
Latest Vulnerabilities
Vulnerability ID / Description / Vendor / Time
CVE-2019-5324
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.

Hewlett Packard Enterprise (HPE) 2020-06-02 17:09:39
CVE-2019-5327
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.

Hewlett Packard Enterprise (HPE) 2020-06-02 17:09:39
CVE-2019-5328
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.

Hewlett Packard Enterprise (HPE) 2020-06-02 17:09:39
CVE-2019-5329
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.

Hewlett Packard Enterprise (HPE) 2020-06-02 17:09:39
CVE-2019-5330
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.

Hewlett Packard Enterprise (HPE) 2020-06-02 17:09:39
CVE-2019-5331
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.

Hewlett Packard Enterprise (HPE) 2020-06-02 17:09:39
CVE-2019-5332
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.

Hewlett Packard Enterprise (HPE) 2020-06-02 17:09:39
CVE-2019-5333
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.

Hewlett Packard Enterprise (HPE) 2020-06-02 17:09:39
CVE-2019-5334
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.

Hewlett Packard Enterprise (HPE) 2020-06-02 17:09:39
CVE-2019-5335
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.

Hewlett Packard Enterprise (HPE) 2020-06-02 17:09:39
CVE-2019-5336
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.

Hewlett Packard Enterprise (HPE) 2020-06-02 17:09:38
CVE-2019-5337
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.

Hewlett Packard Enterprise (HPE) 2020-06-02 17:09:38
CVE-2019-5409
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.

Hewlett Packard Enterprise (HPE) 2020-06-02 17:09:38
CVE-2019-5410
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.

Hewlett Packard Enterprise (HPE) 2020-06-02 17:09:38
CVE-2019-5411
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.

Hewlett Packard Enterprise (HPE) 2020-06-02 17:09:38
CVE-2019-5412
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.

Hewlett Packard Enterprise (HPE) 2020-06-02 17:09:38
CVE-2020-12062
** DISPUTED ** The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances."

MITRE Corporation 2020-06-02 17:09:38
CVE-2020-12867
A NULL pointer dereference in sanei_epson_net_read in SANE Backends through 1.0.29 allows a malicious device connected to the same local network as the victim to cause a denial of service, aka GHSL-2020-075.

MITRE Corporation 2020-06-02 17:09:38
CVE-2020-13448
QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8 allows an authenticated remote attacker to execute code on the server via command injection in the servicestart parameter.

MITRE Corporation 2020-06-02 17:09:38
CVE-2020-13694
In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user can execute sudo mysql without a password, which means that the www-data user can execute arbitrary OS commands via the mysql -e option.

MITRE Corporation 2020-06-02 17:09:38
CVE-2020-13695
In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker to obtain sensitive information via a grep of a /root/*.db or /etc/shadow file.

MITRE Corporation 2020-06-02 17:09:37
CVE-2020-13757
Python-RSA 4.0 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).

MITRE Corporation 2020-06-02 17:09:37
CVE-2020-13758
modules/security/classes/general.post_filter.php/post_filter.php in the Web Application Firewall in Bitrix24 through 20.0.950 allows XSS by placing %00 before the payload.

MITRE Corporation 2020-06-02 17:09:37
CVE-2020-6868
ZTE's PON terminal product is impacted by the access control vulnerability. Due to the system not performing correct access control on some program interfaces, an attacker could use this vulnerability to tamper with the program interface parameters to perform unauthenticated operations. This affects: <ZTE F680><V9.0.10P1N6>

ZTE Corporation 2020-06-02 17:09:37
CVE-2020-7659
reel through 0.6.1 allows Request Smuggling attacks due to incorrect Content-Length and Transfer encoding header parsing. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to be parsed as valid which could be leveraged for TE:CL smuggling attacks. Note: This project is deprecated, and is not maintained any more.

Snyk 2020-06-02 17:09:37
CVE-2020-7660
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Snyk 2020-06-02 17:09:37
CVE-2020-8967
There is an improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability in php files of GESIO ERP. GESIO ERP all versions prior to 11.2 allows malicious users to retrieve all database information.

Spanish National Cybersecurity Institute, S.A. 2020-06-02 17:09:37
CVE-2020-9071
There is a few bytes out-of-bounds read vulnerability in some Huawei products. The software reads data past the end of the intended buffer when parsing certain message, an authenticated attacker could exploit this vulnerability by sending crafted messages to the device. Successful exploit may cause service abnormal in specific scenario. Affected product versions include: AR120-S versions V200R007C00SPC900, V200R007C00SPCa00

Huawei Technologies 2020-06-02 17:09:37
CVE-2020-9291
An Insecure Temporary File vulnerability in FortiClient for Windows 6.2.1 and below may allow a local user to gain elevated privileges via exhausting the pool of temporary file names combined with a symbolic link attack.

Fortinet, Inc. 2020-06-02 17:09:37
CVE-2020-4013
The review resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the review objectives.

Atlassian 2020-06-01 17:22:11