Cisco has published 8 new bulletins and one updated bulletin.  Four new bulletins are rated High, four rated Medium.
More info.

A vulnerability in the Cisco AMP for Endpoints integration of Cisco AsyncOS for Cisco ESA and Cisco WSA could allow an unauthenticated, remote attacker to intercept traffic between an affected device and the AMP servers. This vulnerability is due to improper certificate validation when an affected device establishes TLS connections. A man-in-the-middle attacker could exploit this vulnerability by sending a crafted TLS packet to an affected device. CVSSv3 score of 7.4
More info.

A vulnerability in the Cisco ISE integration feature of the Cisco DNA Center Software could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data. The vulnerability is due to an incomplete validation of the X.509 certificate used when establishing a connection between DNA Center and an ISE server. An attacker could exploit this vulnerability by supplying a crafted certificate and could then intercept communications between the ISE and DNA Center. CVSSv3 score of 7.4
More info.

Multiple vulnerabilities in the web-based management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated remote attacker to hijack a user session, execute arbitrary commands as a root user, conduct a XSS attack, and conduct an HTML injection attack. CVSSv3 score of 7.5
More info.

An information disclosure vulnerability exists in the Ethernet/IP UDP handler functionality of EIP Stack Group OpENer. A specially crafted network request can lead to an out-of-bounds read.
More info. And here.

An ICU heap-based buffer overflow vulnerability Affects IBM Control Center. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSSv3 score of 9.8
More info.

Vulnerabilities in IBM Runtime Environment Java affect IBM Spectrum Protect Snapshot for VMware. Highest CVSSv3 score of 9.8
More info.

Dell has published an update for VxRail Appliance Security to fix multiple third-party component vulnerabilities. Dell rates this High.
More info.

A vulnerability in HPE BackBox Software can allow unauthorized access under certain conditions. The vulnerability is associated with a specific combination of user IDs while accessing the BackBox user interface.
More info.

OpenSUSE has updated the kernel. More info.

ThroughTek supplies multiple manufacturers of IP cameras with P2P connections as part of its cloud platform. ThroughTek P2P products do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds. CVSSv3 score of 9.1
Note that ThroughTek patched this mid-2020, but Camera suppliers aren't patching... imagine that.
More info. And here.

Automation Direct CLICK PLC CPU modules contain multiple vulnerabilities, including Authentication Bypass Using an Alternate Path or Channel, Cleartext Transmission of Sensitive Information, and Unprotected Storage of Credentials. Successful exploitation of these vulnerabilities could allow an attacker to log in as a currently or previously authenticated user or discover passwords for valid users. Highest CVSSv3 score of 9.8
More info.

CodeMeter Runtime Network Server contains a Heap Leak and DoS vulnerability. An attacker could send a specially crafted packet that could have the CodeMeter Runtime Network Server send back packets containing data from the heap or crash the server. CVSSv3 score of 9.1
More info.

CodeMeter Runtime CmWAN Server contains a DoS vulnerability. An attacker could send a specially crafted HTTP(S) request to the CodeMeter Runtime CmWANserver that causes the CodeMeter Runtime Server to crash. CVSSv3 score of 7.5
More info.

SonicWall is reporting a new vulnerability impacting EOL Secure Remote Access (SRA) products, specifically the SRA 4600 running an old version of firmware.  Updates from that line have been available for some time.
More info.

Microsoft has published security updates for Microsoft Office for Mac.
More info. And here.

SUSE has updated the kernel. More info.
CentOS has updated the kernel. More info.
Scientific Linux has updated the kernel and others. More info.
Alpine Linux has published a new version, 3.14.0. More info.

Apple published an update to address vulnerabilities in iOS prior to 12.5.4 (current version is 14.6. Exploitation of some these vulnerabilities could result in arbitrary code execution. Apple is aware of a report that some of these issues may have been actively exploited.
More info.

Dell EMC PowerStore Family remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system. Dell rates this Critical.
More info.

