[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Wed Jun 24 21:10:25 BST 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ed7480c3 by security tracker role at 2020-06-24T20:10:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,55 @@
+CVE-2020-15027
+	RESERVED
+CVE-2020-15026 (Bludit 3.12.0 allows admins to use a /plugin-backup-download?file=../  ...)
+	TODO: check
+CVE-2020-15025 (ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remo ...)
+	TODO: check
+CVE-2020-15024
+	RESERVED
+CVE-2020-15023
+	RESERVED
+CVE-2020-15022
+	RESERVED
+CVE-2020-15021
+	RESERVED
+CVE-2020-15020
+	RESERVED
+CVE-2020-15019
+	RESERVED
+CVE-2020-15018 (playSMS through 1.4.3 is vulnerable to session fixation. ...)
+	TODO: check
+CVE-2020-15017
+	RESERVED
+CVE-2020-15016
+	RESERVED
+CVE-2020-15015 (The FileExplorer component in GleamTech FileUltimate 6.1.5.0 allows XS ...)
+	TODO: check
+CVE-2020-15014 (pramodmahato BlogCMS through 2019-12-31 has admin/changepass.php CSRF. ...)
+	TODO: check
+CVE-2020-15013
+	RESERVED
+CVE-2020-15012
+	RESERVED
+CVE-2020-15011 (GNU Mailman before 2.1.33 allows arbitrary content injection via the C ...)
+	TODO: check
+CVE-2020-15010
+	RESERVED
+CVE-2020-15009
+	RESERVED
+CVE-2020-15008
+	RESERVED
+CVE-2020-15007 (A buffer overflow in the M_LoadDefaults function in m_misc.c in id Tec ...)
+	TODO: check
+CVE-2020-15006 (Bludit 3.12.0 allows stored XSS via JavaScript code in an SVG document ...)
+	TODO: check
+CVE-2020-15005
+	RESERVED
+CVE-2020-15004
+	RESERVED
+CVE-2020-15003
+	RESERVED
+CVE-2020-15002
+	RESERVED
 CVE-2020-15001
 	RESERVED
 CVE-2020-15000
@@ -1074,10 +1126,10 @@ CVE-2020-14475 (A reflected cross-site scripting (XSS) vulnerability in Dolibarr
 	NOTE: https://github.com/Dolibarr/dolibarr/commit/22ca5e067189bffe8066df26df923a386f044c08
 CVE-2020-14474
 	RESERVED
-CVE-2020-14473
-	RESERVED
-CVE-2020-14472
-	RESERVED
+CVE-2020-14473 (Stack-based buffer overflow vulnerability in Vigor3900, Vigor2960, and ...)
+	TODO: check
+CVE-2020-14472 (DrayTek Vigor3900, Vigor2960, and Vigor300B with firmware before 1.5.1 ...)
+	TODO: check
 CVE-2020-14471
 	RESERVED
 CVE-2020-14470 (In Octopus Deploy 2018.8.0 through 2019.x before 2019.12.2, an authent ...)
@@ -2213,10 +2265,10 @@ CVE-2020-14097
 	RESERVED
 CVE-2020-14096
 	RESERVED
-CVE-2020-14095
-	RESERVED
-CVE-2020-14094
-	RESERVED
+CVE-2020-14095 (In Xiaomi router R3600, ROM version<1.0.20, a connect service suffe ...)
+	TODO: check
+CVE-2020-14094 (In Xiaomi router R3600, ROM version<1.0.20, the connection service  ...)
+	TODO: check
 CVE-2019-20838 (libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT w ...)
 	- pcre3 <unfixed> (unimportant)
 	NOTE: Fixed by: https://vcs.pcre.org/pcre?view=revision&revision=1740 (8.43)
@@ -2444,16 +2496,16 @@ CVE-2020-14020
 CVE-2020-14019 (Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/targ ...)
