CVE-2020-10630

SAE IT-systems FW-50 Remote Telemetry Unit (RTU). The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in the output used as a webpage that is served to other users.

Source: CVE-2020-10630

CVE-2020-10634

SAE IT-systems FW-50 Remote Telemetry Unit (RTU). A specially crafted request could allow an attacker to view the file structure of the affected device and access files that should be inaccessible.

Source: CVE-2020-10634

CVE-2020-11032

In GLPI before version 9.4.6, there is a SQL injection vulnerability for all helpdesk instances.

Exploiting this vulnerability requires a technician account.

This is fixed in version 9.4.6.

Source: CVE-2020-11032

CVE-2020-10859

Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated arbitrary file writes during ZIP archive extraction via Directory Traversal in a crafted AppDependency API request.

Source: CVE-2020-10859

CVE-2020-11051

In Wiki.js before 2.3.81, there is a stored XSS in the Markdown editor. An editor with write access to a page, using the Markdown editor, could inject an XSS payload into the content. If another editor (with write access as well) load the same page into the Markdown editor, the XSS payload will be executed as part of the preview panel. The rendered result does not contain the XSS payload as it is stripped by the HTML Sanitization security module. This vulnerability only impacts editors loading the malicious page in the Markdown editor. This has been patched in 2.3.81.

Source: CVE-2020-11051

CVE-2020-12144

Details The certificate used to identify the Silver Peak Cloud Portal to EdgeConnect devices is not validated. This makes it possible for someone to establish a TLS connection from EdgeConnect to an untrusted portal. Product affected All versions affected prior to Silver Peak Unity ECOS™ 8.3.2+, 8.1.9.12+ and Silver Peak Unity Orchestrator™ 8.9.2+ Silver Peak Products Applicability Unity EdgeConnect, NX, VX Applicable Unity Orchestrator Applicable EdgeConnect in AWS, Azure, GCP Applicable Silver Peak Cloud Services Not Applicable Resolution • Changes have been made to strengthen the initial exchange between the EdgeConnect appliance and the Cloud Portal. After the changes, EdgeConnect will validate the certificate used to identify the Silver Peak Cloud Portal to EdgeConnect. • TLS itself is continually subject to newly discovered and exploitable vulnerabilities. As such, all versions of EdgeConnect software implement additional out-of-band and user-controlled authentication mechanisms. Any required configuration • Do not change Cloud Portal’s IP address as discovered by the EdgeConnect appliance. • Upgrade to Silver Peak Unity ECOS™ 8.3.2+ or 8.1.9.12+ and Silver Peak Unity Orchestrator™ 8.9.2+. • In Orchestrator, enable the “Verify Portal Certificate� option under Advanced Security Settings.

Source: CVE-2020-12144

CVE-2020-12142

a. IPSec UDP key material can be retrieved from machine-to-machine interfaces and human-accessible interfaces by a user with admin credentials. Such a user, with the required system knowledge, could use this material to decrypt in-flight communication. b. The vulnerability requires administrative access and shell access to the EdgeConnect appliance. An admin user can access IPSec seed and nonce parameters using the CLI, REST APIs, and the Linux shell. Resolution • EdgeConnect software has been modified to prevent users from accessing IPSec seed and nonce parameters using the CLI, REST APIs, and the Linux shell. • EdgeConnect software has been modified to allow customers to choose not to persist the IPSec seed for additional security. Any required configuration Upgrade to Silver Peak Unity ECOS™ 8.3.2+ or 8.1.9.12+ and Silver Peak Unity Orchestrator™ 8.9.2+. 8. Product affected All versions affected prior to Silver Peak Unity ECOS™ 8.3.2+, 8.1.9.12+ and Silver Peak Unity Orchestrator™ 8.9.2+ Silver Peak Products Applicability Unity EdgeConnect, NX, VX Applicable Unity Orchestrator Applicable EdgeConnect in AWS, Azure, GCP Applicable Silver Peak Cloud Services Not Applicable

Source: CVE-2020-12142

CVE-2020-12143

Summary – The certificate used to identify Orchestrator to EdgeConnect devices is not validated Details: The certificate used to identify Orchestrator to EdgeConnect devices is not validated, which makes it possible for someone to establish a TLS connection from EdgeConnect to an untrusted Orchestrator. Product affected – All versions affected prior to Silver Peak Unity ECOSâ„¢ 8.3.2+, 8.1.9.12+ and Silver Peak Unity Orchestratorâ„¢ 8.9.2+ 1. Silver Peak product(s) Applicability 2. Unity EdgeConnect, NX, VX Applicable 3. Unity Orchestrator Applicable 4. EdgeConnect in AWS, Azure, GCP Applicable 5. Silver Peak Cloud Services Not Applicable Resolution • Changes have been made to strengthen the initial exchange between the EdgeConnect appliance and the Orchestrator. After the changes, EdgeConnect will validate the certificate used to identify the Orchestrator to EdgeConnect. • TLS itself is continually subject to newly discovered and exploitable vulnerabilities. As such, all versions of EdgeConnect software implement additional out-of-band and user-controlled authentication mechanisms. Any required configuration • Do not change Orchestrator’s IP address as discovered by the EdgeConnect appliance. • Upgrade to Silver Peak Unity ECOSâ„¢ 8.3.2+ or 8.1.9.12+ and Silver Peak Unity Orchestratorâ„¢ 8.9.2+. • In Orchestrator, enable the “Verify Orchestrator Certificateâ€� option under Advanced Security Settings.

Source: CVE-2020-12143

CVE-2020-11495

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

Source: CVE-2020-11495

CVE-2020-8829

CSRF on Intelbras CIP 92200 devices allows an attacker to access the panel and perform scraping or other analysis.

Source: CVE-2020-8829