Read the original article: Vulnerability Summary for the Week of October 12, 2020
Original release date: October 19, 2020
The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
High Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| foxitsoftware — foxit_reader | This vulnerability allows local attackers to escalate privileges on affected installations of Foxit PhantomPDF 10.0.0.35798. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of the configuration files used by the Foxit PhantomPDF Update Service. The issue results from incorrect permissions set on a resource used by the service. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM. Was ZDI-CAN-11308. | 2020-10-13 | 7.2 | CVE-2020-17415 N/A N/A |
| foxitsoftware — foxit_reader | This vulnerability allows local attackers to escalate privileges on affected installations of Foxit Reader 10.0.0.35798. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of the configuration files used by the Foxit Reader Update Service. The issue results from incorrect permissions set on a resource used by the service. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM. Was ZDI-CAN-11229. | 2020-10-13 | 7.2 | CVE-2020-17414 N/A N/A |
| google — android | In multiple settings screens, there are possible tapjacking attacks due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.0 Android-8.1Android ID: A-155288585 | 2020-10-14 | 9.3 | CVE-2020-0416 MISC |
| google — android | In gatt_process_read_by_type_rsp of gatt_cl.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure in the Bluetooth server with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11 Android-8.0Android ID: A-158833854 | 2020-10-14 | 7.8 | CVE-2020-0377 MISC |
| google — android | In setUpdatableDriverPath of GpuService.cpp, there is a possible memory corruption due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-162383705 | 2020-10-14 | 7.2 | CVE-2020-0420 MISC |
| google — android | In appendFormatV of String8.cpp, there is a possible out of bounds write due to incorrect error handling. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11 Android-8.0Android ID: A-161894517 | 2020-10-14 | 7.2 | CVE-2020-0421 MISC |
| google — android | There is a possible out of bounds write due to a missing bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-163008257 | 2020-10-14 | 9.4 | CVE-2020-0283 MISC |
| google — android | There is a possible out of bounds read due to a missing bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-163003156 | 2020-10-14 | 9.4 | CVE-2020-0376 MISC |
| google — android | There is a possible out of bounds read due to a missing bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-163008256 | 2020-10-14 | 9.4 | CVE-2020-0371 MISC |
| google — android | There is a possible out of bounds write due to a missing bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-162980455 | 2020-10-14 | 9.4 | CVE-2020-0367 MISC |
| google — android | There is a possible out of bounds read due to a missing bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-162980705 | 2020-10-14 | 9.4 | CVE-2020-0339 MISC |
| google — android | In remove of String16.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-156999009 | 2020-10-14 | 7.2 | CVE-2020-0408 MISC |
| huawei — p30_pro_firmware | HUAWEI P30 Pro versions earlier than 10.1.0.160(C00E160R2P8) have an out-of-bounds read and write vulnerability. An unauthenticated attacker crafts malformed message with specific parameter and sends the message to the affected products. Due to insufficient validation of message, which may be exploited to cause the process reboot. | 2020-10-12 | 7.1 | CVE-2020-9108 MISC |
| huawei — p30_pro_firmware | HUAWEI P30 Pro versions earlier than 10.1.0.160(C00E160R2P8) have an out-of-bounds read and write vulnerability. An unauthenticated attacker crafts malformed message with specific parameter and sends the message to the affected products. Due to insufficient validation of message, which may be exploited to cause the process reboot. | 2020-10-12 | 7.1 | CVE-2020-9107 MISC |
| ibm — cognos_analytics | IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to execute arbitrary code on the system, caused by a CSV injection. By persuading a victim to open a specially-crafted excel file, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 176610. | 2020-10-12 | 9.3 | CVE-2020-4302 XF CONFIRM |
| ibm — security_guardium | IBM Security Guardium 11.2 is vulnerable to CVS Injection. A remote privileged attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-ForceID: 186696. | 2020-10-12 | 8.5 | CVE-2020-4689 XF CONFIRM |
| lenovo — diagnostics | A […] Read the original article: Vulnerability Summary for the Week of October 12, 2020
Post navigation |