VARIoT IoT vulnerabilities database

VAR-201911-1331 | CVE-2019-17403 | Nokia IMPACT Vulnerable to unlimited upload of dangerous types of files |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
Nokia IMPACT < 18A: An unrestricted File Upload vulnerability was found that may lead to Remote Code Execution. Nokia IMPACT contains a vulnerability related to the unrestricted upload of dangerous file types. Information may be obtained or altered, and service operation may be disrupted (DoS). Nokia IMPACT is an intelligent management platform for the Internet of Things from Nokia (Finland). An attacker could use this vulnerability to execute code
VAR-201911-1958 | No CVE | Command Execution Vulnerabilities in Multiple D-Link Routers |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
D-Link DIR-855L A1, DAP-1533 A1, DIR-862L A1, DIR-835 A1, DIR-615 I3, DIR-825 C1 are all wireless router products of D-Link.
There are command execution vulnerabilities in several D-Link routers. An attacker could exploit this vulnerability to gain administrator privileges.
VAR-201911-1358 | CVE-2019-19240 | Embedthis GoAhead Buffer error vulnerability |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
Embedthis GoAhead before 5.0.1 mishandles redirected HTTP requests with a large Host header. The GoAhead WebsRedirect uses a static host buffer that has a limited length and can overflow. This can cause a copy of the Host header to fail, leaving that buffer uninitialized, which may leak uninitialized data in a response. Embedthis GoAhead contains a buffer error vulnerability. Information may be obtained. Embedthis Software GoAhead is an embedded web server from the American company Embedthis Software. A buffer error vulnerability exists in Embedthis Software GoAhead versions prior to 5.0.1. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc
VAR-201911-1947 | No CVE | Unknown vulnerabilities in Sony Playstation 4 (PS4) |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Sony Playstation 4 is a home console.
There are unspecified vulnerabilities in the Sony Playstation 4 (PS4). An attacker could exploit the vulnerability to use a malicious program to obtain quarantined private data.
VAR-201911-0418 | CVE-2019-9536 | Apple iPhone 3GS Vulnerability in Permission Management |
CVSS V2: 6.9 CVSS V3: 6.8 Severity: MEDIUM |
Apple iPhone 3GS bootrom malloc implementation returns a non-NULL pointer when unable to allocate memory, aka 'alloc8'. An attacker with physical access to the device can install arbitrary firmware. Apple iPhone 3GS contains a privilege management vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Apple iPhone 3GS is a smartphone from Apple Inc. of the United States.
There are security holes in Apple iPhone 3GS (old bootrom and new bootrom)
VAR-201911-0441 | CVE-2019-15652 | NSSLGlobal Technologies SatLink VSAT Modem Unit Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
The web interface for NSSLGlobal SatLink VSAT Modem Unit (VMU) devices before 18.1.0 doesn't properly sanitize input for error messages, leading to the ability to inject client-side code. The NSSLGlobal SatLink VSAT Modem Unit (VMU) device contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. NSSLGlobal Technologies SatLink VSAT Modem Unit (VMU) is a Very Small Aperture Terminal (VSAT) modem from NSSLGlobal Technologies.
Cross-site scripting vulnerability exists in the web interface in NSSLGlobal Technologies SatLink VMU versions prior to 18.1.0. The vulnerability stems from the lack of proper validation of client data by web applications. An attacker could use this vulnerability to execute client code
VAR-201911-1657 | CVE-2019-11287 | Pivotal RabbitMQ and RabbitMQ for Pivotal Platform Vulnerable to resource exhaustion |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing. Pivotal RabbitMQ and RabbitMQ for Pivotal Platform contain a resource exhaustion vulnerability. Service operation may be interrupted (DoS).
==========================================================================
Ubuntu Security Notice USN-5004-1
June 24, 2021
rabbitmq-server vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.04
- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in rabbitmq-server.
Software Description:
- rabbitmq-server: AMQP server written in Erlang
Details:
It was discovered that RabbitMQ incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a denial of service. This
issue only affected Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. (CVE-2019-11287)
Jonathan Knudsen discovered RabbitMQ incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2021-22116)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 21.04:
rabbitmq-server 3.8.9-2ubuntu0.1
Ubuntu 20.10:
rabbitmq-server 3.8.5-1ubuntu0.2
Ubuntu 20.04 LTS:
rabbitmq-server 3.8.2-0ubuntu1.3
Ubuntu 18.04 LTS:
rabbitmq-server 3.6.10-1ubuntu0.5
Ubuntu 16.04 ESM:
rabbitmq-server 3.5.7-1ubuntu0.16.04.4+esm1
In general, a standard system update will make all the necessary changes.
