[Git][security-tracker-team/security-tracker][master] 2 commits: Process NFUs
Salvatore Bonaccorso
carnil at debian.org
Sun Nov 1 08:38:41 GMT 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e0099239 by Salvatore Bonaccorso at 2020-11-01T09:37:59+01:00
Process NFUs
- - - - -
309e46a2 by Salvatore Bonaccorso at 2020-11-01T09:38:15+01:00
Add new issues for nextcloud-server (itp'ed)
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,7 +1,7 @@
CVE-2020-28042 (ServiceStack before 5.9.2 mishandles JWT signature verification unless ...)
TODO: check
CVE-2020-28041 (The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 ...)
- TODO: check
+ NOT-FOR-US: Netgear
CVE-2020-28040 (WordPress before 5.5.2 allows CSRF attacks that change a theme's backg ...)
- wordpress <unfixed>
NOTE: https://blog.wpscan.com/2020/10/30/wordpress-5.5.2-security-release.html
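Review bot: CVE-2020-28042 (ServiceStack) at the top of this hunk is left at "TODO: check" while the neighbouring CVE-2020-28041 entry is resolved to "NOT-FOR-US: Netgear"; if the ServiceStack entry was looked at in the same NFU pass, its triage result should be recorded here too, otherwise it stays in the TODO queue for the next pass.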
@@ -25842,7 +25842,7 @@ CVE-2020-15916 (goform/AdvSetLanip endpoint on Tenda AC15 AC1900 15.03.05.19 dev
CVE-2020-15915
RESERVED
CVE-2020-15914 (A cross-site scripting (XSS) vulnerability exists in the Origin Client ...)
- TODO: check
+ NOT-FOR-US: EA Origin Client
CVE-2020-15913
RESERVED
CVE-2020-15912 (** DISPUTED ** Tesla Model 3 vehicles allow attackers to open a door b ...)
@@ -27540,15 +27540,15 @@ CVE-2020-15279
CVE-2020-15278 (Red Discord Bot before version 3.4.1 has an unauthorized privilege esc ...)
NOT-FOR-US: Red Discord Bot
CVE-2020-15277 (baserCMS before version 4.4.1 is affected by Remote Code Execution (RC ...)
- TODO: check
+ NOT-FOR-US: baserCMS
CVE-2020-15276 (baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. A ...)
- TODO: check
+ NOT-FOR-US: baserCMS
CVE-2020-15275
RESERVED
CVE-2020-15274 (In Wiki.js before version 2.5.162, an XSS payload can be injected in a ...)
NOT-FOR-US: Wiki.js
CVE-2020-15273 (baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. T ...)
- TODO: check
+ NOT-FOR-US: baserCMS
CVE-2020-15272 (In the git-tag-annotation-action (open source GitHub Action) before ve ...)
NOT-FOR-US: git-tag-annotation-action
CVE-2020-15271 (In lookatme (python/pypi package) versions prior to 2.3.0, the package ...)
@@ -47200,7 +47200,7 @@ CVE-2020-8238 (A vulnerability in the authenticated user web interface of Pulse
CVE-2020-8237 (Prototype pollution in json-bigint npm package < 1.0.0 may lead to ...)
NOT-FOR-US: Node json-bigint
CVE-2020-8236 (A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the ...)
- TODO: check
+ - nextcloud-server <itp> (bug #941708)
CVE-2020-8235 (Missing access control in Nextcloud Deck 1.0.4 caused an insecure dire ...)
NOT-FOR-US: Nextcloud Deck
CVE-2020-8234 (A vulnerability exists in The EdgeMax EdgeSwitch firmware <v1.9.1 w ...)
@@ -47336,7 +47336,7 @@ CVE-2020-8184 (A reliance on cookies without validation/integrity check security
NOTE: https://hackerone.com/reports/895727
NOTE: Fixed by: https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c
CVE-2020-8183 (A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of ...)
- TODO: check
+ - nextcloud-server <itp> (bug #941708)
CVE-2020-8182 (Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to ...)
NOT-FOR-US: Nextcloud Deck
CVE-2020-8181 (A missing file type check in Nextcloud Contacts 3.2.0 allowed a malici ...)
@@ -47367,7 +47367,7 @@ CVE-2020-8174 (napi_get_value_string_*() allows various kinds of memory corrupti
[jessie] - nodejs <end-of-life> (Nodejs in jessie not covered by security support)
NOTE: https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/#napi_get_value_string_-allows-various-kinds-of-memory-corruption-high-cve-2020-8174
CVE-2020-8173 (A too small set of random characters being used for encryption in Next ...)
- TODO: check
+ - nextcloud-server <itp> (bug #941708)
CVE-2020-8172 (TLS session reuse can lead to host certificate verification bypass in ...)
- nodejs <not-affected> (Only affects 12.x and later)
NOTE: https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/#tls-session-reuse-can-lead-to-host-certificate-verification-bypass-high-cve-2020-8172
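Review bot: the three nextcloud-server entries changed in this commit (CVE-2020-8236, CVE-2020-8183 and CVE-2020-8173) get only the package line "- nextcloud-server <itp> (bug #941708)" and no NOTE line with the upstream advisory or fixing commit, unlike the neighbouring CVE-2020-8184 and CVE-2020-8174 entries which carry a NOTE with the upstream reference; adding the upstream advisory reference for each would let the entries be verified against the fixed version once the package is actually uploaded.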
@@ -49359,7 +49359,7 @@ CVE-2020-7375
CVE-2020-7374 (Documalis Free PDF Editor version 5.7.2.26 and Documalis Free PDF Scan ...)
NOT-FOR-US: Documalis Free PDF Editor
CVE-2020-7373 (vBulletin 5.5.4 through 5.6.2 allows remote command execution via craf ...)
- TODO: check
+ NOT-FOR-US: vBulletin
CVE-2020-7372
RESERVED
CVE-2020-7371 (User Interface (UI) Misrepresentation of Critical Information vulnerab ...)
@@ -52965,7 +52965,7 @@ CVE-2020-6016
CVE-2020-6015
RESERVED
CVE-2020-6014 (Check Point Endpoint Security Client for Windows, with Anti-Bot or Thr ...)
- TODO: check
+ NOT-FOR-US: Check Point Endpoint Security Client
CVE-2020-6013 (ZoneAlarm Firewall and Antivirus products before version 15.8.109.1843 ...)
NOT-FOR-US: ZoneAlarm
CVE-2020-6012 (ZoneAlarm Anti-Ransomware before version 1.0.713 copies files for the ...)
@@ -54237,7 +54237,7 @@ CVE-2020-5427
CVE-2020-5426
RESERVED
CVE-2020-5425 (Single Sign-On for Vmware Tanzu all versions prior to 1.11.3 ,1.12.x v ...)
- TODO: check
+ NOT-FOR-US: Vmware
CVE-2020-5424
RESERVED
CVE-2020-5423
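Review bot: "NOT-FOR-US: Vmware" for CVE-2020-5425 is less specific than the other NOT-FOR-US entries in this commit, which name the affected product (e.g. "NOT-FOR-US: EA Origin Client", "NOT-FOR-US: Check Point Endpoint Security Client"); the description itself reads "Single Sign-On for Vmware Tanzu", so "NOT-FOR-US: VMware Tanzu Single Sign-On" would be clearer and uses the vendor's usual spelling.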
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4360691cb759d1f19f5e0f3525a777fbea5514c4...309e46a2a78baa5bf7b419a97932a62de281f166