[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff
jmm at debian.org
Thu Apr 9 22:52:06 BST 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
bf070d3e by Moritz Muehlenhoff at 2020-04-09T23:51:46+02:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2855,11 +2855,11 @@ CVE-2020-10633 (A non-persistent XSS (cross-site scripting) vulnerability exists
CVE-2020-10632
RESERVED
CVE-2020-10631 (An attacker could use a specially crafted URL to delete or read files ...)
- TODO: check
+ NOT-FOR-US: WebAccess/NMS
CVE-2020-10630
RESERVED
CVE-2020-10629 (WebAccess/NMS (versions prior to 3.0.2) does not sanitize XML input. S ...)
- TODO: check
+ NOT-FOR-US: WebAccess/NMS
CVE-2020-10628
RESERVED
CVE-2020-10627
@@ -2867,23 +2867,23 @@ CVE-2020-10627
CVE-2020-10626
RESERVED
CVE-2020-10625 (WebAccess/NMS (versions prior to 3.0.2) allows an unauthenticated remo ...)
- TODO: check
+ NOT-FOR-US: WebAccess/NMS
CVE-2020-10624
RESERVED
CVE-2020-10623 (Multiple vulnerabilities could allow an attacker with low privileges t ...)
- TODO: check
+ NOT-FOR-US: WebAccess/NMS
CVE-2020-10622
RESERVED
CVE-2020-10621 (Multiple issues exist that allow files to be uploaded and executed on ...)
- TODO: check
+ NOT-FOR-US: WebAccess/NMS
CVE-2020-10620
RESERVED
CVE-2020-10619 (An attacker could use a specially crafted URL to delete files outside ...)
- TODO: check
+ NOT-FOR-US: WebAccess/NMS
CVE-2020-10618
RESERVED
CVE-2020-10617 (There are multiple ways an unauthenticated attacker could perform SQL ...)
- TODO: check
+ NOT-FOR-US: WebAccess/NMS
CVE-2020-10616
RESERVED
CVE-2020-10615
@@ -2911,7 +2911,7 @@ CVE-2020-10605
CVE-2020-10604
RESERVED
CVE-2020-10603 (WebAccess/NMS (versions prior to 3.0.2) does not properly sanitize use ...)
- TODO: check
+ NOT-FOR-US: WebAccess/NMS
CVE-2020-10602
RESERVED
CVE-2020-10601 (VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module allow ...)
@@ -3036,7 +3036,7 @@ CVE-2020-10553
CVE-2020-10552
RESERVED
CVE-2020-10551 (QQBrowser before 10.5.3870.400 installs a Windows service TsService.ex ...)
- TODO: check
+ NOT-FOR-US: QQBrowser
CVE-2020-10550
RESERVED
CVE-2020-10549
@@ -3418,7 +3418,7 @@ CVE-2020-10368
CVE-2020-10367
RESERVED
CVE-2020-10366 (LogicalDoc before 8.3.3 allows /servlet.gupld Directory Traversal, a d ...)
- TODO: check
+ NOT-FOR-US: LogicalDoc
CVE-2020-10365 (LogicalDoc before 8.3.3 allows SQL Injection. LogicalDoc populates the ...)
NOT-FOR-US: LogicalDoc
CVE-2020-10364 (The SSH daemon on MikroTik routers through v6.44.3 could allow remote ...)
@@ -3626,9 +3626,9 @@ CVE-2020-10264 (CB3 SW Version 3.3 and upwards, e-series SW Version 5.0 and upwa
CVE-2019-20509
REJECTED
CVE-2020-10263 (An issue was discovered on XIAOMI XIAOAI speaker Pro LX06 1.52.4. Atta ...)
- TODO: check
+ NOT-FOR-US: XIAOMI
CVE-2020-10262 (An issue was discovered on XIAOMI XIAOAI speaker Pro LX06 1.58.10. Att ...)
- TODO: check
+ NOT-FOR-US: XIAOMI
CVE-2020-10261
RESERVED
CVE-2020-10260
@@ -5321,9 +5321,9 @@ CVE-2020-9502
CVE-2020-9501
RESERVED
CVE-2020-9500 (Some products of Dahua have Denial of Service vulnerabilities. After t ...)
