[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Nov 23 08:12:12 GMT 2023 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7338ce99 by security tracker role at 2023-11-23T08:12:01+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,4 +1,74 @@
-CVE-2023-48706 [heap-use-after-free in ex_substitute]
+CVE-2023-49146 (DOMSanitizer (aka dom-sanitizer) before 1.0.7 allows XSS via an SVG do ...)
+	TODO: check
+CVE-2023-49102 (NZBGet 21.1 allows authenticated remote code execution because the una ...)
+	TODO: check
+CVE-2023-48107 (Buffer Overflow vulnerability in zlib-ng minizip-ng v.4.0.2 allows an  ...)
+	TODO: check
+CVE-2023-48105 (An heap overflow vulnerability was discovered in Bytecode alliance was ...)
+	TODO: check
+CVE-2023-47839 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47835 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47834 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47833 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47831 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47829 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47821 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47817 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47816 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47815 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47814 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47813 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47812 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47811 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47810 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47809 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47808 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47790 (Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS ...)
+	TODO: check
+CVE-2023-47786 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47773 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47768 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47767 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47766 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-47668 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
+	TODO: check
+CVE-2023-44290 (Dell Command | Monitor versions prior to 10.10.0, contain an improper  ...)
+	TODO: check
+CVE-2023-44289 (Dell Command | Configure versions prior to 4.11.0, contain an improper ...)
+	TODO: check
+CVE-2023-43086 (Dell Command | Configure, versions prior to 4.11.0, contains an improp ...)
+	TODO: check
+CVE-2023-41140 (A maliciously crafted PRT file when parsed through Autodesk AutoCAD 20 ...)
+	TODO: check
+CVE-2023-41139 (A maliciously crafted STP file when parsed through Autodesk AutoCAD 20 ...)
+	TODO: check
+CVE-2023-40002 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
+	TODO: check
+CVE-2023-39253 (Dell OS Recovery Tool, versions 2.2.4013, 2.3.7012.0, and 2.3.7515.0 c ...)
+	TODO: check
+CVE-2023-48706 (Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-a ...)
 	- vim <unfixed> (unimportant)
 	NOTE: https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q
 	NOTE: Fixed by: https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf8 (v9.0.2121)
@@ -1310,9 +1380,9 @@ CVE-2023-39199 (Cryptographic issues with In-Meeting Chat for some Zoom clients
 	NOT-FOR-US: Zoom
 CVE-2023-38544 (A logged in user can modify specific files that may lead to unauthoriz ...)
 	NOT-FOR-US: Ivanti
-CVE-2023-38543 (When a specific component is loaded a local attacker and is able to se ...)
+CVE-2023-38543 (A vulnerability exists on all versions of the Ivanti Secure Access Cli ...)
 	NOT-FOR-US: Ivanti
-CVE-2023-38043 (When a specific component is loaded a local attacker and is able to se ...)
+CVE-2023-38043 (A vulnerability exists on all versions of the Ivanti Secure Access Cli ...)
 	NOT-FOR-US: Ivanti
 CVE-2023-36558 (ASP.NET Core - Security Feature Bypass Vulnerability)
 	NOT-FOR-US: Microsoft
@@ -30024,8 +30094,7 @@ CVE-2023-30582
 	RESERVED
 	- nodejs <not-affected> (Vulnerable code introduced in 20.x)
 	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#fswatchfile-bypass-in-experimental-permission-model-medium-cve-2023-30582
-CVE-2023-30581
-	RESERVED
+CVE-2023-30581 (The use of __proto__ in process.mainModule.__proto__.require() can byp ...)
 	- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
 	[buster] - nodejs <not-affected> (v10.x doesn't support policy manifests)
 	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#mainmoduleproto-bypass-experimental-policy-mechanism-high-cve-2023-30581
@@ -34452,14 +34521,14 @@ CVE-2023-29078
 	REJECTED
 CVE-2023-29077
 	RESERVED
-CVE-2023-29076
-	RESERVED
-CVE-2023-29075
-	RESERVED
-CVE-2023-29074
-	RESERVED
-CVE-2023-29073
-	RESERVED
+CVE-2023-29076 (A maliciously crafted MODEL, SLDASM, SAT or CATPART file when parsed t ...)
+	TODO: check
+CVE-2023-29075 (A maliciously crafted PRT file when parsed through Autodesk AutoCAD 20 ...)
+	TODO: check
+CVE-2023-29074 (A maliciously crafted CATPART file when parsed through Autodesk AutoCA ...)
+	TODO: check
+CVE-2023-29073 (A maliciously crafted MODEL file when parsed through Autodesk AutoCAD  ...)
+	TODO: check
 CVE-2023-29072
 	RESERVED
 CVE-2023-29071
@@ -35477,8 +35546,8 @@ CVE-2023-28813
 	RESERVED
 CVE-2023-28812
 	RESERVED
-CVE-2023-28811
-	RESERVED
+CVE-2023-28811 (There is a buffer overflow in the password recovery feature of Hikvisi ...)
+	TODO: check
 CVE-2023-28810 (Some access control/intercom products have unauthorized modification o ...)
 	NOT-FOR-US: hikvison
 CVE-2023-28809 (Some access control products are vulnerable to a session hijacking att ...)
@@ -39845,9 +39914,9 @@ CVE-2023-1165 (A vulnerability was found in Zhong Bang CRMEB Java 1.3.4. It has
 	NOT-FOR-US: Zhong Bang CRMEB Java
 CVE-2023-1164 (A vulnerability was found in KylinSoft kylin-activation on KylinOS and ...)
 	NOT-FOR-US: KylinSoft
-CVE-2023-1163 (A vulnerability has been found in DrayTek Vigor 2960 1.5.1.4 and class ...)
+CVE-2023-1163 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability has been found in Dray ...)
 	NOT-FOR-US: DrayTek Vigor 2960
-CVE-2023-1162 (A vulnerability, which was classified as critical, was found in DrayTe ...)
+CVE-2023-1162 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified  ...)
 	NOT-FOR-US: DrayTek Vigor 2960
 CVE-2023-1161 (ISO 15765 and ISO 10681 dissector crash in Wireshark 4.0.0 to 4.0.3 an ...)
 	{DSA-5429-1 DLA-3402-1}
@@ -42502,7 +42571,7 @@ CVE-2023-1011 (The AI ChatBot WordPress plugin before 4.4.5 does not escape most
 	NOT-FOR-US: WordPress plugin
 CVE-2023-1010 (A vulnerability classified as critical was found in vox2png 1.0. Affec ...)
 	NOT-FOR-US: vox2png
-CVE-2023-1009 (A vulnerability classified as problematic has been found in DrayTek Vi ...)
+CVE-2023-1009 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical ...)
 	NOT-FOR-US: DrayTek Vigor 2960
 CVE-2023-1008 (A vulnerability was found in Twister Antivirus 8.17. It has been rated ...)
 	NOT-FOR-US: Twister Antivirus
@@ -50217,8 +50286,8 @@ CVE-2023-23980 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i
 	NOT-FOR-US: WordPress plugin
 CVE-2023-23979 (Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Fullworks Q ...)
 	NOT-FOR-US: WordPress plugin
-CVE-2023-23978
-	RESERVED
+CVE-2023-23978 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
+	TODO: check
 CVE-2023-23977 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2023-23976



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7338ce997d412d7b8f50d3baaf8d2d7077ee6061

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7338ce997d412d7b8f50d3baaf8d2d7077ee6061
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20231123/45c0d2fa/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list