 	- python-rtslib-fb <unfixed>
 	NOTE: https://github.com/open-iscsi/rtslib-fb/pull/162
-CVE-2020-14018
-	RESERVED
-CVE-2020-14017
-	RESERVED
-CVE-2020-14016
-	RESERVED
-CVE-2020-14015
-	RESERVED
-CVE-2020-14014
-	RESERVED
+CVE-2020-14018 (An issue was discovered in Navigate CMS 2.9 r1433. There is a stored X ...)
+	TODO: check
+CVE-2020-14017 (An issue was discovered in Navigate CMS 2.9 r1433. Sessions, as well a ...)
+	TODO: check
+CVE-2020-14016 (An issue was discovered in Navigate CMS 2.9 r1433. The forgot-password ...)
+	TODO: check
+CVE-2020-14015 (An issue was discovered in Navigate CMS 2.9 r1433. When performing a p ...)
+	TODO: check
+CVE-2020-14014 (An issue was discovered in Navigate CMS 2.9 r1433. The query parameter ...)
+	TODO: check
 CVE-2020-14013
 	RESERVED
 CVE-2020-14012 (scp/categories.php in osTicket 1.14.2 allows XSS via a Knowledgebase C ...)
@@ -2466,12 +2518,12 @@ CVE-2020-14009
 	RESERVED
 CVE-2020-14008
 	RESERVED
-CVE-2020-14007
-	RESERVED
-CVE-2020-14006
-	RESERVED
-CVE-2020-14005
-	RESERVED
+CVE-2020-14007 (Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF ...)
+	TODO: check
+CVE-2020-14006 (Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF ...)
+	TODO: check
+CVE-2020-14005 (Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF ...)
+	TODO: check
 CVE-2020-14004 (An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dir ...)
 	- icinga2 <unfixed>
 	[jessie] - icinga2 <not-affected> (prepare-dirs script not shipped)
@@ -3273,8 +3325,8 @@ CVE-2020-13702 (** DISPUTED ** The Rolling Proximity Identifier used in the Appl
 	NOT-FOR-US: Apple/Google Exposure Notification API
 CVE-2020-13701
 	RESERVED
-CVE-2020-13700
-	RESERVED
+CVE-2020-13700 (An issue was discovered in the acf-to-rest-api plugin through 3.1.0 fo ...)
+	TODO: check
 CVE-2020-13699
 	RESERVED
 CVE-2020-13698
@@ -3769,10 +3821,10 @@ CVE-2020-13486 (The Knock Knock plugin before 1.2.8 for Craft CMS allows malicio
 	NOT-FOR-US: Craft CMS plugin
 CVE-2020-13485 (The Knock Knock plugin before 1.2.8 for Craft CMS allows IP Whitelist  ...)
 	NOT-FOR-US: Craft CMS plugin
-CVE-2020-13484
-	RESERVED
-CVE-2020-13483
-	RESERVED
+CVE-2020-13484 (Bitrix24 through 20.0.975 allows SSRF via an intranet IP address in th ...)
+	TODO: check
+CVE-2020-13483 (The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via ...)
+	TODO: check
 CVE-2020-13482 (EM-HTTP-Request 1.1.5 uses the library eventmachine in an insecure way ...)
 	NOT-FOR-US: EM-HTTP-Request
 CVE-2020-13481
@@ -3851,8 +3903,8 @@ CVE-2020-13445 (In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pa
 	NOT-FOR-US: Liferay
 CVE-2020-13444 (Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 9 ...)
 	NOT-FOR-US: Liferay
-CVE-2020-13443
-	RESERVED
+CVE-2020-13443 (ExpressionEngine before 5.3.2 allows remote attackers to upload and ex ...)
+	TODO: check
 CVE-2020-13442 (A Remote code execution vulnerability exists in DEXT5Upload in DEXT5 t ...)
