[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Mon Apr 5 21:10:28 BST 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f3ac9d21 by security tracker role at 2021-04-05T20:10:20+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,7 @@
+CVE-2021-30129
+ RESERVED
+CVE-2021-30128
+ RESERVED
CVE-2021-30127 (TerraMaster F2-210 devices through 2021-04-03 use UPnP to make the adm ...)
TODO: check
CVE-2021-30126 (Lightmeter ControlCenter 1.1.0 through 1.5.x before 1.5.1 allows anyon ...)
@@ -34,8 +38,8 @@ CVE-2021-30111
RESERVED
CVE-2021-30110
RESERVED
-CVE-2021-30109
- RESERVED
+CVE-2021-30109 (Froala Editor 3.2.6 is affected by Cross Site Scripting (XSS). Under c ...)
+ TODO: check
CVE-2021-30108
RESERVED
CVE-2021-30107
@@ -136,14 +140,14 @@ CVE-2021-30060
RESERVED
CVE-2021-30059
RESERVED
-CVE-2021-30058
- RESERVED
-CVE-2021-30057
- RESERVED
-CVE-2021-30056
- RESERVED
-CVE-2021-30055
- RESERVED
+CVE-2021-30058 (Knowage Suite before 7.4 is vulnerable to cross-site scripting (XSS). ...)
+ TODO: check
+CVE-2021-30057 (A stored HTML injection vulnerability exists in Knowage Suite version ...)
+ TODO: check
+CVE-2021-30056 (Knowage Suite before 7.4 is vulnerable to reflected cross-site scripti ...)
+ TODO: check
+CVE-2021-30055 (A SQL injection vulnerability in Knowage Suite version 7.1 exists in t ...)
+ TODO: check
CVE-2021-30054
RESERVED
CVE-2021-30053
@@ -259,8 +263,8 @@ CVE-2021-29998
RESERVED
CVE-2021-29997
RESERVED
-CVE-2021-29996
- RESERVED
+CVE-2021-29996 (Mark Text through 0.16.3 allows attackers arbitrary command execution. ...)
+ TODO: check
CVE-2021-29995
RESERVED
CVE-2021-29994
@@ -4460,6 +4464,7 @@ CVE-2021-28374 (The Debian courier-authlib package before 0.71.1-2 for Courier A
NOTE: debian/courier-authdaemon.tmpfiles in 0.66.4-2.
CVE-2021-3426 [Running `pydoc -p` allows other local users to extract arbitrary files. The `/getfile?key=path` URL allows to read arbitrary file on the filesystem.]
RESERVED
+ {DLA-2619-1}
[experimental] - python3.9 3.9.3-1
- python3.9 <unfixed>
[bullseye] - python3.9 <no-dsa> (Minor issue)
@@ -11225,6 +11230,7 @@ CVE-2021-3178 (** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10
NOTE: https://patchwork.kernel.org/project/linux-nfs/patch/20210111210129.GA11652@fieldses.org/
NOTE: Disputed/mild security relevance/impact
CVE-2021-3177 (Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctyp ...)
+ {DLA-2619-1}
- python3.9 3.9.1-3
- python3.8 <removed>
- python3.7 <removed>
@@ -13565,30 +13571,30 @@ CVE-2021-24214
RESERVED
CVE-2021-24213
RESERVED
-CVE-2021-24212
- RESERVED
-CVE-2021-24211
- RESERVED
-CVE-2021-24210
- RESERVED
-CVE-2021-24209
- RESERVED
-CVE-2021-24208
- RESERVED
-CVE-2021-24207
- RESERVED
-CVE-2021-24206
- RESERVED
-CVE-2021-24205
- RESERVED
-CVE-2021-24204
- RESERVED
-CVE-2021-24203
- RESERVED
-CVE-2021-24202
- RESERVED
-CVE-2021-24201
- RESERVED
+CVE-2021-24212 (The WooCommerce Help Scout WordPress plugin before 2.9.1 (https://wooc ...)
+ TODO: check
+CVE-2021-24211 (The WordPress Related Posts plugin through 3.6.4 contains an authentic ...)
+ TODO: check
+CVE-2021-24210 (There is an open redirect in the PhastPress WordPress plugin before 1. ...)
+ TODO: check
+CVE-2021-24209 (The WP Super Cache WordPress plugin before 1.7.2 was affected by an au ...)
+ TODO: check
+CVE-2021-24208 (The editor of the WP Page Builder WordPress plugin before 1.2.4 allows ...)
