In FreeRDP less than or equal to 2.0.0, an Integer Overflow to Buffer Overflow exists. When using /video redirection, a manipulated server can instruct the client to allocate a buffer with a smaller size than requested due to an integer overflow in size calculation. With later messages, the server can manipulate the client to write data out of bound to the previously allocated buffer. This has been patched in 2.1.0.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Affected versions**

<= 2.0.0

**Description**

**Impact**

*   All FreeRDP clients, all platforms

When using /video redirection a manipulated server can instruct the client to allocate a buffer which is allocated with a smaller size than requested due to an integer overflow in size calculation.  
With later messages the server can manipulate the client to write data out of bound to the previously allocated buffer.

**Workarounds**

Deactivate VIDEO redirection client side, don´ t use /video

**References**

*   https://pub.freerdp.com/cve/CVE-2020-11038/

CVE-2020-11038: Integer overflow in VIDEO channel

A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element. This vulnerability affects Firefox < 76.

**Mozilla Foundation Security Advisory 2020-16**

Announced

May 5, 2020

Impact

critical

Products

Firefox

Fixed in

*   Firefox 76

**#CVE-2020-12387: Use-after-free during worker shutdown**

Reporter

Looben Yang

Impact

critical

**Description**

A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash.

**References**

*   Bug 1545345

**#CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens**

Reporter

James Forshaw of Google Project Zero

Impact

critical

**Description**

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1618911

**#CVE-2020-12389: Sandbox escape with improperly separated process types**

Reporter

Niklas Baumstark

Impact

high

**Description**

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1554110

**#CVE-2020-6831: Buffer overflow in SCTP chunk input validation**

Reporter

Natalie Silvanovich of Google Project Zero

Impact

high

**Description**

A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1632241

**#CVE-2020-12390: Incorrect serialization of nsIPrincipal.origin for IPv6 addresses**

Reporter

Giorgio Maone

Impact

moderate

**Description**

Incorrect origin serialization of URLs with IPv6 addresses could lead to incorrect security checks

**References**

*   Bug 1141959

**#CVE-2020-12391: Content-Security-Policy bypass using object elements**

Reporter

Giorgio Maone

Impact

moderate

**Description**

Documents formed using `data:` URLs in an `object` element failed to inherit the CSP of the creating context. This allowed the execution of scripts that should have been blocked, albeit with a unique opaque origin.

**References**

*   Bug 1457100

**#CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'**

Reporter

Ophir LOJKINE

Impact

moderate

**Description**

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files.

**References**

*   Bug 1614468

**#CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection**

Reporter

David Yesland

Impact

moderate

**Description**

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1615471

**#CVE-2020-12394: URL spoofing in location bar when unfocussed**

Reporter

Kestrel

Impact

low

**Description**

A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element.

**References**

*   Bug 1628288

**#CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8**

Reporter

Mozilla developers and community

Impact

critical

**Description**

Mozilla developers and community members Alexandru Michis, Jason Kratzer, philipp, Ted Campbell, Bas Schouten, André Bargull, and Karl Tomlinson reported memory safety bugs present in Firefox 75 and Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

**#CVE-2020-12396: Memory safety bugs fixed in Firefox 76**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Frederik Braun, Andrew McCreight, C.M.Chang, and Dan Minor reported memory safety bugs present in Firefox 75. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 76

CVE-2020-12394: Security Vulnerabilities fixed in Firefox 76

An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. When loading a configuration with FromString or FromStream with YAML, one can execute arbitrary Python code, resulting in OS command execution, because safe_load is not used.

CVE-2020-13388: Joel

There is a buffer overwrite vulnerability in the Quram qmg library of Samsung's Android OS versions O(8.x), P(9.0) and Q(10.0). An unauthenticated, unauthorized attacker sending a specially crafted MMS to a vulnerable phone can trigger a heap-based buffer overflow in the Quram image codec leading to an arbitrary remote code execution (RCE) without any user interaction. The Samsung ID is SVE-2020-16747.

CVE-2020-8899

GraphicsMagick through 1.3.35 has a heap-based buffer overflow in ReadMNGImage in coders/png.c.

