Apple Security Advisory 2020-09-16-5 - Xcode 12.0 is now available and addresses a code execution vulnerability.
0f9f24437ee610dcd0ffba2b554069ca64830d85988a57f139b999368778dc87
Apple Security Advisory 2020-09-16-4 - watchOS 7.0 is now available and addresses cross-site scripting vulnerabilities.
7f2be0ff36ed50f74ec3888638f8ae775f5077dd53d9d1b8c3925c3c8b82ce89
Apple Security Advisory 2020-09-16-3 - Safari 14.0 is now available and addresses code execution, cross-site scripting, out-of-bounds write, and use-after-free vulnerabilities.
cae12a9373b83d218a96163e66f5f4bf1ba87f98cae36acd07e759d548a83cdb
Apple Security Advisory 2020-09-16-2 - tvOS 14.0 is now available and addresses cross-site scripting vulnerabilities.
2c0cfb49a8acf362220ab9093a092bd0c1b1a10fe5bb67752992cccd85dde3e2
Ubuntu Security Notice 4519-1 - Ratchanan Srirattanamet discovered that an Ubuntu-specific patch caused PulseAudio to incorrectly handle memory under certain error conditions in the Bluez 5 module. An attacker could use this issue to cause PulseAudio to crash, resulting in a denial of service, or possibly execute arbitrary code.
75af37b6c9762703332730a796750331200cb5cb8f6f04b59195da4f428847a8
Apple Security Advisory 2020-09-16-1 - iOS 14.0 and iPadOS 14.0 are now available and address code execution, cross-site scripting, out-of-bounds read, and out-of-bounds write vulnerabilities.
7fd9e27e217c184d9ba4d89012fdbb3e21ae0bc90b9b515446b2e0e9c773363a
TP-Link cloud cameras in the NCXXX series (NC200, NC210, NC220, NC230, NC250, NC260, NC450) are vulnerable to an authenticated command injection vulnerability. In all devices except NC210, despite a check on the name length in swSystemSetProductAliasCheck, no other checks are in place to prevent shell metacharacters from being introduced. The system name is then used in swBonjourStartHTTP as part of a shell command, where arbitrary commands could be injected and executed as root. NC210 devices cannot be exploited directly via /setsysname.cgi due to proper input validation, but they are still vulnerable since swBonjourStartHTTP did not perform any validation when reading the alias name from the configuration file. The configuration file can be written, and code execution can be achieved by combining this issue with CVE-2020-12110.
820ebca1a60727c3c7198c5f8d186f030d053aca8aaa88544be3fdcb57017f5e
The Navy Federal site at navyfederal.org suffered from a cross-site scripting vulnerability.
9139d239aff0e11b1a88e1a4303fccf0bce34f1d49073a50d2a694b0640107e6
Ubuntu Security Notice 4517-1 - It was discovered that Email-Address-List does not properly parse email addresses during email ingestion. A remote attacker could use this issue to cause an algorithmic complexity attack, resulting in a denial of service.
0d797e79375d73b5524e94ff3a4eb33024ac16847fb2288f1c02bddeeaebcdde
Mantis Bug Tracker version 2.3.0 suffers from a remote code execution vulnerability.
c5bd41082422ed338ccc46ee3ad8d43820a3a1cd833484f28da741205e12c069
SpamTitan version 7.07 suffers from an authenticated remote code execution vulnerability.
4234f62e0c44c2e3dad423c5cc769129588ffafbed80a16f8610281916cc3da9
D-Link DGS-1210-28 suffers from a denial of service vulnerability.
1fcff2e0ab5633d0de2304376d33dafe34f1dc0823f5ddd9d8f8e6eff7f53ab6