+ TODO: check
+CVE-2021-24207 (By default, the WP Page Builder WordPress plugin before 1.2.4 allows s ...)
+ TODO: check
+CVE-2021-24206 (In the Elementor Website Builder WordPress plugin before 3.1.4, the im ...)
+ TODO: check
+CVE-2021-24205 (In the Elementor Website Builder WordPress plugin before 3.1.4, the ic ...)
+ TODO: check
+CVE-2021-24204 (In the Elementor Website Builder WordPress plugin before 3.1.4, the ac ...)
+ TODO: check
+CVE-2021-24203 (In the Elementor Website Builder WordPress plugin before 3.1.4, the di ...)
+ TODO: check
+CVE-2021-24202 (In the Elementor Website Builder WordPress plugin before 3.1.4, the he ...)
+ TODO: check
+CVE-2021-24201 (In the Elementor Website Builder WordPress plugin before 3.1.4, the co ...)
+ TODO: check
CVE-2021-24200
RESERVED
CVE-2021-24199
@@ -13597,8 +13603,8 @@ CVE-2021-24198
RESERVED
CVE-2021-24197
RESERVED
-CVE-2021-24196
- RESERVED
+CVE-2021-24196 (The Social Slider Widget WordPress plugin before 1.8.5 allowed Authent ...)
+ TODO: check
CVE-2021-24195
RESERVED
CVE-2021-24194
@@ -13615,82 +13621,82 @@ CVE-2021-24189
RESERVED
CVE-2021-24188
RESERVED
-CVE-2021-24187
- RESERVED
-CVE-2021-24186
- RESERVED
-CVE-2021-24185
- RESERVED
-CVE-2021-24184
- RESERVED
-CVE-2021-24183
- RESERVED
-CVE-2021-24182
- RESERVED
-CVE-2021-24181
- RESERVED
-CVE-2021-24180
- RESERVED
+CVE-2021-24187 (The setting page of the SEO Redirection Plugin – 301 Redirect Ma ...)
+ TODO: check
+CVE-2021-24186 (The tutor_answering_quiz_question/get_answer_by_id function pair from ...)
+ TODO: check
+CVE-2021-24185 (The tutor_place_rating AJAX action from the Tutor LMS – eLearnin ...)
+ TODO: check
+CVE-2021-24184 (Several AJAX endpoints in the Tutor LMS – eLearning and online c ...)
+ TODO: check
+CVE-2021-24183 (The tutor_quiz_builder_get_question_form AJAX action from the Tutor LM ...)
+ TODO: check
+CVE-2021-24182 (The tutor_quiz_builder_get_answers_by_question AJAX action from the Tu ...)
+ TODO: check
+CVE-2021-24181 (The tutor_mark_answer_as_correct AJAX action from the Tutor LMS – ...)
+ TODO: check
+CVE-2021-24180 (Unvalidated input and lack of output encoding within the Related Posts ...)
+ TODO: check
CVE-2021-24179
RESERVED
CVE-2021-24178
RESERVED
-CVE-2021-24177
- RESERVED
-CVE-2021-24176
- RESERVED
-CVE-2021-24175
- RESERVED
-CVE-2021-24174
- RESERVED
-CVE-2021-24173
- RESERVED
-CVE-2021-24172
- RESERVED
-CVE-2021-24171
- RESERVED
-CVE-2021-24170
- RESERVED
-CVE-2021-24169
- RESERVED
-CVE-2021-24168
- RESERVED
-CVE-2021-24167
- RESERVED
-CVE-2021-24166
- RESERVED
-CVE-2021-24165
- RESERVED
-CVE-2021-24164
- RESERVED
-CVE-2021-24163
- RESERVED
-CVE-2021-24162
- RESERVED
-CVE-2021-24161
- RESERVED
-CVE-2021-24160
- RESERVED
-CVE-2021-24159
- RESERVED
-CVE-2021-24158
- RESERVED
-CVE-2021-24157
- RESERVED
-CVE-2021-24156
- RESERVED
-CVE-2021-24155
- RESERVED
-CVE-2021-24154
- RESERVED
-CVE-2021-24153
- RESERVED
-CVE-2021-24152
- RESERVED
+CVE-2021-24177 (In the default configuration of the File Manager WordPress plugin befo ...)
+ TODO: check
+CVE-2021-24176 (The JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the re ...)
+ TODO: check
+CVE-2021-24175 (The Plus Addons for Elementor Page Builder WordPress plugin before 4.1 ...)
+ TODO: check
+CVE-2021-24174 (The Database Backups WordPress plugin through 1.2.2.6 does not have CS ...)
