Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
b652cab6 by security tracker role at 2025-12-19T20:13:36+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,119 @@
+CVE-2025-68478 (Langflow is a tool for building and deploying AI-powered
agents and wo ...)
+ TODO: check
+CVE-2025-68477 (Langflow is a tool for building and deploying AI-powered
agents and wo ...)
+ TODO: check
+CVE-2025-68457 (Orejime is a consent manager that focuses on accessibility. On
HTML el ...)
+ TODO: check
+CVE-2025-68430 (CVAT is an open source interactive video and image annotation
tool for ...)
+ TODO: check
+CVE-2025-67442 (EVE-NG 6.4.0-13-PRO is vulnerable to Directory Traversal. The
/api/exp ...)
+ TODO: check
+CVE-2025-67048
+ REJECTED
+CVE-2025-67047
+ REJECTED
+CVE-2025-67046
+ REJECTED
+CVE-2025-67045
+ REJECTED
+CVE-2025-67044
+ REJECTED
+CVE-2025-67043
+ REJECTED
+CVE-2025-66911 (Turms IM Server v0.10.0-SNAPSHOT and earlier contains a broken
access ...)
+ TODO: check
+CVE-2025-66910 (Turms Server v0.10.0-SNAPSHOT and earlier contains a plaintext
passwor ...)
+ TODO: check
+CVE-2025-66909 (Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains
an image ...)
+ TODO: check
+CVE-2025-66908 (Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains
an impro ...)
+ TODO: check
+CVE-2025-66906 (Cross Site Request Forgery (CSRF) vulnerability in Turms Admin
API thr ...)
+ TODO: check
+CVE-2025-66905 (The Takes web framework's TkFiles take thru 2.0-SNAPSHOT fails
to cano ...)
+ TODO: check
+CVE-2025-66580 (Dive is an open-source MCP Host Desktop Application that
enables integ ...)
+ TODO: check
+CVE-2025-66524 (Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject
Processor, ...)
+ TODO: check
+CVE-2025-65035 (pluginsGLPI's Database Inventory Plugin "manages" the Teclib'
inventor ...)
+ TODO: check
+CVE-2025-63665 (An issue in GT Edge AI Platform Versions before v2.0.10-dev
allows att ...)
+ TODO: check
+CVE-2025-58053 (Galette is a membership management web application for non
profit orga ...)
+ TODO: check
+CVE-2025-58052 (Galette is a membership management web application for non
profit orga ...)
+ TODO: check
+CVE-2025-53922 (Galette is a membership management web application for non
profit orga ...)
+ TODO: check
+CVE-2025-50681 (igmpproxy 0.4 before commit 2b30c36 allows remote attackers to
cause a ...)
+ TODO: check
+CVE-2025-34433 (AVideo versions 14.3.1 prior to 20.1 contain an
unauthenticated remote ...)
+ TODO: check
+CVE-2025-1928 (Improper Restriction of Excessive Authentication Attempts
vulnerabilit ...)
+ TODO: check
+CVE-2025-1927 (Cross-Site Request Forgery (CSRF) vulnerability in Restajet
Informatio ...)
+ TODO: check
+CVE-2025-1885 (URL Redirection to Untrusted Site ('Open Redirect')
vulnerability in R ...)
+ TODO: check
+CVE-2025-14967 (A vulnerability was identified in itsourcecode Student
Management Syst ...)
+ TODO: check
+CVE-2025-14966 (A vulnerability was determined in FastAdmin up to
1.7.0.20250506. Affe ...)
+ TODO: check
+CVE-2025-14965 (A vulnerability was found in 1541492390c yougou-mall up to
0a771fa817c ...)
+ TODO: check
+CVE-2025-14964 (A vulnerability has been found in TOTOLINK T10
4.1.8cu.5083_B20200521. ...)
+ TODO: check
+CVE-2025-14962 (A flaw has been found in code-projects Simple Stock System
1.0. The im ...)
+ TODO: check
+CVE-2025-14961 (A vulnerability was detected in code-projects Simple Blood
Donor Manag ...)
+ TODO: check
+CVE-2025-14960 (A security vulnerability has been detected in code-projects
Simple Blo ...)
+ TODO: check
+CVE-2025-14959 (A weakness has been identified in code-projects Simple Stock
System 1. ...)
+ TODO: check
+CVE-2025-14958 (A security flaw has been discovered in floooh sokol up to
33e2271c431b ...)
