
The US CISA has added 4 vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of exploitation:
CVE-2019-0344
SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability: SAP Commerce Cloud contains a deserialization of untrusted data vulnerability within the mediaconversion virtualjdbc extension that allows for code injection.
CVE-2021-4043
Motion Spell GPAC Null Pointer Dereference Vulnerability: Motion Spell GPAC contains a null pointer dereference vulnerability that could allow a local attacker to cause a DoS condition.
CVE-2020-15415
DrayTek Multiple Vigor Routers OS Command Injection Vulnerability: DrayTek Vigor3900, Vigor2960, and Vigor300B devices contain an OS command injection vulnerability in cgi-bin/mainfunction.cgi/cvmcfgupload that allows for remote code execution via shell metacharacters in a filename when the text/x-python-script content type is used.
CVE-2023-25280
D-Link DIR-820 Router OS Command Injection Vulnerability: D-Link DIR-820 routers contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp.
CISA has set October 21, 2024, as the deadline for federal agencies to remediate the vulnerabilities.


