LanGuard reports



Supported OVAL Bulletins





ID:
CVE-2020-10148
Title:
SolarWinds Orion SUNBURST infection
Type:
Software
Bulletins:
CVE-2020-10148
Severity:
High
Description:
The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.
Applies to:
SolarWinds Orion
Created:
2020-12-23
Updated:
2024-01-17

ID:
CISEC:8473
Title:
Windows Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8473
CVE-2020-17057
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8437
Title:
Windows WalletService Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8437
CVE-2020-16999
Severity:
Low
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8451
Title:
Windows WalletService Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8451
CVE-2020-17037
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8425
Title:
Windows USO Core Worker Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8425
CVE-2020-17075
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8472
Title:
Windows Update Stack Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8472
CVE-2020-17077
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8450
Title:
Windows Update Orchestrator Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8450
CVE-2020-17073
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8431
Title:
Windows Update Orchestrator Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8431
CVE-2020-17076
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8433
Title:
Windows Update Orchestrator Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8433
CVE-2020-17074
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8440
Title:
Windows Update Medic Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8440
CVE-2020-17070
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8463
Title:
Windows Spoofing Vulnerability
Type:
Software
Bulletins:
CISEC:8463
CVE-2020-1599
Severity:
Low
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8454
Title:
Windows Remote Access Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8454
CVE-2020-17031
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8467
Title:
Windows Remote Access Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8467
CVE-2020-17044
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8469
Title:
Windows Remote Access Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8469
CVE-2020-17027
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8475
Title:
Windows Remote Access Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8475
CVE-2020-17043
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8428
Title:
Windows Remote Access Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8428
CVE-2020-17033
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8429
Title:
Windows Remote Access Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8429
CVE-2020-17055
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8439
Title:
Windows Remote Access Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8439
CVE-2020-17032
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8462
Title:
Windows Remote Access Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8462
CVE-2020-17025
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8464
Title:
Windows Remote Access Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8464
CVE-2020-17028
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8478
Title:
Windows Remote Access Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8478
CVE-2020-17034
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8480
Title:
Windows Remote Access Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8480
CVE-2020-17026
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8474
Title:
Windows Print Spooler Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8474
CVE-2020-17042
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8446
Title:
Windows Print Spooler Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8446
CVE-2020-17001
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8426
Title:
Windows Print Spooler Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8426
CVE-2020-17014
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8471
Title:
Windows Print Configuration Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8471
CVE-2020-17041
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8455
Title:
Windows Port Class Library Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8455
CVE-2020-17011
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8479
Title:
Windows Network File System Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8479
CVE-2020-17051
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8476
Title:
Windows Network File System Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8476
CVE-2020-17056
Severity:
Low
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8448
Title:
Windows Network File System Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:8448
CVE-2020-17047
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8424
Title:
Windows NDIS Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8424
CVE-2020-17069
Severity:
Low
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8435
Title:
Windows MSCTF Server Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8435
CVE-2020-17030
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8423
Title:
Windows KernelStream Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8423
CVE-2020-17045
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8444
Title:
Windows Kernel Local Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8444
CVE-2020-17087
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8434
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8434
CVE-2020-17035
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8436
Title:
Windows Hyper-V Security Feature Bypass Vulnerability
Type:
Software
Bulletins:
CISEC:8436
CVE-2020-17040
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8427
Title:
Windows Graphics Component Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8427
CVE-2020-17004
Severity:
Low
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8438
Title:
Windows GDI+ Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8438
CVE-2020-17068
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8456
Title:
Windows Function Discovery SSDP Provider Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8456
CVE-2020-17036
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8432
Title:
Windows Error Reporting Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8432
CVE-2020-17007
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8461
Title:
Windows Error Reporting Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:8461
CVE-2020-17046
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8458
Title:
Windows Delivery Optimization Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8458
CVE-2020-17071
Severity:
Low
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8453
Title:
Windows Common Log File System Driver Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8453
CVE-2020-17088
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8468
Title:
Windows Client Side Rendering Print Provider Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8468
CVE-2020-17024
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8466
Title:
Windows Canonical Display Driver Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8466
CVE-2020-17029
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8470
Title:
Windows Camera Codec Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8470
CVE-2020-17113
Severity:
Low
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8445
Title:
Windows Bind Filter Driver Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8445
CVE-2020-17012
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8442
Title:
Win32k Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8442
CVE-2020-17013
Severity:
Low
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8449
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8449
CVE-2020-17038
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8460
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8460
CVE-2020-17010
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8441
Title:
Remote Desktop Protocol Server Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8441
CVE-2020-16997
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8443
Title:
Remote Desktop Protocol Client Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8443
CVE-2020-17000
Severity:
Low
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8459
Title:
Microsoft Defender for Endpoint Security Feature Bypass Vulnerability
Type:
Software
Bulletins:
CISEC:8459
CVE-2020-17090
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8430
Title:
Kerberos Security Feature Bypass Vulnerability
Type:
Software
Bulletins:
CISEC:8430
CVE-2020-17049
Severity:
High
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8465
Title:
DirectX Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8465
CVE-2020-16998
Severity:
Medium
Description:
Applies to:
Created:
2020-12-11
Updated:
2024-01-17

ID:
CISEC:8381
Title:
Windows Text Services Framework Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8381
CVE-2020-16921
Severity:
Low
Description:
An information disclosure vulnerability exists in Text Services Framework when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. To exploit this vulnerability, an attacker would have to log on to an affected system and open a specially crafted file. The update addresses the vulnerability by correcting how Text Services Framework handles objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8386
Title:
Windows TCP/IP Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8386
CVE-2020-16898
Severity:
Medium
Description:
A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer. The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8413
Title:
Windows TCP/IP Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:8413
CVE-2020-16899
Severity:
High
Description:
A denial of service vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could cause a target system to stop responding. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer. The vulnerability would not allow an attacker to execute code or to elevate user rights directly. The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8392
Title:
Windows Subsystem for Linux Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8392
CVE-2020-1423
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Subsystem for Linux handles files. An attacker who successfully exploited the vulnerability could execute code with elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows Subsystem for Linux handles files.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8414
Title:
Windows Storage VSP Driver Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8414
CVE-2020-16885
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Storage VSP Driver improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Storage VSP Driver properly handles file operations.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8397
Title:
Windows Storage Services Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8397
CVE-2020-0764
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Storage Services improperly handle file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Storage Services properly handle file operations.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8376
Title:
Windows Spoofing Vulnerability
Type:
Software
Bulletins:
CISEC:8376
CVE-2020-16922
Severity:
Low
Description:
A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files. In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded. The update addresses the vulnerability by correcting how Windows validates file signatures.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8419
Title:
Windows SMBv3 Client/Server Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:8419
CVE-2020-1284
Severity:
Medium
Description:
A denial of service vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An authenticated attacker who successfully exploited this vulnerability against an SMB Server could cause the affected system to crash. An unauthenticated attacker could also exploit this vulnerability against an SMB client and cause the affected system to crash. To exploit the vulnerability against a server, an authenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it. The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8374
Title:
Windows Shell Infrastructure Component Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8374
CVE-2020-1098
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Shell infrastructure component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting the way in which the Shell infrastructure component handles objects in memory and preventing unintended elevation from lower integrity application.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8373
Title:
Windows Security Feature Bypass Vulnerability
Type:
Software
Bulletins:
CISEC:8373
CVE-2020-16910
Severity:
Medium
Description:
A security feature bypass vulnerability exists when Microsoft Windows fails to handle file creation permissions, which could allow an attacker to create files in a protected Unified Extensible Firmware Interface (UEFI) location. To exploit this vulnerability, an attacker could run a specially crafted application to bypass Unified Extensible Firmware Interface (UEFI) variable security in Windows. The security update addresses the vulnerability by correcting security feature behavior to enforce permissions.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8415
Title:
Windows Remote Desktop Service Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:8415
CVE-2020-16863
Severity:
High
Description:
A denial of service vulnerability exists in Windows Remote Desktop Service when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the Remote Desktop Service on the target system to stop responding. To exploit this vulnerability, an attacker would need to run a specially crafted application against a server which provides Remote Desktop Service. The update addresses the vulnerability by correcting how Remote Desktop Service handles connection requests.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8385
Title:
Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8385
CVE-2020-16896
Severity:
Medium
Description:
An information disclosure vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would need to run a specially crafted application against a server which provides Remote Desktop Protocol (RDP) services. The update addresses the vulnerability by correcting how RDP handles connection requests.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8398
Title:
Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:8398
CVE-2020-16927
Severity:
High
Description:
A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. To exploit this vulnerability, an attacker would need to run a specially crafted application against a server which provides Remote Desktop Protocol (RDP) services. The update addresses the vulnerability by correcting how RDP handles connection requests.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8363
Title:
Windows Network Connections Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8363
CVE-2020-16887
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8369
Title:
Windows NAT Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8369
CVE-2020-16894
Severity:
Medium
Description:
A remote code execution vulnerability exists when Windows Network Address Translation (NAT) fails to properly handle UDP traffic. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system. An attacker who successfully exploited the vulnerability could cause memory corruption on a host operating system. The security update addresses the vulnerability by correcting how Windows NAT handles objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8402
Title:
Windows KernelStream Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8402
CVE-2020-16889
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows KernelStream improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows KernelStream handles objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8379
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8379
CVE-2020-16901
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. To exploit this vulnerability, an authenticated attacker could run a specially crafted application. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. The update addresses the vulnerability by correcting how the Windows kernel initializes objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8407
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8407
CVE-2020-16938
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8404
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8404
CVE-2020-16890
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8411
Title:
Windows iSCSI Target Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8411
CVE-2020-16980
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows iSCSI Target Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows iSCSI Target Service properly handles file operations.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8420
Title:
Windows Installer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8420
CVE-2020-16902
Severity:
High
Description:
An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8391
Title:
Windows Image Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8391
CVE-2020-16892
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows kernel image handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows kernel image properly handles objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8377
Title:
Windows Hyper-V Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8377
CVE-2020-16891
Severity:
High
Description:
A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system. The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8370
Title:
Windows Hyper-V Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8370
CVE-2020-1080
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows Hyper-V on a host server fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges on a target operating system. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running. The update addresses the vulnerabilities by correcting how Windows Hyper-V handles objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8401
Title:
Windows Hyper-V Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8401
CVE-2020-1047
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows Hyper-V on a host server fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges on a target operating system. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running. The update addresses the vulnerabilities by correcting how Windows Hyper-V handles objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8395
Title:
Windows Hyper-V Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:8395
CVE-2020-1243
Severity:
Medium
Description:
A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate specific malicious data from a user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application. The security update addresses the vulnerability by resolving the conditions where Hyper-V would fail to handle these requests.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8393
Title:
Windows GDI+ Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8393
CVE-2020-16914
Severity:
Low
Description:
An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface Plus (GDI+) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how GDI+ handles memory addresses.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8410
Title:
Windows Event System Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8410
CVE-2020-16900
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Event System improperly handles objects in memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Event System handles objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8368
Title:
Windows Error Reporting Manager Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8368
CVE-2020-16895
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows Error Reporting manager handles process crashes.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8418
Title:
Windows Error Reporting Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8418
CVE-2020-16905
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by correcting the way that WER handles and executes files.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8405
Title:
Windows Error Reporting Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8405
CVE-2020-16909
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by correcting the way that WER handles and executes files.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8421
Title:
Windows Enterprise App Management Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8421
CVE-2020-16919
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows Enterprise App Management Service improperly handles certain file operations. An attacker who successfully exploited this vulnerability could read arbitrary files. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Windows Enterprise App Management Service properly handles file operations.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8390
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8390
CVE-2020-16877
Severity:
Low
Description:
An elevation of privilege vulnerability exists when Microsoft Windows improperly handles reparse points. An attacker who successfully exploited this vulnerability could overwrite or delete a targeted file that would normally require elevated permissions. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and overwrite or delete files. The security update addresses the vulnerability by correcting how Windows handles reparse points.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8365
Title:
Windows COM Server Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8365
CVE-2020-16935
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows improperly handles COM object creation. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Windows COM Server creates COM objects.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8387
Title:
Windows COM Server Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8387
CVE-2020-16916
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows improperly handles COM object creation. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Windows COM Server creates COM objects.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8384
Title:
Windows Camera Codec Pack Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8384
CVE-2020-16968
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Camera Codec Pack improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of the Windows Camera Codec Pack. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. The security update addresses the vulnerability by correcting how the Windows Camera Codec Pack handles objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8406
Title:
Windows Camera Codec Pack Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8406
CVE-2020-16967
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Camera Codec Pack improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of the Windows Camera Codec Pack. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. The security update addresses the vulnerability by correcting how the Windows Camera Codec Pack handles objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8412
Title:
Windows Backup Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8412
CVE-2020-16973
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8416
Title:
Windows Backup Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8416
CVE-2020-16912
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8367
Title:
Windows Backup Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8367
CVE-2020-16936
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8380
Title:
Windows Backup Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8380
CVE-2020-16976
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8382
Title:
Windows Backup Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8382
CVE-2020-16974
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8383
Title:
Windows Backup Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8383
CVE-2020-16975
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8388
Title:
Windows Backup Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8388
CVE-2020-16972
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8364
Title:
Windows Application Compatibility Client Library Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8364
CVE-2020-16920
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Application Compatibility Client Library improperly handles registry operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Application Compatibility Client Library properly handles registry operations.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8366
Title:
Windows Application Compatibility Client Library Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8366
CVE-2020-16876
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Application Compatibility Client Library improperly handles registry operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Application Compatibility Client Library properly handles registry operations.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8409
Title:
Windows - User Profile Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8409
CVE-2020-16940
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles junction points. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and delete files or folders of their choosing. The security update addresses the vulnerability by correcting how the Windows User Profile Service handles junction points.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8378
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8378
CVE-2020-16907
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8389
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8389
CVE-2020-16913
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8417
Title:
Projected Filesystem Security Feature Bypass Vulnerability
Type:
Software
Bulletins:
CISEC:8417
CVE-2020-0805
Severity:
Low
Description:
A security feature bypass vulnerability exists when a Windows Projected Filesystem improperly handles file redirections. An attacker who successfully exploited this vulnerability could delete a targeted file they would not have permissions to. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability. The security update addresses the vulnerability by correcting how Windows Projected Filesystem handles file redirections.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8394
Title:
NetBT Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8394
CVE-2020-16897
Severity:
Low
Description:
An information disclosure vulnerability exists when NetBIOS over TCP (NBT) Extensions (NetBT) improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how NetBT handles objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8371
Title:
Microsoft Graphics Components Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8371
CVE-2020-16923
Severity:
Medium
Description:
A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8400
Title:
Microsoft Graphics Components Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8400
CVE-2020-1167
Severity:
High
Description:
A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8372
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:8372
CVE-2020-16915
Severity:
Medium
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8396
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8396
CVE-2020-16924
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8408
Title:
Group Policy Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8408
CVE-2020-16939
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how Group Policy checks access.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8403
Title:
GDI+ Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8403
CVE-2020-16911
Severity:
High
Description:
A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message. In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file. The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8422
Title:
Connected User Experiences and Telemetry Service Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:8422
CVE-2020-1120
Severity:
Medium
Description:
A denial of service vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could cause a system to stop responding. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations.
Applies to:
Created:
2020-11-13
Updated:
2024-01-17

ID:
CISEC:8314
Title:
Windows Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8314
CVE-2020-1152
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Windows improperly handles calls to Win32k.sys. An attacker who successfully exploited the vulnerability could gain elevated privileges on a targeted system. To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how Windows handles calls to Win32k.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8344
Title:
Windows UPnP Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8344
CVE-2020-1598
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows UPnP service handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8353
Title:
Windows Text Service Module Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8353
CVE-2020-0908
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Text Service Module improperly handles memory. An attacker who successfully exploited the vulnerability could gain execution on a victim system. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge (Chromium-based), and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. The security update addresses the vulnerability by correcting how the Windows Text Service Module handles memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8329
Title:
Windows Storage Services Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8329
CVE-2020-1559
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Storage Services improperly handle file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Storage Services properly handle file operations.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8341
Title:
Windows Storage Services Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8341
CVE-2020-0886
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Storage Services improperly handle file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Storage Services properly handle file operations.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8326
Title:
Windows State Repository Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8326
CVE-2020-0914
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8292
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8292
CVE-2020-1303
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8350
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8350
CVE-2020-1169
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8288
Title:
Windows RSoP Service Application Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8288
CVE-2020-0648
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows RSoP Service Application improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows RSoP Service Application handles memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8340
Title:
Windows Routing Utilities Denial of Service
Type:
Software
Bulletins:
CISEC:8340
CVE-2020-1038
Severity:
Medium
Description:
A denial of service vulnerability exists when Windows Routing Utilities improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to cause a target system to stop responding. The update addresses the vulnerability by correcting how Windows handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8317
Title:
Windows Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8317
CVE-2020-1252
Severity:
Medium
Description:
A remote code execution vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited this vulnerability could take control of an affected system. To exploit the vulnerability, an attacker would first have to log on to the target system and then run a specially crafted application. The updates address the vulnerability by correcting how Windows handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8318
Title:
Windows Print Spooler Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8318
CVE-2020-1030
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows Print Spooler Component writes to the file system.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8320
Title:
Windows Modules Installer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8320
CVE-2020-0911
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows Modules Installer improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Modules Installer handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8304
Title:
Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8304
CVE-2020-0989
Severity:
Low
Description:
An information disclosure vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to read files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and access files. The security update addresses the vulnerability by correcting how Windows MDM Diagnostics handles files.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8325
Title:
Windows Media Audio Decoder Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8325
CVE-2020-1593
Severity:
Medium
Description:
A remote code execution vulnerability exists when Windows Media Audio Decoder improperly handles objects. An attacker who successfully exploited the vulnerability could take control of an affected system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Audio Decoder handles objects.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8349
Title:
Windows Media Audio Decoder Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8349
CVE-2020-1508
Severity:
High
Description:
A remote code execution vulnerability exists when Windows Media Audio Decoder improperly handles objects. An attacker who successfully exploited the vulnerability could take control of an affected system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Audio Decoder handles objects.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8293
Title:
Windows Language Pack Installer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8293
CVE-2020-1122
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Language Pack Installer handles file operations.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8290
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8290
CVE-2020-1592
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. To exploit this vulnerability, an authenticated attacker could run a specially crafted application. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. The update addresses the vulnerability by correcting how the Windows kernel initializes objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8309
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8309
CVE-2020-0928
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8310
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8310
CVE-2020-1033
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8319
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8319
CVE-2020-16854
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8345
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8345
CVE-2020-1589
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8298
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8298
CVE-2020-1034
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8301
Title:
Windows InstallService Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8301
CVE-2020-1532
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows InstallService improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows InstallService handles memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8335
Title:
Windows Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8335
CVE-2020-1119
Severity:
Low
Description:
An information disclosure vulnerability exists when StartTileData.dll improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting the way in which StartTileData.dll handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8308
Title:
Windows Hyper-V Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:8308
CVE-2020-0904
Severity:
Low
Description:
A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate specific malicious data from a user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application. The security update addresses the vulnerability by resolving the conditions where Hyper-V would fail to handle these requests.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8322
Title:
Windows Hyper-V Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:8322
CVE-2020-0890
Severity:
Medium
Description:
A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate specific malicious data from a user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application. The security update addresses the vulnerability by resolving the conditions where Hyper-V would fail to handle these requests.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8352
Title:
Windows Graphics Component Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8352
CVE-2020-1097
Severity:
Medium
Description:
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage. The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8354
Title:
Windows Graphics Component Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8354
CVE-2020-1091
Severity:
Medium
Description:
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage. The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8303
Title:
Windows Graphics Component Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8303
CVE-2020-0998
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8315
Title:
Windows GDI Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8315
CVE-2020-1256
Severity:
Medium
Description:
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8332
Title:
Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8332
CVE-2020-0912
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Function Discovery SSDP Provider improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Function Discovery SSDP Provider handles memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8295
Title:
Windows Function Discovery Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8295
CVE-2020-1491
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Function Discovery Service properly handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8327
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8327
CVE-2020-1159
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the StartTileData.dll handles file creation in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the StartTileData.dll properly handles this type of function.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8333
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8333
CVE-2020-1376
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that fdSSDP.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the ssdpsrv.dll properly handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8334
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8334
CVE-2020-1052
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the ssdpsrv.dll properly handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8302
Title:
Windows dnsrslvr.dll Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8302
CVE-2020-0839
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the dnsrslvr.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the dnsrslvr.dll properly handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8342
Title:
Windows DNS Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:8342
CVE-2020-1228
Severity:
Medium
Description:
A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive. To exploit the vulnerability, an authenticated attacker could send malicious DNS queries to a target, resulting in a denial of service. The update addresses the vulnerability by correcting how Windows DNS processes queries.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8359
Title:
Windows DNS Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:8359
CVE-2020-0836
Severity:
Medium
Description:
A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive. To exploit the vulnerability, an authenticated attacker could send malicious DNS queries to a target, resulting in a denial of service. The update addresses the vulnerability by correcting how Windows DNS processes queries.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8328
Title:
Windows DHCP Server Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8328
CVE-2020-1031
Severity:
Medium
Description:
An information disclosure vulnerability exists in the way that the Windows Server DHCP service improperly discloses the contents of its memory. To exploit the vulnerability, an unauthenticated attacker could send a specially crafted packet to an affected DHCP server. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. The security update addresses the vulnerability by correcting how DHCP servers initialize memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8312
Title:
Windows Defender Application Control Security Feature Bypass Vulnerability
Type:
Software
Bulletins:
CISEC:8312
CVE-2020-0951
Severity:
High
Description:
A security feature bypass vulnerability exists in Windows Defender Application Control (WDAC) which could allow an attacker to bypass WDAC enforcement. An attacker who successfully exploited this vulnerability could execute PowerShell commands that would be blocked by WDAC. To exploit the vulnerability, an attacker needs administrator access on a local machine where PowerShell is running. The attacker could then connect to a PowerShell session and send commands to execute arbitrary code. The update addresses the vulnerability by correcting how PowerShell commands are validated when WDAC protection is enabled.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8307
Title:
Windows Cryptographic Catalog Services Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8307
CVE-2020-0782
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Cryptographic Catalog Services improperly handle objects in memory. An attacker who successfully exploited this vulnerability could modify the cryptographic catalog. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by addressing how the Windows Cryptographic Catalog Services handle objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8296
Title:
Windows Common Log File System Driver Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8296
CVE-2020-1115
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how CLFS handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8357
Title:
Windows CloudExperienceHost Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8357
CVE-2020-1471
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Microsoft Windows CloudExperienceHost fails to check COM objects. An attacker who successfully exploited the vulnerability could gain elevated privileges on a targeted system. To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The security update addresses the vulnerability by checking COM objects.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8336
Title:
Windows Camera Codec Pack Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8336
CVE-2020-0997
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Camera Codec Pack improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of the Windows Camera Codec Pack. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. The security update addresses the vulnerability by correcting how the Windows Camera Codec Pack handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8299
Title:
Win32k Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8299
CVE-2020-0941
Severity:
Low
Description:
An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability, an attacker would have to either log on locally to an affected system, or convince a locally authenticated user to execute a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8316
Title:
Win32k Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8316
CVE-2020-1250
Severity:
Low
Description:
An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8291
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8291
CVE-2020-1245
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8348
Title:
TLS Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8348
CVE-2020-1596
Severity:
Low
Description:
An information disclosure vulnerability exists when TLS components use weak hash algorithms. An attacker who successfully exploited this vulnerability could obtain information to further compromise a user's encrypted transmission channel. To exploit the vulnerability, an attacker would have to conduct a man-in-the-middle attack. The update addresses the vulnerability by correcting how TLS components use hash algorithms.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8323
Title:
Shell infrastructure component Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8323
CVE-2020-0870
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Shell infrastructure component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting the way in which the Shell infrastructure component handles objects in memory and preventing unintended elevation from a lower integrity application.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8311
Title:
Projected Filesystem Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8311
CVE-2020-16879
Severity:
Low
Description:
An information disclosure vulnerability exists when a Windows Projected Filesystem improperly handles file redirections. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability. The security update addresses the vulnerability by correcting how Windows Projected Filesystem handles file redirections.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8300
Title:
NTFS Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8300
CVE-2020-0838
Severity:
High
Description:
An elevation of privilege vulnerability exists when NTFS improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how NTFS checks access.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8346
Title:
Microsoft Windows Codecs Library Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8346
CVE-2020-1319
Severity:
High
Description:
A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8356
Title:
Microsoft Windows Codecs Library Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8356
CVE-2020-1129
Severity:
Medium
Description:
A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8297
Title:
Microsoft Store Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8297
CVE-2020-1146
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Microsoft Store Runtime handles memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8358
Title:
Microsoft Store Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8358
CVE-2020-0766
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Microsoft Store Runtime handles memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8324
Title:
Microsoft splwow64 Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8324
CVE-2020-0875
Severity:
Medium
Description:
An information disclosure vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system (low-integrity to medium-integrity). This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. The security update addresses the vulnerability by ensuring splwow64.exe properly handles these calls.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8339
Title:
Microsoft splwow64 Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8339
CVE-2020-0790
Severity:
Medium
Description:
A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. The security update addresses the vulnerability by ensuring splwow64.exe properly handles these calls.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8313
Title:
Microsoft Graphics Component Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8313
CVE-2020-0921
Severity:
Low
Description:
An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting the way in which the Windows Graphics Component handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8338
Title:
Microsoft Graphics Component Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8338
CVE-2020-1083
Severity:
Low
Description:
An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting the way in which the Windows Graphics Component handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8305
Title:
Microsoft COM for Windows Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8305
CVE-2020-0922
Severity:
High
Description:
A remote code execution vulnerability exists in the way that Microsoft COM for Windows handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file or lure the target to a website hosting malicious JavaScript. The security update addresses the vulnerability by correcting how Microsoft COM for Windows handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8294
Title:
Microsoft COM for Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8294
CVE-2020-1507
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that Microsoft COM for Windows handles objects in memory. An attacker who successfully exploited the vulnerability could gain elevated privileges on a targeted system. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft COM for Windows handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8289
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8289
CVE-2020-1074
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8306
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8306
CVE-2020-1039
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8330
Title:
Group Policy Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8330
CVE-2020-1013
Severity:
High
Description:
An elevation of privilege vulnerability exists when Microsoft Windows processes group policy updates. An attacker who successfully exploited this vulnerability could potentially escalate permissions or perform additional privileged actions on the target machine. To exploit this vulnerability, an attacker would need to launch a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine. An attacker could then create a group policy to grant administrator rights to a standard user. The security update addresses the vulnerability by enforcing Kerberos authentication for certain calls over LDAP.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8355
Title:
GDI+ Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8355
CVE-2020-1285
Severity:
High
Description:
A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message. In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file. The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8343
Title:
DirectX Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8343
CVE-2020-1308
Severity:
High
Description:
An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8347
Title:
DirectX Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8347
CVE-2020-1053
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8351
Title:
Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8351
CVE-2020-1590
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges on the victim system. To exploit the vulnerability, an attacker would first have to gain execution on the victim system, then run a specially crafted application. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8331
Title:
ADFS Spoofing Vulnerability
Type:
Software
Bulletins:
CISEC:8331
CVE-2020-0837
Severity:
Medium
Description:
A spoofing vulnerability exists when Active Directory Federation Services (ADFS) improperly handles multi-factor authentication requests. To exploit this vulnerability, an attacker could send a specially crafted authentication request. An attacker who successfully exploited this vulnerability could bypass some, but not all, of the authentication factors. This security update corrects how ADFS handles multi-factor authentication requests.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8321
Title:
Active Directory Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8321
CVE-2020-0718
Severity:
Medium
Description:
A remote code execution vulnerability exists when Active Directory integrated DNS (ADIDNS) mishandles objects in memory. An authenticated attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. To exploit the vulnerability, an authenticated attacker could send malicious requests to an Active Directory integrated DNS (ADIDNS) server. The update addresses the vulnerability by correcting how Active Directory integrated DNS (ADIDNS) handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8337
Title:
Active Directory Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8337
CVE-2020-0761
Severity:
Medium
Description:
A remote code execution vulnerability exists when Active Directory integrated DNS (ADIDNS) mishandles objects in memory. An authenticated attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. To exploit the vulnerability, an authenticated attacker could send malicious requests to an Active Directory integrated DNS (ADIDNS) server. The update addresses the vulnerability by correcting how Active Directory integrated DNS (ADIDNS) handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8286
Title:
Active Directory Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8286
CVE-2020-0664
Severity:
Medium
Description:
An information disclosure vulnerability exists when Active Directory integrated DNS (ADIDNS) mishandles objects in memory. An authenticated attacker who successfully exploited this vulnerability would be able to read sensitive information about the target system. To exploit this condition, an authenticated attacker would need to send a specially crafted request to the AD|DNS service. Note that the information disclosure vulnerability by itself would not be sufficient for an attacker to compromise a system. However, an attacker could combine this vulnerability with additional vulnerabilities to further exploit the system. The update addresses the vulnerability by correcting how Active Directory integrated DNS (ADIDNS) handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8287
Title:
Active Directory Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8287
CVE-2020-0856
Severity:
Medium
Description:
An information disclosure vulnerability exists when Active Directory integrated DNS (ADIDNS) mishandles objects in memory. An authenticated attacker who successfully exploited this vulnerability would be able to read sensitive information about the target system. To exploit this condition, an authenticated attacker would need to send a specially crafted request to the AD|DNS service. Note that the information disclosure vulnerability by itself would not be sufficient for an attacker to compromise a system. However, an attacker could combine this vulnerability with additional vulnerabilities to further exploit the system. The update addresses the vulnerability by correcting how Active Directory integrated DNS (ADIDNS) handles objects in memory.
Applies to:
Created:
2020-10-09
Updated:
2024-01-17

