
Latest Vulnerabilities
Vulnerability ID Description Vendor Time
CVE-2020-3361
A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to gain unauthorized access to a vulnerable Webex site. The vulnerability is due to improper handling of authentication tokens by a vulnerable Webex site. An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site. If successful, the attacker could gain the privileges of another user within the affected Webex site.

Cisco Systems, Inc. 2020-06-18 17:10:50
CVE-2020-3362
A vulnerability in the CLI of Cisco Network Services Orchestrator (NSO) could allow an authenticated, local attacker to access confidential information on an affected device. The vulnerability is due to a timing issue in the processing of CLI commands. An attacker could exploit this vulnerability by executing a specific sequence of commands on the CLI. A successful exploit could allow the attacker to read configuration information that would normally be accessible to administrators only.

Cisco Systems, Inc. 2020-06-18 17:10:50
CVE-2020-3364
A vulnerability in the access control list (ACL) functionality of the standby route processor management interface of Cisco IOS XR Software could allow an unauthenticated, remote attacker to reach the configured IP addresses on the standby route processor management Gigabit Ethernet Management interface. The vulnerability is due to a logic error that was introduced in the Cisco IOS XR Software, which prevents the ACL from working when applied against the standby route processor management interface. An attacker could exploit this vulnerability by attempting to access the device through the standby route processor management interface.

Cisco Systems, Inc. 2020-06-18 17:10:50
CVE-2020-3368
A vulnerability in the antispam protection mechanisms of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the URL reputation filters on an affected device. The vulnerability is due to insufficient input validation of URLs. An attacker could exploit this vulnerability by crafting the URL in a particular way. A successful exploit could allow the attacker to bypass the URL reputation filters that are configured for the affected device, which could allow malicious URLs to pass through the device.

Cisco Systems, Inc. 2020-06-18 17:10:49
CVE-2020-4532
IBM Business Automation Workflow and IBM Business Process Manager (IBM Business Process Manager Express 8.5.5, 8.5.6, 8.5.7, and 8.6) could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 182716.

IBM Corporation 2020-06-18 17:10:49
CVE-2020-6752
In OMERO before 5.6.1, group owners can access members' data in other groups.

MITRE Corporation 2020-06-18 17:10:49
CVE-2020-6869
All versions up to 10.06 of ZTEMarket APK are impacted by an information leak vulnerability. Due to Activity Component exposure, users can exploit this vulnerability to get the private cookie and execute silent installation.

ZTE Corporation 2020-06-18 17:10:49
CVE-2020-7664
The ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.

Snyk 2020-06-18 17:10:49
CVE-2020-7668
The ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.

Snyk 2020-06-18 17:10:49
CVE-2020-7932
OMERO.web before 5.6.3 optionally allows sensitive data elements (e.g., a session key) to be passed as URL query parameters. If an attacker tricks a user into clicking a malicious link in OMERO.web, the information in the query parameters may be exposed in the Referer header seen by the target. Information in the URL path such as object IDs may also be exposed.

MITRE Corporation 2020-06-18 17:10:49
CVE-2020-8618
An attacker who is permitted to send zone data to a server via zone transfer can exploit this to intentionally trigger the assertion failure with a specially constructed zone, denying service to clients.

Internet Systems Consortium (ISC) 2020-06-18 17:10:48
CVE-2020-8619
Unless a nameserver is providing authoritative service for one or more zones and at least one zone contains an empty non-terminal entry containing an asterisk ("*") character, this defect cannot be encountered. A would-be attacker who is allowed to change zone content could theoretically introduce such a record in order to exploit this condition to cause denial of service, though we consider the use of this vector unlikely because any such attack would require a significant privilege level and be easily traceable.

Internet Systems Consortium (ISC) 2020-06-18 17:10:48
CVE-2020-9332
ftusbbus2.sys in FabulaTech USB for Remote Desktop through 2020-02-19 allows privilege escalation via crafted IoCtl code related to a USB HID device.

MITRE Corporation 2020-06-18 17:10:48
CVE-2019-17655
A cleartext storage in a file or on disk (CWE-313) vulnerability in FortiOS SSL VPN 6.2.2 and below may allow an attacker to retrieve a logged-in SSL VPN user's credentials should that attacker be able to read the session file stored on the targeted device's system.

Fortinet, Inc. 2020-06-17 17:22:30
CVE-2019-18614
On the Cypress CYW20735 evaluation board, any data that exceeds 384 bytes is copied and causes an overflow. This is because the maximum BLOC buffer size for sending and receiving data is set to 384 bytes, but everything else is still configured to the usual size of 1092 (which was used for everything in the previous CYW20719 and later CYW20819 evaluation board). To trigger the overflow, an attacker can either send packets over the air or as unprivileged local user. Over the air, the minimal PoC is sending "l2ping -s 600" to the target address prior to any pairing. Locally, the buffer overflow is immediately triggered by opening an ACL or SCO connection to a headset. This occurs because, in WICED Studio 6.2 and 6.4, BT_ACL_HOST_TO_DEVICE_DEFAULT_SIZE and BT_ACL_DEVICE_TO_HOST_DEFAULT_SIZE are set to 384.

