CVE-2020-9411
The file transfer component of TIBCO Software Inc.’s TIBCO Managed File Transfer Platform Server for IBM i contains a vulnerability that theoretically allows an attacker to perform unauthorized network file transfers to and from...
An unquoted search path vulnerability was reported in versions prior to 1.0.83.0 of the Synaptics Smart Audio UWP app associated with the DCHU audio drivers on Lenovo platforms that could allow an administrative user...
Lenovo implemented Intel CSME Anti-rollback ARB protections on some ThinkPad models to prevent roll back of CSME Firmware in flash. Date published : 2020-06-09 https://support.lenovo.com/us/en/product_security/LEN-30042
The BIOS tamper detection mechanism was not triggered in Lenovo ThinkPad T495s, X395, T495, A485, A285, A475, A275 which may allow for unauthorized access. Date published : 2020-06-09 https://support.lenovo.com/us/en/product_security/LEN-30042
A potential vulnerability in the SMI callback function used in the Legacy SD driver in some Lenovo ThinkPad, ThinkStation, and Lenovo Notebook models may allow arbitrary code execution. Date published : 2020-06-09 https://support.lenovo.com/us/en/product_security/LEN-30042
A potential vulnerability in the SMI callback function used in the Legacy USB driver in some Lenovo Notebook and ThinkStation models may allow arbitrary code execution. Date published : 2020-06-09 https://support.lenovo.com/us/en/product_security/LEN-30042
A potential vulnerability in the SMI callback function used in the System Lock Preinstallation driver in some Lenovo Notebook and ThinkStation models may allow arbitrary code execution. Date published : 2020-06-09 https://support.lenovo.com/us/en/product_security/LEN-30042
An internal shell was included in the BIOS image in some ThinkPad models that could allow escalation of privilege. Date published : 2020-06-09 https://support.lenovo.com/us/en/product_security/LEN-30042
In FreeBSD 12.1-STABLE before r361918, 12.1-RELEASE before p6, 11.4-STABLE before r361919, 11.3-RELEASE before p10, and 11.4-RC2 before p1, an invalid memory location may be used for HID items if the push/pop level is not...
SAP Commerce, versions – 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions – 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the...
SONY Wireless Headphones WF-1000X, WF-SP700N, WH-1000XM2, WH-1000XM3, WH-CH700N, WH-H900N, WH-XB700, WH-XB900N, WI-1000X, WI-C600N and WI-SP600N with firmware versions prior to 4.5.2 have a vulnerability whereby someone within Bluetooth range can make the Bluetooth pairing...
This issue was addressed with improved checks. This issue is fixed in macOS Catalina 10.15.5. Importing a maliciously crafted calendar invitation may exfiltrate user information. Date published : 2020-06-09 https://support.apple.com/HT211170
The J2Store plugin before 3.3.13 for Joomla! allows a SQL injection attack by a trusted store manager. Date published : 2020-06-09 https://www.j2store.org/download-j2store/j2store-v3-3-3-13.html https://www.j2store.org/resources/change-log.html
** DISPUTED ** OpenCart 3.0.3.3 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users’ image upload section because of a lack of entity encoding. NOTE: this issue exists...