Vulnerability summary for the week: July 10, 2020

Vulnerability summary for the week: July 10, 2020

Less than two weeks after patching a dangerous flaw in PAN-OS operating system Palo Alto Networks has released security upd ate which addresses another severe vulnerability in PAN-OS devices.

The new issue, tracked as CVE-2020-2034, is an OS Command Injection vulnerability impacting the PAN-OS GlobalProtect which could be exploited by an unauthenticated network-based attacker to execute arbitrary OS commands with root privileges.

Apart from the above mentioned vulnerability, the vendor also fixed several less dangerous flaws (CVE-2020-2031, CVE-2020-2030, CVE-2020-1982) that allow a remote attacker to decrypt TLS traffic, execute arbitrary commands, or launch DoS attacks.

Citrix released security updates to address a se t of 11 vulnerabilities affecting its Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP (appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO) networking products. One of the flaws (CVE-2020-8194) could be exploited for remote code execution, while others could result in information disclosure or could allow a remote user to escalate privileges on the system.

A couple of high risk vulnerabilities have been found in Chocolate Doom (CVE-2020-14983) and Crispy Doom (CVE-2020-14983) that can be used by a remote attacker to execute arbitrary code on a target system.

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series GT27, GT25, and GT23 contains multiple vulnerabilities. The most severe of them are a buffer overflaw issue (CVE-2020-5595), which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet, and CVE-2020-5598, which could be exploited by a remote attacker to gain unauthorized access to otherwise restricted functionality.

OpenClinic GA, an open-source integrated hospital information management system contains a dozen vulnerabilities with three of them rated as high risk flaws (CVE-2020-14487, CVE-2020-14495, CVE-2020-14485) that could be exploited to bypass authentication process or completely compromise a vulnerable system.

FFmpeg 4.2.3 has a vulnerability, which allow to compromise vulnerable system. The flaw exists due a use-after-free error in FFmpeg when processing a crafted EXTINF duration in an m3u8 file because parse_playlist in libavformat/hls.c frees a pointer, and later that pointer is accessed in av_probe_input_format3 in libavformat/format.c.

A remote code execution vulnerability has been found in the Zoom client for Windows that allows to compromise vulnerable system. The good news is that the flaw has a couple of mitigating factors - it is only exploitable on systems running Windows 7 and older versions of the OS that are no longer supported by Microsoft, and the attack requires user interaction.

Back to the list

Latest Posts

UNC6148 threat actor actively targets outdated and patched SonicWall devices

UNC6148 threat actor actively targets outdated and patched SonicWall devices

The group is using stolen credentials and OTP seeds to regain access to devices even after security updates have been applied.
17 July 2025
Google patches Chrome zero-day allowing sandbox escape

Google patches Chrome zero-day allowing sandbox escape

The flaw stems from insufficient validation of untrusted input in ANGLE and GPU.
16 July 2025
Ukrainian police dismantle major server network used for malware distribution

Ukrainian police dismantle major server network used for malware distribution

Authorities identified a 33-year-old French national as the organizer of the illegal operation.
16 July 2025