[Git][security-tracker-team/security-tracker][master] 2 commits: Process some NFUs
Salvatore Bonaccorso
carnil at debian.org
Wed Dec 30 08:31:41 GMT 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2083b028 by Salvatore Bonaccorso at 2020-12-30T09:31:21+01:00
Process some NFUs
- - - - -
f74a565b by Salvatore Bonaccorso at 2020-12-30T09:31:21+01:00
Add CVE-2020-35850/cockpit
Classification could range between unimportant or no-dsa, as Martin Pitt
stated
My initial classification of this is somewhere between
"enhancement" and "mild unexpected security-related issue", so
let's not rush this.
https://github.com/cockpit-project/cockpit/issues/15077#issuecomment-751797360
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -19,15 +19,16 @@ CVE-2021-21435
CVE-2021-21434
RESERVED
CVE-2020-35850 (** DISPUTED ** An SSRF issue was discovered in cockpit-project.org Coc ...)
- TODO: check
+ - cockpit <unfixed>
+ NOTE: https://github.com/cockpit-project/cockpit/issues/15077
CVE-2020-35849
RESERVED
CVE-2020-35848 (Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controll ...)
- TODO: check
+ NOT-FOR-US: Agentejo Cockpit
CVE-2020-35847 (Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controll ...)
- TODO: check
+ NOT-FOR-US: Agentejo Cockpit
CVE-2020-35846 (Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controll ...)
- TODO: check
+ NOT-FOR-US: Agentejo Cockpit
CVE-2020-35845
RESERVED
CVE-2020-35844
@@ -6238,7 +6239,7 @@ CVE-2020-29596 (MiniWeb HTTP server 0.8.19 allows remote attackers to cause a de
CVE-2020-29595 (PlugIns\IDE_ACDStd.apl in ACDSee Photo Studio Studio Professional 2021 ...)
NOT-FOR-US: ACDSee Photo Studio Studio Professional
CVE-2020-29594 (Rocket.Chat before 0.74.4, 1.x before 1.3.4, 2.x before 2.4.13, 3.x be ...)
- TODO: check
+ NOT-FOR-US: Rocket.Chat
CVE-2020-29593
RESERVED
CVE-2020-29592
@@ -6783,9 +6784,9 @@ CVE-2020-29473
CVE-2020-29472 (EGavilan Media Under Construction page with cPanel 1.0 contains a SQL ...)
NOT-FOR-US: cPanel
CVE-2020-29471 (OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Prof ...)
- TODO: check
+ NOT-FOR-US: OpenCart
CVE-2020-29470 (OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Subj ...)
- TODO: check
+ NOT-FOR-US: OpenCart
CVE-2020-29469
RESERVED
CVE-2020-29468
@@ -14232,11 +14233,11 @@ CVE-2020-27647
CVE-2020-27646 (Biscom Secure File Transfer (SFT) before 5.1.1082 and 6.x before 6.0.1 ...)
NOT-FOR-US: Biscom Secure File Transfer (SFT)
CVE-2020-27645 (The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unqu ...)
- TODO: check
+ NOT-FOR-US: 1E Client
CVE-2020-27644 (The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unqu ...)
- TODO: check
+ NOT-FOR-US: 1E Client
CVE-2020-27643 (The %PROGRAMDATA%\1E\Client directory in 1E Client 5.0.0.745 and 4.1.0 ...)
- TODO: check
+ NOT-FOR-US: 1E Client
CVE-2020-27642 (A cross-site scripting (XSS) vulnerability exists in the 'merge accoun ...)
NOT-FOR-US: BigBlueButton
CVE-2020-27641
@@ -38248,7 +38249,7 @@ CVE-2020-16269 (radare2 4.5.0 misparses DWARF information in executable files, c
- radare2 <unfixed>
NOTE: https://github.com/radareorg/radare2/issues/17383
CVE-2020-16268 (The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote a ...)
- TODO: check
+ NOT-FOR-US: 1E Client
CVE-2020-16267 (Zoho ManageEngine Applications Manager version 14740 and prior allows ...)
NOT-FOR-US: Zoho ManageEngine Applications Manager
CVE-2020-16266 (An XSS issue was discovered in MantisBT before 2.24.2. Improper escapi ...)
@@ -55916,15 +55917,15 @@ CVE-2020-10212 (upload.php in Responsive FileManager 9.13.4 and 9.14.0 allows SS
CVE-2020-10211 (A remote code execution vulnerability in UCB component of Mitel MiVoic ...)
NOT-FOR-US: Mitel
CVE-2020-10210 (Because of hard-coded SSH keys for the root user in Amino Communicatio ...)
- TODO: check
+ NOT-FOR-US: Amino Communications
CVE-2020-10209 (Command Injection in the CPE WAN Management Protocol (CWMP) registrati ...)
- TODO: check
+ NOT-FOR-US: Amino Communications
CVE-2020-10208 (Command Injection in EntoneWebEngine in Amino Communications AK45x ser ...)
- TODO: check
+ NOT-FOR-US: Amino Communications
CVE-2020-10207 (Use of Hard-coded Credentials in EntoneWebEngine in Amino Communicatio ...)
- TODO: check
+ NOT-FOR-US: Amino Communications
CVE-2020-10206 (Use of a Hard-coded Password in VNCserver in Amino Communications AK45 ...)
- TODO: check
+ NOT-FOR-US: Amino Communications
CVE-2020-10205
RESERVED
CVE-2020-10204 (Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution. ...)
@@ -56085,7 +56086,7 @@ CVE-2020-10150
CVE-2020-10149
RESERVED
CVE-2020-10148 (The SolarWinds Orion API is vulnerable to an authentication bypass tha ...)
- TODO: check
+ NOT-FOR-US: SolarWinds
CVE-2020-10147
RESERVED
CVE-2020-10146 (The Microsoft Teams online service contains a stored cross-site script ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8583d9b17f6b09921081de585a2b2edf3b5df018...f74a565bc1360e66df6b77d707b58155812d05ec
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8583d9b17f6b09921081de585a2b2edf3b5df018...f74a565bc1360e66df6b77d707b58155812d05ec
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20201230/2560ed33/attachment-0001.html>
More information about the debian-security-tracker-commits
mailing list