7-13 Working VB HIGH, MEDIUM, and LOW tables

Released: Jul 13, 2020
Document ID: SB20-195

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 

 

High Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
| --- | --- | --- | --- | --- |
| mozilla -- multiple_products | Mozilla Developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. | 2020-07-09 | 9.3 | CVE-2020-12406 (MISC, MISC, MISC, MISC) |
| mozilla -- multiple_products | Mozilla developers reported memory safety bugs present in Firefox 76 and Firefox ESR 68.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. | 2020-07-09 | 9.3 | CVE-2020-12410 (MISC, MISC, MISC, MISC) |
| mozilla -- firefox | Mozilla developers reported memory safety bugs present in Firefox 76. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 77. | 2020-07-09 | 9.3 | CVE-2020-12411 (MISC, MISC) |
| mozilla -- multiple_products | A VideoStreamEncoder may have been freed in a race condition with VideoBroadcaster::AddOrUpdateSink, resulting in a use-after-free, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 78. | 2020-07-09 | 9.3 | CVE-2020-12416 (MISC, MISC) |
| mozilla -- multiple_products | Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash. *Note: this issue only affects Firefox on ARM64 platforms.* This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. | 2020-07-09 | 9.3 | CVE-2020-12417 (MISC, MISC, MISC, MISC) |
| mozilla -- multiple_products | When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. | 2020-07-09 | 9.3 | CVE-2020-12419 (MISC, MISC, MISC, MISC) |
| mozilla -- multiple_products | When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. | 2020-07-09 | 9.3 | CVE-2020-12420 (MISC, MISC, MISC, MISC) |
| gog -- galaxy_client | An issue was discovered in GOG Galaxy Client 2.0.17. Local escalation of privileges is possible when a user starts or uninstalls a game because of weak file permissions and missing file integrity checks. | 2020-07-05 | 9.3 | CVE-2020-15528 (MISC) |
| gog -- galaxy_client | An issue was discovered in GOG Galaxy Client 2.0.17. Local escalation of privileges is possible when a user installs a game or performs a verify/repair operation. The issue exists because of weak file permissions and can be exploited by using opportunistic locks. | 2020-07-05 | 9.3 | CVE-2020-15529 (MISC) |
| mozilla -- firefox | In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 78. | 2020-07-09 | 7.6 | CVE-2020-12422 (MISC, MISC) |
| webchess -- webchess | WebChess 1.0 allows SQL injection via the messageFrom, gameID, opponent, messageID, or to parameter. | 2020-07-07 | 7.5 | CVE-2019-20896 (CONFIRM) |
| atlassian -- jira_server_and_data_center | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to achieve template injection via the Web Resources Manager. The affected versions are before version 8.8.1. | 2020-07-03 | 7.5 | CVE-2020-14172 (MISC) |
| mobileiron -- core_and_connector | A remote code execution vulnerability in MobileIron Core and Connector versions 10.6 and earlier, and Sentry versions 9.8 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors. | 2020-07-07 | 7.5 | CVE-2020-15505 (MISC) |
| mobileiron -- core_and_connector | An Authentication Bypass vulnerability in MobileIron Core and Connector versions 10.6 and earlier that allows remote attackers to bypass authentication mechanisms via unspecified vectors. | 2020-07-07 | 7.5 | CVE-2020-15506 (MISC) |
| we-com -- opendata_cms | We-com OpenData CMS 2.0 allows SQL Injection via the username field on the administrator login page. | 2020-07-05 | 7.5 | CVE-2020-15540 (MISC, MISC) |
| solarwinds -- serv-u_ftp | SolarWinds Serv-U FTP server before 15.2.1 allows remote command execution. | 2020-07-05 | 7.5 | CVE-2020-15541 (MISC) |
| phpzag -- phpzag | SQL injection with the search parameter in Records.php for phpzag live add edit delete data tables records with ajax php mysql | 2020-07-07 | 7.5 | CVE-2020-8519 (MLIST, MISC, MISC) |
| phpzag -- phpzag | SQL injection in order and column parameters in Records.php for phpzag live add edit delete data tables records with ajax php mysql | 2020-07-07 | 7.5 | CVE-2020-8520 (MLIST, MISC, MISC) |
| phpzag -- phpzag | SQL injection with start and length parameters in Records.php for phpzag live add edit delete data tables records with ajax php mysql | 2020-07-07 | 7.5 | CVE-2020-8521 (MLIST, MISC, MISC) |
| google -- android | An issue was discovered on Samsung mobile devices with Q(10.0) software. Attackers can trigger an out-of-bounds access and device reset via a 4K wallpaper image because ImageProcessHelper mishandles boundary checks. The Samsung ID is SVE-2020-18056 (July 2020). | 2020-07-07 | 7.1 | CVE-2020-15584 (CONFIRM) |