SonicWall physical and virtual firewalls running certain versions of SonicOS may contain a vulnerability that could be leveraged for an unauthenticated Denial-of-Service (DoS) attack by sending a specially crafted POST request to the web interface. 
The vulnerability requires Web Management to be enabled on the WAN/LAN interface and requires the precondition of an ongoing active management session.
More info.

Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments. Highest CVSSv3 score of 9.8
More info.

Genivia gSOAP vulnerabilities, such as denial of service or execution of arbitrary code on the system, affect IBM Spectrum Protect for Virtual Environments:Data Protection for VMware and Spectrum Protect Client. Highest CVSSv3 score of 9.8
More info.

IBM has released an update for IBM Security Identity Governance and Intelligence in response to a security vulnerability in open source software icu.  CVSSv3 score of 9.8
More info.

Arch Linux has updated the microcode. More info.
Oracle Linux has updated the kernel. More info.

Microsoft has updated chromium-based Edge for the latest updates in chromium.
More info.

Mageia has updated the kernel and microcode. More info.

ZOLL Defibrillator Dashboard contains multiple vulnerabilities, including Unrestricted Upload of File with Dangerous Type, Use of Hard-coded Cryptographic Key, Cleartext Storage of Sensitive Information, Cross-site Scripting, Storing Passwords in a Recoverable Format, and Improper Privilege Management. Successful exploitation of these vulnerabilities could allow remote code execution, allow an attacker to gain access to credentials, or impact confidentiality, integrity, and availability of the application. Highest CVSSv3 score of 9.9
More info.

AGG Software Web Server included in AGG Data Logger software contains two vulnerabilities, including Path Traversal and Cross-site Scripting. Successful exploitation of these vulnerabilities could allow remote code execution and exposure of arbitrary system files. Highest CVSSv3 score of 8.2
More info.

Dell PowerFlex Appliance remediation is available for VMware security vulnerabilities that may be exploited by remote attackers to compromise the affected system. Dell rates this Critical. Note that this is the Critical vulnerability published by VMware last month that is currently being exploited. No patches yet.
More info.

An improper access control vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows remote attackers to compromise the security of the software.
More info.

NetApp has published 10 new bulletins identifying vulnerabilities in third-party software included in their products.  No patches yet.
More info.

Monthly Patches are out for Palo Alto Networks, consisting of 3 bulletins, 1 High, 1 Medium, and 1 Low.  Highest CVSSv3 score of 7.8
More info.

An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. CVSSv3 score of 6.7
More info.

Google has published an update for Chrome for Desktop, with 14 security fixes, one rated Critical, and one actively exploited.
More info.

Dell has published updates for Dell Integrated Data Protection Appliance to correct VMware vCenter vulnerabilities that may be exploited to compromise the affected system. Dell rates this Critical, as VMware did.
More info.

BD is investigating VMware vulnerabilities from Oct 2020 in their products. 
More info.

NETGEAR has released a fix for an authentication bypass security vulnerability on the WAC104. CVSSv3 score of 8.8
More info.

Oracle Linux has updated the kernel. More info.
Ubuntu has updated rpcbind. More info.

Multiple vulnerabilities have been identified for Bosch IP cameras. Bosch rates these vulnerabilities with CVSSv3.1 base scores from 9.8 to 4.9.
More info.

IBM Security Guardium is affected by multiple vulnerabilities in jackson-databind. CVSSv3 score of 9.8 for all the vulnerabilities.
More info.

IBM Cloud Pak for Applications nodejs and nodejs-express Appsody stacks is vulnerable to information disclosure, buffer overflow and prototype pollution exposures. Highest CVSSv3 score of 9.8
More info.

Memory corruption vulnerability in the driver file component in McAfee GetSusp could allow a program being investigated on the local machine to trigger a buffer overflow in GetSusp, leading to the execution of arbitrary code, potentially triggering a BSOD.
More info.

SUSE has updated the kernel. More info.
OpenSUSE has updated libx11. More info.
Red Hat has updated the kernel, microcode, and others. More info.
Ubuntu has updated the kernel and microcode. More info.