+ TODO: check
+CVE-2025-14957 (A vulnerability was identified in WebAssembly Binaryen up to
125. This ...)
+ TODO: check
+CVE-2025-14956 (A vulnerability was determined in WebAssembly Binaryen up to
125. Affe ...)
+ TODO: check
+CVE-2025-14955 (A vulnerability was found in Open5GS up to 2.7.5. Affected by
this vul ...)
+ TODO: check
+CVE-2025-14954 (A vulnerability has been found in Open5GS up to 2.7.5.
Affected is the ...)
+ TODO: check
+CVE-2025-14953 (A flaw has been found in Open5GS up to 2.7.5. This impacts the
functio ...)
+ TODO: check
+CVE-2025-14952 (A vulnerability was detected in Campcodes Supplier Management
System 1 ...)
+ TODO: check
+CVE-2025-14951 (A security vulnerability has been detected in code-projects
Scholars T ...)
+ TODO: check
+CVE-2025-14950 (A weakness has been identified in code-projects Scholars
Tracking Syst ...)
+ TODO: check
+CVE-2025-14946 (A flaw was found in libnbd. A malicious actor could exploit
this by co ...)
+ TODO: check
+CVE-2025-14882 (An API endpoint allowed access to sensitive files from other
users by ...)
+ TODO: check
+CVE-2025-14881 (Multiple API endpoints allowed access to sensitive files from
other us ...)
+ TODO: check
+CVE-2025-14847 (Mismatched length fields in Zlib compressed protocol headers
may allow ...)
+ TODO: check
+CVE-2025-14812 (ArcSearch for iOS versions prior to 1.45.2 could display a
different d ...)
+ TODO: check
+CVE-2025-14809 (ArcSearch for Android versions prior to 1.12.6 could display a
differe ...)
+ TODO: check
+CVE-2025-14455 (The Image Photo Gallery Final Tiles Grid plugin for WordPress
is vulne ...)
+ TODO: check
+CVE-2025-14151 (The SlimStat Analytics plugin for WordPress is vulnerable to
Stored Cr ...)
+ TODO: check
+CVE-2025-12874 (Inconsistent Interpretation of HTTP Requests ('HTTP
Request/Response S ...)
+ TODO: check
+CVE-2025-12361 (The myCred \u2013 Points Management System For Gamification,
Ranks, Ba ...)
+ TODO: check
+CVE-2025-11747 (The Colibri Page Builder plugin for WordPress is vulnerable to
Stored ...)
+ TODO: check
+CVE-2024-49587 (Glutton V1 service endpoints were exposed without any
authentication o ...)
+ TODO: check
CVE-2025-14840
NOT-FOR-US: Drupal addon
CVE-2025-68491
@@ -1196,23 +1312,23 @@ CVE-2025-44005 (An attacker can bypass authorization
checks and force a Step CA
NOT-FOR-US: smallstep Step-CA
CVE-2025-43873 (Successful exploitation of these vulnerabilities could allow
an attack ...)
NOT-FOR-US: Johnson Controls
-CVE-2025-34442 (AVideo versions prior to 20.0 disclose absolute filesystem
paths via m ...)
+CVE-2025-34442 (AVideo versions prior to 20.1 disclose absolute filesystem
paths via m ...)
NOT-FOR-US: WWBN AVideo
-CVE-2025-34441 (AVideo versions prior to 20.0 expose sensitive user
information throug ...)
+CVE-2025-34441 (AVideo versions prior to 20.1 expose sensitive user
information throug ...)
NOT-FOR-US: WWBN AVideo
-CVE-2025-34440 (AVideo versions prior to 20.0 contain an open redirect
vulnerability c ...)
+CVE-2025-34440 (AVideo versions prior to 20.1 contain an open redirect
vulnerability c ...)
NOT-FOR-US: WWBN AVideo
-CVE-2025-34439 (AVideo versions prior to 20.0 arevulnerable to an open
redirect flaw d ...)
+CVE-2025-34439 (AVideo versions prior to 20.1 arevulnerable to an open
redirect flaw d ...)
NOT-FOR-US: WWBN AVideo
-CVE-2025-34438 (AVideo versions prior to 20.0 contain an insecure direct
object refere ...)
+CVE-2025-34438 (AVideo versions prior to 20.1 contain an insecure direct
object refere ...)
NOT-FOR-US: WWBN AVideo
-CVE-2025-34437 (AVideo versions prior to 20.0 permit any authenticated user to
upload ...)
+CVE-2025-34437 (AVideo versions prior to 20.1 permit any authenticated user to
upload ...)
NOT-FOR-US: WWBN AVideo
-CVE-2025-34436 (AVideo versions prior to 20.0 allow any authenticated user to
upload f ...)
