Rockwell Automation 1734-AENTR Series B and Series C contain Improper Access Control, Cross-site Scripting vulnerabilities.  A remote, unauthenticated attacker can send a crafted request that may allow for modification of the configuration settings. Highest CVSSv3 score of 7.5
More info.

Microsoft has updated chromium-based Microsoft Edge which incorporates the latest security updates of the Chromium project. This update a fix for the vulnerability that is currently being exploited.
More info.

Zyxel has released LTE router patches addressing a vulnerability that allows remote attackers to exploit a CGI script vulnerability arising from a lack of an authentication.
More info.

Cisco has published 13 new bulletins, one rated High and the rest Moderate.
More info.

A vulnerability in the Apache Commons Beanutils used by Service Manager server has been addressed. The vulnerability could be exploited for remote code execution.  CVSSv3 score of 7.3
More info.

NetApp has published 8 new bulletins identfying security vulnerabilities in third-party software included in their products.  No patches yet.
More info.

An Improper Neutralization of Input During Web Page Generation in the SSL VPN portal of FortiProxy may allow an unauthenticated, remote attacker to perform a reflected Cross Site Scripting attack (XSS) by injecting malicious payload in the error, message or redir parameters. CVSSv3 score of 4.6
More info.

SUSE has updated the kernel firmware and others. More info.
Oracle Linux has updated the kernel and others. More info.
Mageia has updated the kernel, kernel firmware, and others. More info.

Microsoft has published an update that fixes 7 RCE vulnerabilities, to address multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.
More info. And here.  And another article here.  Volexity report here.

Google has published an update for Chrome for Desktop that fixes 47 vulnerabilities, one of which is currently being exploited.
More info.

CompactLogix 5370 and ControlLogix 5570 Programmable Automation Controllers contain a vulnerability in the connection establishment algorithm that could allow a remote, unauthenticated attacker to cause infinite wait times in communications with other products resulting in DoS conditions. CVSSv3 score of 5.8
More info.

Trend Micro has released patches for products that utilize either the Virus Scan API (VSAPI) or Advanced Threat Scan Engine (ATSE) to resolve a memory exhaustion vulnerability that may lead to denial-of-service or system freeze if exploited. Highest CVSSv3 score of 5.5
More info.

HCL Domino is susceptible to a Buffer Overflow vulnerability. Using specially crafted inputs an attacker could crash the Domino server or inject malicious code into the system. CVSSv3 score of 8.1
More info.

VMware View Planner contains a remote code execution vulnerability. Improper input validation and lack of authorization lead to arbitrary file upload in logupload web application. An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted file leading to remote code execution within the logupload container. CVSSv3 score of 8.6
More info.

Mageia has updated xterm and others. More info.

Google Android Monthly Patches have been published.  There are 12 addressed CVEs, plus the Qualcomm components.  Four allow remote code execution.  The most severe of the issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.
More info.

Google Pixel Monthly Patches are also out.  Android and Qualcomm vulnerabilties are addressed, as well as an additional 41 CVEs, with 8 of those rated High and the rest Moderate.
More info.

Samsung has published their Monthly Patch bulletin.  Along with Android patches, Samsung Mobile provides 19 SVE items.
More info.

Veritas has discovered an issue where Veritas Backup Exec could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme. CVSSv3 score of 8.2
More info.

Dell has published a security update EMC OpenManage Server Administrator (OMSA) that addresses multiple vulnerabilities. A remote unauthenticated attacker could potentially exploit the greatest vulnerability to gain admin access on the affected system. Highest CVSSv3 score of 8.6
More info. And here.

Red Hat has updated the kernel, bind, and others. More info.

Qualcomm Monthly Patches are out.  16 CVEs are addressed, four rated Critical, the rest High. Highest CVSSv3 score of 9.8
More info.

The Salt Project has released a security update to address 10 vulnerabilities with severity rating Medium to High. Highest CVSSv3 score of 8.1.
More info.

Dell PowerMax eNAS contains remediation for a Microsoft Netlogon vulnerability that may be exploited by malicious users to compromise the affected system. CVSSv3 score of 10.
Note Microsoft published this vulnerability August 2020.
More info.

Dell W-Series Access Points and Controllers contain remediation for an Aruba OS security vulnerability that may be exploited by malicious users to compromise the affected system. CVSSv3 score of 9.8
More info.

Dell EMC SRS Policy Manager contains remediation for an XML External Entity Injection Vulnerability that may be exploited by malicious users to compromise the affected system. CVSSv3 score of 7.2
More info.

Dell SupportAssist Enterprise contains remediation for multiple third-party component security vulnerabilities that may be exploited by malicious users to compromise the affected system. Dell rates this Critical.
Many of the addressed CVEs are several years old, the oldest one dates back to 2014.
More info.

Apache Tomcat has fixed an Information Exposure vulnerability.  When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
More info.

Synology has published seven new security bulletins identifying vulnerabilities in their products.  Four are rated Important, two are Moderate, and one is Low.
More info.

