ID: CVE-2020-10148 |
Title: SolarWinds Orion SUNBURST infection |
Type: Software |
Bulletins:
CVE-2020-10148 |
Severity: High |
Description: The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected. | ||||
Applies to: SolarWinds Orion |
Created: 2020-12-23 |
Updated: 2024-09-07 |
ID: CISEC:8473 |
Title: Windows Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8473 CVE-2020-17057 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8437 |
Title: Windows WalletService Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8437 CVE-2020-16999 |
Severity: Low |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8451 |
Title: Windows WalletService Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8451 CVE-2020-17037 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8425 |
Title: Windows USO Core Worker Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8425 CVE-2020-17075 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8472 |
Title: Windows Update Stack Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8472 CVE-2020-17077 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8450 |
Title: Windows Update Orchestrator Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8450 CVE-2020-17073 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8431 |
Title: Windows Update Orchestrator Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8431 CVE-2020-17076 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8433 |
Title: Windows Update Orchestrator Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8433 CVE-2020-17074 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8440 |
Title: Windows Update Medic Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8440 CVE-2020-17070 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8463 |
Title: Windows Spoofing Vulnerability |
Type: Software |
Bulletins:
CISEC:8463 CVE-2020-1599 |
Severity: Low |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8454 |
Title: Windows Remote Access Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8454 CVE-2020-17031 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8467 |
Title: Windows Remote Access Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8467 CVE-2020-17044 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8469 |
Title: Windows Remote Access Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8469 CVE-2020-17027 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8475 |
Title: Windows Remote Access Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8475 CVE-2020-17043 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8428 |
Title: Windows Remote Access Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8428 CVE-2020-17033 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8429 |
Title: Windows Remote Access Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8429 CVE-2020-17055 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8439 |
Title: Windows Remote Access Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8439 CVE-2020-17032 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8462 |
Title: Windows Remote Access Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8462 CVE-2020-17025 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8464 |
Title: Windows Remote Access Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8464 CVE-2020-17028 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8478 |
Title: Windows Remote Access Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8478 CVE-2020-17034 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8480 |
Title: Windows Remote Access Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8480 CVE-2020-17026 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8474 |
Title: Windows Print Spooler Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8474 CVE-2020-17042 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8446 |
Title: Windows Print Spooler Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8446 CVE-2020-17001 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8426 |
Title: Windows Print Spooler Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8426 CVE-2020-17014 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8471 |
Title: Windows Print Configuration Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8471 CVE-2020-17041 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8455 |
Title: Windows Port Class Library Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8455 CVE-2020-17011 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8479 |
Title: Windows Network File System Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8479 CVE-2020-17051 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8476 |
Title: Windows Network File System Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8476 CVE-2020-17056 |
Severity: Low |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8448 |
Title: Windows Network File System Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:8448 CVE-2020-17047 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8424 |
Title: Windows NDIS Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8424 CVE-2020-17069 |
Severity: Low |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8435 |
Title: Windows MSCTF Server Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8435 CVE-2020-17030 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8423 |
Title: Windows KernelStream Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8423 CVE-2020-17045 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8444 |
Title: Windows Kernel Local Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8444 CVE-2020-17087 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8434 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8434 CVE-2020-17035 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8436 |
Title: Windows Hyper-V Security Feature Bypass Vulnerability |
Type: Software |
Bulletins:
CISEC:8436 CVE-2020-17040 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8427 |
Title: Windows Graphics Component Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8427 CVE-2020-17004 |
Severity: Low |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8438 |
Title: Windows GDI+ Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8438 CVE-2020-17068 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8456 |
Title: Windows Function Discovery SSDP Provider Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8456 CVE-2020-17036 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8432 |
Title: Windows Error Reporting Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8432 CVE-2020-17007 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8461 |
Title: Windows Error Reporting Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:8461 CVE-2020-17046 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8458 |
Title: Windows Delivery Optimization Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8458 CVE-2020-17071 |
Severity: Low |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8453 |
Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8453 CVE-2020-17088 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8468 |
Title: Windows Client Side Rendering Print Provider Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8468 CVE-2020-17024 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8466 |
Title: Windows Canonical Display Driver Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8466 CVE-2020-17029 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8470 |
Title: Windows Camera Codec Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8470 CVE-2020-17113 |
Severity: Low |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8445 |
Title: Windows Bind Filter Driver Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8445 CVE-2020-17012 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8442 |
Title: Win32k Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8442 CVE-2020-17013 |
Severity: Low |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8449 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8449 CVE-2020-17038 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8460 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8460 CVE-2020-17010 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8441 |
Title: Remote Desktop Protocol Server Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8441 CVE-2020-16997 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8443 |
Title: Remote Desktop Protocol Client Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8443 CVE-2020-17000 |
Severity: Low |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8459 |
Title: Microsoft Defender for Endpoint Security Feature Bypass Vulnerability |
Type: Software |
Bulletins:
CISEC:8459 CVE-2020-17090 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8430 |
Title: Kerberos Security Feature Bypass Vulnerability |
Type: Software |
Bulletins:
CISEC:8430 CVE-2020-17049 |
Severity: High |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8465 |
Title: DirectX Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8465 CVE-2020-16998 |
Severity: Medium |
Description: | ||||
Applies to: |
Created: 2020-12-11 |
Updated: 2024-09-07 |
ID: CISEC:8381 |
Title: Windows Text Services Framework Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8381 CVE-2020-16921 |
Severity: Low |
Description: An information disclosure vulnerability exists in Text Services Framework when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. To exploit this vulnerability, an attacker would have to log on to an affected system and open a specially crafted file. The update addresses the vulnerability by correcting how Text Services Framework handles objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8386 |
Title: Windows TCP/IP Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8386 CVE-2020-16898 |
Severity: Medium |
Description: A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer. The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8413 |
Title: Windows TCP/IP Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:8413 CVE-2020-16899 |
Severity: High |
Description: A denial of service vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could cause a target system to stop responding. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer. The vulnerability would not allow an attacker to execute code or to elevate user rights directly. The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8392 |
Title: Windows Subsystem for Linux Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8392 CVE-2020-1423 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Subsystem for Linux handles files. An attacker who successfully exploited the vulnerability could execute code with elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows Subsystem for Linux handles files. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8414 |
Title: Windows Storage VSP Driver Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8414 CVE-2020-16885 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Storage VSP Driver improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Storage VSP Driver properly handles file operations. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8397 |
Title: Windows Storage Services Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8397 CVE-2020-0764 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Storage Services improperly handle file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Storage Services properly handle file operations. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8376 |
Title: Windows Spoofing Vulnerability |
Type: Software |
Bulletins:
CISEC:8376 CVE-2020-16922 |
Severity: Low |
Description: A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files. In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded. The update addresses the vulnerability by correcting how Windows validates file signatures. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8419 |
Title: Windows SMBv3 Client/Server Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:8419 CVE-2020-1284 |
Severity: Medium |
Description: A denial of service vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An authenticated attacker who successfully exploited this vulnerability against an SMB Server could cause the affected system to crash. An unauthenticated attacker could also exploit this vulnerability against an SMB client and cause the affected system to crash. To exploit the vulnerability against a server, an authenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it. The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8374 |
Title: Windows Shell Infrastructure Component Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8374 CVE-2020-1098 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Shell infrastructure component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting the way in which the Shell infrastructure component handles objects in memory and preventing unintended elevation from a lower integrity application. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8373 |
Title: Windows Security Feature Bypass Vulnerability |
Type: Software |
Bulletins:
CISEC:8373 CVE-2020-16910 |
Severity: Medium |
Description: A security feature bypass vulnerability exists when Microsoft Windows fails to handle file creation permissions, which could allow an attacker to create files in a protected Unified Extensible Firmware Interface (UEFI) location. To exploit this vulnerability, an attacker could run a specially crafted application to bypass Unified Extensible Firmware Interface (UEFI) variable security in Windows. The security update addresses the vulnerability by correcting security feature behavior to enforce permissions. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8415 |
Title: Windows Remote Desktop Service Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:8415 CVE-2020-16863 |
Severity: High |
Description: A denial of service vulnerability exists in Windows Remote Desktop Service when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the Remote Desktop Service on the target system to stop responding. To exploit this vulnerability, an attacker would need to run a specially crafted application against a server which provides Remote Desktop Service. The update addresses the vulnerability by correcting how Remote Desktop Service handles connection requests. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8385 |
Title: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8385 CVE-2020-16896 |
Severity: Medium |
Description: An information disclosure vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would need to run a specially crafted application against a server which provides Remote Desktop Protocol (RDP) services. The update addresses the vulnerability by correcting how RDP handles connection requests. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8398 |
Title: Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:8398 CVE-2020-16927 |
Severity: High |
Description: A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. To exploit this vulnerability, an attacker would need to run a specially crafted application against a server which provides Remote Desktop Protocol (RDP) services. The update addresses the vulnerability by correcting how RDP handles connection requests. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8363 |
Title: Windows Network Connections Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8363 CVE-2020-16887 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8369 |
Title: Windows NAT Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8369 CVE-2020-16894 |
Severity: Medium |
Description: A remote code execution vulnerability exists when Windows Network Address Translation (NAT) fails to properly handle UDP traffic. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system. An attacker who successfully exploited the vulnerability could cause memory corruption on a host operating system. The security update addresses the vulnerability by correcting how Windows NAT handles objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8402 |
Title: Windows KernelStream Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8402 CVE-2020-16889 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows KernelStream improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows KernelStream handles objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8379 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8379 CVE-2020-16901 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. To exploit this vulnerability, an authenticated attacker could run a specially crafted application. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. The update addresses the vulnerability by correcting how the Windows kernel initializes objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8407 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8407 CVE-2020-16938 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8404 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8404 CVE-2020-16890 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8411 |
Title: Windows iSCSI Target Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8411 CVE-2020-16980 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows iSCSI Target Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows iSCSI Target Service properly handles file operations. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8420 |
Title: Windows Installer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8420 CVE-2020-16902 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8391 |
Title: Windows Image Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8391 CVE-2020-16892 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows kernel image handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows kernel image properly handles objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8377 |
Title: Windows Hyper-V Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8377 CVE-2020-16891 |
Severity: High |
Description: A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system. The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8370 |
Title: Windows Hyper-V Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8370 CVE-2020-1080 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows Hyper-V on a host server fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges on a target operating system. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running. The update addresses the vulnerabilities by correcting how Windows Hyper-V handles objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8401 |
Title: Windows Hyper-V Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8401 CVE-2020-1047 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows Hyper-V on a host server fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges on a target operating system. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running. The update addresses the vulnerabilities by correcting how Windows Hyper-V handles objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8395 |
Title: Windows Hyper-V Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:8395 CVE-2020-1243 |
Severity: Medium |
Description: A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate specific malicious data from a user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application. The security update addresses the vulnerability by resolving the conditions where Hyper-V would fail to handle these requests. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8393 |
Title: Windows GDI+ Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8393 CVE-2020-16914 |
Severity: Low |
Description: An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface Plus (GDI+) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how GDI+ handles memory addresses. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8410 |
Title: Windows Event System Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8410 CVE-2020-16900 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Event System improperly handles objects in memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Event System handles objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8368 |
Title: Windows Error Reporting Manager Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8368 CVE-2020-16895 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows Error Reporting manager handles process crashes. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8418 |
Title: Windows Error Reporting Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8418 CVE-2020-16905 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by correcting the way that WER handles and executes files. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8405 |
Title: Windows Error Reporting Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8405 CVE-2020-16909 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by correcting the way that WER handles and executes files. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8421 |
Title: Windows Enterprise App Management Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8421 CVE-2020-16919 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows Enterprise App Management Service improperly handles certain file operations. An attacker who successfully exploited this vulnerability could read arbitrary files. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Windows Enterprise App Management Service properly handles file operations. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8390 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8390 CVE-2020-16877 |
Severity: Low |
Description: An elevation of privilege vulnerability exists when Microsoft Windows improperly handles reparse points. An attacker who successfully exploited this vulnerability could overwrite or delete a targeted file that would normally require elevated permissions. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and overwrite or delete files. The security update addresses the vulnerability by correcting how Windows handles reparse points. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8365 |
Title: Windows COM Server Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8365 CVE-2020-16935 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows improperly handles COM object creation. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Windows COM Server creates COM objects. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8387 |
Title: Windows COM Server Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8387 CVE-2020-16916 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows improperly handles COM object creation. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Windows COM Server creates COM objects. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8384 |
Title: Windows Camera Codec Pack Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8384 CVE-2020-16968 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Camera Codec Pack improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of the Windows Camera Codec Pack. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. The security update addresses the vulnerability by correcting how the Windows Camera Codec Pack handles objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8406 |
Title: Windows Camera Codec Pack Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8406 CVE-2020-16967 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Camera Codec Pack improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of the Windows Camera Codec Pack. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. The security update addresses the vulnerability by correcting how the Windows Camera Codec Pack handles objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8412 |
Title: Windows Backup Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8412 CVE-2020-16973 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8416 |
Title: Windows Backup Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8416 CVE-2020-16912 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8367 |
Title: Windows Backup Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8367 CVE-2020-16936 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8380 |
Title: Windows Backup Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8380 CVE-2020-16976 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8382 |
Title: Windows Backup Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8382 CVE-2020-16974 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8383 |
Title: Windows Backup Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8383 CVE-2020-16975 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8388 |
Title: Windows Backup Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8388 CVE-2020-16972 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8364 |
Title: Windows Application Compatibility Client Library Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8364 CVE-2020-16920 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Application Compatibility Client Library improperly handles registry operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Application Compatibility Client Library properly handles registry operations. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8366 |
Title: Windows Application Compatibility Client Library Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8366 CVE-2020-16876 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Application Compatibility Client Library improperly handles registry operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Application Compatibility Client Library properly handles registry operations. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8409 |
Title: Windows - User Profile Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8409 CVE-2020-16940 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles junction points. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and delete files or folders of their choosing. The security update addresses the vulnerability by correcting how the Windows User Profile Service handles junction points. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8378 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8378 CVE-2020-16907 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8389 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8389 CVE-2020-16913 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8417 |
Title: Projected Filesystem Security Feature Bypass Vulnerability |
Type: Software |
Bulletins:
CISEC:8417 CVE-2020-0805 |
Severity: Low |
Description: A security feature bypass vulnerability exists when the Windows Projected Filesystem improperly handles file redirections. An attacker who successfully exploited this vulnerability could delete a targeted file that they would not otherwise have permission to delete. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability. The security update addresses the vulnerability by correcting how the Windows Projected Filesystem handles file redirections. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8394 |
Title: NetBT Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8394 CVE-2020-16897 |
Severity: Low |
Description: An information disclosure vulnerability exists when NetBIOS over TCP (NBT) Extensions (NetBT) improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how NetBT handles objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8371 |
Title: Microsoft Graphics Components Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8371 CVE-2020-16923 |
Severity: Medium |
Description: A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8400 |
Title: Microsoft Graphics Components Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8400 CVE-2020-1167 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8372 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:8372 CVE-2020-16915 |
Severity: Medium |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8396 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8396 CVE-2020-16924 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8408 |
Title: Group Policy Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8408 CVE-2020-16939 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how Group Policy checks access. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8403 |
Title: GDI+ Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8403 CVE-2020-16911 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message. In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file. The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8422 |
Title: Connected User Experiences and Telemetry Service Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:8422 CVE-2020-1120 |
Severity: Medium |
Description: A denial of service vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could cause a system to stop responding. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. | ||||
Applies to: |
Created: 2020-11-13 |
Updated: 2024-09-07 |
ID: CISEC:8314 |
Title: Windows Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8314 CVE-2020-1152 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Windows improperly handles calls to Win32k.sys. An attacker who successfully exploited the vulnerability could gain elevated privileges on a targeted system. To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how Windows handles calls to Win32k. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8344 |
Title: Windows UPnP Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8344 CVE-2020-1598 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows UPnP service handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8353 |
Title: Windows Text Service Module Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8353 CVE-2020-0908 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Text Service Module improperly handles memory. An attacker who successfully exploited the vulnerability could gain execution on a victim system. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge (Chromium-based), and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. The security update addresses the vulnerability by correcting how the Windows Text Service Module handles memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8329 |
Title: Windows Storage Services Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8329 CVE-2020-1559 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Storage Services improperly handle file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Storage Services properly handle file operations. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8341 |
Title: Windows Storage Services Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8341 CVE-2020-0886 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Storage Services improperly handle file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Storage Services properly handle file operations. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8326 |
Title: Windows State Repository Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8326 CVE-2020-0914 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8292 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8292 CVE-2020-1303 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8350 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8350 CVE-2020-1169 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8288 |
Title: Windows RSoP Service Application Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8288 CVE-2020-0648 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows RSoP Service Application improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows RSoP Service Application handles memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8340 |
Title: Windows Routing Utilities Denial of Service |
Type: Software |
Bulletins:
CISEC:8340 CVE-2020-1038 |
Severity: Medium |
Description: A denial of service vulnerability exists when Windows Routing Utilities improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to cause a target system to stop responding. The update addresses the vulnerability by correcting how Windows handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8317 |
Title: Windows Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8317 CVE-2020-1252 |
Severity: Medium |
Description: A remote code execution vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited this vulnerability could take control of an affected system. To exploit the vulnerability, an attacker would first have to log on to the target system and then run a specially crafted application. The updates address the vulnerability by correcting how Windows handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8318 |
Title: Windows Print Spooler Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8318 CVE-2020-1030 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows Print Spooler Component writes to the file system. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8320 |
Title: Windows Modules Installer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8320 CVE-2020-0911 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows Modules Installer improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Modules Installer handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8304 |
Title: Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8304 CVE-2020-0989 |
Severity: Low |
Description: An information disclosure vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to read files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and access files. The security update addresses the vulnerability by correcting how Windows MDM Diagnostics handles files. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8325 |
Title: Windows Media Audio Decoder Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8325 CVE-2020-1593 |
Severity: Medium |
Description: A remote code execution vulnerability exists when Windows Media Audio Decoder improperly handles objects. An attacker who successfully exploited the vulnerability could take control of an affected system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Audio Decoder handles objects. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8349 |
Title: Windows Media Audio Decoder Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8349 CVE-2020-1508 |
Severity: High |
Description: A remote code execution vulnerability exists when Windows Media Audio Decoder improperly handles objects. An attacker who successfully exploited the vulnerability could take control of an affected system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Audio Decoder handles objects. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8293 |
Title: Windows Language Pack Installer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8293 CVE-2020-1122 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Language Pack Installer handles file operations. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8290 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8290 CVE-2020-1592 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. To exploit this vulnerability, an authenticated attacker could run a specially crafted application. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. The update addresses the vulnerability by correcting how the Windows kernel initializes objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8309 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8309 CVE-2020-0928 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8310 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8310 CVE-2020-1033 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8319 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8319 CVE-2020-16854 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8345 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8345 CVE-2020-1589 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8298 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8298 CVE-2020-1034 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8301 |
Title: Windows InstallService Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8301 CVE-2020-1532 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows InstallService improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows InstallService handles memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8335 |
Title: Windows Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8335 CVE-2020-1119 |
Severity: Low |
Description: An information disclosure vulnerability exists when StartTileData.dll improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting the way in which StartTileData.dll handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8308 |
Title: Windows Hyper-V Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:8308 CVE-2020-0904 |
Severity: Low |
Description: A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate specific malicious data from a user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application. The security update addresses the vulnerability by resolving the conditions where Hyper-V would fail to handle these requests. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8322 |
Title: Windows Hyper-V Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:8322 CVE-2020-0890 |
Severity: Medium |
Description: A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate specific malicious data from a user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application. The security update addresses the vulnerability by resolving the conditions where Hyper-V would fail to handle these requests. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8352 |
Title: Windows Graphics Component Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8352 CVE-2020-1097 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage. The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8354 |
Title: Windows Graphics Component Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8354 CVE-2020-1091 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage. The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8303 |
Title: Windows Graphics Component Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8303 CVE-2020-0998 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8315 |
Title: Windows GDI Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8315 CVE-2020-1256 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8332 |
Title: Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8332 CVE-2020-0912 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Function Discovery SSDP Provider improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Function Discovery SSDP Provider handles memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8295 |
Title: Windows Function Discovery Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8295 CVE-2020-1491 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Function Discovery Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8327 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8327 CVE-2020-1159 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the StartTileData.dll handles file creation in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the StartTileData.dll properly handles this type of function. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8333 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8333 CVE-2020-1376 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that fdSSDP.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the ssdpsrv.dll properly handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8334 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8334 CVE-2020-1052 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the ssdpsrv.dll properly handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8302 |
Title: Windows dnsrslvr.dll Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8302 CVE-2020-0839 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the dnsrslvr.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the dnsrslvr.dll properly handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8342 |
Title: Windows DNS Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:8342 CVE-2020-1228 |
Severity: Medium |
Description: A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive. To exploit the vulnerability, an authenticated attacker could send malicious DNS queries to a target, resulting in a denial of service. The update addresses the vulnerability by correcting how Windows DNS processes queries. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8359 |
Title: Windows DNS Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:8359 CVE-2020-0836 |
Severity: Medium |
Description: A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive. To exploit the vulnerability, an authenticated attacker could send malicious DNS queries to a target, resulting in a denial of service. The update addresses the vulnerability by correcting how Windows DNS processes queries. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8328 |
Title: Windows DHCP Server Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8328 CVE-2020-1031 |
Severity: Medium |
Description: An information disclosure vulnerability exists in the way that the Windows Server DHCP service improperly discloses the contents of its memory. To exploit the vulnerability, an unauthenticated attacker could send a specially crafted packet to an affected DHCP server. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. The security update addresses the vulnerability by correcting how DHCP servers initialize memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8312 |
Title: Windows Defender Application Control Security Feature Bypass Vulnerability |
Type: Software |
Bulletins:
CISEC:8312 CVE-2020-0951 |
Severity: High |
Description: A security feature bypass vulnerability exists in Windows Defender Application Control (WDAC) which could allow an attacker to bypass WDAC enforcement. An attacker who successfully exploited this vulnerability could execute PowerShell commands that would be blocked by WDAC. To exploit the vulnerability, an attacker needs administrator access on a local machine where PowerShell is running. The attacker could then connect to a PowerShell session and send commands to execute arbitrary code. The update addresses the vulnerability by correcting how PowerShell commands are validated when WDAC protection is enabled. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8307 |
Title: Windows Cryptographic Catalog Services Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8307 CVE-2020-0782 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Cryptographic Catalog Services improperly handle objects in memory. An attacker who successfully exploited this vulnerability could modify the cryptographic catalog. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by addressing how the Windows Cryptographic Catalog Services handle objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8296 |
Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8296 CVE-2020-1115 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how CLFS handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8357 |
Title: Windows CloudExperienceHost Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8357 CVE-2020-1471 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Microsoft Windows CloudExperienceHost fails to check COM objects. An attacker who successfully exploited the vulnerability could gain elevated privileges on a targeted system. To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The security update addresses the vulnerability by checking COM objects. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8336 |
Title: Windows Camera Codec Pack Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8336 CVE-2020-0997 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Camera Codec Pack improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of the Windows Camera Codec Pack. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. The security update addresses the vulnerability by correcting how the Windows Camera Codec Pack handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8299 |
Title: Win32k Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8299 CVE-2020-0941 |
Severity: Low |
Description: An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability, an attacker would have to either log on locally to an affected system, or convince a locally authenticated user to execute a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8316 |
Title: Win32k Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8316 CVE-2020-1250 |
Severity: Low |
Description: An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8291 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8291 CVE-2020-1245 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8348 |
Title: TLS Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8348 CVE-2020-1596 |
Severity: Low |
Description: An information disclosure vulnerability exists when TLS components use weak hash algorithms. An attacker who successfully exploited this vulnerability could obtain information to further compromise a user's encrypted transmission channel. To exploit the vulnerability, an attacker would have to conduct a man-in-the-middle attack. The update addresses the vulnerability by correcting how TLS components use hash algorithms. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8323 |
Title: Shell infrastructure component Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8323 CVE-2020-0870 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Shell infrastructure component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting the way in which the Shell infrastructure component handles objects in memory and preventing unintended elevation from a lower-integrity application. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8311 |
Title: Projected Filesystem Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8311 CVE-2020-16879 |
Severity: Low |
Description: An information disclosure vulnerability exists when a Windows Projected Filesystem improperly handles file redirections. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability. The security update addresses the vulnerability by correcting how Windows Projected Filesystem handles file redirections. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8300 |
Title: NTFS Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8300 CVE-2020-0838 |
Severity: High |
Description: An elevation of privilege vulnerability exists when NTFS improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how NTFS checks access. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8346 |
Title: Microsoft Windows Codecs Library Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8346 CVE-2020-1319 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8356 |
Title: Microsoft Windows Codecs Library Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8356 CVE-2020-1129 |
Severity: Medium |
Description: A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8297 |
Title: Microsoft Store Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8297 CVE-2020-1146 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Microsoft Store Runtime handles memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8358 |
Title: Microsoft Store Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8358 CVE-2020-0766 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Microsoft Store Runtime handles memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8324 |
Title: Microsoft splwow64 Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8324 CVE-2020-0875 |
Severity: Medium |
Description: An information disclosure vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system (low-integrity to medium-integrity). This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. The security update addresses the vulnerability by ensuring splwow64.exe properly handles these calls. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8339 |
Title: Microsoft splwow64 Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8339 CVE-2020-0790 |
Severity: Medium |
Description: A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. The security update addresses the vulnerability by ensuring splwow64.exe properly handles these calls. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8313 |
Title: Microsoft Graphics Component Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8313 CVE-2020-0921 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting the way in which the Windows Graphics Component handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8338 |
Title: Microsoft Graphics Component Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8338 CVE-2020-1083 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting the way in which the Windows Graphics Component handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8305 |
Title: Microsoft COM for Windows Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8305 CVE-2020-0922 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that Microsoft COM for Windows handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file or lure the target to a website hosting malicious JavaScript. The security update addresses the vulnerability by correcting how Microsoft COM for Windows handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8294 |
Title: Microsoft COM for Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8294 CVE-2020-1507 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that Microsoft COM for Windows handles objects in memory. An attacker who successfully exploited the vulnerability could gain elevated privileges on a targeted system. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft COM for Windows handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8289 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8289 CVE-2020-1074 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8306 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8306 CVE-2020-1039 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8330 |
Title: Group Policy Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8330 CVE-2020-1013 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Microsoft Windows processes group policy updates. An attacker who successfully exploited this vulnerability could potentially escalate permissions or perform additional privileged actions on the target machine. To exploit this vulnerability, an attacker would need to launch a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine. An attacker could then create a group policy to grant administrator rights to a standard user. The security update addresses the vulnerability by enforcing Kerberos authentication for certain calls over LDAP. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8355 |
Title: GDI+ Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8355 CVE-2020-1285 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message. In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file. The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8343 |
Title: DirectX Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8343 CVE-2020-1308 |
Severity: High |
Description: An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8347 |
Title: DirectX Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8347 CVE-2020-1053 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8351 |
Title: Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8351 CVE-2020-1590 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges on the victim system. To exploit the vulnerability, an attacker would first have to gain execution on the victim system, then run a specially crafted application. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8331 |
Title: ADFS Spoofing Vulnerability |
Type: Software |
Bulletins:
CISEC:8331 CVE-2020-0837 |
Severity: Medium |
Description: A spoofing vulnerability exists when Active Directory Federation Services (ADFS) improperly handles multi-factor authentication requests. To exploit this vulnerability, an attacker could send a specially crafted authentication request. An attacker who successfully exploited this vulnerability could bypass some, but not all, of the authentication factors. This security update corrects how ADFS handles multi-factor authentication requests. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8321 |
Title: Active Directory Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8321 CVE-2020-0718 |
Severity: Medium |
Description: A remote code execution vulnerability exists when Active Directory integrated DNS (ADIDNS) mishandles objects in memory. An authenticated attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. To exploit the vulnerability, an authenticated attacker could send malicious requests to an Active Directory integrated DNS (ADIDNS) server. The update addresses the vulnerability by correcting how Active Directory integrated DNS (ADIDNS) handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8337 |
Title: Active Directory Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8337 CVE-2020-0761 |
Severity: Medium |
Description: A remote code execution vulnerability exists when Active Directory integrated DNS (ADIDNS) mishandles objects in memory. An authenticated attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. To exploit the vulnerability, an authenticated attacker could send malicious requests to an Active Directory integrated DNS (ADIDNS) server. The update addresses the vulnerability by correcting how Active Directory integrated DNS (ADIDNS) handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8286 |
Title: Active Directory Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8286 CVE-2020-0664 |
Severity: Medium |
Description: An information disclosure vulnerability exists when Active Directory integrated DNS (ADIDNS) mishandles objects in memory. An authenticated attacker who successfully exploited this vulnerability would be able to read sensitive information about the target system. To exploit this condition, an authenticated attacker would need to send a specially crafted request to the AD|DNS service. Note that the information disclosure vulnerability by itself would not be sufficient for an attacker to compromise a system. However, an attacker could combine this vulnerability with additional vulnerabilities to further exploit the system. The update addresses the vulnerability by correcting how Active Directory integrated DNS (ADIDNS) handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8287 |
Title: Active Directory Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8287 CVE-2020-0856 |
Severity: Medium |
Description: An information disclosure vulnerability exists when Active Directory integrated DNS (ADIDNS) mishandles objects in memory. An authenticated attacker who successfully exploited this vulnerability would be able to read sensitive information about the target system. To exploit this condition, an authenticated attacker would need to send a specially crafted request to the AD|DNS service. Note that the information disclosure vulnerability by itself would not be sufficient for an attacker to compromise a system. However, an attacker could combine this vulnerability with additional vulnerabilities to further exploit the system. The update addresses the vulnerability by correcting how Active Directory integrated DNS (ADIDNS) handles objects in memory. | ||||
Applies to: |
Created: 2020-10-09 |
Updated: 2024-09-07 |
ID: CISEC:8248 |
Title: Vulnerability in the MySQL Server component of Oracle MySQL |
Type: Software |
Bulletins:
CISEC:8248 CVE-2012-5611 |
Severity: Medium |
Description: Stack-based buffer overflow in the acl_get function in Oracle MySQL 5.5.19 and other versions through 5.5.28, and 5.1.53 and other versions through 5.1.66, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command. | ||||
Applies to: MariaDB MySQL Server 5.1 MySQL Server 5.5 |
Created: 2020-09-18 |
Updated: 2024-09-07 |
ID: CISEC:8262 |
Title: Vulnerability in the MySQL Server component of Oracle MySQL |
Type: Software |
Bulletins:
CISEC:8262 CVE-2012-5612 |
Severity: Medium |
Description: Heap-based buffer overflow in Oracle MySQL 5.5.19 and other versions through 5.5.28, and MariaDB 5.5.28a and possibly other versions, allows remote authenticated users to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code, as demonstrated using certain variations of the (1) USE, (2) SHOW TABLES, (3) DESCRIBE, (4) SHOW FIELDS FROM, (5) SHOW COLUMNS FROM, (6) SHOW INDEX FROM, (7) CREATE TABLE, (8) DROP TABLE, (9) ALTER TABLE, (10) DELETE FROM, (11) UPDATE, and (12) SET PASSWORD commands. | ||||
Applies to: MariaDB MySQL Server 5.5 |
Created: 2020-09-18 |
Updated: 2024-09-07 |
ID: CISEC:8284 |
Title: Vulnerability in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB before 5.5.52, and 10.0.x before 10.0.28, and 10.1.x before 10.1.18 |
Type: Software |
Bulletins:
CISEC:8284 CVE-2016-6664 |
Severity: Medium |
Description: mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB before 5.5.52, and 10.0.x before 10.0.28, and 10.1.x before 10.1.18, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files. | ||||
Applies to: MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 mariadb |
Created: 2020-09-18 |
Updated: 2024-09-07 |
ID: CISEC:8260 |
Title: Vulnerability in Oracle MySQL before 5.7.3 and MariaDB before 5.5.44 |
Type: Software |
Bulletins:
CISEC:8260 CVE-2015-3152 |
Severity: Medium |
Description: Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack. | ||||
Applies to: MariaDB MySQL |
Created: 2020-09-18 |
Updated: 2024-09-07 |
ID: CISEC:8267 |
Title: Vulnerability in Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier |
Type: Software |
Bulletins:
CISEC:8267 CVE-2012-5615 |
Severity: Medium |
Description: Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 |
Created: 2020-09-18 |
Updated: 2024-09-07 |
ID: CISEC:8279 |
Title: Vulnerability in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6 |
Type: Software |
Bulletins:
CISEC:8279 CVE-2012-2122 |
Severity: Medium |
Description: sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value. | ||||
Applies to: MariaDB MySQL Server 5.1 MySQL Server 5.5 MySQL Server 5.6 |
Created: 2020-09-18 |
Updated: 2024-09-07 |
ID: CISEC:8258 |
Title: Vulnerability in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier |
Type: Software |
Bulletins:
CISEC:8258 CVE-2013-1861 |
Severity: Medium |
Description: MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 5.2.15, and 5.1.x before 5.1.68, and Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote attackers to cause a denial of service (crash) via a crafted geometry feature that specifies a large number of points, which is not properly handled when processing the binary representation of this feature, related to a numeric calculation error. | ||||
Applies to: MariaDB MySQL Server 5.6 |
Created: 2020-09-18 |
Updated: 2024-09-07 |
ID: CISEC:8265 |
Title: Vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier, and MariaDB 5.5.28a and possibly other versions |
Type: Software |
Bulletins:
CISEC:8265 CVE-2012-5614 |
Severity: Medium |
Description: Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier, and MariaDB 5.5.28a and possibly other versions, allows remote authenticated users to cause a denial of service (mysqld crash) via a SELECT command with an UpdateXML command containing XML with a large number of unique, nested elements. | ||||
Applies to: MariaDB MySQL Server 5.1 MySQL Server 5.5 |
Created: 2020-09-18 |
Updated: 2024-09-07 |
ID: CISEC:8257 |
Title: Vulnerability in MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 |
Type: Software |
Bulletins:
CISEC:8257 CVE-2016-2047 |
Severity: Medium |
Description: The ssl_verify_server_cert function in sql-common/client.c in MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10, Oracle MySQL, and Percona Server do not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "/CN=" string in a field in a certificate, as demonstrated by "/OU=/CN=bar.com/CN=foo.com." | ||||
Applies to: MariaDB |
Created: 2020-09-18 |
Updated: 2024-09-07 |
ID: CISEC:8264 |
Title: Vulnerability in MariaDB before 10.1.30 and 10.2.x before 10.2.10 |
Type: Software |
Bulletins:
CISEC:8264 CVE-2017-15365 |
Severity: Medium |
Description: sql/event_data_objects.cc in MariaDB before 10.1.30 and 10.2.x before 10.2.10 and Percona XtraDB Cluster before 5.6.37-26.21-3 and 5.7.x before 5.7.19-29.22-3 allows remote authenticated users with SQL access to bypass intended access restrictions and replicate data definition language (DDL) statements to cluster nodes by leveraging incorrect ordering of DDL replication and ACL checking. | ||||
Applies to: MariaDB |
Created: 2020-09-18 |
Updated: 2024-09-07 |
ID: CISEC:8285 |
Title: Vulnerability in MariaDB 10.4.7 through 10.4.11 |
Type: Software |
Bulletins:
CISEC:8285 CVE-2020-7221 |
Severity: High |
Description: mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege escalation from the mysql user account to root because chown and chmod are performed unsafely, as demonstrated by a symlink attack on a chmod 04755 of auth_pam_tool_dir/auth_pam_tool. NOTE: this does not affect the Oracle MySQL product, which implements mysql_install_db differently. | ||||
Applies to: MariaDB |
Created: 2020-09-18 |
Updated: 2024-09-07 |
ID: CISEC:8276 |
Title: Unspecified vulnerability in Oracle MySQL 5.6.29 and earlier and 5.7.11 and earlier and MariaDB 10.0.0 before 10.0.25 and 10.1.0 before 10.1.14 |
Type: Software |
Bulletins:
CISEC:8276 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.6.29 and earlier and 5.7.11 and earlier and MariaDB 10.0.0 before 10.0.25 and 10.1.0 before 10.1.14 allows local users to affect availability via vectors related to InnoDB. | ||||
Applies to: MariaDB MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8263 |
Title: Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and MariaDB before 10.0.22 and 10.1.x before 10.1.9 |
Type: Software |
Bulletins:
CISEC:8263 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and MariaDB before 10.0.22 and 10.1.x before 10.1.9 allows remote authenticated users to affect availability via unknown vectors related to InnoDB. | ||||
Applies to: MariaDB MySQL Server 5.6 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8256 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier |
Type: Software |
Bulletins:
CISEC:8256 CVE-2016-5617 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Error Handling. | ||||
Applies to: MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 mariadb |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8268 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier |
Type: Software |
Bulletins:
CISEC:8268 CVE-2016-5616 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: MyISAM. | ||||
Applies to: MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 mariadb |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8255 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49 and 10.0.0 before 10.0.25 and 10.1.0 before 10.1.14 |
Type: Software |
Bulletins:
CISEC:8255 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49 and 10.0.0 before 10.0.25 and 10.1.0 before 10.1.14 allows local users to affect availability via vectors related to PS. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8271 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49 and 10.0.0 before 10.0.25 and 10.1.0 before 10.1.14 |
Type: Software |
Bulletins:
CISEC:8271 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49 and 10.0.0 before 10.0.25 and 10.1.0 before 10.1.14 allows local users to affect confidentiality via vectors related to DML. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8275 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49 and 10.0.0 before 10.0.25 and 10.1.0 before 10.1.14 |
Type: Software |
Bulletins:
CISEC:8275 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49 and 10.0.0 before 10.0.25 and 10.1.0 before 10.1.14 allows local users to affect availability via vectors related to FTS. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8246 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 |
Type: Software |
Bulletins:
CISEC:8246 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 allows local users to affect availability via vectors related to DDL. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8250 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 |
Type: Software |
Bulletins:
CISEC:8250 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 allows local users to affect confidentiality and availability via vectors related to MyISAM. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8254 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 |
Type: Software |
Bulletins:
CISEC:8254 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 allows local users to affect availability via vectors related to Replication. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8259 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 |
Type: Software |
Bulletins:
CISEC:8259 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 allows local users to affect availability via vectors related to PS. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8273 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 |
Type: Software |
Bulletins:
CISEC:8273 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 allows local users to affect integrity and availability via vectors related to DML. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8277 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 |
Type: Software |
Bulletins:
CISEC:8277 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 allows local users to affect availability via vectors related to DML. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8249 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 |
Type: Software |
Bulletins:
CISEC:8249 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to UDF. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8251 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 |
Type: Software |
Bulletins:
CISEC:8251 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8252 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 |
Type: Software |
Bulletins:
CISEC:8252 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to InnoDB. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8261 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 |
Type: Software |
Bulletins:
CISEC:8261 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8269 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 |
Type: Software |
Bulletins:
CISEC:8269 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to privileges. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8274 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 |
Type: Software |
Bulletins:
CISEC:8274 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Options. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8278 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 |
Type: Software |
Bulletins:
CISEC:8278 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect integrity via unknown vectors related to encryption. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8280 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 |
Type: Software |
Bulletins:
CISEC:8280 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 MySQL Server 5.7 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8282 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 |
Type: Software |
Bulletins:
CISEC:8282 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer. | ||||
Applies to: MariaDB MySQL Server 5.5 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8253 |
Title: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and 5.6.27 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 |
Type: Software |
Bulletins:
CISEC:8253 |
Severity: Low |
Description: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and 5.6.27 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML. | ||||
Applies to: MariaDB MySQL Server 5.5 MySQL Server 5.6 |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8247 |
Title: Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 |
Type: Software |
Bulletins:
CISEC:8247 CVE-2012-5627 |
Severity: Medium |
Description: Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection, which makes it easier for remote authenticated users to conduct brute force password guessing attacks. | ||||
Applies to: MariaDB |
Created: 2020-09-18 |
Updated: 2024-09-07 |
ID: CISEC:8283 |
Title: Multiple SQL injection vulnerabilities in Oracle MySQL |
Type: Software |
Bulletins:
CISEC:8283 CVE-2012-4414 |
Severity: Medium |
Description: Multiple SQL injection vulnerabilities in the replication code in Oracle MySQL possibly before 5.5.29, and MariaDB 5.1.x through 5.1.62, 5.2.x through 5.2.12, 5.3.x through 5.3.7, and 5.5.x through 5.5.25, allow remote authenticated users to execute arbitrary SQL commands via vectors related to the binary log. NOTE: as of 20130116, Oracle has not commented on claims from a downstream vendor that the fix in MySQL 5.5.29 is incomplete. | ||||
Applies to: MariaDB MySQL Server 5.1 MySQL Server 5.5 |
Created: 2020-09-18 |
Updated: 2024-09-07 |
ID: CISEC:8270 |
Title: Buffer overflow in Oracle MySQL and MariaDB before 5.5.35 |
Type: Software |
Bulletins:
CISEC:8270 |
Severity: Low |
Description: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string. | ||||
Applies to: MariaDB |
Created: 2020-09-18 |
Updated: 2020-09-18 |
ID: CISEC:8123 |
Title: Windows Work Folders Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8123 CVE-2020-1516 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Work Folders Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Work Folders Service handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8143 |
Title: Windows Work Folders Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8143 CVE-2020-1470 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Work Folders Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Work Folders Service handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8171 |
Title: Windows Work Folders Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8171 CVE-2020-1484 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Work Folders Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Work Folders Service handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8133 |
Title: Windows Work Folder Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8133 CVE-2020-1552 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8166 |
Title: Windows WalletService Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8166 CVE-2020-1533 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows WalletService properly handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8167 |
Title: Windows WalletService Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8167 CVE-2020-1556 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows WalletService properly handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8155 |
Title: Windows WaasMedic Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8155 CVE-2020-1548 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows WaasMedic Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to improperly disclose memory. The security update addresses the vulnerability by correcting how the Windows WaasMedic Service handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8161 |
Title: Windows UPnP Device Host Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8161 CVE-2020-1519 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows UPnP Device Host improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows UPnP Device Host handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8168 |
Title: Windows UPnP Device Host Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8168 CVE-2020-1538 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows UPnP Device Host improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows UPnP Device Host handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8163 |
Title: Windows Telephony Server Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8163 CVE-2020-1515 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Telephony Server improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Telephony Server handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8165 |
Title: Windows Storage Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8165 CVE-2020-1490 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Storage Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges on the victim system. To exploit the vulnerability, an attacker would first have to gain execution on the victim system, then run a specially crafted application. The security update addresses the vulnerability by correcting how the Storage Service handles file operations. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8100 |
Title: Windows State Repository Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8100 CVE-2020-1512 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8147 |
Title: Windows Spoofing Vulnerability |
Type: Software |
Bulletins:
CISEC:8147 CVE-2020-1464 |
Severity: Low |
Description: A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files. In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded. The update addresses the vulnerability by correcting how Windows validates file signatures. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8119 |
Title: Windows Speech Shell Components Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8119 CVE-2020-1524 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Speech Shell Components improperly handle memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Speech Shell Components handle memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8095 |
Title: Windows Speech Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8095 CVE-2020-1521 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Speech Runtime improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Speech Runtime handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8134 |
Title: Windows Speech Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8134 CVE-2020-1522 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Speech Runtime improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Speech Runtime handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8141 |
Title: Windows Server Resource Management Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8141 CVE-2020-1475 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the srmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the srmsvc.dll properly handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8160 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8160 CVE-2020-1553 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8136 |
Title: Windows RRAS Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8136 CVE-2020-1383 |
Severity: Low |
Description: An information disclosure vulnerability exists in RPC if the server has Routing and Remote Access enabled. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would need to run a specially crafted application against an RPC server which has Routing and Remote Access enabled. Routing and Remote Access is a non-default configuration; systems without it enabled are not vulnerable. The security update addresses the vulnerability by correcting how the Routing and Remote Access service handles requests. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8137 |
Title: Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:8137 CVE-2020-1466 |
Severity: Medium |
Description: A denial of service vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RD Gateway service on the target system to stop responding. To exploit this vulnerability, an attacker would need to run a specially crafted application against a server which provides RD Gateway services. The update addresses the vulnerability by correcting how RD Gateway handles connection requests. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8117 |
Title: Windows Remote Access Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8117 CVE-2020-1537 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Remote Access improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Remote Access properly handles file operations. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8125 |
Title: Windows Remote Access Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8125 CVE-2020-1530 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Windows Remote Access improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how Windows Remote Access handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8108 |
Title: Windows Registry Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8108 CVE-2020-1377 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Kernel API improperly handles registry objects in memory. An attacker who successfully exploited the vulnerability could gain elevated privileges on a targeted system. A locally authenticated attacker could exploit this vulnerability by running a specially crafted application. The security update addresses the vulnerability by helping to ensure that the Windows Kernel API properly handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8142 |
Title: Windows Registry Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8142 CVE-2020-1378 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Kernel API improperly handles registry objects in memory. An attacker who successfully exploited the vulnerability could gain elevated privileges on a targeted system. A locally authenticated attacker could exploit this vulnerability by running a specially crafted application. The security update addresses the vulnerability by helping to ensure that the Windows Kernel API properly handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8132 |
Title: Windows Radio Manager API Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8132 CVE-2020-1528 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Radio Manager API improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Radio Manager API handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8130 |
Title: Windows Print Spooler Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8130 CVE-2020-1337 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows Print Spooler Component writes to the file system. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8102 |
Title: Windows Network Connection Broker Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8102 CVE-2020-1526 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Network Connection Broker improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Network Connection Broker handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8154 |
Title: Windows Media Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8154 CVE-2020-1339 |
Severity: High |
Description: A remote code execution vulnerability exists when Windows Media Audio Codec improperly handles objects. An attacker who successfully exploited the vulnerability could take control of an affected system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Audio Codec handles objects. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8099 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8099 CVE-2020-1578 |
Severity: Low |
Description: An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows kernel handles memory addresses. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8101 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8101 CVE-2020-1417 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8145 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8145 CVE-2020-1486 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8175 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8175 CVE-2020-1566 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8104 |
Title: Windows Image Acquisition Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8104 CVE-2020-1485 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows Image Acquisition (WIA) Service improperly discloses contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability, an authenticated attacker could connect an imaging device (camera, scanner, cellular phone) to an affected system and run a specially crafted application to disclose information. The security update addresses the vulnerability by correcting how the WIA Service handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8109 |
Title: Windows Image Acquisition Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8109 CVE-2020-1474 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows Image Acquisition (WIA) Service improperly discloses contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability, an authenticated attacker could connect an imaging device (camera, scanner, cellular phone) to an affected system and run a specially crafted application to disclose information. The security update addresses the vulnerability by correcting how the WIA Service handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8094 |
Title: Windows Hard Link Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8094 CVE-2020-1467 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows handles hard links. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8111 |
Title: Windows GDI Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8111 CVE-2020-1480 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how GDI handles objects in memory and by preventing instances of unintended user-mode privilege elevation. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8146 |
Title: Windows GDI Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8146 CVE-2020-1529 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how GDI handles objects in memory and by preventing instances of unintended user-mode privilege elevation. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8162 |
Title: Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8162 CVE-2020-1579 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Function Discovery SSDP Provider improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Function Discovery SSDP Provider handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8170 |
Title: Windows Font Driver Host Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8170 CVE-2020-1520 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Font Driver Host improperly handles memory. An attacker who successfully exploited the vulnerability would gain execution on a victim system. The security update addresses the vulnerability by correcting how the Windows Font Driver Host handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8105 |
Title: Windows File Server Resource Management Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8105 CVE-2020-1518 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows File Server Resource Management Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows File Server Resource Management Service handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8116 |
Title: Windows File Server Resource Management Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8116 CVE-2020-1517 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows File Server Resource Management Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows File Server Resource Management Service handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8126 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8126 CVE-2020-1565 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the "Public Account Pictures" folder improperly handles junctions. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how Windows handles junctions. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8097 |
Title: Windows dnsrslvr.dll Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8097 CVE-2020-1584 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way that the dnsrslvr.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the dnsrslvr.dll properly handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8153 |
Title: Windows Custom Protocol Engine Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8153 CVE-2020-1527 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Custom Protocol Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Custom Protocol Engine handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8113 |
Title: Windows CSC Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8113 CVE-2020-1513 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows CSC Service handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8120 |
Title: Windows CSC Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8120 CVE-2020-1489 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows CSC Service handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8144 |
Title: Windows CDP User Components Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8144 CVE-2020-1549 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows CDP User Components improperly handle memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows CDP User Components handle memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8150 |
Title: Windows CDP User Components Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8150 CVE-2020-1550 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows CDP User Components improperly handle memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows CDP User Components handle memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8149 |
Title: Windows Backup Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8149 CVE-2020-1534 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8093 |
Title: Windows Backup Engine Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8093 CVE-2020-1543 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8098 |
