Weekly Vulnerabilities Reports > July 6 to 12, 2020

Overview

188 new vulnerabilities reported during this period, including 13 critical vulnerabilities and 21 high severity vulnerabilities. This weekly summary report vulnerabilities in 185 products from 82 vendors including Mozilla, Huawei, Citrix, Nedi, and Google. Vulnerabilities are notably categorized as "Cross-site Scripting", "Information Exposure", "SQL Injection", "Improper Input Validation", and "Use After Free".

  • 150 reported vulnerabilities are remotely exploitables.
  • 1 reported vulnerabilities have public exploit available.
  • 57 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 141 reported vulnerabilities are exploitable by an anonymous user.
  • Mozilla has the most reported vulnerabilities, with 26 reported vulnerabilities.
  • Mozilla has the most reported critical vulnerabilities, with 8 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

13 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-07-07 CVE-2020-5599 Mitsubishielectric Injection vulnerability in Mitsubishielectric Coreos 05.65.00.Bd/Y

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet.

10.0
2020-07-09 CVE-2020-4305 IBM Deserialization of Untrusted Data vulnerability in IBM products

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data.

9.3
2020-07-09 CVE-2020-12426 Mozilla Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mozilla Firefox

Mozilla developers and community members reported memory safety bugs present in Firefox 77.

9.3
2020-07-09 CVE-2020-12420 Mozilla Use After Free vulnerability in Mozilla Firefox

When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash.

9.3
2020-07-09 CVE-2020-12419 Mozilla Use After Free vulnerability in Mozilla Firefox

When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition.

9.3
2020-07-09 CVE-2020-12417 Mozilla Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mozilla Firefox

Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash.

9.3
2020-07-09 CVE-2020-12416 Mozilla Use After Free vulnerability in Mozilla Firefox

A VideoStreamEncoder may have been freed in a race condition with VideoBroadcaster::AddOrUpdateSink, resulting in a use-after-free, memory corruption, and a potentially exploitable crash.

9.3
2020-07-09 CVE-2020-12411 Mozilla Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mozilla Firefox

Mozilla developers reported memory safety bugs present in Firefox 76.

9.3
2020-07-09 CVE-2020-12410 Mozilla Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mozilla Firefox

Mozilla developers reported memory safety bugs present in Firefox 76 and Firefox ESR 68.8.

9.3
2020-07-09 CVE-2020-12406 Mozilla Insufficient Verification of Data Authenticity vulnerability in Mozilla Firefox

Mozilla Developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash.

9.3
2020-07-08 CVE-2020-2034 Paloaltonetworks OS Command Injection vulnerability in Paloaltonetworks Pan-Os

An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges.

9.3
2020-07-08 CVE-2020-2030 Paloaltonetworks OS Command Injection vulnerability in Paloaltonetworks Pan-Os

An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges.

9.0
2020-07-06 CVE-2020-5352 Dell OS Command Injection vulnerability in Dell EMC Data Protection Advisor 18.1/6.4/6.5

Dell EMC Data Protection Advisor 6.4, 6.5 and 18.1 contain an OS command injection vulnerability.

9.0

21 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-07-07 CVE-2020-10745 Samba
Fedoraproject
Opensuse
Resource Exhaustion vulnerability in multiple products

A flaw was found in all Samba versions before 4.10.17, before 4.11.11 and before 4.12.4 in the way it processed NetBios over TCP/IP.

7.8
2020-07-09 CVE-2020-12422 Mozilla Out-of-bounds Write vulnerability in Mozilla Firefox

In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash.

7.6
2020-07-10 CVE-2020-15504 Sophos SQL Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0

A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely.

7.5
2020-07-10 CVE-2020-8186 Devcert Project OS Command Injection vulnerability in Devcert Project Devcert 1.1.0

A command injection vulnerability in the `devcert` module may lead to remote code execution when users of the module pass untrusted input to the `certificateFor` function.

7.5
2020-07-10 CVE-2020-7815 Tobesoft Injection vulnerability in Tobesoft Xplatform

XPLATFORM v9.2.260 and eariler versions contain a vulnerability that could allow remote files to be downloaded by setting the arguments to the vulnerable method.

7.5
2020-07-10 CVE-2020-7814 Raonwiz Injection vulnerability in Raonwiz Raon K Upload 2018.0.2.51

RAONWIZ v2018.0.2.50 and eariler versions contains a vulnerability that could allow remote files to be downloaded and excuted by lack of validation to file extension, witch can used as remote-code-excution attacks by hackers File download & execution vulnerability in ____COMPONENT____ of RAONWIZ RAON KUpload allows ____ATTACKER/ATTACK____ to cause ____IMPACT____.

7.5
2020-07-09 CVE-2019-17638 Eclipse Operation on a Resource after Expiration or Release vulnerability in Eclipse Jetty 9.4.27/9.4.28/9.4.29

In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error.

