VYPR

Vendor CVEs

Kerio Technologies

All CVEs

58 total · sorted by risk
  • CVE-2024-31849CriApr 5, 2024
    risk 0.71cvss 9.8epss 0.06

    A path traversal vulnerability exists in the Java version of CData Connect < 23.4.8846 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application.

  • CVE-2026-22069HigMay 19, 2026
    risk 0.47cvss 7.3epss 0.00

    A local privilege escalation vulnerability exists in O+ Connect because it fails to validate the identity of the caller on the pipe interface.

  • CVE-2003-0220May 12, 2003
    risk 0.08cvss epss 0.69

    Buffer overflow in the administrator authentication process for Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute arbitrary code via a handshake packet.

  • CVE-2019-16516Jan 23, 2020
    risk 0.06cvss epss 0.19

    An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a user enumeration vulnerability, allowing an unauthenticated attacker to determine with certainty if an account exists for a given username.

  • CVE-2004-1907Dec 31, 2004
    risk 0.04cvss epss 0.07

    The Web Filtering functionality in Kerio Personal Firewall (KPF) 4.0.13 allows remote attackers to cause a denial of service (crash) by sending hex-encoded URLs containing "%13%12%13".

  • CVE-2003-0488Aug 7, 2003
    risk 0.04cvss epss 0.07

    Multiple cross-site scripting (XSS) vulnerabilities in Kerio MailServer 5.6.3 allow remote attackers to insert arbitrary web script via (1) the add_name parameter in the add_acl module, or (2) the alias parameter in the do_map module.

  • CVE-2003-0487Aug 7, 2003
    risk 0.04cvss epss 0.11

    Multiple buffer overflows in Kerio MailServer 5.6.3 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via (1) a long showuser parameter in the do_subscribe module, (2) a long folder parameter in the add_acl module, (3) a long…

  • CVE-2014-3857Jul 3, 2014
    risk 0.03cvss epss 0.02

    Multiple SQL injection vulnerabilities in Kerio Control Statistics in Kerio Control (formerly WinRoute Firewall) before 8.3.2 allow remote authenticated users to execute arbitrary SQL commands via the (1) x_16 or (2) x_17 parameter to print.php.

  • CVE-2006-6131Nov 28, 2006
    risk 0.03cvss epss 0.01

    Untrusted search path vulnerability in (1) WSAdminServer and (2) WSWebServer in Kerio WebSTAR (4D WebSTAR Server Suite) 5.4.2 and earlier allows local users with webstar privileges to gain root privileges via a malicious libucache.dylib helper library in the current working…

  • CVE-2006-3787Jul 24, 2006
    risk 0.03cvss epss 0.01

    kpf4ss.exe in Sunbelt Kerio Personal Firewall 4.3.x before 4.3.268 does not properly hook the CreateRemoteThread API function, which allows local users to cause a denial of service (crash) and bypass protection mechanisms by calling CreateRemoteThread.

  • CVE-2004-1109Jan 10, 2005
    risk 0.03cvss epss 0.03

    The FWDRV.SYS driver in Kerio Personal Firewall 4.1.1 and earlier allows remote attackers to cause a denial of service (CPU consumption and system freeze from infinite loop) via a (1) TCP, (2) UDP, or (3) ICMP packet with a zero length IP Option field.

  • CVE-2002-1434Apr 11, 2003
    risk 0.03cvss epss 0.04

    Multiple cross-site scripting (XSS) vulnerabilities in the Web mail module of Kerio MailServer 5.0 allow remote attackers to execute HTML script as other users via certain URLs.

  • CVE-2019-16514Jan 23, 2020
    risk 0.01cvss epss 0.04

    An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. The server allows remote code execution. Administrative users could upload an unsigned extension ZIP file containing executable code that is subsequently executed by the server.

  • CVE-2023-25719Feb 13, 2023
    risk 0.00cvss epss 0.01

    ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected data and injection of malicious code into a downloaded executable. The…

  • CVE-2023-25718Feb 13, 2023
    risk 0.00cvss epss 0.01

    In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled…

  • CVE-2023-23127Feb 1, 2023
    risk 0.00cvss epss 0.00

    In Connectwise Control 22.8.10013.8329, the login page does not implement HSTS headers therefore not enforcing HTTPS. NOTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS)…

  • CVE-2023-23128Feb 1, 2023
    risk 0.00cvss epss 0.00

    Connectwise Control 22.8.10013.8329 is vulnerable to Cross Origin Resource Sharing (CORS). The vendor's position is that two endpoints have Access-Control-Allow-Origin wildcarding to support product functionality, and that there is no risk from this behavior. The vulnerability…

  • CVE-2021-44470Aug 18, 2022
    risk 0.00cvss epss 0.00

    Incorrect default permissions for the Intel(R) Connect M Android application before version 1.7.4 may allow an authenticated user to potentially enable information disclosure via local access.

