[Git][security-tracker-team/security-tracker][master] new grafana issue

Moritz Muehlenhoff jmm at debian.org
Thu Apr 30 09:40:28 BST 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a0ccb8ad by Moritz Muehlenhoff at 2020-04-30T10:40:08+02:00
new grafana issue
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3,11 +3,11 @@ CVE-2020-12481
 CVE-2020-12480
 	RESERVED
 CVE-2020-12479 (TeamPass 2.1.27.36 allows any authenticated TeamPass user to trigger a ...)
-	TODO: check
+	NOT-FOR-US: TeamPass
 CVE-2020-12478 (TeamPass 2.1.27.36 allows an unauthenticated attacker to retrieve file ...)
-	TODO: check
+	NOT-FOR-US: TeamPass
 CVE-2020-12477 (The REST API functions in TeamPass 2.1.27.36 allow any user with a val ...)
-	TODO: check
+	NOT-FOR-US: TeamPass
 CVE-2020-12476
 	RESERVED
 CVE-2020-12475
@@ -15,23 +15,23 @@ CVE-2020-12475
 CVE-2020-12474
 	RESERVED
 CVE-2020-12473 (MonoX through 5.1.40.5152 allows admins to execute arbitrary programs  ...)
-	TODO: check
+	NOT-FOR-US: MonoX
 CVE-2020-12472 (MonoX through 5.1.40.5152 allows stored XSS via User Status, Blog Comm ...)
-	TODO: check
+	NOT-FOR-US: MonoX
 CVE-2020-12471 (MonoX through 5.1.40.5152 allows remote code execution via HTML5Upload ...)
-	TODO: check
+	NOT-FOR-US: MonoX
 CVE-2020-12470 (MonoX through 5.1.40.5152 allows administrators to execute arbitrary c ...)
-	TODO: check
+	NOT-FOR-US: MonoX
 CVE-2020-12469 (admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Inject ...)
-	TODO: check
+	NOT-FOR-US: MonoX
 CVE-2020-12468 (Subrion CMS 4.2.1 allows CSV injection via a phrase value within a lan ...)
-	TODO: check
+	NOT-FOR-US: Subrion CMS
 CVE-2020-12467 (Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in ...)
-	TODO: check
+	NOT-FOR-US: Subrion CMS
 CVE-2019-20793
 	RESERVED
 CVE-2016-11061 (Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 7 ...)
-	TODO: check
+	NOT-FOR-US: Xerox
 CVE-2020-XXXX [CSRF attack can cause an authenticated user to be logged out]
 	- roundcube 1.4.4+dfsg.1-1 (bug #959142)
 	NOTE: https://github.com/roundcube/roundcubemail/pull/7302
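Review bot: the NOT-FOR-US tag added for CVE-2020-12469 names MonoX, but that entry's description is Subrion CMS (admin/blocks.php in Subrion CMS through 4.2.1 ...), the same product as the two entries immediately below it, which correctly read NOT-FOR-US: Subrion CMS. Change the line to `NOT-FOR-US: Subrion CMS` so the product attribution matches the description and the triage reason stays searchable by product name.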
@@ -56,13 +56,15 @@ CVE-2020-12463
 CVE-2020-12462 (The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with  ...)
 	NOT-FOR-US: ninja-forms plugin for WordPress
 CVE-2020-12461 (PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an in ...)
-	TODO: check
+	NOT-FOR-US: PHP-Fusion
 CVE-2020-12460
 	RESERVED
 CVE-2020-12459 (In certain Red Hat packages for Grafana 6.x through 6.3.6, the configu ...)
-	TODO: check
+	NOT-FOR-US: Grafana as shipped in Red Hat
 CVE-2020-12458 (An information-disclosure flaw was found in Grafana through 6.7.3. The ...)
-	TODO: check
+	- grafana <removed>
+	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1827765
+	NOTE: https://github.com/grafana/grafana/issues/8283 
 CVE-2020-12457
 	RESERVED
 CVE-2020-12456
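Review bot: the added NOTE line for CVE-2020-12458 carries trailing whitespace after the grafana issue URL (`NOTE: https://github.com/grafana/grafana/issues/8283 `); strip it so the line matches the other NOTE lines in the file and does not produce spurious diffs later. The `grafana <removed>` state is consistent with the existing CVE-2020-12245 entry further down, so the package status itself looks right.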
@@ -86,7 +88,7 @@ CVE-2020-12448
 CVE-2020-12447 (A Local File Inclusion (LFI) issue on Onkyo TX-NR585 1000-0000-000-000 ...)
 	NOT-FOR-US: Onkyo
 CVE-2020-12446 (The ene.sys driver in G.SKILL Trident Z Lighting Control through 1.00. ...)
-	TODO: check
+	NOT-FOR-US: G.SKILL Trident Z Lighting Control
 CVE-2020-12445
 	RESERVED
 CVE-2020-12444
@@ -102,7 +104,7 @@ CVE-2020-12440
 CVE-2020-12439
 	RESERVED
 CVE-2020-12438 (An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03 ...)
-	TODO: check
+	NOT-FOR-US: PHP-Fusion
 CVE-2020-12437
 	RESERVED
 CVE-2020-12436
@@ -416,7 +418,7 @@ CVE-2020-12288
 CVE-2020-12287
 	RESERVED
 CVE-2019-20791 (OpenThread before 2019-12-13 has a stack-based buffer overflow in Mesh ...)
-	TODO: check
+	NOT-FOR-US: OpenThread
 CVE-2018-21232 (re2c before 2.0 has uncontrolled recursion that causes stack consumpti ...)
 	- re2c <unfixed>
 	[buster] - re2c <no-dsa> (Minor issue)
@@ -448,7 +450,7 @@ CVE-2017-18856 (NETGEAR ReadyNAS devices before 6.6.1 are affected by command in
 CVE-2017-18855 (NETGEAR WNR854T devices before 1.5.2 are affected by command execution ...)
 	NOT-FOR-US: Netgear
 CVE-2017-18854 (NETGEAR ReadyNAS 6.6.1 and earlier is affected by command injection. ...)
-	TODO: check
+	NOT-FOR-US: Netgear
 CVE-2017-18853 (Certain NETGEAR devices are affected by password recovery and file acc ...)
 	NOT-FOR-US: Netgear
 CVE-2016-11060 (Certain NETGEAR devices are affected by insecure renegotiation. This a ...)
@@ -548,9 +550,9 @@ CVE-2019-20789 (Croogo before 3.0.7 allows XSS via the title to admin/menus/menu
 CVE-2020-12253
 	RESERVED
 CVE-2020-12252 (An issue was discovered in Gigamon GigaVUE 5.5.01.11. The upload funct ...)
-	TODO: check
+	NOT-FOR-US: Gigamon
 CVE-2020-12251 (An issue was discovered in Gigamon GigaVUE 5.5.01.11. The upload funct ...)
-	TODO: check
+	NOT-FOR-US: Gigamon
 CVE-2020-12250
 	RESERVED
 CVE-2020-12249
@@ -560,7 +562,7 @@ CVE-2020-12248
 CVE-2020-12247
 	RESERVED
 CVE-2020-12246 (Beeline Smart Box 2.0.38 routers allow "Advanced settings > Other & ...)
-	TODO: check
+	NOT-FOR-US: Beeline Smart Box
 CVE-2020-12245 (Grafana before 6.7.3 allows table-panel XSS via column.title or cellLi ...)
 	- grafana <removed>
 	NOTE: https://github.com/grafana/grafana/pull/23816



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0ccb8adf5cfbcc810be720d9b93252befc419cb

-- 
You're receiving this email because of your account on salsa.debian.org.

