CWE-20

A spoofing vulnerability exists in Microsoft Power BI Report Server in the way it validates the content-type of uploaded attachments, aka ‘Microsoft Power BI Report Server Spoofing Vulnerability’.

A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory, aka ‘Microsoft Graphics Components Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2020-16923.

An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can craft a malicious .docx file, and exploit the NSFileDownloader function to pass parameters to a binary (such as curl or wget) and remotely execute code on a victim’s server.

An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can craft a malicious .docx file, and exploit the unzip function to rewrite a binary and remotely execute code on a victim’s server.

Sprecher SPRECON-E firmware prior to 8.64b might allow local attackers with access to engineering data to insert arbitrary code. This firmware lacks the validation of the input values on the device side, which is provided by the engineering software during parameterization. Attackers with access to local configuration files can therefore insert malicious commands that are executed after compiling them to valid parameter files (“PDLs”), transferring them to the device, and restarting the device.