- TODO: check
+ NOT-FOR-US: Dahua
CVE-2020-9499 (Some Dahua products have buffer overflow vulnerabilities. After the su ...)
- TODO: check
+ NOT-FOR-US: Dahua
CVE-2020-9498
RESERVED
CVE-2020-9497
@@ -6945,11 +6945,11 @@ CVE-2020-8830
CVE-2020-8829
RESERVED
CVE-2020-8828 (As of v1.5.0, the default admin password is set to the argocd-server p ...)
- TODO: check
+ NOT-FOR-US: Argo
CVE-2020-8827 (As of v1.5.0, the Argo API does not implement anti-automation measures ...)
- TODO: check
+ NOT-FOR-US: Argo
CVE-2020-8826 (As of v1.5.0, the Argo web interface authentication system issued immu ...)
- TODO: check
+ NOT-FOR-US: Argo
CVE-2020-8825 (index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows store ...)
NOT-FOR-US: Vanilla Forums
CVE-2020-8824 (Hitron CODA-4582U 7.1.1.30 devices allow XSS via a Managed Device name ...)
@@ -6975,7 +6975,7 @@ CVE-2020-8815 (Improper connection handling in the base connection handler in IK
CVE-2020-8814
RESERVED
CVE-2018-21034 (In Argo versions prior to v1.5.0-rc1, it was possible for authenticate ...)
- TODO: check
+ NOT-FOR-US: Argo
CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext HTTP, a ...)
- lxc-templates <unfixed>
- lxc 1:3.0.3-1 (low)
@@ -9023,7 +9023,7 @@ CVE-2020-7924
CVE-2020-7923
RESERVED
CVE-2020-7922 (X.509 certificates generated by the MongoDB Enterprise Kubernetes Oper ...)
- TODO: check
+ NOT-FOR-US: MongoDB Enterprise
CVE-2020-7921
RESERVED
CVE-2019-20419
@@ -9686,23 +9686,23 @@ CVE-2020-7641
CVE-2020-7640
RESERVED
CVE-2020-7639 (eivindfjeldstad-dot below 1.0.3 is vulnerable to Prototype Pollution.T ...)
- TODO: check
+ NOT-FOR-US: Node eivindfjeldstad-dot
CVE-2020-7638 (confinit through 0.3.0 is vulnerable to Prototype Pollution.The 'setDe ...)
- TODO: check
+ NOT-FOR-US: Node confinit
CVE-2020-7637 (class-transformer through 0.2.3 is vulnerable to Prototype Pollution. ...)
- TODO: check
+ NOT-FOR-US: Node class-transformer
CVE-2020-7636 (adb-driver through 0.1.8 is vulnerable to Command Injection.It allows ...)
- TODO: check
+ NOT-FOR-US: Node adb-driver
CVE-2020-7635 (compass-compile through 0.0.1 is vulnerable to Command Injection.It al ...)
- TODO: check
+ NOT-FOR-US: Node compass-compile
CVE-2020-7634 (heroku-addonpool through 0.1.15 is vulnerable to Command Injection. ...)
- TODO: check
+ NOT-FOR-US: Node heroku-addonpool
CVE-2020-7633 (apiconnect-cli-plugins through 6.0.1 is vulnerable to Command Injectio ...)
- TODO: check
+ NOT-FOR-US: Node apiconnect-cli-plugins
CVE-2020-7632 (node-mpv through 1.4.3 is vulnerable to Command Injection. It allows e ...)
- TODO: check
+ NOT-FOR-US: Node node-mpv
CVE-2020-7631 (diskusage-ng through 0.2.4 is vulnerable to Command Injection.It allow ...)
- TODO: check
+ NOT-FOR-US: Node diskusage-ng
CVE-2020-7630 (git-add-remote through 1.0.0 is vulnerable to Command Injection. It al ...)
NOT-FOR-US: git-add-remote node module
CVE-2020-7629 (install-package through 0.4.0 is vulnerable to Command Injection. It a ...)
