[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Wed Nov 28 08:10:25 GMT 2018


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
04fb4b7f by security tracker role at 2018-11-28T08:10:16Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2956,16 +2956,19 @@ CVE-2018-19486 (Git before 2.19.2 on Linux and UNIX executes commands from the c
 	NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=321fd82389742398d2924640ce3a61791fd27d60
 	NOTE: Introduced by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=e3a434468fecca7c14a6bef32050dfa60534fde6
 CVE-2018-19477 (psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote ...)
+	{DSA-4346-1}
 	- ghostscript 9.26~dfsg-1
 	NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ef252e7dc214bcbd9a2539216aab9202848602bb (ghostscript-9.26)
 	NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=606a22e77e7f081781e99e44644cd0119f559e03 (master)
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700168
 CVE-2018-19476 (psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers ...)
+	{DSA-4346-1}
 	- ghostscript 9.26~dfsg-1
 	NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=67d760ab775dae4efe803b5944b0439aa3c0b04a (ghostscript-9.26)
 	NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=434753adbe8be5534bfb9b7d91746023e8073d16 (master)
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700169
 CVE-2018-19475 (psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote ...)
+	{DSA-4346-1}
 	- ghostscript 9.26~dfsg-1
 	NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3005fcb9bb160af199e761e03bc70a9f249a987e (ghostscript-9.26)
 	NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=aeea342904978c9fe17d85f4906a0f6fcce2d315 (master)
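Review bot: the {DSA-4346-1} marker is added to CVE-2018-19477, CVE-2018-19476 and CVE-2018-19475 here and to CVE-2018-19409 in the next hunk; confirm the advisory text actually lists all four IDs so the stable tracking matches what was announced. Minor style point: the upstream commit NOTE links in this hunk use http://git.ghostscript.com while the CVE-2018-19409 entry uses https://; the https form is the better reference link.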
@@ -3087,6 +3090,7 @@ CVE-2018-19411 (PRTG Network Monitor before 18.2.40.1683 allows an authenticated
 CVE-2018-19410 (PRTG Network Monitor before 18.2.40.1683 allows remote unauthenticated ...)
 	NOT-FOR-US: PRTG Network Monitor
 CVE-2018-19409 (An issue was discovered in Artifex Ghostscript before 9.26. ...)
+	{DSA-4346-1}
 	- ghostscript 9.26~dfsg-1
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700176
 	NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=661e8d8fb8248c38d67958beda32f3a5876d0c3f
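Review bot: the single commit NOTE for CVE-2018-19409 lacks the "(ghostscript-9.26)" / "(master)" branch annotation used on the neighbouring Ghostscript entries; adding it makes clear whether the linked commit is the release fix or the master commit, which matters when the 9.26~dfsg-1 fix is later checked against the upstream tarball.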
@@ -4428,8 +4432,8 @@ CVE-2018-18984
 	RESERVED
 CVE-2018-18983
 	RESERVED
-CVE-2018-18982
-	RESERVED
+CVE-2018-18982 (NUUO CMS All versions 3.3 and prior the web server application allows ...)
+	TODO: check
 CVE-2018-18981
 	RESERVED
 CVE-2014-10077 (Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 ...)
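Review bot: CVE-2018-18982 is one of three NUUO CMS 3.3 entries in this update (CVE-2018-17936 and CVE-2018-17934 follow below) that all get "TODO: check"; triage them together. NUUO CMS is a vendor video-surveillance product with no Debian package, so the expected resolution is NOT-FOR-US: NUUO CMS, consistent with how the neighbouring vendor-only entries (PRTG, Telecrane, VGo) are already marked.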
@@ -7134,12 +7138,12 @@ CVE-2018-17938 (Zimbra Collaboration before 8.8.10 GA allows text content spoofi
 	NOT-FOR-US: Zimbra
 CVE-2018-17937
 	RESERVED
-CVE-2018-17936
-	RESERVED
+CVE-2018-17936 (NUUO CMS All versions 3.3 and prior the application allows the upload ...)
+	TODO: check
 CVE-2018-17935 (All versions of Telecrane F25 Series Radio Controls before 00.0A use ...)
 	NOT-FOR-US: Telecrane
-CVE-2018-17934
-	RESERVED
+CVE-2018-17934 (NUUO CMS All versions 3.3 and prior the application allows external ...)
+	TODO: check
 CVE-2018-17933 (VGo Robot (Versions 3.0.3.52164 and 3.0.3.53662. Prior versions may ...)
 	NOT-FOR-US: VGo Robot
 CVE-2018-17932
@@ -8685,8 +8689,8 @@ CVE-2018-17258
 	RESERVED
 CVE-2018-17257
 	RESERVED
-CVE-2018-17256
-	RESERVED
+CVE-2018-17256 (Persistent cross-site scripting (XSS) vulnerability in Umbraco CMS ...)
+	TODO: check
 CVE-2018-17255 (Navigate CMS 2.8 has Reflected XSS via the navigate.php fid parameter. ...)
 	NOT-FOR-US: Navigate CMS
 CVE-2018-17254 (The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the ...)
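Review bot: Umbraco CMS is an ASP.NET application that is not packaged in Debian, so the TODO on CVE-2018-17256 should resolve to NOT-FOR-US: Umbraco, matching the NOT-FOR-US marker on Navigate CMS directly below it.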
@@ -11540,8 +11544,8 @@ CVE-2018-16132 (The image rendering component (createGenericPreview) of the Open
 	NOT-FOR-US: Signal app (specific on iOS)
 CVE-2018-16131 (The decodeRequest and decodeRequestWith directives in Lightbend Akka ...)
 	NOT-FOR-US: Lightbend Akka
-CVE-2018-16130
-	RESERVED
+CVE-2018-16130 (System command injection in request_mitv in Xiaomi Mi Router 3 version ...)
+	TODO: check
 CVE-2018-558213
 	REJECTED
 CVE-2018-16129
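Review bot: CVE-2018-16130 (request_mitv in Xiaomi Mi Router 3 firmware) and the two Xiaomi entries further down (CVE-2018-13023, CVE-2018-13022) are all vendor firmware issues; resolve the three as NOT-FOR-US: Xiaomi in one pass rather than leaving separate TODOs. Visible in the context only: the REJECTED entry CVE-2018-558213 sits between CVE-2018-16130 and CVE-2018-16129, out of the descending ID order the rest of the list follows; worth a look at whether that entry belongs there.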
@@ -14501,10 +14505,10 @@ CVE-2018-14895
 	RESERVED
 CVE-2018-14894
 	RESERVED
-CVE-2018-14893
-	RESERVED
-CVE-2018-14892
-	RESERVED
+CVE-2018-14893 (A system command injection vulnerability in zyshclient in ZyXEL NSA325 ...)
+	TODO: check
+CVE-2018-14892 (Missing protections against Cross-Site Request Forgery in the web ...)
+	TODO: check
 CVE-2018-14891 (Management Console in Vectra Networks Cognito Brain and Sensor before ...)
 	NOT-FOR-US: Vectra Networks Cognito Brain and Sensor
 CVE-2018-14890 (Vectra Networks Cognito Brain and Sensor before 4.2 contains a ...)
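Review bot: the truncated description for CVE-2018-14892 ("Missing protections against Cross-Site Request Forgery in the web ...") does not name the affected product, so this TODO cannot be resolved from the list line alone; the full MITRE description is needed before marking it. CVE-2018-14893 (zyshclient in ZyXEL NSA325) is NAS firmware and can go straight to NOT-FOR-US: ZyXEL.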
@@ -18344,8 +18348,8 @@ CVE-2018-13419 (An issue has been found in libsndfile 1.0.28. There is a memory
 	[stretch] - libsndfile <no-dsa> (Minor issue)
 	[jessie] - libsndfile <no-dsa> (Minor issue)
 	NOTE: https://github.com/erikd/libsndfile/issues/398
-CVE-2018-13418
-	RESERVED
+CVE-2018-13418 (System command injection in ajaxdata.php in TerraMaster TOS 3.1.03 ...)
+	TODO: check
 CVE-2018-13417 (In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for ...)
 	- azureus <removed>
 CVE-2018-13416 (In Universal Media Server (UMS) 7.1.0, the XML parsing engine for ...)
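Review bot: CVE-2018-13418 is the first of 24 TerraMaster TOS 3.1.03 entries in this update (the blocks CVE-2018-13361 to -13349 and CVE-2018-13338 to -13329 follow); they all concern the same NAS firmware and should be resolved in a single pass as NOT-FOR-US: TerraMaster rather than as 24 individual TODOs. Several of them name the same script (ajaxdata.php) for separate command-injection issues, which is a useful pointer when cross-checking that the IDs were not duplicated on the MITRE side.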
@@ -18467,32 +18471,32 @@ CVE-2018-13363
 	RESERVED
 CVE-2018-13362
 	RESERVED
-CVE-2018-13361
-	RESERVED
-CVE-2018-13360
-	RESERVED
-CVE-2018-13359
-	RESERVED
-CVE-2018-13358
-	RESERVED
-CVE-2018-13357
-	RESERVED
-CVE-2018-13356
-	RESERVED
-CVE-2018-13355
-	RESERVED
-CVE-2018-13354
-	RESERVED
-CVE-2018-13353
-	RESERVED
-CVE-2018-13352
-	RESERVED
-CVE-2018-13351
-	RESERVED
-CVE-2018-13350
-	RESERVED
-CVE-2018-13349
-	RESERVED
+CVE-2018-13361 (User enumeration in usertable.php in TerraMaster TOS version 3.1.03 ...)
+	TODO: check
+CVE-2018-13360 (Cross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 ...)
+	TODO: check
+CVE-2018-13359 (Cross-site scripting in usertable.php in TerraMaster TOS version ...)
+	TODO: check
+CVE-2018-13358 (System command injection in ajaxdata.php in TerraMaster TOS version ...)
+	TODO: check
+CVE-2018-13357 (Cross-site scripting in Control Panel in TerraMaster TOS version ...)
+	TODO: check
+CVE-2018-13356 (Incorrect access control on ajaxdata.php in TerraMaster TOS version ...)
+	TODO: check
+CVE-2018-13355 (Cross-site scripting in Control Panel in TerraMaster TOS version ...)
+	TODO: check
+CVE-2018-13354 (System command injection in logtable.php in TerraMaster TOS version ...)
+	TODO: check
+CVE-2018-13353 (System command injection in ajaxdata.php in TerraMaster TOS version ...)
+	TODO: check
+CVE-2018-13352 (Session Exposure in the web application for TerraMaster TOS version ...)
+	TODO: check
+CVE-2018-13351 (Cross-site scripting in Control Panel in TerraMaster TOS version ...)
+	TODO: check
+CVE-2018-13350 (SQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows ...)
+	TODO: check
+CVE-2018-13349 (Cross-site scripting in the web application taskbar in TerraMaster TOS ...)
+	TODO: check
 CVE-2018-13345
 	RESERVED
 CVE-2018-13344
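Review bot: the trailing context shows CVE-2018-13349 followed directly by CVE-2018-13345, so CVE-2018-13346, -13347 and -13348 have no entry in this region of the list; check whether those IDs appear elsewhere in data/CVE/list or were never picked up by the automatic update.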
@@ -18507,26 +18511,26 @@ CVE-2018-13340 (Gleez CMS 1.2.0 has CSRF, as demonstrated by a /page/add request
 	NOT-FOR-US: Gleez CMS
 CVE-2018-13339 (Imperavi Redactor 3 in Angular Redactor 1.1.6, when HTML content mode ...)
 	NOT-FOR-US: Imperavi Redactor
-CVE-2018-13338
-	RESERVED
-CVE-2018-13337
-	RESERVED
-CVE-2018-13336
-	RESERVED
-CVE-2018-13335
-	RESERVED
-CVE-2018-13334
-	RESERVED
-CVE-2018-13333
-	RESERVED
-CVE-2018-13332
-	RESERVED
-CVE-2018-13331
-	RESERVED
-CVE-2018-13330
-	RESERVED
-CVE-2018-13329
-	RESERVED
+CVE-2018-13338 (System command injection in ajaxdata.php in TerraMaster TOS version ...)
+	TODO: check
+CVE-2018-13337 (Session Fixation in the web application for TerraMaster TOS version ...)
+	TODO: check
+CVE-2018-13336 (System command injection in ajaxdata.php in TerraMaster TOS version ...)
+	TODO: check
+CVE-2018-13335 (Cross-site scripting in Control Panel in TerraMaster TOS version ...)
+	TODO: check
+CVE-2018-13334 (Cross-site scripting in handle.php in TerraMaster TOS version 3.1.03 ...)
+	TODO: check
+CVE-2018-13333 (Cross-site scripting in File Manager in TerraMaster TOS version 3.1.03 ...)
+	TODO: check
+CVE-2018-13332 (Directory Traversal in the explorer application in TerraMaster TOS ...)
+	TODO: check
+CVE-2018-13331 (Cross-site scripting in Control Panel in TerraMaster TOS version ...)
+	TODO: check
+CVE-2018-13330 (System command injection in ajaxdata.php in TerraMaster TOS version ...)
+	TODO: check
+CVE-2018-13329 (Cross-site scripting in ajaxdata.php in TerraMaster TOS version 3.1.03 ...)
+	TODO: check
 CVE-2018-13328 (The transfer, transferFrom, and mint functions of a smart contract ...)
 	NOT-FOR-US: smart contract
 CVE-2018-13327 (The transfer and transferFrom functions of a smart contract ...)
@@ -18551,12 +18555,12 @@ CVE-2018-13318 (System command injection in User.create method in Buffalo TS5600
 	NOT-FOR-US: Buffalo
 CVE-2018-13317 (Password disclosure in password.htm in TOTOLINK A3002RU version 1.0.8 ...)
 	NOT-FOR-US: TOTOLINK
-CVE-2018-13316
-	RESERVED
+CVE-2018-13316 (System command injection in formAliasIp in TOTOLINK A3002RU version ...)
+	TODO: check
 CVE-2018-13315 (Incorrect access control in formPasswordSetup in TOTOLINK A3002RU ...)
 	NOT-FOR-US: TOTOLINK
-CVE-2018-13314
-	RESERVED
+CVE-2018-13314 (System command injection in formAliasIp in TOTOLINK A3002RU version ...)
+	TODO: check
 CVE-2018-13313
 	RESERVED
 CVE-2018-13312 (Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version ...)
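Review bot: CVE-2018-13316 and CVE-2018-13314 sit between entries for the same TOTOLINK A3002RU 1.0.8 firmware that are already marked NOT-FOR-US: TOTOLINK; mark them the same way instead of "TODO: check". The same applies to CVE-2018-13307 and CVE-2018-13306 in the next hunk.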
@@ -18569,10 +18573,10 @@ CVE-2018-13309 (Cross-site scripting in password.htm in TOTOLINK A3002RU version
 	NOT-FOR-US: TOTOLINK
 CVE-2018-13308 (Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version ...)
 	NOT-FOR-US: TOTOLINK
-CVE-2018-13307
-	RESERVED
-CVE-2018-13306
-	RESERVED
+CVE-2018-13307 (System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 ...)
+	TODO: check
+CVE-2018-13306 (System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 ...)
+	TODO: check
 CVE-2018-13305 (In FFmpeg 4.0.1, due to a missing check for negative values of the ...)
 	- ffmpeg <not-affected> (Vulnerable code not present)
 	- libav <undetermined>
@@ -19218,10 +19222,10 @@ CVE-2018-13025 (protected/apps/admin/controller/photoController.php in YXcms 1.4
 	NOT-FOR-US: YXcms
 CVE-2018-13024 (Metinfo v6.0.0 allows remote attackers to write code into a .php file, ...)
 	NOT-FOR-US: Metinfo
-CVE-2018-13023
-	RESERVED
-CVE-2018-13022
-	RESERVED
+CVE-2018-13023 (System command injection vulnerability in wifi_access in Xiaomi Mi ...)
+	TODO: check
+CVE-2018-13022 (Cross-site scripting vulnerability in the API 404 page on Xiaomi Mi ...)
+	TODO: check
 CVE-2018-13021 (An issue was discovered in HongCMS 3.0.0. There is an Arbitrary Script ...)
 	NOT-FOR-US: HongCMS
 CVE-2018-13020
@@ -27266,8 +27270,8 @@ CVE-2018-10144
 	RESERVED
 CVE-2018-10143
 	RESERVED
-CVE-2018-10142
-	RESERVED
+CVE-2018-10142 (The Expedition Migration tool 1.0.106 and earlier may allow an ...)
+	TODO: check
 CVE-2018-10141 (GlobalProtect Portal Login page in Palo Alto Networks PAN-OS before ...)
 	NOT-FOR-US: Palo Alto Networks PAN-OS
 CVE-2018-10140 (The PAN-OS Management Web Interface in Palo Alto Networks PAN-OS 8.1.2 ...)
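Review bot: the Expedition Migration tool is Palo Alto Networks' configuration-migration utility, and the neighbouring CVE-2018-10141 and CVE-2018-10140 are already NOT-FOR-US: Palo Alto Networks PAN-OS, so this TODO can resolve to NOT-FOR-US: Palo Alto Networks Expedition. The description is cut off before the impact, so pull the full text when closing the TODO.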
@@ -32690,8 +32694,8 @@ CVE-2018-7990 (Mate10 Pro Huawei smart phones with the versions before 8.1.0.326
 	NOT-FOR-US: Huawei
 CVE-2018-7989 (Huawei Mate 10 pro smartphones with the versions before BLA-AL00B ...)
 	NOT-FOR-US: Huawei
-CVE-2018-7988
-	RESERVED
+CVE-2018-7988 (There is a Factory Reset Protection (FRP) bypass vulnerability on ...)
+	TODO: check
 CVE-2018-7987
 	RESERVED
 CVE-2018-7986
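Review bot: this hunk and the three Huawei hunks that follow (CVE-2018-7977, CVE-2018-7961 to -7958, CVE-2018-7946) add TODO markers for Huawei smartphone and eSpace issues surrounded by entries already marked NOT-FOR-US: Huawei; resolve them as one batch with that marker.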
@@ -32712,8 +32716,8 @@ CVE-2018-7979
 	RESERVED
 CVE-2018-7978
 	RESERVED
-CVE-2018-7977
-	RESERVED
+CVE-2018-7977 (There is an information leakage vulnerability on several Huawei ...)
+	TODO: check
 CVE-2018-7976 (There is a stored cross-site scripting (XSS) vulnerability in Huawei ...)
 	NOT-FOR-US: Huawei
 CVE-2018-7975
@@ -32744,14 +32748,14 @@ CVE-2018-7963
 	RESERVED
 CVE-2018-7962
 	RESERVED
-CVE-2018-7961
-	RESERVED
-CVE-2018-7960
-	RESERVED
-CVE-2018-7959
-	RESERVED
-CVE-2018-7958
-	RESERVED
+CVE-2018-7961 (There is a smart SMS verification code vulnerability in some Huawei ...)
+	TODO: check
+CVE-2018-7960 (There is a SRTP icon display vulnerability in Huawei eSpace product. ...)
+	TODO: check
+CVE-2018-7959 (There is a short key vulnerability in Huawei eSpace product. An ...)
+	TODO: check
+CVE-2018-7958 (There is an anonymous TLS cipher suites supported vulnerability in ...)
+	TODO: check
 CVE-2018-7957 (Huawei smartphones with software Victoria-AL00 8.0.0.336a(C00) have an ...)
 	NOT-FOR-US: Huawei
 CVE-2018-7956
@@ -32774,8 +32778,8 @@ CVE-2018-7948
 	RESERVED
 CVE-2018-7947 (Huawei mobile phones with versions earlier before Emily-AL00A ...)
 	NOT-FOR-US: Huawei
-CVE-2018-7946
-	RESERVED
+CVE-2018-7946 (There is an information leak vulnerability in some Huawei smartphones. ...)
+	TODO: check
 CVE-2018-7945
 	RESERVED
 CVE-2018-7944 (Huawei smart phones Emily-AL00A with software 8.1.0.106(SP2C00) and ...)
@@ -55167,12 +55171,12 @@ CVE-2018-0723
 	RESERVED
 CVE-2018-0722
 	RESERVED
-CVE-2018-0721
-	RESERVED
+CVE-2018-0721 (Buffer Overflow vulnerability in QNAP QTS 4.2.6 build 20180711 and ...)
+	TODO: check
 CVE-2018-0720
 	RESERVED
-CVE-2018-0719
-	RESERVED
+CVE-2018-0719 (Cross-site scripting (XSS) vulnerability in QNAP QTS 4.2.6 build ...)
+	TODO: check
 CVE-2018-0718 (Command injection vulnerability in Music Station 5.1.2 and earlier ...)
 	NOT-FOR-US: Music Station
 CVE-2018-0717
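Review bot: CVE-2018-0721 and CVE-2018-0719 concern QNAP QTS 4.2.6 firmware, and the adjacent CVE-2018-0718 (Music Station, a QNAP application) is already NOT-FOR-US: Music Station; mark these two NOT-FOR-US: QNAP QTS so the three QNAP entries are triaged consistently.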



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/04fb4b7f9ff851df4ec33f15eff3aa1fc475cacb


