[Git][security-tracker-team/security-tracker][master] new web2py issue
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Jun 27 17:52:17 BST 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
38987351 by Moritz Muehlenhoff at 2022-06-27T18:51:48+02:00
new web2py issue
ruby-diffy n/a
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1741,7 +1741,7 @@ CVE-2017-20068 (A vulnerability was found in Hindu Matrimonial Script. It has be
CVE-2017-20067 (A vulnerability was found in Hindu Matrimonial Script. It has been dec ...)
NOT-FOR-US: Hindu Matrimonial Script
CVE-2017-20066 (A vulnerability has been found in Adminer Login 1.4.4 and classified a ...)
- TODO: check
+ NOT-FOR-US: Wordpress plugin
CVE-2017-20065 (A vulnerability was found in Supsystic Popup Plugin 1.7.6 and classifi ...)
NOT-FOR-US: Supsystic Popup Plugin
CVE-2017-20064 (A vulnerability was found in Elefant CMS 1.3.12-RC. It has been declar ...)
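Review bot: the NOT-FOR-US annotation for CVE-2017-20066 ("Wordpress plugin") does not repeat the product the description names ("Adminer Login 1.4.4"), so a reader scanning the list cannot tell this apart from the standalone Adminer tool; suggest `NOT-FOR-US: Adminer Login (WordPress plugin)`.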
@@ -2403,7 +2403,7 @@ CVE-2022-33737
CVE-2022-33736
RESERVED
CVE-2022-33202 (Authentication bypass vulnerability in the setup screen of L2Blocker(o ...)
- TODO: check
+ NOT-FOR-US: L2Blocker
CVE-2022-2088
RESERVED
CVE-2022-2087 (A vulnerability, which was classified as problematic, was found in Sou ...)
@@ -3470,7 +3470,7 @@ CVE-2022-33211
CVE-2022-33210
RESERVED
CVE-2022-33146 (Open redirect vulnerability in web2py versions prior to 2.22.5 allows ...)
- TODO: check
+ - web2py <removed>
CVE-2022-32585
RESERVED
CVE-2022-28127
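Review bot: the new `- web2py <removed>` line for CVE-2022-33146 carries no NOTE with the upstream fix reference, unlike the cifs-utils entry for CVE-2022-27239 further down, which records the upstream commit; even with the package removed from the archive, a `NOTE:` line pointing at the upstream fix (the description gives 2.22.5 as the fixed version) would help anyone checking the old package or a later reintroduction.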
@@ -3643,13 +3643,13 @@ CVE-2022-33129
CVE-2022-33128 (RG-EG series gateway EG350 EG_RGOS 11.1(6) was discovered to contain a ...)
NOT-FOR-US: RG-EG series gateway EG350 EG_RGOS
CVE-2022-33127 (The function that calls the diff tool in Diffy 3.4.1 does not properly ...)
- TODO: check
+ - ruby-diffy <not-affected> (Windows-specific)
CVE-2022-33126
RESERVED
CVE-2022-33125
RESERVED
CVE-2022-33124 (** DISPUTED ** AIOHTTP 3.8.1 can report a "ValueError: Invalid IPv6 UR ...)
- TODO: check
+ NOTE: Disputed aiohttp issue
CVE-2022-33123
RESERVED
CVE-2022-33122 (A stored cross-site scripting (XSS) vulnerability in eyoucms v1.5.6 al ...)
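Review bot: for CVE-2022-33124 the `TODO: check` is replaced by a free-form `NOTE: Disputed aiohttp issue` with no package status, whereas the ruby-diffy entry just above records `<not-affected> (Windows-specific)`; suggest giving the aiohttp package an explicit status with the dispute as the rationale, or adding a reference to the dispute in the NOTE, so the entry does not read as still untriaged.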
@@ -6155,7 +6155,7 @@ CVE-2022-32161
CVE-2022-32160
RESERVED
CVE-2022-32159 (In openlibrary versions deploy-2016-07-0 through deploy-2021-12-22 are ...)
- TODO: check
+ NOT-FOR-US: openlibrary
CVE-2022-1963
RESERVED
CVE-2021-4233
@@ -9013,7 +9013,7 @@ CVE-2022-31097
CVE-2022-31096
RESERVED
CVE-2022-31095 (discourse-chat is a chat plugin for the Discourse application. Version ...)
- TODO: check
+ NOT-FOR-US: discourse-chat
CVE-2022-31094
RESERVED
CVE-2022-31093
@@ -9080,7 +9080,7 @@ CVE-2022-31064
CVE-2022-31063
RESERVED
CVE-2022-31062 (### Impact A plugin public script can be used to read content of syste ...)
- TODO: check
+ NOT-FOR-US: GLPI plugin
CVE-2022-31061
RESERVED
CVE-2022-31060 (Discourse is an open-source discussion platform. Prior to version 2.8. ...)
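Review bot: `NOT-FOR-US: GLPI plugin` for CVE-2022-31062 names neither the plugin nor anything that appears in the truncated description ("A plugin public script can be used to read content of syste..."); naming the plugin in the annotation makes the rationale checkable later.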
@@ -14267,7 +14267,7 @@ CVE-2022-29332 (D-LINK DIR-825 AC1200 R2 is vulnerable to Directory Traversal. A
CVE-2022-29331
RESERVED
CVE-2022-29330 (Missing access control in the backup system of Telesoft VitalPBX befor ...)
- TODO: check
+ NOT-FOR-US: Telesoft
CVE-2022-29329 (D-Link DAP-1330_OSS-firmware_1.00b21 was discovered to contain a heap ...)
NOT-FOR-US: D-Link
CVE-2022-29328 (D-Link DAP-1330_OSS-firmware_1.00b21 was discovered to contain a stack ...)
@@ -14737,7 +14737,7 @@ CVE-2022-29170 (Grafana is an open-source platform for monitoring and observabil
CVE-2022-29169 (BigBlueButton is an open source web conferencing system. Versions star ...)
NOT-FOR-US: BigBlueButton
CVE-2022-29168 (Wire is a secure messaging application. Wire is vulnerable to arbitrar ...)
- TODO: check
+ NOT-FOR-US: wire-webapp
CVE-2022-29167 (Hawk is an HTTP authentication scheme providing mechanisms for making ...)
NOT-FOR-US: Hawk (mozilla/hawk, different from itp'ed hawk, #634344)
CVE-2022-29166 (matrix-appservice-irc is a Node.js IRC bridge for Matrix. The vulnerab ...)
@@ -14940,9 +14940,9 @@ CVE-2022-29099
CVE-2022-29098 (Dell PowerScale OneFS versions 8.2.0.x through 9.3.0.x, contain a weak ...)
NOT-FOR-US: Dell
CVE-2022-29097 (Dell WMS 3.6.1 and below contains a Path Traversal vulnerability in De ...)
- TODO: check
+ NOT-FOR-US: Dell
CVE-2022-29096 (Dell Wyse Management Suite 3.6.1 and below contains a Reflected Cross- ...)
- TODO: check
+ NOT-FOR-US: Dell
CVE-2022-29095 (Dell SupportAssist Client Consumer versions (3.10.4 and prior) and Del ...)
NOT-FOR-US: Dell SupportAssist
CVE-2022-29094 (Dell SupportAssist Client Consumer versions (3.10.4 and versions prior ...)
@@ -16315,9 +16315,9 @@ CVE-2022-28622
CVE-2022-28621
RESERVED
CVE-2022-28620 (A remote authentication bypass vulnerability was discovered in HPE Cra ...)
- TODO: check
+ NOT-FOR-US: HPE
CVE-2022-28619 (A potential security vulnerability has been identified in the installe ...)
- TODO: check
+ NOT-FOR-US: HPE
CVE-2022-28618 (A command injection security vulnerability has been identified in HPE ...)
NOT-FOR-US: HPE
CVE-2022-28617 (A remote bypass security restrictions vulnerability was discovered in ...)
@@ -20322,7 +20322,7 @@ CVE-2022-27239 (In cifs-utils through 6.14, a stack-based buffer overflow when p
NOTE: https://github.com/piastry/cifs-utils/pull/7
NOTE: https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=007c07fd91b6d42f8bd45187cf78ebb06801139d (cifs-utils-6.15)
CVE-2022-27238 (BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross ...)
- TODO: check
+ NOT-FOR-US: BigBlueButton
CVE-2022-27237 (There is a cross-site scripting (XSS) vulnerability in an NI Web Serve ...)
NOT-FOR-US: NI
CVE-2022-27236
@@ -27037,7 +27037,7 @@ CVE-2022-24895
CVE-2022-24894
RESERVED
CVE-2022-24893 (ESP-IDF is the official development framework for Espressif SoCs. In E ...)
- TODO: check
+ NOT-FOR-US: ESP-IDF
CVE-2022-24892 (Shopware is an open source e-commerce software platform. Starting with ...)
NOT-FOR-US: Shopware
CVE-2022-24891 (ESAPI (The OWASP Enterprise Security API) is a free, open source, web ...)
@@ -33351,7 +33351,7 @@ CVE-2022-23172
CVE-2022-23171 (AtlasVPN - Privilege Escalation Lack of proper security controls on na ...)
NOT-FOR-US: AtlasVPN
CVE-2022-23170 (SysAid - Okta SSO integration - was found vulnerable to XML External E ...)
- TODO: check
+ NOT-FOR-US: SysAid
CVE-2022-23169 (attacker needs to craft a SQL payload. the vulnerable parameter is "ag ...)
NOT-FOR-US: Amodat
CVE-2022-23168 (The attacker could get access to the database. The SQL injection is in ...)
@@ -33656,25 +33656,25 @@ CVE-2022-23083 (NetMaster 12.2 Network Management for TCP/IP and NetMaster File
CVE-2022-23082 (In CureKit versions v1.0.1 through v1.1.3 are vulnerable to path trave ...)
NOT-FOR-US: WhiteSource CureKit
CVE-2022-23081 (In openlibrary versions deploy-2016-07-0 through deploy-2021-12-22 are ...)
- TODO: check
+ NOT-FOR-US: openlibrary
CVE-2022-23080 (In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to ser ...)
- TODO: check
+ NOT-FOR-US: directus
CVE-2022-23079 (In motor-admin versions 0.0.1 through 0.2.56 are vulnerable to host he ...)
- TODO: check
+ NOT-FOR-US: motor-admin
CVE-2022-23078 (In habitica versions v4.119.0 through v4.232.2 are vulnerable to open ...)
- TODO: check
+ NOT-FOR-US: habitica
CVE-2022-23077 (In habitica versions v4.119.0 through v4.232.2 are vulnerable to DOM X ...)
- TODO: check
+ NOT-FOR-US: habitica
CVE-2022-23076
RESERVED
CVE-2022-23075
RESERVED
CVE-2022-23074 (In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cro ...)
- TODO: check
+ NOT-FOR-US: Recipes
CVE-2022-23073 (In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cros ...)
- TODO: check
+ NOT-FOR-US: Recipes
CVE-2022-23072 (In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cros ...)
- TODO: check
+ NOT-FOR-US: Recipes
CVE-2022-23071 (In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side ...)
NOT-FOR-US: Recipes
CVE-2022-23070
@@ -33702,13 +33702,13 @@ CVE-2022-23060 (A Stored Cross Site Scripting (XSS) vulnerability exists in Shop
CVE-2022-23059 (A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer v ...)
NOT-FOR-US: Shopizer
CVE-2022-23058 (ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulne ...)
- TODO: check
+ NOT-FOR-US: ERPNext
CVE-2022-23057 (In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-S ...)
- TODO: check
+ NOT-FOR-US: ERPNext
CVE-2022-23056 (In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable t ...)
- TODO: check
+ NOT-FOR-US: ERPNext
CVE-2022-23055 (In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Mi ...)
- TODO: check
+ NOT-FOR-US: ERPNext
CVE-2022-23054 (Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via ...)
NOT-FOR-US: Openmct
CVE-2022-23053 (Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via ...)
@@ -33906,7 +33906,7 @@ CVE-2022-22982
CVE-2022-22981
RESERVED
CVE-2022-22980 (A Spring Data MongoDB application is vulnerable to SpEL Injection when ...)
- TODO: check
+ NOT-FOR-US: Spring Data MongoDB
CVE-2022-22979 (In Spring Cloud Function versions prior to 3.2.6, it is possible for a ...)
TODO: check
CVE-2022-22978 (In Spring Security versions 5.5.6 and 5.6.3 and older unsupported vers ...)
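Review bot: CVE-2022-22979 (Spring Cloud Function) directly below the changed line is left at `TODO: check` while CVE-2022-22980 (Spring Data MongoDB) is closed as NOT-FOR-US; if the same rationale applies, both could be resolved in this pass, otherwise a short NOTE on why the Cloud Function entry stays open would save the next triager rechecking it.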
@@ -41046,7 +41046,7 @@ CVE-2022-21831 (A code injection vulnerability exists in the Active Storage >
CVE-2022-21830 (A blind self XSS vulnerability exists in RocketChat LiveChat <v1.9 ...)
NOT-FOR-US: Rocket.Chat.Livechat
CVE-2022-21829 (Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can down ...)
- TODO: check
+ NOT-FOR-US: Concrete CMS
CVE-2022-21828 (A user with high privilege access to the Incapptic Connect web console ...)
NOT-FOR-US: Ivanti
CVE-2022-21827 (An improper privilege vulnerability has been discovered in Citrix Gate ...)
@@ -47614,9 +47614,9 @@ CVE-2022-20831
CVE-2022-20830
RESERVED
CVE-2022-20829 (A vulnerability in the packaging of Cisco Adaptive Security Device Man ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2022-20828 (A vulnerability in the CLI parser of Cisco FirePOWER Software for Adap ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2022-20827
RESERVED
CVE-2022-20826
@@ -52338,7 +52338,7 @@ CVE-2021-42058
CVE-2021-42057 (Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The ev ...)
NOT-FOR-US: Obsidian Dataview
CVE-2021-42056 (Thales Safenet Authentication Client (SAC) for Linux and Windows throu ...)
- TODO: check
+ NOT-FOR-US: Thales
CVE-2021-42055 (ASUSTek ZenBook Pro Due 15 UX582 laptop firmware through 203 has Insec ...)
NOT-FOR-US: ASUSTek ZenBook Pro Due 15 UX582 laptop firmware
CVE-2021-42054 (ACCEL-PPP 1.12.0 has an out-of-bounds read in triton_context_schedule ...)
@@ -53430,17 +53430,17 @@ CVE-2021-41641 (Deno <=1.14.0 file sandbox does not handle symbolic links cor
CVE-2021-41640
RESERVED
CVE-2021-41639 (MELAG FTP Server 2.2.0.4 stores unencrpyted passwords of FTP users in ...)
- TODO: check
+ NOT-FOR-US: MELAG
CVE-2021-41638 (The authentication checks of the MELAG FTP Server in version 2.2.0.4 a ...)
- TODO: check
+ NOT-FOR-US: MELAG
CVE-2021-41637 (Weak access control permissions in MELAG FTP Server 2.2.0.4 allow the ...)
- TODO: check
+ NOT-FOR-US: MELAG
CVE-2021-41636 (MELAG FTP Server 2.2.0.4 allows an attacker to use the CWD command to ...)
- TODO: check
+ NOT-FOR-US: MELAG
CVE-2021-41635 (When installed as Windows service MELAG FTP Server 2.2.0.4 is run as S ...)
- TODO: check
+ NOT-FOR-US: MELAG
CVE-2021-41634 (A user enumeration vulnerability in MELAG FTP Server 2.2.0.4 allows an ...)
- TODO: check
+ NOT-FOR-US: MELAG
CVE-2021-41633
RESERVED
CVE-2021-41632
@@ -55283,7 +55283,7 @@ CVE-2021-40896
CVE-2021-40895
RESERVED
CVE-2021-40894 (A Regular Expression Denial of Service (ReDOS) vulnerability was disco ...)
- TODO: check
+ NOT-FOR-US: underscore-99xp
CVE-2021-40893 (A Regular Expression Denial of Service (ReDOS) vulnerability was disco ...)
TODO: check
CVE-2021-40892 (A Regular Expression Denial of Service (ReDOS) vulnerability was disco ...)
@@ -56312,9 +56312,9 @@ CVE-2021-40513
CVE-2021-40512
RESERVED
CVE-2021-40511 (OBDA systems’ Mastro 1.0 is vulnerable to XML Entity Expansion ( ...)
- TODO: check
+ NOT-FOR-US: OBDA Mastro
CVE-2021-40510 (XML eXternal Entity (XXE) in OBDA systems’ Mastro 1.0 allows rem ...)
- TODO: check
+ NOT-FOR-US: OBDA Mastro
CVE-2021-40509 (ViewCommon.java in JForum2 2.7.0 allows XSS via a user signature. ...)
NOT-FOR-US: JForum2
CVE-2021-3768 (bookstack is vulnerable to Improper Neutralization of Input During Web ...)
@@ -58959,9 +58959,9 @@ CVE-2021-39411 (Multiple Cross Site Scripting (XSS) vulnerabilities exist in PHP
CVE-2021-39410
RESERVED
CVE-2021-39409 (A vulnerability exists in Online Student Rate System v1.0 that allows ...)
- TODO: check
+ NOT-FOR-US: Online Student Rate System
CVE-2021-39408 (Cross Site Scripting (XSS) vulnerability exists in Online Student Rate ...)
- TODO: check
+ NOT-FOR-US: Online Student Rate System
CVE-2021-39407
RESERVED
CVE-2021-39406
@@ -65774,7 +65774,7 @@ CVE-2021-36763 (In CODESYS V3 web server before 3.5.17.10, files or directories
CVE-2021-36762 (An issue was discovered in HCC Embedded InterNiche NicheStack through ...)
NOT-FOR-US: HCC Embedded InterNiche NicheStack
CVE-2021-36761 (The GeoAnalytics feature in Qlik Sense April 2020 patch 4 allows SSRF. ...)
- TODO: check
+ NOT-FOR-US: Qlik
CVE-2021-36760 (In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server ...)
NOT-FOR-US: WSO2
CVE-2021-36759
@@ -80973,7 +80973,7 @@ CVE-2021-30653 (This issue was addressed with improved checks. This issue is fix
CVE-2021-30652 (A race condition was addressed with additional validation. This issue ...)
NOT-FOR-US: Apple
CVE-2021-30651 (A malicious authenticated SMG administrator user can obtain passwords ...)
- TODO: check
+ NOT-FOR-US: Symantec
CVE-2021-30650 (A reflected cross-site scripting (XSS) vulnerability in the Symantec L ...)
NOT-FOR-US: Symantec
CVE-2021-30649
@@ -82107,19 +82107,19 @@ CVE-2021-30349 (Improper access control sequence for AC database after memory al
CVE-2021-30348 (Improper validation of LLM utility timers availability can lead to den ...)
NOT-FOR-US: Qualcomm
CVE-2021-30347 (Improper integrity check can lead to race condition between tasks PDCP ...)
- TODO: check
+ NOT-FOR-US: Snapdragon
CVE-2021-30346 (RPM secure Stream can access any secure resource due to improper SMMU ...)
- TODO: check
+ NOT-FOR-US: Snapdragon
CVE-2021-30345 (RPM secure Stream can access any secure resource due to improper SMMU ...)
- TODO: check
+ NOT-FOR-US: Snapdragon
CVE-2021-30344 (Improper authorization of a replayed LTE security mode command can lea ...)
- TODO: check
+ NOT-FOR-US: Snapdragon
CVE-2021-30343 (Improper integrity check can lead to race condition between tasks PDCP ...)
- TODO: check
+ NOT-FOR-US: Snapdragon
CVE-2021-30342 (Improper integrity check can lead to race condition between tasks PDCP ...)
- TODO: check
+ NOT-FOR-US: Snapdragon
CVE-2021-30341 (Improper buffer size validation of DSM packet received can lead to mem ...)
- TODO: check
+ NOT-FOR-US: Snapdragon
CVE-2021-30340 (Reachable assertion due to improper validation of coreset in PDCCH con ...)
NOT-FOR-US: Snapdragon
CVE-2021-30339 (Reading PRNG output may lead to improper key generation due to lack of ...)
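Review bot: the seven new entries use `NOT-FOR-US: Snapdragon` while the neighbouring CVE-2021-30348 uses `NOT-FOR-US: Qualcomm`; the existing CVE-2021-30340 line also uses Snapdragon, so the new lines match the majority, but settling on one vendor label for this block would keep grepping the file consistent.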
@@ -85440,7 +85440,7 @@ CVE-2021-29057
CVE-2021-29056 (Cross Site Scripting (XSS) vulnerability exists in Pixelimity 1.0 via ...)
NOT-FOR-US: Pixelimity
CVE-2021-29055 (Cross Site Scripting (XSS) vulnerability in sourcecodester School File ...)
- TODO: check
+ NOT-FOR-US: sourcecodester
CVE-2021-29054 (Certain Papoo products are affected by: Cross Site Request Forgery (CS ...)
NOT-FOR-US: Papoo
CVE-2021-29053 (Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Lif ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38987351d96ee2515a50377d9a352ae13be57281