Title: Windows Backup Engine Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8098 CVE-2020-1535 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8115 |
Title: Windows Backup Engine Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8115 CVE-2020-1546 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8122 |
Title: Windows Backup Engine Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8122 CVE-2020-1536 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8135 |
Title: Windows Backup Engine Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8135 CVE-2020-1545 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8139 |
Title: Windows Backup Engine Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8139 CVE-2020-1540 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8140 |
Title: Windows Backup Engine Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8140 CVE-2020-1541 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8148 |
Title: Windows Backup Engine Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8148 CVE-2020-1544 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8151 |
Title: Windows Backup Engine Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8151 CVE-2020-1551 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8152 |
Title: Windows Backup Engine Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8152 CVE-2020-1542 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8169 |
Title: Windows Backup Engine Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8169 CVE-2020-1547 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8173 |
Title: Windows Backup Engine Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8173 CVE-2020-1539 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8157 |
Title: Windows AppX Deployment Extensions Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8157 CVE-2020-1488 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows AppX Deployment Extensions improperly performs privilege management, resulting in access to system files. To exploit this vulnerability, an authenticated attacker would need to run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how AppX Deployment Extensions manages privileges. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8138 |
Title: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8138 CVE-2020-1587 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Ancillary Function Driver for WinSock improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Ancillary Function Driver for WinSock handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8159 |
Title: Windows Accounts Control Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8159 CVE-2020-1531 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Accounts Control improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Accounts Control handles memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8103 |
Title: Win32k Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8103 CVE-2020-1510 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8206 |
Title: Vulnerability PostgreSQL before 12.2, before 11.7, before 10.12 and before 9.6.17. |
Type: Software |
Bulletins:
CISEC:8206 CVE-2020-1720 |
Severity: Low |
Description: A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to drop objects such as functions, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8216 |
Title: Vulnerability insufficiently random numbers |
Type: Software |
Bulletins:
CISEC:8216 CVE-2013-1900 |
Severity: High |
Description: PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the "contrib/pgcrypto functions." | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8185 |
Title: Vulnerability in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 |
Type: Software |
Bulletins:
CISEC:8185 CVE-2012-3489 |
Severity: Medium |
Description: The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8227 |
Title: Vulnerability in Postgresql versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 |
Type: Software |
Bulletins:
CISEC:8227 |
Severity: Low |
Description: A vulnerability was found in libpq, the default PostgreSQL client library, where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2020-09-11 |
ID: CISEC:8211 |
Title: Vulnerability in PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 |
Type: Software |
Bulletins:
CISEC:8211 |
Severity: Low |
Description: It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes of server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2020-09-11 |
ID: CISEC:8218 |
Title: Vulnerability in PostgreSQL before 9.5.x before 9.5.2 |
Type: Software |
Bulletins:
CISEC:8218 CVE-2016-3065 |
Severity: High |
Description: The (1) brin_page_type and (2) brin_metapage_info functions in the pageinspect extension in PostgreSQL before 9.5.x before 9.5.2 allow attackers to bypass intended access restrictions and consequently obtain sensitive server memory information or cause a denial of service (server crash) via a crafted bytea value in a BRIN index page. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8240 |
Title: Vulnerability in PostgreSQL before 9.5.x before 9.5.2 |
Type: Software |
Bulletins:
CISEC:8240 CVE-2016-2193 |
Severity: Medium |
Description: PostgreSQL before 9.5.x before 9.5.2 does not properly maintain row-security status in cached plans, which might allow attackers to bypass intended access restrictions by leveraging a session that performs queries as more than one role. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8242 |
Title: Vulnerability in PostgreSQL before 9.3.15, 9.4.x before 9.4.10, and 9.5.x before 9.5.5 |
Type: Software |
Bulletins:
CISEC:8242 CVE-2016-7048 |
Severity: High |
Description: The interactive installer in PostgreSQL before 9.3.15, 9.4.x before 9.4.10, and 9.5.x before 9.5.5 might allow remote attackers to execute arbitrary code by leveraging use of HTTP to download software. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8225 |
Title: Vulnerability in PostgreSQL before 9.2.22, 9.3.x before 9.3.18, 9.4.x before 9.4.13, 9.5.x before 9.5.8, and 9.6.x before 9.6.4 |
Type: Software |
Bulletins:
CISEC:8225 CVE-2017-7548 |
Severity: Medium |
Description: PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to an authorization flaw allowing remote authenticated attackers with no privileges on a large object to overwrite the entire contents of the object, resulting in a denial of service. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8219 |
Title: Vulnerability in PostgreSQL before 9.2.22, 9.3.x before 9.3.18, 9.4.x before 9.4.13, 9.5.x before 9.5.8, and 9.6.x before 9.6.4 |
Type: Software |
Bulletins:
CISEC:8219 CVE-2017-7546 |
Severity: High |
Description: PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to an incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8202 |
Title: Vulnerability in PostgreSQL before 9.2.22, 9.3.x before 9.3.18, 9.4.x before 9.4.13, 9.5.x before 9.5.8, and 9.6.x before 9.6.4 |
Type: Software |
Bulletins:
CISEC:8202 CVE-2017-7547 |
Severity: Medium |
Description: PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to an authorization flaw allowing remote authenticated attackers to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8224 |
Title: Vulnerability in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 |
Type: Software |
Bulletins:
CISEC:8224 CVE-2017-7486 |
Severity: Medium |
Description: PostgreSQL versions 8.4 - 9.6 are vulnerable to an information leak in the pg_user_mappings view, which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8236 |
Title: Vulnerability in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 |
Type: Software |
Bulletins:
CISEC:8236 CVE-2017-7485 |
Severity: Medium |
Description: In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing an SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8190 |
Title: Vulnerability in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 |
Type: Software |
Bulletins:
CISEC:8190 CVE-2017-7484 |
Severity: Medium |
Description: It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8222 |
Title: Vulnerability in PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 |
Type: Software |
Bulletins:
CISEC:8222 CVE-2016-5423 |
Severity: Medium |
Description: PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8207 |
Title: Vulnerability in PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 |
Type: Software |
Bulletins:
CISEC:8207 CVE-2016-5424 |
Severity: Medium |
Description: PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8234 |
Title: Vulnerability in PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 |
Type: Software |
Bulletins:
CISEC:8234 CVE-2016-0766 |
Severity: High |
Description: PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 does not properly restrict access to unspecified custom configuration settings (GUCS) for PL/Java, which allows attackers to gain privileges via unspecified vectors. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8210 |
Title: Vulnerability in PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 |
Type: Software |
Bulletins:
CISEC:8210 CVE-2016-0773 |
Severity: Medium |
Description: PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 allows remote attackers to cause a denial of service (infinite loop or buffer overflow and crash) via a large Unicode character range in a regular expression. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8208 |
Title: Vulnerability in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5 |
Type: Software |
Bulletins:
CISEC:8208 CVE-2015-5288 |
Severity: Medium |
Description: The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5 allows attackers to cause a denial of service (server crash) or read arbitrary server memory via a "too-short" salt. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8179 |
Title: Vulnerability in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 |
Type: Software |
Bulletins:
CISEC:8179 CVE-2014-0060 |
Severity: Medium |
Description: PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8180 |
Title: Vulnerability in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 |
Type: Software |
Bulletins:
CISEC:8180 CVE-2014-0066 |
Severity: Medium |
Description: The chkpass extension in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly check the return value of the crypt library function, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8237 |
Title: Vulnerability in PostgreSQL before 11.1, 10.6 |
Type: Software |
Bulletins:
CISEC:8237 |
Severity: Low |
Description: PostgreSQL before versions 11.1, 10.6 is vulnerable to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... REFERENCING. Using a purpose-crafted trigger definition, an attacker can cause arbitrary SQL statements to run, with superuser privileges. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2020-09-11 |
ID: CISEC:8193 |
Title: Vulnerability in PostgreSQL 9.3.x before 9.3.22, 9.4.x before 9.4.17, 9.5.x before 9.5.12, 9.6.x before 9.6.8 and 10.x before 10.3 |
Type: Software |
Bulletins:
CISEC:8193 CVE-2018-1058 |
Severity: Medium |
Description: A flaw was found in the way PostgreSQL allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database. Versions 9.3 through 10 are affected. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8198 |
Title: Vulnerability in PostgreSQL 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2 |
Type: Software |
Bulletins:
CISEC:8198 CVE-2018-1053 |
Severity: Low |
Description: In PostgreSQL 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates a file in the current working directory containing the output of `pg_dumpall -g` under the umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8199 |
Title: Vulnerability in PostgreSQL 9.3.3 and earlier |
Type: Software |
Bulletins:
CISEC:8199 CVE-2014-0067 |
Severity: Medium |
Description: The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authentication requirements for a database cluster to be used for the tests, which allows local users to gain privileges by leveraging access to this cluster. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8197 |
Title: Vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 |
Type: Software |
Bulletins:
CISEC:8197 CVE-2013-1903 |
Severity: High |
Description: PostgreSQL, possibly 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 incorrectly provides the superuser password to scripts related to "graphical installers for Linux and Mac OS X," which has unspecified impact and attack vectors. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8177 |
Title: Vulnerability in PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 |
Type: Software |
Bulletins:
CISEC:8177 CVE-2013-1901 |
Severity: Medium |
Description: PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8200 |
Title: Vulnerability in PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 |
Type: Software |
Bulletins:
CISEC:8200 CVE-2013-0255 |
Severity: Medium |
Description: PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticated users to cause a denial of service (server crash) or read sensitive process memory via a crafted SQL command, which triggers an array index error and an out-of-bounds read. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8205 |
Title: Vulnerability in PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 |
Type: Software |
Bulletins:
CISEC:8205 CVE-2012-0867 |
Severity: Medium |
Description: PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof connections when the host name is exactly 32 characters. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8183 |
Title: Vulnerability in PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4 |
Type: Software |
Bulletins:
CISEC:8183 CVE-2012-2655 |
Severity: Medium |
Description: PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4 allows remote authenticated users to cause a denial of service (server crash) by adding the (1) SECURITY DEFINER or (2) SET attributes to a procedural language's call handler. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8232 |
Title: Vulnerability in PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 |
Type: Software |
Bulletins:
CISEC:8232 CVE-2009-4034 |
Severity: Medium |
Description: PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based PostgreSQL servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended client-hostname restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8184 |
Title: Vulnerability in PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 |
Type: Software |
Bulletins:
CISEC:8184 CVE-2009-4136 |
Severity: Medium |
Description: PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly manage session-local state during execution of an index function by a database superuser, which allows remote authenticated users to gain privileges via a table with crafted index functions, as demonstrated by functions that modify (1) search_path or (2) a prepared statement, a related issue to CVE-2007-6600 and CVE-2009-3230. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8189 |
Title: Vulnerability in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 |
Type: Software |
Bulletins:
CISEC:8189 CVE-2010-1975 |
Severity: Medium |
Description: PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not properly check privileges during certain RESET ALL operations, which allows remote authenticated users to remove arbitrary parameter settings via a (1) ALTER USER or (2) ALTER DATABASE statement. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8220 |
Title: Vulnerability in PostgreSQL 11.x prior to 11.3 |
Type: Software |
Bulletins:
CISEC:8220 CVE-2019-10129 |
Severity: Medium |
Description: A vulnerability was found in PostgreSQL versions 11.x prior to 11.3. Using a purpose-crafted insert to a partitioned table, an attacker can read arbitrary bytes of server memory. In the default configuration, any user can create a partitioned table suitable for this attack. (Exploit prerequisites are the same as for CVE-2018-1052). | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8192 |
Title: Vulnerability in PostgreSQL 11.x before 11.5, 10.x before 10.10, 9.6.x before 9.6.15, 9.5.x before 9.5.19, 9.4.x before 9.4.24 |
Type: Software |
Bulletins:
CISEC:8192 CVE-2019-10208 |
Severity: Medium |
Description: A flaw was discovered in PostgreSQL where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8212 |
Title: Vulnerability in PostgreSQL 11.x before 11.5 |
Type: Software |
Bulletins:
CISEC:8212 CVE-2019-10209 |
Severity: Low |
Description: PostgreSQL, versions 11.x before 11.5, is vulnerable to a memory disclosure in cross-type comparison for hashed subplan. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8196 |
Title: Vulnerability in PostgreSQL 11.x before 11.3, 10.x before 10.8, 9.6.x before 9.6.13, 9.5.x before 9.5.17 |
Type: Software |
Bulletins:
CISEC:8196 CVE-2019-10130 |
Severity: Medium |
Description: A vulnerability was found in PostgreSQL versions 11.x before 11.3, 10.x before 10.8, 9.6.x before 9.6.13, and 9.5.x before 9.5.17. PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of certain columns. Affected columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-level security prunes the set of rows visible to the attacker. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8181 |
Title: Vulnerability in PostgreSQL 10.x before 10.4, 9.6.x before 9.6.9 |
Type: Software |
Bulletins:
CISEC:8181 CVE-2018-1115 |
Severity: Medium |
Description: PostgreSQL before versions 10.4, 9.6.9 is vulnerable in the adminpack extension: the pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs as pg_rotate_logfile. If the adminpack is added to a database, an attacker able to connect to it could exploit this to force log rotation. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8187 |
Title: Vulnerability in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 |
Type: Software |
Bulletins:
CISEC:8187 CVE-2017-15099 |
Severity: Medium |
Description: INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8204 |
Title: Vulnerability in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 |
Type: Software |
Bulletins:
CISEC:8204 CVE-2017-15098 |
Severity: Medium |
Description: Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8223 |
Title: Vulnerability in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 |
Type: Software |
Bulletins:
CISEC:8223 CVE-2017-12172 |
Severity: High |
Description: PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. PostgreSQL provides a script for starting the database server during system boot. Packages of PostgreSQL for many operating systems provide their own, packager-authored startup implementations. Several implementations use a log file name that the database superuser can replace with a symbolic link. As root, they open(), chmod() and/or chown() this log file name. This often suffices for the database superuser to escalate to root privileges when root starts the server. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8221 |
Title: Vulnerability in PostgreSQL |
Type: Software |
Bulletins:
CISEC:8221 CVE-2010-1169 |
Severity: High |
Description: PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedures, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Perl code via a crafted script, related to the Safe module (aka Safe.pm) for Perl. NOTE: some sources report that this issue is the same as CVE-2010-1447. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8229 |
Title: Vulnerability in PostgreSQL |
Type: Software |
Bulletins:
CISEC:8229 CVE-2014-0061 |
Severity: Medium |
Description: The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8186 |
Title: Vulnerability in PostgreSQL |
Type: Software |
Bulletins:
CISEC:8186 CVE-2010-1170 |
Severity: Medium |
Description: The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 loads Tcl code from the pltcl_modules table regardless of the table's ownership and permissions, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Tcl code by creating this table and inserting a crafted Tcl script. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8194 |
Title: Vulnerability in PostgreSQL |
Type: Software |
Bulletins:
CISEC:8194 CVE-2010-1447 |
Severity: High |
Description: The Safe (aka Safe.pm) module 2.26, and certain earlier versions, for Perl, as used in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2, allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving subroutine references and delayed execution. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8195 |
Title: Vulnerability in PostgreSQL |
Type: Software |
Bulletins:
CISEC:8195 CVE-2013-1902 |
Severity: High |
Description: PostgreSQL, 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 generates insecure temporary files with predictable filenames, which has unspecified impact and attack vectors related to "graphical installers for Linux and Mac OS X." | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8203 |
Title: Vulnerability in PHP through 5.3.13, PostgreSQL 8.4 before 8.4.12, PostgreSQL 9.0 before 9.0.8, PostgreSQL 9.1 before 9.1.4 |
Type: Software |
Bulletins:
CISEC:8203 CVE-2012-2143 |
Severity: Medium |
Description: The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password. | ||||
Applies to: PHP PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8213 |
Title: Vulnerability in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 |
Type: Software |
Bulletins:
CISEC:8213 CVE-2012-3488 |
Severity: Medium |
Description: The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8182 |
Title: Unanticipated errors from the standard library in PostgreSQL |
Type: Software |
Bulletins:
CISEC:8182 |
Severity: Low |
Description: Unanticipated errors from the standard library in PostgreSQL before 9.4.2, 9.3.7, 9.2.11, 9.1.16, and 9.0.20. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2020-09-11 |
ID: CISEC:8226 |
Title: Race condition in the CREATE INDEX and ALTER TABLE commands in PostgreSQL |
Type: Software |
Bulletins:
CISEC:8226 CVE-2014-0062 |
Severity: Medium |
Description: Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating or deleting a table with the same name during the timing window. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8201 |
Title: pgcrypto has multiple error messages for decryption with an incorrect key in PostgreSQL |
Type: Software |
Bulletins:
CISEC:8201 |
Severity: Low |
Description: pgcrypto has multiple error messages for decryption with an incorrect key in PostgreSQL before 9.4.2, 9.3.7, 9.2.11, 9.1.16, and 9.0.20. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2020-09-11 |
ID: CISEC:8114 |
Title: Netlogon Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8114 CVE-2020-1472 |
Severity: High |
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472. When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8176 |
Title: Multiple stack-based buffer overflows in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 |
Type: Software |
Bulletins:
CISEC:8176 CVE-2015-5289 |
Severity: Medium |
Description: Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of service (server crash) via unspecified vectors, which are not properly handled in (1) json or (2) jsonb values. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8188 |
Title: Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 |
Type: Software |
Bulletins:
CISEC:8188 CVE-2014-0063 |
Severity: Medium |
Description: Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8191 |
Title: Multiple integer overflows in PostgreSQL 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 |
Type: Software |
Bulletins:
CISEC:8191 CVE-2014-2669 |
Severity: Medium |
Description: Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact via vectors related to the (1) hstore_recv, (2) hstore_from_arrays, and (3) hstore_from_array functions in contrib/hstore/hstore_io.c; and the (4) hstoreArrayToPairs function in contrib/hstore/hstore_op.c, which triggers a buffer overflow. NOTE: this issue was SPLIT from CVE-2014-0064 because it has a different set of affected versions. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8245 |
Title: Multiple integer overflows in PostgreSQL |
Type: Software |
Bulletins:
CISEC:8245 CVE-2014-0064 |
Severity: Medium |
Description: Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, which trigger a buffer overflow. NOTE: this identifier has been SPLIT due to different affected versions; use CVE-2014-2669 for the hstore vector. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8241 |
Title: Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 |
Type: Software |
Bulletins:
CISEC:8241 CVE-2014-0065 |
Severity: Medium |
Description: Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, a different vulnerability than CVE-2014-0063. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8106 |
Title: Microsoft Graphics Components Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8106 CVE-2020-1562 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8110 |
Title: Microsoft Graphics Components Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8110 CVE-2020-1561 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8244 |
Title: Memory errors in the pgcrypto extension in PostgreSQL |
Type: Software |
Bulletins:
CISEC:8244 |
Severity: Low |
Description: Memory errors in functions in the pgcrypto extension in PostgreSQL before 9.4.1, 9.3.6, 9.2.10, 9.1.15 and 9.0.19. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2020-09-11 |
ID: CISEC:8178 |
Title: Memory disclosure vulnerability in PostgreSQL 10.x before 10.2 |
Type: Software |
Bulletins:
CISEC:8178 CVE-2018-1052 |
Severity: Medium |
Description: Memory disclosure vulnerability in table partitioning was found in PostgreSQL 10.x before 10.2, allowing an authenticated attacker to read arbitrary bytes of server memory via purpose-crafted insert to a partitioned table. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8096 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:8096 CVE-2020-1477 |
Severity: Medium |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8129 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:8129 CVE-2020-1492 |
Severity: Medium |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8131 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:8131 CVE-2020-1478 |
Severity: Medium |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8156 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:8156 CVE-2020-1554 |
Severity: Medium |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8158 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:8158 CVE-2020-1525 |
Severity: Medium |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8174 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:8174 CVE-2020-1379 |
Severity: Medium |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8112 |
Title: Media Foundation Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8112 CVE-2020-1487 |
Severity: Medium |
Description: An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log onto an affected system and open a specially crafted file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8172 |
Title: Local Security Authority Subsystem Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8172 CVE-2020-1509 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the Local Security Authority Subsystem Service (LSASS) when an authenticated attacker sends a specially crafted authentication request. A remote attacker who successfully exploited this vulnerability could cause an elevation of privilege on the target system's LSASS service. The security update addresses the vulnerability by changing the way that LSASS handles specially crafted authentication requests. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8118 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8118 CVE-2020-1564 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8121 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8121 CVE-2020-1558 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8127 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8127 CVE-2020-1473 |
Severity: Medium |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8128 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8128 CVE-2020-1557 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8215 |
Title: Integer overflow in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2 |
Type: Software |
Bulletins:
CISEC:8215 CVE-2010-0733 |
Severity: Low |
Description: Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2, allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with many LEFT JOIN clauses, related to certain hashtable size calculations. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8243 |
Title: EnterpriseDB Windows installer bundled OpenSSL executes code from unprotected directory |
Type: Software |
Bulletins:
CISEC:8243 CVE-2019-10211 |
Severity: High |
Description: When the database server or libpq client library initializes SSL, libeay32.dll attempts to read configuration from a hard-coded directory. Typically, the directory does not exist, but any local user could create it and inject configuration. This configuration can direct OpenSSL to load and execute arbitrary code as the user running a PostgreSQL server or client. Most PostgreSQL client tools and libraries use libpq, and one can encounter this vulnerability by using any of them. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8235 |
Title: Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 |
Type: Software |
Bulletins:
CISEC:8235 CVE-2015-3165 |
Severity: Medium |
Description: Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8164 |
Title: DirectX Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8164 CVE-2020-1479 |
Severity: High |
Description: An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8107 |
Title: DirectWrite Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8107 CVE-2020-1577 |
Severity: Medium |
Description: An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8217 |
Title: CRLF injection vulnerability in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 |
Type: Software |
Bulletins:
CISEC:8217 CVE-2012-0868 |
Severity: Medium |
Description: CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are inserted into an SQL script that is used when the database is restored. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8228 |
Title: CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 |
Type: Software |
Bulletins:
CISEC:8228 CVE-2012-0866 |
Severity: Medium |
Description: CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 does not properly check the execute permission for trigger functions marked SECURITY DEFINER, which allows remote authenticated users to execute otherwise restricted triggers on arbitrary data by installing the trigger on an attacker-owned table. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8238 |
Title: Constraint violation errors in PostgreSQL |
Type: Software |
Bulletins:
CISEC:8238 |
Severity: Low |
Description: Constraint violation errors can cause display of values in columns which the user would not normally have rights to see in PostgreSQL before 9.4.1, 9.3.6, 9.2.10, 9.1.15 and 9.0.19. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2020-09-11 |
ID: CISEC:8124 |
Title: Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8124 CVE-2020-1511 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. | ||||
Applies to: |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8209 |
Title: Buffer overruns in PostgreSQL |
Type: Software |
Bulletins:
CISEC:8209 |
Severity: Low |
Description: Buffer overruns in "to_char" functions in PostgreSQL before 9.4.1, 9.3.6, 9.2.10, 9.1.15 and 9.0.19. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2020-09-11 |
ID: CISEC:8239 |
Title: Buffer overrun in PostgreSQL |
Type: Software |
Bulletins:
CISEC:8239 |
Severity: Low |
Description: Buffer overrun in replacement printf family of functions in PostgreSQL before 9.4.1, 9.3.6, 9.2.10, 9.1.15 and 9.0.19. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2020-09-11 |
ID: CISEC:8230 |
Title: Buffer overflow in the intarray array module in PostgreSQL 9.0.x before 9.0.3, 8.4.x before 8.4.7, 8.3.x before 8.3.14, and 8.2.x before 8.2.20 |
Type: Software |
Bulletins:
CISEC:8230 CVE-2010-4015 |
Severity: Medium |
Description: Buffer overflow in the gettoken function in contrib/intarray/_int_bool.c in the intarray array module in PostgreSQL 9.0.x before 9.0.3, 8.4.x before 8.4.7, 8.3.x before 8.3.14, and 8.2.x before 8.2.20 allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via integers with a large number of digits to unspecified functions. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8214 |
Title: Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 |
Type: Software |
Bulletins:
CISEC:8214 CVE-2013-1899 |
Severity: Medium |
Description: Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen). | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8231 |
Title: Arbitrary code execution vulnerability in PostgreSQL 9.3 through 11.2 |
Type: Software |
Bulletins:
CISEC:8231 CVE-2019-9193 |
Severity: High |
Description: In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_read_server_files' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2024-09-07 |
ID: CISEC:8233 |
Title: An error in PostgreSQL |
Type: Software |
Bulletins:
CISEC:8233 |
Severity: Low |
Description: An error in extended protocol message reading in PostgreSQL before 9.4.1, 9.3.6, 9.2.10, 9.1.15 and 9.0.19. | ||||
Applies to: PostgreSQL |
Created: 2020-09-11 |
Updated: 2020-09-11 |
ID: CISEC:8065 |
Title: Vulnerability in JetBrains Hub versions earlier than 2019.1.11738 |
Type: Software |
Bulletins:
CISEC:8065 CVE-2019-18360 |
Severity: Medium |
Description: In JetBrains Hub versions earlier than 2019.1.11738, username enumeration was possible through password recovery. | ||||
Applies to: JetBrains Hub |
Created: 2020-08-21 |
Updated: 2024-09-07 |
ID: CISEC:8064 |
Title: Vulnerability in JetBrains Hub before 2020.1.12099 |
Type: Software |
Bulletins:
CISEC:8064 CVE-2020-11691 |
Severity: Medium |
Description: In JetBrains Hub before 2020.1.12099, content spoofing in the Hub OAuth error message was possible. | ||||
Applies to: JetBrains Hub |
Created: 2020-08-21 |
Updated: 2024-09-07 |
ID: CISEC:8062 |
Title: Vulnerability in JetBrains Hub before 2018.4.11436 |
Type: Software |
Bulletins:
CISEC:8062 CVE-2019-14955 |
Severity: Medium |
Description: In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password and no password expiration policy was implemented. | ||||
Applies to: JetBrains Hub |
Created: 2020-08-21 |
Updated: 2024-09-07 |
ID: CISEC:8066 |
Title: Vulnerability in JetBrains Hub before 2018.4.11298 |
Type: Software |
Bulletins:
CISEC:8066 CVE-2019-12847 |
Severity: Medium |
Description: In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user. It is only relevant in cases where a password has not changed since 2017, and if the audit log still contains events from before that period. | ||||
Applies to: JetBrains Hub |
Created: 2020-08-21 |
Updated: 2024-09-07 |
ID: CISEC:8061 |
Title: Vulnerability in Bitdefender Total Security 21.0.24.62 |
Type: Software |
Bulletins:
CISEC:8061 CVE-2017-10950 |
Severity: Medium |
Description: This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of Bitdefender Total Security 21.0.24.62. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within processing of the 0x8000E038 IOCTL in the bdfwfpf driver. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker could leverage this vulnerability to execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-4776. | ||||
Applies to: Bitdefender Total Security |
Created: 2020-08-21 |
Updated: 2024-09-07 |
ID: CISEC:8058 |
Title: Vulnerability in Bitdefender Total Security 2020 prior to 24.9 |
Type: Software |
Bulletins:
CISEC:8058 CVE-2020-8095 |
Severity: Medium |
Description: A vulnerability in the improper handling of junctions before deletion in Bitdefender Total Security 2020 can allow an attacker to trigger a denial of service on the affected device. | ||||
Applies to: Bitdefender Total Security |
Created: 2020-08-21 |
Updated: 2024-09-07 |
ID: CISEC:8048 |
Title: Vulnerability in Bitdefender Total Security 2020 prior to 24.0.20.116 |
Type: Software |
Bulletins:
CISEC:8048 CVE-2020-8102 |
Severity: Medium |
Description: Improper Input Validation vulnerability in the Safepay browser component of Bitdefender Total Security 2020 allows an external, specially crafted web page to run remote commands inside the Safepay Utility process. This issue affects Bitdefender Total Security 2020 versions prior to 24.0.20.116. | ||||
Applies to: Bitdefender Total Security |
Created: 2020-08-21 |
Updated: 2024-09-07 |
ID: CISEC:8052 |
Title: Vulnerability in Bitdefender Total Security 2020 prior to 24.0.12.69 |
Type: Software |
Bulletins:
CISEC:8052 CVE-2019-17100 |
Severity: Medium |
Description: An Untrusted Search Path vulnerability in bdserviceshost.exe as used in Bitdefender Total Security 2020 prior to 24.0.12.69 allows an attacker to execute arbitrary code. | ||||
Applies to: Bitdefender Total Security |
Created: 2020-08-21 |
Updated: 2024-09-07 |
ID: CISEC:8050 |
Title: Vulnerability in Bitdefender Safepay before 23.0.10.34 |
Type: Software |
Bulletins:
CISEC:8050 CVE-2019-6737 |
Severity: Medium |
Description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Bitdefender SafePay 23.0.10.34. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of TIScript. The issue lies in the handling of the openFile method, which allows for an arbitrary file write with attacker controlled data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7247. | ||||
Applies to: Bitdefender Safepay |
Created: 2020-08-21 |
Updated: 2024-09-07 |
ID: CISEC:8057 |
Title: Vulnerability in Bitdefender Safepay before 23.0.10.34 |
Type: Software |
Bulletins:
CISEC:8057 CVE-2019-6736 |
Severity: Medium |
Description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Bitdefender SafePay 23.0.10.34. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of tiscript. When processing the System.Exec method the application does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7234. | ||||
Applies to: Bitdefender Safepay |
Created: 2020-08-21 |
Updated: 2024-09-07 |
ID: CISEC:8060 |
Title: Vulnerability in Bitdefender Safepay before 23.0.10.34 |
Type: Software |
Bulletins:
CISEC:8060 CVE-2019-6738 |
Severity: Medium |
Description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Bitdefender SafePay 23.0.10.34. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of TIScript. When processing the launch method the application does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7250. | ||||
Applies to: Bitdefender Safepay |
Created: 2020-08-21 |
Updated: 2024-09-07 |
ID: CISEC:8053 |
Title: Vulnerability in Bitdefender products |
Type: Software |
Bulletins:
CISEC:8053 CVE-2019-14242 |
Severity: High |
Description: An issue was discovered in Bitdefender products for Windows (Bitdefender Endpoint Security Tool versions prior to 6.6.8.115; and Bitdefender Antivirus Plus, Bitdefender Internet Security, and Bitdefender Total Security versions prior to 23.0.24.120) that can lead to local code injection. A local attacker with administrator privileges can create a malicious DLL file in %SystemRoot%\System32\ that will be executed with local user privileges. | ||||
Applies to: Bitdefender Antivirus Plus Bitdefender Internet Security Bitdefender Total Security |
Created: 2020-08-21 |
Updated: 2024-09-07 |
ID: CISEC:8059 |
Title: Vulnerability in Bitdefender Endpoint Security Tools prior to 6.6.11.163 |
Type: Software |
Bulletins:
CISEC:8059 CVE-2019-17099 |
Severity: Medium |
Description: An Untrusted Search Path vulnerability in EPSecurityService.exe as used in Bitdefender Endpoint Security Tools versions prior to 6.6.11.163 allows an attacker to load an arbitrary DLL file from the search path. This issue affects: Bitdefender EPSecurityService.exe versions prior to 6.6.11.163. | ||||
Applies to: Bitdefender Endpoint Security Tools |
Created: 2020-08-21 |
Updated: 2024-09-07 |
ID: CISEC:8051 |
Title: Vulnerability in Bitdefender Antivirus Free prior to 1.0.17.178 |
Type: Software |
Bulletins:
CISEC:8051 CVE-2020-8103 |
Severity: Low |
Description: A vulnerability in the improper handling of symbolic links in Bitdefender Antivirus Free can allow an unprivileged user to substitute a quarantined file, and restore it to a privileged location. This issue affects Bitdefender Antivirus Free versions prior to 1.0.17.178. | ||||
Applies to: Bitdefender Antivirus Free |
Created: 2020-08-21 |
Updated: 2024-09-07 |
ID: CISEC:8045 |
Title: Vulnerability in Bitdefender Antivirus Free prior to 1.0.17 |
Type: Software |
Bulletins:
CISEC:8045 CVE-2020-8099 |
Severity: Medium |
Description: A vulnerability in the improper handling of junctions in Bitdefender Antivirus Free can allow an unprivileged user to substitute a quarantined file, and restore it to a privileged location. This issue affects: Bitdefender Antivirus Free versions prior to 1.0.17. | ||||
Applies to: Bitdefender Antivirus Free |
Created: 2020-08-21 |
Updated: 2024-09-07 |
ID: CISEC:8054 |
Title: Vulnerability in Bitdefender Antivirus Free prior to 1.0.15.138 |
Type: Software |
Bulletins:
CISEC:8054 |
Severity: Low |
Description: An Untrusted Search Path vulnerability in the ServiceInstance.dll library versions 1.0.15.119 and lower, as used in Bitdefender Antivirus Free 2020 versions prior to 1.0.15.138, allows an attacker to load an arbitrary DLL file from the search path. | ||||
Applies to: Bitdefender Antivirus Free |
Created: 2020-08-21 |
Updated: 2020-08-21 |
ID: CISEC:8047 |
Title: Code injection vulnerability in Bitdefender |
Type: Software |
Bulletins:
CISEC:8047 CVE-2017-6186 |
Severity: High |
Description: Code injection vulnerability in Bitdefender Total Security 12.0 (and earlier), Internet Security 12.0 (and earlier), and Antivirus Plus 12.0 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Bitdefender process via a "DoubleAgent" attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack. | ||||
Applies to: Bitdefender Antivirus Plus Bitdefender Internet Security Bitdefender Total Security |
Created: 2020-08-21 |
Updated: 2024-09-07 |
ID: CISEC:7959 |
Title: Windows WalletService Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7959 CVE-2020-1361 |
Severity: Low |
Description: An information disclosure vulnerability exists in the way that the WalletService handles memory. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by correcting how the WalletService handles memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8022 |
Title: Windows WalletService Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8022 CVE-2020-1362 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows WalletService properly handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8037 |
Title: Windows WalletService Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8037 CVE-2020-1344 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows WalletService properly handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7997 |
