A vulnerability was discovered under Pulse Connect Secure (PCS).  This includes an authentication by-pass vulnerability that can allow a remote unauthenticated attacker to perform remote arbitrary file execution on the Pulse Connect Secure gateway.  CVSSv3 score of 10. This is actively being exploited.  No patches yet, only workaround.
More info. And here. And here.

Delta Industrial Automation COMMGR contains a Stack-based Buffer Overflow. Successful exploitation of this vulnerability could allow for RCE or DoS. CVSSv3 score of 9.8
More info.

Aruba has released updates to ClearPass Policy Manager that address multiple security vulnerabilities, including a vulnerability in the web-based management interface of ClearPass that allows an unauthenticated remote attacker to conduct a SSRF attack, leading to RCE and total cluster compromise. CVSSv3 score of 9.8
More info.

Aruba has released updates to the AirWave Management Platform that address multiple security vulnerabilities, including an authentication bypass in AirWave Web-based Management Interfacewhich allows an unauthenticated attacker to assume an administrative role. Highest CVSSv3 score of 8.1
More info.

TIBCO Administrator contains an easily exploitable vulnerability that allows an unauthenticated attacker to social engineer a legitimate user with network access to execute a Stored XSS attack targeting the affected system. CVSSv3 score of 9.6
More info.

Google has updated Chrome to fix seven vulnerabilities, most rated High.  Actively exploited.
More info.

Oracle Quarterly Patches are out, with fixes for 390 vulnerabilities, 221 of which can be remotely exploited without authentication.  Highest CVSSv3 score of 9.8, for many of them.
More info.

Meinberg has updated LANTIME firmware to include fixes for vulnerabilities in OpenSSL, sudo, and the Meinberg LTOS web interface. 
More info.

Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. If the link is specifically crafted this could lead to untrusted code execution.
More info.

Vulnerabilities in Java affects IBM Cloud Application Business Insights and InfoSphere Streams. Highest CVSSv3 score of 9.8
More info. And here.

Dell has published updates for Unity, UnityVSA, and Unity XT to correct multiple security vulnerabilities, including plain-text password storage, that may be exploited by malicious users to compromise the affected system. Dell rates this Critical.
More info.

Dell NetWorker stores plain-text credentials in server log files. Dell rates this High.
More info.

SonicWall has published patches to mitigate three zero-day vulnerabilities to its hosted and on-premises email security products. These include allowing an attacker to create an administrative account, One has been seen exploited in the wild.
More info.

SUSE has updated the kernel and others. More info.
OpenSUSE has updated the kernel. More info.
Red Hat has updated the kernel and others. More info.
Ubuntu has updated openslp. More info.
Mageia has updated the kernel and others. More info.

An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. This is rated Critical.
More info.

A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This is rated Critical.
More info.

GitLab has released new versions that contain important security fixes, including fixes for RCE vulnerabilities.
More info.

Multiple vulnerabilities in FasterXML jackson-databind and Bouncy Castle affect Apache Solr shipped with IBM Operations Analytics - Log Analysis.  Highest CVSSv3 score of 9.8
More info. And here.

IBM Watson OpenScale on Cloud Pak for Data is impacted by Vulnerabilities in Node.js.  Highest CVSSv3 score of 9.8
More info.

A vulnerability in IBM Java SDK affects IBM Transformation Extender.  CVSSv3 score of 9.8
More info.

NetApp has published six new bulletins identifying vulnerabilities in third-party software included in their products.  No patches yet.
More info.

Mozilla has published security bulletins for Firefox, Firefox ESR, and Thunderbird, all rated High.
More info.

EIPStackGroup has published a security bulletin for OpENer EtherNet/IP for several vulnerabilities, including Incorrect Conversion Between Numeric Types, Out-of-bounds Read, and Reachable Assertion. Successful exploitation of these vulnerabilities could cause a denial-of-service condition and data exposure. Highest CVSSv3 score of 8.2
More info.

Microsoft has updated chromium-based Edge to include  the latest security vulnerability fixes provided from Google.
More info.