+CVE-2025-34436 (AVideo versions prior to 20.1 allow any authenticated user to
upload f ...)
NOT-FOR-US: WWBN AVideo
-CVE-2025-34435 (AVideo versions prior to 20.0 arevulnerable to an insecure
direct obje ...)
+CVE-2025-34435 (AVideo versions prior to 20.1 arevulnerable to an insecure
direct obje ...)
NOT-FOR-US: WWBN AVideo
-CVE-2025-34434 (AVideo versions prior to 20.0 with the ImageGallery plugin
enabled is ...)
+CVE-2025-34434 (AVideo versions prior to 20.1 with the ImageGallery plugin
enabled is ...)
NOT-FOR-US: WWBN AVideo
CVE-2025-26381 (Successful exploitation of this vulnerability could allow an
attacker ...)
NOT-FOR-US: Johnson Controls
@@ -2581,6 +2697,7 @@ CVE-2023-38913 (SQL injection vulnerability in
anirbandutta9 NEWS-BUZZ v.1.0 all
CVE-2023-36338 (Inventory Management System 1 was discovered to contain a SQL
injectio ...)
NOT-FOR-US: Inventory Management System
CVE-2025-14282 [privilege escalation via unix stream socket forwarding]
+ {DSA-6086-1}
- dropbear 2025.89-1 (bug #1123069)
[bookworm] - dropbear <not-affected> (Vulnerable code introduced later)
[bullseye] - dropbear <not-affected> (Vulnerable code introduced later)
@@ -4046,6 +4163,7 @@ CVE-2025-67897 (In Sequoia before 2.1.0, aes_key_unwrap
panics if passed a ciphe
[bullseye] - rust-sequoia-openpgp <ignored> (Minor issue)
NOTE: Fixed by:
https://gitlab.com/sequoia-pgp/sequoia/-/commit/b59886e5e7bdf7169ed330f309a6633d131776e5
(openpgp/v2.1.0)
CVE-2025-67484
+ {DSA-6085-1}
- mediawiki 1:1.43.6+dfsg-1
NOTE:
https://lists.wikimedia.org/hyperkitty/list/[email protected]/thread/FOY6VXTBCCHIGYGSTQBPN3UFCL6CAX6Y/
NOTE: https://phabricator.wikimedia.org/T401987
@@ -4062,6 +4180,7 @@ CVE-2025-67483
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1217337 (master)
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1217299
(REL1_43)
CVE-2025-67482
+ {DSA-6085-1}
- mediawiki 1:1.43.6+dfsg-1
NOTE:
https://lists.wikimedia.org/hyperkitty/list/[email protected]/thread/FOY6VXTBCCHIGYGSTQBPN3UFCL6CAX6Y/
NOTE: http://phabricator.wikimedia.org/T408135
@@ -4069,6 +4188,7 @@ CVE-2025-67482
NOTE:
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Scribunto/+/1217293
(REL1_43)
NOTE:
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Scribunto/+/1217289
(REL1_39)
CVE-2025-67481
+ {DSA-6085-1}
- mediawiki 1:1.43.6+dfsg-1
NOTE:
https://lists.wikimedia.org/hyperkitty/list/[email protected]/thread/FOY6VXTBCCHIGYGSTQBPN3UFCL6CAX6Y/
NOTE: https://phabricator.wikimedia.org/T251032
@@ -4076,6 +4196,7 @@ CVE-2025-67481
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1217300
(REL1_43)
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1217287
(REL1_39)
CVE-2025-67480
+ {DSA-6085-1}
- mediawiki 1:1.43.6+dfsg-1
NOTE:
https://lists.wikimedia.org/hyperkitty/list/[email protected]/thread/FOY6VXTBCCHIGYGSTQBPN3UFCL6CAX6Y/
NOTE: https://phabricator.wikimedia.org/T401053
@@ -4083,6 +4204,7 @@ CVE-2025-67480
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1217298
(REL1_43)
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1217286
(REL1_39)
CVE-2025-67479
+ {DSA-6085-1}
- mediawiki 1:1.43.6+dfsg-1
NOTE:
https://lists.wikimedia.org/hyperkitty/list/[email protected]/thread/FOY6VXTBCCHIGYGSTQBPN3UFCL6CAX6Y/
NOTE: https://phabricator.wikimedia.org/T407131
@@ -4090,6 +4212,7 @@ CVE-2025-67479
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1217297
(REL1_43)
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1217285
(REL1_39)
CVE-2025-67478
+ {DSA-6085-1}
- mediawiki 1:1.43.6+dfsg-1
NOTE:
https://lists.wikimedia.org/hyperkitty/list/[email protected]/thread/FOY6VXTBCCHIGYGSTQBPN3UFCL6CAX6Y/
NOTE: https://phabricator.wikimedia.org/T385403
@@ -4110,6 +4233,7 @@ CVE-2025-67476
NOTE: https://phabricator.wikimedia.org/T405859
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1217333 (master)
CVE-2025-67475
+ {DSA-6085-1}
- mediawiki 1:1.43.6+dfsg-1
NOTE:
https://lists.wikimedia.org/hyperkitty/list/[email protected]/thread/FOY6VXTBCCHIGYGSTQBPN3UFCL6CAX6Y/
NOTE: https://phabricator.wikimedia.org/T406664
@@ -14670,8 +14794,8 @@ CVE-2025-64682 (In JetBrains Hub before 2025.3.104432 a
race condition allowed b
NOT-FOR-US: JetBrains
CVE-2025-64681 (In JetBrains Hub before 2025.3.104992 a race condition allowed
bypass ...)
