Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which could allow attackers to execute arbitrary code in Jira through deserialization due to a missing authentication vulnerability.
More info. And here.

The CODESYS web server is used by the CODESYS WebVisu to display CODESYS visualization screens in a web browser. Specific crafted requests may cause a heap-based buffer overflow. Further on this could crash the web server, lead to a DoS or may be utilized for RCE. CVSSv3 score of 9.8
More info.

The CODESYS Control runtime system enables embedded or PC-based devices to be a programmable industrial controller, and includes a platform adaptation layer. The adaptation layer for VxWorks does not handle a shortage of sockets correctly, so that existing socket connections may be disconnected and cannot be re-established for some time. This vulnerability affects various communication servers in the CODESYS V3 Runtime Toolkit for VxWorks such as OPC UA or the UDP communication driver and others. CVSSv3 score of 7.5
More info.

The CODESYS Gateway routes the online communication between clients like the CODESYS Development System and CODESYS Control runtime systems. As optional component of CODESYS Control runtime systems, it may also run on PLC devices.  Crafted communication requests may cause a Null pointer dereference in the affected CODESYS products and may result in a DoS. CVSSv3 score of 7.5
More info.

The CODESYS web server is used by the CODESYS WebVisu to display CODESYS visualization screens in a web browser. Specific web server requests may have read access to all files stored in the "visu" subfolder/placeholder of the PLC's file system, including private files, which may contain user IDs and password hashes of visualization users. CVSSv3 of 7.5
More info.

Microsoft has updated chromium-based Edge with the latest security updates for chromium.
More info. And here.

Tenable.sc leverages third-party software to help provide underlying functionality. Multiple third-party components were found to contain vulnerabilities, highest rating for the vulnerable software is Critical.
More info.

If the IAX2 channel driver receives a packet that contains an unsupported media format it can cause a crash to occur in Asterisk.
More info.

Depending on the timing, it’s possible for Asterisk to crash when using a TLS connection if the underlying socket parent/listener gets destroyed during the handshake.
More info.

Multiple security vulnerabilities have been identified in HPE fibre channel and SAN switches with Brocade Fabric OS. These vulnerabilities could be remotely exploited to cause DoS, bypass authentication, and disclose sensitive information. CVSSv3 score of 5.3
More info.

Multiple security vulnerabilities have been identified in HPE SAN switches with Brocade Fabric OS. These vulnerabilities could be locally exploited to execute arbitrary code, and could allow an authenticated CLI attacker to write arbitrary content to files. The other vulnerabilities could be remotely exploited to cause DoS, and inject arbitrary HTTP headers. Highest CVSSv3 score of 7.8
More info.

SUSE has updated the kernel and curl. More info.
CentOS has updated the kernel. More info.
Amazon Linux and Amazon Linux 2 have updated the kernel. More info. And here.

Cisco has published 6 new bulletins and one updated bulletin.  One is rated High, the rest Medium. Highest CVSSv3 score of 8.3
More info.

A vulnerability in the Multiprotocol Label Switching (MPLS) packet handling function of Cisco SD-WAN Software could allow an unauthenticated, remote attacker to gain access to information stored in MPLS buffer memory. CVSSv3 score of 5.3
More info.

Two issues have been discovered in mymbCONNECT24 and mbCONNECT24, including allowing a remote attacker to enumerate valid users by checking what kind of response the server sends. Highest CVSSv3 score of 7.5
More info. And here.

Apple has published security updates for macOS Big Sur, Catalina, Mojave, and iPadOS.  They've also published the bulletins for the recent updates for iOS, Safari, watchOS, and tvOS.
More info.

SUSE has updated the kernel, curl and linuxptp. More info.
OpenSUSE has updated the kernel and curl. More info.
Arch Linux has updated the kernel, systemd, and curl. More info.
Oracle Linux has updated the kernel and systemd. More info.
Gentoo Linux has updated systemd. More info.
Mageia has updated the kernel and systemd. More info.

Oracle has released its Quarterly Patch Update to address 342 vulnerabilities across multiple products. 206 of these may be remotely exploitable without authentication. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. Highest CVSSv3 score of 10
More info.

A path traversal vulnerability exists in numerous routers manufactured by multiple vendors using Arcadyan based software. This vulnerability allows a remote attacker access to sensitive information and allows for the alteration of the router configuration. CVSSv3 score of 9.8
More info. And here.

In MIT krb5 releases 1.16 and later, an unauthenticated attacker can cause a null dereference in the KDC by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST.
More info.

