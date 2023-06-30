



Then on June 15th, a third round flaw, tracked as CVE-2023-35708, emerged, prompting the release of another patch.

It goes without saying that if you haven’t patched it yet, it’s imperative that you do so as soon as possible.

VMware

Software giant VMWare has issued a patch for a flaw in Aria Operations for Networks that has already been used in attacks. Tracked as CVE-2023-20887, the first is marked as critical with his CVSS score of 9.8. A malicious attacker with network access to VMware Aria Operations for Networks could perform a command injection attack to execute remote code, he warned in a VMWare advisory.

CVE-2023-20888 is an authenticated deserialization vulnerability with a CVSS score of 9.1. On the other hand, CVE-2023-20889 is an information disclosure vulnerability in the Critical severity range with a CVSS score of 8.8.

In late June, VMWare patched multiple issues in vCenter Server. Tracked as CVE-2023-20892, the first is a heap overflow vulnerability that could allow an attacker to execute code.

CVE-2023-20893 is a use-after-free vulnerability in the DCERPC protocol implementation that could allow an attacker to execute arbitrary code on the underlying operating system.

CVE-2023-20894 is an out-of-bounds write vulnerability with a CVSS score of 8.1, and CVE-2023-20895 is a memory corruption issue that could allow an attacker to bypass authentication.

Cisco

Cisco has patched a vulnerability in the client update process for AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. This flaw, tracked as CVE-2023-20178, could allow a low-privilege, authenticated local attacker to execute code with SYSTEM privileges. The fix is ​​especially urgent because security researcher Philippe Dragovy recently published a proof-of-concept exploit for the flaw.

Another patch of note includes CVE-2023-20105, which has a CVSS score of 9.6 and is rated Critically Impacted. A flaw in the Cisco Expressway Series and Cisco TelePresenceVideoCommunicationServer could allow an attacker to change the password of any user on the system (including admin read/write users) and impersonate that user.

Fortinet

Security firm Fortinet patched the vulnerability in June and warned it could be used in an attack. A heap-based buffer overflow vulnerability, tracked as CVE-2023-27997, could allow remote attackers to execute arbitrary code or commands via specially crafted requests. The severity of the flaw is reflected in a CVSS score of 9.8, so please apply the patch as soon as possible.

SAP

SAP’s June patch day includes fixes for a number of defects, including two rated high severity. This patch contains CVE-2021-42063, a cross-site scripting vulnerability in SAP Knowledge Warehouse versions 7.30, 7.31, 7.40, and 7.50.

This flaw could allow an unprivileged attacker to perform an XSS attack, potentially leading to the disclosure of sensitive data. According to security firm Onapsys, the vulnerability could allow an attacker to gain user-level access, compromising the confidentiality, integrity and availability of the UI5 ​​Varian Management application.

