A remote code execution vulnerability exists in Microsoft Outlook software when the software fails to properly handle objects in memory, aka 'Microsoft Outlook Remote Code Execution Vulnerability'.

CVE-2020-16947

A vulnerability has been identified in Desigo Insight (All versions). The web service does not properly apply input validation for some query parameters in a reserved area. This could allow an authenticated attacker to retrieve data via a content-based blind SQL injection attack.

%PDF-1.5 %���� 1 0 obj << /D \[2 0 R /XYZ 70.866 771.024 null\] >> endobj 3 0 obj << /D \[2 0 R /XYZ 70.866 630.026 null\] >> endobj 4 0 obj << /D \[2 0 R /XYZ 70.866 445.075 null\] >> endobj 5 0 obj << /D \[2 0 R /XYZ 70.866 332.073 null\] >> endobj 6 0 obj << /D \[7 0 R /XYZ 85.039 348.533 null\] >> endobj 8 0 obj << /D \[9 0 R /XYZ 70.866 771.024 null\] >> endobj 10 0 obj << /S /GoTo /D \[2 0 R /Fit\] >> endobj 2 0 obj << /Contents 11 0 R /Type /Page /Resources 12 0 R /Parent 13 0 R /Annots \[14 0 R 15 0 R 16 0 R\] /MediaBox \[0 0 595.276 841.89\] >> endobj 14 0 obj << /A << /S /URI /Type /Action /URI (https://support.industry.siemens.com/cs/ww/en/view/109781922) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[303.117 470.474 518.276 481.891\] >> endobj 16 0 obj << /A << /S /URI /Type /Action /URI (https://www.first.org/cvss/) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[131.954 106.029 248.203 117.566\] >> endobj 17 0 obj << /A << /S /URI /Type /Action /URI (https://cwe.mitre.org/) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[69.87 721.983 163.926 733.519\] >> endobj 12 0 obj << /ProcSet \[/PDF /Text\] /Font << /F55 18 0 R /F52 19 0 R >> >> endobj 11 0 obj << /Filter /FlateDecode /Length 2960 >> stream xڵZ\[S�F~�W�m� �7I=o0Y��C6��A���-G�a�\_���nْ|AS�V c��}n}.��v0x��>��N>)>оy8=����pi�+ F��o�m���y9<�Q�ݦ�e1

CVE-2020-15792

Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) use undocumented accounts.

2020-10-05 14:00 (CEST) VDE-2020-040  

**Pepperl+Fuchs: Multiple Products prone to multiple vulnerabilities in Comtrol RocketLinux**  
Share: Email | Twitter  

**

Published

**

2020-10-05 14:00 (CEST)

**

Last update

**

2020-10-05 14:00 (CEST)

**Vendor(s)**

Pepperl+Fuchs SE  

**Product(s)**

Article No°

Product Name

Affected Version(s)

ES7506

all versions

ES7506

all versions

ES7510

all versions

ES7510-XT

all versions

ES7528

all versions

ES8508

all versions

ES8508F

all versions

ES8509-XT

all versions

ES8510

all versions

ES8510-XT

all versions

ES8510-XTE

all versions

ES9528/ES9528-XT

all versions

ES9528-XTv2

all versions

**

Summary

**

Several critical vulnerabilities within Firmware have been identified. Please consult the CVEs for details.

**

Vulnerabilities

**

**Summary**

_Active TFTP-Service_

**Summary**

_Unauthenticated Device Administration_

**Weakness**

Use of Hardcoded Credentials (CWE-798)

**Summary**

_Undocumented Accounts_

**Weakness**

Cross-Site Request Forgery (CSRF) (CWE-352)

**Summary**

_Unauthenticated Device Administration_

**Weakness**

Improper Input Validation (CWE-20)

**Summary**

_Multiple Authenticated Command Injections_

**

Impact

**

Pepperl+Fuchs analyzed and identified affected devices.  
Remote attackers may exploit multiple vulnerabilities to get access to the device and  
execute any program and tap information.

**

Solution

**

An external protective measure is required.

1) Traffic from untrusted networks to the device should be blocked by a firewall. Especially  
traffic targeting the administration webpage.

