[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed Oct 25 09:12:53 BST 2023
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9c7b5268 by security tracker role at 2023-10-25T08:12:36+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,103 @@
+CVE-2023-5758 (When opening a page in reader mode, the redirect URL could have caused ...)
+ TODO: check
+CVE-2023-5752 (When installing a package from a Mercurial VCS URL (ie "pip install ...)
+ TODO: check
+CVE-2023-5311 (The WP EXtra plugin for WordPress is vulnerable to unauthorized modifi ...)
+ TODO: check
+CVE-2023-4608 (An authenticated XCC user with elevated privileges can perform blind S ...)
+ TODO: check
+CVE-2023-4607 (An authenticated XCC user can change permissions for any user through ...)
+ TODO: check
+CVE-2023-4606 (An authenticated XCC user with Read-Only permission can change a diffe ...)
+ TODO: check
+CVE-2023-46574 (An issue in TOTOLINK A3700R v.9.1.2u.6165_20211012 allows a remote att ...)
+ TODO: check
+CVE-2023-46358 (In the module "Referral and Affiliation Program" (referralbyphone) ver ...)
+ TODO: check
+CVE-2023-46347 (In the module "Step by Step products Pack" (ndk_steppingpack) version ...)
+ TODO: check
+CVE-2023-46346 (In the module "Product Catalog (CSV, Excel, XML) Export PRO" (exportpr ...)
+ TODO: check
+CVE-2023-46158 (IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 co ...)
+ TODO: check
+CVE-2023-46136 (Werkzeug is a comprehensive WSGI web application library. If an upload ...)
+ TODO: check
+CVE-2023-46135 (rs-stellar-strkey is a Rust lib for encode/decode of Stellar Strkeys. ...)
+ TODO: check
+CVE-2023-46126 (Fides is an open-source privacy engineering platform for managing the ...)
+ TODO: check
+CVE-2023-46125 (Fides is an open-source privacy engineering platform for managing the ...)
+ TODO: check
+CVE-2023-46124 (Fides is an open-source privacy engineering platform for managing the ...)
+ TODO: check
+CVE-2023-46123 (jumpserver is an open source bastion machine, professional operation a ...)
+ TODO: check
+CVE-2023-46120 (The RabbitMQ Java client library allows Java and JVM-based application ...)
+ TODO: check
+CVE-2023-46119 (Parse Server is an open source backend that can be deployed to any inf ...)
+ TODO: check
+CVE-2023-46118 (RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API ...)
+ TODO: check
+CVE-2023-45555 (File Upload vulnerability in zzzCMS v.2.1.9 allows a remote attacker t ...)
+ TODO: check
+CVE-2023-45554 (File Upload vulnerability in zzzCMS v.2.1.9 allows a remote attacker t ...)
+ TODO: check
+CVE-2023-44794 (An issue in Dromara SaToken version 1.36.0 and before allows a remote ...)
+ TODO: check
+CVE-2023-44769 (A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 ...)
+ TODO: check
+CVE-2023-44767 (A File upload vulnerability in RiteCMS 3.0 allows a local attacker to ...)
+ TODO: check
+CVE-2023-43961 (An issue in Dromara SaToken version 1.3.50RC and before when using Spr ...)
+ TODO: check
+CVE-2023-43795 (GeoServer is an open source software server written in Java that allow ...)
+ TODO: check
+CVE-2023-43360 (Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a ...)
+ TODO: check
+CVE-2023-41721 (Instances of UniFi Network Application that (i) are run on a UniFi Gat ...)
+ TODO: check
+CVE-2023-41339 (GeoServer is an open source software server written in Java that allow ...)
+ TODO: check
+CVE-2023-3112 (A vulnerability was reported in Elliptic Labs Virtual Lock Sensor for ...)
+ TODO: check
+CVE-2023-39930 (A first-factor authentication bypass vulnerability exists in the PingF ...)
+ TODO: check
+CVE-2023-39740 (The leakage of the client secret in Onigiriya-musubee Line 13.6.1 allo ...)
+ TODO: check
+CVE-2023-39739 (The leakage of the client secret in REGINA SWEETS&BAKERY Line 13.6.1 a ...)
+ TODO: check
+CVE-2023-39737 (The leakage of the client secret in Matsuya Line 13.6.1 allows attacke ...)
+ TODO: check
+CVE-2023-39736 (The leakage of the client secret in Fukunaga_memberscard Line 13.6.1 a ...)
+ TODO: check
+CVE-2023-39735 (The leakage of the client secret in Uomasa_Saiji_news Line 13.6.1 allo ...)
+ TODO: check
+CVE-2023-39734 (The leakage of the client secret in VISION MEAT WORKS TrackDiner10/10_ ...)