 

Medium Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
| --- | --- | --- | --- | --- |
| mozilla -- multiple_products | An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 16 GB of RAM. This results in the use of uninitialized memory, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.1, Thunderbird < 60, and Firefox < 61. | 2020-07-09 | 6.8 | CVE-2018-12371 (MISC, MISC, MISC, MISC) |
| adobe -- acrobat_and_reader | Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution. | 2020-07-06 | 6.8 | CVE-2019-8249 (CONFIRM) |
| adobe -- acrobat_and_reader | Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution. | 2020-07-06 | 6.8 | CVE-2019-8250 (CONFIRM) |
| mozilla -- firefox | When using certain blank characters in a URL, they were incorrectly rendered as spaces instead of an encoded URL. This vulnerability affects Firefox < 77. | 2020-07-09 | 6.8 | CVE-2020-12409 (MISC, MISC) |
| huawei -- mate_30_smartphones | HUAWEI Mate 30 with versions earlier than 10.1.0.150(C00E136R5P3) have a type confusion vulnerability. The system does not properly check and transform the type of certain variable, the attacker tricks the user into installing then running a crafted application, successful exploit could cause code execution. | 2020-07-06 | 6.8 | CVE-2020-9261 (MISC) |
| huawei -- mate_30_smartphones | HUAWEI Mate 30 with versions earlier than 10.1.0.150(C00E136R5P3) have a use after free vulnerability. There is a condition exists that the system would reference memory after it has been freed, the attacker should trick the user into running a crafted application with high privilege, successful exploit could cause code execution. | 2020-07-06 | 6.8 | CVE-2020-9262 (MISC) |
| phplist -- phplist | An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section. | 2020-07-08 | 6.5 | CVE-2020-15072 (MISC, CONFIRM, CONFIRM) |
| wireshark -- wireshark | In Wireshark 3.2.0 to 3.2.4, the GVCP dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-gvcp.c by ensuring that an offset increases in all situations. | 2020-07-05 | 5 | CVE-2020-15466 (MISC, MISC, MISC) |
| mobileiron -- core_and_connector | An arbitrary file reading vulnerability in MobileIron Core and Connector versions 10.6 and earlier that allows remote attackers to read files on the system via unspecified vectors. | 2020-07-07 | 5 | CVE-2020-15507 (MISC) |
| google -- android | An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. Attackers can bypass Factory Reset Protection (FRP) via the KNOX API. The Samsung ID is SVE-2020-17318 (July 2020). | 2020-07-07 | 5 | CVE-2020-15579 (CONFIRM) |
| google -- android | An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. The kernel logging feature allows attackers to discover virtual addresses via vectors involving shared memory. The Samsung ID is SVE-2020-17605 (July 2020). | 2020-07-07 | 5 | CVE-2020-15581 (CONFIRM) |
| atlassian -- jira_server_and_data_center | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to execute arbitrary code via a DLL hijacking vulnerability in Tomcat. The affected versions are before version 8.5.5, and from version 8.6.0 before 8.7.2. | 2020-07-03 | 4.4 | CVE-2019-20419 (MISC) |
| huawei -- hisuite | Earlier than HiSuite 10.1.0.500 have a DLL hijacking vulnerability. This vulnerability exists due to some DLL file is loaded by HiSuite improperly. And it allows an attacker to load this DLL file of the attacker's choosing. | 2020-07-06 | 4.4 | CVE-2020-9100 (MISC) |
| adobe -- acrobat_and_reader | Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a type confusion vulnerability. Successful exploitation could lead to information disclosure. | 2020-07-06 | 4.3 | CVE-2019-8251 (CONFIRM) |
| mozilla -- multiple_products | NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. | 2020-07-09 | 4.3 | CVE-2020-12399 (MISC, MISC, MISC, MISC) |
| mozilla -- firefox | During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes. *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78. | 2020-07-09 | 4.3 | CVE-2020-12402 (MISC, MISC) |
| mozilla -- firefox_for_ios | For native-to-JS bridging the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token could leak when used for downloading files. This vulnerability affects Firefox for iOS < 26. | 2020-07-09 | 4.3 | CVE-2020-12404 (MISC, MISC) |
| mozilla -- firefox | When browsing a document hosted on an IP address, an attacker could insert certain characters to flip domain and path information in the address bar. This vulnerability affects Firefox < 77. | 2020-07-09 | 4.3 | CVE-2020-12408 (MISC, MISC) |