ID:
CISEC:8248
Title:
Vulnerability in the MySQL Server component of Oracle MySQL
Type:
Software
Bulletins:
CISEC:8248
CVE-2012-5611
Severity:
Medium
Description:
Stack-based buffer overflow in the acl_get function in Oracle MySQL 5.5.19 and other versions through 5.5.28, and 5.1.53 and other versions through 5.1.66, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.
Applies to:
MariaDB
MySQL Server 5.1
MySQL Server 5.5
Created:
2020-09-18
Updated:
2024-01-17

ID:
CISEC:8262
Title:
Vulnerability in the MySQL Server component of Oracle MySQL
Type:
Software
Bulletins:
CISEC:8262
CVE-2012-5612
Severity:
Medium
Description:
Heap-based buffer overflow in Oracle MySQL 5.5.19 and other versions through 5.5.28, and MariaDB 5.5.28a and possibly other versions, allows remote authenticated users to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code, as demonstrated using certain variations of the (1) USE, (2) SHOW TABLES, (3) DESCRIBE, (4) SHOW FIELDS FROM, (5) SHOW COLUMNS FROM, (6) SHOW INDEX FROM, (7) CREATE TABLE, (8) DROP TABLE, (9) ALTER TABLE, (10) DELETE FROM, (11) UPDATE, and (12) SET PASSWORD commands.
Applies to:
MariaDB
MySQL Server 5.5
Created:
2020-09-18
Updated:
2024-01-17

ID:
CISEC:8284
Title:
Vulnerability in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB before 5.5.52, and 10.0.x before 10.0.28, and 10.1.x before 10.1.18
Type:
Software
Bulletins:
CISEC:8284
CVE-2016-6664
Severity:
Medium
Description:
mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB before 5.5.52, and 10.0.x before 10.0.28, and 10.1.x before 10.1.18, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.
Applies to:
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
mariadb
Created:
2020-09-18
Updated:
2024-01-17

ID:
CISEC:8260
Title:
Vulnerability in Oracle MySQL before 5.7.3 and MariaDB before 5.5.44
Type:
Software
Bulletins:
CISEC:8260
CVE-2015-3152
Severity:
Medium
Description:
Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.
Applies to:
MariaDB
MySQL
Created:
2020-09-18
Updated:
2024-01-17

ID:
CISEC:8267
Title:
Vulnerability in Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier
Type:
Software
Bulletins:
CISEC:8267
CVE-2012-5615
Severity:
Medium
Description:
Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generate different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
Created:
2020-09-18
Updated:
2024-01-17

ID:
CISEC:8279
Title:
Vulnerability in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6
Type:
Software
Bulletins:
CISEC:8279
CVE-2012-2122
Severity:
Medium
Description:
sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.
Applies to:
MariaDB
MySQL Server 5.1
MySQL Server 5.5
MySQL Server 5.6
Created:
2020-09-18
Updated:
2024-01-17

ID:
CISEC:8258
Title:
Vulnerability in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier
Type:
Software
Bulletins:
CISEC:8258
CVE-2013-1861
Severity:
Medium
Description:
MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 5.2.15, and 5.1.x before 5.1.68, and Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allow remote attackers to cause a denial of service (crash) via a crafted geometry feature that specifies a large number of points, which is not properly handled when processing the binary representation of this feature, related to a numeric calculation error.
Applies to:
MariaDB
MySQL Server 5.6
Created:
2020-09-18
Updated:
2024-01-17

ID:
CISEC:8265
Title:
Vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier, and MariaDB 5.5.28a and possibly other versions
Type:
Software
Bulletins:
CISEC:8265
CVE-2012-5614
Severity:
Medium
Description:
Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier, and MariaDB 5.5.28a and possibly other versions, allow remote authenticated users to cause a denial of service (mysqld crash) via a SELECT command with an UpdateXML command containing XML with a large number of unique, nested elements.
Applies to:
MariaDB
MySQL Server 5.1
MySQL Server 5.5
Created:
2020-09-18
Updated:
2024-01-17

ID:
CISEC:8257
Title:
Vulnerability in MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10
Type:
Software
Bulletins:
CISEC:8257
CVE-2016-2047
Severity:
Medium
Description:
The ssl_verify_server_cert function in sql-common/client.c in MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10, Oracle MySQL, and Percona Server does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "/CN=" string in a field in a certificate, as demonstrated by "/OU=/CN=bar.com/CN=foo.com."
Applies to:
MariaDB
Created:
2020-09-18
Updated:
2024-01-17

ID:
CISEC:8264
Title:
Vulnerability in MariaDB before 10.1.30 and 10.2.x before 10.2.10
Type:
Software
Bulletins:
CISEC:8264
CVE-2017-15365
Severity:
Medium
Description:
sql/event_data_objects.cc in MariaDB before 10.1.30 and 10.2.x before 10.2.10 and Percona XtraDB Cluster before 5.6.37-26.21-3 and 5.7.x before 5.7.19-29.22-3 allows remote authenticated users with SQL access to bypass intended access restrictions and replicate data definition language (DDL) statements to cluster nodes by leveraging incorrect ordering of DDL replication and ACL checking.
Applies to:
MariaDB
Created:
2020-09-18
Updated:
2024-01-17

ID:
CISEC:8285
Title:
Vulnerability in MariaDB 10.4.7 through 10.4.11
Type:
Software
Bulletins:
CISEC:8285
CVE-2020-7221
Severity:
High
Description:
mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege escalation from the mysql user account to root because chown and chmod are performed unsafely, as demonstrated by a symlink attack on a chmod 04755 of auth_pam_tool_dir/auth_pam_tool. NOTE: this does not affect the Oracle MySQL product, which implements mysql_install_db differently.
Applies to:
MariaDB
Created:
2020-09-18
Updated:
2024-01-17

ID:
CISEC:8276
Title:
Unspecified vulnerability in Oracle MySQL 5.6.29 and earlier and 5.7.11 and earlier and MariaDB 10.0.0 before 10.0.25 and 10.1.0 before 10.1.14
Type:
Software
Bulletins:
CISEC:8276
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.6.29 and earlier and 5.7.11 and earlier and MariaDB 10.0.0 before 10.0.25 and 10.1.0 before 10.1.14 allows local users to affect availability via vectors related to InnoDB.
Applies to:
MariaDB
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8263
Title:
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and MariaDB before 10.0.22 and 10.1.x before 10.1.9
Type:
Software
Bulletins:
CISEC:8263
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and MariaDB before 10.0.22 and 10.1.x before 10.1.9 allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
Applies to:
MariaDB
MySQL Server 5.6
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8256
Title:
Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier
Type:
Software
Bulletins:
CISEC:8256
CVE-2016-5617
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Error Handling.
Applies to:
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
mariadb
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8268
Title:
Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier
Type:
Software
Bulletins:
CISEC:8268
CVE-2016-5616
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: MyISAM.
Applies to:
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
mariadb
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8255
Title:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49 and 10.0.0 before 10.0.25 and 10.1.0 before 10.1.14
Type:
Software
Bulletins:
CISEC:8255
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49 and 10.0.0 before 10.0.25 and 10.1.0 before 10.1.14 allows local users to affect availability via vectors related to PS.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8271
Title:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49 and 10.0.0 before 10.0.25 and 10.1.0 before 10.1.14
Type:
Software
Bulletins:
CISEC:8271
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49 and 10.0.0 before 10.0.25 and 10.1.0 before 10.1.14 allows local users to affect confidentiality via vectors related to DML.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8275
Title:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49 and 10.0.0 before 10.0.25 and 10.1.0 before 10.1.14
Type:
Software
Bulletins:
CISEC:8275
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49 and 10.0.0 before 10.0.25 and 10.1.0 before 10.1.14 allows local users to affect availability via vectors related to FTS.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8246
Title:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12
Type:
Software
Bulletins:
CISEC:8246
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 allows local users to affect availability via vectors related to DDL.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8250
Title:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12
Type:
Software
Bulletins:
CISEC:8250
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 allows local users to affect confidentiality and availability via vectors related to MyISAM.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8254
Title:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12
Type:
Software
Bulletins:
CISEC:8254
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 allows local users to affect availability via vectors related to Replication.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8259
Title:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12
Type:
Software
Bulletins:
CISEC:8259
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 allows local users to affect availability via vectors related to PS.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8273
Title:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12
Type:
Software
Bulletins:
CISEC:8273
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 allows local users to affect integrity and availability via vectors related to DML.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8277
Title:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12
Type:
Software
Bulletins:
CISEC:8277
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48 and 10.0.0 before 10.0.24 and 10.1.0 before 10.1.12 allows local users to affect availability via vectors related to DML.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8249
Title:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10
Type:
Software
Bulletins:
CISEC:8249
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to UDF.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8251
Title:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10
Type:
Software
Bulletins:
CISEC:8251
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8252
Title:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10
Type:
Software
Bulletins:
CISEC:8252
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8261
Title:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10
Type:
Software
Bulletins:
CISEC:8261
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8269
Title:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10
Type:
Software
Bulletins:
CISEC:8269
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to privileges.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8274
Title:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10
Type:
Software
Bulletins:
CISEC:8274
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Options.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8278
Title:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10
Type:
Software
Bulletins:
CISEC:8278
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect integrity via unknown vectors related to encryption.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8280
Title:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10
Type:
Software
Bulletins:
CISEC:8280
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
MySQL Server 5.7
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8282
Title:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10
Type:
Software
Bulletins:
CISEC:8282
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Applies to:
MariaDB
MySQL Server 5.5
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8253
Title:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and 5.6.27 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10
Type:
Software
Bulletins:
CISEC:8253
Severity:
Low
Description:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and 5.6.27 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML.
Applies to:
MariaDB
MySQL Server 5.5
MySQL Server 5.6
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8247
Title:
Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14
Type:
Software
Bulletins:
CISEC:8247
CVE-2012-5627
Severity:
Medium
Description:
Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 do not modify the salt during multiple executions of the change_user command within the same connection, which makes it easier for remote authenticated users to conduct brute force password guessing attacks.
Applies to:
MariaDB
Created:
2020-09-18
Updated:
2024-01-17

ID:
CISEC:8283
Title:
Multiple SQL injection vulnerabilities in Oracle MySQL
Type:
Software
Bulletins:
CISEC:8283
CVE-2012-4414
Severity:
Medium
Description:
Multiple SQL injection vulnerabilities in the replication code in Oracle MySQL possibly before 5.5.29, and MariaDB 5.1.x through 5.1.62, 5.2.x through 5.2.12, 5.3.x through 5.3.7, and 5.5.x through 5.5.25, allow remote authenticated users to execute arbitrary SQL commands via vectors related to the binary log. NOTE: as of 20130116, Oracle has not commented on claims from a downstream vendor that the fix in MySQL 5.5.29 is incomplete.
Applies to:
MariaDB
MySQL Server 5.1
MySQL Server 5.5
Created:
2020-09-18
Updated:
2024-01-17

ID:
CISEC:8270
Title:
Buffer overflow in Oracle MySQL and MariaDB before 5.5.35
Type:
Software
Bulletins:
CISEC:8270
Severity:
Low
Description:
Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.
Applies to:
MariaDB
Created:
2020-09-18
Updated:
2020-09-18

ID:
CISEC:8123
Title:
Windows Work Folders Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8123
CVE-2020-1516
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Work Folders Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Work Folders Service handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8143
Title:
Windows Work Folders Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8143
CVE-2020-1470
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Work Folders Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Work Folders Service handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8171
Title:
Windows Work Folders Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8171
CVE-2020-1484
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Work Folders Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Work Folders Service handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8133
Title:
Windows Work Folder Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8133
CVE-2020-1552
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8166
Title:
Windows WalletService Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8166
CVE-2020-1533
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows WalletService properly handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8167
Title:
Windows WalletService Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8167
CVE-2020-1556
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows WalletService properly handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8155
Title:
Windows WaasMedic Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8155
CVE-2020-1548
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows WaasMedic Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to improperly disclose memory. The security update addresses the vulnerability by correcting how the Windows WaasMedic Service handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8161
Title:
Windows UPnP Device Host Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8161
CVE-2020-1519
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows UPnP Device Host improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows UPnP Device Host handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8168
Title:
Windows UPnP Device Host Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8168
CVE-2020-1538
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows UPnP Device Host improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows UPnP Device Host handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8163
Title:
Windows Telephony Server Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8163
CVE-2020-1515
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Telephony Server improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Telephony Server handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8165
Title:
Windows Storage Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8165
CVE-2020-1490
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Storage Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges on the victim system. To exploit the vulnerability, an attacker would first have to gain execution on the victim system, then run a specially crafted application. The security update addresses the vulnerability by correcting how the Storage Services handles file operations.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8100
Title:
Windows State Repository Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8100
CVE-2020-1512
Severity:
Medium
Description:
An information disclosure vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8147
Title:
Windows Spoofing Vulnerability
Type:
Software
Bulletins:
CISEC:8147
CVE-2020-1464
Severity:
Low
Description:
A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files. In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded. The update addresses the vulnerability by correcting how Windows validates file signatures.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8119
Title:
Windows Speech Shell Components Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8119
CVE-2020-1524
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Speech Shell Components improperly handle memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Speech Shell Components handle memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8095
Title:
Windows Speech Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8095
CVE-2020-1521
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Speech Runtime improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Speech Runtime handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8134
Title:
Windows Speech Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8134
CVE-2020-1522
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Speech Runtime improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Speech Runtime handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8141
Title:
Windows Server Resource Management Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8141
CVE-2020-1475
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the srmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the srmsvc.dll properly handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8160
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8160
CVE-2020-1553
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8136
Title:
Windows RRAS Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8136
CVE-2020-1383
Severity:
Low
Description:
An information disclosure vulnerability exists in RPC if the server has Routing and Remote Access enabled. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would need to run a specially crafted application against an RPC server which has Routing and Remote Access enabled. Routing and Remote Access is a non-default configuration; systems without it enabled are not vulnerable. The security update addresses the vulnerability by correcting how the Routing and Remote Access service handles requests.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8137
Title:
Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:8137
CVE-2020-1466
Severity:
Medium
Description:
A denial of service vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RD Gateway service on the target system to stop responding. To exploit this vulnerability, an attacker would need to run a specially crafted application against a server which provides RD Gateway services. The update addresses the vulnerability by correcting how RD Gateway handles connection requests.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8117
Title:
Windows Remote Access Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8117
CVE-2020-1537
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Remote Access improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Remote Access properly handles file operations.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8125
Title:
Windows Remote Access Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8125
CVE-2020-1530
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Windows Remote Access improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how Windows Remote Access handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8108
Title:
Windows Registry Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8108
CVE-2020-1377
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Kernel API improperly handles registry objects in memory. An attacker who successfully exploited the vulnerability could gain elevated privileges on a targeted system. A locally authenticated attacker could exploit this vulnerability by running a specially crafted application. The security update addresses the vulnerability by helping to ensure that the Windows Kernel API properly handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8142
Title:
Windows Registry Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8142
CVE-2020-1378
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Kernel API improperly handles registry objects in memory. An attacker who successfully exploited the vulnerability could gain elevated privileges on a targeted system. A locally authenticated attacker could exploit this vulnerability by running a specially crafted application. The security update addresses the vulnerability by helping to ensure that the Windows Kernel API properly handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8132
Title:
Windows Radio Manager API Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8132
CVE-2020-1528
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Radio Manager API improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Radio Manager API handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8130
Title:
Windows Print Spooler Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8130
CVE-2020-1337
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows Print Spooler Component writes to the file system.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8102
Title:
Windows Network Connection Broker Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8102
CVE-2020-1526
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Network Connection Broker improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Network Connection Broker handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8154
Title:
Windows Media Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8154
CVE-2020-1339
Severity:
High
Description:
A remote code execution vulnerability exists when Windows Media Audio Codec improperly handles objects. An attacker who successfully exploited the vulnerability could take control of an affected system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Audio Codec handles objects.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8099
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8099
CVE-2020-1578
Severity:
Low
Description:
An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows kernel handles memory addresses.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8101
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8101
CVE-2020-1417
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8145
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8145
CVE-2020-1486
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8175
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8175
CVE-2020-1566
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8104
Title:
Windows Image Acquisition Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8104
CVE-2020-1485
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows Image Acquisition (WIA) Service improperly discloses contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability, an authenticated attacker could connect an imaging device (camera, scanner, cellular phone) to an affected system and run a specially crafted application to disclose information. The security update addresses the vulnerability by correcting how the WIA Service handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8109
Title:
Windows Image Acquisition Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8109
CVE-2020-1474
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows Image Acquisition (WIA) Service improperly discloses contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability, an authenticated attacker could connect an imaging device (camera, scanner, cellular phone) to an affected system and run a specially crafted application to disclose information. The security update addresses the vulnerability by correcting how the WIA Service handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8094
Title:
Windows Hard Link Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8094
CVE-2020-1467
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows handles hard links.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8111
Title:
Windows GDI Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8111
CVE-2020-1480
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how GDI handles objects in memory and by preventing instances of unintended user-mode privilege elevation.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8146
Title:
Windows GDI Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8146
CVE-2020-1529
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how GDI handles objects in memory and by preventing instances of unintended user-mode privilege elevation.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8162
Title:
Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8162
CVE-2020-1579
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Function Discovery SSDP Provider improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Function Discovery SSDP Provider handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8170
Title:
Windows Font Driver Host Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8170
CVE-2020-1520
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Font Driver Host improperly handles memory. An attacker who successfully exploited the vulnerability would gain execution on a victim system. The security update addresses the vulnerability by correcting how the Windows Font Driver Host handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8105
Title:
Windows File Server Resource Management Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8105
CVE-2020-1518
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows File Server Resource Management Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows File Server Resource Management Service handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8116
Title:
Windows File Server Resource Management Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8116
CVE-2020-1517
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows File Server Resource Management Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows File Server Resource Management Service handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8126
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8126
CVE-2020-1565
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the "Public Account Pictures" folder improperly handles junctions. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how Windows handles junctions.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8097
Title:
Windows dnsrslvr.dll Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8097
CVE-2020-1584
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way that the dnsrslvr.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the dnsrslvr.dll properly handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8153
Title:
Windows Custom Protocol Engine Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8153
CVE-2020-1527
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Custom Protocol Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Custom Protocol Engine handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8113
Title:
Windows CSC Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8113
CVE-2020-1513
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows CSC Service handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8120
Title:
Windows CSC Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8120
CVE-2020-1489
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows CSC Service handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8144
Title:
Windows CDP User Components Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8144
CVE-2020-1549
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows CDP User Components improperly handle memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows CDP User Components handle memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8150
Title:
Windows CDP User Components Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8150
CVE-2020-1550
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows CDP User Components improperly handle memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows CDP User Components handle memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8149
Title:
Windows Backup Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8149
CVE-2020-1534
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8093
Title:
Windows Backup Engine Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8093
CVE-2020-1543
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8098
Title:
Windows Backup Engine Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8098
CVE-2020-1535
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8115
Title:
Windows Backup Engine Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8115
CVE-2020-1546
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8122
Title:
Windows Backup Engine Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8122
CVE-2020-1536
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8135
Title:
Windows Backup Engine Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8135
CVE-2020-1545
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8139
Title:
Windows Backup Engine Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8139
CVE-2020-1540
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8140
Title:
Windows Backup Engine Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8140
CVE-2020-1541
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8148
Title:
Windows Backup Engine Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8148
CVE-2020-1544
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8151
Title:
Windows Backup Engine Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8151
CVE-2020-1551
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8152
Title:
Windows Backup Engine Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8152
CVE-2020-1542
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8169
Title:
Windows Backup Engine Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8169
CVE-2020-1547
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8173
Title:
Windows Backup Engine Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8173
CVE-2020-1539
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Engine handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8157
Title:
Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8157
CVE-2020-1488
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows AppX Deployment Extensions improperly performs privilege management, resulting in access to system files. To exploit this vulnerability, an authenticated attacker would need to run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how AppX Deployment Extensions manages privileges.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8138
Title:
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8138
CVE-2020-1587
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Ancillary Function Driver for WinSock improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Ancillary Function Driver for WinSock handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8159
Title:
Windows Accounts Control Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8159
CVE-2020-1531
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Accounts Control improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Accounts Control handles memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8103
Title:
Win32k Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8103
CVE-2020-1510
Severity:
Medium
Description:
An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8206
Title:
Vulnerability in PostgreSQL before 12.2, before 11.7, before 10.12 and before 9.6.17.
Type:
Software
Bulletins:
CISEC:8206
CVE-2020-1720
Severity:
Low
Description:
A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to drop objects such as functions and triggers, among others, leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8216
Title:
Vulnerability insufficiently random numbers
Type:
Software
Bulletins:
CISEC:8216
CVE-2013-1900
Severity:
High
Description:
PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the "contrib/pgcrypto functions."
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8185
Title:
Vulnerability in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5
Type:
Software
Bulletins:
CISEC:8185
CVE-2012-3489
Severity:
Medium
Description:
The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8227
Title:
Vulnerability in PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24
Type:
Software
Bulletins:
CISEC:8227
Severity:
Low
Description:
A vulnerability was found in libpq, the default PostgreSQL client library, where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2020-09-11

ID:
CISEC:8211
Title:
Vulnerability in PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24
Type:
Software
Bulletins:
CISEC:8211
Severity:
Low
Description:
It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes of server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2020-09-11

ID:
CISEC:8218
Title:
Vulnerability in PostgreSQL before 9.5.x before 9.5.2
Type:
Software
Bulletins:
CISEC:8218
CVE-2016-3065
Severity:
High
Description:
The (1) brin_page_type and (2) brin_metapage_info functions in the pageinspect extension in PostgreSQL before 9.5.x before 9.5.2 allow attackers to bypass intended access restrictions and consequently obtain sensitive server memory information or cause a denial of service (server crash) via a crafted bytea value in a BRIN index page.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8240
Title:
Vulnerability in PostgreSQL before 9.5.x before 9.5.2
Type:
Software
Bulletins:
CISEC:8240
CVE-2016-2193
Severity:
Medium
Description:
PostgreSQL before 9.5.x before 9.5.2 does not properly maintain row-security status in cached plans, which might allow attackers to bypass intended access restrictions by leveraging a session that performs queries as more than one role.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8242
Title:
Vulnerability in PostgreSQL before 9.3.15, 9.4.x before 9.4.10, and 9.5.x before 9.5.5
Type:
Software
Bulletins:
CISEC:8242
CVE-2016-7048
Severity:
High
Description:
The interactive installer in PostgreSQL before 9.3.15, 9.4.x before 9.4.10, and 9.5.x before 9.5.5 might allow remote attackers to execute arbitrary code by leveraging use of HTTP to download software.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8225
Title:
Vulnerability in PostgreSQL before 9.2.22, 9.3.x before 9.3.18, 9.4.x before 9.4.13, 9.5.x before 9.5.8, and 9.6.x before 9.6.4
Type:
Software
Bulletins:
CISEC:8225
CVE-2017-7548
Severity:
Medium
Description:
PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to an authorization flaw allowing remote authenticated attackers with no privileges on a large object to overwrite the entire contents of the object, resulting in a denial of service.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8219
Title:
Vulnerability in PostgreSQL before 9.2.22, 9.3.x before 9.3.18, 9.4.x before 9.4.13, 9.5.x before 9.5.8, and 9.6.x before 9.6.4
Type:
Software
Bulletins:
CISEC:8219
CVE-2017-7546
Severity:
High
Description:
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to an incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8202
Title:
Vulnerability in PostgreSQL before 9.2.22, 9.3.x before 9.3.18, 9.4.x before 9.4.13, 9.5.x before 9.5.8, and 9.6.x before 9.6.4
Type:
Software
Bulletins:
CISEC:8202
CVE-2017-7547
Severity:
Medium
Description:
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to an authorization flaw allowing remote authenticated attackers to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8224
Title:
Vulnerability in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3
Type:
Software
Bulletins:
CISEC:8224
CVE-2017-7486
Severity:
Medium
Description:
PostgreSQL versions 8.4 - 9.6 are vulnerable to an information leak in the pg_user_mappings view, which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8236
Title:
Vulnerability in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3
Type:
Software
Bulletins:
CISEC:8236
CVE-2017-7485
Severity:
Medium
Description:
In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing an SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8190
Title:
Vulnerability in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3
Type:
Software
Bulletins:
CISEC:8190
CVE-2017-7484
Severity:
Medium
Description:
It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8222
Title:
Vulnerability in PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4
Type:
Software
Bulletins:
CISEC:8222
CVE-2016-5423
Severity:
Medium
Description:
PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8207
Title:
Vulnerability in PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4
Type:
Software
Bulletins:
CISEC:8207
CVE-2016-5424
Severity:
Medium
Description:
PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8234
Title:
Vulnerability in PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1
Type:
Software
Bulletins:
CISEC:8234
CVE-2016-0766
Severity:
High
Description:
PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 does not properly restrict access to unspecified custom configuration settings (GUCS) for PL/Java, which allows attackers to gain privileges via unspecified vectors.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8210
Title:
Vulnerability in PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1
Type:
Software
Bulletins:
CISEC:8210
CVE-2016-0773
Severity:
Medium
Description:
PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 allows remote attackers to cause a denial of service (infinite loop or buffer overflow and crash) via a large Unicode character range in a regular expression.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8208
Title:
Vulnerability in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5
Type:
Software
Bulletins:
CISEC:8208
CVE-2015-5288
Severity:
Medium
Description:
The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5 allows attackers to cause a denial of service (server crash) or read arbitrary server memory via a "too-short" salt.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8179
Title:
Vulnerability in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3
Type:
Software
Bulletins:
CISEC:8179
CVE-2014-0060
Severity:
Medium
Description:
PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8180
Title:
Vulnerability in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3
Type:
Software
Bulletins:
CISEC:8180
CVE-2014-0066
Severity:
Medium
Description:
The chkpass extension in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly check the return value of the crypt library function, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8237
Title:
Vulnerability in PostgreSQL before 11.1, 10.6
Type:
Software
Bulletins:
CISEC:8237
Severity:
Low
Description:
PostgreSQL before versions 11.1, 10.6 is vulnerable to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... REFERENCING. Using a purpose-crafted trigger definition, an attacker can cause arbitrary SQL statements to run, with superuser privileges.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2020-09-11

