC MISC
fsso — collector	An improper authentication vulnerability in FSSO Collector version 5.0.295 and below may allow an unauthenticated user to bypass a FSSO firewall policy and access the protected network via sending specifically crafted UDP login notification packets.	2021-07-12	not yet calculated	CVE-2021-26088 CONFIRM
gatsby — gatsby	Gatsby is a framework for building websites. The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected. A patch has been introduced in gatsby-source-wordpress@4.0.8 and gatsby-source-wordpress@5.9.2 which mitigates the issue by filtering all variables specified in the `auth: { }` section. Users that depend on this functionality are advised to upgrade to the latest release of gatsby-source-wordpress, run `gatsby clean` followed by a `gatsby build`. One may manually edit the app.js file post-build as a workaround.	2021-07-15	not yet calculated	CVE-2021-32770 CONFIRM
github — enterprise_server	A path traversal vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to read files on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.1.3 and was fixed in 3.1.3, 3.0.11, and 2.22.17. This vulnerability was reported via the GitHub Bug Bounty program.	2021-07-14	not yet calculated	CVE-2021-22867 MISC MISC MISC
go — go	The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.	2021-07-15	not yet calculated	CVE-2021-34558 MISC MISC MISC
google — android	In isRealSnapshot of TaskThumbnailView.java, there is possible data exposure due to a missing permission check. This could lead to local information disclosure from locked profiles with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-168802517References: N/A	2021-07-14	not yet calculated	CVE-2021-0654 MISC
hashicorp — consul	HashiCorp Consul before 1.10.1 (and Consul Enterprise) has Missing SSL Certificate Validation. xds does not ensure that the Subject Alternative Name of an upstream is validated.	2021-07-17	not yet calculated	CVE-2021-32574 MISC CONFIRM
hashicorp — consul	In HashiCorp Consul before 1.10.1 (and Consul Enterprise), xds can generate a situation where a single L7 deny intention (with a default deny policy) results in an allow action.	2021-07-17	not yet calculated	CVE-2021-36213 MISC CONFIRM
hitachi — abb_power_grids_esoms	Password autocomplete vulnerability in the web application password field of Hitachi ABB Power Grids eSOMS allows attacker to gain access to user credentials that are stored by the browser. This issue affects: Hitachi ABB Power Grids eSOMS version 6.3 and prior versions.	2021-07-14	not yet calculated	CVE-2021-35527 CONFIRM
ibm — infosphere_data_republican	IBM InfoSphere Data Replication 11.4 and IBM InfoSphere Change Data Capture for z/OS 10.2.1, under certain configurations, could allow a user to bypass authentication mechanisms using an empty password string. IBM X-Force ID: 189834	2021-07-16	not yet calculated	CVE-2020-4821 CONFIRM CONFIRM XF
ibm — infosphere_master_data_management_server	IBM InfoSphere Master Data Management Server 11.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 186324.	2021-07-16	not yet calculated	CVE-2020-4675 CONFIRM XF
ibm — qradar_siem	IBM QRadar SIEM 7.3 and 7.4 uses less secure methods for protecting data in transit between hosts when encrypt host connections is not enabled as well as data at rest. IBM X-Force ID: 192539.	2021-07-16	not yet calculated	CVE-2020-4980 CONFIRM XF
ibm — secure_external_authentication_server	IBM Secure External Authentication Server 2.4.3.2, 6.0.1, 6.0.2 and IBM Secure Proxy 3.4.3.2, 6.0.1, 6.0.2 could allow a remote user to consume resources causing a denial of service due to a resource leak.	2021-07-15	not yet calculated	CVE-2021-29725 CONFIRM XF CONFIRM
ibm — secure_external_authentication_server	IBM Secure External Authentication Server 6.0.2 and IBM Secure Proxy 6.0.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 201777.	2021-07-15	not yet calculated	CVE-2021-29749 XF CONFIRM CONFIRM
ibm — security_access_amanger	IBM Security Access Manager 9.0 and IBM Security Verify Access Docker 10.0.0 stores user credentials in plain clear text which can be read by an unauthorized user.	2021-07-15	not yet calculated	CVE-2021-20439 XF CONFIRM
ibm — security_verify_access_docker	IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 198660	2021-07-15	not yet calculated	CVE-2021-20523 XF CONFIRM
ibm — security_verify_access_docker	IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 198814	2021-07-15	not yet calculated	CVE-2021-20534 XF CONFIRM
ibm — security_verify_access_docker	IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 198300.	2021-07-15	not yet calculated	CVE-2021-20511 XF CONFIRM
ibm — security_verify_access_docker	IBM Security Verify Access Docker 10.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198661.	2021-07-15	not yet calculated	CVE-2021-20524 XF CONFIRM
ibm — security_verify_access_docker	IBM Security Verify Access Docker 10.0.0 could reveal highly sensitive information to a local privileged user. IBM X-Force ID: 197980.	2021-07-15	not yet calculated	CVE-2021-20500 XF CONFIRM
ibm — security_verify_access_docker	IBM Security Verify Access Docker 10.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 197969	2021-07-15	not yet calculated	CVE-2021-20497 XF CONFIRM
ibm — security_verify_access_docker	IBM Security Verify Access Docker 10.0.0 could allow an authenticated user to bypass input due to improper input validation. IBM X-Force ID: 197966.	2021-07-15	not yet calculated	CVE-2021-20496 XF CONFIRM
ibm — security_verify_access_docker	IBM Security Verify Access Docker 10.0.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 198813	2021-07-15	not yet calculated	CVE-2021-20533 XF CONFIRM
ibm — security_verify_access_docker	IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 197973	2021-07-15	not yet calculated	CVE-2021-20499 XF CONFIRM
ibm — security_verify_access_docker	IBM Security Verify Access Docker 10.0.0 could allow a user to impersonate another user on the system. IBM X-Force ID: 201483.	2021-07-15	not yet calculated	CVE-2021-29742 XF CONFIRM
ibm — security_verify_access_docker	IBM Security Verify Access Docker 10.0.0 reveals version information in HTTP requets that could be used in further attacks against the system. IBM X-Force ID: 197972.	2021-07-15	not yet calculated	CVE-2021-20498 XF CONFIRM
ibm — security_verify_access_docker	IBM Security Verify Access Docker 10.0.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 198299	2021-07-15	not yet calculated	CVE-2021-20510 XF CONFIRM
ibm — security_verify_access_docker	IBM Security Verify Access Docker 10.0.0 could allow a remote priviled user to upload arbitrary files with a dangerous file type that could be excuted by an user. IBM X-Force ID: 200600.	2021-07-15	not yet calculated	CVE-2021-29699 XF CONFIRM
ibm — security_verify_access_docker	IBM Security Verify Access Docker 10.0.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID:198918	2021-07-15	not yet calculated	CVE-2021-20537 XF CONFIRM
icinga — icinga	Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add, modify and delete information there. If credentials with more permissions are in use, this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases, these passwords are no longer exposed via the API. As a workaround, API user permissions can be restricted to not allow querying of any affected objects, either by explicitly listing only the required object types for object query permissions, or by applying a filter rule.	2021-07-15	not yet calculated	CVE-2021-32743 MISC CONFIRM
icinga — icinga	Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. From version 2.4.0 through version 2.12.4, a vulnerability exists that may allow privilege escalation for authenticated API users. With a read-ony user’s credentials, an attacker can view most attributes of all config objects including `ticket_salt` of `ApiListener`. This salt is enough to compute a ticket for every possible common name (CN). A ticket, the master node’s certificate, and a self-signed certificate are enough to successfully request the desired certificate from Icinga. That certificate may in turn be used to steal an endpoint or API user’s identity. Versions 2.12.5 and 2.11.10 both contain a fix the vulnerability. As a workaround, one may either specify queryable types explicitly or filter out ApiListener objects.	2021-07-15	not yet calculated	CVE-2021-32739 MISC CONFIRM
idrive — remotepc	iDrive RemotePC before 4.0.1 on Linux allows denial of service. A remote and unauthenticated attacker can disconnect a valid user session by connecting to an ephemeral port.	2021-07-15	not yet calculated	CVE-2021-34691 MISC MISC
idrive — remotepc	iDrive RemotePC before 7.6.48 on Windows allows information disclosure. A locally authenticated attacker can read an encrypted version of the system’s Personal Key in world-readable %PROGRAMDATA% log files. The encryption is done using a hard-coded static key and is therefore reversible by an attacker.	2021-07-15	not yet calculated	CVE-2021-34688 MISC MISC
idrive — remotepc	iDrive RemotePC before 7.6.48 on Windows allows information disclosure. A locally authenticated attacker can read the system’s Personal Key in world-readable %PROGRAMDATA% log files.	2021-07-15	not yet calculated	CVE-2021-34689 MISC MISC
idrive — remotepc	iDrive RemotePC before 7.6.48 on Windows allows authentication bypass. A remote and unauthenticated attacker can bypass cloud authentication to connect and control a system via TCP port 5970 and 5980.	2021-07-15	not yet calculated	CVE-2021-34690 MISC MISC
idrive — remotepc	iDrive RemotePC before 7.6.48 on Windows allows privilege escalation. A local and low-privileged user can force RemotePC to execute an attacker-controlled executable with SYSTEM privileges.	2021-07-15	not yet calculated	CVE-2021-34692 MISC MISC
idrive — remotepc	iDrive RemotePC before 7.6.48 on Windows allows information disclosure. A man in the middle can recover a system’s Personal Key when a client attempts to make a LAN connection. The Personal Key is transmitted over the network while only being encrypted via a substitution cipher.	2021-07-15	not yet calculated	CVE-2021-34687 MISC MISC
intel — bssa_dft	Insecure default variable initialization for the Intel BSSA DFT feature may allow a privileged user to potentially enable an escalation of privilege via local access.	2021-07-14	not yet calculated	CVE-2021-0144 MISC
intelliants — subrion_cms	SQL Injection vulnerability in Subrion CMS v4.2.1 in the search page if a website uses a PDO connection.	2021-07-14	not yet calculated	CVE-2020-18155 MISC
jamf — pro	Jamf Pro before 10.30.1 allows for an unvalidated URL redirect vulnerability affecting Jamf Pro customers who host their environments on-premises. An attacker may craft a URL that appears to be for a customer’s Jamf Pro instance, but when clicked will forward a user to an arbitrary URL that may be malicious. This is tracked via Jamf with the following ID: PI-009822	2021-07-12	not yet calculated	CVE-2021-35037 MISC MISC
jasper — image_coding_toolkit	A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.c	2021-07-15	not yet calculated	CVE-2021-27845 MISC
jfif_encode — jfif_encode	A global buffer overflow vulnerability in jfif_encode at jfif.c:701 of ffjpeg through 2020-06-22 allows attackers to cause a Denial of Service (DOS) via a crafted jpeg file.	2021-07-15	not yet calculated	CVE-2020-23705 MISC
jt — utilities	A vulnerability has been identified in JT Utilities (All versions < V13.0.2.0). When parsing specially crafted JT files, a race condition could cause an object to be released before being operated on, leading to NULL pointer deference condition and causing the application to crash. An attacker could leverage this vulnerability to cause a Denial-of-Service condition in the application.	2021-07-13	not yet calculated	CVE-2021-33715 CONFIRM
jt — utilities	A vulnerability has been identified in JT Utilities (All versions < V13.0.2.0). When parsing specially crafted JT files, a missing check for the validity of an iterator leads to NULL pointer deference condition, causing the application to crash. An attacker could leverage this vulnerability to cause a Denial-of-Service condition in the application.	2021-07-13	not yet calculated	CVE-2021-33714 CONFIRM
jt — utilities	A vulnerability has been identified in JT Utilities (All versions < V13.0.2.0). When parsing specially crafted JT files, a hash function is called with an incorrect argument leading the application to crash. An attacker could leverage this vulnerability to cause a Denial-of-Service condition in the application.	2021-07-13	not yet calculated	CVE-2021-33713 CONFIRM
juniper_networks — contrail_cloud	Juniper Networks Contrail Cloud (CC) releases prior to 13.6.0 have RabbitMQ service enabled by default with hardcoded credentials. The messaging services of RabbitMQ are used when coordinating operations and status information among Contrail services. An attacker with access to an administrative service for RabbitMQ (e.g. GUI), can use these hardcoded credentials to cause a Denial of Service (DoS) or have access to unspecified sensitive system information. This issue affects the Juniper Networks Contrail Cloud releases on versions prior to 13.6.0.	2021-07-15	not yet calculated	CVE-2021-0279 CONFIRM
juniper_networks — junos_os	A vulnerability in the handling of exceptional conditions in Juniper Networks Junos OS Evolved (EVO) allows an attacker to send specially crafted packets to the device, causing the Advanced Forwarding Toolkit manager (evo-aftmand-bt or evo-aftmand-zx) process to crash and restart, impacting all traffic going through the FPC, resulting in a Denial of Service (DoS). Continued receipt and processing of these packets will create a sustained Denial of Service (DoS) condition. Following messages will be logged prior to the crash: Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:32710470974358 label:1089551617 for session:18 probe:35 Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:19241453497049 label:1089551617 for session:18 probe:37 Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:19241453497049 label:1089551617 for session:18 probe:44 Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:32710470974358 label:1089551617 for session:18 probe:47 Feb 2 10:14:39 fpc0 audit[16263]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 pid=16263 comm=”EvoAftManBt-mai” exe=”/usr/sbin/evo-aftmand-bt” sig=11 Feb 2 10:14:39 fpc0 kernel: audit: type=1701 audit(1612260879.272:17): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=16263 comm=”EvoAftManBt-mai” exe=”/usr/sbin/evo-aftmand-bt” sig=1 This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R2-EVO; 21.1 versions prior to 21.1R2-EVO.	2021-07-15	not yet calculated	CVE-2021-0286 CONFIRM
juniper_networks — junos_os	An Improper Input Validation vulnerability in J-Web of Juniper Networks Junos OS allows a locally authenticated attacker to escalate their privileges to root over the target device. junos:18.3R3-S5 junos:18.4R3-S9 junos:19.1R3-S6 junos:19.3R2-S6 junos:19.3R3-S3 junos:19.4R1-S4 junos:19.4R3-S4 junos:20.1R2-S2 junos:20.1R3 junos:20.2R3-S1 junos:20.3X75-D20 junos:20.3X75-D30 junos:20.4R2-S1 junos:20.4R3 junos:21.1R1-S1 junos:21.1R2 junos:21.2R1 junos:21.3R1 This issue affects: Juniper Networks Junos OS 19.3 versions 19.3R1 and above prior to 19.3R2-S6, 19.3R3-S3; 19.4 versions prior to 19.4R3-S5; 20.1 versions prior to 20.1R2-S2, 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R2-S1, 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2. This issue does not affect Juniper Networks Junos OS versions prior to 19.3R1.	2021-07-15	not yet calculated	CVE-2021-0278 CONFIRM
juniper_networks — junos_os	On Juniper Networks Junos OS devices with Multipath or add-path feature enabled, processing a specific BGP UPDATE can lead to a routing process daemon (RPD) crash and restart, causing a Denial of Service (DoS). Continued receipt and processing of this UPDATE message will create a sustained Denial of Service (DoS) condition. This BGP UPDATE message can propagate to other BGP peers with vulnerable Junos versions on which Multipath or add-path feature is enabled, and cause RPD to crash and restart. This issue affects both IBGP and EBGP deployments in IPv4 or IPv6 network. Junos OS devices that do not have the BGP Multipath or add-path feature enabled are not affected by this issue. This issue affects: Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S18; 15.1 versions prior to 15.1R7-S9; 17.3 versions prior to 17.3R3-S11; 17.4 versions prior to 17.4R2-S13, 17.4R3-S4; 18.1 versions prior to 18.1R3-S12; 18.2 versions prior to 18.2R3-S7; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R2-S6, 18.4R3-S6; 19.1 versions prior to 19.1R3-S3;	2021-07-15	not yet calculated	CVE-2021-0282 CONFIRM
juniper_networks — junos_os	Improper Handling of Exceptional Conditions in Ethernet interface frame processing of Juniper Networks Junos OS allows an attacker to send specially crafted frames over the local Ethernet segment, causing the interface to go into a down state, resulting in a Denial of Service (DoS) condition. The interface does not recover on its own and the FPC must be reset manually. Continued receipt and processing of these frames will create a sustained Denial of Service (DoS) condition. This issue is platform-specific and affects the following platforms and line cards: * MPC7E/8E/9E and MPC10E on MX240, MX480, MX960, MX2008, MX2010, and MX2020 * MX204, MX10003, MX10008, MX10016 * EX9200, EX9251 * SRX4600 No other products or platforms are affected by this vulnerability. An indication of this issue occurring can be seen in the system log messages, as shown below: user@host> show log messages \| match “Failed to complete DFE tuning” fpc4 smic_phy_dfe_tuning_state: et-4/1/6 – Failed to complete DFE tuning (count 3) and interface will be in a permanently down state: user@host> show interfaces et-4/1/6 terse Interface Admin Link Proto Local Remote et-4/1/6 up down et-4/1/6.0 up down aenet –> ae101.0 This issue affects Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S7 on MX Series; 17.1R1 and later versions prior to 17.2R3-S3 on MX Series; 17.3 versions prior to 17.3R3-S8 on MX Series; 17.4 versions prior to 17.4R2-S11, 17.4R3-S1 on MX Series, SRX4600; 18.1 versions prior to 18.1R3-S10 on MX Series, EX9200 Series, SRX4600; 18.2 versions prior to 18.2R3-S3 on MX Series, EX9200 Series, SRX4600; 18.3 versions prior to 18.3R3-S1 on MX Series, EX9200 Series, SRX4600; 18.4 versions prior to 18.4R2-S3, 18.4R3 on MX Series, EX9200 Series, SRX4600; 19.1 versions prior to 19.1R2-S1, 19.1R3 on MX Series, EX9200 Series, SRX4600; 19.2 versions prior to 19.2R1-S3, 19.2R2 on MX Series, EX9200 Series, SRX4600; 19.3 versions prior to 19.3R2 on MX Series, EX9200 Series, SRX4600. This issue does not affect Juniper Networks Junos OS versions prior to 16.1R1.	2021-07-15	not yet calculated	CVE-2021-0290 CONFIRM
juniper_networks — junos_os	When user-defined ARP Policer is configured and applied on one or more Aggregated Ethernet (AE) interface units, a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability between the Device Control Daemon (DCD) and firewall process (dfwd) daemons of Juniper Networks Junos OS allows an attacker to bypass the user-defined ARP Policer. In this particular case the User ARP policer is replaced with default ARP policer. To review the desired ARP Policers and actual state one can run the command “show interfaces <> extensive” and review the output. See further details below. An example output is: show interfaces extensive \| match policer Policer: Input: __default_arp_policer__ <<< incorrect if user ARP Policer was applied on an AE interface and the default ARP Policer is displayed Policer: Input: jtac-arp-ae5.317-inet-arp <<< correct if user ARP Policer was applied on an AE interface For all platforms, except SRX Series: This issue affects Juniper Networks Junos OS: All versions 5.6R1 and all later versions prior to 18.4 versions prior to 18.4R2-S9, 18.4R3-S9 with the exception of 15.1 versions 15.1R7-S10 and later versions; 19.4 versions prior to 19.4R3-S3; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3-S2; 20.3 version 20.3R1 and later versions; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2; This issue does not affect Juniper Networks Junos OS versions prior to 5.6R1. On SRX Series this issue affects Juniper Networks Junos OS: 18.4 versions prior to 18.4R2-S9, 18.4R3-S9; 19.4 versions prior to 19.4R3-S4; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3-S2; 20.3 version 20.3R1 and later versions; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2. This issue does not affect 18.4 versions prior to 18.4R1 on SRX Series. This issue does not affect Junos OS Evolved.	2021-07-15	not yet calculated	CVE-2021-0289 CONFIRM
juniper_networks — junos_os	A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) of Juniper Networks Junos OS on the QFX10K Series switches allows an attacker to trigger a packet forwarding loop, leading to a partial Denial of Service (DoS). The issue is caused by DVMRP packets looping on a multi-homed Ethernet Segment Identifier (ESI) when VXLAN is configured. DVMRP packets received on a multi-homed ESI are sent to the peer, and then incorrectly forwarded out the same ESI, violating the split horizon rule. This issue only affects QFX10K Series switches, including the QFX10002, QFX10008, and QFX10016. Other products and platforms are unaffected by this vulnerability. This issue affects Juniper Networks Junos OS on QFX10K Series: 17.3 versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 version 18.2R1 and later versions; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R2-S9, 18.4R3-S8; 19.1 versions prior to 19.1R3-S5; 19.2 versions prior to 19.2R1-S7, 19.2R3-S2; 19.3 versions prior to 19.3R3-S2; 19.4 versions prior to 19.4R3-S3; 20.1 versions prior to 20.1R2-S2, 20.1R3; 20.2 versions prior to 20.2R3; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R2.	2021-07-15	not yet calculated	CVE-2021-0295 CONFIRM
juniper_networks — junos_os	An Exposure of System Data vulnerability in Juniper Networks Junos OS and Junos OS Evolved, where a sensitive system-level resource is not being sufficiently protected, allows a network-based unauthenticated attacker to send specific traffic which partially reaches this resource. A high rate of specific traffic may lead to a partial Denial of Service (DoS) as the CPU utilization of the RE is significantly increased. The SNMP Agent Extensibility (agentx) process should only be listening to TCP port 705 on the internal routing instance. External connections destined to port 705 should not be allowed. This issue affects: Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S9; 17.3 versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R2-S13, 17.4R3-S5; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R2-S8; 19.1 versions prior to 19.1R3-S5; 19.2 versions prior to 19.2R3-S2; 19.3 versions prior to 19.3R2-S6, 19.3R3-S2; 19.4 versions prior to 19.4R1-S4, 19.4R2-S4, 19.4R3; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R2; 20.3 versions prior to 20.3R2. Juniper Networks Junos OS Evolved versions prior to 20.3R2-EVO. This issue does not affect Juniper Networks Junos OS versions prior to 13.2R1.	2021-07-15	not yet calculated	CVE-2021-0291 CONFIRM
juniper_networks — junos_os	A vulnerability in Juniper Networks Junos OS caused by Missing Release of Memory after Effective Lifetime leads to a memory leak each time the CLI command ‘show system connections extensive’ is executed. The amount of memory leaked on each execution depends on the number of TCP connections from and to the system. Repeated execution will cause more memory to leak and eventually daemons that need to allocate additionally memory and ultimately the kernel to crash, which will result in traffic loss. Continued execution of this command will cause a sustained Denial of Service (DoS) condition. An administrator can use the following CLI command to monitor for increase in memory consumption of the netstat process, if it exists: user@junos> show system processes extensive \| match “username\|netstat” PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND 21181 root 100 0 5458M 4913M CPU3 2 0:59 97.27% netstat The following log message might be observed if this issue happens: kernel: %KERN-3: pid 21181 (netstat), uid 0, was killed: out of swap space This issue affects Juniper Networks Junos OS 18.2 versions prior to 18.2R2-S8, 18.2R3-S7. 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R1-S8, 18.4R2-S6, 18.4R3-S7; 19.1 versions prior to 19.1R1-S6, 19.1R2-S2, 19.1R3-S4; 19.2 versions prior to 19.2R1-S6, 19.2R3-S2; 19.3 versions prior to 19.3R2-S6, 19.3R3-S1; 19.4 versions prior to 19.4R1-S4, 19.4R2-S3, 19.4R3-S1; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R2-S1, 20.2R3; 20.3 versions prior to 20.3R1-S1, 20.3R2; This issue does not affect Juniper Networks Junos OS versions prior to 18.2R1.	2021-07-15	not yet calculated	CVE-2021-0293 CONFIRM