Microsoft Monthly Patches include patches for 50 vulnerabilities. Of these, 5 are Critical, 2 were previously disclosed and 6 are actively exploited. Highest CVSSv3 score of 9.4
More info. And here. And here.

Adobe Monthly Patches include 10 bulletins covering Connect, Acrobat and Reader, Photoshop, Experience Manager, Creative Cloud Desktop, RoboHelp Server, Photoshop Elements, Premier Elements, AfterEffects, and Animate.
More info.

Schneider Electric Monthly Patches include 6 new bulletins and 4 updated bulletins. Highest CVSSv3 score in the new bulletins is 9.8
More info.

Schneider Electric has published updates for vulnerabilities in PowerLogic PM55xx and PowerLogic PM8ECC products. A Weak Password Recovery Mechanism vulnerability could allow an attacker administrator level access to a device, and an Improper Authentication vulnerability could cause a DoS. Highest CVSSv3 score of 8.1
More info.

Schneider Electric has published updates for vulnerabilities in PowerLogic EGX100 and EGX300 products. A Weak Password Recovery Mechanism vulnerability could allow an attacker administrator level access to a device, an Improper Authentication vulnerability could cause a DoS, and an Improper Input Validation vulnerability could cause DoS or RCE via a specially crafted HTTP packet. These products are EOL, no patches will be coming. Highest CVSSv3 score of 9.8
More info.

Schneider Electric has identified a vulnerability in Modicon X80 BMXNOR0200H RTU product. Sensitive information could be exposed to a remote attacker concerning the current RTU configuration when a specially crafted HTTP request is sent.  No patch yet. Highest CVSSv3 score of 5.3
More info.

Schneider Electric embeds Rockwell Automation's IsaGRAF Workbench and IsaGRAF Runtime products, that have RCE, DoS, and Information Disclosure vulnerabilities. Highest CVSSv3 score of 9.1, all vulnerabilities have a temporal score of 10.
More info.

Thales Sentinel LDK Run-Time Environment contains an Incomplete Cleanup vulnerability.  Products that have uninstalled software using the Sentinel LDK Run-Time Environment may have a port left open that allows an attacker to connect. CVSSv3 score of 9.6
More info.

Rockwell Automation has reported 5 vulnerabilities in ISaGRAF Runtime. If successfully exploited, these vulnerabilities may result in a remote attacker being able to cause a DoS, RCE, or information disclosure. Highest CVSSv3 score of 9.1, all temporal scores are 10.
More info.

Qualcomm Monthly Patches include 10 vulnerabilities, 3 rated Critical, the rest High. Highest CVSSv3 score of 9.8
More info.

Google Android Monthly Patches contain 20 vulnerabilities, plus MediaTek and Qualcomm patches. Two vulnerabilities are rated Critical, with one of them allowing RCE.  The rest are rated High.
More info.

Google Pixel Monthly Patches contain 43 additional vulnerabilities, 4 rated High and the rest Moderate.
More info.

Samsung Monthly Patches include the Android patches and 11 additional Samsung bulletins. 3 are rated High, the rest Moderate.
More info.

Siemens Monthly Patches include 8 new bulletins and 9 updated bulletins. Highest CVSSv3 score in the new bulletins is 9.8
More info.

SIMATIC TIM 1531 IRC devices are vulnerable to multiple vulnerabilities in the third party component libcurl that could allow an attacker to extract sensitive information and pass a revoked certificate as valid. CVSSv3 score of 7.5
More info.

SIMATIC NET CP 443-1 OPC UA contains multiple vulnerabilities in the underlying third party component NTP. CVSSv3 score of 9.8
More info.

The latest update for TIM 1531 IRC fixes a vulnerability that could allow a remote attacker to cause a denial-of-service under certain circumstances. CVSSv3 score of 7.5
More info.

The latest updates for SIMATIC RF products fix a vulnerability that could allow an unauthorized attacker to crash the OPC UA service of the affected devices. CVSSv3 score of 7.5
More info.