  • CVE-2021-3613Jul 2, 2021
    risk 0.00cvss epss 0.01

    OpenVPN Connect 3.2.0 through 3.3.0 allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process (OpenVPNConnect.exe).

  • CVE-2020-15075Mar 30, 2021
    risk 0.00cvss epss 0.00

    OpenVPN Connect installer for macOS version 3.2.6 and older may corrupt system critical files it should not have access via symlinks in /tmp.

  • CVE-2019-16515Jan 23, 2020
    risk 0.00cvss epss 0.02

    An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. Certain HTTP security headers are not used.

  • CVE-2019-16512Jan 23, 2020
    risk 0.00cvss epss 0.01

    An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is stored XSS in the Appearance modifier.

  • CVE-2019-16513Jan 23, 2020
    risk 0.00cvss epss 0.01

    An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. CSRF can be used to send API requests.

  • CVE-2011-1506Mar 22, 2011
    risk 0.00cvss epss 0.02

    The STARTTLS implementation in Kerio Connect 7.1.4 build 2985 and MailServer 6.x does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in…

  • CVE-2009-2636Jul 28, 2009
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in the Integration page in the WebMail component in Kerio MailServer 6.6.0, 6.6.1, 6.6.2, and 6.7.0 allows remote attackers to inject arbitrary web script or HTML via an e-mail message.

  • CVE-2008-5769Dec 30, 2008
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Kerio MailServer before 6.6.2 allow remote attackers to inject arbitrary web script or HTML via the (1) folder parameter to mailCompose.php or the (2) daytime parameter to calendarEdit.php. NOTE: some of these details are…

  • CVE-2008-5760Dec 30, 2008
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in error413.php in Kerio MailServer before 6.6.2 allows remote attackers to inject arbitrary web script or HTML via the sent parameter. NOTE: some of these details are obtained from third party information.

  • CVE-2008-0859Feb 21, 2008
    risk 0.00cvss epss 0.01

    Unspecified vulnerability in Kerio MailServer before 6.5.0 allows remote attackers to cause a denial of service (crash) via unspecified vectors related to decoding of uuencoded input, which triggers memory corruption.

  • CVE-2008-0858Feb 21, 2008
    risk 0.00cvss epss 0.04

    Buffer overflow in the Visnetic anti-virus plugin in Kerio MailServer before 6.5.0 might allow remote attackers to execute arbitrary code via unspecified vectors.

  • CVE-2008-0860Feb 21, 2008
    risk 0.00cvss epss 0.02

    Unspecified vulnerability in the AVG plugin in Kerio MailServer before 6.5.0 has unspecified impact via unknown remote attack vectors related to null DACLs.

  • CVE-2007-6385Dec 15, 2007
    risk 0.00cvss epss 0.00

    The proxy server in Kerio WinRoute Firewall before 6.4.1 does not properly enforce authentication for HTTPS pages, which has unknown impact and attack vectors. NOTE: it is not clear whether this issue crosses privilege boundaries.

  • CVE-2007-3993Jul 25, 2007
    risk 0.00cvss epss 0.02

    Unspecified vulnerability in the attachment filter in Kerio MailServer before 6.4.1 has unknown impact and remote attack vectors.

  • CVE-2006-6554Dec 14, 2006
    risk 0.00cvss epss 0.01

    Unspecified vulnerability in Kerio MailServer before 6.3.1 allows remote attackers to cause a denial of service (segmentation fault and service stop) via certain long LDAP queries, as demonstrated by vd_kms6.pm.

  • CVE-2006-5812Nov 8, 2006
    risk 0.00cvss epss 0.01

    Unspecified vulnerability in Kerio MailServer allows attackers to cause a denial of service, as demonstrated by vd_kms4.pm, a "Kerio MailServer DoS." NOTE: As of 20061108, this disclosure has no actionable information. However, since it is from a reliable researcher, it is being…

  • CVE-2006-5420Oct 20, 2006
    risk 0.00cvss epss 0.03

    Kerio WinRoute Firewall 6.2.2 and earlier allows remote attackers to cause a denial of service (crash) via malformed DNS responses.