juniper_networks — junos_os	A vulnerability in Juniper Networks Junos OS, which only affects the release 18.4R2-S5, where a function is inconsistently implemented on Juniper Networks Junos QFX5000 Series and EX4600 Series, and if “storm-control enhanced” is configured, can lead to the enhanced storm control filter group not be installed. It will cause storm control not to work hence allowing an attacker to cause high CPU usage or packet loss issues by sending a large amount of broadcast or unknown unicast packets arriving the device. This issue affects Juniper Networks QFX5100, QFX5110, QFX5120, QFX5200, QFX5210, EX4600, and EX4650, and QFX5100 with QFX 5e Series image installed. QFX5130 and QFX5220 are not affected from this issue. This issue affects Juniper Networks Junos OS 18.4R2-S5 on QFX5000 Series and EX4600 Series. No other product or platform is affected by this vulnerability.	2021-07-15	not yet calculated	CVE-2021-0294 CONFIRM
juniper_networks — junos_os	An Out-of-bounds Read vulnerability in the processing of specially crafted LLDP frames by the Layer 2 Control Protocol Daemon (l2cpd) of Juniper Networks Junos OS and Junos OS Evolved may allow an attacker to cause a Denial of Service (DoS), or may lead to remote code execution (RCE). Continued receipt and processing of these frames, sent from the local broadcast domain, will repeatedly crash the l2cpd process and sustain the Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS: 12.3 versions prior to 12.3R12-S18; 15.1 versions prior to 15.1R7-S9; 17.3 versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R2-S13, 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R2-S8, 18.4R3-S8; 19.1 versions prior to 19.1R3-S5; 19.2 versions prior to 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S2; 19.4 versions prior to 19.4R1-S4, 19.4R2-S4, 19.4R3-S3; 20.1 versions prior to 20.1R2-S2, 20.1R3; 20.2 versions prior to 20.2R3-S1; 20.3 versions prior to 20.3R2-S1, 20.3R3; 20.4 versions prior to 20.4R2. Juniper Networks Junos OS Evolved versions prior to 20.4R2-EVO.	2021-07-15	not yet calculated	CVE-2021-0277 CONFIRM
juniper_networks — junos_os	A vulnerability in the processing of specific MPLS packets in Juniper Networks Junos OS on MX Series and EX9200 Series devices with Trio-based MPCs (Modular Port Concentrators) may cause FPC to crash and lead to a Denial of Service (DoS) condition. Continued receipt of this packet will sustain the Denial of Service (DoS) condition. This issue only affects MX Series and EX9200 Series with Trio-based PFEs (Packet Forwarding Engines). This issue affects Juniper Networks Junos OS on MX Series, EX9200 Series: 17.3 versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R2-S13, 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R2-S8, 18.4R3-S8; 19.1 versions prior to 19.1R3-S5; 19.2 versions prior to 19.2R3-S2; 19.3 versions prior to 19.3R2-S6, 19.3R3-S3; 19.4 versions prior to 19.4R1-S4, 19.4R2-S4, 19.4R3-S2; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R2-S2, 20.2R3; 20.3 versions prior to 20.3R2; 20.4 versions prior to 20.4R2;	2021-07-15	not yet calculated	CVE-2021-0288 CONFIRM
juniper_networks — junos_os	In a Segment Routing ISIS (SR-ISIS)/MPLS environment, on Juniper Networks Junos OS and Junos OS Evolved devices, configured with ISIS Flexible Algorithm for Segment Routing and sensor-based statistics, a flap of a ISIS link in the network, can lead to a routing process daemon (RPD) crash and restart, causing a Denial of Service (DoS). Continued link flaps will create a sustained Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS: 19.4 versions prior to 19.4R1-S4, 19.4R3-S2; 20.1 versions prior to 20.1R2-S1, 20.1R3; 20.2 versions prior to 20.2R2-S2, 20.2R3; 20.3 versions prior to 20.3R2; Juniper Networks Junos OS Evolved: 20.3-EVO versions prior to 20.3R2-EVO; 20.4-EVO versions prior to 20.4R2-EVO. This issue does not affect: Juniper Networks Junos OS releases prior to 19.4R1. Juniper Networks Junos OS Evolved releases prior to 19.4R1-EVO.	2021-07-15	not yet calculated	CVE-2021-0287 CONFIRM
juniper_networks — junos_os	On Juniper Networks Junos OS devices configured with BGP origin validation using Resource Public Key Infrastructure (RPKI) receipt of a specific packet from the RPKI cache server may cause routing process daemon (RPD) to crash and restart, creating a Denial of Service (DoS) condition. Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS 17.3 versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R2-S8, 18.4R3-S8; 19.1 versions prior to 19.1R3-S5; 19.2 versions prior to 19.2R3-S2; 19.3 versions prior to 19.3R2-S6, 19.3R3-S2; 19.4 versions prior to 19.4R2-S4, 19.4R3-S3; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3; 20.3 versions prior to 20.3R2; 20.4 versions prior to 20.4R2. Juniper Networks Junos OS Evolved All versions prior to 20.4R2-S2-EVO.	2021-07-15	not yet calculated	CVE-2021-0281 CONFIRM
juniper_networks — junos_os	An uncontrolled resource consumption vulnerability in Juniper Networks Junos OS on QFX5000 Series and EX4600 Series switches allows an attacker sending large amounts of legitimate traffic destined to the device to cause Interchassis Control Protocol (ICCP) interruptions, leading to an unstable control connection between the Multi-Chassis Link Aggregation Group (MC-LAG) nodes which can in turn lead to traffic loss. Continued receipt of this amount of traffic will create a sustained Denial of Service (DoS) condition. An indication that the system could be impacted by this issue is the following log message: “DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception LOCALNH:aggregate exceeded its allowed bandwidth at fpc <fpc number> for <n> times, started at <timestamp>” This issue affects Juniper Networks Junos OS on QFX5000 Series and EX4600 Series: 15.1 versions prior to 15.1R7-S9; 17.3 versions prior to 17.3R3-S11; 17.4 versions prior to 17.4R2-S13, 17.4R3-S5; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R2-S8, 18.4R3-S7; 19.1 versions prior to 19.1R3-S5; 19.2 versions prior to 19.2R1-S6, 19.2R3-S2; 19.3 versions prior to 19.3R2-S6, 19.3R3-S2; 19.4 versions prior to 19.4R1-S4, 19.4R2-S4, 19.4R3-S2; 20.1 versions prior to 20.1R2-S2, 20.1R3; 20.2 versions prior to 20.2R2-S3, 20.2R3; 20.3 versions prior to 20.3R2; 20.4 versions prior to 20.4R1-S1, 20.4R2.	2021-07-15	not yet calculated	CVE-2021-0285 CONFIRM
juniper_networks — junos_os	A buffer overflow vulnerability in the TCP/IP stack of Juniper Networks Junos OS allows an attacker to send specific sequences of packets to the device thereby causing a Denial of Service (DoS). By repeatedly sending these sequences of packets to the device, an attacker can sustain the Denial of Service (DoS) condition. The device will abnormally shut down as a result of these sent packets. A potential indicator of compromise will be the following message in the log files: “eventd[13955]: SYSTEM_ABNORMAL_SHUTDOWN: System abnormally shut down” These issue are only triggered by traffic destined to the device. Transit traffic will not trigger these issues. This issue affects: Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S19; 15.1 versions prior to 15.1R7-S10; 16.1 version 16.1R1 and later versions; 16.2 version 16.2R1 and later versions; 17.1 version 17.1R1 and later versions; 17.2 version 17.2R1 and later versions; 17.3 version 17.3R1 and later versions; 18.1 versions prior to 18.1R3-S13; 18.2 version 18.2R1 and later versions; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior ot 18.4R3-S9; 19.1 versions prior to 19.1R3-S6; 19.2 versions prior to 19.2R3-S3; 19.3 versions prior to 19.3R3-S3; 19.4 versions prior to 19.4R1-S4, 19.4R3-S5; 20.1 versions prior to 20.1R2-S2, 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R2-S1, 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2; 21.2 versions prior to 21.2R2.	2021-07-15	not yet calculated	CVE-2021-0283 CONFIRM
juniper_networks — junos_os	Due to an Improper Initialization vulnerability in Juniper Networks Junos OS on PTX platforms and QFX10K Series with Paradise (PE) chipset-based line cards, ddos-protection configuration changes made from the CLI will not take effect as expected beyond the default DDoS (Distributed Denial of Service) settings in the Packet Forwarding Engine (PFE). This may cause BFD sessions to flap when a high rate of specific packets are received. Flapping of BFD sessions in turn may impact routing protocols and network stability, leading to a Denial of Service (DoS) condition. Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue affects only the following platforms with Paradise (PE) chipset-based line cards: PTX1000, PTX3000 (NextGen), PTX5000, PTX10008, PTX10016 Series and QFX10002 Series. This issue affects: Juniper Networks Junos OS 17.4 versions prior to 17.4R3-S5 on PTX Series, QFX10K Series; 18.2 versions prior to 18.2R3-S8 on PTX Series, QFX10K Series; 18.3 versions prior to 18.3R3-S5 on PTX Series, QFX10K Series; 18.4 versions prior to 18.4R2-S8 on PTX Series, QFX10K Series; 19.1 versions prior to 19.1R3-S5 on PTX Series, QFX10K Series; 19.2 versions prior to 19.2R3-S2 on PTX Series, QFX10K Series; 19.3 versions prior to 19.3R3-S2 on PTX Series, QFX10K Series; 19.4 versions prior to 19.4R3-S2 on PTX Series, QFX10K Series; 20.1 versions prior to 20.1R3 on PTX Series, QFX10K Series; 20.2 versions prior to 20.2R2-S3, 20.2R3 on PTX Series, QFX10K Series; 20.3 versions prior to 20.3R2 on PTX Series, QFX10K Series; 20.4 versions prior to 20.4R2 on PTX Series, QFX10K Series.	2021-07-15	not yet calculated	CVE-2021-0280 CONFIRM
juniper_networks — junos_os	An Uncontrolled Resource Consumption vulnerability in the ARP daemon (arpd) and Network Discovery Protocol (ndp) process of Juniper Networks Junos OS Evolved allows a malicious attacker on the local network to consume memory resources, ultimately resulting in a Denial of Service (DoS) condition. Link-layer functions such as IPv4 and/or IPv6 address resolution may be impacted, leading to traffic loss. The processes do not recover on their own and must be manually restarted. Changes in memory usage can be monitored using the following shell commands (header shown for clarity): user@router:/var/log# ps aux \| grep arpd USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 31418 59.0 0.7 5702564 247952 ? xxx /usr/sbin/arpd –app-name arpd -I object_select –shared-objects-mode 3 user@router:/var/log# ps aux \| grep arpd USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 31418 49.1 1.0 5813156 351184 ? xxx /usr/sbin/arpd –app-name arpd -I object_select –shared-objects-mode 3 Memory usage can be monitored for the ndp process in a similar fashion: user@router:/var/log# ps aux \| grep ndp USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 14935 0.0 0.1 5614052 27256 ? Ssl Jun15 0:17 /usr/sbin/ndp -I no_tab_chk,object_select –app-name ndp –shared-obje user@router:/var/log# ps aux \| grep ndp USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 14935 0.0 0.1 5725164 27256 ? Ssl Jun15 0:17 /usr/sbin/ndp -I no_tab_chk,object_select –app-name ndp –shared-obje This issue affects Juniper Networks Junos OS Evolved: 19.4 versions prior to 19.4R2-S3-EVO; 20.1 versions prior to 20.1R2-S4-EVO; all versions of 20.2-EVO. This issue does not affect Juniper Networks Junos OS Evolved versions prior to 19.4R2-EVO.	2021-07-15	not yet calculated	CVE-2021-0292 CONFIRM
juniper_networks — sbr_carrier	A stack-based Buffer Overflow vulnerability in Juniper Networks SBR Carrier with EAP (Extensible Authentication Protocol) authentication configured, allows an attacker sending specific packets causing the radius daemon to crash resulting with a Denial of Service (DoS) or leading to remote code execution (RCE). By continuously sending this specific packets, an attacker can repeatedly crash the radius daemon, causing a sustained Denial of Service (DoS). This issue affects Juniper Networks SBR Carrier: 8.4.1 versions prior to 8.4.1R19; 8.5.0 versions prior to 8.5.0R10; 8.6.0 versions prior to 8.6.0R4.	2021-07-15	not yet calculated	CVE-2021-0276 CONFIRM
lenovo — multiple_products	Some Lenovo Notebook, ThinkPad, and Lenovo Desktop systems have BIOS modules unprotected by Intel Boot Guard that could allow an attacker with physical access the ability to write to the SPI flash storage.	2021-07-16	not yet calculated	CVE-2021-3453 MISC
lenovo — notebook	A vulnerability was reported on some Lenovo Notebook systems that could allow an attacker with physical access to elevate privileges under certain conditions during a BIOS update performed by Lenovo Vantage.	2021-07-16	not yet calculated	CVE-2021-3614 MISC
lenovo — pcmanager	A DLL search path vulnerability was reported in Lenovo PCManager, prior to version 3.0.500.5102, that could allow privilege escalation.	2021-07-16	not yet calculated	CVE-2021-3550 MISC
lexmark — printer_software_installation_packages	The Lexmark Printer Software G2, G3 and G4 Installation Packages have a local escalation of privilege vulnerability due to a registry entry that has an unquoted service path.	2021-07-14	not yet calculated	CVE-2021-35469 MISC MISC
libvips — libvips	Division-By-Zero vulnerability in Libvips 8.10.5 in the function vips_eye_point, eye.c#L83, and function vips_mask_point, mask.c#L85.	2021-07-15	not yet calculated	CVE-2021-27847 MISC
magicmotion — flamingo_2	The MagicMotion Flamingo 2 application for Android stores data on an sdcard under com.vt.magicmotion/files/Pictures, whence it can be read by other applications.	2021-07-15	not yet calculated	CVE-2020-12731 MISC
magicmotion — flamingo_2	MagicMotion Flamingo 2 has a lack of access control for reading from device descriptors.	2021-07-15	not yet calculated	CVE-2020-12729 MISC
magicmotion — flamingo_2	MagicMotion Flamingo 2 lacks BLE encryption, enabling data sniffing and packet forgery.	2021-07-15	not yet calculated	CVE-2020-12730 MISC
mendix — mendix	A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.22), Mendix Applications using Mendix 8 (All versions < V8.18.7), Mendix Applications using Mendix 9 (All versions < V9.3.0). Write access checks of attributes of an object could be bypassed, if user has a write permissions to the first attribute of this object.	2021-07-13	not yet calculated	CVE-2021-33718 CONFIRM
micronaut — micronaut	Micronaut is a JVM-based, full stack Java framework designed for building JVM applications. A path traversal vulnerability exists in versions prior to 2.5.9. With a basic configuration, it is possible to access any file from a filesystem, using “/../../” in the URL. This occurs because Micronaut does not restrict file access to configured paths. The vulnerability is patched in version 2.5.9. As a workaround, do not use `*` in mapping, use only ``, which exposes only flat structure of a directory not allowing traversal. If using Linux, another workaround is to run micronaut in chroot.	2021-07-16	not yet calculated	CVE-2021-32769 CONFIRM MISC
microsoft — defender	Microsoft Defender Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34464.	2021-07-14	not yet calculated	CVE-2021-34522 MISC
microsoft — directwrite	DirectWrite Remote Code Execution Vulnerability	2021-07-14	not yet calculated	CVE-2021-34489 MISC
microsoft — dynamics	Dynamics Business Central Remote Code Execution Vulnerability	2021-07-14	not yet calculated	CVE-2021-34474 MISC
microsoft — excel	Microsoft Excel Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34518.	2021-07-14	not yet calculated	CVE-2021-34501 MISC
microsoft — excel	Microsoft Excel Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34501.	2021-07-14	not yet calculated	CVE-2021-34518 MISC
microsoft — exchange	Microsoft Exchange Server Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33768, CVE-2021-34523.	2021-07-14	not yet calculated	CVE-2021-34470 MISC
microsoft — exchange	Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.	2021-07-14	not yet calculated	CVE-2021-34473 MISC
microsoft — exhange	Microsoft Exchange Server Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33768, CVE-2021-34470.	2021-07-14	not yet calculated	CVE-2021-34523 MISC
microsoft — office	Microsoft Office Security Feature Bypass Vulnerability	2021-07-14	not yet calculated	CVE-2021-34469 MISC
microsoft — office	Microsoft Office Online Server Spoofing Vulnerability	2021-07-16	not yet calculated	CVE-2021-34451 MISC
microsoft — sharepoint	Microsoft SharePoint Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34467, CVE-2021-34468.	2021-07-14	not yet calculated	CVE-2021-34520 MISC
microsoft — sharepoint	Microsoft SharePoint Server Information Disclosure Vulnerability	2021-07-14	not yet calculated	CVE-2021-34519 MISC
microsoft — sharepoint	Microsoft SharePoint Server Spoofing Vulnerability	2021-07-14	not yet calculated	CVE-2021-34517 MISC
microsoft — sharepoint	Microsoft SharePoint Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34467, CVE-2021-34520.	2021-07-14	not yet calculated	CVE-2021-34468 MISC
microsoft — sharepoint	Microsoft SharePoint Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34468, CVE-2021-34520.	2021-07-16	not yet calculated	CVE-2021-34467 MISC
microsoft — thinkpad	A potential vulnerability in the system shutdown SMI callback function in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.	2021-07-16	not yet calculated	CVE-2021-3452 MISC
microsoft — visual_studio	Visual Studio Code .NET Runtime Elevation of Privilege Vulnerability	2021-07-14	not yet calculated	CVE-2021-34477 MISC
microsoft — visual_studio	Microsoft Visual Studio Spoofing Vulnerability	2021-07-14	not yet calculated	CVE-2021-34479 MISC
microsoft — visual_studio	Visual Studio Code Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34528.	2021-07-14	not yet calculated	CVE-2021-34529 MISC
microsoft — visual_studio	Visual Studio Code Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34529.	2021-07-14	not yet calculated	CVE-2021-34528 MISC
microsoft — win32k	Win32k Information Disclosure Vulnerability	2021-07-14	not yet calculated	CVE-2021-34491 MISC
microsoft — win32k	Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-34516.	2021-07-16	not yet calculated	CVE-2021-34449 MISC
microsoft — win32k	Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-34449.	2021-07-14	not yet calculated	CVE-2021-34516 MISC
microsoft — windows	Windows Remote Access Connection Manager Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-33763, CVE-2021-34457.	2021-07-16	not yet calculated	CVE-2021-34454 MISC
microsoft — windows	Windows Remote Access Connection Manager Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-33763, CVE-2021-34454.	2021-07-16	not yet calculated	CVE-2021-34457 MISC
microsoft — windows	Windows MSHTML Platform Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34497.	2021-07-16	not yet calculated	CVE-2021-34447 MISC
microsoft — windows	Scripting Engine Memory Corruption Vulnerability	2021-07-16	not yet calculated	CVE-2021-34448 MISC
microsoft — windows	Windows DNS Server Denial of Service Vulnerability This CVE ID is unique from CVE-2021-33745, CVE-2021-34442, CVE-2021-34499.	2021-07-16	not yet calculated	CVE-2021-34444 MISC
microsoft — windows	Windows GDI Information Disclosure Vulnerability	2021-07-14	not yet calculated	CVE-2021-34496 MISC
microsoft — windows	Windows Certificate Spoofing Vulnerability	2021-07-14	not yet calculated	CVE-2021-34492 MISC
microsoft — windows	Windows Kernel Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34508.	2021-07-16	not yet calculated	CVE-2021-34458 MISC
microsoft — windows	Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability	2021-07-16	not yet calculated	CVE-2021-34461 MISC
microsoft — windows	Microsoft Windows Media Foundation Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34439, CVE-2021-34503.	2021-07-16	not yet calculated	CVE-2021-34441 MISC
microsoft — windows	Microsoft Windows Media Foundation Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34441, CVE-2021-34503.	2021-07-16	not yet calculated	CVE-2021-34439 MISC
microsoft — windows	Storage Spaces Controller Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33751, CVE-2021-34510, CVE-2021-34512, CVE-2021-34513.	2021-07-16	not yet calculated	CVE-2021-34460 MISC
microsoft — windows	GDI+ Information Disclosure Vulnerability	2021-07-16	not yet calculated	CVE-2021-34440 MISC
microsoft — windows	Windows HTML Platforms Security Feature Bypass Vulnerability	2021-07-16	not yet calculated	CVE-2021-34446 MISC
microsoft — windows	Windows File History Service Elevation of Privilege Vulnerability	2021-07-16	not yet calculated	CVE-2021-34455 MISC
microsoft — windows	Windows Remote Access Connection Manager Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33761, CVE-2021-33773, CVE-2021-34445.	2021-07-16	not yet calculated	CVE-2021-34456 MISC
microsoft — windows	Windows DNS Server Denial of Service Vulnerability This CVE ID is unique from CVE-2021-33745, CVE-2021-34444, CVE-2021-34499.	2021-07-16	not yet calculated	CVE-2021-34442 MISC
microsoft — windows	Microsoft Defender Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34522.	2021-07-16	not yet calculated	CVE-2021-34464 MISC
microsoft — windows	Windows Print Spooler Elevation of Privilege Vulnerability	2021-07-16	not yet calculated	CVE-2021-34481 MISC
microsoft — windows	Windows AppX Deployment Extensions Elevation of Privilege Vulnerability	2021-07-16	not yet calculated	CVE-2021-34462 MISC
microsoft — windows	Windows TCP/IP Driver Denial of Service Vulnerability This CVE ID is unique from CVE-2021-31183, CVE-2021-33772.	2021-07-14	not yet calculated	CVE-2021-34490 MISC
microsoft — windows	Windows Console Driver Elevation of Privilege Vulnerability	2021-07-14	not yet calculated	CVE-2021-34488 MISC
microsoft — windows	Windows Partition Management Driver Elevation of Privilege Vulnerability	2021-07-14	not yet calculated	CVE-2021-34493 MISC
microsoft — windows	Bowser.sys Denial of Service Vulnerability	2021-07-14	not yet calculated	CVE-2021-34476 MISC
microsoft — windows	Windows AppContainer Elevation Of Privilege Vulnerability	2021-07-16	not yet calculated	CVE-2021-34459 MISC
microsoft — windows	Windows Hello Security Feature Bypass Vulnerability	2021-07-16	not yet calculated	CVE-2021-34466 MISC
microsoft — windows	Windows Font Driver Host Remote Code Execution Vulnerability	2021-07-16	not yet calculated	CVE-2021-34438 MISC
microsoft — windows	Windows Remote Access Connection Manager Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33761, CVE-2021-33773, CVE-2021-34456.	2021-07-16	not yet calculated	CVE-2021-34445 MISC
microsoft — windows	Windows DNS Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-33746, CVE-2021-33754, CVE-2021-33780, CVE-2021-34525.	2021-07-14	not yet calculated	CVE-2021-34494 MISC
microsoft — windows	Storage Spaces Controller Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33751, CVE-2021-34460, CVE-2021-34510, CVE-2021-34513.	2021-07-14	not yet calculated	CVE-2021-34512 MISC
microsoft — windows	Windows GDI Elevation of Privilege Vulnerability	2021-07-14	not yet calculated	CVE-2021-34498 MISC
microsoft — windows	Windows Hyper-V Remote Code Execution Vulnerability	2021-07-16	not yet calculated	CVE-2021-34450 MISC
microsoft — windows	Windows MSHTML Platform Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34447.	2021-07-14	not yet calculated	CVE-2021-34497 MISC
microsoft — windows	Windows Kernel Memory Information Disclosure Vulnerability	2021-07-14	not yet calculated	CVE-2021-34500 MISC
microsoft — windows	Storage Spaces Controller Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33751, CVE-2021-34460, CVE-2021-34510, CVE-2021-34512.	2021-07-14	not yet calculated	CVE-2021-34513 MISC
microsoft — windows	Windows DNS Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-33746, CVE-2021-33754, CVE-2021-33780, CVE-2021-34494.	2021-07-14	not yet calculated	CVE-2021-34525 MISC
microsoft — windows	Raw Image Extension Remote Code Execution Vulnerability	2021-07-14	not yet calculated	CVE-2021-34521 MISC
microsoft — windows	Windows DNS Server Denial of Service Vulnerability This CVE ID is unique from CVE-2021-33745, CVE-2021-34442, CVE-2021-34444.	2021-07-14	not yet calculated	CVE-2021-34499 MISC
microsoft — windows	Windows Address Book Remote Code Execution Vulnerability	2021-07-14	not yet calculated	CVE-2021-34504 MISC
microsoft — windows	Windows Remote Assistance Information Disclosure Vulnerability	2021-07-14	not yet calculated	CVE-2021-34507 MISC
microsoft — windows	Windows Kernel Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34458.	2021-07-14	not yet calculated	CVE-2021-34508 MISC