SAP Security Patch Day saw the release of17 Security Notes. There were 2 updates to previously released Patch Day Security Notes. Two are rated Hot News, 4 High, and the rest Medium.
More info.

Dell VxRail remediation is available for VMware security vulnerabilities that may be exploited by remote attackers to compromise the affected system. Dell rates this Critical. Note that this is the Critical vulnerability published by VMware last month that is currently being exploited.
More info.

Microsoft has published an update for chromium-based Edge with the latests chromium security fixes. CVSSv3 score of 8.2
More info.

An OpenSSL vulnerability exists within Trend Micro TippingPoint TPS that can cause the appliance to enter Layer-2 Fallback mode and stop inspecting network traffic. CVSSv3 score of 5.9
More info.

Multiple vulnerabilities may affect JRE in IBM DataPower Gateway. Highest CVSSv3 score of 9.8
More info.

IBM Security Guardium is affected by multiple vulnerabilities. Highest CVSSv3 score of 9.9
More info.

An issue in Ajv affects UrbanCode Velocity. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. CVSSv3 score of 9.8
More info.

DELL Secure Remote Services (SRS) Virtual Edition contains remediation for multiple third-party components that may be exploited by remote attackers to compromise the affected system. Dell rates this Critical.
More info.

SUSE has updated the kernel. More info.
OpenSUSE has updated the kernel. More info.
Ubuntu has updated the kernel. More info.

Advantech iView contains two vulnerabilities, including SQL Injection and Missing Authentication for Critical Function. These allow an attacker to disclose information, change configurations, and execute arbitrary code.  Highest CVSSv3 score of 9.1.
More info.

Mozilla published an update to address vulnerabilities in Thunderbird. Exploitation of some of these vulnerabilities could result in arbitrary code execution.
More info.

Security vulnerabilities have been identified in IBM WebSphere Application Server used by InfoSphere Master Data Management. IBM WebSphere Application Server could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. CVSSv3 score of 9.8
More info. And here.

NetApp has published 10 new bulletins identifying security vulnerabilities in third-party software used by their products.  No patches yet.
More info.

Cisco has published 15 new bulletins, 6 rated High, the rest Medium.  Webex, SD-WAN, ASR, and others.
More info.

A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to redirect users to a malicious file. CVSSv3 score of 4.7
More info.

HPE has identified several vulnerabilities in HP-UX SMH, including XSS, Buffer overflow, and HSTS vulnerability. Highest CVSSv3 score of 7.5
More info.

Multiple security vulnerabilities have been identified in HPE fibre channel and SAN switches with Brocade Fabric OS. These vulnerabilities could be remotely exploited to cause denial of service. Highest CVSSv3 score of 5.9
More info.

Updates for Dell VxRail are available to correct the latest VMware security vulnerabilities that may be exploited by remote attackers to compromise the affected system. Dell rates this Critical, as VMware did.
More info.

A DoS vulnerability was discovered in F-Secure endpoint protection products on Windows, Mac and Linux whereby the FSAVD component used in certain F-Secure products can crash while scanning larger packages/fuzzed files. The exploit can be triggered remotely by an attacker and cause a DoS of the antivirus engine.
More info.

Apache HTTP Server protocol handler for the HTTP/2 protocol contains a NULL pointer dereference on initialised memory vulnerability where a rejection response was not fully initialised in the HTTP/2 protocol handler. Since a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server.
More info.

An improper access control vulnerability in FortiWLC may allow an unauthenticated and remote attacker to access certain areas of the web management CGI functionality by just specifying the correct URL.
More info.

It may be possible to make Wireshark consume excessive CPU resources by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
More info.

A command injection vulnerability exists in Video Station. If exploited, this vulnerability allows remote attackers to execute arbitrary commands.
More info.

A DOM-based XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code.
More info.

Ubuntu has updated the kernel. More info.
Scientific Linux has updated runc and glib2. More info.

Mozilla has published updates for Firefox, Firefox ESR, and Firefox for IOS. The top vulnerability is rated High.
More info. And here. And here.

