A vulnerability was discovered in the web interface component of IP Office that may potentially allow a remote, unauthenticated user with network access to gain sensitive information. Affected versions of IP Office include: 9.x, 10.0 through 10.1.0.7 and 11.0 through 11.0.4.2.

在IP Office的Web界面组件中发现了一个漏洞，该漏洞可能潜在地允许具有网络访问权限的未经身份验证的远程用户获取敏感信息。受影响的IP Office版本包括：9.x，10.0到10.1.0.7和11.0到11.0.4.2。

DKIM key management page vulnerability on Micro Focus Secure Messaging Gateway (SMG). Affecting all SMG Appliance running releases prior to July 2020. The vulnerability could allow a logged in user with rights to generate DKIM key information to inject system commands into the call to the DKIM system command.

Micro Focus Secure Messaging Gateway（SMG）上的DKIM密钥管理页面漏洞。影响到2020年7月之前运行的所有SMG Appliance版本。该漏洞可能允许具有权限的登录用户生成DKIM密钥信息，以将系统命令注入到DKIM系统命令的调用中。

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

Apache HTTP服务器2.4.32至2.4.44 mod_proxy_uwsgi信息泄露以及可能的RCE

IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020.

使用mod_remoteip和mod_rewrite进行代理时的IP地址欺骗对于使用mod_remoteip和某些mod_rewrite规则进行代理的配置，攻击者可能会通过欺骗其IP地址来记录日志和PHP脚本。请注意，此问题已在Apache HTTP Server 2.4.24中修复，但在2020年被追溯分配了低严重性CVE。

Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.

Apache HTTP Server版本2.4.20至2.4.43为HTTP / 2模块和某些流量边缘模式启用跟踪/调试时，在错误的连接上执行了日志记录语句，导致并发使用内存池。在“ info”上方配置mod_http2的LogLevel将减轻未修补服务器的此漏洞。

SecurEnvoy SecurMail 9.3.503 allows attackers to upload executable files and achieve OS command execution via a crafted SecurEnvoyReply cookie.

SecurEnvoy SecurMail 9.3.503允许攻击者通过精心制作的SecurEnvoyReply cookie上传可执行文件并实现OS命令执行。

TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.

2.079.000.t0210之前的TP-Link USB网络服务器TL-PS310U设备允许同一网络上的攻击者提升特权，因为可以通过嗅探未加密的UDP通信来发现管理密码。

TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.

2.079.000.t0210之前的TP-Link USB网络服务器TL-PS310U设备允许同一网络上的攻击者通过缺少密码参数的Web管理请求绕过身份验证。

TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.

2.079.000.t0210之前的TP-Link USB网络服务器TL-PS310U设备允许同一网络上的攻击者利用管理特权来设置精心制作的服务器名称，从而进行持续的XSS攻击。

TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to denial-of-service the device via long input values.

2.079.000.t0210之前的TP-Link USB网络服务器TL-PS310U设备允许同一网络上的攻击者通过长输入值拒绝对该设备进行服务。

Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.

Lindy 42633 4端口USB 2.0千兆网络服务器2.078.000设备允许在同一网络上的攻击者提升特权，因为可以通过嗅探未加密的UDP通信来发现管理密码。

Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.

Lindy 42633 4端口USB 2.0千兆网络服务器2.078.000设备允许同一网络上的攻击者通过缺少密码参数的Web管理请求绕过身份验证。

Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.

Lindy 42633 4端口USB 2.0千兆网络服务器2.078.000设备允许在同一网络上的攻击者利用管理特权来设置精心制作的服务器名称，从而进行持续的XSS攻击。

Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.

Lindy 42633 4端口USB 2.0千兆网络服务器2.078.000设备允许同一网络上的攻击者通过长输入值拒绝对设备进行服务。

DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.

DIGITUS DA-70254 4端口千兆网络集线器2.073.000.E0008设备允许同一网络上的攻击者提升特权，因为可以通过嗅探未加密的UDP流量来发现管理密码。

DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.

DIGITUS DA-70254 4端口千兆网络集线器2.073.000.E0008设备允许同一网络上的攻击者通过缺少密码参数的Web管理请求绕过身份验证。

DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.

DIGITUS DA-70254 4端口千兆网络集线器2.073.000.E0008设备允许同一个网络上的攻击者利用管理特权来设置精心制作的服务器名称，从而进行持续的XSS攻击。

DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to denial-of-service the device via long input values.

DIGITUS DA-70254 4端口千兆网络集线器2.073.000.E0008设备允许同一网络上的攻击者通过长输入值来拒绝对该设备进行服务。

Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

Prism容易受到跨站点脚本的攻击。预览器插件的宽松预览具有XSS漏洞，攻击者可以利用该漏洞在Safari和Internet Explorer中执行任意代码。这会影响使用_Previewers_插件（> = v1.10.0）或_Previewer：Easing_插件（v1.1.0至v1.9.0）的Prism> = v1.1.0的所有Safari和Internet Explorer用户。在1.21.0版中解决了此问题。要解决此问题而不升级，请在所有受影响的代码块上禁用缓动预览。您需要Prism v1.10.0或更高版本才能应用此替代方法。

An issue was discovered in PassMark BurnInTest through 9.1, OSForensics through 7.1, and PerformanceTest through 10. The driver's IOCTL request handler attempts to copy the input buffer onto the stack without checking its size and can cause a buffer overflow. This could lead to arbitrary Ring-0 code execution and escalation of privileges. This affects DirectIo32.sys and DirectIo64.sys.

