Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
aa3a0c5d by security tracker role at 2025-05-08T20:12:40+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,109 @@
+CVE-2025-4475 (Issue in my product in blah version x on y allows bad person to 
break)
+       TODO: check
+CVE-2025-4208 (The NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms 
and mu ...)
+       TODO: check
+CVE-2025-4207 (Buffer over-read in PostgreSQL GB18030 encoding validation 
allows a da ...)
+       TODO: check
+CVE-2025-4132 (Rapid7 Corporate Website prior to May 2nd 2025, suffered from a 
URL Re ...)
+       TODO: check
+CVE-2025-4098 (Horner Automation Cscape version 10.0 (10.0.415.2) SP1 is 
vulnerable t ...)
+       TODO: check
+CVE-2025-47730 (The TeleMessage archiving backend through 2025-05-05 accepts 
API calls ...)
+       TODO: check
+CVE-2025-47729 (The TeleMessage archiving backend through 2025-05-05 holds 
cleartext c ...)
+       TODO: check
+CVE-2025-46833 (Programs/P73_SimplePythonEncryption.py illustrates a simple 
Python enc ...)
+       TODO: check
+CVE-2025-46812 (Trix is a what-you-see-is-what-you-get rich text editor for 
everyday w ...)
+       TODO: check
+CVE-2025-46712 (Erlang/OTP is a set of libraries for the Erlang programming 
language.  ...)
+       TODO: check
+CVE-2025-45847 (ALFA AIP-W512 v3.2.2.2.3 was discovered to contain an 
authenticated st ...)
+       TODO: check
+CVE-2025-45846 (ALFA AIP-W512 v3.2.2.2.3 was discovered to contain an 
authenticated st ...)
+       TODO: check
+CVE-2025-45845 (TOTOLINK NR1800X V9.1.0u.6681_B20230703 was discovered to 
contain an a ...)
+       TODO: check
+CVE-2025-45844 (TOTOLINK NR1800X V9.1.0u.6681_B20230703 was discovered to 
contain an a ...)
+       TODO: check
+CVE-2025-45843 (TOTOLINK NR1800X V9.1.0u.6681_B20230703 was discovered to 
contain an a ...)
+       TODO: check
+CVE-2025-45842 (TOTOLINK NR1800X V9.1.0u.6681_B20230703 was discovered to 
contain an a ...)
+       TODO: check
+CVE-2025-45841 (TOTOLINK NR1800X V9.1.0u.6681_B20230703 was discovered to 
contain an a ...)
+       TODO: check
+CVE-2025-45820 (Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is 
vulnerabl ...)
+       TODO: check
+CVE-2025-45819 (Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is 
vulnerabl ...)
+       TODO: check
+CVE-2025-45818 (Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is 
vulnerabl ...)
+       TODO: check
+CVE-2025-45798 (A command execution vulnerability exists in the TOTOLINK 
A950RG V4.1.2 ...)
+       TODO: check
+CVE-2025-45797 (TOTOlink A950RG V4.1.2cu.5204_B20210112 contains a buffer 
overflow vul ...)
+       TODO: check
+CVE-2025-45790 (TOTOLINK A3100R V5.9c.1527 is vulnerable to Buffer Overflow 
via the pr ...)
+       TODO: check
+CVE-2025-45789 (TOTOLINK A3100R V5.9c.1527 is vulnerable to buffer overflow 
via the ur ...)
+       TODO: check
+CVE-2025-45788 (TOTOLINK A3100R V5.9c.1527 is vulnerable to Buffer Overflow 
via the co ...)
+       TODO: check
+CVE-2025-45787 (TOTOLINK A3100R V5.9c.1527 is vulnerable to Buffer Overflow 
viathe com ...)
+       TODO: check
+CVE-2025-44023 (An issue in dlink DNS-320 v.1.00 and DNS-320LW 
v.1.01.0914.20212 allow ...)
+       TODO: check
+CVE-2025-44021 (OpenStack Ironic before 29.0.1 can write unintended files to a 
target  ...)
+       TODO: check
+CVE-2025-41450 (Improper Authentication vulnerability in Danfoss AKSM8xxA 
Series.This  ...)
+       TODO: check
+CVE-2025-40846 (Improper Input Validation, the returnUrl parameter in Account 
Security ...)
+       TODO: check
+CVE-2025-3862 (Contest Gallery plugin for WordPress is vulnerable to Stored 
Cross-Sit ...)
+       TODO: check
+CVE-2025-3759 (Endpoint/cgi-bin-igd/netcore_set.cgiwhich is used for changing 
device  ...)
+       TODO: check
+CVE-2025-3758 (WF2220 exposes endpoint/cgi-bin-igd/netcore_get.cgithat returns 
config ...)
+       TODO: check
+CVE-2025-3506 (Files to be deployed with agents are accessible without 
authentication ...)
+       TODO: check
+CVE-2025-3468 (The NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms 
and mu ...)
+       TODO: check
+CVE-2025-30102 (Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.1.0, 
contains an  ...)
+       TODO: check
+CVE-2025-30101 (Dell PowerScale OneFS, versions 9.8.0.0 through 9.10.1.0, 
contain a ti ...)
+       TODO: check
+CVE-2025-2806 (The tagDiv Composer plugin for WordPress, used by the Newspaper 
theme, ...)
+       TODO: check
+CVE-2025-28073 (phpList 3.6.3 is vulnerable to Reflected Cross-Site Scripting 
(XSS) vi ...)
+       TODO: check
+CVE-2025-27695 (Dell Wyse Management Suite, versions prior to WMS 5.1 contain 
an Authe ...)
+       TODO: check
+CVE-2025-1948 (In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 
client ...)
+       TODO: check
+CVE-2025-1254 (Out-of-bounds Read, Out-of-bounds Write vulnerability in RTI 
Connext P ...)
+       TODO: check
+CVE-2025-1253 (Buffer Copy without Checking Size of Input ('Classic Buffer 
Overflow') ...)
+       TODO: check
+CVE-2025-1252 (Heap-based Buffer Overflow vulnerability in RTI Connext 
Professional ( ...)
+       TODO: check
+CVE-2025-0505 (On Arista CloudVision systems (virtual or physical on-premise 
deployme ...)
+       TODO: check
+CVE-2024-9448 (On affected platforms running Arista EOS with Traffic Policies 
configu ...)
+       TODO: check
+CVE-2024-8100 (On affected versions of the Arista CloudVision Portal (CVP 
on-prem), t ...)
+       TODO: check
+CVE-2024-6648 (Absolute Path Traversal vulnerability in AP Page Builder 
versions prio ...)
+       TODO: check
+CVE-2024-13009 (In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be 
incorrectly  ...)
+       TODO: check
+CVE-2024-12378 (On affected platforms running Arista EOS with secure Vxlan 
configured, ...)
+       TODO: check
+CVE-2024-11186 (On affected versions of the CloudVision Portal, improper 
access contro ...)
+       TODO: check
+CVE-2023-51328 (PHPJabbers Cleaning Business Software v1.0 is vulnerable to 
Multiple S ...)
+       TODO: check
+CVE-2023-51295 (PHPJabbers Event Booking Calendar v4.0 is vulnerable to 
Multiple HTML  ...)
+       TODO: check
 CVE-2025-4127 (The WP SEO Structured Data Schema plugin for WordPress is 
vulnerable t ...)
        NOT-FOR-US: WordPress plugin
 CVE-2025-4043 (An admin user can gain unauthorized write access to the 
/etc/rc.local  ...)
@@ -40,7 +146,7 @@ CVE-2025-35995 (When a BIG-IP PEM system is licensed with 
URL categorization, an
        NOT-FOR-US: F5
 CVE-2025-35939 (Craft CMS stores arbitrary content provided by unauthenticated 
users i ...)
        NOT-FOR-US: Craft CMS
-CVE-2025-46336
+CVE-2025-46336 (Rack::Session is a session management implementation for Rack. 
In vers ...)
        - ruby-rack-session <unfixed> (bug #1104928)
        NOTE: 
https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj
        NOTE: Fixed by: 
https://github.com/rack/rack-session/commit/c58ad7952cc7d0649f0ea9c78d55049739c49e5a
 (v2.1.1)
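Review bot: the ruby-rack-session entry stays at <unfixed> (bug #1104928) with only the Fixed-by commit (v2.1.1) recorded; unlike the znuny and openssh entries touched elsewhere in this commit it carries no [bookworm] line, so the stable status (<not-affected>, <no-dsa> or a fixed version) still has to be determined and added.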
@@ -575,7 +681,7 @@ CVE-2025-29746 (Cross Site Scripting vulnerability in 
Koillection v.1.6.10 allow
        NOT-FOR-US: Koillection
 CVE-2025-29602 (flatpress 1.3.1 is vulnerable to Cross Site Scripting (XSS) in 
Adminis ...)
        - flatpress <itp> (bug #466297)
-CVE-2025-29448 (A business logic vulnerability in Easy Appointments v1.5.1 
allows atta ...)
+CVE-2025-29448 (Booking logic flaw in Easy!Appointments v1.5.1 allows 
unauthenticated  ...)
        NOT-FOR-US: Easy Appointments
 CVE-2025-29154 (HTML injection vulnerability in lemeconsultoria HCM galera.app 
v.4.58. ...)
        NOT-FOR-US: lemeconsultoria HCM galera.app
@@ -1312,7 +1418,7 @@ CVE-2025-2905 (An XML External Entity (XXE) vulnerability 
exists in the gateway
        NOT-FOR-US: WSO2
 CVE-2025-29573 (Cross-Site Scripting (XSS) vulnerability exists in Mezzanine 
CMS 6.0.0 ...)
        NOT-FOR-US: Mezzanine CMS
-CVE-2025-28168 (Outsystems Multiple File Upload < 3.1.0 is vulnerable to 
Unrestricted  ...)
+CVE-2025-28168 (The Multiple File Upload add-on component 3.1.0 for OutSystems 
is vuln ...)
        NOT-FOR-US: Outsystems Multiple File Upload
 CVE-2025-28062 (A Cross-Site Request Forgery (CSRF) vulnerability was 
discovered in ER ...)
        NOT-FOR-US: ERPNEXT
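Review bot: the replaced description for CVE-2025-28168 changes the affected-version statement from "Multiple File Upload < 3.1.0" to "component 3.1.0 ... is vuln", i.e. from versions before 3.1.0 to 3.1.0 itself; both cannot be right, so the upstream advisory should be checked before the new wording is taken as the affected range. No impact on the NOT-FOR-US classification.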
@@ -1369,12 +1475,12 @@ CVE-2025-47268 (ping in iputils through 20240905 allows 
a denial of service (app
        NOTE: https://github.com/Zephkek/ping-rtt-overflow/
        NOTE: Fixed by: 
https://github.com/iputils/iputils/commit/070cfacd7348386173231fb16fad4983d4e6ae40
        NOTE: Negligible security impact
-CVE-2025-43926 [ZSA-2025-07]
+CVE-2025-43926 (An issue was discovered in Znuny through 6.5.14 and 7.x 
through 7.1.6. ...)
        [experimental] - znuny 6.5.15-1
        - znuny 6.5.15-2 (bug #1104739)
        [bookworm] - znuny <no-dsa> (Non-free not supported)
        NOTE: https://www.znuny.org/en/advisories/zsa-2025-07
-CVE-2025-26847 [ZSA-2025-06]
+CVE-2025-26847 (An issue was discovered in Znuny before 7.1.5. When generating 
a suppo ...)
        [experimental] - znuny 6.5.15-1
        - znuny 6.5.15-2 (bug #1104739)
        [bookworm] - znuny <no-dsa> (Non-free not supported)
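Review bot: the new description for CVE-2025-43926 gives the affected range as "through 6.5.14 and 7.x through 7.1.6", which is consistent with the 6.5.15-1 / 6.5.15-2 fixed versions recorded; the description for CVE-2025-26847 only names "before 7.1.5", so the 6.5.x fix for that one should be confirmed against ZSA-2025-06 rather than inferred from the shared bug #1104739.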
@@ -3806,7 +3912,7 @@ CVE-2025-2817 (Thunderbird's update mechanism allowed a 
medium-integrity user pr
        NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2025-29/#CVE-2025-2817
        NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2025-32/#CVE-2025-2817
 CVE-2025-30087 [Cross Site Scripting via injection of malicious parameters in 
a search URL]
-       {DSA-5911-1 DSA-5909-1}
+       {DSA-5911-1 DSA-5909-1 DLA-4157-1}
        - request-tracker5 5.0.7+dfsg-3 (bug #1104422)
        - request-tracker4 <unfixed> (bug #1104424)
        NOTE: Fixed by: 
https://github.com/bestpractical/rt/commit/ac9af1b7fe8dc6af9b6b4627b92fd316d563e0ab
 (rt-4.4.8)
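Review bot: DLA-4157-1 is now recorded for CVE-2025-30087, yet request-tracker4 in unstable is still <unfixed> (bug #1104424) even though the Fixed-by note names rt-4.4.8; with the LTS suite fixed ahead of sid, the unstable line is the open item here. The same applies to CVE-2025-2545 in the next hunk, which gets the same DLA and has the same <unfixed> request-tracker4 line.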
@@ -3815,7 +3921,7 @@ CVE-2025-30087 [Cross Site Scripting via injection of 
malicious parameters in a
        NOTE: Fixed by: 
https://github.com/bestpractical/rt/commit/367359e56a599b72c8e38e177eaba9d32e9a5471
 (rt-5.0.8)
        NOTE: Fixed by: 
https://github.com/bestpractical/rt/commit/e24ca3b0a63ce9c2b5d4e01cc419af5056deb346
 (rt-5.0.8)
 CVE-2025-2545 (Vulnerability in Best Practical Solutions, LLC's Request 
Tracker v5.0. ...)
-       {DSA-5911-1 DSA-5909-1}
+       {DSA-5911-1 DSA-5909-1 DLA-4157-1}
        - request-tracker5 5.0.7+dfsg-3 (bug #1104422)
        - request-tracker4 <unfixed> (bug #1104424)
        NOTE: Fixed by: 
https://github.com/bestpractical/rt/commit/a5042a30aaa0fcf4255d0a06ee2659d302742fc3
 (rt-4.4.8)
@@ -6499,7 +6605,7 @@ CVE-2025-24907 (Overview         The product uses 
external input to construct a
        NOT-FOR-US: Hitachi Vantara Pentaho Data Integration & Analytics
 CVE-2025-1704 (ComponentInstaller Modification in ComponentInstaller in Google 
Chrome ...)
        NOT-FOR-US: ChromeOS
-CVE-2025-1568 (or other security impacts via manipulating IPSET_ATTR_CIDR 
Netlink att ...)
+CVE-2025-1568 (Access Control Vulnerability in Gerrit chromiumos project 
configuratio ...)
        NOT-FOR-US: ChromeOS
 CVE-2025-1566 (DNS Leak in Native System VPN in Google ChromeOS Dev Channel on 
Chrome ...)
        NOT-FOR-US: ChromeOS
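Review bot: the previous description for CVE-2025-1568 began mid-sentence ("or other security impacts via manipulating IPSET_ATTR_CIDR Netlink att ...") and read like the tail of an ipset/Netlink issue, a different component from the "Gerrit chromiumos project configuration" access-control issue the new text describes; the NOT-FOR-US: ChromeOS line matches the new description, but when a CNA description swaps subject entirely like this the classification is worth a second look rather than being carried over unchanged.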
@@ -8936,6 +9042,7 @@ CVE-2025-3102 (The SureTriggers: All-in-One Automation 
Platform plugin for WordP
 CVE-2025-3023
        REJECTED
 CVE-2025-32728 (In sshd in OpenSSH before 10.0, the DisableForwarding 
directive does n ...)
+       {DLA-4156-1}
        - openssh 1:10.0p1-1 (bug #1102603)
        [bookworm] - openssh <no-dsa> (Minor issue)
        NOTE: 
https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041879.html
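Review bot: CVE-2025-32728 now has {DLA-4156-1} while bookworm remains "<no-dsa> (Minor issue)"; an issue fixed by a DLA in the older suite but left unfixed as minor in the newer one is an inconsistent assessment, so either the bookworm line should note that the fix is intended for a point release, or the two severity calls should be reconciled.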
@@ -28484,7 +28591,7 @@ CVE-2025-21702 (In the Linux kernel, the following 
vulnerability has been resolv
        {DSA-5900-1}
        - linux 6.12.15-1
        NOTE: 
https://git.kernel.org/linus/647cef20e649c576dff271e018d5d15d998b629d (6.14-rc2)
-CVE-2025-26842 [znuny: Information disclosure of S/MIME encrypted emails]
+CVE-2025-26842 (An issue was discovered in Znuny through 7.1.3. If access to a 
ticket  ...)
        - znuny 6.5.13-1
        [bookworm] - znuny <no-dsa> (Non-free not supported)
        NOTE: https://www.znuny.org/en/advisories/zsa-2025-01
@@ -28492,7 +28599,7 @@ CVE-2025-26846 [znuny: Wrong permissions check in the 
generic interface]
        - znuny 6.5.13-1
        [bookworm] - znuny <no-dsa> (Non-free not supported)
        NOTE: https://www.znuny.org/en/advisories/zsa-2025-02
-CVE-2025-26845 [znuny: privilege escalation in backup script]
+CVE-2025-26845 (An Eval Injection issue was discovered in Znuny through 7.1.3. 
A user  ...)
        - znuny 6.5.13-1
        [bookworm] - znuny <no-dsa> (Non-free not supported)
        NOTE: https://www.znuny.org/en/advisories/zsa-2025-03
@@ -28500,7 +28607,7 @@ CVE-2025-XXXX [znuny: Missing HTTP headers for 
attachments]
        - znuny 6.5.13-1
        [bookworm] - znuny <no-dsa> (Non-free not supported)
        NOTE: https://www.znuny.org/en/advisories/zsa-2025-04
-CVE-2025-26844 [znuny: HTTP Cookie not set correctly]
+CVE-2025-26844 (An issue was discovered in Znuny through 7.1.3. A cookie is 
set withou ...)
        - znuny 6.5.13-1
        [bookworm] - znuny <no-dsa> (Non-free not supported)
        NOTE: https://www.znuny.org/en/advisories/zsa-2025-05
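Review bot: the context line "CVE-2025-XXXX [znuny: Missing HTTP headers for attachments]" for ZSA-2025-04 still carries a placeholder ID while the neighbouring ZSA-2025-01, -02, -03 and -05 entries have now received their CVE descriptions; check whether an ID has been assigned for ZSA-2025-04, since a placeholder entry cannot be matched by the automatic update and will otherwise stay stale.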
@@ -70262,7 +70369,7 @@ CVE-2024-30134 (The HCL Traveler for Microsoft Outlook 
executable (HTMO.exe) is
        NOT-FOR-US: HCL
 CVE-2023-46175 (IBM Cloud Pak for Multicloud Management 2.3 through 2.3 FP8 
stores use ...)
        NOT-FOR-US: IBM
-CVE-2024-47177 (CUPS is a standards-based, open-source printing system, and 
cups-filte ...)
+CVE-2024-47177 (** DISPUTED ** CUPS is a standards-based, open-source printing 
system, ...)
        - cups-filters <unfixed> (bug #1082822)
        [trixie] - cups-filters <ignored> (Mitigated with fixes around 
CVE-2024-47076, CVE-2024-47175 and CVE-2024-47176)
        [bookworm] - cups-filters <ignored> (Mitigated with fixes around 
CVE-2024-47076, CVE-2024-47175 and CVE-2024-47176)
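Review bot: the description now carries the "** DISPUTED **" marker, but cups-filters stays <unfixed> in unstable with bug #1082822 open while trixie and bookworm are <ignored>; if the dispute is accepted, the unstable line should be brought in line (e.g. <ignored> or <not-affected> with the same mitigation note), otherwise the <ignored> entries for trixie and bookworm deserve a fresh look. The mitigation note naming CVE-2024-47076, CVE-2024-47175 and CVE-2024-47176 should stay either way.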
@@ -120385,7 +120492,7 @@ CVE-2024-3299 (Out-Of-Bounds Write, Use of 
Uninitialized Resource and Use-After-
 CVE-2024-3298 (Out-Of-Bounds Write and Type Confusion vulnerabilities exist in 
the fi ...)
        NOT-FOR-US: Solidworks
 CVE-2024-3262 (Information exposure vulnerability in RT software affecting 
version 4. ...)
-       {DSA-5911-1 DSA-5909-1}
+       {DSA-5911-1 DSA-5909-1 DLA-4157-1}
        - request-tracker4 4.4.7+dfsg-2 (bug #1068452)
        [buster] - request-tracker4 <no-dsa> (Minor issue)
        - request-tracker5 5.0.7+dfsg-1 (bug #1068453)
@@ -396765,11 +396872,11 @@ CVE-2020-17388 (This vulnerability allows remote 
attackers to execute arbitrary
        NOT-FOR-US: Marvell QConvergeConsole
 CVE-2020-17387 (This vulnerability allows remote attackers to execute 
arbitrary code o ...)
        NOT-FOR-US: Marvell QConvergeConsole
-CVE-2020-17386 (Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL 
inputte ...)
+CVE-2020-17386 (Cellopoint CelloOS v4.1.10 Build 20190922 does not validate 
URL inputt ...)
        NOT-FOR-US: Cellopoint Cellos
-CVE-2020-17385 (Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL 
inputte ...)
+CVE-2020-17385 (Cellopoint CelloOS v4.1.10 Build 20190922 does not validate 
URL inputt ...)
        NOT-FOR-US: Cellopoint Cellos
-CVE-2020-17384 (Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL 
inputte ...)
+CVE-2020-17384 (Cellopoint CelloOS v4.1.10 Build 20190922 does not validate 
URL inputt ...)
        NOT-FOR-US: Cellopoint Cellos
 CVE-2020-17383 (A directory traversal vulnerability on Telos Z/IP One devices 
through  ...)
        NOT-FOR-US: Telos Z/IP ONE Broadcast
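Review bot: the three descriptions were corrected from "Cellopoint Cellos" to "Cellopoint CelloOS", but the NOT-FOR-US line beneath each still reads "Cellopoint Cellos"; update them to the corrected product name so the classification matches the description and later grep-based checks find both spellings consistently.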



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa3a0c5da3377f54c168b8e65ec4ef5ec408828e



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