CVE-2020-12672

An issue was found in Linux kernel before 5.5.4. The mwifiex_cmd_append_vsie_tlv() function in drivers/net/wireless/marvell/mwifiex/scan.c allows local users to gain privileges or cause a denial of service because of an incorrect memcpy and buffer overflow, aka CID-b70261a288ea.

author

Qing Xu <m1s5p6688@gmail.com>

2020-01-02 10:39:27 +0800

committer

Kalle Valo <kvalo@codeaurora.org>

2020-01-27 16:34:34 +0200

commit

b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d (patch)

tree

4b890433ba96c95b071b24e02bbb45ae1f4974b7

parent

3a9b153c5591548612c3955c9600a98150c81875 (diff)

download

linux-b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d.tar.gz  

mwifiex: Fix possible buffer overflows in mwifiex\_cmd\_append\_vsie\_tlv()

mwifiex\_cmd\_append\_vsie\_tlv() calls memcpy() without checking the destination size may trigger a buffer overflower, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy(). Signed-off-by: Qing Xu <m1s5p6688@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

\-rw-r--r--

drivers/net/wireless/marvell/mwifiex/scan.c

7

1 files changed, 7 insertions, 0 deletions

diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c  
index 98f942b797f7b..a7968a84aaf88 100644  
\--- a/drivers/net/wireless/marvell/mwifiex/scan.c  
+++ b/drivers/net/wireless/marvell/mwifiex/scan.c

@@ -2884,6 +2884,13 @@ mwifiex\_cmd\_append\_vsie\_tlv(struct mwifiex\_private \*priv,

vs\_param\_set->header.len =

cpu\_to\_le16((((u16) priv->vs\_ie\[id\].ie\[1\])

& 0x00FF) + 2);

\+ if (le16\_to\_cpu(vs\_param\_set->header.len) >

\+ MWIFIEX\_MAX\_VSIE\_LEN) {

\+ mwifiex\_dbg(priv->adapter, ERROR,

\+ "Invalid param length!\\n");

\+ break;

\+ }

+

memcpy(vs\_param\_set->ie, priv->vs\_ie\[id\].ie,

le16\_to\_cpu(vs\_param\_set->header.len));

\*buffer += le16\_to\_cpu(vs\_param\_set->header.len) +

CVE-2020-12653: git/torvalds/linux.git - Linux kernel source tree

ABB MicroSCADA Pro SYS600 version 9.3 suffers from an instance of CWE-306: Missing Authentication for Critical Function.

Back to Search

**ABB MicroSCADA wserver.exe Remote Code Execution**

**Description**

This module exploits a remote stack buffer overflow vulnerability in ABB MicroSCADA. The issue is due to the handling of unauthenticated EXECUTE operations on the wserver.exe component, which allows arbitrary commands. The component is disabled by default, but required when a project uses the SCIL function WORKSTATION\_CALL. This module has been tested successfully on ABB MicroSCADA Pro SYS600 9.3 on Windows XP SP3 and Windows 7 SP1.

**Author(s)**

*   Brian Gorenc
*   juan vazquez <juan.vazquez@metasploit.com>

**Platform**

Windows

**Architectures**

x86

**Development**

*   Source Code
*   History

**Module Options**

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

    msf > use exploit/windows/scada/abb_wserver_exec
    msf exploit(abb_wserver_exec) > show targets
        ...targets...
    msf exploit(abb_wserver_exec) > set TARGET < target-id >
    msf exploit(abb_wserver_exec) > show options
        ...show and set options...
    msf exploit(abb_wserver_exec) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;

CVE-2019-5620: ABB MicroSCADA wserver.exe Remote Code Execution

An array overflow was discovered in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c in the Linux kernel before 5.5.10, aka CID-b102f0c522cf. An oversized packet with too many rx fragments can corrupt memory of adjacent pages.

CVE-2020-12465

cbs_jpeg_split_fragment in libavcodec/cbs_jpeg.c in FFmpeg 4.1 and 4.2.2 has a heap-based buffer overflow during JPEG_MARKER_SOS handling because of a missing length check.

About Monorail User Guide Release Notes Feedback on Monorail Terms Privacy

CVE-2020-12284: 19734 - oss-fuzz - OSS-Fuzz: Fuzzing the planet

Heap buffer overflow in media in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

**Chrome Releases**

Release updates from the Chrome team

Tag

#buffer_overflow