2) Administrator and user access should be protected by a secure password and only be  
available to a very limited group of people.

**

Reported by

**

CVE-2020-12501: VDE-2020-040 | CERT@VDE

Improperly implemented security check in McAfee MVISION Endpoint Detection and Response Client (MVEDR) prior to 3.2.0 may allow local administrators to execute malicious code via stopping a core Windows service leaving McAfee core trust component in an inconsistent state resulting in MVEDR failing open rather than closed

Download our support app to manage your open Service Requests.

CVE-2020-7327

The Windows Logon installer prior to 4.1.2 did not properly validate file installation paths. This allows an attacker with local user privileges to coerce the installer to write to arbitrary privileged directories. If successful, an attacker can manipulate files used by Windows Logon, cause Denial of Service (DoS) by deleting file(s), or replace system files to potentially achieve elevation of privileges. Note that this can only exploitable during new installations while the installer is running and is not exploitable once installation is finished. Versions 4.1.2 of Windows Logon addresses this issue.

Duo integrates with Microsoft Windows client and server operating systems to add two-factor authentication to Remote Desktop and local logons.

Download the current release from the Checksums and Downloads page.

**Version 4.2.0 - September 23, 2021**

*   Introduces remembered devices for local Windows logins. The Remembered Devices policy for Duo MFA, Access, and Beyond plan customers now includes settings for Windows Logon. Remembering the device during online authentication creates a trusted session, letting users skip Duo two-factor authentication for the lifetime of the session.
*   Adds the hostname of the system where Duo for Windows Logon is installed to Duo Mobile push requests and the Windows logon authentication type (Local, RDP, UAC) to Duo Push request notifications.
*   Adds support for Windows 11 and Windows Server 2022.
*   Bug fixes.

**Version 4.1.3 - November 2, 2020**

*   Fixes an issue with Duo Windows Logon installer that may cause a MSI self-repair and subsequent "Installation stopped" error from Duo Windows Logon Installer. Customers upgrading from 4.1.2 may still experience unexpected MSI self repairs during installation. Refer to Duo KB article 6462 for additional remediation steps.

**Version 4.1.2 - October 14, 2020**

*   Addresses an elevation of privilege vulnerability in the Windows Logon installer which could allow an authenticated local attacker to overwrite files in privileged directories (CVE-2020-3427). The vulnerability was limited to the installer only, and did not affect the application once installed.

**Version 4.1.1 - July 13, 2020**

*   Updated installer to remove the password check that contributed to user lockouts in v4.1.0 when installed on Active Directory Domain Controllers. Customers with v4.1.0 installed should upgrade to v4.1.1 at the earliest opportunity.

**Version 4.1.0 - April 29, 2020**

There is a known issue with installation of Duo Authentication for Windows Logon and RDP version 4.1 on Active Directory domain controllers that may trigger user lockouts.

*   Introduces User Elevation, which adds the 2FA Duo prompt for credentialed User Account Control.
*   GPO template updated to include User Elevation configuration.
*   SHA-256 signed installer.
*   Additional bug fixes and security enhancements

**Version 4.0.7 - October 2019**

*   Fixes an issue related to multiple in-flight authentications.
*   Support for Windows Server 2008 R2 and Windows 7 ends in January 2020. Future releases may not function on unsupported operating systems.

**Version 4.0.6 - September 2019**

*   Added a support tool that sanitizes and packages config and log files into a zip file you can send to Duo Support when troubleshooting issues.
*   Added log file rotation.
*   Added additional UI installer options for HTTP proxy settings.
*   Updated GPO template to include log file rotation and Offline Authentication configuration.
*   Removed .NET dependency for the installer connectivity check.
*   Fixed a bug that would result in "Ordinal Not Found" being displayed in certain scenarios.
*   Fixed the flow of windows password changes that could cause re-enrollment in Offline Authentication.
*   Removed errant log message stating "Duo Auth Not Configured".
*   Response to CERT/CC Vulnerability Note VU#576688.
*   Security improvements for Offline Authentication.
*   Additional bug fixes and security enhancements.

