
Latest vulnerabilities
CVE ID / Description / Vendor / Time
CVE-2020-0543
Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

Intel Corporation 2020-06-16 17:14:08
CVE-2020-0545
Integer overflow in subsystem for Intel(R) CSME versions before 11.8.77, 11.12.77, 11.22.77 and Intel(R) TXE versions before 3.1.75, 4.0.25 and Intel(R) Server Platform Services (SPS) versions before SPS_E5_04.01.04.380.0, SPS_SoC-X_04.00.04.128.0, SPS_SoC-A_04.00.04.211.0, SPS_E3_04.01.04.109.0, SPS_E3_04.08.04.070.0 may allow a privileged user to potentially enable denial of service via local access.

Intel Corporation 2020-06-16 17:14:08
CVE-2020-0566
Improper Access Control in subsystem for Intel(R) TXE versions before 3.175 and 4.0.25 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

Intel Corporation 2020-06-16 17:14:08
CVE-2020-0586
Improper initialization in subsystem for Intel(R) SPS versions before SPS_E3_04.01.04.109.0 and SPS_E3_04.08.04.070.0 may allow an authenticated user to potentially enable escalation of privilege and/or denial of service via local access.

Intel Corporation 2020-06-16 17:14:08
CVE-2020-0594
Out-of-bounds read in IPv6 subsystem in Intel(R) AMT and Intel(R) ISM versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable escalation of privilege via network access.

Intel Corporation 2020-06-16 17:14:08
CVE-2020-0595
Use after free in IPv6 subsystem in Intel(R) AMT and Intel(R) ISM versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable escalation of privilege via network access.

Intel Corporation 2020-06-16 17:14:08
CVE-2020-0596
Improper input validation in DHCPv6 subsystem in Intel(R) AMT and Intel(R) ISM versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable information disclosure via network access.

Intel Corporation 2020-06-16 17:14:07
CVE-2020-0597
Out-of-bounds read in IPv6 subsystem in Intel(R) AMT and Intel(R) ISM versions before 14.0.33 may allow an unauthenticated user to potentially enable denial of service via network access.

Intel Corporation 2020-06-16 17:14:07
CVE-2020-11969
If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache TomEE 7.0.0-M1 - 7.0.7, Apache TomEE 1.0.0 - 1.7.5.

Apache Software Foundation 2020-06-16 17:14:07
CVE-2020-11999
FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.00 and prior, Connected Components Workbench: Version 12 and prior, ControlFLASH: Version 14 and later, ControlFLASH Plus: Version 1 and later, FactoryTalk Asset Centre: Version 9 and later, FactoryTalk Linx CommDTM: Version 1 and later, Studio 5000 Launcher: Version 31 and later Stud, 5000 Logix Designer software: Version 32 and prior is vulnerable. An exposed API call allows users to provide files to be processed without sanitation. This may allow an attacker to specify a filename to execute unauthorized code and modify files or data.

ICS-CERT 2020-06-16 17:14:07
CVE-2020-12001
FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.00 and prior, Connected Components Workbench: Version 12 and prior, ControlFLASH: Version 14 and later, ControlFLASH Plus: Version 1 and later, FactoryTalk Asset Centre: Version 9 and later, FactoryTalk Linx CommDTM: Version 1 and later, Studio 5000 Launcher: Version 31 and later Stud, 5000 Logix Designer software: Version 32 and prior is vulnerable. The parsing mechanism that processes certain file types does not provide input sanitation. This may allow an attacker to use specially crafted files to traverse the file system and modify or expose sensitive data or execute arbitrary code.

ICS-CERT 2020-06-16 17:14:07
CVE-2020-12003
FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.00 and prior, Connected Components Workbench: Version 12 and prior, ControlFLASH: Version 14 and later, ControlFLASH Plus: Version 1 and later, FactoryTalk Asset Centre: Version 9 and later, FactoryTalk Linx CommDTM: Version 1 and later, Studio 5000 Launcher: Version 31 and later Stud, 5000 Logix Designer software: Version 32 and prior is vulnerable. An exposed API call allows users to provide files to be processed without sanitation. This may allow an attacker to use specially crafted requests to traverse the file system and expose sensitive data on the local hard drive.

ICS-CERT 2020-06-16 17:14:07
CVE-2020-12005
FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.00 and prior, Connected Components Workbench: Version 12 and prior, ControlFLASH: Version 14 and later, ControlFLASH Plus: Version 1 and later, FactoryTalk Asset Centre: Version 9 and later, FactoryTalk Linx CommDTM: Version 1 and later, Studio 5000 Launcher: Version 31 and later Stud, 5000 Logix Designer software: Version 32 and prior is vulnerable. A vulnerability exists in the communication function that enables users to upload EDS files by FactoryTalk Linx. This may allow an attacker to upload a file with bad compression, consuming all the available CPU resources, leading to a denial-of-service condition.