ID:
CISEC:8193
Title:
Vulnerability in PostgreSQL 9.3.x before 9.3.22, 9.4.x before 9.4.17, 9.5.x before 9.5.12, 9.6.x before 9.6.8 and 10.x before 10.3
Type:
Software
Bulletins:
CISEC:8193
CVE-2018-1058
Severity:
Medium
Description:
A flaw was found in the way PostgreSQL allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database. Versions 9.3 through 10 are affected.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8198
Title:
Vulnerability in PostgreSQL 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2
Type:
Software
Bulletins:
CISEC:8198
CVE-2018-1053
Severity:
Low
Description:
In PostgreSQL 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates a file in the current working directory containing the output of `pg_dumpall -g` under the umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8199
Title:
Vulnerability in PostgreSQL 9.3.3 and earlier
Type:
Software
Bulletins:
CISEC:8199
CVE-2014-0067
Severity:
Medium
Description:
The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authentication requirements for a database cluster to be used for the tests, which allows local users to gain privileges by leveraging access to this cluster.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8197
Title:
Vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23
Type:
Software
Bulletins:
CISEC:8197
CVE-2013-1903
Severity:
High
Description:
PostgreSQL, possibly 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 incorrectly provides the superuser password to scripts related to "graphical installers for Linux and Mac OS X," which has unspecified impact and attack vectors.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8177
Title:
Vulnerability in PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9
Type:
Software
Bulletins:
CISEC:8177
CVE-2013-1901
Severity:
Medium
Description:
PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8200
Title:
Vulnerability in PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23
Type:
Software
Bulletins:
CISEC:8200
CVE-2013-0255
Severity:
Medium
Description:
PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticated users to cause a denial of service (server crash) or read sensitive process memory via a crafted SQL command, which triggers an array index error and an out-of-bounds read.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8205
Title:
Vulnerability in PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3
Type:
Software
Bulletins:
CISEC:8205
CVE-2012-0867
Severity:
Medium
Description:
PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof connections when the host name is exactly 32 characters.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8183
Title:
Vulnerability in PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4
Type:
Software
Bulletins:
CISEC:8183
CVE-2012-2655
Severity:
Medium
Description:
PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4 allows remote authenticated users to cause a denial of service (server crash) by adding the (1) SECURITY DEFINER or (2) SET attributes to a procedural language's call handler.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8232
Title:
Vulnerability in PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2
Type:
Software
Bulletins:
CISEC:8232
CVE-2009-4034
Severity:
Medium
Description:
PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based PostgreSQL servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended client-hostname restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8184
Title:
Vulnerability in PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2
Type:
Software
Bulletins:
CISEC:8184
CVE-2009-4136
Severity:
Medium
Description:
PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly manage session-local state during execution of an index function by a database superuser, which allows remote authenticated users to gain privileges via a table with crafted index functions, as demonstrated by functions that modify (1) search_path or (2) a prepared statement, a related issue to CVE-2007-6600 and CVE-2009-3230.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8189
Title:
Vulnerability in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4
Type:
Software
Bulletins:
CISEC:8189
CVE-2010-1975
Severity:
Medium
Description:
PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not properly check privileges during certain RESET ALL operations, which allows remote authenticated users to remove arbitrary parameter settings via a (1) ALTER USER or (2) ALTER DATABASE statement.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8220
Title:
Vulnerability in PostgreSQL 11.x prior to 11.3
Type:
Software
Bulletins:
CISEC:8220
CVE-2019-10129
Severity:
Medium
Description:
A vulnerability was found in PostgreSQL versions 11.x prior to 11.3. Using a purpose-crafted insert to a partitioned table, an attacker can read arbitrary bytes of server memory. In the default configuration, any user can create a partitioned table suitable for this attack. (Exploit prerequisites are the same as for CVE-2018-1052).
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8192
Title:
Vulnerability in PostgreSQL 11.x before 11.5, 10.x before 10.10, 9.6.x before 9.6.15, 9.5.x before 9.5.19, 9.4.x before 9.4.24
Type:
Software
Bulletins:
CISEC:8192
CVE-2019-10208
Severity:
Medium
Description:
A flaw was discovered in PostgreSQL where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8212
Title:
Vulnerability in PostgreSQL 11.x before 11.5
Type:
Software
Bulletins:
CISEC:8212
CVE-2019-10209
Severity:
Low
Description:
PostgreSQL, versions 11.x before 11.5, is vulnerable to a memory disclosure in cross-type comparison for hashed subplan.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8196
Title:
Vulnerability in PostgreSQL 11.x before 11.3, 10.x before 10.8, 9.6.x before 9.6.13, 9.5.x before 9.5.17
Type:
Software
Bulletins:
CISEC:8196
CVE-2019-10130
Severity:
Medium
Description:
A vulnerability was found in PostgreSQL versions 11.x before 11.3, 10.x before 10.8, 9.6.x before 9.6.13, and 9.5.x before 9.5.17. PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of certain columns. Affected columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-level security prunes the set of rows visible to the attacker.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8181
Title:
Vulnerability in PostgreSQL 10.x before 10.4, 9.6.x before 9.6.9
Type:
Software
Bulletins:
CISEC:8181
CVE-2018-1115
Severity:
Medium
Description:
PostgreSQL before versions 10.4 and 9.6.9 is vulnerable in the adminpack extension: the pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs as pg_rotate_logfile. If adminpack is added to a database, an attacker able to connect to it could exploit this to force log rotation.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8187
Title:
Vulnerability in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10
Type:
Software
Bulletins:
CISEC:8187
CVE-2017-15099
Severity:
Medium
Description:
INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8204
Title:
Vulnerability in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20
Type:
Software
Bulletins:
CISEC:8204
CVE-2017-15098
Severity:
Medium
Description:
Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8223
Title:
Vulnerability in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24
Type:
Software
Bulletins:
CISEC:8223
CVE-2017-12172
Severity:
High
Description:
PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. PostgreSQL provides a script for starting the database server during system boot. Packages of PostgreSQL for many operating systems provide their own, packager-authored startup implementations. Several implementations use a log file name that the database superuser can replace with a symbolic link. As root, they open(), chmod() and/or chown() this log file name. This often suffices for the database superuser to escalate to root privileges when root starts the server.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8221
Title:
Vulnerability in PostgreSQL
Type:
Software
Bulletins:
CISEC:8221
CVE-2010-1169
Severity:
High
Description:
PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedures, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Perl code via a crafted script, related to the Safe module (aka Safe.pm) for Perl. NOTE: some sources report that this issue is the same as CVE-2010-1447.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8229
Title:
Vulnerability in PostgreSQL
Type:
Software
Bulletins:
CISEC:8229
CVE-2014-0061
Severity:
Medium
Description:
The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8186
Title:
Vulnerability in PostgreSQL
Type:
Software
Bulletins:
CISEC:8186
CVE-2010-1170
Severity:
Medium
Description:
The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 loads Tcl code from the pltcl_modules table regardless of the table's ownership and permissions, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Tcl code by creating this table and inserting a crafted Tcl script.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8194
Title:
Vulnerability in PostgreSQL
Type:
Software
Bulletins:
CISEC:8194
CVE-2010-1447
Severity:
High
Description:
The Safe (aka Safe.pm) module 2.26, and certain earlier versions, for Perl, as used in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2, allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving subroutine references and delayed execution.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8195
Title:
Vulnerability in PostgreSQL
Type:
Software
Bulletins:
CISEC:8195
CVE-2013-1902
Severity:
High
Description:
PostgreSQL, 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 generates insecure temporary files with predictable filenames, which has unspecified impact and attack vectors related to "graphical installers for Linux and Mac OS X."
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8203
Title:
Vulnerability in PHP through 5.3.13, PostgreSQL 8.4 before 8.4.12, PostgreSQL 9.0 before 9.0.8, PostgreSQL 9.1 before 9.1.4
Type:
Software
Bulletins:
CISEC:8203
CVE-2012-2143
Severity:
Medium
Description:
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.
Applies to:
PHP
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8213
Title:
Vulnerability in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5
Type:
Software
Bulletins:
CISEC:8213
CVE-2012-3488
Severity:
Medium
Description:
The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8182
Title:
Unanticipated errors from the standard library in PostgreSQL
Type:
Software
Bulletins:
CISEC:8182
Severity:
Low
Description:
Unanticipated errors from the standard library in PostgreSQL before 9.4.2, 9.3.7, 9.2.11, 9.1.16, and 9.0.20.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2020-09-11

ID:
CISEC:8226
Title:
Race condition INDEX and
Type:
Software
Bulletins:
CISEC:8226
CVE-2014-0062
Severity:
Medium
Description:
Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating or deleting a table with the same name during the timing window.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8201
Title:
pgcrypto has multiple error messages for decryption with an incorrect key in PostgreSQL
Type:
Software
Bulletins:
CISEC:8201
Severity:
Low
Description:
pgcrypto has multiple error messages for decryption with an incorrect key in PostgreSQL before 9.4.2, 9.3.7, 9.2.11, 9.1.16, and 9.0.20.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2020-09-11

ID:
CISEC:8114
Title:
Netlogon Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8114
CVE-2020-1472
Severity:
High
Description:
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472. When the second phase of Windows updates becomes available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8176
Title:
Multiple stack-based buffer overflows in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5
Type:
Software
Bulletins:
CISEC:8176
CVE-2015-5289
Severity:
Medium
Description:
Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of service (server crash) via unspecified vectors, which are not properly handled in (1) json or (2) jsonb values.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8188
Title:
Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3
Type:
Software
Bulletins:
CISEC:8188
CVE-2014-0063
Severity:
Medium
Description:
Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8191
Title:
Multiple integer overflows in PostgreSQL 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3
Type:
Software
Bulletins:
CISEC:8191
CVE-2014-2669
Severity:
Medium
Description:
Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact via vectors related to the (1) hstore_recv, (2) hstore_from_arrays, and (3) hstore_from_array functions in contrib/hstore/hstore_io.c; and the (4) hstoreArrayToPairs function in contrib/hstore/hstore_op.c, which triggers a buffer overflow. NOTE: this issue was SPLIT from CVE-2014-0064 because it has a different set of affected versions.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8245
Title:
Multiple integer overflows in PostgreSQL
Type:
Software
Bulletins:
CISEC:8245
CVE-2014-0064
Severity:
Medium
Description:
Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, which trigger a buffer overflow. NOTE: this identifier has been SPLIT due to different affected versions; use CVE-2014-2669 for the hstore vector.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8241
Title:
Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3
Type:
Software
Bulletins:
CISEC:8241
CVE-2014-0065
Severity:
Medium
Description:
Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, a different vulnerability than CVE-2014-0063.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8106
Title:
Microsoft Graphics Components Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8106
CVE-2020-1562
Severity:
High
Description:
A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8110
Title:
Microsoft Graphics Components Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8110
CVE-2020-1561
Severity:
High
Description:
A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8244
Title:
Memory errors in the pgcrypto extension in PostgreSQL
Type:
Software
Bulletins:
CISEC:8244
Severity:
Low
Description:
Memory errors in functions in the pgcrypto extension in PostgreSQL before 9.4.1, 9.3.6, 9.2.10, 9.1.15 and 9.0.19.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2020-09-11

ID:
CISEC:8178
Title:
Memory disclosure vulnerability in PostgreSQL 10.x before 10.2
Type:
Software
Bulletins:
CISEC:8178
CVE-2018-1052
Severity:
Medium
Description:
A memory disclosure vulnerability in table partitioning was found in PostgreSQL 10.x before 10.2, allowing an authenticated attacker to read arbitrary bytes of server memory via a purpose-crafted insert to a partitioned table.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8096
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:8096
CVE-2020-1477
Severity:
Medium
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8129
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:8129
CVE-2020-1492
Severity:
Medium
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8131
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:8131
CVE-2020-1478
Severity:
Medium
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8156
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:8156
CVE-2020-1554
Severity:
Medium
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8158
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:8158
CVE-2020-1525
Severity:
Medium
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8174
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:8174
CVE-2020-1379
Severity:
Medium
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8112
Title:
Media Foundation Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8112
CVE-2020-1487
Severity:
Medium
Description:
An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log onto an affected system and open a specially crafted file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8172
Title:
Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8172
CVE-2020-1509
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the Local Security Authority Subsystem Service (LSASS) when an authenticated attacker sends a specially crafted authentication request. A remote attacker who successfully exploited this vulnerability could cause an elevation of privilege on the target system's LSASS service. The security update addresses the vulnerability by changing the way that LSASS handles specially crafted authentication requests.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8118
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8118
CVE-2020-1564
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8121
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8121
CVE-2020-1558
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8127
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8127
CVE-2020-1473
Severity:
Medium
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8128
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8128
CVE-2020-1557
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8215
Title:
Integer overflow in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2
Type:
Software
Bulletins:
CISEC:8215
CVE-2010-0733
Severity:
Low
Description:
Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2, allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with many LEFT JOIN clauses, related to certain hashtable size calculations.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8243
Title:
EnterpriseDB Windows installer bundled OpenSSL executes code from unprotected directory
Type:
Software
Bulletins:
CISEC:8243
CVE-2019-10211
Severity:
High
Description:
When the database server or libpq client library initializes SSL, libeay32.dll attempts to read configuration from a hard-coded directory. Typically, the directory does not exist, but any local user could create it and inject configuration. This configuration can direct OpenSSL to load and execute arbitrary code as the user running a PostgreSQL server or client. Most PostgreSQL client tools and libraries use libpq, and one can encounter this vulnerability by using any of them.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8235
Title:
Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2
Type:
Software
Bulletins:
CISEC:8235
CVE-2015-3165
Severity:
Medium
Description:
Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8164
Title:
DirectX Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8164
CVE-2020-1479
Severity:
High
Description:
An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8107
Title:
DirectWrite Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8107
CVE-2020-1577
Severity:
Medium
Description:
An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8217
Title:
CRLF injection vulnerability in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3
Type:
Software
Bulletins:
CISEC:8217
CVE-2012-0868
Severity:
Medium
Description:
CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are inserted into an SQL script that is used when the database is restored.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8228
Title:
CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3
Type:
Software
Bulletins:
CISEC:8228
CVE-2012-0866
Severity:
Medium
Description:
CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 does not properly check the execute permission for trigger functions marked SECURITY DEFINER, which allows remote authenticated users to execute otherwise restricted triggers on arbitrary data by installing the trigger on an attacker-owned table.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8238
Title:
Constraint violation errors in PostgreSQL
Type:
Software
Bulletins:
CISEC:8238
Severity:
Low
Description:
Constraint violation errors can cause display of values in columns which the user would not normally have rights to see in PostgreSQL before 9.4.1, 9.3.6, 9.2.10, 9.1.15 and 9.0.19.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2020-09-11

ID:
CISEC:8124
Title:
Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8124
CVE-2020-1511
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations.
Applies to:
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8209
Title:
Buffer overruns in PostgreSQL
Type:
Software
Bulletins:
CISEC:8209
Severity:
Low
Description:
Buffer overruns in "to_char" functions in PostgreSQL before 9.4.1, 9.3.6, 9.2.10, 9.1.15 and 9.0.19.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2020-09-11

ID:
CISEC:8239
Title:
Buffer overrun in PostgreSQL
Type:
Software
Bulletins:
CISEC:8239
Severity:
Low
Description:
Buffer overrun in replacement printf family of functions in PostgreSQL before 9.4.1, 9.3.6, 9.2.10, 9.1.15 and 9.0.19.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2020-09-11

ID:
CISEC:8230
Title:
Buffer overflow in the intarray array module in PostgreSQL 9.0.x before 9.0.3, 8.4.x before 8.4.7, 8.3.x before 8.3.14, and 8.2.x before 8.2.20
Type:
Software
Bulletins:
CISEC:8230
CVE-2010-4015
Severity:
Medium
Description:
Buffer overflow in the gettoken function in contrib/intarray/_int_bool.c in the intarray array module in PostgreSQL 9.0.x before 9.0.3, 8.4.x before 8.4.7, 8.3.x before 8.3.14, and 8.2.x before 8.2.20 allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via integers with a large number of digits to unspecified functions.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8214
Title:
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13
Type:
Software
Bulletins:
CISEC:8214
CVE-2013-1899
Severity:
Medium
Description:
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen).
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8231
Title:
Arbitrary code execution vulnerability in PostgreSQL 9.3 through 11.2
Type:
Software
Bulletins:
CISEC:8231
CVE-2019-9193
Severity:
High
Description:
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_read_server_files' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2024-01-17

ID:
CISEC:8233
Title:
An error in PostgreSQL
Type:
Software
Bulletins:
CISEC:8233
Severity:
Low
Description:
An error in extended protocol message reading in PostgreSQL before 9.4.1, 9.3.6, 9.2.10, 9.1.15 and 9.0.19.
Applies to:
PostgreSQL
Created:
2020-09-11
Updated:
2020-09-11

ID:
CISEC:8065
Title:
Vulnerability in JetBrains Hub versions earlier than 2019.1.11738
Type:
Software
Bulletins:
CISEC:8065
CVE-2019-18360
Severity:
Medium
Description:
In JetBrains Hub versions earlier than 2019.1.11738, username enumeration was possible through password recovery.
Applies to:
JetBrains Hub
Created:
2020-08-21
Updated:
2024-01-17

ID:
CISEC:8064
Title:
Vulnerability in JetBrains Hub before 2020.1.12099
Type:
Software
Bulletins:
CISEC:8064
CVE-2020-11691
Severity:
Medium
Description:
In JetBrains Hub before 2020.1.12099, content spoofing in the Hub OAuth error message was possible.
Applies to:
JetBrains Hub
Created:
2020-08-21
Updated:
2024-01-17

ID:
CISEC:8062
Title:
Vulnerability in JetBrains Hub before 2018.4.11436
Type:
Software
Bulletins:
CISEC:8062
CVE-2019-14955
Severity:
Medium
Description:
In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password and no password expiration policy was implemented.
Applies to:
JetBrains Hub
Created:
2020-08-21
Updated:
2024-01-17

ID:
CISEC:8066
Title:
Vulnerability in JetBrains Hub before 2018.4.11298
Type:
Software
Bulletins:
CISEC:8066
CVE-2019-12847
Severity:
Medium
Description:
In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user. It is only relevant in cases where a password has not changed since 2017, and if the audit log still contains events from before that period.
Applies to:
JetBrains Hub
Created:
2020-08-21
Updated:
2024-01-17

ID:
CISEC:8061
Title:
Vulnerability in Bitdefender Total Security 21.0.24.62
Type:
Software
Bulletins:
CISEC:8061
CVE-2017-10950
Severity:
Medium
Description:
This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of Bitdefender Total Security 21.0.24.62. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within processing of the 0x8000E038 IOCTL in the bdfwfpf driver. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker could leverage this vulnerability to execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-4776.
Applies to:
Bitdefender Total Security
Created:
2020-08-21
Updated:
2024-01-17

ID:
CISEC:8058
Title:
Vulnerability in Bitdefender Total Security 2020 prior to 24.9
Type:
Software
Bulletins:
CISEC:8058
CVE-2020-8095
Severity:
Medium
Description:
A vulnerability in the improper handling of junctions before deletion in Bitdefender Total Security 2020 can allow an attacker to trigger a denial of service on the affected device.
Applies to:
Bitdefender Total Security
Created:
2020-08-21
Updated:
2024-01-17

ID:
CISEC:8048
Title:
Vulnerability in Bitdefender Total Security 2020 prior to 24.0.20.116
Type:
Software
Bulletins:
CISEC:8048
CVE-2020-8102
Severity:
Medium
Description:
Improper Input Validation vulnerability in the Safepay browser component of Bitdefender Total Security 2020 allows an external, specially crafted web page to run remote commands inside the Safepay Utility process. This issue affects Bitdefender Total Security 2020 versions prior to 24.0.20.116.
Applies to:
Bitdefender Total Security
Created:
2020-08-21
Updated:
2024-01-17

ID:
CISEC:8052
Title:
Vulnerability in Bitdefender Total Security 2020 prior to 24.0.12.69
Type:
Software
Bulletins:
CISEC:8052
CVE-2019-17100
Severity:
Medium
Description:
An Untrusted Search Path vulnerability in bdserviceshost.exe as used in Bitdefender Total Security 2020 prior to 24.0.12.69 allows an attacker to execute arbitrary code.
Applies to:
Bitdefender Total Security
Created:
2020-08-21
Updated:
2024-01-17

ID:
CISEC:8050
Title:
Vulnerability in Bitdefender Safepay before 23.0.10.34
Type:
Software
Bulletins:
CISEC:8050
CVE-2019-6737
Severity:
Medium
Description:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Bitdefender SafePay 23.0.10.34. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of TIScript. The issue lies in the handling of the openFile method, which allows for an arbitrary file write with attacker-controlled data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7247.
Applies to:
Bitdefender Safepay
Created:
2020-08-21
Updated:
2024-01-17

ID:
CISEC:8057
Title:
Vulnerability in Bitdefender Safepay before 23.0.10.34
Type:
Software
Bulletins:
CISEC:8057
CVE-2019-6736
Severity:
Medium
Description:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Bitdefender SafePay 23.0.10.34. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of tiscript. When processing the System.Exec method the application does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7234.
Applies to:
Bitdefender Safepay
Created:
2020-08-21
Updated:
2024-01-17

ID:
CISEC:8060
Title:
Vulnerability in Bitdefender Safepay before 23.0.10.34
Type:
Software
Bulletins:
CISEC:8060
CVE-2019-6738
Severity:
Medium
Description:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Bitdefender SafePay 23.0.10.34. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of TIScript. When processing the launch method the application does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7250.
Applies to:
Bitdefender Safepay
Created:
2020-08-21
Updated:
2024-01-17

ID:
CISEC:8053
Title:
Vulnerability in Bitdefender products
Type:
Software
Bulletins:
CISEC:8053
CVE-2019-14242
Severity:
High
Description:
An issue was discovered in Bitdefender products for Windows (Bitdefender Endpoint Security Tool versions prior to 6.6.8.115; and Bitdefender Antivirus Plus, Bitdefender Internet Security, and Bitdefender Total Security versions prior to 23.0.24.120) that can lead to local code injection. A local attacker with administrator privileges can create a malicious DLL file in %SystemRoot%\System32\ that will be executed with local user privileges.
Applies to:
Bitdefender Antivirus Plus
Bitdefender Internet Security
Bitdefender Total Security
Created:
2020-08-21
Updated:
2024-01-17

ID:
CISEC:8059
Title:
Vulnerability in Bitdefender Endpoint Security Tools prior to 6.6.11.163
Type:
Software
Bulletins:
CISEC:8059
CVE-2019-17099
Severity:
Medium
Description:
An Untrusted Search Path vulnerability in EPSecurityService.exe as used in Bitdefender Endpoint Security Tools versions prior to 6.6.11.163 allows an attacker to load an arbitrary DLL file from the search path. This issue affects: Bitdefender EPSecurityService.exe versions prior to 6.6.11.163.
Applies to:
Bitdefender Endpoint Security Tools
Created:
2020-08-21
Updated:
2024-01-17

ID:
CISEC:8051
Title:
Vulnerability in Bitdefender Antivirus Free prior to 1.0.17.178
Type:
Software
Bulletins:
CISEC:8051
CVE-2020-8103
Severity:
Low
Description:
A vulnerability in the improper handling of symbolic links in Bitdefender Antivirus Free can allow an unprivileged user to substitute a quarantined file, and restore it to a privileged location. This issue affects Bitdefender Antivirus Free versions prior to 1.0.17.178.
Applies to:
Bitdefender Antivirus Free
Created:
2020-08-21
Updated:
2024-01-17

ID:
CISEC:8045
Title:
Vulnerability in Bitdefender Antivirus Free prior to 1.0.17
Type:
Software
Bulletins:
CISEC:8045
CVE-2020-8099
Severity:
Medium
Description:
A vulnerability in the improper handling of junctions in Bitdefender Antivirus Free can allow an unprivileged user to substitute a quarantined file, and restore it to a privileged location. This issue affects: Bitdefender Antivirus Free versions prior to 1.0.17.
Applies to:
Bitdefender Antivirus Free
Created:
2020-08-21
Updated:
2024-01-17

ID:
CISEC:8054
Title:
Vulnerability in Bitdefender Antivirus Free prior to 1.0.15.138
Type:
Software
Bulletins:
CISEC:8054
Severity:
Low
Description:
An Untrusted Search Path vulnerability in the ServiceInstance.dll library versions 1.0.15.119 and lower, as used in Bitdefender Antivirus Free 2020 versions prior to 1.0.15.138, allows an attacker to load an arbitrary DLL file from the search path.
Applies to:
Bitdefender Antivirus Free
Created:
2020-08-21
Updated:
2020-08-21

ID:
CISEC:8047
Title:
Code injection vulnerability in Bitdefender
Type:
Software
Bulletins:
CISEC:8047
CVE-2017-6186
Severity:
High
Description:
Code injection vulnerability in Bitdefender Total Security 12.0 (and earlier), Internet Security 12.0 (and earlier), and Antivirus Plus 12.0 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Bitdefender process via a "DoubleAgent" attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack.
Applies to:
Bitdefender Antivirus Plus
Bitdefender Internet Security
Bitdefender Total Security
Created:
2020-08-21
Updated:
2024-01-17