在通过9.1版的PassMark BurnInTest，通过7.1版的OSForensics和通过10版的PerformanceTest中发现了一个问题。驱动程序的IOCTL请求处理程序尝试将输入缓冲区复制到堆栈上而不检查其大小，并且可能导致缓冲区溢出。这可能导致任意的Ring-0代码执行和特权提升。这会影响DirectIo32.sys和DirectIo64.sys。

An issue was discovered in PassMark BurnInTest through 9.1, OSForensics through 7.1, and PerformanceTest through 10. The kernel driver exposes IOCTL functionality that allows low-privilege users to map arbitrary physical memory into the address space of the calling process. This could lead to arbitrary Ring-0 code execution and escalation of privileges. This affects DirectIo32.sys and DirectIo64.sys.

在9.1版的PassMark BurnInTest，7.1版的OSForensics和10版的PerformanceTest中发现了一个问题。内核驱动程序公开了IOCTL功能，该功能允许低特权用户将任意物理内存映射到调用进程的地址空间中。这可能导致任意的Ring-0代码执行和特权提升。这会影响DirectIo32.sys和DirectIo64.sys。

In Mahara 19.04 before 19.04.6, 19.10 before 19.10.4, and 20.04 before 20.04.1, certain places could execute file or folder names containing JavaScript.

在19.04.6之前的Mahara 19.04、19.10.4之前的19.10和20.04.1之前的20.04中，某些位置可以执行包含JavaScript的文件或文件夹名称。

Temi Launcher OS 11969 through 13146 has Missing Authentication for a Critical Function.

Temi Launcher OS 11969至13146的关键功能缺少身份验证。

Temi firmware 20190419.165201 does not properly verify that the source of data or communication is valid, aka an Origin Validation Error.

Temi固件20190419.165201无法正确验证数据或通信源是否有效，也就是起源验证错误。

Temi Robox OS 117.21 through 119.24 allows Authentication Bypass via an Alternate Path or Channel.

Temi Robox OS 117.21至119.24允许通过备用路径或通道进行身份验证绕过。

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

**拒绝**请勿使用此身份证号码。 ConsultID：无。原因：该候选人已被其CNA撤回。进一步的调查表明，这不是安全问题。注意：无。

Two OS command injection vulnerabilities in the User Portal of Sophos XG Firewall through 2020-08-05 potentially allow an authenticated attacker to remotely execute arbitrary code.

到2020-08-05为止，Sophos XG Firewall用户门户中的两个OS命令注入漏洞可能允许经过身份验证的攻击者远程执行任意代码。

Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.

Spring Cloud Netflix，2.2.4之前的2.2.x版本，2.1.6之前的2.1.x版本以及较旧的不受支持的版本允许应用程序使用Hystrix Dashboard proxy.stream端点向服务器托管可访问的任何服务器发出请求仪表板。恶意用户或攻击者可以将请求发送到其他不应公开公开的服务器。

hslogin2.dll ActiveX Control in Groupware contains a vulnerability that could allow remote files to be downloaded and executed by setting the arguments to the activex method. This is due to a lack of integrity verification of the policy files referenced in the update process, and a remote attacker could induce a user to crafted web page, causing damage such as malicious code infection.

hslogin2.dll ActiveX控件在组件中包含一个漏洞，该漏洞可以通过将参数设置为activex方法来下载和执行远程文件。这是由于缺乏更新过程中引用的策略文件的完整性验证，并且远程攻击者可能诱使用户制作网页，从而导致诸如恶意代码感染之类的破坏。

A Incorrect Execution-Assigned Permissions vulnerability in the permissions package of SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15; openSUSE Leap 15.1, openSUSE Tumbleweed sets the permissions for some of the directories of the pcp package to unintended settings. This issue affects: SUSE Linux Enterprise Server 12-SP4 permissions versions prior to 20170707-3.24.1. SUSE Linux Enterprise Server 15-LTSS permissions versions prior to 20180125-3.27.1. SUSE Linux Enterprise Server for SAP 15 permissions versions prior to 20180125-3.27.1. openSUSE Leap 15.1 permissions versions prior to 20181116-lp151.4.24.1. openSUSE Tumbleweed permissions versions prior to 20200624.

SUSE Linux Enterprise Server 12-SP4，SUSE Linux Enterprise Server 15-LTSS，SUSE Linux Enterprise Server for SAP 15的权限包中的错误的执行分配权限漏洞； openSUSE Leap 15.1，openSUSE Tumbleweed将pcp软件包的某些目录的权限设置为意外的设置。此问题影响：20170707-3.24.1之前的SUSE Linux Enterprise Server 12-SP4权限版本。 20180125-3.27.1之前的SUSE Linux Enterprise Server 15-LTSS权限版本。 20180125-3.27.1之前的SUSE Linux Enterprise Server for SAP 15权限版本。 20181116-lp151.4.24.1之前的openSUSE Leap 15.1权限版本。 20200624之前的openSUSE Tumbleweed权限版本。

A Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. This issue affects: openSUSE Leap 15.2 inn version 2.6.2-lp152.1.26 and prior versions. openSUSE Tumbleweed inn version 2.6.2-4.2 and prior versions. openSUSE Leap 15.1 inn version 2.5.4-lp151.3.3.1 and prior versions.

openSUSE Leap 15.2，openSUSE Tumbleweed，openSUSE Leap 15.1中inn的包装中存在一个不正确的默认权限漏洞，该漏洞使受到新用户控制的本地攻击者可以将其特权升级为root。此问题影响：openSUSE Leap 15.2 inn版本2.6.2-lp152.1.26和以前的版本。 openSUSE Tumbleweed inn版本2.6.2-4.2和以前的版本。 openSUSE Leap 15.1旅馆版本2.5.4-lp151.3.3.1和以前的版本。

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.