| mozilla -- firefox | By navigating a tab using the history API, an attacker could cause the address bar to display the incorrect domain (with the https:// scheme, a blocked port number such as '1', and without a lock icon) while controlling the page contents. This vulnerability affects Firefox < 70. | 2020-07-09 | 4.3 | CVE-2020-12412 (MISC, MISC) |
| mozilla -- firefox_for_ios | IndexedDB should be cleared when leaving private browsing mode and it is not, the API for WKWebViewConfiguration was being used incorrectly and requires the private instance of this object be deleted when leaving private mode. This vulnerability affects Firefox for iOS < 27. | 2020-07-09 | 4.3 | CVE-2020-12414 (MISC, MISC) |
| mozilla -- firefox | When "%2F" was present in a manifest URL, Firefox's AppCache behavior may have become confused and allowed a manifest to be served from a subdirectory. This could cause the appcache to be used to service requests for the top level directory. This vulnerability affects Firefox < 78. | 2020-07-09 | 4.3 | CVE-2020-12415 (MISC, MISC) |
| mozilla -- multiple_products | Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. | 2020-07-09 | 4.3 | CVE-2020-12418 (MISC, MISC, MISC, MISC) |
| mozilla -- multiple_products | When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. | 2020-07-09 | 4.3 | CVE-2020-12421 (MISC, MISC, MISC, MISC) |
| mozilla -- firefox | When constructing a permission prompt for WebRTC, a URI was supplied from the content process. This URI was untrusted, and could have been the URI of an origin that was previously granted permission; bypassing the prompt. This vulnerability affects Firefox < 78. | 2020-07-09 | 4.3 | CVE-2020-12424 (MISC, MISC) |
| mozilla -- firefox | Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have occurred, leading to potential information disclosure. This vulnerability affects Firefox < 78. | 2020-07-09 | 4.3 | CVE-2020-12425 (MISC, MISC) |
| hesk -- hesk | An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. A Stored XSS issue allows remote unauthenticated attackers to abuse a helpdesk user's logged in session. A user with sufficient privileges to change their login-page image must open a crafted ticket. | 2020-07-09 | 4.3 | CVE-2020-13992 (MISC) |
| wordpress -- wordpress | An issue was discovered in the bestsoftinc Car Rental System plugin through 1.3 for WordPress. Persistent XSS can occur via any of the registration fields. | 2020-07-05 | 4.3 | CVE-2020-15535 (MISC, MISC) |
| wordpress -- wordpress | An issue was discovered in the Vanguard plugin 2.1 for WordPress. XSS can occur via the mails/new title field, a product field to the p/ URI, or the Products Search box. | 2020-07-05 | 4.3 | CVE-2020-15537 (MISC, MISC) |
| milkytracker -- playergeneric | PlayerGeneric.cpp in MilkyTracker through 1.02.00 has a use-after-free in the PlayerGeneric destructor. | 2020-07-06 | 4.3 | CVE-2020-15569 (MISC) |
| whoopsie -- whoopsie | The parse_report() function in whoopsie.c in Whoopsie through 0.2.69 mishandles memory allocation failures, which allows an attacker to cause a denial of service via a malformed crash file. | 2020-07-06 | 4.3 | CVE-2020-15570 (MISC, MISC, MISC, MISC) |
| google -- android | An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (Exynos 7885 chipsets) software. The Bluetooth Low Energy (BLE) component has a buffer overflow with a resultant deadlock or crash. The Samsung ID is SVE-2020-16870 (July 2020). | 2020-07-07 | 4.3 | CVE-2020-15582 (CONFIRM) |
| victor_cms -- victor_cms | Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field. | 2020-07-07 | 4.3 | CVE-2020-15599 (CONFIRM) |
| parall -- jspdf | In all versions of the package jspdf, it is possible to use `<<script>script>` in order to go over the filtering regex. | 2020-07-06 | 4.3 | CVE-2020-7691 (MISC, MISC, MISC, MISC, MISC) |
| huawei -- p30_smartphones | HUAWEI P30 with versions earlier than 10.1.0.135(C00E135R2P11) have an improper signature verification vulnerability. The system does not properly check signature of specific software package, an attacker may exploit this vulnerability to load a crafted software package to the device. | 2020-07-06 | 4.3 | CVE-2020-9226 (MISC) |
| atlassian -- jira_server_and_data_center | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. The affected versions are before version 8.8.0. | 2020-07-03 | 4 | CVE-2019-20418 (N/A) |
| electron -- electron | In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21. | 2020-07-07 | 4 | CVE-2020-15096 (CONFIRM, MISC) |


