[Git][security-tracker-team/security-tracker][master] new dompurify issue

Moritz Muehlenhoff jmm at debian.org
Wed Sep 25 09:26:54 BST 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
317bbbe9 by Moritz Muehlenhoff at 2019-09-25T08:26:34Z
new dompurify issue
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -211,7 +211,7 @@ CVE-2019-16761
 CVE-2019-16760
 	RESERVED
 CVE-2019-16759 (vBulletin 5.x through 5.5.4 allows remote command execution via the wi ...)
-	TODO: check
+	NOT-FOR-US: vBulletin
 CVE-2019-16758
 	RESERVED
 CVE-2019-16757
@@ -227,7 +227,7 @@ CVE-2019-16753
 CVE-2019-16752
 	RESERVED
 CVE-2019-16751 (An issue was discovered in Devise Token Auth through 1.1.2. The omniau ...)
-	TODO: check
+	NOT-FOR-US: Devise Token Auth
 CVE-2019-16750
 	RESERVED
 CVE-2019-16749
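Review bot: for CVE-2019-16751 the NOT-FOR-US tag names "Devise Token Auth"; worth confirming this was checked against the archive rather than by name alone, since the Devise gem itself is packaged in Debian (ruby-devise) while the affected project is the separate devise_token_auth gem. Using the upstream gem name, `NOT-FOR-US: devise_token_auth`, would also make later greps of data/CVE/list match the project as it is referenced elsewhere.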
@@ -270,7 +270,8 @@ CVE-2019-16731
 CVE-2019-16730
 	RESERVED
 CVE-2019-16728 (DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (m ...)
-	TODO: check
+	- dompurify.js <removed>
+	NOTE: https://research.securitum.com/dompurify-bypass-using-mxss/
 CVE-2019-16746 (An issue was discovered in net/wireless/nl80211.c in the Linux kernel  ...)
 	- linux <unfixed>
 	NOTE: https://marc.info/?l=linux-wireless&m=156901391225058&w=2
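Review bot: the `- dompurify.js <removed>` line records no fixed version, so the only fix information on the CVE-2019-16728 entry is the truncated description's "before 2.0.1". Consider adding a `NOTE: Fixed by 2.0.1` line (or the upstream fix commit, if known) beside the securitum link, so that anyone assessing an older suite that still ships dompurify.js can read the fixed upstream version directly from the tracker instead of having to follow the research write-up to find it.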
@@ -279,9 +280,9 @@ CVE-2019-16727
 CVE-2019-16726
 	RESERVED
 CVE-2019-16725 (In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks  ...)
-	TODO: check
+	NOT-FOR-US: Joomla!
 CVE-2019-16724 (File Sharing Wizard 1.5.0 allows a remote attacker to obtain arbitrary ...)
-	TODO: check
+	NOT-FOR-US: File Sharing Wizard
 CVE-2019-16723 (In Cacti through 1.2.6, authenticated users may bypass authorization c ...)
 	- cacti <unfixed> (bug #941036)
 	NOTE: https://github.com/Cacti/cacti/issues/2964
@@ -326,7 +327,7 @@ CVE-2019-16707 (Hunspell 1.7.0 has an invalid read operation in SuggestMgr::left
 CVE-2019-16706 (kkcms v1.3 has a CSRF vulnerablity that can add an user account via ad ...)
 	NOT-FOR-US: kkcms
 CVE-2018-21019 (Home Assistant before 0.67.0 was vulnerable to an information disclosu ...)
-	TODO: check
+	NOT-FOR-US: Home Assistant
 CVE-2019-16729 (pam-python before 1.0.7-1 has an issue in regard to the default enviro ...)
 	- pam-python 1.0.7-1
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1150510#c1
@@ -338,11 +339,11 @@ CVE-2019-16705 (Ming (aka libming) 0.4.8 has an out of bounds read vulnerability
 	- ming <removed>
 	NOTE: https://github.com/libming/libming/issues/178
 CVE-2019-16704 (admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS. ...)
-	TODO: check
+	NOT-FOR-US: PHPMyWind
 CVE-2019-16703 (admin/infolist_add.php in PHPMyWind 5.6 has stored XSS. ...)
-	TODO: check
+	NOT-FOR-US: PHPMyWind
 CVE-2019-16702 (Integard Pro 2.2.0.9026 allows remote attackers to execute arbitrary c ...)
-	TODO: check
+	NOT-FOR-US: Integard Pro
 CVE-2019-16701
 	RESERVED
 CVE-2019-16700
@@ -384,9 +385,9 @@ CVE-2019-16683
 CVE-2019-16682
 	RESERVED
 CVE-2018-21018 (Mastodon before 2.6.3 mishandles timeouts of incompletely established  ...)
-	TODO: check
+	NOT-FOR-US: Mastodon
 CVE-2019-16681 (The Traveloka application 3.14.0 for Android exports com.traveloka.and ...)
-	TODO: check
+	NOT-FOR-US: Traveloka
 CVE-2019-16680 (An issue was discovered in GNOME file-roller before 3.29.91. It allows ...)
 	- file-roller 3.30.0-1
 	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=794337
@@ -804,7 +805,7 @@ CVE-2019-16520
 CVE-2019-16519
 	RESERVED
 CVE-2019-16518 (An issue was discovered on Swell Kit Mod devices that use the Vandy Va ...)
-	TODO: check
+	NOT-FOR-US: Swell Kit Mod devices
 CVE-2019-16517
 	RESERVED
 CVE-2019-16516
@@ -1079,7 +1080,7 @@ CVE-2019-16385
 CVE-2019-16384
 	RESERVED
 CVE-2019-16383 (MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2 ...)
-	TODO: check
+	NOT-FOR-US: Progress MOVEit Transfer
 CVE-2019-16382
 	RESERVED
 CVE-2019-16381



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/317bbbe9cb1abc5e7341a1d8bbdb461840770ed8
