[Git][security-tracker-team/security-tracker][master] new gitlab issues
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Jul 7 09:42:42 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
12e9b965 by Moritz Muehlenhoff at 2021-07-07T10:42:17+02:00
new gitlab issues
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1766,7 +1766,7 @@ CVE-2021-35442
CVE-2021-35441
RESERVED
CVE-2021-35440 (Smashing 1.3.4 is vulnerable to Cross Site Scripting (XSS). A URL for ...)
- TODO: check
+ NOT-FOR-US: Smashing
CVE-2021-35439
RESERVED
CVE-2021-35438 (phpIPAM 1.4.3 allows Reflected XSS via app/dashboard/widgets/ipcalc-re ...)
@@ -4512,7 +4512,7 @@ CVE-2021-34192
CVE-2021-34191
RESERVED
CVE-2021-34190 (A stored cross site scripting (XSS) vulnerability in index.php?menu=bi ...)
- TODO: check
+ NOT-FOR-US: Issabel PBX
CVE-2021-34189
RESERVED
CVE-2021-34188
@@ -8298,7 +8298,7 @@ CVE-2021-32561 (OctoPrint before 1.6.0 allows XSS because API error messages inc
CVE-2021-32560 (The Logging subsystem in OctoPrint before 1.6.0 has incorrect access c ...)
NOT-FOR-US: OctoPrint
CVE-2021-32559 (An integer overflow exists in pywin32 prior to version b301 when addin ...)
- TODO: check
+ NOT-FOR-US: pywin32
CVE-2021-32558
RESERVED
CVE-2021-32557 (It was discovered that the process_report() function in data/whoopsie- ...)
@@ -10338,7 +10338,7 @@ CVE-2021-31773
CVE-2021-31772
RESERVED
CVE-2021-31771 (Splinterware System Scheduler Professional version 5.30 is subject to ...)
- TODO: check
+ NOT-FOR-US: Splinterware
CVE-2021-31770
RESERVED
CVE-2021-31769 (MyQ Server in MyQ X Smart before 8.2 allows remote code execution by u ...)
@@ -19714,7 +19714,7 @@ CVE-2021-27932
CVE-2021-27931 (LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthent ...)
NOT-FOR-US: LumisXP (aka Lumis Experience Platform)
CVE-2021-27930 (Multiple stored XSS vulnerabilities in IrisNext Edition 9.5.16, which ...)
- TODO: check
+ NOT-FOR-US: IrisNext
CVE-2021-27929
RESERVED
CVE-2021-27928 (A remote code execution issue was discovered in MariaDB 10.2 before 10 ...)
@@ -27962,7 +27962,7 @@ CVE-2021-24496
CVE-2021-24495
RESERVED
CVE-2021-24494 (The WP Offload SES Lite WordPress plugin before 1.4.5 did not escape s ...)
- TODO: check
+ NOT-FOR-US: Wordpress plugin
CVE-2021-24493
RESERVED
CVE-2021-24492
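Review bot: the new "NOT-FOR-US: Wordpress plugin" line uses a different spelling than the existing entries in this file, which write "NOT-FOR-US: WordPress plugin" (see the unchanged context for CVE-2021-24383, CVE-2021-24376 and CVE-2021-24374 further down). The same spelling appears in the later WordPress plugin/theme hunks of this commit; using the established "WordPress" form keeps grep-based queries over data/CVE/list consistent.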
@@ -28048,7 +28048,7 @@ CVE-2021-24453
CVE-2021-24452
RESERVED
CVE-2021-24451 (The Export Users With Meta WordPress plugin before 0.6.5 did not escap ...)
- TODO: check
+ NOT-FOR-US: Wordpress plugin
CVE-2021-24450
RESERVED
CVE-2021-24449
@@ -28136,11 +28136,11 @@ CVE-2021-24409
CVE-2021-24408
RESERVED
CVE-2021-24407 (The Jannah WordPress theme before 5.4.5 did not properly sanitize the ...)
- TODO: check
+ NOT-FOR-US: Wordpress theme
CVE-2021-24406 (The wpForo Forum WordPress plugin before 1.9.7 did not validate the re ...)
- TODO: check
+ NOT-FOR-US: Wordpress plugin
CVE-2021-24405 (The Easy Cookies Policy WordPress plugin through 1.6.2 is lacking any ...)
- TODO: check
+ NOT-FOR-US: Wordpress plugin
CVE-2021-24404
RESERVED
CVE-2021-24403
@@ -28172,17 +28172,17 @@ CVE-2021-24391
CVE-2021-24390
RESERVED
CVE-2021-24389 (The WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery ...)
- TODO: check
+ NOT-FOR-US: Wordpress plugin
CVE-2021-24388 (In the VikRentCar Car Rental Management System WordPress plugin before ...)
- TODO: check
+ NOT-FOR-US: Wordpress plugin
CVE-2021-24387 (The WP Pro Real Estate 7 WordPress theme before 3.1.1 did not properly ...)
- TODO: check
+ NOT-FOR-US: Wordpress theme
CVE-2021-24386 (The WP SVG images WordPress plugin before 3.4 did not sanitise the SVG ...)
- TODO: check
+ NOT-FOR-US: Wordpress plugin
CVE-2021-24385
RESERVED
CVE-2021-24384 (The joomsport_md_load AJAX action of the JoomSport WordPress plugin be ...)
- TODO: check
+ NOT-FOR-US: Wordpress plugin
CVE-2021-24383 (The WP Google Maps WordPress plugin before 8.1.12 did not sanitise, va ...)
NOT-FOR-US: WordPress plugin
CVE-2021-24382 (The Smart Slider 3 Free and pro WordPress plugins before 3.5.0.9 did n ...)
@@ -28200,7 +28200,7 @@ CVE-2021-24377 (The Autoptimize WordPress plugin before 2.7.8 attempts to remove
CVE-2021-24376 (The Autoptimize WordPress plugin before 2.7.8 attempts to delete malic ...)
NOT-FOR-US: WordPress plugin
CVE-2021-24375 (Lack of authentication or validation in motor_load_more, motor_gallery ...)
- TODO: check
+ NOT-FOR-US: Wordpress theme
CVE-2021-24374 (The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 ...)
NOT-FOR-US: WordPress plugin
CVE-2021-24373 (The WP Hardening – Fix Your WordPress Security WordPress plugin ...)
@@ -28975,7 +28975,7 @@ CVE-2021-24007
CVE-2021-24006
RESERVED
CVE-2021-24005 (Usage of hard-coded cryptographic keys to encrypt configuration files ...)
- TODO: check
+ NOT-FOR-US: FortiGuard
CVE-2021-24004
RESERVED
CVE-2021-24003
@@ -30435,7 +30435,7 @@ CVE-2021-23403 (All versions of package ts-nodash are vulnerable to Prototype Po
CVE-2021-23402 (All versions of package record-like-deep-assign are vulnerable to Prot ...)
NOT-FOR-US: Node record-like-deep-assign
CVE-2021-23401 (This affects all versions of package Flask-User. When using the make_s ...)
- TODO: check
+ NOT-FOR-US: Flask-User
CVE-2021-23400 (The package nodemailer before 6.6.1 are vulnerable to HTTP Header Inje ...)
- node-nodemailer 6.4.17-3 (bug #990485)
NOTE: https://github.com/nodemailer/nodemailer/commit/7e02648cc8cd863f5085bad3cd09087bccf84b9f
@@ -33042,25 +33042,25 @@ CVE-2021-22234
CVE-2021-22233
RESERVED
CVE-2021-22232 (HTML injection was possible via the full name field before versions 13 ...)
- TODO: check
+ - gitlab <unfixed>
CVE-2021-22231
RESERVED
CVE-2021-22230
RESERVED
CVE-2021-22229 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
- TODO: check
+ - gitlab <unfixed>
CVE-2021-22228 (An issue has been discovered in GitLab affecting all versions. Imprope ...)
- TODO: check
+ - gitlab <unfixed>
CVE-2021-22227
RESERVED
CVE-2021-22226 (Under certain conditions, some users were able to push to protected br ...)
- TODO: check
+ - gitlab <unfixed>
CVE-2021-22225
RESERVED
CVE-2021-22224
RESERVED
CVE-2021-22223 (Client-Side code injection through Feature Flag name in GitLab CE/EE s ...)
- TODO: check
+ - gitlab <unfixed>
CVE-2021-22222 (Infinite loop in DVB-S2-BB dissector in Wireshark 3.4.0 to 3.4.5 allow ...)
[experimental] - wireshark 3.4.6-1~exp1
- wireshark <unfixed>
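Review bot: the five new "- gitlab <unfixed>" entries carry no NOTE line, although the truncated descriptions indicate upstream fixed releases exist (CVE-2021-22232 reads "before versions 13 ..."). Other entries in this file record the upstream fix next to the package line, as the nodemailer entry does with "NOTE: https://github.com/nodemailer/nodemailer/commit/..."; adding a NOTE with the fixed GitLab versions or advisory URL for each CVE would make it easier to resolve the <unfixed> markers later.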
@@ -37937,15 +37937,15 @@ CVE-2021-20782
CVE-2021-20781
RESERVED
CVE-2021-20780 (Cross-site request forgery (CSRF) vulnerability in WPCS - WordPress Cu ...)
- TODO: check
+ NOT-FOR-US: Wordpress plugin
CVE-2021-20779 (Cross-site request forgery (CSRF) vulnerability in WordPress Email Tem ...)
- TODO: check
+ NOT-FOR-US: Wordpress plugin
CVE-2021-20778 (Improper access control vulnerability in EC-CUBE 4.0.6 (EC-CUBE 4 seri ...)
NOT-FOR-US: EC-CUBE
CVE-2021-20777 (Improper authorization in handler for custom URL scheme vulnerability ...)
- TODO: check
+ NOT-FOR-US: GU App for Android
CVE-2021-20776 (Improper authentication vulnerability in SCT-40CM01SR and AT-40CM01SR ...)
- TODO: check
+ NOT-FOR-US: SCT-40CM01SR and AT-40CM01SR
CVE-2021-20775
RESERVED
CVE-2021-20774
@@ -38019,9 +38019,9 @@ CVE-2021-20741 (Cross-site scripting vulnerability in Hitachi Application Server
CVE-2021-20740 (Hitachi Virtual File Platform Versions prior to 5.5.3-09 and Versions ...)
NOT-FOR-US: Hitachi
CVE-2021-20739 (WRC-300FEBK, WRC-F300NF, WRC-733FEBK, WRH-300RD, WRH-300BK, WRH-300SV, ...)
- TODO: check
+ NOT-FOR-US: Elecom
CVE-2021-20738 (WRC-1167FS-W, WRC-1167FS-B, and WRC-1167FSA all versions allow an unau ...)
- TODO: check
+ NOT-FOR-US: Elecom
CVE-2021-20737 (Improper authentication vulnerability in GROWI versions prior to v4.2. ...)
NOT-FOR-US: GROWI
CVE-2021-20736 (NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allow ...)
@@ -60383,7 +60383,7 @@ CVE-2020-23699
CVE-2020-23698
RESERVED
CVE-2020-23697 (Cross Site Scripting vulnerabilty in Monstra CMS 3.0.4 via the page fe ...)
- TODO: check
+ NOT-FOR-US: Monstra CMS
CVE-2020-23696
RESERVED
CVE-2020-23695
@@ -63320,11 +63320,11 @@ CVE-2020-22253
CVE-2020-22252
RESERVED
CVE-2020-22251 (Cross Site Scripting (XSS) vulnerability in phpList 3.5.3 via the logi ...)
- TODO: check
+ - phplist <itp> (bug #612288)
CVE-2020-22250
RESERVED
CVE-2020-22249 (Remote Code Execution vulnerability in phplist 3.5.1. The application ...)
- TODO: check
+ - phplist <itp> (bug #612288)
CVE-2020-22248
RESERVED
CVE-2020-22247
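Review bot: both phplist entries are switched from "TODO: check" to "- phplist <itp> (bug #612288)", which correctly records that the package is not yet in the archive; since the descriptions name phpList 3.5.3 and 3.5.1 as affected, a NOTE with the upstream fixed version would let whoever completes the ITP see immediately which upload closes these CVEs.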
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12e9b96526fb1c4ceec271d3d60fece8fc0d898f