Security News

Updates released on Wednesday for the Drupal content management system patch a remote code execution vulnerability related to failure to properly sanitize the names of uploaded files. The vulnerability, tracked as CVE-2020-13671, has been classified as critical, but it's worth mentioning that Drupal uses the NIST Common Misuse Scoring System, which assigns vulnerabilities a score ranging between 0 and 25, with "Critical" being only the second highest rating, after "Highly critical."

Three security bugs in the Citrix software-defined-WAN platform would allow remote code-execution and network takeover, according to researchers. The first vulnerability allows unauthenticated RCE with root privileges in Citrix SD-WAN Center, according to Citrix.

Microsoft has released the November 2020 Office security updates with a total of 22 updates and 5 cumulative updates for 7 different products, fixing 14 vulnerabilities with five of them potentially enabling remote attackers to execute arbitrary code on vulnerable systems. The highlight of this month's Office security updates is CVE-2020-17061, a high severity Microsoft SharePoint vulnerability discovered by Oleksandr Mirosh from Micro Focus Fortify that leads to remote code execution.

Cisco informed customers on Wednesday that it's working on a patch for a code execution vulnerability affecting its AnyConnect product. According to the networking giant, the product is affected by a flaw, tracked as CVE-2020-3556, that can be exploited by a local, authenticated attacker to cause an AnyConnect user to execute a malicious script.

Patches released by NVIDIA last week for the GeForce Experience software address two arbitrary code execution bugs assessed with a severity rating of high. The GeForce Experience software is a companion application that is being installed alongside NVIDIA's GeForce drivers.

VMware this week informed customers that it has patched several vulnerabilities in its ESXi, Workstation, Fusion and NSX-T products, including a critical flaw that allows arbitrary code execution. VMware pointed out that the attacker needs to be on the management network and have access to port 427 on an ESXi machine in order to exploit the vulnerability.

Adobe has released 18 out-of-band security patches in 10 different software packages, including fixes for critical vulnerabilities that stretch across its product suite. There are 16 critical bugs, all of which allow arbitrary code execution in the context of the current user.

The Cybersecurity and Infrastructure Security Agency on Friday informed users about the availability of patches for two remote code execution vulnerabilities that affect Windows Codecs Library and Visual Studio Code. Residing in Visual Studio Code and tracked as CVE-2020-17023, the second vulnerability can be triggered when the user opens a malicious 'package.

Two critical flaws in Magento - Adobe's e-commerce platform that is commonly targeted by attackers like the Magecart threat group - could enable arbitrary code execution on affected systems. Retail is set to boom in the coming months - between this week's Amazon Prime Day and November's Black Friday - which puts pressure on Adobe to rapidly patch up any holes in the popular Magento open-source platform, which powers many online shops.

PDF software developer Foxit has released patches to address several high-risk vulnerabilities affecting both Windows and macOS applications. Last week, the company released security updates for both Foxit PhantomPDF Mac and Foxit Reader Mac, to address a vulnerability that could result in code injection or information disclosure.