Here’s a short overview of the most noteworthy vulnerabilities affecting various products disclosed this week.
Google has updated its Chrome browser for Windows, Mac, and Linux to address several vulnerabilities, including a high-severity flaw (CVE-2020-6509) that could let a remote attacker compromise a vulnerable system.
A vulnerability (CVE-2020-13822) has been found in the Elliptic package 6.5.2 for Node.js. The flaw allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows: more than one byte string is accepted as a valid signature over the same message under the same key. This is a security-relevant problem only for applications that rely on there being a single canonical signature, for example ones that use the signature bytes as a unique identifier, replay-protection token, or deduplication key; the signature still cannot be forged without the private key.
Baxter ExactaMix pharmacy compounding systems, widely used in the healthcare sector, contain a number of vulnerabilities that could lead to sensitive information disclosure or remote code execution. The most notable is CVE-2017-0143, which exists due to an error in request parsing in the Microsoft Server Message Block 1.0 (SMBv1) server and was patched by Microsoft in MS17-010 in March 2017. A remote, unauthenticated attacker who can reach the SMB service can send specially crafted SMB packets, execute arbitrary code on the target, and fully compromise the system.
Users are advised to upgrade to ExactaMix Version 1.4 (EM1200) or ExactaMix Version 1.13 (EM2400), which fix the above issues. Where a device cannot be updated immediately, blocking SMB (TCP port 445) to it from untrusted network segments removes the attack path for the SMBv1 flaw.
Bitdefender has fixed a flaw (CVE-2020-8102) in its SafePay solution, a protected web browser designed to secure sensitive online transactions such as online banking and e-shopping.
Successful exploitation could allow an attacker to execute commands remotely in the context of the logged-in user; depending on that user's privileges, the attacker could install software, view, change or delete data, or create new accounts with full user rights.
Adobe has issued an update to patch three high-risk vulnerabilities in Adobe FrameMaker. The bugs, tracked as CVE-2020-9634, CVE-2020-9635, and CVE-2020-9636, can lead to arbitrary code execution.
A SQL injection vulnerability (CVE-2020-13640) has been found in the gVectors wpDiscuz plugin for WordPress, versions 5.3.5 and earlier. Remote attackers can execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. Successful exploitation may allow a remote attacker to read, modify or delete data in the database and gain complete control over the affected application; users should update to a release later than 5.3.5.