Title: Windows WalletService Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7997 CVE-2020-1369 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows WalletService properly handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8010 |
Title: Windows WalletService Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:8010 CVE-2020-1364 |
Severity: Low |
Description: A denial of service vulnerability exists in the way that the WalletService handles files. An attacker who successfully exploited the vulnerability could corrupt system files. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by correcting how the WalletService handles files. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7996 |
Title: Windows USO Core Worker Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7996 CVE-2020-1352 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows USO Core Worker improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows USO Core Worker handles memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8033 |
Title: Windows UPnP Device Host Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8033 CVE-2020-1430 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows UPnP Device Host improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows UPnP Device Host handles memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7968 |
Title: Windows UPnP Device Host Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7968 CVE-2020-1354 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows UPnP Device Host improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows UPnP Device Host handles memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7958 |
Title: Windows Update Stack Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7958 CVE-2020-1424 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows Update Stack handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7974 |
Title: Windows System Events Broker Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7974 CVE-2020-1357 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows System Events Broker improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows System Events Broker properly handles file operations. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8025 |
Title: Windows Sync Host Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8025 CVE-2020-1434 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Sync Host Service handles objects in memory. An attacker who successfully exploited the vulnerability could allow an application with limited privileges on an affected system to execute code at a medium integrity level. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows Sync Host Service handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7976 |
Title: Windows Storage Services Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7976 CVE-2020-1347 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Storage Services improperly handle file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Storage Services properly handle file operations. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7993 |
Title: Windows Spatial Data Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7993 CVE-2020-1441 |
Severity: Low |
Description: An elevation of privilege vulnerability exists when the Windows Spatial Data Service improperly handles objects in memory. An attacker could exploit the vulnerability to overwrite or modify a protected file leading to a privilege escalation. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by addressing how the Windows Spatial Data Service handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2021-12-30 |
ID: CISEC:7970 |
Title: Windows SharedStream Library Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7970 CVE-2020-1463 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the SharedStream Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the SharedStream Library properly handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8015 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8015 CVE-2020-1414 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8017 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8017 CVE-2020-1422 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8021 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8021 CVE-2020-1370 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8039 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8039 CVE-2020-1399 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7960 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7960 CVE-2020-1249 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7975 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7975 CVE-2020-1353 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7987 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7987 CVE-2020-1404 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7990 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7990 CVE-2020-1413 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7991 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7991 CVE-2020-1415 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8028 |
Title: Windows Resource Policy Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8028 CVE-2020-1358 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows Resource Policy component improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to disclose information about the victim system's memory layout. The security update addresses the vulnerability by correcting how the Windows Resource Policy component handles memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7988 |
Title: Windows Push Notification Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7988 CVE-2020-1387 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8006 |
Title: Windows Profile Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8006 CVE-2020-1360 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Profile Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Profile Service properly handles file operations. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7963 |
Title: Windows Print Workflow Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7963 CVE-2020-1366 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Print Workflow Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the AppContainer sandbox. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability. The security update addresses the vulnerability by correcting how the Windows Print Workflow Service handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8018 |
Title: Windows Picker Platform Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8018 CVE-2020-1363 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Picker Platform improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Picker Platform handles memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8029 |
Title: Windows Network Location Awareness Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8029 CVE-2020-1437 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Network Location Awareness Service handles objects in memory. An attacker who successfully exploited the vulnerability could allow an application with limited privileges on an affected system to execute code at a medium integrity level. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows Network Location Awareness Service handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8042 |
Title: Windows Network List Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8042 CVE-2020-1406 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way that the Windows Network List Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network List Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8008 |
Title: Windows Network Connections Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8008 CVE-2020-1373 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8011 |
Title: Windows Network Connections Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8011 CVE-2020-1438 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7995 |
Title: Windows Network Connections Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7995 CVE-2020-1390 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7979 |
Title: Windows Network Connections Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7979 CVE-2020-1428 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7981 |
Title: Windows Network Connections Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7981 CVE-2020-1427 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7986 |
Title: Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7986 CVE-2020-1330 |
Severity: Low |
Description: An information disclosure vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to read files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and access files. The security update addresses the vulnerability by correcting how Windows MDM Diagnostics handles files. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7973 |
Title: Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7973 CVE-2020-1405 |
Severity: Low |
Description: An elevation of privilege vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to delete files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and remove files. The security update addresses the vulnerability by correcting how Windows MDM Diagnostics handles files. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7983 |
Title: Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7983 CVE-2020-1372 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles objects in memory. An attacker who successfully exploited this vulnerability could bypass access restrictions to delete files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and remove files. The security update addresses the vulnerability by correcting how Windows MDM Diagnostics handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8041 |
Title: Windows Lockscreen Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8041 CVE-2020-1398 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Windows Lockscreen fails to properly handle the Ease of Access dialog. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. The security update addresses the vulnerability by ensuring that the Ease of Access dialog is handled properly. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8016 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8016 CVE-2020-1419 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows kernel initializes memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8026 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8026 CVE-2020-1426 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8036 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8036 CVE-2020-1389 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows kernel initializes memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7964 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7964 CVE-2020-1367 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7961 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7961 CVE-2020-1411 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7966 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7966 CVE-2020-1336 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8027 |
Title: Windows iSCSI Target Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8027 CVE-2020-1356 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows iSCSI Target Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows iSCSI Target Service properly handles file operations. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7977 |
Title: Windows Imaging Component Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7977 CVE-2020-1397 |
Severity: Medium |
Description: An information disclosure vulnerability exists in Windows when the Windows Imaging Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit this vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or instant message that takes users to the attacker's website or by opening an attachment sent through email. In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit this vulnerability and then convince a user to open the document file. The security update addresses the vulnerability by correcting how the Windows Imaging Component handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8007 |
Title: Windows Graphics Component Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8007 CVE-2020-1382 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8013 |
Title: Windows Graphics Component Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8013 CVE-2020-1381 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7998 |
Title: Windows GDI Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7998 CVE-2020-1468 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7962 |
Title: Windows Function Discovery Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7962 CVE-2020-1085 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Function Discovery Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7985 |
Title: Windows Font Library Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7985 CVE-2020-1436 |
Severity: Medium |
Description: A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted fonts. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file. The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8012 |
Title: Windows Font Driver Host Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8012 CVE-2020-1355 |
Severity: Medium |
Description: A remote code execution vulnerability exists when the Windows Font Driver Host improperly handles memory. An attacker who successfully exploited the vulnerability would gain execution on a victim system. The security update addresses the vulnerability by correcting how the Windows Font Driver Host handles memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8032 |
Title: Windows Event Logging Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8032 CVE-2020-1365 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Event Logging Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Event Logging Service handles memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7980 |
Title: Windows Event Logging Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7980 CVE-2020-1371 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Event Logging Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Event Logging Service handles memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8019 |
Title: Windows Error Reporting Manager Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8019 CVE-2020-1429 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows Error Reporting manager handles process crashes. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7972 |
Title: Windows Error Reporting Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7972 CVE-2020-1420 |
Severity: Low |
Description: An information disclosure vulnerability exists when Windows Error Reporting improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to disclose information. The security update addresses the vulnerability by correcting how Windows Error Reporting handles file operations. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8002 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8002 CVE-2020-1392 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Delivery Optimization service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows Delivery Optimization service handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8009 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8009 CVE-2020-1395 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Speech Brokered API handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Speech Brokered API properly handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8023 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8023 CVE-2020-1388 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the psmsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the psmsrv.dll properly handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8000 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8000 CVE-2020-1394 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Geolocation Framework handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Geolocation Framework properly handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8030 |
Title: Windows DNS Server Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8030 CVE-2020-1350 |
Severity: High |
Description: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server. The update addresses the vulnerability by modifying how Windows DNS servers handle requests. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8040 |
Title: Windows Diagnostics Hub Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8040 CVE-2020-1418 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Diagnostics Execution Service fails to properly sanitize input, leading to an unsecure library-loading behavior. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows Diagnostics Execution Service sanitizes input, to help preclude unintended elevated system privileges. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8001 |
Title: Windows Credential Picker Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8001 CVE-2020-1385 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Credential Picker handles objects in memory. An attacker who successfully exploited the vulnerability could allow an application with limited privileges on an affected system to execute code at a medium integrity level. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows Credential Picker handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7994 |
Title: Windows Credential Enrollment Manager Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7994 CVE-2020-1368 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Credential Enrollment Manager service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Credential Enrollment Manager service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7969 |
Title: Windows COM Server Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7969 CVE-2020-1375 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Windows improperly handles COM object creation. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Windows COM Server creates COM objects. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7989 |
Title: Windows CNG Key Isolation Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7989 CVE-2020-1384 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Cryptography Next Generation (CNG) Key Isolation service improperly handles memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows CNG Key Isolation Service handles memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7992 |
Title: Windows CNG Key Isolation Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7992 CVE-2020-1359 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Cryptography Next Generation (CNG) Key Isolation service improperly handles memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows CNG Key Isolation Service handles memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7967 |
Title: Windows AppX Deployment Extensions Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7967 CVE-2020-1431 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows AppX Deployment Extensions improperly performs privilege management, resulting in access to system files. To exploit this vulnerability, an authenticated attacker would need to run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how AppX Deployment Extensions manages privileges. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8035 |
Title: Windows ALPC Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:8035 CVE-2020-1396 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system. The update addresses the vulnerability by correcting how Windows handles calls to ALPC. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8034 |
Title: Windows Agent Activation Runtime Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8034 CVE-2020-1391 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows Agent Activation Runtime (AarSvc) fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application. The update addresses the vulnerability by correcting how the Windows Agent Activation Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8004 |
Title: Windows Address Book Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8004 CVE-2020-1410 |
Severity: High |
Description: A remote code execution vulnerability exists when Windows Address Book (WAB) improperly processes vCard files. To exploit the vulnerability, an attacker could send a malicious vCard that a victim opens using Windows Address Book (WAB). After successfully exploiting the vulnerability, an attacker could gain execution on a victim system. The security update addresses the vulnerability by correcting the way Windows Address Book handles bounds checking. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7971 |
Title: Windows ActiveX Installer Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7971 CVE-2020-1402 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows ActiveX Installer Service handles memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8003 |
Title: Remote Desktop Client Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8003 CVE-2020-1374 |
Severity: Medium |
Description: A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would have no way of forcing a user to connect to the malicious server; they would need to trick the user into connecting via social engineering, DNS poisoning, or a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect. The update addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8005 |
Title: Microsoft Graphics Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8005 CVE-2020-1408 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or instant message that takes users to the attacker's website, or by opening an attachment sent through email. In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit the vulnerability and then convince users to open the document file. The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7982 |
Title: Microsoft Graphics Components Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7982 CVE-2020-1412 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8020 |
Title: Microsoft Graphics Component Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:8020 CVE-2020-1351 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7965 |
Title: Local Security Authority Subsystem Service Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7965 CVE-2020-1267 |
Severity: Medium |
Description: This security update corrects a denial of service in the Local Security Authority Subsystem Service (LSASS) caused when an authenticated attacker sends a specially crafted authentication request. A remote attacker who successfully exploited this vulnerability could cause a denial of service on the target system's LSASS service, which triggers an automatic reboot of the system. The security update addresses the vulnerability by changing the way that LSASS handles specially crafted authentication requests. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8031 |
Title: LNK Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8031 CVE-2020-1421 |
Severity: High |
Description: A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker's choice on the target system. The security update addresses the vulnerability by correcting the processing of shortcut LNK references. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8014 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8014 CVE-2020-1401 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8024 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8024 CVE-2020-1400 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:8038 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:8038 CVE-2020-1407 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7999 |
Title: Group Policy Services Policy Processing Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7999 CVE-2020-1333 |
Severity: Low |
Description: An elevation of privilege vulnerability exists when Group Policy Services Policy Processing improperly handles reparse points. An attacker who successfully exploited this vulnerability could overwrite a targeted file that would normally require elevated permissions. To exploit the vulnerability, an attacker would first have to log on to a system and create folders that will be used by Group Policy logging and tracing. The attacker could then run a specially crafted application to target a file for overwriting, and then wait for the administrator to apply the Group Policy logging and tracing settings on the vulnerable system. The security update addresses the vulnerability by correcting how Group Policy Services Policy Processing performs data logging. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7984 |
Title: GDI+ Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7984 CVE-2020-1435 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message. In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file. The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7978 |
Title: Connected User Experiences and Telemetry Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7978 CVE-2020-1386 |
Severity: Low |
Description: An information disclosure vulnerability exists when Windows Connected User Experiences and Telemetry Service improperly discloses file information. Successful exploitation of the vulnerability could allow the attacker to read any file on the file system. To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by changing the way Windows Connected User Experiences and Telemetry Service discloses file information. | ||||
Applies to: |
Created: 2020-08-13 |
Updated: 2024-09-07 |
ID: CISEC:7936 |
Title: Vulnerability in Avira Antivirus through 15.0.2005.1866 |
Type: Software |
Bulletins:
CISEC:7936 CVE-2020-12680 |
Severity: Low |
Description: Avira Free Antivirus through 15.0.2005.1866 allows local users to discover user credentials. The functions of the executable file Avira.PWM.NativeMessaging.exe are aimed at collecting credentials stored in Chrome, Firefox, Opera, and Edge. The executable does not verify the calling program and thus a request such as fetchChromePasswords or fetchCredentials will succeed. NOTE: some third parties have stated that this is "not a vulnerability." | ||||
Applies to: Avira Antivirus |
Created: 2020-07-31 |
Updated: 2024-09-07 |
ID: CISEC:7935 |
Title: Vulnerability in Avira Antivirus before 8.3.54.138 |
Type: Software |
Bulletins:
CISEC:7935 CVE-2020-9320 |
Severity: Medium |
Description: Avira AV Engine before 8.3.54.138 allows virus-detection bypass via a crafted ISO archive. This affects versions before 8.3.54.138 of Antivirus for Endpoint, Antivirus for Small Business, Exchange Security (Gateway), Internet Security Suite for Windows, Prime, Free Security Suite for Windows, and Cross Platform Anti-malware SDK. | ||||
Applies to: Avira Antivirus |
Created: 2020-07-31 |
Updated: 2024-09-07 |
ID: CISEC:7933 |
Title: Vulnerability in Avira Antivirus before 15.0.2004.1825 |
Type: Software |
Bulletins:
CISEC:7933 CVE-2020-8961 |
Severity: High |
Description: An issue was discovered in Avira Free-Antivirus before 15.0.2004.1825. The Self-Protection feature does not prohibit a write operation from an external process. Thus, code injection can be used to turn off this feature. After that, one can construct an event that will modify a file at a specific location, and pass this event to the driver, thereby defeating the anti-virus functionality. | ||||
Applies to: Avira Antivirus |
Created: 2020-07-31 |
Updated: 2024-09-07 |
ID: CISEC:7934 |
Title: Vulnerability in Avira Antivirus before 15.0.2003.1821 |
Type: Software |
Bulletins:
CISEC:7934 CVE-2020-12254 |
Severity: Medium |
Description: Avira Antivirus before 15.0.2003.1821 on Windows allows privilege escalation or a denial of service via abuse of a symlink. | ||||
Applies to: Avira Antivirus |
Created: 2020-07-31 |
Updated: 2024-09-07 |
ID: CISEC:7932 |
Title: Vulnerability in Avira Antivirus |
Type: Software |
Bulletins:
CISEC:7932 CVE-2016-10402 |
Severity: High |
Description: Avira Antivirus engine versions before 8.3.36.60 allow remote code execution as NT AUTHORITY\SYSTEM via a section header with a very large relative virtual address in a PE file, causing an integer overflow and heap-based buffer underflow. | ||||
Applies to: Avira Antivirus |
Created: 2020-07-31 |
Updated: 2024-09-07 |
ID: CISEC:7937 |
Title: Vulnerability in Avira Antivirus |
Type: Software |
Bulletins:
CISEC:7937 CVE-2019-18568 |
Severity: High |
Description: Avira Free Antivirus 15.0.1907.1514 is prone to a local privilege escalation through the execution of kernel code from a restricted user. | ||||
Applies to: Avira Antivirus |
Created: 2020-07-31 |
Updated: 2024-09-07 |
ID: CISEC:7939 |
Title: Vulnerability in Avira Antivirus |
Type: Software |
Bulletins:
CISEC:7939 CVE-2013-4602 |
Severity: High |
Description: A Denial of Service (infinite loop) vulnerability exists in Avira AntiVir Engine before 8.2.12.58 via an unspecified function in the PDF Scanner Engine. | ||||
Applies to: Avira Antivirus |
Created: 2020-07-31 |
Updated: 2024-09-07 |
ID: CISEC:7925 |
Title: Vulnerability in Kaspersky products |
Type: Software |
Bulletins:
CISEC:7925 CVE-2019-15689 |
Severity: Medium |
Description: Kaspersky Secure Connection, Kaspersky Internet Security, Kaspersky Total Security, and Kaspersky Security Cloud prior to version 2020 patch E have a bug that allows a local user to execute arbitrary code via execution of a compromised file placed by an attacker with administrator rights. No privilege escalation. Possible whitelisting bypass of some of the security products. | ||||
Applies to: Kaspersky Internet Security Kaspersky Secure Connection Kaspersky Security Cloud Kaspersky Total Security |
Created: 2020-07-24 |
Updated: 2024-09-07 |
ID: CISEC:7904 |
Title: Vulnerability in Kaspersky Password Manager before 8.0.6.538 |
Type: Software |
Bulletins:
CISEC:7904 CVE-2018-6306 |
Severity: Medium |
Description: Unauthorized code execution from a specific DLL, known as a DLL hijacking attack, in Kaspersky Password Manager versions before 8.0.6.538. | ||||
Applies to: Kaspersky Password Manager |
Created: 2020-07-24 |
Updated: 2024-09-07 |
ID: CISEC:7921 |
Title: Vulnerability in Kaspersky Embedded Systems Security 1.2.0.300 and 2.0.0.385 |
Type: Software |
Bulletins:
CISEC:7921 CVE-2017-12823 |
Severity: Medium |
Description: Kernel pool memory corruption in one of the drivers in Kaspersky Embedded Systems Security version 1.2.0.300 leads to local privilege escalation. | ||||
Applies to: Kaspersky Embedded Systems Security |
Created: 2020-07-24 |
Updated: 2024-09-07 |
ID: CISEC:7905 |
Title: Vulnerability in Kaspersky Anti-Virus products |
Type: Software |
Bulletins:
CISEC:7905 |
Severity: Low |
Description: Kaspersky Lab has fixed a number of vulnerabilities found by Cisco TALOS. All these vulnerabilities could have been exploited only if the machine already contained a malicious program. TALOS-CAN-0166: a specially crafted call can cause an access violation in one of the product's drivers, resulting in a local denial of service. | ||||
Applies to: Kaspersky Anti-Virus Kaspersky Internet Security Kaspersky Total Security |
Created: 2020-07-24 |
Updated: 2020-07-24 |
ID: CISEC:7906 |
Title: Vulnerability in Kaspersky Anti-Virus products |
Type: Software |
Bulletins:
CISEC:7906 |
Severity: Low |
Description: Kaspersky Lab has fixed vulnerability TALOS-CAN-0169 in Kaspersky Anti-Virus products. This vulnerability could have been exploited only if the machine already contained a malicious program that might have used a bug in one of the product's drivers to cause an access violation in it, resulting in a local system denial of service. | ||||
Applies to: Kaspersky Anti-Virus Kaspersky Internet Security Kaspersky Total Security |
Created: 2020-07-24 |
Updated: 2020-07-24 |
ID: CISEC:7908 |
Title: Vulnerability in Kaspersky Anti-Virus products |
Type: Software |
Bulletins:
CISEC:7908 CVE-2016-4329 |
Severity: Low |
Description: A local denial of service vulnerability exists in the window broadcast message handling functionality of Kaspersky Anti-Virus software. By sending certain unhandled window messages, an attacker can cause application termination and in the same way bypass the KAV self-protection mechanism. | ||||
Applies to: Kaspersky Anti-Virus Kaspersky Internet Security Kaspersky Total Security |
Created: 2020-07-24 |
Updated: 2024-09-07 |
ID: CISEC:7912 |
Title: Vulnerability in Kaspersky Anti-Virus products |
Type: Software |
Bulletins:
CISEC:7912 CVE-2015-8691 |
Severity: Low |
Description: Kaspersky Lab has fixed vulnerability CVE-2015-8691 in Kaspersky Anti-Virus products, which may lead to local privilege escalation. This vulnerability could have been exploited only if the host machine already contained a malicious program that might have used a bug in one of the product's drivers to write to an arbitrary path without overwriting an existing file. | ||||
Applies to: Kaspersky Anti-Virus Kaspersky Internet Security Kaspersky Total Security |
Created: 2020-07-24 |
Updated: 2020-07-24 |
ID: CISEC:7916 |
Title: Vulnerability in Kaspersky Anti-Virus products |
Type: Software |
Bulletins:
CISEC:7916 |
Severity: Low |
Description: Kaspersky Lab has fixed a number of vulnerabilities found by Cisco TALOS. All these vulnerabilities could have been exploited only if the machine already contained a malicious program. TALOS-CAN-0168: a specially crafted call can cause one of the product's drivers to return out-of-bounds kernel memory, potentially leaking sensitive information. | ||||
Applies to: Kaspersky Anti-Virus Kaspersky Internet Security Kaspersky Total Security |
Created: 2020-07-24 |
Updated: 2020-07-24 |
ID: CISEC:7919 |
Title: Vulnerability in Kaspersky Anti-Virus products |
Type: Software |
Bulletins:
CISEC:7919 |
Severity: Low |
Description: Kaspersky Lab has fixed a number of vulnerabilities found by Cisco TALOS. All these vulnerabilities could have been exploited only if the machine already contained a malicious program. TALOS-CAN-0167: a specially crafted call can cause an access violation in one of the product's drivers, resulting in a local denial of service. | ||||
Applies to: Kaspersky Anti-Virus Kaspersky Internet Security Kaspersky Total Security |
Created: 2020-07-24 |
Updated: 2020-07-24 |
ID: CISEC:7923 |
Title: Vulnerability in Kaspersky Anti-Virus products |
Type: Software |
Bulletins:
CISEC:7923 |
Severity: Low |
Description: Information disclosure in Kaspersky Anti-Virus, Kaspersky Internet Security, and Kaspersky Total Security versions up to 2019 could potentially disclose the unique Product ID by forcing a victim to visit a specially crafted webpage (for example, by clicking a phishing link). | ||||
Applies to: Kaspersky Anti-Virus Kaspersky Internet Security Kaspersky Total Security |
Created: 2020-07-24 |
Updated: 2020-07-24 |
ID: CISEC:7927 |
Title: Vulnerability in Kaspersky Anti-Virus products |
Type: Software |
Bulletins:
CISEC:7927 CVE-2019-15685 |
Severity: Medium |
Description: In Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus, Kaspersky Small Office Security, and Kaspersky Security Cloud up to 2020, the web protection component allowed an attacker to remotely disable product security features such as private browsing and anti-banner. Bypass. | ||||
Applies to: Kaspersky Anti-Virus Kaspersky Free Kaspersky Internet Security Kaspersky Total Security |
Created: 2020-07-24 |
Updated: 2024-09-07 |
ID: CISEC:7928 |
Title: Vulnerability in Kaspersky Anti-Virus products |
Type: Software |
Bulletins:
CISEC:7928 CVE-2019-15688 |
Severity: Medium |
Description: In Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus, Kaspersky Small Office Security, and Kaspersky Security Cloud up to 2020, the web protection component did not adequately inform the user about the threat of redirecting to an untrusted site. Bypass. | ||||
Applies to: Kaspersky Anti-Virus Kaspersky Free Kaspersky Internet Security Kaspersky Total Security |
Created: 2020-07-24 |
Updated: 2024-09-07 |
ID: CISEC:7929 |
Title: Vulnerability in Kaspersky Anti-Virus products |
Type: Software |
Bulletins:
CISEC:7929 CVE-2019-15687 |
Severity: Medium |
Description: In Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus, Kaspersky Small Office Security, and Kaspersky Security Cloud up to 2020, the web protection component was vulnerable to remote disclosure of various information about the user's system (like Windows version and version of the product, host unique ID). Information Disclosure. | ||||
Applies to: Kaspersky Anti-Virus Kaspersky Free Kaspersky Internet Security Kaspersky Total Security |
Created: 2020-07-24 |
Updated: 2024-09-07 |
ID: CISEC:7930 |
Title: Vulnerability in Kaspersky Anti-Virus products |
Type: Software |
Bulletins:
CISEC:7930 CVE-2019-15686 |
Severity: Medium |
Description: In Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus, Kaspersky Small Office Security, and Kaspersky Security Cloud up to 2020, the web protection component allowed an attacker to remotely disable various anti-virus protection features. DoS, Bypass. | ||||
Applies to: Kaspersky Anti-Virus Kaspersky Free Kaspersky Internet Security Kaspersky Total Security |
Created: 2020-07-24 |
Updated: 2024-09-07 |
ID: CISEC:7924 |
Title: Vulnerability in AhnLab V3 Internet Security 2011.01.18.00, avast! Antivirus 4.8.1351.0 and 5.0.677.0, Kaspersky Anti-Virus 7.0.0.125, ClamAV 0.96.4, Emsisoft Anti-Malware 5.1.0.1 |
Type: Software |
Bulletins:
CISEC:7924 CVE-2012-1459 |
Severity: Medium |
Description: The TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, avast! Antivirus 4.8.1351.0 and 5.0.677.0, Kaspersky Anti-Virus 7.0.0.125, ClamAV 0.96.4, Emsisoft Anti-Malware 5.1.0.1 allows remote attackers to bypass malware detection via a TAR archive entry with a length field corresponding to that entire entry, plus part of the header of the next entry. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different TAR parser implementations. | ||||
Applies to: AVG Antivirus AhnLab V3 Internet Security Avast! AntiVirus ClamAV Emsisoft Anti-Malware Kaspersky Anti-Virus |
Created: 2020-07-24 |
Updated: 2024-09-07 |
ID: CISEC:7856 |
Title: Vulnerability index error in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7856 CVE-2015-1232 |
Severity: High |
Description: Array index error in the MidiManagerUsb::DispatchSendMidiData function in media/midi/midi_manager_usb.cc in Google Chrome before 41.0.2272.76 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging renderer access to provide an invalid port index that triggers an out-of-bounds write operation, a different vulnerability than CVE-2015-1212. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7825 |
Title: Vulnerability in Skia, as used in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7825 CVE-2015-1215 |
Severity: High |
Description: The filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an out-of-bounds write operation. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7896 |
Title: Vulnerability in Skia, as used in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7896 CVE-2015-1213 |
Severity: High |
Description: The SkBitmap::ReadRawPixels function in core/SkBitmap.cpp in the filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an out-of-bounds write operation. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7822 |
Title: Vulnerability in Google Chrome before 45.0.2454.85 |
Type: Web |
Bulletins:
CISEC:7822 CVE-2015-1297 |
Severity: High |
Description: The WebRequest API implementation in extensions/browser/api/web_request/web_request_api.cc in Google Chrome before 45.0.2454.85 does not properly consider a request's source before accepting the request, which allows remote attackers to bypass intended access restrictions via a crafted (1) app or (2) extension. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7839 |
Title: Vulnerability in Google Chrome before 45.0.2454.85 |
Type: Web |
Bulletins:
CISEC:7839 CVE-2015-1296 |
Severity: Medium |
Description: The UnescapeURLWithAdjustmentsImpl implementation in net/base/escape.cc in Google Chrome before 45.0.2454.85 does not prevent display of Unicode LOCK characters in the omnibox, which makes it easier for remote attackers to spoof the SSL lock icon by placing one of these characters at the end of a URL, as demonstrated by the omnibox in localizations for right-to-left languages. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7848 |
Title: Vulnerability in Google Chrome before 45.0.2454.85 |
Type: Web |
Bulletins:
CISEC:7848 CVE-2015-1298 |
Severity: Medium |
Description: The RuntimeEventRouter::OnExtensionUninstalled function in extensions/browser/api/runtime/runtime_api.cc in Google Chrome before 45.0.2454.85 does not ensure that the setUninstallURL preference corresponds to the URL of a web site, which allows user-assisted remote attackers to trigger access to an arbitrary URL via a crafted extension that is uninstalled. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7854 |
Title: Vulnerability in Google Chrome before 45.0.2454.85 |
Type: Web |
Bulletins:
CISEC:7854 CVE-2015-1292 |
Severity: Medium |
Description: The NavigatorServiceWorker::serviceWorker function in modules/serviceworkers/NavigatorServiceWorker.cpp in Blink, as used in Google Chrome before 45.0.2454.85, allows remote attackers to bypass the Same Origin Policy by accessing a Service Worker. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7881 |
Title: Vulnerability in Google Chrome before 45.0.2454.85 |
Type: Web |
Bulletins:
CISEC:7881 CVE-2015-1291 |
Severity: Medium |
Description: The ContainerNode::parserRemoveChild function in core/dom/ContainerNode.cpp in Blink, as used in Google Chrome before 45.0.2454.85, does not check whether a node is expected, which allows remote attackers to bypass the Same Origin Policy or cause a denial of service (DOM tree corruption) via a web site with crafted JavaScript code and IFRAME elements. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7866 |
Title: Vulnerability in Google Chrome before 44.0.2403.89, mishandles converter names with initial x- substrings |
Type: Web |
Bulletins:
CISEC:7866 CVE-2015-1270 |
Severity: Medium |
Description: The ucnv_io_getConverterName function in common/ucnv_io.cpp in International Components for Unicode (ICU), as used in Google Chrome before 44.0.2403.89, mishandles converter names with initial x- substrings, which allows remote attackers to cause a denial of service (read of uninitialized memory) or possibly have unspecified other impact via a crafted file. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7819 |
Title: Vulnerability in Google Chrome before 44.0.2403.89 |
Type: Web |
Bulletins:
CISEC:7819 CVE-2015-1274 |
Severity: Medium |
