1. Remote Code Execution - BIG-IP (CVE-2020-5902) - Urgent [981]
Description: In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
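The affected ranges in that description are closed intervals over four-part BIG-IP version strings, so deciding which of your devices fall inside them is a parse-and-compare job, with one trap: a shorter string such as 15.1.0 must compare as 15.1.0.0 or boundary checks misbehave. The following Python is an added example, not code from F5 or from the page's scoring tool; it parses the ranges exactly as quoted above and runs them over a constructed sample inventory. It makes no claim about fixed releases beyond what the quoted ranges imply.

```python
import re

# Affected-version ranges for CVE-2020-5902, copied verbatim from the description above.
BIGIP_AFFECTED = ("15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, "
                  "12.1.0-12.1.5.1, 11.6.1-11.6.5.1")

# Matches "low-high" pairs of dotted numeric versions.
RANGE_RE = re.compile(r"(\d+(?:\.\d+)*)\s*-\s*(\d+(?:\.\d+)*)")


def parse_version(text, width=4):
    """'15.1.0.3' -> (15, 1, 0, 3). Shorter strings are zero-padded so that
    '15.1.0' sorts as 15.1.0.0 and compares cleanly against a 4-part bound."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) > width:
        raise ValueError(f"more than {width} components in {text!r}")
    return parts + (0,) * (width - len(parts))


def parse_ranges(text):
    """'a-b, c-d' -> [(a, b), (c, d)] as version tuples, each bound inclusive."""
    return [(parse_version(lo), parse_version(hi)) for lo, hi in RANGE_RE.findall(text)]


def affected_range(version, ranges):
    """Return the (low, high) range that contains version, or None if unaffected."""
    v = parse_version(version)
    for lo, hi in ranges:
        if lo <= v <= hi:
            return (lo, hi)
    return None


def is_affected(version, ranges=None):
    """True when version lies inside any affected range (default: CVE-2020-5902)."""
    ranges = parse_ranges(BIGIP_AFFECTED) if ranges is None else ranges
    return affected_range(version, ranges) is not None


def triage(versions, ranges=None):
    """Split an inventory of {host: version} into (affected, clear) dicts."""
    ranges = parse_ranges(BIGIP_AFFECTED) if ranges is None else ranges
    hit = {h: v for h, v in versions.items() if is_affected(v, ranges)}
    clear = {h: v for h, v in versions.items() if h not in hit}
    return hit, clear


if __name__ == "__main__":
    # Constructed sample inventory; the host names and versions are made up.
    inventory = {"lb-edge-1": "15.1.0.3", "lb-edge-2": "15.1.0.4",
                 "lb-core-1": "14.1.2", "lb-lab-1": "16.0.0", "lb-old-1": "11.6.0"}
    hit, clear = triage(inventory)
    print("affected:", hit)
    print("clear:   ", clear)
```

The range text is the only input that changes per advisory, so the same functions apply to any CVE whose affected versions are stated as dotted closed intervals; descriptions that use "X before Y" wording (such as the Pulse Connect Secure entry below) need the bounds rewritten into that form first.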
2. Authentication Bypass - Oracle WebLogic Server (CVE-2020-14882) - Urgent [970]
Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
component | value | weight | comment |
---|---|---|---|
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned at Vulners (AttackerKB object, AttackerKB object), AttackerKB |
Public Exploit Exists | 1.0 | 17 | Public exploit is found at Vulners (Oracle WebLogic Server 12.2.1.0 Remote Code Execution, Oracle WebLogic Server Remote Code Execution, Oracle WebLogic Server Administration Console Handle Remote Code Execution, WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request, Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)) |
Criticality of Vulnerability Type | 0.95 | 15 | Authentication Bypass |
Vulnerable Product is Common | 0.9 | 14 | Unified and extensible platform for developing, deploying and running enterprise applications |
CVSS Base Score | 1.0 | 10 | Vulnerability Severity Rating based on CVSS Base Score is 9.8. Based on NVD data |
3. Remote Code Execution - vSphere Client (CVE-2021-21972) - Urgent [943]
Description: The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
component | value | weight | comment |
---|---|---|---|
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned at Vulners (AttackerKB object), AttackerKB |
Public Exploit Exists | 1.0 | 17 | Public exploit is found at Vulners (VMware vCenter Server 7.0 Arbitrary File Upload, VMware vCenter Server File Upload / Remote Code Execution, VMware vCenter 6.5 / 7.0 Remote Code Execution Proof Of Concept, VMware vCenter Server 7.0 - Unauthenticated File Upload) |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.7 | 14 | vSphere Client |
CVSS Base Score | 1.0 | 10 | Vulnerability Severity Rating based on CVSS Base Score is 9.8. Based on NVD data |
4. Arbitrary File Reading - Pulse Connect Secure (CVE-2019-11510) - Urgent [933]
Description: In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files.
component | value | weight | comment |
---|---|---|---|
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned at Vulners (AttackerKB object, AttackerKB object), AttackerKB |
Public Exploit Exists | 1.0 | 17 | Public exploit is found at Vulners (Pulse Secure SSL VPN 8.1R15.1 / 8.2 / 8.3 / 9.0 Arbitrary File Disclosure, Pulse Secure 8.1R15.18.28.39.0 SSL VPN - Arbitrary File Disclosure (Metasploit), Pulse Connect Secure File Disclosure, Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure Exploit, Pulse Secure VPN Arbitrary File Disclosure, Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (metasploit)) |
Criticality of Vulnerability Type | 0.95 | 15 | Arbitrary File Reading |
Vulnerable Product is Common | 0.7 | 14 | Pulse Connect Secure |
CVSS Base Score | 1.0 | 10 | Vulnerability Severity Rating based on CVSS Base Score is 10.0. Based on NVD data |
5. Path Traversal - Fortinet FortiOS (CVE-2018-13379) - Urgent [859]
Description: An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 under the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.
6. Path Traversal - Citrix Application Delivery Controller (CVE-2019-19781) - Urgent [859]
Description: An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
7. Command Injection - VMware Workspace One (CVE-2020-4006) - Critical [731]
Description: VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector have a command injection vulnerability.
component | value | weight | comment |
---|---|---|---|
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned at Vulners (AttackerKB object), AttackerKB |
Public Exploit Exists | 0 | 17 | Public exploit is NOT found at Vulners website |
Criticality of Vulnerability Type | 0.97 | 15 | Command Injection |
Vulnerable Product is Common | 0.9 | 14 | Virtualization |
CVSS Base Score | 0.9 | 10 | Vulnerability Severity Rating based on CVSS Base Score is 9.1. Based on NVD data |
8. Authentication Bypass - Oracle WebLogic Server (CVE-2019-2725) - Critical [727]
Description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
9. XXE Injection - Zimbra Collaboration Suite (CVE-2019-9670) - Critical [693]
Description: mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability.
component | value | weight | comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT found at Vulners, Microsoft and AttackerKB websites |
Public Exploit Exists | 1.0 | 17 | Public exploit is found at Vulners (Zimbra Collaboration Autodiscover Servlet XXE / ProxyServlet SSRF, Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit), Zimbra Collaboration Autodiscover Servlet XXE / ProxyServlet SSRF Exploit, Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF) |
Criticality of Vulnerability Type | 0.97 | 15 | XXE Injection |
Vulnerable Product is Common | 0.7 | 14 | Zimbra Collaboration Suite |
CVSS Base Score | 1.0 | 10 | Vulnerability Severity Rating based on CVSS Base Score is 9.8. Based on NVD data |
10. Information Disclosure - Cisco Small Business Router (CVE-2019-1653) - High [551]
Description: A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.
11. Remote Code Execution - Kibana (CVE-2019-7609) - High [508]
Description: Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
component | value | weight | comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT found at Vulners, Microsoft and AttackerKB websites |
Public Exploit Exists | 0 | 17 | Public exploit is NOT found at Vulners website |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.9 | 14 | Data visualization dashboard software |
CVSS Base Score | 1.0 | 10 | Vulnerability Severity Rating based on CVSS Base Score is 10.0. Based on NVD data |
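Every component table on this page uses the same five weights (18, 17, 15, 14, 10), and each entry's bracketed score is reproducible from its table as the weighted average of the component values, scaled to 1000 and truncated (CVE-2020-14882 works out to 970.9 and is printed as 970, so it is truncation, not rounding). The following Python is an added example that reconstructs that calculation from the six tables shown above; it is not the scoring tool's own code. The severity thresholds in `level()` are an assumption: the page never states them, it only shows which scores landed in Urgent, Critical and High, and the assumed cut-offs are checked against those. `what_if()` shows how far one new fact, such as a public exploit for the Kibana entry, moves the score.

```python
from fractions import Fraction

# Weights of the five scoring components, exactly as printed in the tables above.
WEIGHTS = {
    "Exploited in the Wild": 18,
    "Public Exploit Exists": 17,
    "Criticality of Vulnerability Type": 15,
    "Vulnerable Product is Common": 14,
    "CVSS Base Score": 10,
}

# Component values copied from the tables on this page; entries whose table is not
# shown are omitted. Values stay as strings so Fraction() reads them exactly.
PAGE_TABLES = {
    "CVE-2020-14882": {"Exploited in the Wild": "1.0", "Public Exploit Exists": "1.0",
                       "Criticality of Vulnerability Type": "0.95",
                       "Vulnerable Product is Common": "0.9", "CVSS Base Score": "1.0"},
    "CVE-2021-21972": {"Exploited in the Wild": "1.0", "Public Exploit Exists": "1.0",
                       "Criticality of Vulnerability Type": "1.0",
                       "Vulnerable Product is Common": "0.7", "CVSS Base Score": "1.0"},
    "CVE-2019-11510": {"Exploited in the Wild": "1.0", "Public Exploit Exists": "1.0",
                       "Criticality of Vulnerability Type": "0.95",
                       "Vulnerable Product is Common": "0.7", "CVSS Base Score": "1.0"},
    "CVE-2020-4006":  {"Exploited in the Wild": "1.0", "Public Exploit Exists": "0",
                       "Criticality of Vulnerability Type": "0.97",
                       "Vulnerable Product is Common": "0.9", "CVSS Base Score": "0.9"},
    "CVE-2019-9670":  {"Exploited in the Wild": "0", "Public Exploit Exists": "1.0",
                       "Criticality of Vulnerability Type": "0.97",
                       "Vulnerable Product is Common": "0.7", "CVSS Base Score": "1.0"},
    "CVE-2019-7609":  {"Exploited in the Wild": "0", "Public Exploit Exists": "0",
                       "Criticality of Vulnerability Type": "1.0",
                       "Vulnerable Product is Common": "0.9", "CVSS Base Score": "1.0"},
}

# Scores printed in brackets beside the same entries, used to check the reconstruction.
PAGE_SCORES = {"CVE-2020-14882": 970, "CVE-2021-21972": 943, "CVE-2019-11510": 933,
               "CVE-2020-4006": 731, "CVE-2019-9670": 693, "CVE-2019-7609": 508}


def score(values):
    """Weighted average of the component values, scaled to 0..1000 and truncated.
    int() truncates on purpose: rounding would give 971 for CVE-2020-14882."""
    weighted = sum(Fraction(v) * WEIGHTS[name] for name, v in values.items())
    total_weight = sum(WEIGHTS[name] for name in values)
    return int(weighted * 1000 / total_weight)


def level(points):
    """Map a 0..1000 score to the page's severity labels.
    ASSUMED thresholds: the page does not state them; they merely agree with
    every entry above (859+ Urgent, 693..731 Critical, 508..551 High)."""
    if points >= 800:
        return "Urgent"
    if points >= 600:
        return "Critical"
    if points >= 400:
        return "High"
    if points >= 200:
        return "Medium"
    return "Low"


def contributions(values):
    """Points each component adds to the final score, largest first."""
    total_weight = sum(WEIGHTS[name] for name in values)
    parts = {name: float(Fraction(v) * WEIGHTS[name] * 1000 / total_weight)
             for name, v in values.items()}
    return sorted(parts.items(), key=lambda kv: kv[1], reverse=True)


def what_if(cve, component, new_value):
    """Re-score an entry with one component changed, e.g. a public exploit appearing."""
    values = dict(PAGE_TABLES[cve])
    values[component] = new_value
    return score(values)


def check_against_page():
    """Return {cve: (reconstructed, printed)} for every entry that fails to reproduce."""
    return {cve: (score(vals), PAGE_SCORES[cve])
            for cve, vals in PAGE_TABLES.items() if score(vals) != PAGE_SCORES[cve]}


if __name__ == "__main__":
    for cve, vals in PAGE_TABLES.items():
        s = score(vals)
        print(f"{cve}: {s} {level(s)} (page: {PAGE_SCORES[cve]})")
    print("mismatches:", check_against_page())
    # Kibana has neither in-the-wild exploitation nor a public exploit; a single
    # public PoC would move it from High into Critical.
    print("CVE-2019-7609 with a public exploit:",
          what_if("CVE-2019-7609", "Public Exploit Exists", "1.0"))
```

Two things worth noticing from the reconstruction: the two exploit-related components carry 35 of the 74 weight points, so evidence of exploitation dominates the ranking, and a CVSS 10.0 with no exploit evidence (the Kibana entry) still lands well below a CVSS 9.1 with confirmed in-the-wild exploitation (the Workspace One entry).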