**Version 4.0.5 - April 2019**

*   Correct issue enforcing secure failmode (FailOpen=0) when the Offline Access feature is disabled at the client system (OfflineAvailable=0). PSA-2019-001 (CVE-2019-11237)

**Version 4.0.3 - February 2019**

*   Corrected issue with installer not preserving configured options on upgrade.

**Version 4.0.2 - February 2019**

*   Corrected an issue with offline access de-provisioning registered users unexpectedly after a bypass login.
*   Installer dialog changes for integration and smart card options.
*   Command line installer now permits setting all configuration options.
*   Fixed issues with installer product codes that affected MSI in-place upgrades.

**Version 4.0.1 - December 2018**

*   UsernameFormatForService setting now respected when set via GPO.
*   Bug fixes.

**Version 4.0.0 - November 2018**

*   Introduces offline access with Duo MFA.
*   Adds support for Windows Server 2019. Deprecates support for Windows 8 and 2008.
*   Now includes the Windows hostname of the system where Duo is installed in the Duo authentication logs for both remote and local console logins.
*   Bug fixes

**Version 3.1.2 - May 2018**

*   Installer improvements, including a new API connectivity check

**Version 3.1.1 - October 2017**

*   Supports chaining Duo authentication with smart card logon
*   Configurable username format for Duo now supports userPrincipalName (UPN)
*   Bug fixes

**Version 3.1.0 - July 2017**

*   Support for wrapped credential providers
*   Permits an allow list of third-party credential providers
*   Configurable Duo username format sAMAccountName or NTLM name (msDS-PrincipalName)
*   Silent MSI command line upgrade

**Version 3.0.0.85 - February 2017**

*   New authentication prompt UI
*   Dropped active support for Windows Vista

**Version 2.1.0 - September 2016**

*   Added option to allow smart card authentication
*   Windows Server 2016 support

**Version 2.0.0.71 - February 2016**

*   Added HTTP proxy of Duo authentication traffic only
*   Supports configuration via Group Policy

**Version 1.2.0.14 - August 2015**

*   Windows 10 support

**Version 1.1.8 - September 2014**

*   Last release with support for Windows 2003 and XP.
*   Improved handling of UPN usernames
*   Adjustment to authentication attempt timeout logic
*   Bugfixes

**Version 1.1.7 - April 2014**

*   Ensured that the secondary login window always appears on Server 2012, Windows 8, and newer

**Version 1.1.6 - April 2014**

*   Fixed upgrades using .msi installers in headless mode

**Version 1.1.5 - March 2014**

*   Fixed log on to domain accounts on offline workstations
*   Fixed log on to domain accounts with usernames that match local accounts

**Version 1.1.4 - Jan 2014**

*   Bugfixes

**Version 1.1.3 - Jan 2014**

*   Fixed double-prompt for username/password when logging into Windows 7 / Server 2008 R2 (or newer) with an RDP client supporting Network-Level Authentication

**Version 1.1.2 - Oct 2013**

*   Used a more reliable mechanism to determine client IP addresses

**Version 1.1.1 - Oct 2013**

*   Fixed issues parsing usernames

**Version 1.1.0 - Sept 2013**

*   Support for Auto-push

**Version 1.0.7 - July 2013**

*   Fixed password-reset workflow
*   Fixed reporting of client IP addresses for RDP sessions
*   Added support for system-wide WinHTTP proxy configuration

**Version 1.0.6 - November 2012**

*   Released Windows Server 2003 version

CVE-2020-3427: Duo Authentication for Windows Logon and RDP - Release Notes

A cross-site request forgery (CSRF) vulnerability in Jenkins Shared Objects Plugin 0.44 and earlier allows attackers to configure shared objects.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Active Choices Plugin
*   Audit Trail Plugin
*   couchdb-statistics Plugin
*   Maven Cascade Release Plugin
*   Nerrvana Plugin
*   Persona Plugin
*   Release Plugin
*   Role-based Authorization Strategy Plugin
*   Shared Objects Plugin
*   SMS Notification Plugin

**Descriptions****Improper authorization due to caching in Role-based Authorization Strategy Plugin**

**SECURITY-1767 / CVE-2020-2286**  
**Severity (CVSS):** High  
**Affected plugin: role-strategy**  
**Description:**

Role-based Authorization Strategy Plugin 2.12 and newer uses a cache to speed up permission lookups.