Apache HTTP Server版本2.4.20至2.4.43。当服务器实际随后尝试对资源进行HTTP / 2推送时，HTTP / 2请求中'Cache-Digest'标头的特制值将导致崩溃。通过“ H2Push off”配置HTTP / 2功能将缓解未修补服务器的此漏洞。

A backdoor in certain Zyxel products allows remote TELNET access via a CGI script. This affects NAS520 V5.21(AASZ.4)C0, V5.21(AASZ.0)C0, V5.11(AASZ.3)C0, and V5.11(AASZ.0)C0; NAS542 V5.11(ABAG.0)C0, V5.20(ABAG.1)C0, and V5.21(ABAG.3)C0; NSA325 v2_V4.81(AALS.0)C0 and V4.81(AAAJ.1)C0; NSA310 4.22(AFK.0)C0 and 4.22(AFK.1)C0; NAS326 V5.21(AAZF.8)C0, V5.11(AAZF.4)C0, V5.11(AAZF.2)C0, and V5.11(AAZF.3)C0; NSA310S V4.75(AALH.2)C0; NSA320S V4.75(AANV.2)C0 and V4.75(AANV.1)C0; NSA221 V4.41(AFM.1)C0; and NAS540 V5.21(AATB.5)C0 and V5.21(AATB.3)C0.

某些Zyxel产品中的后门允许通过CGI脚本进行远程TELNET访问。这会影响NAS520 V5.21（AASZ.4）C0，V5.21（AASZ.0）C0，V5.11（AASZ.3）C0和V5.11（AASZ.0）C0; NAS542 V5.11（ABAG.0）C0，V5.20（ABAG.1）C0和V5.21（ABAG.3）C0; NSA325 v2_V4.81（AALS.0）C0和V4.81（AAAJ.1）C0; NSA310 4.22（AFK.0）C0和4.22（AFK.1）C0; NAS326 V5.21（AAZF.8）C0，V5.11（AAZF.4）C0，V5.11（AAZF.2）C0和V5.11（AAZF.3）C0; NSA310S V4.75（AALH.2）C0; NSA320S V4.75（AANV.2）C0和V4.75（AANV.1）C0; NSA221 V4.41（AFM.1）C0; NAS540 V5.21（AATB.5）C0和V5.21（AATB.3）C0。

TOCTOU Race Condition vulnerability in apport allows a local attacker to escalate privileges and execute arbitrary code. An attacker may exit the crashed process and exploit PID recycling to spawn a root process with the same PID as the crashed process, which can then be used to escalate privileges. Fixed in 2.20.1-0ubuntu2.24, 2.20.9 versions prior to 2.20.9-0ubuntu7.16 and 2.20.11 versions prior to 2.20.11-0ubuntu27.6. Was ZDI-CAN-11234.

分配中的TOCTOU Race Condition漏洞使本地攻击者可以提升特权并执行任意代码。攻击者可能退出崩溃的进程，并利用PID回收来生成与崩溃的进程具有相同PID的根进程，然后将其用于升级特权。已在2.20.1-0ubuntu2.24、2.20.9-0ubuntu7.16之前的2.20.9版本和2.20.11-0ubuntu27.6之前的2.20.11版本中修复。是ZDI-CAN-11234。

In whoopsie, parse_report() from whoopsie.c allows a local attacker to cause a denial of service via a crafted file. The DoS is caused by resource exhaustion due to a memory leak. Fixed in 0.2.52.5ubuntu0.5, 0.2.62ubuntu0.5 and 0.2.69ubuntu0.1.

在whoopsie中，whoopsie.c中的parse_report（）允许本地攻击者通过精心制作的文件导致拒绝服务。 DoS是由于内存泄漏导致资源耗尽而引起的。固定在0.2.52.5ubuntu0.5、0.2.62ubuntu0.5和0.2.69ubuntu0.1中。

Denial-of-Service (DoS) in Ivanti Service Manager HEAT Remote Control 7.4 due to a buffer overflow in the protocol parser of the ‘HEATRemoteService’ agent. The DoS can be triggered by sending a specially crafted network packet.

Certain Zyxel products have a locally accessible binary that allows a non-root user to generate a password for an undocumented user account that can be used for a TELNET session as root. This affects NAS520 V5.21(AASZ.4)C0, V5.21(AASZ.0)C0, V5.11(AASZ.3)C0, and V5.11(AASZ.0)C0; NAS542 V5.11(ABAG.0)C0, V5.20(ABAG.1)C0, and V5.21(ABAG.3)C0; NSA325 v2_V4.81(AALS.0)C0 and V4.81(AAAJ.1)C0; NSA310 4.22(AFK.0)C0 and 4.22(AFK.1)C0; NAS326 V5.21(AAZF.8)C0, V5.11(AAZF.4)C0, V5.11(AAZF.2)C0, and V5.11(AAZF.3)C0; NSA310S V4.75(AALH.2)C0; NSA320S V4.75(AANV.2)C0 and V4.75(AANV.1)C0; NSA221 V4.41(AFM.1)C0; and NAS540 V5.21(AATB.5)C0 and V5.21(AATB.3)C0.

某些Zyxel产品具有本地可访问的二进制文件，该二进制文件允许非root用户为未记录的用户帐户生成密码，该帐户可作为root用于TELNET会话。这会影响NAS520 V5.21（AASZ.4）C0，V5.21（AASZ.0）C0，V5.11（AASZ.3）C0和V5.11（AASZ.0）C0; NAS542 V5.11（ABAG.0）C0，V5.20（ABAG.1）C0和V5.21（ABAG.3）C0; NSA325 v2_V4.81（AALS.0）C0和V4.81（AAAJ.1）C0; NSA310 4.22（AFK.0）C0和4.22（AFK.1）C0; NAS326 V5.21（AAZF.8）C0，V5.11（AAZF.4）C0，V5.11（AAZF.2）C0和V5.11（AAZF.3）C0; NSA310S V4.75（AALH.2）C0; NSA320S V4.75（AANV.2）C0和V4.75（AANV.1）C0; NSA221 V4.41（AFM.1）C0; NAS540 V5.21（AATB.5）C0和V5.21（AATB.3）C0。

Unsafe storage of AD credentials in Ivanti DSM netinst 5.1 due to a static, hard-coded encryption key.

