Report Name: no_cve_incident_bdu report
Generated: 2024-04-02 03:39:53

Vulristics Vulnerability Scores
Basic Vulnerability Scores
Products

Columns U, C, H, M, L and A give the number of the product's vulnerabilities rated Urgent, Critical, High, Medium and Low, and the total (All); cells that were empty in the source table are shown as "-".

Product Name | Prevalence | U | C | H | M | L | A | Comment
Google Chrome | 0.8 | 1 | - | - | - | - | 1 | Google Chrome is a popular, free web browser developed by Google. It was first released in 2008 and is available for various operating systems, including Microsoft Windows, Apple macOS, Linux, Android, and iOS.
1С-Битрикс: Управление сайтом | 0.7 | - | 1 | - | - | - | 1 | Web project content management system (CMS) for websites and online stores
Autodesk 3ds Max | 0.6 | 1 | - | - | - | - | 1 | Autodesk 3ds Max, formerly 3D Studio and 3D Studio Max, is a professional 3D computer graphics program for making 3D animations, models, games and images
PySyft | 0.6 | - | 1 | - | - | - | 1 | PySyft is an open-source Python library for secure and private Deep Learning
Apache Dubbo | 0.5 | - | 1 | - | - | - | 1 | Apache Dubbo is an easy-to-use, high-performance web and RPC framework with built-in service discovery, traffic management, observability, security features, tools and best practices for building enterprise-level microservices
Casdoor | 0.5 | - | 1 | - | - | - | 1 | Casdoor is an open-source UI-first Identity Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, RADIUS, Google Workspace, Active Directory and Kerberos
Centreon | 0.5 | - | 1 | - | - | - | 1 | Centreon is an open-source network, system and application monitoring tool
Google Web Toolkit (GWT) | 0.5 | - | 1 | - | - | - | 1 | Google Web Toolkit, or GWT Web Toolkit, is an open-source set of tools that allows web developers to create and maintain JavaScript front-end applications in Java
ManageEngine ServiceDesk Plus | 0.5 | - | 1 | - | - | - | 1 | Zoho ManageEngine ServiceDesk Plus is a unified service management platform for the digital enterprise
iMind | 0.5 | - | 1 | - | - | - | 1 | iMind is a browser-based service for webinars and video conferencing
nginx | 0.5 | - | 1 | - | - | - | 1 | Nginx is an open-source web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache
ntopng | 0.5 | - | 2 | - | - | - | 2 | ntopng is an open-source computer software for monitoring traffic on a computer network
spip | 0.5 | - | 1 | - | - | - | 1 | SPIP is an open-source software content management system designed for web site publishing, oriented towards online collaborative editing
Visa Tokenisation Service (VTS) | 0.4 | - | - | 1 | - | - | 1 | The Visa Token Service (VTS) is a Visa-powered security technology that substitutes sensitive account data, such as the 16-digit account number, with a unique token that safeguards the underlying card details from being compromised
Zulip Server | 0.4 | - | 1 | - | - | - | 1 | Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make remote work productive and delightful
Online-Exam-System | 0.3 | - | 1 | - | - | - | 1 | An open-source online examination system: a PHP application for setting up online quizzes, with many features


Vulnerability Types

Vulnerability Type | Criticality | U | C | H | M | L | A
Remote Code Execution | 1.0 | 2 | 7 | - | - | - | 9
Authentication Bypass | 0.98 | - | 2 | - | - | - | 2
Code Injection | 0.97 | - | 2 | - | - | - | 2
Command Injection | 0.97 | - | 1 | - | - | - | 1
Security Feature Bypass | 0.9 | - | 1 | 1 | - | - | 2
Denial of Service | 0.7 | - | 1 | - | - | - | 1


Vulnerabilities

Urgent (2)

1. Remote Code Execution - Google Chrome (BDU:2022-03225) - Urgent [847]

Description: Zero-day vulnerability in the V8 JavaScript engine of the Google Chrome browser is caused by a use-after-free condition. Exploitation may allow a remote attacker to execute arbitrary code.

Component | Value | Weight | Comment
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on the BDU website
Public Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned in the BDU:PublicExploit data source
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.8 | 14 | Google Chrome is a popular, free web browser developed by Google. It was first released in 2008 and is available for various operating systems, including Microsoft Windows, Apple macOS, Linux, Android, and iOS.
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8, according to the BDU data source
EPSS Percentile | 0 | 10 | EPSS data is not available
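How the bracketed score after each heading is produced, as an added example that is not Vulristics' own code: the formula below is reconstructed from the component tables in this report, score = floor(1000 * sum(value * weight) / sum(weight)), with the six printed weights summing to 84. The level boundaries 800/600/400/200 are an assumption that matches this report's levels (847 and 814 Urgent, 724 down to 619 Critical, 590 High), not a documented Vulristics setting; the component values are transcribed from the tables on this page.

```python
"""Reconstruction of the weighted score printed in brackets after each heading.

Added example, not Vulristics' own code: the formula is inferred from the
component tables in this report (score = floor(1000 * sum(value * weight) /
sum(weight)), six weights summing to 84). The level boundaries are an
assumption that is consistent with this report's data.
"""
from fractions import Fraction

# Component weights exactly as printed in every component table of this report.
WEIGHTS = {
    "Exploited in the Wild": 18,
    "Public Exploit Exists": 17,
    "Criticality of Vulnerability Type": 15,
    "Vulnerable Product is Common": 14,
    "CVSS Base Score": 10,
    "EPSS Percentile": 10,
}
WEIGHT_SUM = sum(WEIGHTS.values())  # 84

# Assumed level boundaries on the 0..1000 scale (inferred from this report, not documented here).
LEVELS = ((800, "Urgent"), (600, "Critical"), (400, "High"), (200, "Medium"), (0, "Low"))


def vulristics_score(components: dict[str, float]) -> int:
    """Weighted sum of the six component values, scaled to 0..1000 and truncated."""
    if set(components) != set(WEIGHTS):
        raise ValueError(f"unexpected component set: {sorted(set(components) ^ set(WEIGHTS))}")
    for name, value in components.items():
        if not 0 <= value <= 1:
            raise ValueError(f"{name}: value {value} outside 0..1")
    # Exact arithmetic on the printed decimals, so the truncation cannot be
    # disturbed by float drift (57/84 -> 678.57 -> 678, as in the Casdoor row).
    total = sum(Fraction(str(value)) * WEIGHTS[name] for name, value in components.items())
    return int(total * 1000 / WEIGHT_SUM)


def level(score: int) -> str:
    """Map a 0..1000 score to the report's level names using the assumed boundaries."""
    for bound, name in LEVELS:
        if score >= bound:
            return name
    raise ValueError("score must not be negative")


def components(itw, exploit, vuln_type, product, cvss, epss=0.0):
    """Build a component dict in the order the report prints the rows."""
    return dict(zip(WEIGHTS, (itw, exploit, vuln_type, product, cvss, epss)))


# Component values transcribed from this report's tables (printed score in comments).
REPORT = {
    "BDU:2022-03225": components(1.0, 1.0, 1.0, 0.8, 1.0),   # Google Chrome RCE, [847]
    "BDU:2021-04002": components(1.0, 1.0, 1.0, 0.6, 1.0),   # Autodesk 3ds Max RCE, [814]
    "BDU:2023-05857": components(1.0, 0.5, 0.97, 0.7, 1.0),  # 1C-Bitrix command injection, [724]
    "BDU:2020-02931": components(1.0, 0.5, 1.0, 0.6, 0.8),   # PySyft RCE, [689]
    "BDU:2022-05473": components(1.0, 0.5, 0.9, 0.5, 1.0),   # Casdoor SFB, [678]
    "BDU:2020-02809": components(1.0, 0.5, 0.98, 0.4, 0.9),  # Zulip Server auth bypass, [664]
    "BDU:2021-05930": components(1.0, 0.5, 0.9, 0.4, 0.4),   # VTS SFB, [590]
}


def score_report(entries: dict[str, dict[str, float]] = REPORT) -> dict[str, tuple[int, str]]:
    """Score every entry and attach its level."""
    out = {}
    for bdu, comps in entries.items():
        s = vulristics_score(comps)
        out[bdu] = (s, level(s))
    return out


def ceiling_without(component: str) -> int:
    """Highest score reachable while one component is 0 and every other one is 1.0.

    Every entry in this report has 'EPSS data is not available' (value 0), so
    none of them can exceed this ceiling for "EPSS Percentile".
    """
    comps = {name: 1.0 for name in WEIGHTS}
    comps[component] = 0.0
    return vulristics_score(comps)


if __name__ == "__main__":
    for bdu, (score, lvl) in score_report().items():
        print(f"{bdu}: {score} {lvl}")
    print("ceiling with EPSS unknown:", ceiling_without("EPSS Percentile"))
```

Two things the table alone does not make obvious: the printed number is truncated rather than rounded (the Casdoor row is 678.57 and prints as 678), and because EPSS is missing for every entry on this page, no entry here can score above 880.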

2. Remote Code Execution - Autodesk 3ds Max (BDU:2021-04002) - Urgent [814]

Description: Vulnerability in the MSCPROP.DLL library of the Autodesk 3ds Max 3D modelling, animation and rendering software is caused by errors in request processing. Exploitation may allow a remote attacker to execute arbitrary code.

Component | Value | Weight | Comment
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on the BDU website
Public Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned in the BDU:PublicExploit data source
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.6 | 14 | Autodesk 3ds Max, formerly 3D Studio and 3D Studio Max, is a professional 3D computer graphics program for making 3D animations, models, games and images
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8, according to the BDU data source
EPSS Percentile | 0 | 10 | EPSS data is not available

Critical (14)

3. Command Injection - 1С-Битрикс: Управление сайтом (BDU:2023-05857) - Critical [724]

Description: Vulnerability in the landing module of the 1С-Битрикс: Управление сайтом content management system (CMS) is caused by synchronization errors when using a shared resource. Exploitation may allow a remote attacker to execute OS commands on the vulnerable host, take control of its resources and penetrate the internal network.

Component | Value | Weight | Comment
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on the BDU website
Public Exploit Exists | 0.5 | 17 | The existence of a private exploit is mentioned in the BDU:PrivateExploit data source
Criticality of Vulnerability Type | 0.97 | 15 | Command Injection
Vulnerable Product is Common | 0.7 | 14 | Web project content management system (CMS) for websites and online stores
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 10.0, according to the BDU data source
EPSS Percentile | 0 | 10 | EPSS data is not available

4. Remote Code Execution - Apache Dubbo (BDU:2021-00817) - Critical [696]

Description: Vulnerability in the Apache Dubbo RPC framework is caused by insufficient validation of input data received over the Dubbo protocol. Exploitation may allow a remote attacker to execute arbitrary code.

Component | Value | Weight | Comment
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on the BDU website
Public Exploit Exists | 0.5 | 17 | The existence of a private exploit is mentioned in the BDU:PrivateExploit data source
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.5 | 14 | Apache Dubbo is an easy-to-use, high-performance web and RPC framework with built-in service discovery, traffic management, observability, security features, tools and best practices for building enterprise-level microservices
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8, according to the BDU data source
EPSS Percentile | 0 | 10 | EPSS data is not available

5. Remote Code Execution - Google Web Toolkit (GWT) (BDU:2023-09109) - Critical [696]

Description: Vulnerability in the implementation of enhanced classes in Google Web Toolkit (GWT), a Java framework for building and optimizing browser applications, is caused by flaws in the deserialization mechanism when the Base64 encoding standard is used. Exploitation may allow a remote attacker to read, modify or delete data, execute arbitrary code or cause a denial of service.

Component | Value | Weight | Comment
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on the BDU website
Public Exploit Exists | 0.5 | 17 | The existence of a private exploit is mentioned in the BDU:PrivateExploit data source
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.5 | 14 | Google Web Toolkit, or GWT Web Toolkit, is an open-source set of tools that allows web developers to create and maintain JavaScript front-end applications in Java
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.6, according to the BDU data source
EPSS Percentile | 0 | 10 | EPSS data is not available

6. Remote Code Execution - iMind (BDU:2023-05317) - Critical [696]

Description: Vulnerability in the iMind video conferencing software is caused by the possibility of code or data injection. Exploitation may allow a remote attacker to execute arbitrary code with administrative privileges.

Component | Value | Weight | Comment
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on the BDU website
Public Exploit Exists | 0.5 | 17 | The existence of a private exploit is mentioned in the BDU:PrivateExploit data source
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.5 | 14 | iMind is a browser-based service for webinars and video conferencing
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8, according to the BDU data source
EPSS Percentile | 0 | 10 | EPSS data is not available

7. Remote Code Execution - nginx (BDU:2022-02111) - Critical [696]

Description: Vulnerability in the LDAP-auth daemon implementation for the nginx HTTP server is caused by errors in the code. Exploitation may allow a remote attacker to execute arbitrary code on the vulnerable system.

Component | Value | Weight | Comment
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on the BDU website
Public Exploit Exists | 0.5 | 17 | The existence of a private exploit is mentioned in the BDU:PrivateExploit data source
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.5 | 14 | Nginx is an open-source web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8, according to the BDU data source
EPSS Percentile | 0 | 10 | EPSS data is not available

8. Remote Code Execution - ntopng (BDU:2020-05515) - Critical [696]

Description: Vulnerability in the ntopng network traffic monitoring tool is caused by a use-after-free condition. Exploitation may allow a remote attacker to execute arbitrary code.

Component | Value | Weight | Comment
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on the BDU website
Public Exploit Exists | 0.5 | 17 | Exploit existence is NOT mentioned in the available data sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.5 | 14 | ntopng is an open-source computer software for monitoring traffic on a computer network
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8, according to the BDU data source
EPSS Percentile | 0 | 10 | EPSS data is not available

9. Remote Code Execution - spip (BDU:2022-07420) - Critical [696]

Description: Vulnerability in the SPIP content management system is caused by improper control of code generation. Exploitation may allow a remote attacker to execute arbitrary code by sending a specially crafted request.

Component | Value | Weight | Comment
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on the BDU website
Public Exploit Exists | 0.5 | 17 | The existence of a private exploit is mentioned in the BDU:PrivateExploit data source
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.5 | 14 | SPIP is an open-source software content management system designed for web site publishing, oriented towards online collaborative editing
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8, according to the BDU data source
EPSS Percentile | 0 | 10 | EPSS data is not available

10. Code Injection - Centreon (BDU:2022-07421) - Critical [691]

Description: Vulnerability in the Centreon IT infrastructure monitoring software is caused by failure to protect the structure of SQL queries (SQL injection). Exploitation may allow a remote attacker to execute arbitrary SQL queries.

Component | Value | Weight | Comment
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on the BDU website
Public Exploit Exists | 0.5 | 17 | The existence of a private exploit is mentioned in the BDU:PrivateExploit data source
Criticality of Vulnerability Type | 0.97 | 15 | Code Injection
Vulnerable Product is Common | 0.5 | 14 | Centreon is an open-source network, system and application monitoring tool
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8, according to the BDU data source
EPSS Percentile | 0 | 10 | EPSS data is not available

11. Remote Code Execution - PySyft (BDU:2020-02931) - Critical [689]

Description: Vulnerability in the eval function of PySyft, a Python library for secure and private machine learning, is caused by insufficient validation of user-supplied data. Exploitation may allow a remote attacker to execute arbitrary code by sending a specially crafted malicious request.

Component | Value | Weight | Comment
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on the BDU website
Public Exploit Exists | 0.5 | 17 | Exploit existence is NOT mentioned in the available data sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.6 | 14 | PySyft is an open-source Python library for secure and private Deep Learning
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.1, according to the BDU data source
EPSS Percentile | 0 | 10 | EPSS data is not available
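The eval()-on-untrusted-input pattern named in the description above, as an added example that is not PySyft's code: the "shape" request field and its expected format (a tuple of positive integers carried as text) are hypothetical. It puts an eval()-based decoder next to one that accepts only a Python literal and then validates type, length and range, which is the fix for this class of weakness.

```python
"""eval() on a request field versus a literal-only parser with validation.

Added example, not PySyft's code: the 'shape' field and its expected format (a
tuple of positive ints carried as text) are hypothetical, chosen to show the
weakness class behind BDU:2020-02931: insufficient validation of user-supplied
data that reaches eval().
"""
import ast

MAX_FIELD_LEN = 256  # assumed upper bound for the field; also bounds parser work
MAX_DIMS = 8         # assumed upper bound on tensor rank


def decode_shape_unsafe(field: str):
    """Vulnerable: eval() executes whatever expression the sender put in the field."""
    return eval(field)  # deliberately insecure, kept for contrast


def decode_shape_safe(field: str) -> tuple[int, ...]:
    """Hardened: parse as a Python literal only, then check type, size and range."""
    if len(field) > MAX_FIELD_LEN:
        raise ValueError("shape field too long")
    try:
        # literal_eval accepts only literals: no names, calls, attributes or operators,
        # so "__import__('os')..." or "[1]*10**9" fail here instead of running.
        value = ast.literal_eval(field)
    except (ValueError, SyntaxError, RecursionError, MemoryError) as exc:
        raise ValueError("shape is not a literal") from exc
    if not isinstance(value, (tuple, list)) or not 0 < len(value) <= MAX_DIMS:
        raise ValueError(f"shape must be a sequence of 1..{MAX_DIMS} dimensions")
    # bool is a subclass of int, so it has to be excluded explicitly.
    if not all(isinstance(d, int) and not isinstance(d, bool) and d > 0 for d in value):
        raise ValueError("every dimension must be a positive int")
    return tuple(value)


# Constructed inputs: an honest client and an attacker-controlled field. The
# malicious one is a harmless stand-in for any expression an attacker would send.
BENIGN = "(2, 3)"
MALICIOUS = "__import__('math').factorial(5)"


def demo() -> dict[str, object]:
    results: dict[str, object] = {
        "unsafe_benign": decode_shape_unsafe(BENIGN),
        "unsafe_malicious": decode_shape_unsafe(MALICIOUS),  # attacker expression ran: 120
        "safe_benign": decode_shape_safe(BENIGN),
    }
    for label, field in (
        ("safe_malicious", MALICIOUS),
        ("safe_negative", "(2, -3)"),
        ("safe_bool", "(True, 3)"),
    ):
        try:
            results[label] = decode_shape_safe(field)
        except ValueError as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome!r}")
```

ast.literal_eval alone is not the whole fix: it still accepts negative numbers, booleans, strings and arbitrarily large or deeply nested literals, which is why the length cap and the per-element checks follow it.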

12. Security Feature Bypass - Casdoor (BDU:2022-05473) - Critical [678]

Description: Vulnerability in the Casdoor IAM and SSO platform is caused by unrestricted upload of files of a dangerous type. Exploitation may allow a remote attacker to upload and run an arbitrary file on the target system.

Component | Value | Weight | Comment
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on the BDU website
Public Exploit Exists | 0.5 | 17 | The existence of a private exploit is mentioned in the BDU:PrivateExploit data source
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass
Vulnerable Product is Common | 0.5 | 14 | Casdoor is an open-source UI-first Identity Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, RADIUS, Google Workspace, Active Directory and Kerberos
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8, according to the BDU data source
EPSS Percentile | 0 | 10 | EPSS data is not available
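An upload check for the weakness class in the description above, as an added example that is not Casdoor's code: the allowed image types, the size limit and the random storage name are assumptions. It requires the extension to be on an allow-list and the file's leading bytes to match that type, rejects double extensions and path components, and never stores the client-supplied file name.

```python
"""Upload validation for the weakness class behind BDU:2022-05473.

Added example, not Casdoor's code: the allowed types, the size limit and the
storage naming are assumptions. The check accepts a file only when its
extension is allow-listed AND its content starts with that type's magic bytes,
refuses double extensions and directory components, and returns a server-chosen
random name so the client never controls what is written to disk.
"""
import secrets
from pathlib import PurePosixPath

# Allow-list: extension -> bytes the content must start with (assumed set).
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for avatar-sized images


def validate_upload(client_filename: str, data: bytes) -> str:
    """Return the random name to store the file under, or raise ValueError."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    # Keep only the final path component; '../' and absolute paths are discarded.
    name = PurePosixPath(client_filename.replace("\\", "/")).name
    if name in ("", ".", ".."):
        raise ValueError("empty or invalid file name")
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if len(suffixes) != 1:
        # 'x.png.php', 'x.php.png' and names without any extension all stop here.
        raise ValueError(f"exactly one extension required, got {suffixes}")
    ext = suffixes[0]
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} is not allowed")
    if not data.startswith(ALLOWED[ext]):
        # Extension claims an image, the bytes say otherwise (a script renamed to .png).
        raise ValueError("content does not match the declared type")
    return secrets.token_hex(16) + ext


def check_many(samples: dict[str, tuple[str, bytes]]) -> dict[str, str]:
    """Run validate_upload over labelled samples; 'stored' or 'rejected: <reason>'."""
    results = {}
    for label, (filename, data) in samples.items():
        try:
            validate_upload(filename, data)
            results[label] = "stored"
        except ValueError as exc:
            results[label] = f"rejected: {exc}"
    return results


# Constructed samples: a genuine PNG header and several disguised scripts.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SCRIPT = b"<?php system($_GET['c']); ?>"
SAMPLES = {
    "good_png": ("avatar.png", PNG),
    "script_ext": ("avatar.php", SCRIPT),
    "double_ext": ("avatar.png.php", PNG),
    "renamed_script": ("avatar.png", SCRIPT),
    "traversal": ("../../webroot/evil.png", PNG),  # path dropped; valid PNG stored under a random name
    "no_ext": ("avatar", PNG),
}

if __name__ == "__main__":
    for label, outcome in check_many(SAMPLES).items():
        print(f"{label}: {outcome}")
```

The returned name is what the server writes; the upload directory should additionally be served without script execution, since content checks on the first bytes cannot rule out a polyglot file that is both a valid image and interpretable by a server-side handler.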

13. Authentication Bypass - ManageEngine ServiceDesk Plus (BDU:2020-02930) - Critical [669]

Description: Vulnerability in the OAuth protocol implementation of the Zoho ManageEngine ServiceDesk Plus IT service management system is caused by flaws in the authentication procedure. Exploitation may allow a remote attacker to gain unauthorized access to protected information.

Component | Value | Weight | Comment
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on the BDU website
Public Exploit Exists | 0.5 | 17 | Exploit existence is NOT mentioned in the available data sources
Criticality of Vulnerability Type | 0.98 | 15 | Authentication Bypass
Vulnerable Product is Common | 0.5 | 14 | Zoho ManageEngine ServiceDesk Plus is a unified service management platform for the digital enterprise
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5, according to the BDU data source
EPSS Percentile | 0 | 10 | EPSS data is not available

14. Authentication Bypass - Zulip Server (BDU:2020-02809) - Critical [664]

Description: Vulnerability in the implementation of the «invite_by_admins_only» permission in the Zulip Server group chat application is caused by flaws in access control. Exploitation may allow a remote attacker to gain unauthorized access to protected information.

Component | Value | Weight | Comment
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on the BDU website
Public Exploit Exists | 0.5 | 17 | Exploit existence is NOT mentioned in the available data sources
Criticality of Vulnerability Type | 0.98 | 15 | Authentication Bypass
Vulnerable Product is Common | 0.4 | 14 | Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make remote work productive and delightful
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8, according to the BDU data source
EPSS Percentile | 0 | 10 | EPSS data is not available

15. Code Injection - Online-Exam-System (BDU:2020-04466) - Critical [657]

Description: Vulnerability in the «fid» parameter (dash.php) of the Online-Exam-System online examination software is caused by failure to protect the structure of SQL queries (SQL injection). Exploitation may allow a remote attacker to execute arbitrary SQL queries.

Component | Value | Weight | Comment
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on the BDU website
Public Exploit Exists | 0.5 | 17 | Exploit existence is NOT mentioned in the available data sources
Criticality of Vulnerability Type | 0.97 | 15 | Code Injection
Vulnerable Product is Common | 0.3 | 14 | An open-source online examination system: a PHP application for setting up online quizzes, with many features
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8, according to the BDU data source
EPSS Percentile | 0 | 10 | EPSS data is not available
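The SQL query-structure weakness described for Centreon (BDU:2022-07421) above and for the «fid» parameter here, as an added example written in Python rather than the products' PHP and not taken from either product: the exams table, the owner column, the queries and the payload are constructed for illustration. It shows why splicing the parameter into the SQL text lets a quoted payload widen the WHERE clause to another user's rows, and that binding the same value as a parameter leaves the payload inert.

```python
"""SQL injection versus a parameterized query, in miniature.

Added example, not Centreon's or Online-Exam-System's code: the exams table,
the owner column and both queries are constructed to illustrate the weakness
class only (failure to protect the structure of an SQL query).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with rows belonging to two different users (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE exams (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, title TEXT NOT NULL);
        INSERT INTO exams VALUES (1, 'alice', 'Algebra midterm');
        INSERT INTO exams VALUES (2, 'bob',   'Chemistry final');
        INSERT INTO exams VALUES (3, 'bob',   'Biology quiz');
        """
    )
    return conn


def exam_titles_vulnerable(conn: sqlite3.Connection, owner: str, fid: str) -> list[str]:
    """Vulnerable: the request parameter is spliced into the SQL text, so a quote
    inside it changes the query's structure instead of being compared as a value."""
    sql = f"SELECT title FROM exams WHERE owner = '{owner}' AND id = '{fid}'"
    return [row[0] for row in conn.execute(sql)]


def exam_titles_fixed(conn: sqlite3.Connection, owner: str, fid: str) -> list[str]:
    """Fixed: the SQL text is constant and the values travel as bound parameters,
    so the database never parses attacker-controlled bytes as SQL."""
    sql = "SELECT title FROM exams WHERE owner = ? AND id = ?"
    return [row[0] for row in conn.execute(sql, (owner, fid))]


# Constructed payload: closes the quoted literal and appends an always-true OR,
# which outranks the owner check because AND binds tighter than OR.
PAYLOAD = "1' OR '1'='1"


def demo() -> dict[str, list[str]]:
    conn = make_db()
    return {
        "vulnerable_honest": exam_titles_vulnerable(conn, "alice", "1"),
        "vulnerable_attack": exam_titles_vulnerable(conn, "alice", PAYLOAD),  # leaks bob's rows
        "fixed_honest": exam_titles_fixed(conn, "alice", "1"),
        "fixed_attack": exam_titles_fixed(conn, "alice", PAYLOAD),  # no row has that id
    }


if __name__ == "__main__":
    for case, titles in demo().items():
        print(f"{case}: {titles}")
```

Binding is the fix for the query structure; converting the parameter to an integer at the request boundary (and rejecting anything else before it reaches the database) is a second, independent layer worth adding on top.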

16. Denial of Service - ntopng (BDU:2020-05514) - Critical [619]

Description: Vulnerability in the ntopng network traffic monitoring tool is caused by uncontrolled resource consumption. Exploitation may allow a remote attacker to cause a denial of service.

Component | Value | Weight | Comment
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on the BDU website
Public Exploit Exists | 0.5 | 17 | Exploit existence is NOT mentioned in the available data sources
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service
Vulnerable Product is Common | 0.5 | 14 | ntopng is an open-source computer software for monitoring traffic on a computer network
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5, according to the BDU data source
EPSS Percentile | 0 | 10 | EPSS data is not available

High (1)

17. Security Feature Bypass - Visa Tokenisation Service (VTS) (BDU:2021-05930) - High [590]

Description: Vulnerability in the MasterCard Tokenisation Service (MDES) and Visa Tokenisation Service (VTS) services is caused by the possibility of arbitrarily modifying the Amount field in the ISO 8583 Authorisation Request message. Exploitation may allow an attacker to use cryptograms to make fraudulent payments.

Component | Value | Weight | Comment
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on the BDU website
Public Exploit Exists | 0.5 | 17 | The existence of a private exploit is mentioned in the BDU:PrivateExploit data source
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass
Vulnerable Product is Common | 0.4 | 14 | The Visa Token Service (VTS) is a Visa-powered security technology that substitutes sensitive account data, such as the 16-digit account number, with a unique token that safeguards the underlying card details from being compromised
CVSS Base Score | 0.4 | 10 | CVSS Base Score is 4.1, according to the BDU data source
EPSS Percentile | 0 | 10 | EPSS data is not available

Medium (0)

Low (0)

Exploitation in the wild detected (17)

Remote Code Execution (9)

Command Injection (1)

Code Injection (2)

Security Feature Bypass (2)

Authentication Bypass (2)

Denial of Service (1)

Public exploit exists, but exploitation in the wild is NOT detected (0)

Other Vulnerabilities (0)