[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Thu Dec 31 08:10:34 GMT 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b7bdc5f7 by security tracker role at 2020-12-31T08:10:27+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,109 @@
+CVE-2021-21493
+ RESERVED
+CVE-2021-21492
+ RESERVED
+CVE-2021-21491
+ RESERVED
+CVE-2021-21490
+ RESERVED
+CVE-2021-21489
+ RESERVED
+CVE-2021-21488
+ RESERVED
+CVE-2021-21487
+ RESERVED
+CVE-2021-21486
+ RESERVED
+CVE-2021-21485
+ RESERVED
+CVE-2021-21484
+ RESERVED
+CVE-2021-21483
+ RESERVED
+CVE-2021-21482
+ RESERVED
+CVE-2021-21481
+ RESERVED
+CVE-2021-21480
+ RESERVED
+CVE-2021-21479
+ RESERVED
+CVE-2021-21478
+ RESERVED
+CVE-2021-21477
+ RESERVED
+CVE-2021-21476
+ RESERVED
+CVE-2021-21475
+ RESERVED
+CVE-2021-21474
+ RESERVED
+CVE-2021-21473
+ RESERVED
+CVE-2021-21472
+ RESERVED
+CVE-2021-21471
+ RESERVED
+CVE-2021-21470
+ RESERVED
+CVE-2021-21469
+ RESERVED
+CVE-2021-21468
+ RESERVED
+CVE-2021-21467
+ RESERVED
+CVE-2021-21466
+ RESERVED
+CVE-2021-21465
+ RESERVED
+CVE-2021-21464
+ RESERVED
+CVE-2021-21463
+ RESERVED
+CVE-2021-21462
+ RESERVED
+CVE-2021-21461
+ RESERVED
+CVE-2021-21460
+ RESERVED
+CVE-2021-21459
+ RESERVED
+CVE-2021-21458
+ RESERVED
+CVE-2021-21457
+ RESERVED
+CVE-2021-21456
+ RESERVED
+CVE-2021-21455
+ RESERVED
+CVE-2021-21454
+ RESERVED
+CVE-2021-21453
+ RESERVED
+CVE-2021-21452
+ RESERVED
+CVE-2021-21451
+ RESERVED
+CVE-2021-21450
+ RESERVED
+CVE-2021-21449
+ RESERVED
+CVE-2021-21448
+ RESERVED
+CVE-2021-21447
+ RESERVED
+CVE-2021-21446
+ RESERVED
+CVE-2021-21445
+ RESERVED
+CVE-2021-21444
+ RESERVED
+CVE-2020-35856
+ RESERVED
+CVE-2020-35855
+ RESERVED
+CVE-2020-35854
+ RESERVED
CVE-2020-35853
RESERVED
CVE-2020-35852
@@ -255,8 +361,8 @@ CVE-2020-35738 (WavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples i
[buster] - wavpack <no-dsa> (Minor issue)
NOTE: https://github.com/dbry/WavPack/issues/91
NOTE: https://github.com/dbry/WavPack/commit/89df160596132e3bd666322e1c20b2ebd4b92cd0
-CVE-2020-35737
- RESERVED
+CVE-2020-35737 (In Correspondence Management System (corms) in Newgen eGov 12.0, an at ...)
+ TODO: check
CVE-2020-35736 (GateOne 1.1 allows arbitrary file download without authentication via ...)
NOT-FOR-US: GateOne
CVE-2020-35735 (Vidyo 02-09-/D allows clickjacking via the portal/ URI. ...)
@@ -10250,8 +10356,8 @@ CVE-2020-28415 (A reflected cross-site scripting (XSS) vulnerability exists in t
NOT-FOR-US: TranzWare Payment Gateway
CVE-2020-28414 (A reflected cross-site scripting (XSS) vulnerability exists in the Tra ...)
NOT-FOR-US: TranzWare Payment Gateway
-CVE-2020-28413
- RESERVED
+CVE-2020-28413 (In MantisBT 2.24.3, SQL Injection can occur in the parameter "access" ...)