+ TODO: check
+CVE-2023-39733 (The leakage of the client secret in TonTon-Tei Line v13.6.1 allows att ...)
+ TODO: check
+CVE-2023-39732 (The leakage of the client secret in Tokueimaru_waiting Line 13.6.1 all ...)
+ TODO: check
+CVE-2023-39219 (PingFederate Administrative Console dependency contains a weakness whe ...)
+ TODO: check
+CVE-2023-38041 (A logged in user may elevate its permissions by abusing a Time-of-Chec ...)
+ TODO: check
+CVE-2023-37283 (Under a very specific and highly unrecommended configuration, authenti ...)
+ TODO: check
+CVE-2023-36085 (The sisqualWFM 7.1.319.103 thru 7.1.319.111 for Android, has a host he ...)
+ TODO: check
+CVE-2023-34085 (When an AWS DynamoDB table is used for user attribute storage, it is p ...)
+ TODO: check
+CVE-2023-34056 (vCenter Server contains a partial information disclosure vulnerability ...)
+ TODO: check
+CVE-2023-34048 (vCenter Server contains an out-of-bounds write vulnerability in the im ...)
+ TODO: check
+CVE-2023-31582 (jose4j before v0.9.3 allows attackers to set a low iteration count of ...)
+ TODO: check
+CVE-2023-31581 (Dromara Sureness before v1.0.8 was discovered to use a hardcoded key.)
+ TODO: check
+CVE-2023-31580 (light-oauth2 before version 2.1.27 obtains the public key without any ...)
+ TODO: check
CVE-2023-5574 [Use-after-free bug in DamageDestroy]
- xorg-server <unfixed>
[bookworm] - xorg-server <no-dsa> (Minor issue)
@@ -1026,7 +1126,7 @@ CVE-2023-5632 (In Eclipse Mosquito before and including 2.0.5, establishing a co
NOTE: https://github.com/eclipse/mosquitto/pull/2053
NOTE: https://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d (v2.0.6)
CVE-2023-5631 (Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 al ...)
- {DSA-5531-1}
+ {DSA-5531-1 DLA-3630-1}
- roundcube 1.6.4+dfsg-1 (bug #1054079)
NOTE: https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d (1.6.4)
CVE-2023-4601 (A stack-based buffer overflow vulnerability exists in NI System Config ...)
@@ -1103,7 +1203,7 @@ CVE-2023-32088 (Pega Platform versions 8.1 to Infinity 23.1.0 are affected by an
NOT-FOR-US: Pega Platform
CVE-2023-32087 (Pega Platform versions 8.1 to Infinity 23.1.0 are affected by an XSS i ...)
NOT-FOR-US: Pega Platform
-CVE-2023-5568 [Heap buffer overflow with freshness tokens in the Heimdal KDC in Samba 4.19]
+CVE-2023-5568 (A heap-based Buffer Overflow flaw was discovered in Samba. It could al ...)
- samba 2:4.19.2+dfsg-1
[bookworm] - samba <not-affected> (Vulnerable code introduced later)
[bullseye] - samba <not-affected> (Vulnerable code introduced later)
@@ -4543,6 +4643,7 @@ CVE-2023-42114 [Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vu
NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4
NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
CVE-2023-40476 [Integer overflow in H.265 video parser leading to stack overwrite]
+ {DSA-5533-1}
- gst-plugins-bad1.0 <unfixed> (bug #1053259)
- gst-plugins-bad0.10 <removed>
NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0008.html
@@ -4550,6 +4651,7 @@ CVE-2023-40476 [Integer overflow in H.265 video parser leading to stack overwrit
NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ff91a3d8d6f7e2412c44663bf30fad5c7fdbc9d9
NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fddda166222a067d0e511950a0a8cfb9f5a521b7 (1.22.6)
CVE-2023-40475 [Integer overflow leading to heap overwrite in MXF file handling with AES3 audio]
+ {DSA-5533-1}
- gst-plugins-bad1.0 <unfixed> (bug #1053260)
- gst-plugins-bad0.10 <removed>
NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0007.html
@@ -4557,6 +4659,7 @@ CVE-2023-40475 [Integer overflow leading to heap overwrite in MXF file handling
NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/72742dee30cce7bf909639f82de119871566ce39
NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1edd1c38dcc5d27e7c5649d999ee8278872a16d4 (1.22.6)
CVE-2023-40474 [Integer overflow leading to heap overwrite in MXF file handling with uncompressed video]
+ {DSA-5533-1}
- gst-plugins-bad1.0 <unfixed> (bug #1053261)
- gst-plugins-bad0.10 <removed>
NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0006.html
@@ -8516,7 +8619,7 @@ CVE-2023-4624 (Server-Side Request Forgery (SSRF) in GitHub repository bookstack
NOT-FOR-US: bookstack
CVE-2023-4600 (The AffiliateWP for WordPress is vulnerable to unauthorized modificati ...)