MITRE Corporation 2020-06-17 17:22:30
CVE-2020-0223
This is an unbounded write into kernel global memory, via a user-controlled buffer size. Product: Android. Versions: Android kernel. Android ID: A-135130450

Android (associated with Google Inc. or Open Handset Alliance) 2020-06-17 17:22:30
CVE-2020-0232
Function abc_pcie_issue_dma_xfer_sync creates a transfer object, adds it to the session object, then continues to work with it. A concurrent thread could retrieve the created transfer object from the session object and delete it using abc_pcie_dma_user_xfer_clean. If this happens, abc_pcie_start_dma_xfer and abc_pcie_wait_dma_xfer in the original thread will trigger a UAF when working with the transfer object. Product: Android. Versions: Android kernel. Android ID: A-151453714

Android (associated with Google Inc. or Open Handset Alliance) 2020-06-17 17:22:30
CVE-2020-0234
In crus_afe_get_param of msm-cirrus-playback.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-148189280

Android (associated with Google Inc. or Open Handset Alliance) 2020-06-17 17:22:30
CVE-2020-0235
In crus_sp_shared_ioctl we first copy 4 bytes from userdata into "size" variable, and then use that variable as the size parameter for "copy_from_user", ending up overwriting memory following "crus_sp_hdr". "crus_sp_hdr" is a static variable, of type "struct crus_sp_ioctl_header". Product: Android. Versions: Android kernel. Android ID: A-135129430

Android (associated with Google Inc. or Open Handset Alliance) 2020-06-17 17:22:29
CVE-2020-10268
Critical services for operation can be terminated from the Windows Task Manager, bringing the manipulator to a halt. After this, a re-calibration of the brakes needs to be performed. Note that this can only be accomplished either by a Kuka technician or by Kuka-issued calibration hardware that interfaces with the manipulator, furthering the delay and increasing operational costs.

Alias Robotics S.L. 2020-06-17 17:22:29
CVE-2020-11838
Cross-Site Scripting (XSS) vulnerability in Micro Focus ArcSight Management Center product, affecting versions 2.6.1, 2.7.x, 2.8.x, 2.9.x prior to 2.9.4. The vulnerabilities could be remotely exploited, resulting in Cross-Site Scripting (XSS) or information disclosure.

Micro Focus International 2020-06-17 17:22:29
CVE-2020-11840
Unauthorized information disclosure vulnerability in Micro Focus ArcSight Management Center product, affecting versions 2.6.1, 2.7.x, 2.8.x, 2.9.x prior to 2.9.4. The vulnerabilities could be remotely exploited, resulting in unauthorized information disclosure.

Micro Focus International 2020-06-17 17:22:29
CVE-2020-11841
Unauthorized information disclosure vulnerability in Micro Focus ArcSight Management Center product, affecting versions 2.6.1, 2.7.x, 2.8.x, 2.9.x prior to 2.9.4. The vulnerabilities could be remotely exploited, resulting in unauthorized information disclosure.

Micro Focus International 2020-06-17 17:22:29
CVE-2020-12494
Beckhoff’s TwinCAT RT network driver for Intel 8254x and 8255x provides EtherCAT functionality. The driver implements real-time features. Except for Ethernet frames sent from real-time functionality, all other Ethernet frames sent through the driver are not padded if their payload is less than the minimum Ethernet frame size. Instead, arbitrary memory content is transmitted within the padding bytes of the frame. Most likely this memory contains slices from previously transmitted or received frames. By this method, memory content is disclosed; however, an attacker can hardly control which memory content is affected. For example, the disclosure can be provoked with small-sized ICMP echo requests sent to the device.

CERT@VDE 2020-06-17 17:22:29
CVE-2020-13162
A time-of-check time-of-use vulnerability in PulseSecureService.exe in Pulse Secure Client versions prior to 9.1.6 down to 5.3 R70 for Windows (which runs as NT AUTHORITY/SYSTEM) allows unprivileged users to run a Microsoft Installer executable with elevated privileges.

MITRE Corporation 2020-06-17 17:22:28
CVE-2020-13431
I2P before 0.9.46 allows local users to gain privileges via a Trojan horse I2PSvc.exe file because of weak permissions on a certain %PROGRAMFILES% subdirectory.

MITRE Corporation 2020-06-17 17:22:28
CVE-2020-14195
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

MITRE Corporation 2020-06-17 17:22:28
CVE-2020-14199
BIP-143 in the Bitcoin protocol specification mishandles the signing of a Segwit transaction, which allows attackers to trick a user into making two signatures in certain cases, potentially leading to a huge transaction fee. NOTE: this affects all hardware wallets. It was fixed in 1.9.1 for the Trezor One and 2.3.1 for the Trezor Model T.

MITRE Corporation 2020-06-17 17:22:28
CVE-2020-14210
MONITORAPP AIWAF-VE and AIWAF-4000 through 2020-06-16 allow reflected Cross-Site Scripting (XSS) through a crafted URL. This occurs because the Detect URL field displays the original URL.

MITRE Corporation 2020-06-17 17:22:28
CVE-2020-14212
FFmpeg through 4.3 has a heap-based buffer overflow in avio_get_str in libavformat/aviobuf.c because dnn_backend_native.c calls ff_dnn_load_model_native and a certain index check is omitted.

MITRE Corporation 2020-06-17 17:22:28