[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Jun 29 21:12:39 BST 2023
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c1b0290c by security tracker role at 2023-06-29T20:12:28+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,53 @@
+CVE-2023-3458 (A vulnerability was found in SourceCodester Shopping Website 1.0. It h ...)
+ TODO: check
+CVE-2023-3457 (A vulnerability was found in SourceCodester Shopping Website 1.0. It h ...)
+ TODO: check
+CVE-2023-37256 (An issue was discovered in the Cargo extension for MediaWiki through 1 ...)
+ TODO: check
+CVE-2023-37255 (An issue was discovered in the CheckUser extension for MediaWiki throu ...)
+ TODO: check
+CVE-2023-37254 (An issue was discovered in the Cargo extension for MediaWiki through 1 ...)
+ TODO: check
+CVE-2023-37251 (An issue was discovered in the GoogleAnalyticsMetrics extension for Me ...)
+ TODO: check
+CVE-2023-36617 (A ReDoS issue was discovered in the URI component before 0.12.2 for Ru ...)
+ TODO: check
+CVE-2023-36488 (ILIAS 7.21 and 8.0_beta1 through 8.2 is vulnerable to stored Cross Sit ...)
+ TODO: check
+CVE-2023-36487 (The password reset function in ILIAS 7.0_beta1 through 7.20 and 8.0_be ...)
+ TODO: check
+CVE-2023-36484 (ILIAS 7.21 and 8.0_beta1 through 8.2 is vulnerable to reflected Cross- ...)
+ TODO: check
+CVE-2023-36471 (Xwiki commons is the common modules used by other XWiki top level proj ...)
+ TODO: check
+CVE-2023-35938 (Tuleap is a Free & Open Source Suite to improve management of software ...)
+ TODO: check
+CVE-2023-35830 (STW (aka Sensor-Technik Wiedemann) TCG-4 Connectivity Module Deploymen ...)
+ TODO: check
+CVE-2023-34849 (An unauthorized command injection vulnerability exists in the ActionLo ...)
+ TODO: check
+CVE-2023-34844 (Play With Docker < 0.0.2 has an insecure CAP_SYS_ADMIN privileged mode ...)
+ TODO: check
+CVE-2023-34735 (Property Cloud Platform Management Center 1.0 is vulnerable to error-b ...)
+ TODO: check
+CVE-2023-34658 (Telegram v9.6.3 on iOS allows attackers to hide critical information o ...)
+ TODO: check
+CVE-2023-34656 (An issue was discovered with the JSESSION IDs in Xiamen Si Xin Communi ...)
+ TODO: check
+CVE-2023-34599 (Multiple Cross-Site Scripting (XSS) vulnerabilities have been identifi ...)
+ TODO: check
+CVE-2023-34598 (Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) where it' ...)
+ TODO: check
+CVE-2023-34487 (itsourcecode Online Hotel Management System Project In PHP v1.0.0 is v ...)
+ TODO: check
+CVE-2023-34486 (itsourcecode Online Hotel Management System Project In PHP v1.0.0 is v ...)
+ TODO: check
+CVE-2023-33466 (Orthanc before 1.12.0 allows authenticated users with access to the Or ...)
+ TODO: check
+CVE-2023-33277 (The web interface of Gira Giersiepen Gira KNX/IP-Router 3.1.3683.0 and ...)
+ TODO: check
+CVE-2023-33190 (Sealos is an open source cloud operating system distribution based on ...)
+ TODO: check
CVE-2023-XXXX [Heap overwrite in PGS subtitle overlay decoder]
- gst-plugins-bad1.0 <unfixed>
NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0003.html
@@ -151,6 +201,7 @@ CVE-2023-32623 (Directory traversal vulnerability in Snow Monkey Forms versions
CVE-2022-48505 (This issue was addressed with improved data protection. This issue is ...)
NOT-FOR-US: Apple
CVE-2022-48503 (Processing web content may lead to arbitrary code execution)
+ {DSA-5241-1 DSA-5240-1}
- webkit2gtk 2.38.0-1
- wpewebkit 2.38.0-1
NOTE: https://webkitgtk.org/security/WSA-2023-0005.html
@@ -575,6 +626,7 @@ CVE-2023-32439 (A type confusion issue was addressed with improved checks. This
[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0005.html
CVE-2023-32435 (A memory corruption issue was addressed with improved state management ...)