Multiple vulnerabilities allow remote attackers to obtain sensitive information or local users to execute arbitrary code via a susceptible version of DiskStation Manager (DSM).
More info.

OpenSUSE has updated salt, glibc, and others. More info.

Microsoft has updated to the notice for the spoofing vulnerability in Microsoft Exchange Server to add an FAQ detailing further steps that must be performed to enable the protections from the vulnerability.
More info.

Genugate is a multi-level firewall product from the manufacturer genua GmbH. An attacker can exploit a vulnerability in genua genugate with unspecified effects.  Bulletin requires login to view.
More info.

ProSoft Technology ICX35 contains an access control vulnerability.  Changing the password on the module webpage does not require the user to type in the current password first, allowing an attacker to change the current user’s password and alter device configurations. CVSSv3 score of 8.2
More info.

Security vulnerabilities in Go affect IBM Cloud Pak for Multicloud Management Hybrid GRC. Highest CVSSv3 score of 9.8
More info.

NetApp has published six new bulletins identifying vulnerabilities in third-party software included in their products.  No pathes yet.
More info.

SUSE has updated salt, glibc, and others. More info.

Cisco has published 12 new bulletins, 3 rated Critical, 4 rated High, and the rest Medium.
More info.

A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device and receive a token with administrator-level privileges. CVSSv3 score of 10
More info.

Multiple vulnerabilities in Cisco Application Services Engine could allow an unauthenticated, remote attacker to gain privileged access to host-level operations or to learn device-specific information, create diagnostic files, and make limited configuration changes. CVSSv3 score of 9.8
More info.

A vulnerability in the implementation of an internal file management service for Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode that are running Cisco NX-OS Software could allow an unauthenticated, remote attacker to create, delete, or overwrite arbitrary files with root privileges on the device. CVSSv3 score of 9.8
More info.

A vulnerability in the network stack of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The software improperly releases resources when it processes certain IPv6 packets that are destined to an affected device. A successful exploit could cause the network stack to run out of available buffers, requiring manual intervention to restore normal operations on the affected device. CVSSv3 score of 8.1
More info.

A vulnerability with BGP for Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure mode could allow an unauthenticated, remote attacker to send a crafted BGP update to an affected device and cause a routing process to crash, which could lead to a DoS condition. CVSSv3 score of 8.6
More info.

Studio 5000 Logix Designer uses a key to verify Logix controllers are communicating with Rockwell Automation products. If successfully exploited, this vulnerability could allow a remote, unauthenticated attacker to bypass a verification mechanism and authenticate with Logix controllers. If exploited, this vulnerability could enable an unauthorized third-party tool to make changes to the controller configuration and/or application code. CVSSv3 score of 10
More info.

Ubuntu has updated the kernel, screen, xterm, and others. More info.

Advantech industrial cellular routers are vulnerable to the DNS cache poisoning attack known as DNSpooq. The routers are not affected by the high-severity buffer overflow vulnerabilities.
More info.

Mozilla has published updates for Thunderbird, Firefox, and Firefox ESR to fix CSP issues, and memory bugs that could be used to execute arbitrary code. Several of the vulnerabilities are rated High severity.
More info.

The vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. CVSSv3 score of 9.8
We rarely report VMware because it almost always requires a malicious guest login, so take note...
More info.

FreeBSD has published several security bulletins, including a regression in the login.access(5) rule processor has the effect of causing rules to fail to match even when they should not.  This means that rules denying access may be ignored.
More info.

A security vulnerability in Node.js nodemailer module affects IBM Cloud Automation Manager and IBM Cloud Pak for Multicloud Management. By using a specially-crafted recipient email address, an attacker could exploit this vulnerability to execute arbitrary commands on the system.CVSSv3 score of 9.8
More info. More info.

IBM Cloud Pak for Security is vulnerable to cookie spoofing due to a vulnerability found in the DBusServer. An attacker could exploit this vulnerability to bypass authentication to allow a DBusServer with a different uid to read and write in arbitrary locations. CVSSv3 score of 9.1
More info.

Red Hat has updated xterm and others. More info.

PEPPERL+FUCHS has provided firmware updates for multiple vulnerabilities previously reported in Comtrol RocketLinx products. These vulnerabilities may allow remote attackers access, program execution and to tap information. Highest CVSSv3 score of 9.8
More info.

Multiple vulnerabilities exist in IBM Runtime Environment Java used by IBM Integration Designer. Highest CVSSv3 score of 9.8
More info.

Oracle Linux has updated stunnel and xterm. More info.

Multiple security vulnerabilities in third-party software affect IBM Spectrum Symphony and Spectrum Conductor.  IBM has published an interim fix.  Highest CVSSv3 score of 9.8
More info. And here.

Multiple vulnerabilities in Apache POI and Apache Tika affect the Search component of HCL Commerce. These vulnerabilities could lead to denial of service or reading files on the file system. The real issue is the ages of the addressed CVEs, some date back several years.  Highest CVSSv3 score of 7.8
More info.

