CVE-2020-11022

CVE-2020-11022 affects jQuery versions >=1.2 and =3.5.0 or apply vendor guidance where applicable.

CVE-2020-11023

The connected Astra Linux bulletin confirms CVE-2020-11023: in jQuery versions >= 1.0.3 and < 3.5.0, passing HTML containing elements from untrusted sources to DOM manipulation methods (e.g., .html(), .append()) may lead to untrusted code execution. Patch released in jQuery 3.5.0. Remediat...

CVE-2020-15801

CVE-2020-15801 (Siemens SIMATIC S7-1500) : The Tenable plugin for Tenable OT documents a vulnerability affecting the SIMATIC S7-1500 family (CPU 1518-4 PN/DP MFP, SIPLUS variants) with all versions prior to V3.1.0. The issue stems from Python 3.8.4 behavior: sys.path restrictions in python38._pth...

CVE-2020-14967

CVE-2020-14967 affects the jsrsasign package for Node.js prior to version 8.0.18. The RSA PKCS1 v1.5 decryption path does not detect ciphertext modifications when zeros are prepended to ciphertexts, allowing modified ciphertexts to be decrypted without error and potentially triggering memory corr...

CVE-2020-14966

The CVE-2020-14966 issue affects the jsrsasign package up to version 8.0.18 in Node.js. Root cause: malleability in ECDSA signatures from insufficient checks of ASN.1/DER encoding, specifically overflow in sequence length and prepended/appended zeroes to integers, allowing altered signatures to v...

CVE-2020-7699

CVE-2020-7699 affects the Node.js Express Fileupload package: versions prior to 1.1.8 are vulnerable when the parseNested option is enabled. The root cause is a prototype pollution issue that can enable denial of service or arbitrary code execution via specially crafted HTTP requests. A fix is av...

CVE-2020-14968

The CVE-2020-14968 issue affects the jsrsasign package for Node.js prior to 8.0.17. Its RSASSA-PSS verification accepts signatures prepended with zero bytes, enabling an attacker to create multiple valid signatures where only one should exist and potentially trigger memory corruption. The confirm...