NOT-FOR-US: JetBrains
-CVE-2025-64457
- REJECTED
+CVE-2025-64457 (In JetBrains ReSharper, Rider and dotTrace before 2025.2.5
local privi ...)
+ TODO: check
CVE-2025-64456 (In JetBrains ReSharper before 2025.2.4 missing signature
verification ...)
NOT-FOR-US: JetBrains
CVE-2025-63835 (A stack-based buffer overflow vulnerability was discovered in
Tenda AC ...)
@@ -17268,7 +17392,7 @@ CVE-2025-40106 (In the Linux kernel, the following
vulnerability has been resolv
[trixie] - linux 6.12.57-1
NOTE:
https://git.kernel.org/linus/87b318ba81dda2ee7b603f4f6c55e78ec3e95974 (6.18-rc3)
CVE-2025-11261
- {DLA-4355-1}
+ {DSA-6085-1 DLA-4355-1}
- mediawiki 1:1.43.5+dfsg-1
NOTE: https://phabricator.wikimedia.org/T406322
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1193414
@@ -18076,7 +18200,8 @@ CVE-2025-34302 (IPFire versions prior to 2.29 (Core
Update 198) contain a stored
NOT-FOR-US: IPFire
CVE-2025-34301 (IPFire versions prior to 2.29 (Core Update 198) contain a
stored cross ...)
NOT-FOR-US: IPFire
-CVE-2025-34294 (Wazuh's File Integrity Monitoring (FIM), when configured with
automati ...)
+CVE-2025-34294
+ REJECTED
NOT-FOR-US: Wazuh
CVE-2025-27093 (Sliver is a command and control framework that uses a custom
Wireguard ...)
NOT-FOR-US: Sliver
@@ -27226,12 +27351,12 @@ CVE-2025-61962 (In fetchmail before 6.5.6, the SMTP
client can crash when authen
NOTE: Fixed by:
https://gitlab.com/fetchmail/fetchmail/-/commit/4c3cebfa4e659fb778ca2cae0ccb3f69201609a8
(6.5.6)
NOTE: Followup:
https://gitlab.com/fetchmail/fetchmail/-/commit/3c9e49d70e5d958f10b94fc58b3c5046f87cff7a
(6.5.7)
CVE-2025-61656 [Sanitize attributes unwrapped from data-ve-attributes]
- {DLA-4355-1}
+ {DSA-6085-1 DLA-4355-1}
- mediawiki 1:1.43.5+dfsg-1
NOTE: https://phabricator.wikimedia.org/T397232
NOTE:
https://gerrit.wikimedia.org/r/c/VisualEditor/VisualEditor/+/1193247
CVE-2025-61655 [Properly escape and parse system messages]
- {DLA-4355-1}
+ {DSA-6085-1 DLA-4355-1}
- mediawiki 1:1.43.5+dfsg-1
NOTE: https://phabricator.wikimedia.org/T395858
NOTE:
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/VisualEditor/+/1193248
@@ -27302,12 +27427,12 @@ CVE-2025-10895
CVE-2025-10653 (An unauthenticated debug port may allow access to the device
file syst ...)
