Disclosure Date: May 08, 2019 (last updated February 13, 2020)
Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the `root` user.
This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the `root` user.
Disclosure Date: March 28, 2019 (last updated March 10, 2020)
Weak file permissions applied to the Aviatrix VPN Client through 2.2.10 installation directory on Windows and Linux allow a local attacker to execute arbitrary code by gaining elevated privileges through file modifications.
Disclosure Date: May 24, 2018 (last updated March 10, 2020)
The AXIS webapp in deploy-tomcat/axis in IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2 and 7.2.0 through 22.214.171.124 allows remote attackers to obtain sensitive configuration information via a direct request, as demonstrated by happyaxis.jsp. IBM X-Force ID: 84354.
The windows task scheduler allows a split token administrator to register a task which runs as a batch job from a limited privilege context. This doesn't require a user's password to accomplish as the task will be run non-interactively and so doesn't need access to the password in order to access remote resources. Due to the way that batch logons work in the latest versions of Windows for a split token admin user this actually creates the fully privileged token to execute the task under.
Disclosure Date: April 27, 2020 (last updated May 02, 2020)
A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords)
To quote the Reuters report: "To execute the hack, Avraham said victims would be sent an apparently blank email message through the Mail app forcing a crash and reset. The crash opened the door for hackers to steal other data on the device, such as photos and contact details."
So, it sounds like a font or other kind of render thing in Mail.App. No clicks required other than opening the email.
Disclosure Date: April 15, 2020 (last updated May 26, 2020)
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 126.96.36.199.0, 188.8.131.52.0 and 184.108.40.206.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Disclosure Date: April 22, 2020 (last updated May 30, 2020)
This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 220.127.116.1187. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HandshakeResult method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-10401.
Disclosure Date: April 21, 2020 (last updated May 30, 2020)
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to login and execute arbitrary code on the system with root privileges. IBM X-Force ID: 180534.