  • CVE-2006-5153Oct 5, 2006
    risk 0.00cvss epss 0.02

    The (1) fwdrv.sys and (2) khips.sys drivers in Sunbelt Kerio Personal Firewall 4.3.268 and earlier do not validate arguments passed through to SSDT functions, including NtCreateFile, NtDeleteFile, NtLoadDriver, NtMapViewOfSection, NtOpenFile, and NtSetInformationFile, which…

  • CVE-2006-2267May 9, 2006
    risk 0.00cvss epss 0.03

    Kerio WinRoute Firewall before 6.2.1 allows remote attackers to cause a denial of service (application crash) via unknown vectors in the "email protocol inspectors," possibly (1) SMTP and (2) POP3.

  • CVE-2006-2203May 5, 2006
    risk 0.00cvss epss 0.01

    Unspecified vulnerability in Kerio MailServer before 6.1.4 has unknown impact and remote attack vectors related to a "possible bypass of attachment filter."

  • CVE-2006-1158Mar 12, 2006
    risk 0.00cvss epss 0.02

    Kerio MailServer before 6.1.3 Patch 1 allows remote attackers to cause a denial of service (application crash) via a crafted IMAP LOGIN command.

  • CVE-2006-0335Jan 21, 2006
    risk 0.00cvss epss 0.03

    Multiple unspecified vulnerabilities in Kerio WinRoute Firewall before 6.1.4 Patch 1 allow remote attackers to cause a denial of service via multiple unspecified vectors involving (1) long strings received from Active Directory and (2) the filtering of HTML.

  • CVE-2006-0336Jan 21, 2006
    risk 0.00cvss epss 0.02

    Kerio WinRoute Firewall before 6.1.4 Patch 2 allows attackers to cause a denial of service (CPU consumption and hang) via unknown vectors involving "browsing the web".

  • CVE-2005-4425Dec 20, 2005
    risk 0.00cvss epss 0.02

    Unspecified vulnerability in Kerio WinRoute Firewall before 6.1.3 allows remote attackers to cause a denial of service (crash) via certain RTSP streams.

  • CVE-2005-4157Dec 11, 2005
    risk 0.00cvss epss 0.02

    Unspecified vulnerability in Kerio WinRoute Firewall before 6.1.3 allows remote attackers to authenticate to the service using an account that has been disabled.

  • CVE-2005-3286Oct 23, 2005
    risk 0.00cvss epss 0.00

    The FWDRV driver in Kerio Personal Firewall 4.2 and Server Firewall 1.1.1 allows local users to cause a denial of service (crash) by setting the PAGE_NOACCESS or PAGE_GUARD protection on the Page Environment Block (PEB), which triggers an exception, aka the "PEB lockout…

  • CVE-2005-0964May 2, 2005
    risk 0.00cvss epss 0.00

    Unknown vulnerability in Kerio Personal Firewall 4.1.2 and earlier allows local users to bypass firewall rules via a malicious process that impersonates a legitimate process that has fewer restrictions.

  • CVE-2005-1062May 2, 2005
    risk 0.00cvss epss 0.03

    The administration protocol for Kerio WinRoute Firewall 6.x up to 6.0.10, Personal Firewall 4.x up to 4.1.2, and MailServer up to 6.0.8 allows remote attackers to quickly obtain passwords that are 5 characters or less via brute force methods.

  • CVE-2005-1063Apr 29, 2005
    risk 0.00cvss epss 0.02

    The administration protocol for Kerio WinRoute Firewall 6.x up to 6.0.10, Personal Firewall 4.x up to 4.1.2, and MailServer up to 6.0.8 allows remote attackers to cause a denial of service (CPU consumption) via certain attacks that force the product to "compute unexpected…

  • CVE-2005-1138Apr 18, 2005
    risk 0.00cvss epss 0.01

    Unknown vulnerability in WebMail in Kerio MailServer before 6.0.9 allows remote attackers to cause a denial of service (CPU consumption) via certain e-mail messages.

  • CVE-2004-1022Jan 10, 2005
    risk 0.00cvss epss 0.00

    Kerio Winroute Firewall before 6.0.7, ServerFirewall before 1.0.1, and MailServer before 6.0.5 use symmetric encryption for user passwords, which allows attackers to decrypt the user database and obtain the passwords by extracting the secret key from within the software.

  • CVE-2004-1023Jan 10, 2005
    risk 0.00cvss epss 0.00

    Kerio Winroute Firewall before 6.0.9, ServerFirewall before 1.0.1, and MailServer before 6.0.5, when installed on Windows based systems, do not modify the ACLs for critical files, which allows local users with Power Users privileges to modify programs, install malicious DLLs in…

Page 1 of 2