SonicWall conducted additional reviews to further strengthen the code for the SMA 100 series product line, and has published new firmware.
More info.

SUSE has updated the kernel and others. More info.
Red Hat has updated stunnel and xterm. More info.

Hitachi has published updates for Ops Center Analyzer and Ops Center Common Services.
More info.

NetApp has published nine new security bulletins identifying vulnerabilities in third-party software included in their products.  No patches yet.
More info.

BIG-IP uses curl, which is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. An attacker could provide a forged OCSP response to make it appear that a TLS certificate is valid when it may have actually been revoked. CVSSv3 score of 7.4. No patches yet.
More info.

BIG-IP uses curl, which is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.A malicious FTP server can trigger a stack overflow and cause a DoS. CVSSv3 score of 6.5. No patches yet.
More info.

Oracle Linux has updated the kernel. More info.

Cisco has published 4 new bulletins, one rated High the rest Medium. 
More info.

A vulnerability in the SSH service of the Cisco StarOS operating system could allow an unauthenticated, remote attacker to cause an affected device to stop processing traffic, resulting in a denial of service (DoS) condition. CVSSv3 score of 5.3
More info.

Microsoft has updated Chromium-based Edge with the latest updates.
More info.

A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack. CVSSv3 score of 8.1
More info.

SUSE has updated.  More info.
Debian has updated. More info.

Multiple Mitsubishi Electric FA engineering software products have  multiple DoS vulnerabilities. If a malicious attacker sends specially crafted packets and the software products receive the packets, the attacker may cause a DoS. CVSSv3 score of 7.5
More info.

A vulnerability has been discovered in WebKitGTK and WPE WebKit which could allow for arbitrary code execution. This vulnerability occurs when processing specially crafted web content due to a use after free error. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser.
More info. And here.

Debian has updated. More info.
Ubuntu has updated. More info.

Johnson Controls has confirmed a Path Traversal vulnerability impacting the Metasys Report Engine (MRE) Web Services. The vulnerability could allow a remote unauthenticated attacker to access and download arbitrary files from the system.
More info.

OpenSSL has published an update that corrects three vulnerabilities, one rated Moderate and two rated Low.  OpenSSL attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. A maliciously constructed issuer field may result in a NULL pointer deref and a crash leading to a potential DoS attack.
More info.

Alpine Linux has published version 3.13.2. More info.
Amazon Linux has updated the kernel and others. More info.

Google has published an update for Chrome for Desktop with 10 security fixes, at least 8 of those rated High.  Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser.
More info.

A stack-based buffer overflow vulnerability has been reported to affect QNAP NAS devices running Surveillance Station. If exploited, this vulnerability allows attackers to execute arbitrary code.
More info.

Aruba has released updates to ClearPass Policy Manager that address multiple security vulnerabilities. One allows remote attackers to conduct stored XSS attacks.  Highest CVSSv3 score of 8.0
More info.

For mGuard devices with integrated switch on the LAN side, single switch ports can be disabled by device configuration. After a reboot, affected mGuard devices may unexpectedly receive or send data on disabled switch ports. This includes the unexpected provision of administrative interfaces. Attackers may try to access confidential data or compromise the availability of mGuard services by flooding or resource exhaustion. CVSSv3 score of 5.4
More info.

SUSE has updated the kernel. More info.
Red Hat has updated JBoss Middleware components. More info.
Oracle Linux has updated the kernel. More info.

The Hilscher PROFINET IO Device V3 protocol stack included in many PEPPERL+FUCHS products contain a buffer overflow vulnerability that may allow remote attackers to cause a DoS. CVSSv3 score of 7.5  No patches are available, use external protective measures.
More info. And here.

The Hilscher EtherNet/IP Core V2 included in many PEPPERL+FUCHS products contain a memory corruption vulnerability that allows remote attackers to cause a DoS or inject arbitrary code through the network. CVSSv3 score of 7.5  No patches are available, use external protective measures.
More info. And here.

Dell EMC VPLEX contains updates for security vulnerabilities in third-party software included in the platform.  These vulnerabilities may be exploited by malicious users to compromise the affected system.  Dell rates this Critical.
More info.

The host SSH server of Brocade Fabric OS utilize keys of less than 2048 bits, which may be vulnerable to man-in-the-middle attacks and/or insecure SSH communications. CVSSv3 score of 5.3  Workaround provided.
More info.

RedHat has updated the kernel and others. More info.
Mageia has updated the kernel and others. More info.

A Critical vulnerability has been discovered in the utilized component 499ES EtherNet/IP Stack by Real Time Automation (RTA). Adaptor Source Code is vulnerable to a stack-based buffer overflow, which may allow a remote attacker to send a specially crafted packet that may result in a DoS or RCE. CVSSv3 score of 9.8
Note the RTA IP Stack vulnerabilities have been out for several months.
More info. And here.

IBM WebSphere Application Server is shipped as a component of HCL Digital Experience. WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection Vulnerability. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. CVSSv3 score of 8.2
More info.