7.5
2020-07-09 CVE-2020-7458 Freebsd Out-of-bounds Write vulnerability in Freebsd 11.4/12.1

In FreeBSD 12.1-STABLE before r362281, 11.4-STABLE before r362281, and 11.4-RELEASE before p1, long values in the user-controlled PATH environment variable cause posix_spawnp to write beyond the end of the heap allocated stack possibly leading to arbitrary code execution.

7.5
2020-07-08 CVE-2020-11849 Microfocus Improper Privilege Management vulnerability in Microfocus Identity Manager

Elevation of privilege and/or unauthorized access vulnerability in Micro Focus Identity Manager.

7.5
2020-07-08 CVE-2020-3931 Geovision Classic Buffer Overflow vulnerability in Geovision products

Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command.

7.5
2020-07-07 CVE-2020-8521 Phpzag SQL Injection vulnerability in PHPzag

SQL injection with start and length parameters in Records.php for phpzag live add edit delete data tables records with ajax php mysql

7.5
2020-07-07 CVE-2020-8520 Phpzag SQL Injection vulnerability in PHPzag

SQL injection in order and column parameters in Records.php for phpzag live add edit delete data tables records with ajax php mysql

7.5
2020-07-07 CVE-2020-8519 Phpzag SQL Injection vulnerability in PHPzag

SQL injection with the search parameter in Records.php for phpzag live add edit delete data tables records with ajax php mysql

7.5
2020-07-07 CVE-2020-12821 Protocol Unspecified vulnerability in Protocol Gossipsub 1.0

Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.

7.5
2020-07-07 CVE-2019-20896 Webchess Project SQL Injection vulnerability in Webchess Project Webchess 1.0

WebChess 1.0 allows SQL injection via the messageFrom, gameID, opponent, messageID, or to parameter.

7.5
2020-07-07 CVE-2020-15350 Riot OS Classic Buffer Overflow vulnerability in Riot-Os Riot 2020.04

RIOT 2020.04 has a buffer overflow in the base64 decoder.

7.5
2020-07-07 CVE-2020-5595 Mitsubishielectric Classic Buffer Overflow vulnerability in Mitsubishielectric Coreos Y

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a buffer overflow vulnerability, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet.

7.5
2020-07-07 CVE-2020-15506 Mobileiron Improper Authentication vulnerability in Mobileiron products

An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to bypass authentication mechanisms via unspecified vectors.

7.5
2020-07-07 CVE-2020-15505 Mobileiron Unspecified vulnerability in Mobileiron products

A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors.

7.5
2020-07-10 CVE-2020-3974 Vmware Unspecified vulnerability in VMWare Fusion, Horizon Client and Remote Console

VMware Fusion (11.x before 11.5.5), VMware Remote Console for Mac (11.x and prior before 11.2.0 ) and Horizon Client for Mac (5.x and prior before 5.4.3) contain a privilege escalation vulnerability due to improper XPC Client validation.

7.2
2020-07-07 CVE-2020-15584 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 10.0

An issue was discovered on Samsung mobile devices with Q(10.0) software.

7.1

116 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-07-09 CVE-2020-12423 Mozilla Uncontrolled Search Path Element vulnerability in Mozilla Firefox

When the Windows DLL "webauthn.dll" was missing from the Operating System, and a malicious one was placed in a folder in the user's %PATH%, Firefox may have loaded the DLL, leading to arbitrary code execution.

6.9
2020-07-09 CVE-2020-12409 Mozilla Unspecified vulnerability in Mozilla Firefox

When using certain blank characters in a URL, they where incorrectly rendered as spaces instead of an encoded URL.

6.8
2020-07-09 CVE-2020-7457 Freebsd Improper Synchronization vulnerability in Freebsd 11.3/11.4/12.1

In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 11.3-RELEASE before p11, missing synchronization in the IPV6_2292PKTOPTIONS socket option set handler contained a race condition allowing a malicious application to modify memory after being freed, possibly resulting in code execution.

6.8
2020-07-09 CVE-2018-12371 Mozilla Integer Overflow or Wraparound vulnerability in Mozilla Firefox, Firefox ESR and Thunderbird

An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 16 GB of RAM.

6.8
2020-07-09 CVE-2020-5604 Mercari Injection vulnerability in Mercari 3.51.0

Android App 'Mercari' (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remote attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView.

6.8
2020-07-08 CVE-2020-2031 Paloaltonetworks Integer Underflow (Wrap or Wraparound) vulnerability in Paloaltonetworks Pan-Os 9.1.0/9.1.1/9.1.2

An integer underflow vulnerability in the dnsproxyd component of the PAN-OS management interface allows authenticated administrators to issue a command from the command line interface that causes the component to stop responding.

6.8
2020-07-06 CVE-2020-9262 Huawei Use After Free vulnerability in Huawei Mate 30 Firmware 10.0.0.205(C00E201R7P2)/10.1.0.126(C00E125R5P3)

HUAWEI Mate 30 with versions earlier than 10.1.0.150(C00E136R5P3) have a use after free vulnerability.