由于静态的硬编码加密密钥，在Ivanti DSM netinst 5.1中无法安全存储AD凭据。

In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway.

在3.3.23和3.4.10之前的etcd中，etcd网关是一个简单的TCP代理，可用于基本服务发现和访问。但是，可以将网关地址包括为端点。这导致拒绝服务，因为端点可能陷入请求自身的循环中，直到没有更多可用的文件描述符来接受网关上的连接为止。

etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort.

版本3.3.23和3.4.10之前的etcd不执行任何密码长度验证，这允许使用非常短的密码，例如长度为1的密码。这可能使攻击者只需很少的计算即可猜测或强行使用用户的密码。

In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. This has been fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality.

在3.4.10和3.3.23之前的版本中，网关TLS身份验证仅应用于DNS SRV记录中检测到的端点。启动网关时，仅在DNS SRV记录中为给定域标识的端点上尝试TLS身份验证，这在discoverEndpoints函数中发生。不会对--endpoints标志中提供的端点执行身份验证。在版本3.4.10和3.3.23中已对此进行了修复，并提供了改进的文档并弃用了该功能。

An unhandled exception in check_ignored() in apport/report.py can be exploited by a local attacker to cause a denial of service. If the mtime attribute is a string value in apport-ignore.xml, it will trigger an unhandled exception, resulting in a crash. Fixed in 2.20.1-0ubuntu2.24, 2.20.9-0ubuntu7.16, 2.20.11-0ubuntu27.6.

本地攻击者可以利用apport / report.py中check_ignored（）中未处理的异常来导致拒绝服务。如果mtime属性是apport-ignore.xml中的字符串值，它将触发未处理的异常，从而导致崩溃。已在2.20.1-0ubuntu2.24、2.20.9-0ubuntu7.16、2.20.11-0ubuntu27.6中修复。

Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. Multiple heap-based buffer overflow vulnerabilities may be exploited by opening specially crafted project files that may overflow the heap, which may allow remote code execution, disclosure/modification of information, or cause the application to crash.

研华WebAccess HMI设计器，版本2.1.9.31及更低版本。通过打开可能会使堆溢出的特制项目文件，可以利用多个基于堆的缓冲区溢出漏洞，这可能允许远程执行代码，公开/修改信息或导致应用程序崩溃。

Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. An out-of-bounds read vulnerability may be exploited by processing specially crafted project files, which may allow an attacker to read information.

研华WebAccess HMI设计器，版本2.1.9.31及更低版本。通过处理特制的项目文件，可以利用越界读取漏洞，这可能使攻击者读取信息。

Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. Processing specially crafted project files lacking proper validation of user supplied data may cause the system to write outside the intended buffer area, which may allow remote code execution, disclosure/modification of information, or cause the application to crash.

研华WebAccess HMI设计器，版本2.1.9.31及更低版本。处理缺少对用户提供的数据的正确验证的特制项目文件可能会导致系统在预期的缓冲区之外进行写入，这可能允许远程执行代码，泄露/修改信息或导致应用程序崩溃。

Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. Processing specially crafted project files lacking proper validation of user supplied data may cause a stack-based buffer overflow, which may allow remote code execution, disclosure/modification of information, or cause the application to crash.

研华WebAccess HMI设计器，版本2.1.9.31及更低版本。处理未经用户提供的数据正确验证的特制项目文件可能会导致基于堆栈的缓冲区溢出，这可能允许远程执行代码，泄露/修改信息或导致应用程序崩溃。

Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. A double free vulnerability caused by processing specially crafted project files may allow remote code execution, disclosure/modification of information, or cause the application to crash.

研华WebAccess HMI设计器，版本2.1.9.31及更低版本。处理特制项目文件导致的双重免费漏洞可能允许远程执行代码，泄露/修改信息或导致应用程序崩溃。

Delta Electronics TPEditor Versions 1.97 and prior. An out-of-bounds read may be exploited by processing specially crafted project files. Successful exploitation of this vulnerability may allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.

台达电子TPEditor 1.97版及更低版本。通过处理特制项目文件可以利用越界读取。成功利用此漏洞可能使攻击者能够读取/修改信息，执行任意代码和/或使应用程序崩溃。

Delta Electronics TPEditor Versions 1.97 and prior. A stack-based buffer overflow may be exploited by processing a specially crafted project file. Successful exploitation of this vulnerability may allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.

台达电子TPEditor 1.97版及更低版本。通过处理特制的项目文件，可以利用基于堆栈的缓冲区溢出。成功利用此漏洞可能使攻击者能够读取/修改信息，执行任意代码和/或使应用程序崩溃。

Delta Electronics TPEditor Versions 1.97 and prior. A heap-based buffer overflow may be exploited by processing a specially crafted project file. Successful exploitation of this vulnerability may allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.

台达电子TPEditor 1.97版及更低版本。通过处理特制项目文件，可以利用基于堆的缓冲区溢出。成功利用此漏洞可能使攻击者能够读取/修改信息，执行任意代码和/或使应用程序崩溃。

Delta Electronics TPEditor Versions 1.97 and prior. A write-what-where condition may be exploited by processing a specially crafted project file. Successful exploitation of this vulnerability may allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.

台达电子TPEditor 1.97版及更低版本。通过处理特制项目文件可以利用“在哪里写”条件。成功利用此漏洞可能使攻击者能够读取/修改信息，执行任意代码和/或使应用程序崩溃。

Delta Electronics TPEditor Versions 1.97 and prior. An improper input validation may be exploited by processing a specially crafted project file not validated when the data is entered by a user. Successful exploitation of this vulnerability may allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.