In Role-based Authorization Strategy Plugin 3.0 and earlier this cache is not invalidated properly when an administrator changes the permission configuration. This can result in permissions being granted long after the configuration was changed to no longer grant them.

Role-based Authorization Strategy Plugin 3.1 properly invalidates the cache on configuration changes.

**Request logging could be bypassed in Audit Trail Plugin**

**SECURITY-1815 / CVE-2020-2287**  
**Severity (CVSS):** Medium  
**Affected plugin: audit-trail**  
**Description:**

Audit Trail Plugin logs requests whose URL path matches an admin-configured regular expression.

A discrepancy between the behavior of the plugin and the Stapler web framework in parsing URL paths allows attackers to craft URLs that would bypass request logging in Audit Trail Plugin 3.6 and earlier. This only applies to Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, as the fix for SECURITY-1774 prohibits dispatch of affected requests.

Audit Trail Plugin 3.7 processes request URL paths the same way as the Stapler web framework.

**Incorrect default pattern in Audit Trail Plugin**

**SECURITY-1846 / CVE-2020-2288**  
**Severity (CVSS):** Medium  
**Affected plugin: audit-trail**  
**Description:**

Audit Trail Plugin uses regular expressions to match requested URLs whose dispatch should be logged.

In Audit Trail Plugin 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling.

Audit Trail Plugin 3.7 changes the default regular expression pattern so that it allows for arbitrary suffixes. It automatically will replace previous default patterns with the new, more complete default pattern.

Additionally, an administrative monitor is shown if a user-specified pattern is found to be bypassable through crafted URLs and form validation was improved to recognize patterns that would not match requests with arbitrary suffixes.

**Stored XSS vulnerability in Active Choices Plugin**

**SECURITY-1954 / CVE-2020-2289**  
**Severity (CVSS):** High  
**Affected plugin: uno-choice**  
**Description:**

Active Choices Plugin 2.4 and earlier does not escape the name and description of build parameters.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Active Choices Plugin 2.5 escapes the name of build parameters and applies the configured markup formatter to the description of build parameters.

**Stored XSS vulnerability in Active Choices Plugin**

**SECURITY-2008 / CVE-2020-2290**  
**Severity (CVSS):** High  
**Affected plugin: uno-choice**  
**Description:**

Active Choices Plugin 2.4 and earlier does not escape List and Map return values of sandboxed scripts for _Reactive Reference Parameter_.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

This issue is caused by an incomplete fix for SECURITY-470.

Active Choices Plugin 2.5 escapes all legal return values of sandboxed scripts.

**Password stored in plain text by couchdb-statistics Plugin**

**SECURITY-2065 / CVE-2020-2291**  
**Severity (CVSS):** Low  
**Affected plugin: couchdb-statistics**  
**Description:**

couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file org.jenkinsci.plugins.couchstats.CouchStatsConfig.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

couchdb-statistics Plugin 0.4 stores its server password encrypted once its configuration is saved again.

**Stored XSS vulnerability in Release Plugin**

**SECURITY-1928 / CVE-2020-2292**  
**Severity (CVSS):** High  
**Affected plugin: release**  
**Description:**

Release Plugin 2.10.2 and earlier does not escape the release version in the badge tooltip.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission.

As of publication of this advisory, there is no fix.

**Arbitrary file read vulnerability in Persona Plugin**

**SECURITY-2046 / CVE-2020-2293**  
**Severity (CVSS):** Medium  
**Affected plugin: persona**  
**Description:**

Persona Plugin 2.4 and earlier allows users with Overall/Read permission to read arbitrary files on the Jenkins controller.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Maven Cascade Release Plugin**

**SECURITY-2049 / CVE-2020-2294 (permission check), CVE-2020-2295 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: maven-release-cascade**  
**Description:**

Maven Cascade Release Plugin 1.3.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to start cascade builds and layout builds, and reconfigure the plugin.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability in Shared Objects Plugin**

**SECURITY-2052 / CVE-2020-2296**  
**Severity (CVSS):** Medium  
**Affected plugin: shared-objects**  
**Description:**

Shared Objects Plugin 0.44 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to configure shared objects.