Description: Google Chrome before 44.0.2403.89 does not ensure that the auto-open list omits all dangerous file types, which makes it easier for remote attackers to execute arbitrary code by providing a crafted file and leveraging a user's previous "Always open files of this type" choice, related to download_commands.cc and download_prefs.cc. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7837 |
Title: Vulnerability in Google Chrome before 44.0.2403.89 |
Type: Web |
Bulletins:
CISEC:7837 CVE-2015-1278 |
Severity: Medium |
Description: content/browser/web_contents/web_contents_impl.cc in Google Chrome before 44.0.2403.89 does not ensure that a PDF document's modal dialog is closed upon navigation to an interstitial page, which allows remote attackers to spoof URLs via a crafted document, as demonstrated by the alert_dialog.pdf document. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7838 |
Title: Vulnerability in Google Chrome before 44.0.2403.89 |
Type: Web |
Bulletins:
CISEC:7838 CVE-2015-1280 |
Severity: High |
Description: SkPictureShader.cpp in Skia, as used in Google Chrome before 44.0.2403.89, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging access to a renderer process and providing crafted serialized data. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7844 |
Title: Vulnerability in Google Chrome before 44.0.2403.89 |
Type: Web |
Bulletins:
CISEC:7844 CVE-2015-1287 |
Severity: Medium |
Description: Blink, as used in Google Chrome before 44.0.2403.89, enables a quirks-mode exception that limits the cases in which a Cascading Style Sheets (CSS) document is required to have the text/css content type, which allows remote attackers to bypass the Same Origin Policy via a crafted web site, related to core/fetch/CSSStyleSheetResource.cpp. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7847 |
Title: Vulnerability in Google Chrome before 44.0.2403.89 |
Type: Web |
Bulletins:
CISEC:7847 CVE-2015-1284 |
Severity: High |
Description: The LocalFrame::isURLAllowed function in core/frame/LocalFrame.cpp in Blink, as used in Google Chrome before 44.0.2403.89, does not properly check for a page's maximum number of frames, which allows remote attackers to cause a denial of service (invalid count value and use-after-free) or possibly have unspecified other impact via crafted JavaScript code that makes many createElement calls for IFRAME elements. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7863 |
Title: Vulnerability in Google Chrome before 44.0.2403.89 |
Type: Web |
Bulletins:
CISEC:7863 CVE-2015-1271 |
Severity: Medium |
Description: PDFium, as used in Google Chrome before 44.0.2403.89, does not properly handle certain out-of-memory conditions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted PDF document that triggers a large memory allocation. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7867 |
Title: Vulnerability in Google Chrome before 44.0.2403.89 |
Type: Web |
Bulletins:
CISEC:7867 CVE-2015-1288 |
Severity: Medium |
Description: The Spellcheck API implementation in Google Chrome before 44.0.2403.89 does not use an HTTPS session for downloading a Hunspell dictionary, which allows man-in-the-middle attackers to deliver incorrect spelling suggestions or possibly have unspecified other impact via a crafted file, a related issue to CVE-2015-1263. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7869 |
Title: Vulnerability in Google Chrome before 44.0.2403.89 |
Type: Web |
Bulletins:
CISEC:7869 CVE-2015-1285 |
Severity: Medium |
Description: The XSSAuditor::canonicalize function in core/html/parser/XSSAuditor.cpp in the XSS auditor in Blink, as used in Google Chrome before 44.0.2403.89, does not properly choose a truncation point, which makes it easier for remote attackers to obtain sensitive information via an unspecified linear-time attack. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7898 |
Title: Vulnerability in Google Chrome before 44.0.2403.89 |
Type: Web |
Bulletins:
CISEC:7898 CVE-2015-1281 |
Severity: Medium |
Description: core/loader/ImageLoader.cpp in Blink, as used in Google Chrome before 44.0.2403.89, does not properly determine the V8 context of a microtask, which allows remote attackers to bypass Content Security Policy (CSP) restrictions by providing an image from an unintended source. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7864 |
Title: Vulnerability in Google Chrome before 43.0.2357.65, enables the inheritance of the designMode attribute |
Type: Web |
Bulletins:
CISEC:7864 CVE-2015-1254 |
Severity: Medium |
Description: core/dom/Document.cpp in Blink, as used in Google Chrome before 43.0.2357.65, enables the inheritance of the designMode attribute, which allows remote attackers to bypass the Same Origin Policy by leveraging the availability of editing. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7872 |
Title: Vulnerability in Google Chrome before 43.0.2357.65 relies on libvpx code that was not built with an appropriate --size-limit value |
Type: Web |
Bulletins:
CISEC:7872 CVE-2015-1258 |
Severity: High |
Description: Google Chrome before 43.0.2357.65 relies on libvpx code that was not built with an appropriate --size-limit value, which allows remote attackers to trigger a negative value for a size field, and consequently cause a denial of service or possibly have unspecified other impact, via a crafted frame size in VP9 video data. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7821 |
Title: Vulnerability in Google Chrome before 43.0.2357.65 |
Type: Web |
Bulletins:
CISEC:7821 CVE-2015-1252 |
Severity: High |
Description: common/partial_circular_buffer.cc in Google Chrome before 43.0.2357.65 does not properly handle wraps, which allows remote attackers to bypass a sandbox protection mechanism or cause a denial of service (out-of-bounds write) via vectors that trigger a write operation with a large amount of data, related to the PartialCircularBuffer::Write and PartialCircularBuffer::DoWrite functions. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7855 |
Title: Vulnerability in Google Chrome before 43.0.2357.65 |
Type: Web |
Bulletins:
CISEC:7855 CVE-2015-1263 |
Severity: Medium |
Description: The Spellcheck API implementation in Google Chrome before 43.0.2357.65 does not use an HTTPS session for downloading a Hunspell dictionary, which allows man-in-the-middle attackers to deliver incorrect spelling suggestions or possibly have unspecified other impact via a crafted file. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7901 |
Title: Vulnerability in Google Chrome before 43.0.2357.65 |
Type: Web |
Bulletins:
CISEC:7901 CVE-2015-1259 |
Severity: High |
Description: PDFium, as used in Google Chrome before 43.0.2357.65, does not properly initialize memory, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7824 |
Title: Vulnerability in Google Chrome before 43.0.2357.130 |
Type: Web |
Bulletins:
CISEC:7824 CVE-2015-1267 |
Severity: Medium |
Description: Blink, as used in Google Chrome before 43.0.2357.130, does not properly restrict the creation context during creation of a DOM wrapper, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code that uses a Blink public API, related to WebArrayBufferConverter.cpp, WebBlob.cpp, WebDOMError.cpp, and WebDOMFileSystem.cpp. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7829 |
Title: Vulnerability in Google Chrome before 43.0.2357.130 |
Type: Web |
Bulletins:
CISEC:7829 CVE-2015-1268 |
Severity: Medium |
Description: bindings/scripts/v8_types.py in Blink, as used in Google Chrome before 43.0.2357.130, does not properly select a creation context for a return value's DOM wrapper, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code, as demonstrated by use of a data: URL. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7841 |
Title: Vulnerability in Google Chrome before 43.0.2357.130 |
Type: Web |
Bulletins:
CISEC:7841 CVE-2015-1266 |
Severity: Medium |
Description: content/browser/webui/content_web_ui_controller_factory.cc in Google Chrome before 43.0.2357.130 does not properly consider the scheme in determining whether a URL is associated with a WebUI SiteInstance, which allows remote attackers to bypass intended access restrictions via a similar URL, as demonstrated by use of http://gpu when there is a WebUI class for handling chrome://gpu requests. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7885 |
Title: Vulnerability in Google Chrome before 43.0.2357.130 |
Type: Web |
Bulletins:
CISEC:7885 CVE-2015-1269 |
Severity: Medium |
Description: The DecodeHSTSPreloadRaw function in net/http/transport_security_state.cc in Google Chrome before 43.0.2357.130 does not properly canonicalize DNS hostnames before making comparisons to HSTS or HPKP preload entries, which allows remote attackers to bypass intended access restrictions via a string that (1) ends in a . (dot) character or (2) is not entirely lowercase. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7812 |
Title: Vulnerability in Google Chrome before 42.0.2311.90 |
Type: Web |
Bulletins:
CISEC:7812 CVE-2015-1238 |
Severity: High |
Description: Skia, as used in Google Chrome before 42.0.2311.90, allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via unknown vectors. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7818 |
Title: Vulnerability in Google Chrome before 42.0.2311.90 |
Type: Web |
Bulletins:
CISEC:7818 CVE-2015-1246 |
Severity: Medium |
Description: Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7826 |
Title: Vulnerability in Google Chrome before 42.0.2311.90 |
Type: Web |
Bulletins:
CISEC:7826 CVE-2015-1240 |
Severity: Medium |
Description: gpu/blink/webgraphicscontext3d_impl.cc in the WebGL implementation in Google Chrome before 42.0.2311.90 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WebGL program that triggers a state inconsistency. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7832 |
Title: Vulnerability in Google Chrome before 42.0.2311.90 |
Type: Web |
Bulletins:
CISEC:7832 CVE-2015-1247 |
Severity: Medium |
Description: The SearchEngineTabHelper::OnPageHasOSDD function in browser/ui/search_engines/search_engine_tab_helper.cc in Google Chrome before 42.0.2311.90 does not prevent use of a file: URL for an OpenSearch descriptor XML document, which might allow remote attackers to obtain sensitive information from local files via a crafted (1) http or (2) https web site. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7840 |
Title: Vulnerability in Google Chrome before 42.0.2311.90 |
Type: Web |
Bulletins:
CISEC:7840 CVE-2015-1244 |
Severity: Medium |
Description: The URLRequest::GetHSTSRedirect function in url_request/url_request.cc in Google Chrome before 42.0.2311.90 does not replace the ws scheme with the wss scheme whenever an HSTS Policy is active, which makes it easier for remote attackers to obtain sensitive information by sniffing the network for WebSocket traffic. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7874 |
Title: Vulnerability in Google Chrome before 42.0.2311.90 |
Type: Web |
Bulletins:
CISEC:7874 CVE-2015-1242 |
Severity: High |
Description: The ReduceTransitionElementsKind function in hydrogen-check-elimination.cc in Google V8 before 4.2.77.8, as used in Google Chrome before 42.0.2311.90, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that leverages "type confusion" in the check-elimination optimization. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7891 |
Title: Vulnerability in Google Chrome before 42.0.2311.90 |
Type: Web |
Bulletins:
CISEC:7891 CVE-2015-1241 |
Severity: Medium |
Description: Google Chrome before 42.0.2311.90 does not properly consider the interaction of page navigation with the handling of touch events and gesture events, which allows remote attackers to trigger unintended UI actions via a crafted web site that conducts a "tapjacking" attack. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7813 |
Title: Vulnerability in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7813 CVE-2015-1227 |
Severity: High |
Description: The DragImage::create function in platform/DragImage.cpp in Blink, as used in Google Chrome before 41.0.2272.76, does not initialize memory for image drawing, which allows remote attackers to have an unspecified impact by triggering a failed image decoding, as demonstrated by an image for which the default orientation cannot be used. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7817 |
Title: Vulnerability in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7817 CVE-2015-1217 |
Severity: High |
Description: The V8LazyEventListener::prepareListenerObject function in bindings/core/v8/V8LazyEventListener.cpp in the V8 bindings in Blink, as used in Google Chrome before 41.0.2272.76, does not properly compile listeners, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion." | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7853 |
Title: Vulnerability in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7853 CVE-2015-1224 |
Severity: Medium |
Description: The VpxVideoDecoder::VpxDecode function in media/filters/vpx_video_decoder.cc in the vpxdecoder implementation in Google Chrome before 41.0.2272.76 does not ensure that alpha-plane dimensions are identical to image dimensions, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted VPx video data. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7859 |
Title: Vulnerability in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7859 CVE-2015-1226 |
Severity: Medium |
Description: The DebuggerFunction::InitAgentHost function in browser/extensions/api/debugger/debugger_api.cc in Google Chrome before 41.0.2272.76 does not properly restrict what URLs are available as debugger targets, which allows remote attackers to bypass intended access restrictions via a crafted extension. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7861 |
Title: Vulnerability in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7861 CVE-2015-1230 |
Severity: High |
Description: The getHiddenProperty function in bindings/core/v8/V8EventListenerList.h in Blink, as used in Google Chrome before 41.0.2272.76, has a name conflict with the AudioContext class, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via JavaScript code that adds an AudioContext event listener and triggers "type confusion." | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7884 |
Title: Vulnerability in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7884 CVE-2015-1229 |
Severity: Medium |
Description: net/http/proxy_client_socket.cc in Google Chrome before 41.0.2272.76 does not properly handle a 407 (aka Proxy Authentication Required) HTTP status code accompanied by a Set-Cookie header, which allows remote proxy servers to conduct cookie-injection attacks via a crafted response. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7897 |
Title: Vulnerability in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7897 CVE-2015-1228 |
Severity: High |
Description: The RenderCounter::updateCounter function in core/rendering/RenderCounter.cpp in Blink, as used in Google Chrome before 41.0.2272.76, does not force a relayout operation and consequently does not initialize memory for a data structure, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted Cascading Style Sheets (CSS) token sequence. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7902 |
Title: Vulnerability in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7902 CVE-2015-1225 |
Severity: Medium |
Description: PDFium, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7845 |
Title: Vulnerability in Google Chrome before 41.0.2272.118 |
Type: Web |
Bulletins:
CISEC:7845 CVE-2015-1233 |
Severity: High |
Description: Google Chrome before 41.0.2272.118 does not properly handle the interaction of IPC, the Gamepad API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7870 |
Title: Vulnerability in Google Chrome before 40.0.2214.91 |
Type: Web |
Bulletins:
CISEC:7870 CVE-2015-1248 |
Severity: Medium |
Description: The FileSystem API in Google Chrome before 40.0.2214.91 allows remote attackers to bypass the SafeBrowsing for Executable Files protection mechanism by creating a .exe file in a temporary filesystem and then referencing this file with a filesystem:http: URL. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7889 |
Title: Vulnerability in Google Chrome before 40.0.2214.111 |
Type: Web |
Bulletins:
CISEC:7889 CVE-2015-1211 |
Severity: High |
Description: The OriginCanAccessServiceWorkers function in content/browser/service_worker/service_worker_dispatcher_host.cc in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android does not properly restrict the URI scheme during a ServiceWorker registration, which allows remote attackers to gain privileges via a filesystem: URI. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7890 |
Title: Vulnerability in Blink, as used in Google Chrome before 43.0.2357.65 |
Type: Web |
Bulletins:
CISEC:7890 CVE-2015-1262 |
Severity: High |
Description: platform/fonts/shaping/HarfBuzzShaper.cpp in Blink, as used in Google Chrome before 43.0.2357.65, does not initialize a certain width field, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted Unicode text. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7852 |
Title: Vulnerability in Blink, as used in Google Chrome before 45.0.2454.85 |
Type: Web |
Bulletins:
CISEC:7852 CVE-2015-1293 |
Severity: High |
Description: The DOM implementation in Blink, as used in Google Chrome before 45.0.2454.85, allows remote attackers to bypass the Same Origin Policy via unspecified vectors. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7830 |
Title: Vulnerability in Blink, as used in Google Chrome before 43.0.2357.65 |
Type: Web |
Bulletins:
CISEC:7830 CVE-2015-1257 |
Severity: High |
Description: platform/graphics/filters/FEColorMatrix.cpp in the SVG implementation in Blink, as used in Google Chrome before 43.0.2357.65, does not properly handle an insufficient number of values in an feColorMatrix filter, which allows remote attackers to cause a denial of service (container overflow) or possibly have unspecified other impact via a crafted document. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7892 |
Title: Vulnerability in Blink, as used in Google Chrome before 43.0.2357.65 |
Type: Web |
Bulletins:
CISEC:7892 CVE-2015-1253 |
Severity: High |
Description: core/html/parser/HTMLConstructionSite.cpp in the DOM implementation in Blink, as used in Google Chrome before 43.0.2357.65, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code that appends a child to a SCRIPT element, related to the insert and executeReparentTask functions. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7873 |
Title: Vulnerability in Blink, as used in Google Chrome before 42.0.2311.90 |
Type: Web |
Bulletins:
CISEC:7873 CVE-2015-1235 |
Severity: Medium |
Description: The ContainerNode::parserRemoveChild function in core/dom/ContainerNode.cpp in the HTML parser in Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to bypass the Same Origin Policy via a crafted HTML document with an IFRAME element. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7883 |
Title: Vulnerability in Blink, as used in Google Chrome before 42.0.2311.90 |
Type: Web |
Bulletins:
CISEC:7883 CVE-2015-1236 |
Severity: Medium |
Description: The MediaElementAudioSourceNode::process function in modules/webaudio/MediaElementAudioSourceNode.cpp in the Web Audio API implementation in Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to bypass the Same Origin Policy and obtain sensitive audio sample values via a crafted web site containing a media element. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7835 |
Title: Vulnerability in Blink, as used in Google Chrome before 40.0.2214.111 |
Type: Web |
Bulletins:
CISEC:7835 CVE-2015-1210 |
Severity: Medium |
Description: The V8ThrowException::createDOMException function in bindings/core/v8/V8ThrowException.cpp in the V8 bindings in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, does not properly consider frame access restrictions during the throwing of an exception, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7882 |
Title: Use-after-free vulnerability in the IndexedDB implementation in Google Chrome before 44.0.2403.89 |
Type: Web |
Bulletins:
CISEC:7882 CVE-2015-1276 |
Severity: High |
Description: Use-after-free vulnerability in content/browser/indexed_db/indexed_db_backing_store.cc in the IndexedDB implementation in Google Chrome before 44.0.2403.89 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging an abort action before a certain write operation. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7880 |
Title: Use-after-free vulnerability in the Speech subsystem in Google Chrome before 43.0.2357.65 |
Type: Web |
Bulletins:
CISEC:7880 CVE-2015-1251 |
Severity: Medium |
Description: Use-after-free vulnerability in the SpeechRecognitionClient implementation in the Speech subsystem in Google Chrome before 43.0.2357.65 allows remote attackers to execute arbitrary code via a crafted document. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7879 |
Title: Use-after-free vulnerability in Google Chrome before 45.0.2454.85 |
Type: Web |
Bulletins:
CISEC:7879 CVE-2015-1294 |
Severity: High |
Description: Use-after-free vulnerability in the SkMatrix::invertNonIdentity function in core/SkMatrix.cpp in Skia, as used in Google Chrome before 45.0.2454.85, allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering the use of matrix elements that lead to an infinite result during an inversion calculation. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7850 |
Title: Use-after-free vulnerability in Google Chrome before 44.0.2403.89 |
Type: Web |
Bulletins:
CISEC:7850 CVE-2015-1277 |
Severity: High |
Description: Use-after-free vulnerability in the accessibility implementation in Google Chrome before 44.0.2403.89 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging lack of certain validity checks for accessibility-tree data structures. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7886 |
Title: Use-after-free vulnerability in Google Chrome before 44.0.2403.89 |
Type: Web |
Bulletins:
CISEC:7886 CVE-2015-1272 |
Severity: High |
Description: Use-after-free vulnerability in the GPU process implementation in Google Chrome before 44.0.2403.89 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging the continued availability of a GPUChannelHost data structure during Blink shutdown, related to content/browser/gpu/browser_gpu_channel_host_factory.cc and content/renderer/render_thread_impl.cc. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7851 |
Title: Use-after-free vulnerability in Google Chrome before 43.0.2357.65 |
Type: Web |
Bulletins:
CISEC:7851 CVE-2015-1255 |
Severity: Medium |
Description: Use-after-free vulnerability in content/renderer/media/webaudio_capturer_source.cc in the WebAudio implementation in Google Chrome before 43.0.2357.65 allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact by leveraging improper handling of a stop action for an audio track. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7816 |
Title: Use-after-free vulnerability in Google Chrome before 42.0.2311.90 |
Type: Web |
Bulletins:
CISEC:7816 CVE-2015-1237 |
Severity: High |
Description: Use-after-free vulnerability in the RenderFrameImpl::OnMessageReceived function in content/renderer/render_frame_impl.cc in Google Chrome before 42.0.2311.90 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger renderer IPC messages during a detach operation. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7820 |
Title: Use-after-free vulnerability in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7820 CVE-2015-1221 |
Severity: High |
Description: Use-after-free vulnerability in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging incorrect ordering of operations in the Web SQL Database thread relative to Blink's main thread, related to the shutdown function in web/WebKit.cpp. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7878 |
Title: Use-after-free vulnerability in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7878 CVE-2015-1220 |
Severity: Medium |
Description: Use-after-free vulnerability in the GIFImageReader::parseData function in platform/image-decoders/gif/GIFImageReader.cpp in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted frame size in a GIF image. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7900 |
Title: Use-after-free vulnerability in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7900 CVE-2015-1245 |
Severity: Medium |
Description: Use-after-free vulnerability in the OpenPDFInReaderView::Update function in browser/ui/views/location_bar/open_pdf_in_reader_view.cc in Google Chrome before 41.0.2272.76 might allow user-assisted remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact by triggering interaction with a PDFium "Open PDF in Reader" button that has an invalid tab association. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7831 |
Title: Use-after-free vulnerability in Blink, as used in Google Chrome before 45.0.2454.85 |
Type: Web |
Bulletins:
CISEC:7831 CVE-2015-1299 |
Severity: High |
Description: Use-after-free vulnerability in the shared-timer implementation in Blink, as used in Google Chrome before 45.0.2454.85, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging erroneous timer firing, related to ThreadTimers.cpp and Timer.cpp. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7877 |
Title: Use-after-free vulnerability in Blink, as used in Google Chrome before 43.0.2357.65 |
Type: Web |
Bulletins:
CISEC:7877 CVE-2015-1256 |
Severity: High |
Description: Use-after-free vulnerability in the SVG implementation in Blink, as used in Google Chrome before 43.0.2357.65, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document that leverages improper handling of a shadow tree for a use element. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7828 |
Title: Use-after-free vulnerability in Blink, as used in Google Chrome before 42.0.2311.135 |
Type: Web |
Bulletins:
CISEC:7828 CVE-2015-1243 |
Severity: High |
Description: Use-after-free vulnerability in the MutationObserver::disconnect function in core/dom/MutationObserver.cpp in the DOM implementation in Blink, as used in Google Chrome before 42.0.2311.135, allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering an attempt to unregister a MutationObserver object that is not currently registered. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7893 |
Title: Use-after-free vulnerability in Blink, as used in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7893 CVE-2015-1216 |
Severity: High |
Description: Use-after-free vulnerability in the V8Window::namedPropertyGetterCustom function in bindings/core/v8/custom/V8WindowCustom.cpp in the V8 bindings in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a frame detachment. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7815 |
Title: Use-after-free vulnerability in Blink, as used in Google Chrome before 40.0.2214.111 |
Type: Web |
Bulletins:
CISEC:7815 CVE-2015-1209 |
Severity: High |
Description: Use-after-free vulnerability in the VisibleSelection::nonBoundaryShadowTreeRootNode function in core/editing/VisibleSelection.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers improper handling of a shadow-root anchor. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7868 |
Title: Race condition in Google Chrome before 41.0.2272.118 |
Type: Web |
Bulletins:
CISEC:7868 CVE-2015-1234 |
Severity: Medium |
Description: Race condition in gpu/command_buffer/service/gles2_cmd_decoder.cc in Google Chrome before 41.0.2272.118 allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact by manipulating OpenGL ES commands. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7875 |
Title: Multiple use-after-free vulnerabilities in Google Chrome before 45.0.2454.85 |
Type: Web |
Bulletins:
CISEC:7875 CVE-2015-1295 |
Severity: High |
Description: Multiple use-after-free vulnerabilities in the PrintWebViewHelper class in components/printing/renderer/print_web_view_helper.cc in Google Chrome before 45.0.2454.85 allow user-assisted remote attackers to cause a denial of service or possibly have unspecified other impact by triggering nested IPC messages during preparation for printing, as demonstrated by messages associated with PDF documents in conjunction with messages about printer capabilities. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7899 |
Title: Multiple use-after-free vulnerabilities in Google Chrome before 44.0.2403.89 |
Type: Web |
Bulletins:
CISEC:7899 CVE-2015-1282 |
Severity: Medium |
Description: Multiple use-after-free vulnerabilities in fpdfsdk/src/javascript/Document.cpp in PDFium, as used in Google Chrome before 44.0.2403.89, allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document, related to the (1) Document::delay and (2) Document::DoFieldDelay functions. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7827 |
Title: Multiple use-after-free vulnerabilities in Google Chrome before 43.0.2357.65 |
Type: Web |
Bulletins:
CISEC:7827 CVE-2015-1260 |
Severity: High |
Description: Multiple use-after-free vulnerabilities in content/renderer/media/user_media_client_impl.cc in the WebRTC implementation in Google Chrome before 43.0.2357.65 allow remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that executes upon completion of a getUserMedia request. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7849 |
Title: Multiple use-after-free vulnerabilities in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7849 CVE-2015-1222 |
Severity: High |
Description: Multiple use-after-free vulnerabilities in the ServiceWorkerScriptCacheMap implementation in content/browser/service_worker/service_worker_script_cache_map.cc in Google Chrome before 41.0.2272.76 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a ServiceWorkerContextWrapper::DeleteAndStartOver call, related to the NotifyStartedCaching and NotifyFinishedCaching functions. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7894 |
Title: Multiple use-after-free vulnerabilities in Blink, as used in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7894 CVE-2015-1223 |
Severity: High |
Description: Multiple use-after-free vulnerabilities in core/html/HTMLInputElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 41.0.2272.76, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger extraneous change events, as demonstrated by events for invalid input or input to read-only fields, related to the initializeTypeInParsing and updateType functions. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7895 |
Title: Multiple use-after-free vulnerabilities in Blink, as used in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7895 CVE-2015-1218 |
Severity: High |
Description: Multiple use-after-free vulnerabilities in the DOM implementation in Blink, as used in Google Chrome before 41.0.2272.76, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger movement of a SCRIPT element to different documents, related to (1) the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp and (2) the SVGScriptElement::didMoveToNewDocument function in core/svg/SVGScriptElement.cpp. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7871 |
Title: Multiple unspecified vulnerabilities in Google Chrome before 44.0.2403.89 |
Type: Web |
Bulletins:
CISEC:7871 CVE-2015-1289 |
Severity: High |
Description: Multiple unspecified vulnerabilities in Google Chrome before 44.0.2403.89 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7836 |
Title: Multiple unspecified vulnerabilities in Google Chrome before 43.0.2357.65 |
Type: Web |
Bulletins:
CISEC:7836 CVE-2015-1265 |
Severity: High |
Description: Multiple unspecified vulnerabilities in Google Chrome before 43.0.2357.65 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7903 |
Title: Multiple unspecified vulnerabilities in Google Chrome before 42.0.2311.90 |
Type: Web |
Bulletins:
CISEC:7903 CVE-2015-1249 |
Severity: High |
Description: Multiple unspecified vulnerabilities in Google Chrome before 42.0.2311.90 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7860 |
Title: Multiple unspecified vulnerabilities in Google Chrome before 42.0.2311.135 |
Type: Web |
Bulletins:
CISEC:7860 CVE-2015-1250 |
Severity: High |
Description: Multiple unspecified vulnerabilities in Google Chrome before 42.0.2311.135 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7865 |
Title: Multiple unspecified vulnerabilities in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7865 CVE-2015-1231 |
Severity: High |
Description: Multiple unspecified vulnerabilities in Google Chrome before 41.0.2272.76 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7876 |
Title: Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.91 |
Type: Web |
Bulletins:
CISEC:7876 CVE-2015-1205 |
Severity: High |
Description: Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.91 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7823 |
Title: Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.111 |
Type: Web |
Bulletins:
CISEC:7823 CVE-2015-1212 |
Severity: High |
Description: Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7814 |
Title: Multiple integer overflows in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products |
Type: Web |
Bulletins:
CISEC:7814 CVE-2015-1283 |
Severity: Medium |
Description: Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7887 |
Title: Memory corruption in V8 in Google Chrome before 44.0.2403.89 |
Type: Web |
Bulletins:
CISEC:7887 CVE-2015-1290 |
Severity: High |
Description: Memory corruption in V8 in Google Chrome before 44.0.2403.89. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7842 |
Title: Integer overflow in Skia, as used in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7842 CVE-2015-1214 |
Severity: High |
Description: Integer overflow in the SkAutoSTArray implementation in include/core/SkTemplates.h in the filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a reset action with a large count value, leading to an out-of-bounds write operation. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7843 |
Title: Integer overflow in Google Chrome before 44.0.2403.89 |
Type: Web |
Bulletins:
CISEC:7843 CVE-2015-1279 |
Severity: High |
Description: Integer overflow in the CJBig2_Image::expand function in fxcodec/jbig2/JBig2_Image.cpp in PDFium, as used in Google Chrome before 44.0.2403.89, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via large height and stride values. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7888 |
Title: Integer overflow in Google Chrome before 41.0.2272.76 |
Type: Web |
Bulletins:
CISEC:7888 CVE-2015-1219 |
Severity: High |
Description: Integer overflow in the SkMallocPixelRef::NewAllocate function in core/SkMallocPixelRef.cpp in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted allocation of a large amount of memory during WebGL rendering. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7834 |
Title: Heap-based buffer overflow in PDFium in Google Chrome before 44.0.2403.89 |
Type: Web |
Bulletins:
CISEC:7834 CVE-2015-1273 |
Severity: Medium |
Description: Heap-based buffer overflow in j2k.c in OpenJPEG before r3002, as used in PDFium in Google Chrome before 44.0.2403.89, allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid JPEG2000 data in a PDF document. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7862 |
Title: Double-free vulnerability in Google Chrome 41.0.2251.0 |
Type: Web |
Bulletins:
CISEC:7862 CVE-2015-1207 |
Severity: Medium |
Description: Double-free vulnerability in libavformat/mov.c in FFMPEG in Google Chrome 41.0.2251.0 allows remote attackers to cause a denial of service (memory corruption and crash) via a crafted .m4a file. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7846 |
Title: Cross-site scripting |
Type: Web |
Bulletins:
CISEC:7846 CVE-2015-1264 |
Severity: Medium |
Description: Cross-site scripting (XSS) vulnerability in Google Chrome before 43.0.2357.65 allows user-assisted remote attackers to inject arbitrary web script or HTML via crafted data that is improperly handled by the Bookmarks feature. | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7857 |
Title: Cross-site scripting |
Type: Web |
Bulletins:
CISEC:7857 CVE-2015-1286 |
Severity: Medium |
Description: Cross-site scripting (XSS) vulnerability in the V8ContextNativeHandler::GetModuleSystem function in extensions/renderer/v8_context_native_handler.cc in Google Chrome before 44.0.2403.89 allows remote attackers to inject arbitrary web script or HTML by leveraging the lack of a certain V8 context restriction, aka a Blink "Universal XSS (UXSS)." | ||||
Applies to: Google Chrome |
Created: 2020-07-17 |
Updated: 2024-09-07 |
ID: CISEC:7785 |
Title: Windows WLAN Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7785 CVE-2020-1270 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the wlansvc.dll properly handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7782 |
Title: Windows WalletService Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7782 CVE-2020-1287 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows WalletService properly handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7719 |
Title: Windows WalletService Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7719 CVE-2020-1294 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows WalletService properly handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7776 |
Title: Windows Update Orchestrator Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7776 CVE-2020-1313 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Update Orchestrator Service handles file operations. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7777 |
Title: Windows Text Service Framework Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7777 CVE-2020-1314 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients. An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how TSF server handles messages in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7766 |
Title: Windows State Repository Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7766 CVE-2020-1305 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7718 |
Title: Windows SMBv3 Client/Server Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7718 CVE-2020-1206 |
Severity: Medium |
Description: An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it. The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7727 |
Title: Windows SMB Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7727 CVE-2020-1301 |
Severity: Medium |
Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server. To exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server. The security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7778 |
Title: Windows Shell Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7778 CVE-2020-1286 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. To exploit the vulnerability, an attacker must entice a user to open a specially crafted file. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and then convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force a user to visit the website. Instead, an attacker would have to convince a user to click a link and open the specially crafted file. This security update addresses the vulnerability by ensuring the Windows Shell properly validates file paths. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7757 |
Title: Windows Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7757 CVE-2020-1268 |
Severity: Low |
Description: An information disclosure vulnerability exists when a Windows service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how a Windows service handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7763 |
Title: Windows Runtime Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7763 CVE-2020-1217 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could read memory that was freed and might run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7797 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7797 CVE-2020-1233 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7758 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7758 CVE-2020-1235 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7715 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7715 CVE-2020-1265 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7731 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7731 CVE-2020-1304 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7738 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7738 CVE-2020-1282 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7746 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7746 CVE-2020-1231 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7750 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7750 CVE-2020-1306 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7779 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7779 CVE-2020-1334 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7752 |
Title: Windows Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7752 CVE-2020-1300 |
Severity: Medium |
Description: A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver. The update addresses the vulnerability by correcting how Windows handles cabinet files. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7760 |
Title: Windows Registry Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7760 CVE-2020-1194 |
Severity: Medium |
Description: A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system. To exploit the vulnerability, an attacker who has access to the system could run a specially crafted application. The security update addresses the vulnerability by correcting how Windows Registry handles filesystem operations and only allowing the tracing to be captured under the default path. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7795 |
Title: Windows Print Configuration Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7795 CVE-2020-1196 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the printconfig.dll properly handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7717 |
Title: Windows OLE Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7717 CVE-2020-1281 |
Severity: Medium |
Description: A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. To exploit the vulnerability, an attacker would have to convince a user to open either a specially crafted file or a program from either a webpage or an email message. The update addresses the vulnerability by correcting how Windows OLE validates user input. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7787 |
Title: Windows Now Playing Session Manager Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7787 CVE-2020-1201 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way the Windows Now Playing Session Manager handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how the Windows Now Playing Session Manager handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7774 |
