Updates May 2020

Timeline

Analyzing the timeline helps to identify the approach required for handling single vulnerabilities and vulnerability collections. The overview shows less important slices and more severe hotspots at a glance, which makes it possible to initiate immediate vulnerability response and to prioritize issues.

Type

The moderation team is working with the threat intelligence team to categorize software that is affected by security vulnerabilities. Illustrating the assignment of these categories helps to determine the most affected software types.

Product

Grouping vulnerabilities by product helps to get an overview. This makes it possible to identify a homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Remediation

Vendors and researchers are eager to find countermeasures to mitigate security vulnerabilities. These come in multiple forms and levels of remediation, which influence risks differently.

Exploitability

Researchers and attackers who look for security vulnerabilities try to exploit them for academic purposes or personal gain. The level and quality of exploitability can be distinguished to determine the simplicity and strength of attacks.

CVSSv3 Base

The Common Vulnerability Scoring System (CVSS) is an industry standard to define the characteristics and impacts of security vulnerabilities. The base score represents the intrinsic aspects that are constant over time and across user environments. Our unique meta score merges all available scores from different sources into the most reliable aggregate result.

CVSSv3 Temp

The Common Vulnerability Scoring System (CVSS) uses temp scores to reflect the characteristics of a vulnerability that may change over time but not across user environments. This includes reporting confidence, exploitability and remediation levels. We also provide our unique meta score for temp scores, even though other sources rarely publish them.

Exploit 0-day

The moderation team is working with the threat intelligence team to determine prices for exploits. Our unique algorithm is used to identify the 0-day price of an exploit before it is distributed or becomes public. Calculated prices are aligned with prices disclosed by vulnerability brokers and compared to prices we see on exploit markets.

Exploit Today

The 0-day prices do not consider time-relevant factors. The today price reflects price impacts such as the disclosure of vulnerability details, alternative exploits, and the availability of countermeasures. These dynamic aspects might decrease the exploit prices over time. Under certain circumstances this happens very fast.