 	NOT-FOR-US: DEXT5
 CVE-2020-13441
@@ -4314,8 +4366,8 @@ CVE-2020-13249 (libmariadb/mariadb_lib.c in MariaDB Connector/C before 3.1.8 doe
 	- mariadb-10.1 <not-affected> (Vulnerable code introduced later)
 	NOTE: Fixed by: https://github.com/mariadb-corporation/mariadb-connector-c/commit/2759b87d72926b7c9b5426437a7c8dd15ff57945 (v3.1.8)
 	NOTE: Introduced around: https://github.com/mariadb-corporation/mariadb-connector-c/commit/b4efe73c9e725f97b3550371f8a78a10a20bf2fd (v3.0-cc-server-integ-0)
-CVE-2020-13248
-	RESERVED
+CVE-2020-13248 (BooleBox Secure File Sharing Utility (potentially all versions) allows ...)
+	TODO: check
 CVE-2020-13247
 	RESERVED
 CVE-2020-13246 (An issue was discovered in Gitea through 1.11.5. An attacker can trigg ...)
@@ -5130,55 +5182,49 @@ CVE-2020-12869
 	RESERVED
 CVE-2020-12868
 	RESERVED
-CVE-2020-12867 (A NULL pointer dereference in sanei_epson_net_read in SANE Backends th ...)
+CVE-2020-12867 (A NULL pointer dereference in sanei_epson_net_read in SANE Backends be ...)
 	{DLA-2231-1}
 	[experimental] - sane-backends 1.0.30-1~experimental1
 	- sane-backends <unfixed> (bug #961302)
 	NOTE: https://gitlab.com/sane-project/backends/-/issues/279
 	NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-1-ghsl-2020-075-null-pointer-dereference-in-sanei_epson_net_read
 	NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html
-CVE-2020-12866
-	RESERVED
+CVE-2020-12866 (A NULL pointer dereference in SANE Backends before 1.0.30 allows a mal ...)
 	[experimental] - sane-backends 1.0.30-1~experimental1
 	- sane-backends <unfixed> (bug #961302)
 	[jessie] - sane-backends <not-affected> (epsonds backend was added in 1.0.25)
 	NOTE: https://gitlab.com/sane-project/backends/-/issues/279
 	NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-2-ghsl-2020-079-null-pointer-dereference-in-epsonds_net_read
 	NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html
-CVE-2020-12865
-	RESERVED
+CVE-2020-12865 (A heap buffer overflow in SANE Backends before 1.0.30 may allow a mali ...)
 	[experimental] - sane-backends 1.0.30-1~experimental1
 	- sane-backends <unfixed> (bug #961302)
 	[jessie] - sane-backends <not-affected> (epsonds backend was added in 1.0.25)
 	NOTE: https://gitlab.com/sane-project/backends/-/issues/279
 	NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-9-ghsl-2020-084-buffer-overflow-in-esci2_img
 	NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html
-CVE-2020-12864
-	RESERVED
+CVE-2020-12864 (An out-of-bounds read in SANE Backends before 1.0.30 may allow a malic ...)
 	[experimental] - sane-backends 1.0.30-1~experimental1
 	- sane-backends <unfixed> (bug #961302)
 	[jessie] - sane-backends <not-affected> (epsonds backend was added in 1.0.25)
 	NOTE: https://gitlab.com/sane-project/backends/-/issues/279
 	NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-4-ghsl-2020-081-reading-uninitialized-data-in-epsonds_net_read
 	NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html
-CVE-2020-12863
-	RESERVED
+CVE-2020-12863 (An out-of-bounds read in SANE Backends before 1.0.30 may allow a malic ...)
 	[experimental] - sane-backends 1.0.30-1~experimental1
 	- sane-backends <unfixed> (bug #961302)
 	[jessie] - sane-backends <not-affected> (epsonds backend was added in 1.0.25)
 	NOTE: https://gitlab.com/sane-project/backends/-/issues/279
 	NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-7-ghsl-2020-083-out-of-bounds-read-in-esci2_check_header
 	NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html
-CVE-2020-12862
-	RESERVED
+CVE-2020-12862 (An out-of-bounds read in SANE Backends before 1.0.30 may allow a malic ...)
