An SQL injection vulnerability in the email quarantine release feature of XG Firewall was recently discovered and fixed. The remediation prevented remote execution of arbitrary code.
More info.

The ISC reports seeing active exploit attempts of the Citrix vulnerabilities reported earlier this week.
More info.

Vulnerabilities in MobileIron Core and Connector could allow an attacker to execute remote exploits without authentication. This was patched in June, reported July 1 publicly.
More info.

APM Connect UDLP products relying upon Apache Tomcat servers are vulnerable to GhostCat, which allows an attacker to execute malicious code and gain access to potentially sensitive information.
More info.

Multiple vulnerabilities were identified in Moxa’s MGate 5105-MB-EIP Series Protocol Gateways.  These vulnerabilities include Authentication Bypass by capture-replay and Exposure of Sensitive Information.
More info.

iDRAC component with Dell EMC Data Domain requires a security update to address a buffer overflow vulnerability. CVSSv3 score of 7, Dell rates this Medium.
More info.

Multiple components within Dell EMC DCA require a security update to address various vulnerabilities.  Dell rates this Critical.
More info.

A vulnerability has been identified in some components that ships with Hybrid Cloud Management. The vulnerability could be exploited to file content disclosure of the web application or remote code execution.
More info.

Ubuntu has updated openssl.  More info.
Mageia has updated samba and others.  More info.

Juniper Quarterly Patches are out, with 19 bulletins affecting JunOS, appliance BIOS firmware, Juniper Secure Analytics, and SRC Series implementation of Bouncy Castle.  Patched vulnerabilities include DoS, updates to vulnerable third-party software, DNS filtering bypass .  Some CVEs are from 2014.  Highest CVSSv3 score of 9.8.
More info.

On Juniper Networks SRX Series with ICAP redirect service enabled, processing a malformed HTTP message can lead to a DoS or RCE. CVSSv3 score of 9.8
More info. And here.

Rittal PDU units contain a hardcoded root backdoor account, CLI menu bypass, insecure storage of sensitive information, and outdated third-party software components.  Fixes were made for other devices, but not the PDU.
More info.

A potential vulnerability has been identified in a component that integrates with Cloud Service Automation. The vulnerability could be exploited to file content disclosure of the web application or remote code execution. CVSSv3 score of 9.8
More info.

IBM InfoSphere Information Server could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSSv3 score of 8.1
More info.

FreeBSD has updated ipv6, unbound, and one other. 
More info.

CentOS has updated firefox.  More info.
Oracle Linux has updated firefox and the kernel.  More info.
Debian has updated ruby, roundcube, and one other.  More info.
Ubuntu has updated thunderbird.  More info.

Palo Alto Networks has pushed out their Monthly Patches, consisting of 5 bulletins, one of which is Informational only.  Highest CVSSv3 score of 8.1
More info.

Grundfos Pumps Corporation CIM 500 contains two vulnerabilities. The first responds to unauthenticated requests for password storage files. The second is plaintext storage of passwords. Together, these vulnerabilities could allow access to cleartext credential data. Highest CVSSv3 score of 7.5.
More info.

F5 has updated the bulletin for the TMUI RCE vulnerability with new mitigation and IOC guidance.  Worth another look.  The ISC has reported backdoor install attempts in their honeypots.
More info.  And here.

Multiple vulnerabilities have been discovered in Citrix ADC, Citrix Gateway  and Citrix SD-WAN WANOP appliances. These vulnerabilities could result in a number of security issues including system compromise and XSS on the management network, as well as creation of a download link for the device which, if downloaded and then executed by an unauthenticated user on the management network, may result in the compromise of their local computer.
More info. And here.

An update for Firefox for Android fixes a Critical local file access vulnerability.
More info.

The Monthly Patch bulletin is out, listing nine vulnerabilities, one of which is listed as Critical.
More info.

There are some vulnerabilities in the Jackson-Databind library that affects IBM Engineering Lifecycle Optimization - Publishing.  IBM lists this as Critical, highest CVSSv3 score of 7.3.
More info.

Several Zyxel Router platforms are identified in a Home Router Security report published by FKIE.
More info.  And here.

SUSE has update java, perl, php, and many others.  More info.
OpenSUSE has updated python, the kernel, rust, and others. More info.
RedHat has updated php, the kernel, and others.  More info.
Oracle Linux has updated thunderbird and firefox.  More info.
Debian has updated php.  More info.
Ubuntu has updated cinder and os-brick.  More info.
Scientific Linux has updated firefox, the kernel, and others.  More info.