ID:
CISEC:7959
Title:
Windows WalletService Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7959
CVE-2020-1361
Severity:
Low
Description:
An information disclosure vulnerability exists in the way that the WalletService handles memory. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by correcting how the WalletService handles memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8022
Title:
Windows WalletService Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8022
CVE-2020-1362
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows WalletService properly handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8037
Title:
Windows WalletService Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8037
CVE-2020-1344
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows WalletService properly handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7997
Title:
Windows WalletService Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7997
CVE-2020-1369
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows WalletService properly handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8010
Title:
Windows WalletService Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:8010
CVE-2020-1364
Severity:
Low
Description:
A denial of service vulnerability exists in the way that the WalletService handles files. An attacker who successfully exploited the vulnerability could corrupt system files. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by correcting how the WalletService handles files.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7996
Title:
Windows USO Core Worker Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7996
CVE-2020-1352
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows USO Core Worker improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows USO Core Worker handles memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8033
Title:
Windows UPnP Device Host Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8033
CVE-2020-1430
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows UPnP Device Host improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows UPnP Device Host handles memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7968
Title:
Windows UPnP Device Host Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7968
CVE-2020-1354
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows UPnP Device Host improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows UPnP Device Host handles memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7958
Title:
Windows Update Stack Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7958
CVE-2020-1424
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows Update Stack handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7974
Title:
Windows System Events Broker Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7974
CVE-2020-1357
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows System Events Broker improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows System Events Broker properly handles file operations.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8025
Title:
Windows Sync Host Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8025
CVE-2020-1434
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Sync Host Service handles objects in memory. An attacker who successfully exploited the vulnerability could allow an application with limited privileges on an affected system to execute code at a medium integrity level. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows Sync Host Service handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7976
Title:
Windows Storage Services Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7976
CVE-2020-1347
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Storage Services improperly handle file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Storage Services properly handle file operations.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7993
Title:
Windows Spatial Data Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7993
CVE-2020-1441
Severity:
Low
Description:
An elevation of privilege vulnerability exists when the Windows Spatial Data Service improperly handles objects in memory. An attacker could exploit the vulnerability to overwrite or modify a protected file leading to a privilege escalation. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by addressing how the Windows Spatial Data Service handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2021-12-30

ID:
CISEC:7970
Title:
Windows SharedStream Library Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7970
CVE-2020-1463
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the SharedStream Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the SharedStream Library properly handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8015
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8015
CVE-2020-1414
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8017
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8017
CVE-2020-1422
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8021
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8021
CVE-2020-1370
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8039
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8039
CVE-2020-1399
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7960
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7960
CVE-2020-1249
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7975
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7975
CVE-2020-1353
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7987
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7987
CVE-2020-1404
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7990
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7990
CVE-2020-1413
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7991
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7991
CVE-2020-1415
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8028
Title:
Windows Resource Policy Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8028
CVE-2020-1358
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows Resource Policy component improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to disclose information about the victim system's memory layout. The security update addresses the vulnerability by correcting how the Windows Resource Policy component handles memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7988
Title:
Windows Push Notification Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7988
CVE-2020-1387
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8006
Title:
Windows Profile Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8006
CVE-2020-1360
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Profile Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Profile Service properly handles file operations.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7963
Title:
Windows Print Workflow Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7963
CVE-2020-1366
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Print Workflow Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the AppContainer sandbox. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability. The security update addresses the vulnerability by correcting how the Windows Print Workflow Service handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8018
Title:
Windows Picker Platform Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8018
CVE-2020-1363
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Picker Platform improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Picker Platform handles memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8029
Title:
Windows Network Location Awareness Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8029
CVE-2020-1437
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Network Location Awareness Service handles objects in memory. An attacker who successfully exploited the vulnerability could allow an application with limited privileges on an affected system to execute code at a medium integrity level. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows Network Location Awareness Service handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8042
Title:
Windows Network List Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8042
CVE-2020-1406
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way that the Windows Network List Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network List Service properly handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8008
Title:
Windows Network Connections Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8008
CVE-2020-1373
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8011
Title:
Windows Network Connections Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8011
CVE-2020-1438
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7995
Title:
Windows Network Connections Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7995
CVE-2020-1390
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7979
Title:
Windows Network Connections Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7979
CVE-2020-1428
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7981
Title:
Windows Network Connections Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7981
CVE-2020-1427
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7986
Title:
Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7986
CVE-2020-1330
Severity:
Low
Description:
An information disclosure vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to read files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and access files. The security update addresses the vulnerability by correcting how Windows MDM Diagnostics handles files.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7973
Title:
Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7973
CVE-2020-1405
Severity:
Low
Description:
An elevation of privilege vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to delete files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and remove files. The security update addresses the vulnerability by correcting how Windows MDM Diagnostics handles files.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7983
Title:
Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7983
CVE-2020-1372
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles objects in memory. An attacker who successfully exploited this vulnerability could bypass access restrictions to delete files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and remove files. The security update addresses the vulnerability by correcting how Windows MDM Diagnostics handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8041
Title:
Windows Lockscreen Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8041
CVE-2020-1398
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Windows Lockscreen fails to properly handle the Ease of Access dialog. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. The security update addresses the vulnerability by ensuring that the Ease of Access dialog is handled properly.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8016
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8016
CVE-2020-1419
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows kernel initializes memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8026
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8026
CVE-2020-1426
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8036
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8036
CVE-2020-1389
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows kernel initializes memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7964
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7964
CVE-2020-1367
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7961
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7961
CVE-2020-1411
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7966
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7966
CVE-2020-1336
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8027
Title:
Windows iSCSI Target Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8027
CVE-2020-1356
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows iSCSI Target Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows iSCSI Target Service properly handles file operations.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7977
Title:
Windows Imaging Component Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7977
CVE-2020-1397
Severity:
Medium
Description:
An information disclosure vulnerability exists in Windows when the Windows Imaging Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit this vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or instant message that takes users to the attacker's website or by opening an attachment sent through email. In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit this vulnerability and then convince a user to open the document file. The security update addresses the vulnerability by correcting how the Windows Imaging Component handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8007
Title:
Windows Graphics Component Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8007
CVE-2020-1382
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8013
Title:
Windows Graphics Component Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8013
CVE-2020-1381
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7998
Title:
Windows GDI Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7998
CVE-2020-1468
Severity:
Medium
Description:
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7962
Title:
Windows Function Discovery Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7962
CVE-2020-1085
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Function Discovery Service properly handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7985
Title:
Windows Font Library Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7985
CVE-2020-1436
Severity:
Medium
Description:
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted fonts. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file. The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8012
Title:
Windows Font Driver Host Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8012
CVE-2020-1355
Severity:
Medium
Description:
A remote code execution vulnerability exists when the Windows Font Driver Host improperly handles memory. An attacker who successfully exploited the vulnerability would gain execution on a victim system. The security update addresses the vulnerability by correcting how the Windows Font Driver Host handles memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8032
Title:
Windows Event Logging Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8032
CVE-2020-1365
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Event Logging Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Event Logging Service handles memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7980
Title:
Windows Event Logging Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7980
CVE-2020-1371
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Event Logging Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Event Logging Service handles memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8019
Title:
Windows Error Reporting Manager Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8019
CVE-2020-1429
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows Error Reporting manager handles process crashes.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7972
Title:
Windows Error Reporting Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7972
CVE-2020-1420
Severity:
Low
Description:
An information disclosure vulnerability exists when Windows Error Reporting improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to disclose information. The security update addresses the vulnerability by correcting how Windows Error Reporting handles file operations.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8002
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8002
CVE-2020-1392
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Delivery Optimization service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows Delivery Optimization service handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8009
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8009
CVE-2020-1395
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Speech Brokered API handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Speech Brokered API properly handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8023
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8023
CVE-2020-1388
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the psmsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the psmsrv.dll properly handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8000
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8000
CVE-2020-1394
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Geolocation Framework handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Geolocation Framework properly handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8030
Title:
Windows DNS Server Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8030
CVE-2020-1350
Severity:
High
Description:
A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server. The update addresses the vulnerability by modifying how Windows DNS servers handle requests.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8040
Title:
Windows Diagnostics Hub Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8040
CVE-2020-1418
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Diagnostics Execution Service fails to properly sanitize input, leading to an unsecure library-loading behavior. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows Diagnostics Execution Service sanitizes input, to help preclude unintended elevated system privileges.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8001
Title:
Windows Credential Picker Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8001
CVE-2020-1385
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Credential Picker handles objects in memory. An attacker who successfully exploited the vulnerability could allow an application with limited privileges on an affected system to execute code at a medium integrity level. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows Credential Picker handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7994
Title:
Windows Credential Enrollment Manager Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7994
CVE-2020-1368
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Credential Enrollment Manager service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Credential Enrollment Manager service properly handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7969
Title:
Windows COM Server Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7969
CVE-2020-1375
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Windows improperly handles COM object creation. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Windows COM Server creates COM objects.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7989
Title:
Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7989
CVE-2020-1384
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Cryptography Next Generation (CNG) Key Isolation service improperly handles memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows CNG Key Isolation Service handles memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7992
Title:
Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7992
CVE-2020-1359
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Cryptography Next Generation (CNG) Key Isolation service improperly handles memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows CNG Key Isolation Service handles memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7967
Title:
Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7967
CVE-2020-1431
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows AppX Deployment Extensions improperly performs privilege management, resulting in access to system files. To exploit this vulnerability, an authenticated attacker would need to run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how AppX Deployment Extensions manages privileges.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8035
Title:
Windows ALPC Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:8035
CVE-2020-1396
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system. The update addresses the vulnerability by correcting how Windows handles calls to ALPC.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8034
Title:
Windows Agent Activation Runtime Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8034
CVE-2020-1391
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows Agent Activation Runtime (AarSvc) fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application. The update addresses the vulnerability by correcting how the Windows Agent Activation Runtime handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8004
Title:
Windows Address Book Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8004
CVE-2020-1410
Severity:
High
Description:
A remote code execution vulnerability exists when Windows Address Book (WAB) improperly processes vcard files. To exploit the vulnerability, an attacker could send a malicious vcard that a victim opens using Windows Address Book (WAB). After successfully exploiting the vulnerability, an attacker could gain execution on a victim system. The security update addresses the vulnerability by correcting the way Windows Address Book handles bound checking.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7971
Title:
Windows ActiveX Installer Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7971
CVE-2020-1402
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows ActiveX Installer Service handles memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8003
Title:
Remote Desktop Client Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8003
CVE-2020-1374
Severity:
Medium
Description:
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would have no way of forcing a user to connect to the malicious server; they would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect. The update addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8005
Title:
Microsoft Graphics Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8005
CVE-2020-1408
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or instant message that takes users to the attacker's website, or by opening an attachment sent through email. In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit the vulnerability and then convince users to open the document file. The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7982
Title:
Microsoft Graphics Components Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7982
CVE-2020-1412
Severity:
High
Description:
A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8020
Title:
Microsoft Graphics Component Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:8020
CVE-2020-1351
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7965
Title:
Local Security Authority Subsystem Service Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7965
CVE-2020-1267
Severity:
Medium
Description:
This security update corrects a denial of service in the Local Security Authority Subsystem Service (LSASS) caused when an authenticated attacker sends a specially crafted authentication request. A remote attacker who successfully exploited this vulnerability could cause a denial of service on the target system's LSASS service, which triggers an automatic reboot of the system. The security update addresses the vulnerability by changing the way that LSASS handles specially crafted authentication requests.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8031
Title:
LNK Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8031
CVE-2020-1421
Severity:
High
Description:
A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker's choice on the target system. The security update addresses the vulnerability by correcting the processing of shortcut LNK references.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8014
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8014
CVE-2020-1401
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8024
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8024
CVE-2020-1400
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:8038
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:8038
CVE-2020-1407
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7999
Title:
Group Policy Services Policy Processing Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7999
CVE-2020-1333
Severity:
Low
Description:
An elevation of privilege vulnerability exists when Group Policy Services Policy Processing improperly handles reparse points. An attacker who successfully exploited this vulnerability could overwrite a targeted file that would normally require elevated permissions. To exploit the vulnerability, an attacker would first have to log on to a system and create folders that will be used by Group Policy logging and tracing. The attacker could then run a specially crafted application to target a file for overwriting, and then wait for the administrator to apply the Group Policy logging and tracing settings on the vulnerable system. The security update addresses the vulnerability by correcting how Group Policy Services Policy Processing performs data logging.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7984
Title:
GDI+ Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7984
CVE-2020-1435
Severity:
High
Description:
A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message. In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file. The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7978
Title:
Connected User Experiences and Telemetry Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7978
CVE-2020-1386
Severity:
Low
Description:
An information disclosure vulnerability exists when Windows Connected User Experiences and Telemetry Service improperly discloses file information. Successful exploitation of the vulnerability could allow the attacker to read any file on the file system. To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by changing the way Windows Connected User Experiences and Telemetry Service discloses file information.
Applies to:
Created:
2020-08-13
Updated:
2024-01-17

ID:
CISEC:7936
Title:
Vulnerability in Avira Antivirus through 15.0.2005.1866
Type:
Software
Bulletins:
CISEC:7936
CVE-2020-12680
Severity:
Low
Description:
Avira Free Antivirus through 15.0.2005.1866 allows local users to discover user credentials. The functions of the executable file Avira.PWM.NativeMessaging.exe are aimed at collecting credentials stored in Chrome, Firefox, Opera, and Edge. The executable does not verify the calling program and thus a request such as fetchChromePasswords or fetchCredentials will succeed. NOTE: some third parties have stated that this is "not a vulnerability."
Applies to:
Avira Antivirus
Created:
2020-07-31
Updated:
2024-01-17

ID:
CISEC:7935
Title:
Vulnerability in Avira Antivirus before 8.3.54.138
Type:
Software
Bulletins:
CISEC:7935
CVE-2020-9320
Severity:
Medium
Description:
Avira AV Engine before 8.3.54.138 allows virus-detection bypass via a crafted ISO archive. This affects versions before 8.3.54.138 of Antivirus for Endpoint, Antivirus for Small Business, Exchange Security (Gateway), Internet Security Suite for Windows, Prime, Free Security Suite for Windows, and Cross Platform Anti-malware SDK.
Applies to:
Avira Antivirus
Created:
2020-07-31
Updated:
2024-01-17

ID:
CISEC:7933
Title:
Vulnerability in Avira Antivirus before 15.0.2004.1825
Type:
Software
Bulletins:
CISEC:7933
CVE-2020-8961
Severity:
High
Description:
An issue was discovered in Avira Free-Antivirus before 15.0.2004.1825. The Self-Protection feature does not prohibit a write operation from an external process. Thus, code injection can be used to turn off this feature. After that, one can construct an event that will modify a file at a specific location, and pass this event to the driver, thereby defeating the anti-virus functionality.
Applies to:
Avira Antivirus
Created:
2020-07-31
Updated:
2024-01-17

ID:
CISEC:7934
Title:
Vulnerability in Avira Antivirus before 15.0.2003.1821
Type:
Software
Bulletins:
CISEC:7934
CVE-2020-12254
Severity:
Medium
Description:
Avira Antivirus before 15.0.2003.1821 on Windows allows privilege escalation or a denial of service via abuse of a symlink.
Applies to:
Avira Antivirus
Created:
2020-07-31
Updated:
2024-01-17

ID:
CISEC:7932
Title:
Vulnerability in Avira Antivirus
Type:
Software
Bulletins:
CISEC:7932
CVE-2016-10402
Severity:
High
Description:
Avira Antivirus engine versions before 8.3.36.60 allow remote code execution as NT AUTHORITY\SYSTEM via a section header with a very large relative virtual address in a PE file, causing an integer overflow and heap-based buffer underflow.
Applies to:
Avira Antivirus
Created:
2020-07-31
Updated:
2024-01-17

ID:
CISEC:7937
Title:
Vulnerability in Avira Antivirus
Type:
Software
Bulletins:
CISEC:7937
CVE-2019-18568
Severity:
High
Description:
Avira Free Antivirus 15.0.1907.1514 is prone to a local privilege escalation through the execution of kernel code from a restricted user.
Applies to:
Avira Antivirus
Created:
2020-07-31
Updated:
2024-01-17

ID:
CISEC:7939
Title:
Vulnerability in Avira Antivirus
Type:
Software
Bulletins:
CISEC:7939
CVE-2013-4602
Severity:
High
Description:
A Denial of Service (infinite loop) vulnerability exists in Avira AntiVir Engine before 8.2.12.58 via an unspecified function in the PDF Scanner Engine.
Applies to:
Avira Antivirus
Created:
2020-07-31
Updated:
2024-01-17

ID:
CISEC:7925
Title:
Vulnerability in Kaspersky products
Type:
Software
Bulletins:
CISEC:7925
CVE-2019-15689
Severity:
Medium
Description:
Kaspersky Secure Connection, Kaspersky Internet Security, Kaspersky Total Security, and Kaspersky Security Cloud prior to version 2020 patch E have a bug that allows a local user to execute arbitrary code via execution of a compromised file placed by an attacker with administrator rights. No privilege escalation. Possible whitelisting bypass of some security products.
Applies to:
Kaspersky Internet Security
Kaspersky Secure Connection
Kaspersky Security Cloud
Kaspersky Total Security
Created:
2020-07-24
Updated:
2024-01-17

ID:
CISEC:7904
Title:
Vulnerability in Kaspersky Password Manager before 8.0.6.538
Type:
Software
Bulletins:
CISEC:7904
CVE-2018-6306
Severity:
Medium
Description:
Unauthorized code execution from a specific DLL, known as a DLL hijacking attack, in Kaspersky Password Manager versions before 8.0.6.538.
Applies to:
Kaspersky Password Manager
Created:
2020-07-24
Updated:
2024-01-17

ID:
CISEC:7921
Title:
Vulnerability in Kaspersky Embedded Systems Security 1.2.0.300 and 2.0.0.385
Type:
Software
Bulletins:
CISEC:7921
CVE-2017-12823
Severity:
Medium
Description:
Kernel pool memory corruption in one of the drivers in Kaspersky Embedded Systems Security version 1.2.0.300 leads to local privilege escalation.
Applies to:
Kaspersky Embedded Systems Security
Created:
2020-07-24
Updated:
2024-01-17

ID:
CISEC:7905
Title:
Vulnerability in Kaspersky Anti-Virus products
Type:
Software
Bulletins:
CISEC:7905
Severity:
Low
Description:
Kaspersky Lab has fixed a number of vulnerabilities found by Cisco TALOS. All these vulnerabilities could have been exploited only if the machine already contained a malicious program. TALOS-CAN-0166: a specially crafted call can cause an access violation in one of the product's drivers, resulting in a local denial of service.
Applies to:
Kaspersky Anti-Virus
Kaspersky Internet Security
Kaspersky Total Security
Created:
2020-07-24
Updated:
2020-07-24

ID:
CISEC:7906
Title:
Vulnerability in Kaspersky Anti-Virus products
Type:
Software
Bulletins:
CISEC:7906
Severity:
Low
Description:
Kaspersky Lab has fixed vulnerability TALOS-CAN-0169 in Kaspersky Anti-Virus products. This vulnerability could have been exploited only if the machine already contained a malicious program that might have used a bug in one of the product's drivers to cause an access violation in it, resulting in a local system denial of service.
Applies to:
Kaspersky Anti-Virus
Kaspersky Internet Security
Kaspersky Total Security
Created:
2020-07-24
Updated:
2020-07-24

ID:
CISEC:7908
Title:
Vulnerability in Kaspersky Anti-Virus products
Type:
Software
Bulletins:
CISEC:7908
CVE-2016-4329
Severity:
Low
Description:
A local denial of service vulnerability exists in the window broadcast message handling functionality of Kaspersky Anti-Virus software. By sending certain unhandled window messages, an attacker can cause application termination and in the same way bypass the KAV self-protection mechanism.
Applies to:
Kaspersky Anti-Virus
Kaspersky Internet Security
Kaspersky Total Security
Created:
2020-07-24
Updated:
2024-01-17

ID:
CISEC:7912
Title:
Vulnerability in Kaspersky Anti-Virus products
Type:
Software
Bulletins:
CISEC:7912
CVE-2015-8691
Severity:
Low
Description:
Kaspersky Lab has fixed vulnerability CVE-2015-8691 in Kaspersky Anti-Virus products, which may lead to local privilege escalation. This vulnerability could have been exploited only if the host machine already contained a malicious program that might have used a bug in one of the product's drivers to write to an arbitrary path without overwriting an existing file.
Applies to:
Kaspersky Anti-Virus
Kaspersky Internet Security
Kaspersky Total Security
Created:
2020-07-24
Updated:
2020-07-24

ID:
CISEC:7916
Title:
Vulnerability in Kaspersky Anti-Virus products
Type:
Software
Bulletins:
CISEC:7916
Severity:
Low
Description:
Kaspersky Lab has fixed a number of vulnerabilities found by Cisco TALOS. All these vulnerabilities could have been exploited only if the machine already contained a malicious program. TALOS-CAN-0168: a specially crafted call can cause one of the product's drivers to return out-of-bounds kernel memory, potentially leaking sensitive information.
Applies to:
Kaspersky Anti-Virus
Kaspersky Internet Security
Kaspersky Total Security
Created:
2020-07-24
Updated:
2020-07-24

ID:
CISEC:7919
Title:
Vulnerability in Kaspersky Anti-Virus products
Type:
Software
Bulletins:
CISEC:7919
Severity:
Low
Description:
Kaspersky Lab has fixed a number of vulnerabilities found by Cisco TALOS. All these vulnerabilities could have been exploited only if the machine already contained a malicious program. TALOS-CAN-0167: a specially crafted call can cause an access violation in one of the product's drivers, resulting in a local denial of service.
Applies to:
Kaspersky Anti-Virus
Kaspersky Internet Security
Kaspersky Total Security
Created:
2020-07-24
Updated:
2020-07-24

ID:
CISEC:7923
Title:
Vulnerability in Kaspersky Anti-Virus products
Type:
Software
Bulletins:
CISEC:7923
Severity:
Low
Description:
Information disclosure in Kaspersky Anti-Virus, Kaspersky Internet Security, and Kaspersky Total Security versions up to 2019 could potentially disclose the unique Product ID by forcing a victim to visit a specially crafted webpage (for example, via clicking a phishing link).
Applies to:
Kaspersky Anti-Virus
Kaspersky Internet Security
Kaspersky Total Security
Created:
2020-07-24
Updated:
2020-07-24

ID:
CISEC:7927
Title:
Vulnerability in Kaspersky Anti-Virus products
Type:
Software
Bulletins:
CISEC:7927
CVE-2019-15685
Severity:
Medium
Description:
In Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus, Kaspersky Small Office Security, and Kaspersky Security Cloud up to 2020, the web protection component allowed an attacker to remotely disable product security features such as private browsing and anti-banner. Bypass.
Applies to:
Kaspersky Anti-Virus
Kaspersky Free
Kaspersky Internet Security
Kaspersky Total Security
Created:
2020-07-24
Updated:
2024-01-17

ID:
CISEC:7928
Title:
Vulnerability in Kaspersky Anti-Virus products
Type:
Software
Bulletins:
CISEC:7928
CVE-2019-15688
Severity:
Medium
Description:
In Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus, Kaspersky Small Office Security, and Kaspersky Security Cloud up to 2020, the web protection component did not adequately inform the user about the threat of redirecting to an untrusted site. Bypass.
Applies to:
Kaspersky Anti-Virus
Kaspersky Free
Kaspersky Internet Security
Kaspersky Total Security
Created:
2020-07-24
Updated:
2024-01-17

ID:
CISEC:7929
Title:
Vulnerability in Kaspersky Anti-Virus products
Type:
Software
Bulletins:
CISEC:7929
CVE-2019-15687
Severity:
Medium
Description:
In Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus, Kaspersky Small Office Security, and Kaspersky Security Cloud up to 2020, the web protection component was vulnerable to remote disclosure of various information about the user's system (like Windows version and version of the product, host unique ID). Information Disclosure.
Applies to:
Kaspersky Anti-Virus
Kaspersky Free
Kaspersky Internet Security
Kaspersky Total Security
Created:
2020-07-24
Updated:
2024-01-17

ID:
CISEC:7930
Title:
Vulnerability in Kaspersky Anti-Virus products
Type:
Software
Bulletins:
CISEC:7930
CVE-2019-15686
Severity:
Medium
Description:
In Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus, Kaspersky Small Office Security, and Kaspersky Security Cloud up to 2020, the web protection component allowed an attacker to remotely disable various anti-virus protection features. DoS, Bypass.
Applies to:
Kaspersky Anti-Virus
Kaspersky Free
Kaspersky Internet Security
Kaspersky Total Security
Created:
2020-07-24
Updated:
2024-01-17

ID:
CISEC:7924
Title:
Vulnerability in AhnLab V3 Internet Security 2011.01.18.00, avast! Antivirus 4.8.1351.0 and 5.0.677.0, Kaspersky Anti-Virus 7.0.0.125, ClamAV 0.96.4, Emsisoft Anti-Malware 5.1.0.1
Type:
Software
Bulletins:
CISEC:7924
CVE-2012-1459
Severity:
Medium
Description:
The TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, avast! Antivirus 4.8.1351.0 and 5.0.677.0, Kaspersky Anti-Virus 7.0.0.125, ClamAV 0.96.4, Emsisoft Anti-Malware 5.1.0.1 allows remote attackers to bypass malware detection via a TAR archive entry with a length field corresponding to that entire entry, plus part of the header of the next entry. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different TAR parser implementations.
Applies to:
AVG Antivirus
AhnLab V3 Internet Security
Avast! AntiVirus
ClamAV
Emsisoft Anti-Malware
Kaspersky Anti-Virus
Created:
2020-07-24
Updated:
2024-01-17