 	[experimental] - sane-backends 1.0.30-1~experimental1
 	- sane-backends <unfixed> (bug #961302)
 	[jessie] - sane-backends <not-affected> (epsonds backend was added in 1.0.25)
 	NOTE: https://gitlab.com/sane-project/backends/-/issues/279
 	NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-5-ghsl-2020-082-out-of-bounds-read-in-decode_binary
 	NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html
-CVE-2020-12861
-	RESERVED
+CVE-2020-12861 (A heap buffer overflow in SANE Backends before 1.0.30 allows a malicio ...)
 	[experimental] - sane-backends 1.0.30-1~experimental1
 	- sane-backends <unfixed> (bug #961302)
 	[jessie] - sane-backends <not-affected> (epsonds backend was added in 1.0.25)
@@ -7418,12 +7464,12 @@ CVE-2020-11963 (IQrouter through 3.3.1, when unconfigured, has multiple remote c
 	NOT-FOR-US: IQrouter
 CVE-2020-11962
 	RESERVED
-CVE-2020-11961
-	RESERVED
-CVE-2020-11960
-	RESERVED
-CVE-2020-11959
-	RESERVED
+CVE-2020-11961 (Xiaomi router R3600 ROM before 1.0.50 is affected by a sensitive infor ...)
+	TODO: check
+CVE-2020-11960 (Xiaomi router R3600 ROM before 1.0.50 is affected by a vulnerability w ...)
+	TODO: check
+CVE-2020-11959 (An unsafe configuration of nginx lead to information leak in Xiaomi ro ...)
+	TODO: check
 CVE-2020-11958 (re2c 1.3 has a heap-based buffer overflow in Scanner::fill in parse/sc ...)
 	- re2c <unfixed> (bug #963158)
 	[buster] - re2c <not-affected> (Vulnerability introduced later)
@@ -12585,8 +12631,8 @@ CVE-2020-10563 (An issue was discovered in DEVOME GRR before 3.4.1c. frmcontactl
 	NOT-FOR-US: DEVOME GRR
 CVE-2020-10562 (An issue was discovered in DEVOME GRR before 3.4.1c. admin_edit_room.p ...)
 	NOT-FOR-US: DEVOME GRR
-CVE-2020-10561
-	RESERVED
+CVE-2020-10561 (An issue was discovered on Xiaomi Mi Jia ink-jet printer < 3.4.6_01 ...)
+	TODO: check
 CVE-2020-10560 (An issue was discovered in Open Source Social Network (OSSN) through 5 ...)
 	NOT-FOR-US: Open Source Social Network (OSSN)
 CVE-2020-10559
@@ -14920,8 +14966,8 @@ CVE-2020-9496
 	RESERVED
 CVE-2020-9495 (Apache Archiva login service before 2.2.5 is vulnerable to LDAP inject ...)
 	NOT-FOR-US: Apache Archiva
-CVE-2020-9494
-	RESERVED
+CVE-2020-9494 (Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8. ...)
+	TODO: check
 CVE-2020-9493
 	RESERVED
 CVE-2020-9492
@@ -19356,8 +19402,8 @@ CVE-2020-7669
 	RESERVED
 CVE-2020-7668 (The ExtractTo function doesn't securely escape file paths in zip archi ...)
 	TODO: check
-CVE-2020-7667
-	RESERVED
+CVE-2020-7667 (The CPIO extraction functionality doesn't sanitize the paths of the ar ...)
+	TODO: check
 CVE-2020-7666
 	RESERVED
 CVE-2020-7665
@@ -21180,8 +21226,8 @@ CVE-2020-6872
 	RESERVED
 CVE-2020-6871
 	RESERVED
-CVE-2020-6870
-	RESERVED
+CVE-2020-6870 (The version V12.17.20T115 of ZTE U31R20 product is impacted by a desig ...)
+	TODO: check
 CVE-2020-6869 (All versions up to 10.06 of ZTEMarket APK are impacted by an informati ...)
 	TODO: check
 CVE-2020-6868 (ZTE's PON terminal product is impacted by the access control vulnerabi ...)