Monthly Patches are out for Google Android.  19 vulnerabilities are addressed, plus the Qualcomm closed source list.  Seven are rated Critical, 12 rated High.
More info.

Pixel Monthly Patches are out as well, with 3 vulnerabilities rated Moderate plus the Qualcomm closed source list.
More info.

Monthly Patches are out for Samsung as well.  Along with Google patches Samsung Mobile provided 14 additional vulnerability fixes, two rated High and the rest Moderate or Low.
More info.

A security vulnerability in HPE IceWall SSO Dfw and Dgfw (Domain Gateway Option) could be exploited remotely to cause XSS. CVSSv3 score of 6.1
More info.

Multiple dnsmasq vulnerabilities exist in OWL 3G, OWL LTE, andOWL LTE M12 products.  Highest CVSSv3 score of 9.8
More info.

A Java SE vulnerability exists in Industrial HiVision. CVSSv3 score of 8.1
More info.

Note that although dated 15 June, these bulletins just showed up in the security portal.

SUSE has update openldap and others.  More info.
OpenSUSE has updated python, the kernel, rust, and others. More info.
RedHat has updated tomcat, the kernel, firefox, and others.  More info.
Oracle Linux has updated firefox.  More info.
Ubuntu has updated nss, the kernel, glibc, and others.  More info.
Mageia has updated mariadb, wireshark, and wifi-radar.  More info.

There are reports of active exploitation of the TMUI RCE vulnerability previously reported in Big-IP products, CVSSv3 score of 10.  Please patch.
More info.  And here. And here. And here.

SUSE has updated mozilla-nss/nspr, tomcat, and systemd.  More info.
OpenSUSE has updated python and others. More info.
Oracle Linux has updated nginx.  More info.
Debian has updated thunderbird and php.  More info.
Mageia has updated ntp, python, tomcat, firefox, and others.  More info.

OpenClinic GA contains multiple vulnerabilities that could allow an attacker to bypass authentication, discover restricted information, view/manipulate restricted database information, and/or execute malicious code. Highest CVSSv3 score of 9.8
More info.

Nortek Linear eMerge 50P/5000P contains multiple vulnerabilities that could allow a remote attacker to gain full system access. Highest CVSSv3 score of 10.
More info.

There are multiple vulnerabilities in TCP/IP stack of the firmware in several models of GOT2000 series. If these vulnerabilities are exploited by malicious attackers, the network functions of the products may enter a denial-of-service condition or malware may be executed.
More info.

IBM Content Navigator is vulnerable to a Prototype Pollution vulnerability. CVSSv3 score of 7.5.  IBM rates this Critical.
More info.

IBM Data Risk Manager is affected by multiple vulnerabilities in third-party software, notably Faster XML jackson-databind. Highest CVSSv3 score of 9.8. IBM rates this Critical.
More info.

Mozilla has published an update for Thunderbird that corrects several vulnerabilities, mostly rated High.
More info.

OpenSUSE has updated opera  More info.
RedHat has updated nginx.  More info.
Ubuntu has updated net-snmp, the kernel, firefox, and samba.  More info.

Cisco has published 8 new bulletins, one rated High, the rest Medium.  Vulnerabilities include XSS, Information Disclosure, and others.
More info.

A vulnerability in session management for the web-based interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to defeat authentication protections and gain unauthorized access to the management interface. CVSSv3 score of 8.1
More info.

It may be possible to make Wireshark consume excessive CPU resources by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
More info.

NetApp has published six new bulletins identifying vulnerabilities in third-party software included in their products.  No patches yet.
More info.

Mozilla has updated Firefox and Firefox ESR to fix several vulnerabilities rated High and Moderate.
More info.

Samba has published an update that fixes four vulnerabilities, including two that result in a DoS condition. Highest CVSSv3 score of 7.5.
More info.

SUSE has updated ntp, unbound, python, and others.  More info.
Debian has updated firefox and chromium.  More info.
Ubuntu has updated libvncserver.  More info.

Microsoft has published two OOB patches for Critical vulnerabilities in the Codecs Library.  Both require a crafted image file, and allow remote code execution.
More info.  And here.