| Updated | Base | Temp | Vulnerability | Change | Exp | Rem | CVE |
|---|---|---|---|---|---|---|---|
| 05/31/2020 | 5.7 | 5.7 | Opera Web Browser RTL Address spoofing | (5): source_cve_assigned, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, advisory_person_name | Not Defined | Not Defined | CVE-2016-6908 |
| 05/31/2020 | 6.8 | 6.3 | NullSoft WinAmp FLV File memory corruption | (1): vulnerability_discoverydate | Not Defined | Not Defined | CVE-2017-10725 |
| 05/31/2020 | 7.0 | 6.5 | NullSoft WinAmp FLV File memory corruption | (1): vulnerability_discoverydate | Not Defined | Not Defined | CVE-2017-10728 |
| 05/31/2020 | 7.0 | 6.5 | NullSoft WinAmp FLV File memory corruption | (1): vulnerability_discoverydate | Not Defined | Not Defined | CVE-2017-10727 |
| 05/31/2020 | 7.0 | 6.5 | NullSoft WinAmp FLV File memory corruption | (1): vulnerability_discoverydate | Not Defined | Not Defined | CVE-2017-10726 |
| 05/31/2020 | 4.4 | 4.2 | NASM labels.c NULL Pointer Dereference denial of service | (1): vulnerability_discoverydate | Proof-of-Concept | Not Defined | CVE-2018-16517 |
| 05/31/2020 | 9.0 | 8.1 | Oracle Access Manager Authentication Engine privilege escalation | (3): advisory_confirm_url, source_cve_assigned, vulnerability_discoverydate | Proof-of-Concept | Official Fix | CVE-2018-2879 |
| 05/31/2020 | 5.4 | 5.4 | Netwide Assembler preproc.c Use-After-Free denial of service | (3): vulnerability_discoverydate, countermeasure_name, countermeasure_date | Not Defined | Official Fix | CVE-2017-17820 |
| 05/31/2020 | 7.5 | 7.2 | Joomla CMS LDAP Authentication Password information disclosure | (3): advisory_confirm_url, vulnerability_discoverydate, countermeasure_date | Not Defined | Official Fix | CVE-2017-14596 |
| 05/31/2020 | 4.7 | 4.5 | Joomla CMS sql injection | (5): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, countermeasure_date | Not Defined | Official Fix | CVE-2017-14595 |
| 05/31/2020 | 7.5 | 7.2 | Joomla CMS Installer privilege escalation | (5): advisory_confirm_url, source_cve_assigned, vulnerability_discoverydate, countermeasure_date, source_securityfocus | Not Defined | Official Fix | CVE-2017-11364 |
| 05/31/2020 | 5.2 | 5.2 | Joomla CMS CSRF Token cross site scripting | (6): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, countermeasure_name, countermeasure_date | Not Defined | Official Fix | CVE-2017-9934 |
| 05/31/2020 | 6.4 | 6.4 | Joomla CMS Cache information disclosure | (6): source_cve_assigned, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, countermeasure_name, countermeasure_date | Not Defined | Official Fix | CVE-2017-9933 |
| 05/31/2020 | 7.4 | 7.1 | Joomla CMS com_users privilege escalation | (1): vulnerability_discoverydate | Not Defined | Official Fix | CVE-2019-10946 |
| 05/31/2020 | 5.2 | 4.9 | Joomla CMS Media Form Field cross site scripting | (4): advisory_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class | Not Defined | Official Fix | CVE-2019-9714 |
| 05/31/2020 | 7.5 | 7.2 | Joomla CMS Plugins privilege escalation | (2): advisory_url, vulnerability_discoverydate | Not Defined | Official Fix | CVE-2019-9713 |
| 05/31/2020 | 5.2 | 4.9 | Joomla CMS com_config cross site scripting | (4): advisory_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class | Not Defined | Official Fix | CVE-2019-9712 |
| 05/31/2020 | 5.2 | 4.9 | Joomla CMS Edit View cross site scripting | (4): advisory_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class | Not Defined | Official Fix | CVE-2019-9711 |
| 05/31/2020 | 5.2 | 4.9 | Joomla CMS Core Components cross site scripting | (3): vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class | Not Defined | Official Fix | CVE-2019-7744 |
| 05/31/2020 | 8.5 | 8.2 | Joomla CMS Protection Mechanism Object Injection privilege escalation | (4): advisory_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class | Not Defined | Official Fix | CVE-2019-7743 |
| 05/31/2020 | 5.2 | 4.9 | Joomla CMS Web Server Configuration cross site scripting | (1): vulnerability_discoverydate | Not Defined | Official Fix | CVE-2019-7742 |
| 05/31/2020 | 5.2 | 4.9 | Joomla CMS Global Configuration Stored cross site scripting | (3): vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class | Not Defined | Official Fix | CVE-2019-7741 |
| 05/31/2020 | 5.2 | 4.9 | Joomla CMS core.js writeDynaList cross site scripting | (3): vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class | Not Defined | Official Fix | CVE-2019-7740 |
| 05/31/2020 | 5.8 | 5.6 | Joomla CMS Global Configuration privilege escalation | (4): advisory_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class | Not Defined | Official Fix | CVE-2019-7739 |
| 05/31/2020 | 5.2 | 4.9 | Joomla CMS mod_banners Stored cross site scripting | (6): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, advisory_person_nickname, countermeasure_date | Not Defined | Official Fix | CVE-2019-6264 |
| 05/31/2020 | 4.1 | 3.7 | Joomla CMS Global Configuration Stored cross site scripting | (9): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, advisory_person_nickname, exploit_availability, exploit_publicity, exploit_url, countermeasure_date | Proof-of-Concept | Official Fix | CVE-2019-6263 |