=====================================================================
Red Hat Security Advisory
Synopsis: Important: rabbitmq-server security update
Advisory ID: RHSA-2020:0078-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2020:0078
Issue date: 2020-01-13
CVE Names: CVE-2019-11287
=====================================================================
1. Summary:
An update for rabbitmq-server is now available for Red Hat OpenStack
Platform 15 (Stein).
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenStack Platform 15.0 - ppc64le, x86_64
3. Description:
RabbitMQ is an implementation of AMQP, the emerging standard for high
performance enterprise messaging. The RabbitMQ server is a robust and
scalable implementation of an AMQP broker.
Security Fix(es):
* "X-Reason" HTTP Header can be leveraged to insert a malicious string
leading to DoS (CVE-2019-11287)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Package List:
Red Hat OpenStack Platform 15.0:
Source:
rabbitmq-server-3.7.22-1.el8ost.src.rpm
ppc64le:
rabbitmq-server-3.7.22-1.el8ost.ppc64le.rpm
x86_64:
rabbitmq-server-3.7.22-1.el8ost.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-11287
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
VAR-201911-1169 | CVE-2019-18610 | Sangoma Asterisk and Certified Asterisk Vulnerabilities related to lack of authentication |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system authorization could use a specially crafted Originate AMI request to execute arbitrary system commands. Refer to the vendor information and take appropriate measures. Sangoma Technologies Asterisk is an open source telephone exchange (PBX) system software. The software supports voice mail, multi-party voice conferencing, interactive voice response (IVR), and more.
Affected Versions
  Product               Release Series
  Asterisk Open Source  13.x            All releases
  Asterisk Open Source  16.x            All releases
  Asterisk Open Source  17.x            All releases
  Certified Asterisk    13.21           All releases
Corrected In
  Product               Release
  Asterisk Open Source  13.29.2
  Asterisk Open Source  16.6.2
  Asterisk Open Source  17.0.1
  Certified Asterisk    13.21-cert5
Patches
  SVN URL                                                             Revision
  http://downloads.asterisk.org/pub/security/AST-2019-007-13.diff     Asterisk 13
  http://downloads.asterisk.org/pub/security/AST-2019-007-16.diff     Asterisk 16
  http://downloads.asterisk.org/pub/security/AST-2019-007-17.diff     Asterisk 17
  http://downloads.asterisk.org/pub/security/AST-2019-007-13.21.diff  Certified Asterisk 13.21-cert5
Links https://issues.asterisk.org/jira/browse/ASTERISK-28580
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2019-007.pdf and
http://downloads.digium.com/pub/security/AST-2019-007.html
Revision History
Date Editor Revisions Made
October 24, 2019 George Joseph Initial Revision
November 21, 2019 Ben Ford Added “Posted On” date
Asterisk Project Security Advisory - AST-2019-007
Copyright © 2019 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form
VAR-202001-0770 | CVE-2019-15961 | Clam AntiVirus software Vulnerabilities related to resource exhaustion |
CVSS V2: 7.1 CVSS V3: 6.5 Severity: MEDIUM |
A vulnerability in the email parsing module of Clam AntiVirus (ClamAV) Software versions 0.102.0, 0.101.4 and prior could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to inefficient MIME parsing routines that result in extremely long scan times of specially formatted email files. An attacker could exploit this vulnerability by sending a crafted email file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to scan the crafted email file indefinitely, resulting in a denial of service condition. Clam AntiVirus (ClamAV) software contains a resource exhaustion vulnerability. A denial of service (DoS) condition may result. Clam AntiVirus is an open source antivirus engine from the ClamAV team for detecting Trojans, viruses, malware and other malicious threats. A resource management error vulnerability exists in Clam AntiVirus versions prior to 0.102.1 and versions prior to 0.101.5.
=========================================================================
Ubuntu Security Notice USN-4230-2
January 23, 2020
clamav vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 ESM
- Ubuntu 12.04 ESM
Summary:
ClamAV could be made to crash if it opened a specially crafted file.