6.8
2020-07-06 CVE-2020-9261 Huawei Type Confusion vulnerability in Huawei Mate 30 Firmware 10.0.0.205(C00E201R7P2)/10.1.0.126(C00E125R5P3)

HUAWEI Mate 30 with versions earlier than 10.1.0.150(C00E136R5P3) have a type confusion vulnerability.

6.8
2020-07-06 CVE-2019-8250 Adobe Type Confusion vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a type confusion vulnerability.

6.8
2020-07-06 CVE-2019-8249 Adobe Type Confusion vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a type confusion vulnerability.

6.8
2020-07-06 CVE-2019-8066 Adobe Out-of-bounds Write vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a heap overflow vulnerability.

6.8
2020-07-10 CVE-2020-6114 Icehrm SQL Injection vulnerability in Icehrm 26.6.0.Os

An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) .

6.5
2020-07-10 CVE-2020-8197 Citrix Improper Privilege Management vulnerability in Citrix products

Privilege escalation vulnerability on Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows a low privileged user with management access to execute arbitrary commands.

6.5
2020-07-09 CVE-2020-13994 Mods FOR Hesk Code Injection vulnerability in Mods-For-Hesk Mods for Hesk

An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0.

6.5
2020-07-09 CVE-2020-9377 Dlink Code Injection vulnerability in Dlink Dir-610 Firmware

** UNSUPPORTED WHEN ASSIGNED ** D-Link DIR-610 devices allow Remote Command Execution via the cmd parameter to command.php.

6.5
2020-07-08 CVE-2020-15072 Phplist SQL Injection vulnerability in PHPlist

An issue was discovered in phpList through 3.5.4.

6.5
2020-07-08 CVE-2020-3973 Vmware SQL Injection vulnerability in VMWare Velocloud Orchestrator

The VeloCloud Orchestrator does not apply correct input validation which allows for blind SQL-injection.

6.5
2020-07-07 CVE-2020-12736 Code42 Improper Privilege Management vulnerability in Code42

Code42 environments with on-premises server versions 7.0.4 and earlier allow for possible remote code execution.

6.5
2020-07-07 CVE-2020-15515 Turn Project Injection vulnerability in Turn! Project Turn!

The turn extension through 0.3.2 for TYPO3 allows Remote Code Execution.

6.5
2020-07-07 CVE-2020-4077 Electronjs Unspecified vulnerability in Electronjs Electron 7.0.0/8.0.0/9.0.0

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass.

6.5
2020-07-06 CVE-2020-6013 Checkpoint Improper Privilege Management vulnerability in Checkpoint Zonealarm Extreme Security

ZoneAlarm Firewall and Antivirus products before version 15.8.109.18436 allow an attacker who already has access to the system to execute code at elevated privileges through a combination of file permission manipulation and exploitation of Windows CVE-2020-00896 on unpatched systems.

6.5
2020-07-06 CVE-2020-5371 Dell Incorrect Permission Assignment for Critical Resource vulnerability in Dell EMC Isilon Onefs and EMC Powerscale Onefs

Dell EMC Isilon OneFS versions 8.2.2 and earlier and Dell EMC PowerScale version 9.0.0 contain a file permissions vulnerability.

6.5
2020-07-09 CVE-2020-7692 Google Missing Authorization vulnerability in Google Oauth Client Library for Java

PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps.

6.4
2020-07-07 CVE-2020-15565 XEN
Debian
Resource Exhaustion vulnerability in multiple products

An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d.

6.1
2020-07-10 CVE-2020-11061 Bareos Heap-based Buffer Overflow vulnerability in Bareos

In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job.

6.0
2020-07-10 CVE-2020-8190 Citrix Improper Preservation of Permissions vulnerability in Citrix products

Incorrect file permissions in Citrix ADC and Citrix Gateway before versions 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows privilege escalation.

6.0
2020-07-07 CVE-2020-15008 Connectwise SQL Injection vulnerability in Connectwise Automate 2019.12

A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12.

6.0
2020-07-10 CVE-2020-5607 SS Proj Open Redirect vulnerability in Ss-Proj Shirasagi

Open redirect vulnerability in SHIRASAGI v1.13.1 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

5.8
2020-07-09 CVE-2020-14171 Atlassian Cleartext Transmission of Sensitive Information vulnerability in Atlassian Bitbucket

Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack.

5.8
2020-07-08 CVE-2020-1982 Paloaltonetworks Inadequate Encryption Strength vulnerability in Paloaltonetworks Pan-Os

Certain communication between PAN-OS and cloud-delivered services inadvertently use TLS 1.0, which is known to be a cryptographically weak protocol.

5.8
2020-07-08 CVE-2020-5764 Mxplayer Path Traversal vulnerability in Mxplayer MX Player

MX Player Android App versions prior to v1.24.5, are vulnerable to a directory traversal vulnerability when user is using the MX Transfer feature in "Receive" mode.

5.8
2020-07-07 CVE-2020-11882 Telefonica Open Redirect vulnerability in Telefonica O2 Business 1.2.0

The O2 Business application 1.2.0 for Android exposes the canvasm.myo2.SplashActivity activity to other applications.

5.8
2020-07-07 CVE-2020-15516 MM Forum Project Cross-Site Request Forgery (CSRF) vulnerability in MM Forum Project MM Forum

The mm_forum extension through 1.9.5 for TYPO3 allows XSS that can be exploited via CSRF.

5.8
2020-07-10 CVE-2020-8193 Citrix Missing Authorization vulnerability in Citrix products

Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.

5.0
2020-07-10 CVE-2020-8187 Citrix Improper Input Validation vulnerability in Citrix products

Improper input validation in Citrix ADC and Citrix Gateway versions before 11.1-63.9 and 12.0-62.10 allows unauthenticated users to perform a denial of service attack.

5.0
2020-07-09 CVE-2020-15093 Amazon Improper Verification of Cryptographic Signature vulnerability in Amazon Tough

The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures.

5.0
2020-07-09 CVE-2020-13993 Mods FOR Hesk SQL Injection vulnerability in Mods-For-Hesk Mods FOR Hesk

An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0.

5.0
2020-07-09 CVE-2020-7693 Sockjs Project Improper Input Validation vulnerability in Sockjs Project Sockjs

Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps.

5.0
2020-07-09 CVE-2020-9376 Dlink Information Exposure vulnerability in Dlink Dir-610 Firmware

** UNSUPPORTED WHEN ASSIGNED ** D-Link DIR-610 devices allow Information Disclosure via SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1 to getcfg.php.

5.0
2020-07-08 CVE-2019-19417 Huawei Improper Input Validation vulnerability in Huawei products

The SIP module of some Huawei products have a denial of service (DoS) vulnerability.

5.0
2020-07-08 CVE-2019-19416 Huawei Improper Input Validation vulnerability in Huawei products

The SIP module of some Huawei products have a denial of service (DoS) vulnerability.

5.0
2020-07-08 CVE-2019-19415 Huawei Improper Input Validation vulnerability in Huawei products

The SIP module of some Huawei products have a denial of service (DoS) vulnerability.

5.0
2020-07-08 CVE-2020-6938 Tableau Information Exposure Through Log Files vulnerability in Tableau Server

A sensitive information disclosure vulnerability in Tableau Server 10.5, 2018.x, 2019.x, 2020.x released before June 26, 2020, could allow access to sensitive information in log files.

5.0
2020-07-08 CVE-2020-5839 Symantec Information Exposure vulnerability in Symantec Endpoint Detection and Response 4.1.0/4.2.0/4.3.0

Symantec Endpoint Detection And Response, prior to 4.4, may be susceptible to an information disclosure issue, which is a type of vulnerability that could potentially allow unauthorized access to data.

5.0
2020-07-08 CVE-2020-11994 Apache Injection vulnerability in Apache Camel

Server-Side Template Injection and arbitrary file disclosure on Camel templating components

5.0
2020-07-07 CVE-2020-15581 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software.

5.0
2020-07-07 CVE-2020-15579 Google Unspecified vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software.

5.0
2020-07-07 CVE-2020-15576 Solarwinds Information Exposure vulnerability in Solarwinds Serv-U 15.1.6

SolarWinds Serv-U File Server before 15.2.1 allows information disclosure via an HTTP response.

5.0
2020-07-07 CVE-2020-15574 Solarwinds Missing Encryption of Sensitive Data vulnerability in Solarwinds Serv-U 15.1.6

SolarWinds Serv-U File Server before 15.2.1 mishandles the Same-Site cookie attribute, aka Case Number 00331893.

5.0
2020-07-07 CVE-2020-15525 Gitlab Improper Privilege Management vulnerability in Gitlab

GitLab EE 11.3 through 13.1.2 has Incorrect Access Control because of the Maven package upload endpoint.

5.0
2020-07-07 CVE-2020-15513 Mittwald Incorrect Authorization vulnerability in Mittwald Typo3 Forum

The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access Control.

5.0
2020-07-07 CVE-2020-15392 Venki Information Exposure vulnerability in Venki Supravizio BPM 10.1.2

A user enumeration vulnerability flaw was found in Venki Supravizio BPM 10.1.2.

5.0
2020-07-07 CVE-2020-15367 Venki Improper Restriction of Excessive Authentication Attempts vulnerability in Venki Supravizio BPM 10.1.2

Venki Supravizio BPM 10.1.2 does not limit the number of authentication attempts.

5.0
2020-07-07 CVE-2020-5600 Mitsubishielectric Resource Exhaustion vulnerability in Mitsubishielectric Coreos 05.65.00.Bd/Y

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a resource management error vulnerability, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet.

5.0
2020-07-07 CVE-2020-5598 Mitsubishielectric Incorrect Authorization vulnerability in Mitsubishielectric Coreos 05.65.00.Bd/Y

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper access control vulnerability, which may which may allow a remote attacker tobypass access restriction and stop the network functions of the products or execute a malicious program via a specially crafted packet.

5.0
2020-07-07 CVE-2020-5597 Mitsubishielectric NULL Pointer Dereference vulnerability in Mitsubishielectric Coreos Y

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a null pointer dereference vulnerability, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet.

5.0
2020-07-07 CVE-2020-5596 Mitsubishielectric Session Fixation vulnerability in Mitsubishielectric Coreos Y

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) does not properly manage sessions, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet.

5.0
2020-07-07 CVE-2020-15507 Mobileiron Information Exposure vulnerability in Mobileiron products

An arbitrary file reading vulnerability in MobileIron Core versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to read files on the system via unspecified vectors.

5.0
2020-07-06 CVE-2020-5372 Dell Incorrect Authorization vulnerability in Dell products

Dell EMC PowerStore versions prior to 1.0.1.0.5.002 contain a vulnerability that exposes test interface ports to external network.

5.0
2020-07-06 CVE-2020-5368 Dell Missing Authorization vulnerability in Dell Vxrail D560 Firmware and Vxrail D560F Firmware

Dell EMC VxRail versions 4.7.410 and 4.7.411 contain an improper authentication vulnerability.

5.0
2020-07-06 CVE-2020-14303 Samba
Fedoraproject
Opensuse
Improper Input Validation vulnerability in multiple products

A flaw was found in the AD DC NBT server in all Samba versions before 4.10.17, before 4.11.11 and before 4.12.4.

5.0
2020-07-07 CVE-2020-15564 XEN
Debian
Improper Input Validation vulnerability in multiple products

An issue was discovered in Xen through 4.13.x, allowing Arm guest OS users to cause a hypervisor crash because of a missing alignment check in VCPUOP_register_vcpu_info.

4.9
2020-07-06 CVE-2020-9395 Realtek Classic Buffer Overflow vulnerability in Realtek products

An issue was discovered on Realtek RTL8195AM, RTL8711AM, RTL8711AF, and RTL8710AF devices before 2.0.6.

4.9
2020-07-07 CVE-2020-15566 XEN
Debian
Improper Handling of Exceptional Conditions vulnerability in multiple products

An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a host OS crash because of incorrect error handling in event-channel port allocation.

4.7
2020-07-07 CVE-2020-15563 XEN
Debian
Improper Input Validation vulnerability in multiple products

An issue was discovered in Xen through 4.13.x, allowing x86 HVM guest OS users to cause a hypervisor crash.

4.7
2020-07-10 CVE-2020-8199 Citrix Improper Privilege Management vulnerability in Citrix Gateway Plug-In for Linux

Improper access control in Citrix ADC Gateway Linux client versions before 1.0.0.137 results in local privilege escalation to root.

4.6
2020-07-08 CVE-2020-5974 Nvidia Incorrect Default Permissions vulnerability in Nvidia Jetpack Software Development KIT 4.2/4.3

NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in its installation scripts in which permissions are incorrectly set on certain directories, which can lead to escalation of privileges.

4.6
2020-07-10 CVE-2020-11081 Linuxfoundation Process Control vulnerability in Linuxfoundation Osquery

osquery before version 4.4.0 enables a privilege escalation vulnerability.

4.4
2020-07-07 CVE-2020-15567 XEN
Debian
Improper Privilege Management vulnerability in multiple products

An issue was discovered in Xen through 4.13.x, allowing Intel guest OS users to gain privileges or cause a denial of service because of non-atomic modification of a live EPT PTE.

4.4
2020-07-06 CVE-2020-9100 Huawei Untrusted Search Path vulnerability in Huawei Hisuite

Earlier than HiSuite 10.1.0.500 have a DLL hijacking vulnerability.

4.4
2020-07-10 CVE-2020-4042 Bareos Authentication Bypass by Capture-replay vulnerability in Bareos

Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself.

4.3
2020-07-10 CVE-2020-8198 Citrix Cross-site Scripting vulnerability in Citrix products

Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in Stored Cross-Site Scripting (XSS).

4.3
2020-07-10 CVE-2020-8194 Citrix Code Injection vulnerability in Citrix products

Reflected code injection in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows the modification of a file download.

4.3
2020-07-10 CVE-2020-8191 Citrix Cross-site Scripting vulnerability in Citrix products

Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows reflected Cross Site Scripting (XSS).

4.3
2020-07-09 CVE-2020-4173 IBM Unspecified vulnerability in IBM products

IBM Guardium Activity Insights 10.6 and 11.0 does not set the secure attribute on authorization tokens or session cookies.

4.3
2020-07-09 CVE-2020-15299 King Theme Cross-site Scripting vulnerability in King-Theme Kingcomposer 2.7.6/2.9.4

A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is executed in the victim's browser.

4.3
2020-07-09 CVE-2020-15000 Yubico Unspecified vulnerability in Yubico Yubikey 5 NFC Firmware

A PIN management problem was discovered on Yubico YubiKey 5 devices 5.2.0 to 5.2.6.

4.3
2020-07-09 CVE-2020-15526 RED Gate Information Exposure vulnerability in Red-Gate SQL Monitor

In Redgate SQL Monitor 7.1.4 through 10.1.6 (inclusive), the scope for disabling some TLS security certificate checks can extend beyond that defined by various options on the Configuration > Notifications pages to disable certificate checking for alert notifications.

4.3
2020-07-09 CVE-2020-13992 Mods FOR Hesk Cross-site Scripting vulnerability in Mods-For-Hesk Mods FOR Hesk

An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0.

4.3
2020-07-09 CVE-2020-12425 Mozilla Out-of-bounds Read vulnerability in Mozilla Firefox

Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have occurred, leading to potential information disclosure.

4.3
2020-07-09 CVE-2020-12421 Mozilla Improper Certificate Validation vulnerability in Mozilla Firefox

When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user.

4.3
2020-07-09 CVE-2020-12418 Mozilla Out-of-bounds Read vulnerability in Mozilla Firefox

Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript.

4.3
2020-07-09 CVE-2020-12415 Mozilla Incorrect Default Permissions vulnerability in Mozilla Firefox

When "%2F" was present in a manifest URL, Firefox's AppCache behavior may have become confused and allowed a manifest to be served from a subdirectory.

4.3
2020-07-09 CVE-2020-12414 Mozilla Incomplete Cleanup vulnerability in Mozilla Firefox

IndexedDB should be cleared when leaving private browsing mode and it is not, the API for WKWebViewConfiguration was being used incorrectly and requires the private instance of this object be deleted when leaving private mode.

4.3
2020-07-09 CVE-2020-12412 Mozilla Unspecified vulnerability in Mozilla Firefox

By navigating a tab using the history API, an attacker could cause the address bar to display the incorrect domain (with the https:// scheme, a blocked port number such as '1', and without a lock icon) while controlling the page contents.

4.3
2020-07-09 CVE-2020-12408 Mozilla Injection vulnerability in Mozilla Firefox

When browsing a document hosted on an IP address, an attacker could insert certain characters to flip domain and path information in the address bar.

4.3
2020-07-09 CVE-2020-12404 Mozilla Information Exposure vulnerability in Mozilla Firefox

For native-to-JS bridging the app requires a unique token to be passed that ensures non-app code can't call the bridging functions.

4.3
2020-07-09 CVE-2020-12398 Mozilla
Canonical
Cleartext Transmission of Sensitive Information vulnerability in multiple products

If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection.

4.3
2020-07-09 CVE-2020-12424 Mozilla Incorrect Default Permissions vulnerability in Mozilla Firefox

When constructing a permission prompt for WebRTC, a URI was supplied from the content process.

4.3
2020-07-08 CVE-2020-7140 HP Cross-site Scripting vulnerability in HP Icewall SSO DFW and Icewall SSO Dgfw

A security vulnerability in HPE IceWall SSO Dfw and Dgfw (Domain Gateway Option) could be exploited remotely to cause a remote cross-site scripting (XSS).

4.3
2020-07-07 CVE-2020-15600 Cmsuno Project Cross-Site Request Forgery (CSRF) vulnerability in Cmsuno Project Cmsuno

An issue was discovered in CMSUno before 1.6.1.

4.3
2020-07-07 CVE-2020-15599 Victor CMS Project Cross-site Scripting vulnerability in Victor CMS Project Victor CMS 1.0/20180510/20190228

Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.

4.3
2020-07-07 CVE-2019-19935 Froala Cross-site Scripting vulnerability in Froala Editor

Froala Editor before 3.2.3 allows XSS.

4.3
2020-07-07 CVE-2019-4324 Hcltech Cross-site Scripting vulnerability in Hcltech Appscan 10.0.0/9.0.3.14

"HCL AppScan Enterprise is susceptible to Cross-Site Scripting while importing a specially crafted test policy."

4.3
2020-07-07 CVE-2019-4323 Hcltech Improper Restriction of Rendered UI Layers or Frames vulnerability in Hcltech Appscan 10.0.0/9.0.3.14

"HCL AppScan Enterprise advisory API documentation is susceptible to clickjacking, which could allow an attacker to embed the contents of untrusted web pages in a frame."

4.3
2020-07-07 CVE-2020-15582 Google Classic Buffer Overflow vulnerability in Google Android 10.0/9.0

An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (Exynos 7885 chipsets) software.

4.3
2020-07-07 CVE-2020-15575 Solarwinds Cross-site Scripting vulnerability in Solarwinds Serv-U 15.1.6

SolarWinds Serv-U File Server before 15.2.1 allows XSS as demonstrated by Tenable Scan, aka Case Number 00484194.

4.3
2020-07-07 CVE-2020-15573 Solarwinds Cross-site Scripting vulnerability in Solarwinds Serv-U 15.1.6

SolarWinds Serv-U File Server before 15.2.1 has a "Cross-script vulnerability," aka Case Numbers 00041778 and 00306421.

4.3
2020-07-06 CVE-2020-9226 Huawei Improper Verification of Cryptographic Signature vulnerability in Huawei P30 Firmware

HUAWEI P30 with versions earlier than 10.1.0.135(C00E135R2P11) have an improper signature verification vulnerability.

4.3
2020-07-06 CVE-2019-8252 Adobe Type Confusion vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a type confusion vulnerability.

4.3
2020-07-06 CVE-2019-8251 Adobe Type Confusion vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a type confusion vulnerability.

4.3
2020-07-06 CVE-2020-15570 Whoopsie Project Allocation of Resources Without Limits or Throttling vulnerability in Whoopsie Project Whoopsie

The parse_report() function in whoopsie.c in Whoopsie through 0.2.69 mishandles memory allocation failures, which allows an attacker to cause a denial of service via a malformed crash file.

4.3
2020-07-06 CVE-2020-15569 Milkytracker Project Use After Free vulnerability in Milkytracker Project Milkytracker

PlayerGeneric.cpp in MilkyTracker through 1.02.00 has a use-after-free in the PlayerGeneric destructor.

4.3
2020-07-06 CVE-2020-7691 Parall Cross-site Scripting vulnerability in Parall Jspdf

In all versions of the package jspdf, it is possible to use <<script>script> in order to go over the filtering regex.

4.3
2020-07-06 CVE-2020-7690 Parall Cross-site Scripting vulnerability in Parall Jspdf

All affected versions <2.0.0 of package jspdf are vulnerable to Cross-site Scripting (XSS).

4.3
2020-07-06 CVE-2020-15562 Roundcube
Debian
Cross-site Scripting vulnerability in multiple products

An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7.

4.3
2020-07-10 CVE-2020-8196 Citrix Missing Authorization vulnerability in Citrix products

Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.

4.0
2020-07-10 CVE-2020-8195 Citrix Improper Input Validation vulnerability in Citrix products

Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.

4.0
2020-07-10 CVE-2020-8181 Nextcloud Unrestricted Upload of File with Dangerous Type vulnerability in Nextcloud Contacts

A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars.

4.0
2020-07-09 CVE-2020-14170 Atlassian Server-Side Request Forgery (SSRF) vulnerability in Atlassian Bitbucket

Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability.

4.0
2020-07-09 CVE-2020-5366 Dell Path Traversal vulnerability in Dell Idrac9 Firmware

Dell EMC iDRAC9 versions prior to 4.20.20.20 contain a Path Traversal Vulnerability.

4.0
2020-07-07 CVE-2020-10730 Samba
Redhat
Opensuse
Fedoraproject
Use After Free vulnerability in multiple products

A NULL pointer dereference, or possible use-after-free flaw was found in Samba AD LDAP server in versions before 4.10.17, before 4.11.11 and before 4.12.4.

4.0
2020-07-07 CVE-2020-15096 Electronjs Unspecified vulnerability in Electronjs Electron

In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

4.0
2020-07-06 CVE-2020-10760 Samba
Canonical
Opensuse
Fedoraproject
Use After Free vulnerability in multiple products

A use-after-free flaw was found in all samba LDAP server versions before 4.10.17, before 4.11.11, before 4.12.4 used in a AC DC configuration.

4.0
2020-07-06 CVE-2019-14900 Hibernate
Redhat
Quarkus
SQL Injection vulnerability in multiple products

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1.

4.0
2020-07-06 CVE-2020-5356 Dell Files or Directories Accessible to External Parties vulnerability in Dell products

Dell PowerProtect Data Manager (PPDM) versions prior to 19.4 and Dell PowerProtect X400 versions prior to 3.2 contain an improper authorization vulnerability.

4.0

38 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-07-06 CVE-2020-1839 Huawei Race Condition vulnerability in Huawei Mate 30 Firmware 10.0.0.205(C00E201R7P2)/10.1.0.126(C00E125R5P3)

HUAWEI Mate 30 with versions earlier than 10.1.0.150(C00E136R5P3) have a race condition vulnerability.

3.7
2020-07-10 CVE-2020-15105 Django TWO Factor Authentication Project Cleartext Storage of Sensitive Information vulnerability in Django Two-Factor Authentication Project Django Two-Factor Authentication

Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded).

3.6
2020-07-07 CVE-2020-4076 Electronjs Unspecified vulnerability in Electronjs Electron 7.0.0/8.0.0/9.0.0

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass.

3.6
2020-07-09 CVE-2020-15092 Northwestern Cross-site Scripting vulnerability in Northwestern Timelinejs

In TimelineJS before version 3.7.0, some user data renders as HTML.

3.5
2020-07-08 CVE-2020-15073 Phplist Cross-site Scripting vulnerability in PHPlist

An issue was discovered in phpList through 3.5.4.

3.5
2020-07-07 CVE-2020-15035 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

3.5
2020-07-07 CVE-2020-15034 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

3.5
2020-07-07 CVE-2020-15033 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

3.5
2020-07-07 CVE-2020-15032 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

3.5
2020-07-07 CVE-2020-15031 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

3.5
2020-07-07 CVE-2020-15030 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

3.5
2020-07-07 CVE-2020-15029 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

3.5
2020-07-07 CVE-2020-15028 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to a cross-site scripting (XSS) attack.

3.5
2020-07-07 CVE-2020-15037 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

3.5
2020-07-07 CVE-2020-15036 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

3.5
2020-07-07 CVE-2020-15517 Faceted Search Project Cross-site Scripting vulnerability in Faceted Search Project Faceted Search

The ke_search (aka Faceted Search) extension through 2.8.2, and 3.x through 3.1.3, for TYPO3 allows XSS.

3.5
2020-07-07 CVE-2020-15514 JH Captcha Project Cross-site Scripting vulnerability in JH Captcha Project JH Captcha

The jh_captcha extension through 2.1.3, and 3.x through 3.0.2, for TYPO3 allows XSS.

3.5
2020-07-10 CVE-2020-9260 Huawei Information Exposure vulnerability in Huawei P30 Firmware and P30 PRO Firmware

HUAWEI P30 and HUAWEI P30 Pro smartphones with versions earlier than 10.1.0.123(C432E22R2P5) and versions earlier than 10.1.0.160(C00E160R2P8) have an information disclosure vulnerability.

3.3
2020-07-07 CVE-2020-15509 Nordicsemi Missing Encryption of Sensitive Data vulnerability in Nordicsemi Android BLE Library and DFU Library

Nordic Semiconductor Android BLE Library through 2.2.1 and DFU Library through 1.10.4 for Android (as used by nRF Connect and other applications) can engage in unencrypted communication while showing the user that the communication is purportedly encrypted.

3.3
2020-07-09 CVE-2020-15001 Yubico Information Exposure vulnerability in Yubico Yubikey 5 NFC Firmware

An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1.

2.9
2020-07-06 CVE-2020-1836 Huawei Information Exposure vulnerability in Huawei P30 Firmware and P30 PRO Firmware

HUAWEI P30 with versions earlier than 10.1.0.160(C00E160R2P11) and HUAWEI P30 Pro with versions earlier than 10.1.0.160(C00E160R2P8) have an information disclosure vulnerability.

2.9
2020-07-06 CVE-2020-1837 Huawei Improper Input Validation vulnerability in Huawei Changxiang 8 Plus Firmware 9.1.0.111(C00E111R1P6T8)

ChangXiang 8 Plus with versions earlier than 9.1.0.136(C00E121R1P6T8) have a denial of service vulnerability.

2.9
2020-07-09 CVE-2020-12407 Mozilla Information Exposure vulnerability in Mozilla Firefox

Mozilla Developer Nicolas Silva found that when using WebRender, Firefox would under certain conditions leak arbitrary GPU memory to the visible screen.

2.6
2020-07-09 CVE-2020-12405 Mozilla Use After Free vulnerability in Mozilla Firefox

When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash.

2.6
2020-07-09 CVE-2020-13132 Yubico Use of a Broken or Risky Cryptographic Algorithm vulnerability in Yubico products

An issue was discovered in Yubico libykpiv before 2.1.0.

2.1
2020-07-09 CVE-2020-10756 Libslirp Project
Redhat
Debian
Opensuse
Canonical
Out-of-bounds Read vulnerability in multiple products

An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator.

2.1
2020-07-07 CVE-2020-8916 Openthread Memory Leak vulnerability in Openthread Wpantund 20200528

A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS).

2.1
2020-07-07 CVE-2020-15583 Google Path Traversal vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software.

2.1
2020-07-07 CVE-2020-15580 Google Unspecified vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software.

2.1
2020-07-07 CVE-2020-15578 Google Incorrect Default Permissions vulnerability in Google Android 8.0/8.1

An issue was discovered on Samsung mobile devices with O(8.x) software.

2.1
2020-07-07 CVE-2020-15577 Google Unspecified vulnerability in Google Android 10.0/9.0

An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software.

2.1
2020-07-07 CVE-2020-4075 Electronjs Files or Directories Accessible to External Parties vulnerability in Electronjs Electron 7.0.0/8.0.0/9.0.0

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open.

2.1
2020-07-10 CVE-2020-9258 Huawei Information Exposure vulnerability in Huawei P30 Firmware

HUAWEI P30 smartphone with versions earlier than 10.1.0.135(C00E135R2P11) have an improper input verification vulnerability.

1.9
2020-07-09 CVE-2020-13131 Yubico Out-of-bounds Read vulnerability in Yubico products

An issue was discovered in Yubico libykpiv before 2.1.0.

1.9
2020-07-07 CVE-2020-15095 CLI Project
Opensuse
Information Exposure Through Log Files vulnerability in multiple products

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files.

1.9
2020-07-06 CVE-2020-1838 Huawei Improper Authentication vulnerability in Huawei Mate 30 PRO Firmware 10.0.0.203(C00E202R7P2)/10.0.0.205(C00E202R7P2)

HUAWEI Mate 30 Pro with versions earlier than 10.1.0.150(C00E136R5P3) have is an improper authentication vulnerability.

1.9
2020-07-09 CVE-2020-12402 Mozilla
Fedoraproject
Opensuse
Debian
Information Exposure Through Discrepancy vulnerability in multiple products

During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow.

1.2
2020-07-09 CVE-2020-12399 Mozilla
Debian
Information Exposure Through Discrepancy vulnerability in multiple products

NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys.

1.2