Adobe has published security updates for Photoshop, Audition, Character Animator, Prelude, Premier Pro, After Effects, and Media Encoder. Several vulnerabilities lead to RCE, with a highest CVSSv3 score of 8.8
More info.

Google has published an udpate for Chrome for Desktop that fixes 35 security vulnerabilities, at least 9 of which are rated High.
More info.

curl has pubished 5 new bulletins, all rated Medium.
More info.

SUSE has updated the kernel and systemd. More info.
OpenSUSE has updated the kernel and systemd. More info.
Debian has updated the kernel and systemd. More info.
Red Hat has updated the kernel and glibc. More info.
Gentoo Linux has updated systemd. More info.
Ubuntu has updated the kernel and systemd. More info.

Microsoft Windows permissions on the SAM and SYSTEM hives are readable for any user on the system. Exploit requires an authenticated user.
More info.

Microsoft Edge has been updated with the latest chromium security patches.
More info.

A Use After Free vulnerability in FortiManager and FortiAnalyzer may allow a remote, unauthenticated attacker to execute code as root via sending a specifically crafted request to the fgfm port of the targeted device. CVSSv3 score of 7.5
FGFM is disabled by default on FortiAnalyzer and can only be enabled on specific hardware models.
More info.

Advantech WebAccess/NMS contains a vulnerability that allows remote attackers to disclose sensitive information from the application. The specific flaw is a lack of authentication prior to allowing access to functionality. CVSSv3 score of 5.3
More info.

A DoS vulnerability exists in the Ethernet interface block of MELSEC-F series due to a NULL Pointer Dereference. A malicious attacker may cause DoS condition in communication with the product by sending specially crafted packets. In addition, system reset is required for recovery. CVSSv3 score of 7.5
More info.

The compact systems CS351E and CS351S and the communication module KE350G with integrated PLC contain vulnerable software from CODESYS GmbH, with a weakness in the protocol for the communication between the PLC runtime and clients. Attackers can send crafted communication packets which may result in a DoS or allow RCE. Highest CVSSv3 score of 9.8
More info.

Apple has published updates for Safari, iOS, watchOS, and tvOS.  Security details are not yet available.
More info.

WSO2 API Manager contains a vulnerability that allows remote attackers to execute arbitrary code. The service contains a hard-coded password for the administrator user. CVSSv3 score of 9.8
More info.

NetApp has published 10 new bulletins identifying vulnerabilities in third-party software included in their products. No patches yet.
More info.

Ubuntu has updated the kernel. More info.
Mageia has updated glibc. More info.

Microsoft Windows allows for non-admin users to be able to install printer drivers via Point and Print. Printers installed via this technique also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process.  To exploit this a user on the Windows system must print to a malicious print server.
More info. And here. And here.

IBM Data Replication is affected by multiple vulnerabilities in IBM Java SDK.  Highest CVSSv3 score of 9.8
More info.

IBM Security SOAR includes an older version of Handlebars.js that may be exploited with automated tools. Highest CVSSv3 score of 9.8
More info.

HCL Digital Experience is susceptible to multiple open source vulnerabilities, including XSS. Highest CVSSv3 score is 6.1
More info.

HCL Launch contains an Apache Tomcat flaw that could allow a remote attacker to obtain sensitive information. CVSSv3 score of 8.2
More info.

Ypsomed mylife Cloud and mylife Mobile Application contains multiple vulnerabilities, including Insufficiently Protected Credentials, Not Using an Unpredictable IV with CBC Mode, and Use of Hard-coded Credentials. Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive application information or modify the integrity of data being transmitted. Highest CVSSv3 score of 6.3
More info.

Google has published an update for Chrome for Desktop that fixes 8 security vulnerabilities. 6 are rated High.
More info.

Multiple vulnerabilities exist in Advantech R-SeeNet monitoring software.  These vulnerabilities allow an attacker to execute arbitrary JavaScript code in the context of the targeted user's browser, execute OS commands by sending the targeted device a specially crafted HTTP request, or execute arbitrary PHP commands via a malicious HTTP request. Highest CVSSv3 score of 9.8
More info.

Multiple security vulnerabilities have been identified in HPE OfficeConnect Network Switches. These vulnerabilities could allow remote cross-site scripting (XSS) and arbitrary code execution. Highest CVSSv3 score of 6.1
More info.

NetApp has published 8 new bulletins identifying vulnerabilities in third-party software included in their products.  No patches yet.
More info.

OpenSUSE has updated the kernel. More info.
Oracle Linux has updated the kernel. More info.

The Wireshark DNP dissector could crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file, causing a DoS.
More info.

