Threatscape

All the following vulnerabilities were discovered either by Positive Research experts or by automated security products from Positive Technologies, including MaxPatrol and PT Application Inspector.

Medium (5.3) CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

PT-2021-07: GPay payments above NoCVM limits, CryptoATC out of order

Fix date:	no patches available
Vector:	Local
Systems affected:	MasterCard Tokenisation Service (MDES)
Vendor:	MasterCard
Notification status:	October, 2021- Vendor notification date

Medium (4.9) CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

PT-2021-06: Lack of integrity checks of the MCC field

Fix date:	no patches available
Vector:	Remote
Systems affected:	Visa Tokenisation Service (VTS) MasterCard Tokenisation Service (MDES)
Vendor:	EMVCo, Visa, MasterCard
Notification status:	October, 2021- Vendor notification date

Medium (4.1) CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N

PT-2021-05: Lack of Amount/CVMResults fields checking for Public Transport Schemes

Fix date:	no patches available
Vector:	Local
Systems affected:	Visa Tokenisation Service (VTS) MasterCard Tokenisation Service (MDES)
Vendor:	EMVCo
Notification status:	October, 2021- Vendor notification date

Medium (4.9) CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

PT-2021-04: AAC/ARQC cryptogram confusion

Fix date:	no patches available
Vector:	Remote
Systems affected:	Visa Tokenisation Service (VTS) MasterCard Tokenisation Service (MDES)
Vendor:	Visa Inc, MasterCard Inc.
Notification status:	October, 2021- Vendor notification date

Medium (5.3) CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

PT-2021-03: Apple Pay authentication and fields validation issues

Fix date:	no patches available
Vector:	Local
Systems affected:	iOS/iPhone
Vendor:	Apple Inc
Notification status:	October, 2021- Vendor notification date

High (6.8) CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

PT-2021-02: Encryption bypass when downloading a firmware update in Diebold-Nixdorf RM3/CRS

Fix date:	no patches available
Vector:	Local
Systems affected:	RM3/CRS dispenser firmware (all versions up to and including 41128 1002 RM3_CRS.BTR + 170329 2332 RM3_CRS.FRM)
Vendor:	Diebold-Nixdorf
Notification status:	July, 2018 - Vendor notification date

High (6.8) CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

PT-2021-01: Encryption bypass when downloading a firmware update in Diebold-Nixdorf CMDv5

Fix date:	no patches available
Vector:	Local
Systems affected:	CMDv5 dispenser firmware (all versions up to and including 141128 1002 CD5_ATM.BTR + 170329 2332 CD5_ATM.FRM)
Vendor:	Diebold-Nixdorf
Notification status:	July, 2018 - Vendor notification date

High (7,5) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

PT-2020-31: Denial of service in F5 Traffic Management Microkernel (TMM)

Fix date:	December 17, 2020
Vector:	Remote
Systems affected:	Traffic Management Microkernel (TMM)
Vendor:	F5 Networks
Notification status:	April 30, 2020 - Vendor notification date December 17, 2020 - Security advisory publication date

High (9,8) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

PT-2020-30: Multiple code execution in Cisco Integrated Management Controller (CIMC)

Fix date:	November 18, 2020
Vector:	Remote
Systems affected:	Cisco Integrated Management Controller (CIMC)
Vendor:	Cisco
Notification status:	April 11, 2020 - Vendor notification date November 18, 2020 - Security advisory publication date

High (9,4) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

PT-2020-29: Denial of service and potential arbitrary code execution in SonicOS

Fix date:	October 12, 2020
Vector:	Remote
Systems affected:	SonicOS SonicOSv
Vendor:	SonicWall
Notification status:	June 26, 2020 - Vendor notification date October 12, 2020 - Security advisory publication date

High (7.6) CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

PT-2020-28: Undocumented physical access to the system (SBI bootloader memory write)

Fix date:	August 1, 2020
Vector:	Local
Systems affected:	All
Vendor:	Verifone
Notification status:	October 1, 2019 - Vendor notification date August 1, 2020 - Security advisory publication date

High (7.3) CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H

PT-2020-27: Undocumented physical access mode (VerixV shell.out)

Fix date:	August 1, 2020
Vector:	Local
Systems affected:	VerixV
Vendor:	Verifone
Notification status:	October 1, 2019 - Vendor notification date August 1, 2020 - Security advisory publication date

High (8.2) CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PT-2020-26: Buffer Overflow in Verix OS core (Run() system call)

Fix date:	August 1, 2020
Vector:	Local
Systems affected:	VerixV
Vendor:	Verifone
Notification status:	October 1, 2019 - Vendor notification date August 1, 2020 - Security advisory publication date

High (8.2) CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PT-2020-24: Integrity and origin control bypass (S1G file generation)

Fix date:	August 1, 2020
Vector:	Local
Systems affected:	VerixV
Vendor:	Verifone
Notification status:	October 1, 2019 - Vendor notification date August 1, 2020 - Security advisory publication date

Medium (6.3) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

PT-2020-23: Multiple arbitrary command injections (file manager, etc.)

Fix date:	August 1, 2020
Vector:	Local
Systems affected:	MX900
Vendor:	Verifone
Notification status:	October 1, 2019 - Vendor notification date August 1, 2020 - Security advisory publication date

High (8.2) CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PT-2020-22: Insecure Permissions (svc_netcontrol arbitrary command injection and privilege escalation)

Fix date:	August 1, 2020
Vector:	Local
Systems affected:	MX900
Vendor:	Verifone
Notification status:	October 1, 2019 - Vendor notification date August 1, 2020 - Security advisory publication date

High (8.2) CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PT-2020-21: Installation of unsigned packages

Fix date:	August 1, 2020
Vector:	Local
Systems affected:	MX900
Vendor:	Verifone
Notification status:	October 1, 2019 - Vendor notification date August 1, 2020 - Security advisory publication date

High (8.8) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

PT-2020-20: Race condition privilege escalation (secins application RBAC bypass)

Fix date:	August 1, 2020
Vector:	Local
Systems affected:	MX900
Vendor:	Verifone
Notification status:	October 1, 2019 - Vendor notification date August 1, 2020 - Security advisory publication date

Medium (7.6) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

PT-2020-19: Buffer overflow via SOCKET_TASK in the NTPT3 protocol

Fix date:	March 1, 2020
Vector:	Remote
Systems affected:	Tellium 2
Vendor:	Ingenico
Notification status:	September 1, 2018 - Vendor notification date March 1, 2020 - Security advisory publication date

High (7.6) CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

PT-2020-18: Arbitrary code execution via the TRACE protocol (r/w memory)

Fix date:	March 1, 2020
Vector:	Remote
Systems affected:	Tellium 2
Vendor:	Ingenico
Notification status:	September 1, 2018 - Vendor notification date March 1, 2020 - Security advisory publication date

Severity level

All levels

High

Medium

Low

Date filters

Date range

Year Year

Month Month

Starts:

Year Year

Month Month

Ends:

Year Year

Month Month

Vendor

Company name Company name

Systems affected

Software name Software name

Show threats with CVE-ID

Reset filter

Editor’s Choice

June 7, 2021 Positive Research 2021
December 7, 2020 Positive Research 2020
June 17, 2020 Vulnerabilities and threats in mobile banking