McAfee has reported multiple vulnerabilities in DBSec.  Highest CVSSv3 score of 9.6
More info.

Fortinet has published 16 new bulletins for their products.
More info.

An improper access control vulnerability in FortiProxy SSL VPN web portal may allow an unauthenticated and remote attacker to change local SSL-VPN users' passwords via specially crafted HTTP requests. CVSSv3 score of 8.9
More info.

Failure to sanitize input in the SSL VPN web portal may allow a remote unauthenticated attacker to perform a reflected Cross-site Scripting (XSS) attack by sending a request to the error page with malicious GET parameters. CVSSv3 score of 4.6
More info.

Arch Linux has updated dhcp, bind, and others. More info.
SUSE has updated dhcp, bind, and many others. More info.
Red Hat has updated the kernel, glib2 and others. More info.
Oracle Linux has updated the kernel. More info.

Yokogawa YFGW410, YFGW510, and YFGW520 products are affected by Treck IP Stack vulnerabilities as known Ripple20.
More info.

Multiple devices which are developed by Korenix Technology and also rebranded for Westermo and Pepperl+Fuchs Comtrol are prone to different critical vulnerabilities, including CSRF, use of insecure channel, executing commands without prior authentication, TFTP file uploads and downloads without authentication, and backdoor accounts.
More info.

Axios NPM library used by BigFix Inventory contains a SSRF vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address. CVSSv3 score of 5.9
More info.

Mageia has updated the kernel. More info.

Multiple security vulnerabilities have been addressed in IBM Cognos Analytics, including allowing control requests in unauthenticated sessions. Highest CVSSv3 score of 10
More info.

Multiple Security vulnerabilities have been fixed in the IBM Application Gateway product. Highest CVSSv3 score of 9
More info.

OpenSUSE has updated libx11 and others. More info.
Debian has updated webkit2gtk. More info.

The daemon in GENIVI diagnostic log and trace (DLT), is vulnerable to a heap-based buffer overflow that could allow an attacker to remotely execute arbitrary code. CVSSv3 score of 9.8
More info. And here.

Mesa Labs AmegaView contains multiple vulnerabilities, including Command Injection, Improper Authentication, Authentication Bypass Using an Alternate Path or Channel, and Improper Privilege Management.  Highest CVSSv3 score of 10.  
This product will be EOL the end of 2021, and there will be no updates.
More info. And here.

CommScope Ruckus IoT Controller contains multiple vulnerabilities, including Hard-coded Credentials, Hidden Functionality, and Missing Authentication for Critical Function. 
More info. And here.

Two security vulnerabilities affect the Bosch B426, B426-CN/B429-CN, and B426-M. The user password is transmitted in clear text, and session hijacking is possible.  Highest CVSSv3 score of 8.8
More info.

SIMATIC S7-1200 and S7-1500 CPU products contain a memory protection bypass vulnerability that could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks. CVSSv3 score of 8.1
More info.

Multiple vulnerabilities in IBM WebSphere eXtreme Scale Liberty Deployment.  Highest CVSSv3 score of 9.8
More info.

Vulnerabilities in Java are affecting Watson Knowledge Catalog for IBM Cloud Pak for Data. Highest CVSSv3 score of 9.8
More info.

An issue was identified in the IBM Runtime Java shipped with IBM MQ and IBM Spectrum Protect Snapshot. CVSSv3 score of 9.8
More info. And here.

Microsoft has updated chromium-based Edge with the latest fixes in chromium.
More info.

NetApp has published 10 new bulletins identifying security vulnerabilities in third-party software included in their products.  No patches yet.
More info.

A DoS vulnerability exists in MELSOFT transmission port (TCP/IP) of MELSEC iQ-R series CPU modules due to improper session management. An attacker can cause resource exhaustion and DoS condition on a target by not closing a connection properly. CVSSv3 score of 5.3
More info.

Multiple product vulnerabilities were identified in Moxa’s NPort IAW5000A-I/O Series Wireless Device Server. Buffer overflow, improper input validation, and unuathenticated data access vulnerabilities in the built-in web server allows remote attackers to initiate a DoS attack and execute arbitrary code (RCE).
More info.