+ TODO: check
CVE-2020-28412
RESERVED
CVE-2020-28411
@@ -12444,8 +12550,8 @@ CVE-2020-28097
RESERVED
CVE-2020-28096 (FOSCAM FHD X1 1.14.2.4 devices allow attackers (with physical UART acc ...)
NOT-FOR-US: FOSCAM FHD
-CVE-2020-28095
- RESERVED
+CVE-2020-28095 (On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, a large HTTP PO ...)
+ TODO: check
CVE-2020-28094 (On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, the default set ...)
NOT-FOR-US: Tenda
CVE-2020-28093 (On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, admin, support, ...)
@@ -14543,8 +14649,8 @@ CVE-2020-27536
RESERVED
CVE-2020-27535
RESERVED
-CVE-2020-27534
- RESERVED
+CVE-2020-27534 (util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 c ...)
+ TODO: check
CVE-2020-27533 (A Cross Site Scripting (XSS) issue was discovered in the search featur ...)
NOT-FOR-US: DedeCMS
CVE-2020-27532
@@ -17293,8 +17399,8 @@ CVE-2020-26298
RESERVED
CVE-2020-26297
RESERVED
-CVE-2020-26296
- RESERVED
+CVE-2020-26296 (Vega is a visualization grammar, a declarative format for creating, sa ...)
+ TODO: check
CVE-2020-26295
RESERVED
CVE-2020-26294
@@ -17303,14 +17409,14 @@ CVE-2020-26293
RESERVED
CVE-2020-26292
RESERVED
-CVE-2020-26291
- RESERVED
+CVE-2020-26291 (URI.js is a javascript URL mutation library (npm package urijs). In UR ...)
+ TODO: check
CVE-2020-26290 (Dex is a federated OpenID Connect provider written in Go. In Dex befor ...)
TODO: check
CVE-2020-26289 (date-and-time is an npm package for manipulating date and time. In dat ...)
TODO: check
-CVE-2020-26288
- RESERVED
+CVE-2020-26288 (Parse Server is an open source backend that can be deployed to any inf ...)
+ TODO: check
CVE-2020-26287 (HedgeDoc is a collaborative platform for writing and sharing markdown. ...)
NOT-FOR-US: HedgeDoc
CVE-2020-26286 (HedgeDoc is a collaborative platform for writing and sharing markdown. ...)
@@ -17433,6 +17539,7 @@ CVE-2020-26239 (Scratch Addons is a WebExtension that supports both Chrome and F
CVE-2020-26238 (Cron-utils is a Java library to parse, validate, migrate crons as well ...)
NOT-FOR-US: cron-utils Java library
CVE-2020-26237 (Highlight.js is a syntax highlighter written in JavaScript. Highlight. ...)
+ {DLA-2511-1}
- highlight.js 9.18.1+dfsg1-3 (bug #976446)
NOTE: https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx
NOTE: https://github.com/highlightjs/highlight.js/pull/2636
@@ -31291,8 +31398,8 @@ CVE-2020-19666
RESERVED
CVE-2020-19665
RESERVED
-CVE-2020-19664
- RESERVED
+CVE-2020-19664 (DrayTek Vigor2960 1.5.1 allows remote command execution via shell meta ...)
+ TODO: check
CVE-2020-19663
RESERVED
CVE-2020-19662
@@ -35978,8 +36085,8 @@ CVE-2020-17365 (Improper directory permissions in the Hotspot Shield VPN client
NOT-FOR-US: Hotspot Shield VPN client for Windows
CVE-2020-17364 (USVN (aka User-friendly SVN) before 1.0.9 allows XSS via SVN logs. ...)
NOT-FOR-US: User-friendly SVN
-CVE-2020-17363
- RESERVED
+CVE-2020-17363 (USVN (aka User-friendly SVN) before 1.0.9 allows remote code execution ...)
+ TODO: check
CVE-2020-17362 (search.php in the Nova Lite theme before 1.3.9 for WordPress allows Re ...)
NOT-FOR-US: Nova Lite theme for WordPress
CVE-2020-17361 (** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in ReadyTalk A ...)
@@ -38585,7 +38692,7 @@ CVE-2020-16134 (An issue was discovered on Swisscom Internet Box 2, Internet Box
CVE-2020-16133
RESERVED
CVE-2020-16132
- RESERVED
+ REJECTED
CVE-2017-18923 (beroNet VoIP Gateways before 3.0.16 have a PHP script that allows down ...)