Title: Windows Network List Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7774 CVE-2020-1209 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Network List Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network List Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7728 |
Title: Windows Network Connections Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7728 CVE-2020-1291 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7780 |
Title: Windows Modules Installer Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7780 CVE-2020-1254 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7720 |
Title: Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7720 CVE-2020-1204 |
Severity: Low |
Description: An elevation of privilege vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to delete files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and remove files. The security update addresses the vulnerability by correcting how Windows MDM Diagnostics handles files. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7764 |
Title: Windows Lockscreen Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7764 CVE-2020-1279 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Windows Lockscreen fails to properly load spotlight images from a secure location. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. An authenticated attacker could modify a registry value to exploit this vulnerability. The security update addresses the vulnerability by ensuring that the spotlight images are always loaded from a secure location. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7722 |
Title: Windows Kernel Security Feature Bypass Vulnerability |
Type: Software |
Bulletins:
CISEC:7722 CVE-2020-1241 |
Severity: Medium |
Description: A security feature bypass vulnerability exists when Windows Kernel fails to properly sanitize certain parameters. To exploit the vulnerability, a locally-authenticated attacker could attempt to run a specially crafted application on a targeted system. The update addresses the vulnerability by correcting how Windows Kernel handles parameter sanitization. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7789 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7789 CVE-2020-1262 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7790 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7790 CVE-2020-1275 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7791 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7791 CVE-2020-1307 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7723 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7723 CVE-2020-1269 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7724 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7724 CVE-2020-1264 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7725 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7725 CVE-2020-1246 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7726 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7726 CVE-2020-1237 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7730 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7730 CVE-2020-1273 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7734 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7734 CVE-2020-1274 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7735 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7735 CVE-2020-0986 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7736 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7736 CVE-2020-1276 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7742 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7742 CVE-2020-1266 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7769 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7769 CVE-2020-1316 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7796 |
Title: Windows Installer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7796 CVE-2020-1302 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. To exploit the vulnerability, an attacker would require unprivileged execution on the victim system. After successfully exploiting the vulnerability, an attacker could run arbitrary code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the way Windows Installer handles certain filesystem operations. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7748 |
Title: Windows Installer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7748 CVE-2020-1277 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. To exploit the vulnerability, an attacker would require unprivileged execution on the victim system. After successfully exploiting the vulnerability, an attacker could run arbitrary code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the way Windows Installer handles certain filesystem operations. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7751 |
Title: Windows Installer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7751 CVE-2020-1312 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. To exploit the vulnerability, an attacker would require unprivileged execution on the victim system. After successfully exploiting the vulnerability, an attacker could run arbitrary code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the way Windows Installer handles certain filesystem operations. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7762 |
Title: Windows Installer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7762 CVE-2020-1272 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7793 |
Title: Windows Host Guardian Service Security Feature Bypass Vulnerability |
Type: Software |
Bulletins:
CISEC:7793 CVE-2020-1259 |
Severity: Medium |
Description: A security feature bypass vulnerability exists when Windows Host Guardian Service improperly handles hashes recorded and logged. An attacker who successfully exploited the vulnerability could tamper with the log file. In an attack scenario, an attacker can change existing event log types to a type the parsers do not interpret allowing an attacker to append their own hash without triggering an alert. The update addresses the vulnerability by correcting how Windows Host Guardian Service handles logging of the measured boot hash. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7786 |
Title: Windows GDI Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7786 CVE-2020-1348 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7714 |
Title: Windows GDI Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7714 CVE-2020-0916 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how GDI handles objects in memory and by preventing instances of unintended user-mode privilege elevation. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7744 |
Title: Windows GDI Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7744 CVE-2020-0915 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how GDI handles objects in memory and by preventing instances of unintended user-mode privilege elevation. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7747 |
Title: Windows Feedback Hub Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7747 CVE-2020-1199 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Feedback Hub improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit this vulnerability, an attacker would first have to log on to the system with Windows Mixed Reality installed. An attacker could then run a specially crafted application to take control of an affected system. The security update addresses the vulnerability by correcting how the Feedback Hub handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7775 |
Title: Windows Error Reporting Manager Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7775 CVE-2020-1197 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows Error Reporting manager handles process crashes. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7792 |
Title: Windows Error Reporting Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7792 CVE-2020-1261 |
Severity: Low |
Description: An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted application or convince a target to run a crafted application. The security update addresses the vulnerability by correcting the way WER handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7759 |
Title: Windows Error Reporting Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7759 CVE-2020-1263 |
Severity: Low |
Description: An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted application or convince a target to run a crafted application. The security update addresses the vulnerability by correcting the way WER handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7773 |
Title: Windows Error Reporting Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7773 CVE-2020-1234 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles objects in memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how Windows Error Reporting handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7799 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7799 CVE-2020-1162 |
Severity: Medium |
Description: An elevation of privilege (user to user) vulnerability exists in Windows Security Health Service when handling certain objects in memory. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted command that could exploit the vulnerability to elevate privileges. The update addresses the vulnerability by correcting how Windows Security Health Service handles certain objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7756 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7756 CVE-2020-1324 |
Severity: Medium |
Description: An elevation of privilege (user to user) vulnerability exists in Windows Security Health Service when handling certain objects in memory. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted command that could exploit the vulnerability to elevate privileges. The update addresses the vulnerability by correcting how Windows Security Health Service handles certain objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7741 |
Title: Windows Diagnostics & feedback Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7741 CVE-2020-1296 |
Severity: Low |
Description: A vulnerability exists in the way the Windows Diagnostics & feedback settings app handles objects in memory. An attacker who successfully exploited this vulnerability could cause additional diagnostic data from the affected device to be sent to Microsoft. To exploit the vulnerability, an attacker would have to log on to an affected system and interact with the Windows Diagnostics & feedback Settings app. The security update addresses the vulnerability by correcting the way the Windows Diagnostics & feedback Settings app handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7765 |
Title: Windows Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7765 CVE-2020-1283 |
Severity: High |
Description: A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application, or convince a user to open a specific file on a network share. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to cause a target system to stop responding. The update addresses the vulnerability by correcting how Windows handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7767 |
Title: Windows Bluetooth Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7767 CVE-2020-1280 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Bluetooth Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Bluetooth Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7753 |
Title: Windows Backup Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7753 CVE-2020-1271 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7716 |
Title: Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7716 CVE-2020-1255 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. To exploit this vulnerability, an attacker would require permissions to upload files via BITS. An attacker could then submit a specially crafted request to upload a file. The security update addresses the vulnerability by correcting how Windows BITS validates file names. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7743 |
Title: Win32k Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7743 CVE-2020-1290 |
Severity: Low |
Description: An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7732 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7732 CVE-2020-1247 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7737 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7737 CVE-2020-1310 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7739 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7739 CVE-2020-1251 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7740 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7740 CVE-2020-1253 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7770 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7770 CVE-2020-1207 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7749 |
Title: OpenSSH for Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7749 CVE-2020-1292 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in OpenSSH for Windows when it does not properly restrict access to configuration settings. An attacker who successfully exploited this vulnerability could replace the shell with a malicious binary. To exploit this vulnerability, an authenticated attacker would need to modify the OpenSSH for Windows configuration on a vulnerable system. The attacker would then need to convince a user to connect to the vulnerable OpenSSH for Windows server. The update addresses the vulnerability by restricting access to OpenSSH for Windows configuration settings. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7772 |
Title: OLE Automation Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7772 CVE-2020-1212 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how an OLE Automation component handles memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7781 |
Title: Microsoft Store Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7781 CVE-2020-1222 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Microsoft Store Runtime handles memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7798 |
Title: Microsoft Store Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7798 CVE-2020-1309 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Microsoft Store Runtime handles memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7794 |
Title: Microsoft Graphics Component Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7794 CVE-2020-1160 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting the way in which the Windows Graphics Component handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7783 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7783 CVE-2020-1239 |
Severity: Medium |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7771 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7771 CVE-2020-1238 |
Severity: Medium |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7755 |
Title: Media Foundation Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7755 CVE-2020-1232 |
Severity: Medium |
Description: An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log onto an affected system and open a specially crafted file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7729 |
Title: LNK Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7729 CVE-2020-1299 |
Severity: High |
Description: A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice on the target system. The security update addresses the vulnerability by correcting the processing of shortcut LNK references. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7745 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7745 CVE-2020-1236 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7768 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7768 CVE-2020-1208 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7754 |
Title: Group Policy Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7754 CVE-2020-1317 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how Group Policy checks access. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7733 |
Title: GDI+ Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7733 CVE-2020-1248 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message. In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file. The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7721 |
Title: DirectX Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7721 CVE-2020-1258 |
Severity: High |
Description: An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7784 |
Title: Connected User Experiences and Telemetry Service Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7784 CVE-2020-1244 |
Severity: Medium |
Description: A denial of service vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could cause a system to stop responding. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7788 |
Title: Connected Devices Platform Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7788 CVE-2020-1211 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Connected Devices Platform Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7761 |
Title: Component Object Model Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7761 CVE-2020-1311 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how COM handles special case IIDs, to help preclude unintended elevated system privileges. | ||||
Applies to: |
Created: 2020-07-10 |
Updated: 2024-09-07 |
ID: CISEC:7663 |
Title: Vulnerability in Acronis True Image up to and including version 2017 Build 8053 |
Type: Software |
Bulletins:
CISEC:7663 CVE-2017-3219 |
Severity: High |
Description: Acronis True Image up to and including version 2017 Build 8053 performs software updates using HTTP. Downloaded updates are only verified using a server-provided MD5 hash. | ||||
Applies to: Acronis True Image |
Created: 2020-07-03 |
Updated: 2024-09-07 |
ID: CISEC:7666 |
Title: Untrusted search path vulnerability in Amazon Kindle before 1.19 |
Type: Software |
Bulletins:
CISEC:7666 CVE-2017-6189 |
Severity: Medium |
Description: Untrusted search path vulnerability in Amazon Kindle for PC before 1.19 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse DLL in the current working directory of the Kindle Setup installer. | ||||
Applies to: Amazon Kindle |
Created: 2020-07-03 |
Updated: 2024-09-07 |
ID: CISEC:7653 |
Title: Microsoft Office Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7653 |
Severity: Low |
Description: A remote code execution vulnerability exists when Microsoft Office improperly loads arbitrary type libraries, aka 'Microsoft Office Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0991. | ||||
Applies to: Microsoft Access 2010 Microsoft Access 2013 Microsoft Access 2016 Microsoft Excel 2010 Microsoft Excel 2013 Microsoft Excel 2016 Microsoft Office 2010 Microsoft Office 2013 Microsoft Office 2016 Microsoft Outlook 2010 Microsoft Outlook 2013 |
Created: 2020-07-03 |
Updated: 2020-07-03 |
ID: CISEC:7576 |
Title: Windows Update Stack Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7576 CVE-2020-1109 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows Update Stack handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7585 |
Title: Windows Update Stack Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7585 CVE-2020-1110 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows Update Stack handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7590 |
Title: Windows Task Scheduler Security Feature Bypass Vulnerability |
Type: Software |
Bulletins:
CISEC:7590 CVE-2020-1113 |
Severity: High |
Description: A security feature bypass vulnerability exists in Microsoft Windows when the Task Scheduler service fails to properly verify client connections over RPC. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, a man-in-the-middle attacker would need to send a specially crafted request to a vulnerable system. The security update addresses the vulnerability by correcting how the Task Scheduler service validates connections. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7609 |
Title: Windows Subsystem for Linux Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7609 CVE-2020-1075 |
Severity: Low |
Description: An information disclosure vulnerability exists when Windows Subsystem for Linux improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how Windows Subsystem for Linux handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7619 |
Title: Windows Storage Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7619 CVE-2020-1138 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Storage Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges on the victim system. To exploit the vulnerability, an attacker would first have to gain execution on the victim system, then run a specially crafted application. The security update addresses the vulnerability by correcting how the Storage Service handles file operations. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7564 |
Title: Windows State Repository Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7564 CVE-2020-1190 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7584 |
Title: Windows State Repository Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7584 CVE-2020-1189 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7596 |
Title: Windows State Repository Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7596 CVE-2020-1188 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7599 |
Title: Windows State Repository Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7599 CVE-2020-1184 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7600 |
Title: Windows State Repository Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7600 CVE-2020-1191 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7602 |
Title: Windows State Repository Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7602 CVE-2020-1187 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7603 |
Title: Windows State Repository Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7603 CVE-2020-1186 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7604 |
Title: Windows State Repository Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7604 CVE-2020-1124 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7606 |
Title: Windows State Repository Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7606 CVE-2020-1134 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7617 |
Title: Windows State Repository Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7617 CVE-2020-1144 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7618 |
Title: Windows State Repository Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7618 CVE-2020-1131 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7558 |
Title: Windows State Repository Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7558 CVE-2020-1185 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7569 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7569 CVE-2020-1090 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7578 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7578 CVE-2020-1155 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7591 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7591 CVE-2020-1125 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7594 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7594 CVE-2020-1164 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7605 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7605 CVE-2020-1086 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7611 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7611 CVE-2020-1151 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7613 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7613 CVE-2020-1157 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7623 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7623 CVE-2020-1156 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7560 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7560 CVE-2020-1158 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7561 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7561 CVE-2020-1077 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7552 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7552 CVE-2020-1149 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7555 |
Title: Windows Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7555 CVE-2020-1139 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7550 |
Title: Windows Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7550 CVE-2020-1067 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that Windows handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code with elevated permissions on a target system. To exploit the vulnerability, an attacker who has a domain user account could create a specially crafted request, causing Windows to execute arbitrary code with elevated permissions. The security update addresses the vulnerability by correcting how Windows handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7620 |
Title: Windows Remote Access Common Dialog Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7620 CVE-2020-1071 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows improperly handles errors tied to Remote Access Common Dialog. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. To exploit this vulnerability, an attacker would need to physically access the booted machine to reach the logon screen. An attacker could then exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how Windows handles errors tied to Remote Access Common Dialog. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7551 |
Title: Windows Push Notification Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7551 CVE-2020-1137 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7597 |
Title: Windows Printer Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7597 CVE-2020-1081 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Printer Service improperly validates file paths while loading printer drivers. An authenticated attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows Printer Service validates file paths. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7607 |
Title: Windows Print Spooler Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7607 CVE-2020-1048 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows Print Spooler Component writes to the file system. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7546 |
Title: Windows Print Spooler Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7546 CVE-2020-1070 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows Print Spooler Component writes to the file system. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7579 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7579 CVE-2020-1072 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7573 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7573 CVE-2020-1087 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7595 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7595 CVE-2020-1114 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7574 |
Title: Windows Installer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7574 CVE-2020-1078 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. To exploit the vulnerability, an attacker would require unprivileged execution on the victim system. After successfully exploiting the vulnerability, an attacker could run arbitrary code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the way Windows Installer handles certain filesystem operations. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7622 |
Title: Windows Hyper-V Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7622 CVE-2020-0909 |
Severity: Medium |
Description: A denial of service vulnerability exists when Hyper-V on a Windows Server fails to properly handle specially crafted network packets. To exploit the vulnerability, an attacker would send specially crafted network packets to the Hyper-V Server. The security update addresses the vulnerability by resolving the conditions where Hyper-V would fail to properly handle these network packets. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7554 |
Title: Windows Graphics Component Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7554 CVE-2020-1135 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7588 |
Title: Windows GDI Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7588 CVE-2020-1141 |
Severity: Low |
Description: An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how GDI handles memory addresses. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7601 |
Title: Windows GDI Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7601 CVE-2020-1179 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7548 |
Title: Windows GDI Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7548 CVE-2020-0963 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7549 |
Title: Windows GDI Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7549 CVE-2020-1145 |
Severity: Low |
Description: An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how GDI handles memory addresses. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7570 |
Title: Windows GDI Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7570 CVE-2020-1142 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how GDI handles objects in memory and by preventing instances of unintended user-mode privilege elevation. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7562 |
Title: Windows Error Reporting Manager Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7562 CVE-2020-1132 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles file and folder links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows Error Reporting manager handles file and folder links. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7587 |
Title: Windows Error Reporting Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7587 CVE-2020-1082 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by correcting the way that WER handles and executes files. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7589 |
Title: Windows Error Reporting Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7589 CVE-2020-1021 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by correcting the way that WER handles and executes files. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7621 |
Title: Windows Error Reporting Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7621 CVE-2020-1088 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by correcting the way that WER handles and executes files. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7553 |
Title: Windows Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7553 CVE-2020-1076 |
Severity: Low |
Description: A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to cause a target system to stop responding. The update addresses the vulnerability by correcting how Windows handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7608 |
Title: Windows CSRSS Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7608 CVE-2020-1116 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows Client Server Run-Time Subsystem (CSRSS) fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application. The update addresses the vulnerability by correcting how the Windows CSRSS handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7571 |
Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7571 CVE-2020-1154 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how CLFS handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7565 |
Title: Windows Clipboard Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7565 CVE-2020-1121 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows improperly handles calls to Clipboard Service. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system. The update addresses the vulnerability by correcting how Windows handles calls to Clipboard Service. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7568 |
Title: Windows Clipboard Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7568 CVE-2020-1165 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows improperly handles calls to Clipboard Service. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system. The update addresses the vulnerability by correcting how Windows handles calls to Clipboard Service. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7556 |
Title: Windows Clipboard Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7556 CVE-2020-1111 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows improperly handles calls to Clipboard Service. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system. The update addresses the vulnerability by correcting how Windows handles calls to Clipboard Service. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7559 |
Title: Windows Clipboard Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7559 CVE-2020-1166 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows improperly handles calls to Clipboard Service. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system. The update addresses the vulnerability by correcting how Windows handles calls to Clipboard Service. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7592 |
Title: Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7592 CVE-2020-1112 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. To exploit this vulnerability, an attacker would require permissions to upload files via BITS. An attacker could then submit a specially crafted request to upload a file. The security update addresses the vulnerability by correcting how Windows BITS validates file names. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7598 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7598 CVE-2020-1054 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7612 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7612 CVE-2020-1143 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7580 |
Title: Microsoft Windows Transport Layer Security Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7580 CVE-2020-1118 |
Severity: High |
Description: A denial of service vulnerability exists in the Windows implementation of Transport Layer Security (TLS) when it improperly handles certain key exchanges. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. To exploit this vulnerability, a remote unauthenticated attacker could send a specially crafted request to a target system utilizing TLS 1.2 or lower, triggering the system to automatically reboot. The update addresses the vulnerability by changing the way TLS key exchange messages are validated. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7567 |
Title: Microsoft Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7567 CVE-2020-1079 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how Windows handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7610 |
Title: Microsoft Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7610 CVE-2020-1068 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows Media Service that allows file creation in arbitrary locations. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Windows Media Service handles file creation. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7547 |
Title: Microsoft Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7547 CVE-2020-1010 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows Block Level Backup Engine Service (wbengine) that allows file deletion in arbitrary locations. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Windows Block Level Backup Engine Service handles file operations. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7581 |
Title: Microsoft Script Runtime Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7581 CVE-2020-1061 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that the Microsoft Script Runtime handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Microsoft Script Runtime handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7582 |
Title: Microsoft Graphics Components Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7582 CVE-2020-1153 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7615 |
Title: Microsoft Color Management Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7615 CVE-2020-1117 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that the Color Management Module (ICM32.dll) handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. The security update addresses the vulnerability by correcting how Color Management Module handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7577 |
Title: Microsoft Active Directory Federation Services Cross-Site Scripting Vulnerability |
Type: Software |
Bulletins:
CISEC:7577 CVE-2020-1055 |
Severity: Medium |
Description: A cross-site scripting (XSS) vulnerability exists when Active Directory Federation Services (ADFS) does not properly sanitize user inputs. An unauthenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected ADFS server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run scripts in the security context of the current user. This security update addresses the vulnerability by ensuring that ADFS properly sanitizes user inputs. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7572 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7572 CVE-2020-1150 |
Severity: Medium |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7583 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7583 CVE-2020-1028 |
Severity: High |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7614 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7614 CVE-2020-1136 |
Severity: High |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7557 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7557 CVE-2020-1126 |
Severity: High |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7566 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7566 CVE-2020-1174 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7575 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7575 CVE-2020-1051 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7586 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7586 CVE-2020-1175 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7563 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7563 CVE-2020-1176 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7616 |
Title: DirectX Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7616 CVE-2020-1140 |
Severity: High |
Description: An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7593 |
Title: Connected User Experiences and Telemetry Service Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7593 CVE-2020-1123 |
Severity: Low |
Description: A denial of service vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could cause a system to stop responding. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7545 |
Title: Connected User Experiences and Telemetry Service Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7545 CVE-2020-1084 |
Severity: Low |
Description: A Denial Of Service vulnerability exists when Connected User Experiences and Telemetry Service fails to validate certain function values. An attacker who successfully exploited this vulnerability could deny dependent security feature functionality. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service validates certain function values. | ||||
Applies to: |
Created: 2020-06-12 |
Updated: 2024-09-07 |
ID: CISEC:7516 |
Title: Windows VBScript Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7516 |
Severity: Low |
Description: A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka 'Windows VBScript Engine Remote Code Execution Vulnerability'. | ||||
Applies to: Internet Explorer 11 Internet Explorer 9 |
Created: 2020-05-29 |
Updated: 2021-12-30 |
ID: CISEC:7515 |
Title: VBScript Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7515 |
Severity: Low |
Description: A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka 'VBScript Remote Code Execution Vulnerability'. | ||||
Applies to: Internet Explorer 11 Internet Explorer 9 |
Created: 2020-05-29 |
Updated: 2021-12-30 |
ID: CISEC:7513 |
Title: Scripting Engine Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7513 |
Severity: Low |
Description: A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka 'Scripting Engine Memory Corruption Vulnerability'. | ||||
Applies to: Internet Explorer 11 Microsoft Edge |
Created: 2020-05-29 |
Updated: 2021-12-30 |
ID: CISEC:7518 |
Title: Scripting Engine Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7518 |
Severity: Low |
Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0830, CVE-2020-0831, CVE-2020-0833, CVE-2020-0848. | ||||
Applies to: Internet Explorer 11 Internet Explorer 9 |
Created: 2020-05-29 |
Updated: 2021-12-30 |
ID: CISEC:7519 |
Title: Scripting Engine Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7519 |
Severity: Low |
Description: A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0831, CVE-2020-0832, CVE-2020-0833, CVE-2020-0848. | ||||
Applies to: Internet Explorer 11 Microsoft Edge |
Created: 2020-05-29 |
Updated: 2021-12-30 |
ID: CISEC:7506 |
Title: Scripting Engine Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7506 |
Severity: Low |
Description: A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0823, CVE-2020-0825, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0830, CVE-2020-0831, CVE-2020-0832, CVE-2020-0833, CVE-2020-0848. | ||||
Applies to: Microsoft Edge |
Created: 2020-05-29 |
Updated: 2021-12-30 |
ID: CISEC:7507 |
Title: Scripting Engine Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7507 |
Severity: Low |
Description: A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0968. | ||||
Applies to: Microsoft Edge (EdgeHTML-based) |
Created: 2020-05-29 |
Updated: 2021-12-30 |
ID: CISEC:7508 |
Title: Scripting Engine Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7508 |
Severity: Low |
Description: A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0830, CVE-2020-0831, CVE-2020-0832, CVE-2020-0833, CVE-2020-0848. | ||||
Applies to: Microsoft Edge |
Created: 2020-05-29 |
Updated: 2021-12-30 |
ID: CISEC:7512 |
Title: Scripting Engine Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7512 |
Severity: Low |
Description: A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0830, CVE-2020-0831, CVE-2020-0832, CVE-2020-0833. | ||||
Applies to: Microsoft Edge |
Created: 2020-05-29 |
Updated: 2021-12-30 |
ID: CISEC:7509 |
Title: Microsoft Edge Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7509 |
Severity: Low |
Description: A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka 'Microsoft Edge Memory Corruption Vulnerability'. | ||||
Applies to: Microsoft Edge |
Created: 2020-05-29 |
Updated: 2021-12-30 |
ID: CISEC:7517 |
Title: Internet Explorer Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7517 |
Severity: Low |
Description: A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, aka 'Internet Explorer Memory Corruption Vulnerability'. | ||||
