Batches of security advisories were rolled out by Drupal, Google and Cisco yesterday addressing a host of critical-rated issues for their products.
Drupal addressed a critical
vulnerability affecting Drupal 8.7 and 8.8. The issue is a Cross Site Scripting
vulnerability in third-party libraries. An attacker who can create or edit
content may be able to exploit this Cross Site Scripting vulnerability to
target users with access to the WYSIWYG CKEditor, and this may include site
admins with privileged access.
The organization recommends updating to versions 8.7.12 and 8.8.4, respectively, to
obtain the proper patches. If updating is not possible, it is suggested to
disable the CKEditor module until the update can be accomplished.
Cisco fixed six vulnerabilities in its Cisco SD-WAN cloud scale architecture. The
three rated as potentially having a high impact, all of which are due to insufficient
input validation, are:
- CVE-2020-3265 is a solution privilege
escalation vulnerability that could allow an authenticated, local attacker to elevate privileges
to root on the underlying operating system.
- CVE-2020-3265 is a solution command injection
vulnerability that, if exploited, could let a local attacker inject arbitrary commands
with root privileges.
- CVE-2020-3264 can be exploited by sending
specially crafted traffic to an affected device giving the attacker access to
information and allowing this person to make changes to the system that they
are not authorized to make.
Google issued 13 updates, all rated high, to its Chrome Stable Channel, with many
focusing on use-after-free issues.
CVE-2020-6449, CVE-2020-6429, CVE-2020-6428
and CVE-2020-6427 centered on use-after-free audio flaws. CVE-2020-6422 and CVE-2020-6424
were use-after-free flaws in WebGL and media, respectively.