+ {DSA-5396-1}
- webkit2gtk 2.40.0-1
- wpewebkit 2.40.2-2
[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
@@ -5828,8 +5880,8 @@ CVE-2023-2285 (The WP Activity Log Premium plugin for WordPress is vulnerable to
NOT-FOR-US: WP Activity Log Premium plugin for WordPress
CVE-2023-2284 (The WP Activity Log Premium plugin for WordPress is vulnerable to unau ...)
NOT-FOR-US: WP Activity Log Premium plugin for WordPress
-CVE-2023-31222
- RESERVED
+CVE-2023-31222 (Deserialization of untrusted datain Microsoft Messaging Queuing Servic ...)
+ TODO: check
CVE-2023-31221
RESERVED
CVE-2023-31220
@@ -6508,8 +6560,8 @@ CVE-2023-30957
RESERVED
CVE-2023-30956
RESERVED
-CVE-2023-30955
- RESERVED
+CVE-2023-30955 (A security defect was identified in Foundry workspace-server that enab ...)
+ TODO: check
CVE-2023-30954
RESERVED
CVE-2023-30953
@@ -6526,8 +6578,8 @@ CVE-2023-30948 (A security defect in Foundry's Comments functionality resulted i
NOT-FOR-US: Palantir
CVE-2023-30947
RESERVED
-CVE-2023-30946
- RESERVED
+CVE-2023-30946 (A security defect was identified in Foundry Issues. If a user was adde ...)
+ TODO: check
CVE-2023-30945 (Multiple Services such as VHS(Video History Server) and VCD(Video Clip ...)
NOT-FOR-US: Palantir
CVE-2023-30944 (The vulnerability was found Moodle which exists due to insufficient sa ...)
@@ -6868,6 +6920,7 @@ CVE-2023-2168 (The TaxoPress plugin for WordPress is vulnerable to Stored Cross-
CVE-2023-2167
RESERVED
CVE-2023-30861 (Flask is a lightweight WSGI web application framework. When all of the ...)
+ {DSA-5442-1}
- flask 2.2.2-3 (bug #1035670)
[buster] - flask <postponed> (Minor issue)
NOTE: https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq
@@ -7027,7 +7080,7 @@ CVE-2023-2164
RESERVED
CVE-2023-2163 [bpf: Fix incorrect verifier pruning due to missing register precision taints]
RESERVED
- - linux 6.1.27-1
+ - linux 6.1.27-1
[bullseye] - linux 5.10.179-1
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/71b547f561247897a0a14f3082730156c0533fed (6.3)
@@ -18903,8 +18956,8 @@ CVE-2023-26968 (In Atrocore 1.5.25, the Create Import Feed option with glyphicon
NOT-FOR-US: Atrocore
CVE-2023-26967
RESERVED
-CVE-2023-26966
- RESERVED
+CVE-2023-26966 (libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when lib ...)
+ TODO: check
CVE-2023-26965 (loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-ba ...)
- tiff 4.5.1~rc3-1
[bookworm] - tiff <no-dsa> (Minor issue)
@@ -19644,16 +19697,16 @@ CVE-2023-26618
RESERVED
CVE-2023-26617
RESERVED
-CVE-2023-26616
- RESERVED
+CVE-2023-26616 (D-Link DIR-823G firmware version 1.02B05 has a buffer overflow vulnera ...)
+ TODO: check
CVE-2023-26615 (D-Link DIR-823G firmware version 1.02B05 has a password reset vulnerab ...)
TODO: check
CVE-2023-26614
RESERVED
-CVE-2023-26613
- RESERVED
-CVE-2023-26612
- RESERVED
+CVE-2023-26613 (An OS command injection vulnerability in D-Link DIR-823G firmware vers ...)
+ TODO: check
+CVE-2023-26612 (D-Link DIR-823G firmware version 1.02B05 has a buffer overflow vulnera ...)
+ TODO: check
CVE-2023-26611
RESERVED
CVE-2023-26610
@@ -21204,8 +21257,8 @@ CVE-2023-26087
RESERVED
CVE-2023-26086
RESERVED
-CVE-2023-26085
- RESERVED
+CVE-2023-26085 (A possible out-of-bounds read and write (due to an improper length che ...)
+ TODO: check
CVE-2023-26084 (The armv8_dec_aes_gcm_full() API of Arm AArch64cryptolib before 86065c ...)
NOT-FOR-US: AArch64cryptolib
CVE-2023-26083 (Memory leak vulnerability in Mali GPU Kernel Driver in Midgard GPU Ker ...)