Applies to: Internet Explorer 11 |
Created: 2020-05-29 |
Updated: 2021-12-30 |
ID: CISEC:7514 |
Title: Chakra Scripting Engine Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7514 |
Severity: Low |
Description: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based), aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. (CVE-2020-0812) A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. (CVE-2020-0825) | ||||
Applies to: Microsoft Edge |
Created: 2020-05-29 |
Updated: 2021-12-30 |
ID: CISEC:7510 |
Title: Chakra Scripting Engine Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7510 |
Severity: Low |
Description: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based), aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. | ||||
Applies to: Microsoft Edge |
Created: 2020-05-29 |
Updated: 2021-12-30 |
ID: CISEC:7511 |
Title: Chakra Scripting Engine Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7511 |
Severity: Low |
Description: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based), aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. | ||||
Applies to: Microsoft Edge |
Created: 2020-05-29 |
Updated: 2021-12-30 |
ID: CISEC:7427 |
Title: Windows Work Folder Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7427 CVE-2020-1094 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7443 |
Title: Windows Update Stack Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7443 CVE-2020-0996 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows Update Stack handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7487 |
Title: Windows Update Stack Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7487 CVE-2020-0985 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows Update Stack handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7488 |
Title: Windows Token Security Feature Bypass Vulnerability |
Type: Software |
Bulletins:
CISEC:7488 CVE-2020-0981 |
Severity: Medium |
Description: A security feature bypass vulnerability exists when Windows fails to properly handle token relationships. An attacker who successfully exploited the vulnerability could allow an application with a certain integrity level to execute code at a different integrity level, leading to a sandbox escape. The update addresses the vulnerability by correcting how Windows handles token relationships. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7455 |
Title: Windows SMBv3 Client/Server Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7455 CVE-2020-0796 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it. The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7480 |
Title: Windows Scheduled Task Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7480 CVE-2020-0936 |
Severity: Low |
Description: An elevation of privilege vulnerability exists when a Windows scheduled task improperly handles file redirections. An attacker who successfully exploited this vulnerability could delete a targeted file they would not have permissions to. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability. The security update addresses the vulnerability by correcting how Windows scheduled tasks handle file redirections. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7454 |
Title: Windows Push Notification Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7454 CVE-2020-1016 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows Push Notification Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7436 |
Title: Windows Push Notification Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7436 CVE-2020-1017 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7469 |
Title: Windows Push Notification Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7469 CVE-2020-1001 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7482 |
Title: Windows Push Notification Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7482 CVE-2020-1006 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7486 |
Title: Windows Push Notification Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7486 CVE-2020-0940 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7426 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7426 CVE-2020-0821 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7493 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7493 CVE-2020-1007 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7477 |
Title: Windows Kernel Information Disclosure in CPU Memory Access |
Type: Software |
Bulletins:
CISEC:7477 CVE-2020-0955 |
Severity: Low |
Description: An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7430 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7430 CVE-2020-1000 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7466 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7466 CVE-2020-1003 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7472 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7472 CVE-2020-1027 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7490 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7490 CVE-2020-0913 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7438 |
Title: Windows Hyper-V Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7438 CVE-2020-0910 |
Severity: High |
Description: A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system. The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7428 |
Title: Windows Hyper-V Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7428 CVE-2020-0917 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows Hyper-V on a host server fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges on a target operating system. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running. The update addresses the vulnerabilities by correcting how Windows Hyper-V handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7464 |
Title: Windows Hyper-V Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7464 CVE-2020-0918 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows Hyper-V on a host server fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges on a target operating system. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running. The update addresses the vulnerabilities by correcting how Windows Hyper-V handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7424 |
Title: Windows Graphics Component Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7424 CVE-2020-1004 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7437 |
Title: Windows GDI Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7437 CVE-2020-0952 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7433 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7433 CVE-2020-0983 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Delivery Optimization service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows Delivery Optimization service handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7440 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7440 CVE-2020-1009 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Microsoft Store Install Service properly handles this type of function. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7444 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7444 CVE-2020-1015 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the User-Mode Power Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7449 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7449 CVE-2020-0818 |
Severity: Low |
Description: An elevation of privilege vulnerability exists in the way that the sysmain.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the sysmain.dll properly handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2021-12-30 |
ID: CISEC:7450 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7450 CVE-2020-0934 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows WpcDesktopMonSvc improperly manages memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how WpcDesktopMonSvc manages memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7489 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7489 CVE-2020-1011 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows System Assessment Tool improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows System Assessment Tool handles file operations. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7475 |
Title: Windows DNS Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7475 CVE-2020-0993 |
Severity: Medium |
Description: A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive. To exploit the vulnerability, an authenticated attacker could send malicious DNS queries to a target, resulting in a denial of service. The update addresses the vulnerability by correcting how Windows DNS processes queries. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7432 |
Title: Windows Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7432 CVE-2020-0794 |
Severity: Medium |
Description: A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to cause a target system to stop responding. The update addresses the vulnerability by correcting how Windows handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7452 |
Title: Win32k Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7452 CVE-2020-0699 |
Severity: Low |
Description: An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7481 |
Title: Win32k Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7481 CVE-2020-0962 |
Severity: Low |
Description: An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7445 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7445 CVE-2020-0958 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7484 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7484 CVE-2020-0957 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7491 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7491 CVE-2020-0956 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7448 |
Title: Remote Desktop Client Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7448 CVE-2020-0817 |
Severity: Low |
Description: A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would have no way of forcing a user to connect to the malicious server; they would need to trick the user into connecting via social engineering, DNS poisoning, or a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect. The update addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2021-12-30 |
ID: CISEC:7483 |
Title: Microsoft Windows Update Client Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7483 CVE-2020-1014 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by enabling the Windows Update client to properly handle user privileges. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7470 |
Title: Microsoft Windows Codecs Library Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7470 CVE-2020-0965 |
Severity: Medium |
Description: A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7447 |
Title: Microsoft Graphics Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7447 CVE-2020-0687 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or instant message that takes users to the attacker's website, or by opening an attachment sent through email. In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit the vulnerability and then convince users to open the document file. The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7457 |
Title: Microsoft Graphics Components Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7457 CVE-2020-0907 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7429 |
Title: Microsoft Graphics Component Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7429 CVE-2020-0982 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting the way in which the Windows Graphics Component handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7456 |
Title: Microsoft Graphics Component Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7456 CVE-2020-0987 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting the way in which the Windows Graphics Component handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7468 |
Title: Microsoft Graphics Component Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7468 CVE-2020-1005 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting the way in which the Windows Graphics Component handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7434 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7434 CVE-2020-0948 |
Severity: High |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7446 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7446 CVE-2020-0950 |
Severity: High |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7459 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7459 CVE-2020-0949 |
Severity: High |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7431 |
Title: Media Foundation Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7431 CVE-2020-0947 |
Severity: Medium |
Description: An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log onto an affected system and open a specially crafted file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7453 |
Title: Media Foundation Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7453 CVE-2020-0937 |
Severity: Medium |
Description: An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log onto an affected system and open a specially crafted file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7461 |
Title: Media Foundation Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7461 CVE-2020-0939 |
Severity: Medium |
Description: An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log onto an affected system and open a specially crafted file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7465 |
Title: Media Foundation Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7465 CVE-2020-0945 |
Severity: Medium |
Description: An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log onto an affected system and open a specially crafted file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7471 |
Title: Media Foundation Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7471 CVE-2020-0946 |
Severity: Medium |
Description: An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log onto an affected system and open a specially crafted file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7425 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7425 CVE-2020-0953 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7439 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7439 CVE-2020-0959 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7458 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7458 CVE-2020-0988 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7460 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7460 CVE-2020-0995 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7463 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7463 CVE-2020-0889 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7473 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7473 CVE-2020-0999 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7474 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7474 CVE-2020-1008 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7476 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7476 CVE-2020-0994 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7479 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7479 CVE-2020-0992 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7492 |
Title: Jet Database Engine Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7492 CVE-2020-0960 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7451 |
Title: GDI+ Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7451 CVE-2020-0964 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message. In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file. The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7467 |
Title: DirectX Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7467 CVE-2020-0784 |
Severity: High |
Description: An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7478 |
Title: DirectX Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7478 CVE-2020-0888 |
Severity: High |
Description: An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7435 |
Title: Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7435 CVE-2020-1029 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7442 |
Title: Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7442 CVE-2020-0942 |
Severity: Low |
Description: An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could overwrite files in arbitrary locations with elevated permissions. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7462 |
Title: Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7462 CVE-2020-0944 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7441 |
Title: Adobe Font Manager Library Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7441 CVE-2020-0938 |
Severity: Medium |
Description: A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7485 |
Title: Adobe Font Manager Library Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7485 CVE-2020-1020 |
Severity: Medium |
Description: A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. | ||||
Applies to: |
Created: 2020-05-22 |
Updated: 2024-09-07 |
ID: CISEC:7340 |
Title: Windows Work Folder Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7340 CVE-2020-0777 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7370 |
Title: Windows Work Folder Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7370 CVE-2020-0800 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7387 |
Title: Windows Work Folder Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7387 CVE-2020-0865 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7398 |
Title: Windows Work Folder Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7398 CVE-2020-0797 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7402 |
Title: Windows Work Folder Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7402 CVE-2020-0866 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7328 |
Title: Windows Work Folder Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7328 CVE-2020-0897 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7330 |
Title: Windows Work Folder Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7330 CVE-2020-0864 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7374 |
Title: Windows User Profile Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7374 CVE-2020-0785 |
Severity: Low |
Description: An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and delete files or folders of their choosing. The security update addresses the vulnerability by correcting how the Windows User Profile Service handles symlinks. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7347 |
Title: Windows UPnP Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7347 CVE-2020-0781 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows UPnP service handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7359 |
Title: Windows UPnP Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7359 CVE-2020-0783 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows UPnP service handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7365 |
Title: Windows Update Orchestrator Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7365 CVE-2020-0868 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Update Orchestrator Service handles file operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7329 |
Title: Windows Update Orchestrator Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7329 CVE-2020-0867 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Update Orchestrator Service handles file operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7384 |
Title: Windows Tile Object Service Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7384 CVE-2020-0786 |
Severity: Medium |
Description: A denial of service vulnerability exists when the Windows Tile Object Service improperly handles hard links. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would allow an attacker to overwrite system files. The update addresses the vulnerability by correcting how the Windows Tile Object Service handles hard links. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7339 |
Title: Windows Search Indexer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7339 CVE-2020-0857 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7334 |
Title: Windows Network List Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7334 CVE-2020-0780 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Network List Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network List Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7364 |
Title: Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7364 CVE-2020-0861 |
Severity: High |
Description: An information disclosure vulnerability exists when the Windows Network Driver Interface Specification (NDIS) improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to disclose kernel memory. The security update addresses the vulnerability by correcting how the Windows Network Driver Interface Specification (NDIS) handles memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7350 |
Title: Windows Network Connections Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7350 CVE-2020-0871 |
Severity: Low |
Description: An information disclosure vulnerability exists when Windows Network Connections Service fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. To exploit this vulnerability, an authenticated attacker could run a specially crafted application in user mode. The update addresses the vulnerability by correcting how the Windows Network Connections Service handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7343 |
Title: Windows Network Connections Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7343 CVE-2020-0803 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7366 |
Title: Windows Network Connections Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7366 CVE-2020-0845 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7367 |
Title: Windows Network Connections Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7367 CVE-2020-0778 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7368 |
Title: Windows Network Connections Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7368 CVE-2020-0804 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7375 |
Title: Windows Network Connections Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7375 CVE-2020-0802 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7338 |
Title: Windows Modules Installer Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7338 CVE-2020-0859 |
Severity: Low |
Description: An information disclosure vulnerability exists when Windows Modules Installer Service improperly discloses file information. Successful exploitation of the vulnerability could allow the attacker to read any file on the file system. To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by changing the way Windows Modules Installer Service discloses file information. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7381 |
Title: Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7381 CVE-2020-0854 |
Severity: Low |
Description: An elevation of privilege vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to delete files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and remove files. The security update addresses the vulnerability by correcting how Windows MDM Diagnostics handles files. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7344 |
Title: Windows Language Pack Installer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7344 CVE-2020-0822 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Language Pack Installer handles file operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7327 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7327 CVE-2020-0799 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel parses symbolic links. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7361 |
Title: Windows Installer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7361 CVE-2020-0779 |
Severity: Low |
Description: An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and add or remove files. The security update addresses the vulnerability by modifying how reparse points are handled by the Windows Installer. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7377 |
Title: Windows Installer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7377 CVE-2020-0843 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. To exploit the vulnerability, an attacker would require unprivileged execution on the victim system. After successfully exploiting the vulnerability, an attacker could run arbitrary code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the way Windows Installer handles certain filesystem operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7395 |
Title: Windows Installer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7395 CVE-2020-0842 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. To exploit the vulnerability, an attacker would require unprivileged execution on the victim system. After successfully exploiting the vulnerability, an attacker could run arbitrary code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the way Windows Installer handles certain filesystem operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7400 |
Title: Windows Installer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7400 CVE-2020-0814 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. To exploit the vulnerability, an attacker would require unprivileged execution on the victim system. After successfully exploiting the vulnerability, an attacker could run arbitrary code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the way Windows Installer handles certain filesystem operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7333 |
Title: Windows Installer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7333 CVE-2020-0798 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7385 |
Title: Windows Imaging Component Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7385 CVE-2020-0853 |
Severity: Medium |
Description: An information disclosure vulnerability exists in Windows when the Windows Imaging Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit this vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or instant message that takes users to the attacker's website or by opening an attachment sent through email. In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit this vulnerability and then convince a user to open the document file. The security update addresses the vulnerability by correcting how the Windows Imaging Component handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7341 |
Title: Windows Hard Link Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7341 CVE-2020-0840 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows handles hard links. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7355 |
Title: Windows Hard Link Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7355 CVE-2020-0896 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows handles hard links. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7358 |
Title: Windows Hard Link Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7358 CVE-2020-0841 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows handles hard links. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7331 |
Title: Windows Hard Link Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7331 CVE-2020-0849 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows handles hard links. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7372 |
Title: Windows Graphics Component Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7372 CVE-2020-0885 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage. The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7342 |
Title: Windows Graphics Component Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7342 CVE-2020-0791 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7383 |
Title: Windows Graphics Component Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7383 CVE-2020-0898 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7369 |
Title: Windows GDI Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7369 CVE-2020-0874 |
Severity: Low |
Description: An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how GDI handles memory addresses. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7382 |
Title: Windows GDI Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7382 CVE-2020-0882 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7389 |
Title: Windows GDI Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7389 CVE-2020-0880 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7393 |
Title: Windows GDI Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7393 CVE-2020-0774 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7337 |
Title: Windows GDI Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7337 CVE-2020-0879 |
Severity: Low |
Description: An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how GDI handles memory addresses. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7376 |
Title: Windows Error Reporting Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7376 CVE-2020-0775 |
Severity: Low |
Description: An information disclosure vulnerability exists when Windows Error Reporting improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to disclose information. The security update addresses the vulnerability by correcting how Windows Error Reporting handles file operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7360 |
Title: Windows Error Reporting Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7360 CVE-2020-0806 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by correcting the way that WER handles and executes files. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7399 |
Title: Windows Error Reporting Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7399 CVE-2020-0772 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Error Reporting handles memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7352 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7352 CVE-2020-0858 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the "Public Account Pictures" folder improperly handles junctions. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how Windows handles junctions. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7388 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7388 CVE-2020-0776 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how AppX Deployment Server handles file operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7351 |
Title: Windows Device Setup Manager Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7351 CVE-2020-0819 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Device Setup Manager improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Device Setup Manager handles file operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7378 |
Title: Windows Defender Security Center Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7378 CVE-2020-0763 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Windows Defender Security Center handles certain objects in memory. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted command that could exploit the vulnerability to elevate privileges. The update addresses the vulnerability by correcting how Windows Defender Security Center handles certain objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7379 |
Title: Windows Defender Security Center Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7379 CVE-2020-0762 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Windows Defender Security Center handles certain objects in memory. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted command that could exploit the vulnerability to elevate privileges. The update addresses the vulnerability by correcting how Windows Defender Security Center handles certain objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7348 |
Title: Windows CSC Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7348 CVE-2020-0769 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows CSC Service handles memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7401 |
Title: Windows CSC Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7401 CVE-2020-0771 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows CSC Service handles memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7363 |
Title: Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7363 CVE-2020-0787 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows BITS handles symbolic links. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7332 |
Title: Windows ALPC Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7332 CVE-2020-0834 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system. The update addresses the vulnerability by correcting how Windows handles calls to ALPC. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7357 |
Title: Windows ActiveX Installer Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7357 CVE-2020-0770 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows ActiveX Installer Service handles memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7362 |
Title: Windows ActiveX Installer Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7362 CVE-2020-0773 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows ActiveX Installer Service handles memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7391 |
Title: Windows ActiveX Installer Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7391 CVE-2020-0860 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows ActiveX Installer Service handles memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7354 |
Title: Win32k Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7354 CVE-2020-0876 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability, an attacker would have to either log on locally to an affected system, or convince a locally authenticated user to execute a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7349 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7349 CVE-2020-0887 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7371 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7371 CVE-2020-0877 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7336 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7336 CVE-2020-0788 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7386 |
Title: Provisioning Runtime Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7386 CVE-2020-0808 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way the Provisioning Runtime validates certain file operations. An attacker who successfully exploited the vulnerability could gain elevated privileges on a victim system. To exploit the vulnerability, an attacker would require unprivileged code execution on a victim system. The security update addresses the vulnerability by correctly validating file operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7373 |
Title: Microsoft IIS Server Tampering Vulnerability |
Type: Software |
Bulletins:
CISEC:7373 CVE-2020-0645 |
Severity: Medium |
Description: A tampering vulnerability exists when Microsoft IIS Server improperly handles malformed request headers. An attacker who successfully exploited the vulnerability could cause a vulnerable server to improperly process HTTP headers and tamper with the responses returned to clients. To exploit the vulnerability, an attacker would need to send a malformed HTTP request to an affected server. The update addresses the vulnerability by modifying how IIS Server handles malformed request headers. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7380 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7380 CVE-2020-0807 |
Severity: High |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7392 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7392 CVE-2020-0809 |
Severity: High |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7394 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7394 CVE-2020-0869 |
Severity: Medium |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7335 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7335 CVE-2020-0801 |
Severity: Medium |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7353 |
Title: Media Foundation Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7353 CVE-2020-0820 |
Severity: Low |
Description: An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An attacker who had already gained execution on the victim system could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7346 |
Title: LNK Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7346 CVE-2020-0684 |
Severity: Medium |
Description: A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice on the target system. The security update addresses the vulnerability by correcting the processing of shortcut LNK references. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7396 |
Title: GDI+ Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7396 CVE-2020-0883 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message. In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file. The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7397 |
Title: GDI+ Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7397 CVE-2020-0881 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message. In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file. The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7390 |
Title: DirectX Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7390 CVE-2020-0690 |
Severity: High |
Description: An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7356 |
Title: Connected User Experiences and Telemetry Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7356 CVE-2020-0863 |
Severity: Low |
Description: An information disclosure vulnerability exists when Windows Connected User Experiences and Telemetry Service improperly discloses file information. Successful exploitation of the vulnerability could allow the attacker to read any file on the file system. To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by changing the way Windows Connected User Experiences and Telemetry Service discloses file information. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CISEC:7345 |
Title: Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7345 CVE-2020-0844 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. | ||||
Applies to: |
Created: 2020-04-17 |
Updated: 2024-09-07 |
ID: CVE-2019-20781 |
Title: oval:com.altx-soft.win:def:68524: Vulnerability in LG Bridge before 1.2.54 |
Type: Miscellaneous |
Bulletins:
CVE-2019-20781 |
Severity: Medium |
Description: An issue was discovered in LG Bridge before April 2019 on Windows. DLL Hijacking can occur. | ||||
Applies to: LG Bridge |
Created: 2020-04-05 |
Updated: 2024-09-07 |
ID: CISEC:7274 |
Title: Adobe Photoshop CC 19.1.7 and earlier, and 20.0.2 and earlier have a heap corruption vulnerability |
Type: Software |
Bulletins:
CISEC:7274 |
Severity: Low |
Description: Adobe Photoshop CC 19.1.7 and earlier, and 20.0.2 and earlier have a heap corruption vulnerability. Successful exploitation could lead to arbitrary code execution. | ||||
Applies to: Adobe Photoshop |
Created: 2020-03-27 |
Updated: 2020-03-27 |
ID: CISEC:7273 |
Title: Multiple vulnerabilities on Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier |
Type: Software |
Bulletins:
CISEC:7273 |
Severity: Low |
Description: Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability (CVE-2019-7969, CVE-2019-7970, CVE-2019-797, CVE-2019-7972, CVE-2019-7973, CVE-2019-7973, CVE-2019-7975, CVE-2019-7980), a heap overflow vulnerability (CVE-2019-7978, CVE-2019-7985, CVE-2019-7990, CVE-2019-7993), an out-of-bounds write vulnerability (CVE-2019-7976, CVE-2019-7979, CVE-2019-7982, CVE-2019-7983, CVE-2019-7984, CVE-2019-7986, CVE-2019-7988, CVE-2019-7994, CVE-2019-7992, CVE-2019-7997, CVE-2019-7998, CVE-2019-8001), and a command injection vulnerability (CVE-2019-7968, CVE-2019-7989). Successful exploitation could lead to arbitrary code execution. Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out-of-bounds read vulnerability (CVE-2019-7977, CVE-2019-7981, CVE-2019-7987, CVE-2019-7991, CVE-2019-7995, CVE-2019-7996, CVE-2019-7999, CVE-2019-8000). Successful exploitation could lead to a memory leak. | ||||
Applies to: Adobe Photoshop |
Created: 2020-03-20 |
Updated: 2020-03-20 |
ID: CISEC:7271 |
Title: Multiple vulnerabilities on Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier. |
Type: Software |
Bulletins:
CISEC:7271 |
Severity: Low |
Description: Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a heap overflow vulnerability (CVE-2020-3742). Successful exploitation could lead to arbitrary code execution. Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an out-of-bounds read vulnerability (CVE-2020-3744, CVE-2020-3747, CVE-2020-3755). Successful exploitation could lead to information disclosure. Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a stack exhaustion vulnerability (CVE-2020-3753, CVE-2020-3756). Successful exploitation could lead to a memory leak. Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a privilege escalation vulnerability (CVE-2020-3762, CVE-2020-3763). Successful exploitation could lead to arbitrary file system write. Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a buffer error vulnerability (CVE-2020-3752, CVE-2020-3754). Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a use-after-free vulnerability (CVE-2020-3743, CVE-2020-3745, CVE-2020-3746, CVE-2020-3748, CVE-2020-3749, CVE-2020-3750, CVE-2020-3751). | ||||
Applies to: Adobe Acrobat 2017 Adobe Acrobat DC Classic Adobe Acrobat DC Continuous Adobe Reader 2017 Adobe Reader DC Classic Adobe Reader DC Continuous |
Created: 2020-03-20 |
Updated: 2021-06-03 |
ID: CISEC:7270 |
Title: Internet Explorer Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7270 |
Severity: Low |
Description: A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, aka 'Internet Explorer Memory Corruption Vulnerability'. | ||||
Applies to: Internet Explorer 10 Internet Explorer 11 Internet Explorer 9 |
Created: 2020-03-20 |
Updated: 2021-12-30 |
ID: CISEC:7212 |
Title: Windows Wireless Network Manager Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7212 CVE-2020-0704 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Wireless Network Manager improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Wireless Network Manager handles memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7253 |
Title: Windows User Profile Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7253 CVE-2020-0730 |
Severity: Low |