Several McAfee products have been updated with the latest OpenSSL updates.  Highest CVSSv3 score of 7.4
More info.

Endpoint Security for Windows has been updated to fix a Cleartext transmission of sensitive information vulnerability.  CVSSv3 score of 4.8
More info.

F5OS and Traffix SDC contains NSS vulnerabilities.  Highest CVSSv3 score of 6.8  No patches yet.
More info. And here.

A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. QNAP rates this High.
More info.

SUSE has updated the kernel, xorg-x11-server, and others. More info.
Red Hat has updated libldb and others. More info.
Oracle Linux has updated libldb, sudo, and others. More info.
Ubuntu has updated the kernel, networkmanager, and others. More info.
Mageia has updated x11-server and others. More info.
Alpine Linux has updated to 3.13.5, as well as updates for older versions. More info.

Juniper Networks Quarterly Patches are out, with 60 new bulletins.  Products addressed include Junos OS, Junos OS Evolved, Junos Space, Secure Analytics, Paragon Active Assurance, NFX Series, SRC Series, Contrail Insights
More info.

NFX Series: Hard-coded credentials allows an attacker to take control of any instance through administrative interfaces. CVSSv3 score of 10.
More info.

Palo Alto Networks Monthly Patches brings 4 bulletins, ranging from CVSSv3 score of 6.7 to 2.3.  All vulnerabilities require privileges.
More info.

Microsoft has updated Chrome-based Edge to include the two recent security fixes.
More info. And here.

Vulnerabilities in IBM Java, Java runtime, and Java SDK affects several IBM products. Highest CVSSv3 score of 9.8
More info.

Network Performance Insight are affected by jackson-databind and Apache Cassandra vulnerabilities. Highest CVSSv3 score of 9.8
More info. And here.

TensorFlow is vulnerable to a heap-based buffer overflow and denial of service on IBM Watson Machine Learning on CP4D. Highest CVSSv3 score of 9.
More info.

Dell Networking W-Series remediation is available for multiple vulnerabilities that may be exploited by malicious users to compromise the affected system. Dell rates this Critical.
More info.

Dell PowerEdge VRTX and Dell Networking X-Series remediation is available for a weak password encryption vulnerability that may be exploited by malicious users to compromise the affected system. Dell rates this High.
More info. And here.

Google has published updates for Chrome for Desktop that fixes 37 security vulnerabilities.
More info.

Microsoft Monthly Patches are out and includes 114 vulnerabilities, 19 rated Critical, 4 previously disclosed, and 1 being exploited. Highest CVSSv3 score of 9.8.
More info. And here. And here.

There is another set of Microsoft Exchange Server Remote Code Execution vulnerabilites across versons 2013 - 2019. No known exploits are being reported. CVSSv3 score of 9.8
More info. And here. And here.

Adobe has published security updates for PhotoShop, Digital Editions, Bridge, and RoboHelp.  The first three contain Critical vulnerability fixes.
More info.

JTEKT Corporation's TOYOPUC products contain an Improper Resource Shutdown or Release vulnerability.  Successful exploitation of this vulnerability could allow an unauthorized user to stop Ethernet communications between devices from being established. CVSSv3 score of 7.5
More info.

Advantech WebAccess/SCADA contains an Incorrect Permission Assignment for Critical Resource vulnerability. Successful exploitation of this vulnerability could allow an attacker to login as an ‘admin’ to fully control the system. CVSSv3 score of 8.8
More info.

Google has published an update for Chrome for Desktop that includes two security fixes, both rated High and being exploited in the wild.  One more vulnerability exists but has not yet been fixed. No public exploit for that yet.
More info. And here.

NAME:WRECK is a set of DNS vulnerabilities that could cause either DoS or Remote Code Execution, allowing attackers to take targeted devices offline or to gain control over them. NAME:WRECK vulnerabilities impact FreeBSD software used in high-performance servers in millions of IT networks, and popular firmware, such as Nucleus NET used in critical IoT/OT devices, as well as NetX and IPnet.
More info. And here.

