Kerio Technologies
Kerio Technologies, Inc. was a technology company specializing in collaboration software and unified threat management for small and medium organizations. Founded in 1997, Kerio is headquartered in San Jose, California.
Products
9- 22 CVEs
- 14 CVEs
- 12 CVEs
- 10 CVEs
- 6 CVEs
- 3 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
Recent CVEs
58| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-31849 | Cri | 0.71 | 9.8 | 0.06 | Apr 5, 2024 | A path traversal vulnerability exists in the Java version of CData Connect < 23.4.8846 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application. | ||
| CVE-2026-22069 | Hig | 0.47 | 7.3 | 0.00 | May 19, 2026 | A local privilege escalation vulnerability exists in O+ Connect because it fails to validate the identity of the caller on the pipe interface. | ||
| CVE-2003-0220 | 0.08 | — | 0.69 | May 12, 2003 | Buffer overflow in the administrator authentication process for Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute arbitrary code via a handshake packet. | |||
| CVE-2019-16516 | 0.06 | — | 0.19 | Jan 23, 2020 | An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a user enumeration vulnerability, allowing an unauthenticated attacker to determine with certainty if an account exists for a given username. | |||
| CVE-2004-1907 | 0.04 | — | 0.07 | Dec 31, 2004 | The Web Filtering functionality in Kerio Personal Firewall (KPF) 4.0.13 allows remote attackers to cause a denial of service (crash) by sending hex-encoded URLs containing "%13%12%13". | |||
| CVE-2003-0487 | 0.04 | — | 0.11 | Aug 7, 2003 | Multiple buffer overflows in Kerio MailServer 5.6.3 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via (1) a long showuser parameter in the do_subscribe module, (2) a long folder parameter in the add_acl module, (3) a long… | |||
| CVE-2003-0488 | 0.04 | — | 0.07 | Aug 7, 2003 | Multiple cross-site scripting (XSS) vulnerabilities in Kerio MailServer 5.6.3 allow remote attackers to insert arbitrary web script via (1) the add_name parameter in the add_acl module, or (2) the alias parameter in the do_map module. | |||
| CVE-2014-3857 | 0.03 | — | 0.02 | Jul 3, 2014 | Multiple SQL injection vulnerabilities in Kerio Control Statistics in Kerio Control (formerly WinRoute Firewall) before 8.3.2 allow remote authenticated users to execute arbitrary SQL commands via the (1) x_16 or (2) x_17 parameter to print.php. | |||
| CVE-2006-6131 | 0.03 | — | 0.01 | Nov 28, 2006 | Untrusted search path vulnerability in (1) WSAdminServer and (2) WSWebServer in Kerio WebSTAR (4D WebSTAR Server Suite) 5.4.2 and earlier allows local users with webstar privileges to gain root privileges via a malicious libucache.dylib helper library in the current working… | |||
| CVE-2006-3787 | 0.03 | — | 0.01 | Jul 24, 2006 | kpf4ss.exe in Sunbelt Kerio Personal Firewall 4.3.x before 4.3.268 does not properly hook the CreateRemoteThread API function, which allows local users to cause a denial of service (crash) and bypass protection mechanisms by calling CreateRemoteThread. | |||
| CVE-2004-1109 | 0.03 | — | 0.03 | Jan 10, 2005 | The FWDRV.SYS driver in Kerio Personal Firewall 4.1.1 and earlier allows remote attackers to cause a denial of service (CPU consumption and system freeze from infinite loop) via a (1) TCP, (2) UDP, or (3) ICMP packet with a zero length IP Option field. | |||
| CVE-2002-1434 | 0.03 | — | 0.04 | Apr 11, 2003 | Multiple cross-site scripting (XSS) vulnerabilities in the Web mail module of Kerio MailServer 5.0 allow remote attackers to execute HTML script as other users via certain URLs. | |||
| CVE-2019-16514 | 0.01 | — | 0.04 | Jan 23, 2020 | An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. The server allows remote code execution. Administrative users could upload an unsigned extension ZIP file containing executable code that is subsequently executed by the server. | |||
| CVE-2023-25719 | 0.00 | — | 0.01 | Feb 13, 2023 | ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected data and injection of malicious code into a downloaded executable. The… | |||
| CVE-2023-25718 | 0.00 | — | 0.01 | Feb 13, 2023 | In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled… | |||
| CVE-2023-23127 | 0.00 | — | 0.00 | Feb 1, 2023 | In Connectwise Control 22.8.10013.8329, the login page does not implement HSTS headers therefore not enforcing HTTPS. NOTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS)… | |||
| CVE-2023-23128 | 0.00 | — | 0.00 | Feb 1, 2023 | Connectwise Control 22.8.10013.8329 is vulnerable to Cross Origin Resource Sharing (CORS). The vendor's position is that two endpoints have Access-Control-Allow-Origin wildcarding to support product functionality, and that there is no risk from this behavior. The vulnerability… | |||
| CVE-2021-44470 | 0.00 | — | 0.00 | Aug 18, 2022 | Incorrect default permissions for the Intel(R) Connect M Android application before version 1.7.4 may allow an authenticated user to potentially enable information disclosure via local access. | |||
| CVE-2021-3613 | 0.00 | — | 0.01 | Jul 2, 2021 | OpenVPN Connect 3.2.0 through 3.3.0 allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process (OpenVPNConnect.exe). | |||
| CVE-2020-15075 | 0.00 | — | 0.00 | Mar 30, 2021 | OpenVPN Connect installer for macOS version 3.2.6 and older may corrupt system critical files it should not have access via symlinks in /tmp. |
- risk 0.71cvss 9.8epss 0.06
A path traversal vulnerability exists in the Java version of CData Connect < 23.4.8846 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application.