台达电子TPEditor 1.97版及更低版本。通过处理用户输入数据时未验证的特制项目文件，可以利用不正确的输入验证。成功利用此漏洞可能使攻击者能够读取/修改信息，执行任意代码和/或使应用程序崩溃。

Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. Processing specially crafted project files lacking proper validation of user supplied data may cause a type confusion condition, which may allow remote code execution, disclosure/modification of information, or cause the application to crash.

研华WebAccess HMI设计器，版本2.1.9.31及更低版本。处理未经用户提供的数据正确验证的特制项目文件可能会导致类型混乱，这可能会导致远程执行代码，泄露/修改信息或导致应用程序崩溃。

Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.

在1.13.15之前的版本和在1.14.7之前的14.x可以通过无效输入在ReadUvarint和ReadVarint中以编码/二进制形式进行无限读取循环。

The GalaxyClientService component of GOG Galaxy runs with elevated SYSTEM privileges in a Windows environment. Due to the software shipping with embedded, static RSA private key, an attacker with this key material and local user permissions can effectively send any operating system command to the service for execution in this elevated context. The service listens for such commands on a locally-bound network port, localhost:9978. A Metasploit module has been published which exploits this vulnerability. This issue affects the 2.0.x branch of the software (2.0.12 and earlier) as well as the 1.2.x branch (1.2.64 and earlier). A fix was issued for the 2.0.x branch of the affected software.

GOG Galaxy的GalaxyClientService组件在Windows环境中以提升的SYSTEM特权运行。由于软件带有嵌入式静态RSA私钥，具有此密钥材料和本地用户权限的攻击者可以有效地将任何操作系统命令发送到服务，以在此提升的上下文中执行。该服务在本地绑定的网络端口localhost：9978上侦听此类命令。已发布利用此漏洞的Metasploit模块。此问题影响软件的2.0.x分支（2.0.12和更早版本）以及1.2.x分支（1.2.64和更早版本）。已发布针对受影响软件的2.0.x分支的修复程序。

CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability. Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and execute SYSTEM commands.

铠应xPost遭受未经身份验证的SQL注入漏洞。在Wayfinder_meeting_input.jsp中通过GET参数'wayfinder_seqid'传递的输入在返回给用户或在SQL查询中使用之前未正确处理。可以利用此方法通过注入任意SQL代码并执行SYSTEM命令来操纵SQL查询。

Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'NTP_Server_IP' HTTP POST parameter in system.cgi page. This issue affects several branches and versions of the CMS application, including CME-SE, CMS-60, CMS-40, CMS-20, and CMS version 8.2, 8.0, and 7.5.

Cayin CMS遭受使用默认凭据的经过身份验证的操作系统半盲命令注入漏洞。可以利用它来通过root用户通过system.cgi页中的“ NTP_Server_IP” HTTP POST参数注入并执行任意shell命令。此问题影响CMS应用程序的多个分支和版本，包括CME-SE，CMS-60，CMS-40，CMS-20和CMS版本8.2、8.0和7.5。

The EasyCorp ZenTao Pro application suffers from an OS command injection vulnerability in its '/pro/repo-create.html' component. After authenticating to the ZenTao dashboard, attackers may construct and send arbitrary OS commands via the POST parameter 'path', and those commands will run in an elevated SYSTEM context on the underlying Windows operating system.

EasyCorp ZenTao Pro应用程序的“ /pro/repo-create.html”组件中存在操作系统命令注入漏洞。在对ZenTao仪表板进行身份验证之后，攻击者可以通过POST参数“ path”构造并发送任意OS命令，这些命令将在底层Windows操作系统的提升的SYSTEM上下文中运行。

In FreeBSD 12.1-STABLE before r362166, 12.1-RELEASE before p8, 11.4-STABLE before r362167, 11.4-RELEASE before p2, and 11.3-RELEASE before p12, missing length validation code common to mulitple USB network drivers allows a malicious USB device to write beyond the end of an allocated network packet buffer.

在r362166之前的FreeBSD 12.1-STABLE，p8之前的12.1-RELEASE，r362167之前的11.4-STABLE，p2之前的11.4-RELEASE和p12之前的11.3-RELEASE中，由于缺少多个USB网络驱动程序通用的长度验证码，恶意USB设备才能写入超出分配的网络数据包缓冲区的末尾。

In FreeBSD 12.1-STABLE before r363918, 12.1-RELEASE before p8, 11.4-STABLE before r363919, 11.4-RELEASE before p2, and 11.3-RELEASE before p12, the sendmsg system call in the compat32 subsystem on 64-bit platforms has a time-of-check to time-of-use vulnerability allowing a mailcious userspace program to modify control message headers after they were validation.

在r363918之前的FreeBSD 12.1-STABLE，p8之前的12.1-RELEASE，r363919之前的11.4-STABLE，p2之前的11.4-RELEASE和p12之前的11.3-RELEASE中，在64位平台上的compat32子系统中的sendmsg系统调用具有以下时间：使用时间检查漏洞，允许一个可邮寄的用户空间程序在验证后对控制消息头进行修改。

MyBrowserPlus downloads the files needed to run the program through the setup file (Setup.inf). At this time, there is a vulnerability in downloading arbitrary files due to insufficient integrity verification of the files.

MyBrowserPlus通过安装文件（Setup.inf）下载运行程序所需的文件。此时，由于文件完整性验证不足，因此在下载任意文件时存在漏洞。

In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater then the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.

在3.3.23和3.4.10之前的etcd中，可能有一个条目索引大于wal / wal.go中ReadAll方法中的条目数。当在共识期间读取WAL条目时，这可能会引起问题，因为在读取条目时，任意etcd共识参与者可能会从运行时恐慌中消失。

Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code execution by disabling os.execute() calls, but this is insufficient. Anyone with network access can use a crafted UDF to execute arbitrary OS commands on all nodes of the cluster at the permission level of the user running the Aerospike service.