Several of the Siemens products from yesterday's patch day include these vulnerabilities.

OpenClinic GA contains several vulnerabilities that could allow an adversary to carrot out a wide range of malicious actions, including injecting SQL code into the targeted server or elevating their privileges. Highest CVSSv3 score of 10
More info. And here.

SUSE has updated the kernel, xorg-x11-server, and others. More info.
CentOS has updated screen. More info.
Ubuntu has updated the kernel, x.org x server, and others. More info.

Siemens has published 14 new bulletins and 17 updated bulletins for their Monthly Patches. The highest CVSSv3 score of the new bulletins is 10.
More info.

Siemens has released hotfixes for Siveillance Video Open Network Bridge (ONVIF) which fix a security vulnerability related to unsecure storage of ONVIF user credentials. The vulnerability could allow an authenticated remote attacker to retrieve and decrypt all user credentials stored on the ONVIF server. CVSSv3 score of 9.9
More info.

Due to SmartClient Installation technology (ClickOnce) a customer/integrator needs to create a customer specific Smartclient installer. The mentioned products delivered a trusted but yet expired codesigning certificate. An attacker could have exploited the vulnerability by spoofing the code-signing certificate and signing a malicious executable resulting in having a trusted digital signature from a trusted provider. The certificate was revoked immediately. CVSSv3 score of 10
More info.

Siemens products include in Control Center Server (CCS) from PKE. Multiple vulnerabilities exist in CCS, including authentication bypass, path traversal, information disclosure, privilege escalation, SQL injection, XSS, and insufficient logging. Highest CVSSv3 score of 9.9
More info. And here.

Several Siemens products contain identified in DNS implementations, also known as "NAME:WRECK" vulnerabilities. The DNS client of affected products contains multiple vulnerabilities related to the handling of DNS responses and requests. The most severe could allow an attacker to manipulate the DNS responses and cause a DoS or remote code execution. Highest CVSSv3 score of 8.1
More info. And here. And here.

Several SCALANCE X-200 switches contain buffer overflow vulnerabilities in the web server. In the most severe case an attacker could potentially remotely execute code. CVSSv3 score of 9.8 No patches yet.
More info.

The IPv6 stack of several Siemens products contains two vulnerabilities when processing IPv6 headers which could allow an attacker to cause a DoS. CVSSv3 score of 7.5
More info.

The latest update for SINEMA Remote Connect Server fixes two DoS vulnerabilities in the underlying third-party XML parser. CVSSv3 score of 7.5
More info.

There are multiple vulnerabilities in the underlying NTP component of Siemens TIM 4R-IE, which is included in SIPLUS NET products. Highest CVSSv3 score of 9.8.  No patches, only workarounds.
More info.

SIMOTICS CONNECT 400 is affected by DNS Client vulnerabilities as initially reported in Siemens Security Advisory SSA-705111 for the Mentor DNS Module. CVSSv3 score of 6.5. No patches yet.
More info.

Schneider Electric Monthly Patches are out with two new bulletins and two updated bulletins.
More info.

Schneider Electric is aware of multiple Microsoft Windows vulnerabilities in its NTZ Mekhanotronika Rus. LLC control panels. An attacker may be able to take control of the system through the exploitation of the vulnerabilities. Highest CVSSv3 score of 7.8
More info.

SAP Monthly Patch Day includes the release of 14 Security Notes. There were 5 updates to previously released Patch Day Security Notes. One of the new notes is rated Hot News and allows RCE with a CVSSv3 score of 9.9.  Four of the new notes are rated High, the rest Medium.
More info.

Dell PowerScale OneFS contains remediation for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system. Highest CVSSv3 score of 9.8
More info. And here.

SUSE has updated the kernel and others. More info.
Red Hat has updated the kernel and others. More info.
Oracle Linux has updated the kernel. More info.

SUSE has updated fwupdate, wpa-supplicant, and others. More info.
OpenSUSE has updated the kernel and others. More info.
CentOS has update dthe kernel and libldb. More info.