B&R Automation Runtime (AR) includes an outdated version of ntpd which is affected by a large number of vulnerabilities. Highest CVSSv3 score of 7.5
More info.

One B&R POWERLINK stack is affected by two Amnesia vulnerabilities, and is used by a range of B&R field-level products. Highest CVSSv3 score of 8.2
More info.

RedHat has updated data grid. More info.

Multiple vulnerabilities in the vSphere Client (HTML5) were reported.  The vSphere Client contains a RCE vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.  A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. CVSSv3 base score of 9.8.
More info. And here.

Google has published a Chrome for Desktop update that includes 32 security fixes.
More info.

Curl has published 3 new bulletins identifying Use After Free, Use of Uninitialized Variable, and Exposure of Data Element to Wrong Session vulnerabilities.
More info.

Spacelabs utilizes Wind River VxWorks that was identified as one of the RTOS affected by BadAlloc for Patient Monitors.
More info. And here.

Rockwell Automation Micro800 and MicroLogix 1400 contains a MitM vulnerability. If successfully exploited, this vulnerability may result in DoS. To recover, a firmware flash on the controller will need to be performed, which will put the controller into the default state and the user program and data will be lost. CVSSv3 score of 6.1
This vulnerability cannot be remediated with a patch. 
More info.

RedHat has updated the kernel and others. More info.
SUSE has updated the kernel and others. More info.
Gentoo Linux has published 35 new bulletins. More info.
Ubuntu has updated libx11. More info.

Multiple vulnerabilities in the vSphere Client (HTML5) were reported.  The vSphere Client contains a RCE vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.  A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. CVSSv3 base score of 9.8.
More info. And here.

Apple has published security updates for Safari, macOS, iOS, watchOS, and tvOS.
More info.

macOS Big Sur and tvOS have vulnerabilities that are being actively exploited.
More info. And here.

IBM MQ Appliance has resolved a Java SE vulnerability. CVSSv3 score of 9.8
More info.

 IBM Security Guardium is affected by vulnerabilties in jackson-databind, IBM Java SDK, and Squid. Highest CVSSv3 score of 9.8
More info. And here. And here.

HCL Digital Experience is susceptible to multiple security vulnerabilities.
More info.

Debian has updated libx11. More info.
Mageia has updated libx11 and others. More info.

SolarWinds Network Performance Monitor contains a vulnerability within the SolarWinds.Serialization library. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. A remote attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM. CVSSv3 score of 9.8
More info. And here.

Multiple vulnerabiilities in XStream, Java, OpenSSL, WebSphere Application Server Liberty and Node.js may affect IBM Spectrum Control.  Highest CVSSv3 score of 9.8
More info.

A relative path traversal vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to modify files that impact system integrity.
More info.

The ransomware known as Qlocker exploits CVE-2021-28799 to attack QNAP NAS running certain versions of HBS 3 (Hybrid Backup Sync).
More info.

NetApp has published 10 new bulletins identifying vulnerabilities in third-party software included in their products.  No patches yet.
More info.

Hitachi has published security updates for Ops Center Analyzer viewpoint and Ops Center Common Services.
More info.

There are multiple vulnerabilities in SDK Java that is used by Notes Standard Client. Highest CVSSv3 score of 10.
More info.

Cisco has published 8 new bulletins and 2 updated bulletins. Two are rated High, the rest Medium. Nearly all require authentication.
More info.

A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to redirect a user to an undesired web page. CVSSv3 score of 4.7
More info.

Multiple security vulnerabilities in Node.js affecs Cloud Pak for Multicloud Management Managed Service, and Cloud Automation Manager. Highest CVSSv3 score of 9.8
More info. And here. And here. And here. And here. And here. And here.

Xerox has published security updates for FreeFlow Print Server and Xerox Phaser and WorkCentre products.
More info.

Mageia has updated the kernel. More info.