microsoft — windows	Storage Spaces Controller Information Disclosure Vulnerability	2021-07-14	not yet calculated	CVE-2021-34509 MISC
microsoft — windows	Storage Spaces Controller Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33751, CVE-2021-34460, CVE-2021-34512, CVE-2021-34513.	2021-07-14	not yet calculated	CVE-2021-34510 MISC
microsoft — windows	Windows Installer Elevation of Privilege Vulnerability	2021-07-14	not yet calculated	CVE-2021-34511 MISC
microsoft — windows	Windows Kernel Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-31979, CVE-2021-33771.	2021-07-14	not yet calculated	CVE-2021-34514 MISC
microsoft — windows	Microsoft Windows Media Foundation Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34439, CVE-2021-34441.	2021-07-14	not yet calculated	CVE-2021-34503 MISC
microsoft — windows_server	Windows LSA Denial of Service Vulnerability	2021-07-14	not yet calculated	CVE-2021-33788 MISC
microsoft — windows_server	Windows LSA Security Feature Bypass Vulnerability	2021-07-14	not yet calculated	CVE-2021-33786 MISC
microsoft — word	Microsoft Word Remote Code Execution Vulnerability	2021-07-16	not yet calculated	CVE-2021-34452 MISC
miktorik — routeros	Mikrotik RouterOs through stable version 6.48.3 suffers from a memory corruption vulnerability in the /nova/bin/detnet process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).	2021-07-14	not yet calculated	CVE-2020-20231 MISC MISC
mitsubishi — electric_air_conditioning_system	Incorrect Implementation of Authentication Algorithm in Mitsubishi Electric Air Conditioning System/Centralized Controllers (G-50A Ver.2.50 to Ver. 3.35, GB-50A Ver.2.50 to Ver. 3.35, AG-150A-A Ver.3.20 and prior, AG-150A-J Ver.3.20 and prior, GB-50ADA-A Ver.3.20 and prior, GB-50ADA-J Ver.3.20 and prior, EB-50GU-A Ver 7.09 and prior, EB-50GU-J Ver 7.09 and prior, AE-200A Ver 7.93 and prior, AE-200E Ver 7.93 and prior, AE-50A Ver 7.93 and prior, AE-50E Ver 7.93 and prior, EW-50A Ver 7.93 and prior, EW-50E Ver 7.93 and prior, TE-200A Ver 7.93 and prior, TE-50A Ver 7.93 and prior, TW-50A Ver 7.93 and prior, CMS-RMD-J Ver.1.30 and prior) and Air Conditioning System/Expansion Controllers (PAC-YG50ECA Ver.2.20 and prior) allows a remote authenticated attacker to impersonate administrators to disclose configuration information of the air conditioning system and tamper information (e.g. operation information and configuration of air conditioning system) by exploiting this vulnerability.	2021-07-13	not yet calculated	CVE-2021-20593 MISC MISC
mitsubishi — electric_air_conditioning_system	Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning System/Centralized Controllers (G-50A Ver.3.35 and prior, GB-50A Ver.3.35 and prior, GB-24A Ver.9.11 and prior, AG-150A-A Ver.3.20 and prior, AG-150A-J Ver.3.20 and prior, GB-50ADA-A Ver.3.20 and prior, GB-50ADA-J Ver.3.20 and prior, EB-50GU-A Ver 7.09 and prior, EB-50GU-J Ver 7.09 and prior, AE-200A Ver 7.93 and prior, AE-200E Ver 7.93 and prior, AE-50A Ver 7.93 and prior, AE-50E Ver 7.93 and prior, EW-50A Ver 7.93 and prior, EW-50E Ver 7.93 and prior, TE-200A Ver 7.93 and prior, TE-50A Ver 7.93 and prior, TW-50A Ver 7.93 and prior, CMS-RMD-J Ver.1.30 and prior), Air Conditioning System/Expansion Controllers (PAC-YG50ECA Ver.2.20 and prior) and Air Conditioning System/BM adapter(BAC-HD150 Ver.2.21 and prior) allows a remote unauthenticated attacker to disclose some of data in the air conditioning system or cause a DoS condition by sending specially crafted packets.	2021-07-13	not yet calculated	CVE-2021-20595 MISC MISC
nightscout — web_monitor	Nightscout Web Monitor (aka cgm-remote-monitor) 14.2.2 allows XSS via a crafted X-Forwarded-For header.	2021-07-16	not yet calculated	CVE-2021-36755 MISC
ok-file-formats — ok-file-formats	A heap-based buffer overflow vulnerability in the function ok_jpg_decode_block_progressive() at ok_jpg.c:1054 of ok-file-formats through 2020-06-26 allows attackers to cause a Denial of Service (DOS) via a crafted jpeg file.	2021-07-15	not yet calculated	CVE-2020-23707 MISC
ok-file-formats — ok-file-formats	A heap-based buffer overflow vulnerability in the function ok_jpg_decode_block_subsequent_scan() ok_jpg.c:1102 of ok-file-formats through 2020-06-26 allows attackers to cause a Denial of Service (DOS) via a crafted jpeg file.	2021-07-15	not yet calculated	CVE-2020-23706 MISC
palo_alto_networks — cortex_xdr	A local privilege escalation (PE) vulnerability exists in the Palo Alto Networks Cortex XDR agent on Windows platforms that enables an authenticated local Windows user to execute programs with SYSTEM privileges. Exploiting this vulnerability requires the user to have file creation privilege in the Windows root directory (such as C:). This issue impacts: All versions of Cortex XDR agent 6.1 without content update 181 or a later version; All versions of Cortex XDR agent 7.2 without content update 181 or a later version; All versions of Cortex XDR agent 7.3 without content update 181 or a later version. Cortex XDR agent 5.0 versions are not impacted by this issue. Content updates are required to resolve this issue and are automatically applied for the agent.	2021-07-15	not yet calculated	CVE-2021-3042 MISC
polipo — polipo	UNSUPPORTED WHEN ASSIGNED Polipo through 1.1.1 allows denial of service via a reachable assertion during parsing of a malformed Range header. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.	2021-07-15	not yet calculated	CVE-2020-36420 MISC MISC MISC
prisma — cloud_compute	A reflected cross-site scripting (XSS) vulnerability exists in the Prisma Cloud Compute web console that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console while an authenticated administrator is using that web interface. Prisma Cloud Compute SaaS versions were automatically upgraded to the fixed release. No additional action is required for these instances. This issue impacts: Prisma Cloud Compute 20.12 versions earlier than Prisma Cloud Compute 20.12.552; Prisma Cloud Compute 21.04 versions earlier than Prisma Cloud Compute 21.04.439.	2021-07-15	not yet calculated	CVE-2021-3043 MISC
radarorg — radare2-extras	A heap buffer overflow vulnerability in the r_asm_swf_disass function of Radare2-extras before commit e74a93c allows attackers to execute arbitrary code or carry out denial of service (DOS) attacks.	2021-07-14	not yet calculated	CVE-2020-24133 MISC MISC MISC
rancher — rancher	A Improper Access Control vulnerability in Rancher, allows users in the cluster to make request to cloud providers by creating requests with the cloud-credential ID. Rancher in this case would attach the requested credentials without further checks This issue affects: Rancher versions prior to 2.5.9; Rancher versions prior to 2.4.16.	2021-07-15	not yet calculated	CVE-2021-25320 CONFIRM
rancher — rancher	A Incorrect Permission Assignment for Critical Resource vulnerability in Rancher allows users in the cluster to modify resources they should not have access to. This issue affects: Rancher versions prior to 2.5.9 ; Rancher versions prior to 2.4.16.	2021-07-15	not yet calculated	CVE-2021-25318 CONFIRM
rancher — rancher	A Reliance on Untrusted Inputs in a Security Decision vulnerability in Rancher allows users in the cluster to act as others users in the cluster by forging the “Impersonate-User” or “Impersonate-Group” headers. This issue affects: Rancher versions prior to 2.5.9. Rancher versions prior to 2.4.16.	2021-07-15	not yet calculated	CVE-2021-31999 CONFIRM
raonwiz — editor	An issue in RAONWIZ K Editor v2018.0.0.10 allows attackers to perform a DLL hijacking attack when the service or system is restarted.	2021-07-14	not yet calculated	CVE-2020-29157 MISC MISC
ruby — ruby	An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).	2021-07-13	not yet calculated	CVE-2021-31810 MISC MISC
rust — sgx	In Rust SGX 1.1.3, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.	2021-07-14	not yet calculated	CVE-2021-24117 MISC MISC MISC
rwg1.m12 — rwg1.m12	A vulnerability has been identified in RWG1.M12 (All versions < V1.16.16), RWG1.M12D (All versions < V1.16.16), RWG1.M8 (All versions < V1.16.16). Sending specially crafted ARP packets to an affected device could cause a partial denial-of-service, preventing the device to operate normally. A restart is needed to restore normal operations.	2021-07-13	not yet calculated	CVE-2021-25671 CONFIRM
sap — netweaver	SAP NetWeaver AS ABAP and ABAP Platform, versions – KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.77, 7.81, 7.84, allows an attacker to send overlong content in the RFC request type thereby crashing the corresponding work process because of memory corruption vulnerability. The work process will attempt to restart itself after the crash and hence the impact on the availability is low.	2021-07-14	not yet calculated	CVE-2021-33684 MISC MISC
sap — web_dispatcher_and_internet_communication_manager	SAP Web Dispatcher and Internet Communication Manager (ICM), versions – KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.73, WEBDISP 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, KERNEL 7.21, 7.22, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, process invalid HTTP header. The incorrect handling of the invalid Transfer-Encoding header in a particular manner leads to a possibility of HTTP Request Smuggling attack. An attacker could exploit this vulnerability to bypass web application firewall protection, divert sensitive data such as customer requests, session credentials, etc.	2021-07-14	not yet calculated	CVE-2021-33683 MISC MISC
sharkdp — bat	sharkdp BAT before 0.18.2 executes less.exe from the current working directory.	2021-07-15	not yet calculated	CVE-2021-36753 MISC MISC MISC MISC
siemens — multiple_products	A vulnerability has been identified in Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller (All versions), Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 (All versions), Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P (All versions), RUGGEDCOM RM1224 (All Versions < 6.4), SCALANCE M-800 (All Versions < 6.4), SCALANCE S615 (All Versions < 6.4), SCALANCE W1700 IEEE 802.11ac (All versions), SCALANCE W700 IEEE 802.11n (All versions), SCALANCE X200-4 P IRT (All Versions < V5.5.0), SCALANCE X201-3P IRT (All Versions < V5.5.0), SCALANCE X201-3P IRT PRO (All Versions < V5.5.0), SCALANCE X202-2 IRT (All Versions < V5.5.0), SCALANCE X202-2P IRT (incl. SIPLUS NET variant) (All Versions < V5.5.0), SCALANCE X202-2P IRT PRO (All Versions < V5.5.0), SCALANCE X204 IRT (All Versions < V5.5.0), SCALANCE X204 IRT PRO (All Versions < V5.5.0), SCALANCE X204-2 (incl. SIPLUS NET variant) (All versions), SCALANCE X204-2FM (All versions), SCALANCE X204-2LD (incl. SIPLUS NET variant) (All versions), SCALANCE X204-2LD TS (All versions), SCALANCE X204-2TS (All versions), SCALANCE X206-1 (All versions), SCALANCE X206-1LD (incl. SIPLUS NET variant) (All versions), SCALANCE X208 (incl. SIPLUS NET variant) (All versions), SCALANCE X208PRO (All versions), SCALANCE X212-2 (All versions), SCALANCE X212-2LD (All versions), SCALANCE X216 (All versions), SCALANCE X224 (All versions), SCALANCE X302-7EEC (All versions), SCALANCE X304-2FE (All versions), SCALANCE X306-1LDFE (All versions), SCALANCE X307-2EEC (All versions), SCALANCE X307-3 (All versions), SCALANCE X307-3LD (All versions), SCALANCE X308-2 (incl. SIPLUS NET variant) (All versions), SCALANCE X308-2LD (All versions), SCALANCE X308-2LH (All versions), SCALANCE X308-2LH+ (All versions), SCALANCE X308-2M (All versions), SCALANCE X308-2M POE (All versions), SCALANCE X308-2M TS (All versions), SCALANCE X310 (All versions), SCALANCE X310FE (All versions), SCALANCE X320-1FE (All versions), SCALANCE X320-3LDFE (All versions), SCALANCE XB-200 (All versions), SCALANCE XC-200 (All versions), SCALANCE XF-200BA (All versions), SCALANCE XF201-3P IRT (All Versions < V5.5.0), SCALANCE XF202-2P IRT (All Versions < V5.5.0), SCALANCE XF204 (All versions), SCALANCE XF204 IRT (All Versions < V5.5.0), SCALANCE XF204-2 (incl. SIPLUS NET variant) (All versions), SCALANCE XF204-2BA IRT (All Versions < V5.5.0), SCALANCE XF206-1 (All versions), SCALANCE XF208 (All versions), SCALANCE XM400 (All versions < V6.3.1), SCALANCE XP-200 (All versions), SCALANCE XR-300WG (All versions), SCALANCE XR324-12M (All versions), SCALANCE XR324-12M TS (All versions), SCALANCE XR324-4M EEC (All versions), SCALANCE XR324-4M POE (All versions), SCALANCE XR324-4M POE TS (All versions), SCALANCE XR500 (All versions < V6.3.1), SIMATIC CFU PA (All versions), SIMATIC IE/PB-LINK V3 (All versions), SIMATIC MV500 family (All versions < V3.0), SIMATIC NET CM 1542-1 (All versions), SIMATIC NET CP1616/CP1604 (All Versions >= V2.7), SIMATIC NET CP1626 (All versions), SIMATIC NET DK-16xx PN IO (All Versions >= V2.7), SIMATIC PROFINET Driver (All versions), SIMATIC Power Line Booster PLB, Base Module (MLFB: 6ES7972-5AA10-0AB0) (All versions), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All Versions < V4.5), SIMOCODE proV Ethernet/IP (All versions < V1.1.3), SIMOCODE proV PROFINET (All versions < V2.1.3), SOFTNET-IE PNIO (All versions). Affected devices contain a vulnerability that allows an unauthenticated attacker to trigger a denial-of-service condition. The vulnerability can be triggered if a large amount of DCP reset packets are sent to the device.	2021-07-13	not yet calculated	CVE-2020-28400 CONFIRM
siemens — sinumerik	A vulnerability has been identified in SINUMERIK Analyse MyCondition (All versions), SINUMERIK Analyze MyPerformance (All versions), SINUMERIK Analyze MyPerformance /OEE-Monitor (All versions), SINUMERIK Analyze MyPerformance /OEE-Tuning (All versions), SINUMERIK Integrate Client 02 (All versions >= V02.00.12 < 02.00.18), SINUMERIK Integrate Client 03 (All versions >= V03.00.12 < 03.00.18), SINUMERIK Integrate Client 04 (V04.00.02 and all versions >= V04.00.15 < 04.00.18), SINUMERIK Integrate for Production 4.1 (All versions < V4.1 SP10 HF3), SINUMERIK Integrate for Production 5.1 (V5.1), SINUMERIK Manage MyMachines (All versions), SINUMERIK Manage MyMachines /Remote (All versions), SINUMERIK Manage MyMachines /Spindel Monitor (All versions), SINUMERIK Manage MyPrograms (All versions), SINUMERIK Manage MyResources /Programs (All versions), SINUMERIK Manage MyResources /Tools (All versions), SINUMERIK Manage MyTools (All versions), SINUMERIK Operate V4.8 (All versions < V4.8 SP8), SINUMERIK Operate V4.93 (All versions < V4.93 HF7), SINUMERIK Operate V4.94 (All versions < V4.94 HF5), SINUMERIK Optimize MyProgramming /NX-Cam Editor (All versions). Due to an error in a third-party dependency the ssl flags used for setting up a TLS connection to a server are overwitten with wrong settings. This results in a missing validation of the server certificate and thus in a possible TLS MITM szenario.	2021-07-13	not yet calculated	CVE-2021-31892 CONFIRM
siemens — simatic_pcs	A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier (All versions), SIMATIC PCS 7 V9.X (All versions), SIMATIC PDM (All versions), SIMATIC STEP 7 V5.X (All versions < V5.7), SINAMICS STARTER (containing STEP 7 OEM version) (All versions). A directory containing metafiles relevant to devices’ configurations has write permissions. An attacker could leverage this vulnerability by changing the content of certain metafiles and subsequently manipulate parameters or behavior of devices that would be later configured by the affected software.	2021-07-13	not yet calculated	CVE-2021-31894 CONFIRM
siemens — simatic_pcs	A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier (All versions), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP3), SIMATIC PDM (All versions < V9.2), SIMATIC STEP 7 V5.X (All versions < V5.6 SP2 HF3), SINAMICS STARTER (containing STEP 7 OEM version) (All versions < V5.4 HF2). The affected software contains a buffer overflow vulnerability while handling certain files that could allow a local attacker to trigger a denial-of-service condition or potentially lead to remote code execution.	2021-07-13	not yet calculated	CVE-2021-31893 CONFIRM
siemens — multiple_ruggedcomros_products	A vulnerability has been identified in RUGGEDCOM ROS M2100 (All versions < V4.3.7), RUGGEDCOM ROS M2200 (All versions < V4.3.7), RUGGEDCOM ROS M969 (All versions < V4.3.7), RUGGEDCOM ROS RMC (All versions < V4.3.7), RUGGEDCOM ROS RMC20 (All versions < V4.3.7), RUGGEDCOM ROS RMC30 (All versions < V4.3.7), RUGGEDCOM ROS RMC40 (All versions < V4.3.7), RUGGEDCOM ROS RMC41 (All versions < V4.3.7), RUGGEDCOM ROS RMC8388 V4.X (All versions < V4.3.7), RUGGEDCOM ROS RMC8388 V5.X (All versions < V5.5.4), RUGGEDCOM ROS RP110 (All versions < V4.3.7), RUGGEDCOM ROS RS400 (All versions < V4.3.7), RUGGEDCOM ROS RS401 (All versions < V4.3.7), RUGGEDCOM ROS RS416 (All versions < V4.3.7), RUGGEDCOM ROS RS416v2 V4.X (All versions < V4.3.7), RUGGEDCOM ROS RS416v2 V5.X (All versions < 5.5.4), RUGGEDCOM ROS RS8000 (All versions < V4.3.7), RUGGEDCOM ROS RS8000A (All versions < V4.3.7), RUGGEDCOM ROS RS8000H (All versions < V4.3.7), RUGGEDCOM ROS RS8000T (All versions < V4.3.7), RUGGEDCOM ROS RS900 (32M) V4.X (All versions < V4.3.7), RUGGEDCOM ROS RS900 (32M) V5.X (All versions < V5.5.4), RUGGEDCOM ROS RS900G (All versions < V4.3.7), RUGGEDCOM ROS RS900G (32M) V4.X (All versions < V4.3.7), RUGGEDCOM ROS RS900G (32M) V5.X (All versions < V5.5.4), RUGGEDCOM ROS RS900GP (All versions < V4.3.7), RUGGEDCOM ROS RS900L (All versions < V4.3.7), RUGGEDCOM ROS RS900W (All versions < V4.3.7), RUGGEDCOM ROS RS910 (All versions < V4.3.7), RUGGEDCOM ROS RS910L (All versions < V4.3.7), RUGGEDCOM ROS RS910W (All versions < V4.3.7), RUGGEDCOM ROS RS920L (All versions < V4.3.7), RUGGEDCOM ROS RS920W (All versions < V4.3.7), RUGGEDCOM ROS RS930L (All versions < V4.3.7), RUGGEDCOM ROS RS930W (All versions < V4.3.7), RUGGEDCOM ROS RS940G (All versions < V4.3.7), RUGGEDCOM ROS RS969 (All versions < V4.3.7), RUGGEDCOM ROS RSG2100 (32M) V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG2100 (32M) V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSG2100 V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG2100P (All versions < V4.3.7), RUGGEDCOM ROS RSG2100P (32M) V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG2100P (32M) V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSG2200 (All versions < V4.3.7), RUGGEDCOM ROS RSG2288 V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG2288 V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSG2300 V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG2300 V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSG2300P V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG2300P V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSG2488 V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG2488 V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSG900 V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG900 V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSG900C (All versions < V5.5.4), RUGGEDCOM ROS RSG900G V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG900G V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSG900R (All versions < V5.5.4), RUGGEDCOM ROS RSG920P V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG920P V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSL910 (All versions < V5.5.4), RUGGEDCOM ROS RST2228 (All versions < V5.5.4), RUGGEDCOM ROS RST916C (All versions < V5.5.4), RUGGEDCOM ROS RST916P (All versions < V5.5.4), RUGGEDCOM ROS i800 (All versions < V4.3.7), RUGGEDCOM ROS i801 (All versions < V4.3.7), RUGGEDCOM ROS i802 (All versions < V4.3.7), RUGGEDCOM ROS i803 (All versions < V4.3.7). The DHCP client in affected devices fails to properly sanitize incoming DHCP packets. This could allow an unauthenticated remote attacker to cause memory to be overwritten, potentially allowing remote code execution.	2021-07-13	not yet calculated	CVE-2021-31895 CONFIRM
solarwinds — serv-u	Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.	2021-07-14	not yet calculated	CVE-2021-35211 MISC MISC
teamcenter — active_workspace	A vulnerability has been identified in Teamcenter Active Workspace V4 (All versions < V4.3.9), Teamcenter Active Workspace V5.0 (All versions < V5.0.7), Teamcenter Active Workspace V5.1 (All versions < V5.1.4). By sending malformed requests, a remote attacker could leak an application token due to an error not properly handled by the system.	2021-07-13	not yet calculated	CVE-2021-33709 CONFIRM
teamcenter — active_workspace	A vulnerability has been identified in Teamcenter Active Workspace V4 (All versions < V4.3.9), Teamcenter Active Workspace V5.0 (All versions < V5.0.7), Teamcenter Active Workspace V5.1 (All versions < V5.1.4). A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the affected devices that could allow an attacker to execute malicious JavaScript code by tricking users into accessing a malicious link.	2021-07-13	not yet calculated	CVE-2021-33710 CONFIRM
teamcenter — active_workspace	A vulnerability has been identified in Teamcenter Active Workspace V4 (All versions < V4.3.9), Teamcenter Active Workspace V5.0 (All versions < V5.0.7), Teamcenter Active Workspace V5.1 (All versions < V5.1.4). The affected application allows verbose error messages which allow leaking of sensitive information, such as full paths.	2021-07-13	not yet calculated	CVE-2021-33711 CONFIRM
telegram — telegram	A reordering issue exists in Telegram before 7.8.1 for Android, Telegram before 7.8.3 for iOS, and Telegram Desktop before 2.8.8. An attacker can cause the server to receive messages in a different order than they were sent a client.	2021-07-17	not yet calculated	CVE-2021-36769 MISC
thinkcmf — thinkcmf	Cross Site Request Forgerly (CSRF) vulnerability in ThinkCMF v5.1.0, which can add an admin account.	2021-07-14	not yet calculated	CVE-2020-18151 MISC
trusted_firmware_mbed — tls	In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.	2021-07-14	not yet calculated	CVE-2021-24119 MISC MISC
unisys — stealth	Unisys Stealth 5.1 before 5.1.025.0 and 6.0 before 6.0.055.0 has an unquoted Windows search path for a scheduled task. An unintended executable might run.	2021-07-15	not yet calculated	CVE-2021-35056 MISC CONFIRM
uri.js — uri.js	URI.js is vulnerable to URL Redirection to Untrusted Site	2021-07-16	not yet calculated	CVE-2021-3647 MISC CONFIRM
varnish — cache	Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.	2021-07-14	not yet calculated	CVE-2021-36740 MISC MISC MISC MISC
wolfssl — wolfssl	In wolfSSL through 4.6.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.	2021-07-14	not yet calculated	CVE-2021-24116 MISC CONFIRM
wuwire — wuwire	MuWire is a file publishing and networking tool that protects the identity of its users by using I2P technology. Users of MuWire desktop client prior to version 0.8.8 can be de-anonymized by an attacker who knows their full ID. An attacker could send a message with a subject line containing a URL with an HTML image tag and the MuWire client would try to fetch that image via clearnet, thus exposing the IP address of the user. The problem is fixed in MuWire 0.8.8. As a workaround, users can disable messaging functionality to prevent other users from sending them malicious messages.	2021-07-15	not yet calculated	CVE-2021-32750 CONFIRM
ysoft — safeq	Incorrect privileges in the MU55 FlexiSpooler service in YSoft SafeQ 6 6.0.55 allows local user privilege escalation by overwriting the executable file via an alternative data stream.	2021-07-14	not yet calculated	CVE-2021-31859 MISC MISC
zoho_manageengine — admanager_plus	Zoho ManageEngine ADManager Plus before 7110 allows remote code execution.	2021-07-17	not yet calculated	CVE-2021-33911 MISC
zoho_manageengine — admanager_plus	Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS.	2021-07-17	not yet calculated	CVE-2021-36771 MISC
zoho_manageengine — admanager_plus	Zoho ManageEngine ADManager Plus before 7110 allows stored XSS.	2021-07-17	not yet calculated	CVE-2021-36772 MISC
zscaler — client_connector	The Zscaler Client Connector for Windows prior to 2.1.2.74 had a stack based buffer overflow when connecting to misconfigured TLS servers. An adversary would potentially have been able to execute arbitrary code with system privileges.	2021-07-15	not yet calculated	CVE-2020-11633 MISC
zscaler — client_connector	The Zscaler Client Connector prior to 2.1.2.150 did not quote the search path for services, which allows a local adversary to execute code with system privileges.	2021-07-15	not yet calculated	CVE-2020-11632 MISC
zscaler — client_connector	The Zscaler Client Connector for Windows prior to 2.1.2.105 had a DLL hijacking vulnerability caused due to the configuration of OpenSSL. A local adversary may be able to execute arbitrary code in the SYSTEM context.	2021-07-15	not yet calculated	CVE-2020-11634 MISC