NOT-FOR-US: AffiliateWP for WordPress
-CVE-2023-4571 (In Splunk IT Service Intelligence (ITSI) versions below below 4.13.3, ...)
+CVE-2023-4571 (In Splunk IT Service Intelligence (ITSI) versions below 4.13.3 or 4.15 ...)
NOT-FOR-US: Splunk
CVE-2023-4209 (The POEditor WordPress plugin before 0.9.8 does not have CSRF checks i ...)
NOT-FOR-US: WordPress plugin
@@ -12850,7 +12953,7 @@ CVE-2023-4010 (A flaw was found in the USB Host Controller Driver framework in t
- linux <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2227726
NOTE: https://github.com/wanrenmi/a-usb-kernel-bug
-CVE-2023-3997 (Splunk SOAR versions lower than 6.1.0 are indirectly affected by a pot ...)
+CVE-2023-3997 (Splunk SOAR versions 6.0.2 and earlier are indirectly affected by a po ...)
NOT-FOR-US: Splunk SOAR
CVE-2023-3983 (An authenticated SQL injection vulnerability exists in Advantech iView ...)
NOT-FOR-US: Advantech iView
@@ -26555,8 +26658,8 @@ CVE-2023-29975
RESERVED
CVE-2023-29974
RESERVED
-CVE-2023-29973
- RESERVED
+CVE-2023-29973 (Pfsense CE version 2.6.0 is vulnerable to No rate limit which can lead ...)
+ TODO: check
CVE-2023-29972
RESERVED
CVE-2023-29971
@@ -38155,8 +38258,8 @@ CVE-2023-26221
RESERVED
CVE-2023-26220 (The Spotfire Library component of TIBCO Software Inc.'s Spotfire Analy ...)
NOT-FOR-US: TIBCO
-CVE-2023-26219
- RESERVED
+CVE-2023-26219 (The Hawk Console and Hawk Agent components of TIBCO Software Inc.'s TI ...)
+ TODO: check
CVE-2023-26218 (The Web Client component of TIBCO Software Inc.'s TIBCO Nimbus contain ...)
NOT-FOR-US: TIBCO
CVE-2023-26217 (The Data Exchange Add-on component of TIBCO Software Inc.'s TIBCO EBX ...)
@@ -45723,8 +45826,8 @@ CVE-2023-23769
RESERVED
CVE-2023-23768
RESERVED
-CVE-2023-23767
- RESERVED
+CVE-2023-23767 (Incorrect Permission Assignment for Critical Resource in GitHub Enterp ...)
+ TODO: check
CVE-2023-23766 (An incorrect comparison vulnerability was identified in GitHub Enterpr ...)
NOT-FOR-US: Github Enterprise Server
CVE-2023-23765 (An incorrect comparison vulnerability was identified in GitHub Enterpr ...)
@@ -68066,10 +68169,10 @@ CVE-2022-3701
RESERVED
CVE-2022-3700
RESERVED
-CVE-2022-3699
- RESERVED
-CVE-2022-3698
- RESERVED
+CVE-2022-3699 (A privilege escalation vulnerability was reported in the Lenovo Hardwa ...)
+ TODO: check
+CVE-2022-3698 (A denial of service vulnerability was reported in the Lenovo HardwareS ...)
+ TODO: check
CVE-2022-3697 (A flaw was found in Ansible in the amazon.aws collection when using th ...)
- ansible 7.0.0+dfsg-1
[bullseye] - ansible <no-dsa> (Minor issue)
@@ -125126,8 +125229,8 @@ CVE-2022-0355 (Improper Removal of Sensitive Information Before Storage or Trans
NOT-FOR-US: simple-get nodejs module
CVE-2022-0354 (A vulnerability was reported in Lenovo System Update that could allow ...)
NOT-FOR-US: Lenovo
-CVE-2022-0353
- RESERVED
+CVE-2022-0353 (A denial of service vulnerability was reported in the Lenovo HardwareS ...)
+ TODO: check
CVE-2021-4212 (A potential vulnerability in the SMI callback function used in the Leg ...)
NOT-FOR-US: Lenovo
CVE-2021-4211 (A potential vulnerability in the SMI callback function used in the SMB ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c7b5268a2cf19915ee1c3f0e67a7f6396b429dd
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c7b5268a2cf19915ee1c3f0e67a7f6396b429dd
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20231025/69bffd0b/attachment.htm>
More information about the debian-security-tracker-commits
mailing list