29 May 2020

Vulnerability summary for the week: May 29, 2020

Here’s a brief overview of this week’s most notable vulnerabilities.

Apple has released security updates that address multiple vulnerabilities in macOS Catalina 10.15.5, impacting various components such as Accounts, AirDrop, Audio, Bluetooth, Calendar, ImageIO, Kernel, ksh, PackageKit, Sandbox, SQLite, USB Audio, Wi-Fi, and zsh. The fixed issues could result in denial of service, the circumvention of sandbox restrictions, leak of private information, arbitrary code execution, exfiltration of user information, or elevation of privilege.

OpenSSH, a connectivity tool for remote login with the SSH protocol, contains a vulnerability that allows a remote attacker to write arbitrary files to the victim's system. The bug impacts OpenSSH versions 5.0p1, 5.1p1, 5.2p1, 5.3p1, 5.4p1, 5.5p1, 5.6p1, 5.7p1, 5.8p1, 5.8p2, 5.9p1, 6.0p1, 6.1p1, 6.2p1, 6.2p2, 6.3p1, 6.4p1, 6.5p1, 6.6p1, 6.7p1, 6.8p1, 6.9p1, 7.0p1, 7.1p1, 7.1p2, 7.2p1, 7.2p2, 7.3p1, 7.4p1, 7.5p1, 7.6p1, 7.7p1, 7.8p1, 7.9p1, 8.0p1, 8.1p1, and 8.2p1.

Several vulnerabilities were found in Trend Micro InterScan Web Security Virtual Appliance, one of which is classified as a high-risk flaw (CVE-2020-8606). Successful exploitation of this flaw could allow a remote attacker to bypass the authentication process. Other bugs could be used to execute arbitrary commands on the system, perform directory traversal attacks, or conduct XSS attacks.

A high severity issue was discovered in FreeRDP before 2.1.1. CVE-2020-13398 is an out-of-bounds (OOB) write vulnerability that resides in the crypto_rsa_common function in libfreerdp/crypto/crypto.c. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds write, and execute arbitrary code on the target system.

Apache Kylin, an open source distributed analytics engine, has a vulnerability (CVE-2020-1956) that allows a remote attacker to execute arbitrary shell commands and compromise the target system. The vulnerability exists due to improper input validation in the REST API and can be exploited by sending specially crafted data to the application.

Cybozu Desktop for Windows contains an issue (CVE-2020-5537), which could allow an attacker to carry out a man-in-the-middle (MITM) attack, or perform subdomain takeover and execute arbitrary code on a system.

A serious flaw was found in MyLittleAdmin, a web application for managing MSSQL databases. It exists due to the presence of a hard-coded "machineKey" in web.config, which could be used by attackers to fully compromise the target system.
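A hard-coded machineKey is easy to spot in a web.config review. The following check is an added example, not MyLittleAdmin's code and not its actual configuration; both config fragments are constructed, and the check flags any validationKey or decryptionKey that holds a literal value instead of the AutoGenerate setting that lets ASP.NET derive a per-installation key.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.config shipping fixed keys (not MyLittleAdmin's real file).
VULNERABLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed sample: the same element with keys generated per machine/application.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def find_static_machine_keys(config_xml: str) -> list:
    """Return the names of <machineKey> attributes that carry a literal key.

    A value starting with "AutoGenerate" tells ASP.NET to derive the key itself,
    so it is not flagged; an absent attribute also defaults to AutoGenerate.
    Any other value is a fixed key that every copy of the config shares.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                findings.append(attr)
    return findings


if __name__ == "__main__":
    print("vulnerable:", find_static_machine_keys(VULNERABLE_CONFIG))  # ['validationKey', 'decryptionKey']
    print("hardened:", find_static_machine_keys(HARDENED_CONFIG))      # []
```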