This product is provided subject to this Notification and this Privacy & Use policy.

alerts

U.S. Government Releases Indictment and Several Advisories Detailing Chinese Cyber Threat Activity

Post author By admin
Post date July 19, 2021

Original release date: July 19, 2021

CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have observed increasingly sophisticated Chinese state-sponsored activity targeting U.S. political, economic, military, educational, and critical infrastructure personnel and organizations. In response:

The White House has released a statement attributing recent Microsoft Exchange server exploitation activity to the People’s Republic of China (PRC).
The Department of Justice has indicted four Chinese cyber actors from the advanced persistent threat (APT) group APT40 for malicious cyber activities, carried out on orders from PRC Ministry of State Security (MSS) Hainan State Security Department (HSSD). These activities resulted in the theft of trade secrets, intellectual property, and other high-value information from companies and organizations in the United States and abroad, as well as from multiple foreign governments.
CISA and FBI have released Joint Cybersecurity Advisory: TTPs of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department to help network defenders identify and remediate APT40 intrusions and established footholds.
CISA, NSA and FBI have released Joint Cybersecurity Advisory: Chinese Observed TTPs, which describes Chinese cyber threat behavior and trends and provides mitigations to help protect the Federal Government; state, local, tribal, and territorial governments; critical infrastructure, defense industrial base, and private industry organizations.
CISA, NSA and FBI have released CISA Insights: Chinese Cyber Threat Overview for Leaders to help leaders understand this threat and how to reduce their organization’s risk of falling victim to cyber espionage and data theft.

CISA also encourages users and administrators to review the blog post, Safeguarding Critical Infrastructure against Threats from the People’s Republic of China, by CISA Executive Assistant Director Eric Goldstein and the China Cyber Threat Overview and Advisories webpage.

This product is provided subject to this Notification and this Privacy & Use policy.

alerts

AA21-200A: Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department

Post author By admin
Post date July 19, 2021

Original release date: July 19, 2021

Summary

This Joint Cybersecurity Advisory was written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to provide information on a Chinese Advanced Persistent Threat (APT) group known in open-source reporting as APT40. This advisory provides APT40’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help cybersecurity practitioners identify and remediate APT40 intrusions and established footholds.

APT40—aka BRONZE MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, MUDCARP, Periscope, Temp.Periscope, and Temp.Jumper—is located in Haikou, Hainan Province, People’s Republic of China (PRC), and has been active since at least 2009. APT40 has targeted governmental organizations, companies, and universities in a wide range of industries—including biomedical, robotics, and maritime research—across the United States, Canada, Europe, the Middle East, and the South China Sea area, as well as industries included in China’s Belt and Road Initiative.

On July 19, 2021, the U.S. Department of Justice (DOJ) unsealed an indictment against four APT40 cyber actors for their illicit computer network exploitation (CNE) activities via front company Hainan Xiandun Technology Development Company (Hainan Xiandun). Hainan Xiandun employee Wu Shurong cooperated with and carried out orders from PRC Ministry of State Security (MSS) Hainan State Security Department (HSSD) intelligence officers Ding Xiaoyang, Zhu Yunmin, and Cheng Qingmin to conduct CNE. Wu’s CNE activities resulted in the theft of trade secrets, intellectual property, and other high-value information from companies and organizations in the United States and abroad, as well as from multiple foreign governments. These MSS-affiliated actors targeted victims in the following industries: academia, aerospace/aviation, biomedical, defense industrial base, education, government, healthcare, manufacturing, maritime, research institutes, and transportation (rail and shipping).

Click here for a PDF version of this report.

Technical Details

This Joint Cybersecurity Advisory uses the MITRE ATT&CK® framework, version 9. See the ATT&CK for Enterprise framework for all referenced threat actor tactics and techniques.

APT40 [G0065] has used a variety of tactics and techniques and a large library of custom and open-source malware—much of which is shared with multiple other suspected Chinese groups—to establish initial access via user and administrator credentials, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. Table 1 provides details on these tactics and techniques. Note: see the appendix for a list of the domains, file names, and malware MD5 hash values used to facilitate this activity.

Table 1: APT40 ATT&CK Tactics and Techniques

Tactics	Activities and Techniques
Reconnaissance [TA0043] and Resource Development [TA0042]	Gathered victim identity information [T1589] by collecting compromised credentials [T1589.001] Acquire infrastructure [T1583] to establish domains that impersonate legitimate entities [T1583.001], aka ‘typosquatting’, to use in watering hole attacks and as command and control (C2) [TA0011] infrastructure Establish new [T1585.002] and compromise existing [T1586.002] email and social media accounts [1585.001] to conduct social engineering attacks
Initial Access [TA0001]	External remote services (e.g., virtual private network [VPN] services) [T1133] Spearphishing emails with malicious attachments [T1566.001] and links [T1566.002] Drive-by compromises [T1189] and exploitation of public-facing applications [T1190] Access to valid [T1078], compromised administrative [T1078.001] accounts
Execution [TA0002]	Command and scripting interpreters [T1059] such as PowerShell [T1059.001] Exploitation of software vulnerabilities in client applications to execute code [T1203] using lure documents that dropped malware exploiting various Common Vulnerabilities and Exposures (CVEs) User execution [T1204] of malicious files [T1204.002] and links [T1566.002] attached to spearphishing emails [T1566.001]
Persistence [TA0003], Privilege Escalation [TA0004], Credential Access [TA0006], Discovery [TA0007], and Lateral Movement [TA0008]	APT40 has used a combination of tool frameworks and malware to establish persistence, escalate privileges, map, and move laterally on victim networks. Additionally, APT40 conducted internal spearphishing attacks [T1534]. BADFLICK/Greencrash China Chopper [S0020] Cobalt Strike [S0154] Derusbi/PHOTO [S0021] Gh0stRAT [S0032] GreenRAT jjdoor/Transporter jumpkick Murkytop (`mt.exe`) [S0233] NanHaiShu [S0228] Orz/AirBreak [S0229] PowerShell Empire [S0363] PowerSploit [S0194] Server software component: Web Shell [TA1505.003]
Defense Evasion [TA0005], Command and Control [TA0011], Collection [TA0009], and Exfiltration [TA0010]	Use of steganography [T1027.003] to hide stolen data inside other files stored on GitHub Protocol impersonation [T1001.003] by using Application Programming Interface (API) keys for Dropbox accounts in commands to upload stolen data to make it appear that the activity was a legitimate use of the Dropbox service Protocol tunneling [T1572] and multi-hop proxies [T1090.003], including the use of Tor [S0183] Use of domain typosquatting for C2 infrastructure [T1583.001] Archive [T1560], encrypt [T1532], and stage collected data locally [T1074.001] and remotely [T1074.002] for exfiltration Exfiltration over C2 channel [T1041]

Mitigations

Network Defense-in-Depth

Proper network defense-in-depth and adherence to information security best practices can assist in mitigating the threat and reducing the risk. The following guidance may assist organizations in developing network defense procedures.