Aerospike Community Edition 4.9.0.5允许未经身份验证的提交和执行以Lua编写的用户定义函数（UDF），作为数据库查询的一部分。它试图通过禁用os.execute（）调用来限制代码执行，但这还不够。具有网络访问权限的任何人都可以使用精心制作的UDF，在运行Aerospike服务的用户的权限级别上，在群集的所有节点上执行任意OS命令。

The ATOS/Sips (aka Atos-Magento) community module 3.0.0 to 3.0.5 for Magento allows command injection.

Magento的ATOS / Sips（又名Atos-Magento）社区模块3.0.0至3.0.5允许命令注入。

Extreme EAC Appliance 8.4.1.24 allows unauthenticated reflected XSS via a parameter in a GET request.

Extreme EAC Appliance 8.4.1.24允许通过GET请求中的参数进行未经身份验证的反射XSS。

**Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storage, there is a SQL injection vulnerability in the wildcard query cases.

**已解决**仅当将H2 / MySQL / TiDB用作Apache SkyWalking存储时，通配符查询案例中存在SQL注入漏洞。

An integer overflow leading to a heap-buffer overflow was found in The X Input Method (XIM) client was implemented in libX11 before version 1.6.10. As per upstream this is security relevant when setuid programs call XIM client functions while running with elevated privileges. No such programs are shipped with Red Hat Enterprise Linux.

在1.6.10版之前的libX11中实现了X输入法（XIM）客户端，发现了导致堆缓冲区溢出的整数溢出。按照上游，这与安全性有关，即setuid程序在以提升的特权运行时调用XIM客户端函数时。红帽企业版Linux不附带此类程序。

A flaw was found in the way xserver memory was not properly initialized. This could leak parts of server memory to the X client. In cases where Xorg server runs with elevated privileges, this could result in possible ASLR bypass. Xorg-server before version 1.20.9 is vulnerable.

发现xserver内存未正确初始化的方式中存在缺陷。这可能会将部分服务器内存泄漏到X客户端。如果Xorg服务器以提升的特权运行，则可能导致可能的ASLR绕过。 1.20.9之前的Xorg-server容易受到攻击。

In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.

在版本3.3.23和3.4.10之前的etcd中，较大的片段会导致在DeleteRecord方法中出现恐慌。记录的大小存储在WAL文件的length字段中，并且不对此数据进行任何其他验证。因此，可以伪造一个非常大的帧大小，而这可能无意中引起恐慌，而任何RAFT参与者都试图对WAL进行解码。

In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700).

在3.3.23和3.4.10之前的etcd中，使用以下命令创建具有受限访问权限（700）的某些目录路径（etcd数据目录和目录路径（当提供该路径以自动生成与客户端的TLS连接的自签名证书））。 os.MkdirAll。当给定目录路径已经存在时，此功能不执行任何权限检查。可能的解决方法是确保目录具有所需的权限（700）。

In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flipping the readiness endpoint to false, which removes Envoy from the routing pool. When running Envoy (For example on the host network, pod spec hostNetwork=true), the shutdown manager's endpoint is accessible to anyone on the network that can reach the Kubernetes node that's running Envoy. There is no authentication in place that prevents a rogue actor on the network from shutting down Envoy via the shutdown manager endpoint. Successful exploitation of this issue will lead to bad actors shutting down all instances of Envoy, essentially killing the entire ingress data plane. This is fixed in version 1.7.0.

在1.7.0版之前的Contour（用于Kubernetes的入口控制器）中，不良行为者可以关闭Envoy的所有实例，从而实质上杀死了整个入口数据平面。到Envoy pod的端口8090上的/ shutdown的GET请求启动Envoy的关闭过程。关闭过程包括将准备就绪端点翻转为false，这会将Envoy从路由池中删除。运行Envoy时（例如，在主机网络上，pod spec hostNetwork = true），网络上可以访问运行Envoy的Kubernetes节点的任何人都可以访问关闭管理器的端点。没有可用的身份验证来阻止网络上的恶意参与者通过关闭管理器端点关闭Envoy。成功利用此问题将导致不良行为者关闭Envoy的所有实例，从根本上杀死整个入口数据平面。此问题在1.7.0版中已修复。

In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that this user name does not exist. This enables attackers to retrieve valid usernames. Also, the response of the "Forgot Password" request returns the email address to which the email was sent, if the operation was successful. This information should not be exposed, as it can be used to gather email addresses. This problem was fixed in versions 1.6.35, 2.0.10 and 2.1.1.

在Sulu 1.6.35、2.0.10和2.1.1之前的版本中，使用登录屏幕上的“忘记密码”功能时，Sulu要求用户提供用户名或电子邮件地址。如果找不到给定的字符串，则返回带有错误代码“ 400”的响应，以及一条错误消息，指出该用户名不存在。这使攻击者能够检索有效的用户名。同样，如果操作成功，“忘记密码”请求的响应将返回电子邮件发送到的电子邮件地址。此信息不应该公开，因为它可以用来收集电子邮件地址。在版本1.6.35、2.0.10和2.1.1中解决了此问题。

LimeSurvey 4.3.2 allows reflected XSS because application/controllers/LSBaseController.php lacks code to validate parameters.

LimeSurvey 4.3.2允许反射的XSS，因为application / controllers / LSBaseController.php缺少用于验证参数的代码。

The Field Test gem 0.2.0 through 0.3.2 for Ruby allows CSRF.

适用于Ruby的Field Test gem 0.2.0至0.3.2允许CSRF。

The PgHero gem through 2.6.0 for Ruby allows CSRF.

透过2.6.0 for Ruby的PgHero gem允许CSRF。

The Chartkick gem through 3.3.2 for Ruby allows Cascading Style Sheets (CSS) Injection (without attribute).