@@ -27275,8 +27321,8 @@ CVE-2020-4415 (IBM Spectrum Protect 7.1 and 8.1 server is vulnerable to a stack-
 	NOT-FOR-US: IBM
 CVE-2020-4414
 	RESERVED
-CVE-2020-4413
-	RESERVED
+CVE-2020-4413 (IBM Security Secret Server 10.7 could allow a remote attacker to obtai ...)
+	TODO: check
 CVE-2020-4412 (The Spectrum Scale 4.2.0.0 through 4.2.3.21 and 5.0.0.0 through 5.0.4. ...)
 	NOT-FOR-US: IBM
 CVE-2020-4411 (The Spectrum Scale 4.2.0.0 through 4.2.3.21 and 5.0.0.0 through 5.0.4. ...)
@@ -27417,10 +27463,10 @@ CVE-2020-4344
 	RESERVED
 CVE-2020-4343 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...)
 	NOT-FOR-US: IBM
-CVE-2020-4342
-	RESERVED
-CVE-2020-4341
-	RESERVED
+CVE-2020-4342 (IBM Security Secret Server 10.7 could disclose sensitive information i ...)
+	TODO: check
+CVE-2020-4341 (IBM Security Secret Server 10.7 could allow a remote attacker to obtai ...)
+	TODO: check
 CVE-2020-4340
 	RESERVED
 CVE-2020-4339
@@ -27447,18 +27493,18 @@ CVE-2020-4329 (IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 1
 	NOT-FOR-US: IBM
 CVE-2020-4328
 	RESERVED
-CVE-2020-4327
-	RESERVED
+CVE-2020-4327 (IBM Security Secret Server 10.7 could allow a remote attacker to obtai ...)
+	TODO: check
 CVE-2020-4326
 	RESERVED
 CVE-2020-4325 (The IBM Process Federation Server 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0 ...)
 	NOT-FOR-US: IBM
 CVE-2020-4324
 	RESERVED
-CVE-2020-4323
-	RESERVED
-CVE-2020-4322
-	RESERVED
+CVE-2020-4323 (IBM Security Secret Server 10.7 is vulnerable to cross-site scripting. ...)
+	TODO: check
+CVE-2020-4322 (IBM Security Secret Server 10.7 could allow a remote attacker to hijac ...)
+	TODO: check
 CVE-2020-4321
 	RESERVED
 CVE-2020-4320 (IBM MQ Appliance and IBM MQ AMQP Channels 8.0, 9.0 LTS, 9.1 LTS, and 9 ...)
@@ -27959,8 +28005,8 @@ CVE-2020-4073
 	RESERVED
 CVE-2020-4072
 	RESERVED
-CVE-2020-4071
-	RESERVED
+CVE-2020-4071 (In django-basic-auth-ip-whitelist before 0.3.4, a potential timing att ...)
+	TODO: check
 CVE-2020-4070 (In CSS Validator less than or equal to commit 54d68a1, there is a cros ...)
 	TODO: check
 CVE-2020-4069
@@ -28173,8 +28219,8 @@ CVE-2020-3971
 	RESERVED
 CVE-2020-3970
 	RESERVED
-CVE-2020-3969
-	RESERVED
+CVE-2020-3969 (VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-2 ...)
+	TODO: check
 CVE-2020-3968
 	RESERVED
 CVE-2020-3967
@@ -28187,8 +28233,8 @@ CVE-2020-3964
 	RESERVED
 CVE-2020-3963
 	RESERVED
-CVE-2020-3962
-	RESERVED
+CVE-2020-3962 (VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-2 ...)
+	TODO: check
 CVE-2020-3961 (VMware Horizon Client for Windows (prior to 5.4.3) contains a privileg ...)
 	NOT-FOR-US: VMware
 CVE-2020-3960



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed7480c3ba12f46c5f6141dc5113251b9aeb26e4

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed7480c3ba12f46c5f6141dc5113251b9aeb26e4
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200624/37072b22/attachment-0001.html>


More information about the debian-security-tracker-commits mailing list