ID:
CISEC:7856
Title:
Array index error in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7856
CVE-2015-1232
Severity:
High
Description:
Array index error in the MidiManagerUsb::DispatchSendMidiData function in media/midi/midi_manager_usb.cc in Google Chrome before 41.0.2272.76 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging renderer access to provide an invalid port index that triggers an out-of-bounds write operation, a different vulnerability than CVE-2015-1212.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7825
Title:
Vulnerability in Skia, as used in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7825
CVE-2015-1215
Severity:
High
Description:
The filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an out-of-bounds write operation.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7896
Title:
Vulnerability in Skia, as used in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7896
CVE-2015-1213
Severity:
High
Description:
The SkBitmap::ReadRawPixels function in core/SkBitmap.cpp in the filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an out-of-bounds write operation.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7822
Title:
Vulnerability in Google Chrome before 45.0.2454.85
Type:
Web
Bulletins:
CISEC:7822
CVE-2015-1297
Severity:
High
Description:
The WebRequest API implementation in extensions/browser/api/web_request/web_request_api.cc in Google Chrome before 45.0.2454.85 does not properly consider a request's source before accepting the request, which allows remote attackers to bypass intended access restrictions via a crafted (1) app or (2) extension.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7839
Title:
Vulnerability in Google Chrome before 45.0.2454.85
Type:
Web
Bulletins:
CISEC:7839
CVE-2015-1296
Severity:
Medium
Description:
The UnescapeURLWithAdjustmentsImpl implementation in net/base/escape.cc in Google Chrome before 45.0.2454.85 does not prevent display of Unicode LOCK characters in the omnibox, which makes it easier for remote attackers to spoof the SSL lock icon by placing one of these characters at the end of a URL, as demonstrated by the omnibox in localizations for right-to-left languages.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7848
Title:
Vulnerability in Google Chrome before 45.0.2454.85
Type:
Web
Bulletins:
CISEC:7848
CVE-2015-1298
Severity:
Medium
Description:
The RuntimeEventRouter::OnExtensionUninstalled function in extensions/browser/api/runtime/runtime_api.cc in Google Chrome before 45.0.2454.85 does not ensure that the setUninstallURL preference corresponds to the URL of a web site, which allows user-assisted remote attackers to trigger access to an arbitrary URL via a crafted extension that is uninstalled.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7854
Title:
Vulnerability in Google Chrome before 45.0.2454.85
Type:
Web
Bulletins:
CISEC:7854
CVE-2015-1292
Severity:
Medium
Description:
The NavigatorServiceWorker::serviceWorker function in modules/serviceworkers/NavigatorServiceWorker.cpp in Blink, as used in Google Chrome before 45.0.2454.85, allows remote attackers to bypass the Same Origin Policy by accessing a Service Worker.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7881
Title:
Vulnerability in Google Chrome before 45.0.2454.85
Type:
Web
Bulletins:
CISEC:7881
CVE-2015-1291
Severity:
Medium
Description:
The ContainerNode::parserRemoveChild function in core/dom/ContainerNode.cpp in Blink, as used in Google Chrome before 45.0.2454.85, does not check whether a node is expected, which allows remote attackers to bypass the Same Origin Policy or cause a denial of service (DOM tree corruption) via a web site with crafted JavaScript code and IFRAME elements.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7866
Title:
Vulnerability in Google Chrome before 44.0.2403.89, which mishandles converter names with initial x- substrings
Type:
Web
Bulletins:
CISEC:7866
CVE-2015-1270
Severity:
Medium
Description:
The ucnv_io_getConverterName function in common/ucnv_io.cpp in International Components for Unicode (ICU), as used in Google Chrome before 44.0.2403.89, mishandles converter names with initial x- substrings, which allows remote attackers to cause a denial of service (read of uninitialized memory) or possibly have unspecified other impact via a crafted file.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7819
Title:
Vulnerability in Google Chrome before 44.0.2403.89
Type:
Web
Bulletins:
CISEC:7819
CVE-2015-1274
Severity:
Medium
Description:
Google Chrome before 44.0.2403.89 does not ensure that the auto-open list omits all dangerous file types, which makes it easier for remote attackers to execute arbitrary code by providing a crafted file and leveraging a user's previous "Always open files of this type" choice, related to download_commands.cc and download_prefs.cc.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7837
Title:
Vulnerability in Google Chrome before 44.0.2403.89
Type:
Web
Bulletins:
CISEC:7837
CVE-2015-1278
Severity:
Medium
Description:
content/browser/web_contents/web_contents_impl.cc in Google Chrome before 44.0.2403.89 does not ensure that a PDF document's modal dialog is closed upon navigation to an interstitial page, which allows remote attackers to spoof URLs via a crafted document, as demonstrated by the alert_dialog.pdf document.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7838
Title:
Vulnerability in Google Chrome before 44.0.2403.89
Type:
Web
Bulletins:
CISEC:7838
CVE-2015-1280
Severity:
High
Description:
SkPictureShader.cpp in Skia, as used in Google Chrome before 44.0.2403.89, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging access to a renderer process and providing crafted serialized data.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7844
Title:
Vulnerability in Google Chrome before 44.0.2403.89
Type:
Web
Bulletins:
CISEC:7844
CVE-2015-1287
Severity:
Medium
Description:
Blink, as used in Google Chrome before 44.0.2403.89, enables a quirks-mode exception that limits the cases in which a Cascading Style Sheets (CSS) document is required to have the text/css content type, which allows remote attackers to bypass the Same Origin Policy via a crafted web site, related to core/fetch/CSSStyleSheetResource.cpp.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7847
Title:
Vulnerability in Google Chrome before 44.0.2403.89
Type:
Web
Bulletins:
CISEC:7847
CVE-2015-1284
Severity:
High
Description:
The LocalFrame::isURLAllowed function in core/frame/LocalFrame.cpp in Blink, as used in Google Chrome before 44.0.2403.89, does not properly check for a page's maximum number of frames, which allows remote attackers to cause a denial of service (invalid count value and use-after-free) or possibly have unspecified other impact via crafted JavaScript code that makes many createElement calls for IFRAME elements.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7863
Title:
Vulnerability in Google Chrome before 44.0.2403.89
Type:
Web
Bulletins:
CISEC:7863
CVE-2015-1271
Severity:
Medium
Description:
PDFium, as used in Google Chrome before 44.0.2403.89, does not properly handle certain out-of-memory conditions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted PDF document that triggers a large memory allocation.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7867
Title:
Vulnerability in Google Chrome before 44.0.2403.89
Type:
Web
Bulletins:
CISEC:7867
CVE-2015-1288
Severity:
Medium
Description:
The Spellcheck API implementation in Google Chrome before 44.0.2403.89 does not use an HTTPS session for downloading a Hunspell dictionary, which allows man-in-the-middle attackers to deliver incorrect spelling suggestions or possibly have unspecified other impact via a crafted file, a related issue to CVE-2015-1263.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7869
Title:
Vulnerability in Google Chrome before 44.0.2403.89
Type:
Web
Bulletins:
CISEC:7869
CVE-2015-1285
Severity:
Medium
Description:
The XSSAuditor::canonicalize function in core/html/parser/XSSAuditor.cpp in the XSS auditor in Blink, as used in Google Chrome before 44.0.2403.89, does not properly choose a truncation point, which makes it easier for remote attackers to obtain sensitive information via an unspecified linear-time attack.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7898
Title:
Vulnerability in Google Chrome before 44.0.2403.89
Type:
Web
Bulletins:
CISEC:7898
CVE-2015-1281
Severity:
Medium
Description:
core/loader/ImageLoader.cpp in Blink, as used in Google Chrome before 44.0.2403.89, does not properly determine the V8 context of a microtask, which allows remote attackers to bypass Content Security Policy (CSP) restrictions by providing an image from an unintended source.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7864
Title:
Vulnerability in Google Chrome before 43.0.2357.65, which enables the inheritance of the designMode attribute
Type:
Web
Bulletins:
CISEC:7864
CVE-2015-1254
Severity:
Medium
Description:
core/dom/Document.cpp in Blink, as used in Google Chrome before 43.0.2357.65, enables the inheritance of the designMode attribute, which allows remote attackers to bypass the Same Origin Policy by leveraging the availability of editing.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7872
Title:
Vulnerability in Google Chrome before 43.0.2357.65, which relies on libvpx code that was not built with an appropriate --size-limit value
Type:
Web
Bulletins:
CISEC:7872
CVE-2015-1258
Severity:
High
Description:
Google Chrome before 43.0.2357.65 relies on libvpx code that was not built with an appropriate --size-limit value, which allows remote attackers to trigger a negative value for a size field, and consequently cause a denial of service or possibly have unspecified other impact, via a crafted frame size in VP9 video data.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7821
Title:
Vulnerability in Google Chrome before 43.0.2357.65
Type:
Web
Bulletins:
CISEC:7821
CVE-2015-1252
Severity:
High
Description:
common/partial_circular_buffer.cc in Google Chrome before 43.0.2357.65 does not properly handle wraps, which allows remote attackers to bypass a sandbox protection mechanism or cause a denial of service (out-of-bounds write) via vectors that trigger a write operation with a large amount of data, related to the PartialCircularBuffer::Write and PartialCircularBuffer::DoWrite functions.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7855
Title:
Vulnerability in Google Chrome before 43.0.2357.65
Type:
Web
Bulletins:
CISEC:7855
CVE-2015-1263
Severity:
Medium
Description:
The Spellcheck API implementation in Google Chrome before 43.0.2357.65 does not use an HTTPS session for downloading a Hunspell dictionary, which allows man-in-the-middle attackers to deliver incorrect spelling suggestions or possibly have unspecified other impact via a crafted file.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7901
Title:
Vulnerability in Google Chrome before 43.0.2357.65
Type:
Web
Bulletins:
CISEC:7901
CVE-2015-1259
Severity:
High
Description:
PDFium, as used in Google Chrome before 43.0.2357.65, does not properly initialize memory, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7824
Title:
Vulnerability in Google Chrome before 43.0.2357.130
Type:
Web
Bulletins:
CISEC:7824
CVE-2015-1267
Severity:
Medium
Description:
Blink, as used in Google Chrome before 43.0.2357.130, does not properly restrict the creation context during creation of a DOM wrapper, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code that uses a Blink public API, related to WebArrayBufferConverter.cpp, WebBlob.cpp, WebDOMError.cpp, and WebDOMFileSystem.cpp.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7829
Title:
Vulnerability in Google Chrome before 43.0.2357.130
Type:
Web
Bulletins:
CISEC:7829
CVE-2015-1268
Severity:
Medium
Description:
bindings/scripts/v8_types.py in Blink, as used in Google Chrome before 43.0.2357.130, does not properly select a creation context for a return value's DOM wrapper, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code, as demonstrated by use of a data: URL.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7841
Title:
Vulnerability in Google Chrome before 43.0.2357.130
Type:
Web
Bulletins:
CISEC:7841
CVE-2015-1266
Severity:
Medium
Description:
content/browser/webui/content_web_ui_controller_factory.cc in Google Chrome before 43.0.2357.130 does not properly consider the scheme in determining whether a URL is associated with a WebUI SiteInstance, which allows remote attackers to bypass intended access restrictions via a similar URL, as demonstrated by use of http://gpu when there is a WebUI class for handling chrome://gpu requests.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7885
Title:
Vulnerability in Google Chrome before 43.0.2357.130
Type:
Web
Bulletins:
CISEC:7885
CVE-2015-1269
Severity:
Medium
Description:
The DecodeHSTSPreloadRaw function in net/http/transport_security_state.cc in Google Chrome before 43.0.2357.130 does not properly canonicalize DNS hostnames before making comparisons to HSTS or HPKP preload entries, which allows remote attackers to bypass intended access restrictions via a string that (1) ends in a . (dot) character or (2) is not entirely lowercase.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7812
Title:
Vulnerability in Google Chrome before 42.0.2311.90
Type:
Web
Bulletins:
CISEC:7812
CVE-2015-1238
Severity:
High
Description:
Skia, as used in Google Chrome before 42.0.2311.90, allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via unknown vectors.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7818
Title:
Vulnerability in Google Chrome before 42.0.2311.90
Type:
Web
Bulletins:
CISEC:7818
CVE-2015-1246
Severity:
Medium
Description:
Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7826
Title:
Vulnerability in Google Chrome before 42.0.2311.90
Type:
Web
Bulletins:
CISEC:7826
CVE-2015-1240
Severity:
Medium
Description:
gpu/blink/webgraphicscontext3d_impl.cc in the WebGL implementation in Google Chrome before 42.0.2311.90 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WebGL program that triggers a state inconsistency.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7832
Title:
Vulnerability in Google Chrome before 42.0.2311.90
Type:
Web
Bulletins:
CISEC:7832
CVE-2015-1247
Severity:
Medium
Description:
The SearchEngineTabHelper::OnPageHasOSDD function in browser/ui/search_engines/search_engine_tab_helper.cc in Google Chrome before 42.0.2311.90 does not prevent use of a file: URL for an OpenSearch descriptor XML document, which might allow remote attackers to obtain sensitive information from local files via a crafted (1) http or (2) https web site.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7840
Title:
Vulnerability in Google Chrome before 42.0.2311.90
Type:
Web
Bulletins:
CISEC:7840
CVE-2015-1244
Severity:
Medium
Description:
The URLRequest::GetHSTSRedirect function in url_request/url_request.cc in Google Chrome before 42.0.2311.90 does not replace the ws scheme with the wss scheme whenever an HSTS Policy is active, which makes it easier for remote attackers to obtain sensitive information by sniffing the network for WebSocket traffic.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7874
Title:
Vulnerability in Google Chrome before 42.0.2311.90
Type:
Web
Bulletins:
CISEC:7874
CVE-2015-1242
Severity:
High
Description:
The ReduceTransitionElementsKind function in hydrogen-check-elimination.cc in Google V8 before 4.2.77.8, as used in Google Chrome before 42.0.2311.90, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that leverages "type confusion" in the check-elimination optimization.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7891
Title:
Vulnerability in Google Chrome before 42.0.2311.90
Type:
Web
Bulletins:
CISEC:7891
CVE-2015-1241
Severity:
Medium
Description:
Google Chrome before 42.0.2311.90 does not properly consider the interaction of page navigation with the handling of touch events and gesture events, which allows remote attackers to trigger unintended UI actions via a crafted web site that conducts a "tapjacking" attack.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7813
Title:
Vulnerability in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7813
CVE-2015-1227
Severity:
High
Description:
The DragImage::create function in platform/DragImage.cpp in Blink, as used in Google Chrome before 41.0.2272.76, does not initialize memory for image drawing, which allows remote attackers to have an unspecified impact by triggering a failed image decoding, as demonstrated by an image for which the default orientation cannot be used.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7817
Title:
Vulnerability in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7817
CVE-2015-1217
Severity:
High
Description:
The V8LazyEventListener::prepareListenerObject function in bindings/core/v8/V8LazyEventListener.cpp in the V8 bindings in Blink, as used in Google Chrome before 41.0.2272.76, does not properly compile listeners, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion."
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7853
Title:
Vulnerability in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7853
CVE-2015-1224
Severity:
Medium
Description:
The VpxVideoDecoder::VpxDecode function in media/filters/vpx_video_decoder.cc in the vpxdecoder implementation in Google Chrome before 41.0.2272.76 does not ensure that alpha-plane dimensions are identical to image dimensions, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted VPx video data.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7859
Title:
Vulnerability in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7859
CVE-2015-1226
Severity:
Medium
Description:
The DebuggerFunction::InitAgentHost function in browser/extensions/api/debugger/debugger_api.cc in Google Chrome before 41.0.2272.76 does not properly restrict what URLs are available as debugger targets, which allows remote attackers to bypass intended access restrictions via a crafted extension.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7861
Title:
Vulnerability in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7861
CVE-2015-1230
Severity:
High
Description:
The getHiddenProperty function in bindings/core/v8/V8EventListenerList.h in Blink, as used in Google Chrome before 41.0.2272.76, has a name conflict with the AudioContext class, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via JavaScript code that adds an AudioContext event listener and triggers "type confusion."
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7884
Title:
Vulnerability in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7884
CVE-2015-1229
Severity:
Medium
Description:
net/http/proxy_client_socket.cc in Google Chrome before 41.0.2272.76 does not properly handle a 407 (aka Proxy Authentication Required) HTTP status code accompanied by a Set-Cookie header, which allows remote proxy servers to conduct cookie-injection attacks via a crafted response.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7897
Title:
Vulnerability in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7897
CVE-2015-1228
Severity:
High
Description:
The RenderCounter::updateCounter function in core/rendering/RenderCounter.cpp in Blink, as used in Google Chrome before 41.0.2272.76, does not force a relayout operation and consequently does not initialize memory for a data structure, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted Cascading Style Sheets (CSS) token sequence.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7902
Title:
Vulnerability in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7902
CVE-2015-1225
Severity:
Medium
Description:
PDFium, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7845
Title:
Vulnerability in Google Chrome before 41.0.2272.118
Type:
Web
Bulletins:
CISEC:7845
CVE-2015-1233
Severity:
High
Description:
Google Chrome before 41.0.2272.118 does not properly handle the interaction of IPC, the Gamepad API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7870
Title:
Vulnerability in Google Chrome before 40.0.2214.91
Type:
Web
Bulletins:
CISEC:7870
CVE-2015-1248
Severity:
Medium
Description:
The FileSystem API in Google Chrome before 40.0.2214.91 allows remote attackers to bypass the SafeBrowsing for Executable Files protection mechanism by creating a .exe file in a temporary filesystem and then referencing this file with a filesystem:http: URL.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7889
Title:
Vulnerability in Google Chrome before 40.0.2214.111
Type:
Web
Bulletins:
CISEC:7889
CVE-2015-1211
Severity:
High
Description:
The OriginCanAccessServiceWorkers function in content/browser/service_worker/service_worker_dispatcher_host.cc in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android does not properly restrict the URI scheme during a ServiceWorker registration, which allows remote attackers to gain privileges via a filesystem: URI.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7890
Title:
Vulnerability in Blink, as used in Google Chrome before 43.0.2357.65, which does not initialize a certain width field
Type:
Web
Bulletins:
CISEC:7890
CVE-2015-1262
Severity:
High
Description:
platform/fonts/shaping/HarfBuzzShaper.cpp in Blink, as used in Google Chrome before 43.0.2357.65, does not initialize a certain width field, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted Unicode text.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7852
Title:
Vulnerability in Blink, as used in Google Chrome before 45.0.2454.85
Type:
Web
Bulletins:
CISEC:7852
CVE-2015-1293
Severity:
High
Description:
The DOM implementation in Blink, as used in Google Chrome before 45.0.2454.85, allows remote attackers to bypass the Same Origin Policy via unspecified vectors.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7830
Title:
Vulnerability in Blink, as used in Google Chrome before 43.0.2357.65
Type:
Web
Bulletins:
CISEC:7830
CVE-2015-1257
Severity:
High
Description:
platform/graphics/filters/FEColorMatrix.cpp in the SVG implementation in Blink, as used in Google Chrome before 43.0.2357.65, does not properly handle an insufficient number of values in an feColorMatrix filter, which allows remote attackers to cause a denial of service (container overflow) or possibly have unspecified other impact via a crafted document.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7892
Title:
Vulnerability in Blink, as used in Google Chrome before 43.0.2357.65
Type:
Web
Bulletins:
CISEC:7892
CVE-2015-1253
Severity:
High
Description:
core/html/parser/HTMLConstructionSite.cpp in the DOM implementation in Blink, as used in Google Chrome before 43.0.2357.65, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code that appends a child to a SCRIPT element, related to the insert and executeReparentTask functions.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7873
Title:
Vulnerability in Blink, as used in Google Chrome before 42.0.2311.90
Type:
Web
Bulletins:
CISEC:7873
CVE-2015-1235
Severity:
Medium
Description:
The ContainerNode::parserRemoveChild function in core/dom/ContainerNode.cpp in the HTML parser in Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to bypass the Same Origin Policy via a crafted HTML document with an IFRAME element.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7883
Title:
Vulnerability in Blink, as used in Google Chrome before 42.0.2311.90
Type:
Web
Bulletins:
CISEC:7883
CVE-2015-1236
Severity:
Medium
Description:
The MediaElementAudioSourceNode::process function in modules/webaudio/MediaElementAudioSourceNode.cpp in the Web Audio API implementation in Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to bypass the Same Origin Policy and obtain sensitive audio sample values via a crafted web site containing a media element.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7835
Title:
Vulnerability in Blink, as used in Google Chrome before 40.0.2214.111
Type:
Web
Bulletins:
CISEC:7835
CVE-2015-1210
Severity:
Medium
Description:
The V8ThrowException::createDOMException function in bindings/core/v8/V8ThrowException.cpp in the V8 bindings in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, does not properly consider frame access restrictions during the throwing of an exception, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7882
Title:
Use-after-free vulnerability in the IndexedDB implementation in Google Chrome before 44.0.2403.89
Type:
Web
Bulletins:
CISEC:7882
CVE-2015-1276
Severity:
High
Description:
Use-after-free vulnerability in content/browser/indexed_db/indexed_db_backing_store.cc in the IndexedDB implementation in Google Chrome before 44.0.2403.89 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging an abort action before a certain write operation.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7880
Title:
Use-after-free vulnerability in the Speech subsystem in Google Chrome before 43.0.2357.65
Type:
Web
Bulletins:
CISEC:7880
CVE-2015-1251
Severity:
Medium
Description:
Use-after-free vulnerability in the SpeechRecognitionClient implementation in the Speech subsystem in Google Chrome before 43.0.2357.65 allows remote attackers to execute arbitrary code via a crafted document.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7879
Title:
Use-after-free vulnerability in Google Chrome before 45.0.2454.85
Type:
Web
Bulletins:
CISEC:7879
CVE-2015-1294
Severity:
High
Description:
Use-after-free vulnerability in the SkMatrix::invertNonIdentity function in core/SkMatrix.cpp in Skia, as used in Google Chrome before 45.0.2454.85, allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering the use of matrix elements that lead to an infinite result during an inversion calculation.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7850
Title:
Use-after-free vulnerability in Google Chrome before 44.0.2403.89
Type:
Web
Bulletins:
CISEC:7850
CVE-2015-1277
Severity:
High
Description:
Use-after-free vulnerability in the accessibility implementation in Google Chrome before 44.0.2403.89 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging lack of certain validity checks for accessibility-tree data structures.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7886
Title:
Use-after-free vulnerability in Google Chrome before 44.0.2403.89
Type:
Web
Bulletins:
CISEC:7886
CVE-2015-1272
Severity:
High
Description:
Use-after-free vulnerability in the GPU process implementation in Google Chrome before 44.0.2403.89 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging the continued availability of a GPUChannelHost data structure during Blink shutdown, related to content/browser/gpu/browser_gpu_channel_host_factory.cc and content/renderer/render_thread_impl.cc.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7851
Title:
Use-after-free vulnerability in Google Chrome before 43.0.2357.65
Type:
Web
Bulletins:
CISEC:7851
CVE-2015-1255
Severity:
Medium
Description:
Use-after-free vulnerability in content/renderer/media/webaudio_capturer_source.cc in the WebAudio implementation in Google Chrome before 43.0.2357.65 allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact by leveraging improper handling of a stop action for an audio track.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7816
Title:
Use-after-free vulnerability in Google Chrome before 42.0.2311.90
Type:
Web
Bulletins:
CISEC:7816
CVE-2015-1237
Severity:
High
Description:
Use-after-free vulnerability in the RenderFrameImpl::OnMessageReceived function in content/renderer/render_frame_impl.cc in Google Chrome before 42.0.2311.90 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger renderer IPC messages during a detach operation.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7820
Title:
Use-after-free vulnerability in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7820
CVE-2015-1221
Severity:
High
Description:
Use-after-free vulnerability in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging incorrect ordering of operations in the Web SQL Database thread relative to Blink's main thread, related to the shutdown function in web/WebKit.cpp.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7878
Title:
Use-after-free vulnerability in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7878
CVE-2015-1220
Severity:
Medium
Description:
Use-after-free vulnerability in the GIFImageReader::parseData function in platform/image-decoders/gif/GIFImageReader.cpp in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted frame size in a GIF image.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7900
Title:
Use-after-free vulnerability in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7900
CVE-2015-1245
Severity:
Medium
Description:
Use-after-free vulnerability in the OpenPDFInReaderView::Update function in browser/ui/views/location_bar/open_pdf_in_reader_view.cc in Google Chrome before 41.0.2272.76 might allow user-assisted remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact by triggering interaction with a PDFium "Open PDF in Reader" button that has an invalid tab association.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7831
Title:
Use-after-free vulnerability in Blink, as used in Google Chrome before 45.0.2454.85
Type:
Web
Bulletins:
CISEC:7831
CVE-2015-1299
Severity:
High
Description:
Use-after-free vulnerability in the shared-timer implementation in Blink, as used in Google Chrome before 45.0.2454.85, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging erroneous timer firing, related to ThreadTimers.cpp and Timer.cpp.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7877
Title:
Use-after-free vulnerability in Blink, as used in Google Chrome before 43.0.2357.65
Type:
Web
Bulletins:
CISEC:7877
CVE-2015-1256
Severity:
High
Description:
Use-after-free vulnerability in the SVG implementation in Blink, as used in Google Chrome before 43.0.2357.65, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document that leverages improper handling of a shadow tree for a use element.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7828
Title:
Use-after-free vulnerability in Blink, as used in Google Chrome before 42.0.2311.135
Type:
Web
Bulletins:
CISEC:7828
CVE-2015-1243
Severity:
High
Description:
Use-after-free vulnerability in the MutationObserver::disconnect function in core/dom/MutationObserver.cpp in the DOM implementation in Blink, as used in Google Chrome before 42.0.2311.135, allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering an attempt to unregister a MutationObserver object that is not currently registered.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7893
Title:
Use-after-free vulnerability in Blink, as used in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7893
CVE-2015-1216
Severity:
High
Description:
Use-after-free vulnerability in the V8Window::namedPropertyGetterCustom function in bindings/core/v8/custom/V8WindowCustom.cpp in the V8 bindings in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a frame detachment.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7815
Title:
Use-after-free vulnerability in Blink, as used in Google Chrome before 40.0.2214.111
Type:
Web
Bulletins:
CISEC:7815
CVE-2015-1209
Severity:
High
Description:
Use-after-free vulnerability in the VisibleSelection::nonBoundaryShadowTreeRootNode function in core/editing/VisibleSelection.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers improper handling of a shadow-root anchor.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7868
Title:
Race condition in Google Chrome before 41.0.2272.118
Type:
Web
Bulletins:
CISEC:7868
CVE-2015-1234
Severity:
Medium
Description:
Race condition in gpu/command_buffer/service/gles2_cmd_decoder.cc in Google Chrome before 41.0.2272.118 allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact by manipulating OpenGL ES commands.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7875
Title:
Multiple use-after-free vulnerabilities in Google Chrome before 45.0.2454.85
Type:
Web
Bulletins:
CISEC:7875
CVE-2015-1295
Severity:
High
Description:
Multiple use-after-free vulnerabilities in the PrintWebViewHelper class in components/printing/renderer/print_web_view_helper.cc in Google Chrome before 45.0.2454.85 allow user-assisted remote attackers to cause a denial of service or possibly have unspecified other impact by triggering nested IPC messages during preparation for printing, as demonstrated by messages associated with PDF documents in conjunction with messages about printer capabilities.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7899
Title:
Multiple use-after-free vulnerabilities in Google Chrome before 44.0.2403.89
Type:
Web
Bulletins:
CISEC:7899
CVE-2015-1282
Severity:
Medium
Description:
Multiple use-after-free vulnerabilities in fpdfsdk/src/javascript/Document.cpp in PDFium, as used in Google Chrome before 44.0.2403.89, allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document, related to the (1) Document::delay and (2) Document::DoFieldDelay functions.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7827
Title:
Multiple use-after-free vulnerabilities in Google Chrome before 43.0.2357.65
Type:
Web
Bulletins:
CISEC:7827
CVE-2015-1260
Severity:
High
Description:
Multiple use-after-free vulnerabilities in content/renderer/media/user_media_client_impl.cc in the WebRTC implementation in Google Chrome before 43.0.2357.65 allow remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that executes upon completion of a getUserMedia request.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7849
Title:
Multiple use-after-free vulnerabilities in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7849
CVE-2015-1222
Severity:
High
Description:
Multiple use-after-free vulnerabilities in the ServiceWorkerScriptCacheMap implementation in content/browser/service_worker/service_worker_script_cache_map.cc in Google Chrome before 41.0.2272.76 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a ServiceWorkerContextWrapper::DeleteAndStartOver call, related to the NotifyStartedCaching and NotifyFinishedCaching functions.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7894
Title:
Multiple use-after-free vulnerabilities in Blink, as used in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7894
CVE-2015-1223
Severity:
High
Description:
Multiple use-after-free vulnerabilities in core/html/HTMLInputElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 41.0.2272.76, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger extraneous change events, as demonstrated by events for invalid input or input to read-only fields, related to the initializeTypeInParsing and updateType functions.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7895
Title:
Multiple use-after-free vulnerabilities in Blink, as used in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7895
CVE-2015-1218
Severity:
High
Description:
Multiple use-after-free vulnerabilities in the DOM implementation in Blink, as used in Google Chrome before 41.0.2272.76, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger movement of a SCRIPT element to different documents, related to (1) the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp and (2) the SVGScriptElement::didMoveToNewDocument function in core/svg/SVGScriptElement.cpp.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7871
Title:
Multiple unspecified vulnerabilities in Google Chrome before 44.0.2403.89
Type:
Web
Bulletins:
CISEC:7871
CVE-2015-1289
Severity:
High
Description:
Multiple unspecified vulnerabilities in Google Chrome before 44.0.2403.89 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7836
Title:
Multiple unspecified vulnerabilities in Google Chrome before 43.0.2357.65
Type:
Web
Bulletins:
CISEC:7836
CVE-2015-1265
Severity:
High
Description:
Multiple unspecified vulnerabilities in Google Chrome before 43.0.2357.65 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7903
Title:
Multiple unspecified vulnerabilities in Google Chrome before 42.0.2311.90
Type:
Web
Bulletins:
CISEC:7903
CVE-2015-1249
Severity:
High
Description:
Multiple unspecified vulnerabilities in Google Chrome before 42.0.2311.90 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7860
Title:
Multiple unspecified vulnerabilities in Google Chrome before 42.0.2311.135
Type:
Web
Bulletins:
CISEC:7860
CVE-2015-1250
Severity:
High
Description:
Multiple unspecified vulnerabilities in Google Chrome before 42.0.2311.135 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7865
Title:
Multiple unspecified vulnerabilities in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7865
CVE-2015-1231
Severity:
High
Description:
Multiple unspecified vulnerabilities in Google Chrome before 41.0.2272.76 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7876
Title:
Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.91
Type:
Web
Bulletins:
CISEC:7876
CVE-2015-1205
Severity:
High
Description:
Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.91 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7823
Title:
Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.111
Type:
Web
Bulletins:
CISEC:7823
CVE-2015-1212
Severity:
High
Description:
Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7814
Title:
Multiple integer overflows in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products
Type:
Web
Bulletins:
CISEC:7814
CVE-2015-1283
Severity:
Medium
Description:
Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7887
Title:
Memory corruption in V8 in Google Chrome before 44.0.2403.89
Type:
Web
Bulletins:
CISEC:7887
CVE-2015-1290
Severity:
High
Description:
Memory corruption in V8 in Google Chrome before 44.0.2403.89.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7842
Title:
Integer overflow in Skia, as used in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7842
CVE-2015-1214
Severity:
High
Description:
Integer overflow in the SkAutoSTArray implementation in include/core/SkTemplates.h in the filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a reset action with a large count value, leading to an out-of-bounds write operation.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7843
Title:
Integer overflow in Google Chrome before 44.0.2403.89
Type:
Web
Bulletins:
CISEC:7843
CVE-2015-1279
Severity:
High
Description:
Integer overflow in the CJBig2_Image::expand function in fxcodec/jbig2/JBig2_Image.cpp in PDFium, as used in Google Chrome before 44.0.2403.89, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via large height and stride values.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7888
Title:
Integer overflow in Google Chrome before 41.0.2272.76
Type:
Web
Bulletins:
CISEC:7888
CVE-2015-1219
Severity:
High
Description:
Integer overflow in the SkMallocPixelRef::NewAllocate function in core/SkMallocPixelRef.cpp in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted allocation of a large amount of memory during WebGL rendering.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7834
Title:
Heap-based buffer overflow in PDFium in Google Chrome before 44.0.2403.89
Type:
Web
Bulletins:
CISEC:7834
CVE-2015-1273
Severity:
Medium
Description:
Heap-based buffer overflow in j2k.c in OpenJPEG before r3002, as used in PDFium in Google Chrome before 44.0.2403.89, allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid JPEG2000 data in a PDF document.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7862
Title:
Double-free vulnerability in Google Chrome 41.0.2251.0
Type:
Web
Bulletins:
CISEC:7862
CVE-2015-1207
Severity:
Medium
Description:
Double-free vulnerability in libavformat/mov.c in FFMPEG in Google Chrome 41.0.2251.0 allows remote attackers to cause a denial of service (memory corruption and crash) via a crafted .m4a file.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7846
Title:
Cross-site scripting
Type:
Web
Bulletins:
CISEC:7846
CVE-2015-1264
Severity:
Medium
Description:
Cross-site scripting (XSS) vulnerability in Google Chrome before 43.0.2357.65 allows user-assisted remote attackers to inject arbitrary web script or HTML via crafted data that is improperly handled by the Bookmarks feature.
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7857
Title:
Cross-site scripting
Type:
Web
Bulletins:
CISEC:7857
CVE-2015-1286
Severity:
Medium
Description:
Cross-site scripting (XSS) vulnerability in the V8ContextNativeHandler::GetModuleSystem function in extensions/renderer/v8_context_native_handler.cc in Google Chrome before 44.0.2403.89 allows remote attackers to inject arbitrary web script or HTML by leveraging the lack of a certain V8 context restriction, aka a Blink "Universal XSS (UXSS)."
Applies to:
Google Chrome
Created:
2020-07-17
Updated:
2024-01-17