+ TODO: check
+CVE-2021-24173 (The VM Backups WordPress plugin through 1.0 does not have CSRF checks, ...)
+ TODO: check
+CVE-2021-24172 (The VM Backups WordPress plugin through 1.0 does not have CSRF checks, ...)
+ TODO: check
+CVE-2021-24171 (The WooCommerce Upload Files WordPress plugin before 59.4 ran a single ...)
+ TODO: check
+CVE-2021-24170 (The REST API endpoint get_users in the User Profile Picture WordPress ...)
+ TODO: check
+CVE-2021-24169 (This Advanced Order Export For WooCommerce WordPress plugin before 3.1 ...)
+ TODO: check
+CVE-2021-24168 (The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not prop ...)
+ TODO: check
+CVE-2021-24167 (When visiting a site running Web-Stat < 1.4.0, the "wts_web_stat_lo ...)
+ TODO: check
+CVE-2021-24166 (The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form R ...)
+ TODO: check
+CVE-2021-24165 (In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp ...)
+ TODO: check
+CVE-2021-24164 (In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low- ...)
+ TODO: check
+CVE-2021-24163 (The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, di ...)
+ TODO: check
+CVE-2021-24162 (In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, a ...)
+ TODO: check
+CVE-2021-24161 (In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, a ...)
+ TODO: check
+CVE-2021-24160 (In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, s ...)
+ TODO: check
+CVE-2021-24159 (Due to the lack of sanitization and lack of nonce protection on the cu ...)
+ TODO: check
+CVE-2021-24158 (Orbit Fox by ThemeIsle has a feature to add a registration form to bot ...)
+ TODO: check
+CVE-2021-24157 (Orbit Fox by ThemeIsle has a feature to add custom scripts to the head ...)
+ TODO: check
+CVE-2021-24156 (Stored Cross-Site Scripting vulnerabilities in Testimonial Rotator 3.0 ...)
+ TODO: check
+CVE-2021-24155 (The WordPress Backup and Migrate Plugin – Backup Guard WordPress ...)
+ TODO: check
+CVE-2021-24154 (The Theme Editor WordPress plugin before 2.6 did not validate the GET ...)
+ TODO: check
+CVE-2021-24153 (A Stored Cross-Site Scripting vulnerability was discovered in the Yoas ...)
+ TODO: check
+CVE-2021-24152 (The "All Subscribers" setting page of Popup Builder was vulnerable to ...)
+ TODO: check
CVE-2021-24151
RESERVED
-CVE-2021-24150
- RESERVED
+CVE-2021-24150 (The LikeBtn WordPress Like Button Rating ♥ LikeBtn WordPress plu ...)
+ TODO: check
CVE-2021-24149 (Unvalidated input in the Modern Events Calendar Lite WordPress plugin, ...)
NOT-FOR-US: Modern Events Calendar Lite WordPress plugin
CVE-2021-24148 (A business logic issue in the MStore API WordPress plugin, versions be ...)
@@ -15570,7 +15576,7 @@ CVE-2021-23337 (Lodash versions prior to 4.17.21 are vulnerable to Command Injec
[stretch] - node-lodash <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-1040724
CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0 and be ...)
- {DLA-2569-1}
+ {DLA-2619-1 DLA-2569-1}
- python-django 2:2.2.19-1 (bug #983090)
[buster] - python-django <no-dsa> (Minor issue; can be fixed via point release)
- python3.9 3.9.2-1
@@ -20915,6 +20921,7 @@ CVE-2021-21411 (OAuth2-Proxy is an open source reverse proxy that provides authe
CVE-2021-21410
RESERVED
CVE-2021-21409 (Netty is an open-source, asynchronous event-driven network application ...)
+ {DSA-4885-1}
- netty 1:4.1.48-4 (bug #986217)
[stretch] - netty <ignored> (Minor issue, fix requires major changes of HTTP2 module)
NOTE: Fixed by: https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432
@@ -21203,6 +21210,7 @@ CVE-2021-21297 (Node-Red is a low-code programming for event-driven applications
CVE-2021-21296 (Fleet is an open source osquery manager. In Fleet before version 3.7.0 ...)
NOT-FOR-US: Fleet
CVE-2021-21295 (Netty is an open-source, asynchronous event-driven network application ...)
+ {DSA-4885-1}
- netty 1:4.1.48-3 (bug #984948)
[stretch] - netty <ignored> (Minor issue, fix requires major changes of HTTP2 module)
NOTE: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
@@ -21216,7 +21224,7 @@ CVE-2021-21292 (Traccar is an open source GPS tracking system. In Traccar before
CVE-2021-21291 (OAuth2 Proxy is an open-source reverse proxy and static file server th ...)
