CVSS: 10.0EPSS: 94%CPEs: 398EXPL: 416CVE-2021-44228 – Apache Log4j2 Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-44228
10 Dec 2021 — Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.... • https://packetstorm.news/files/id/171626 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption CWE-502: Deserialization of Untrusted Data CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVSS: 5.5EPSS: 0%CPEs: 42EXPL: 0CVE-2021-1546 – Cisco SD-WAN Software Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-1546
23 Sep 2021 — A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to access sensitive information. This vulnerability is due to improper protections on file access through the CLI. An attacker could exploit this vulnerability by running a CLI command that targets an arbitrary file on the local system. A successful exploit could allow the attacker to return portions of an arbitrary file, possibly resulting in the disclosure of sensitive information. Una vulnerabilidad en la CLI... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-Fhqh8pKX • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-34712 – Cisco SD-WAN vManage Software Cypher Query Language Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-34712
23 Sep 2021 — A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct cypher query language injection attacks on an affected system. This vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the interface of an affected system. A successful exploit could allow the attacker to obtain sensitive information. Una vulner... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-jOsuRJCc • CWE-943: Improper Neutralization of Special Elements in Data Query Logic •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-1535 – Cisco SD-WAN vManage Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-1535
06 May 2021 — A vulnerability in the cluster management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to view sensitive information on an affected system. To be affected by this vulnerability, the Cisco SD-WAN vManage Software must be in cluster mode. This vulnerability is due to the absence of authentication for sensitive information in the cluster management interface. An attacker could exploit this vulnerability by sending a crafted request to the cluster management interfa... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vmanageinfdis-LKrFpbv • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-1507 – Cisco SD-WAN vManage API Stored Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2021-1507
06 May 2021 — A vulnerability in an API of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the application web-based interface. This vulnerability exists because the API does not properly validate user-supplied input. An attacker could exploit this vulnerability by sending malicious input to the API. A successful exploit could allow the attacker to execute arbitrary script code in the context of the web-based interface or a... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-xss-eN75jxtW • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •