
Time for a mobile privacy reset?

Chrome zero-day in the wild – patch now!

Russian “government hackers” charged with cybercrimes by the US

Naked Security Live – Ping of Death: are you at risk?

S3 Ep2: Creepy smartwatches, botnets and Pings of Death – Podcast

US Department of Justice reignites the Battle to Break Encryption

Windows “Ping of Death” bug revealed – patch now!

Creepy covert camera “feature” found in popular smartwatch for kids

Microsoft on the counterattack! Trickbot malware network takes a hit

Naked Security Live – Cybersecurity tips for your own network

Cisco Warns of Severe DoS Flaws in Network Security Software

Microsoft Teams Phishing Attack Targets Office 365 Users

Facebook, News and XSS Underpin Complex Browser Locker Attack

Researcher: I Hacked Trump’s Twitter by Guessing Password

Chrome 86 Aims to Bar Abusive Notification Content

Feds: Iran Behind 'Proud Boys' Email Attacks on Democratic Voters

Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks

Oracle Kills 402 Bugs in Massive October Patch Update

Egregor Claims Responsibility for Barnes & Noble Attack, Leaks Data

Ryuk Ransomware Gang Uses Zerologon Bug for Lightning-Fast Attack

Phishers Capitalize on Headlines with Breakneck Speed

Microsoft Fixes RCE Flaws in Out-of-Band Windows Update

305 CVEs and Counting: Bug-Hunting Stories From a Security Engineer

A Cyber 'Vigilante' is Sabotaging Emotet's Return

Black Hat USA 2020: Critical Meetup.com Flaws Reveal Common AppSec Holes

Encryption Under ‘Full-Frontal Nuclear Assault’ By U.S. Bills

Going Down the Spyware Rabbit Hole with SilkBean Mobile Malware

Microsoft is the Most-Imitated Brand for Phishing Emails

BEC Attacks: Nigeria No Longer the Epicenter as Losses Top $26B

Account Takeover Fraud Losses Total Billions Across Online Retailers

Industrial Cyberattacks Get Rarer but More Complex

Phishing Lures Shift from COVID-19 to Job Opportunities

News Wrap: Barnes & Noble Hack, DDoS Extortion Threats and More

Critical Industrial Flaws Pose Patching Headache For Manufacturers

Vulnerability Disclosure: Ethical Hackers Seek Best Practices

Disinformation Spurs a Thriving Industry as U.S. Election Looms

News Wrap: AWS Cryptojacking Worm, IBM Privacy Lawsuit and More

Researchers Warn of Active Malware Campaign Using HTML Smuggling

New Global Threat Landscape Report Reveals 'Unprecedented' Cyberattacks

Cybercriminals Step Up Their Game Ahead of U.S. Elections

Chris Vickery: AI Will Drive Tomorrow’s Data Breaches

The Enemy Within: How Insider Threats Are Changing

BEC Gang Exploits G Suite, Long Domain Names in Cyberattacks

Fake Skype, Signal Apps Used to Spread Surveillanceware

Tokyo Olympics Postponed, But 5G Security Lessons Shine

2020 Cybersecurity Trends to Watch

Top Mobile Security Stories of 2019

Facebook Security Debacles: 2019 Year in Review

Biggest Malware Threats of 2019

Top 10 IoT Disasters of 2019

2019 Malware Trends to Watch

Top 2018 Security and Privacy Stories

2019: The Year Ahead in Cybersecurity

2018: A Banner Year for Breaches

7 Mobile Browsers Vulnerable to Address-Bar Spoofing

Credential-Stuffing Attacks Plague Loyalty Programs

WordPress Plug-in Updated in Rare Forced Action

8 New and Hot Cybersecurity Certifications for 2020

To Err Is Human: Misconfigurations & Employee ...

McAfee Raises $740M in Second IPO

Need for 'Guardrails' in Cloud-Native Applications ...

Implementing Proactive Cyber Controls in OT: Myths ...

FIRST Announces Cyber-Response Ethical Guidelines

Oracle Releases Another Mammoth Security Patch Update

Ubiq Rolls Out Encryption-as-a-Service Platform ...

As Smartphones Become a Hot Target, Can Mobile EDR ...

Dealing With Insider Threats in the Age of COVID

How AI Will Supercharge Spear-Phishing

IASME Consortium to Kick-start New IoT Assessment ...

Iranian Cyberattack Group Deploys New PowGoop ...

Are You One COVID-19 Test Away From a Cybersecurity ...

Modern Day Insider Threat: Network Bugs That Are ...

Ransomware Attacks Show Little Sign of Slowing in 2021

Do Standards Exist That Certify Secure IoT Systems?

Oregon Retailer Suffers Sustained Data Breach

Attackers Spoof Microsoft Teams

#InfosecurityOnline: Adapting Security Strategies to Growing Digitalization

Fraud Analysts Miss Dark Web Data

#InfosecurityOnline: Tactics for Defending Against Credential Stuffing

KashmirBlack Botnet Uses DevOps to Stay Agile

#InfosecurityOnline: The Three Key Elements of Zero-Trust

Retail, Hospitality and Travel Hit by 64 Billion Credential Stuffing Attacks

US: Iran Was Behind Proud Boys Email Campaign

Ransomware Defense with Micro-Segmentation

Extended Threat Detection and Response: Critical Steps and a Critical System

Security in the Cloud - Emerging Threats & the Future

The Remote Workplace: Managing the New Threat Landscape with ISO 27001

Lessons Learned from the Twitter Spear Phishing Attack

A Better Defense: Does Modern Security Fit With Modern Attacks?

What an Insider Threat Strategy Should Consist of for Effective Detection

Utilizing Native IaaS Controls to Ensure and Achieve Continuous Security

How to manage open source risk

Faster Detection and Response with MITRE ATT&CK

Does Phishing Prevention Require Better Technology, Detection or Strategy?

Securing Remote Access to Critical Infrastructure: The Key to Industrial Digital Transformation

Major Data Breach at Ohio School District

Waze Vulnerability Lets Attackers Track and Identify Users

Google Was Hit by 2.5Tbps DDoS

Pfizer Exposes Data on Hundreds of Prescription Drug Users

NSA: Patch These 25 CVEs Exploited by Chinese Attackers

#InfosecurityOnline: Beware of Malicious URLs and Rogue Redirects

Establishing a Successful DevSecOps Program: Lessons Learned

Risk-Based Security for Your Organization

Endpoint Security Primary Pain Point in 2020

Corporate Credentials on the Dark Web Up by 429% This Year

#InfosecurityOnline: Are the Cloud and Automation Driving or Hindering Your Business?

Deep Instinct Appoints Goldman Sachs Partner as CFO

US Files Antitrust Lawsuit Against Google

M&S Boss Spoofed in Gift Voucher Scam

New Security Incident Response Ethics Guidelines Released

#InfosecurityOnline: Utilizing Automation in New Security Architecture

Trust in Remote Working Tools Declines as Need for Security Increases

#InfosecurityOnline: Consider Flexible Training for Different Skill Sets

Major Lessons to be Learned from 2020 Security Mishaps

Ransomware groups are going corporate

Attackers prey on Microsoft Teams accounts to steal credentials

Experts read into how B&N cyberattack affected NOOK and store terminals

NSA releases list of 25 vulnerabilities targeted by China

Less than half of ethnic minority professionals in cyber feel they get equal opportunities

SC Media aces phishing test (whew!), but average score was only 52%

Watch: actionable threat intelligence

Threat intelligence starts with strong relationships

Five ways security pros can lock down stay-at-home workers

Why companies should reject ‘adjunct surveillance’ and any unethical user data collection

Here’s a five-step security plan for industrial environments

URL address spoofing flaw keeps mobile victims from determining fake, real sites

Cybersecurity and a potential Biden White House: Past tech priorities resurrected

Cyber Solarium Commission lays out plan to secure supply chain

Phishing scams use redirects to steal Office 365, Facebook credentials

US indicts six Russian officers for NotPetya, Ukrainian blackouts, other attacks

$1M Cyber Resiliency Fund launched to support security operations impacted by pandemic

EU sanctions Russia over 2015 German Parliament hack


US Says Iran Is Behind Threatening ‘Proud Boys’ Emails About Mail-In Vote


Red Hat Security Advisory 2020-4312-01

Red Hat Security Advisory 2020-4311-01

Red Hat Security Advisory 2020-4307-01

Ubuntu Security Notice USN-4598-1

Ubuntu Security Notice USN-4597-1

Red Hat Security Advisory 2020-4304-01

Red Hat Security Advisory 2020-4305-01

Red Hat Security Advisory 2020-4306-01

Red Hat Security Advisory 2020-4223-01

A Short Tale Of Proxy Leakage

Ubuntu Security Notice USN-4588-1

Ubuntu Security Notice USN-4586-1

Ubuntu Security Notice USN-4587-1

nfstream 6.2.0

BigBlueButton 2.2.25 File Disclosure / Server-Side Request Forgery

Ubuntu Security Notice USN-4596-1

Red Hat Security Advisory 2020-4295-01

Bludit 3.9.2 Bruteforce Mitigation Bypass

Tiki Wiki CMS Groupware 21.1 Authentication Bypass

Libtaxii 1.1.117 / OpenTaxi 0.2.0 Server-Side Request Forgery

Red Hat Security Advisory 2020-4264-01

Ubuntu Security Notice USN-4595-1

GOautodial 4.0 Shell Upload

Ubuntu Security Notice USN-4594-1

School Faculty Scheduling System 1.0 SQL Injection

German Bundeswehr starts own Responsible Disclosure Program (VDPBw) | Vulnerability Magazine - Acknowledgements, Bug Bounties & Security Research

Adobe releases another out-of-band patch, squashing critical bugs across creative software


Google Patches Actively-Exploited Zero-Day Bug in Chrome Browser

Adblockers installed 300,000 times are malicious and should be removed now

NSA publishes list of top vulnerabilities currently targeted by Chinese hackers

FCC trying to help Trump win election with Twitter crackdown, Democrats say

Mysterious 'Robin Hood' hackers donating stolen money

Tokyo Olympics: Russian hackers targeted Games, UK says

This new malware uses remote overlay attacks to hijack your bank account

Automation of Cyberattack Countermeasures Using AI and Machine Learning | by Saurav Rana | The Startup | Oct, 2020 | Medium

Saurav Rana – Medium

How AppSec Can Help Balance Product Usability With Security | by James Chiappetta | The Startup | Oct, 2020 | Medium

How do cloud drives work? | How is your data stored in cloud? | Data Driven Investor

Data Driven Investor – Medium

YouTube Is So Flooded With Political Ads It Can’t Place Them All | by Bloomberg | Bloomberg | Oct, 2020 | Medium

Bitcoin Surges to Highest Since July 2019 After PayPal Embrace | by Bloomberg | Bloomberg | Oct, 2020 | Medium

Google Accused by U.S. of Abusing Market Power in Landmark Case | by Bloomberg | Bloomberg | Oct, 2020 | Medium

The Police Can Probably Break Into Your iPhone | by The New York Times | The New York Times | Oct, 2020 | Medium

The New York Times – Medium

The New York Times

OWASP Top Security Vulnerabilities | by Judah Anthony | Codecademy Engineering | Oct, 2020 | Medium

Judah Anthony – Medium

Codecademy Engineering – Medium

Team Merlin – Medium

How to Defend From Hackers as a Consumer | The Innovation

Emma White – Medium

The Innovation – Medium

React Authentication: How to Store JWT in a Cookie | by Ryan Chenkie | Medium

Securing applications with JWT Spring Boot | by Ignacio Oliveto | Wolox | Medium

Silobreaker - 250 Photos - Software - 4th Floor, Holden House, 57 Rathbone Place, W1T 1JU London, UK

Trump's Twitter hacked after Dutch researcher claims he guessed password – report | US news | The Guardian

President Trump’s Twitter accessed by security expert who guessed password “maga2020!” – TechCrunch

CyberSecLabs - Pipercoin - Linux [Walkthrough]

Basic Buffer Overflow Guide – Catharsis | Blog

Frame Control & How to Debate: The Russell Brand Method

Psychotherapy centre's database hacked, patient info held ransom | Yle Uutiset | yle.fi

Lightweight Cryptography Workshop 2020 | CSRC

Reolink 5 Megapixel IP PoE Security Camera Review - RLC-511 and RLC-522 - YouTube

Apple, Opera and Yandex fix browser address bar spoofing bugs, but millions more still left vulnerable – TechCrunch

NSA Advisory on Chinese Government Hacking - Schneier on Security

Detailed Audit of Voatz' Voting App Confirms Security Flaws

Create a HOMEKIT Panic Button! - YouTube

The Missing LNKR

COVID-19 Cyber Attacks - WebARX Security

Guide to Identity and Access Management (IAM) | StarWind Blog

File Carving - Sleuthifer

Iran trying to meddle in U.S. election, Russia obtained voter info


CyberSecLabs - Pipercoin - Linux [Walkthrough] - YouTube

Around Memory forensics in 80 days Part 6 — Total Rekall | by Warlock | Oct, 2020 | Medium

An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques - SentinelLabs

Firefox to remove support for the FTP protocol | ZDNet

Incident: Kleenheat customer names and addresses exposed in system breach | ZDNet - Australian Information Security Awareness and Advisory

President Trump’s Twitter accessed by security expert who guessed password ‘maga2020!’ – TechCrunch

How Master Manipulators Conceal Their Intentions - Kletische

Google exploring using location info to slow coronavirus spread

Cybersecurity Visuals - Schneier on Security

The U.S. wants smartphone location data to fight coronavirus. Privacy advocates are worried.

My cat won't let me pick my lock! - YouTube

Stop the EARN IT Bill Before It Breaks Encryption | EFF Action Center

Dimple picks: Sparrows Black Flags and the Multipick Elite G-Pro kit. - YouTube

curly maple and peterson steel 3 pick EDC - YouTube

Arctic Wolf Scores $200M Round

MMO game Street Mobster leaking data of 1.9 million players | CyberNews

The Cybersecurity Community Demands Transparency, Not Legal Threats | Orca Security

Finally: a usable and secure password policy backed by science

virusbtn: John Demers of the US Department of Justice accuses China of being a safe haven for cybercriminals willing to work on behalf of the state https://t.co/cxCJQmXcjT

virusbtn: WordPress takes rare step to force update for a critical vulnerability in the Loginizer plug-in https://t.co/KlDDB1AWhB https://t.co/qRejcdHTXB

virusbtn: Sophos's @thepacketrat wrote an analysis of the toolset used by the LockBit ransomware https://t.co/meJX16pJ6I https://t.co/gz0MfeRiAD

virusbtn: Symantec looks at recent cyber-espionage activity by the Iran-linked Sweedworm/MuddyWater APT group in the Middle East https://t.co/MWQlbHVeqr

virusbtn: For Tripwire, regular VB author and speaker @lysamyers explains how to make your security awareness program more effective https://t.co/QNs0uwveKc

MITREattack: @Dave_von_S https://t.co/Psgfm96wUF

MITREattack: @FoundCuriosity We're excited too! Unfortunately no, this release will only involve parts of ATT&CK hosted on https://t.co/8KssQkc2HI.

MITREattack: Have a strong attachment to PRE-ATT&CK? Never fear, PRE-ATT&CK's current content will remain available at https://t.co/CojIf2OHpa and https://t.co/vMy5TSaffn. https://t.co/1PyKDpXxPf

MITREattack: We are getting very close to our next ATT&CK release and the retirement of PRE-ATT&CK in its current form. ATT&CK for Enterprise will be adding new tactics to take its place, as described by @_whatshisface at ATT&CKcon 2.0 (https://t.co/wYO7RPXJvH). Watch this space next Tuesday! https://t.co/pHkNcRoDsx

MITREattack: The second part of @Cyb3rPandaH's data sources blog post, and our initial set of data source objects are now out! You can check them out at https://t.co/MVqVFY8BON and https://t.co/yeWYPpY3Kq. Let us know what you think, should this be the future of ATT&CK data sources? https://t.co/eW0DRBaSj8

SpecterOps: SO-CON Talk Announcement - PSExec Talks the Talk, but Can You Walk the Walk? Using PSExec lateral movement, @Nc3pt0r will dissect the attack and map log sources to relevant indicators - a methodology that can be applied to all attacks. Sign up here: https://t.co/5H2HFRjjIo https://t.co/n1Oq1i1zBH

SpecterOps: SO-CON Talk Announcement - Offensive JA3 @0xdab0 will showcase his projects, ja3transport and Satellite, to create custom JA3 signatures for keying payloads to redirectors within your attack infrastructure. Sign up here: https://t.co/5H2HFRjjIo https://t.co/MFH81Mzoxw

SpecterOps: SO-CON Talk Announcement - Rethinking Detection Engineering: False Positives are Bad, False Negatives are Worse @jaredcatkinson will discuss his perspective of common follies of abstraction in detection, triage, and investigation. Sign up here: https://t.co/5H2HFRAUzW https://t.co/NNDxQtw4x5

SpecterOps: SO-CON Talk Announcement - Managing Your Red Team Operations with Ghostwriter @cmaddalena will overview the Ghostwriter platform and how it has significantly reduced the tedium of managing our red team operations. Sign up here: https://t.co/5H2HFRjjIo https://t.co/FmpClBc7fv

TalosSecurity: Talos worked with WAGO, producers of automation controllers used in automotive, rail, power and manufacturing to address 41 vulnerabilities discovered in two controllers. The issues are resolved by a firmware update that is currently available to users. https://t.co/PofJS5MEAc https://t.co/7hTYFTNyhm

TalosSecurity: We've put all our election security content in one place. Get caught up on all our videos, blog posts and papers covering #disinformation, state-sponsored actors and so much more #Election2020 #vote2020 https://t.co/30UGUO9gj9 https://t.co/PTddC9HCIQ

TalosSecurity: The award-winning Dynamic Data Resolver tool has a new update that includes a new architecture for samples using multi-threading #IDAPro #DDR #infosec https://t.co/J273SBK6dH https://t.co/oaQHUIkZs7

MBThreatIntel: XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability https://t.co/YWBpJ924HA #TechSupportScam #Browlock https://t.co/MdCHtcIrkh

MBThreatIntel: #Emotet malspam for 2020-10-19 IOCs: https://t.co/lfKuBfGZSr https://t.co/ftAkF3wjqU

anyrun_app: Maldoc doesn’t work well during analysis? Try a different environment! #Dridex maldoc macro doesn’t work in old Office versions but works in the newer Office 2019 version. W7: https://t.co/le1ltccUWK W10: https://t.co/a4Jpzjhg6L Customize and expand your analysis with ANYRUN!

anyrun_app: Another #Emotet cluster replenishment with new maldoc's template! To collect URLs from the task fast use ANYRUN's feature "Fake Net". It intercepts HTTP requests and returns 404, forcing malware to reveal its C2 links. Make your analysis faster and easier! https://t.co/52G8wSZKGi https://t.co/ftimCt1F57

anyrun_app: TOP10 last week's threats by uploads ⬆️ #Emotet 1209 (239) ⬆️ #NjRAT 183 (143) ⬆️ #NanoCore 143 (99) ⬇️ #Qbot 128 (143) ⬆️ #AgentTesla 117 (116) ⬆️ #AsyncRAT 116 (51) ⬆️ #Remcos 61 (33) ⬇️ #LokiBot 54 (84) ⬆️ #FormBook 45 (39) ⬆️ #Orcus 43 (34) https://t.co/98nRpXOxWw

abuse_ch: Enjoying fall season 🍂 with my grandma, telling her the hottest cyber security topics 📰 and answering questions why her desktop looks so completely different than the ones from others (my grandma is a proud #Ubuntu user 👩‍🦳) https://t.co/uiozDt2dsR

abuse_ch: Recent #AgentTesla malware samples that are apparently using @telegram for data exfiltration 📁 👉 https://t.co/nZvPWzOKVp If you operate a corporate web proxy you may want to watch out for or block outgoing network traffic towards api.telegram .org 🔍 https://t.co/FRCDUi8KAj

abuse_ch: Did someone say #TrickBot? Another day, another TrickBot malspam campaign (ono92) sent from .... 🥁 *drumrolls* ... @SendGrid Weaponized word DOC: 👉 https://t.co/F2Y6N81sT2 https://t.co/DtPE3tqRqJ

abuse_ch: Malspam sent from Yahoo mailservers, distributing Pupy (?) RAT 🕵️‍♂️ XLSM: 👉 https://t.co/UxQtfjKFS0 EXE: 👉 https://t.co/p3XjobgEoZ Payload URL: 👉 https://t.co/v2wP71zgf7 https://t.co/kuwpwyzkr4

abuse_ch: @dubstard @NamecheapCEO @200_okay_ @Namecheap @urlscanio @malwrhunterteam The issue is usually resellers who either sell their domain registration services on the dark market or lack a customer verification process (which, as far as I know, is not required by ICANN). So the question should be: Why do registrars still do business with dirty resellers?

QuoIntelligence: Our Weekly Snapshot covers #wateringhole attacks targeting #Korean diaspora w/ new variant of #SLUB #malware, #China passing a law on export restrictions over #NationalSecurity concerns & other #cyber and #geopolitical events #ThreatIntel #cybernews https://t.co/mldOmMAPXZ

JAMESWT_MHT: #OrcusRat #Rat First Submission 2020-10-18 14:44:57 Loader https://t.co/siLNVDUSXT Payload https://t.co/20WHhKt8HL Url @zbetcheckin https://t.co/u3yUk5NevD C2 88.123.12.[74 @malwrhunterteam @verovaleros @cyb3rops @Arkbird_SOLG @sugimu_sec

makflwana: @benkow_ They have learned how their infrastructure was taken down and will make it harder next time - the threat never goes away, it just shifts

makflwana: @Bank_Security @Citibank @AskCiti Selling for 1500 USD lol account balance is 516 USD = 38000 Rupees

makflwana: @Bank_Security @Citibank @AskCiti Lol didn’t blur the name properly

makflwana: @Office365 #phishing redirect using #elasticbean url > hxxp://shareddom18d2td08788lot80d172m.us-east-2.elasticbeanstalk.com/redirector.php?id=qsFc9EQ7WO& > hxxps://onlinesharedt20lc0c08llc1ca771.an.r.appspot.com/ POST > hxxps://l0te07ettd0ld8tllmd211e1.azurewebsites.net/ https://t.co/xcu7E8f9mk

cyb3rops: @ruben_rodr @sigma_hq 100% agreed. Instead of creating and publishing their own standard. Or at least offer a converter from Sigma to their own format.

cyb3rops: @disaster_ita @JohnLaTwC @eran_yom_tov @LordOfThePies4 No, wrong. The PATH doesn't matter, since we register it with an absolute path. https://t.co/ksFCvPs80U

RedDrip7: #HWP document containing #COVID-19 contents seems utilized by #APT group to attack South Korea. Once it gets executed, a PDF file relating to COVID-19 is shown to confuse the victim and meanwhile Downloader is executed. https://t.co/6nSdc5dyf6 https://t.co/sVMwXczlGf

RedDrip7: #CVE-2020-16922 Microsoft has fixed it in the October 2020 Patch Tuesday. And the patched file is wintrust.dll. check our report here: https://t.co/Q0ryM8tx82 https://t.co/1Iq8aolwB1

inj3ct0r: #0daytoday #Linux / #Unix su Privilege Escalation #Exploit https://t.co/44XxOff6YZ

inj3ct0r: #0daytoday #Telerik UI https://t.co/oWZPzJIPbe AJAX RadAsyncUpload Deserialization #Exploit https://t.co/AbjXv46WhP

inj3ct0r: #0daytoday #LISTSERV Maestro 9.0-8 Remote Code Execution #Vulnerability #RCE https://t.co/USF3jcDz5d

inj3ct0r: #0daytoday #Apache #Struts2 - DefaultActionMapper Prefixes OGNL Code Execution #Exploit #RCE https://t.co/uPIFpA8Bdr

inj3ct0r: #0daytoday #WordPress Colorbox #Lightbox v1.1.1 Plugin - Persistent Cross-Site Scripting (Authenticated) #Exploit #XSS https://t.co/8WgExIEjNO

malwrhunterteam: "Raccine.exe": 9253e18c2e7bd3cba3b86c7e638fccb70ba5aade3e5b211cd7e7fabb5f9e2c8d Interesting name to use for a test Cobalt sample, not @cyb3rops? 🤔 cc @bryceabdo https://t.co/Le9yitNZQn

malwrhunterteam: 173.232.146[.]37 Related to NetWalker ransomware: https://t.co/1nmdBb4ztM? cc @VK_Intel @bryceabdo @JAMESWT_MHT https://t.co/y23ol5ivDr

malwrhunterteam: "WhatsApp_Messenger.apk": dc2d999b0919e2a4633607f11a4123d80f9eb44e7294f9230ad6d43f142d8bc5 From (opendir): https://file-downloads[.]club/file/WhatsApp_Messenger.apk https://t.co/ntnVDIYBfB

blackorbird: Operation Earth Kitsune: A watering hole campaign. "New exploits for the vulnerabilities CVE-2016-0189¸ CVE-2019-1458, CVE-2020-0674, and CVE-2019-5782, chained with another Chrome bug that does not have an associated CVE." https://t.co/65ffuKXNUU pdf: https://t.co/rAmsPhlroB https://t.co/s89JSWLM2u

wugeej: @youtuberkamijou I'm really enjoying your YouTube videos, haha. I work at a company in Shibuya, so maybe we'll get to meet someday? Hehe

wugeej: @Kevin2600 How does this affect a car?

malware_traffic: @James_inthe_box @Google @mesa_matt @maciekkotowicz @cheapbyte @Ring0x0 @wavellan @noottrak @jw_sec @social_amit @wwp96 @felixw3000 @HerbieZimmerman My luck today... https://t.co/rAXOX1OG9N

malware_traffic: @James_inthe_box @Google @mesa_matt @maciekkotowicz @cheapbyte @Ring0x0 @wavellan @noottrak @jw_sec @social_amit @wwp96 @felixw3000 @HerbieZimmerman Same one used on Tuesday 2020-10-20, so I'm not surprised it might've been taken down

malware_traffic: @James_inthe_box @Google @mesa_matt @maciekkotowicz @cheapbyte @Ring0x0 @wavellan @noottrak @jw_sec @social_amit @wwp96 @felixw3000 @HerbieZimmerman Still no luck again today getting an Excel spreadsheet from the link... Just redirects to docusign[.]com, so it must not like where I'm coming from.

malware_traffic: 2020-10-20 - Tuesday's #Hancitor infection with an unidentified info stealer and #CobaltStrike - Finally got around to sanitizing and posting this info - 9 #malspam examples, a #pcap of the infection,some malware/artifacts, and the IOCs are available at: https://t.co/jfycZbrtFA https://t.co/vJlBiPHAed

malware_traffic: 2020-10-20 - If anyone's interested, here's a youtube link for the #cybertalk I did for @ECCUniversity - https://t.co/Z75YO3SM6B - I can't share everything about building an effective lab, but the video has what I can share.

James_inthe_box: @KorbenD_Intel 🤔 https://t.co/yWZ08NagJN

James_inthe_box: @c3rb3ru5d3d53c @Google @mal_share @lazyactivist192 @SeraphimDomain Yes.

James_inthe_box: @edurojas69 @Google Nice...here's 213 @google doc links: https://t.co/hnsHSUSOQc

James_inthe_box: @ffforward @executemalware @malware_traffic @Google @mesa_matt @maciekkotowicz @cheapbyte @Ring0x0 @wavellan @noottrak @jw_sec @social_amit @wwp96 @felixw3000 @HerbieZimmerman Thanks to @executemalware hash e122130010bcf147886f9d29a3c0b40d is everywhere.

James_inthe_box: @theDark3d @andsyn1 @anyrun_app @hatching_io @S3CURIT3PLU5 @JAMESWT_MHT @malware_traffic @reecdeep @malwrhunterteam @DynamicAnalysis @makflwana @F4NCI3 @ObscurityLabs @abuse_ch @joe4security @JRoosen @1ZRR4H @wwp96 Aye..related: https://t.co/PemsMqoOka

pmelson: @EanMeyer @r0wdy_ Skeet Ulrich & Russell Wong https://t.co/46O6nRPajK

pmelson: @r0wdy_ Experts

pmelson: Pretty much count on these turning into Ryuk by Monday morning. https://t.co/hKC0anFsUM

pmelson: @r0wdy_ @jfslowik 😇 https://t.co/qRyWEXFEvP

pmelson: @KyleTDavis1 https://t.co/of4I9mWjvA

demonslay335: @gmohammed86 @TRojen610 Makop is impossible to decrypt without the criminal's private keys.

demonslay335: @Hi_Shovo I already told you how to responsibly acquire malware.

demonslay335: @Hi_Shovo Just search any malware sharing platform for the hashtags, there's literally hundreds of samples.

hackerfantastic: @wireghoul @wimremes Type-oh, "however if not enabled" should be "if enabled" - there are still plenty of browsers that are impacted but not in wide-use - thus it would be informational as no-one is using something so old. It's only a risk if they don't explicitly disable it due to legacy browsers.

hackerfantastic: @jsonparse13 @troyhunt Worse than Anthony Weiner's laptop.

hackerfantastic: @wimremes If nosniff is set we consider it informational only, if not set then low risk as some of those legacy browsers might still be in use (horror)

hackerfantastic: @wimremes If MIME sniffing is not explicitly disabled then yes it’s low risk, however if not enabled the number of legacy browsers pre-IE8 may still be impacted. Older browsers that don’t support this option are not in wide use and thus it would be informational.

hackerfantastic: @joxeankoret @RoninDey @matalaz @twittersecurity Interested in the end result of this, if you succeed let us know how!

Cyb3rWard0g: @ram_ssk @msftsecurity @MITREcorp Thank you for sharing @ram_ssk ! Very interesting use of data to overwhelm a SIEM. Looking forward to getting more familiarized with those use cases at work 😊 https://t.co/Fh2CewV8Sw

Cyb3rWard0g: @alcastronic @ErikVaBu @jorgeorchilles @c2_matrix @BHinfoSecurity @MITREattack Thank you @alcastronic ! Thank you for sharing with the community. Looking forward to watching your talk! 🍻

Cyb3rWard0g: @jdu2600 @OSSEM_Project That's awesome @jdu2600 ! Thank you for all your work and contributions to the community! 🙏🙏

VK_Intel: 2020-10-21: 🆕🔥#CobaltStrike Beacon Customized ➡️#Ryuk #Ransomware | Renamed as "debugcommunications.dll" 🤔 | 🛡️ 1⃣C2Server (subdomain prefix): tr. | gf. | bv. | topbackupintheworld[.]com 🥫 2⃣Wordpress-Style HTTP Traffic Mimic 3⃣Spawn as %windir%\syswow64\WUAUCLT.exe https://t.co/cCKhgkbl3v https://t.co/RigAAhxZKi

VK_Intel: Excellent "must read" report from the cyber trenches 👍 https://t.co/u670FcEjGr

VK_Intel: 2020-10-17: 🔥🆕#Ryuk / #BazarBackoor Group Stage Loader | #Signed 🇸🇮'K & D KOMPANI d.o.o.' | #DigiCert Signed by a signer➡️ #Ryuk 🧑‍🔧 GetLocalTime➡️ NtAllocateVirtualMemory (RWX)➡️ RtlDecompressBuffer GitHub Payload (alloc)| IcmpSendEcho_call "cloudflare" h/t @malwrhunterteam https://t.co/9hVp2akAnC

DrunkBinary: When an analyst gets an RFI... @WylieNewmark @Dragonkin37 @ComradeCookie (h/t @ReverseICS ) https://t.co/HpAwDLEgdu

DrunkBinary: @thisismaz @snlyngaas All the way

DrunkBinary: @iamtheky You win https://t.co/FZX8CNs6cv

Arkbird_SOLG: #FIN7 I have found two DLLs using the meterpreter reflective method used by the group in September 2020, with some modifications to the algorithms (X86 and X64 arch). Bazaar : https://t.co/m3knX1yvUl VT IP C2: https://t.co/NO4NeUBeVc cc: @JAMESWT_MHT @James_inthe_box @VK_Intel https://t.co/SicVvlyz18

Arkbird_SOLG: @intel_honey With that, what you did gives more sense to the response on the subject.

Arkbird_SOLG: @intel_honey Why Iran and the USA wanted to end with Qasem Soleimani (funny when you add Hillary Clinton). This also explains why the relations between China and the USA (which have funded the laboratory in China, COVID) are also borderline, for which Twitter and Facebook want you to vote.

Arkbird_SOLG: @intel_honey It's more complicated than that, to answer this problem, we must add the key, the deep state which funded BLM in 2016 with the same event to obtain the votes of black people (you can add Jo Cox event as parallel for the method).

KorbenD_Intel: @James_inthe_box Looks like maybe a resume? MSHTA downloads the pastery but doesn't do anything else on my sandbox https://t.co/aWiSUtcrJB

KorbenD_Intel: https[:]//malshare[.]com/sample.php?action=detail&hash=236cbc3d398426b6c75443943e352ba4

KorbenD_Intel: @James_inthe_box @malwrhunterteam @JAMESWT_MHT @pmelson 236cbc3d398426b6c75443943e352ba4 "tasty" DOC 5/62 VT scan detections --> MSHTA --> pastery https://t.co/mESdSXHyPC

KorbenD_Intel: https://t.co/1yl4vhdwO7

KorbenD_Intel: @Es07er1K It's a fair question, though the answer is likely predictable. Throw in electronic warfare as well, like cell jammers and radio interceptors.

ShadowChasing1: Today our researchers have found Android which belongs to #APT_C_23 group ITW:7f742e83d8e65e573fa1f1cca9289f6c https://t.co/s2ivfEe785

ShadowChasing1: @500mk500 Thanks bro

ShadowChasing1: Today our researchers have found new #SFX sample which belongs to #Oceanlotus(#APT32) group ITW:6b95368c23032b8a74caca5c55cef038 filename:9_Programme_SOMCA-Japan_FINAL.docx.exe URL:http[:]//drive.google.com/uc?id=1z3U6tNvA8a6Lk_eNAsu2VXF5FM1bg1gI https://t.co/HCtme9YVyI

ShadowChasing1: @TelsyTRT Yep sir! https://t.co/GyqdAMK1nI

ShadowChasing1: @trungduc751995 Thanks man

ItsReallyNick: @JohnHultquist @SangerNYT @jpmaggio70 You need an agent and a SAG card yesterday. https://t.co/Y2JPX0HiI2

ItsReallyNick: @AricToler You didn't have to stoop so low Have your friends collect your records and then change your number I guess that I don't need that though Now you're just Svobody 21 that I used to know

ItsReallyNick: @AricToler Maintaining secrecy while inciting global cyber conflict is key. But then again, this sure streamlines expensing GRU parking tickets.

cyberwar_15: #북한 #Northkorea #APT Korean (Hangul) text is being found in code used by North Korean cyber operatives in attacks. Traces always remain. #공격방안 #보프 #침투방안 #spy https://t.co/XSLoOzwvWH

cyberwar_15: @Xxx_8885 original file 5adf0abea826264325fabb1c68215aba A Unified Korean Peninsula is Attainable.doc

cyberwar_15: @Xxx_8885 i think not kimsuky(thallium)

Manu_De_Lucia: sha256:d314ff883243444f1853614759a5ec7af96a1829cebdeaa283fc1051e4261ffa #TrickBot 3 / 10 CnC UP from IL and IN. #WizardSpider #TheTrick

Manu_De_Lucia: I'm really proud of contributing to the @virusbtn blog / research. Happy to have contributed with this paper and hope for more publications in the future! https://t.co/wkqC3qYapo

Manu_De_Lucia: Several new active offshore-based command and control servers discovered today (according to my visibility) for #TrickBot botnet. Perhaps the expected "slowdown" period of the infrastructure has to be reduced. #WizardSpider #TheTrick #Ryuk #Conti

DeadlyLynn: #APT #TransparentTribe md5:da8215ba1d8140400a4556d4420b2b64 filename:SARS_Eligible_Clubs___Resorts.xls C2:173.249.14.104 https://t.co/XvWCujh9Ot

58_158_177_102: @hasegawayosuke I thought ★ was the type who takes pleasure in being left alone by @taku888infinity...

58_158_177_102: @500mk500 @JAMESWT_MHT @cocaman @malwrhunterteam @VK_Intel @FBussoletti @guelfoweb @Arkbird_SOLG @sugimu_sec @James_inthe_box https://t.co/1UvpBLYO7D

58_158_177_102: @VirITeXplorer @JAMESWT_MHT @cybersaiyanIT @merlos1977 @luc4m @reecdeep @gigafio @killamjr @JRoosen @fr0s7_ @w3ndige @JR0driguezB @James_inthe_box @sugimu_sec @bomccss @AIR3_ytakeda @wato_dn @AES256bit @gorimpthon @hamasho_sec @fumik0_ @CERT_Polska_en @_psrok1

issuemakerslab: North Korea's RGB-D5 Attacks on COVID-19 Vaccine Pharmaceuticals https://t.co/cmZ83nP6FI

issuemakerslab: This is an image shown by a malicious script used by North Korea's RGB-D5 in a recent attack. The contents of an email written in English by a ROK Ministry of Foreign Affairs official were used as the lure. https://t.co/iMjG8RH9j0

IntezerLabs: Containers offer their own unique technical challenges when it comes to security, but VMs present a broad attack surface. We explore some of the key security advantages & disadvantages that each platform offers https://t.co/AdUeOyKwi1 https://t.co/O71A6sdaqa

IntezerLabs: @intelcapital @InfoSec_Awards 🧬🛡️☁️

IntezerLabs: We've added new features to improve your #DFIR and #threatintel workflows. Check them out here https://t.co/deRpMPxNvR https://t.co/j90RxdtXEp

IntezerLabs: Thank you @InfoSec_Awards for the recognition 🙏 Use our 🆓 Community Edition to protect up to 10 cloud servers against unauthorized code ☁️🛡️ https://t.co/KvnskslAfA https://t.co/JZi3OwmX24 https://t.co/2dXwCCKRzs

IntezerLabs: IPStorm is the latest Windows malware to go multi-platform. Steer clear of this threat with our Detection & Response Guide https://t.co/YSMe8gUYIM https://t.co/eVJXt6XmVp

aboutsecurity: Proud to be part of this amazing team and to share in our #DeviceToCloud #CyberSecurity mission, vision, and goals! #CyberDefense #McAfeeIPO #IAmMcAfee #MCFE 👏👏 https://t.co/rQj8xkCokJ

aboutsecurity: @John_Fokker @Seifreed @dfirence Shhh... will keep a close eye on him, as we've always done... xD @Seifreed if you see some pop-ups on your browser, just click yes, ok? https://t.co/9HvfaQ2NFv

aboutsecurity: @Seifreed @dfirence You'll be missed my friend, but I know where you live! 😄 All the best in your new project Marc!

aboutsecurity: Cyberdefense starts with the knowledge of the adversary: motivation, intent & capabilities. This is why @MITREattack exists, yet it's not "a single source of truth". Kudos to @dfirence for showing how to use the model in a practical way #ThreatModeling https://t.co/izx7ZnKGCg https://t.co/ldJmz0iAHa

kyleehmke: @k_sec @ThreatConnect Good stuff. Thanks, Kurt!

kyleehmke: Cont... driver1master[.]com (45.153.240[.]194) driver1updater[.]com (45.153.240[.]157) driverdwl[.]com (45.153.240[.]220) godofservice[.]com (45.153.240[.]246) service1updater[.]com (45.153.240[.]178) viewdrivers[.]com (45.153.240[.]222)

kyleehmke: Set of probable Ryuk infrastructure registered on 10/17: backup1helper[.]com (45.153.241[.]1) backup1master[.]com (45.153.240[.]136) boost-yourservice[.]com (45.153.240[.]138) checktodrivers[.]com (45.153.240[.]240)... In @ThreatConnect: https://t.co/xd6Fz1Ucw0

kyleehmke: Suspicious domains mscorporateclients[.]com and nod32clients[.]com were registered through NameCheap on 6/26/19 and 10/15/20, respectively. Both recently began resolving to a probable dedicated server at 45.147.231[.]188. In @ThreatConnect: https://t.co/kZ0ZawHE9f https://t.co/0Y7CLB0qmj

DissectMalware: @Hornetsecurity Thanks for sharing the instance. Seems it needs more work...

DissectMalware: @Hornetsecurity can you test the QakBot sample in https://t.co/ORFImnYtBw with the latest #XLMMacroDeobfuscator? I couldn't find the instance on VirusTotal

DissectMalware: @SwiftOnSecurity Want to do the lookup programmatically in #python? https://t.co/jExyuJ24Cl https://t.co/cLLRsOk5Mv

DissectMalware: Fixed a few bugs in #pyxlsb2 and #XLMMacroDeobfuscator so it can interpret the following #xlsb file 7c309387537899f2c0989dcdcc65e21bff85588343800fbbee0d8d36f7aeb155 https://t.co/TyAa5WVOzq Please Update: https://t.co/Npu8zb4i9w H/T @SecurityAura for sharing the sample https://t.co/1tTzoDVaT9

Hexacorn: manifest comclass curiosity https://t.co/tD71UivUdX curious if anyone looked into it (comclass inside the manifest file)

Hexacorn: @jibranilyas Thx Jibran!

Hexacorn: @_xpn_ @FuzzySec @dakami totes; he is a master of "man bites dog" and "there is no such thing as bad publicity"; such an old formula, but still working its magic

Hexacorn: @FuzzySec I think @dakami is spot on https://t.co/V61MKtv0YU this is a way to amplify his signal - desperate times, desperate measures, but stuff like this works

JCyberSec_: Mr @fr3dhk took a look and has posted his results https://t.co/4doqQ7M6TC

JCyberSec_: #SMS based phishing targeting the UK currently ongoing. 📱 Sample below is targeting Halifax. #Phishing @n0p1shing https://t.co/HRVbgnZBsg https://t.co/BzVlbold1D

JCyberSec_: 🤔Anyone recognise this? Potential Malware or Phishing Panel? 🌐http://wsusms[.]com/r/ @urlscanio - https://t.co/hcta3qRW9K 🔍Some older scans of the same panel: https://t.co/4kHzJ5Pgmx CC: @fr3dhk @makflwana @malwrhunterteam #Malware #Phishing https://t.co/ND5EtpighY

JCyberSec_: Are any of my followers astrophysicists?? https://t.co/l9qCVshpf0

JCyberSec_: Each bank has its own phishing site on the same domain. /idv434.com/bank.barclays.co.uk/Login.php /idv434.com/hsbc.co.uk/Login.php /idv434.com/metrobankonline.co.uk/Login.php https://t.co/sMNXDrJkf9

nullcookies: @Viking_Sec Excellent collection.

nullcookies: @jckichen Glorious.

nullcookies: @_glitchXR https://t.co/8l1lV6713z

nullcookies: @TheGh0stShip Yes, currently working through an Ultra-Nightmare campaign. Spicy.

campuscodi: @Ronin0x00 @0xDUDE in the image, yes

campuscodi: @RoninDey Think Energetic Bear takes the prize for the group with the most names. "Energetic Bear, TEMP.Isotope, Berserk Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala" btw, I'm not seeing the Microsoft name for this group.... so pretty sure they have one more

campuscodi: Energetic Bear is also the group behind the San Francisco airport hack from this spring: https://t.co/vihPsXvE0S

SBousseaden: some processes should rarely or never perform persistence related registry changes https://t.co/tJyKQP3wcA

SBousseaden: @l_whiteheart probably FP; I've seen this service accessing lsass before. Verify what's common between, say, 10 similar events; likely the calltrace details or granted access can be of use for filtering.

SBousseaden: @ionstorm msiexec with a URL is something most EDRs and defenders look at; the point here was about the Masquerading consideration (probably better to leave the cmdline "empty" or a GUID)

SBousseaden: example of logs -> https://t.co/VV4lqWn4BT

424f424f: I miss the smell of JP-8 in the morning.

424f424f: How do LIQUIDITY POOLS work? (Uniswap, Curve, Balancer) | DEFI Explained https://t.co/h0W1nMdlT9 via @YouTube

lazyactivist192: Nice Find! https://t.co/hkKjhQJ4Uo

lazyactivist192: @Myrtus0x0 @chrisculling @notwhickey @malware_traffic @JRoosen @MalwareTechBlog @JAMESWT_MHT @AbsoZed @Bowflexin91 @dms1899 @MrMeeseeks941 @security_speaks @fr0s7_ @sec_soup @SeraphimDomain @Kittly1101 @_snus @_alex_il_ @Simpo13 oh man, "easy to use api" is my jam!

lazyactivist192: @chrisculling @notwhickey @malware_traffic @JRoosen @MalwareTechBlog @JAMESWT_MHT @AbsoZed @Bowflexin91 @dms1899 @MrMeeseeks941 @security_speaks @Myrtus0x0 @fr0s7_ @sec_soup @SeraphimDomain @Kittly1101 @_snus @_alex_il_ @Simpo13 ~500 GBs of compressed malware too late haha

cyber__sloth: @TrendMicroRSRCH Hey guys, there's a small typo in the blog. Please look into it. Apart from that, amazing research!! https://t.co/7raJn8AOV5

FewAtoms: #malware #opendir #infosec #threathunting #cybersecurity hxxps://globaltechealthy.com/xt/ @abuse_ch @James_inthe_box @JAMESWT_MHT https://t.co/K4uyGWE4bR

FewAtoms: #malware #cybersecurity #opendir #infosec #threathunting hxxps://docsecure.top/ @abuse_ch @James_inthe_box https://t.co/bDrVAmKEnk

reecdeep: 😈#Remcos #Malware back hitting #Italy 🇮🇹 using Discord "Nuovo ordine ottobre" ⚙️https://t.co/8hxAhF81GI 🔥 hxxps://cdn.discordapp.com/attachments/720370823554138118/767966561939750932/Ttyjvcx rromaniitalfoodsinc.zapto[.org @guelfoweb @VirITeXplorer @58_158_177_102 #infosec https://t.co/nh05NUFsJ4

reecdeep: 😈#Malware #MassLogger targets #Italy 🇮🇹 "MOU Conditions" R19 > CHM > PS > RegAsm 🔥 hxxp://optovision.gr/4B.jpg med-star.]gr ⚙️https://t.co/noV3BGMYHY @guelfoweb @AgidCert @merlos1977 @matte_lodi @luc4m @Dr_N0b0dyh @Bl4ng3l @VirITeXplorer @csirt_it @FBussoletti #infosec

reecdeep: @500mk500 @guelfoweb @merlos1977 @matte_lodi @VirITeXplorer @58_158_177_102 thank you 🤣 so sorry for doubleposting!

reecdeep: #Loader #Malware #Remcos "Download Plus 0.2.1" 1⃣downloads from hxxps://cdn.discordapp.com/attachments/753120711077396523/767644226720366602/Dcvg678 2⃣injects TapiUnattend 🔥 incidencias6645.ddns.]net @guelfoweb @merlos1977 @matte_lodi @VirITeXplorer @58_158_177_102 #infosec https://t.co/9tXxGixlxJ

luc4m: Donald Twitter password.. @malwrhunterteam @malware_traffic @reecdeep @c3rb3ru5d3d53c @sS55752750 @FBussoletti @James_inthe_box @JRoosen @Ledtech3 https://t.co/iBDHDgMHGc https://t.co/tL1GyfyXUJ

3xp0rtblog: @struppigel @martijn_grooten @GDATA Maybe a smartphone lies in the newspaper, we can't know it or it's an electronic newspaper with Telegram from the future.

3xp0rtblog: @struppigel @martijn_grooten @GDATA Especially threat actors 😂.

3xp0rtblog: @martijn_grooten @struppigel @GDATA "Простое управление" translates as "Simple control". The seller means that the RAT is easy to use, but the toilet 😂...

3xp0rtblog: Let's check a new article about T-RAT 2.0 from @struppigel. Nicely done! https://t.co/R1O16atSwM

----Vulners.com High Sev. Last 3 Days----

CVSS: 7.5 (RHSA-2020:4223) Important: OpenShift Container Platform 3.11.306 jenkins security update

CVSS: 7.2 On the trail of the XMRig miner

CVSS: 9.3 Chromium Security Updates for Microsoft Edge (Chromium-Based)

CVSS: 6.8 Adobe Illustrator PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability

CVSS: 6.8 Adobe Illustrator PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability

CVSS: 6.8 Adobe Illustrator PDF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability

CVSS: 6.8 mod_auth_mellon vulnerabilities

CVSS: 10.0 Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks

CVSS: 8.3 Cisco Warns of Severe DoS Flaws in Network Security Software

CVSS: 7.5 Oracle Kills 402 Bugs in Massive October Patch Update

CVSS: 6.5 (RHSA-2020:4295) Moderate: rh-postgresql96-postgresql security update

CVSS: 6.8 Google Patches Actively-Exploited Zero-Day Bug in Chrome Browser

CVSS: 8.5 (RHSA-2020:4264) Low: OpenShift Container Platform 4.3.40 security and bug fix update

CVSS: 7.5 Scientific Linux Security Update : glib2 and ibus on SL7.x x86_64 (20201001)

CVSS: 7.5 EulerOS Virtualization 3.0.2.2 : file (EulerOS-SA-2020-2216)

CVSS: 6.9 EulerOS Virtualization 3.0.2.2 : cpio (EulerOS-SA-2020-2219)

CVSS: 7.2 EulerOS Virtualization 3.0.2.2 : kernel (EulerOS-SA-2020-2227)

CVSS: 6.8 Scientific Linux Security Update : fontforge on SL7.x x86_64 (20201001)

CVSS: 7.2 EulerOS Virtualization 3.0.2.2 : systemd (EulerOS-SA-2020-2226)

CVSS: 7.5 Photon OS 2.0: Oniguruma PHSA-2020-2.0-0291

CVSS: 6.9 EulerOS Virtualization 3.0.2.2 : libffi (EulerOS-SA-2020-2186)

CVSS: 6.8 EulerOS Virtualization 3.0.2.2 : lz4 (EulerOS-SA-2020-2191)

CVSS: 7.5 Scientific Linux Security Update : squid on SL7.x x86_64 (20201001)

CVSS: 6.8 EulerOS Virtualization 3.0.2.2 : unbound (EulerOS-SA-2020-2196)

CVSS: 6.8 Scientific Linux Security Update : thunderbird on SL7.x x86_64 (20201001)

CVSS: 7.8 Scientific Linux Security Update : libvpx on SL7.x x86_64 (20201001)

CVSS: 6.8 Scientific Linux Security Update : httpd on SL7.x x86_64 (20201001)

CVSS: 7.5 Scientific Linux Security Update : curl on SL7.x x86_64 (20201001)

CVSS: 7.8 Scientific Linux Security Update : expat on SL7.x x86_64 (20201001)

CVSS: 7.5 Scientific Linux Security Update : libpng on SL7.x x86_64 (20201001)

CVSS: 6.9 Scientific Linux Security Update : freeradius on SL7.x x86_64 (20201001)

CVSS: 7.8 EulerOS Virtualization 3.0.2.2 : openssl (EulerOS-SA-2020-2223)

CVSS: 7.2 Pam-python vulnerability

CVSS: 9.3 Scientific Linux Security Update : webkitgtk4 on SL7.x x86_64 (20201001)

CVSS: 10.0 EulerOS Virtualization 3.0.2.2 : less (EulerOS-SA-2020-2215)

CVSS: 7.8 EulerOS Virtualization 3.0.2.2 : ruby (EulerOS-SA-2020-2222)

CVSS: 6.8 Oracle Primavera Unifier (Oct 2020 CPU)

CVSS: 6.8 EulerOS Virtualization 3.0.2.2 : ghostscript (EulerOS-SA-2020-2237)

CVSS: 6.8 Photon OS 1.0: Linux PHSA-2020-1.0-0334

CVSS: 6.8 Scientific Linux Security Update : audiofile on SL7.x x86_64 (20201001)

CVSS: 7.5 Scientific Linux Security Update : librabbitmq on SL7.x x86_64 (20201001)

CVSS: 7.1 Scientific Linux Security Update : python3 on SL7.x x86_64 (20201001)

CVSS: 7.2 EulerOS Virtualization 3.0.2.2 : libvirt (EulerOS-SA-2020-2212)

CVSS: 6.8 EulerOS Virtualization 3.0.2.2 : json-c (EulerOS-SA-2020-2189)

CVSS: 6.5 Scientific Linux Security Update : tigervnc on SL7.x x86_64 (20201001)

CVSS: 7.5 Oracle Linux 8 : nodejs:12 (ELSA-2020-4272)

CVSS: 9.3 Scientific Linux Security Update : firefox on SL7.x x86_64 (20201001)

CVSS: 6.8 Scientific Linux Security Update : SDL on SL7.x x86_64 (20201001)

CVSS: 6.8 Scientific Linux Security Update : nss and nspr on SL7.x x86_64 (20201001)

CVSS: 6.5 EulerOS Virtualization 3.0.2.2 : glusterfs (EulerOS-SA-2020-2187)

CVSS: 7.2 EulerOS Virtualization 3.0.2.2 : bash (EulerOS-SA-2020-2221)

CVSS: 6.8 Scientific Linux Security Update : okular on SL7.x x86_64 (20201001)

CVSS: 6.9 Scientific Linux Security Update : cpio on SL7.x x86_64 (20201001)

CVSS: 6.8 Scientific Linux Security Update : libtiff on SL7.x x86_64 (20201001)

CVSS: 7.5 Scientific Linux Security Update : libwmf on SL7.x x86_64 (20201001)

CVSS: 7.8 Scientific Linux Security Update : libsrtp on SL7.x x86_64 (20201001)

CVSS: 7.5 Scientific Linux Security Update : libxslt on SL7.x x86_64 (20201001)

CVSS: 7.5 EulerOS Virtualization 3.0.2.2 : python-pillow (EulerOS-SA-2020-2232)

CVSS: 6.8 Scientific Linux Security Update : libexif on SL7.x x86_64 (20201001)

CVSS: 6.8 EulerOS Virtualization 3.0.2.2 : icu (EulerOS-SA-2020-2228)

CVSS: 7.2 Scientific Linux Security Update : pcp on SL7.x x86_64 (20201001)

CVSS: 9.3 EulerOS Virtualization 3.0.2.2 : yum-utils (EulerOS-SA-2020-2193)

CVSS: 7.2 kernel security and bug fix update

CVSS: 9.3 Scientific Linux Security Update : kernel on SL7.x x86_64 (20201001)

CVSS: 6.8 CVE-2020-24415

CVSS: 6.8 CVE-2020-24409

CVSS: 6.8 CVE-2020-24412

CVSS: 6.8 CVE-2020-24413

CVSS: 6.8 CVE-2020-24414

CVSS: 9.0 CVE-2020-5791

CVSS: 6.5 CVE-2020-5792

CVSS: 6.8 CVE-2020-24411

CVSS: 6.8 CVE-2020-24410

CVSS: 9.3 Adobe Fixes 16 Critical Code-Execution Bugs Across Portfolio

CVSS: 6.5 CVE-2019-4680

CVSS: 7.2 (RHSA-2020:4289) Important: kernel-rt security and bug fix update

----NVD Last 3 Days----

CVE#: CVE-2018-11764 Published Date: 2020-10-21 CVSS: NO CVSS Description: Web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured.

CVE#: CVE-2019-13633 Published Date: 2020-10-19 CVSS: NO CVSS Description: Blinger.io v.1.0.2519 is vulnerable to Blind/Persistent XSS. An attacker can send arbitrary JavaScript code via a built-in communication channel, such as Telegram, WhatsApp, Viber, Skype, Facebook, Vkontakte, or Odnoklassniki. This is mishandled within the administration panel for conversations/all, conversations/inbox, conversations/unassigned, and conversations/closed.

CVE#: CVE-2019-16127 Published Date: 2020-10-22 CVSS: NO CVSS Description: Atmel Advanced Software Framework (ASF) 4 has an Integer Overflow.

CVE#: CVE-2019-16129 Published Date: 2020-10-22 CVSS: NO CVSS Description: Microchip CryptoAuthentication Library CryptoAuthLib prior to 20191122 has a Buffer Overflow (issue 2 of 2).

CVE#: CVE-2019-4680 Published Date: 2020-10-20 CVSS: 5.9 Description: IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.0.2.2 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 171733.

CVE#: CVE-2019-9080 Published Date: 2020-10-20 CVSS: NO CVSS Description: DomainMOD before 4.14.0 uses MD5 without a salt for password storage.

CVE#: CVE-2020-10138 Published Date: 2020-10-21 CVSS: NO CVSS Description: Acronis Cyber Backup 12.5 and Cyber Protect 15 include an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. Acronis Cyber Backup and Cyber Protect contain a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.

CVE#: CVE-2020-10139 Published Date: 2020-10-21 CVSS: 5.9 Description: Acronis True Image 2021 includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. Acronis True Image contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.

CVE#: CVE-2020-10140 Published Date: 2020-10-21 CVSS: 5.9 Description: Acronis True Image 2021 fails to properly set ACLs of the C:\ProgramData\Acronis directory. Because some privileged processes are executed from the C:\ProgramData\Acronis, an unprivileged user can achieve arbitrary code execution with SYSTEM privileges by placing a DLL in one of several paths within C:\ProgramData\Acronis.

CVE#: CVE-2020-10746 Published Date: 2020-10-19 CVSS: 4.2 Description: A flaw was found in Infinispan version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server.

CVE#: CVE-2020-11496 Published Date: 2020-10-19 CVSS: NO CVSS Description: Sprecher SPRECON-E firmware prior to 8.64b might allow local attackers with access to engineering data to insert arbitrary code. This firmware lacks the validation of the input values on the device side, which is provided by the engineering software during parameterization. Attackers with access to local configuration files can therefore insert malicious commands that are executed after compiling them to valid parameter files (“PDLs”), transferring them to the device, and restarting the device.

CVE#: CVE-2020-13778 Published Date: 2020-10-19 CVSS: NO CVSS Description: rConfig 3.9.4 and earlier allows authenticated code execution (of system commands) by sending a forged GET request to lib/ajaxHandlers/ajaxAddTemplate.php or lib/ajaxHandlers/ajaxEditTemplate.php.

CVE#: CVE-2020-13937 Published Date: 2020-10-19 CVSS: NO CVSS Description: Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed Kylin's configuration information without any authentication, so it is dangerous because some confidential information entries will be disclosed to everyone.

CVE#: CVE-2020-14672 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14731 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Retail Customer Management and Segmentation Foundation product of Oracle Retail Applications (component: Segment). Supported versions that are affected are 18.0 and 19.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Retail Customer Management and Segmentation Foundation. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Retail Customer Management and Segmentation Foundation accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVE#: CVE-2020-14732 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Retail Customer Management and Segmentation Foundation product of Oracle Retail Applications (component: Promotions). The supported version that is affected is 19.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Retail Customer Management and Segmentation Foundation. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Retail Customer Management and Segmentation Foundation accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVE#: CVE-2020-14734 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Text component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Text. Successful attacks of this vulnerability can result in takeover of Oracle Text. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE#: CVE-2020-14735 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Scheduler component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows low privileged attacker having Local Logon privilege with logon to the infrastructure where Scheduler executes to compromise Scheduler. While the vulnerability is in Scheduler, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Scheduler. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

CVE#: CVE-2020-14736 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Database Vault component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2 and 12.2.0.1. Easily exploitable vulnerability allows high privileged attacker having Create Public Synonym privilege with network access via Oracle Net to compromise Database Vault. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Database Vault accessible data as well as unauthorized read access to a subset of Database Vault accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).

CVE#: CVE-2020-14740 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the SQL Developer Install component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18c. Easily exploitable vulnerability allows low privileged attacker having Client Computer User Account privilege with logon to the infrastructure where SQL Developer Install executes to compromise SQL Developer Install. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of SQL Developer Install accessible data. CVSS 3.1 Base Score 2.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N).

CVE#: CVE-2020-14741 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Database Filesystem component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2 and 12.2.0.1. Easily exploitable vulnerability allows high privileged attacker having Resource, Create Table, Create View, Create Procedure, Dbfs_role privilege with network access via Oracle Net to compromise Database Filesystem. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Database Filesystem. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14742 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Core RDBMS component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having SYSDBA level account privilege with network access via Oracle Net to compromise Core RDBMS. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Core RDBMS accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

CVE#: CVE-2020-14743 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows low privileged attacker having Create Procedure privilege with network access via multiple protocols to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java VM accessible data. CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N).

CVE#: CVE-2020-14744 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle REST Data Services product of Oracle REST Data Services (component: General). Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c; Standalone ORDS: prior to 20.2.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

CVE#: CVE-2020-14745 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle REST Data Services product of Oracle REST Data Services (component: General). Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c; Standalone ORDS: prior to 20.2.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVE#: CVE-2020-14746 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Popup windows). Supported versions that are affected are 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data. CVSS 3.1 Base Score 4.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N).

CVE#: CVE-2020-14752 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Hyperion Lifecycle Management product of Oracle Hyperion (component: Shared Services). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Hyperion Lifecycle Management. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Hyperion Lifecycle Management accessible data. CVSS 3.1 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N).

CVE#: CVE-2020-14753 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Hospitality Reporting and Analytics product of Oracle Food and Beverage Applications (component: Installation). The supported version that is affected is 9.1.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Hospitality Reporting and Analytics executes to compromise Oracle Hospitality Reporting and Analytics. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Hospitality Reporting and Analytics, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality Reporting and Analytics accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).

CVE#: CVE-2020-14754 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystem). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris. CVSS 3.1 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14757 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). The supported version that is affected is 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

CVE#: CVE-2020-14758 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Solaris accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Solaris. CVSS 3.1 Base Score 5.6 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L).

CVE#: CVE-2020-14759 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Solaris accessible data. CVSS 3.1 Base Score 2.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N).

CVE#: CVE-2020-14760 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVE#: CVE-2020-14761 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: Oracle Diagnostics Interfaces). Supported versions that are affected are 12.1.3 and 12.2.3 - 12.2.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Manager accessible data as well as unauthorized read access to a subset of Oracle Applications Manager accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVE#: CVE-2020-14762 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Application Express component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having SQL Workshop privilege with network access via HTTP to compromise Oracle Application Express. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express accessible data as well as unauthorized read access to a subset of Oracle Application Express accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

CVE#: CVE-2020-14763 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Application Express Quick Poll component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express Quick Poll. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express Quick Poll, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express Quick Poll accessible data as well as unauthorized read access to a subset of Oracle Application Express Quick Poll accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

CVE#: CVE-2020-14764 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Hyperion Planning product of Oracle Hyperion (component: Application Development Framework). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Hyperion Planning. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Hyperion Planning accessible data. CVSS 3.1 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N).

CVE#: CVE-2020-14765 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14766 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Web Administration). Supported versions that are affected are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).

CVE#: CVE-2020-14767 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Hyperion BI+ product of Oracle Hyperion (component: IQR-Foundation service). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise Hyperion BI+. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Hyperion BI+ accessible data. CVSS 3.1 Base Score 4.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N).

CVE#: CVE-2020-14768 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Hyperion Analytic Provider Services product of Oracle Hyperion (component: Smart View Provider). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows low privileged attacker with access to the physical communication segment attached to the hardware where the Hyperion Analytic Provider Services executes to compromise Hyperion Analytic Provider Services. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Hyperion Analytic Provider Services accessible data as well as unauthorized read access to a subset of Hyperion Analytic Provider Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Hyperion Analytic Provider Services. CVSS 3.1 Base Score 4.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L).

CVE#: CVE-2020-14769 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14770 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Hyperion BI+ product of Oracle Hyperion (component: IQR-Foundation service). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise Hyperion BI+. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Hyperion BI+ accessible data. CVSS 3.1 Base Score 2.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N).

CVE#: CVE-2020-14771 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: LDAP Auth). Supported versions that are affected are 5.7.31 and prior and 8.0.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).

CVE#: CVE-2020-14772 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Hyperion Lifecycle Management product of Oracle Hyperion (component: Shared Services). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Hyperion Lifecycle Management. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Hyperion Lifecycle Management accessible data. CVSS 3.1 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N).

CVE#: CVE-2020-14773 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14774 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle CRM Technical Foundation product of Oracle E-Business Suite (component: Preferences). Supported versions that are affected are 12.1.1 - 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle CRM Technical Foundation. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle CRM Technical Foundation. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14775 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14776 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14777 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14778 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the PeopleSoft Enterprise HCM Global Payroll Core product of Oracle PeopleSoft (component: Security). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Global Payroll Core. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Global Payroll Core accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Global Payroll Core accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise HCM Global Payroll Core. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

CVE#: CVE-2020-14779 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE#: CVE-2020-14780 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the BI Publisher product of Oracle Fusion Middleware (component: BI Publisher Security). Supported versions that are affected are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all BI Publisher accessible data as well as unauthorized update, insert or delete access to some of BI Publisher accessible data. CVSS 3.1 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).

CVE#: CVE-2020-14781 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVE#: CVE-2020-14782 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE#: CVE-2020-14783 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Hospitality RES 3700 product of Oracle Food and Beverage Applications (component: CAL). The supported version that is affected is 5.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Hospitality RES 3700. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Hospitality RES 3700 accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVE#: CVE-2020-14784 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: Mobile Service). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data as well as unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14785 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14786 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14787 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Communications Diameter Signaling Router (DSR) product of Oracle Communications (component: User Interface). Supported versions that are affected are 8.0.0.0-8.4.0.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Diameter Signaling Router (DSR). Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Communications Diameter Signaling Router (DSR), attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Diameter Signaling Router (DSR) accessible data as well as unauthorized read access to a subset of Oracle Communications Diameter Signaling Router (DSR) accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

CVE#: CVE-2020-14788 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Communications Diameter Signaling Router (DSR) product of Oracle Communications (component: User Interface). Supported versions that are affected are 8.0.0.0-8.4.0.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Diameter Signaling Router (DSR). Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Communications Diameter Signaling Router (DSR), attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Diameter Signaling Router (DSR) accessible data as well as unauthorized read access to a subset of Oracle Communications Diameter Signaling Router (DSR) accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE#: CVE-2020-14789 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14790 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14791 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).

CVE#: CVE-2020-14792 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).

CVE#: CVE-2020-14793 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14794 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14795 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: PIA Core Technology). Supported versions that are affected are 8.57 and 8.58. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

CVE#: CVE-2020-14796 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

CVE#: CVE-2020-14797 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE#: CVE-2020-14798 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

CVE#: CVE-2020-14799 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14800 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14801 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: PIA Core Technology). Supported versions that are affected are 8.56, 8.57 and 8.58. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE#: CVE-2020-14802 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: PIA Core Technology). Supported versions that are affected are 8.56, 8.57 and 8.58. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE#: CVE-2020-14803 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVE#: CVE-2020-14804 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14805 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle E-Business Suite Secure Enterprise Search product of Oracle E-Business Suite (component: Search Integration Engine). Supported versions that are affected are 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle E-Business Suite Secure Enterprise Search. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle E-Business Suite Secure Enterprise Search accessible data as well as unauthorized access to critical data or complete access to all Oracle E-Business Suite Secure Enterprise Search accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

CVE#: CVE-2020-14806 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Query). Supported versions that are affected are 8.56, 8.57 and 8.58. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVE#: CVE-2020-14807 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Hospitality Suite8 product of Oracle Hospitality Applications (component: WebConnect). Supported versions that are affected are 8.10.2 and 8.11-8.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality Suite8. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality Suite8 accessible data as well as unauthorized update, insert or delete access to some of Oracle Hospitality Suite8 accessible data. CVSS 3.1 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).

CVE#: CVE-2020-14808 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Trade Management product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Trade Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Trade Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Trade Management accessible data as well as unauthorized update, insert or delete access to some of Oracle Trade Management accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14809 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14810 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Hospitality Suite8 product of Oracle Hospitality Applications (component: WebConnect). Supported versions that are affected are 8.10.2 and 8.11-8.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality Suite8. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality Suite8 accessible data as well as unauthorized read access to a subset of Oracle Hospitality Suite8 accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).

CVE#: CVE-2020-14811 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: AMP EBS Integration). Supported versions that are affected are 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Applications Manager accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVE#: CVE-2020-14812 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Locking). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14813 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: PIA Grids). Supported versions that are affected are 8.56, 8.57 and 8.58. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE#: CVE-2020-14814 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14815 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions). Supported versions that are affected are 5.5.0.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14816 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Marketing Administration). Supported versions that are affected are 12.1.1 - 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Marketing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data as well as unauthorized update, insert or delete access to some of Oracle Marketing accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14817 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Marketing Administration). Supported versions that are affected are 12.1.1 - 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Marketing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data as well as unauthorized update, insert or delete access to some of Oracle Marketing accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14818 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Solaris product of Oracle Systems (component: Utility). The supported version that is affected is 11. Difficult to exploit vulnerability allows low privileged attacker with network access via SSH to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Solaris accessible data. CVSS 3.1 Base Score 3.0 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N).

CVE#: CVE-2020-14819 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle One-to-One Fulfillment product of Oracle E-Business Suite (component: Print Server). The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle One-to-One Fulfillment, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle One-to-One Fulfillment accessible data as well as unauthorized update, insert or delete access to some of Oracle One-to-One Fulfillment accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14820 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVE#: CVE-2020-14821 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14822 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: APIs). Supported versions that are affected are 12.1.1 - 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Installed Base, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Installed Base accessible data. CVSS 3.1 Base Score 4.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N).

CVE#: CVE-2020-14823 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle CRM Technical Foundation product of Oracle E-Business Suite (component: Preferences). Supported versions that are affected are 12.2.3 - 12.2.10. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle CRM Technical Foundation. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle CRM Technical Foundation accessible data as well as unauthorized access to critical data or complete access to all Oracle CRM Technical Foundation accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N).

CVE#: CVE-2020-14824 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Infrastructure). Supported versions that are affected are 8.0.6-8.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. While the vulnerability is in Oracle Financial Services Analytical Applications Infrastructure, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Financial Services Analytical Applications Infrastructure. CVSS 3.1 Base Score 8.6 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

CVE#: CVE-2020-14825 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE#: CVE-2020-14826 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: SQL Extensions). Supported versions that are affected are 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Applications Manager accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVE#: CVE-2020-14827 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: LDAP Auth). Supported versions that are affected are 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

CVE#: CVE-2020-14828 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE#: CVE-2020-14829 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14830 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14831 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Marketing Administration). Supported versions that are affected are 12.1.1 - 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Marketing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data as well as unauthorized update, insert or delete access to some of Oracle Marketing accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14832 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Integration Broker). Supported versions that are affected are 8.56, 8.57 and 8.58. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE#: CVE-2020-14833 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Trade Management product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.1.1 - 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Trade Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Trade Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Trade Management accessible data as well as unauthorized update, insert or delete access to some of Oracle Trade Management accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14834 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Trade Management product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.1.1 - 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Trade Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Trade Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Trade Management accessible data as well as unauthorized update, insert or delete access to some of Oracle Trade Management accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14835 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Marketing Administration). Supported versions that are affected are 12.1.1 - 12.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Marketing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data as well as unauthorized update, insert or delete access to some of Oracle Marketing accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14836 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14837 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14838 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVE#: CVE-2020-14839 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14840 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Application Object Library product of Oracle E-Business Suite (component: Diagnostics). Supported versions that are affected are 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Object Library. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Object Library, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Object Library accessible data. CVSS 3.1 Base Score 4.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N).

CVE#: CVE-2020-14841 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE#: CVE-2020-14842 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the BI Publisher product of Oracle Fusion Middleware (component: BI Publisher Security). Supported versions that are affected are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in BI Publisher, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all BI Publisher accessible data as well as unauthorized update, insert or delete access to some of BI Publisher accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14843 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions). Supported versions that are affected are 5.5.0.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Business Intelligence Enterprise Edition. CVSS 3.1 Base Score 7.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

CVE#: CVE-2020-14844 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14845 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14846 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14847 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Query). Supported versions that are affected are 8.56, 8.57 and 8.58. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

CVE#: CVE-2020-14848 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14849 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Marketing Administration). Supported versions that are affected are 12.1.1 - 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Marketing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data as well as unauthorized update, insert or delete access to some of Oracle Marketing accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14850 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle CRM Technical Foundation product of Oracle E-Business Suite (component: Flex Fields). Supported versions that are affected are 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle CRM Technical Foundation. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle CRM Technical Foundation, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle CRM Technical Foundation accessible data as well as unauthorized update, insert or delete access to some of Oracle CRM Technical Foundation accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14851 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Trade Management product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.1.1 - 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Trade Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Trade Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Trade Management accessible data as well as unauthorized update, insert or delete access to some of Oracle Trade Management accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14852 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Charsets). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14853 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: NDBCluster Plugin). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 4.6 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L).

CVE#: CVE-2020-14854 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Hyperion Infrastructure Technology product of Oracle Hyperion (component: UI and Visualization). The supported version that is affected is 11.1.2.4. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Hyperion Infrastructure Technology. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Hyperion Infrastructure Technology accessible data as well as unauthorized access to critical data or complete access to all Hyperion Infrastructure Technology accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N).

CVE#: CVE-2020-14855 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Administration). The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE#: CVE-2020-14856 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Trade Management product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.1.1 - 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Trade Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Trade Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Trade Management accessible data as well as unauthorized update, insert or delete access to some of Oracle Trade Management accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14857 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Trade Management product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.1.1 - 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Trade Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Trade Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Trade Management accessible data as well as unauthorized update, insert or delete access to some of Oracle Trade Management accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14858 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Logging). Supported versions that are affected are 5.5 and 5.6. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality OPERA 5 Property Services. CVSS 3.1 Base Score 6.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVE#: CVE-2020-14859 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE#: CVE-2020-14860 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Roles). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

CVE#: CVE-2020-14861 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14862 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3 - 12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVE#: CVE-2020-14863 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle One-to-One Fulfillment product of Oracle E-Business Suite (component: Print Server). Supported versions that are affected are 12.1.1 - 12.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle One-to-One Fulfillment, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle One-to-One Fulfillment accessible data as well as unauthorized update, insert or delete access to some of Oracle One-to-One Fulfillment accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14864 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Installation). Supported versions that are affected are 5.5.0.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVE#: CVE-2020-14865 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the PeopleSoft Enterprise SCM eSupplier Connection product of Oracle PeopleSoft (component: eSupplier Connection). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM eSupplier Connection. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise SCM eSupplier Connection accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise SCM eSupplier Connection accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVE#: CVE-2020-14866 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14867 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14868 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14869 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: LDAP Auth). Supported versions that are affected are 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14870 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: X Plugin). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14871 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

CVE#: CVE-2020-14872 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is prior to 6.1.16. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE#: CVE-2020-14873 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Logging). Supported versions that are affected are 8.0.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14875 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Marketing Administration). Supported versions that are affected are 12.1.1 - 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Marketing accessible data as well as unauthorized access to critical data or complete access to all Oracle Marketing accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

CVE#: CVE-2020-14876 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Trade Management product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.1.1 - 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Trade Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Trade Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Trade Management accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

CVE#: CVE-2020-14877 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Logging). Supported versions that are affected are 5.5 and 5.6. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hospitality OPERA 5 Property Services accessible data as well as unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 Property Services accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N).

CVE#: CVE-2020-14878 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: LDAP Auth). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base Score 8.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVE#: CVE-2020-14879 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the BI Publisher product of Oracle Fusion Middleware (component: E-Business Suite - XDO). Supported versions that are affected are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise BI Publisher. While the vulnerability is in BI Publisher, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all BI Publisher accessible data as well as unauthorized update, insert or delete access to some of BI Publisher accessible data. CVSS 3.1 Base Score 8.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14880 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the BI Publisher product of Oracle Fusion Middleware (component: E-Business Suite - XDO). Supported versions that are affected are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise BI Publisher. While the vulnerability is in BI Publisher, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all BI Publisher accessible data as well as unauthorized update, insert or delete access to some of BI Publisher accessible data. CVSS 3.1 Base Score 8.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N).

CVE#: CVE-2020-14881 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is prior to 6.1.16. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

CVE#: CVE-2020-14882 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE#: CVE-2020-14883 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE#: CVE-2020-14884 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.16. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

CVE#: CVE-2020-14885 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.16. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

CVE#: CVE-2020-14886 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.16. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

CVE#: CVE-2020-14887 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications (component: Infrastructure). Supported versions that are affected are 12.3.0 and 14.0.0-14.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

CVE#: CVE-2020-14888 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14889 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.16. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

CVE#: CVE-2020-14890 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle FLEXCUBE Direct Banking product of Oracle Financial Services Applications (component: Pre Login). Supported versions that are affected are 12.0.1, 12.0.2 and 12.0.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Direct Banking. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle FLEXCUBE Direct Banking accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

CVE#: CVE-2020-14891 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14892 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.16. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14893 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE#: CVE-2020-14894 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Banking Corporate Lending product of Oracle Financial Services Applications (component: Core). Supported versions that are affected are 12.3.0 and 14.0.0-14.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Corporate Lending. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Corporate Lending accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

CVE#: CVE-2020-14895 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Utilities Framework product of Oracle Utilities Applications (component: System Wide). Supported versions that are affected are 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0 and 4.4.0.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Utilities Framework. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Utilities Framework accessible data as well as unauthorized read access to a subset of Oracle Utilities Framework accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

CVE#: CVE-2020-14896 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Banking Payments product of Oracle Financial Services Applications (component: Core). Supported versions that are affected are 14.1.0-14.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Payments. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Payments accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

CVE#: CVE-2020-14897 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle FLEXCUBE Direct Banking product of Oracle Financial Services Applications (component: Pre Login). Supported versions that are affected are 12.0.1, 12.0.2 and 12.0.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Direct Banking. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle FLEXCUBE Direct Banking accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

CVE#: CVE-2020-14898 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Application Express Packaged Apps component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express Packaged Apps. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express Packaged Apps, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express Packaged Apps accessible data as well as unauthorized read access to a subset of Oracle Application Express Packaged Apps accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

CVE#: CVE-2020-14899 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Application Express Data Reporter component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express Data Reporter. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express Data Reporter, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express Data Reporter accessible data as well as unauthorized read access to a subset of Oracle Application Express Data Reporter accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

CVE#: CVE-2020-14900 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the Oracle Application Express Group Calendar component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express Group Calendar. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express Group Calendar, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express Group Calendar accessible data as well as unauthorized read access to a subset of Oracle Application Express Group Calendar accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

CVE#: CVE-2020-14901 Published Date: 2020-10-21 CVSS: NO CVSS Description: Vulnerability in the RDBMS Security component of Oracle Database Server. The supported version that is affected is 19c. Easily exploitable vulnerability allows high privileged attacker having Analyze Any privilege with network access via Oracle Net to compromise RDBMS Security. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all RDBMS Security accessible data. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

CVE#: CVE-2020-15240 Published Date: 2020-10-21 CVSS: NO CVSS Description: omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all of the following conditions apply: 1. You are using `omniauth-auth0`. 2. You are using `JWTValidator.verify` method directly OR you are not authenticating using the SDK’s default Authorization Code Flow. The issue is patched in version 2.4.1.

CVE#: CVE-2020-15244 Published Date: 2020-10-21 CVSS: NO CVSS Description: In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4.

CVE#: CVE-2020-15245 Published Date: 2020-10-19 CVSS: NO CVSS Description: In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, a user may register in a shop with the email mail@example.com, verify it, change it to the email another@domain.com, and stay verified and enabled. This may lead to verified accounts being addressed to entirely different emails. Note that this way one is not able to take over any existing account (guest or normal one). The issue has been patched in Sylius 1.6.9, 1.7.9 and 1.8.3. As a workaround, you may resolve this issue on your own by creating a custom event listener, which will listen to the sylius.customer.pre_update event. You can determine that the email has been changed if the customer email and the user username are different; they are synchronized later on. Pay attention to the email-changing behavior for administrators: you may need to skip this logic for them. In order to achieve this, you should either check the master request path info, if it does not contain the /admin prefix, or adjust the event triggered during customer update in the shop. You can find more information on how to customize the event here.

CVE#: CVE-2020-15256 Published Date: 2020-10-19 CVSS: NO CVSS Description: A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5. As a workaround, don't use the `includeInheritedProps: true` option or the `withInheritedProps` instance if using a version >= 0.11.0.

CVE#: CVE-2020-15261 Published Date: 2020-10-19 CVSS: NO CVSS Description: On Windows, the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administrative privileges, this vulnerability is only dangerous in setups that are unsafe anyway. The problem has been fixed in version 4.4.2. As a workaround, exploitation of the vulnerability can be prevented by revoking administrative privileges from all potentially untrustworthy users.

CVE#: CVE-2020-15262 Published Date: 2020-10-19 CVSS: NO CVSS Description: In webpack-subresource-integrity before version 1.5.1, all dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-level chunks are unaffected. This issue is patched in version 1.5.1.

CVE#: CVE-2020-15263 Published Date: 2020-10-19 CVSS: 2.7 Description: In platform before version 9.4.4, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced in 9.0.0 and fixed in 9.4.4.

CVE#: CVE-2020-15264 Published Date: 2020-10-20 CVSS: NO CVSS Description: The Boxstarter installer before version 2.13.0 configures C:\ProgramData\Boxstarter to be in the system-wide PATH environment variable. However, this directory is writable by normal, unprivileged users. To exploit the vulnerability, place a DLL in this directory that a privileged service is looking for, for example WptsExtensions.dll. When Windows starts, it will execute the code in DllMain() with SYSTEM privileges, so any unprivileged user can execute code with SYSTEM privileges. The issue is fixed in version 3.13.0.

CVE#: CVE-2020-15265 Published Date: 2020-10-21 CVSS: NO CVSS Description: In Tensorflow before version 2.4.0, an attacker can pass an invalid `axis` value to `tf.quantization.quantize_and_dequantize`. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. However, dim_size only does a DCHECK to validate the argument and then uses it to access the corresponding element of an array. Since in normal builds `DCHECK`-like macros are no-ops, this results in a segfault and out-of-bounds access of the array. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.

CVE#: CVE-2020-15266 Published Date: 2020-10-21 CVSS: NO CVSS Description: In Tensorflow before version 2.4.0, when the `boxes` argument of `tf.image.crop_and_resize` has a very large value, the CPU kernel implementation receives it as a C++ `nan` floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.

CVE#: CVE-2020-15269 Published Date: 2020-10-20 CVSS: NO CVSS Description: In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.

CVE#: CVE-2020-15822 Published Date: 2020-10-19 CVSS: 3.4 Description: In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped.

CVE#: CVE-2020-15906 Published Date: 2020-10-22 CVSS: NO CVSS Description: tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.

CVE#: CVE-2020-15909 Published Date: 2020-10-19 CVSS: NO CVSS Description: SolarWinds N-central through 2020.1 allows session hijacking and requires user interaction or physical access. The N-Central JSESSIONID cookie attribute is not checked against multiple sources such as source IP, MFA claim, etc. as long as the victim stays logged in within N-Central. To take advantage of this, the cookie could be stolen and the JSESSIONID captured. On its own this is not a surprising result; low-security tools allow the cookie to roam from machine to machine. The JSESSION cookie can then be used on the attacker's workstation by browsing to the victim's N-Central server URL and replacing the JSESSIONID attribute value with the captured value. Expected behavior would be to check this against a second source and enforce at least a reauthentication or multi-factor request, as N-Central is a highly privileged service.

CVE#: CVE-2020-15910 Published Date: 2020-10-19 CVSS: NO CVSS Description: SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID cookie attribute to HttpOnly. This makes it possible to influence the cookie with JavaScript. An attacker could send the user to a prepared webpage or use injected JavaScript to extract the JSESSIONID, which could then be forwarded to the attacker.

CVE#: CVE-2020-15931 Published Date: 2020-10-20 CVSS: NO CVSS Description: Netwrix Account Lockout Examiner before 5.1 allows remote attackers to capture the Net-NTLMv1/v2 authentication challenge hash of the Domain Administrator (that is configured within the product in its installation state) by generating a single Kerberos Pre-Authentication Failed (ID 4771) event on a Domain Controller.

CVE#: CVE-2020-16158 Published Date: 2020-10-19 CVSS: 5.9 Description: GoPro gpmf-parser through 1.5 has a stack out-of-bounds write vulnerability in GPMF_ExpandComplexTYPE(). Parsing malicious input can result in a crash or potentially arbitrary code execution.

CVE#: CVE-2020-16159 Published Date: 2020-10-19 CVSS: NO CVSS Description: GoPro gpmf-parser 1.5 has a heap out-of-bounds read and segfault in GPMF_ScaledData(). Parsing malicious input can result in a crash or information disclosure.

CVE#: CVE-2020-16160 Published Date: 2020-10-19 CVSS: NO CVSS Description: GoPro gpmf-parser 1.5 has a division-by-zero vulnerability in GPMF_Decompress(). Parsing malicious input can result in a crash.

CVE#: CVE-2020-16161 Published Date: 2020-10-19 CVSS: NO CVSS Description: GoPro gpmf-parser 1.5 has a division-by-zero vulnerability in GPMF_ScaledData(). Parsing malicious input can result in a crash.

CVE#: CVE-2020-16246 Published Date: 2020-10-20 CVSS: NO CVSS Description: The affected Reason S20 Ethernet Switch is vulnerable to cross-site scripting (XSS), which may allow attackers to trick users into following a link or navigating to a page that posts a malicious JavaScript statement to the vulnerable site, causing the malicious JavaScript to be rendered by the site and executed by the victim client.

CVE#: CVE-2020-17355 Published Date: 2020-10-21 CVSS: NO CVSS Description: Arista EOS before 4.21.12M, 4.22.x before 4.22.7M, 4.23.x before 4.23.5M, and 4.24.x before 4.24.2F allows remote attackers to cause a denial of service (restart of agents) by crafting a malformed DHCP packet which leads to an incorrect route being installed.

CVE#: CVE-2020-17381 Published Date: 2020-10-21 CVSS: NO CVSS Description: An issue was discovered in Ghisler Total Commander 9.51. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the %SYSTEMDRIVE%\totalcmd\TOTALCMD64.EXE binary.

CVE#: CVE-2020-17454 Published Date: 2020-10-21 CVSS: NO CVSS Description: WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does not filter user inputs. By putting an XSS payload in place of a valid Owner Name, a modal box appears that writes an error message concatenated to the injected payload (without any form of data encoding). This can also be exploited via CSRF.

CVE#: CVE-2020-24033 Published Date: 2020-10-22 CVSS: NO CVSS Description: An issue was discovered in fs.com S3900 24T4S 1.7.0 and earlier. The form has no authentication or token authentication mechanism, which allows remote attackers to forge requests on behalf of a site administrator to change all settings, including deleting users and creating new users with escalated privileges.

CVE#: CVE-2020-24265 Published Date: 2020-10-19 CVSS: 3.6 Description: An issue was discovered in tcpreplay tcpprep v4.3.3. There is a heap buffer overflow vulnerability in MemcmpInterceptorCommon() that can make tcpprep crash and cause a denial of service.

CVE#: CVE-2020-24266 Published Date: 2020-10-19 CVSS: 3.6 Description: An issue was discovered in tcpreplay tcpprep v4.3.3. There is a heap buffer overflow vulnerability in get_l2len() that can make tcpprep crash and cause a denial of service.

CVE#: CVE-2020-24375 Published Date: 2020-10-19 CVSS: NO CVSS Description: A DNS rebinding vulnerability exists in the UPnP MediaServer implementation in Freebox Server before 4.2.3.

CVE#: CVE-2020-24387 Published Date: 2020-10-19 CVSS: NO CVSS Description: An issue was discovered in the yh_create_session() function of yubihsm-shell through 2.0.2. The function does not explicitly check the session id returned from the device. An invalid session id would lead to out-of-bounds read and write operations in the session array. This could be used by an attacker to cause a denial of service.

CVE#: CVE-2020-24388 Published Date: 2020-10-19 CVSS: NO CVSS Description: An issue was discovered in the _send_secure_msg() function of yubihsm-shell through 2.0.2. The function does not validate the embedded length field of a message received from the device. This could lead to an oversized memcpy() call that will crash the running process. This could be used by an attacker to cause a denial of service.

CVE#: CVE-2020-24409 Published Date: 2020-10-20 CVSS: 5.9 Description: Adobe Illustrator version 24.2 (and earlier) is affected by an out-of-bounds read vulnerability when parsing crafted PDF files. This could result in a read past the end of an allocated memory structure, potentially resulting in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.

CVE#: CVE-2020-24410 Published Date: 2020-10-20 CVSS: 5.9 Description: Adobe Illustrator version 24.2 (and earlier) is affected by an out-of-bounds read vulnerability when parsing crafted PDF files. This could result in a read past the end of an allocated memory structure, potentially resulting in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.

CVE#: CVE-2020-24411 Published Date: 2020-10-20 CVSS: 5.9 Description: Adobe Illustrator version 24.2 (and earlier) is affected by an out-of-bounds write vulnerability when handling crafted PDF files. This could result in a write past the end of an allocated memory structure, potentially resulting in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.

CVE#: CVE-2020-24412 Published Date: 2020-10-20 CVSS: 5.9 Description: Adobe Illustrator version 24.1.2 (and earlier) is affected by a memory corruption vulnerability that occurs when parsing a specially crafted .svg file. This could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.

CVE#: CVE-2020-24413 Published Date: 2020-10-20 CVSS: 5.9 Description: Adobe Illustrator version 24.1.2 (and earlier) is affected by a memory corruption vulnerability that occurs when parsing a specially crafted .svg file. This could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.

CVE#: CVE-2020-24414 Published Date: 2020-10-20 CVSS: 5.9 Description: Adobe Illustrator version 24.1.2 (and earlier) is affected by a memory corruption vulnerability that occurs when parsing a specially crafted .svg file. This could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.

CVE#: CVE-2020-24415 Published Date: 2020-10-20 CVSS: 5.9 Description: Adobe Illustrator version 24.1.2 (and earlier) is affected by a memory corruption vulnerability that occurs when parsing a specially crafted .svg file. This could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.

CVE#: CVE-2020-24416 Published Date: 2020-10-20 CVSS: 2.7 Description: Marketo Sales Insight plugin version 1.4355 (and earlier) is affected by a blind stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

CVE#: CVE-2020-24418 Published Date: 2020-10-21 CVSS: NO CVSS Description: Adobe After Effects version 17.1.1 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted .aepx file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. This vulnerability requires user interaction to exploit.

CVE#: CVE-2020-24419 Published Date: 2020-10-21 CVSS: NO CVSS Description: Adobe After Effects version 17.1.1 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE#: CVE-2020-24420 Published Date: 2020-10-21 CVSS: NO CVSS Description: Adobe Photoshop for Windows version 21.2.1 (and earlier) is affected by an uncontrolled search path element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE#: CVE-2020-24421 Published Date: 2020-10-21 CVSS: NO CVSS Description: Adobe InDesign version 15.1.2 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .indd file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.

CVE#: CVE-2020-24422 Published Date: 2020-10-21 CVSS: NO CVSS Description: Adobe Creative Cloud Desktop Application version 5.2 (and earlier) and 2.1 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE#: CVE-2020-24423 Published Date: 2020-10-21 CVSS: NO CVSS Description: Adobe Media Encoder version 14.4 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE#: CVE-2020-24424 Published Date: 2020-10-21 CVSS: NO CVSS Description: Adobe Premiere Pro version 14.4 (and earlier) is affected by an uncontrolled search path element that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE#: CVE-2020-24425 Published Date: 2020-10-21 CVSS: NO CVSS Description: Dreamweaver version 20.2 (and earlier) is affected by an uncontrolled search path element vulnerability that could lead to privilege escalation. Successful exploitation could result in a local user with permissions to write to the file system running system commands with administrator privileges.

CVE#: CVE-2020-24629 Published Date: 2020-10-19 CVSS: 5.9 Description: A remote urlaccesscontroller authentication bypass vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-24630 Published Date: 2020-10-19 CVSS: 5.9 Description: A remote operatoronlinelist_content privilege escalation vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-24646 Published Date: 2020-10-19 CVSS: 5.9 Description: A tftpserver stack-based buffer overflow remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-24647 Published Date: 2020-10-19 CVSS: 5.9 Description: A remote accessmgrservlet classname input validation code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-24648 Published Date: 2020-10-19 CVSS: 5.9 Description: An accessmgrservlet classname deserialization of untrusted data remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-24649 Published Date: 2020-10-19 CVSS: 5.9 Description: A remote bytemessageresource transformentity input validation code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-24650 Published Date: 2020-10-19 CVSS: 5.9 Description: A legend expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-24651 Published Date: 2020-10-19 CVSS: 5.9 Description: A syslogtempletselectwin expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-24652 Published Date: 2020-10-19 CVSS: 5.9 Description: An addvsiinterfaceinfo expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-24765 Published Date: 2020-10-20 CVSS: 3.6 Description: InterMind iMind Server through 3.13.65 allows remote unauthenticated attackers to read the self-diagnostic archive via a direct api/rs/monitoring/rs/api/system/dump-diagnostic-info?server=127.0.0.1 request.

CVE#: CVE-2020-25157 Published Date: 2020-10-20 CVSS: NO CVSS Description: The R-SeeNet webpage (1.5.1 through 2.4.10) suffers from SQL injection, which allows a remote attacker to invoke queries on the database and retrieve sensitive information.

CVE#: CVE-2020-25648 Published Date: 2020-10-20 CVSS: 3.6 Description: A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58.

CVE#: CVE-2020-25820 Published Date: 2020-10-21 CVSS: NO CVSS Description: BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.

CVE#: CVE-2020-26649 Published Date: 2020-10-22 CVSS: NO CVSS Description: AtomXCMS 2.0 is affected by Incorrect Access Control via admin/dump.php.

CVE#: CVE-2020-26650 Published Date: 2020-10-22 CVSS: NO CVSS Description: AtomXCMS 2.0 is affected by Arbitrary File Read via admin/dump.php.

CVE#: CVE-2020-26891 Published Date: 2020-10-19 CVSS: NO CVSS Description: AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS due to unsafe interpolation of the session GET parameter. This allows a remote attacker to execute an XSS attack on the domain Synapse is hosted on, by supplying the victim user with a malicious URL to the /_matrix/client/r0/auth/*/fallback/web or /_matrix/client/unstable/auth/*/fallback/web Synapse endpoints.

CVE#: CVE-2020-26895 Published Date: 2020-10-21 CVSS: NO CVSS Description: Prior to 0.10.0-beta, LND (Lightning Network Daemon) would have accepted a counterparty high-S signature and broadcast tx-relay invalid local commitment/HTLC transactions. This can be exploited by any peer with an open channel regardless of the victim's situation (e.g., routing node, payment-receiver, or payment-sender). The impact is a loss of funds in certain situations.

CVE#: CVE-2020-26896 Published Date: 2020-10-21 CVSS: NO CVSS Description: Prior to 0.11.0-beta, LND (Lightning Network Daemon) had a vulnerability in its invoice database. While claiming on-chain a received HTLC output, it didn't verify that the corresponding outgoing off-chain HTLC was already settled before releasing the preimage. In the case of a hash-and-amount collision with an invoice, the preimage for an expected payment was instead released. A malicious peer could have deliberately intercepted an HTLC intended for the victim node, probed the preimage through a colluding relayed HTLC, and stolen the intercepted HTLC. The impact is a loss of funds in certain situations, and a weakening of the victim's receiver privacy.

CVE#: CVE-2020-27155 Published Date: 2020-10-22 CVSS: NO CVSS Description: An issue was discovered in Octopus Deploy through 2020.4.4. If enabled, the websocket endpoint may allow an untrusted tentacle host to present itself as a trusted one.

CVE#: CVE-2020-27195 Published Date: 2020-10-22 CVSS: NO CVSS Description: The client file sandbox feature in HashiCorp Nomad and Nomad Enterprise versions 0.9.0 up to 0.12.5 can be subverted using either the template or artifact stanzas. Fixed in 0.12.6, 0.11.5, and 0.10.6.

CVE#: CVE-2020-27344 Published Date: 2020-10-21 CVSS: NO CVSS Description: The cm-download-manager plugin before 2.8.0 for WordPress allows XSS.

CVE#: CVE-2020-27533 Published Date: 2020-10-22 CVSS: NO CVSS Description: A Cross Site Scripting (XSS) issue was discovered in the search feature of DedeCMS v.5.8 that allows malicious users to inject code into web pages, and other users will be affected when viewing web pages.

CVE#: CVE-2020-27560 Published Date: 2020-10-22 CVSS: NO CVSS Description: ImageMagick 7.0.10-34 allows Division by Zero in OptimizeLayerFrames in MagickCore/layer.c, which may cause a denial of service.

CVE#: CVE-2020-27603 Published Date: 2020-10-21 CVSS: NO CVSS Description: BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files.

CVE#: CVE-2020-27604 Published Date: 2020-10-21 CVSS: NO CVSS Description: BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.

CVE#: CVE-2020-27605 Published Date: 2020-10-21 CVSS: NO CVSS Description: BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "weak sandbox."

CVE#: CVE-2020-27606 Published Date: 2020-10-21 CVSS: NO CVSS Description: BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.

CVE#: CVE-2020-27607 Published Date: 2020-10-21 CVSS: NO CVSS Description: In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or transmit it to one or more meeting participants or other third parties.

CVE#: CVE-2020-27608 Published Date: 2020-10-21 CVSS: NO CVSS Description: In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.

CVE#: CVE-2020-27609 Published Date: 2020-10-21 CVSS: NO CVSS Description: BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.

CVE#: CVE-2020-27610 Published Date: 2020-10-21 CVSS: NO CVSS Description: The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access.

CVE#: CVE-2020-27611 Published Date: 2020-10-21 CVSS: NO CVSS Description: BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint.

CVE#: CVE-2020-27612 Published Date: 2020-10-21 CVSS: NO CVSS Description: Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window.

CVE#: CVE-2020-27613 Published Date: 2020-10-21 CVSS: NO CVSS Description: The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access.

CVE#: CVE-2020-27615 Published Date: 2020-10-21 CVSS: NO CVSS Description: The Loginizer plugin before 1.6.4 for WordPress allows SQL injection (with resultant XSS), related to loginizer_login_failed and lz_valid_ip.

CVE#: CVE-2020-27619 Published Date: 2020-10-22 CVSS: NO CVSS Description: In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.

CVE#: CVE-2020-27620 Published Date: 2020-10-22 CVSS: NO CVSS Description: The Cosmos Skin for MediaWiki through 1.35.0 has stored XSS because MediaWiki messages were not being properly escaped. This is related to wfMessage and Html::rawElement, as demonstrated by CosmosSocialProfile::getUserGroups.

CVE#: CVE-2020-27621 Published Date: 2020-10-22 CVSS: NO CVSS Description: The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data. This resulted in an inability to properly audit and attribute various user actions performed via the FileImporter extension.

CVE#: CVE-2020-27638 Published Date: 2020-10-22 CVSS: NO CVSS Description: receive.c in fastd before v21 allows denial of service (assertion failure) when receiving packets with an invalid type code.

CVE#: CVE-2020-27642 Published Date: 2020-10-22 CVSS: NO CVSS Description: A cross-site scripting (XSS) vulnerability exists in the 'merge account' functionality in admins.js in BigBlueButton Greenlight 2.7.6.

CVE#: CVE-2020-27646 Published Date: 2020-10-22 CVSS: NO CVSS Description: Biscom Secure File Transfer (SFT) before 5.1.1082 and 6.x before 6.0.1011 allows user credential theft.

CVE#: CVE-2020-27664 Published Date: 2020-10-22 CVSS: NO CVSS Description: admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality.

CVE#: CVE-2020-27665 Published Date: 2020-10-22 CVSS: NO CVSS Description: In Strapi before 3.2.5, there is no admin::hasPermissions restriction for CTB (aka content-type-builder) routes.

CVE#: CVE-2020-27666 Published Date: 2020-10-22 CVSS: NO CVSS Description: Strapi before 3.2.5 has stored XSS in the wysiwyg editor's preview feature.

CVE#: CVE-2020-3299 Published Date: 2020-10-21 CVSS: NO CVSS Description: Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured File Policy for HTTP. The vulnerability is due to incorrect detection of modified HTTP packets used in chunked responses. An attacker could exploit this vulnerability by sending crafted HTTP packets through an affected device. A successful exploit could allow the attacker to bypass a configured File Policy for HTTP packets and deliver a malicious payload.

CVE#: CVE-2020-3304 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the web interface of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition. Note: This vulnerability applies to IP Version 4 (IPv4) and IP Version 6 (IPv6) HTTP traffic.

CVE#: CVE-2020-3317 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the ssl_inspection component of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to crash Snort instances. The vulnerability is due to insufficient input validation in the ssl_inspection component. An attacker could exploit this vulnerability by sending a malformed TLS packet through a Cisco Adaptive Security Appliance (ASA). A successful exploit could allow the attacker to crash a Snort instance, resulting in a denial of service (DoS) condition.

CVE#: CVE-2020-3352 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the CLI of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to access hidden commands. The vulnerability is due to the presence of undocumented configuration commands. An attacker could exploit this vulnerability by performing specific steps that make the hidden commands accessible. A successful exploit could allow the attacker to make configuration changes to various sections of an affected device that should not be exposed to CLI access.

CVE#: CVE-2020-3373 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the IP fragment-handling implementation of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a memory leak on an affected device. This memory leak could prevent traffic from being processed through the device, resulting in a denial of service (DoS) condition. The vulnerability is due to improper error handling when specific failures occur during IP fragment reassembly. An attacker could exploit this vulnerability by sending crafted, fragmented IP traffic to a targeted device. A successful exploit could allow the attacker to continuously consume memory on the affected device and eventually impact traffic, resulting in a DoS condition. The device could require a manual reboot to recover from the DoS condition. Note: This vulnerability applies to both IP Version 4 (IPv4) and IP Version 6 (IPv6) traffic.

CVE#: CVE-2020-3410 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the Common Access Card (CAC) authentication feature of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass authentication and access the FMC system. The attacker must have a valid CAC to initiate the access attempt. The vulnerability is due to incorrect session invalidation during CAC authentication. An attacker could exploit this vulnerability by performing a CAC-based authentication attempt to an affected system. A successful exploit could allow the attacker to access an affected system with the privileges of a CAC-authenticated user who is currently logged in.

CVE#: CVE-2020-3436 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to upload arbitrary-sized files to specific folders on an affected device, which could lead to an unexpected device reload. The vulnerability exists because the affected software does not efficiently handle the writing of large files to specific folders on the local file system. An attacker could exploit this vulnerability by uploading files to those specific folders. A successful exploit could allow the attacker to write a file that triggers a watchdog timeout, which would cause the device to unexpectedly reload, causing a denial of service (DoS) condition.

CVE#: CVE-2020-3455 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the secure boot process of Cisco FXOS Software could allow an authenticated, local attacker to bypass the secure boot mechanisms. The vulnerability is due to insufficient protections of the secure boot process. An attacker could exploit this vulnerability by injecting code into a specific file that is then referenced during the device boot process. A successful exploit could allow the attacker to break the chain of trust and inject code into the boot process of the device which would be executed at each boot and maintain persistence across reboots.

CVE#: CVE-2020-3456 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the Cisco Firepower Chassis Manager (FCM) of Cisco FXOS Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of an affected device. The vulnerability is due to insufficient CSRF protections for the FCM interface. An attacker could exploit this vulnerability by persuading a targeted user to click a malicious link. A successful exploit could allow the attacker to send arbitrary requests that could take unauthorized actions on behalf of the targeted user.

CVE#: CVE-2020-3457 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the CLI of Cisco FXOS Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation of commands supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected command. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.

CVE#: CVE-2020-3458 Published Date: 2020-10-21 CVSS: NO CVSS Description: Multiple vulnerabilities in the secure boot process of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software for the Firepower 1000 Series and Firepower 2100 Series Appliances could allow an authenticated, local attacker to bypass the secure boot mechanism. The vulnerabilities are due to insufficient protections of the secure boot process. An attacker could exploit these vulnerabilities by injecting code into specific files that are then referenced during the device boot process. A successful exploit could allow the attacker to break the chain of trust and inject code into the boot process of the device, which would be executed at each boot and maintain persistence across reboots.

CVE#: CVE-2020-3459 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the CLI of Cisco FXOS Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation of commands supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected command. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.

CVE#: CVE-2020-3499 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the licensing service of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to improper handling of system resource values by the affected system. An attacker could exploit this vulnerability by sending malicious requests to the targeted system. A successful exploit could allow the attacker to cause the affected system to become unresponsive, resulting in a DoS condition and preventing the management of dependent devices.

CVE#: CVE-2020-3514 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the multi-instance feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to escape the container for their Cisco FTD instance and execute commands with root privileges in the host namespace. The attacker must have valid credentials on the device. The vulnerability exists because a configuration file that is used at container startup has insufficient protections. An attacker could exploit this vulnerability by modifying a specific container configuration file on the underlying file system. A successful exploit could allow the attacker to execute commands with root privileges within the host namespace. This could allow the attacker to impact other running Cisco FTD instances or the host Cisco FXOS device.

CVE#: CVE-2020-3515 Published Date: 2020-10-21 CVSS: NO CVSS Description: Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.

CVE#: CVE-2020-3528 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the OSPF Version 2 (OSPFv2) implementation of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to incomplete input validation when the affected software processes certain OSPFv2 packets with Link-Local Signaling (LLS) data. An attacker could exploit this vulnerability by sending a malformed OSPFv2 packet to an affected device. A successful exploit could allow the attacker to cause an affected device to reload, resulting in a DoS condition.

CVE#: CVE-2020-3529 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the SSL VPN negotiation process for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to inefficient direct memory access (DMA) memory management during the negotiation phase of an SSL VPN connection. An attacker could exploit this vulnerability by sending a steady stream of crafted Datagram TLS (DTLS) traffic to an affected device. A successful exploit could allow the attacker to exhaust DMA memory on the device and cause a DoS condition.

CVE#: CVE-2020-3533 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to restart unexpectedly. The vulnerability is due to a lack of sufficient memory management protections under heavy SNMP polling loads. An attacker could exploit this vulnerability by sending a high rate of SNMP requests to the SNMP daemon through the management interface on an affected device. A successful exploit could allow the attacker to cause the SNMP daemon process to consume a large amount of system memory over time, which could then lead to an unexpected device restart, causing a denial of service (DoS) condition. This vulnerability affects all versions of SNMP.

CVE#: CVE-2020-3549 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the sftunnel functionality of Cisco Firepower Management Center (FMC) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to obtain the device registration hash. The vulnerability is due to insufficient sftunnel negotiation protection during initial device registration. An attacker in a man-in-the-middle position could exploit this vulnerability by intercepting a specific flow of the sftunnel communication between an FMC device and an FTD device. A successful exploit could allow the attacker to decrypt and modify the sftunnel communication between FMC and FTD devices, allowing the attacker to modify configuration data sent from an FMC device to an FTD device or alert data sent from an FTD device to an FMC device.

CVE#: CVE-2020-3550 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the sfmgr daemon of Cisco Firepower Management Center (FMC) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to perform directory traversal and access directories outside the restricted path. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by using a relative path in specific sfmgr commands. An exploit could allow the attacker to read or write arbitrary files on an sftunnel-connected peer device.

CVE#: CVE-2020-3553 Published Date: 2020-10-21 CVSS: NO CVSS Description: Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.

CVE#: CVE-2020-3554 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the TCP packet processing of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a memory exhaustion condition. An attacker could exploit this vulnerability by sending a high rate of crafted TCP traffic through an affected device. A successful exploit could allow the attacker to exhaust device resources, resulting in a DoS condition for traffic transiting the affected device.

CVE#: CVE-2020-3555 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the SIP inspection process of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a crash and reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to a watchdog timeout and crash during the cleanup of threads that are associated with a SIP connection that is being deleted from the connection list. An attacker could exploit this vulnerability by sending a high rate of crafted SIP traffic through an affected device. A successful exploit could allow the attacker to cause a watchdog timeout and crash, resulting in a crash and reload of the affected device.

CVE#: CVE-2020-3557 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the host input API daemon of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper certificate validation. An attacker could exploit this vulnerability by sending a crafted data stream to the host input daemon of the affected device. A successful exploit could allow the attacker to cause the host input daemon to restart. The attacker could use repeated attacks to cause the daemon to continuously reload, creating a DoS condition for the API.

CVE#: CVE-2020-3558 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. The vulnerability is due to improper input validation of the parameters of an HTTP request. An attacker could exploit this vulnerability by intercepting an HTTP request from a user. A successful exploit could allow the attacker to modify the HTTP request to cause the interface to redirect the user to a specific, malicious URL. This type of vulnerability is known as an open redirect attack and is used in phishing attacks that get users to unknowingly visit malicious sites.

CVE#: CVE-2020-3561 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the Clientless SSL VPN (WebVPN) of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to inject arbitrary HTTP headers in the responses of the affected system. The vulnerability is due to improper input sanitization. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to conduct a CRLF injection attack, adding arbitrary HTTP headers in the responses of the system and redirecting the user to arbitrary websites.

CVE#: CVE-2020-3562 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the SSL/TLS inspection of Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 2100 Series firewalls could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation for certain fields of specific SSL/TLS messages. An attacker could exploit this vulnerability by sending a malformed SSL/TLS message through an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. No manual intervention is needed to recover the device after it has reloaded.

CVE#: CVE-2020-3563 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the packet processing functionality of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to inefficient memory management. An attacker could exploit this vulnerability by sending a large number of TCP packets to a specific port on an affected device. A successful exploit could allow the attacker to exhaust system memory, which could cause the device to reload unexpectedly. No manual intervention is needed to recover the device after it has reloaded.

CVE#: CVE-2020-3564 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the FTP inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass FTP inspection. The vulnerability is due to ineffective flow tracking of FTP traffic. An attacker could exploit this vulnerability by sending crafted FTP traffic through an affected device. A successful exploit could allow the attacker to bypass FTP inspection and successfully complete FTP connections.

CVE#: CVE-2020-3565 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the TCP Intercept functionality of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured Access Control Policies (including Geolocation) and Service Policies on an affected system. The vulnerability exists because TCP Intercept is invoked when the embryonic connection limit is reached, which can cause the underlying detection engine to process the packet incorrectly. An attacker could exploit this vulnerability by sending a crafted stream of traffic that matches a policy on which TCP Intercept is configured. A successful exploit could allow the attacker to match on an incorrect policy, which could allow the traffic to be forwarded when it should be dropped. In addition, the traffic could incorrectly be dropped.

CVE#: CVE-2020-3571 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the ICMP ingress packet processing of Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 4110 appliances could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to incomplete input validation upon receiving ICMP packets. An attacker could exploit this vulnerability by sending a high number of crafted ICMP or ICMPv6 packets to an affected device. A successful exploit could allow the attacker to cause a memory exhaustion condition that may result in an unexpected reload. No manual intervention is needed to recover the device after the reload.

CVE#: CVE-2020-3572 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the SSL/TLS session handler of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a memory leak when closing SSL/TLS connections in a specific state. An attacker could exploit this vulnerability by establishing several SSL/TLS sessions and ensuring they are closed under certain conditions. A successful exploit could allow the attacker to exhaust memory resources in the affected device, which would prevent it from processing new SSL/TLS connections, resulting in a DoS. Manual intervention is required to recover an affected device.

CVE#: CVE-2020-3577 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the ingress packet processing path of Cisco Firepower Threat Defense (FTD) Software for interfaces that are configured either as Inline Pair or in Passive mode could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition. The vulnerability is due to insufficient validation when Ethernet frames are processed. An attacker could exploit this vulnerability by sending malicious Ethernet frames through an affected device. A successful exploit could allow the attacker to do either of the following: (1) Fill the /ngfw partition on the device: A full /ngfw partition could result in administrators being unable to log in to the device (including logging in through the console port) or the device being unable to boot up correctly. Note: Manual intervention is required to recover from this situation. Customers are advised to contact the Cisco Technical Assistance Center (TAC) to help recover a device in this condition. (2) Cause a process crash: The process crash would cause the device to reload. No manual intervention is necessary to recover the device after the reload.

CVE#: CVE-2020-3578 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access rule and access parts of the WebVPN portal that are supposed to be blocked. The vulnerability is due to insufficient validation of URLs when portal access rules are configured. An attacker could exploit this vulnerability by accessing certain URLs on the affected device.

CVE#: CVE-2020-3580 Published Date: 2020-10-21 CVSS: NO CVSS Description: Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.

CVE#: CVE-2020-3581 Published Date: 2020-10-21 CVSS: NO CVSS Description: Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.

CVE#: CVE-2020-3582 Published Date: 2020-10-21 CVSS: NO CVSS Description: Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.

CVE#: CVE-2020-3583 Published Date: 2020-10-21 CVSS: NO CVSS Description: Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.

CVE#: CVE-2020-3585 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the TLS handler of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 1000 Series firewalls could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper implementation of countermeasures against the Bleichenbacher attack for cipher suites that rely on RSA for key exchange. An attacker could exploit this vulnerability by sending crafted TLS messages to the device, which would act as an oracle and allow the attacker to carry out a chosen-ciphertext attack. A successful exploit could allow the attacker to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions to the affected device. To exploit this vulnerability, an attacker must be able to perform both of the following actions: (1) capture TLS traffic that is in transit between clients and the affected device, and (2) actively establish a considerable number of TLS connections to the affected device.

CVE#: CVE-2020-3599 Published Date: 2020-10-21 CVSS: NO CVSS Description: A vulnerability in the web-based management interface of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.

CVE#: CVE-2020-3898 Published Date: 2020-10-22 CVSS: NO CVSS Description: A memory corruption issue was addressed with improved validation. This issue is fixed in macOS Catalina 10.15.4. An application may be able to gain elevated privileges.

CVE#: CVE-2020-3915 Published Date: 2020-10-22 CVSS: NO CVSS Description: A path handling issue was addressed with improved validation. This issue is fixed in macOS Catalina 10.15.4. A malicious application may be able to overwrite arbitrary files.

CVE#: CVE-2020-3918 Published Date: 2020-10-22 CVSS: NO CVSS Description: An access issue was addressed with additional sandbox restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. A local user may be able to view sensitive user information.

CVE#: CVE-2020-3981 Published Date: 2020-10-20 CVSS: NO CVSS Description: VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202008101-SG, 6.5 before ESXi650-202007101-SG), Workstation (15.x), Fusion (11.x before 11.5.6) contain an out-of-bounds read vulnerability due to a time-of-check time-of-use issue in the ACPI device. A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

CVE#: CVE-2020-3982 Published Date: 2020-10-20 CVSS: NO CVSS Description: VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202008101-SG, 6.5 before ESXi650-202007101-SG), Workstation (15.x), Fusion (11.x before 11.5.6) contain an out-of-bounds write vulnerability due to a time-of-check time-of-use issue in the ACPI device. A malicious actor with administrative access to a virtual machine may be able to exploit this vulnerability to crash the virtual machine's vmx process or corrupt the hypervisor's memory heap.

CVE#: CVE-2020-3992 Published Date: 2020-10-20 CVSS: NO CVSS Description: OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.

CVE#: CVE-2020-3993 Published Date: 2020-10-20 CVSS: NO CVSS Description: VMware NSX-T (3.x before 3.0.2, 2.5.x before 2.5.2.2.0) contains a security vulnerability that exists in the way it allows a KVM host to download and install packages from NSX manager. A malicious actor with MITM positioning may be able to exploit this issue to compromise the transport node.

CVE#: CVE-2020-3994 Published Date: 2020-10-20 CVSS: NO CVSS Description: VMware vCenter Server (6.7 before 6.7u3, 6.6 before 6.5u3k) contains a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate validation. A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.

CVE#: CVE-2020-3995 Published Date: 2020-10-20 CVSS: NO CVSS Description: In VMware ESXi (6.7 before ESXi670-201908101-SG, 6.5 before ESXi650-202007101-SG), Workstation (15.x before 15.1.0), Fusion (11.x before 11.1.0), the VMCI host drivers used by VMware hypervisors contain a memory leak vulnerability. A malicious actor with access to a virtual machine may be able to trigger a memory leak issue resulting in memory resource exhaustion on the hypervisor if the attack is sustained for extended periods of time.

CVE#: CVE-2020-4491 Published Date: 2020-10-20 CVSS: 3.6 Description: IBM Spectrum Scale V4.2.0.0 through V4.2.3.22 and V5.0.0.0 through V5.0.5 could allow a local attacker to cause a denial of service by sending a large number of RPC requests to the mmfsd daemon which would cause the service to crash. IBM X-Force ID: 181991.

CVE#: CVE-2020-4564 Published Date: 2020-10-20 CVSS: 2.7 Description: IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.0.3.1 and IBM Sterling File Gateway 2.2.0.0 through 6.0.3.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 183933.

CVE#: CVE-2020-4748 Published Date: 2020-10-20 CVSS: 2.7 Description: IBM Spectrum Scale 5.0.0 through 5.0.5.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188517.

CVE#: CVE-2020-4749 Published Date: 2020-10-20 CVSS: 1.4 Description: IBM Spectrum Scale 5.0.0 through 5.0.5.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 188518.

CVE#: CVE-2020-4755 Published Date: 2020-10-20 CVSS: 2.7 Description: IBM Spectrum Scale 5.0.0 through 5.0.5.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188595.

CVE#: CVE-2020-4756 Published Date: 2020-10-20 CVSS: 3.6 Description: IBM Spectrum Scale V4.2.0.0 through V4.2.3.23 and V5.0.0.0 through V5.0.5.2 as well as IBM Elastic Storage System 6.0.0 through 6.0.1.0 could allow a local attacker to invoke a subset of ioctls on the device with invalid arguments that could crash the kernel and cause a denial of service. IBM X-Force ID: 188599.

CVE#: CVE-2020-5640 Published Date: 2020-10-20 CVSS: 5.9 Description: Local file inclusion vulnerability in OneThird CMS v1.96c and earlier allows a remote unauthenticated attacker to execute arbitrary code or obtain sensitive information via unspecified vectors.

CVE#: CVE-2020-5650 Published Date: 2020-10-21 CVSS: NO CVSS Description: Cross-site scripting vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.

CVE#: CVE-2020-5651 Published Date: 2020-10-21 CVSS: NO CVSS Description: SQL injection vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to execute arbitrary SQL commands via a specially crafted URL.

CVE#: CVE-2020-5790 Published Date: 2020-10-20 CVSS: 3.6 Description: Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.

CVE#: CVE-2020-5791 Published Date: 2020-10-20 CVSS: 5.9 Description: Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.

CVE#: CVE-2020-5792 Published Date: 2020-10-20 CVSS: 5.9 Description: Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.

CVE#: CVE-2020-6084 Published Date: 2020-10-19 CVSS: NO CVSS Description: An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device, resulting in denial of service. An attacker can send a malicious packet to trigger this vulnerability by sending an Electronic Key Segment with fewer bytes than required by the Key Format Table.

CVE#: CVE-2020-6085 Published Date: 2020-10-19 CVSS: NO CVSS Description: An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device, resulting in denial of service. An attacker can send a malicious packet to trigger this vulnerability by sending an Electronic Key Segment with fewer than 0x18 bytes following the Key Format field.

CVE#: CVE-2020-6308 Published Date: 2020-10-20 CVSS: 1.4 Description: SAP BusinessObjects Business Intelligence Platform (Web Services) versions 410, 420, 430 allow an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, an attacker can scan the internal network to determine internal infrastructure and gather information for further attacks like remote file inclusion, retrieve server files, bypass the firewall and force the vulnerable server to perform malicious requests, resulting in a Server-Side Request Forgery vulnerability.

CVE#: CVE-2020-6315 Published Date: 2020-10-20 CVSS: 3.6 Description: SAP 3D Visual Enterprise Viewer, version 9, allows an attacker to send a manipulated file to the victim, which can lead to leakage of sensitive information when the victim loads the malicious file into the VE viewer, leading to Information Disclosure.

CVE#: CVE-2020-6362 Published Date: 2020-10-20 CVSS: 3.6 Description: SAP Banking Services version 500 uses an incorrect authorization object in some of its reports. Although the affected reports are protected with other authorization objects, exploitation of the vulnerability could lead to privilege escalation and violation of segregation of duties, which in turn could lead to service interruptions and system unavailability for the victim and users of the component.

CVE#: CVE-2020-6366 Published Date: 2020-10-20 CVSS: 5.2 Description: SAP NetWeaver (Compare Systems) versions 7.20, 7.30, 7.40, 7.50 do not sufficiently validate uploaded XML documents. An attacker with administrative privileges can retrieve arbitrary files, including files at the OS level, from the server and/or can cause a denial of service.

CVE#: CVE-2020-6367 Published Date: 2020-10-20 CVSS: 2.7 Description: There is a reflected cross site scripting vulnerability in SAP NetWeaver Composite Application Framework, versions 7.20, 7.30, 7.31, 7.40, 7.50. An unauthenticated attacker can trick an unsuspecting authenticated user into clicking on a malicious link. The end user's browser has no way to know that the script should not be trusted, and will execute the script, resulting in sensitive information being disclosed or modified.

CVE#: CVE-2020-6369 Published Date: 2020-10-20 CVSS: NO CVSS Description: SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7) allow an unauthenticated attacker to bypass the authentication if the default passwords for Admin and Guest have not been changed by the administrator. This may impact the confidentiality of the service.

CVE#: CVE-2020-6370 Published Date: 2020-10-20 CVSS: 2.7 Description: SAP NetWeaver Design Time Repository (DTR), versions 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.

CVE#: CVE-2020-6648 Published Date: 2020-10-21 CVSS: NO CVSS Description: A cleartext storage of sensitive information vulnerability in the FortiOS command line interface in versions 6.2.4 and below may allow an authenticated attacker to obtain sensitive information such as users' passwords by connecting to the FortiGate CLI and executing the "diag sys ha checksum show" command.

CVE#: CVE-2020-7020 Published Date: 2020-10-22 CVSS: NO CVSS Description: Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

CVE#: CVE-2020-7141 Published Date: 2020-10-19 CVSS: 5.9 Description: An adddevicetoview expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7142 Published Date: 2020-10-19 CVSS: 5.9 Description: An eventinfo_content expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7143 Published Date: 2020-10-19 CVSS: 5.9 Description: A faultdevparasset expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7144 Published Date: 2020-10-19 CVSS: 5.9 Description: A comparefilesresult expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7145 Published Date: 2020-10-19 CVSS: 5.9 Description: A chooseperfview expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7146 Published Date: 2020-10-19 CVSS: 5.9 Description: A devgroupselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7147 Published Date: 2020-10-19 CVSS: 5.9 Description: A deployselectbootrom expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7148 Published Date: 2020-10-19 CVSS: 5.9 Description: A deployselectsoftware expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7149 Published Date: 2020-10-19 CVSS: 5.9 Description: An ictexpertcsvdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7150 Published Date: 2020-10-19 CVSS: 5.9 Description: A faultstatchoosefaulttype expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7151 Published Date: 2020-10-19 CVSS: 5.9 Description: A faulttrapgroupselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7152 Published Date: 2020-10-19 CVSS: 5.9 Description: A faultparasset expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7153 Published Date: 2020-10-19 CVSS: 5.9 Description: An iccselectdevtype expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7154 Published Date: 2020-10-19 CVSS: 5.9 Description: An ifviewselectpage expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7155 Published Date: 2020-10-19 CVSS: 5.9 Description: A select expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7156 Published Date: 2020-10-19 CVSS: 5.9 Description: A faultinfo_content expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7157 Published Date: 2020-10-19 CVSS: 5.9 Description: A selviewnavcontent expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7158 Published Date: 2020-10-19 CVSS: 5.9 Description: A perfselecttask expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7159 Published Date: 2020-10-19 CVSS: 5.9 Description: A customtemplateselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7160 Published Date: 2020-10-19 CVSS: 5.9 Description: An iccselectdeviceseries expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7161 Published Date: 2020-10-19 CVSS: 5.9 Description: A reporttaskselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7162 Published Date: 2020-10-19 CVSS: 5.9 Description: An operatorgroupselectcontent expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7163 Published Date: 2020-10-19 CVSS: 5.9 Description: A navigationto expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7164 Published Date: 2020-10-19 CVSS: 5.9 Description: An operationselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7165 Published Date: 2020-10-19 CVSS: 5.9 Description: An iccselectcommand expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7166 Published Date: 2020-10-19 CVSS: 5.9 Description: An operatorgrouptreeselectcontent expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7167 Published Date: 2020-10-19 CVSS: 5.9 Description: A quicktemplateselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7168 Published Date: 2020-10-19 CVSS: 5.9 Description: A selectusergroup expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7169 Published Date: 2020-10-19 CVSS: 5.9 Description: An ictexpertcsvdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7170 Published Date: 2020-10-19 CVSS: 5.9 Description: A select expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7171 Published Date: 2020-10-19 CVSS: 5.9 Description: A guidatadetail expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7172 Published Date: 2020-10-19 CVSS: 5.9 Description: A templateselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7173 Published Date: 2020-10-19 CVSS: 5.9 Description: An actionselectcontent expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7174 Published Date: 2020-10-19 CVSS: 5.9 Description: A soapconfigcontent expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7175 Published Date: 2020-10-19 CVSS: 5.9 Description: An iccselectdymicparam expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7176 Published Date: 2020-10-19 CVSS: 5.9 Description: A viewtaskresultdetailfact expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7177 Published Date: 2020-10-19 CVSS: 5.9 Description: A wmiconfigcontent expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7178 Published Date: 2020-10-19 CVSS: 5.9 Description: A mediaforaction expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7179 Published Date: 2020-10-19 CVSS: 5.9 Description: A thirdpartyperfselecttask expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7180 Published Date: 2020-10-19 CVSS: 5.9 Description: An ictexpertdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7181 Published Date: 2020-10-19 CVSS: 5.9 Description: A smsrulesdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7182 Published Date: 2020-10-19 CVSS: 5.9 Description: A sshconfig expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7183 Published Date: 2020-10-19 CVSS: 5.9 Description: A forwardredirect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7184 Published Date: 2020-10-19 CVSS: 5.9 Description: A viewbatchtaskresultdetailfact expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7185 Published Date: 2020-10-19 CVSS: 5.9 Description: A tvxlanlegend expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7186 Published Date: 2020-10-19 CVSS: 5.9 Description: A powershellconfigcontent expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7187 Published Date: 2020-10-19 CVSS: 5.9 Description: A reportpage index expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7188 Published Date: 2020-10-19 CVSS: 5.9 Description: A userselectpagingcontent expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7189 Published Date: 2020-10-19 CVSS: 5.9 Description: A faultflasheventselectfact expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7190 Published Date: 2020-10-19 CVSS: 5.9 Description: A deviceselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7191 Published Date: 2020-10-19 CVSS: 5.9 Description: A devsoftsel expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7192 Published Date: 2020-10-19 CVSS: 5.9 Description: A devicethresholdconfig expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7193 Published Date: 2020-10-19 CVSS: 5.9 Description: An ictexpertcsvdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7194 Published Date: 2020-10-19 CVSS: 5.9 Description: A perfaddormoddevicemonitor expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7195 Published Date: 2020-10-19 CVSS: 5.9 Description: An iccselectrules expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

CVE#: CVE-2020-7363 Published Date: 2020-10-20 CVSS: NO CVSS Description: User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of UCWeb's UC Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects UCWeb's UC Browser version 13.0.8 and prior versions.

CVE#: CVE-2020-7364 Published Date: 2020-10-20 CVSS: NO CVSS Description: User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of UCWeb's UC Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects UCWeb's UC Browser version 13.0.8 and prior versions.

CVE#: CVE-2020-7369 Published Date: 2020-10-20 CVSS: 1.4 Description: User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the Yandex Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the Yandex Browser version 20.8.3 and prior versions, and was fixed in version 20.8.4 released October 1, 2020.

CVE#: CVE-2020-7370 Published Date: 2020-10-20 CVSS: 1.4 Description: User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of Danyil Vasilenko's Bolt Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the Bolt Browser version 1.4 and prior versions.

CVE#: CVE-2020-7371 Published Date: 2020-10-20 CVSS: NO CVSS Description: User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the RITS Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the RITS Browser version 3.3.9 and prior versions.

CVE#: CVE-2020-7745 Published Date: 2020-10-19 CVSS: 4.2 Description: This affects the package MintegralAdSDK before 6.6.0.0. The SDK distributed by the company contains malicious functionality that acts as a backdoor. Mintegral and their partners (advertisers) can remotely execute arbitrary code on a user device.

CVE#: CVE-2020-7747 Published Date: 2020-10-20 CVSS: 4.2 Description: This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller.

CVE#: CVE-2020-7748 Published Date: 2020-10-20 CVSS: NO CVSS Description: This affects the package @tsed/core before 5.65.7. This vulnerability relates to the deepExtend function which is used as part of the utils directory. Where user input reaches this function, an attacker can overwrite and pollute the object prototype of the program.
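The deepExtend pattern named above, as an added illustration rather than @tsed/core's own code (the function bodies and the sample payload are constructed for this example): a recursive merge that walks every key of its source, including an own `__proto__` key produced by `JSON.parse`, lands on `Object.prototype` and writes the attacker's properties there. The hardened version skips the three keys that reach the prototype chain and only recurses into properties the target itself owns.

```javascript
// Added example, not @tsed/core's code. Recursive object merge in the shape
// that is vulnerable to prototype pollution, beside a hardened version.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: Object.keys() on a JSON.parse() result includes an own
// "__proto__" key, and target["__proto__"] resolves to Object.prototype,
// so the recursion copies attacker-controlled properties onto the
// prototype shared by every plain object in the process.
function deepExtendVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      deepExtendVulnerable(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, and only
// recurse into properties the target actually owns (never an inherited one).
function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // dropped silently; throwing is also reasonable
    const val = source[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      deepExtendSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed attacker input, as it would arrive in a JSON request body.
const ATTACKER_JSON = '{"name": "x", "__proto__": {"polluted": true}}';

// Runs both versions against the payload and reports whether a fresh,
// unrelated object picked up the injected property afterwards.
function demonstrate() {
  const result = {};
  result.before = ({}).polluted;                 // undefined
  deepExtendSafe({}, JSON.parse(ATTACKER_JSON));
  result.afterSafe = ({}).polluted;              // undefined
  deepExtendVulnerable({}, JSON.parse(ATTACKER_JSON));
  result.afterVulnerable = ({}).polluted;        // true
  delete Object.prototype.polluted;              // undo the pollution for the rest of the process
  return result;
}
```

The own-property check in the hardened version matters independently of the key blocklist: without it, a key that happens to name an inherited object (for example `toString` on a target whose prototype was already tampered with) would still be recursed into.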

CVE#: CVE-2020-7749 Published Date: 2020-10-20 CVSS: NO CVSS Description: This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping ({{{ ... }}}). An attacker can therefore inject arbitrary HTML/JS, and depending on the context it is either output as HTML on the page, which gives opportunity for XSS, or rendered on the server (puppeteer), which also gives opportunity for SSRF and local file read.
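The `{{{ ... }}}` distinction above, as an added example that is not osm-static-maps' code: a minimal Mustache-style renderer in which `{{name}}` HTML-escapes the value and `{{{name}}}` inserts it raw, run against a constructed payload supplied as a marker `label` (the parameter name is an assumption). When the rendered HTML is then loaded into a server-side headless browser, as the description says happens with puppeteer, the injected markup executes there, which is why the same defect also opens SSRF and local file read rather than only client-side XSS.

```javascript
// Added example, not osm-static-maps' code. A tiny Mustache/Handlebars-style
// renderer that reproduces the escaped vs raw placeholder distinction the
// advisory turns on, plus a helper that finds raw placeholders in a template.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#x60;", "=": "&#x3D;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=]/g, (c) => HTML_ESCAPES[c]);
}

// Resolves a placeholder name against the context without walking the
// prototype chain (so "constructor" or "__proto__" in a template yield "").
function lookup(ctx, name) {
  return Object.prototype.hasOwnProperty.call(ctx, name) ? ctx[name] : "";
}

// {{{name}}} is matched before {{name}} so the triple form is not read as
// "{{" + "{name}" + "}}". The triple form inserts the value unescaped.
const PLACEHOLDER = /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g;

function render(template, ctx) {
  return template.replace(PLACEHOLDER, (_m, rawName, escName) =>
    rawName !== undefined ? String(lookup(ctx, rawName)) : escapeHtml(lookup(ctx, escName))
  );
}

// Vulnerable shape: user-controlled text goes through a raw placeholder.
function renderMarkerUnsafe(label) {
  return render('<div class="marker">{{{label}}}</div>', { label });
}

// Fixed shape: the same value through an escaping placeholder.
function renderMarkerSafe(label) {
  return render('<div class="marker">{{label}}</div>', { label });
}

// Review aid: list every raw placeholder name in a template source; these
// are the spots to check for user-controlled input.
function findRawPlaceholders(templateSource) {
  return Array.from(templateSource.matchAll(/\{\{\{\s*(\w+)\s*\}\}\}/g), (m) => m[1]);
}

// Constructed attacker input: a script tag supplied as the marker label.
const ATTACKER_LABEL = "<script>alert(1)</script>";
```

Escaping is the right default; a raw placeholder is only defensible when the value is markup the application itself produced, never when it originated in a request parameter.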

CVE#: CVE-2020-7750 Published Date: 2020-10-21 CVSS: 6.0 Description: This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.

CVE#: CVE-2020-8929 Published Date: 2020-10-19 CVSS: NO CVSS Description: A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which results in the creation of a second ciphertext that decrypts to the same plaintext. This is a problem when encrypting with deterministic AEAD under a single key and relying on a unique ciphertext per plaintext.
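The uniqueness break described above, illustrated by an added example that is not Tink's code. The description gives no more of the mechanism than "invalid unicode characters", so the example shows the general hazard that fits it: a binary key-ID prefix round-tripped through a lossy text decoder, which maps every invalid UTF-8 byte to U+FFFD and so lets ciphertexts with different prefix bytes look identical to any lookup or dedup layer keyed on the decoded string. The 5-byte prefix layout and the ciphertext bodies are constructed for the demo; Node's `Buffer` is the only dependency.

```javascript
// Added example, not Tink's code. Shows why a binary key-ID prefix must be
// compared as bytes, never after a lossy text decode. Buffer#toString("utf8")
// replaces each invalid UTF-8 byte with U+FFFD, so distinct prefixes collapse.

const PREFIX_LEN = 5; // assumed layout for the demo: 1 version byte + 4 key-ID bytes

function splitCiphertext(ct) {
  return { prefix: ct.subarray(0, PREFIX_LEN), body: ct.subarray(PREFIX_LEN) };
}

// Lossy: the prefix decoded as UTF-8 text and used as the lookup key.
// Every key-ID byte below is invalid UTF-8, so both prefixes decode to
// U+0001 followed by replacement characters, whatever their actual bytes.
function keyIdViaText(prefix) {
  return prefix.toString("utf8");
}

// Correct: the raw bytes, rendered losslessly (fixed-width hex).
function keyIdViaBytes(prefix) {
  return prefix.toString("hex");
}

// How many distinct ciphertexts a dedup layer sees when identity is
// "key ID + body", under each way of deriving the key ID.
function countDistinct(ciphertexts, keyIdFn) {
  const seen = new Set();
  for (const ct of ciphertexts) {
    const { prefix, body } = splitCiphertext(ct);
    seen.add(keyIdFn(prefix) + "|" + body.toString("hex"));
  }
  return seen.size;
}

// Constructed ciphertexts: same body, prefixes that differ in every key-ID byte.
const BODY = Buffer.from("constructed deterministic-AEAD ciphertext body");
const CT_A = Buffer.concat([Buffer.from([0x01, 0xff, 0xff, 0xff, 0xff]), BODY]);
const CT_B = Buffer.concat([Buffer.from([0x01, 0x80, 0x80, 0x80, 0x80]), BODY]);

function demonstrate() {
  const a = splitCiphertext(CT_A).prefix;
  const b = splitCiphertext(CT_B).prefix;
  return {
    prefixesEqualAsBytes: a.equals(b),                         // false
    prefixesEqualAsText: keyIdViaText(a) === keyIdViaText(b),  // true: the collision
    distinctByText: countDistinct([CT_A, CT_B], keyIdViaText),   // 1
    distinctByBytes: countDistinct([CT_A, CT_B], keyIdViaBytes), // 2
  };
}
```

The practical rule for any ciphertext format with a binary header: parse and compare header fields as bytes, and if a textual form is ever needed, use a lossless encoding such as hex or base64 rather than a character-set decode.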

CVE#: CVE-2020-9092 Published Date: 2020-10-19 CVSS: 3.6 Description: HUAWEI Mate 20 versions earlier than 10.1.0.163(C00E160R3P8) have a JavaScript injection vulnerability. A module does not verify a specific input. This could allow attackers to bypass the filter mechanism and launch JavaScript injection, which could compromise normal service of the affected module.

CVE#: CVE-2020-9111 Published Date: 2020-10-19 CVSS: NO CVSS Description: E6878-370 versions 10.0.3.1(H557SP27C233),10.0.3.1(H563SP21C233) and E6878-870 versions 10.0.3.1(H557SP27C233),10.0.3.1(H563SP11C233) have a denial of service vulnerability. The system does not properly check some events; an attacker could trigger the events continually, and successful exploitation could cause the process to reboot.

CVE#: CVE-2020-9112 Published Date: 2020-10-19 CVSS: NO CVSS Description: Taurus-AN00B versions earlier than 10.1.0.156(C00E155R7P2) have a privilege elevation vulnerability due to a lack of privilege restrictions on some of the business functions of the device. An attacker could exploit this vulnerability to access protected information, resulting in elevation of privilege.

CVE#: CVE-2020-9113 Published Date: 2020-10-19 CVSS: 5.9 Description: HUAWEI Mate 20 versions earlier than 10.0.0.188(C00E74R3P8) have a buffer overflow vulnerability in the Bluetooth module. Due to insufficient input validation, an unauthenticated attacker may craft Bluetooth messages after successful pairing, causing buffer overflow. Successful exploit may cause code execution.

CVE#: CVE-2020-9263 Published Date: 2020-10-19 CVSS: 5.9 Description: HUAWEI Mate 30 versions earlier than 10.1.0.150(C00E136R5P3) and HUAWEI P30 versions earlier than 10.1.0.160(C00E160R2P11) have a use after free vulnerability: a condition exists in which the system references memory after it has been freed. The attacker must trick the user into running a crafted application with common privilege; successful exploitation could cause code execution.

CVE#: CVE-2020-9417 Published Date: 2020-10-20 CVSS: NO CVSS Description: The Transaction Insight reporting component of TIBCO Software Inc.'s TIBCO Foresight Archive and Retrieval System, TIBCO Foresight Archive and Retrieval System Healthcare Edition, TIBCO Foresight Operational Monitor, TIBCO Foresight Operational Monitor Healthcare Edition, TIBCO Foresight Transaction Insight, and TIBCO Foresight Transaction Insight Healthcare Edition contains a vulnerability that theoretically allows an authenticated attacker to perform SQL injection. Affected releases are TIBCO Software Inc.'s TIBCO Foresight Archive and Retrieval System: versions 5.1.0 and below, version 5.2.0, TIBCO Foresight Archive and Retrieval System Healthcare Edition: versions 5.1.0 and below, version 5.2.0, TIBCO Foresight Operational Monitor: versions 5.1.0 and below, version 5.2.0, TIBCO Foresight Operational Monitor Healthcare Edition: versions 5.1.0 and below, version 5.2.0, TIBCO Foresight Transaction Insight: versions 5.1.0 and below, version 5.2.0, and TIBCO Foresight Transaction Insight Healthcare Edition: versions 5.1.0 and below, version 5.2.0.

CVE#: CVE-2020-9747 Published Date: 2020-10-21 CVSS: NO CVSS Description: Adobe Animate version 20.5 (and earlier) is affected by a double free vulnerability when parsing a crafted .fla file, which could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.

CVE#: CVE-2020-9748 Published Date: 2020-10-21 CVSS: NO CVSS Description: Adobe Animate version 20.5 (and earlier) is affected by a stack overflow vulnerability, which could lead to arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted .fla file in Animate.

CVE#: CVE-2020-9749 Published Date: 2020-10-21 CVSS: NO CVSS Description: Adobe Animate version 20.5 (and earlier) is affected by an out-of-bounds read vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted .fla file in Animate.

CVE#: CVE-2020-9750 Published Date: 2020-10-21 CVSS: NO CVSS Description: Adobe Animate version 20.5 (and earlier) is affected by an out-of-bounds read vulnerability, which could result in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted .fla file in Animate.

CVE#: CVE-2020-9771 Published Date: 2020-10-22 CVSS: NO CVSS Description: This issue was addressed with a new entitlement. This issue is fixed in macOS Catalina 10.15.4. A user may gain access to protected parts of the file system.

CVE#: CVE-2020-9772 Published Date: 2020-10-22 CVSS: NO CVSS Description: A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. A sandboxed process may be able to circumvent sandbox restrictions.

CVE#: CVE-2020-9779 Published Date: 2020-10-22 CVSS: NO CVSS Description: An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A local user may be able to cause unexpected system termination or read kernel memory.

CVE#: CVE-2020-9787 Published Date: 2020-10-22 CVSS: NO CVSS Description: A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. Some websites may not have appeared in Safari Preferences.

CVE#: CVE-2020-9796 Published Date: 2020-10-22 CVSS: NO CVSS Description: A race condition was addressed with improved state handling. This issue is fixed in macOS Catalina 10.15.5. An application may be able to execute arbitrary code with kernel privileges.

CVE#: CVE-2020-9810 Published Date: 2020-10-22 CVSS: NO CVSS Description: A logic issue was addressed with improved restrictions. This issue is fixed in macOS Catalina 10.15.5. A person with physical access to a Mac may be able to bypass Login Window.

CVE#: CVE-2020-9828 Published Date: 2020-10-22 CVSS: NO CVSS Description: An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A remote attacker may be able to leak sensitive user information.

CVE#: CVE-2020-9853 Published Date: 2020-10-22 CVSS: NO CVSS Description: A memory corruption issue was addressed with improved validation. This issue is fixed in macOS Catalina 10.15.4. A malicious application may be able to determine kernel memory layout.

CVE#: CVE-2020-9854 Published Date: 2020-10-22 CVSS: NO CVSS Description: A logic issue was addressed with improved validation. This issue is fixed in iOS 13.5 and iPadOS 13.5, macOS Catalina 10.15.5, tvOS 13.4.5. An application may be able to gain elevated privileges.

CVE#: CVE-2020-9863 Published Date: 2020-10-22 CVSS: NO CVSS Description: A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8. An application may be able to execute arbitrary code with kernel privileges.

CVE#: CVE-2020-9868 Published Date: 2020-10-22 CVSS: NO CVSS Description: A certificate validation issue existed when processing administrator added certificates. This issue was addressed with improved certificate validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8. An attacker may have been able to impersonate a trusted website using shared key material for an administrator added certificate.

CVE#: CVE-2020-9869 Published Date: 2020-10-22 CVSS: NO CVSS Description: A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.6. A remote attacker may cause an unexpected application termination.

CVE#: CVE-2020-9871 Published Date: 2020-10-22 CVSS: NO CVSS Description: An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

CVE#: CVE-2020-9872 Published Date: 2020-10-22 CVSS: NO CVSS Description: An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

CVE#: CVE-2020-9873 Published Date: 2020-10-22 CVSS: NO CVSS Description: An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

CVE#: CVE-2020-9874 Published Date: 2020-10-22 CVSS: NO CVSS Description: An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

CVE#: CVE-2020-9875 Published Date: 2020-10-22 CVSS: NO CVSS Description: An integer overflow was addressed through improved input validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

CVE#: CVE-2020-9876 Published Date: 2020-10-22 CVSS: NO CVSS Description: An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.

CVE#: CVE-2020-9877 Published Date: 2020-10-22 CVSS: NO CVSS Description: An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

CVE#: CVE-2020-9879 Published Date: 2020-10-22 CVSS: NO CVSS Description: An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

CVE#: CVE-2020-9880 Published Date: 2020-10-22 CVSS: NO CVSS Description: A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8. Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution.

CVE#: CVE-2020-9881 Published Date: 2020-10-22 CVSS: NO CVSS Description: A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, watchOS 6.2.8. Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution.

CVE#: CVE-2020-9882 Published Date: 2020-10-22 CVSS: NO CVSS Description: A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, watchOS 6.2.8. Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution.

CVE#: CVE-2020-9883 Published Date: 2020-10-22 CVSS: NO CVSS Description: A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

CVE#: CVE-2020-9887 Published Date: 2020-10-22 CVSS: NO CVSS Description: A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.6. Viewing a maliciously crafted JPEG file may lead to arbitrary code execution.

CVE#: CVE-2020-9892 Published Date: 2020-10-22 CVSS: NO CVSS Description: Multiple memory corruption issues were addressed with improved state management. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8. A malicious application may be able to execute arbitrary code with system privileges.

CVE#: CVE-2020-9898 Published Date: 2020-10-22 CVSS: NO CVSS Description: This issue was addressed with improved entitlements. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6. A sandboxed process may be able to circumvent sandbox restrictions.

CVE#: CVE-2020-9899 Published Date: 2020-10-22 CVSS: NO CVSS Description: A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.6. An application may be able to execute arbitrary code with kernel privileges.

CVE#: CVE-2020-9900 Published Date: 2020-10-22 CVSS: NO CVSS Description: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8. A local attacker may be able to elevate their privileges.

CVE#: CVE-2020-9901 Published Date: 2020-10-22 CVSS: NO CVSS Description: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. A local attacker may be able to elevate their privileges.

CVE#: CVE-2020-9902 Published Date: 2020-10-22 CVSS: NO CVSS Description: An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8. A malicious application may be able to determine kernel memory layout.

CVE#: CVE-2020-9904 Published Date: 2020-10-22 CVSS: NO CVSS Description: A memory corruption issue was addressed with improved state management. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8. An application may be able to execute arbitrary code with kernel privileges.

CVE#: CVE-2020-9905 Published Date: 2020-10-22 CVSS: NO CVSS Description: A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. A remote attacker may be able to cause a denial of service.

CVE#: CVE-2020-9906 Published Date: 2020-10-22 CVSS: NO CVSS Description: A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, watchOS 6.2.8. A remote attacker may be able to cause unexpected system termination or corrupt kernel memory.

CVE#: CVE-2020-9908 Published Date: 2020-10-22 CVSS: NO CVSS Description: An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.6. A local user may be able to cause unexpected system termination or read kernel memory.

CVE#: CVE-2020-9919 Published Date: 2020-10-22 CVSS: NO CVSS Description: A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

CVE#: CVE-2020-9920 Published Date: 2020-10-22 CVSS: NO CVSS Description: A path handling issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, watchOS 6.2.8. A malicious mail server may overwrite arbitrary mail files.

CVE#: CVE-2020-9921 Published Date: 2020-10-22 CVSS: NO CVSS Description: A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.6. A malicious application may be able to execute arbitrary code with system privileges.

CVE#: CVE-2020-9924 Published Date: 2020-10-22 CVSS: NO CVSS Description: A logic issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15.6. A remote attacker may be able to cause a denial of service.

CVE#: CVE-2020-9927 Published Date: 2020-10-22 CVSS: NO CVSS Description: A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.6. An application may be able to execute arbitrary code with kernel privileges.

CVE#: CVE-2020-9928 Published Date: 2020-10-22 CVSS: NO CVSS Description: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.6. An application may be able to execute arbitrary code with kernel privileges.

CVE#: CVE-2020-9929 Published Date: 2020-10-22 CVSS: NO CVSS Description: A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.6. A local user may be able to cause unexpected system termination or read kernel memory.

CVE#: CVE-2020-9935 Published Date: 2020-10-22 CVSS: NO CVSS Description: A logic issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15.6. A user may be unexpectedly logged in to another user’s account.

CVE#: CVE-2020-9937 Published Date: 2020-10-22 CVSS: NO CVSS Description: An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

CVE#: CVE-2020-9938 Published Date: 2020-10-22 CVSS: NO CVSS Description: An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

CVE#: CVE-2020-9939 Published Date: 2020-10-22 CVSS: NO CVSS Description: This issue was addressed with improved checks. This issue is fixed in macOS Catalina 10.15.6. A local user may be able to load unsigned kernel extensions.

CVE#: CVE-2020-9940 Published Date: 2020-10-22 CVSS: NO CVSS Description: A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution.

CVE#: CVE-2020-9980 Published Date: 2020-10-22 CVSS: NO CVSS Description: An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8. Processing a maliciously crafted font file may lead to arbitrary code execution.

CVE#: CVE-2020-9984 Published Date: 2020-10-22 CVSS: NO CVSS Description: An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

CVE#: CVE-2020-9985 Published Date: 2020-10-22 CVSS: NO CVSS Description: A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, watchOS 6.2.8. Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution.

CVE#: CVE-2020-9986 Published Date: 2020-10-22 CVSS: NO CVSS Description: A file access issue existed with certain home folder files. This was addressed with improved access restrictions. This issue is fixed in macOS Catalina 10.15.7. A malicious application may be able to read sensitive location information.

CVE#: CVE-2020-9990 Published Date: 2020-10-22 CVSS: NO CVSS Description: A race condition was addressed with additional validation. This issue is fixed in macOS Catalina 10.15.6. A malicious application may be able to execute arbitrary code with kernel privileges.

CVE#: CVE-2020-9994 Published Date: 2020-10-22 CVSS: NO CVSS Description: A path handling issue was addressed with improved validation. This issue is fixed in iOS 13.5 and iPadOS 13.5, macOS Catalina 10.15.5, tvOS 13.4.5, watchOS 6.2.5. A malicious application may be able to overwrite arbitrary files.

CVE#: CVE-2020-9997 Published Date: 2020-10-22 CVSS: NO CVSS Description: An information disclosure issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15.6, watchOS 6.2.8. A malicious application may disclose restricted memory.

----#MALWARE----

LlnuxBot: RT @3XS0: This nasty #malware hit 1 out of every 10 Macs last year https://t.co/bDRzEXADgS #cybersecurity #cybersec #dataprotection #data…

HeliosCert: Sample submitted 2020-10-22 22:05:02 Dionaea Honeypot Protocol: smbd Sources: ::ffff:117.239.35.172 b4b982709c8a… https://t.co/M65P4BES7S

3XS0: This nasty #malware hit 1 out of every 10 Macs last year https://t.co/bDRzEXADgS #cybersecurity #cybersec… https://t.co/El6eLk8FLi

sectest9: RT @mike2003sims: Botnets, #malware campaigns and the resurgence of Emotet #ransomware, oh my! Tune in to the latest Juniper Threat Labs po…

CyberSecurityN8: RT @mike2003sims: Botnets, #malware campaigns and the resurgence of Emotet #ransomware, oh my! Tune in to the latest Juniper Threat Labs po…

MaltrakN: RT @mike2003sims: Botnets, #malware campaigns and the resurgence of Emotet #ransomware, oh my! Tune in to the latest Juniper Threat Labs po…

PhishFindR: In the Last 24 Hours 🎣 PhishFindR Found: 1242 NEW #Phishing Links 🔗 593 NEW Phishing Domains 🌐 2020-10-23… https://t.co/Cpwr92W65K

mike2003sims: Botnets, #malware campaigns and the resurgence of Emotet #ransomware, oh my! Tune in to the latest Juniper Threat L… https://t.co/yCmkngr1Dh

Dorothy11405068: RT @CyberNews_com: #Botnets are responsible for massive amounts of #hacking, #spamming, and #malware around the world. And these are some o…

Mohit_Emkay: RT @CioAmaro: Very useful security tips from balancelogic #Infosec #CyberSecurity #CyberAttack #Hacking #Privacy #Threat #Malware #Ransomwa…

sectest9: RT @echocl0ud: What is your Data Worth? #backupplan #cybersecurity #CyberFit #CyberSecurityAwarenessMonth #Data #datasecurity #ransomware…

CyberSecurityN8: RT @echocl0ud: What is your Data Worth? #backupplan #cybersecurity #CyberFit #CyberSecurityAwarenessMonth #Data #datasecurity #ransomware…

MaltrakN: RT @echocl0ud: What is your Data Worth? #backupplan #cybersecurity #CyberFit #CyberSecurityAwarenessMonth #Data #datasecurity #ransomware…

securityaffairs: New #Emotet campaign uses a new '#Windows Update' attachment. https://t.co/8SzfutgVAF #securityaffairs #hacking #malware

asisact: RT @CioAmaro: Number of leaked government records increases by 278% in Q1, 2020 - Atlas VPN #Infosec #CyberSecurity #CyberAttack #Hacking…

----#PHISHING----

PhishStats: new #phishing at hXXp://0292983393902020[.]efreehost[.]com/ | 185[.]27[.]134[.]138 | United Kingdom | WILDCARD-AS W… https://t.co/z4FacoJB4b

JEMPradio: George Benson - Shark Bite #CommunityRadio #Phish https://t.co/s9i3jkbCBt

gdprAI: RT @alvaka: Earlier this year cybercriminals were capitalizing on #phishing campaigns disguised as COVID-19 info. Now, they’re developing n…

alvaka: Earlier this year cybercriminals were capitalizing on #phishing campaigns disguised as COVID-19 info. Now, they’re… https://t.co/wqpLUrabJw

PiperGolfCo: Remember that time my Dads turned MSG in to @Topgolf https://t.co/Up64sRBNLo https://t.co/dDXQFyx5Ei #piper… https://t.co/cIGSt3LH6l

SparkPost: When it comes to email there’s nothing spookier than a #phishing attack. Learn why here: https://t.co/l2iKP7Ce2J

karenbeckett: RT @CGI_Global: How can organizations help defend against increases in #phishing attacks related to #COVID19 scams? Read our new blog post…

TheDukeOfNearl: If the rest of you #phish folks are curious what some other folks listen to when they’re not listening to Phish⬇️⬇️… https://t.co/aVqR80RpqF

theorrminator: Phishing attacks are on the rise, making it increasingly important to know how to spot these scams. David Bisson lo… https://t.co/Vmu3u7RBWH

ktamimi: RT @higbee: Still some dreamer SOCs who think they can fully automate their Phish Report response. Hate to burst your bubble.. but if your…

Ultrascan419: Feds delay indictment of ex-Gary mayor's confidant in bank fraud case: Cossey, a serial filer in bankruptcy court f… https://t.co/iRG5s6NORx

Ultrascan419: First arrests made in push to reduce COVID-19 unemployment fraud: BATON ROUGE, La. (Office of Jeff Landry) - Flanke… https://t.co/rENP7fucFn

kjrahimi: A question that doesn't get asked that often: what is your favorite version of `Slave to the Traffic Light`?… https://t.co/dHWhcziQ7m

----#OSINT----

carrybeyond: RT @Z_Everson: Tough angle, but any insight into Rudy’s companions at the Trump Hotel DC recently? #osint via @1100penn https://t.co/Ls4H…

TheBugBot: RT @cry__pto: JS is l0ve: https://t.co/b48afC1Pf4 BugBounty TIPS + Tools: https://t.co/VSIYAxo7Ix Java RMI for pentesters: structure, reco…

viper202020: Amazing display of B-2 stealth bombers basking in the sun at Hickam Airfield near Honolulu, HI 😎( Image circa 2015… https://t.co/5KtIWfSVJB

bluespec1497992: RT @CraigSilverman: IT’S HERE! The new Verification Handbook for Disinformation and Media Manipulation is online and available for free.…

CyberSecurityN8: RT @h4x0r_dz: A simple way helped me to find more endpoints/info about #bugbounty target. maybe can help you! site:https://t.co/54LKNaswYu…

sectest9: RT @h4x0r_dz: A simple way helped me to find more endpoints/info about #bugbounty target. maybe can help you! site:https://t.co/54LKNaswYu…

FragmentedSoul5: RT @h4x0r_dz: A simple way helped me to find more endpoints/info about #bugbounty target. maybe can help you! site:https://t.co/54LKNaswYu…

FxCebx: RT @DfirDiva: Free Blue Teaming Training by @chihebchebbi201 #DFIR, #OSINT https://t.co/2BkdJBxNd6

RDSWEB: RT @recruitmentgeek: Hack: Google for Facebook Photos Interpretations #OSINT https://t.co/YDWQGY4u3l #recruitment

OSINTgeek: RT @recruitmentgeek: Hack: Google for Facebook Photos Interpretations #OSINT https://t.co/YDWQGY4u3l #recruitment

LockpickingPete: RT @BsidesORL: Interested in #OSINT ? Grab a ticket to the Introduction to People OSINT & OSINT for Missing Persons workshop with @C_3PJoe…

TraceLabs: RT @BsidesORL: Interested in #OSINT ? Grab a ticket to the Introduction to People OSINT & OSINT for Missing Persons workshop with @C_3PJoe…

BuS1HdO: RT @cry__pto: Awesome Vulnerable Applications: https://t.co/vuDLUXFuhs Awesome Hacking Tools: https://t.co/pdMW9YBPaP The Mobile App Pente…

FahadGorain: RT @JinibaBD: Iranian Hacker Group Using New Tools to Target Government Agencies of Middle East #CyberSecurity #osint #infosec #cyberthreat…

InfoSec_Pom: Check the last 45 days of aggregation - https://t.co/seaH3xAtSv --> Threathistory https://t.co/lV8xS3o3Ny 8 New an… https://t.co/GWMGbA7hL3

----#THREATINTEL----

cybsecbot: RT @FarsightSecInc: New blog article: DNSDB 2.0 Flexible Search is Now Available! https://t.co/3aGWuULd0e #DNS #cybersecurity #threatintel…

NickWilmot3: RT @ReversingLabs: Building a great security stack requires teamwork. Watch Jon Duffy explain how Reversinglabs and @Anomali make a great…

CyberSecurityN8: RT @NETSCOUT: More than 929,000 #DDoS attacks occurred in May, representing the single largest number of attacks ever seen in a month! Rema…

sectest9: RT @NETSCOUT: More than 929,000 #DDoS attacks occurred in May, representing the single largest number of attacks ever seen in a month! Rema…

Riazjavedbutt: Credential-Stuffing Attacks Plague Loyalty Programs #ThreatIntelligence #MSFTSecurity #MSExpertTalk https://t.co/Ckcn0CGiEv

rick_weav: RT @CheckPointSW: Although companies are often enthusiastic about #digitaltransformation, their efforts fail 90% of the time. Do you have a…

NETSCOUT: More than 929,000 #DDoS attacks occurred in May, representing the single largest number of attacks ever seen in a m… https://t.co/QVJytWsRrS

DWCoker1: According to a recent #ThreatIntelligence report by @NETSCOUT, the first half of 2020 saw a 15% increase in the… https://t.co/UuEEUyhCHH

CSOCIntel: RT @FarsightSecInc: New blog article: DNSDB 2.0 Flexible Search is Now Available! https://t.co/3aGWuULd0e #DNS #cybersecurity #threatintel…

echosec_search: We help you stay threat informed so you can prevent cyberattacks. Learn more: https://t.co/wmYSYpuD8R #drps #threatintelligence

FarsightSecInc: New blog article: DNSDB 2.0 Flexible Search is Now Available! https://t.co/3aGWuULd0e #DNS #cybersecurity… https://t.co/npUzCD2gBW

RecordedFuture: Our refreshed #securityintelligence handbook will play a major role in your security strategy by offering practical… https://t.co/udnbZqCY67

AmyRuckes: RT @GroupSenseCyber: Register today to hear our Senior Intelligence Analyst, @CosimoMortola, go in-depth into #WhatsApp's security concern…

GoIrishBrian: RT @banduracyber: If 2020 was a good year for anyone, ransomware operators would certainly be at the top of the list. Want to make sure tha…

----#RANSOMWARE----

tegocyber: The town of Shafter, California has fallen victim to a ransomware attack and is unable to decrypt their IT systems.… https://t.co/5qTJ46zFYT

Cloud_CIO_: RT @krmaas: #Ransomware attacks! Here are some basic tips for defending against hackers! #CyberAware #exploit #threats #VeteranOwned #Cyber…

sanjeevhdesai: RT @Cohesity: Global healthcare is in the crosshairs of cybercriminals, and medical records have become a hot commodity—held for ransom or…

HonkHase: Sopra Steria hit by cyber attack. IT services group suspected of falling victim to #ransomware https://t.co/GOp7iy1LPC

vemedina: #Ransomware hits election infrastructure in Georgia county https://t.co/JPMGAQ8Prm #cybersecurity

NcsVentures: #ransomware | #computerhacker | Toll Group still mopping up after ransomware attacks – Security https://t.co/mJO0gjCPEq

infomgmttoday: Read more #Ransomware insights here: Ransomware: Would Banning Ransom Payments Mitigate Threat? by @databreachtoday… https://t.co/ViugSpLQJx

----#OPENDIR----

ActorExpose: RT @makflwana: #phishing for email creds #opendir theme - TAX REFUND-100304_docx.html exfil - hxxps://graceatwork.mywire.org/akube/next.php…

_brettfitz: RT @IronNetTR: Phishing page targeting Georgian bank TBC: hxxp://danisbridalwork.icu/e.php #opendir #phishing #TBCbank https://t.co/KNTvjYz…

IronNetTR: Phishing page targeting Georgian bank TBC: hxxp://danisbridalwork.icu/e.php #opendir #phishing #TBCbank https://t.co/KNTvjYzKea

----#MALSPAM----

rj_chap: RT @malware_traffic: 2020-10-20 - Tuesday's #Hancitor infection with an unidentified info stealer and #CobaltStrike - Finally got around to…

hj751: RT @malware_traffic: 2020-10-20 - Tuesday's #Hancitor infection with an unidentified info stealer and #CobaltStrike - Finally got around to…

cybe_rpunkfixer: RT @malware_traffic: 2020-10-20 - Tuesday's #Hancitor infection with an unidentified info stealer and #CobaltStrike - Finally got around to…

cybsecbot: RT @malware_traffic: 2020-10-20 - Tuesday's #Hancitor infection with an unidentified info stealer and #CobaltStrike - Finally got around to…

mrgeffitas: The #Emotet botnet is one of the world's largest sources of #malspam. Its latest trick is to lure users into infect… https://t.co/eK9qEYVhCS

3XS0: #malspam "Ref: DHL_AWB #1008936572891" with .iso attachment contains #masslogger https://t.co/RbQM0cCRXm https://t.co/8qS7JYkqxJ

3XS0: #malspam with subject "BL" brings #nanocore https://t.co/DWvwK7sXNC C2: kozatkr.myq-see[.]com:6666

3XS0: #malspam "Check this out" brings #404keylogger https://t.co/tLfLi6SmNz

fbgwls245: RT @MarceloRivero: A Go ransomware sample: - Extension: .VAGGEN - Email: employer21@protonmail[.]com - Note: ABOUT_UR_FILES.txt / AboutYo…
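The PhishStats, makflwana/IronNetTR, 3XS0 and MarceloRivero entries above post their indicators defanged (hXXp://, hxxps://, [.]) so that a feed reader cannot click them by accident. The following is an added example, not code from any of those accounts or from the ThreatHistory aggregator, that pulls the defanged indicators out of such feed lines and restores them for a blocklist or a passive-DNS lookup. The regexes cover the conventions visible on this page plus the common (.), [dot], [:] and [at] variants; the sample lines are copied from the entries above, and the function and constant names are the example's own.

```python
"""Refang defanged indicators (hxxp://, [.], [:]) found in threat-intel tweets.

Added example for this feed; not code from any of the quoted accounts or tools.
Only strings carrying a defang marker are treated as indicators, so the tweets'
own https://t.co/... short links are left alone.
"""
import re

# Defanged URL, IPv4 address, e-mail address, or hostname (optionally :port).
_IOC_RE = re.compile(
    r"h[xX]{2}ps?(?:\[:\]//|\[://\]|://)[^\s\u2026]+"           # hxxp://..., hXXps[:]//...
    r"|\b(?:\d{1,3}\[\.\]){3}\d{1,3}\b"                          # 185[.]27[.]134[.]138
    r"|\b[\w.+-]+(?:@|\[@\]|\[at\])[\w-]+(?:\[\.\][\w-]+)+\b"     # user@host[.]tld
    r"|\b[\w-]+(?:\.[\w-]+)*(?:\[\.\][\w-]+)+(?::\d{1,5})?\b",    # host.sub[.]tld[:port]
    re.IGNORECASE,
)


def refang(indicator: str) -> str:
    """Turn one defanged indicator back into its live form."""
    s = indicator.strip()
    # hxxp:// / hXXps:// / hxxp[:]// / hxxp[://] -> http:// or https://
    s = re.sub(
        r"\bh[xX]{2}p(s?)(?:\[:\]//|\[://\]|://)",
        lambda m: "http" + m.group(1).lower() + "://",
        s,
        flags=re.IGNORECASE,
    )
    s = re.sub(r"\[(?:\.|dot)\]|\(\.\)", ".", s, flags=re.IGNORECASE)  # [.] [dot] (.)
    s = s.replace("[:]", ":").replace("[@]", "@")
    s = re.sub(r"\[at\]", "@", s, flags=re.IGNORECASE)
    return s.replace("\\.", ".")  # "example\.com" style escaping


def extract_iocs(text: str) -> list[tuple[str, str]]:
    """Return (as-posted, refanged) pairs for every defanged indicator in text."""
    return [(m, refang(m)) for m in _IOC_RE.findall(text)]


def refang_feed(lines: list[str]) -> dict[str, list[str]]:
    """Map each feed line to the live indicators it carries (possibly none)."""
    return {line: [live for _, live in extract_iocs(line)] for line in lines}


# Feed lines copied from the entries above. The https://t.co/... links are the
# tweets' own short links, not indicators, and must not be picked up.
FEED_LINES = [
    "new #phishing at hXXp://0292983393902020[.]efreehost[.]com/ | 185[.]27[.]134[.]138 | United Kingdom",
    "Phishing page targeting Georgian bank TBC: hxxp://danisbridalwork.icu/e.php #opendir https://t.co/KNTvjYzKea",
    '#malspam with subject "BL" brings #nanocore https://t.co/DWvwK7sXNC C2: kozatkr.myq-see[.]com:6666',
    "A Go ransomware sample: - Extension: .VAGGEN - Email: employer21@protonmail[.]com",
]

if __name__ == "__main__":
    for line, live in refang_feed(FEED_LINES).items():
        print(f"{line[:50]:<50} -> {live}")
```

Refanged values can go straight into a blocklist or a lookup; anything without a defang marker is deliberately ignored, because in this kind of feed a fully live URL is almost always the poster's own link rather than an indicator.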

3732n415: RT @malware_traffic: 2020-10-20 - Tuesday's #Hancitor infection with an unidentified info stealer and #CobaltStrike - Finally got around to…

bit_dam: #malspam #macro detected in-the-wild by @BitDamSecurity sha1: d12e19b5e70148fd2025e3b05fe11b669259480c not on VT… https://t.co/x5MuitOJP8

luc4m: RT @malware_traffic: 2020-10-20 - Tuesday's #Hancitor infection with an unidentified info stealer and #CobaltStrike - Finally got around to…

0xT11: RT @malware_traffic: 2020-10-20 - Tuesday's #Hancitor infection with an unidentified info stealer and #CobaltStrike - Finally got around to…

Andre3Verzaal: RT @malware_traffic: 2020-10-20 - Tuesday's #Hancitor infection with an unidentified info stealer and #CobaltStrike - Finally got around to…

frisadhaaa: RT @malware_traffic: 2020-10-20 - Tuesday's #Hancitor infection with an unidentified info stealer and #CobaltStrike - Finally got around to…

----#EMOTET----

ActorExpose: RT @MBThreatIntel: #Emotet malspam for 2020-10-19 IOCs: https://t.co/lfKuBfGZSr https://t.co/ftAkF3wjqU

luigi_martire94: RT @Cryptolaemus1: with current #emotet DOC, you can use the #CyberChef 'Register' function to dynamically select the Replace value from th…

ActorExpose: RT @Cryptolaemus1: with current #emotet DOC, you can use the #CyberChef 'Register' function to dynamically select the Replace value from th…

sathishdatwit: RT @Cryptolaemus1: with current #emotet DOC, you can use the #CyberChef 'Register' function to dynamically select the Replace value from th…

mattnotmax: RT @Cryptolaemus1: with current #emotet DOC, you can use the #CyberChef 'Register' function to dynamically select the Replace value from th…

jgrunzweig: RT @Cryptolaemus1: with current #emotet DOC, you can use the #CyberChef 'Register' function to dynamically select the Replace value from th…

roidowl: RT @Cryptolaemus1: with current #emotet DOC, you can use the #CyberChef 'Register' function to dynamically select the Replace value from th…

SamyCod3r: RT @Cryptolaemus1: with current #emotet DOC, you can use the #CyberChef 'Register' function to dynamically select the Replace value from th…

Cryptolaemus1: New #emotet Epoch 1 urls //primaage.com/wp-admin/is/ //uvibrands.com/QIG/ s://morrobaydrugandgift.com/wp-contentbak… https://t.co/iK7YYUniDu

precosymf: RT @Cryptolaemus1: with current #emotet DOC, you can use the #CyberChef 'Register' function to dynamically select the Replace value from th…

t0pang4: RT @Cryptolaemus1: with current #emotet DOC, you can use the #CyberChef 'Register' function to dynamically select the Replace value from th…

Mesiagh: RT @Cryptolaemus1: with current #emotet DOC, you can use the #CyberChef 'Register' function to dynamically select the Replace value from th…

Cloud_CIO_: RT @Cofense: #Emotet has become a serious #phishing threat to many businesses in Japan. How can you defend against a #CyberSecurity threat…

ArunJoseph_AJ: RT @Cryptolaemus1: with current #emotet DOC, you can use the #CyberChef 'Register' function to dynamically select the Replace value from th…

----#BUGBOUNTY----

ActorExpose: RT @InfoSec_Pom: Check the last 45 days of aggregation - https://t.co/seaH3xAtSv --> Threathistory https://t.co/h4qlIERh35 Phishers Capita…

CyberSecurityN8: RT @InfoSec_Pom: Check the last 45 days of aggregation - https://t.co/seaH3xAtSv --> Threathistory https://t.co/h4qlIERh35 Phishers Capita…

sectest9: RT @InfoSec_Pom: Check the last 45 days of aggregation - https://t.co/seaH3xAtSv --> Threathistory https://t.co/h4qlIERh35 Phishers Capita…

InfoSec_Pom: Check the last 45 days of aggregation - https://t.co/seaH3xAtSv --> Threathistory https://t.co/h4qlIERh35 Phishers… https://t.co/OgOVdE3fqW

Cloud_CIO_: RT @Mah3Sec_: Some Useful Burp Extension| Suggestions are welcome| #bugbounty #burp #cybersecurity #bugbountytip #CybersecurityAwarenessMon…

Noob_haxer_: RT @disclosedh1: Shopify disclosed a bug submitted by ash_nz: https://t.co/gGw5uwXePl - Bounty: $2,000 #hackerone #bugbounty https://t.co/z…

akaclandestine: RT @_SaxX_: Some commands aim to bypass WAFs. Enjoy #bugbounty #bugbountytips #PenTest cat /e${the}tc/${game}pas${ftw}swd cat /etc/pas${…

avoulk: RT @_SaxX_: Some commands aim to bypass WAFs. Enjoy #bugbounty #bugbountytips #PenTest cat /e${the}tc/${game}pas${ftw}swd cat /etc/pas${…

hisantana_: RT @_SaxX_: Some commands aim to bypass WAFs. Enjoy #bugbounty #bugbountytips #PenTest cat /e${the}tc/${game}pas${ftw}swd cat /etc/pas${…

darrell_kidjo: RT @_SaxX_: Some commands aim to bypass WAFs. Enjoy #bugbounty #bugbountytips #PenTest cat /e${the}tc/${game}pas${ftw}swd cat /etc/pas${…
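The tip above works because bash expands ${the}, ${game} and ${ftw} to empty strings when those variables are unset, so the shell still runs cat /etc/passwd while a WAF matching the literal string sees nothing. The following is an added example, not the tweet author's code, of the normalise-then-match step a detector needs: it undoes that trick and two equally common no-ops (empty quote pairs and backslashes in front of ordinary characters) before applying a signature list. Treating every ${name} as unset is a detection heuristic, since a WAF cannot see the target shell's environment; the signature list and every sample command except the tweet's first one are constructed for the example.

```python
"""Normalise shell-expansion obfuscation before matching command-injection signatures.

Added example for the WAF-bypass tip above; not the tweet author's code.
Three tricks leave the executed command unchanged but defeat literal matching:
  ${name}   expansion of a variable the attacker knows is unset  -> ""
  '' / ""   empty quote pairs inside a word                       -> ""
  \\c       backslash before a plain character                    -> c
Assuming every ${name} is unset is a heuristic (the WAF cannot see the shell's
environment); it errs toward false positives rather than misses.
"""
import re
from typing import Optional

# Constructed signature list for the example; a real ruleset is far longer.
SIGNATURES = ("/etc/passwd", "/etc/shadow", "/proc/self/environ")

_UNSET_VAR = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")   # ${the}, ${game}, ${ftw}
_EMPTY_QUOTES = re.compile(r"''|\"\"")                     # pas''swd, sha""dow
_ESCAPED_PLAIN = re.compile(r"\\([A-Za-z0-9/])")           # pa\sswd -> passwd


def normalize(cmd: str) -> str:
    """Return the command as the shell sees it once the three no-ops are removed."""
    cmd = _UNSET_VAR.sub("", cmd)
    cmd = _EMPTY_QUOTES.sub("", cmd)
    cmd = _ESCAPED_PLAIN.sub(r"\1", cmd)
    return cmd


def naive_match(cmd: str) -> Optional[str]:
    """Literal signature match on the raw string: the check the bypass defeats."""
    return next((sig for sig in SIGNATURES if sig in cmd), None)


def normalized_match(cmd: str) -> Optional[str]:
    """Signature match on the normalised form: catches the obfuscated variants."""
    return naive_match(normalize(cmd))


# The tweet's first command plus constructed variants of the same idea.
SAMPLES = [
    "cat /e${the}tc/${game}pas${ftw}swd",   # from the tweet
    "cat /etc/pas''swd",                    # constructed: empty single quotes
    'cat /etc/sha""dow',                    # constructed: empty double quotes
    "cat /e\\tc/pa\\sswd",                  # constructed: backslash-escaped plain chars
    "cat /etc/hostname",                    # constructed: benign, must not match
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{cmd!r:<40} raw={naive_match(cmd)!s:<12} normalised={normalized_match(cmd)}")
```

The normaliser only rewrites constructs that are no-ops for the shell, so the normalised string is exactly what would be executed; anything the signature list catches there is a true match, and a benign command stays benign.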

LlnuxBot: RT @hacback17: I recommended “Google Cloud Platform 101” on @Medium https://t.co/2Mx4ulmhhn #bugbounty #bugbountytip #infosec #girlswhocode…

WomenCodersBot: RT @hacback17: I recommended “Google Cloud Platform 101” on @Medium https://t.co/2Mx4ulmhhn #bugbounty #bugbountytip #infosec #girlswhocode…

----#CYBERCRIME----

barracuda: Check out this episode of the @XaaSJournal podcast to hear the latest on how attackers are using malicious accounts… https://t.co/wFbRqo64Be

NamesOfLondon: #Cybercrime #Security #Internet @Verisign #IoT 👋 Is it Possible to Take Down the Internet https://t.co/g36Z0mNGVT

Merckxcycling: RT @EvanKirstel: The Network: How Phantom Secure, which started as a privacy-focused phone company in Canada, became a network for the Sina…

sectest9: RT @HatingHatred: Let's add some tags. #abuse #onlineabuse #hate #harassment #cyberbullying #cybercrime #journalism #freelancing #misogyny…

CyberSecurityN8: RT @HatingHatred: Let's add some tags. #abuse #onlineabuse #hate #harassment #cyberbullying #cybercrime #journalism #freelancing #misogyny…

HatingHatred: Let's add some tags. #abuse #onlineabuse #hate #harassment #cyberbullying #cybercrime #journalism #freelancing… https://t.co/WkHX9nhc2O

EvanKirstel: The Network: How Phantom Secure, which started as a privacy-focused phone company in Canada, became a network for t… https://t.co/b6eOtN2Loz

sectest9: RT @ACFEMumbai: With a surge in #cybercrime, Big FM in association with Delhi Police raise awareness against #cybersecurity in form of a ra…

CyberSecurityN8: RT @ACFEMumbai: With a surge in #cybercrime, Big FM in association with Delhi Police raise awareness against #cybersecurity in form of a ra…

AcfePuertoRico: RT @ACFEMumbai: With a surge in #cybercrime, Big FM in association with Delhi Police raise awareness against #cybersecurity in form of a ra…

CISO_Thoughts: RT @securityaffairs: The #Crimeware-as-a-Service model is sweeping over the #cybercrime world. Here’s why https://t.co/BRFlCVLZ9J #security…

securityaffairs: The #Crimeware-as-a-Service model is sweeping over the #cybercrime world. Here’s why https://t.co/BRFlCVLZ9J #securityaffairs #hacking

Cloud_CIO_: RT @NextBillion: Combating Cybercrime in Emerging Economies: The Case for Regional Cybersecurity Centers to Protect the Finances of the Poo…

gdprAI: RT @keepnetlabs: 78% of people claim to be aware of the risks of unknown links in emails, yet they click anyway. https://t.co/rOKt0PSmbm #s…

gdprAI: RT @keepnetlabs: The global information security market will be reaching to $170.4 billion in 2021 - https://t.co/rOKt0PSmbm #statistics #…

----Hacking Updates----

facebook updated hhvm. This repo has 16701 stars and 1076 watchers. This repo was created on 2010-01-02. --- A virtual machine for executing programs written in Hack.

hhvm updated hsl-experimental. This repo has 13 stars and 9 watchers. This repo was created on 2018-04-23. --- Experimental features for the Hack Standard Library

abrahammurciano updated jack2hack. This repo has 0 stars and 1 watcher. This repo was created on 2020-10-21. --- Jack compiler for the Hack platform via the intermediate language VM

ChriZoizo updated DoctoLib. This repo has 0 stars and 1 watcher. This repo was created on 2020-10-22. --- This is the DB lesson for THP school (The Hacking Project)

KroNton updated 30-Days-of-code. This repo has 0 stars and 1 watcher. This repo was created on 2020-10-20. --- Hacker Rank track to learn coding in 30 days to improve programming and problem solving skills.

Naxiuss updated PHue-HackingLights. This repo has 0 stars and 1 watcher. This repo was created on 2020-10-22. --- Play with your smart lights

kevinlacaille updated planet_hack_2020_deforestation. This repo has 2 stars and 5 watchers. This repo was created on 2020-10-15. --- Related Project Pitch: https://github.com/planetlabs-community/planet-hack-2020/issues/64

Youtman updated Landing-page. This repo has 0 stars and 1 watcher. This repo was created on 2020-10-17. --- This is a landing page for a cybersecurity event called Capture The Flag at Hacker Halted, October 19-23, 2020, by Cyber Ranges.

KevinSum updated Hack-and-Slash-Game-Demo. This repo has 0 stars and 1 watcher. This repo was created on 2020-08-27. --- Short little Hack and Slash game using Hyper Light Demo sprites and other premade assets

Purp1eW0lf updated HackTheBoxWriteups. This repo has 15 stars and 2 watchers. This repo was created on 2020-05-29. --- Writeups for the machines on ethical hacking site Hack the Box

rfontanarosa updated brainlordapps. This repo has 2 stars and 2 watchers. This repo was created on 2015-11-26. --- a set of web-applications for hacking some old school videogames

Mac15001900 updated powerPanic. This repo has 1 star and 3 watchers. This repo was created on 2020-10-22. --- Hack the Midlands 2020 game jam entry

mahowa updated Covid-19-d3. This repo has 10 stars and 3 watchers. This repo was created on 2020-10-13. --- Created with CodeSandbox

I-Al-Istannen updated Librarium. This repo has 0 stars and 1 watcher. This repo was created on 2020-10-19. --- A helper for your home library. WIP and hacked together. Written in Haskell and Vue+Typescript

derpguy125 updated SnorcRomHack-Master. This repo has 0 stars and 1 watcher. This repo was created on 2020-10-22. --- A little Sonic 1 rom hack I'm working on, based on an inside joke I doodled on a school laptop one day.

ThalesBMC updated Ethical-hacking. This repo has 0 stars and 1 watcher. This repo was created on 2020-10-22. --- (no description)

hackforla updated website. This repo has 17 stars and 18 watchers. This repo was created on 2018-04-18. --- Hack for LA's website

Alex-Angelico updated code-fellows-ops101-hacker-challenge-dev-platform. This repo has 2 stars and 2 watchers. This repo was created on 2020-10-16. --- Development Platform for Code Fellows Ops101 Hacker Challenges

hackclub updated webring. This repo has 6 stars and 2 watchers. This repo was created on 2020-07-15. --- A webring for the personal websites of Hack Club members

gustavdersjo updated project-accela. This repo has 1 star and 1 watcher. This repo was created on 2020-09-14. --- A modular framework for building plugin-driven virtual networks - for hackers to explore and exploit. Enjoy ;)

HacKids-Edu updated pxt-hackbit. This repo has 0 stars and 2 watchers. This repo was created on 2020-10-16. --- Library for the Grove modules used on the hack:bit board (a micro:bit project board) https://www.hackids.com.br

hackclub updated icons. This repo has 8 stars and 5 watchers. This repo was created on 2018-08-29. --- Hack Club’s iconset, a superset of spectrum-icons

acifani updated yahnc. This repo has 1 star and 1 watcher. This repo was created on 2018-05-01. --- 📰 Yet Another Hacker News Client

hackclub updated workshops. This repo has 21 stars and 3 watchers. This repo was created on 2020-01-07. --- Website for Hack Club’s learn-to-code curriculum.

Radioactivebun0 updated Hacking-Toolbox. This repo has 0 stars and 1 watcher. This repo was created on 2020-10-17. --- A hacking toolbox with tools made by me, and others

----Security Updates----

cvebase updated cvebase.com. This repo has 11 stars and 3 watchers. This repo was created on 2020-10-03. --- cvebase is a community-driven vulnerability data platform to discover the world's top security researchers and their latest disclosed vulnerabilities & PoCs

lf-edge updated eve. This repo has 209 stars and 20 watchers. This repo was created on 2019-04-19. --- EVE is Edge Virtualization Engine

seemoo-lab updated internalblue. This repo has 316 stars and 30 watchers. This repo was created on 2018-09-04. --- Bluetooth experimentation framework for Broadcom and Cypress chips.

spur01 updated basic-day. This repo has 0 stars and 1 watcher. This repo was created on 2020-10-22. --- Updates every day on internet security

uc-berkeley-w215 updated fall2020. This repo has 0 stars and 1 watcher. This repo was created on 2020-08-06. --- UC Berkeley MICS program / W215: "Usable Security" / Fall 2020

nitinjmv updated spring-security-test. This repo has 0 stars and 1 watcher. This repo was created on 2020-10-22. --- (no description)

atbjones updated cse132-ac-f20. This repo has 0 stars and 1 watcher. This repo was created on 2020-10-20. --- Computer Security - Alvaro Cardenas

JavaGarcia updated Neanet. This repo has 1 star and 1 watcher. This repo was created on 2020-08-02. --- Threat intelligence

securityonionsolutions-com updated securityonionsolutions-com.github.io. This repo has 0 stars and 3 watchers. This repo was created on 2016-07-02. --- (no description)

beave updated sagan. This repo has 228 stars and 25 watchers. This repo was created on 2010-07-09. --- Sagan uses a 'Snort like' engine and rules to analyze logs (syslog/event log/snmptrap/netflow/etc)

jrkohlmeyer19 updated Grad_School-Intro_Comp_Security-HW1. This repo has 0 stars and 1 watcher. This repo was created on 2020-10-22. --- Repository for Introduction to Computer Security Homework #1

splunk updated security-content. This repo has 121 stars and 38 watchers. This repo was created on 2018-12-18. --- Splunk Security Content

clouditor updated clouditor. This repo has 22 stars and 6 watchers. This repo was created on 2019-05-13. --- The Clouditor is a tool to support continuous cloud assurance. Developed by Fraunhofer AISEC.

tpm2-software updated tpm2-tools. This repo has 342 stars and 57 watchers. This repo was created on 2015-08-21. --- The source repository for the Trusted Platform Module (TPM2.0) tools

jfspps updated Secure-SRM. This repo has 0 stars and 1 watcher. This repo was created on 2020-09-14. --- Spring Security backed academic database

littlebizzy updated slickstack. This repo has 244 stars and 19 watchers. This repo was created on 2017-09-21. --- SlickStack is a free LEMP stack automation script written in Bash designed to enhance and simplify FOSS CMS provisioning, performance, and security.

Security-Onion-Solutions updated securityonion-docker. This repo has 31 stars and 7 watchers. This repo was created on 2018-01-25. --- Docker files for Security Onion

SAP-samples updated cloud-application-security-sample. This repo has 15 stars and 8 watchers. This repo was created on 2018-11-28. --- Demonstrate authorizations on data level into Spring based SAP Cloud Platform applications. We make use of the Spring Security ACL and integrate it with the XSUAA service and the Java Client Security Library offered by SAP

LahiruPriyankara updated SpringBootAppThree-Security. This repo has 0 stars and 1 watcher. This repo was created on 2020-09-22. --- (no description)

AppCraft-Projects updated t360-java-security. This repo has 0 stars and 1 watcher. This repo was created on 2020-10-18. --- (no description)

MinaProtocol updated mina. This repo has 476 stars and 36 watchers. This repo was created on 2017-12-18. --- Mina is a new cryptocurrency with a constant size blockchain, improving scaling while maintaining decentralization and security.

cnr-dxn updated Terminal-Based-Interactive-Market-Monitoring-Interface. This repo has 0 stars and 1 watchers. This repo was created on 2020-10-22. --- A terminal based paper trading application that allows for real-time buying, selling and shorting of stocks and securities in the stock market. Made in C++, this application was designed around efficiency and timing, rather than ease of programming, to allow for the most accurate transactions possible.

brunocampos01 updated seguranca. This repo has 6 stars and 1 watchers. This repo was created on 2019-04-04. --- Repository for the lectures, exercises and summaries of the course: information and network security (INE5680).

FurkanGozukara updated Security-of-Information-Systems-CSE413-2020. This repo has 1 stars and 1 watchers. This repo was created on 2020-09-21. --- Security of Information Systems 2020 CSE413 Toros University Mersin

linux-mailinglist-archives updated linux-security-module.vger.kernel.org.0. This repo has 0 stars and 0 watchers. This repo was created on 2019-07-01. --- None

----PoC Updates----

ca-mmis updated ITMB-POC. This repo has 0 stars and 12 watchers. This repo was created on 2017-10-20. --- Various Proof of Concept coding efforts.

r0ck3r008 updated AnonReach. This repo has 0 stars and 1 watchers. This repo was created on 2020-10-08. --- Anonymous Communication Protocol Proof of Concept based on DHT

SierraSystems updated Oracle-Modernization. This repo has 0 stars and 1 watchers. This repo was created on 2020-09-29. --- Oracle Modernization is a proof-of-concept to migrate legacy Oracle Forms to modern software architecture

veehaitch updated devicecheck-appattest. This repo has 3 stars and 2 watchers. This repo was created on 2020-08-15. --- Proof of concept for validating the authenticity of Apple App Attest statements, written in Kotlin.

ebba0194 updated gatsby-wordpress. This repo has 1 stars and 2 watchers. This repo was created on 2020-09-28. --- Proof of concept

lh3 updated minigraph. This repo has 168 stars and 20 watchers. This repo was created on 2019-02-08. --- Proof-of-concept seq-to-graph mapper and graph generator

peku33 updated logicblocks. This repo has 0 stars and 3 watchers. This repo was created on 2019-12-09. --- Proof of concept building automation system

Raftacon updated tm4j-testng-integration. This repo has 0 stars and 1 watchers. This repo was created on 2020-10-21. --- Proof-of-concept for combining TestNG listeners & the REST API provided by TM4J to ship off automated test results as they occur.

AaronWatters updated visualization_prototypes. This repo has 0 stars and 1 watchers. This repo was created on 2020-10-22. --- This is a scratch space for housing proof of concept visualization prototypes.

shuangchen-sc updated DataDive_2019_Project-311. This repo has 0 stars and 1 watchers. This repo was created on 2020-10-20. --- In this one-day “Hackathon” event by DataKind, I worked on a proof-of-concept model for the 311 service to categorize requests into relevant agencies based on issue descriptions.

nlipsyc updated shade_game. This repo has 1 stars and 1 watchers. This repo was created on 2020-03-22. --- Proof of concept for a self teaching plant evolution art game thing

cheretbe updated tekla-poc. This repo has 0 stars and 1 watchers. This repo was created on 2020-10-13. --- Tekla Structures API POC (proof of concept) projects

jckantor updated cbe-virtual-laboratory. This repo has 1 stars and 1 watchers. This repo was created on 2020-10-02. --- A proof of concept study of a virtual laboratory for engineering education using Python and MQTT.

circle-free updated optimistic-roll-in. This repo has 0 stars and 1 watchers. This repo was created on 2020-10-07. --- Layer-Agnostic Optimistic Roll-Ins For Isolated-State-Transitions - A Proof of Concept

brob updated vercel-proof-of-concept-11. This repo has 0 stars and 1 watchers. This repo was created on 2020-10-22. --- None

djberg96 updated deckbuilder. This repo has 1 stars and 2 watchers. This repo was created on 2017-01-20. --- Proof of concept for a Rails deckbuilding app

brob updated vercel-proof-of-concept-8. This repo has 0 stars and 1 watchers. This repo was created on 2020-10-22. --- None

pfaffman updated discourse-pfaffmanager. This repo has 0 stars and 1 watchers. This repo was created on 2020-09-24. --- Mostly proof of concept plugin for adding a model

BuckarooBanzay updated modgen_poc. This repo has 0 stars and 1 watchers. This repo was created on 2020-10-21. --- modgen game proof of concept

ipppi updated proof-of-concept. This repo has 0 stars and 1 watchers. This repo was created on 2020-10-17. --- IPPPI Proof of Concept

psagers updated sat-browse. This repo has 0 stars and 1 watchers. This repo was created on 2020-10-21. --- A proof of concept for retrieving basic web content via email

akay25 updated poc-image-compression. This repo has 0 stars and 1 watchers. This repo was created on 2020-10-22. --- A proof of concept image compression model built on https://blog.paperspace.com/autoencoder-image-compression-keras/

orebas updated GyroAveraging. This repo has 0 stars and 1 watchers. This repo was created on 2019-12-09. --- proof of concept for gyroaveraging transform precomputation

misrraimsp updated tinymarket. This repo has 0 stars and 1 watchers. This repo was created on 2020-10-20. --- e-Commerce Proof of Concept

WhiteOakSecurity updated CVE-2018-19859. This repo has 0 stars and 0 watchers. This repo was created on 2020-10-22. --- CVE-2018-19859 Remote Code Execution Proof of Concept