Apple has released security updates that address multiple vulnerabilities in macOS Catalina 10.15.5, impacting various components such as Accounts, AirDrop, Audio, Bluetooth, Calendar, ImageIO, Kernel, ksh, PackageKit, Sandbox, SQLite, USB Audio, Wi-Fi, and zsh. The fixed issues could result in denial of service, the circumvention of sandbox restrictions, leak of private information, arbitrary code execution, exfiltration of user information, or elevation of privilege.
OpenSSH, a connectivity tool for remote login with the SSH protocol, contains a vulnerability that allows a remote attacker to write arbitrary files to the victim's system. The bug impacts OpenSSH versions 5.0p1, 5.1p1, 5.2p1, 5.3p1, 5.4p1, 5.5p1, 5.6p1, 5.7p1, 5.8p1, 5.8p2, 5.9p1, 6.0p1, 6.1p1, 6.2p1, 6.2p2, 6.3p1, 6.4p1, 6.5p1, 6.6p1, 6.7p1, 6.8p1, 6.9p1, 7.0p1, 7.1p1, 7.1p2, 7.2p1, 7.2p2, 7.3p1, 7.4p1, 7.5p1, 7.6p1, 7.7p1, 7.8p1, 7.9p1, 8.0p1, 8.1p1, and 8.2p1.
Several vulnerabilities were found in Trend Micro InterScan Web Security Virtual Appliance, one of which is classified as a high-risk flaw (CVE-2020-8606). Successful exploitation of this flaw could allow a remote attacker to bypass the authentication process. The other bugs could be used to execute arbitrary commands on the system, perform directory traversal attacks, or conduct XSS attacks.
A high-severity issue was discovered in FreeRDP before 2.1.1. CVE-2020-13398 is an out-of-bounds (OOB) write vulnerability that resides in the crypto_rsa_common function in libfreerdp/crypto/crypto.c. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds write, and execute arbitrary code on the target system.
Apache Kylin, an open source distributed analytics engine, has a vulnerability (CVE-2020-1956) that allows a remote attacker to execute arbitrary shell commands and compromise the target system. The vulnerability exists due to improper input validation in the RESTful API and can be exploited by sending specially crafted data to the application.
Cybozu Desktop for Windows contains an issue (CVE-2020-5537), which could allow an attacker to carry out a man-in-the-middle (MITM) attack, or perform subdomain takeover and execute arbitrary code on a system.
A serious flaw was found in MyLittleAdmin, a web application for managing MSSQL databases. It exists due to the presence of a hard-coded "machineKey" in web.config, which could be used by attackers to fully compromise the target system.
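A static machineKey shipped inside an application's web.config is shared by every installation of that product, which is why the MyLittleAdmin finding above is rated as a full compromise rather than a local misconfiguration. The defensive check below is an added example, not code from the original digest or from MyLittleAdmin: it parses a web.config document and flags any <machineKey> whose validationKey or decryptionKey is a literal value rather than the "AutoGenerate" setting. The sample configurations and key strings are constructed for illustration and are not the real MyLittleAdmin values.

```python
"""Flag hard-coded ASP.NET <machineKey> entries in a web.config document.

Added, constructed example: a product that ships a fixed validationKey /
decryptionKey gives every deployment the same keys, so the check reports
any key attribute that is a literal value instead of "AutoGenerate".
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of a vulnerable shipped web.config (keys are made up).
VULNERABLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F9000112233445566778899AABBCCDDEEFF"
                decryptionKey="00112233445566778899AABBCCDDEEFF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed sample of the recommended per-deployment setting.
SAFE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed mixed case: only one of the two keys is static.
MIXED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90"
                decryptionKey="AutoGenerate" />
  </system.web>
</configuration>
"""

KEY_ATTRIBUTES = ("validationKey", "decryptionKey")


def is_static_key(value: str) -> bool:
    """True when the attribute holds a literal key rather than AutoGenerate[,IsolateApps]."""
    return not value.strip().upper().startswith("AUTOGENERATE")


def find_hardcoded_machine_keys(xml_text: str) -> List[Dict[str, object]]:
    """Return one finding per static key attribute found on any <machineKey>.

    Each finding records the attribute name and the key length; the key
    material itself is deliberately not echoed back into scan output.
    """
    root = ET.fromstring(xml_text)
    findings: List[Dict[str, object]] = []
    for element in root.iter("machineKey"):
        for attr in KEY_ATTRIBUTES:
            value = element.get(attr)
            if value is None:
                continue  # attribute absent: ASP.NET falls back to AutoGenerate
            if is_static_key(value):
                findings.append({"attribute": attr, "key_length": len(value.strip())})
    return findings


def scan_file(path: str) -> List[Dict[str, object]]:
    """Convenience wrapper for scanning a web.config on disk."""
    with open(path, "r", encoding="utf-8") as handle:
        return find_hardcoded_machine_keys(handle.read())


if __name__ == "__main__":
    for name, config in (("vulnerable", VULNERABLE_WEB_CONFIG),
                         ("safe", SAFE_WEB_CONFIG),
                         ("mixed", MIXED_WEB_CONFIG)):
        hits = find_hardcoded_machine_keys(config)
        status = "FLAGGED" if hits else "ok"
        print(f"{name}: {status} {hits}")
```

The scan reports attribute names and key lengths only, so its output can be attached to a ticket without copying the secret further; remediation is to replace the shipped values with "AutoGenerate,IsolateApps" or with keys generated per deployment.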