Distributed Data Systems WebHMI contains an Authentication Bypass by Primary Weakness vulnerability, and an Unrestricted Upload of File with Dangerous Type vulnerability.  Highest CVSSv3 score of 10.
More info.

Hitachi Energy is aware of a vulnerability in the RTU500 series. An attacker could exploit this vulnerability only on RTU500 series in which BCI IEC 60870-5-104 is configured and enabled by project configuration. An attacker could cause the product to reboot. CVSSv3 score of 7.5
More info.

Hitachi Energy is aware of vulnerabilities in OpenSSL and libxml2 used in the RTU500 series An attacker who successfully exploited this vulnerability could eavesdrops on the traffic, retrieve information from memory or to cause a DoS.  Highest CVSSv3 score of 8.6
More info.

Security vulnerabilities in third party software have been addressed in IBM Cognos Analytics. Highest CVSSv3 score of 9.8
More info.

In response to a security issue with BMC's IPMI LAN+ interface, a new Power System firmware update is being released. CVSSv3 score of 10.
More info.

Multiple vulnerabilities in VMware vCenter plugins affect IBM Cloud Pak System. IBM Cloud Pak System. CVSSv3 score of 9.8
More info.

NetApp has published 5 new bulletins for vulnerabilities in third-party software included in their products.  No patches yet.
More info.

CentOS has updated the kernel. More info.

NSS is vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Mozilla rates this Critical.
More info.

SUSE has updated the kernel. More info.
OpenSUSE has updated the kernel. More info.
Mageia has updated the systemd, glibc, and others. More info.

A vulnerability exists that could allow an unauthenticated attacker to invoke queries to manipulate the Aanderaa GeoView database server. CVSSv3 score of 8.2
More info. And here.

Multiple product vulnerabilities were identified in Moxa’s ioPAC 8500 Series and ioPAC 8600 Series rugged modular programmable controllers, including RCE, cleartext transmission of sensitive information, hard-coded cryptographic key, and unprotected storage of credentials. No patches yet.
More info.

Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise. CVSSv3 score of 9.8
More info.

Red Hat has updated the kernel. More info.
Ubuntu has updated the kernel. More info.

Multiple DoS vulnerabilities exist in MELSEC iQ-R/Q/L series CPU module and MELIPC series. A remote attacker may stop the program execution or Ethernet communication of  the products by sending specially crafted packets. CVSSv3 score of 7.5
More info.

CODESYS Git lacks server certificate validation using HTTPS protocol. Therefore, the server connection is vulnerable to a man-in-the-middle attack. CVSSv3 score of 8.0
More info.

Number:Jack is a set of vulnerabilities in TCP/IP stacks in which ISNs are improperly generated, leaving TCP connections of a device open to attacks. B&R Vision cameras, Safe Logic, Bus Controller, and Motion components are impacted.  CVSSv3 score of 5.7
More info.

IBM Cúram Social Program Management uses the Apache Log4j libraries, for which there is a publicly known vulnerability. For this vulnerability, Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization of untrusted data in SocketServer. CVSSv3 score of 9.8
More info.

A vulnerability in IBM SDK Java affects IBM Cloud Pak System. A stack-based buffer overflow exists allowing a remote attacker to send an overly long string and execute arbitrary code on the system or cause the application to crash. CVSSv3 score of 9.8
More info.

Multiple vulnerabilities have been found in Hitachi Ops Center Analyzer viewpoint and Hitachi Ops Center Viewpoint. Highest CVSSv3 score of 7.5
More info.

A command injection vulnerability and an improper authentication vulnerability have been reported to affect QNAP VS Series NVR running QVR. If exploited, these vulnerabilities allow remote attackers to run arbitrary commands and compromise the security of the system. QNAP rates these Critical and High.
More info. And here.

In some situations the X.509 verifier would discard an error on an unverified certificate chain, resulting in an authentication bypass.
More info.

Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. CVSSv3 score of 9.0
More info.

A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. CVSSv3 score of 5.3
More info.

A vulnerability affecting F-Secure antivirus engine was discovered whereby unpacking UPX file can lead to DoS. The vulnerability can be exploited remotely by an attacker, resulting in DoS of the antivirus engine.
More info.

SUSE has updated the kernel. More info.
Mageia has updated the kernel. More info.

Cisco Expressway Series is vulnerable to recently reported issues in Apache HTTP Server.  Highest CVSSv3 score of 9.0  No patches yet.
More info.

NetApp has published 5 bulletins identifying vulnerabilities in third-party software included in their products.  No patches yet.
More info.