Patch and Vulnerability Management

Install vendor-provided and verified patches on all systems for critical vulnerabilities, prioritizing timely patching of internet-connected servers and software processing internet data—such as web browsers, browser plugins, and document readers.
Ensure proper migrating steps or compensating controls are implemented for vulnerabilities that cannot be patched in a timely manner.
Maintain up-to-date antivirus signatures and engines.
Routinely audit configuration and patch management programs to ensure the ability to track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect resources and information systems.
Review the articles in the References section for more information on Chinese APT exploitation of common vulnerabilities.

Protect Credentials

Strengthen credential requirements, regularly change passwords, and implement multi-factor authentication to protect individual accounts, particularly for webmail and VPN access and for accounts that access critical systems. Do not reuse passwords for multiple accounts.
Audit all remote authentications from trusted networks or service providers.
Detect mismatches by correlating credentials used within internal networks with those employed on external-facing systems.
Log use of system administrator commands such as net, ipconfig, and ping.
Enforce principle of least privilege.

Network Hygiene and Monitoring

Actively scan and monitor internet-accessible applications for unauthorized access, modification, and anomalous activities.
Actively monitor server disk use and audit for significant changes.
Log Domain Name Service (DNS) queries and consider blocking all outbound DNS requests that do not originate from approved DNS servers. Monitor DNS queries for C2 over DNS.
Develop and monitor the network and system baselines to allow for the identification of anomalous activity. Audit logs for suspicious behavior.
Identify and suspend access of users exhibiting unusual activity.
Use allowlist or baseline comparison to monitor Windows event logs and network traffic to detect when a user maps a privileged administrative share on a Windows system.
Leverage multi-sourced threat-reputation services for files, DNS, URLs, IP addresses, and email addresses.
Network device management interfaces—such as Telnet, Secure Shell (SSH), Winbox, and HTTP—should be turned off for wide area network (WAN) interfaces and secured with strong passwords and encryption when enabled.
When possible, segment critical information on air-gapped systems. Use strict access control measures for critical data.

APPENDIX: APT40 Indicators of Compromise

APT40 used the following domains, file names, and malware MD5 hash values to facilitate the CNE activity outlined in this CSA between 2009 through 2018.

Domains

airbusocean[.]com	https://pastebin[.]com/vfb5mbbu	pacifichydrologic[.]org
cargillnotice[.]com	huntingtomingalls[.]com	philippinenewss[.]com
ccidmeekparry[.]info	indiadigest[.]in	philstarnotice[.]com
ccvzvhjhdf[.]website	jack-newnb[.]com	porndec143.chickenkiller[.]com
cdigroups[.]com	kAty197.chickenkiller[.]com	santaclarasystem[.]us
checkecc[.]com	louisdreyfu[.]com	scsnewstoday[.]com
chemscalere[.]com	mail2.ignorelist[.]com	secbkav[.]com
cnnzapmeta[.]com	masterroot[.]pw	Soure7788.chickenkiller[.]com
corycs[.]com	microsql-update[.]info	tccoll[.]com
deltektimes[.]com	mihybb[.]com	teledynegroup[.]com
Engaction[.]com	mlcdailynews[.]com	teledyneinstrument[.]com
ens-smithjonathan.rhcloud[.]com	movyaction[.]net	testdomain2019.chickenkiller[.]com
fishgatesite.wordpress[.]com	msusanode[.]com	thestar[.]live
goo2k88yyh2.chickenkiller[.]com	newbb-news[.]com	thrivedataview[.]com
gttdoskip[.]com	nfmybb[.]com	thyssemkrupp[.]com
http://gkimertds.wordpress[.]com/feed/	nmw4xhipveaca7hm[.]onion.link/en_US/all.js	thyssenkrupp-marinesystems[.]org
http://stackoverflow[.]com/users/3627469/angle-swift	nobug[.]uk.to	togetno992.mooo[.]com
http://stackoverflow[.]com/users/3804206/swiftr-angle	notesof992.wordpress[.]com	tojenner97.chickenkiller[.]com
http://stackoverflow[.]com/users/3863346/gkimertdssdads	onlinenewspapers[.]club	trafficeco[.]com
vser.mooo[.]com	onlineobl[.]com	transupdate[.]com
https://pastebin[.]com/p1mktQpD	oyukg43t[.]website	troubledate[.]com
ultrasocial[.]info	wsmcoff[.]com	xbug.uk[.]to
usdagroup[.]com	www.yorkshire-espana-sa[.]com/english/servicios/	yootypes[.]com
	https://github[.]com/slotz/sharp-loader/commit/f9de338fb474fd970a7375030642d04179b9245d