@@ -23498,8 +23551,8 @@ CVE-2023-25434 (libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContig
[bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/519
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38 (v4.5.1rc1)
-CVE-2023-25433
- RESERVED
+CVE-2023-25433 (libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiff ...)
+ TODO: check
CVE-2023-25432 (An issue was discovered in Online Reviewer Management System v1.0. The ...)
NOT-FOR-US: Online Reviewer Management System
CVE-2023-25431 (An issue was discovered in Online Reviewer Management System v1.0. The ...)
@@ -31110,8 +31163,7 @@ CVE-2023-22888
RESERVED
CVE-2023-22887
RESERVED
-CVE-2023-22886
- RESERVED
+CVE-2023-22886 (Improper Input Validation vulnerability in Apache Software Foundation ...)
NOT-FOR-US: Apache Airflow JDBC Provider
CVE-2023-22885
REJECTED
@@ -38806,7 +38858,7 @@ CVE-2022-46794 (Cross-Site Request Forgery (CSRF) vulnerability in weightbasedsh
NOT-FOR-US: WordPress plugin
CVE-2022-46793 (Cross-Site Request Forgery (CSRF) vulnerability in AdTribes.Io Product ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4366 (Exposure of Sensitive System Information to an Unauthorized Control Sp ...)
+CVE-2022-4366 (Missing Authorization in GitHub repository lirantal/daloradius prior t ...)
NOT-FOR-US: daloRADIUS
CVE-2022-4365 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
- gitlab 15.10.8+ds1-2
@@ -43709,7 +43761,7 @@ CVE-2022-45201
RESERVED
CVE-2022-45200
RESERVED
-CVE-2022-3993 (Authentication Bypass by Primary Weakness in GitHub repository kareadi ...)
+CVE-2022-3993 (Missing Authorization in GitHub repository kareadita/kavita prior to 0 ...)
NOT-FOR-US: Kavita
CVE-2022-3992 (A vulnerability classified as problematic was found in SourceCodester ...)
NOT-FOR-US: SourceCodester Sanitization Management System
@@ -45106,10 +45158,10 @@ CVE-2022-44722
RESERVED
CVE-2022-44721
REJECTED
-CVE-2022-44720
- RESERVED
-CVE-2022-44719
- RESERVED
+CVE-2022-44720 (An issue was discovered in Weblib Ucopia before 6.0.13. OS Command Inj ...)
+ TODO: check
+CVE-2022-44719 (An issue was discovered in Weblib Ucopia before 6.0.13. The SSH Server ...)
+ TODO: check
CVE-2022-44718 (An issue was discovered in NetScout nGeniusONE 6.3.2 build 904. Open R ...)
NOT-FOR-US: NetScout
CVE-2022-44717 (An issue was discovered in NetScout nGeniusONE 6.3.2 build 904. Open R ...)
@@ -76974,7 +77026,7 @@ CVE-2022-2136 (The affected product is vulnerable to multiple SQL injections tha
NOT-FOR-US: iView
CVE-2022-2135 (The affected product is vulnerable to multiple SQL injections, which m ...)
NOT-FOR-US: iView
-CVE-2022-2134 (Denial of Service in GitHub repository inventree/inventree prior to 0. ...)
+CVE-2022-2134 (Allocation of Resources Without Limits or Throttling in GitHub reposit ...)
NOT-FOR-US: inventree
CVE-2022-2133 (The OAuth Single Sign On WordPress plugin before 6.22.6 doesn't valida ...)
NOT-FOR-US: WordPress plugin
@@ -79803,7 +79855,7 @@ CVE-2022-2064 (Insufficient Session Expiration in GitHub repository nocodb/nocod
NOT-FOR-US: nocodb
CVE-2022-2063 (Improper Privilege Management in GitHub repository nocodb/nocodb prior ...)
NOT-FOR-US: nocodb
-CVE-2022-2062 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...)
+CVE-2022-2062 (Generation of Error Message Containing Sensitive Information in GitHub ...)
NOT-FOR-US: nocodb
CVE-2022-2061 (Heap-based Buffer Overflow in GitHub repository hpjansson/chafa prior ...)
- chafa 1.12.1-1 (unimportant)
@@ -84776,7 +84828,7 @@ CVE-2022-1812 (Integer Overflow or Wraparound in GitHub repository publify/publi
NOT-FOR-US: Publify
CVE-2022-1811 (Unrestricted Upload of File with Dangerous Type in GitHub repository p ...)
