[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue Nov 28 20:14:06 GMT 2023



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7f6af1c1 by security tracker role at 2023-11-28T20:13:45+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,4 +1,46 @@
-CVE-2023-46589 [HTTP request smuggling via malformed trailer headers]
+CVE-2023-6359 (A Cross-Site Scripting (XSS) vulnerability has been found in Alumne LM ...)
+	TODO: check
+CVE-2023-6239 (Improperly calculated effective permissions in M-Files Server versions ...)
+	TODO: check
+CVE-2023-6201 (Improper Neutralization of Special Elements used in an OS Command ('OS ...)
+	TODO: check
+CVE-2023-6151 (Improper Privilege Management vulnerability in ESKOM Computer e-munici ...)
+	TODO: check
+CVE-2023-6150 (Improper Privilege Management vulnerability in ESKOM Computer e-munici ...)
+	TODO: check
+CVE-2023-49314 (Asana Desktop 2.1.0 on macOS allows code injection because of specific ...)
+	TODO: check
+CVE-2023-49313 (A dylib injection vulnerability in XMachOViewer 0.04 allows attackers  ...)
+	TODO: check
+CVE-2023-49078 (raptor-web is a CMS for game server communities that can be used to ho ...)
+	TODO: check
+CVE-2023-49062 (Katran could disclose non-initialized kernel memory as part of an IP h ...)
+	TODO: check
+CVE-2023-48848 (An arbitrary file read vulnerability in ureport v2.2.9 allows a remote ...)
+	TODO: check
+CVE-2023-48121 (An authentication bypass vulnerability in the Direct Connection Module ...)
+	TODO: check
+CVE-2023-48042 (Amazzing Filter for Prestashop through 3.2.2 is vulnerable to Cross-Si ...)
+	TODO: check
+CVE-2023-45539 (HAProxy before 2.8.2 accepts # as part of the URI component, which mig ...)
+	TODO: check
+CVE-2023-45286 (A race condition in go-resty can result in HTTP request body disclosur ...)
+	TODO: check
+CVE-2023-42505 (An authenticated user with read permissions on database connections me ...)
+	TODO: check
+CVE-2023-42504 (An authenticated malicious user could initiate multiple concurrent req ...)
+	TODO: check
+CVE-2023-42502 (An authenticated attacker with update datasets permission could change ...)
+	TODO: check
+CVE-2023-42004 (IBM Security Guardium 11.3, 11.4, and 11.5 is potentially vulnerable t ...)
+	TODO: check
+CVE-2023-41264 (Netwrix Usercube before 6.0.215, in certain misconfigured on-premises  ...)
+	TODO: check
+CVE-2023-40056 (SQL Injection Remote Code Vulnerability was found in the SolarWinds Pl ...)
+	TODO: check
+CVE-2023-34055 (In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5,  ...)
+	TODO: check
+CVE-2023-46589 (Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 1 ...)
 	- tomcat10 <unfixed>
 	- tomcat9 9.0.70-2
 	- tomcat8 <removed>
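Review bot: In the last changed line of this hunk, CVE-2023-46589 loses its working title "HTTP request smuggling via malformed trailer headers", and the truncated replacement ("Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 1 ...") no longer says what the bug is, while tomcat10 is still <unfixed> directly below it. Suggest keeping the request smuggling summary in a NOTE line under the entry so the open tomcat10 item stays readable. Separately, all 21 entries added above it carry only "TODO: check"; CVE-2023-45539 names a versioned upstream release (HAProxy before 2.8.2), so it can be resolved to a package line with a fixed version or a NOT-FOR-US early rather than waiting in the batch.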
@@ -112,7 +154,7 @@ CVE-2023-32063 (OroCalendarBundle enables a Calendar feature and related functio
 	NOT-FOR-US: OroCalendarBundle
 CVE-2023-32062 (OroPlatform is a package that assists system and user calendar managem ...)
 	NOT-FOR-US: OroPlatform
-CVE-2023-6329 ([PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATF ...)
+CVE-2023-6329 (An authentication bypass vulnerability exists in Control iD iDSecure v ...)
 	NOT-FOR-US: Control iD iDSecure
 CVE-2023-6287 (Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before ...)
 	- check-mk <removed>
@@ -1083,7 +1125,7 @@ CVE-2023-48017 (Dreamer_cms 4.1.3 is vulnerable to Cross Site Request Forgery (C
 	NOT-FOR-US: Dreamer CMS
 CVE-2023-46745 (LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitorin ...)
 	NOT-FOR-US: LibreNMS
-CVE-2023-46402 (git-urls version 1.0.1 is vulnerable to ReDOS (Regular Expression Deni ...)
+CVE-2023-46402 (git-urls 1.0.0 allows ReDOS (Regular Expression Denial of Service) in  ...)
 	NOT-FOR-US: git-urls
 CVE-2023-44796 (Cross Site Scripting (XSS) vulnerability in LimeSurvey before version  ...)
 	- limesurvey <itp> (bug #472802)
@@ -1615,7 +1657,7 @@ CVE-2023-5985 (A CWE-79 Improper Neutralization of Input During Web Page Generat
 	NOT-FOR-US: Schneider Electric
 CVE-2023-5984 (A CWE-494 Download of Code Without Integrity Check vulnerability exist ...)
 	NOT-FOR-US: Schneider Electric
-CVE-2023-5981 [ttiming side-channel inside RSA-PSK key exchange]
+CVE-2023-5981 (A vulnerability was found that the response times to malformed ciphert ...)
 	{DLA-3660-1}
 	- gnutls28 <unfixed> (bug #1056188)
 	[bookworm] - gnutls28 <no-dsa> (Minor issue; can be fixed via point release)
@@ -8361,7 +8403,7 @@ CVE-2023-45360 (An issue was discovered in MediaWiki before 1.35.12, 1.36.x thro
 	[buster] - mediawiki <no-dsa> (Minor issue: prior to 1.32 any sysop could edit sitewide CSS/JS anyway)
 	NOTE: https://phabricator.wikimedia.org/T340221
 CVE-2023-45362 (An issue was discovered in DifferenceEngine.php in MediaWiki before 1. ...)
-	{DSA-5520-1}
+	{DSA-5520-1 DLA-3671-1}
 	- mediawiki 1:1.39.5-1
 	NOTE: https://phabricator.wikimedia.org/T341529
 CVE-2023-45361
@@ -8514,7 +8556,7 @@ CVE-2023-45364 (An issue was discovered in includes/page/Article.php in MediaWik
 	[buster] - mediawiki <not-affected> (Vulnerable code not present)
 	NOTE: https://phabricator.wikimedia.org/T264765
 CVE-2023-45363 (An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, ...)
-	{DSA-5520-1}
+	{DSA-5520-1 DLA-3671-1}
 	- mediawiki 1:1.39.5-1
 	NOTE: https://phabricator.wikimedia.org/T333050
 CVE-2023-45356 (Atos Unify OpenScape 4000 Platform V10 R1 before Hotfix V10 R1.42.2 40 ...)
@@ -10882,7 +10924,7 @@ CVE-2023-40163 (An out-of-bounds write vulnerability exists in the allocate_buff
 CVE-2023-3664 (The FileOrganizer WordPress plugin through 1.0.2 does not restrict fun ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2023-3550 (Mediawiki v1.40.0 does not validate namespaces used in XML files.  The ...)
-	{DSA-5520-1}
+	{DSA-5520-1 DLA-3671-1}
 	- mediawiki 1:1.39.5-1
 	NOTE: https://phabricator.wikimedia.org/T341565
 CVE-2023-3547 (The All in One B2B for WooCommerce WordPress plugin through 1.0.3 does ...)
@@ -19221,7 +19263,7 @@ CVE-2023-37361 (REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via
 	NOT-FOR-US: REDCap
 CVE-2023-35088 (Improper Neutralization of Special Elements Used in an SQL Command ('S ...)
 	NOT-FOR-US: Apache InLong
-CVE-2023-35078 (Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, throu ...)
+CVE-2023-35078 (An authentication bypass vulnerability in Ivanti EPMM allows unauthori ...)
 	NOT-FOR-US: Ivanti
 CVE-2023-35067 (Plaintext Storage of a Password vulnerability in Infodrom Software E-I ...)
 	NOT-FOR-US: Infodrom
@@ -30500,8 +30542,7 @@ CVE-2023-30592
 	RESERVED
 CVE-2023-30591 (Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated attacker ...)
 	NOT-FOR-US: NodeBB
-CVE-2023-30590
-	RESERVED
+CVE-2023-30590 (The generateKeys() API function returned from crypto.createDiffieHellm ...)
 	- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
 	[buster] - nodejs <postponed> (minor issue - Inconsistency Between Implementation and Documented Design)
 	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590
@@ -30514,8 +30555,7 @@ CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not st
 	NOTE: https://hackerone.com/reports/2001873
 	NOTE: https://github.com/advisories/GHSA-cggh-pq45-6h9x
 	NOTE: Fixed by: https://github.com/nodejs/node/commit/e42ff4b0180f4e0f5712364dd6ea015559640152 (v16.x)
-CVE-2023-30588
-	RESERVED
+CVE-2023-30588 (When an invalid public key is used to create an x509 certificate using ...)
 	- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
 	[buster] - nodejs <not-affected> (X509Certificate API introduced later)
 	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#process-interuption-due-to-invalid-public-key-information-in-x509-certificates-medium-cve-2023-30588
@@ -35002,8 +35042,8 @@ CVE-2023-29062
 	RESERVED
 CVE-2023-29061
 	RESERVED
-CVE-2023-29060
-	RESERVED
+CVE-2023-29060 (The FACSChorus\xe2\u201e\xa2 workstation operating system does not res ...)
+	TODO: check
 CVE-2023-1764 (Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5 ...)
 	NOT-FOR-US: Canon
 CVE-2023-1763 (Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5 ...)
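Review bot: The added description for CVE-2023-29060 contains the literal escape text "\xe2\u201e\xa2" after "FACSChorus", which is what a UTF-8 trademark sign (bytes e2 84 a2) looks like after being decoded with a single-byte code page and then escaped. The fix belongs in the step of the automatic update that imports descriptions: decode the feed as UTF-8 before truncating and writing the line. The entry is "TODO: check", so triage is not blocked, but the garbled string makes the product name harder to match in text searches.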
@@ -79862,8 +79902,8 @@ CVE-2022-41680 (Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQ
 	NOT-FOR-US: Forma LMS
 CVE-2022-41679 (Forma LMS version 3.1.0 and earlier are affected by an Cross-Site scri ...)
 	NOT-FOR-US: Forma LMS
-CVE-2022-41678
-	RESERVED
+CVE-2022-41678 (Once an user is authenticated on Jolokia, he can potentially trigger a ...)
+	TODO: check
 CVE-2022-41677
 	RESERVED
 CVE-2022-41658 (Insecure inherited permissions in the Intel(R) VTune(TM) Profiler soft ...)
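Review bot: CVE-2022-41678 moves from RESERVED to "TODO: check" with a truncated description that names only Jolokia ("Once an user is authenticated on Jolokia, he can potentially trigger a ..."), so the affected product cannot be determined from this line. Whoever resolves the TODO should read the full CVE record rather than classify on the visible text, then record either the affected source package or a NOT-FOR-US with the product name, as the neighbouring Forma LMS entries do.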



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f6af1c1efc8b09411f21f091907747c778509ed