ID:
CISEC:7785
Title:
Windows WLAN Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7785
CVE-2020-1270
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the wlansvc.dll properly handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7782
Title:
Windows WalletService Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7782
CVE-2020-1287
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows WalletService properly handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7719
Title:
Windows WalletService Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7719
CVE-2020-1294
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows WalletService properly handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7776
Title:
Windows Update Orchestrator Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7776
CVE-2020-1313
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Update Orchestrator Service handles file operations.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7777
Title:
Windows Text Service Framework Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7777
CVE-2020-1314
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server fails to properly handle messages sent from TSF clients. An attacker who successfully exploited this vulnerability could run arbitrary code in a privileged process. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how TSF server handles messages in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7766
Title:
Windows State Repository Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7766
CVE-2020-1305
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7718
Title:
Windows SMBv3 Client/Server Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7718
CVE-2020-1206
Severity:
Medium
Description:
An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it. The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7727
Title:
Windows SMB Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7727
CVE-2020-1301
Severity:
Medium
Description:
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server. To exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server. The security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7778
Title:
Windows Shell Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7778
CVE-2020-1286
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. To exploit the vulnerability, an attacker must entice a user to open a specially crafted file. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and then convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force a user to visit the website. Instead, an attacker would have to convince a user to click a link and open the specially crafted file. This security update addresses the vulnerability by ensuring the Windows Shell properly validates file paths.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7757
Title:
Windows Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7757
CVE-2020-1268
Severity:
Low
Description:
An information disclosure vulnerability exists when a Windows service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how a Windows service handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7763
Title:
Windows Runtime Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7763
CVE-2020-1217
Severity:
Medium
Description:
An information disclosure vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could read memory that was freed and might run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7797
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7797
CVE-2020-1233
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7758
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7758
CVE-2020-1235
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7715
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7715
CVE-2020-1265
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7731
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7731
CVE-2020-1304
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7738
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7738
CVE-2020-1282
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7746
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7746
CVE-2020-1231
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7750
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7750
CVE-2020-1306
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7779
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7779
CVE-2020-1334
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7752
Title:
Windows Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7752
CVE-2020-1300
Severity:
Medium
Description:
A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver. The update addresses the vulnerability by correcting how Windows handles cabinet files.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7760
Title:
Windows Registry Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7760
CVE-2020-1194
Severity:
Medium
Description:
A denial of service vulnerability exists when Windows Registry improperly handles filesystem operations. An attacker who successfully exploited the vulnerability could cause a denial of service against a system. To exploit the vulnerability, an attacker who has access to the system could run a specially crafted application. The security update addresses the vulnerability by correcting how Windows Registry handles filesystem operations and only allowing the tracing to be captured under the default path.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7795
Title:
Windows Print Configuration Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7795
CVE-2020-1196
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the printconfig.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the printconfig.dll properly handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7717
Title:
Windows OLE Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7717
CVE-2020-1281
Severity:
Medium
Description:
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. To exploit the vulnerability, an attacker would have to convince a user to open either a specially crafted file or a program from either a webpage or an email message. The update addresses the vulnerability by correcting how Windows OLE validates user input.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7787
Title:
Windows Now Playing Session Manager Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7787
CVE-2020-1201
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way the Windows Now Playing Session Manager handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how the Windows Now Playing Session Manager handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7774
Title:
Windows Network List Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7774
CVE-2020-1209
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Network List Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network List Service properly handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7728
Title:
Windows Network Connections Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7728
CVE-2020-1291
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7780
Title:
Windows Modules Installer Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7780
CVE-2020-1254
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows Modules Installer Service improperly handles class object members. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting how Windows handles calls to preclude unintended elevation.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7720
Title:
Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7720
CVE-2020-1204
Severity:
Low
Description:
An elevation of privilege vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to delete files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and remove files. The security update addresses the vulnerability by correcting how Windows MDM Diagnostics handles files.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7764
Title:
Windows Lockscreen Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7764
CVE-2020-1279
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Windows Lockscreen fails to properly load spotlight images from a secure location. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. An authenticated attacker could modify a registry value to exploit this vulnerability. The security update addresses the vulnerability by ensuring that the spotlight images are always loaded from a secure location.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7722
Title:
Windows Kernel Security Feature Bypass Vulnerability
Type:
Software
Bulletins:
CISEC:7722
CVE-2020-1241
Severity:
Medium
Description:
A security feature bypass vulnerability exists when Windows Kernel fails to properly sanitize certain parameters. To exploit the vulnerability, a locally-authenticated attacker could attempt to run a specially crafted application on a targeted system. The update addresses the vulnerability by correcting how Windows Kernel handles parameter sanitization.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7789
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7789
CVE-2020-1262
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7790
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7790
CVE-2020-1275
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7791
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7791
CVE-2020-1307
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7723
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7723
CVE-2020-1269
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7724
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7724
CVE-2020-1264
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7725
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7725
CVE-2020-1246
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7726
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7726
CVE-2020-1237
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7730
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7730
CVE-2020-1273
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7734
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7734
CVE-2020-1274
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7735
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7735
CVE-2020-0986
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7736
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7736
CVE-2020-1276
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7742
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7742
CVE-2020-1266
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7769
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7769
CVE-2020-1316
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7796
Title:
Windows Installer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7796
CVE-2020-1302
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. To exploit the vulnerability, an attacker would require unprivileged execution on the victim system. After successfully exploiting the vulnerability, an attacker could run arbitrary code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the way Windows Installer handles certain filesystem operations.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7748
Title:
Windows Installer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7748
CVE-2020-1277
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. To exploit the vulnerability, an attacker would require unprivileged execution on the victim system. After successfully exploiting the vulnerability, an attacker could run arbitrary code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the way Windows Installer handles certain filesystem operations.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7751
Title:
Windows Installer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7751
CVE-2020-1312
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. To exploit the vulnerability, an attacker would require unprivileged execution on the victim system. After successfully exploiting the vulnerability, an attacker could run arbitrary code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the way Windows Installer handles certain filesystem operations.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7762
Title:
Windows Installer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7762
CVE-2020-1272
Severity:
High
Description:
An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7793
Title:
Windows Host Guardian Service Security Feature Bypass Vulnerability
Type:
Software
Bulletins:
CISEC:7793
CVE-2020-1259
Severity:
Medium
Description:
A security feature bypass vulnerability exists when Windows Host Guardian Service improperly handles hashes recorded and logged. An attacker who successfully exploited the vulnerability could tamper with the log file. In an attack scenario, an attacker can change existing event log types to a type the parsers do not interpret, allowing an attacker to append their own hash without triggering an alert. The update addresses the vulnerability by correcting how Windows Host Guardian Service handles logging of the measured boot hash.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7786
Title:
Windows GDI Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7786
CVE-2020-1348
Severity:
Medium
Description:
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7714
Title:
Windows GDI Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7714
CVE-2020-0916
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how GDI handles objects in memory and by preventing instances of unintended user-mode privilege elevation.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7744
Title:
Windows GDI Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7744
CVE-2020-0915
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how GDI handles objects in memory and by preventing instances of unintended user-mode privilege elevation.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7747
Title:
Windows Feedback Hub Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7747
CVE-2020-1199
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Feedback Hub improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit this vulnerability, an attacker would first have to log on to the system with Windows Mixed Reality installed. An attacker could then run a specially crafted application to take control of an affected system. The security update addresses the vulnerability by correcting how the Feedback Hub handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7775
Title:
Windows Error Reporting Manager Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7775
CVE-2020-1197
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows Error Reporting manager handles process crashes.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7792
Title:
Windows Error Reporting Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7792
CVE-2020-1261
Severity:
Low
Description:
An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted application or convince a target to run a crafted application. The security update addresses the vulnerability by correcting the way WER handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7759
Title:
Windows Error Reporting Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7759
CVE-2020-1263
Severity:
Low
Description:
An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted application or convince a target to run a crafted application. The security update addresses the vulnerability by correcting the way WER handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7773
Title:
Windows Error Reporting Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7773
CVE-2020-1234
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles objects in memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how Windows Error Reporting handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7799
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7799
CVE-2020-1162
Severity:
Medium
Description:
An elevation of privilege (user to user) vulnerability exists in Windows Security Health Service when handling certain objects in memory. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted command that could exploit the vulnerability to elevate privileges. The update addresses the vulnerability by correcting how Windows Security Health Service handles certain objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7756
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7756
CVE-2020-1324
Severity:
Medium
Description:
An elevation of privilege (user to user) vulnerability exists in Windows Security Health Service when handling certain objects in memory. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted command that could exploit the vulnerability to elevate privileges. The update addresses the vulnerability by correcting how Windows Security Health Service handles certain objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7741
Title:
Windows Diagnostics & feedback Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7741
CVE-2020-1296
Severity:
Low
Description:
A vulnerability exists in the way the Windows Diagnostics & feedback settings app handles objects in memory. An attacker who successfully exploited this vulnerability could cause additional diagnostic data from the affected device to be sent to Microsoft. To exploit the vulnerability, an attacker would have to log on to an affected system and interact with the Windows Diagnostics & feedback Settings app. The security update addresses the vulnerability by correcting the way the Windows Diagnostics & feedback Settings app handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7765
Title:
Windows Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7765
CVE-2020-1283
Severity:
High
Description:
A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application or convince a user to open a specific file on a network share. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to cause a target system to stop responding. The update addresses the vulnerability by correcting how Windows handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7767
Title:
Windows Bluetooth Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7767
CVE-2020-1280
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Bluetooth Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Bluetooth Service properly handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7753
Title:
Windows Backup Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7753
CVE-2020-1271
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7716
Title:
Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7716
CVE-2020-1255
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. To exploit this vulnerability, an attacker would require permissions to upload files via BITS. An attacker could then submit a specially crafted request to upload a file. The security update addresses the vulnerability by correcting how Windows BITS validates file names.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7743
Title:
Win32k Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7743
CVE-2020-1290
Severity:
Low
Description:
An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7732
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7732
CVE-2020-1247
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7737
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7737
CVE-2020-1310
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7739
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7739
CVE-2020-1251
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7740
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7740
CVE-2020-1253
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7770
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7770
CVE-2020-1207
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7749
Title:
OpenSSH for Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7749
CVE-2020-1292
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in OpenSSH for Windows when it does not properly restrict access to configuration settings. An attacker who successfully exploited this vulnerability could replace the shell with a malicious binary. To exploit this vulnerability, an authenticated attacker would need to modify the OpenSSH for Windows configuration on a vulnerable system. The attacker would then need to convince a user to connect to the vulnerable OpenSSH for Windows server. The update addresses the vulnerability by restricting access to OpenSSH for Windows configuration settings.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7772
Title:
OLE Automation Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7772
CVE-2020-1212
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when an OLE Automation component improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how an OLE Automation component handles memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7781
Title:
Microsoft Store Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7781
CVE-2020-1222
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Microsoft Store Runtime handles memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7798
Title:
Microsoft Store Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7798
CVE-2020-1309
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Microsoft Store Runtime handles memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7794
Title:
Microsoft Graphics Component Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7794
CVE-2020-1160
Severity:
Low
Description:
An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting the way in which the Windows Graphics Component handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7783
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7783
CVE-2020-1239
Severity:
Medium
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7771
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7771
CVE-2020-1238
Severity:
Medium
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7755
Title:
Media Foundation Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7755
CVE-2020-1232
Severity:
Medium
Description:
An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log onto an affected system and open a specially crafted file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7729
Title:
LNK Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7729
CVE-2020-1299
Severity:
High
Description:
A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice on the target system. The security update addresses the vulnerability by correcting the processing of shortcut LNK references.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7745
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7745
CVE-2020-1236
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7768
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7768
CVE-2020-1208
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7754
Title:
Group Policy Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7754
CVE-2020-1317
Severity:
High
Description:
An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how Group Policy checks access.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7733
Title:
GDI+ Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7733
CVE-2020-1248
Severity:
High
Description:
A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message. In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file. The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7721
Title:
DirectX Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7721
CVE-2020-1258
Severity:
High
Description:
An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7784
Title:
Connected User Experiences and Telemetry Service Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7784
CVE-2020-1244
Severity:
Medium
Description:
A denial of service vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could cause a system to stop responding. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7788
Title:
Connected Devices Platform Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7788
CVE-2020-1211
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Connected Devices Platform Service properly handles objects in memory.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7761
Title:
Component Object Model Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7761
CVE-2020-1311
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how COM handles special case IIDs, to help preclude unintended elevated system privileges.
Applies to:
Created:
2020-07-10
Updated:
2024-01-17

ID:
CISEC:7663
Title:
Vulnerability in Acronis True Image up to and including version 2017 Build 8053
Type:
Software
Bulletins:
CISEC:7663
CVE-2017-3219
Severity:
High
Description:
Acronis True Image up to and including version 2017 Build 8053 performs software updates using HTTP. Downloaded updates are only verified using a server-provided MD5 hash.
Applies to:
Acronis True Image
Created:
2020-07-03
Updated:
2024-01-17

ID:
CISEC:7666
Title:
Untrusted search path vulnerability in Amazon Kindle before 1.19
Type:
Software
Bulletins:
CISEC:7666
CVE-2017-6189
Severity:
Medium
Description:
Untrusted search path vulnerability in Amazon Kindle for PC before 1.19 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse DLL in the current working directory of the Kindle Setup installer.
Applies to:
Amazon Kindle
Created:
2020-07-03
Updated:
2024-01-17

ID:
CISEC:7653
Title:
Microsoft Office Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7653
Severity:
Low
Description:
A remote code execution vulnerability exists when Microsoft Office improperly loads arbitrary type libraries, aka 'Microsoft Office Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0991.
Applies to:
Microsoft Access 2010
Microsoft Access 2013
Microsoft Access 2016
Microsoft Excel 2010
Microsoft Excel 2013
Microsoft Excel 2016
Microsoft Office 2010
Microsoft Office 2013
Microsoft Office 2016
Microsoft Outlook 2010
Microsoft Outlook 2013
Created:
2020-07-03
Updated:
2020-07-03

ID:
CISEC:7576
Title:
Windows Update Stack Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7576
CVE-2020-1109
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows Update Stack handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7585
Title:
Windows Update Stack Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7585
CVE-2020-1110
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows Update Stack handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7590
Title:
Windows Task Scheduler Security Feature Bypass Vulnerability
Type:
Software
Bulletins:
CISEC:7590
CVE-2020-1113
Severity:
High
Description:
A security feature bypass vulnerability exists in Microsoft Windows when the Task Scheduler service fails to properly verify client connections over RPC. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, a man-in-the-middle attacker would need to send a specially crafted request to a vulnerable system. The security update addresses the vulnerability by correcting how the Task Scheduler service validates connections.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7609
Title:
Windows Subsystem for Linux Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7609
CVE-2020-1075
Severity:
Low
Description:
An information disclosure vulnerability exists when Windows Subsystem for Linux improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how Windows Subsystem for Linux handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7619
Title:
Windows Storage Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7619
CVE-2020-1138
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Storage Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges on the victim system. To exploit the vulnerability, an attacker would first have to gain execution on the victim system, then run a specially crafted application. The security update addresses the vulnerability by correcting how the Storage Service handles file operations.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7564
Title:
Windows State Repository Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7564
CVE-2020-1190
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7584
Title:
Windows State Repository Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7584
CVE-2020-1189
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7596
Title:
Windows State Repository Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7596
CVE-2020-1188
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7599
Title:
Windows State Repository Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7599
CVE-2020-1184
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7600
Title:
Windows State Repository Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7600
CVE-2020-1191
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7602
Title:
Windows State Repository Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7602
CVE-2020-1187
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7603
Title:
Windows State Repository Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7603
CVE-2020-1186
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7604
Title:
Windows State Repository Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7604
CVE-2020-1124
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7606
Title:
Windows State Repository Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7606
CVE-2020-1134
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7617
Title:
Windows State Repository Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7617
CVE-2020-1144
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7618
Title:
Windows State Repository Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7618
CVE-2020-1131
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7558
Title:
Windows State Repository Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7558
CVE-2020-1185
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows State Repository Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows State Repository Service handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7569
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7569
CVE-2020-1090
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7578
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7578
CVE-2020-1155
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7591
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7591
CVE-2020-1125
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7594
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7594
CVE-2020-1164
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7605
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7605
CVE-2020-1086
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7611
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7611
CVE-2020-1151
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7613
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7613
CVE-2020-1157
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7623
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7623
CVE-2020-1156
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7560
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7560
CVE-2020-1158
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7561
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7561
CVE-2020-1077
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7552
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7552
CVE-2020-1149
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7555
Title:
Windows Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7555
CVE-2020-1139
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7550
Title:
Windows Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7550
CVE-2020-1067
Severity:
High
Description:
A remote code execution vulnerability exists in the way that Windows handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code with elevated permissions on a target system. To exploit the vulnerability, an attacker who has a domain user account could create a specially crafted request, causing Windows to execute arbitrary code with elevated permissions. The security update addresses the vulnerability by correcting how Windows handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7620
Title:
Windows Remote Access Common Dialog Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7620
CVE-2020-1071
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows improperly handles errors tied to Remote Access Common Dialog. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. To exploit this vulnerability, an attacker would need to physically access the booted machine to reach the logon screen. An attacker could then exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how Windows handles errors tied to Remote Access Common Dialog.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7551
Title:
Windows Push Notification Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7551
CVE-2020-1137
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7597
Title:
Windows Printer Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7597
CVE-2020-1081
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Printer Service improperly validates file paths while loading printer drivers. An authenticated attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows Printer Service validates file paths.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7607
Title:
Windows Print Spooler Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7607
CVE-2020-1048
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows Print Spooler Component writes to the file system.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7546
Title:
Windows Print Spooler Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7546
CVE-2020-1070
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows Print Spooler Component writes to the file system.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7579
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7579
CVE-2020-1072
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7573
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7573
CVE-2020-1087
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7595
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7595
CVE-2020-1114
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7574
Title:
Windows Installer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7574
CVE-2020-1078
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. To exploit the vulnerability, an attacker would require unprivileged execution on the victim system. After successfully exploiting the vulnerability, an attacker could run arbitrary code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the way Windows Installer handles certain filesystem operations.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7622
Title:
Windows Hyper-V Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7622
CVE-2020-0909
Severity:
Medium
Description:
A denial of service vulnerability exists when Hyper-V on a Windows Server fails to properly handle specially crafted network packets. To exploit the vulnerability, an attacker would send specially crafted network packets to the Hyper-V Server. The security update addresses the vulnerability by resolving the conditions where Hyper-V would fail to properly handle these network packets.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7554
Title:
Windows Graphics Component Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7554
CVE-2020-1135
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7588
Title:
Windows GDI Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7588
CVE-2020-1141
Severity:
Low
Description:
An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how GDI handles memory addresses.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7601
Title:
Windows GDI Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7601
CVE-2020-1179
Severity:
Medium
Description:
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7548
Title:
Windows GDI Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7548
CVE-2020-0963
Severity:
Medium
Description:
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7549
Title:
Windows GDI Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7549
CVE-2020-1145
Severity:
Low
Description:
An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how GDI handles memory addresses.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7570
Title:
Windows GDI Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7570
CVE-2020-1142
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how GDI handles objects in memory and by preventing instances of unintended user-mode privilege elevation.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7562
Title:
Windows Error Reporting Manager Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7562
CVE-2020-1132
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles file and folder links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows Error Reporting manager handles file and folder links.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7587
Title:
Windows Error Reporting Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7587
CVE-2020-1082
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by correcting the way that WER handles and executes files.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7589
Title:
Windows Error Reporting Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7589
CVE-2020-1021
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by correcting the way that WER handles and executes files.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7621
Title:
Windows Error Reporting Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7621
CVE-2020-1088
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by correcting the way that WER handles and executes files.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7553
Title:
Windows Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7553
CVE-2020-1076
Severity:
Low
Description:
A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to cause a target system to stop responding. The update addresses the vulnerability by correcting how Windows handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7608
Title:
Windows CSRSS Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7608
CVE-2020-1116
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows Client Server Run-Time Subsystem (CSRSS) fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application. The update addresses the vulnerability by correcting how the Windows CSRSS handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7571
Title:
Windows Common Log File System Driver Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7571
CVE-2020-1154
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how CLFS handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7565
Title:
Windows Clipboard Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7565
CVE-2020-1121
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows improperly handles calls to Clipboard Service. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system. The update addresses the vulnerability by correcting how Windows handles calls to Clipboard Service.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7568
Title:
Windows Clipboard Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7568
CVE-2020-1165
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows improperly handles calls to Clipboard Service. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system. The update addresses the vulnerability by correcting how Windows handles calls to Clipboard Service.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7556
Title:
Windows Clipboard Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7556
CVE-2020-1111
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows improperly handles calls to Clipboard Service. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system. The update addresses the vulnerability by correcting how Windows handles calls to Clipboard Service.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7559
Title:
Windows Clipboard Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7559
CVE-2020-1166
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows improperly handles calls to Clipboard Service. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system. The update addresses the vulnerability by correcting how Windows handles calls to Clipboard Service.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7592
Title:
Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7592
CVE-2020-1112
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) IIS module improperly handles uploaded content. An attacker who successfully exploited this vulnerability could upload restricted file types to an IIS-hosted folder. To exploit this vulnerability, an attacker would require permissions to upload files via BITS. An attacker could then submit a specially crafted request to upload a file. The security update addresses the vulnerability by correcting how Windows BITS validates file names.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7598
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7598
CVE-2020-1054
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7612
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7612
CVE-2020-1143
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7580
Title:
Microsoft Windows Transport Layer Security Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7580
CVE-2020-1118
Severity:
High
Description:
A denial of service vulnerability exists in the Windows implementation of Transport Layer Security (TLS) when it improperly handles certain key exchanges. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. To exploit this vulnerability, a remote unauthenticated attacker could send a specially crafted request to a target system utilizing TLS 1.2 or lower, triggering the system to automatically reboot. The update addresses the vulnerability by changing the way TLS key exchange messages are validated.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7567
Title:
Microsoft Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7567
CVE-2020-1079
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how Windows handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7610
Title:
Microsoft Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7610
CVE-2020-1068
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows Media Service that allows file creation in arbitrary locations. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Windows Media Service handles file creation.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7547
Title:
Microsoft Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7547
CVE-2020-1010
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows Block Level Backup Engine Service (wbengine) that allows file deletion in arbitrary locations. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Windows Block Level Backup Engine Service handles file operations.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7581
Title:
Microsoft Script Runtime Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7581
CVE-2020-1061
Severity:
High
Description:
A remote code execution vulnerability exists in the way that the Microsoft Script Runtime handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Microsoft Script Runtime handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7582
Title:
Microsoft Graphics Components Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7582
CVE-2020-1153
Severity:
High
Description:
A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7615
Title:
Microsoft Color Management Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7615
CVE-2020-1117
Severity:
High
Description:
A remote code execution vulnerability exists in the way that the Color Management Module (ICM32.dll) handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. The security update addresses the vulnerability by correcting how Color Management Module handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7577
Title:
Microsoft Active Directory Federation Services Cross-Site Scripting Vulnerability
Type:
Software
Bulletins:
CISEC:7577
CVE-2020-1055
Severity:
Medium
Description:
A cross-site-scripting (XSS) vulnerability exists when Active Directory Federation Services (ADFS) does not properly sanitize user inputs. An unauthenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected ADFS server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run scripts in the security context of the current user. This security update addresses the vulnerability by ensuring that ADFS properly sanitizes user inputs.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7572
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7572
CVE-2020-1150
Severity:
Medium
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7583
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7583
CVE-2020-1028
Severity:
High
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7614
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7614
CVE-2020-1136
Severity:
High
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7557
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7557
CVE-2020-1126
Severity:
High
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7566
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7566
CVE-2020-1174
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7575
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7575
CVE-2020-1051
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7586
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7586
CVE-2020-1175
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7563
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7563
CVE-2020-1176
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7616
Title:
DirectX Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7616
CVE-2020-1140
Severity:
High
Description:
An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7593
Title:
Connected User Experiences and Telemetry Service Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7593
CVE-2020-1123
Severity:
Low
Description:
A denial of service vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could cause a system to stop responding. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7545
Title:
Connected User Experiences and Telemetry Service Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7545
CVE-2020-1084
Severity:
Low
Description:
A denial of service vulnerability exists when Connected User Experiences and Telemetry Service fails to validate certain function values. An attacker who successfully exploited this vulnerability could deny dependent security feature functionality. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service validates certain function values.
Applies to:
Created:
2020-06-12
Updated:
2024-01-17

