[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Mon Aug 21 21:12:24 BST 2023
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c8dfbf51 by security tracker role at 2023-08-21T20:12:13+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,4 +1,62 @@
-CVE-2023-4459 [net: vmxnet3: fix possible NULL pointer dereference in vmxnet3_rq_cleanup()]
+CVE-2023-4456 (A flaw was found in openshift-logging LokiStack. The key used for cach ...)
+ TODO: check
+CVE-2023-4455 (Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallab ...)
+ TODO: check
+CVE-2023-4454 (Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallab ...)
+ TODO: check
+CVE-2023-4453 (Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pi ...)
+ TODO: check
+CVE-2023-4417 (Improper access controls in the entry duplication component in Devolut ...)
+ TODO: check
+CVE-2023-4373 (Inadequate validation of permissions when employing remote tools and m ...)
+ TODO: check
+CVE-2023-40735 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
+ TODO: check
+CVE-2023-40352 (McAfee Safe Connect before 2.16.1.126 may allow an adversary with syst ...)
+ TODO: check
+CVE-2023-40068 (Cross-site scripting vulnerability in Advanced Custom Fields versions ...)
+ TODO: check
+CVE-2023-3954 (The MultiParcels Shipping For WooCommerce WordPress plugin before 1.15 ...)
+ TODO: check
+CVE-2023-3936 (The Blog2Social WordPress plugin before 7.2.1 does not sanitise and es ...)
+ TODO: check
+CVE-2023-3667 (The Bit Assist WordPress plugin before 1.1.9 does not sanitise and esc ...)
+ TODO: check
+CVE-2023-3604 (The Change WP Admin Login WordPress plugin before 1.1.4 discloses the ...)
+ TODO: check
+CVE-2023-3481 (Critters versions 0.0.17-0.0.19 have an issue when parsing the HTML, w ...)
+ TODO: check
+CVE-2023-3366 (The MultiParcels Shipping For WooCommerce WordPress plugin before 1.15 ...)
+ TODO: check
+CVE-2023-39939 (SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.3M (My ...)
+ TODO: check
+CVE-2023-39660 (An issue in Gaberiele Venturi pandasai v.0.8.0 and before allows a rem ...)
+ TODO: check
+CVE-2023-39543 (Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2 ...)
+ TODO: check
+CVE-2023-39106 (An issue in Nacos Group Nacos Spring Project v.1.1.1 and before allows ...)
+ TODO: check
+CVE-2023-39094 (Cross Site Scripting vulnerability in ZeroWdd studentmanager v.1.0 all ...)
+ TODO: check
+CVE-2023-39061 (Cross Site Request Forgery (CSRF) vulnerability in Chamilo v.1.11 thru ...)
+ TODO: check
+CVE-2023-38976 (An issue in weaviate v.1.20.0 allows a remote attacker to cause a deni ...)
+ TODO: check
+CVE-2023-38961 (Buffer Overflwo vulnerability in JerryScript Project jerryscript v.3.0 ...)
+ TODO: check
+CVE-2023-38899 (SQL injection vulnerability in berkaygediz O_Blog v.1.0 allows a local ...)
+ TODO: check
+CVE-2023-38836 (File Upload vulnerability in BoidCMS v.2.0.0 allows a remote attacker ...)
+ TODO: check
+CVE-2023-38158 (Microsoft Edge (Chromium-based) Information Disclosure Vulnerability)
+ TODO: check
+CVE-2023-38035 (A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sen ...)
+ TODO: check
+CVE-2023-36787 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability)
+ TODO: check
+CVE-2023-31447 (user_login.cgi on Draytek Vigor2620 devices before 3.9.8.4 (and on all ...)
+ TODO: check
+CVE-2023-4459 (A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in dri ...)
- linux 5.17.11-1
[bullseye] - linux 5.10.120-1
[buster] - linux 4.19.249-1
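Review bot: the "Buffer Overflwo" spelling in the new CVE-2023-38961 line arrives with the imported description text of this automatic update, so it should not be hand-corrected here; a local fix would be overwritten by the next feed sync and the entry still awaits its TODO: check triage. The CVE-2023-4459 rewrite at the end of the hunk correctly keeps the existing fixed-version lines (linux 5.17.11-1, [bullseye] 5.10.120-1, [buster] 4.19.249-1) under the replaced description, which is what the placeholder-to-official-description swap should look like.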
@@ -69,7 +127,7 @@ CVE-2023-4434 (Missing Authorization in GitHub repository hamza417/inure prior t
NOT-FOR-US: hamza417/inure
CVE-2023-40711 (Veilid before 0.1.9 does not check the size of uncompressed data durin ...)
NOT-FOR-US: Veilid
-CVE-2023-37250 (Unity Parsec before 8 has a TOCTOU race condition that permits local a ...)
+CVE-2023-37250 (Unity Parsec has a TOCTOU race condition that permits local attackers ...)
NOT-FOR-US: Unity Parsec
CVE-2023-4433 (Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/co ...)
NOT-FOR-US: Cockpit Content Platform (different from src:cockpit)
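Review bot: the replacement description for CVE-2023-37250 drops the "before 8" version qualifier that the removed line carried, so the entry no longer records an upper affected version; the NOT-FOR-US: Unity Parsec triage is unaffected, but the upstream advisory rather than this line is now the place to look for the fixed release.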
@@ -661,7 +719,7 @@ CVE-2023-38851 (Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote a
NOTE: Negligible security impact
CVE-2023-38850 (Buffer Overflow vulnerability in Michaelrsweet codedoc v.3.7 allows an ...)
NOT-FOR-US: Codedoc
-CVE-2023-38840 (Bitwarden Windows Desktop v2023.5.1 and below allows an attacker with ...)
+CVE-2023-38840 (Bitwarden Desktop 2023.7.0 and below allows an attacker with local acc ...)
NOT-FOR-US: Bitwarden
CVE-2023-38402 (A vulnerability in the HPE Aruba Networking Virtual IntranetAccess (VI ...)
NOT-FOR-US: HPE
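Review bot: the CVE-2023-38840 description changes the affected range from "Windows Desktop v2023.5.1 and below" to "Desktop 2023.7.0 and below", a wider and no longer Windows-specific bound; NOT-FOR-US: Bitwarden still holds since the package is not in Debian, but the widened range is worth noting for anyone mirroring this entry into derived advisories.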
@@ -1265,7 +1323,7 @@ CVE-2023-32004 (A vulnerability has been discovered in Node.js version 20, speci
CVE-2023-32003 (`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permis ...)
- nodejs <not-affected> (Only affects 20.x and later)
NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#fsmkdtemp-and-fsmkdtempsync-are-missing-getvalidatedpath-checks-lowcve-2023-32003
-CVE-2023-32002
+CVE-2023-32002 (The use of `Module._load()` can bypass the policy mechanism and requir ...)
- nodejs <unfixed>
[buster] - nodejs <not-affected> (v10.x doesn't support policy manifests)
NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-module_load-highcve-2023-32002
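Review bot: the CVE-2023-32002 entry records nodejs <unfixed> with only a [buster] exclusion, whereas the neighbouring CVE-2023-32003 entry scopes its not-affected status with a rationale ("Only affects 20.x and later"). Worth confirming which of the remaining suites' nodejs versions actually ship the policy manifest mechanism named in the description and adding a suite-scoped annotation where they do not, so the <unfixed> state reflects a checked exposure rather than a default.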
@@ -18305,7 +18363,7 @@ CVE-2023-29362 (Remote Desktop Client Remote Code Execution Vulnerability)
NOT-FOR-US: Microsoft
CVE-2023-29361 (Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerab ...)
NOT-FOR-US: Microsoft
-CVE-2023-29360 (Windows TPM Device Driver Elevation of Privilege Vulnerability)
+CVE-2023-29360 (Microsoft Streaming Service Elevation of Privilege Vulnerability)
NOT-FOR-US: Microsoft
CVE-2023-29359 (GDI Elevation of Privilege Vulnerability)
NOT-FOR-US: Microsoft
@@ -46023,7 +46081,7 @@ CVE-2022-4369 (The WP-Lister Lite for Amazon WordPress plugin before 2.4.4 does
CVE-2022-4368 (The WP CSV WordPress plugin through 1.8.0.0 does not sanitize and esca ...)
NOT-FOR-US: WordPress plugin
CVE-2022-4367
- RESERVED
+ REJECTED
CVE-2022-43501 (KASAGO TCP/IP stack provided by Zuken Elmic generates ISNs(Initial Seq ...)
NOT-FOR-US: Zuken Elmic
CVE-2022-43460 (Driver Distributor v2.2.3.1 and earlier contains a vulnerability where ...)
@@ -199775,8 +199833,8 @@ CVE-2020-28717 (Cross Site Scripting (XSS) vulnerability in content1 parameter i
NOT-FOR-US: kindsoft kindeditor
CVE-2020-28716
RESERVED
-CVE-2020-28715
- RESERVED
+CVE-2020-28715 (An issue was discovered in kdmserver service in LeEco LeTV X43 version ...)
+ TODO: check
CVE-2020-28714
RESERVED
CVE-2020-28713 (Incorrect access control in push notification service in Night Owl Sma ...)
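Review bot: CVE-2020-28715 moves from RESERVED to a populated description marked TODO: check; the description names the kdmserver service on a LeEco LeTV X43 device, so it sits alongside the other vendor-device entries in this file and should resolve quickly in triage, most likely to the same NOT-FOR-US form used for the adjacent CVE-2020-28717 and CVE-2020-28713 entries.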
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8dfbf51a965ae59d8366ebc85613a30ae374807