OpenSUSE has updated the kernel. More info.
Alpine Linux 3.15.0 is out. More info.

An issue was discovered in the Linux kernel used in Traffix SDC. The TIPC functionality allows remote attackers to exploit an insufficient validation vulnerability to access restricted information, modify files, or cause a DoS attack. CVSSv3 score of 8.1
More info.

The vSphere Web Client (FLEX/Flash) contains unauthorized arbitrary file read and SSRF vulnerabilities. Highest CVSSv3 score of 7.5.
More info.

Oracle Linux has updated the kernel. More info.

Multiple product vulnerabilities were identified in Moxa’s NPort IAW5000A-I/O Series Servers, including Hard-coded cryptographic keys in firmware and program module, Exposure of sensitive information, and vulnerabilities in third-party software.
More info.

Multiple product vulnerabilities were identified in Moxa’s ioLogik E2200 Series Controllers and I/Os and ioAdmin Configuration Utility, including Improper authentication, Use of client-side authentication, Hard-coded password, Improper access control, and several Buffer overflows.
More info.

Dell EMC Data Protection Central remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system. Dell rates this Critical.
More info.

DELL EMC VNXe1600 contains remediation for multiple third-party components that may be exploited by malicious users to compromise the affected system. Dell rates this High.
More info.

An improper password management vulnerability has been found in specific home routers and WiFi systems. The vulnerability could allow an attacker to gain root access to the device if the remote assistance feature has been enabled by an authenticated user.
More info.

Reflected Cross-Site Scripting vulnerabilities in McAfee Policy Auditor allow a remote unauthenticated attacker to inject arbitrary web script or HTML via the profileNodeID and UID request parameters.  Highest CVSSv3 score of 6.1
More info.

Red Hat has updated the kernel. More info.

Sierra Wireless has published a bulletin covering multiple ALEOS security issues in AirLink products.  Highest CVSSv3 score of 7.5
More info.

Microsoft has updated chromium-based Edge to fix the latest security vulnerabilities.
More info.

Kaspersky has fixed several security problems in consumer products for Windows, including issues with installer being vulnerable to arbitrary file deletion and loading a specially crafted XML file. Also a component in Kaspersky Password Manager could allow an attacker to elevate a process Integrity level from Medium to High.
More info.

SUSE has updated the kernel. More info.

A remote code execution vulnerability in the BMP image codec of BlackBerry QNX SDP could potentially allow a successful attacker to execute code in the context of the affected process. CVSSv3 score of 9.8
More info.

Dell EMC Secure Connect Gateway contains remediation for multiple security vulnerabilities including third-party software. Dell rates this Critical.
More info.

Dell EMC Streaming Data Platform contains remediation for multiple security vulnerabilities that may be exploited by remote attackers.  Dell rates this High. Highest CVSSv3 score of 8.8
More info.

Hitachi has published security bulletins for JP1/Automatic Operation, Command Suite, Automation Director, Configuration Manager, Infrastructure Analytics Advisor, Ops Center, and Cosminexus.
More info.

A heap-based buffer overflow vulnerability has been reported to affect QNAP NAS devices that have Apple File Protocol (AFP) enabled in QTS or QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code. QNAP rates this High.
More info.

A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP NAS running QmailAgent. If exploited, this vulnerability allows remote attackers to trick a victim into performing unintended actions on the web application while the victim is logged in.  QNAP rates this Medium.
More info.

A reflected cross-site scripting (XSS) vulnerability has been reported to affect QNAP NAS running Ragic Cloud DB. If exploited, this vulnerability allows remote attackers to inject malicious code. QNAP rates this Medium, and recommends uninstalling Ragic Cloud DB until a patch is available.
More info.

NetApp has published 6 security bulletins identifying vulnerabilities in third-party software included in their products.  No patches yet.
More info.

Remote buffer overflow and file management vulnerabilities have been identified in an optional management utility named the Emulex HBA Manager for use with HPE Fibre Channel Host Bus Adapters. Highest CVSSv3 score of 9.8
More info.

Crafted communication requests may cause a Null pointer dereference in affected CODESYS products and may result in a DoS. CVSSv3 score of 7.5
More info.

Thales CPL has recently identified a vulnerability in SafeNet Agent for Windows Logon under specific configurations. Login required to see bulletin.
More info.

Philips has identified that IntelliBridge EC40 and EC80 systems contains hard-coded credentials and authentication bypass using an alternate path or channel. These issues may allow an unauthorized attacker to execute software, modify device configuration, or view/update files, including unidentifiable patient data.
More info.