An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via webserver-allow-from is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction.
More info.

The Traffic Management User Interface has a RCE vulnerability. This vulnerability allows unauthenticated attackers to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. Only the control plane is affected.
More info.

Dell has published a security update to address vulnerabilities in third-party software used in the EMC Cloud Tiering Appliance. This is rated Critical.
More info.

SUSE has updated mariadb, squid, ntp, and others.  More info.
RedHat has updated httpd-nghttpd.  More info.

When SAML authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled, improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. CVSSv3 score of 10.  Most versions have a patch.
More info.

Multiple vulnerabilities exist due to improper handling of XML in multiple Mitsubishi Electric FA engineering software products. When customers use a project file or a configuration data file that has been specially crafted by a malicious attacker, it could allow the attacker to send a file on the computer to the outside or cause a DoS.
More info.

IBM Tivoli Netcool Impact is affected by IBM Dojo Toolkit vulnerabilities that could allow a remote attacker to inject arbitrary code on the system. Highest CVSSv3 score of 7.5. IBM rates this Critical.
More info.

IBM Security QRadar Packet Capture uses third-party software with known vulnerabilities. Highest CVSSv3 score of 9.8
More info.

OpenSUSE has updated unbound, tomcat, squid, and others.  More info.
RedHat has updated the kernel and others.  More info.
Ubuntu has updated mailman.  More info.

IBM Spectrum Protect Plus could allow an attacker to obtain sensitive information due to insecure communications being used between the application and server.
More info.

PuTTY has released a new version with one security fix.
More info.

The NetApp HCI H610S Baseboard Management Controller (BMC) is shipped with a documented default account and password that should be changed during the initial node setup. During upgrades the account password is reset to the default documented value which could allow remote attackers to cause a Denial of Service (DoS).
More info.

Sophos discovered an XG Firewall v17.x vulnerability regarding access to physical and virtual units configured with the user portal exposed on the WAN. This was a previously unknown buffer overflow vulnerability in the user portal HTTP/S bookmark feature.
More info.

Due to incorrect input validation Squid is vulnerable to a Request Smuggling and Poisoning attack against the HTTP cache. CVSSv3 score of 9.3, even with Privilege Required:Local.
More info.

SUSE has updated tomcat and others.  More info.
OpenSUSE has updated chromium and others.  More info.
Arch Linux has updated tomcat, freerdp, bind, chromium, and others.  More info.

ENTTEC Lighting Controllers models Datagate Mk2, Storm 24, and Pixelator, E-Streamer Mk2 contain multiple vulnerabilities including Use of Hard-coded Cryptographic Key, Cross-site Scripting, Improper Access Control, Incorrect Permission Assignment for Critical Resource. Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized SSH/SCP access to devices, inject malicious code, run commands with root privileges, and read, write, and execute files in system directories as any user. Highest CVSSv3 score of 8.8.  No patches yet.
More info.

Apache Tomcat updated to correct a security vulnerability. A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
More info.

Hitachi Device Manager contains a vulnerability to Denial of Service (DoS) attacks. The process of the database built in to the Hitachi Command Suite products could stop, even the service itself, which can cause malfunction of the Hitachi Device Manager server and the other Hitachi Command Suite products that are installed on the same machine.
More info.

Dell EMC PowerStore Family contains remediation to address exposing test interface ports vulnerability that may be exploited by malicious users to compromise the affected system.
More info.

SUSE has updated tigervnc, squid, unbound, and others.  More info.
Oracle Linux has updated nghttp2.  More info.
RedHat has updated nghttp2.  More info.

Multiple 0-day vulnerabilities have been reported in CentOS Web Panel.  More info.

Microsoft has updated chromium-based Edge to include the latest updates.
More info.

Multiple components within Dell EMC Avamar and NetWorker require a security update to address various vulnerabilities.  Dell rates this as Critical.
More info.

A potential security vulnerability has been identified in HPE Systems Insight Manager. The vulnerability could be remotely exploited to allow remote code execution. CVSSv3 score of 9.8.  No patch yet.
More info.

NetApp has published five new bulletins regarding vulnerabilities in third-party software included in NetApp products.  No patches yet.
More info.

Cisco IOS XE Software is affected by a vulnerability in Telnetd servers, only if the device is configured with the persistent Telnet feature.  CVSSv3 score of 9.8 Switch to SSH until a patch. (Really, why would you switch back?!)
More info.

