Multiple vulnerabilities were discovered in Citrix Endpoint Management (CEM) on-premise instances, also referred to as XenMobile Server. The following CVEs are part of the [CTX277457](https://support.citrix.com/article/CTX277457) security bulletin: CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212. Of these, CVEs 2020-8208 and 2020-8209 are considered critical. Details on CVE-2020-8209 are [available from Positive Technologies here](https://www.ptsecurity.com/ww-en/about/news/citrix-fixes-xenmobile-vulnerability-found-by-positive-technologies/).

Multiple vulnerabilities were discovered in Citrix Endpoint Management (CEM) on-premise instances, also referred to as XenMobile Server. The following CVEs are part of the [CTX277457](https://support.citrix.com/article/CTX277457) security bulletin: CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212. Of these, CVEs 2020-8208 and 2020-8209 are considered critical. Details on CVE-2020-8209 are [available from Positive Technologies here](https://www.ptsecurity.com/ww-en/about/news/citrix-fixes-xenmobile-vulnerability-found-by-positive-technologies/).

Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.

Multiple vulnerabilities were discovered in Citrix Endpoint Management (CEM) on-premise instances, also referred to as XenMobile Server. The following CVEs are part of the [CTX277457](https://support.citrix.com/article/CTX277457) security bulletin: CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212. Of these, CVEs 2020-8208 and 2020-8209 are considered critical. Details on CVE-2020-8209 are [available from Positive Technologies here](https://www.ptsecurity.com/ww-en/about/news/citrix-fixes-xenmobile-vulnerability-found-by-positive-technologies/).

Multiple vulnerabilities were discovered in Citrix Endpoint Management (CEM) on-premise instances, also referred to as XenMobile Server. The following CVEs are part of the [CTX277457](https://support.citrix.com/article/CTX277457) security bulletin: CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212. Of these, CVEs 2020-8208 and 2020-8209 are considered critical. Details on CVE-2020-8209 are [available from Positive Technologies here](https://www.ptsecurity.com/ww-en/about/news/citrix-fixes-xenmobile-vulnerability-found-by-positive-technologies/).

Multiple vulnerabilities were discovered in Citrix Endpoint Management (CEM) on-premise instances, also referred to as XenMobile Server. The following CVEs are part of the [CTX277457](https://support.citrix.com/article/CTX277457) security bulletin: CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212. Of these, CVEs 2020-8208 and 2020-8209 are considered critical. Details on CVE-2020-8209 are [available from Positive Technologies here](https://www.ptsecurity.com/ww-en/about/news/citrix-fixes-xenmobile-vulnerability-found-by-positive-technologies/).

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verific…

cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.