Palo Alto Networks Monthly Patches include 2 bulletins, both rated High.  Highest CVSSv3 score of 7.8
More info.

A reflected cross-site scripting (XSS) vulnerability exists in the Prisma Cloud Compute web console that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console while an authenticated administrator is using that web interface. CVSSv3 score of 7.5
More info.

Juniper Networks Quarterly Patches are out, with 32 new bulletins.  Most are DoS vulnerabilities.  Highest CVSSv3 score of 10
More info.

Juniper Networks Contrail Cloud (CC) releases prior to 13.6.0 have RabbitMQ service enabled by default with hardcoded credentials.  CVSSv3 score of 8.6
More info.

A stack-based buffer overflow vulnerability in Juniper Networks SBR Carrier with EAP authentication configured, allows an attacker sending specific packets causing the radius daemon to crash resulting with a DoS or leading to RCE. CVSSv3 score of 10
More info.

Multiple vulnerabilities have been resolved in Junos OS and Junos OS Evolved, Junos Space, Juniper Secure Analytics, Contrail Networking, Contrail Insights, and CTPView by updating third party software or by fixing vulnerabilities found during external security research. Highest CVSSv3 score of 10.
More info. And here. And here. And here. And here. And here. And here.

Multiple vulnerabilities have been resolved in Junos OS Evolved by upgrading the kernel. CVSSv3 score of 8.2
More info.

Multiple vulnerabilities have been found in JP1/Automatic Job Management System 3 - Web Operation Assistant.
More info.

SUSE has updated the kernel. More info.
Arch Linux has updated systemd. More info.

SFCB (Small Footprint CIM Broker) as used in ESXi has an authentication bypass vulnerability. CVSSv3 score of 7.0
More info.

Mozilla has published updates for Thunderbird, Firefox, and Firefox ESR that patches vulnerabilities rated High that could allow DoS or arbitrary code execution.
More info.

UDP Technology makes IP Camera firmware under their name as well as nearly a dozen other manufacturers.  Authentication bypass and EoP vulnerabilities exist in the firmware.  Timeline shows updated firmware, but deployment across product lines and vendors is unknown.
More info. And here.

Threat actors are actively targeting SMA 100 series and SRA products running unpatched and EOL 8.x firmware in an imminent ransomware campaign using stolen credentials. Several products are EOL and unpatchable, SonicWall recommends disconnecting immediately. CVSSv3 score of 9.8
More info.

Kaseya has restored their SaaS platform and published security updates for on-premises VSA servers to correct vulnerabilities publicized the weekend of 2 July.
More info.

Aruba has released updates for wired switch products running AOS-CX that address multiple security vulnerabilities, including SAD DNS. Highest CVSSv3 score of 7.4
More info.

SUSE has updated the kernel. More info.
OpenSUSE has updated the kernel. More info.
CentOS has updated xstream. More info.
Oracle Linux has updated xstream. More info.
Debian has updated linuxptp. More info.

SAP Security Patch Day includes 12 new Security Notes, and 3 updated Notes. The Highest CVSSv3 score for new Notes is 7.6 for a missing authorization check, and one of the updated Notes is CVSSv3 score of 10 for Chromium browser in the Business Client.
More info.

Microsoft Monthly Patches are out with patches for 117 vulnerabilities. Of these, 13 are critical, 6 were previously disclosed and 4 are being exploited, including PrintNightmare, RCE affecting Windows Scripting Engine, and two EoP vulnerabilities in the kernel.  Highest CVSSv3 score of 9.1
More info. And here. And here.

Adobe Patch Day includes security patches for Dimension, Illustrator, Framemaker, Bridge, and Acrobat and Reader.
More info.

Adobe Acrobat and Reader includes patches for RCE vulnerabilities.  Highest CVSSv3 score of 8.8
More info.

Monthly Patches are out for Schneider Electric, with 6 new bulletins and 6 updated bulletins.
More info.

Schneider Electric is aware of a Missing Authentication for Critical Function vulnerability in its Easergy T200 RTU. CVSSv3 score of 9.1
More info.

Multiple vulnerabilities exist in EVlink City / Parking / Smart Wallbox Charging Stations.  The bulletin is blank.
Update: the bulletin is available now, highest CVSSv3 score of 9.4
More info.

An improper authentication vulnerability in C-Bus Toolkit product exists that could allow an attacker to use a crafted webpage to obtain remote access to the system. CVSSv3 score of 6.5
More info.