IBM QRadar Network Security is affected by multiple vulnerabilities in third-party software. Highest CVSSv3 score of 8.8
More info.

SUSE has updated curl and others.  More info.
Ubuntu has updated curl.  More info.

Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware, including a Use-after-free vulnerability in the SVGA device. They all require local access. Patches and updates for most are available.  VMware rates this Critical. Highest CVSSv3 score of 9.3
More info.

There is a vulnerability due to cleartext communication between Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L, and FX series CPU modules, and GX Works3/GX Works2. There are risks of communication data eavesdropping/tampering, unauthorized operation, and DoS attacks from attackers. CVSSv3 score of 10.0
They recommend setting up a VPN.
More info.

Honeywell ControlEdge PLC and RTU transmits unencrypted passwords and session tokens on the network in cleartext. CVSSv3 score of 5.9
More info.

IBM Security Guardium contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. CVSSv3 score of 6.8
More info.

An improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys.
More info.

Vigor3900, Vigor2960, and Vigor300B contain a stack-based buffer overflow vulnerability, and a remote code injection/execution vulnerability.
More info. And here.

SUSE has updated the kernel, mariadb, php5, and others.  More info.
OpenSUSE has updated java, opera, and mozilla-nss.  More info.
RedHat has updated the kernel, docker, ntp, and others.  More info.
CentOS has updated the kernel, ntp, and unbound.  More info.
Oracle Linux has updated the kernel, thunderbird, and ntp.  More info.

IBM Security Guardium may use insufficiently random numbers or values in a security context that depends on unpredictable numbers.
More info.

Multiple components within Dell EMC VxRail Appliance require a security update to address various vulnerabilities. Dell rates this Critical.
More info. And here.

Xerox has released updates for FreeFlow Print Server versions with Oracle, Microsoft, Java, and Firefox patches.
More info. And here.

An insufficient control of network message volume vulnerability in FortiAnalyzer may allow an unauthenticated remote attacker to perform NTP amplification attacks (thereby causing reflected denial of service on arbitrary targets) via sending specially crafted mode 6 queries to the FortiAnalyzer built-in NTP server.
More info.

BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones.
More info.

Google has released an update for Chrome for Desktop that contains two security fixes.
More info.

Improper Input Validation vulnerability in the Safepay browser component of Bitdefender Total Security 2020 allows an external, specially crafted web page to run remote commands inside the Safepay Utility process.  CVSSv3 score of 8.8
More info.

OpenSUSE has updated chromium, perl, php, fwupd, and others.  More info.
Oracle Linux has updated unbound.  More info.
Ubuntu has updated mutt and nfs-utils.  More info.

A heap overflow vulnerability in awarrensmtp, a component of XG Firewall firmware, was recently discovered. The vulnerability can potentially allow a remote attacker to execute arbitrary code.
More info.

Squid is vulnerable to a DoS attack when processing objects in an SMP cache. CVSSv3 score of 7.3
More info.

Due to use of a potentially dangerous function Squid and the default certificate validation helper are vulnerable to a DoS attack when processing TLS certificates. CVSSv3 score of 8.3
More info.

Schneider Electric is aware of recently published research and a proof of concept that demonstrates how one of the Treck vulnerabilities can be exploited to affect a specific version and model of a Schneider Electric APC Smart-UPS device using a specific version of Network Management Card firmware. No patches yet, but mitigation strategies.
More info.

Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management. Highest CVSSv3 score of 9.8
More info.

The Apache Commons FileUpload vulnerability affects IBM eDiscovery Manager. CVSSv3 score of 9.8
More info.

IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of FasterXML jackson-databind. Highest CVSSv3 score of 9.8
More info.

IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Python. Highest CVSSv3 score of 9.8
More info.

An insufficient session expiration vulnerability in FortiDeceptor may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID via other, hypothetical attacks.
More info.

An expression language injection vulnerability in FortiSIEM may allow a remote attacker to inject arbitrary javascript code in the victim's browser's context via the JBoss RichFaces library.
More info.

SUSE has updated the kernel, java, perl, and others.  More info.
RedHat has updated chromium, unbound, gnutls, and others. More info.
Oracle Linux has updated thunderbird.  More info.
Debian has updated mutt and neomutt.  More info.
Mageia has updated gnutls.  More info.