Vulnerability summary for the week: July 10, 2020

Vulnerability summary for the week: July 10, 2020

Less than two weeks after patching a dangerous flaw in PAN-OS operating system Palo Alto Networks has released security upd ate which addresses another severe vulnerability in PAN-OS devices.

The new issue, tracked as CVE-2020-2034, is an OS Command Injection vulnerability impacting the PAN-OS GlobalProtect which could be exploited by an unauthenticated network-based attacker to execute arbitrary OS commands with root privileges.

Apart from the above mentioned vulnerability, the vendor also fixed several less dangerous flaws (CVE-2020-2031, CVE-2020-2030, CVE-2020-1982) that allow a remote attacker to decrypt TLS traffic, execute arbitrary commands, or launch DoS attacks.

Citrix released security updates to address a se t of 11 vulnerabilities affecting its Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP (appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO) networking products. One of the flaws (CVE-2020-8194) could be exploited for remote code execution, while others could result in information disclosure or could allow a remote user to escalate privileges on the system.

A couple of high risk vulnerabilities have been found in Chocolate Doom (CVE-2020-14983) and Crispy Doom (CVE-2020-14983) that can be used by a remote attacker to execute arbitrary code on a target system.

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series GT27, GT25, and GT23 contains multiple vulnerabilities. The most severe of them are a buffer overflaw issue (CVE-2020-5595), which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet, and CVE-2020-5598, which could be exploited by a remote attacker to gain unauthorized access to otherwise restricted functionality.

OpenClinic GA, an open-source integrated hospital information management system contains a dozen vulnerabilities with three of them rated as high risk flaws (CVE-2020-14487, CVE-2020-14495, CVE-2020-14485) that could be exploited to bypass authentication process or completely compromise a vulnerable system.

FFmpeg 4.2.3 has a vulnerability, which allow to compromise vulnerable system. The flaw exists due a use-after-free error in FFmpeg when processing a crafted EXTINF duration in an m3u8 file because parse_playlist in libavformat/hls.c frees a pointer, and later that pointer is accessed in av_probe_input_format3 in libavformat/format.c.

A remote code execution vulnerability has been found in the Zoom client for Windows that allows to compromise vulnerable system. The good news is that the flaw has a couple of mitigating factors - it is only exploitable on systems running Windows 7 and older versions of the OS that are no longer supported by Microsoft, and the attack requires user interaction.

Back to the list

Latest Posts

AI chatbots fall for phishing scams

AI chatbots fall for phishing scams

The models provided the correct URL only 66% of the time; nearly 30% of responses pointed users to dead or suspended domains.
3 July 2025
Chinese hackers exploited Ivanti flaws in attacks against French government

Chinese hackers exploited Ivanti flaws in attacks against French government

ANSSI believes that the Houken campaign is operated by ‘UNC5174’, an entity believed to act as an initial access broker for China’s Ministry of State Security.
2 July 2025
Threat actors exploit Vercel's AI tool v0 to build sophisticated phishing pages

Threat actors exploit Vercel's AI tool v0 to build sophisticated phishing pages

The malicious actors used v0.dev to create fake login pages mimicking legitimate brands.
2 July 2025