| 05/31/2020 | 4.4 | 4.3 | Joomla CMS Global Configuration Stored cross site scripting | (6): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, advisory_person_nickname, countermeasure_date | Not Defined | Official Fix | CVE-2019-6262 |
| 05/31/2020 | 5.2 | 4.9 | Joomla CMS com_contact Stored cross site scripting | (6): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, advisory_person_nickname, countermeasure_date | Not Defined | Official Fix | CVE-2019-6261 |
| 05/31/2020 | 5.3 | 5.1 | Joomla CMS com_contact privilege escalation | (6): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, advisory_person_nickname, countermeasure_date | Not Defined | Official Fix | CVE-2018-17859 |
| 05/31/2020 | 6.5 | 6.2 | Joomla CMS com_installer cross site request forgery | (6): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, advisory_person_nickname, countermeasure_date | Not Defined | Official Fix | CVE-2018-17858 |
| 05/31/2020 | 5.3 | 5.1 | Joomla CMS Tags Search privilege escalation | (6): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, advisory_person_nickname, countermeasure_date | Not Defined | Official Fix | CVE-2018-17857 |
| 05/31/2020 | 6.7 | 6.4 | Joomla CMS com_joomlaupdate Remote Code Execution | (6): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, advisory_person_nickname, countermeasure_date | Not Defined | Official Fix | CVE-2018-17856 |
| 05/31/2020 | 7.5 | 7.2 | Joomla CMS Registration privilege escalation | (6): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, advisory_person_nickname, countermeasure_date | Not Defined | Official Fix | CVE-2018-17855 |
| 05/31/2020 | 8.5 | 8.2 | Joomla CMS InputFilter Upload privilege escalation | (5): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, countermeasure_date | Not Defined | Official Fix | CVE-2018-15882 |
| 05/31/2020 | 7.4 | 7.1 | Joomla CMS ACL privilege escalation | (5): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, countermeasure_date | Not Defined | Official Fix | CVE-2018-15881 |
| 05/31/2020 | 4.4 | 4.3 | Joomla CMS Profile Page Stored cross site scripting | (5): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, countermeasure_date | Not Defined | Official Fix | CVE-2018-15880 |
| 05/31/2020 | 7.5 | 7.2 | Joomla CMS class_exists Local File Inclusion privilege escalation | (6): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, advisory_person_name, countermeasure_date | Not Defined | Official Fix | CVE-2018-12712 |
| 05/31/2020 | 5.2 | 4.9 | Joomla CMS Media Manager cross site scripting | (4): vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, countermeasure_date | Not Defined | Official Fix | CVE-2018-6378 |
| 05/31/2020 | 4.5 | 4.3 | Joomla CMS user-info cross site scripting | (4): vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, countermeasure_date | Not Defined | Official Fix | CVE-2018-11328 |
| 05/31/2020 | 5.3 | 5.1 | Joomla CMS Permission privilege escalation | (4): vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, countermeasure_date | Not Defined | Official Fix | CVE-2018-11327 |
| 05/31/2020 | 3.6 | 3.4 | Joomla CMS cross site scripting | (6): vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, advisory_person_name, advisory_company_name, countermeasure_date | Not Defined | Official Fix | CVE-2018-11326 |
| 05/31/2020 | 7.5 | 7.2 | Joomla CMS Web Install Application Password information disclosure | (4): vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, countermeasure_date | Not Defined | Official Fix | CVE-2018-11325 |
| 05/31/2020 | 5.9 | 5.7 | Joomla CMS Background Process race condition | (4): vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, countermeasure_date | Not Defined | Official Fix | CVE-2018-11324 |
| 05/31/2020 | 7.5 | 7.2 | Joomla CMS Permission privilege escalation | (4): vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, countermeasure_date | Not Defined | Official Fix | CVE-2018-11323 |
| 05/31/2020 | 6.2 | 6.0 | Joomla CMS PHAR File PHP Code Execution privilege escalation | (4): vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, countermeasure_date | Not Defined | Official Fix | CVE-2018-11322 |
| 05/31/2020 | 6.4 | 6.1 | Joomla CMS com_fields privilege escalation | (4): vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, countermeasure_date | Not Defined | Official Fix | CVE-2018-11321 |
| 05/31/2020 | 7.5 | 7.5 | Joomla CMS Notes List View sql injection | (10): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, source_sectracker_date, source_sectracker_cause, advisory_disputed, advisory_reportconfidence, countermeasure_name, countermeasure_date | High | Official Fix | CVE-2018-8045 |
| 05/31/2020 | 5.2 | 4.9 | Joomla CMS Chromes cross site scripting | (5): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, countermeasure_date | Not Defined | Official Fix | CVE-2018-6380 |
| 05/31/2020 | 5.2 | 4.9 | Joomla CMS Uri Class cross site scripting | (5): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, countermeasure_date | Not Defined | Official Fix | CVE-2018-6379 |
| 05/31/2020 | 5.2 | 4.9 | Joomla CMS com_fields cross site scripting | (5): advisory_confirm_url, vulnerability_discoverydate, source_securityfocus_date, source_securityfocus_class, countermeasure_date | Not Defined | Official Fix | CVE-2018-6377 |