Multiple vulnerabilities exist in EcoStruxure Control Expert, EcoStruxure Process Expert, SCADAPack RemoteConnect x70, and Modicon Controllers M580 and M340.  The bulletin is currently blank, but details are public.
Update: The bulletin is avaiilable now, highest CVSSv3 score of 9.8, not all products have patches.
More info. And here. And here.

Siemens Monthly Patches include 18 new bulletins and 5 updated bulletins.
More info.

The latest update for RUGGEDCOM ROS devices fixes a buffer overflow vulnerability in the third party component that could allow an attacker with network access to an affected device to cause a remote code execution condition. CVSSv3 score of 8.1
More info.

SINAMICS PERFECT HARMONY GH180 Drives, SINUMERIK ONE, and SINUMERIK MC are affected by a memory protection bypass vulnerability that could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks on the CPU. CVSSv3 score of 8.1
More info. And here.

RuggedCom, SCALANCE, and SIMATIC RF products are affected by a DHCP client vulnerability in Wind River VxWorks, that could allow an attacker to cause a heap-based buffer overflow. They recommend disabling the DHCP client. CVSSv3 score of 9.8
More info.

A vulnerability in several product families could allow an attacker to perform a DoS attack if a large amount of Profinet Discovery and Configuration Protocol (DCP) reset packets is sent to the affected devices. CVSSv3 score of 7.5
More info.

Several Siemens products use a vulnerabile WIBU Systems CodeMeter Runtime for license management. CVSSv3 score of 9.1
More info.

The latest update for SINUMERIK Integrate Operate Client fixes a vulnerability that could allow an attacker to spoof any SSL server certificate and conduct man-in-the-middle attacks. CVSSv3 score of 7.4
More info.

Siemens products are affected by multiple vulnerabilities in an underlying LLDP third party library. CVSSv3 score of 9.8
More info.

Siemens products are affected by a vulnerability in OpenSSL that allows an unauthenticated attacker to cause a DoS if a maliciously crafted renegotiation message is sent. CVSSv3 score of 5.9
More info.

A security vulnerability exists in the latest Serv-U version. A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system. This has been exploited in the wild.
More info.

HPE SimpliVity Systems are affected by vulnerabilities in VMware. The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in. CVSSv3 score of 9.8
More info.

NetApp has published 6 new bulletins identifying vulnerabilities in third-party software included in their products.  No patches yet.
More info.

Oracle Linux has updated the kernel, xstream, and others. More info.
Mageia has updated the kernel, binutils, and others. More info.
Scientific Linux has updated xstream. More info.
Red Hat has updated xstream. More info.
Amazon Linux has updated the kernel and others. More info.

Dell has released 2021 R1plus operating system Security Update that addresses multiple third-party components within Dell Avamar and NetWorker products. Dell rates this Critical.
More info.

Dell has released a security update that addresses multiple third-party components within Dell PowerFlex appliance products. Dell rates this Critical.
More info.

IBM App Connect Enterprise v11 ships with Node.js for which vulnerabilities were reported and have been addressed. CVSSv3 score of 9.8
More info.

There is a vulnerability in Ruby On Rails that is used by IBM License Metric Tool. CVSSv3 score of 9.1
More info.

IBM InfoSphere Information Server is affected by multiple vulnerabilities in Apache Solr. Highest CVSSv3 score of 9.1
More info.

IBM Security Identity Governance and Intelligence is affected by multiple vulnerabilities in icu. CVSSv3 score of 9.8
More info.

Multiple vulnerabilities in XStream that is used by IBM InfoSphere Information Server were addressed. Highest CVSSv3 score of 9.8
More info.

Netplex json-smart-v1 and json-smart-v2 are vulnerable to a denial of service. CVSSv3 score of 9.1
More info.

Multiple Out-of-Bound read vulnerability in SonicWall Switch when handling LLDP Protocol allows an attacker to cause a crash or potentially read sensitive information from the memory locations.
More info.

Security vulnerabilities have been identified in HPE Superdome X servers. The vulnerabilities could be remotely exploited to cause Remote Denial of Service (DoS). Highest CVSSv3 score of 7.5
More info.

Security vulnerabilities have been discovered in supported versions of Web Agents. An unauthenticated attacker can attack a non-default configured agent logout endpoint, causing a web server worker process to crash. This is rated High.
More info.

Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility of request smuggling when used with a reverse proxy.
More info.

NetApp has published 8 new bulletins identifying vulnerabilities in third-party software included in their products.  No patches yet.
More info.

Zyxel has patched a previously reported vulnerability being targeting in Zyxel security appliances with remote management or SSL VPN enabled in the USG/ZyWALL, USG FLEX, ATP, and VPN series.
More info.