Software Description:
- clamav: Anti-virus utility for Unix
Details:
USN-4230-1 fixed a vulnerability in ClamAV. This update provides
the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.
Original advisory details:
It was discovered that ClamAV incorrectly handled certain MIME messages.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 ESM:
clamav 0.102.1+dfsg-0ubuntu0.14.04.1+esm1
Ubuntu 12.04 ESM:
clamav 0.102.1+dfsg-0ubuntu0.12.04.1
This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
References:
https://usn.ubuntu.com/4230-2
https://usn.ubuntu.com/4230-1
CVE-2019-15961
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202003-46
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: ClamAV: Multiple vulnerabilities
Date: March 19, 2020
Bugs: #702010, #708424
ID: 202003-46
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in ClamAV, the worst of which
could result in a Denial of Service condition.
Background
==========
ClamAV is a GPL virus scanner.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-antivirus/clamav < 0.102.2 >= 0.102.2
Description
===========
Multiple vulnerabilities have been discovered in ClamAV. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All ClamAV users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.102.2"
References
==========
[ 1 ] CVE-2019-15961
https://nvd.nist.gov/vuln/detail/CVE-2019-15961
[ 2 ] CVE-2020-3123
https://nvd.nist.gov/vuln/detail/CVE-2020-3123
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202003-46
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2020 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
VAR-201911-1650 | CVE-2018-8879 | Asuswrt-Merlin Firmware out-of-bounds vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Stack-based buffer overflow in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices allows remote attackers to execute arbitrary code by providing a long string to the blocking.asp page via a GET or POST request. Vulnerable parameters are flag, mac, and cat_id. The Asuswrt-Merlin firmware contains a vulnerability related to out-of-bounds writing. Information may be obtained or altered, and service operation may be disrupted (DoS). ASUS Asuswrt-Merlin is a firmware that runs in its router
VAR-201911-1137 | CVE-2019-16758 | Lexmark Services Monitor Path traversal vulnerability |
Related entries in the VARIoT exploits database: VAR-E-201911-0217 |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
In Lexmark Services Monitor 2.27.4.0.39 (running on TCP port 2070), a remote attacker can use a directory traversal technique using /../../../ or ..%2F..%2F..%2F to obtain local files on the host operating system. Lexmark Services Monitor contains a path traversal vulnerability. Information may be obtained. Lexmark Services Monitor is a service monitor for Lexmark products from Lexmark
VAR-201911-0810 | CVE-2019-5071 | Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route In OS Command injection vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route (AC9V1.0 Firmware V15.03.05.16multiTRU). A specially crafted HTTP POST request can cause a command injection in the DNS1 post parameters, resulting in code execution. An attacker can send an HTTP POST request containing a command to trigger this vulnerability. Tenda AC9 is a wireless router.
Tenda AC9 /goform/WanParameterSetting has a security vulnerability in its handling of the DNS1 POST parameters, allowing remote attackers to submit special requests and execute arbitrary OS commands
VAR-201911-0811 | CVE-2019-5072 | Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route In OS Command injection vulnerability |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route (AC9V1.0 Firmware V15.03.05.16multiTRU). A specially crafted HTTP POST request can cause a command injection in the DNS2 post parameters, resulting in code execution. An attacker can send an HTTP POST request containing a command to trigger this vulnerability. Tenda AC9 is a wireless router from China's Tenda.
The /goform/WanParameterSetting function in Tenda AC9 has an operating system command injection vulnerability. The vulnerability arises because the network system or product does not properly filter special characters, commands, etc. when constructing an executable operating system command from external input data
VAR-201911-0393 | CVE-2019-5637 | Beckhoff TwinCAT Vulnerable to division by zero |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
When Beckhoff TwinCAT is configured to use the Profinet driver, a denial of service of the controller could be reached by sending a malformed UDP packet to the device. This issue affects TwinCAT 2 version 2304 (and prior) and TwinCAT 3.1 version 4204.0 (and prior). Beckhoff TwinCAT contains a vulnerability related to division by zero. Service operation may be interrupted (DoS). Beckhoff TwinCAT is a software system consisting of a real-time environment and a real-time system that executes control programs in the development environment of the German Beckhoff company. This system is mainly used for PLC (Programmable Logic Controller) programming, diagnostics, and system configuration.