- oauth2-proxy <itp> (bug #982891)
CVE-2021-21290 (Netty is an open-source, asynchronous event-driven network application ...)
- {DLA-2555-1}
+ {DSA-4885-1 DLA-2555-1}
- netty 1:4.1.48-2 (bug #982580)
NOTE: https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
NOTE: https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec
@@ -73376,7 +73384,7 @@ CVE-2020-11614 (Mids' Reborn Hero Designer 2.6.0.7 downloads the update manifest
CVE-2020-11613 (Mids' Reborn Hero Designer 2.6.0.7 has an elevation of privilege vulne ...)
NOT-FOR-US: Mids' Reborn Hero Designer
CVE-2020-11612 (The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memo ...)
- {DLA-2364-1}
+ {DSA-4885-1 DLA-2364-1}
- netty 1:4.1.48-1
[jessie] - netty <ignored> (OOM DoS with fix/mitigation involving new API; too intrusive to backport due to more limited 3.x buffer API)
NOTE: https://github.com/netty/netty/issues/6168
@@ -81979,7 +81987,7 @@ CVE-2020-8434 (Jenzabar JICS (aka Internet Campus Solution) before 9.0.1 Patch 3
CVE-2020-8433
RESERVED
CVE-2019-20445 (HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length ...)
- {DLA-2365-1 DLA-2364-1 DLA-2110-1 DLA-2109-1}
+ {DSA-4885-1 DLA-2365-1 DLA-2364-1 DLA-2110-1 DLA-2109-1}
- netty 1:4.1.45-1 (bug #950967)
- netty-3.9 <removed>
NOTE: https://github.com/netty/netty/issues/9861
@@ -81987,7 +81995,7 @@ CVE-2019-20445 (HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-L
NOTE: https://github.com/netty/netty/commit/629034624626b722128e0fcc6b3ec9d406cb3706 (4.1)
NOTE: https://github.com/netty/netty/commit/5f68897880467c00f29495b0aa46ed19bf7a873c (tests)
CVE-2019-20444 (HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header th ...)
- {DLA-2365-1 DLA-2364-1 DLA-2110-1 DLA-2109-1}
+ {DSA-4885-1 DLA-2365-1 DLA-2364-1 DLA-2110-1 DLA-2109-1}
- netty 1:4.1.45-1 (bug #950966)
- netty-3.9 <removed>
NOTE: https://github.com/netty/netty/issues/9866
@@ -84930,7 +84938,7 @@ CVE-2019-20382 (QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc
NOTE: https://www.openwall.com/lists/oss-security/2020/03/05/1
NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0
CVE-2020-7238 (Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles ...)
- {DLA-2364-1 DLA-2110-1 DLA-2109-1}
+ {DSA-4885-1 DLA-2364-1 DLA-2110-1 DLA-2109-1}
- netty 1:4.1.45-1 (bug #950967)
- netty-3.9 <removed>
[stretch] - netty-3.9 <not-affected> (Incomplete fix for CVE-2019-16869 was not applied)
@@ -91093,8 +91101,8 @@ CVE-2020-4999
RESERVED
CVE-2020-4998
RESERVED
-CVE-2020-4997
- RESERVED
+CVE-2020-4997 (IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scr ...)
+ TODO: check
CVE-2020-4996 (IBM Security Identity Governance and Intelligence 5.2.6 could allow a ...)
NOT-FOR-US: IBM
CVE-2020-4995 (IBM Security Identity Governance and Intelligence 5.2.6 does not inval ...)
@@ -91503,8 +91511,8 @@ CVE-2020-4794 (IBM Automation Workstream Services 19.0.3, 20.0.1, 20.0.2, IBM Bu
NOT-FOR-US: IBM
CVE-2020-4793
RESERVED
-CVE-2020-4792
- RESERVED
+CVE-2020-4792 (IBM Edge 4.2 is vulnerable to cross-site scripting. This vulnerability ...)
+ TODO: check
CVE-2020-4791 (IBM Security Identity Governance and Intelligence 5.2.6 could allow an ...)
NOT-FOR-US: IBM
CVE-2020-4790 (IBM Security Identity Governance and Intelligence 5.2.6 could allow a ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3ac9d216c27ab62e093208ba9d3d1b880bceb16
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3ac9d216c27ab62e093208ba9d3d1b880bceb16
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210405/d9315dfa/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list