This article provides a summary of new vulnerabilities that have been disclosed in the past week, including 0Days in Windows, flaws in Apple Safari, OpenWrt, Jenkins plugins and more.

A couple of zero-day remote code execution (RCE) vulnerabilities have been discovered in Microsoft Windows platform. The issues affect the Windows Adobe Type Manager Library and impact devices running desktop and server Windows versions, including Windows 10, Windows 8.1, Windows 7, and multiple versions of Windows Server.

The flaws exist due to a way the Windows Adobe Type Manager Library handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. The vulnerabilities could be exploited by tricking a user into opening a specially crafted document, or viewing it in the Windows Preview pane.

Another dangerous bug disclosed this week affects OpenWrt (OPEN Wireless RouTer), an open source project for embedded operating systems based on Linux. The vulnerability tracked as CVE-2020-7982 allows an attacker to remotely execute arbitrary code and gain complete control over a targeted device.

Memcached, a distributed memory object caching system, contains a flaw, using which an attacker could perform a denial of service (DoS) attack. The vulnerability exists due to insufficient validation of user-supplied input when parsing a binary protocol header within the try_read_command_binary() function in memcached.

Visam VBASE automation platform is plagued by multiple security vulnerabilities, the most severe of which (CVE-2020-10599) could allow an attacker to execute arbitrary code on a target system. This flaw exists due to a boundary error in ActiveX component. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system or cause a denial of service (DoS) condition.

Acyba AcyMailing extension for Joomla contains a vulnerability (CVE-2020-10934) that allows a remote attacker to compromise vulnerable system. The flaw stems from insufficient validation of files during file upload. A remote attacker can upload and execute arbitrary file on the server.

LibVNCServer software is impacted by a high risk vulnerability (CVE-2019-15690), which may lead to a complete compromise of vulnerable system. The issue exists due to a boundary error, allowing a remote attacker to trigger heap-based buffer overflow and execute arbitrary code on the target system.

Other security vulnerabilities worth mentioning reside in several Jenkins plugins, namely Jenkins Azure Container Service (CVE-2020-2168), Jenkins OpenShift Pipeline (CVE-2020-2167), and Jenkins Pipeline: AWS Steps plugin (CVE-2020-2166). All of the above flaws could be exploited to remotely execute arbitrary code on a target system.

Also, this week Apple has released a new Safari 13.1 browser update that fixes 11 vulnerabilities. The update addresses a malicious iframe issue in Safari Downloads (CVE-2020-9784) and several high-risk vulnerabilities, using which a remote attacker could execute arbitrary code or compromise a vulnerable system.

Red Hat Fuse open source integration platform contains nearly two dozen vulnerabilities, including four RCE-flaws (CVE-2019-17570, CVE-2019-14379, CVE-2019-12384, CVE-2017-5929), and several issues that would give an attacker an opportunity to trigger DoS condition or gain access to potentially sensitive information on a target system.