@@ -9728,17 +9728,17 @@ CVE-2020-7620 (pomelo-monitor through 0.3.7 is vulnerable to Command Injection.I
CVE-2020-7619 (get-git-data through 1.3.1 is vulnerable to Command Injection. It is p ...)
NOT-FOR-US: get-git-data node module
CVE-2020-7618 (sds through 3.2.0 is vulnerable to Prototype Pollution.The library cou ...)
- TODO: check
+ NOT-FOR-US: Node sds
CVE-2020-7617 (ini-parser through 0.0.2 is vulnerable to Prototype Pollution.The libr ...)
NOT-FOR-US: Node ini-parser
CVE-2020-7616 (express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollu ...)
- TODO: check
+ NOT-FOR-US: Node express-mock-middleware
CVE-2020-7615 (fsa through 0.5.1 is vulnerable to Command Injection. The first argume ...)
- TODO: check
+ NOT-FOR-US: Node fsa
CVE-2020-7614 (npm-programmatic through 0.0.12 is vulnerable to Command Injection.The ...)
- TODO: check
+ NOT-FOR-US: npm-programmatic
CVE-2020-7613 (clamscan through 1.2.0 is vulnerable to Command Injection. It is possi ...)
- TODO: check
+ NOT-FOR-US: Node clamscan
CVE-2020-7612
RESERVED
CVE-2020-7611 (All versions of io.micronaut:micronaut-http-client before 1.2.11 and a ...)
@@ -11217,7 +11217,7 @@ CVE-2020-6976 (Delta Industrial Automation CNCSoft ScreenEditor, v1.00.96 and pr
CVE-2020-6975 (Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 (820 ...)
NOT-FOR-US: Digi International ConnectPort LTS 32 MEI
CVE-2020-6974 (Honeywell Notifier Web Server (NWS) Version 3.50 is vulnerable to a pa ...)
- TODO: check
+ NOT-FOR-US: Honeywell
CVE-2020-6973 (Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 (820 ...)
NOT-FOR-US: Digi International ConnectPort LTS 32 MEI
CVE-2020-6972 (In Notifier Web Server (NWS) Version 3.50 and earlier, the Honeywell F ...)
@@ -12038,7 +12038,7 @@ CVE-2020-6649
CVE-2020-6648
RESERVED
CVE-2020-6647 (An improper neutralization of input vulnerability in the dashboard of ...)
- TODO: check
+ NOT-FOR-US: Fortiguard
CVE-2020-6646 (An improper neutralization of input vulnerability in FortiWeb allows a ...)
NOT-FOR-US: Fortiguard
CVE-2020-6645
@@ -13211,7 +13211,7 @@ CVE-2020-6173 (TUF (aka The Update Framework) 0.7.2 through 0.12.1 allows Uncont
CVE-2020-6172
RESERVED
CVE-2020-6171 (A cross-site scripting (XSS) vulnerability in the index page of the CL ...)
- TODO: check
+ NOT-FOR-US: Clink Office
CVE-2020-6170 (An authentication bypass vulnerability on Genexis Platinum-4410 v2.1 P ...)
NOT-FOR-US: Genexis
CVE-2020-6169
@@ -14115,11 +14115,11 @@ CVE-2020-5738
CVE-2020-5737
RESERVED
CVE-2020-5736 (Amcrest cameras and NVR are vulnerable to a null pointer dereference o ...)
- TODO: check
+ NOT-FOR-US: Amcrest
CVE-2020-5735 (Amcrest cameras and NVR are vulnerable to a stack-based buffer overflo ...)
- TODO: check
+ NOT-FOR-US: Amcrest
CVE-2020-5734 (Classic buffer overflow in SolarWinds Dameware allows a remote, unauth ...)
- TODO: check
+ NOT-FOR-US: SolarWinds
CVE-2020-5733
RESERVED
CVE-2020-5732
@@ -14487,9 +14487,9 @@ CVE-2020-5552 (Cross-site scripting vulnerability in mailform version 1.04 allow
CVE-2020-5551 (Toyota 2017 Model Year DCU (Display Control Unit) allows an unauthenti ...)