Philips has identified vulnerabilities in Patient Information Center iX  and Efficia CM Series software including Improper input validation, a hard-coded cryptographic key, and Insecure cryptographic algorithm. Successful exploitation of these vulnerabilities may allow an unauthorized attacker access to data and cause a DoS resulting in temporary interruption of viewing of physiological data at the central station. Exploitation does not enable modification or change to point of care devices.
More info.

Wireshark has fixed nine vulnerabilities leading to DoS.
More info.

A vulnerability in the web management interface of FatPipe software could allow a remote attacker to upload a file to any location on the filesystem on an affected device. Actively being exploited.
More info. And here.

Red Hat has updated binutils. More info.
CentOS has updated the kernel and binutils. More info.
Oracle Linux has updated the kernel and binutils. More info.

TIBCO PartnerExpress contains vulnerabilities that allows an remote attacker with network access to execute a clickjacking attack or obtain session tokens for the affected system on the affected system. An attacker can gain full administrative access to the affected system. CVSSv3 score of 9.8
More info. And here.

WAGO has published 3 new bulletins identifying vulnerabilities in CODESYS Runtime, WebVisualisation, and Nucleus RTOS TCP stack that affect their products. Highest CVSSv3 score of 9.8
More info.

Dell has published an EMC Avamar Security Update for vulnerabilities in third-party software included in the product. Dell rates this Critical.
More info.

Multiple vulnerabilities in OpenSSL used by IBM InfoSphere Information Server were addressed. Highest CVSSv3 score of 9.8
More info.

SUSE has updated the kernel. More info.
OpenSUSE has updated the kernel. More info.
Oracle Linux has updated the kernel, binutils, glibc, and others. More info.

Google has published an update for Chrome for Desktop that includes 25 security fixes, the most severe of which could allow for arbitrary code execution.
More info. And here.

A vulnerability in IBM SDK Java affects IBM Cloud Pak System. CVSSv3 score of 9.8
More info.

A buffer overflow issue was identified in the OpenSSL component of IBM MQ and IBM Websphere MQ. CVSSv3 score of 9.8
More info. And here.

Veritas has discovered an issue where Veritas Enterprise Vault could allow RCE on a vulnerable Enterprise Vault Server. CVSSv3 score of 9.8  Only mitigations, no patches yet.
More info.

An Information Tampering vulnerability exists in GOT2000 series, GOT SIMPLE series and GT SoftGOT2000 due to improper input validation for device value. An attacker may write a value that exceeds the configured input range limit by sending a malicious packet to rewrite the device value, affecting system operation. CVSSv3 score of 7.5  Mitigations only.
More info.

OpenSUSE has updated the kernel. More info.
Red Hat has updated the kernel. More info.

The LANTIME Firmware includes updates to the kernel, software tools, and changes to the Meinberg LTOS Web Interface to fix several vulnerabilities.
More info.

OpenSUSE has updated binutils. More info.
Red Hat has updated the kernel and binutils. More info.

Thirteen vulnerabilities have been found in multiple open-source and proprietary Object Management Group (OMG) Data-Distribution Service (DDS) implementations.  Seven of these are exploitable by remote attackers for DoS, RCE, or Information Exposure.  Highest CVSSv3 score of 8.6
More info.

A vulnerability exists in Hitachi Command Suite, Hitachi Ops Center API Configuration Manager，Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer. A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. CVSSv3 score of 9.0
More info.

A stack buffer overflow vulnerability has been reported to affect QNAP NAS running Multimedia Console. If exploited, this vulnerability allows attackers to execute arbitrary code. CVSSv3 score of 8.5
More info.

NETGEAR is aware of industry-wide WiFi WPS and IEEE-1905 security vulnerabilities on products containing MediaTek microchips. CVSSv3 score of 8.2
More info.

NetApp has published 6 security bulletins identifying vulnerabilities in third-party software included in their products.  No patches yet.
More info.

Alpine Linux has updated for busybox vulnerabilities. More info. And here.

Palo Alto Networks has 8 new bulletins, 1 rated Critical, 6 rated High, and 1 rated Medium.  Highest CVSSv3 score of 9.8  Exploits exist.
More info.

A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. CVSSv3 score of 9.8
More info.

An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges. CVSSv3 score of 8.1
More info.

An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. CVSSv3 score of 8.1
More info.

An improper handling of exceptional conditions vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to send specifically crafted traffic to a GlobalProtect interface that causes the service to stop responding. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. CVSSv3 score of 7.5
More info.