NOT-FOR-US: Publify
-CVE-2022-1810 (Improper Access Control in GitHub repository publify/publify prior to ...)
+CVE-2022-1810 (Authorization Bypass Through User-Controlled Key in GitHub repository ...)
NOT-FOR-US: Publify
CVE-2022-31269 (Nortek Linear eMerge E3-Series devices through 0.32-09c place admin cr ...)
NOT-FOR-US: Nortek Linear eMerge E3-Series devices
@@ -86438,7 +86490,7 @@ CVE-2022-26023 (A leftover debug code vulnerability exists in the console verify
NOT-FOR-US: InHand Networks InRouter302
CVE-2022-1715 (Account Takeover in GitHub repository neorazorx/facturascripts prior t ...)
NOT-FOR-US: neorazorx/facturascripts
-CVE-2022-1714 (Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prio ...)
+CVE-2022-1714 (Out-of-bounds Read in GitHub repository radareorg/radare2 prior to 5.7 ...)
- radare2 <unfixed> (bug #1014478)
NOTE: https://huntr.dev/bounties/1c22055b-b015-47a8-a57b-4982978751d0
NOTE: https://github.com/radareorg/radare2/commit/3ecdbf8e21186a9c5a4d3cfa3b1e9fd27045340e
@@ -89017,7 +89069,7 @@ CVE-2022-1513 (A potential vulnerability was reported in Lenovo PCManager prior
NOT-FOR-US: Lenovo
CVE-2022-1512 (The ScrollReveal.js Effects WordPress plugin through 1.2 does not sani ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1511 (Improper Access Control in GitHub repository snipe/snipe-it prior to 5 ...)
+CVE-2022-1511 (Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4 ...)
- snipe-it <itp> (bug #1005172)
CVE-2022-1510 (An issue has been discovered in GitLab affecting all versions starting ...)
- gitlab 15.10.8+ds1-2
@@ -92607,7 +92659,7 @@ CVE-2022-1240 (Heap buffer overflow in libr/bin/format/mach0/mach0.c in GitHub r
NOTE: https://github.com/radareorg/radare2/commit/ca8d8b39f3e34a4fd943270330b80f1148129de4
CVE-2022-1239 (The HubSpot WordPress plugin before 8.8.15 does not validate the proxy ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1238 (Heap-based Buffer Overflow in libr/bin/format/ne/ne.c in GitHub reposi ...)
+CVE-2022-1238 (Out-of-bounds Write in libr/bin/format/ne/ne.c in GitHub repository ra ...)
- radare2 <unfixed> (bug #1014478)
NOTE: https://huntr.dev/bounties/47422cdf-aad2-4405-a6a1-6f63a3a93200
NOTE: https://github.com/radareorg/radare2/commit/c40a4f9862104ede15d0ba05ccbf805923070778
@@ -97907,7 +97959,7 @@ CVE-2022-0934 (A single-byte, non-arbitrary write/use-after-free flaw was found
NOTE: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39 (v2.87rc1)
CVE-2022-0933
RESERVED
-CVE-2022-0932 (Improper Authorization in GitHub repository saleor/saleor prior to 3.1 ...)
+CVE-2022-0932 (Missing Authorization in GitHub repository saleor/saleor prior to 3.1. ...)
NOT-FOR-US: saleor
CVE-2022-0931
RESERVED
@@ -98201,7 +98253,7 @@ CVE-2022-26779 (Apache CloudStack prior to 4.16.1.0 used insecure random number
NOT-FOR-US: Apache CloudStack
CVE-2022-0906 (Unrestricted file upload leads to stored XSS in GitHub repository micr ...)
NOT-FOR-US: microweber
-CVE-2022-0905 (Improper Authorization in GitHub repository go-gitea/gitea prior to 1. ...)
+CVE-2022-0905 (Missing Authorization in GitHub repository go-gitea/gitea prior to 1.1 ...)
- gitea <removed>
CVE-2022-0904 (A stack overflow bug in the document extractor in Mattermost Server in ...)
- mattermost-server <itp> (bug #823556)
@@ -98871,7 +98923,7 @@ CVE-2022-26019 (Improper access control vulnerability in pfSense CE and pfSense
NOT-FOR-US: pfSense
CVE-2022-24299 (Improper input validation vulnerability in pfSense CE and pfSense Plus ...)
NOT-FOR-US: pfSense
-CVE-2022-0871 (Improper Authorization in GitHub repository gogs/gogs prior to 0.12.5.)
+CVE-2022-0871 (Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5.)
