This week’s brief overview of the most important vulnerabilities includes recently disclosed flaws in Google Chrome, Apache Camel and Apache Tomcat, Cisco Unified CCX solution, and more.
Multiple vulnerabilities have been addressed in Apache Camel, an open source integration framework, two of which are rated high-risk (CVE-2020-11973, CVE-2020-11972). Both bugs can be exploited for remote code execution.
The Apache Software Foundation has warned about a dangerous vulnerability (CVE-2020-9484) in Apache Tomcat, an open source Java servlet container, which allows a remote attacker to execute arbitrary code on the target system. The bug exists due to improper validation of deserialized data. The following versions are affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M4
Apache Tomcat 9.0.0.M1 to 9.0.34
Apache Tomcat 8.5.0 to 8.5.54
Apache Tomcat 7.0.0 to 7.0.103
Google has updated Chrome for Linux, Mac, and Windows to fix more than 30 vulnerabilities, including several high-severity flaws:
CVE-2020-6465: Use after free in reader mode.
CVE-2020-6466: Use after free in media.
CVE-2020-6467: Use after free in WebRTC.
CVE-2020-6468: Type confusion in V8.
CVE-2020-6469: Insufficient policy enforcement in developer tools.
Cisco has patched a critical remote code execution bug (CVE-2020-3280) in Cisco Unified Contact Center Express, its “contact center in a box” solution.
CVE-2020-3280 is a vulnerability in the Java Remote Management Interface of the UCCX solution, which exists due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary code as the root user on an affected device.
Multiple vulnerabilities have been reported in the Schneider Electric EcoStruxure Operator Terminal Expert solution, the most severe of which (CVE-2020-7493) could allow remote attackers to execute arbitrary code on affected installations.
FreeRDP, a free remote desktop protocol client, contains more than a dozen vulnerabilities, six of them rated high-severity, which could be exploited for remote code execution or for launching denial of service (DoS) attacks.
The WordPress Infinite Scroll – Ajax Load More plugin has an SQL injection vulnerability, which allows a remote attacker to execute arbitrary SQL queries against the database and to read, delete, and modify its data.
Adobe has released an out-of-band patch to fix a remote code execution (RCE) flaw in Adobe Character Animator. The flaw affects Adobe Character Animator for Windows and macOS, versions 3.2 and earlier. Alongside the Adobe Character Animator update, the company has also released patches for Adobe Premiere Pro and Adobe Premiere Rush that address two bugs that could be exploited by attackers to gain access to sensitive information.