[Git][security-tracker-team/security-tracker][master] new dompurify issue

Moritz Muehlenhoff Wed, 25 Sep 2019 01:27:21 -0700


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker



Commits:
317bbbe9 by Moritz Muehlenhoff at 2019-09-25T08:26:34Z
new dompurify issue
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -211,7 +211,7 @@ CVE-2019-16761
 CVE-2019-16760
        RESERVED
 CVE-2019-16759 (vBulletin 5.x through 5.5.4 allows remote command execution 
via the wi ...)
-       TODO: check
+       NOT-FOR-US: vBulletin
 CVE-2019-16758
        RESERVED
 CVE-2019-16757
@@ -227,7 +227,7 @@ CVE-2019-16753
 CVE-2019-16752
        RESERVED
 CVE-2019-16751 (An issue was discovered in Devise Token Auth through 1.1.2. 
The omniau ...)
-       TODO: check
+       NOT-FOR-US: Devise Token Auth
 CVE-2019-16750
        RESERVED
 CVE-2019-16749
@@ -270,7 +270,8 @@ CVE-2019-16731
 CVE-2019-16730
        RESERVED
 CVE-2019-16728 (DOMPurify before 2.0.1 allows XSS because of innerHTML 
mutation XSS (m ...)
-       TODO: check
+       - dompurify.js <removed>
+       NOTE: https://research.securitum.com/dompurify-bypass-using-mxss/
 CVE-2019-16746 (An issue was discovered in net/wireless/nl80211.c in the Linux 
kernel  ...)
        - linux <unfixed>
        NOTE: https://marc.info/?l=linux-wireless&m=156901391225058&w=2
@@ -279,9 +280,9 @@ CVE-2019-16727
 CVE-2019-16726
        RESERVED
 CVE-2019-16725 (In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS 
attacks  ...)
-       TODO: check
+       NOT-FOR-US: Joomla!
 CVE-2019-16724 (File Sharing Wizard 1.5.0 allows a remote attacker to obtain 
arbitrary ...)
-       TODO: check
+       NOT-FOR-US: File Sharing Wizard
 CVE-2019-16723 (In Cacti through 1.2.6, authenticated users may bypass 
authorization c ...)
        - cacti <unfixed> (bug #941036)
        NOTE: https://github.com/Cacti/cacti/issues/2964
@@ -326,7 +327,7 @@ CVE-2019-16707 (Hunspell 1.7.0 has an invalid read 
operation in SuggestMgr::left
 CVE-2019-16706 (kkcms v1.3 has a CSRF vulnerablity that can add an user 
account via ad ...)
        NOT-FOR-US: kkcms
 CVE-2018-21019 (Home Assistant before 0.67.0 was vulnerable to an information 
disclosu ...)
-       TODO: check
+       NOT-FOR-US: Home Assistant
 CVE-2019-16729 (pam-python before 1.0.7-1 has an issue in regard to the 
default enviro ...)
        - pam-python 1.0.7-1
        NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1150510#c1
@@ -338,11 +339,11 @@ CVE-2019-16705 (Ming (aka libming) 0.4.8 has an out of 
bounds read vulnerability
        - ming <removed>
        NOTE: https://github.com/libming/libming/issues/178
 CVE-2019-16704 (admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS. 
...)
-       TODO: check
+       NOT-FOR-US: PHPMyWind
 CVE-2019-16703 (admin/infolist_add.php in PHPMyWind 5.6 has stored XSS. ...)
-       TODO: check
+       NOT-FOR-US: PHPMyWind
 CVE-2019-16702 (Integard Pro 2.2.0.9026 allows remote attackers to execute 
arbitrary c ...)
-       TODO: check
+       NOT-FOR-US: Integard Pro
 CVE-2019-16701
        RESERVED
 CVE-2019-16700
@@ -384,9 +385,9 @@ CVE-2019-16683
 CVE-2019-16682
        RESERVED
 CVE-2018-21018 (Mastodon before 2.6.3 mishandles timeouts of incompletely 
established  ...)
-       TODO: check
+       NOT-FOR-US: Mastodon
 CVE-2019-16681 (The Traveloka application 3.14.0 for Android exports 
com.traveloka.and ...)
-       TODO: check
+       NOT-FOR-US: Traveloka
 CVE-2019-16680 (An issue was discovered in GNOME file-roller before 3.29.91. 
It allows ...)
        - file-roller 3.30.0-1
        NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=794337
@@ -804,7 +805,7 @@ CVE-2019-16520
 CVE-2019-16519
        RESERVED
 CVE-2019-16518 (An issue was discovered on Swell Kit Mod devices that use the 
Vandy Va ...)
-       TODO: check
+       NOT-FOR-US: Swell Kit Mod devices
 CVE-2019-16517
        RESERVED
 CVE-2019-16516
@@ -1079,7 +1080,7 @@ CVE-2019-16385
 CVE-2019-16384
        RESERVED
 CVE-2019-16383 (MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 
before 10.2 ...)
-       TODO: check
+       NOT-FOR-US: Progress MOVEit Transfer
 CVE-2019-16382
        RESERVED
 CVE-2019-16381



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/317bbbe9cb1abc5e7341a1d8bbdb461840770ed8

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/317bbbe9cb1abc5e7341a1d8bbdb461840770ed8
You're receiving this email because of your account on salsa.debian.org.

_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] new dompurify issue

Reply via email to