NOT-FOR-US: Go Git Service
CVE-2022-0870 (Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prio ...)
NOT-FOR-US: Go Git Service
@@ -100859,9 +100911,9 @@ CVE-2022-0758 (Rapid7 Nexpose versions 6.6.129 and earlier suffer from a reflect
NOT-FOR-US: Rapid7 Nexpose
CVE-2022-0757 (Rapid7 Nexpose versions 6.6.93 and earlier are susceptible to an SQL I ...)
NOT-FOR-US: Rapid7 Nexpose
-CVE-2022-0756 (Improper Authorization in GitHub repository salesagility/suitecrm prio ...)
+CVE-2022-0756 (Missing Authorization in GitHub repository salesagility/suitecrm prior ...)
NOT-FOR-US: SuiteCRM
-CVE-2022-0755 (Improper Access Control in GitHub repository salesagility/suitecrm pri ...)
+CVE-2022-0755 (Missing Authorization in GitHub repository salesagility/suitecrm prior ...)
NOT-FOR-US: SuiteCRM
CVE-2022-0754 (SQL Injection in GitHub repository salesagility/suitecrm prior to 7.12 ...)
NOT-FOR-US: SuiteCRM
@@ -101346,7 +101398,7 @@ CVE-2022-0728 (The Easy Smooth Scroll Links WordPress plugin before 2.23.1 does
NOT-FOR-US: WordPress plugin
CVE-2022-0727 (Improper Access Control in GitHub repository chocobozzz/peertube prior ...)
- peertube <itp> (bug #950821)
-CVE-2022-0726 (Improper Authorization in GitHub repository chocobozzz/peertube prior ...)
+CVE-2022-0726 (Missing Authorization in GitHub repository chocobozzz/peertube prior t ...)
- peertube <itp> (bug #950821)
CVE-2022-0725 (A flaw was found in keepass. The vulnerability occurs due to logging t ...)
NOTE: Non-issue, broken report against keepass2, couldn't be reproduced with
@@ -102927,7 +102979,7 @@ CVE-2022-0598 (The Login with phone number WordPress plugin before 1.3.8 does no
NOT-FOR-US: WordPress plugin
CVE-2022-0597 (Open Redirect in Packagist microweber/microweber prior to 1.2.11.)
NOT-FOR-US: microweber
-CVE-2022-0596 (Business Logic Errors in Packagist microweber/microweber prior to 1.2. ...)
+CVE-2022-0596 (Improper Validation of Specified Quantity in Input in Packagist microw ...)
NOT-FOR-US: microweber
CVE-2022-0595 (The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 ...)
NOT-FOR-US: WordPress plugin
@@ -116826,7 +116878,7 @@ CVE-2022-21949 (A Improper Restriction of XML External Entity Reference vulnerab
NOTE: https://github.com/coolo/xmlhash/commit/544e614e2674ad26b97a234baa013723c829b751 (1.3.8)
CVE-2022-21948 (An Improper Neutralization of Input During Web Page Generation ('Cross ...)
NOT-FOR-US: OpenSuSE paste
-CVE-2022-21947 (A Improper Access Control vulnerability in Rancher Desktop of SUSE all ...)
+CVE-2022-21947 (A Exposure of Resource to Wrong Sphere vulnerability in Rancher Deskto ...)
NOT-FOR-US: Rancher
CVE-2022-21946 (A Incorrect Permission Assignment for Critical Resource vulnerability ...)
NOT-FOR-US: SUSE cscreen
@@ -482804,8 +482856,8 @@ CVE-2015-1315 (Buffer overflow in the charset_to_intern function in unix/unix.c
- unzip <not-affected> (*-unzip60-alt-iconv-utf8 patch not applied in Debian)
CVE-2015-1314 (The USAA Mobile Banking application before 7.10.1 for Android displays ...)
NOT-FOR-US: USAA Mobile Banking application for Android
-CVE-2015-1313
- RESERVED
+CVE-2015-1313 (JetBrains TeamCity 8 and 9 before 9.0.2 allows bypass of account-creat ...)
+ TODO: check
CVE-2015-1312 (The Dealer Portal in SAP ERP does not properly restrict access, which ...)
NOT-FOR-US: SAP
CVE-2015-1311 (The Extended Application Services (XS) in SAP HANA allows remote attac ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1b0290c3f83f4ce8d43afa572871ace04bcffeb
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1b0290c3f83f4ce8d43afa572871ace04bcffeb
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230629/dd597a36/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list