MD5 Malware Hashes

01234c0e41fc23bb5e1946f69e6c6221

018d3c34a296edd32e1b39b7276dcf7f

019b68e26df8750e2f9f580b150b7293

01fa52a4f9268948b6c508fef0377299

022bd2040ec0476d8eb80d1d9dc5cc92

039d9ca446e79f2f4310dc7dcc60ec55

043f6cdca33ce68b1ebe0fd79e4685af

04918772a2a6ccd049e42be16bcbee39

04dc4ca70f788b10f496a404c4903ac6

060067666435370e0289d4add7a07c3b

062c759d04106e46e027bbe3b93f33ef

07083008885d2d0b31b137e896c7266c

079068181a728d0d603fe72ebfc7e910

0803f8c5ee4a152f2108e64c1e7f0233

09143a14272a29c56ff32df160dfdb30

0985f757b1b51533b6c5cf9b1467f388

09aab083fb399527f8ff3065f7796443

0b7bb3e23a1be2f26b9adf7004fc6b52

0b9a614a2bbc64c1f32b95988e5a3359

0bbe092a2120b1be699387be16b5f8fb

0bbe769505ca3db6016da400539f77aa

0c3c00c01f4c4bad92b5ba56bd5a9598

0c4fa4dfbe0b07d3425fea3efe60be1c

0ca936a564508a1f9c91cb7943e07c30

0d69eefede612493afd16a7541415b95

0da08b4bfe84eacc9a1d9642046c3b3c

0dd7f10fdf60fc36d81558e0c4930984

0e01ec14c25f9732cc47cf6344107672

10191b6ce29b4e2bddb9e57d99e6c471

105757d1499f3790e69fb1a41e372fd9

207e3c538231eb0fd805c1fc137a7b46

20e52d2d1742f3a3caafbac07a8aa99a

226042db47bdd3677bd16609d18930bd

22823fed979903f8dfe3b5d28537eb47

2366918da9a484735ec3a9808296aab8

239a22c0431620dc937bc36476e5e245

2499390148fc99a0f38148655d8059e7

24dbcd8e8e478a35943a05c7adfc87cc

25a06ab7675e8f9e231368d328d95344

25b79ba11f4a22c962fea4a13856da7f

25fc4713290000cdf01d3e7a0cea7cef

2639805ae43e60c8f04955f0fe18391c

270df5aab66c4088f8c9de29ef1524b9

280e5a3b9671db31cf003935c34f8cf9

28366de82d9c4441f82b84246369ad3b

28628f709a23d5c02c91d6445e961645

28c6f235946fd694d2634c7a2f24c1ba

29c1b4ec0bc4e224af2d82c443cce415

2b8a06d1de446db3bbbd712cdb2a70ce

2bf998d954a88b12dbec1ee96b072cb9

2c408385acdb04f0679167223d70192b

2c9737c6922b6ca67bf12729dcf038f9

2dd9aab33fcdd039d3a860f2c399d1b1

2de0e31fda6bc801c86645b37ee6f955

2e5b59c62e6e2f3b180db9453968d817

2ee7168c0cc6e0df13d0f658626474bb

2eee367a6273ce89381d85babeae1576

2f0a52ce4f445c6e656ecebbcaceade5

2f9995bc34452c789005841bc1d8da09

30701b1d1e28107f8bd8a15fcc723110

31a72e3bf5b1d33368202614ffd075db

3389dae361af79b04c9c8e7057f60cc6

33d18e29b4ecc0f14c20c46448523fc8

46e80d49764a4e0807e67101d4c60720

480f3a13998069821e51cda3934cc978

48101bbdd897877cc62b8704a293a436

48548309036005b16544e5f3788561dc

4a23e0f2c6f926a41b28d574cbc6ac30

4ab825dc6dabf9b261ab1cf959bfc15d

4b18b1b56b468c7c782700dd02d621f4

4b93159610aaadbaaf7f60bea69f21a4

4beb3f7fd46d73f00c16b4cc6453dcdb

4dd6eab0fa77adb41b7bd265cfb32013

4e79e2cade96e41931f3f681cc49b60a

4ef1c48197092e0f3dea0e7a9030edc8

503f8dc2235f96242063b52440c5c229

50527c728506a95b657ec4097f819be6

5064dc5915a46bfa472b043be9d0f52f

513f559bf98e54236c1d4379e489b4bc

51e21a697aec4cc01e57264b8bfaf978

51f31ed78cec9dbe853d2805b219e6e7

52b0f7d77192fe6f08b03f0d4ea48e46

53ceeaf0a67239b3bc4b533731fd84af

56a9ff904b78644dee6ef5b27985f441

56b18ba219c8868a5a7b354d60429368

56d6d3aa1297c62c6b0f84e5339a6c22

57849bb3949b73e2cd309900adafc853

5826e0bd3cd907cb24c1c392b42152ca

5875dfe9a15dd558ef51f269dcc407b5

58e7fd4530a212b05481f004e82f7bc1

5957ef4b609ab309ea2f17f03eb78b2d

5984955cbc41b1172ae3a688ab0246c5

59ce71ffb298a5748c3115bc834335bf

5a8d488819f2072caed31ead6aeaf2fc

5acac898428f6d20f6f085d79d86db9c

5b2cddac9ebd7b0cd3f3d3ac15026ffb

6f6d12da9e5cf8b4a7f26e53cc8e9fbd

700d2582ccb35713b7d1272aa7cfc598

70206725df8da51f26d6362e21d8fadb

70e0052d1a2828c3da5ae3c90bc969ea

7204c1f6f1f4698ac99c6350f4611391

72a7fd2b3d1b829a9f01db312fdd1cd7

7327993142260cee445b846a12cf4e85

7525bc47e2828464ce07fa8a0db6844f

76adaa87f429111646a27c2e60bda61e

76c5dca8dc9b1241b8c9a376abab0cc5

782202b09f72b3cfdc93ffb096ca27de

7836c4a36cc66d4bcbd84abb25857d21

78a0af31a5c7e4aee0f9acde74547207

7969dc3c87a3d5e672b05ff2fe93f710

7a09bf329b0b311cc552405a38747445

7a63ea3f49a96fa0b53a84e59f005019

7b3f959ab775032a3ca317ebb52189c4

7b710f9731ad3d6e265ae67df2758d50

7bd10b5c8de94e195b7da7b64af1f229

7c036ba51a3818ddc8d51cf5a6673da4

7c49efe027e489134ec317d54de42def

7d63f39fb0100a51ba6d8553ef4f34de

7ef6802fc9652d880a1f3eaf944ce4a3

7f7d726ea2ed049ab3980e5e5cb278a3

7fe679c2450c5572a45772a96b15fcb1

83076104ae977d850d1e015704e5730a

8361b151c51a7ad032ad20cecf7316f4

838ceb02081ac27de43da56bec20fc76

84865f8f1a2255561175ab12d090da7c

8520062de440b75f65217ff2509120f7

85862c262c087dd4470bb3b055ef8ea5

85e5b11d79a7570c73d3aa96e5a4e84d

85ecef9ca15e25835a9300a85f9bcd2a

9d3fd2ff608e79101b09db9e361ea845

9d5206f692577d583b93f1c3378a7a90

9e592d0918c029aa49635f03947026e8

9f847b3618b31ef05aebd81332067bd8

9fdd77dc358843af3d7b3f796580c29d

a025881cd4ae65fab39081f897dc04fd

a0e3561633bdf674b294094ffa06a362

a13715be3d6cbd92ed830a654d086305

a2256f050d865c4335161f823b681c24

a26e600652c33dd054731b4693bf5b01

a2c66a75211e05b20b86dd90ba534792

a2cb95be941b94f5488eab6c2eec7805

a320510258668504ed0140e7b58ee31e

a34db95c0fcb78d9c5452f81254224eb

a3c0151e0b6289376f383630a8014722

a42a91354d605165d2c1283b6b330539

a4711b8414445d211826b4da3f39de0a

a4a70ce528f64521c3cd98dce841f6f3

a5ac89845910862cfef708b20acd0e44

a67fcb5dcfc9e3cfbfd7890e65d4f808

a68bf5fce22e7f1d6f999b7a580ae477

a6b9bbb87eb08168fc92271f69fa5825

a6cab9f2e928d71ed8ecf2c28f03a9a2

a7e4f42ad70ddd380281985302573491

a83b1aed22de71baee82e426842eeb48

a91dca76278cf4f4155eb1b0fc427727

a96dca187c3c001cad13440c3f7e77e8

aa73e7056443f1dd02480a22b48bdd46

aaafb1eeee552b0b676a5c6297cfc426

ab662cee6419327de86897029a619aeb

ab8f72562d02156273618d1f3746855c

abdb86d8b58b7394be841e0a4da9bec7

ace585625de8b3942cc3974cf476f8de

beea0da01409b73be94b8a3ef01c4503

befc121916f9df7363fead1c8554df9a

bf250a8c0c9a820cd1a21e3425acfe37

bfb0dcd9ef6ac6e016a8a5314d4ef637

bff56d7e963ea28176b0bcb60033635d

c05e5bc5adb803b8a53cff7f95621c73

c0ad63a680fbdc75d54b270cbedb4739

c0d9f3a67a8df0ed737ceb9e15bacc47

c112456341a1c5519e7039ce0ba960fa

c161f10fccecec67c589cdd24a05f880

c183e7319f07ccc591954068e15095db

c2e023b46024873573db658d7977e216

c380675a29f47dba0b1401c7f8e149dc

c3996bf709cad38d58907da523992e3b

c583ae5235ddea207ac11fff4af82d9b

c71f125fb385fed2561f3870b4593f18

c75a2b191da91114ceea80638bc54030

c78ee46ffbe5dd76d84fb6a74bf21474

c79b27fe1440b11a99a5611c9d6c6a78

c808d2ed8bb6b2e3c06c907a01b73d06

c8930a4fd33dcf18923d5cf0835272bd

c8940976a63366f39cfcdc099701093b

c89e8f0bc93d472a4f863a5fa7037286

c8a850a027fa4a3cdae7f87cc1c71ba0

cab21cb7ba1c45a926b96a38b0bdaaef

cbe63b9c0c9ac6e8c0f5b357df737c5e

cbfc1587f89f15a62f049e9e16cccf68

cd049c2b76c73510ae70610fd1042267

cd058dd28822c72360bc9950a6c56c45

cd427b4afea8032c77e907917608148a

cd81267e9c82d24a9f40739fa6bf1772

cdc22f7913eb93d77d629e59ac2dc46a

cdc585a1fd677da07163875cd0807402

e0b7e6c17339945bba43b8992a143485

e119a70f50132ae3afba3995fdf1aca6

e1512a0bf924c5a2b258ec24e593645a

e195d22652b01a98259818cfbab98d33

e1ab3358b5356adefaffbc15bc43a3f9

e1b840bbf5b54aeb19e6396cab8f4c6a

e26a29c0fc11cfb92936ab3374730b79

e284c25c50ba59d07a4fa947dc1a914a

e3867f6e964a29134c9ea2b63713f786

e3eb703ef415659f711b6bc5604e131e

e498718fd286aca7bb78858f4636f2db

e4d2c63a73a0f1c6b5e60bde81ac0289

e5478fb5e8d56334d19d43cae7f9224a

e5f7efcee5b15cf95a070a5cd05dbda9

e6348ee5beb9c581eeeaf4e076c5d631

e637f47c4f17c01a68539fcfcc4bc44f

e63fbc864b7911be296c8ee0798f6527

e68f9b39caf116fb108ccb5c9c4ce709

e6a757114c0940b6d63c6a5925ade27f

e6adc73df12092012f8cd246ba619f90

e8881037f684190d5f6cc26aab93d40f

e890fa6fd8a98fec7812d60f65bf1762

e8bc927ee0ae288609e1c37665a3314e

e8e73156316df88dee28214fb203658b

e957c36c9d69d6a8256b6ddf7f806f56

e9ce9b35e2386bf442e22a49243a647e

eadcae9ecba1097571c8d08e9b1c1a9c

eb06648b43d34f20fc1c40e509521e99

eb5e5db77540516e6400a7912ad0ef0d

eb5e999753f5ea094d59bdae0c66901c

eb5ee94048730b321e35394a0fb10a5d

eb64867dc48f757f0afe05dbf605b72d

eb88f415336f0dccedfc93405330c561

fae03ff044d6bb488e1a6f1c6428c510

fc2142bd72bd520338f776146903be67

fc9b8262905a80cc5381d520813d556d

fccd3de1df131f9d74949d69426c24af

fcd912fd7ed80e2cdf905873c6ced4ad

ff804e266a83974775814870cc49b66b

11166f8319c08c70fc886433a7dac92d

1223302912ec70c7c8350268a13ad226

139e071dd83304cdcfd5280022a0f958

13c93dc9186258d6c335b16dc7bb3c8c

14e2b0e47887c3bfbddb3b66012cb6e8

15437cfedfc067370915864feec47678

15e1816280d6c2932ff082329d0b1c76

166694d13ac463ea1c2bed64fbbb7207

16a344cd612cca4f0944ba688609e3ac

16c0011ea01c4690d5e76d7b10917537

1734a2b176a12eba8b74b8ca00ef1074

18144e860d353600bbd2e917aed21fde

1815c3a7a4a6d95f9298abb5855a3701

181a5b55b7987b62b5236965f473ba3b

18c26c5800e9e2482f1507c96804023e

1932ce50b7b6c88014cf082228486e5c

1af78c50aca90ee3d6c3497848ac5705

1b44fb4aaff71b1f96cd049a9461eaf5

1bb8f32e6e0e089d6a9c10737cf19683

1c35a87f61953baace605fff1a2d0921

1c945a6b0deccc6cd2f63c31f255d0ec

1cb216777039fe6a8464fc6a214c3c86

1d3a10846819a07eef66deefcc33459a

1dd6c80b4ea5d83aff4480dcbbef520c

1e91f0f52994617651e9b4a449af551a

1eb568559e335b3ed78588e5d99f9058

1ef9c42efe6e9a08b7ebb16913fa0228

1f2befede815fcf65c463bf875fcf497

1f9bdc0435ff0914605f01db8ca77a65

1ffd883095ff3279b31650ca3a50ad3c

34521c0f78d92a9d95e4f3ff15b516db

34681367cbcc3933f0f4b36481bde44e

34aa195c604d0725d7dd2aa4cc4efe28

354b95e858bcaced369ecbfdec327e2b

35f456afbe67951b3312f3b35d84ff0a

3647d11c155d414239943c8c23f6e8ec

37578c69c515f1d0d49769930fba25ce

375cbb0a88111d786c33510bff258a21

37b9b4ed979bd2cf818e2783499bfb5e

3810a18650dbacecd10d257312e92f61

3975740f65c2fa392247c60df70b1d6d

3a4ec0d0843769a937b5dadbe8ea56b1

3ab6bf23d5d244bc6d32d2626bd11c08

3bf8bb90d71d21233a80b0ec96321e90

3c2fe2dbdf09cfa869344fdb53307cb2

3c3d453ecf8cc7858795caece63e7299

3cbb46065f3e1dccbd707c340f38ce6b

3cf9dc0fdc2a6ab9b6f6265dc66b0157

3e89c56056e5525bf4d9e52b28fbbca7

3eb6f85ac046a96204096ab65bbd3e7e

3f50eedf4755b52aa7a7b740bd21daa6

3fefa55daeb167931975c22df3eca20a

4012acd80613aaa693a5d6cd4e7239ba

40528e368d323db0ac5c3f5e1efe4889

407c1ea99677615b80b2ffa2ed81d513

417949c717f78dc9e55ca81a5f7ade3e

4260e71d89f622c6a3359c5556b3aad7

429c10429a2ebb5f161e04159a59cf5b

4315975499cdc50098dbdb5b8aa4a199

44fa9c5df4ae20c50313aae02ba8fb95

4519b5d443a048a8599144900c4e1f28

45eb058edde4e5755a5ea1aff3ce3db7

460dc00ce690efacb5db8273c80e2b23

5b3050df93629f2f6cb3801ed19963c5

5b37ac4d642b96c4bf185c9584c0257a

5b3e945cd32a380f09ea98746f570758

5b72df8f6c110ae1d603354fcd8fe104

5c6f5cd81b099014718056e86b510fa2

5d63a3a02df2beda9d81f53abbd8264a

5d9c3cb239fa24bed2781bcf2898f153

5e353d1d17720c0f7c93f763e3565b3f

5f1c7f267fbe12210d3c80944f840332

5f393838220a6bf0cd9fd59c7cf97f5b

5f771966ef530ee0c2b42ef5cc46ad3a

6034ff91b376d653dc30f79664915b4e

603935efa89d93ea39b4b4d4a52ec529

607ea06890a6eedd723f629133576f20

60b2ce5ef4a076d1fa8675b584c27987

60cff7381b8fb64602816f9e5858930b

614909c72fa811ae41ea3d9b70122cee

6372d578e881abf76a4ec61e7a28da7d

63bf28f5dc6925a94c8b4e033a95be10

646cbeb4233948560ac50de555ea85ca

64db8e54d9a2daaa6d9cf156a8b73c18

675fe822243dfd1c3ace2a071d0aa6dd

67dbecfb5e0f2f729e57d0f1eda82c67

685cbba8cf2584a3378d82dec65aa0bb

693a4c2fcaa67fb87e62f150fb65e00e

6ad33ab8b9ff3f02964a8aab2a40ebb5

6b540be7ac7159104b0ffa536747f1bf

6b7276e4aa7a1e50735d2f6923b40de4

6b930be55ed4bf8e16b30eadc3873dfd

6c67f275d50f6bfee4848de6d4911931

6c9cfada134ede220b75087c7698ebf2

6e843ef4856336fe3ef4ed27a4c792b1

6e97bf1b7c44edc66622b43e81105779

86e50d6dc28283dbd295079252787577

870fbad5b9a54cb6720c122d1fa321ec

88b3b94574ba1eeb711a66eb04021eed

8956a045306b672d3cc852419a72c4b0

8a9ac1b3ef2bf63c2ddfadbbbfd456b5

8b3b96327fbddebefe727ac2edad5714

8baa499b3e2f081ff47f8cf06a5e7809

8bc20fcd09adb7ea86dda2c57477633b

8be0c21b6ee56d0f68e0d90f7d0a26d7

8c80dd97c37525927c1e549cb59bcbf3

8d2416d9f6926fb0dc12ab5dafef691d

8d74922b2b31354ce588cefac71d9a9b

8e8fb7632c3a7e96cf0ea5299d564018

8ee6c9e1adb71b2623d5e7aa45df5f4d

8efaa987959ef95179a0f5be05c10faf

8fbf53f77c98daba277dae7661b86f02

8fc825df73977eeffaaa1587565f7505

90a3e3a2049c6eb9e39d113d9451a83f

932d355d9f2df2e8d8449d85454fc983

9450980a4413dfdbc60a62b257a7b019

947892152b8419a2dfe498be5063c1da

94d42ff06a588587131c2cd8a9b2fe96

95c15b7961e2d6fad96defa7ff2c6272

96ba4bf00d8b4acee9f550286610dcc7

97004f1962e2aed917dc2be5c908278f

972077c1bb73ca78b7cad4ac6d56c669

991ebcd03ace627093acc860fae739b5

99949240bc4eae33cac4bbb93b72349d

9a0a8048d53dedc763992fff32584741

9a0e3e80cd7c21812de81224f646715e

9a61ed5721cf4586abd1d49e0da55350

9b26999182ea0c2b2cac91919697289e

9c656ce22c93ca31c81ff8378a0a91ee

ace620a0cc2684347e372f7e40e245d5

ad3b9e45192ec7c8085c3588cacb9c58

adb4f6ecb67732b7567486f0cee6e525

afa03ddb9fc64a795aadb6516c3bc268

b0269263ce024fc9de19f8f30bd51188

b04e895827c24070eb7082611ab79676

b059c9946ff67c62c074d6d15f356f6e

b07299a907a4732d14da32b417c08af3

b1dadfcf459f8447b9ec44d8767da36d

b2f1d2fefe9287f3261223b4b8219d03

b36f3e12cb88499f8795b8740ae67057

b4204f08c1a29fd4434e28b6219bfbc6

b4878c233d7f776a407f55a27b5effbc

b6c12d88eeb910784d75a5e4df954001

b7ab5c6926f738dbe8d3a05cb4a1b4f5

b80dcd50e27b85d9a44fc4f55ff0a728

b8a61b1fda80f95a7dcdb0137bc89f67

b9642c1b3dbcccc9d84371b3163d43e0

b9647f389978f588d977ef6ef863938f

b977bed98ae869a9bb9bf725215ef8e5

b9b627c470de997c01fdef4511029219

ba629216db6cf7c0c720054b0c9a13f3

badf0957c668d9f186fb218485d0d0f6

bb165b815e09fe95fa9282bce850528d

bbfb478770a911cf055b8dfd8dcb36e4

bc4c189e590053d2cf97569c495c9610

bc9089c39bcdb1c3ef2e5bd25c77ed68

bd42303e7c38486df2899b0ccf3ce8f7

bd452dc2f9490a44bcff8478d875af4b

bd6031dd85a578edf0bf1560caf36e02

bd63832e090819ea531d1a030fb04e9b

be39ff1ec88a1429939c411113b26c02

be88741844bf7c47f81271270abe82dc

ce26e91fc13ccb1be4b6bf6f55165410

ce449d7cb0a11b53b0513dde3bd57b1c

ceba742bccb23304cf05d6c565dc53f8

cebe44b8a9a2d6e15a03d40d9e98e0ed

cf946bc0faecb2dc8e8edc9e6ce2858f

d09fcd9fa9ed43c9f28bcd4bd4487d22

d0b5c11ee5df0d78bdde3fdc45eaf21d

d0d8243943053256bc1196e45fbf92d2

d0efc042ba4a6b207cf8f5b6760799d8

d20d01038e6ea10a9dcc72a88db5e048

d31596fe58ca278be1bb46e2a0203b34

d3df8c426572a85f3afa46e4cd2b66cd

d59a77a8da7bec1f4bad7054a41b3232

d76b1c624e9227131a2791957955dddc

d79477c9c688a8623930f4235c7228f6

d8a483d21504e73f0ba4b30bc01125d3

da46994fee26782605842005aabcd2fe

daa232882b74d60443dfec8742401808

dab45ac39e34cfee60dcb005c3d5a668

dbc583d6d5ec8f7f0c702b209af975e2

dbe92b105f474efc4a0540673da0eb9c

dbee8be5265a9879b61853cd9c0e4759

dc15ca49b39d1d17b22ec7580d32d905

dc386102060f7df285e9498f320f10e0

dd43cd0eddbb6f7cb69b1f469c37ec35

dd4e0f997e0b2cc9df28dca63ded6816

ddbdc6a3801906de598531b5b2dac02a

dde4ff4e41f86426051f15da48667f5f

ddecce92a712327c4068fabf0e1a7ff1

de608439f2bcc097b001d352b427bb68

deeb9b4789ac002aa8b834da76e70d74

df6475642f1fe122df3d7292217f1cff

e011784958e7a00ec99b8f2320e92bf4

ec4cdc752c2ecd0d9f97491cc646a269

edb648f6c3c2431b5b6788037c1cd8ef

ee3e297abd0a5b943dce46f33f3d56fb

ee4862bc4916fc22f219e1120bea734a

ef14448bf97f49a2322d4c79e64bb60b

ef2738889e9d041826d5c938a256bc45

ef6fcdd1b55adf8ad6bcdf3d93fd109e

efb5499492f08c1f10fecdeb703514d5

f0098aab593b65d980061a2df3a35c21

f073de9c169c8fcb2de5b811bff51cee

f0881d5a7f75389deba3eff3f4df09ac

f172ad4e906d97ed8f071896fc6789dc

f2b6bffa2c22420c0b1c848b673055ed

f446d8808a14649bddcc412f9e754890

f4dbe32f3505bc17364e2b125f8dd6df

f4dd628f6c0bc2472d29c796ee38bf46

f4e67343e13c37449ada7335b9c53dd1

f53e332b0a6dbe8d8d3177e93b70cb1e

f5ae03de0ad60f5b17b82f2cd68402fe

f5ce889a1fa751b8fd726994cdb8f97e

f5fdbfce1a5d2c000c266f4cd180a78d

f7202dea71cc638e0c2dbeb92c2ce279

f7cef381c4ee3704fc8216f00f87552a

f7ffbbbc68aadcbfbace55c58b6da0a7

f8b91554d221fe8ef4a4040e9516f919

f906571d719828f0f4b6212fc2aa7705

f9155052a43832061357c23de873ff9f

f9abacc459e5d50d8582e8c660752c4e

f9f608407d551f49d632bd6bd5bd7a56

f9fc9359dc5d1d0ac754b12efb795f79

fa27742b87747e64c8cb0d54aa70ef98

fa3c8d91ef4a8b245033ddb9aa3054a2

fad93907d5587eb9e0d8ebc78a5e19c2

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov.

References

Revisions

July 19, 2021: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

alerts

AA21-200B: Chinese State-Sponsored Cyber Operations: Observed TTPs

Post author By admin
Post date July 19, 2021

Original release date: July 19, 2021

Summary

This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9, and MITRE D3FEND™ framework, version 0.9.2-BETA-3. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques and the D3FEND framework for referenced defensive tactics and techniques.

The National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII). Some target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions. These cyber operations support China’s long-term economic and military development objectives.

This Joint Cybersecurity Advisory (CSA) provides information on tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors. This advisory builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis.

To increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors’ Observed Procedures. Note: NSA, CISA, and FBI encourage organization leaders to review CISA Joint Insights: Chinese Malicious Cyber Activity: Threat Overview for Leaders for information on this threat to their organization.

Click here for a PDF version of this report.

Technical Details

Trends in Chinese State-Sponsored Cyber Operations

NSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. political, economic, military, educational, and CI personnel and organizations. NSA, CISA, and FBI have identified the following trends in Chinese state-sponsored malicious cyber operations through proactive and retrospective analysis:

Acquisition of Infrastructure and Capabilities. Chinese state-sponsored cyber actors remain agile and cognizant of the information security community’s practices. These actors take effort to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools.
Exploitation of Public Vulnerabilities. Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability’s public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. For information on Common Vulnerabilities and Exposures (CVE) known to be exploited by malicious Chinese state-sponsored cyber actors, see:
- CISA-FBI Joint CSA AA20-133A: Top 10 Routinely Exploited Vulnerabilities,
- CISA Activity Alert: AA20-275A: Potential for China Cyber Response to Heightened U.S.-China Tensions, and
- NSA CSA U/OO/179811-20: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities.
Encrypted Multi-Hop Proxies. Chinese state-sponsored cyber actors have been routinely observed using a VPS as an encrypted proxy. The cyber actors use the VPS as well as small office and home office (SOHO) devices as operational nodes to evade detection.

Observed Tactics and Techniques

Chinese state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest worldwide and to acquire sensitive intellectual property, economic, political, and military information. Appendix B: MITRE ATT&CK Framework lists the tactics and techniques used by Chinese state-sponsored cyber actors. A downloadable JSON file is also available on the NSA Cybersecurity GitHub page.

Refer to Appendix A: Chinese State-Sponsored Cyber Actors’ Observed Procedures for information on procedures affiliated with these tactics and techniques as well as applicable mitigations.

Figure 1: Example of tactics and techniques used in various cyber operations.

Mitigations

NSA, CISA, and FBI urge federal and SLTT government, CI, DIB, and private industry organizations to apply the following recommendations as well as the detection and mitigation recommendations in Appendix A, which are tailored to observed tactics and techniques:

Patch systems and equipment promptly and diligently. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment and CVEs known to be exploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that enables a timely and thorough patching cycle.
Note: for more information on CVEs routinely exploited by Chinese state-sponsored cyber actors refer to the resources listed in the Trends in Chinese State-Sponsored Cyber Operations section.
Enhance monitoring of network traffic, email, and endpoint systems. Review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly. Follow the best practices of restricting attachments via email and blocking URLs and domains based upon reputation. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. Monitor common ports and protocols for command and control (C2) activity. SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.
Use protection capabilities to stop malicious activity. Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use a network intrusion detection and prevention system to identify and prevent commonly employed adversarial malware and limit nefarious data transfers. Use a domain reputation service to detect suspicious or malicious domains. Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary’s ability to leverage stolen credentials, but be aware of MFA interception techniques for some MFA implementations.▪

Resources

Refer to us-cert.cisa.gov/china, https://www.ic3.gov/Home/IndustryAlerts, and https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/ for previous reporting on Chinese state-sponsored malicious cyber activity.

Disclaimer of Endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Purpose

This document was developed by NSA, CISA, and FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp/.

Trademark Recognition

MITRE and ATT&CK are registered trademarks of The MITRE Corporation. • D3FEND is a trademark of The MITRE Corporation. • Microsoft, Microsoft Exchange, Office 365, Microsoft Office, OneDrive, Outlook, OWA, PowerShell, Windows Defender, and Windows are registered trademarks of Microsoft Corporation. • Pulse Secure is a registered trademark of Pulse Secure, LLC. • Apache is a registered trademark of Apache Software Foundation. • F5 and BIG-IP are registered trademarks of F5 Networks. • Cobalt Strike is a registered trademark of Strategic Cyber LLC. • GitHub is a registered trademark of GitHub, Inc. • JavaScript is a registered trademark of Oracle Corporation. • Python is a registered trademark of Python Software Foundation. • Unix is a registered trademark of The Open Group. • Linux is a registered trademark of Linus Torvalds. • Dropbox is a registered trademark of Dropbox, Inc.

APPENDIX A: Chinese State-Sponsored Cyber Actors’ Observed Procedures

Note: D3FEND techniques are based on the Threat Actor Procedure(s) and may not match automated mappings to ATT&CK techniques and sub-techniques.

Tactics: Reconnaissance [TA0043]

Table 1: Chinese state-sponsored cyber actors’ Reconnaissance TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques	Threat Actor Procedure(s)	Detection and Mitigation Recommendations	Defensive Tactics and Techniques
Active Scanning [T1595]	Chinese state-sponsored cyber actors have been assessed to perform reconnaissance on Microsoft® 365 (M365), formerly Office® 365, resources with the intent of further gaining information about the networks. These scans can be automated, through Python® scripts, to locate certain files, paths, or vulnerabilities. The cyber actors can gain valuable information on the victim network, such as the allocated resources, an organization’s fully qualified domain name, IP address space, and open ports to target or exploit.	Minimize the amount and sensitivity of data available to external parties, for example: Scrub user email addresses and contact lists from public websites, which can be used for social engineering, Share only necessary data and information with third parties, and Monitor and limit third-party access to the network. Active scanning from cyber actors may be identified by monitoring network traffic for sources associated with botnets, adversaries, and known bad IPs based on threat intelligence.	Detect: Network Traffic Analysis Connection Attempt Analysis [D3-CAA] Isolate: Network Isolation Inbound Traffic Filtering [D3-ITF]
Gather Victim Network Information [T1590]

Threat Actor
Technique / Sub-Techniques

Threat Actor Procedure(s)

Detection and Mitigation Recommendations

Defensive Tactics and Techniques

Active Scanning [T1595]

Chinese state-sponsored cyber actors have been assessed to perform reconnaissance on Microsoft® 365 (M365), formerly Office® 365, resources with the intent of further gaining information about the networks. These scans can be automated, through Python® scripts, to locate certain files, paths, or vulnerabilities. The cyber actors can gain valuable information on the victim network, such as the allocated resources, an organization’s fully qualified domain name, IP address space, and open ports to target or exploit.

Minimize the amount and sensitivity of data available to external parties, for example:

Scrub user email addresses and contact lists from public websites, which can be used for social engineering,
Share only necessary data and information with third parties, and
Monitor and limit third-party access to the network.

Active scanning from cyber actors may be identified by monitoring network traffic for sources associated with botnets, adversaries, and known bad IPs based on threat intelligence.

Detect:

Network Traffic Analysis
- Connection Attempt Analysis [D3-CAA]

Isolate:

Network Isolation
- Inbound Traffic Filtering [D3-ITF]

Gather Victim Network Information [T1590]

Tactics: Resource Development [TA0042]

Table II: Chinese state-sponsored cyber actors’ Resource Development TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques	Threat Actor Procedure(s)	Detection and Mitigation Recommendations	Defensive Tactics and Techniques
Acquire Infrastructure [T1583]	Chinese state-sponsored cyber actors have been observed using VPSs from cloud service providers that are physically distributed around the world to host malware and function as C2 nodes.	Adversary activities occurring outside the organization’s boundary of control and view makes mitigation difficult. Organizations can monitor for unexpected network traffic and data flows to and from VPSs and correlate other suspicious activity that may indicate an active threat.	N/A
Stage Capabilities [T1608]
Obtain Capabilities [T1588]: Tools [T1588.002]	Chinese state-sponsored cyber actors have been observed using Cobalt Strike® and tools from GitHub® on victim networks.	Organizations may be able to identify malicious use of Cobalt Strike by: Examining network traffic using Transport Layer Security (TLS) inspection to identify Cobalt Strike. Look for human generated vice machine-generated traffic, which will be more uniformly distributed. Looking for the default Cobalt Strike TLS certificate. Look at the user agent that generates the TLS traffic for discrepancies that may indicate faked and malicious traffic. Review the traffic destination domain, which may be malicious and an indicator of compromise. Look at the packet’s HTTP host header. If it does not match with the destination domain, it may indicate a fake Cobalt Strike header and profile. Check the Uniform Resource Identifier (URI) of the flow to see if it matches one associated with Cobalt Strike’s malleable C2 language. If discovered, additional recovery and investigation will be required.	N/A

Threat Actor
Technique / Sub-Techniques

Threat Actor Procedure(s)

Detection and Mitigation Recommendations

Defensive Tactics and Techniques

Acquire Infrastructure [T1583]

Chinese state-sponsored cyber actors have been observed using VPSs from cloud service providers that are physically distributed around the world to host malware and function as C2 nodes.

Adversary activities occurring outside the organization’s boundary of control and view makes mitigation difficult. Organizations can monitor for unexpected network traffic and data flows to and from VPSs and correlate other suspicious activity that may indicate an active threat.

N/A

Stage Capabilities [T1608]

Obtain Capabilities [T1588]:

Tools [T1588.002]

Chinese state-sponsored cyber actors have been observed using Cobalt Strike® and tools from GitHub® on victim networks.

Organizations may be able to identify malicious use of Cobalt Strike by:

Examining network traffic using Transport Layer Security (TLS) inspection to identify Cobalt Strike. Look for human generated vice machine-generated traffic, which will be more uniformly distributed.
Looking for the default Cobalt Strike TLS certificate.
Look at the user agent that generates the TLS traffic for discrepancies that may indicate faked and malicious traffic.
Review the traffic destination domain, which may be malicious and an indicator of compromise.
Look at the packet’s HTTP host header. If it does not match with the destination domain, it may indicate a fake Cobalt Strike header and profile.
Check the Uniform Resource Identifier (URI) of the flow to see if it matches one associated with Cobalt Strike’s malleable C2 language. If discovered, additional recovery and investigation will be required.

