On November 23, 2020, VMware released an Advisory addressing a zero-day flaw in multiple products. In the initial advisory, VMware has released a workaround to address the critical vulnerability that affects multiple VMware Workspace One components. Later, VMware released security updates to fix the zero-day flaw. CVE-2020-4006 It’s a command injection vulnerability that could allow … Continue reading “VMware Zero-day flaw in Multiple Products”
Apple Wireless Direct Link (AWDL) Denial of Service vulnerability(CVE-2020-3843)
Overview Apple Wireless Direct Link (AWDL), the wireless protocol that ensures uninterrupted communications among various Apple devices globally, was recently infected by, a trivial bug resulting into buffer overflow via kernel memory corruption in wi-fi driver of AWDL. Ian Beer, a google project zero researcher detailed out this vulnerability was exploitable on various iPhones and other iOS devices until May 2020. … Continue reading “Apple Wireless Direct Link (AWDL) Denial of Service vulnerability(CVE-2020-3843)”
Drupal Core Remote Code Execution Vulnerability (CVE-2020-13671)
Overview On 18 November 2020, Drupal released an advisory for critical Remote Code Execution Vulnerability (CVE-2020-13671). Successful exploitation of this vulnerability may allow attackers to take over vulnerable sites. The bug exists in Drupal core due to improper sanitization of certain filenames on uploaded files. This results in the files being interpreted as an invalid extension and can be treated as a wrong MIME … Continue reading “Drupal Core Remote Code Execution Vulnerability (CVE-2020-13671)”
VMware Multiple Vulnerabilities (VMSA-2020-0026)
On November 19, 2020, VMware published an advisory addressing critical vulnerabilities in various VMware products. VMware has evaluated the severity of CVE-2020-4004 to be “Critical” with a maximum CVSSv3 base score of 9.3. The severity of CVE-2020-4005 has been evaluated to be “Important” with a maximum CVSSv3 base score of 8.8. Affected VMware Products VMware … Continue reading “VMware Multiple Vulnerabilities (VMSA-2020-0026)”
Citrix XenMobile Server – Arbitrary File Read Vulnerability (CVE-2020-8209)
Overview: Citrix XenMobile Server is an enterprise application used for mobile device, as well as mobile application management. A Path Traversal vulnerability (CVE-2020-8209), which leads to arbitrary file read has recently been identified in Citrix XenMobile Server. According to Adrey Modav from Positive Technologies, an authentication is not required to exploit this vulnerability. Description: According to the researcher, the vulnerable code exists in the help-sb-download.jsp file. The vulnerability exists because the user– supplied input is passed to the sbFileName parameter is not sanitized and is directly appended … Continue reading “Citrix XenMobile Server – Arbitrary File Read Vulnerability (CVE-2020-8209)”
Citrix SD-WAN Center Remote Code Execution Vulnerability (CVE-2020–8271, CVE-2020–8272, CVE-2020–8273)
Overview Enterprises and businesses use SD-WAN as a cloud-based networking platform. Situated in different locations, it allows locations and cloud instances to be connected to each other and to company resources. It also applies software control to manage the processes including the orchestration of resources and nodes. Remote Code Execution (RCE) vulnerabilities (CVE-2020–8271, CVE-2020–827, and … Continue reading “Citrix SD-WAN Center Remote Code Execution Vulnerability (CVE-2020–8271, CVE-2020–8272, CVE-2020–8273)”
PAN-OS Multiple Vulnerabilities
On November 11, 2020, Palo Alto Networks released advisories addressing several vulnerabilities in PAN-OS. These vulnerabilities are of High and Medium severity. About the security bugs CVE-2020-2048: System proxy passwords may be logged in clear text while viewing system stateThis issue is addressed in PAN-140157. Information disclosure through log file vulnerability exists where the … Continue reading “PAN-OS Multiple Vulnerabilities”
Two Zero-days in Google Chrome
On November 11, 2020, Google Chrome issued an update announcement for the browser across all platforms. Google confirmed that the “stable channel” desktop Chrome browser is being updated to version 86.0.4240.198 across Windows, Mac, and Linux platforms. As per Google’s official sources, this urgent update will start rolling out over the coming few days or weeks. About … Continue reading “Two Zero-days in Google Chrome”
Apple Devices Critical Vulnerabilities (CVE-2020-27930, CVE-2020-27950, CVE-2020-27932)
Overview On November 5th, 2020, three iOS zero-day vulnerabilities were patched by Apple, which were exploited in the wild affecting Apple devices such as iPhone, iPad, and iPod. Ben Hawkes from Google Project Zero discovered these flaws that were affecting variants of Apple devices. CVE-2020-27930 (RCE) – An RCE in FontParser library that was triggered … Continue reading “Apple Devices Critical Vulnerabilities (CVE-2020-27930, CVE-2020-27950, CVE-2020-27932)”
Git Large File Storage Remote Code Execution Vulnerability on Windows systems (CVE-2020-27955)
Overview Git is a free and open-source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. A critical vulnerability was reported in the Git framework in Git Large File Storage (LFS). With this vulnerability, Windows-system victims are tricked into cloning the attacker’s malicious repository using a … Continue reading “Git Large File Storage Remote Code Execution Vulnerability on Windows systems (CVE-2020-27955)”