NOT-FOR-US: beroNet
CVE-2020-16131 (Tiki before 21.2 allows XSS because [\s\/"\'] is not properly consider ...)
@@ -45537,8 +45644,8 @@ CVE-2020-13656 (In Morgan Stanley Hobbes through 2020-05-21, the array implement
NOT-FOR-US: Hobbes
CVE-2020-13655 (An issue was discovered in Collabtive 3.0 and later. managefile.php is ...)
- collabtive <removed>
-CVE-2020-13654
- RESERVED
+CVE-2020-13654 (XWiki Platform before 12.8 mishandles escaping in the property display ...)
+ TODO: check
CVE-2020-13653 (An XSS vulnerability exists in the Webmail component of Zimbra Collabo ...)
NOT-FOR-US: Zimbra
CVE-2020-13652 (An issue was discovered in DigDash 2018R2 before p20200528, 2019R1 bef ...)
@@ -45565,8 +45672,7 @@ CVE-2020-13645 (In GNOME glib-networking through 2.64.2, the implementation of G
NOTE: https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135
NOTE: Updating glib-networking to address CVE-2020-13645 will need a compatibility
NOTE: update as well for balsa (cf. https://bugs.debian.org/961792)
-CVE-2019-20808 [out-of-bounds read in ati_cursor_define() function in hw/display/ati.c leads to DoS]
- RESERVED
+CVE-2019-20808 (In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA imp ...)
- qemu 1:4.2-1
[buster] - qemu <not-affected> (Vulnerable code introduced later)
[stretch] - qemu <not-affected> (Vulnerable code introduced later)
@@ -48059,8 +48165,8 @@ CVE-2020-12659 (An issue was discovered in the Linux kernel before 5.6.7. xdp_um
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/99e3a236dd43d06c65af0a2ef9cb44306aef6e02 (5.7-rc2)
-CVE-2020-12658
- RESERVED
+CVE-2020-12658 (gssproxy (aka gss-proxy) before 0.8.3 does not unlock cond_mutex befor ...)
+ TODO: check
CVE-2020-12657 (An issue was discovered in the Linux kernel before 5.6.5. There is a u ...)
- linux 5.6.7-1
[buster] - linux 4.19.118-1
@@ -49916,8 +50022,8 @@ CVE-2020-11949 (testserver.cgi of the web service on VIVOTEK Network Cameras bef
NOT-FOR-US: VIVOTEK Network Cameras
CVE-2020-11948
RESERVED
-CVE-2020-11947 [heap-based buffer over-read]
- RESERVED
+CVE-2020-11947 (iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buf ...)
+ {DSA-4665-1}
- qemu 1:4.2-7
NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=ff0507c239a246fd7215b31c5658fc6a3ee1e4c5 (v5.0.0-rc4)
CVE-2020-11946 (Zoho ManageEngine OpManager before 125120 allows an unauthenticated us ...)
@@ -53152,8 +53258,8 @@ CVE-2020-11105 (An issue was discovered in USC iLab cereal through 1.3.0. It emp
NOT-FOR-US: USC iLab cereal
CVE-2020-11104 (An issue was discovered in USC iLab cereal through 1.3.0. Serializatio ...)
NOT-FOR-US: USC iLab cereal
-CVE-2020-11103
- RESERVED
+CVE-2020-11103 (JsLink in Webswing before 2.6.12 LTS, and 2.7.x and 20.x before 20.1, ...)
+ TODO: check
CVE-2020-11102 (hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying ...)
- qemu 1:4.2-4 (bug #956145)
[buster] - qemu <not-affected> (Vulnerable code/Tulip NIC emulator added later)
@@ -89210,8 +89316,8 @@ CVE-2019-16749
CVE-2019-16748 (In wolfSSL through 4.1.0, there is a missing sanity check of memory ac ...)
- wolfssl 4.2.0+dfsg-1
NOTE: https://github.com/wolfSSL/wolfssl/issues/2459
-CVE-2019-16747
- RESERVED
+CVE-2019-16747 (In MatrixSSL before 4.2.2 Open, the DTLS server can encounter an inval ...)