Ivanti Avalanche contains a vulnerability that allows remote attackers to execute arbitrary code. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. CVSSv3 score of 9.8
More info.

Ivanti Avalanche contains a vulnerability that allows remote attackers to bypass authentication. The specific flaw exists within the SettingsDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. CVSSv3 score of 9.1
More info.

Apple has published a security update for iCloud for Windows. Highest CVSSv3 score of 8.8
More info.

When the server is configured to use trust authentication or cert authentication, a MitM attacker can inject arbitrary SQL queries when a connection is first established or inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.
More info.

VMware Tanzu Application Service for VMs uses Cloud Controller (CAPI) from Cloud Foundry which is vulnerable to an unauthenticated DoS vulnerability. A remote attacker can cause a DoS by using REST HTTP requests and generating an enormous SQL query leading to database unavailability. CVSSv3 score of 7.5.
More info.

SUSE has updated the kernel. More info.
OpenSUSE has updated the kernel. More info.
Ubuntu has updated the kernel. More info.
Mageia has updated the kernel and microcode. More info.

Samba has released security updates to address vulnerabilities in multiple versions of Samba. An attacker could exploit some of these vulnerabilities to take control of an affected system.
More info.

Vulnerabilities have been discovered in Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP Edition. These vulnerabilities, if exploited, could result in a remote attacker causing a DoS.  Note that a configuration change is required after patching.
More info.

A new bulletin has been published for InterNiche TCP/IP stack and InterNiche Lite.  Details are unavailable without a login.
More info.

Intel has published 25 new bulletins, one of which allows a remote attacker to cause a DoS, CVSSv3 score of 5.8
More info. And here.

NETGEAR has released fixes for a pre-authentication buffer overflow security vulnerability for several products.
More info.

SUSE has updated the kernel and binutils. More info.
OpenSUSE has updated the kernel and binutils. More info.
Red Hat has updated the kernel and binutils. More info.
Ubuntu has updated the kernel. More info.

Microsoft Monthly Patches are out with 55 vulnerabilities, 6 are rated Critical, 4 were previously disclosed, and 2 are being actively exploited. Highest CVSSv3 score of 9.0.
More info. And here. And here.

Adobe has released 3 new bulletins in their Monthly Patch set, for Creative Cloud, InCopy, and RoboHelp Server.
More info.

Adobe has released a security hotfix for RoboHelp Server. This update resolves a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution in the context of the current user. CVSSv3 score of 8.8
More info.

Siemens Monthly Patches are out, with 13 new bulletins and 10 updated. Highest CVSSv3 score of 9.9.
More info.

NUCLEUS:13 vulnerabilities in the Nucleus TCP/IP stack affect several Siemens products lines, including Capital VSTAR and Nucleus, APOGEE, and TALON. Highest CVSSv3 score of 9.8
More info. And here.

Climatix POL909 contains an information disclosure vulnerability which could allow an attacker in a MitM position to read sensitive data, such as administrator credentials, or modify data in transit. CVSSv3 score of 6.4
More info.

Siemens has released hotfixes for Siveillance Video DLNA Server, which fix a path traversal vulnerability that could allow an unauthenticated remote attacker to access sensitive information on the DLNA server. CVSSv3 score of 8.6
More info.

The Scalance W1750D device contains multiple vulnerabilities that could allow an attacker to execute code on the affected device(s), read arbitrary files, or create a denial-of-service condition. Highest CVSSv3 score of 9.8
More info.

Schneider Electric has released 7 new bulletins and 3 updated in their Monthly Patch set.  Vulnerabiltiies include Microsoft Print Spooler, BadAlloc, and Bluetooth.
More info.

A vulnerability in their SCADAPack 300E Series RTU products could cause a DoS of the RTU when receiving a specially crafted request over Modbus. CVSSv3 score of 7.5
More info.

SAP Security Patch Day includes 5 new bulletins and 2 updates.  Of the new bulletins, 1 is rated Hot News, 1 is rated High, and 3 are rated Medium.  The Hot News bulletin is a Missing Authorization Check in ABAP Platform kernel, with a CVSSv3 score of 9.6
More info.

A vulnerability in BIND could be abused by an attacker to significantly degrade resolver performance in BIG-IP and BIG-IQ products. CVSSv3 score of 5.3
More info.

Crafted web server requests may cause invalid memory accesses to crash the CODESYS web server or may read stack or heap memory. CVSSv3 score of 8.2  POC is publicly available.
More info.