 

Low Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
| --- | --- | --- | --- | --- |
| huawei -- mate_30_smartphones | HUAWEI Mate 30 with versions earlier than 10.1.0.150(C00E136R5P3) have a race condition vulnerability. There is a timing window exists in which certain pointer members can be modified by another process that is operating concurrently, an attacker should trick the user into running a crafted application with high privilege, successful exploit could cause code execution. | 2020-07-06 | 3.7 | CVE-2020-1839 (MISC) |
| atlassian -- jira_server_and_data_center | The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1. | 2020-07-03 | 3.5 | CVE-2020-14173 (MISC) |
| nedi_consulting -- nedi | NeDi 1.9C is vulnerable to a cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Map.php xo parameter. | 2020-07-07 | 3.5 | CVE-2020-15028 (MISC, MISC) |
| nedi_consulting -- nedi | NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Assets-Management.php sn parameter. | 2020-07-07 | 3.5 | CVE-2020-15029 (MISC, MISC) |
| nedi_consulting -- nedi | NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Routes.php rtr parameter. | 2020-07-07 | 3.5 | CVE-2020-15030 (MISC, MISC) |
| nedi_consulting -- nedi | NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Assets-Management.php chg parameter. | 2020-07-07 | 3.5 | CVE-2020-15031 (MISC, MISC) |
| nedi_consulting -- nedi | NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Monitoring-Incidents.php id parameter. | 2020-07-07 | 3.5 | CVE-2020-15032 (MISC, MISC) |
| nedi_consulting -- nedi | NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the snmpget.php ip parameter. | 2020-07-07 | 3.5 | CVE-2020-15033 (MISC, MISC) |
| nedi_consulting -- nedi | NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Monitoring-Setup.php tet parameter. | 2020-07-07 | 3.5 | CVE-2020-15034 (MISC, MISC) |
| nedi_consulting -- nedi | NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Monitoring-Map.php hde parameter. | 2020-07-07 | 3.5 | CVE-2020-15035 (MISC, MISC) |
| nedi_consulting -- nedi | NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Linked.php dv parameter. | 2020-07-07 | 3.5 | CVE-2020-15036 (MISC, MISC) |
| nedi_consulting -- nedi | NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Reports-Devices.php page st[] parameter. | 2020-07-07 | 3.5 | CVE-2020-15037 (MISC, MISC) |
| phplist -- phplist | An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section. | 2020-07-08 | 3.5 | CVE-2020-15073 (MISC, CONFIRM, CONFIRM) |
| huawei -- p30_smartphones | HUAWEI P30 with versions earlier than 10.1.0.160(C00E160R2P11) and HUAWEI P30 Pro with versions earlier than 10.1.0.160(C00E160R2P8) have an information disclosure vulnerability. Certain function's default configuration in the system seems insecure, an attacker should craft a WI-FI hotspot to launch the attack. Successful exploit could cause information disclosure. | 2020-07-06 | 2.9 | CVE-2020-1836 (MISC) |
| mozilla -- multiple_products | When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. | 2020-07-09 | 2.6 | CVE-2020-12405 (MISC, MISC, MISC, MISC) |
| mozilla -- firefox | Mozilla Developer Nicolas Silva found that when using WebRender, Firefox would under certain conditions leak arbitrary GPU memory to the visible screen. The leaked memory content was visible to the user, but not observable from web content. This vulnerability affects Firefox < 77. | 2020-07-09 | 2.6 | CVE-2020-12407 (MISC, MISC) |
| google -- android | An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. Cameralyzer allows attackers to write files to the SD card. The Samsung ID is SVE-2020-16830 (July 2020). | 2020-07-07 | 2.1 | CVE-2020-15577 (CONFIRM) |
| google -- android | An issue was discovered on Samsung mobile devices with O(8.x) software. FactoryCamera does not properly restrict runtime permissions. The Samsung ID is SVE-2020-17270 (July 2020). | 2020-07-07 | 2.1 | CVE-2020-15578 (CONFIRM) |
| google -- android | An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. Attackers can bypass Factory Reset Protection (FRP) by enrolling a new lock password. The Samsung ID is SVE-2020-17328 (July 2020). | 2020-07-07 | 2.1 | CVE-2020-15580 (CONFIRM) |
| google -- android | An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. StickerProvider allows directory traversal for access to system files. The Samsung ID is SVE-2020-17665 (July 2020). | 2020-07-07 | 2.1 | CVE-2020-15583 (CONFIRM) |
| huawei -- mate_30_pro_smartphones | HUAWEI Mate 30 Pro with versions earlier than 10.1.0.150(C00E136R5P3) have an improper authentication vulnerability. The device does not sufficiently validate certain credential of user's face, an attacker could craft the credential of the user, successful exploit could allow the attacker to pass the authentication with the crafted credential. | 2020-07-06 | 1.9 | CVE-2020-1838 (MISC) |