- risk 0.47cvss 7.3epss 0.00
A local privilege escalation vulnerability exists in O+ Connect because it fails to validate the identity of the caller on the pipe interface.
- CVE-2003-0220May 12, 2003risk 0.08cvss —epss 0.69
Buffer overflow in the administrator authentication process for Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute arbitrary code via a handshake packet.
- CVE-2019-16516Jan 23, 2020risk 0.06cvss —epss 0.19
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a user enumeration vulnerability, allowing an unauthenticated attacker to determine with certainty if an account exists for a given username.
- CVE-2004-1907Dec 31, 2004risk 0.04cvss —epss 0.07
The Web Filtering functionality in Kerio Personal Firewall (KPF) 4.0.13 allows remote attackers to cause a denial of service (crash) by sending hex-encoded URLs containing "%13%12%13".
- CVE-2003-0487Aug 7, 2003risk 0.04cvss —epss 0.11
Multiple buffer overflows in Kerio MailServer 5.6.3 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via (1) a long showuser parameter in the do_subscribe module, (2) a long folder parameter in the add_acl module, (3) a long…
- CVE-2003-0488Aug 7, 2003risk 0.04cvss —epss 0.07
Multiple cross-site scripting (XSS) vulnerabilities in Kerio MailServer 5.6.3 allow remote attackers to insert arbitrary web script via (1) the add_name parameter in the add_acl module, or (2) the alias parameter in the do_map module.
- CVE-2014-3857Jul 3, 2014risk 0.03cvss —epss 0.02
Multiple SQL injection vulnerabilities in Kerio Control Statistics in Kerio Control (formerly WinRoute Firewall) before 8.3.2 allow remote authenticated users to execute arbitrary SQL commands via the (1) x_16 or (2) x_17 parameter to print.php.
- CVE-2006-6131Nov 28, 2006risk 0.03cvss —epss 0.01
Untrusted search path vulnerability in (1) WSAdminServer and (2) WSWebServer in Kerio WebSTAR (4D WebSTAR Server Suite) 5.4.2 and earlier allows local users with webstar privileges to gain root privileges via a malicious libucache.dylib helper library in the current working…
- CVE-2006-3787Jul 24, 2006risk 0.03cvss —epss 0.01
kpf4ss.exe in Sunbelt Kerio Personal Firewall 4.3.x before 4.3.268 does not properly hook the CreateRemoteThread API function, which allows local users to cause a denial of service (crash) and bypass protection mechanisms by calling CreateRemoteThread.
- CVE-2004-1109Jan 10, 2005risk 0.03cvss —epss 0.03
The FWDRV.SYS driver in Kerio Personal Firewall 4.1.1 and earlier allows remote attackers to cause a denial of service (CPU consumption and system freeze from infinite loop) via a (1) TCP, (2) UDP, or (3) ICMP packet with a zero length IP Option field.
- CVE-2002-1434Apr 11, 2003risk 0.03cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in the Web mail module of Kerio MailServer 5.0 allow remote attackers to execute HTML script as other users via certain URLs.
- CVE-2019-16514Jan 23, 2020risk 0.01cvss —epss 0.04
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. The server allows remote code execution. Administrative users could upload an unsigned extension ZIP file containing executable code that is subsequently executed by the server.
- CVE-2023-25719Feb 13, 2023risk 0.00cvss —epss 0.01
ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected data and injection of malicious code into a downloaded executable. The…
- CVE-2023-25718Feb 13, 2023risk 0.00cvss —epss 0.01
In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled…
- CVE-2023-23127Feb 1, 2023risk 0.00cvss —epss 0.00
In Connectwise Control 22.8.10013.8329, the login page does not implement HSTS headers therefore not enforcing HTTPS. NOTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS)…
- CVE-2023-23128Feb 1, 2023risk 0.00cvss —epss 0.00
Connectwise Control 22.8.10013.8329 is vulnerable to Cross Origin Resource Sharing (CORS). The vendor's position is that two endpoints have Access-Control-Allow-Origin wildcarding to support product functionality, and that there is no risk from this behavior. The vulnerability…
- CVE-2021-44470Aug 18, 2022risk 0.00cvss —epss 0.00
Incorrect default permissions for the Intel(R) Connect M Android application before version 1.7.4 may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2021-3613Jul 2, 2021risk 0.00cvss —epss 0.01
OpenVPN Connect 3.2.0 through 3.3.0 allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process (OpenVPNConnect.exe).
- CVE-2020-15075Mar 30, 2021risk 0.00cvss —epss 0.00
OpenVPN Connect installer for macOS version 3.2.6 and older may corrupt system critical files it should not have access via symlinks in /tmp.