+ TODO: check
CVE-2019-16745 (eBrigade before 5.0 has evenement_choice.php chxCal SQL Injection. ...)
NOT-FOR-US: eBrigade
CVE-2019-16744 (eBrigade before 5.0 has evenements.php cid SQL Injection. ...)
@@ -90409,8 +90515,8 @@ CVE-2019-16283
RESERVED
CVE-2019-16282 (In NCH Express Invoice v7.12, persistent cross site scripting (XSS) ex ...)
NOT-FOR-US: NCH Express Invoice
-CVE-2019-16281
- RESERVED
+CVE-2019-16281 (Ptarmigan before 0.2.3 lacks API token validation, e.g., an "if (token ...)
+ TODO: check
CVE-2019-16280
RESERVED
CVE-2019-16279 (A memory error in the function SSL_accept in nostromo nhttpd through 1 ...)
@@ -92822,8 +92928,8 @@ CVE-2019-15525 (There is Missing SSL Certificate Validation in the pw3270 termin
NOT-FOR-US: pw3270 terminal emulator
CVE-2019-15524 (CSZ CMS 1.2.3 allows arbitrary file upload, as demonstrated by a .php ...)
NOT-FOR-US: CSZ CMS
-CVE-2019-15523
- RESERVED
+CVE-2019-15523 (An issue was discovered in LINBIT csync2 through 2.0. It does not corr ...)
+ TODO: check
CVE-2019-15522 (An issue was discovered in LINBIT csync2 through 2.0. csync_daemon_ses ...)
- csync2 2.0-25-gc0faaf9-1 (bug #955445)
[buster] - csync2 2.0-22-gce67c55-1+deb10u1
@@ -94247,12 +94353,12 @@ CVE-2019-15082 (The 360-product-rotation plugin before 1.4.8 for WordPress has r
NOT-FOR-US: Wordpress plugin
CVE-2019-15081 (OpenCart 3.x, when the attacker has login access to the admin panel, a ...)
NOT-FOR-US: OpenCart
-CVE-2019-15080
- RESERVED
-CVE-2019-15079
- RESERVED
-CVE-2019-15078
- RESERVED
+CVE-2019-15080 (An issue was discovered in a smart contract implementation for MORPH T ...)
+ TODO: check
+CVE-2019-15079 (A typo exists in the constructor of a smart contract implementation fo ...)
+ TODO: check
+CVE-2019-15078 (An issue was discovered in a smart contract implementation for AIRDROP ...)
+ TODO: check
CVE-2019-15077
RESERVED
CVE-2019-15076
@@ -102189,8 +102295,8 @@ CVE-2019-12955
RESERVED
CVE-2019-12954 (SolarWinds Network Performance Monitor (Orion Platform 2018, NPM 12.3, ...)
NOT-FOR-US: SolarWinds
-CVE-2019-12953
- RESERVED
+CVE-2019-12953 (Dropbear 2011.54 through 2018.76 has an inconsistent failure delay tha ...)
+ TODO: check
CVE-2019-12952
RESERVED
CVE-2019-12951 (An issue was discovered in Mongoose before 6.15. The parse_mqtt() func ...)
@@ -102702,8 +102808,8 @@ CVE-2019-12770
RESERVED
CVE-2019-12769 (SolarWinds Serv-U Managed File Transfer (MFT) Web client before 15.1.6 ...)
NOT-FOR-US: SolarWinds
-CVE-2019-12768
- RESERVED
+CVE-2019-12768 (An issue was discovered on D-Link DAP-1650 devices through v1.03b07 be ...)
+ TODO: check
CVE-2019-12767 (An issue was discovered on D-Link DAP-1650 devices before 1.04B02_J65H ...)
NOT-FOR-US: D-Link
CVE-2019-12766 (An issue was discovered in Joomla! before 3.9.7. The subform fieldtype ...)
@@ -104357,7 +104463,7 @@ CVE-2019-12157 (In JetBrains TeamCity versions before 2018.2.5 and UpSource vers
NOT-FOR-US: JetBrains TeamCity
CVE-2019-12156 (Server metadata could be exposed because one of the error messages ref ...)
