This week, Google rolled out fixes for multiple vulnerabilities in its Android operating system, including two serious elevation-of-privilege flaws in the Android System component (CVE-2020-0215 and CVE-2020-0416) and a slew of high- and critical-severity issues affecting Qualcomm chips. Overall, the tech giant addressed nearly 50 vulnerabilities as part of the October security update for Android.
In addition to Android, Google has patched more than two dozen vulnerabilities in its Chrome browser, the most severe of which could be exploited by a remote attacker to execute arbitrary code on a system or gain access to sensitive information.
Multiple vulnerabilities have been discovered in the Tenda AC15 AC1900 Smart Dual-Band Gigabit WiFi Router which, if exploited, could allow a remote attacker to execute arbitrary commands and gain full access to the system. At present, patches for these bugs are not available, which is unfortunate because some of these flaws (CVE-2018-14558, CVE-2020-10987) have already been observed being exploited in real-world attacks.
GLPI, a free asset and IT management software package, contains numerous vulnerabilities, including two high-severity bugs (CVE-2020-15226 and CVE-2020-15176) that allow a remote attacker to execute arbitrary SQL queries in the database.
Pepperl+Fuchs Comtrol’s RocketLinx industrial switches have been found to be vulnerable to several dangerous issues, including ones that can be exploited to take complete control of devices, gain access to impacted switches, execute commands, obtain information, or conduct DoS attacks. Note: the vendor has yet to release security updates for these flaws.
qdPM, a free open-source web-based project management tool, has multiple vulnerabilities, including a dangerous issue that allows a remote attacker to compromise a vulnerable system. As in the previous case, there is no official fix available for these issues.
GitLab has released updates to address multiple flaws impacting GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed privilege escalation, remote command execution, cross-site scripting, and denial-of-service (CVE-2020-13333) attacks. Some vulnerabilities (CVE-2020-13332, CVE-2020-13335) could be used by a remote attacker to gain unauthorized access to otherwise restricted functionality.