NOT-FOR-US: Toyota
CVE-2020-5550 (Session fixation vulnerability in EasyBlocks IPv6 Ver. 2.0.1 and earli ...)
- TODO: check
+ NOT-FOR-US: EasyBlocks
CVE-2020-5549 (Cross-site request forgery (CSRF) vulnerability in EasyBlocks IPv6 Ver ...)
- TODO: check
+ NOT-FOR-US: EasyBlocks
CVE-2020-5548 (Yamaha LTE VoIP Router(NVR700W firmware Rev.15.00.15 and earlier), Yam ...)
NOT-FOR-US: Yamaha
CVE-2020-5547 (Resource Management Errors vulnerability in TCP function included in t ...)
@@ -15086,7 +15086,7 @@ CVE-2020-5304
CVE-2020-5303
RESERVED
CVE-2020-5302 (MH-WikiBot (an IRC Bot for interacting with the Miraheze API), had a b ...)
- TODO: check
+ NOT-FOR-US: MH-WikiBot
CVE-2020-5301
RESERVED
CVE-2020-5300 (In Hydra (an OAuth2 Server and OpenID Certified™ OpenID Connect ...)
@@ -15184,7 +15184,7 @@ CVE-2020-5265
CVE-2020-5264
RESERVED
CVE-2020-5263 (auth0.js (NPM package auth0-js) greater than version 8.0.0 and before ...)
- TODO: check
+ NOT-FOR-US: Node auth0-js
CVE-2020-5262 (In EasyBuild before version 4.1.2, the GitHub Personal Access Token (P ...)
NOT-FOR-US: EasyBuild
CVE-2020-5261 (Saml2 Authentication services for ASP.NET (NuGet package Sustainsys.Sa ...)
@@ -23906,23 +23906,23 @@ CVE-2020-1994
CVE-2020-1993
RESERVED
CVE-2020-1992 (A format string vulnerability in the Varrcvr daemon of PAN-OS on PA-70 ...)
- TODO: check
+ NOT-FOR-US: Palo Alto Networks
CVE-2020-1991 (An insecure temporary file vulnerability in Palo Alto Networks Traps a ...)
- TODO: check
+ NOT-FOR-US: Palo Alto Networks
CVE-2020-1990 (A stack-based buffer overflow vulnerability in the management server c ...)
- TODO: check
+ NOT-FOR-US: Palo Alto Networks
CVE-2020-1989 (An incorrect privilege assignment vulnerability when writing applicati ...)
- TODO: check
+ NOT-FOR-US: Palo Alto Networks
CVE-2020-1988 (An unquoted search path vulnerability in the Windows release of Global ...)
- TODO: check
+ NOT-FOR-US: Palo Alto Networks
CVE-2020-1987 (An information exposure vulnerability in the logging component of Palo ...)
- TODO: check
+ NOT-FOR-US: Palo Alto Networks
CVE-2020-1986 (Improper input validation vulnerability in Secdo allows an authenticat ...)
- TODO: check
+ NOT-FOR-US: Palo Alto Networks
CVE-2020-1985 (Incorrect Default Permissions on C:\Programdata\Secdo\Logs folder in S ...)
- TODO: check
+ NOT-FOR-US: Palo Alto Networks
CVE-2020-1984 (Secdo tries to execute a script at a hardcoded path if present, which ...)
- TODO: check
+ NOT-FOR-US: Palo Alto Networks
CVE-2020-1983
RESERVED
CVE-2020-1982
@@ -23934,7 +23934,7 @@ CVE-2020-1980 (A shell command injection vulnerability in the PAN-OS CLI allows
CVE-2020-1979 (A format string vulnerability in the PAN-OS log daemon (logd) on Panor ...)
NOT-FOR-US: PAN-OS
CVE-2020-1978 (TechSupport files generated on Palo Alto Networks VM Series firewalls ...)
- TODO: check
+ NOT-FOR-US: Palo Alto Networks
CVE-2020-1977 (Insufficient Cross-Site Request Forgery (XSRF) protection on Expeditio ...)
NOT-FOR-US: Palo Alto
CVE-2020-1976 (A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalPr ...)