NOT-FOR-US: JetBrains TeamCity
-CVE-2019-12155 (interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NUL ...)
+CVE-2019-12155 (interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4 ...)
{DSA-4454-1 DLA-1927-1}
- qemu 1:3.1+dfsg-8 (bug #929353)
[buster] - qemu 1:3.1+dfsg-8~deb10u1
@@ -117552,10 +117658,10 @@ CVE-2019-7728 (An issue was discovered in the Bosch Smart Camera App before 1.3.
NOT-FOR-US: Bosch Smart Camera App
CVE-2019-7727 (In NICE Engage through 6.5, the default configuration binds an unauthe ...)
NOT-FOR-US: NICE Engage
-CVE-2019-7726
- RESERVED
-CVE-2019-7725
- RESERVED
+CVE-2019-7726 (modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL IN ...)
+ TODO: check
+CVE-2019-7725 (includes/core/is_user.php in NukeViet before 4.3.04 deserializes the u ...)
+ TODO: check
CVE-2019-7724
RESERVED
CVE-2019-7723
@@ -146378,8 +146484,8 @@ CVE-2018-16797 (A heap-based buffer overflow in PotPlayerMini.exe in PotPlayer 1
NOT-FOR-US: PotPlayer
CVE-2018-16796 (HiScout GRC Suite before 3.1.5 allows Unrestricted Upload of Files wit ...)
NOT-FOR-US: HiScout GRC Suite
-CVE-2018-16795
- RESERVED
+CVE-2018-16795 (OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/a ...)
+ TODO: check
CVE-2018-16794 (Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory ...)
NOT-FOR-US: Microsoft ADFS 4.0 Windows Server
CVE-2018-16793 (Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions ...)
@@ -153558,8 +153664,8 @@ CVE-2018-14069 (An issue was discovered in SRCMS V2.3.1. There is a CSRF vulnera
NOT-FOR-US: SRCMS
CVE-2018-14068 (An issue was discovered in SRCMS V2.3.1. There is a CSRF vulnerability ...)
NOT-FOR-US: SRCMS
-CVE-2018-14067
- RESERVED
+CVE-2018-14067 (Green Packet WiMax DV-360 2.10.14-g1.0.6.1 devices allow Command Injec ...)
+ TODO: check
CVE-2018-14066 (The content://wappush content provider in com.android.provider.telepho ...)
NOT-FOR-US: Lenovo
CVE-2018-14065 (XMLReader.php in PHPOffice Common before 0.2.9 allows XXE. ...)
@@ -246042,18 +246148,18 @@ CVE-2016-9028 (Unauthorized redirect vulnerability in Citrix NetScaler ADC befor
NOT-FOR-US: Citrix
CVE-2016-9027
RESERVED
-CVE-2016-9026
- RESERVED
-CVE-2016-9025
- RESERVED
+CVE-2016-9026 (Exponent CMS before 2.6.0 has improper input validation in fileControl ...)
+ TODO: check
+CVE-2016-9025 (Exponent CMS before 2.6.0 has improper input validation in purchaseOrd ...)
+ TODO: check
CVE-2016-9024
RESERVED
-CVE-2016-9023
- RESERVED
-CVE-2016-9022
- RESERVED
-CVE-2016-9021
- RESERVED
+CVE-2016-9023 (Exponent CMS before 2.6.0 has improper input validation in cron/find_h ...)
+ TODO: check
+CVE-2016-9022 (Exponent CMS before 2.6.0 has improper input validation in usersContro ...)
+ TODO: check
+CVE-2016-9021 (Exponent CMS before 2.6.0 has improper input validation in storeContro ...)
+ TODO: check
CVE-2016-9020 (SQL injection vulnerability in framework/modules/help/controllers/help ...)
NOT-FOR-US: Exponent CMS
CVE-2016-9019 (SQL injection vulnerability in the activate_address function in framew ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7bdc5f70e64dfe62b9c86a9911fccac307abaf2
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7bdc5f70e64dfe62b9c86a9911fccac307abaf2
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20201231/1338f162/attachment.html>
More information about the debian-security-tracker-commits
mailing list