N/A

Tactics: Initial Access [TA0001]

Table III: Chinese state-sponsored cyber actors’ Initial Access TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques	Threat Actor Procedure(s)	Detection and Mitigation Recommendations	Detection and Mitigation Recommendations
Drive By Compromise [T1189]	Chinese state-sponsored cyber actors have been observed gaining access to victim networks through watering hole campaigns of typo-squatted domains.	Ensure all browsers and plugins are kept up to date. Use modern browsers with security features turned on. Restrict the use of unneeded websites, block unneeded downloads/attachments, block unneeded JavaScript®, restrict browser extensions, etc. Use adblockers to help prevent malicious code served through advertisements from executing. Use script blocking extensions to help prevent the execution of unneeded JavaScript, which may be used during exploitation processes. Use browser sandboxes or remote virtual environments to mitigate browser exploitation. Use security applications that look for behavior used during exploitation, such as Windows Defender® Exploit Guard (WDEG).	Detect: Identifier Analysis Homoglyph Detection [D3-HD] URL Analysis [D3-UA] File Analysis Dynamic Analysis [D3-DA] Isolate: Execution Isolation Hardware-based Process Isolation [D3-HBPI] Executable Allowlisting [D3-EAL] Network Isolation DNS Denylisting [D3-DNSDL] Outbound Traffic Filtering [D3-OTF]
Exploit Public-Facing Application [T1190]	Chinese state-sponsored cyber actors have exploited known vulnerabilities in Internet-facing systems.[1] For information on vulnerabilities known to be exploited by Chinese state-sponsored cyber actors, refer to the Trends in Chinese State-Sponsored Cyber Operations section for a list of resources. Chinese state-sponsored cyber actors have also been observed: Using short-term VPS devices to scan and exploit vulnerable Microsoft Exchange® Outlook Web Access (OWA®) and plant webshells. Targeting on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments to gain access to cloud resources. Deploying a public proof of concept (POC) exploit targeting a public-facing appliance vulnerability.	Review previously published alerts and advisories from NSA, CISA, and FBI, and diligently patch vulnerable applications known to be exploited by cyber actors. Refer to the Trends in Chinese State-Sponsored Cyber Operations section for a non-inclusive list of resources. Additional mitigations include: Consider implementing Web Application Firewalls (WAF), which can prevent exploit traffic from reaching an application. Segment externally facing servers and services from the rest of the network with a demilitarized zone (DMZ). Use multi-factor authentication (MFA) with strong factors and require regular re-authentication. Disable protocols using weak authentication. Limit access to and between cloud resources with the desired state being a Zero Trust model. For more information refer to NSA Cybersecurity Information Sheet: [Embracing a Zero Trust Security Model]. When possible, use cloud-based access controls on cloud resources (e.g., cloud service provider (CSP)-managed authentication between virtual machines). Use automated tools to audit access logs for security concerns. Where possible, enforce MFA for password resets. Do not include Application Programing Interface (API) keys in software version control systems where they can be unintentionally leaked.	Harden: Application Hardening [D3-AH] Platform Hardening Software Update [D3-SU] Detect: File Analysis [D3-FA] Network Traffic Analysis Client-server Payload Profiling [D3-CSPP] Process Analysis Process Spawn Analysis Process Lineage Analysis [D3-PLA] Isolate: Network Isolation Inbound Traffic Filtering [D3-ITF]
Phishing [T1566]: Spearphishing Attachment [T1566.001] Spearphishing Link [T1566.002]	Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns. These email compromise attempts range from generic emails with mass targeted phishing attempts to specifically crafted emails in targeted social engineering lures. These compromise attempts use the cyber actors’ dynamic collection of VPSs, previously compromised accounts, or other infrastructure in order to encourage engagement from the target audience through domain typo-squatting and masquerading. These emails may contain a malicious link or files that will provide the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment.	Implement a user training program and simulated spearphishing emails to discourage users from visiting malicious websites or opening malicious attachments and re-enforce the appropriate user responses to spearphishing emails. Quarantine suspicious files with antivirus solutions. Use a network intrusion prevention system (IPS) to scan and remove malicious email attachments. Block uncommon file types in emails that are not needed by general users (`.exe`, `.jar`,`.vbs`) Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using Sender Policy Framework [SPF]) and integrity of messages (using Domain Keys Identified Mail [DKIM]). Enabling these mechanisms within an organization (through policies such as Domain-based Message Authentication, Reporting, and Conformance [DMARC]) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation. Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. Prevent users from clicking on malicious links by stripping hyperlinks or implementing “URL defanging” at the Email Security Gateway or other email security tools. Add external sender banners to emails to alert users that the email came from an external sender.	Harden: Message Hardening Message Authentication [D3-MAN] Transfer Agent Authentication [D3-TAAN] Detect: File Analysis Dynamic Analysis [D3-DA] Identifier Analysis Homoglyph Detection [D3-HD] URL Analysis [D3-UA] Message Analysis Sender MTA Reputation Analysis [D3-SMRA] Sender Reputation Analysis [D3-SRA]
External Remote Services [T1133]	Chinese state-sponsored cyber actors have been observed: Exploiting vulnerable devices immediately after conducting scans for critical zero-day or publicly disclosed vulnerabilities. The cyber actors used or modified public proof of concept code in order to exploit vulnerable systems. Targeting Microsoft Exchange offline address book (OAB) virtual directories (VDs). Exploiting Internet accessible webservers using webshell small code injections against multiple code languages, including `net`, `asp`, `apsx`, `php`, `japx`, and `cfm`. Note: refer to the references listed above in Exploit Public-Facing Application [T1190] for information on CVEs known to be exploited by malicious Chinese cyber actors. Note: this technique also applies to Persistence [TA0003].	Many exploits can be mitigated by applying available patches for vulnerabilities (such as CVE-2019-11510, CVE-2019-19781, and CVE-2020-5902) affecting external remote services. Reset credentials after virtual private network (VPN) devices are upgraded and reconnected to the external network. Revoke and generate new VPN server keys and certificates (this may require redistributing VPN connection information to users). Disable Remote Desktop Protocol (RDP) if not required for legitimate business functions. Restrict VPN traffic to and from managed service providers (MSPs) using a dedicated VPN connection. Review and verify all connections between customer systems, service provider systems, and other client enclaves.	Harden: Software Update [D3-SU] Detect: Network Traffic Analysis Connection Attempt Analysis [D3-CAA] Platform Monitoring [D3-PM] Process Analysis Process Spawn Analysis [D3-SPA] Process Lineage Analysis [D3-PLA]
Valid Accounts [T1078]: Default Accounts [T1078.001] Domain Accounts [T1078.002]	Chinese state-sponsored cyber actors have been observed: gaining credential access into victim networks by using legitimate, but compromised credentials to access OWA servers, corporate login portals, and victim networks. Note: this technique also applies to Persistence [TA0003], Privilege Escalation [TA0004], and Defense Evasion [TA0005].	Adhere to best practices for password and permission management. Ensure that MSP accounts are not assigned to administrator groups and restrict those accounts to only systems they manage Do not store credentials or sensitive data in plaintext. Change all default usernames and passwords. Routinely update and secure applications using Secure Shell (SSH). Update SSH keys regularly and keep private keys secure. Routinely audit privileged accounts to identify malicious use.	Harden: Credential Hardening Multi-factor Authentication [D3-MFA] Detect: User Behavior Analysis [D3-UBA] Authentication Event Thresholding [D3-ANET] Job Function Access Pattern Analysis [D3-JFAPA]

Tactics: Execution [TA0002]

Table IV: Chinese state-sponsored cyber actors’ Execution TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques	Threat Actor Procedure(s)	Detection and Mitigation Recommendations	Defensive Tactics and Techniques
Command and Scripting Interpreter [T1059]: PowerShell® [T1059.001] Windows® Command Shell [T1059.003] Unix® Shell [T1059.004] Python [T1059.006] JavaScript [T1059.007] Network Device CLI [T1059.008]	Chinese state-sponsored cyber actors have been observed: Using cmd.exe, JavaScript/Jscript Interpreter, and network device command line interpreters (CLI). Using PowerShell to conduct reconnaissance, enumeration, and discovery of the victim network. Employing Python scripts to exploit vulnerable servers. Using a UNIX shell in order to conduct discovery, enumeration, and lateral movement on Linux® servers in the victim network.	PowerShell Turn on PowerShell logging. (Note: this works better in newer versions of PowerShell. NSA, CISA, and FBI recommend using version 5 or higher.) Push Powershell logs into a security information and event management (SIEM) tool. Monitor for suspicious behavior and commands. Regularly evaluate and update blocklists and allowlists. Use an antivirus program, which may stop malicious code execution that cyber actors attempt to execute via PowerShell. Remove PowerShell if it is not necessary for operations. Restrict which commands can be used. Windows Command Shell Restrict use to administrator, developer, or power user systems. Consider its use suspicious and investigate, especially if average users run scripts. Investigate scripts running out of cycle from patching or other administrator functions if scripts are not commonly used on a system, but enabled. Monitor for and investigate other unusual or suspicious scripting behavior. Unix Use application controls to prevent execution. Monitor for and investigate unusual scripting behavior. Use of the Unix shell may be common on administrator, developer, or power user systems. In this scenario, normal users running scripts should be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions should be considered suspicious. Python Audit inventory systems for unauthorized Python installations. Blocklist Python where not required. Prevent users from installing Python where not required. JavaScript Turn off or restrict access to unneeded scripting components. Blocklist scripting where appropriate. For malicious code served up through ads, adblockers can help prevent that code from executing. Network Device Command Line Interface (CLI) Use TACACS+ to keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization. Use an authentication, authorization, and accounting (AAA) systems to limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse. Ensure least privilege principles are applied to user accounts and groups.	Harden: Platform Hardening [D3-PH] Detect: Process Analysis Script Execution Analysis [D3-SEA] Isolate: Execution Isolation Executable Allowlisting [D3-EAL]
Scheduled Task/Job [T1053] Cron [T1053.003] Scheduled Task [T1053.005]	Chinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as `schtask` or `crontab` to create and schedule tasks that enumerate victim devices and networks. Note: this technique also applies to Persistence [TA0003] and Privilege Escalation [TA0004].	• Monitor scheduled task creation from common utilities using command-line invocation and compare for any changes that do not correlate with known software, patch cycles, or other administrative activity. • Configure event logging for scheduled task creation and monitor process execution from `svchost.exe` (Windows 10) and Windows Task Scheduler (Older version of Windows) to look for changes in `%systemroot%System32Tasks` that do not correlate with known software, patch cycles, or other administrative activity. Additionally monitor for any scheduled tasks created via command line utilities—such as PowerShell or Windows Management Instrumentation (WMI)—that do not conform to typical administrator or user actions.	Detect: Platform Monitoring Operating System Monitoring [D3-OSM] Scheduled Job Analysis [D3-SJA] System Daemon Monitoring [D3-SDM] System File Analysis [D3-SFA] Isolate: Execution Isolation Executable Allowlisting [D3-EAL]
User Execution [T1204] Malicious Link [T1204.001] Malicious File [T1204.002]	Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience. These emails may contain a malicious link or file that provide the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment.	Use an antivirus program, which may stop malicious code execution that cyber actors convince users to attempt to execute. Prevent unauthorized execution by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications. Use a domain reputation service to detect and block suspicious or malicious domains. Determine if certain categories of websites are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. Ensure all browsers and plugins are kept up to date. Use modern browsers with security features turned on. Use browser and application sandboxes or remote virtual environments to mitigate browser or other application exploitation.	Detect: File Analysis Dynamic Analysis [D3-DA] File Content Rules [D3-FCR] Identifier Analysis Homoglyph Detection [D3-HD] URL Analysis [D3-UA] Network Traffic Analysis DNS Traffic Analysis [D3-DNSTA] Isolate: Execution Isolation Hardware-based Process Isolation [D3-HBPI] Executable Allowlisting [D3-EAL] Network Isolation DNS Denylisting [D3-DNSDL] Outbound Traffic Filtering [D3-OTF]

Threat Actor Technique /
Sub-Techniques

Threat Actor Procedure(s)

Detection and Mitigation Recommendations

Defensive Tactics and Techniques

Command and Scripting Interpreter [T1059]:

PowerShell® [T1059.001]
Windows® Command Shell [T1059.003]
Unix® Shell [T1059.004]
Python [T1059.006]
JavaScript [T1059.007]
Network Device CLI [T1059.008]

Chinese state-sponsored cyber actors have been observed:

Using cmd.exe, JavaScript/Jscript Interpreter, and network device command line interpreters (CLI).
Using PowerShell to conduct reconnaissance, enumeration, and discovery of the victim network.
Employing Python scripts to exploit vulnerable servers.
Using a UNIX shell in order to conduct discovery, enumeration, and lateral movement on Linux® servers in the victim network.

PowerShell

Turn on PowerShell logging. (Note: this works better in newer versions of PowerShell. NSA, CISA, and FBI recommend using version 5 or higher.)
Push Powershell logs into a security information and event management (SIEM) tool.
Monitor for suspicious behavior and commands. Regularly evaluate and update blocklists and allowlists.
Use an antivirus program, which may stop malicious code execution that cyber actors attempt to execute via PowerShell.
Remove PowerShell if it is not necessary for operations.
Restrict which commands can be used.

Windows Command Shell

Restrict use to administrator, developer, or power user systems. Consider its use suspicious and investigate, especially if average users run scripts.
Investigate scripts running out of cycle from patching or other administrator functions if scripts are not commonly used on a system, but enabled.
Monitor for and investigate other unusual or suspicious scripting behavior.

Unix

Use application controls to prevent execution.
Monitor for and investigate unusual scripting behavior. Use of the Unix shell may be common on administrator, developer, or power user systems. In this scenario, normal users running scripts should be considered suspicious.
If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions should be considered suspicious.

Python

Audit inventory systems for unauthorized Python installations.
Blocklist Python where not required.
Prevent users from installing Python where not required.

JavaScript

Turn off or restrict access to unneeded scripting components.
Blocklist scripting where appropriate.
For malicious code served up through ads, adblockers can help prevent that code from executing.

Network Device Command Line Interface (CLI)

Use TACACS+ to keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization.
Use an authentication, authorization, and accounting (AAA) systems to limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse.
Ensure least privilege principles are applied to user accounts and groups.

Harden:

Platform Hardening [D3-PH]

Detect:

Process Analysis
- Script Execution Analysis [D3-SEA]

Isolate:

Execution Isolation
- Executable Allowlisting [D3-EAL]

Scheduled Task/Job [T1053]

Cron [T1053.003]
Scheduled Task [T1053.005]

Chinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as schtask or crontab to create and schedule tasks that enumerate victim devices and networks.

Note: this technique also applies to Persistence [TA0003] and Privilege Escalation [TA0004].

• Monitor scheduled task creation from common utilities using command-line invocation and compare for any changes that do not correlate with known software, patch cycles, or other administrative activity.
• Configure event logging for scheduled task creation and monitor process execution from svchost.exe (Windows 10) and Windows Task Scheduler (Older version of Windows) to look for changes in %systemroot%System32Tasks that do not correlate with known software, patch cycles, or other administrative activity. Additionally monitor for any scheduled tasks created via command line utilities—such as PowerShell or Windows Management Instrumentation (WMI)—that do not conform to typical administrator or user actions.

Detect:

Platform Monitoring
- Operating System Monitoring [D3-OSM]
  - Scheduled Job Analysis [D3-SJA]
  - System Daemon Monitoring [D3-SDM]
  - System File Analysis [D3-SFA]

Isolate:

Execution Isolation
- Executable Allowlisting [D3-EAL]

User Execution [T1204]

Malicious Link [T1204.001]
Malicious File [T1204.002]

Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience. These emails may contain a malicious link or file that provide the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment.

Use an antivirus program, which may stop malicious code execution that cyber actors convince users to attempt to execute.
Prevent unauthorized execution by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
Use a domain reputation service to detect and block suspicious or malicious domains.
Determine if certain categories of websites are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
Ensure all browsers and plugins are kept up to date.
Use modern browsers with security features turned on.
Use browser and application sandboxes or remote virtual environments to mitigate browser or other application exploitation.

Detect:

File Analysis
- Dynamic Analysis [D3-DA]
- File Content Rules [D3-FCR]
Identifier Analysis
- Homoglyph Detection [D3-HD]
- URL Analysis [D3-UA]
Network Traffic Analysis
- DNS Traffic Analysis [D3-DNSTA]

Isolate:

Execution Isolation
- Hardware-based Process Isolation [D3-HBPI]
- Executable Allowlisting [D3-EAL]
Network Isolation
- DNS Denylisting [D3-DNSDL]
- Outbound Traffic Filtering [D3-OTF]

Tactics: Persistence [TA0003]

Table V: Chinese state-sponsored cyber actors’ Persistence TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques	Threat Actor Procedure(s)	Detection and Mitigation Recommendations	Defensive Tactics and Techniques
Hijack Execution Flow [T1574]: DLL Search Order Hijacking [T1574.001]	Chinese state-sponsored cyber actors have been observed using benign executables which used Dynamic Link Library (DLL) load-order hijacking to activate the malware installation process. Note: this technique also applies to Privilege Escalation [TA0004] and Defense Evasion [TA0005].	Disallow loading of remote DLLs. Enable safe DLL search mode. Implement tools for detecting search order hijacking opportunities. Use application allowlisting to block unknown DLLs. Monitor the file system for created, moved, and renamed DLLs. Monitor for changes in system DLLs not associated with updates or patches. Monitor DLLs loaded by processes (e.g., legitimate name, but abnormal path).	Detect: Platform Monitoring Operating System Monitoring Service Binary Verification [D3-SBV] Process Analysis File Access Pattern Analysis [D3-FAPA] Isolate: Execution Isolation Executable Allowlisting [D3-EAL]
Modify Authentication Process [T1556] Domain Controller Authentication [T1556.001]	Chinese state-sponsored cyber actors were observed creating a new sign-in policy to bypass MFA requirements to maintain access to the victim network. Note: this technique also applies to Defense Evasion [TA0005] and Credential Access [TA0006].	Monitor for policy changes to authentication mechanisms used by the domain controller. Monitor for modifications to functions exported from authentication DLLs (such as `cryptdll.dll` and `samsrv.dll`). Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts (for example, one account logged into multiple systems simultaneously, multiple accounts logged into the same machine simultaneously, accounts logged in at odd times or outside of business hours). Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for and correlate changes to Registry entries.	Detect: Process Analysis [D3-PA] User Behavior Analysis Authentication Event Thresholding [D3-ANET] User Geolocation Logon Pattern Analysis [D3-UGLPA]
Server Software Component [T1505]: Web Shell [T1505.003]	Chinese state-sponsored cyber actors have been observed planting web shells on exploited servers and using them to provide the cyber actors with access to the victim networks.	Use Intrusion Detection Systems (IDS) to monitor for and identify China Chopper traffic using IDS signatures. Monitor and search for predictable China Chopper shell syntax to identify infected files on hosts. Perform integrity checks on critical servers to identify and investigate unexpected changes. Have application developers sign their code using digital signatures to verify their identity. Identify and remediate web application vulnerabilities or configuration weaknesses. Employ regular updates to applications and host operating systems. Implement a least-privilege policy on web servers to reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts and control creation and execution of files in particular directories. If not already present, consider deploying a DMZ between web-facing systems and the corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity. Ensure secure configuration of web servers. All unnecessary services and ports should be disabled or blocked. Access to necessary services and ports should be restricted, where feasible. This can include allowlisting or blocking external access to administration panels and not using default login credentials. Use a reverse proxy or alternative service, such as mod_security, to restrict accessible URL paths to known legitimate ones. Establish, and backup offline, a “known good” version of the relevant server and a regular change management policy to enable monitoring for changes to servable content with a file integrity system. Employ user input validation to restrict exploitation of vulnerabilities. Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero-day exploits, it will highlight possible areas of concern. Deploy a web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.	Detect: Network Traffic Analysis Client-server Payload Profiling [D3-CSPP] Per Host Download-Upload Ratio Analysis [D3-PHDURA] Process Analysis Process Spawn Analysis Process Lineage Analysis [D3-PLA] Isolate: Network Isolation Inbound Traffic Filtering [D3-ITF]
Create or Modify System Process [T1543]: Windows Service [T1543.003]	Chinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence. Note: this technique also applies to Privilege Escalation [TA0004].	Only allow authorized administrators to make service changes and modify service configurations. Monitor processes and command-line arguments for actions that could create or modify services, especially if such modifications are unusual in your environment. Monitor WMI and PowerShell for service modifications.	Detect: Process Analysis Process Spawn Analysis [D3-PSA]

Tactics: Privilege Escalation [TA0004]

Table VI: Chinese state-sponsored cyber actors’ Privilege Escalation TTPs with detection and mitigation recommendations

Threat Actor Technique /
Sub-Techniques Threat Actor Procedure(s) Detection and Mitigation Recommendations Defensive Tactics and Techniques

Threat Actor Technique / Sub-Techniques	Threat Actor Procedure(s)	Detection and Mitigation Recommendations	Defensive Tactics and Techniques
Domain Policy Modification [T1484] Group Policy Modification [T1484.001]	Chinese state-sponsored cyber actors have also been observed modifying group policies for password exploitation. Note: this technique also applies to Defense Evasion [TA0005].	Identify and correct Group Policy Object (GPO) permissions abuse opportunities (e.g., GPO modification privileges) using auditing tools. Monitor directory service changes using Windows event logs to detect GPO modifications. Several events may be logged for such GPO modifications. Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.	Detect: Network Traffic Analysis Administrative Network Activity Analysis [D3-ANAA] Platform Monitoring Operating System Monitoring System File Analysis [D3-SFA]
Process Injection [T1055]: Dynamic Link Library Injection [T1055.001] Portable Executable Injection [T1055.002]	Chinese state-sponsored cyber actors have been observed: Injecting into the `rundll32.exe` process to hide usage of Mimikatz, as well as injecting into a running legitimate `explorer.exe` process for lateral movement. Using shellcode that injects implants into newly created instances of the Service Host process (`svchost`) Note: this technique also applies to Defense Evasion [TA0005].	Use endpoint protection software to block process injection based on behavior of the injection process. Monitor DLL/Portable Executable (PE) file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. Monitor for suspicious sequences of Windows API calls such as `CreateRemoteThread`, `VirtualAllocEx`, or `WriteProcessMemory` and analyze processes for unexpected or atypical behavior such as opening network connections or reading files. To minimize the probable impact of a threat actor using Mimikatz, always limit administrative privileges to only users who actually need it; upgrade Windows to at least version 8.1 or 10; run Local Security Authority Subsystem Service (LSASS) in protected mode on Windows 8.1 and higher; harden the local security authority (LSA) to prevent code injection.	Execution Isolation Hardware-based Process Isolation [D3-HBPI] Mandatory Access Control [D3-MAC]

Domain Policy Modification [T1484]

Group Policy Modification [T1484.001]

Chinese state-sponsored cyber actors have also been observed modifying group policies for password exploitation.