Description: An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and delete files or folders of their choosing. The security update addresses the vulnerability by correcting how the Windows User Profile Service handles symlinks. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7243 |
Title: Windows SSH Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7243 CVE-2020-0757 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows improperly handles Secure Socket Shell remote commands. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Secure Socket Shell handles remote commands. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7193 |
Title: Windows Search Indexer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7193 CVE-2020-0667 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7217 |
Title: Windows Search Indexer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7217 CVE-2020-0735 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7247 |
Title: Windows Search Indexer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7247 CVE-2020-0752 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7264 |
Title: Windows Search Indexer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7264 CVE-2020-0666 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7219 |
Title: Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7219 CVE-2020-0660 |
Severity: Medium |
Description: A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. To exploit this vulnerability, an attacker would need to run a specially crafted application against a server which provides Remote Desktop Protocol (RDP) services. The update addresses the vulnerability by correcting how RDP handles connection requests. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7203 |
Title: Windows Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7203 CVE-2020-0662 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that Windows handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code with elevated permissions on a target system. To exploit the vulnerability, an attacker who has a domain user account could create a specially crafted request, causing Windows to execute arbitrary code with elevated permissions. The security update addresses the vulnerability by correcting how Windows handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7258 |
Title: Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7258 CVE-2020-0705 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows Network Driver Interface Specification (NDIS) improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to disclose uninitialized kernel memory. The security update addresses the vulnerability by correcting how the Windows Network Driver Interface Specification (NDIS) handles memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7210 |
Title: Windows Modules Installer Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7210 CVE-2020-0728 |
Severity: Medium |
Description: An information disclosure vulnerability exists when Windows Modules Installer Service improperly discloses file information. Successful exploitation of the vulnerability could allow the attacker to read any file on the file system. To exploit the vulnerability, an attacker would have to log onto an affected system and run a specially crafted application. The update addresses the vulnerability by changing the way Windows Modules Installer Service discloses file information. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7194 |
Title: Windows Key Isolation Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7194 CVE-2020-0756 |
Severity: Low |
Description: An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7202 |
Title: Windows Key Isolation Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7202 CVE-2020-0677 |
Severity: Low |
Description: An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7205 |
Title: Windows Key Isolation Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7205 CVE-2020-0755 |
Severity: Low |
Description: An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7228 |
Title: Windows Key Isolation Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7228 CVE-2020-0748 |
Severity: Low |
Description: An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7239 |
Title: Windows Key Isolation Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7239 CVE-2020-0676 |
Severity: Low |
Description: An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7251 |
Title: Windows Key Isolation Service Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7251 CVE-2020-0675 |
Severity: Low |
Description: An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7265 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7265 CVE-2020-0736 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7192 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7192 CVE-2020-0671 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7215 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7215 CVE-2020-0669 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7245 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7245 CVE-2020-0672 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7249 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7249 CVE-2020-0670 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7261 |
Title: Windows Kernel Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7261 CVE-2020-0668 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7197 |
Title: Windows Installer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7197 CVE-2020-0686 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and add or remove files. The security update addresses the vulnerability by modifying how reparse points are handled by the Windows Installer. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7263 |
Title: Windows Installer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7263 CVE-2020-0683 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and add or remove files. The security update addresses the vulnerability by modifying how reparse points are handled by the Windows Installer. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7240 |
Title: Windows Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7240 CVE-2020-0698 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Telephony Service improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting how the Telephony Service handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7188 |
Title: Windows IME Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7188 CVE-2020-0707 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows IME improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows IME handles memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7241 |
Title: Windows Imaging Library Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7241 CVE-2020-0708 |
Severity: Medium |
Description: A remote code execution vulnerability exists when the Windows Imaging Library improperly handles memory. To exploit this vulnerability, an attacker would first have to coerce a victim to open a specially crafted file. The security update addresses the vulnerability by correcting how the Windows Imaging Library handles memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7196 |
Title: Windows Hyper-V Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7196 CVE-2020-0661 |
Severity: Medium |
Description: A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application that causes a host machine to crash. The security update addresses the vulnerability by resolving a number of conditions where Hyper-V would fail to prevent a guest operating system from sending malicious requests. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7227 |
Title: Windows Hyper-V Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7227 CVE-2020-0751 |
Severity: Low |
Description: A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate specific malicious data from a user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application. The security update addresses the vulnerability by resolving the conditions where Hyper-V would fail to handle these requests. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7201 |
Title: Windows Graphics Component Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7201 CVE-2020-0792 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7222 |
Title: Windows Graphics Component Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7222 CVE-2020-0745 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7250 |
Title: Windows Graphics Component Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7250 CVE-2020-0715 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7208 |
Title: Windows Function Discovery Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7208 CVE-2020-0679 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Function Discovery Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7254 |
Title: Windows Function Discovery Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7254 CVE-2020-0680 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Function Discovery Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7257 |
Title: Windows Function Discovery Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7257 CVE-2020-0682 |
Severity: High |
Description: An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Function Discovery Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7237 |
Title: Windows Error Reporting Manager Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7237 CVE-2020-0678 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows Error Reporting manager handles hard links. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7252 |
Title: Windows Error Reporting Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7252 CVE-2020-0754 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by correcting the way that WER handles and executes files. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7260 |
Title: Windows Error Reporting Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7260 CVE-2020-0753 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by correcting the way that WER handles and executes files. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7207 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7207 CVE-2020-0737 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the tapisrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the tapisrv.dll properly handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7226 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7226 CVE-2020-0739 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the dssvc.dll handles file creation allowing for a file overwrite or creation in a secured location. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the dssvc.dll properly handles this type of functionality. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7191 |
Title: Windows Data Sharing Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7191 CVE-2020-0659 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Data Sharing Service handles file operations. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7214 |
Title: Windows Data Sharing Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7214 CVE-2020-0747 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Data Sharing Service handles file operations. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7231 |
Title: Windows Common Log File System Driver Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7231 CVE-2020-0658 |
Severity: Low |
Description: An information disclosure vulnerability exists in the Windows Common Log File System (CLFS) driver when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how CLFS handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7259 |
Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7259 CVE-2020-0657 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how CLFS handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7262 |
Title: Windows COM Server Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7262 CVE-2020-0685 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows improperly handles COM object creation. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Windows COM Server creates COM objects. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7195 |
Title: Windows Client License Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7195 CVE-2020-0701 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Client License Service (ClipSVC) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Client License Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7206 |
Title: Windows Backup Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7206 CVE-2020-0703 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7233 |
Title: Win32k Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7233 CVE-2020-0717 |
Severity: Low |
Description: An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7235 |
Title: Win32k Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7235 CVE-2020-0716 |
Severity: Low |
Description: An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7198 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7198 CVE-2020-0719 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7199 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7199 CVE-2020-0720 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7204 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7204 CVE-2020-0724 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7211 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7211 CVE-2020-0723 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7218 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7218 CVE-2020-0721 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7221 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7221 CVE-2020-0725 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7223 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7223 CVE-2020-0731 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7225 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7225 CVE-2020-0726 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7242 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7242 CVE-2020-0722 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7244 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7244 CVE-2020-0691 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7216 |
Title: Remote Desktop Services Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7216 CVE-2020-0655 |
Severity: High |
Description: A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an authenticated attacker abuses clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker must already have compromised a system running Remote Desktop Services, and then wait for a victim system to connect to Remote Desktop Services. The update addresses the vulnerability by correcting how Remote Desktop Services handles clipboard redirection. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7232 |
Title: Remote Desktop Client Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7232 CVE-2020-0681 |
Severity: High |
Description: A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would have no way of forcing a user to connect to the malicious server; they would need to trick the user into connecting via social engineering, DNS poisoning or a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect. The update addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7255 |
Title: Remote Desktop Client Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7255 CVE-2020-0734 |
Severity: High |
Description: A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would have no way of forcing a user to connect to the malicious server; they would need to trick the user into connecting via social engineering, DNS poisoning or a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect. The update addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7229 |
Title: Microsoft Secure Boot Security Feature Bypass Vulnerability |
Type: Software |
Bulletins:
CISEC:7229 CVE-2020-0689 |
Severity: Medium |
Description: A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability can bypass secure boot and load untrusted software. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by blocking vulnerable third-party bootloaders. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7234 |
Title: Microsoft Graphics Components Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7234 CVE-2020-0746 |
Severity: Medium |
Description: An information disclosure vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could obtain information that could be useful for further exploitation. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7213 |
Title: Media Foundation Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7213 CVE-2020-0738 |
Severity: High |
Description: A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7236 |
Title: LNK Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7236 CVE-2020-0729 |
Severity: Medium |
Description: A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice on the target system. The security update addresses the vulnerability by correcting the processing of shortcut LNK references. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7190 |
Title: DirectX Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7190 CVE-2020-0714 |
Severity: Low |
Description: An information disclosure vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how DirectX handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7189 |
Title: DirectX Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7189 CVE-2020-0732 |
Severity: High |
Description: An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7209 |
Title: DirectX Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7209 CVE-2020-0709 |
Severity: High |
Description: An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7266 |
Title: Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7266 CVE-2020-0727 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when the Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges on the victim system. To exploit the vulnerability, an attacker would first have to gain execution on the victim system, then run a specially crafted application. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7200 |
Title: Connected Devices Platform Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7200 CVE-2020-0742 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Connected Devices Platform Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7224 |
Title: Connected Devices Platform Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7224 CVE-2020-0750 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Connected Devices Platform Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7238 |
Title: Connected Devices Platform Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7238 CVE-2020-0749 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Connected Devices Platform Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7246 |
Title: Connected Devices Platform Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7246 CVE-2020-0743 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Connected Devices Platform Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7248 |
Title: Connected Devices Platform Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7248 CVE-2020-0741 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Connected Devices Platform Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7256 |
Title: Connected Devices Platform Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7256 CVE-2020-0740 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Connected Devices Platform Service properly handles objects in memory. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7220 |
Title: Active Directory Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7220 CVE-2020-0665 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in Active Directory Forest trusts due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest. To exploit this vulnerability, an attacker would first need to compromise an Active Directory forest. An attacker who successfully exploited this vulnerability could request delegation of a TGT for an identity from the trusted forest. This update addresses the vulnerability by ensuring new Active Directory Forest trusts disable TGT delegation by default. The update does not change existing TGT delegation configurations. | ||||
Applies to: |
Created: 2020-03-13 |
Updated: 2024-09-07 |
ID: CISEC:7174 |
Title: Brackets versions 1.14 and earlier have a command injection vulnerability |
Type: Software |
Bulletins:
CISEC:7174 CVE-2019-8255 |
Severity: High |
Description: Brackets versions 1.14 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution. | ||||
Applies to: Adobe Brackets |
Created: 2020-03-06 |
Updated: 2024-09-07 |
ID: CISEC:7173 |
Title: Adobe Photoshop CC versions before 20.0.8 and 21.0.x before 21.0.2 have a memory corruption vulnerability |
Type: Software |
Bulletins:
CISEC:7173 |
Severity: Low |
Description: Adobe Photoshop CC versions before 20.0.8 and 21.0.x before 21.0.2 have a memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution. | ||||
Applies to: Adobe Photoshop |
Created: 2020-02-28 |
Updated: 2020-02-28 |
ID: CISEC:7160 |
Title: VBScript Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7160 CVE-2019-1208 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka 'VBScript Remote Code Execution Vulnerability'. | ||||
Applies to: Microsoft Internet Explorer 10 Microsoft Internet Explorer 11 Microsoft Internet Explorer 9 |
Created: 2020-02-21 |
Updated: 2024-09-07 |
ID: CISEC:7164 |
Title: Multiple vulnerabilities on Adobe Acrobat and Reader versions, 2019.021.20056 and earlier, 2017.011.30152 and earlier, 2017.011.30155 and earlier version, 2017.011.30152 and earlier, and 2015.006.30505 and earlier. |
Type: Software |
Bulletins:
CISEC:7164 |
Severity: Low |
Description: Adobe Acrobat and Reader versions, 2019.021.20056 and earlier, 2017.011.30152 and earlier, 2017.011.30155 and earlier version, 2017.011.30152 and earlier, and 2015.006.30505 and earlier have a heap overflow vulnerability (CVE-2019-16451); have a buffer error vulnerability (CVE-2019-16462); have a security bypass vulnerability (CVE-2019-16453); have an out-of-bounds write vulnerability (CVE-2019-16450, CVE-2019-16454); have a use after free vulnerability (CVE-2019-16445, CVE-2019-16448, CVE-2019-16452, CVE-2019-16459, CVE-2019-16464); have an untrusted pointer dereference vulnerability (CVE-2019-16446, CVE-2019-16455, CVE-2019-16460, CVE-2019-16463). Successful exploitation could lead to arbitrary code execution. Adobe Acrobat and Reader versions, 2019.021.20056 and earlier, 2017.011.30152 and earlier, 2017.011.30155 and earlier version, 2017.011.30152 and earlier, and 2015.006.30505 and earlier have a binary planting (default folder privilege escalation) vulnerability (CVE-2019-16444). Successful exploitation could lead to privilege escalation. Adobe Acrobat and Reader versions, 2019.021.20056 and earlier, 2017.011.30152 and earlier, 2017.011.30155 and earlier version, 2017.011.30152 and earlier, and 2015.006.30505 and earlier have an out-of-bounds read vulnerability (CVE-2019-16449, CVE-2019-16456, CVE-2019-16457, CVE-2019-16458, CVE-2019-16461, CVE-2019-16465). Successful exploitation could lead to information disclosure. | ||||
Applies to: Adobe Acrobat 2017 Adobe Acrobat DC Classic Adobe Acrobat DC Continuous Adobe Reader 2017 Adobe Reader DC Classic Adobe Reader DC Continuous |
Created: 2020-02-21 |
Updated: 2021-06-04 |
ID: CISEC:7162 |
Title: Microsoft Browser Spoofing Vulnerability |
Type: Software |
Bulletins:
CISEC:7162 CVE-2019-1357 |
Severity: Medium |
Description: A spoofing vulnerability exists when Microsoft Browsers improperly handle browser cookies, aka 'Microsoft Browser Spoofing Vulnerability'. | ||||
Applies to: Microsoft Edge Microsoft Internet Explorer 11 |
Created: 2020-02-21 |
Updated: 2024-09-07 |
ID: CISEC:7163 |
Title: Microsoft Browser Security Feature Bypass Vulnerability |
Type: Software |
Bulletins:
CISEC:7163 CVE-2019-1220 |
Severity: Medium |
Description: A security feature bypass vulnerability exists when Microsoft Browsers fail to validate the correct Security Zone of requests for specific URLs, aka 'Microsoft Browser Security Feature Bypass Vulnerability'. | ||||
Applies to: Microsoft Edge Microsoft Internet Explorer 10 Microsoft Internet Explorer 11 Microsoft Internet Explorer 9 |
Created: 2020-02-21 |
Updated: 2024-09-07 |
ID: CISEC:7161 |
Title: Chakra Scripting Engine Memory Corruption Vulnerability |
Type: Software |
Bulletins:
CISEC:7161 CVE-2019-1217 |
Severity: High |
Description: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. | ||||
Applies to: Microsoft Edge |
Created: 2020-02-21 |
Updated: 2024-09-07 |
ID: CISEC:7158 |
Title: Adobe Bridge CC versions 9.1 and earlier have a memory corruption vulnerability |
Type: Software |
Bulletins:
CISEC:7158 |
Severity: Low |
Description: Adobe Bridge CC versions 9.1 and earlier have a memory corruption vulnerability. Successful exploitation could lead to information disclosure. | ||||
Applies to: Adobe Bridge |
Created: 2020-02-21 |
Updated: 2020-02-21 |
ID: CISEC:7157 |
Title: Adobe Bridge CC version 9.0.2 and earlier versions have an out of bound read vulnerability |
Type: Software |
Bulletins:
CISEC:7157 |
Severity: Low |
Description: Adobe Bridge CC version 9.0.2 and earlier versions have an out of bound read vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user. | ||||
Applies to: Adobe Bridge |
Created: 2020-02-21 |
Updated: 2020-02-21 |
ID: CISEC:7138 |
Title: Windows Subsystem for Linux Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7138 CVE-2020-0636 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Subsystem for Linux handles files. An attacker who successfully exploited the vulnerability could execute code with elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows Subsystem for Linux handles files. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7128 |
Title: Windows Security Feature Bypass Vulnerability |
Type: Software |
Bulletins:
CISEC:7128 CVE-2020-0621 |
Severity: Low |
Description: A security feature bypass vulnerability exists in Windows 10 when third party filters are called during a password update. Successful exploitation of the vulnerability could allow a user to make use of a blocked password for their account. To exploit the vulnerability, an attacker would need to have access and the current password for the target user. The update addresses how password filters are called during a password update. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7122 |
Title: Windows Search Indexer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7122 CVE-2020-0627 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7124 |
Title: Windows Search Indexer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7124 CVE-2020-0632 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7135 |
Title: Windows Search Indexer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7135 CVE-2020-0625 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7136 |
Title: Windows Search Indexer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7136 CVE-2020-0630 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7137 |
Title: Windows Search Indexer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7137 CVE-2020-0626 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7139 |
Title: Windows Search Indexer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7139 CVE-2020-0614 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7142 |
Title: Windows Search Indexer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7142 CVE-2020-0613 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7146 |
Title: Windows Search Indexer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7146 CVE-2020-0631 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7148 |
Title: Windows Search Indexer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7148 CVE-2020-0629 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7149 |
Title: Windows Search Indexer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7149 CVE-2020-0628 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7154 |
Title: Windows Search Indexer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7154 CVE-2020-0633 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7155 |
Title: Windows Search Indexer Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7155 CVE-2020-0623 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7133 |
Title: Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7133 CVE-2020-0609 |
Severity: High |
Description: A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's RD Gateway via RDP. The update addresses the vulnerability by correcting how RD Gateway handles connection requests. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7134 |
Title: Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7134 CVE-2020-0610 |
Severity: High |
Description: A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's RD Gateway via RDP. The update addresses the vulnerability by correcting how RD Gateway handles connection requests. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7151 |
Title: Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7151 CVE-2020-0612 |
Severity: Medium |
Description: A denial of service vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RD Gateway service on the target system to stop responding. To exploit this vulnerability, an attacker would need to run a specially crafted application against a server which provides RD Gateway services. The update addresses the vulnerability by correcting how RD Gateway handles connection requests. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7145 |
Title: Windows GDI+ Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7145 CVE-2020-0643 |
Severity: Low |
Description: An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface Plus (GDI+) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how GDI+ handles memory addresses. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7125 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7125 CVE-2020-0635 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Microsoft Windows when Windows fails to properly handle certain symbolic links. An attacker who successfully exploited this vulnerability could potentially set certain items to run at a higher level and thereby elevate permissions. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Windows handles symbolic links. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7152 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7152 CVE-2020-0644 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Microsoft Windows implements predictable memory section names. An attacker who successfully exploited this vulnerability could run arbitrary code as system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application designed to elevate privileges. The update addresses the vulnerability by correcting how Windows assigns memory to specific processes. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7156 |
Title: Windows CryptoAPI Spoofing Vulnerability |
Type: Software |
Bulletins:
CISEC:7156 CVE-2020-0601 |
Severity: Medium |
Description: A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7143 |
Title: Windows Common Log File System Driver Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7143 CVE-2020-0615 |
Severity: Low |
Description: An information disclosure vulnerability exists in the Windows Common Log File System (CLFS) driver when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how CLFS handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7144 |
Title: Windows Common Log File System Driver Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7144 CVE-2020-0639 |
Severity: Low |
Description: An information disclosure vulnerability exists in the Windows Common Log File System (CLFS) driver when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how CLFS handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7132 |
Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7132 CVE-2020-0634 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how CLFS handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7121 |
Title: Win32k Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7121 CVE-2020-0608 |
Severity: Low |
Description: An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7123 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7123 CVE-2020-0624 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7130 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7130 CVE-2020-0642 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7147 |
Title: Update Notification Manager Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7147 CVE-2020-0638 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists in the way the Update Notification Manager handles files. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Update Notification Manager handles files. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7126 |
Title: Remote Desktop Web Access Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7126 CVE-2020-0637 |
Severity: Medium |
Description: An information disclosure vulnerability exists when Remote Desktop Web Access improperly handles credential information. An attacker who successfully exploited this vulnerability could obtain legitimate users' credentials. To exploit this vulnerability, an attacker would need access to a vulnerable server with the Remote Desktop Web Access role. The security update addresses the vulnerability by correcting how Remote Desktop Web Access handles credential information. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7140 |
Title: Remote Desktop Client Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:7140 CVE-2020-0611 |
Severity: Medium |
Description: A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would have no way of forcing a user to connect to the malicious server; they would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect. The update addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7150 |
Title: Microsoft Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7150 CVE-2020-0641 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows Media Service that allows file creation in arbitrary locations. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Windows Media Service handles file creation. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7129 |
Title: Microsoft Windows Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7129 CVE-2020-0616 |
Severity: Medium |
Description: A denial of service vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would allow an attacker to overwrite system files. The update addresses the vulnerability by correcting ACLs to system files. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7153 |
Title: Microsoft Graphics Components Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7153 CVE-2020-0607 |
Severity: Medium |
Description: An information disclosure vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could obtain information that could be useful for further exploitation. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7141 |
Title: Microsoft Graphics Component Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:7141 CVE-2020-0622 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting the way in which the Windows Graphics Component handles objects in memory. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7127 |
Title: Microsoft Cryptographic Services Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:7127 CVE-2020-0620 |
Severity: Medium |
Description: An elevation of privilege vulnerability exists when Microsoft Cryptographic Services improperly handles files. An attacker could exploit the vulnerability to overwrite or modify a protected file leading to a privilege escalation. To exploit the vulnerability, an attacker would first require execution on the victim system. The security update addresses the vulnerability by addressing how Microsoft Cryptographic Services handles files. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:7131 |
Title: Hyper-V Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:7131 CVE-2020-0617 |
Severity: Medium |
Description: A denial of service vulnerability exists when Microsoft Hyper-V Virtual PCI on a host server fails to properly validate input from a privileged user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application that causes a host machine to crash. The security update addresses the vulnerability by properly validating input. | ||||
Applies to: |
Created: 2020-02-14 |
Updated: 2024-09-07 |
ID: CISEC:6833 |
Title: Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability |
Type: Software |
Bulletins:
CISEC:6833 CVE-2019-1453 |
Severity: Medium |
Description: A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. To exploit this vulnerability, an attacker would need to run a specially crafted application against a server which provides Remote Desktop Protocol (RDP) services. The update addresses the vulnerability by correcting how RDP handles connection requests. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6830 |
Title: Windows Printer Service Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:6830 CVE-2019-1477 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows Printer Service improperly validates file paths while loading printer drivers. An authenticated attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows Printer Service validates file paths. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6836 |
Title: Windows OLE Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:6836 CVE-2019-1484 |
Severity: Medium |
Description: A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted file or a program, causing Windows to execute arbitrary code. The update addresses the vulnerability by correcting how Windows OLE validates user input. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6828 |
Title: Windows Media Player Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:6828 CVE-2019-1480 |
Severity: Medium |
Description: An information disclosure vulnerability exists in Windows Media Player when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. To exploit this vulnerability, an attacker would have to log on to an affected system and open a specially crafted file. The update addresses the vulnerability by correcting how Windows Media Player handles objects in memory. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6829 |
Title: Windows Media Player Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:6829 CVE-2019-1481 |
Severity: Medium |
Description: An information disclosure vulnerability exists in Windows Media Player when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. To exploit this vulnerability, an attacker would have to log on to an affected system and open a specially crafted file. The update addresses the vulnerability by correcting how Windows Media Player handles objects in memory. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6840 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:6840 CVE-2019-1474 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6842 |
Title: Windows Kernel Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:6842 CVE-2019-1472 |
Severity: Low |
Description: An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6844 |
Title: Windows Hyper-V Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:6844 CVE-2019-1471 |
Severity: Medium |
Description: A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system. The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6839 |
Title: Windows Hyper-V Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:6839 CVE-2019-1470 |
Severity: Medium |
Description: An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker on a guest operating system could run a specially crafted application that could cause the Hyper-V host operating system to disclose memory information. An attacker who successfully exploited the vulnerability could gain access to information on the Hyper-V host operating system. The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6826 |
Title: Windows GDI Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:6826 CVE-2019-1465 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6831 |
Title: Windows GDI Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:6831 CVE-2019-1466 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6834 |
Title: Windows GDI Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:6834 CVE-2019-1467 |
Severity: Medium |
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6832 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:6832 CVE-2019-1476 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows AppX Deployment Service handles hard links. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6835 |
Title: Windows Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:6835 CVE-2019-1483 |
Severity: High |
Description: An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how AppX Deployment Server handles junctions. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6838 |
Title: Windows COM Server Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:6838 CVE-2019-1478 |
Severity: High |
Description: An elevation of privilege vulnerability exists when Windows improperly handles COM object creation. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Windows COM Server creates COM objects. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6827 |
Title: Win32k Information Disclosure Vulnerability |
Type: Software |
Bulletins:
CISEC:6827 CVE-2019-1469 |
Severity: Low |
Description: An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6843 |
Title: Win32k Graphics Remote Code Execution Vulnerability |
Type: Software |
Bulletins:
CISEC:6843 CVE-2019-1468 |
Severity: High |
Description: A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit this vulnerability. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit this vulnerability, and then convince a user to open the document file. The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6841 |
Title: Win32k Elevation of Privilege Vulnerability |
Type: Software |
Bulletins:
CISEC:6841 CVE-2019-1458 |
Severity: High |
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |
ID: CISEC:6837 |
Title: Microsoft Defender Security Feature Bypass Vulnerability |
Type: Software |
Bulletins:
CISEC:6837 CVE-2019-1488 |
Severity: Low |
Description: A security feature bypass vulnerability exists when Microsoft Defender improperly handles specific buffers. An attacker could exploit the vulnerability to trigger warnings and false positives when no threat is present. To exploit the vulnerability, an attacker would first require execution permissions on the victim system. The security update addresses the vulnerability by ensuring Microsoft Defender properly handles these buffers. | ||||
Applies to: |
Created: 2020-01-17 |
Updated: 2024-09-07 |