ID:
CISEC:7516
Title:
Windows VBScript Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7516
Severity:
Low
Description:
A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka 'Windows VBScript Engine Remote Code Execution Vulnerability'.
Applies to:
Internet Explorer 11
Internet Explorer 9
Created:
2020-05-29
Updated:
2021-12-30

ID:
CISEC:7515
Title:
VBScript Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7515
Severity:
Low
Description:
A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka 'VBScript Remote Code Execution Vulnerability'.
Applies to:
Internet Explorer 11
Internet Explorer 9
Created:
2020-05-29
Updated:
2021-12-30

ID:
CISEC:7513
Title:
Scripting Engine Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7513
Severity:
Low
Description:
A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka 'Scripting Engine Memory Corruption Vulnerability'.
Applies to:
Internet Explorer 11
Microsoft Edge
Created:
2020-05-29
Updated:
2021-12-30

ID:
CISEC:7518
Title:
Scripting Engine Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7518
Severity:
Low
Description:
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0830, CVE-2020-0831, CVE-2020-0833, CVE-2020-0848.
Applies to:
Internet Explorer 11
Internet Explorer 9
Created:
2020-05-29
Updated:
2021-12-30

ID:
CISEC:7519
Title:
Scripting Engine Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7519
Severity:
Low
Description:
A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0831, CVE-2020-0832, CVE-2020-0833, CVE-2020-0848.
Applies to:
Internet Explorer 11
Microsoft Edge
Created:
2020-05-29
Updated:
2021-12-30

ID:
CISEC:7506
Title:
Scripting Engine Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7506
Severity:
Low
Description:
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0823, CVE-2020-0825, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0830, CVE-2020-0831, CVE-2020-0832, CVE-2020-0833, CVE-2020-0848.
Applies to:
Microsoft Edge
Created:
2020-05-29
Updated:
2021-12-30

ID:
CISEC:7507
Title:
Scripting Engine Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7507
Severity:
Low
Description:
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0968.
Applies to:
Microsoft Edge (EdgeHTML-based)
Created:
2020-05-29
Updated:
2021-12-30

ID:
CISEC:7508
Title:
Scripting Engine Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7508
Severity:
Low
Description:
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0830, CVE-2020-0831, CVE-2020-0832, CVE-2020-0833, CVE-2020-0848.
Applies to:
Microsoft Edge
Created:
2020-05-29
Updated:
2021-12-30

ID:
CISEC:7512
Title:
Scripting Engine Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7512
Severity:
Low
Description:
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0830, CVE-2020-0831, CVE-2020-0832, CVE-2020-0833.
Applies to:
Microsoft Edge
Created:
2020-05-29
Updated:
2021-12-30

ID:
CISEC:7509
Title:
Microsoft Edge Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7509
Severity:
Low
Description:
A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka 'Microsoft Edge Memory Corruption Vulnerability'.
Applies to:
Microsoft Edge
Created:
2020-05-29
Updated:
2021-12-30

ID:
CISEC:7517
Title:
Internet Explorer Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7517
Severity:
Low
Description:
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, aka 'Internet Explorer Memory Corruption Vulnerability'.
Applies to:
Internet Explorer 11
Created:
2020-05-29
Updated:
2021-12-30

ID:
CISEC:7514
Title:
Chakra Scripting Engine Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7514
Severity:
Low
Description:
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based), aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. (CVE-2020-0812) A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. (CVE-2020-0825)
Applies to:
Microsoft Edge
Created:
2020-05-29
Updated:
2021-12-30

ID:
CISEC:7510
Title:
Chakra Scripting Engine Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7510
Severity:
Low
Description:
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based), aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.
Applies to:
Microsoft Edge
Created:
2020-05-29
Updated:
2021-12-30

ID:
CISEC:7511
Title:
Chakra Scripting Engine Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7511
Severity:
Low
Description:
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based), aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.
Applies to:
Microsoft Edge
Created:
2020-05-29
Updated:
2021-12-30

ID:
CISEC:7427
Title:
Windows Work Folder Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7427
CVE-2020-1094
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7443
Title:
Windows Update Stack Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7443
CVE-2020-0996
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows Update Stack handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7487
Title:
Windows Update Stack Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7487
CVE-2020-0985
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows Update Stack handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7488
Title:
Windows Token Security Feature Bypass Vulnerability
Type:
Software
Bulletins:
CISEC:7488
CVE-2020-0981
Severity:
Medium
Description:
A security feature bypass vulnerability exists when Windows fails to properly handle token relationships. An attacker who successfully exploited the vulnerability could allow an application with a certain integrity level to execute code at a different integrity level, leading to a sandbox escape. The update addresses the vulnerability by correcting how Windows handles token relationships.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7455
Title:
Windows SMBv3 Client/Server Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7455
CVE-2020-0796
Severity:
High
Description:
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it. The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7480
Title:
Windows Scheduled Task Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7480
CVE-2020-0936
Severity:
Low
Description:
An elevation of privilege vulnerability exists when a Windows scheduled task improperly handles file redirections. An attacker who successfully exploited this vulnerability could delete a targeted file they would not have permissions to. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability. The security update addresses the vulnerability by correcting how Windows scheduled tasks handle file redirections.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7454
Title:
Windows Push Notification Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7454
CVE-2020-1016
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows Push Notification Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7436
Title:
Windows Push Notification Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7436
CVE-2020-1017
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7469
Title:
Windows Push Notification Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7469
CVE-2020-1001
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7482
Title:
Windows Push Notification Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7482
CVE-2020-1006
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7486
Title:
Windows Push Notification Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7486
CVE-2020-0940
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7426
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7426
CVE-2020-0821
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7493
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7493
CVE-2020-1007
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7477
Title:
Windows Kernel Information Disclosure in CPU Memory Access
Type:
Software
Bulletins:
CISEC:7477
CVE-2020-0955
Severity:
Low
Description:
An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7430
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7430
CVE-2020-1000
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7466
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7466
CVE-2020-1003
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7472
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7472
CVE-2020-1027
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7490
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7490
CVE-2020-0913
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7438
Title:
Windows Hyper-V Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7438
CVE-2020-0910
Severity:
High
Description:
A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system. The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7428
Title:
Windows Hyper-V Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7428
CVE-2020-0917
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows Hyper-V on a host server fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges on a target operating system. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running. The update addresses the vulnerabilities by correcting how Windows Hyper-V handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7464
Title:
Windows Hyper-V Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7464
CVE-2020-0918
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows Hyper-V on a host server fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges on a target operating system. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running. The update addresses the vulnerabilities by correcting how Windows Hyper-V handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7424
Title:
Windows Graphics Component Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7424
CVE-2020-1004
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7437
Title:
Windows GDI Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7437
CVE-2020-0952
Severity:
Medium
Description:
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7433
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7433
CVE-2020-0983
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Delivery Optimization service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows Delivery Optimization service handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7440
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7440
CVE-2020-1009
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Microsoft Store Install Service properly handles this type of function.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7444
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7444
CVE-2020-1015
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the User-Mode Power Service properly handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7449
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7449
CVE-2020-0818
Severity:
Low
Description:
An elevation of privilege vulnerability exists in the way that the sysmain.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the sysmain.dll properly handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2021-12-30

ID:
CISEC:7450
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7450
CVE-2020-0934
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows WpcDesktopMonSvc improperly manages memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how WpcDesktopMonSvc manages memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7489
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7489
CVE-2020-1011
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows System Assessment Tool improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows System Assessment Tool handles file operations.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7475
Title:
Windows DNS Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7475
CVE-2020-0993
Severity:
Medium
Description:
A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive. To exploit the vulnerability, an authenticated attacker could send malicious DNS queries to a target, resulting in a denial of service. The update addresses the vulnerability by correcting how Windows DNS processes queries.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7432
Title:
Windows Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7432
CVE-2020-0794
Severity:
Medium
Description:
A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to cause a target system to stop responding. The update addresses the vulnerability by correcting how Windows handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7452
Title:
Win32k Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7452
CVE-2020-0699
Severity:
Low
Description:
An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7481
Title:
Win32k Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7481
CVE-2020-0962
Severity:
Low
Description:
An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7445
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7445
CVE-2020-0958
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7484
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7484
CVE-2020-0957
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7491
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7491
CVE-2020-0956
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7448
Title:
Remote Desktop Client Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7448
CVE-2020-0817
Severity:
Low
Description:
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would have no way of forcing a user to connect to the malicious server; they would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect. The update addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests.
Applies to:
Created:
2020-05-22
Updated:
2021-12-30

ID:
CISEC:7483
Title:
Microsoft Windows Update Client Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7483
CVE-2020-1014
Severity:
High
Description:
An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by enabling the Windows Update client to properly handle user privileges.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7470
Title:
Microsoft Windows Codecs Library Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7470
CVE-2020-0965
Severity:
Medium
Description:
A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7447
Title:
Microsoft Graphics Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7447
CVE-2020-0687
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or instant message that takes users to the attacker's website, or by opening an attachment sent through email. In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit the vulnerability and then convince users to open the document file. The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7457
Title:
Microsoft Graphics Components Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7457
CVE-2020-0907
Severity:
High
Description:
A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7429
Title:
Microsoft Graphics Component Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7429
CVE-2020-0982
Severity:
Low
Description:
An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting the way in which the Windows Graphics Component handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7456
Title:
Microsoft Graphics Component Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7456
CVE-2020-0987
Severity:
Low
Description:
An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting the way in which the Windows Graphics Component handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7468
Title:
Microsoft Graphics Component Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7468
CVE-2020-1005
Severity:
Low
Description:
An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting the way in which the Windows Graphics Component handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7434
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7434
CVE-2020-0948
Severity:
High
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7446
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7446
CVE-2020-0950
Severity:
High
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7459
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7459
CVE-2020-0949
Severity:
High
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7431
Title:
Media Foundation Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7431
CVE-2020-0947
Severity:
Medium
Description:
An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and open a specially crafted file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7453
Title:
Media Foundation Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7453
CVE-2020-0937
Severity:
Medium
Description:
An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and open a specially crafted file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7461
Title:
Media Foundation Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7461
CVE-2020-0939
Severity:
Medium
Description:
An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log onto an affected system and open a specially crafted file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7465
Title:
Media Foundation Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7465
CVE-2020-0945
Severity:
Medium
Description:
An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log onto an affected system and open a specially crafted file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7471
Title:
Media Foundation Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7471
CVE-2020-0946
Severity:
Medium
Description:
An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log onto an affected system and open a specially crafted file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7425
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7425
CVE-2020-0953
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7439
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7439
CVE-2020-0959
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7458
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7458
CVE-2020-0988
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7460
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7460
CVE-2020-0995
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7463
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7463
CVE-2020-0889
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7473
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7473
CVE-2020-0999
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7474
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7474
CVE-2020-1008
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7476
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7476
CVE-2020-0994
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7479
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7479
CVE-2020-0992
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7492
Title:
Jet Database Engine Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7492
CVE-2020-0960
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7451
Title:
GDI+ Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7451
CVE-2020-0964
Severity:
High
Description:
A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message. In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file. The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7467
Title:
DirectX Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7467
CVE-2020-0784
Severity:
High
Description:
An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7478
Title:
DirectX Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7478
CVE-2020-0888
Severity:
High
Description:
An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7435
Title:
Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7435
CVE-2020-1029
Severity:
High
Description:
An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7442
Title:
Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7442
CVE-2020-0942
Severity:
Low
Description:
An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could overwrite files in arbitrary locations with elevated permissions. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7462
Title:
Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7462
CVE-2020-0944
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7441
Title:
Adobe Font Manager Library Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7441
CVE-2020-0938
Severity:
Medium
Description:
A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7485
Title:
Adobe Font Manager Library Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7485
CVE-2020-1020
Severity:
Medium
Description:
A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts.
Applies to:
Created:
2020-05-22
Updated:
2024-01-17

ID:
CISEC:7340
Title:
Windows Work Folder Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7340
CVE-2020-0777
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7370
Title:
Windows Work Folder Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7370
CVE-2020-0800
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7387
Title:
Windows Work Folder Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7387
CVE-2020-0865
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7398
Title:
Windows Work Folder Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7398
CVE-2020-0797
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7402
Title:
Windows Work Folder Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7402
CVE-2020-0866
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7328
Title:
Windows Work Folder Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7328
CVE-2020-0897
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7330
Title:
Windows Work Folder Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7330
CVE-2020-0864
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7374
Title:
Windows User Profile Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7374
CVE-2020-0785
Severity:
Low
Description:
An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and delete files or folders of their choosing. The security update addresses the vulnerability by correcting how the Windows User Profile Service handles symlinks.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7347
Title:
Windows UPnP Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7347
CVE-2020-0781
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows UPnP service handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7359
Title:
Windows UPnP Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7359
CVE-2020-0783
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows UPnP service handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7365
Title:
Windows Update Orchestrator Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7365
CVE-2020-0868
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Update Orchestrator Service handles file operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7329
Title:
Windows Update Orchestrator Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7329
CVE-2020-0867
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Update Orchestrator Service handles file operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7384
Title:
Windows Tile Object Service Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7384
CVE-2020-0786
Severity:
Medium
Description:
A denial of service vulnerability exists when the Windows Tile Object Service improperly handles hard links. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would allow an attacker to overwrite system files. The update addresses the vulnerability by correcting how the Windows Tile Object Service handles hard links.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7339
Title:
Windows Search Indexer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7339
CVE-2020-0857
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7334
Title:
Windows Network List Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7334
CVE-2020-0780
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Network List Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network List Service properly handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7364
Title:
Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7364
CVE-2020-0861
Severity:
High
Description:
An information disclosure vulnerability exists when the Windows Network Driver Interface Specification (NDIS) improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to disclose kernel memory. The security update addresses the vulnerability by correcting how the Windows Network Driver Interface Specification (NDIS) handles memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7350
Title:
Windows Network Connections Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7350
CVE-2020-0871
Severity:
Low
Description:
An information disclosure vulnerability exists when Windows Network Connections Service fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. To exploit this vulnerability, an authenticated attacker could run a specially crafted application in user mode. The update addresses the vulnerability by correcting how the Windows Network Connections Service handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7343
Title:
Windows Network Connections Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7343
CVE-2020-0803
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7366
Title:
Windows Network Connections Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7366
CVE-2020-0845
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7367
Title:
Windows Network Connections Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7367
CVE-2020-0778
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7368
Title:
Windows Network Connections Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7368
CVE-2020-0804
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7375
Title:
Windows Network Connections Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7375
CVE-2020-0802
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Network Connections Service properly handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7338
Title:
Windows Modules Installer Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7338
CVE-2020-0859
Severity:
Low
Description:
An information disclosure vulnerability exists when Windows Modules Installer Service improperly discloses file information. Successful exploitation of the vulnerability could allow the attacker to read any file on the file system. To exploit the vulnerability, an attacker would have to log onto an affected system and run a specially crafted application. The update addresses the vulnerability by changing the way Windows Modules Installer Service discloses file information.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7381
Title:
Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7381
CVE-2020-0854
Severity:
Low
Description:
An elevation of privilege vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to delete files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and remove files. The security update addresses the vulnerability by correcting how Windows MDM Diagnostics handles files.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7344
Title:
Windows Language Pack Installer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7344
CVE-2020-0822
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Language Pack Installer handles file operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7327
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7327
CVE-2020-0799
Severity:
High
Description:
An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel parses symbolic links.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7361
Title:
Windows Installer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7361
CVE-2020-0779
Severity:
Low
Description:
An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and add or remove files. The security update addresses the vulnerability by modifying how reparse points are handled by the Windows Installer.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7377
Title:
Windows Installer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7377
CVE-2020-0843
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. To exploit the vulnerability, an attacker would require unprivileged execution on the victim system. After successfully exploiting the vulnerability, an attacker could run arbitrary code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the way Windows Installer handles certain filesystem operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7395
Title:
Windows Installer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7395
CVE-2020-0842
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. To exploit the vulnerability, an attacker would require unprivileged execution on the victim system. After successfully exploiting the vulnerability, an attacker could run arbitrary code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the way Windows Installer handles certain filesystem operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7400
Title:
Windows Installer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7400
CVE-2020-0814
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. To exploit the vulnerability, an attacker would require unprivileged execution on the victim system. After successfully exploiting the vulnerability, an attacker could run arbitrary code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the way Windows Installer handles certain filesystem operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7333
Title:
Windows Installer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7333
CVE-2020-0798
Severity:
High
Description:
An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7385
Title:
Windows Imaging Component Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7385
CVE-2020-0853
Severity:
Medium
Description:
An information disclosure vulnerability exists in Windows when the Windows Imaging Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit this vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or instant message that takes users to the attacker's website or by opening an attachment sent through email. In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit this vulnerability and then convince a user to open the document file. The security update addresses the vulnerability by correcting how the Windows Imaging Component handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7341
Title:
Windows Hard Link Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7341
CVE-2020-0840
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows handles hard links.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7355
Title:
Windows Hard Link Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7355
CVE-2020-0896
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows handles hard links.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7358
Title:
Windows Hard Link Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7358
CVE-2020-0841
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows handles hard links.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7331
Title:
Windows Hard Link Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7331
CVE-2020-0849
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows handles hard links.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7372
Title:
Windows Graphics Component Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7372
CVE-2020-0885
Severity:
Medium
Description:
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage. The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7342
Title:
Windows Graphics Component Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7342
CVE-2020-0791
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7383
Title:
Windows Graphics Component Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7383
CVE-2020-0898
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7369
Title:
Windows GDI Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7369
CVE-2020-0874
Severity:
Low
Description:
An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how GDI handles memory addresses.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7382
Title:
Windows GDI Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7382
CVE-2020-0882
Severity:
Medium
Description:
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7389
Title:
Windows GDI Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7389
CVE-2020-0880
Severity:
Medium
Description:
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7393
Title:
Windows GDI Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7393
CVE-2020-0774
Severity:
Medium
Description:
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7337
Title:
Windows GDI Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7337
CVE-2020-0879
Severity:
Low
Description:
An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how GDI handles memory addresses.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7376
Title:
Windows Error Reporting Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7376
CVE-2020-0775
Severity:
Low
Description:
An information disclosure vulnerability exists when Windows Error Reporting improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to disclose information. The security update addresses the vulnerability by correcting how Windows Error Reporting handles file operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7360
Title:
Windows Error Reporting Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7360
CVE-2020-0806
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by correcting the way that WER handles and executes files.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7399
Title:
Windows Error Reporting Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7399
CVE-2020-0772
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Windows Error Reporting improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how Windows Error Reporting handles memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7352
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7352
CVE-2020-0858
Severity:
High
Description:
An elevation of privilege vulnerability exists when the "Public Account Pictures" folder improperly handles junctions. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how Windows handles junctions.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7388
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7388
CVE-2020-0776
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how AppX Deployment Server handles file operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7351
Title:
Windows Device Setup Manager Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7351
CVE-2020-0819
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Device Setup Manager improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Device Setup Manager handles file operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7378
Title:
Windows Defender Security Center Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7378
CVE-2020-0763
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Windows Defender Security Center handles certain objects in memory. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted command that could exploit the vulnerability to elevate privileges. The update addresses the vulnerability by correcting how Windows Defender Security Center handles certain objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7379
Title:
Windows Defender Security Center Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7379
CVE-2020-0762
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Windows Defender Security Center handles certain objects in memory. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted command that could exploit the vulnerability to elevate privileges. The update addresses the vulnerability by correcting how Windows Defender Security Center handles certain objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7348
Title:
Windows CSC Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7348
CVE-2020-0769
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows CSC Service handles memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7401
Title:
Windows CSC Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7401
CVE-2020-0771
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows CSC Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows CSC Service handles memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7363
Title:
Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7363
CVE-2020-0787
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows BITS handles symbolic links.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7332
Title:
Windows ALPC Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7332
CVE-2020-0834
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system. The update addresses the vulnerability by correcting how Windows handles calls to ALPC.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7357
Title:
Windows ActiveX Installer Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7357
CVE-2020-0770
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows ActiveX Installer Service handles memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7362
Title:
Windows ActiveX Installer Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7362
CVE-2020-0773
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows ActiveX Installer Service handles memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7391
Title:
Windows ActiveX Installer Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7391
CVE-2020-0860
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows ActiveX Installer Service handles memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7354
Title:
Win32k Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7354
CVE-2020-0876
Severity:
Medium
Description:
An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability, an attacker would have to either log on locally to an affected system, or convince a locally authenticated user to execute a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7349
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7349
CVE-2020-0887
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7371
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7371
CVE-2020-0877
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7336
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7336
CVE-2020-0788
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7386
Title:
Provisioning Runtime Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7386
CVE-2020-0808
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way the Provisioning Runtime validates certain file operations. An attacker who successfully exploited the vulnerability could gain elevated privileges on a victim system. To exploit the vulnerability, an attacker would require unprivileged code execution on a victim system. The security update addresses the vulnerability by correctly validating file operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7373
Title:
Microsoft IIS Server Tampering Vulnerability
Type:
Software
Bulletins:
CISEC:7373
CVE-2020-0645
Severity:
Medium
Description:
A tampering vulnerability exists when Microsoft IIS Server improperly handles malformed request headers. An attacker who successfully exploited the vulnerability could cause a vulnerable server to improperly process HTTP headers and tamper with the responses returned to clients. To exploit the vulnerability, an attacker would need to send a malformed HTTP request to an affected server. The update addresses the vulnerability by modifying how IIS Server handles malformed request headers.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7380
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7380
CVE-2020-0807
Severity:
High
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7392
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7392
CVE-2020-0809
Severity:
High
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7394
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7394
CVE-2020-0869
Severity:
Medium
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7335
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7335
CVE-2020-0801
Severity:
Medium
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7353
Title:
Media Foundation Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7353
CVE-2020-0820
Severity:
Low
Description:
An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An attacker who had already gained execution on the victim system could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how Media Foundation handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7346
Title:
LNK Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7346
CVE-2020-0684
Severity:
Medium
Description:
A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice on the target system. The security update addresses the vulnerability by correcting the processing of shortcut LNK references.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7396
Title:
GDI+ Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7396
CVE-2020-0883
Severity:
High
Description:
A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message. In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file. The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7397
Title:
GDI+ Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7397
CVE-2020-0881
Severity:
High
Description:
A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message. In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file. The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7390
Title:
DirectX Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7390
CVE-2020-0690
Severity:
High
Description:
An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7356
Title:
Connected User Experiences and Telemetry Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7356
CVE-2020-0863
Severity:
Low
Description:
An information disclosure vulnerability exists when Windows Connected User Experiences and Telemetry Service improperly discloses file information. Successful exploitation of the vulnerability could allow the attacker to read any file on the file system. To exploit the vulnerability, an attacker would have to log onto an affected system and run a specially crafted application. The update addresses the vulnerability by changing the way Windows Connected User Experiences and Telemetry Service discloses file information.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CISEC:7345
Title:
Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7345
CVE-2020-0844
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations.
Applies to:
Created:
2020-04-17
Updated:
2024-01-17

ID:
CVE-2019-20781
Title:
oval:com.altx-soft.win:def:68524: Vulnerability in LG Bridge before 1.2.54
Type:
Miscellaneous
Bulletins:
CVE-2019-20781
Severity:
Medium
Description:
An issue was discovered in LG Bridge before April 2019 on Windows. DLL Hijacking can occur.
Applies to:
LG Bridge
Created:
2020-04-05
Updated:
2024-01-17

ID:
CISEC:7274
Title:
Adobe Photoshop CC 19.1.7 and earlier, and 20.0.2 and earlier have a heap corruption vulnerability
Type:
Software
Bulletins:
CISEC:7274
Severity:
Low
Description:
Adobe Photoshop CC 19.1.7 and earlier, and 20.0.2 and earlier have a heap corruption vulnerability. Successful exploitation could lead to arbitrary code execution.
Applies to:
Adobe Photoshop
Created:
2020-03-27
Updated:
2020-03-27

ID:
CISEC:7273
Title:
Multiple vulnerabilities on Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier
Type:
Software
Bulletins:
CISEC:7273
Severity:
Low
Description:
Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability (CVE-2019-7969, CVE-2019-7970, CVE-2019-797, CVE-2019-7972, CVE-2019-7973, CVE-2019-7973, CVE-2019-7975, CVE-2019-7980), a heap overflow vulnerability (CVE-2019-7978, CVE-2019-7985, CVE-2019-7990, CVE-2019-7993), an out-of-bounds write vulnerability (CVE-2019-7976, CVE-2019-7979, CVE-2019-7982, CVE-2019-7983, CVE-2019-7984, CVE-2019-7986, CVE-2019-7988, CVE-2019-7994, CVE-2019-7992, CVE-2019-7997, CVE-2019-7998, CVE-2019-8001), and a command injection vulnerability (CVE-2019-7968, CVE-2019-7989). Successful exploitation could lead to arbitrary code execution. Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out-of-bounds read vulnerability (CVE-2019-7977, CVE-2019-7981, CVE-2019-7987, CVE-2019-7991, CVE-2019-7995, CVE-2019-7996, CVE-2019-7999, CVE-2019-8000). Successful exploitation could lead to memory leak.
Applies to:
Adobe Photoshop
Created:
2020-03-20
Updated:
2020-03-20

