[Git][security-tracker-team/security-tracker][master] new dompurify issue, NFUs

Moritz Muehlenhoff jmm at debian.org
Thu Oct 8 12:16:26 BST 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
823e3581 by Moritz Muehlenhoff at 2020-10-08T13:15:56+02:00
new dompurify issue, NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -19,7 +19,7 @@ CVE-2020-26878
 CVE-2020-26877
 	RESERVED
 CVE-2020-26876 (The wp-courses plugin through 2.0.27 for WordPress allows remote attac ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2020-26875
 	RESERVED
 CVE-2020-26874
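Review bot: style point on the new tag for CVE-2020-26876: the CVE description in this hunk spells the product "WordPress", so the line would be more consistent as "NOT-FOR-US: WordPress plugin". The same "Wordpress plugin" string is added for CVE-2020-26596 later in this patch and could be aligned in the same commit.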
@@ -31,7 +31,8 @@ CVE-2020-26872
 CVE-2020-26871
 	RESERVED
 CVE-2020-26870 (Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs becaus ...)
-	TODO: check
+	- dompurify.js <removed>
+	NOTE: https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/
 CVE-2020-26869
 	RESERVED
 CVE-2020-26868
@@ -579,7 +580,7 @@ CVE-2020-26598 (An issue was discovered on LG mobile devices with Android OS 8.0
 CVE-2020-26597 (An issue was discovered on LG mobile devices with Android OS 9.0 and 1 ...)
 	NOT-FOR-US: LG mobile devices
 CVE-2020-26596 (The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for  ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2020-26595
 	RESERVED
 CVE-2020-26594
@@ -1910,7 +1911,7 @@ CVE-2020-25987 (MonoCMS Blog 1.0 stores hard-coded admin hashes in the log.xml f
 CVE-2020-25986 (A Cross Site Request Forgery (CSRF) vulnerability in MonoCMS Blog 1.0  ...)
 	NOT-FOR-US: MonoCMS Blog
 CVE-2020-25985 (MonoCMS Blog 1.0 is affected by: Arbitrary File Deletion. Any authenti ...)
-	TODO: check
+	NOT-FOR-US: MonoCMS Blog
 CVE-2020-25984
 	RESERVED
 CVE-2020-25983
@@ -2150,7 +2151,7 @@ CVE-2020-25869 (An information leak was discovered in MediaWiki before 1.31.10 a
 CVE-2020-25868
 	RESERVED
 CVE-2020-25867 (SoPlanning before 1.47 doesn't correctly check the security key used t ...)
-	TODO: check
+	NOT-FOR-US: SoPlanning
 CVE-2020-25866 (In Wireshark 3.2.0 to 3.2.6 and 3.0.0 to 3.0.13, the BLIP protocol dis ...)
 	- wireshark 3.2.7-1
 	[buster] - wireshark <not-affected> (Vulnerable code not present)
@@ -2398,7 +2399,7 @@ CVE-2020-25770 (An out-of-bounds read information disclosure vulnerabilities in
 CVE-2020-25769
 	RESERVED
 CVE-2020-25768 (Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 hav ...)
-	TODO: check
+	NOT-FOR-US: Contao CMS
 CVE-2020-25767
 	RESERVED
 CVE-2020-25766 (An issue was discovered in MISP before 2.4.132. It can perform an unwa ...)
@@ -3338,7 +3339,7 @@ CVE-2020-25345
 CVE-2020-25344
 	RESERVED
 CVE-2020-25343 (Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow ...)
-	TODO: check
+	NOT-FOR-US: Symphony CMS
 CVE-2020-25342
 	RESERVED
 CVE-2020-25341
@@ -4543,7 +4544,7 @@ CVE-2020-24809
 CVE-2020-24808
 	RESERVED
 CVE-2020-24807 (** UNSUPPORTED WHEN ASSIGNED ** The socket.io-file package through 2.0 ...)
-	TODO: check
+	NOT-FOR-US: Node socket.io-file
 CVE-2020-24806
 	RESERVED
 CVE-2020-24805
@@ -4718,7 +4719,7 @@ CVE-2020-24724
 CVE-2020-24723
 	RESERVED
 CVE-2020-24722 (** DISPUTED ** An issue was discovered in the GAEN (aka Google/Apple E ...)
-	TODO: check
+	NOT-FOR-US: GAEN (Google Apple Encounter Notification) protocol
 CVE-2020-24721 (An issue was discovered in the GAEN (aka Google/Apple Exposure Notific ...)
 	NOT-FOR-US: GAEN (Google Apple Encounter Notification) protocol
 CVE-2020-24720
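Review bot: the expansion in the new NOT-FOR-US line for CVE-2020-24722 reads "Google Apple Encounter Notification", but the CVE description in the same hunk says "Google/Apple Exposure Notific...". Suggest "NOT-FOR-US: GAEN (Google/Apple Exposure Notification) protocol". The unchanged entry for CVE-2020-24721 directly below carries the same wording and could be corrected here as well.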
@@ -5771,7 +5772,7 @@ CVE-2020-24248
 CVE-2020-24247
 	RESERVED
 CVE-2020-24246 (Peplink Balance before 8.1.0rc1 allows an unauthenticated attacker to  ...)
-	TODO: check
+	NOT-FOR-US: Peplink Balance
 CVE-2020-24245
 	RESERVED
 CVE-2020-24244
@@ -19176,7 +19177,7 @@ CVE-2020-17553
 CVE-2020-17552
 	RESERVED
 CVE-2020-17551 (ImpressCMS 1.4.0 is affected by XSS in modules/system/admin.php which  ...)
-	TODO: check
+	NOT-FOR-US: ImpressCMS
 CVE-2020-17550
 	RESERVED
 CVE-2020-17549
@@ -23883,7 +23884,7 @@ CVE-2020-15502 (** DISPUTED ** The DuckDuckGo application through 5.58.0 for And
 CVE-2019-20894 (Traefik 2.x, in certain configurations, allows HTTPS sessions to proce ...)
 	NOT-FOR-US: Traefik
 CVE-2020-15501 (** UNSUPPORTED WHEN ASSIGNED ** Smarter Coffee Maker before 2nd genera ...)
-	TODO: check
+	NOT-FOR-US: Smarter Coffee Maker
 CVE-2020-15500 (An issue was discovered in server.js in TileServer GL through 3.0.0. T ...)
 	NOT-FOR-US: TileServer GL
 CVE-2020-15499 (An issue was discovered on ASUS RT-AC1900P routers before 3.0.0.4.385_ ...)
@@ -24491,15 +24492,15 @@ CVE-2020-15241
 CVE-2020-15240
 	RESERVED
 CVE-2020-15239 (In xmpp-http-upload before version 0.4.0, when the GET method is attac ...)
-	TODO: check
+	NOT-FOR-US: xmpp-http-upload
 CVE-2020-15238
 	RESERVED
 CVE-2020-15237 (In Shrine before version 3.3.0, when using the `derivation_endpoint` p ...)
-	TODO: check
+	NOT-FOR-US: Shrine
 CVE-2020-15236 (In Wiki.js before version 2.5.151, directory traversal outside of Wiki ...)
-	TODO: check
+	NOT-FOR-US: Wiki.js
 CVE-2020-15235 (In RACTF before commit f3dc89b, unauthenticated users are able to get  ...)
-	TODO: check
+	NOT-FOR-US: RACTF
 CVE-2020-15234 (ORY Fosite is a security first OAuth2 & OpenID Connect framework f ...)
 	NOT-FOR-US: ORY Fosite
 CVE-2020-15233 (ORY Fosite is a security first OAuth2 & OpenID Connect framework f ...)
@@ -24518,7 +24519,7 @@ CVE-2020-15227 (Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.
 	- php-nette <removed>
 	NOTE: https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
 CVE-2020-15226 (In GLPI before version 9.5.2, there is a SQL Injection in the API's se ...)
-	TODO: check
+	- glpi <removed>
 CVE-2020-15225
 	RESERVED
 CVE-2020-15224
@@ -24536,13 +24537,13 @@ CVE-2020-15219
 CVE-2020-15218
 	RESERVED
 CVE-2020-15217 (In GLPI before version 9.5.2, there is a leakage of user information t ...)
-	TODO: check
+	- glpi <removed>
 CVE-2020-15216 (In goxmldsig (XML Digital Signatures implemented in pure Go) before ve ...)
 	- golang-github-russellhaering-goxmldsig <unfixed> (bug #971615)
 	NOTE: https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
 	NOTE: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
 CVE-2020-15215 (Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2 is vuln ...)
-	TODO: check
+	- electron <itp> (bug #842420)
 CVE-2020-15214 (In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segme ...)
 	- tensorflow <itp> (bug #804612)
 CVE-2020-15213 (In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segme ...)
@@ -24618,13 +24619,13 @@ CVE-2020-15179 (The ScratchSig extension for MediaWiki before version 1.0.1 allo
 CVE-2020-15178 (In PrestaShop contactform module (prestashop/contactform) before versi ...)
 	NOT-FOR-US: PrestaShop
 CVE-2020-15177 (In GLPI before version 9.5.2, the `install/install.php` endpoint insec ...)
-	TODO: check
+	- glpi <removed>
 CVE-2020-15176 (In GLPI before version 9.5.2, when supplying a back tick in input that ...)
-	TODO: check
+	- glpi <removed>
 CVE-2020-15175 (In GLPI before version 9.5.2, the `​pluginimage.send.php​` ...)
-	TODO: check
+	- glpi <removed>
 CVE-2020-15174 (In Electron before versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 the  ...)
-	TODO: check
+	- electron <itp> (bug #842420)
 CVE-2020-15173 (In ACCEL-PPP (an implementation of PPTP/PPPoE/L2TP/SSTP), there is a b ...)
 	NOT-FOR-US: ACCEL-PPP
 CVE-2020-15172 (The Act module for Red Discord Bot before commit 6b9f3b86 is vulnerabl ...)
@@ -27376,7 +27377,7 @@ CVE-2020-14185
 CVE-2020-14184
 	RESERVED
 CVE-2020-14183 (Affected versions of Jira Server & Data Center allow a remote atta ...)
-	TODO: check
+	NOT-FOR-US: Atlassian
 CVE-2020-14182
 	RESERVED
 CVE-2020-14181 (Affected versions of Atlassian Jira Server and Data Center allow an un ...)
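Review bot: the new tag for CVE-2020-14183 reads just "NOT-FOR-US: Atlassian", while every other NOT-FOR-US line in this patch names the affected product. Suggest "NOT-FOR-US: Atlassian Jira Server and Data Center", matching the description on that line and on the CVE-2020-14181 entry below it.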



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/823e35819d5e377034672a1544fe82e27a2bd084