Advantech BB-ESWGP506-2SFP-T uses hard-coded credentials for the telnet service, which listens on TCP port 23 by default, allowing RCE as administrator. CVSSv3 score of 9.8
More info.

Beckhoff TwinCat products use vulnerable version of OPC UA
More info. And here. And here.

Multiple security vulnerabilities in Jackson-Databind affect IBM Sterling B2B Integrator.  CVSSv3 score of 9.8
More info. And here.

A vulnerability in Java affects IBM Cloud Pak for Multicloud Management Monitoring.  CVSSv3 score of 9.8
More info.

Security vulnerabilities in Go affect IBM Cloud Pak for Multicloud Management Hybrid GRC. Highest CVSSv3 score of 9.8
More info.

IBM Resilient SOAR is using components with known vulnerabilities. HIghest CVSSv3 score of 9.8
More info.

Emerson Rosemount X-STREAM Gas Analyzer contains multiple vulnerabilities that could allow an attacker to obtain sensitive information, modify configuration, or affect the availability of the device. Highest CVSSv3 score of 7.5
More info. And here.

Bosch products IndraMotion MTX, MLC and MLD and the ctrlX CORE PLC contain vulnerabilities in third-party software from CODESYS.  CVSSv3 score of 7.3
More info.

There are multiple vulnerabilities in IBM SDK Java that is used by Remote Control. Highest CVSSv3 score of 9.8
More info.

Weak TLS-RSA key exchange algorithm is enabled in BigFix Remote Control. CVSSv3 score of 3.7
More info.

There are multiple vulnerabilities in OpenSSL that is used by OSD Metal Server Web UI. CVSSv3 score of 7.5
More info.

A XML Entity Expansion vulnerability in XMLBeans affects HCL Commerce. CVSSv3 score of 9.1
More info.

Multiple vulnerabilities in Jackson Dataformat, Netty Handler and Elastic Search affect HCL Commerce. Highest CVSSv3 score of 7.5
More info.

IBM Java SDK vulnerabilities have been fixed in IBM Netezza Analytics for NPS.  Highest CVSSv3 score of 10
More info.

The latest version of NetBSD contains security fixes.
More info.

SUSE has updated the kernel. More info.

Connected infusion pump Perfusor, Infusomat, Infusomat P from both Space and compactplus families contain multiple vulnerabilities that could allow a sophisticated attacker to compromise the security of the Space or compactplus communication devices, allowing an attacker to escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution. Under certain conditions, successful exploitation of these vulnerabilities could allow an attacker to change the configuration of a connected infusion pump which may alter infusions after a successful attack. CVSSv3 score of 9.7
More info.

IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of XStream. Highest CVSSv3 score of 9.8
More info.

Multiple security vulnerabilities have been identified in HPE fibre channel and SAN switches with Brocade Fabric OS (FOS). These vulnerabilities could be locally exploited to execute arbitrary code, and to allow an authenticated CLI attacker to write arbitrary content to files. The other vulnerabilities could be remotely exploited to cause denial of service, and inject arbitrary HTTP headers. Highest CVSSv3 score of 7.8
More info.

Multiple security vulnerabilities have been identified in the HPE B-Series SANnav Management Portal, also known as HPE SANnav Management Software. The vulnerabilities could be remotely exploited to carry out requests to servers or services which otherwise would be inaccessible, expose docker ports, disclose internal server information, disclose sensitive information, access files and create directories without permission, and cause denial of service. Highest CVSSv3 score of 8.8
More info.

Multiple security vulnerabilities have been identified in HPE fibre channel and SAN switches with Brocade Fabric OS (FOS). These vulnerabilities could be locally exploited to execute arbitrary code, and to allow an authenticated CLI attacker to write arbitrary content to files. The other vulnerabilities could be remotely exploited to bypass authentication, disclose sensitive information, and cause denial of service. Highest CVSSv3 score of 7.9
More info.

Brocade has published 21 new security bulletins affecting Brocade FabricOS and Brocade SANnav.  5 are rated High, the rest Medium and Low.
More info.