Ruby的3.3.2版中的Chartkick gem允许级联样式表（CSS）注入（不带属性）。

scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code.

通过使用-dsafe时，在LilyPond到2.20.0和2.21.x到2.21.4中的scm / define-stencil-commands.scm中，使用-dsafe时，对Embedded-ps和Embedded-svg的限制不大，这包括危险的PostScript代码。

USVN (aka User-friendly SVN) before 1.0.9 allows XSS via SVN logs.

1.0.9之前的USVN（又名用户友好SVN）允许通过SVN日志进行XSS。

An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate Revocation List files from the RPKI relying party's view.

在NLnet Labs Routinator 0.1.0到0.7.1中发现了一个问题。通过从策略上保留RPKI依赖方的观点，从策略上保留RPKI路由源授权“ .roa”文件或X509证书吊销列表文件，它使远程攻击者可以绕过预期的访问限制或在从属路由系统上导致拒绝服务。

IBM Security Identity Governance and Intelligence 5.2.6 Virtual Appliance could allow a remote attacker to obtain sensitive information using man in the middle techniques due to not properly invalidating session tokens. IBM X-Force ID: 175420.

IBM Security Identity Governance and Intelligence 5.2.6虚拟设备可以允许远程攻击者使用中间人技术来获取敏感信息，因为它们没有适当地使会话令牌无效。 IBM X-Force ID：175420。

IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181848.

在处理XML数据时，IBM UrbanCode Deploy（UCD）6.2.7.3、6.2.7.4、7.0.3.0和7.0.4.0容易受到XML外部实体注入（XXE）攻击。远程攻击者可能利用此漏洞来泄露敏感信息或消耗内存资源。 IBM X-Force ID：181848。

CAMS for HIS CENTUM CS 3000 (includes CENTUM CS 3000 Small) R3.08.10 to R3.09.50, CENTUM VP (includes CENTUM VP Small, Basic) R4.01.00 to R6.07.00, B/M9000CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01 allows a remote unauthenticated attacker to bypass authentication and send altered communication packets via unspecified vectors.

用于HIS CENTUM CS 3000的CAMS（包括CENTUM CS 3000 Small）R3.08.10至R3.09.50，CENTUM VP（包括CENTUM VP Small，Basic）R4.01.00至R6.07.00，B / M9000CS R5.04.01至R5.05.01， B / M9000 VP R6.01.01至R8.03.01允许远程未经身份验证的攻击者绕过身份验证，并通过未指定的向量发送更改的通信数据包。

Directory traversal vulnerability in CAMS for HIS CENTUM CS 3000 (includes CENTUM CS 3000 Small) R3.08.10 to R3.09.50, CENTUM VP (includes CENTUM VP Small, Basic) R4.01.00 to R6.07.00, B/M9000CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01 allows a remote unauthenticated attacker to create or overwrite arbitrary files and run arbitrary commands via unspecified vectors.

HIS的CAMS中的目录遍历漏洞CENTUM CS 3000（包括CENTUM CS 3000 Small）从R3.08.10到R3.09.50，CENTUM VP（包括CENTUM VP Small，Basic）从R4.01.00到R6.07.00，从B / M9000CS R5.04.01到R5.05.01和B / M9000 VP R6.01.01至R8.03.01允许未经身份验证的远程攻击者创建或覆盖任意文件，并通过未指定的向量运行任意命令。

Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.

16.0.R26之前的McAfee Total Protection（MTP）中出现意外行为违规，允许本地用户通过特制对象进行特定功能调用来关闭实时扫描。

An input validation vulnerability found in multiple Trend Micro products utilizing a particular version of a specific rootkit protection driver could allow an attacker in user-mode with administrator permissions to abuse the driver to modify a kernel address that may cause a system crash or potentially lead to code execution in kernel mode. An attacker must already have obtained administrator access on the target machine (either legitimately or via a separate unrelated attack) to exploit this vulnerability.

使用特定版本的特定Rootkit保护驱动程序的多个趋势科技产品中发现的输入验证漏洞可能允许攻击者以管理员身份在用户模式下滥用驱动程序来修改内核地址，从而可能导致系统崩溃或潜在地导致内核模式下的代码执行。攻击者必须已经在目标计算机上（合法地或通过单独的不相关的攻击）获得了管理员访问权限，才能利用此漏洞。

Jeedom through 4.0.38 allows XSS.

Jeedom通过4.0.38允许XSS。

Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3.

受影响的Atlassian Fisheye版本允许远程攻击者通过日志记录功能中的Information Disclosure漏洞查看存储库的HTTP密码。受影响的版本为4.8.3之前的版本。

An issue was discovered in RICOH Streamline NX Client Tool and RICOH Streamline NX PC Client that allows attackers to escalate local privileges.

在RICOH Streamline NX客户端工具和RICOH Streamline NX PC客户端中发现了一个问题，该问题使攻击者可以升级本地特权。

An exploitable arbitrary file delete vulnerability exists in SoftPerfect RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can allow an unprivileged user to delete any file on the filesystem. An attacker can send a malicious IRP to trigger this vulnerability.

SoftPerfect RAM磁盘4.1 spvve.sys驱动程序中存在一个可利用的任意文件删除漏洞。特制的I / O请求数据包（IRP）可以允许无特权的用户删除文件系统上的任何文件。攻击者可以发送恶意IRP来触发此漏洞。

An exploitable information disclosure vulnerability exists in SoftPerfect’s RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can cause the disclosure of sensitive information. An attacker can send a malicious IRP to trigger this vulnerability.

In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with at least two shipping zones and different costs of shipment per zone are impacted. This problem comes from how checkout permitted attributes are structured. We have a single list of attributes that are permitted across the whole checkout, no matter the step that is being submitted. See the linked reference for more information. As a workaround, if it is not possible to upgrade to a supported patched version, please use this gist in the references section.