ID:
CISEC:7271
Title:
Multiple vulnerabilities on Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier
Type:
Software
Bulletins:
CISEC:7271
Severity:
Low
Description:
Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a heap overflow vulnerability (CVE-2020-3742). Successful exploitation could lead to arbitrary code execution. Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an out-of-bounds read vulnerability (CVE-2020-3744, CVE-2020-3747, CVE-2020-3755). Successful exploitation could lead to information disclosure. Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a stack exhaustion vulnerability (CVE-2020-3753, CVE-2020-3756). Successful exploitation could lead to memory leak. Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a privilege escalation vulnerability (CVE-2020-3762, CVE-2020-3763). Successful exploitation could lead to arbitrary file system write. Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a buffer error vulnerability (CVE-2020-3752, CVE-2020-3754). Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a use-after-free vulnerability (CVE-2020-3743, CVE-2020-3745, CVE-2020-3746, CVE-2020-3748, CVE-2020-3749, CVE-2020-3750, CVE-2020-3751).
Applies to:
Adobe Acrobat 2017
Adobe Acrobat DC Classic
Adobe Acrobat DC Continuous
Adobe Reader 2017
Adobe Reader DC Classic
Adobe Reader DC Continuous
Created:
2020-03-20
Updated:
2021-06-03

ID:
CISEC:7270
Title:
Internet Explorer Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7270
Severity:
Low
Description:
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, aka 'Internet Explorer Memory Corruption Vulnerability'.
Applies to:
Internet Explorer 10
Internet Explorer 11
Internet Explorer 9
Created:
2020-03-20
Updated:
2021-12-30

ID:
CISEC:7212
Title:
Windows Wireless Network Manager Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7212
CVE-2020-0704
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Wireless Network Manager improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Wireless Network Manager handles memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7253
Title:
Windows User Profile Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7253
CVE-2020-0730
Severity:
Low
Description:
An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and delete files or folders of their choosing. The security update addresses the vulnerability by correcting how the Windows User Profile Service handles symlinks.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7243
Title:
Windows SSH Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7243
CVE-2020-0757
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows improperly handles Secure Socket Shell remote commands. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Secure Socket Shell handles remote commands.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7193
Title:
Windows Search Indexer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7193
CVE-2020-0667
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7217
Title:
Windows Search Indexer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7217
CVE-2020-0735
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7247
Title:
Windows Search Indexer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7247
CVE-2020-0752
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7264
Title:
Windows Search Indexer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7264
CVE-2020-0666
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7219
Title:
Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7219
CVE-2020-0660
Severity:
Medium
Description:
A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. To exploit this vulnerability, an attacker would need to run a specially crafted application against a server which provides Remote Desktop Protocol (RDP) services. The update addresses the vulnerability by correcting how RDP handles connection requests.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7203
Title:
Windows Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7203
CVE-2020-0662
Severity:
High
Description:
A remote code execution vulnerability exists in the way that Windows handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code with elevated permissions on a target system. To exploit the vulnerability, an attacker who has a domain user account could create a specially crafted request, causing Windows to execute arbitrary code with elevated permissions. The security update addresses the vulnerability by correcting how Windows handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7258
Title:
Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7258
CVE-2020-0705
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows Network Driver Interface Specification (NDIS) improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to disclose uninitialized kernel memory. The security update addresses the vulnerability by correcting how the Windows Network Driver Interface Specification (NDIS) handles memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7210
Title:
Windows Modules Installer Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7210
CVE-2020-0728
Severity:
Medium
Description:
An information disclosure vulnerability exists when Windows Modules Installer Service improperly discloses file information. Successful exploitation of the vulnerability could allow the attacker to read any file on the file system. To exploit the vulnerability, an attacker would have to log onto an affected system and run a specially crafted application. The update addresses the vulnerability by changing the way Windows Modules Installer Service discloses file information.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7194
Title:
Windows Key Isolation Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7194
CVE-2020-0756
Severity:
Low
Description:
An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7202
Title:
Windows Key Isolation Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7202
CVE-2020-0677
Severity:
Low
Description:
An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7205
Title:
Windows Key Isolation Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7205
CVE-2020-0755
Severity:
Low
Description:
An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7228
Title:
Windows Key Isolation Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7228
CVE-2020-0748
Severity:
Low
Description:
An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7239
Title:
Windows Key Isolation Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7239
CVE-2020-0676
Severity:
Low
Description:
An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7251
Title:
Windows Key Isolation Service Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7251
CVE-2020-0675
Severity:
Low
Description:
An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7265
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7265
CVE-2020-0736
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7192
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7192
CVE-2020-0671
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7215
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7215
CVE-2020-0669
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7245
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7245
CVE-2020-0672
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7249
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7249
CVE-2020-0670
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7261
Title:
Windows Kernel Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7261
CVE-2020-0668
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7197
Title:
Windows Installer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7197
CVE-2020-0686
Severity:
High
Description:
An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and add or remove files. The security update addresses the vulnerability by modifying how reparse points are handled by the Windows Installer.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7263
Title:
Windows Installer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7263
CVE-2020-0683
Severity:
High
Description:
An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and add or remove files. The security update addresses the vulnerability by modifying how reparse points are handled by the Windows Installer.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7240
Title:
Windows Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7240
CVE-2020-0698
Severity:
Low
Description:
An information disclosure vulnerability exists when the Telephony Service improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting how the Telephony Service handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7188
Title:
Windows IME Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7188
CVE-2020-0707
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows IME improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows IME handles memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7241
Title:
Windows Imaging Library Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7241
CVE-2020-0708
Severity:
Medium
Description:
A remote code execution vulnerability exists when the Windows Imaging Library improperly handles memory. To exploit this vulnerability, an attacker would first have to coerce a victim to open a specially crafted file. The security update addresses the vulnerability by correcting how the Windows Imaging Library handles memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7196
Title:
Windows Hyper-V Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7196
CVE-2020-0661
Severity:
Medium
Description:
A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application that causes a host machine to crash. The security update addresses the vulnerability by resolving a number of conditions where Hyper-V would fail to prevent a guest operating system from sending malicious requests.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7227
Title:
Windows Hyper-V Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7227
CVE-2020-0751
Severity:
Low
Description:
A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate specific malicious data from a user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application. The security update addresses the vulnerability by resolving the conditions where Hyper-V would fail to handle these requests.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7201
Title:
Windows Graphics Component Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7201
CVE-2020-0792
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7222
Title:
Windows Graphics Component Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7222
CVE-2020-0745
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7250
Title:
Windows Graphics Component Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7250
CVE-2020-0715
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7208
Title:
Windows Function Discovery Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7208
CVE-2020-0679
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Function Discovery Service properly handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7254
Title:
Windows Function Discovery Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7254
CVE-2020-0680
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Function Discovery Service properly handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7257
Title:
Windows Function Discovery Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7257
CVE-2020-0682
Severity:
High
Description:
An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Function Discovery Service properly handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7237
Title:
Windows Error Reporting Manager Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7237
CVE-2020-0678
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows Error Reporting manager handles hard links.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7252
Title:
Windows Error Reporting Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7252
CVE-2020-0754
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by correcting the way that WER handles and executes files.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7260
Title:
Windows Error Reporting Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7260
CVE-2020-0753
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by correcting the way that WER handles and executes files.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7207
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7207
CVE-2020-0737
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the tapisrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the tapisrv.dll properly handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7226
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7226
CVE-2020-0739
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the dssvc.dll handles file creation, allowing for a file overwrite or creation in a secured location. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the dssvc.dll properly handles this type of functionality.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7191
Title:
Windows Data Sharing Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7191
CVE-2020-0659
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Data Sharing Service handles file operations.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7214
Title:
Windows Data Sharing Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7214
CVE-2020-0747
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Data Sharing Service handles file operations.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7231
Title:
Windows Common Log File System Driver Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7231
CVE-2020-0658
Severity:
Low
Description:
An information disclosure vulnerability exists in the Windows Common Log File System (CLFS) driver when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how CLFS handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7259
Title:
Windows Common Log File System Driver Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7259
CVE-2020-0657
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how CLFS handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7262
Title:
Windows COM Server Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7262
CVE-2020-0685
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows improperly handles COM object creation. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Windows COM Server creates COM objects.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7195
Title:
Windows Client License Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7195
CVE-2020-0701
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Client License Service (ClipSVC) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Client License Service properly handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7206
Title:
Windows Backup Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7206
CVE-2020-0703
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Backup Service handles file operations.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7233
Title:
Win32k Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7233
CVE-2020-0717
Severity:
Low
Description:
An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7235
Title:
Win32k Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7235
CVE-2020-0716
Severity:
Low
Description:
An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7198
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7198
CVE-2020-0719
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7199
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7199
CVE-2020-0720
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7204
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7204
CVE-2020-0724
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7211
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7211
CVE-2020-0723
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7218
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7218
CVE-2020-0721
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7221
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7221
CVE-2020-0725
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7223
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7223
CVE-2020-0731
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7225
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7225
CVE-2020-0726
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7242
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7242
CVE-2020-0722
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7244
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7244
CVE-2020-0691
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7216
Title:
Remote Desktop Services Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7216
CVE-2020-0655
Severity:
High
Description:
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an authenticated attacker abuses clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker must already have compromised a system running Remote Desktop Services, and then wait for a victim system to connect to Remote Desktop Services. The update addresses the vulnerability by correcting how Remote Desktop Services handles clipboard redirection.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7232
Title:
Remote Desktop Client Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7232
CVE-2020-0681
Severity:
High
Description:
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would have no way of forcing a user to connect to the malicious server; they would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect. The update addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7255
Title:
Remote Desktop Client Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7255
CVE-2020-0734
Severity:
High
Description:
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would have no way of forcing a user to connect to the malicious server; they would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect. The update addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7229
Title:
Microsoft Secure Boot Security Feature Bypass Vulnerability
Type:
Software
Bulletins:
CISEC:7229
CVE-2020-0689
Severity:
Medium
Description:
A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability can bypass secure boot and load untrusted software. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by blocking vulnerable third-party bootloaders.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7234
Title:
Microsoft Graphics Components Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7234
CVE-2020-0746
Severity:
Medium
Description:
An information disclosure vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could obtain information that could be useful for further exploitation. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7213
Title:
Media Foundation Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7213
CVE-2020-0738
Severity:
High
Description:
A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7236
Title:
LNK Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7236
CVE-2020-0729
Severity:
Medium
Description:
A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice on the target system. The security update addresses the vulnerability by correcting the processing of shortcut LNK references.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7190
Title:
DirectX Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7190
CVE-2020-0714
Severity:
Low
Description:
An information disclosure vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how DirectX handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7189
Title:
DirectX Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7189
CVE-2020-0732
Severity:
High
Description:
An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7209
Title:
DirectX Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7209
CVE-2020-0709
Severity:
High
Description:
An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7266
Title:
Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7266
CVE-2020-0727
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when the Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges on the victim system. To exploit the vulnerability, an attacker would first have to gain execution on the victim system, then run a specially crafted application. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7200
Title:
Connected Devices Platform Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7200
CVE-2020-0742
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Connected Devices Platform Service properly handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7224
Title:
Connected Devices Platform Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7224
CVE-2020-0750
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Connected Devices Platform Service properly handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7238
Title:
Connected Devices Platform Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7238
CVE-2020-0749
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Connected Devices Platform Service properly handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7246
Title:
Connected Devices Platform Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7246
CVE-2020-0743
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Connected Devices Platform Service properly handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7248
Title:
Connected Devices Platform Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7248
CVE-2020-0741
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Connected Devices Platform Service properly handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7256
Title:
Connected Devices Platform Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7256
CVE-2020-0740
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Connected Devices Platform Service properly handles objects in memory.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7220
Title:
Active Directory Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7220
CVE-2020-0665
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in Active Directory Forest trusts due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest. To exploit this vulnerability, an attacker would first need to compromise an Active Directory forest. An attacker who successfully exploited this vulnerability could request delegation of a TGT for an identity from the trusted forest. This update addresses the vulnerability by ensuring new Active Directory Forest trusts disable TGT delegation by default. The update does not change existing TGT delegation configurations.
Applies to:
Created:
2020-03-13
Updated:
2024-01-17

ID:
CISEC:7174
Title:
Brackets versions 1.14 and earlier have a command injection vulnerability
Type:
Software
Bulletins:
CISEC:7174
CVE-2019-8255
Severity:
High
Description:
Brackets versions 1.14 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
Applies to:
Adobe Brackets
Created:
2020-03-06
Updated:
2024-01-17

ID:
CISEC:7173
Title:
Adobe Photoshop CC versions before 20.0.8 and 21.0.x before 21.0.2 have a memory corruption vulnerability
Type:
Software
Bulletins:
CISEC:7173
Severity:
Low
Description:
Adobe Photoshop CC versions before 20.0.8 and 21.0.x before 21.0.2 have a memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution.
Applies to:
Adobe Photoshop
Created:
2020-02-28
Updated:
2020-02-28

ID:
CISEC:7160
Title:
VBScript Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7160
CVE-2019-1208
Severity:
High
Description:
A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka 'VBScript Remote Code Execution Vulnerability'.
Applies to:
Microsoft Internet Explorer 10
Microsoft Internet Explorer 11
Microsoft Internet Explorer 9
Created:
2020-02-21
Updated:
2024-01-17

ID:
CISEC:7164
Title:
Multiple vulnerabilities on Adobe Acrobat and Reader versions, 2019.021.20056 and earlier, 2017.011.30152 and earlier, 2017.011.30155 and earlier version, 2017.011.30152 and earlier, and 2015.006.30505 and earlier.
Type:
Software
Bulletins:
CISEC:7164
Severity:
Low
Description:
Adobe Acrobat and Reader versions, 2019.021.20056 and earlier, 2017.011.30152 and earlier, 2017.011.30155 and earlier version, 2017.011.30152 and earlier, and 2015.006.30505 and earlier have a heap overflow vulnerability (CVE-2019-16451); have a buffer error vulnerability (CVE-2019-16462); have a security bypass vulnerability (CVE-2019-16453); have an out-of-bounds write vulnerability (CVE-2019-16450, CVE-2019-16454); have a use after free vulnerability (CVE-2019-16445, CVE-2019-16448, CVE-2019-16452, CVE-2019-16459, CVE-2019-16464); have an untrusted pointer dereference vulnerability (CVE-2019-16446, CVE-2019-16455, CVE-2019-16460, CVE-2019-16463). Successful exploitation could lead to arbitrary code execution. Adobe Acrobat and Reader versions, 2019.021.20056 and earlier, 2017.011.30152 and earlier, 2017.011.30155 and earlier version, 2017.011.30152 and earlier, and 2015.006.30505 and earlier have a binary planting (default folder privilege escalation) vulnerability (CVE-2019-16444). Successful exploitation could lead to privilege escalation. Adobe Acrobat and Reader versions, 2019.021.20056 and earlier, 2017.011.30152 and earlier, 2017.011.30155 and earlier version, 2017.011.30152 and earlier, and 2015.006.30505 and earlier have an out-of-bounds read vulnerability (CVE-2019-16449, CVE-2019-16456, CVE-2019-16457, CVE-2019-16458, CVE-2019-16461, CVE-2019-16465). Successful exploitation could lead to information disclosure.
Applies to:
Adobe Acrobat 2017
Adobe Acrobat DC Classic
Adobe Acrobat DC Continuous
Adobe Reader 2017
Adobe Reader DC Classic
Adobe Reader DC Continuous
Created:
2020-02-21
Updated:
2021-06-04

ID:
CISEC:7162
Title:
Microsoft Browser Spoofing Vulnerability
Type:
Software
Bulletins:
CISEC:7162
CVE-2019-1357
Severity:
Medium
Description:
A spoofing vulnerability exists when Microsoft Browsers improperly handle browser cookies, aka 'Microsoft Browser Spoofing Vulnerability'.
Applies to:
Microsoft Edge
Microsoft Internet Explorer 11
Created:
2020-02-21
Updated:
2024-01-17

ID:
CISEC:7163
Title:
Microsoft Browser Security Feature Bypass Vulnerability
Type:
Software
Bulletins:
CISEC:7163
CVE-2019-1220
Severity:
Medium
Description:
A security feature bypass vulnerability exists when Microsoft Browsers fail to validate the correct Security Zone of requests for specific URLs, aka 'Microsoft Browser Security Feature Bypass Vulnerability'.
Applies to:
Microsoft Edge
Microsoft Internet Explorer 10
Microsoft Internet Explorer 11
Microsoft Internet Explorer 9
Created:
2020-02-21
Updated:
2024-01-17

ID:
CISEC:7161
Title:
Chakra Scripting Engine Memory Corruption Vulnerability
Type:
Software
Bulletins:
CISEC:7161
CVE-2019-1217
Severity:
High
Description:
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.
Applies to:
Microsoft Edge
Created:
2020-02-21
Updated:
2024-01-17

ID:
CISEC:7158
Title:
Adobe Bridge CC versions 9.1 and earlier have a memory corruption vulnerability
Type:
Software
Bulletins:
CISEC:7158
Severity:
Low
Description:
Adobe Bridge CC versions 9.1 and earlier have a memory corruption vulnerability. Successful exploitation could lead to information disclosure.
Applies to:
Adobe Bridge
Created:
2020-02-21
Updated:
2020-02-21

ID:
CISEC:7157
Title:
Adobe Bridge CC version 9.0.2 and earlier versions have an out of bound read vulnerability
Type:
Software
Bulletins:
CISEC:7157
Severity:
Low
Description:
Adobe Bridge CC version 9.0.2 and earlier versions have an out of bound read vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user.
Applies to:
Adobe Bridge
Created:
2020-02-21
Updated:
2020-02-21

ID:
CISEC:7138
Title:
Windows Subsystem for Linux Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7138
CVE-2020-0636
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Subsystem for Linux handles files. An attacker who successfully exploited the vulnerability could execute code with elevated privileges. To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows Subsystem for Linux handles files.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7128
Title:
Windows Security Feature Bypass Vulnerability
Type:
Software
Bulletins:
CISEC:7128
CVE-2020-0621
Severity:
Low
Description:
A security feature bypass vulnerability exists in Windows 10 when third party filters are called during a password update. Successful exploitation of the vulnerability could allow a user to make use of a blocked password for their account. To exploit the vulnerability, an attacker would need to have access and the current password for the target user. The update addresses how password filters are called during a password update.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7122
Title:
Windows Search Indexer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7122
CVE-2020-0627
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7124
Title:
Windows Search Indexer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7124
CVE-2020-0632
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7135
Title:
Windows Search Indexer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7135
CVE-2020-0625
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7136
Title:
Windows Search Indexer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7136
CVE-2020-0630
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7137
Title:
Windows Search Indexer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7137
CVE-2020-0626
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7139
Title:
Windows Search Indexer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7139
CVE-2020-0614
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7142
Title:
Windows Search Indexer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7142
CVE-2020-0613
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7146
Title:
Windows Search Indexer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7146
CVE-2020-0631
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7148
Title:
Windows Search Indexer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7148
CVE-2020-0629
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7149
Title:
Windows Search Indexer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7149
CVE-2020-0628
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7154
Title:
Windows Search Indexer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7154
CVE-2020-0633
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7155
Title:
Windows Search Indexer Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7155
CVE-2020-0623
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Search Indexer properly handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7133
Title:
Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7133
CVE-2020-0609
Severity:
High
Description:
A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's RD Gateway via RDP. The update addresses the vulnerability by correcting how RD Gateway handles connection requests.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7134
Title:
Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7134
CVE-2020-0610
Severity:
High
Description:
A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's RD Gateway via RDP. The update addresses the vulnerability by correcting how RD Gateway handles connection requests.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7151
Title:
Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7151
CVE-2020-0612
Severity:
Medium
Description:
A denial of service vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RD Gateway service on the target system to stop responding. To exploit this vulnerability, an attacker would need to run a specially crafted application against a server which provides RD Gateway services. The update addresses the vulnerability by correcting how RD Gateway handles connection requests.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7145
Title:
Windows GDI+ Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7145
CVE-2020-0643
Severity:
Low
Description:
An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface Plus (GDI+) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how GDI+ handles memory addresses.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7125
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7125
CVE-2020-0635
Severity:
High
Description:
An elevation of privilege vulnerability exists in Microsoft Windows when Windows fails to properly handle certain symbolic links. An attacker who successfully exploited this vulnerability could potentially set certain items to run at a higher level and thereby elevate permissions. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Windows handles symbolic links.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7152
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7152
CVE-2020-0644
Severity:
High
Description:
An elevation of privilege vulnerability exists when Microsoft Windows implements predictable memory section names. An attacker who successfully exploited this vulnerability could run arbitrary code as system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application designed to elevate privileges. The update addresses the vulnerability by correcting how Windows assigns memory to specific processes.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7156
Title:
Windows CryptoAPI Spoofing Vulnerability
Type:
Software
Bulletins:
CISEC:7156
CVE-2020-0601
Severity:
Medium
Description:
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7143
Title:
Windows Common Log File System Driver Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7143
CVE-2020-0615
Severity:
Low
Description:
An information disclosure vulnerability exists in the Windows Common Log File System (CLFS) driver when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how CLFS handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7144
Title:
Windows Common Log File System Driver Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7144
CVE-2020-0639
Severity:
Low
Description:
An information disclosure vulnerability exists in the Windows Common Log File System (CLFS) driver when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how CLFS handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7132
Title:
Windows Common Log File System Driver Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7132
CVE-2020-0634
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system. The security update addresses the vulnerability by correcting how CLFS handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7121
Title:
Win32k Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7121
CVE-2020-0608
Severity:
Low
Description:
An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7123
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7123
CVE-2020-0624
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7130
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7130
CVE-2020-0642
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7147
Title:
Update Notification Manager Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7147
CVE-2020-0638
Severity:
Medium
Description:
An elevation of privilege vulnerability exists in the way the Update Notification Manager handles files. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Update Notification Manager handles files.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7126
Title:
Remote Desktop Web Access Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7126
CVE-2020-0637
Severity:
Medium
Description:
An information disclosure vulnerability exists when Remote Desktop Web Access improperly handles credential information. An attacker who successfully exploited this vulnerability could obtain legitimate users' credentials. To exploit this vulnerability, an attacker would need access to a vulnerable server with the Remote Desktop Web Access role. The security update addresses the vulnerability by correcting how Remote Desktop Web Access handles credential information.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7140
Title:
Remote Desktop Client Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:7140
CVE-2020-0611
Severity:
Medium
Description:
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would have no way of forcing a user to connect to the malicious server; they would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect. The update addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7150
Title:
Microsoft Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7150
CVE-2020-0641
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows Media Service that allows file creation in arbitrary locations. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Windows Media Service handles file creation.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7129
Title:
Microsoft Windows Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7129
CVE-2020-0616
Severity:
Medium
Description:
A denial of service vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would allow an attacker to overwrite system files. The update addresses the vulnerability by correcting ACLs to system files.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7153
Title:
Microsoft Graphics Components Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7153
CVE-2020-0607
Severity:
Medium
Description:
An information disclosure vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could obtain information that could be useful for further exploitation. To exploit the vulnerability, a user would have to open a specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7141
Title:
Microsoft Graphics Component Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:7141
CVE-2020-0622
Severity:
Low
Description:
An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The update addresses the vulnerability by correcting the way in which the Windows Graphics Component handles objects in memory.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7127
Title:
Microsoft Cryptographic Services Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:7127
CVE-2020-0620
Severity:
Medium
Description:
An elevation of privilege vulnerability exists when Microsoft Cryptographic Services improperly handles files. An attacker could exploit the vulnerability to overwrite or modify a protected file leading to a privilege escalation. To exploit the vulnerability, an attacker would first require execution on the victim system. The security update addresses the vulnerability by correcting how Microsoft Cryptographic Services handles files.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:7131
Title:
Hyper-V Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:7131
CVE-2020-0617
Severity:
Medium
Description:
A denial of service vulnerability exists when Microsoft Hyper-V Virtual PCI on a host server fails to properly validate input from a privileged user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application that causes a host machine to crash. The security update addresses the vulnerability by properly validating input.
Applies to:
Created:
2020-02-14
Updated:
2024-01-17

ID:
CISEC:6833
Title:
Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
Type:
Software
Bulletins:
CISEC:6833
CVE-2019-1453
Severity:
Medium
Description:
A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. To exploit this vulnerability, an attacker would need to run a specially crafted application against a server which provides Remote Desktop Protocol (RDP) services. The update addresses the vulnerability by correcting how RDP handles connection requests.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6830
Title:
Windows Printer Service Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:6830
CVE-2019-1477
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows Printer Service improperly validates file paths while loading printer drivers. An authenticated attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows Printer Service validates file paths.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6836
Title:
Windows OLE Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:6836
CVE-2019-1484
Severity:
Medium
Description:
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted file or a program, causing Windows to execute arbitrary code. The update addresses the vulnerability by correcting how Windows OLE validates user input.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6828
Title:
Windows Media Player Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:6828
CVE-2019-1480
Severity:
Medium
Description:
An information disclosure vulnerability exists in Windows Media Player when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. To exploit this vulnerability, an attacker would have to log on to an affected system and open a specially crafted file. The update addresses the vulnerability by correcting how Windows Media Player handles objects in memory.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6829
Title:
Windows Media Player Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:6829
CVE-2019-1481
Severity:
Medium
Description:
An information disclosure vulnerability exists in Windows Media Player when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. To exploit this vulnerability, an attacker would have to log on to an affected system and open a specially crafted file. The update addresses the vulnerability by correcting how Windows Media Player handles objects in memory.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6840
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:6840
CVE-2019-1474
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6842
Title:
Windows Kernel Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:6842
CVE-2019-1472
Severity:
Low
Description:
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6844
Title:
Windows Hyper-V Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:6844
CVE-2019-1471
Severity:
Medium
Description:
A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system. The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6839
Title:
Windows Hyper-V Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:6839
CVE-2019-1470
Severity:
Medium
Description:
An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker on a guest operating system could run a specially crafted application that could cause the Hyper-V host operating system to disclose memory information. An attacker who successfully exploited the vulnerability could gain access to information on the Hyper-V host operating system. The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6826
Title:
Windows GDI Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:6826
CVE-2019-1465
Severity:
Medium
Description:
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6831
Title:
Windows GDI Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:6831
CVE-2019-1466
Severity:
Medium
Description:
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6834
Title:
Windows GDI Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:6834
CVE-2019-1467
Severity:
Medium
Description:
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6832
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:6832
CVE-2019-1476
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows AppX Deployment Service handles hard links.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6835
Title:
Windows Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:6835
CVE-2019-1483
Severity:
High
Description:
An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how AppX Deployment Server handles junctions.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6838
Title:
Windows COM Server Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:6838
CVE-2019-1478
Severity:
High
Description:
An elevation of privilege vulnerability exists when Windows improperly handles COM object creation. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Windows COM Server creates COM objects.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6827
Title:
Win32k Information Disclosure Vulnerability
Type:
Software
Bulletins:
CISEC:6827
CVE-2019-1469
Severity:
Low
Description:
An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6843
Title:
Win32k Graphics Remote Code Execution Vulnerability
Type:
Software
Bulletins:
CISEC:6843
CVE-2019-1468
Severity:
High
Description:
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit this vulnerability. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit this vulnerability, and then convince a user to open the document file. The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6841
Title:
Win32k Elevation of Privilege Vulnerability
Type:
Software
Bulletins:
CISEC:6841
CVE-2019-1458
Severity:
High
Description:
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17

ID:
CISEC:6837
Title:
Microsoft Defender Security Feature Bypass Vulnerability
Type:
Software
Bulletins:
CISEC:6837
CVE-2019-1488
Severity:
Low
Description:
A security feature bypass vulnerability exists when Microsoft Defender improperly handles specific buffers. An attacker could exploit the vulnerability to trigger warnings and false positives when no threat is present. To exploit the vulnerability, an attacker would first require execution permissions on the victim system. The security update addresses the vulnerability by ensuring Microsoft Defender properly handles these buffers.
Applies to:
Created:
2020-01-17
Updated:
2024-01-17