As of publication of this advisory, there is no fix.

**Access token stored in plain text by SMS Notification Plugin**

**SECURITY-2054 / CVE-2020-2297**  
**Severity (CVSS):** Low  
**Affected plugin: sms**  
**Description:**

SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file com.hoiio.jenkins.plugin.SMSNotification.xml on the Jenkins controller as part of its configuration.

This access token can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**XXE vulnerability in Nerrvana Plugin**

**SECURITY-2097 / CVE-2020-2298**  
**Severity (CVSS):** High  
**Affected plugin: nerrvana-plugin**  
**Description:**

Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Overall/Read permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, XML parsing is exposed as a form validation endpoint that does not require POST requests, allowing exploitation by users without Overall/Read permission via CSRF.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1767: High
*   SECURITY-1815: Medium
*   SECURITY-1846: Medium
*   SECURITY-1928: High
*   SECURITY-1954: High
*   SECURITY-2008: High
*   SECURITY-2046: Medium
*   SECURITY-2049: Medium
*   SECURITY-2052: Medium
*   SECURITY-2054: Low
*   SECURITY-2065: Low
*   SECURITY-2097: High

**Affected Versions**

*   **Active Choices Plugin** up to and including 2.4
*   **Audit Trail Plugin** up to and including 3.6
*   **couchdb-statistics Plugin** up to and including 0.3
*   **Maven Cascade Release Plugin** up to and including 1.3.2
*   **Nerrvana Plugin** up to and including 1.02.06
*   **Persona Plugin** up to and including 2.4
*   **Release Plugin** up to and including 2.10.2
*   **Role-based Authorization Strategy Plugin** up to and including 3.0
*   **Shared Objects Plugin** up to and including 0.44
*   **SMS Notification Plugin** up to and including 1.2

**Fix**

*   **Active Choices Plugin** should be updated to version 2.5
*   **Audit Trail Plugin** should be updated to version 3.7
*   **couchdb-statistics Plugin** should be updated to version 0.4
*   **Role-based Authorization Strategy Plugin** should be updated to version 3.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Maven Cascade Release Plugin
*   Nerrvana Plugin
*   Persona Plugin
*   Release Plugin
*   Shared Objects Plugin
*   SMS Notification Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1846, SECURITY-2046, SECURITY-2097
*   **Daniel Beck, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-1815
*   **Jeff Thompson, CloudBees, Inc.** for SECURITY-2052
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2054, SECURITY-2065
*   **Raihaan Shouhell, Autodesk, Inc** for SECURITY-1767
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1928, SECURITY-1954, SECURITY-2008
*   **Wadeck Follonier, CloudBees, Inc. and Jeff Thompson, CloudBees, Inc.** for SECURITY-2049

CVE-2020-2296: Jenkins Security Advisory 2020-10-08

Jenkins Release Plugin 2.10.2 and earlier does not escape the release version in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission.

CVE-2020-2292: Jenkins Security Advisory 2020-10-08

A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability.

'1878635?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-25626: Invalid Bug ID

In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1.11.0, viewers mishandle TLS certificate exceptions. They store the certificates as authorities, meaning that the owner of a certificate could impersonate any server after a client had added an exception.

Permalink

Browse files

Properly store certificate exceptions in Java viewer

Like the native viewer, the Java viewer didn't store certificate
exceptions properly. Whilst not as bad as the native viewer, it still
failed to check that a stored certificate wouldn't be maliciously used
for another server. In practice this can in most cases be used to
impersonate another server.

Handle this like the native viewer by storing exceptions for a specific
hostname/certificate combination.

(cherry picked from commit f029745)

*   Loading branch information

CVE-2020-26117: Properly store certificate exceptions in Java viewer · TigerVNC/tigervnc@20dea80

Pagure before 5.6 allows XSS via the templates/blame.html blame view.

Tag

#perl