Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
70e47724 by security tracker role at 2018-08-03T20:10:17Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,75 @@
+CVE-2018-14914
+       RESERVED
+CVE-2018-14913
+       RESERVED
+CVE-2018-14912 (cgit_clone_objects in CGit before 1.2.1 has a directory 
traversal ...)
+       TODO: check
+CVE-2018-14911 (A file upload vulnerability exists in ukcms v1.1.7 and 
earlier. The ...)
+       TODO: check
+CVE-2018-14910 (SeaCMS v6.61 allows Remote Code execution by placing PHP code 
in an ...)
+       TODO: check
+CVE-2018-14909
+       RESERVED
+CVE-2018-14908 (Samsung Syncthru Web Service V4.05.61 is vulnerable to CSRF on 
every ...)
+       TODO: check
+CVE-2018-14907 (The Web server in 3CX version 15.5.8801.3 is vulnerable to 
Information ...)
+       TODO: check
+CVE-2018-14906 (The Web server in 3CX version 15.5.8801.3 is vulnerable to 
Reflected ...)
+       TODO: check
+CVE-2018-14905 (The Web server in 3CX version 15.5.8801.3 is vulnerable to 
Reflected ...)
+       TODO: check
+CVE-2018-14904 (Samsung Syncthru Web Service V4.05.61 is vulnerable to 
Multiple ...)
+       TODO: check
+CVE-2018-14903
+       RESERVED
+CVE-2018-14902
+       RESERVED
+CVE-2018-14901
+       RESERVED
+CVE-2018-14900
+       RESERVED
+CVE-2018-14899
+       RESERVED
+CVE-2018-14898
+       RESERVED
+CVE-2018-14897
+       RESERVED
+CVE-2018-14896
+       RESERVED
+CVE-2018-14895
+       RESERVED
+CVE-2018-14894
+       RESERVED
+CVE-2018-14893
+       RESERVED
+CVE-2018-14892
+       RESERVED
+CVE-2018-14891
+       RESERVED
+CVE-2018-14890
+       RESERVED
+CVE-2018-14889
+       RESERVED
+CVE-2018-14888
+       RESERVED
+CVE-2018-14887
+       RESERVED
+CVE-2018-14886
+       RESERVED
+CVE-2018-14885
+       RESERVED
+CVE-2018-14884 (An issue was discovered in PHP 7.0.x before 7.0.27, 7.1.x 
before ...)
+       TODO: check
+CVE-2018-14883 (An issue was discovered in PHP before 5.6.37, 7.0.x before 
7.0.31, ...)
+       TODO: check
+CVE-2018-14882
+       RESERVED
+CVE-2018-14881
+       RESERVED
+CVE-2018-14880
+       RESERVED
+CVE-2018-14879
+       RESERVED
 CVE-2018-XXXX [Default KeyInfo resolver doesn't check for empty element 
content.]
        [experimental] - xml-security-c 2.0.1-1
        - xml-security-c <unfixed> (bug #905332)
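Review bot: CVE-2018-14884 and CVE-2018-14883 (PHP, L93-L98) and CVE-2018-14912 (CGit, L29-L31) are left at "TODO: check" although they concern software that Debian packages; they need triage to the php and cgit source packages with a fixed version, <unfixed> or <not-affected> marker, whereas the remaining TODO entries in this hunk (ukcms, SeaCMS, Samsung Syncthru, 3CX) look like straightforward NOT-FOR-US candidates. Also note that the two PHP descriptions cite versions well behind the current 7.0.x/7.1.x series ("7.0.x before 7.0.27", "before 5.6.37, 7.0.x before 7.0.31"), so the stable and oldstable suites should each get an explicit sub-annotation once the affected code is identified.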
@@ -241,12 +313,10 @@ CVE-2018-14776 (Click Studios Passwordstate before 8.3 
Build 8397 allows XSS by 
        NOT-FOR-US: Click Studios Passwordstate
 CVE-2018-14775 (tss_alloc in sys/arch/i386/i386/gdt.c in OpenBSD 6.2 and 6.3 
has a ...)
        NOT-FOR-US: OpenBSD
-CVE-2018-14774 [Possible host header injection when using HttpCache]
-       RESERVED
+CVE-2018-14774 (An issue was discovered in HttpKernel in Symfony 2.7.0 through 
2.7.48, ...)
        - symfony 3.4.14+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache
-CVE-2018-14773 [Remove support for legacy and risky HTTP headers]
-       RESERVED
+CVE-2018-14773 (An issue was discovered in Http Foundation in Symfony 2.7.0 
through ...)
        - symfony 3.4.14+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers
 CVE-2018-14772
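Review bot: CVE-2018-14774 and CVE-2018-14773 record only "- symfony 3.4.14+dfsg-1" with no [stretch] or [jessie] sub-annotation, while every other Symfony entry touched by this commit gains a {DSA-4262-1} reference; the descriptions start at "Symfony 2.7.0", which covers the 2.x series, so the status of the stable and oldstable symfony packages should be stated explicitly (DSA reference, <no-dsa>, or <not-affected> with a reason) rather than left implicit.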
@@ -376,8 +446,8 @@ CVE-2018-14730
        RESERVED
 CVE-2018-14729
        RESERVED
-CVE-2018-14728
-       RESERVED
+CVE-2018-14728 (upload.php in Responsive FileManager 9.13.1 allows SSRF via 
the url ...)
+       TODO: check
 CVE-2018-14727
        RESERVED
 CVE-2018-14726
@@ -402,8 +472,8 @@ CVE-2018-14717
        RESERVED
 CVE-2018-14716
        RESERVED
-CVE-2018-14715
-       RESERVED
+CVE-2018-14715 (The endCoinFlip function and throwSlammer function of the 
smart ...)
+       TODO: check
 CVE-2018-14714
        RESERVED
 CVE-2018-14713
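Review bot: CVE-2018-14715 describes the endCoinFlip and throwSlammer functions of a smart-contract implementation, which is not software Debian ships; it can be marked NOT-FOR-US directly (as the hunk above does for OpenBSD) instead of being left at "TODO: check".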
@@ -705,8 +775,8 @@ CVE-2018-14595
        RESERVED
 CVE-2018-14594
        RESERVED
-CVE-2018-14593
-       RESERVED
+CVE-2018-14593 (An issue was discovered in Open Ticket Request System (OTRS) 
6.0.x ...)
+       TODO: check
 CVE-2018-14592
        RESERVED
 CVE-2018-14591
@@ -739,12 +809,11 @@ CVE-2018-14578
        RESERVED
 CVE-2018-14577
        RESERVED
-CVE-2018-14576
-       RESERVED
+CVE-2018-14576 (The mintToken function of a smart contract implementation for 
...)
+       TODO: check
 CVE-2018-14575
        RESERVED
-CVE-2018-14574 [Open redirect possibility in CommonMiddleware]
-       RESERVED
+CVE-2018-14574 (django.middleware.common.CommonMiddleware in Django 1.11.x 
before ...)
        - python-django 1:1.11.15-1 (bug #905216)
        [jessie] - python-django <not-affected> (Vulnerable code not present)
        NOTE: 
https://www.djangoproject.com/weblog/2018/aug/01/security-releases/
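Review bot: CVE-2018-14574 carries a [jessie] <not-affected> line but no [stretch] sub-annotation; since the visible description scopes the issue to "Django 1.11.x before ..." and the unstable fix is 1:1.11.15-1, the stretch status (affected, <no-dsa>, or <not-affected> with "Vulnerable code not present" as for jessie) should be recorded so the open-redirect issue does not show up as unresolved for stable. In the same hunk, CVE-2018-14576 (mintToken function of a smart contract implementation) can go straight to NOT-FOR-US rather than "TODO: check".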
@@ -883,8 +952,8 @@ CVE-2018-14543 (There exists one NULL pointer dereference 
vulnerability in ...)
        NOT-FOR-US: Bento4
 CVE-2018-14542
        RESERVED
-CVE-2018-14541
-       RESERVED
+CVE-2018-14541 (PHP Scripts Mall Basic B2B Script 2.0.0 has Reflected and 
Stored XSS ...)
+       TODO: check
 CVE-2018-14540
        RESERVED
 CVE-2018-14539
@@ -964,8 +1033,8 @@ CVE-2018-14507
        RESERVED
 CVE-2018-14506
        RESERVED
-CVE-2018-14504
-       RESERVED
+CVE-2018-14504 (An issue was discovered in manage_filter_edit_page.php in 
MantisBT 2.x ...)
+       TODO: check
 CVE-2018-14503
        RESERVED
 CVE-2018-14502
@@ -990,8 +1059,8 @@ CVE-2018-14499
        RESERVED
 CVE-2018-14498
        RESERVED
-CVE-2018-14497
-       RESERVED
+CVE-2018-14497 (Tenda D152 ADSL routers allow XSS via a crafted SSID. ...)
+       TODO: check
 CVE-2018-14496
        RESERVED
 CVE-2018-14495
@@ -1041,8 +1110,8 @@ CVE-2018-14475
        RESERVED
 CVE-2018-14474 (views/auth.go in Orange Forum 1.4.0 allows Open Redirection 
via the ...)
        NOT-FOR-US: Orange Forum
-CVE-2018-14473
-       RESERVED
+CVE-2018-14473 (OCS Inventory 2.4.1 lacks a proper XML parsing configuration, 
allowing ...)
+       TODO: check
 CVE-2018-14472 (An issue was discovered in WUZHI CMS 4.1.0. The vulnerable 
file is ...)
        NOT-FOR-US: WUZHI CMS
 CVE-2018-14471 (dwg_obj_block_control_get_block_headers in dwg_api.c in GNU 
LibreDWG ...)
@@ -1193,8 +1262,8 @@ CVE-2018-14419 (MetInfo 6.0.0 allows XSS via a modified 
name of the navigation b
        NOT-FOR-US: MetInfo
 CVE-2018-14418 (In Msvod Cms v10, SQL Injection exists via an 
images/lists?cid= URI. ...)
        NOT-FOR-US: Msvod Cms
-CVE-2018-14417
-       RESERVED
+CVE-2018-14417 (A command injection vulnerability was found in the web 
administration ...)
+       TODO: check
 CVE-2018-14416
        RESERVED
 CVE-2018-14415 (An issue was discovered in idreamsoft iCMS before 7.0.10. XSS 
exists ...)
@@ -2317,7 +2386,7 @@ CVE-2018-13990
        RESERVED
 CVE-2018-13989 (Grundig Smart Inter@ctive TV 3.0 devices allow CSRF attacks 
via a POST ...)
        NOT-FOR-US: Grundig Smart Inter@ctive TV 3.0 devices
-CVE-2018-13988 (Poppler through 0.62 contains a Buffer Overflow vulnerability 
due to ...)
+CVE-2018-13988 (Poppler through 0.62 contains an out of bounds read 
vulnerability due ...)
        - poppler <unfixed> (low; bug #904922)
        [stretch] - poppler <no-dsa> (Minor issue)
        [jessie] - poppler <no-dsa> (Minor issue)
@@ -3558,8 +3627,8 @@ CVE-2018-13418
        RESERVED
 CVE-2018-13417
        RESERVED
-CVE-2018-13416
-       RESERVED
+CVE-2018-13416 (In Universal Media Server (UMS) 7.1.0, the XML parsing engine 
for ...)
+       TODO: check
 CVE-2018-13415
        RESERVED
 CVE-2018-13414
@@ -4335,8 +4404,8 @@ CVE-2018-13057
        RESERVED
 CVE-2018-13056 (An issue was discovered on zzcms 8.3. There is a vulnerability 
at ...)
        NOT-FOR-US: zzcms
-CVE-2018-13055
-       RESERVED
+CVE-2018-13055 (A cross-site scripting (XSS) vulnerability in the View Filters 
page ...)
+       TODO: check
 CVE-2018-13053 (The alarm_timer_nsleep function in kernel/time/alarmtimer.c in 
the ...)
        - linux <unfixed>
        [jessie] - linux-4.9 <unfixed>
@@ -4485,8 +4554,8 @@ CVE-2018-12991
        RESERVED
 CVE-2018-12990 (phpwcms 1.8.9 allows remote attackers to discover the 
installation path ...)
        NOT-FOR-US: phpwcms
-CVE-2018-12989
-       RESERVED
+CVE-2018-12989 (The report-viewing feature in Pearson VUE Certiport Console 8 
and ...)
+       TODO: check
 CVE-2018-12988 (GreenCMS 2.3.0603 has an arbitrary file download vulnerability 
via an ...)
        NOT-FOR-US: GreenCMS
 CVE-2018-12987
@@ -5543,8 +5612,7 @@ CVE-2018-1000402 (Jenkins project Jenkins AWS CodeDeploy 
Plugin version 1.19 and
        NOT-FOR-US: Jenkins plugin
 CVE-2018-1000401 (Jenkins project Jenkins AWS CodePipeline Plugin version 0.36 
and ...)
        NOT-FOR-US: Jenkins plugin
-CVE-2018-12607 [gitlab: Persistent XSS in charts]
-       RESERVED
+CVE-2018-12607 (An issue was discovered in GitLab Community Edition and 
Enterprise ...)
        - gitlab <unfixed> (bug #902726)
        [stretch] - gitlab <not-affected> (Only affects >= 10.5)
        NOTE: 
https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/
@@ -5555,12 +5623,10 @@ CVE-2018-XXXX [gitlab: Activity feed publicly 
displaying internal project names]
 CVE-2018-XXXX [gitlab: Content injection via username]
        - gitlab <unfixed> (bug #902726)
        NOTE: 
https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/
-CVE-2018-12606 [gitlab: wiki XSS]
-       RESERVED
+CVE-2018-12606 (An issue was discovered in GitLab Community Edition and 
Enterprise ...)
        - gitlab <unfixed> (bug #902726)
        NOTE: 
https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/
-CVE-2018-12605 [gitlab: XSS in url_for(params)]
-       RESERVED
+CVE-2018-12605 (An issue was discovered in GitLab Community Edition and 
Enterprise ...)
        - gitlab <unfixed> (bug #902726)
        [stretch] - gitlab <not-affected> (Only affects 10.7)
        NOTE: 
https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/
@@ -5876,10 +5942,10 @@ CVE-2018-12485
        RESERVED
 CVE-2018-12484
        RESERVED
-CVE-2018-12483
-       RESERVED
-CVE-2018-12482
-       RESERVED
+CVE-2018-12483 (OCS Inventory 2.4.1 is prone to a remote command-execution ...)
+       TODO: check
+CVE-2018-12482 (OCS Inventory 2.4.1 contains multiple SQL injections in the 
search ...)
+       TODO: check
 CVE-2018-12481 (The Olive Tree Ftp Server application 1.32 for Android has a 
&quot;Sensitive ...)
        NOT-FOR-US: Olive Tree Ftp Server application for Android
 CVE-2018-12480
@@ -8710,6 +8776,7 @@ CVE-2018-11407 (An issue was discovered in the Ldap 
component in Symfony 2.8.x b
        [stretch] - symfony <not-affected> (Incomplete fix for CVE-2016-2403 
not applied)
        NOTE: 
https://symfony.com/blog/cve-2018-11407-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password
 CVE-2018-11406 (An issue was discovered in the Security component in Symfony 
2.7.x ...)
+       {DSA-4262-1}
        - symfony 3.4.12+dfsg-1
        NOTE: https://symfony.com/blog/cve-2018-11406-csrf-token-fixation
 CVE-2018-11405 (Kliqqi 2.0.2 has CSRF in admin/admin_users.php. ...)
@@ -8753,9 +8820,11 @@ CVE-2018-11388
 CVE-2018-11387
        RESERVED
 CVE-2018-11386 (An issue was discovered in the HttpFoundation component in 
Symfony ...)
+       {DSA-4262-1}
        - symfony 3.4.12+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler
 CVE-2018-11385 (An issue was discovered in the Security component in Symfony 
2.7.x ...)
+       {DSA-4262-1}
        - symfony 3.4.12+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication
 CVE-2018-11384 (The sh_op() function in radare2 2.5.0 allows remote attackers 
to cause ...)
@@ -10527,7 +10596,7 @@ CVE-2018-10760 (Unrestricted file upload vulnerability 
in the Files plugin in ..
 CVE-2018-10759 (PHP remote file inclusion vulnerability in 
public/patch/patch.php in ...)
        NOT-FOR-US: Project Pier
 CVE-2018-11319 (Syntastic (aka vim-syntastic) through 3.9.0 does not properly 
handle ...)
-       {DLA-1444-1}
+       {DSA-4261-1 DLA-1444-1}
        - vim-syntastic 3.9.0-1 (bug #894736)
        NOTE: https://github.com/vim-syntastic/syntastic/issues/2170
        NOTE: 
https://github.com/vim-syntastic/syntastic/commit/6d7c0b394e001233dd09ec473fbea2002c72632f
@@ -17966,8 +18035,8 @@ CVE-2018-7750 (transport.py in the SSH server 
implementation of Paramiko before 
 CVE-2018-7749 (The SSH server implementation of AsyncSSH before 1.12.1 does 
not ...)
        - python-asyncssh 1.12.1-1 (bug #892787)
        NOTE: 
https://github.com/ronf/asyncssh/commit/16e6ebfa893167c7d9d3f6dc7a2c0d197e47f43a
-CVE-2018-7748
-       RESERVED
+CVE-2018-7748 (report_viewer.do in ServiceNow Release Jakarta Patch 8 and 
earlier ...)
+       TODO: check
 CVE-2018-7747 (Multiple cross-site scripting (XSS) vulnerabilities in the 
Caldera ...)
        NOT-FOR-US: Caldera Forms plugin for WordPress
 CVE-2018-7746 (An issue was discovered in Western Bridge Cobub Razor 0.7.2. 
...)
@@ -21736,8 +21805,8 @@ CVE-2018-6592 (Unisys Stealth 3.3 Windows endpoints 
before 3.3.016.1 allow local
        NOT-FOR-US: Unisys Stealth Windows endpoints
 CVE-2018-6591 (Converse.js and Inverse.js through 3.3 allow remote attackers 
to obtain ...)
        NOT-FOR-US: Converse.js
-CVE-2018-6590
-       RESERVED
+CVE-2018-6590 (CA API Developer Portal 4.x, prior to v4.2.5.3 and v4.2.7.1, 
has an ...)
+       TODO: check
 CVE-2018-6589 (CA Spectrum 10.1 prior to 10.01.02.PTF_10.1.239 and 10.2.x 
prior to ...)
        NOT-FOR-US: CA Spectrum
 CVE-2018-6588 (CA API Developer Portal 3.5 up to and including 3.5 CR5 has a 
...)
@@ -25434,10 +25503,10 @@ CVE-2018-5492
        RESERVED
 CVE-2018-5491
        RESERVED
-CVE-2018-5490
-       RESERVED
-CVE-2018-5489
-       RESERVED
+CVE-2018-5490 (Read-Only export policy rules are not correctly enforced in 
Clustered ...)
+       TODO: check
+CVE-2018-5489 (NetApp 7-Mode Transition Tool allows users with valid 
credentials to ...)
+       TODO: check
 CVE-2018-5488 (NetApp SANtricity Web Services Proxy versions 1.10.x000.0002 
through ...)
        NOT-FOR-US: NetApp SANtricity Web Services Proxy
 CVE-2018-5487 (NetApp OnCommand Unified Manager for Linux versions 7.2 through 
7.3 ...)
@@ -35771,8 +35840,8 @@ CVE-2018-1526
        RESERVED
 CVE-2018-1525
        RESERVED
-CVE-2018-1524
-       RESERVED
+CVE-2018-1524 (IBM Maximo Asset Management 7.6 through 7.6.3 installs with a 
default ...)
+       TODO: check
 CVE-2018-1523 (IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 
6.0.5 ...)
        NOT-FOR-US: IBM
 CVE-2018-1522
@@ -42072,6 +42141,7 @@ CVE-2017-16791
        RESERVED
 CVE-2017-16790 [Ensure that submitted data are uploaded files]
        RESERVED
+       {DSA-4262-1}
        - symfony 3.4.0+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files
        NOTE: https://github.com/symfony/symfony/pull/24993
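Review bot: CVE-2017-16790 keeps its RESERVED line while now carrying a {DSA-4262-1} reference and a fixed version; an entry with a published advisory and an upstream blog post is no longer reserved, so the bracketed placeholder title should be replaced by the public description and the RESERVED marker dropped, otherwise the entry reads as both unpublished and fixed.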
@@ -42385,15 +42455,18 @@ CVE-2017-16655
        RESERVED
 CVE-2017-16654 [Intl bundle readers breaking out of paths]
        RESERVED
+       {DSA-4262-1}
        - symfony 3.4.0+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths
        NOTE: https://github.com/symfony/symfony/pull/24994
 CVE-2017-16653 [CSRF protection does not use different tokens for HTTP and 
HTTPS]
        RESERVED
+       {DSA-4262-1}
        - symfony 3.4.0+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2017-16653-csrf-protection-does-not-use-different-tokens-for-http-and-https
        NOTE: https://github.com/symfony/symfony/pull/24992
 CVE-2017-16652 (An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x 
before ...)
+       {DSA-4262-1}
        - symfony 3.4.0+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers
        NOTE: https://github.com/symfony/symfony/pull/24995
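Review bot: CVE-2017-16654 and CVE-2017-16653 are still marked RESERVED with bracketed placeholder titles even though this hunk attaches {DSA-4262-1} to them; CVE-2017-16652 at the bottom of the same hunk shows the intended form (public description in parentheses, no RESERVED line), and the two entries above it should be brought into line with it.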
@@ -46220,8 +46293,8 @@ CVE-2017-15360 (PRTG Network Monitor version 
17.3.33.2830 is vulnerable to store
        NOT-FOR-US: PRTG Network Monitor
 CVE-2017-15359 (In the 3CX Phone System 15.5.3554.1, the Management Console 
typically ...)
        NOT-FOR-US: 3CX Phone System
-CVE-2017-15358
-       RESERVED
+CVE-2017-15358 (Race condition in the Charles Proxy Settings suid binary in 
Charles ...)
+       TODO: check
 CVE-2017-15357 (The setpermissions function in the auto-updater in Arq before 
5.9.7 ...)
        NOT-FOR-US: Arq
 CVE-2017-15356 (Huawei DP300, V500R002C00, RP200, V600R006C00, TE30, 
V100R001C10, ...)
@@ -67550,8 +67623,8 @@ CVE-2017-8318
        RESERVED
 CVE-2017-8317
        RESERVED
-CVE-2017-8316
-       RESERVED
+CVE-2017-8316 (IntelliJ IDEA XML parser was found vulnerable to XML External 
Entity ...)
+       TODO: check
 CVE-2017-8315 (Eclipse XML parser for the Eclipse IDE versions 2017.2.5 and 
earlier ...)
        - eclipse <undetermined>
        NOTE: Upstream bug with details is restricted
@@ -114533,6 +114606,7 @@ CVE-2016-2405 (Huawei Policy Center with software 
before V100R003C10SPC020 allow
 CVE-2016-2404 (Huawei switches S5700, S6700, S7700, S9700 with software ...)
        NOT-FOR-US: Huawei
 CVE-2016-2403 (Symfony before 2.8.6 and 3.x before 3.0.6 allows remote 
attackers to ...)
+       {DSA-4262-1}
        - symfony 2.8.6+dfsg-1
        [jessie] - symfony <not-affected> (Vulnerable code not present)
        NOTE: 
http://symfony.com/blog/cve-2016-2403-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/70e477246c0a9940188b4176446d654d0657533c

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