Note: this technique also applies to Defense Evasion [TA0005].

Identify and correct Group Policy Object (GPO) permissions abuse opportunities (e.g., GPO modification privileges) using auditing tools.
Monitor directory service changes using Windows event logs to detect GPO modifications. Several events may be logged for such GPO modifications.
Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.

Detect:

Network Traffic Analysis
- Administrative Network Activity Analysis [D3-ANAA]
Platform Monitoring
- Operating System Monitoring
  - System File Analysis [D3-SFA]

Process Injection [T1055]:

Dynamic Link Library Injection [T1055.001]
Portable Executable Injection [T1055.002]

Chinese state-sponsored cyber actors have been observed:

Injecting into the rundll32.exe process to hide usage of Mimikatz, as well as injecting into a running legitimate explorer.exe process for lateral movement.
Using shellcode that injects implants into newly created instances of the Service Host process (svchost)

Note: this technique also applies to Defense Evasion [TA0005].

Use endpoint protection software to block process injection based on behavior of the injection process.
Monitor DLL/Portable Executable (PE) file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.
Monitor for suspicious sequences of Windows API calls such as CreateRemoteThread, VirtualAllocEx, or WriteProcessMemory and analyze processes for unexpected or atypical behavior such as opening network connections or reading files.
To minimize the probable impact of a threat actor using Mimikatz, always limit administrative privileges to only users who actually need it; upgrade Windows to at least version 8.1 or 10; run Local Security Authority Subsystem Service (LSASS) in protected mode on Windows 8.1 and higher; harden the local security authority (LSA) to prevent code injection.

Execution Isolation
- Hardware-based Process Isolation [D3-HBPI]
- Mandatory Access Control [D3-MAC]

Tactics: Defense Evasion [TA0005]

Table VII: Chinese state-sponsored cyber actors’ Defensive Evasion TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques	Threat Actor Procedure(s)	Detection and Mitigation Recommendations	Defensive Tactics and Techniques
Deobfuscate/Decode Files or Information [T1140]	Chinese state-sponsored cyber actors were observed using the 7-Zip utility to unzip imported tools and malware files onto the victim device.	Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. Consider blocking, disabling, or monitoring use of 7-Zip.	Detect: Process Analysis Process Spawn Analysis [D3-PSA] Isolate: Execution Isolation Executable Denylisting [D3-EDL]
Hide Artifacts [T1564]	Chinese state-sponsored cyber actors were observed using benign executables which used DLL load-order hijacking to activate the malware installation process.	Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts, such as executables using DLL load-order hijacking that can activate malware. Monitor event and authentication logs for records of hidden artifacts being used. Monitor the file system and shell commands for hidden attribute usage.	Detect: Process Analysis File Access Pattern Analysis [D3-FAPA] Isolate: Execution Isolation Executable Allowlisting [D3-EAL]
Indicator Removal from Host [T1070]	Chinese state-sponsored cyber actors have been observed deleting files using `rm` or `del` commands. Several files that the cyber actors target would be timestomped, in order to show different times compared to when those files were created/used.	Make the environment variables associated with command history read only to ensure that the history is preserved. Recognize timestomping by monitoring the contents of important directories and the attributes of the files. Prevent users from deleting or writing to certain files to stop adversaries from maliciously altering their `~/.bash_history` or `ConsoleHost_history.txt` files. Monitor for command-line deletion functions to correlate with binaries or other files that an adversary may create and later remove. Monitor for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Monitor and record file access requests and file handles. An original file handle can be correlated to a compromise and inconsistencies between file timestamps and previous handles opened to them can be a detection rule.	Detect: Platform Monitoring Operating System Monitoring System File Analysis [D3-SFA] Process Analysis File Access Pattern Analysis [D3-FAPA] Isolate: Execution Isolation Executable Allowlisting [D3-EAL]
Obfuscated Files or Information [T1027]	Chinese state-sponsored cyber actors were observed Base64 encoding files and command strings to evade security measures.	Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after being processed/interpreted.	Detect: Process Analysis File Access Pattern Analysis [D3-FAPA]
Signed Binary Proxy Execution [T1218] `Mshta` [T1218.005] `Rundll32` [T1218.011]	Chinese state-sponsored cyber actors were observed using Microsoft signed binaries, such as `Rundll32`, as a proxy to execute malicious payloads.	Monitor processes for the execution of known proxy binaries (e.g., r`undll32.exe`) and look for anomalous activity that does not follow historically good arguments and loaded DLLs associated with the invocation of the binary.	Detect: Process Analysis File Access Pattern Analysis [D3-FAPA] Process Spawn Analysis [D3-PSA]

Tactics: Credential Access [TA0006]

Table VIII: Chinese state-sponsored cyber actors’ Credential Access TTPs with detection and mitigation recommendations

Threat Actor Technique /
Sub-Techniques Threat Actor Procedure(s) Detection and Mitigation Recommendations Defensive Tactics and Techniques

Threat Actor Technique / Sub-Techniques	Threat Actor Procedure(s)	Detection and Mitigation Recommendations	Defensive Tactics and Techniques
Exploitation for Credential Access [T1212]	Chinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers.	Update and patch software regularly. Use cyber threat intelligence and open-source reporting to determine vulnerabilities that threat actors may be actively targeting and exploiting; patch those vulnerabilities immediately.	Harden: Platform Hardening Software Update [D3-SU] Credential Hardening Multi-factor Authentication [D3-MFA]
OS Credential Dumping [T1003] • LSASS Memory [T1003.001] • NTDS [T1003.003]	Chinese state-sponsored cyber actors were observed targeting the LSASS process or Active directory (`NDST.DIT)` for credential dumping.	Monitor process and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the `NDST.DIT`. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Limit credential overlap across accounts and systems by training users and administrators not to use the same passwords for multiple accounts. Consider disabling or restricting NTLM. Consider disabling `WDigest` authentication. Ensure that domain controllers are backed up and properly secured (e.g., encrypt backups). Implement Credential Guard to protect the LSA secrets from credential dumping on Windows 10. This is not configured by default and requires hardware and firmware system requirements. Enable Protected Process Light for LSA on Windows 8.1 and Windows Server 2012 R2.	Harden: Credential Hardening [D3-CH] Detect: Process Analysis File Access Pattern Analysis [D3-FAPA] System Call Analysis [D3-SCA] Isolate: Execution Isolation Hardware-based Process Isolation [D3-HBPI] Mandatory Access Control [D3-MAC]

Exploitation for Credential Access [T1212]

Chinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers.

Update and patch software regularly.
Use cyber threat intelligence and open-source reporting to determine vulnerabilities that threat actors may be actively targeting and exploiting; patch those vulnerabilities immediately.

Harden:

Platform Hardening
- Software Update [D3-SU]
Credential Hardening
- Multi-factor Authentication [D3-MFA]

OS Credential Dumping [T1003]
• LSASS Memory [T1003.001]
• NTDS [T1003.003]

Chinese state-sponsored cyber actors were observed targeting the LSASS process or Active directory (NDST.DIT) for credential dumping.

Monitor process and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the NDST.DIT.
Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
Limit credential overlap across accounts and systems by training users and administrators not to use the same passwords for multiple accounts.
Consider disabling or restricting NTLM.
Consider disabling WDigest authentication.
Ensure that domain controllers are backed up and properly secured (e.g., encrypt backups).
Implement Credential Guard to protect the LSA secrets from credential dumping on Windows 10. This is not configured by default and requires hardware and firmware system requirements.
Enable Protected Process Light for LSA on Windows 8.1 and Windows Server 2012 R2.

Harden:

Credential Hardening [D3-CH]

Detect:

Process Analysis
- File Access Pattern Analysis [D3-FAPA]
- System Call Analysis [D3-SCA]

Isolate:

Execution Isolation
- Hardware-based Process Isolation [D3-HBPI]
- Mandatory Access Control [D3-MAC]

Tactics: Discovery [TA0007]

Table IX: Chinese state-sponsored cyber actors’ Discovery TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques	Threat Actor Procedure(s)	Detection and Mitigation Recommendations	Defensive Tactics and Techniques
File and Directory Discovery [T1083]	Chinese state-sponsored cyber actors have been observed using multiple implants with file system enumeration and traversal capabilities.	Monitor processes and command-line arguments for actions that could be taken to gather system and network information. WMI and PowerShell should also be monitored.	Detect: User Behavior Analysis Job Function Access Pattern Analysis [D3-JFAPA] Process Analysis Database Query String Analysis [D3-DQSA] File Access Pattern Analysis [D3-FAPA] Process Spawn Analysis [D3-PSA]
Permission Group Discovery [T1069]	Chinese state-sponsored cyber actors have been observed using commands, including `net group` and `net localgroup`, to enumerate the different user groups on the target network.	Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.	Detect: Process Analysis Process Spawn Analysis [D3-PSA] System Call Analysis [D3-SCA] User Behavior Analysis [D3-UBA]
Process Discovery [T1057]	Chinese state-sponsored cyber actors have been observed using commands, including `tasklist`, `jobs`, `ps`, or `taskmgr`, to reveal the running processes on victim devices.	Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.	Detect: Process Analysis Process Spawn Analysis [D3-PSA] System Call Analysis [D3-SCA] User Behavior Analysis [D3-UBA]
Network Service Scanning [T1046]	Chinese state-sponsored cyber actors have been observed using `Nbtscan` and `nmap` to scan and enumerate target network information.	• Ensure that unnecessary ports and services are closed to prevent discovery and potential exploitation. • Use network intrusion detection and prevention systems to detect and prevent remote service scans such as `Nbtscan` or `nmap`. • Ensure proper network segmentation is followed to protect critical servers and devices to help mitigate potential exploitation.	Detect: Network Traffic Analysis Connection Attempt Analysis [D3-CAA] Isolate: Network Isolation Inbound Traffic Filtering [D3-ITF]
Remote System Discovery [T1018]	Chinese state-sponsored cyber actors have been observed using Base-64 encoded commands, including `ping`, `net group`, and `net user` to enumerate target network information.	Monitor for processes that can be used to discover remote systems, such as `ping.exe` and `tracert.exe`, especially when executed in quick succession.	Detect: Process Analysis Process Spawn Analysis [D3-PSA] User Behavior Analysis Job Function Access Pattern Analysis [D3-JFAPA]

Tactics: Lateral Movement [TA0008]

Table X: Chinese state-sponsored cyber actors’ Lateral Movement TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques	Threat Actor Procedure(s)	Detection and Mitigation Recommendations	Defensive Tactics and Techniques
Exploitation of Remote Services [T1210]	Chinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user. Chinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.	Chinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user. Chinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources. Disable or remove unnecessary services. Minimize permissions and access for service accounts. Perform vulnerability scanning and update software regularly. Use threat intelligence and open-source exploitation databases to determine services that are targets for exploitation.	Detect: Network Traffic Analysis Remote Terminal Session Detection [D3-RTSD] User Behavior Analysis [D3-UBA] Isolate: Execution Isolation Mandatory Access Control [D3-MAC]

Threat Actor Technique /
Sub-Techniques

Threat Actor Procedure(s)

Detection and Mitigation Recommendations

Defensive Tactics and Techniques

Exploitation of Remote Services [T1210]

Chinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user.

Chinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.

Disable or remove unnecessary services.
Minimize permissions and access for service accounts.
Perform vulnerability scanning and update software regularly.
Use threat intelligence and open-source exploitation databases to determine services that are targets for exploitation.

Detect:

Network Traffic Analysis
- Remote Terminal Session Detection [D3-RTSD]
User Behavior Analysis [D3-UBA]

Isolate:

Execution Isolation
- Mandatory Access Control [D3-MAC]

Tactics: Collection [TA0009]

Table XI: Chinese state-sponsored cyber actors’ Collection TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques	Threat Actor Procedure(s)	Detection and Mitigation Recommendations	Defensive Tactics and Techniques
Archive Collected Data [T1560]	Chinese state-sponsored cyber actors used compression and encryption of exfiltration files into RAR archives, and subsequently utilizing cloud storage services for storage.	Scan systems to identify unauthorized archival utilities or methods unusual for the environment. Monitor command-line arguments for known archival utilities that are not common in the organization’s environment.	Detect: Process Analysis File Access Pattern Analysis [D3-FAPA] Process Spawn Analysis [D3-PSA] Isolate: Execution Isolation Executable Denylisting [D3-EDL]
Clipboard Data [T1115]	Chinese state-sponsored cyber actors used RDP and execute `rdpclip.exe` to exfiltrate information from the clipboard.	Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity (e.g. excessive use of `pbcopy/pbpaste` (Linux) or `clip.exe` (Windows) run by general users through command line). If possible, disable use of RDP and other file sharing protocols to minimize a malicious actor’s ability to exfiltrate data.	Detect: Network Traffic Analysis Remote Terminal Session Detection [D3-RTSD] Isolate: Network Isolation Inbound Traffic Filtering [D3-ITF] Outbound Traffic Filtering [D3-OTF]
Data Staged [T1074]	Chinese state-sponsored cyber actors have been observed using the `mv` command to export files into a location, like a compromised Microsoft Exchange, IIS, or emplaced webshell prior to compressing and exfiltrating the data from the target network.	Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as using 7-Zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.	Detect: Process Analysis File Access Pattern Analysis [D3-FAPA]
Email Collection [T1114]	Chinese state-sponsored cyber actors have been observed using the `New-MailboxExportReques`t PowerShell cmdlet to export target email boxes.	Audit email auto-forwarding rules for suspicious or unrecognized rulesets. Encrypt email using public key cryptography, where feasible. Use MFA on public-facing mail servers.	Harden: Credential Hardening Multi-factor Authentication [D3-MFA] Message Hardening Message Encryption [D3-MENCR] Detect: Process Analysis [D3-PA]

Tactics: Command and Control [TA0011]

Table XII: Chinese state-sponsored cyber actors’ Command and Control TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques	Threat Actor Procedure(s)	Detection and Mitigation Recommendations	Defensive Tactics and Techniques
Application Layer Protocol [T1071]	Chinese state-sponsored cyber actors have been observed: Using commercial cloud storage services for command and control. Using malware implants that use the Dropbox® API for C2 and a downloader that downloads and executes a payload using the Microsoft OneDrive® API.	Use network intrusion detection and prevention systems with network signatures to identify traffic for specific adversary malware.	Detect: Network Traffic Analysis Client-server Payload Profiling [D3-CSPP] File Carving [D3-FC] Isolate: Network Isolation DNS Denylisting [D3-DNSDL]
Ingress Tool Transfer [T1105]	Chinese state-sponsored cyber actors have been observed importing tools from GitHub or infected domains to victim networks. In some instances. Chinese state-sponsored cyber actors used the Server Message Block (SMB) protocol to import tools into victim networks.	Perform ingress traffic analysis to identify transmissions that are outside of normal network behavior. Do not expose services and protocols (such as File Transfer Protocol [FTP]) to the Internet without strong business justification. Use signature-based network intrusion detection and prevention systems to identify adversary malware coming into the network.	Isolate: Network Isolation Inbound Traffic Filtering [D3-ITF]
Non-Standard Port [T1571]	Chinese state-sponsored cyber actors have been observed using a non-standard SSH port to establish covert communication channels with VPS infrastructure.	Use signature-based network intrusion detection and prevention systems to identify adversary malware calling back to C2. Configure firewalls to limit outgoing traffic to only required ports based on the functions of that network segment. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port.	Detect: Network Traffic Analysis Client-server Payload Profiling [D3-CSPP] Protocol Metadata Anomaly Detection [D3-PMAD] Isolate: Network Isolation Inbound Traffic Filtering [D3-ITF] Outbound Traffic Filtering [D3-OTF]
Protocol Tunneling [T1572]	Chinese state-sponsored cyber actors have been observed using tools like dog-tunnel and `dns2tcp.exe` to conceal C2 traffic with existing network activity.	Monitor systems for connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server)	Detect: Network Traffic Analysis Protocol Metadata Anomaly Detection [D3-PMAD]
Proxy [T1090]: Multi-Hop Proxy [T1090.003]	Chinese state-sponsored cyber actors have been observed using a network of VPSs and small office and home office (SOHO) routers as part of their operational infrastructure to evade detection and host C2 activity. Some of these nodes operate as part of an encrypted proxy service to prevent attribution by concealing their country of origin and TTPs.	Monitor traffic for encrypted communications originating from potentially breached routers to other routers within the organization. Compare the source and destination with the configuration of the device to determine if these channels are authorized VPN connections or other encrypted modes of communication. Alert on traffic to known anonymity networks (such as Tor) or known adversary infrastructure that uses this technique. Use network allow and blocklists to block traffic to known anonymity networks and C2 infrastructure.	Detect: Network Traffic Analysis Protocol Metadata Anomaly Detection [D3-PMAD] Relay Pattern Analysis [D3-RPA] Isolate: Network Isolation Outbound Traffic Filtering [D3-OTF]

Appendix B: MITRE ATT&CK Framework

Figure 2: MITRE ATT&CK Enterprise tactics and techniques used by Chinese state-sponsored cyber actors (Click here for the downloadable JSON file.)

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov.

For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov.

Media Inquiries / Press Desk:
•   NSA Media Relations, 443-634-0721, MediaRelations@nsa.gov
•   CISA Media Relations, 703-235-2010, CISAMedia@cisa.dhs.gov
•   FBI National Press Office, 202-324-3691, npo@fbi.gov

References

[1] FireEye: This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits

Revisions

July 19, 2021: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

alerts

Top CVEs Trending with Cybercriminals

Post author By admin
Post date July 16, 2021

An analysis of criminal forums reveal what publicly known vulnerabilities attackers are most interested in.

Managed Security Services

Cyber Threat Intelligence

iDNA

SiON

About Us

Leadership

Advisors

Cyber Security Assessment

SOC Cost Calculator

Request a Dark Web Report

Cyber Security Threat Alerts

What is Incident Response?

SOC 2 Compliance

Cyber Security Definitions and Terminology

Cyber Security Jobs

Blog

Podcast

Instagram

LinkedIn

Twitter

High Vulnerabilities

Medium Vulnerabilities

Low Vulnerabilities

Severity Not Yet Assigned

Domains

MD5 Malware Hashes

Company

Our services

Resources

Partners

Cyber news

Weekly Newsletter

Subscribe to our weekly newsletter on cyber news and best practices!