在2.8.6、2.9.6和2.10.2之前的版本中，可以更改订单地址而无需触发地址验证。此漏洞使恶意客户可以使用允许更改当前订单地址而无需更改与新货运关联的货运成本的参数来制作请求数据。具有至少两个运输区域且每个区域的运输成本不同的所有商店都将受到影响。此问题来自结帐允许属性的结构。无论提交的是什么步骤，我们都有一个在整个结帐中都允许使用的属性列表。有关更多信息，请参见链接的参考。解决方法是，如果无法升级到受支持的修补程序版本，请在参考部分中使用此要点。

save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF attack would require you to navigate to a malicious site while you have an active session with Save-Server (Session key stored in cookies). The malicious user would then be able to perform some actions, including uploading/deleting files and adding redirects. If you are logged in as root, this attack is significantly more severe. They can in addition create, delete and update users. If they updated the password of a user, that user's files would then be available. If the root password is updated, all files would be visible if they logged in with the new password. Note that due to the same origin policy malicious actors cannot view the gallery or the response of any of the methods, nor be sure they succeeded. This issue has been patched in version 1.0.7.

1.05之前的版本的save-server（npm软件包）受CSRF漏洞的影响，因为没有CSRF缓解措施（令牌等）。版本1.05中引入的修复程序无意间中断了上传，因此版本v1.0.7是固定版本。这是通过实现Double Submit来修补的。 CSRF攻击将要求您在与Save-Server进行活动会话（会话密钥存储在cookie中）时导航到恶意站点。然后，恶意用户将能够执行某些操作，包括上载/删除文件和添加重定向。如果您以root用户身份登录，则此攻击的严重性要大得多。他们还可以创建，删除和更新用户。如果他们更新了用户密码，则该用户的文件将可用。如果更新了root密码，则使用新密码登录的所有文件都将可见。请注意，由于具有相同的来源策略，恶意行为者无法查看图库或任何方法的响应，也不能确保它们成功。此问题已在1.0.7版中修复。

The administrative interface of Cohesive Networks vns3:vpn appliances before version 4.11.1 is vulnerable to authenticated remote code execution leading to server compromise.

版本4.11.1之前的Cohesive Networks vns3：vpn设备的管理界面易受身份验证的远程代码执行的攻击，从而导致服务器受损。

An issue was discovered in the Gantt-Chart module before 5.5.4 for Jira. Due to a missing privilege check, it is possible to read and write to the module configuration of other users. This can also be used to deliver an XSS payload to other users' dashboards. To exploit this vulnerability, an attacker has to be authenticated.

在Jira的5.5.4之前的Gantt-Chart模块中发现了一个问题。由于缺少特权检查，因此可以读取和写入其他用户的模块配置。这也可以用于将XSS负载交付给其他用户的仪表板。要利用此漏洞，必须对攻击者进行身份验证。

An issue was discovered in the Gantt-Chart module before 5.5.5 for Jira. Due to missing validation of user input, it is vulnerable to a persistent XSS attack. An attacker can embed the attack vectors in the dashboard of other users. To exploit this vulnerability, an attacker has to be authenticated.

对于Jira，5.5.5之前的Gantt-Chart模块中发现了一个问题。由于缺少用户输入的验证，因此容易受到持续的XSS攻击。攻击者可以将攻击向量嵌入其他用户的仪表板中。要利用此漏洞，必须对攻击者进行身份验证。

ActiveMediaServer.exe in ACTi NVR3 Standard Server 3.0.12.42 allows remote unauthenticated attackers to trigger a buffer overflow and application termination via a malformed payload.

ACTi NVR3 Standard Server 3.0.12.42中的ActiveMediaServer.exe允许未经身份验证的远程攻击者通过格式错误的有效载荷触发缓冲区溢出和应用程序终止。

An issue was discovered on Swisscom Internet Box 2, Internet Box Standard, Internet Box Plus prior to 10.04.38, Internet Box 3 prior to 11.01.20, and Internet Box light prior to 08.06.06. Given the (user-configurable) credentials for the local Web interface or physical access to a device's plus or reset button, an attacker can create a user with elevated privileges on the Sysbus-API. This can then be used to modify local or remote SSH access, thus allowing a login session as the superuser.

在Swisscom Internet Box 2，Internet Box Standard，10.04.38之前的Internet Box Plus，11.01.20之前的Internet Box 3和08.06.06之前的Internet Box灯上发现了一个问题。有了本地Web界面的（用户可配置）凭据或对设备的加号或“重置”按钮的物理访问，攻击者可以在Sysbus-API上创建具有提升特权的用户。然后可以使用它来修改本地或远程SSH访问，从而允许以超级用户身份登录会话。

Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and prior. Multiple stack-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files, which may allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.

台达工业自动化CNCSoft ScreenEditor，版本1.01.23及更低版本。通过处理特制的项目文件，可以利用多个基于堆栈的缓冲区溢出漏洞，这可能使攻击者可以读取/修改信息，执行任意代码和/或使应用程序崩溃。

Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and prior. Multiple out-of-bounds read vulnerabilities may be exploited by processing specially crafted project files, which may allow an attacker to read information.

台达工业自动化CNCSoft ScreenEditor，版本1.01.23及更低版本。通过处理特制的项目文件，可以利用多个越界读取漏洞，这可能使攻击者读取信息。

Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and prior. An uninitialized pointer may be exploited by processing a specially crafted project file. Successful exploitation of this vulnerability may allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.

台达工业自动化CNCSoft ScreenEditor，版本1.01.23及更低版本。通过处理特制的项目文件，可以利用未初始化的指针。成功利用此漏洞可能使攻击者能够读取/修改信息，执行任意代码和/或使应用程序崩溃。