@@ -24431,7 +24431,7 @@ CVE-2020-1897
CVE-2020-1896
RESERVED
CVE-2020-1895 (A large heap overflow could occur in Instagram for Android when attemp ...)
- TODO: check
+ NOT-FOR-US: Instagram for Android
CVE-2020-1894
RESERVED
CVE-2020-1893 (Insufficient boundary checks when decoding JSON in TryParse reads out ...)
@@ -24451,7 +24451,7 @@ CVE-2020-1887 (Incorrect validation of the TLS SNI hostname in osquery versions
CVE-2020-1886
RESERVED
CVE-2020-1885 (Writing to an unprivileged file from a privileged OVRRedir.exe process ...)
- TODO: check
+ NOT-FOR-US: Oculus Desktop
CVE-2019-19512
RESERVED
CVE-2019-19511
@@ -32908,7 +32908,7 @@ CVE-2019-17659
CVE-2019-17658 (An unquoted service path vulnerability in the FortiClient FortiTray co ...)
NOT-FOR-US: Fortiguard
CVE-2019-17657 (An Uncontrolled Resource Consumption vulnerability in Fortinet FortiSw ...)
- TODO: check
+ NOT-FOR-US: Fortiguard
CVE-2019-17656
RESERVED
CVE-2019-17655
@@ -38265,7 +38265,7 @@ CVE-2019-15790
RESERVED
NOT-FOR-US: Apport
CVE-2019-15789 (Privilege escalation vulnerability in MicroK8s allows a low privilege ...)
- TODO: check
+ NOT-FOR-US: MicroK8s
CVE-2019-15807 (In the Linux kernel before 5.1.13, there is a memory leak in drivers/s ...)
{DLA-1930-1 DLA-1919-1}
- linux 5.2.6-1
@@ -46801,7 +46801,7 @@ CVE-2019-13561 (D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote atta
CVE-2019-13560 (D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote attackers ...)
NOT-FOR-US: D-Link
CVE-2019-13559 (GE Mark VIe Controller is shipped with pre-configured hard-coded crede ...)
- TODO: check
+ NOT-FOR-US: GE Mark VIe Controller
CVE-2019-13558 (In WebAccess versions 8.4.1 and prior, an exploit executed over the ne ...)
NOT-FOR-US: WebAccess
CVE-2019-13557 (In Tasy EMR, Tasy WebPortal Versions 3.02.1757 and prior, there is an ...)
@@ -46811,7 +46811,7 @@ CVE-2019-13556 (In WebAccess versions 8.4.1 and prior, multiple stack-based buff
CVE-2019-13555 (In Mitsubishi Electric MELSEC-Q Series Q03/04/06/13/26UDVCPU: serial n ...)
NOT-FOR-US: Mitsubishi
CVE-2019-13554 (GE Mark VIe Controller has an unsecured Telnet protocol that may allow ...)
- TODO: check
+ NOT-FOR-US: GE Mark VIe Controller
CVE-2019-13553 (Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb ...)
NOT-FOR-US: Rittal Chiller SK 3232-Series
CVE-2019-13552 (In WebAccess versions 8.4.1 and prior, multiple command injection vuln ...)
@@ -72121,11 +72121,11 @@ CVE-2019-4395 (IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.
CVE-2019-4394 (IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 con ...)
NOT-FOR-US: IBM
CVE-2019-4393 (HCL AppScan Standard is vulnerable to excessive authorization attempts ...)
- TODO: check
+ NOT-FOR-US: HCL AppScan
CVE-2019-4392 (HCL AppScan Standard Edition 9.0.3.13 and earlier uses hard-coded cred ...)
NOT-FOR-US: HCL AppScan
CVE-2019-4391 (HCL AppScan Standard is vulnerable to XML External Entity Injection (X ...)
- TODO: check
+ NOT-FOR-US: HCL AppScan
CVE-2019-4390
RESERVED
CVE-2019-4389
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf070d3e976a6ff290f8852fc42f3ab42fec1bf1
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf070d3e976a6ff290f8852fc42f3ab42fec1bf1
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200409/053d3e74/attachment.html>
More information about the debian-security-tracker-commits
mailing list