NOT-FOR-US: Raise3D
CVE-2025-61653 [Add authorizeRead check for extracts endpoint]
- {DLA-4355-1}
+ {DSA-6085-1 DLA-4355-1}
- mediawiki 1:1.43.5+dfsg-1
NOTE: http://phabricator.wikimedia.org/T397577
NOTE:
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/TextExtracts/+/1193249
CVE-2025-11173
- {DLA-4355-1}
+ {DSA-6085-1 DLA-4355-1}
- mediawiki 1:1.43.5+dfsg-1
NOTE: https://phabricator.wikimedia.org/T401862
NOTE: https://phabricator.wikimedia.org/T402094
@@ -27327,7 +27452,7 @@ CVE-2025-61652 [In API check user read permissions
before showing PageInfo]
[bullseye] - mediawiki <not-affected> (Vulnerable code not present)
NOTE: https://phabricator.wikimedia.org/T397580
CVE-2025-61635 [ApiFancyCaptchaReload: Reuse badcaptcha rate limit]
- {DLA-4355-1}
+ {DSA-6085-1 DLA-4355-1}
- mediawiki 1:1.43.5+dfsg-1
NOTE: http://phabricator.wikimedia.org/T355073
NOTE:
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/1193206
@@ -27338,7 +27463,7 @@ CVE-2025-61658
CVE-2025-61651
NOT-FOR-US: MediaWiki extension CheckUser
CVE-2025-61646 [Prevent leaking hidden usernames in Watchlist/RecentChanges]
- {DLA-4355-1}
+ {DSA-6085-1 DLA-4355-1}
- mediawiki 1:1.43.5+dfsg-1
NOTE: https://phabricator.wikimedia.org/T398706
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1193226
@@ -27347,7 +27472,7 @@ CVE-2025-61645 [Fix i18n XSS in CodexTablePager]
NOTE: http://phabricator.wikimedia.org/T403761
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1193202
CVE-2025-61643 [Don't send suppressed recent changes to RCFeeds]
- {DLA-4355-1}
+ {DSA-6085-1 DLA-4355-1}
- mediawiki 1:1.43.5+dfsg-1
NOTE: https://phabricator.wikimedia.org/T403757
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1193223
@@ -27582,22 +27707,22 @@ CVE-2025-61642 [Escape submit button label for
Codex-based HTMLForms]
NOTE: https://phabricator.wikimedia.org/T402313
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1193175
CVE-2025-61641 [api: Disable maxsize in QueryAllPages in miser mode]
- {DLA-4355-1}
+ {DSA-6085-1 DLA-4355-1}
- mediawiki 1:1.43.5+dfsg-1
NOTE: https://phabricator.wikimedia.org/T298690
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1193174
CVE-2025-61640 [Parse messages instead of inserting them as HTML]
- {DLA-4355-1}
+ {DSA-6085-1 DLA-4355-1}
- mediawiki 1:1.43.5+dfsg-1
NOTE: https://phabricator.wikimedia.org/T402075
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1193173
CVE-2025-61639 [Use ManualLogEntry::getDeleted in ::getRecentChange]
- {DLA-4355-1}
+ {DSA-6085-1 DLA-4355-1}
- mediawiki 1:1.43.5+dfsg-1
NOTE: https://phabricator.wikimedia.org/T280413
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1193178
CVE-2025-61638 [Sanitize data- attributes]
- {DLA-4355-1}
+ {DSA-6085-1 DLA-4355-1}
- mediawiki 1:1.43.5+dfsg-1
NOTE: https://phabricator.wikimedia.org/T401099
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1193172
@@ -182878,7 +183003,7 @@ CVE-2023-45586 (An insufficient verification of data
authenticity vulnerability
NOT-FOR-US: FortiGuard
CVE-2023-45583 (A use of externally-controlled format string in Fortinet
FortiProxy ve ...)
NOT-FOR-US: FortiGuard
-CVE-2023-44247 (A double free vulnerability [CWE-415] in Fortinet FortiOS
before 7.0.0 ...)
+CVE-2023-44247 (A double free vulnerability [CWE-415] vulnerability in
Fortinet FortiO ...)
NOT-FOR-US: FortiGuard
CVE-2023-40720 (An authorization bypass through user-controlled key
vulnerability [CWE ...)
NOT-FOR-US: FortiGuard
@@ -256124,8 +256249,8 @@ CVE-2023-30973
RESERVED
CVE-2023-30972
RESERVED
-CVE-2023-30971
- RESERVED
+CVE-2023-30971 (Gotham Gaia application was found to be exposing multiple
unauthentica ...)
+ TODO: check
CVE-2023-30970 (Gotham Table service and Forward App were found to be
vulnerable to a ...)
NOT-FOR-US: Gotham Table service and Forward App
CVE-2023-30969 (The Palantir Tiles1 service was found to be vulnerable to an
API wide ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b652cab64da9b207bfec02bae65525ded767b432
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b652cab64da9b207bfec02bae65525ded767b432
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
