US-CERT Bulletins

CISA Bulletins

Alerts warn about vulnerabilities, incidents, and other security issues that pose a significant risk.

Vulnerability Summary for the Week of November 15, 2021

Author: CISA
Posted: November 22, 2021, 12:03 pm
Original release date: November 22, 2021


High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
adobe -- after_effects | Adobe After Effects version 18.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .m4a file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required in that the victim must o...


Vulnerability Summary for the Week of November 8, 2021

Author: CISA
Posted: November 15, 2021, 12:05 pm
Original release date: November 15, 2021


High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
airangel -- hsmx-app-25_firmware | Airangel HSMX Gateway devices through 5.2.04 allow Remote Code Execution. | 2021-11-10 | 10 | CVE-2021-40521, MISC, MISC
asgaros -- asgaros_forum | The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subscribing to a ...


Vulnerability Summary for the Week of November 1, 2021

Author: CISA
Posted: November 8, 2021, 2:21 pm
Original release date: November 8, 2021


High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
aaptjs_project -- aaptjs | An issue was discovered in the crunch function in shenzhim aaptjs 1.3.1, allows attackers to execute arbitrary code via the filePath parameters. | 2021-10-31 | 7.5 | CVE-2020-36380, MISC
aaptjs_project -- aaptjs | An issue was discovered in the remove function in shenzhi...


Vulnerability Summary for the Week of October 25, 2021

Author: CISA
Posted: November 1, 2021, 10:47 am
Original release date: November 1, 2021


High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
apache -- storm | An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x ...


Vulnerability Summary for the Week of October 18, 2021

Author: CISA
Posted: October 25, 2021, 11:07 am
Original release date: October 25, 2021


High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
adobe -- ops-cli | Ops CLI version 2.0.4 (and earlier) is affected by a Deserialization of Untrusted Data vulnerability to achieve arbitrary code execution when the checkout_repo function is called on a maliciously crafted file. An attacker can leverage this to execute arbitrary code on the victim machine. | 2021...
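Two entries in these bulletins, the Apache Storm supervisor (week of October 25) and Adobe Ops CLI (week of October 18), belong to the same weakness class, deserialization of untrusted data. The block below is an added illustration of that class in Python, not code from either project and not a reconstruction of their specific bugs: a constructed pickle stream whose `__reduce__` runs a command the moment it is loaded, beside a restricted unpickler that resolves only allow-listed classes. The `Job` class, the `build_*_payload` helpers, `SAFE_CLASSES` and `RestrictedUnpickler` are hypothetical names chosen for this example; the restricted-unpickler pattern itself follows the approach documented for the standard `pickle` module.

```python
import io
import pickle
import subprocess

# Added illustration of "Deserialization of Untrusted Data" (the class named in the
# Apache Storm and Adobe Ops CLI entries). Not code from either project; the class
# and function names below are hypothetical.


class Job:
    """Benign object a service might legitimately serialize (constructed for this example)."""

    def __init__(self, name: str, retries: int):
        self.name = name
        self.retries = retries


def build_legit_payload() -> bytes:
    """Constructed input: a normal serialized Job."""
    return pickle.dumps(Job("nightly-build", 3))


def build_malicious_payload() -> bytes:
    """Constructed attacker input. pickle records whatever __reduce__ returns, so
    loading this stream calls subprocess.check_output(["echo", "pwned"]) on the
    loading host; a real payload would run something far worse."""

    class Exploit:
        def __reduce__(self):
            return (subprocess.check_output, (["echo", "pwned"],))

    return pickle.dumps(Exploit())


def load_unsafe(data: bytes):
    """Vulnerable pattern: pickle.loads on bytes the caller does not control.
    Any importable callable referenced by the stream is executed during load."""
    return pickle.loads(data)


# Hardened pattern: only classes on an explicit allow-list may be resolved.
SAFE_CLASSES = {(Job.__module__, Job.__qualname__): Job}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        cls = SAFE_CLASSES.get((module, name))
        if cls is None:
            raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")
        return cls


def load_safe(data: bytes):
    """Deserialize with the allow-list; raises pickle.UnpicklingError on anything else."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_loader_rejects(data: bytes) -> bool:
    """True if the hardened loader refuses the stream without executing it."""
    try:
        load_safe(data)
    except pickle.UnpicklingError:
        return True
    return False


def demo() -> dict:
    """Run both loaders over both inputs and summarize what happened."""
    legit, evil = build_legit_payload(), build_malicious_payload()
    return {
        "unsafe_legit_name": load_unsafe(legit).name,
        "unsafe_evil_output": load_unsafe(evil).strip(),  # the command actually ran
        "safe_legit_name": load_safe(legit).name,
        "safe_evil_rejected": safe_loader_rejects(evil),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The unsafe loader returns the output of the command embedded in the attacker's stream, which is the whole vulnerability: the format lets the sender name code to run. The restricted loader rejects that stream before any callable is resolved while still accepting the legitimate `Job`. An allow-list only narrows what an attacker can instantiate, so the stronger fix is not to accept a code-executing serialization format from untrusted sources at all (use a data-only format such as JSON); for the products in the bulletins the remedy is the vendor upgrade each entry names.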