ICS-CERT 2020-06-16 17:14:07
CVE-2020-12019
WebAccess Node Version 8.4.4 and prior is vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute arbitrary code.

ICS-CERT 2020-06-16 17:14:06
CVE-2020-13150
D-link DSL-2750U ISL2750UEME3.V1E devices allow approximately 90 seconds of access to the control panel, after a restart, before MAC address filtering rules become active.

MITRE Corporation 2020-06-16 17:14:06
CVE-2020-13650
An issue was discovered in DigDash 2018R2 before p20200210 and 2019R1 before p20200210. The login page is vulnerable to Server-Side Request Forgery (SSRF) that allows use of the application as a proxy. Sent to an external server, a forged request discloses application credentials. For a request to an internal component, the request is blind, but through the error message it's possible to determine whether the request targeted an open service.

MITRE Corporation 2020-06-16 17:14:06
CVE-2020-13651
An issue was discovered in DigDash 2018R2 before p20200528, 2019R1 before p20200421, and 2019R2 before p20200430. It allows a user to provide data that will be used to generate the JNLP file used by a client to obtain the right Java application. By providing an attacker-controlled URL, the client will obtain a rogue JNLP file specifying the installation of malicious JAR archives and executed with full privileges on the client computer.

MITRE Corporation 2020-06-16 17:14:06
CVE-2020-13652
An issue was discovered in DigDash 2018R2 before p20200528, 2019R1 before p20200528, 2019R2 before p20200430, and 2020R1 before p20200507. A cross-site scripting (XSS) vulnerability exists in the login menu.

MITRE Corporation 2020-06-16 17:14:06
CVE-2020-13999
ScaleViewPortExtEx in libemf.cpp in libEMF (aka ECMA-234 Metafile Library) 1.0.12 allows an integer overflow and denial of service via a crafted EMF file.

MITRE Corporation 2020-06-16 17:14:06
CVE-2020-14011
Lansweeper 6.0.x through 7.2.x has a default installation in which the admin password is configured for the admin account, unless "Built-in admin" is manually unchecked. This allows command execution via the Add New Package and Scheduled Deployments features.

MITRE Corporation 2020-06-16 17:14:06
CVE-2020-14033
An issue was discovered in janus-gateway (aka Janus WebRTC Server) through 0.10.0. janus_streaming_rtsp_parse_sdp in plugins/janus_streaming.c has a Buffer Overflow via a crafted RTSP server.

MITRE Corporation 2020-06-16 17:14:05
CVE-2020-14034
An issue was discovered in janus-gateway (aka Janus WebRTC Server) through 0.10.0. janus_get_codec_from_pt in utils.c has a Buffer Overflow via long value in an SDP Offer packet.

MITRE Corporation 2020-06-16 17:14:05
CVE-2020-14054
SOKKIA GNR5 Vanguard WEB version 1.2 (build: 91f2b2c3a04d203d79862f87e2440cb7cefc3cd3) and hardware version 212 allows remote attackers to bypass admin authentication via a SQL injection attack that uses the User Name or Password field on the login page.

MITRE Corporation 2020-06-16 17:14:05
CVE-2020-14076
TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buffer overflow in the ssi binary. The overflow allows an authenticated user to execute arbitrary code by POSTing to apply.cgi via the action st_dev_connect, st_dev_disconnect, or st_dev_rconnect with a sufficiently long wan_type key.

MITRE Corporation 2020-06-16 17:14:05
CVE-2020-14146
KumbiaPHP through 1.1.1, in Development mode, allows XSS via the public/pages/kumbia PATH_INFO.

MITRE Corporation 2020-06-16 17:14:05
CVE-2020-14147
An integer overflow in the getnum function in lua_struct.c in Redis before 6.0.3 allows context-dependent attackers with permission to run Lua code in a Redis session to cause a denial of service (memory corruption and application crash) or possibly bypass intended sandbox restrictions via a large number, which triggers a stack-based buffer overflow. NOTE: this issue exists because of a CVE-2015-8080 regression.

MITRE Corporation 2020-06-16 17:14:05
CVE-2020-14148
The Server-Server protocol implementation in ngIRCd before 26~rc2 allows an out-of-bounds access, as demonstrated by the IRC_NJOIN() function.

MITRE Corporation 2020-06-16 17:14:05
CVE-2020-14149
In uftpd before 2.12, handle_CWD in ftpcmd.c mishandled the path provided by the user, causing a NULL pointer dereference and denial of service, as demonstrated by a CWD /.. command.

MITRE Corporation 2020-06-16 17:14:05
CVE-2020-14150
GNU Bison before 3.5.4 allows attackers to cause a denial of service (application crash).

MITRE Corporation 2020-06-16 17:14:04
CVE-2020-14151
In IJG JPEG (aka libjpeg) before 9d, read_*_pixel() in rdtarga.c in cjpeg mishandles EOF.

MITRE Corporation 2020-06-16 17:14:04