There are security vulnerabilities in Beckhoff TwinCAT 2 Build 2304 and earlier and 3.1 Build 4024.0 and earlier
VAR-201911-0701 | CVE-2019-18790 | Sangoma Asterisk and Certified Asterisk Vulnerabilities related to lack of authentication |
CVSS V2: 5.8 CVSS V3: 6.5 Severity: MEDIUM |
An issue was discovered in channels/chan_sip.c in Sangoma Asterisk 13.x before 13.29.2, 16.x before 16.6.2, and 17.x before 17.0.1, and Certified Asterisk 13.21 before cert5. A SIP request can be sent to Asterisk that can change a SIP peer's IP address. A REGISTER does not need to occur, and calls can be hijacked as a result. The only thing that needs to be known is the peer's name; authentication details such as passwords do not need to be known. This vulnerability is only exploitable when the nat option is set to the default, or auto_force_rport. Sangoma Technologies Asterisk is an open source telephone exchange (PBX) system software. The software supports voice mail, multi-party voice conferencing, interactive voice response (IVR), and more. An attacker could use this vulnerability to cause a denial of service.
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity Minor
Exploits Known No
Reported On October 17, 2019
Reported By Andrey V. T.
Modules Affected channels/chan_sip.c
Resolution Using any other option value for “nat” will prevent the
attack (such as “nat=no” or “nat=force_rport”), but will
need to be tested on an individual basis to ensure that it
works for the user’s deployment. On the fixed versions of
Asterisk, it will no longer set the address of the peer
before authentication is successful when a SIP request comes
in.
Affected Versions
  Product               Release Series
  Asterisk Open Source  13.x            All releases
  Asterisk Open Source  16.x            All releases
  Asterisk Open Source  17.x            All releases
  Certified Asterisk    13.21           All releases
Corrected In
  Product               Release
  Asterisk Open Source  13.29.2
  Asterisk Open Source  16.6.2
  Asterisk Open Source  17.0.1
  Certified Asterisk    13.21-cert5
Patches
  SVN URL                                                             Revision
  http://downloads.asterisk.org/pub/security/AST-2019-006-13.diff     Asterisk 13
  http://downloads.asterisk.org/pub/security/AST-2019-006-16.diff     Asterisk 16
  http://downloads.asterisk.org/pub/security/AST-2019-006-17.diff     Asterisk 17
  http://downloads.asterisk.org/pub/security/AST-2019-006-13.21.diff  Certified Asterisk 13.21-cert5
Links https://issues.asterisk.org/jira/browse/ASTERISK-28589
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2019-006.pdf and
http://downloads.digium.com/pub/security/AST-2019-006.html
Revision History
Date Editor Revisions Made
October 22, 2019 Ben Ford Initial Revision
November 14, 2019 Ben Ford Corrected and updated fields for
versioning, and added CVE
November 21, 2019 Ben Ford Added “Posted On” date
Asterisk Project Security Advisory - AST-2019-006
Copyright © 2019 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form
VAR-201911-1035 | CVE-2019-16340 | Belkin Linksys Velop Vulnerability in authentication bypass by user control key in device |
CVSS V2: 6.4 CVSS V3: 9.8 Severity: CRITICAL |
Belkin Linksys Velop 1.1.8.192419 devices allow remote attackers to discover the recovery key via a direct request for the /sysinfo_json.cgi URI. The Belkin Linksys Velop device contains an authentication bypass vulnerability with a user-controlled key. Information may be obtained or altered, and service operation may be disrupted (DoS). Belkin Linksys Velop is a modular mesh home WiFi system.
Belkin Linksys Velop /sysinfo_json.cgi has a security vulnerability
VAR-201911-1367 | CVE-2019-18976 | Sangoma Asterisk and Certified Asterisk In NULL Pointer dereference vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An issue was discovered in res_pjsip_t38.c in Sangoma Asterisk through 13.x and Certified Asterisk through 13.21-x. If it receives a re-invite initiating T.38 faxing and has a port of 0 and no c line in the SDP, a NULL pointer dereference and crash will occur. This is different from CVE-2019-18940. Service operation may be interrupted (DoS). Sangoma Technologies Asterisk is an open source telephone exchange (PBX) system software. The software supports voicemail, multi-party voice conferencing, interactive voice response (IVR), and more. The vulnerability originates from improper design or implementation during code development of a network system or product. An attacker could use this vulnerability to execute malicious code.
Asterisk Project Security Advisory -
Product Asterisk
Summary Re-invite with T.38 and malformed SDP causes crash.
Nature of Advisory Remote Crash
Susceptibility Remote Authenticated Sessions
Severity Minor
Exploits Known No
Reported On November 07, 2019
Reported By Salah Ahmed
Posted On November 21, 2019
Last Updated On November 21, 2019
Advisory Contact bford AT sangoma DOT com
CVE Name CVE-2019-18976
Description If Asterisk receives a re-invite initiating T.38
faxing and has a port of 0 and no c line in the SDP, a
crash will occur.
Modules Affected res_pjsip_t38.c
Resolution If T.38 faxing is not needed, then the “t38_udptl”
configuration option in pjsip.conf can be set to “no” to
disable the functionality. This option automatically
defaults to “no” and would have to be manually turned on to
experience this crash.
If T.38 faxing is needed, then Asterisk should be upgraded
to a fixed version.
Affected Versions
  Product               Release Series
  Asterisk Open Source  13.x            All versions
  Certified Asterisk    13.21           All versions
Corrected In
  Product               Release
  Asterisk Open Source  13.29.2
  Certified Asterisk    13.21-cert5
Patches
  SVN URL                                                             Revision
  http://downloads.asterisk.org/pub/security/AST-2019-008-13.diff     Asterisk 13
  http://downloads.asterisk.org/pub/security/AST-2019-008-13.21.diff  Certified Asterisk 13.21-cert5
Links https://issues.asterisk.org/jira/browse/ASTERISK-28612
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at http://downloads.digium.com/pub/security/.pdf
and http://downloads.digium.com/pub/security/.html
Revision History
Date Editor Revisions Made
November 12, 2019 Ben Ford Initial Revision
November 21, 2019 Ben Ford Added “Posted On” date
Asterisk Project Security Advisory -
Copyright © 2019 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form
VAR-201911-1354 | CVE-2019-19202 | Vtiger Inappropriate default permission vulnerability |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request. Vtiger contains a vulnerability with inappropriate default permissions. Information may be obtained or altered, and service operation may be disrupted (DoS). Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by the American company Vtiger. The management system provides functions such as management, collection, and analysis of customer information. Vtiger CRM 7.x prior to 7.2.0 has a security vulnerability in the My Preferences save functionality. An attacker could exploit this vulnerability to modify their own persona
VAR-201911-1328 | CVE-2019-17421 | Zoho ManageEngine OpManager and Firewall Analyzer Inappropriate default permission vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
Incorrect file permissions on the packaged Nipper executable file in Zoho ManageEngine OpManager 12.4.072 and Firewall Analyzer 12.4.072 allow local users to elevate privileges to root by overwriting this file with a malicious payload. Zoho ManageEngine OpManager and Firewall Analyzer contain a vulnerability with inappropriate default permissions. Information may be obtained or altered, and service operation may be disrupted (DoS). Both ZOHO ManageEngine OpManager and ZOHO ManageEngine Firewall Analyzer are products of ZOHO, an American company. ZOHO ManageEngine OpManager is a set of network, server and virtualization monitoring software. ZOHO ManageEngine Firewall Analyzer is a set of web-based firewall log analysis tools, which can collect, correlate, analyze and report logs on firewalls, proxy servers and Radius servers throughout the enterprise. There are security vulnerabilities in ZOHO ManageEngine OpManager version 12.4.072 and ZOHO ManageEngine Firewall Analyzer version 12.4.072
VAR-201911-1428 | CVE-2019-2266 | plural Snapdragon Products use free memory vulnerability |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Possible double free issue in kernel while handling the camera sensor and its sub modules power sequence in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8053, IPQ4019, IPQ8064, MDM9206, MDM9207C, MDM9607, MSM8909, MSM8909W, Nicobar, QCA9980, QCS405, QCS605, SDM845, SDX24, SM7150, SM8150. Multiple Snapdragon products contain a vulnerability related to the use of freed memory. Information may be acquired or falsified, and a denial of service (DoS) condition may result