[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Mon Apr 22 21:12:28 BST 2024
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e395f3b2 by security tracker role at 2024-04-22T20:12:15+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,8 +1,92 @@
-CVE-2024-27349
+CVE-2024-4040 (VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1. ...)
+ TODO: check
+CVE-2024-4026 (Cross-Site Scripting (XSS) vulnerability in the Holded application. Th ...)
+ TODO: check
+CVE-2024-3645 (The Essential Addons for Elementor Pro plugin for WordPress is vulnera ...)
+ TODO: check
+CVE-2024-32691 (Missing Authorization vulnerability in realmag777 Active Products Tabl ...)
+ TODO: check
+CVE-2024-32688 (Missing Authorization vulnerability in Long Watch Studio MyRewards.Thi ...)
+ TODO: check
+CVE-2024-32687 (Missing Authorization vulnerability in WPClever WPC Frequently Bought ...)
+ TODO: check
+CVE-2024-32684 (Missing Authorization vulnerability in Wpmet Wp Ultimate Review.This i ...)
+ TODO: check
+CVE-2024-32682 (Missing Authorization vulnerability in BdThemes Prime Slider \u2013 Ad ...)
+ TODO: check
+CVE-2024-32681 (Missing Authorization vulnerability in BdThemes Prime Slider \u2013 Ad ...)
+ TODO: check
+CVE-2024-32407 (An issue in inducer relate before v.2024.1 allows a remote attacker to ...)
+ TODO: check
+CVE-2024-32405 (Cross Site Scripting vulnerability in inducer relate before v.2024.1 a ...)
+ TODO: check
+CVE-2024-32399 (Directory Traversal vulnerability in RaidenMAILD Mail Server v.4.9.4 a ...)
+ TODO: check
+CVE-2024-32368 (Insecure Permission vulnerability in Agasta Sanketlife 2.0 Pocket 12-L ...)
+ TODO: check
+CVE-2024-32238 (H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password ...)
+ TODO: check
+CVE-2024-32205
+ REJECTED
+CVE-2024-31666 (An issue in flusity-CMS v.2.33 allows a remote attacker to execute arb ...)
+ TODO: check
+CVE-2024-31545 (Computer Laboratory Management System v1.0 is vulnerable to SQL Inject ...)
+ TODO: check
+CVE-2024-29661 (A File Upload vulnerability in DedeCMS v5.7 allows a local attacker to ...)
+ TODO: check
+CVE-2024-29376 (Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Pr ...)
+ TODO: check
+CVE-2024-28717 (An issue in OpenStack Storlets yoga-eom allows a remote attacker to ex ...)
+ TODO: check
+CVE-2024-28699 (A buffer overflow vulnerability in pdf2json v0.70 allows a local attac ...)
+ TODO: check
+CVE-2024-28436 (Cross Site Scripting vulnerability in D-Link DAP products DAP-2230, DA ...)
+ TODO: check
+CVE-2024-22856 (A SQL injection vulnerability via the Save Favorite Search function in ...)
+ TODO: check
+CVE-2024-22815 (An issue in the communication protocol of Tormach xsTECH CNC Router, P ...)
+ TODO: check
+CVE-2024-22813 (An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 all ...)
+ TODO: check
+CVE-2024-22811 (An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 all ...)
+ TODO: check
+CVE-2024-22809 (Incorrect access control in Tormach xsTECH CNC Router, PathPilot Contr ...)
+ TODO: check
+CVE-2024-22808 (An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 all ...)
+ TODO: check
+CVE-2024-22807 (An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 all ...)
+ TODO: check
+CVE-2023-38302 (A certain software build for the Sharp Rouvo V device (SHARP/VZW_STTM2 ...)
+ TODO: check
+CVE-2023-38301 (An issue was discovered in a third-party component related to vendor.g ...)
+ TODO: check
+CVE-2023-38300 (A certain software build for the Orbic Maui device (Orbic/RC545L/RC545 ...)
+ TODO: check
+CVE-2023-38299 (Various software builds for the AT&T Calypso, Nokia C100, Nokia C200, ...)
+ TODO: check
+CVE-2023-38298 (Various software builds for the following TCL devices (30Z, A3X, 20XE, ...)
+ TODO: check
+CVE-2023-38297 (An issue was discovered in a third-party com.factory.mmigroup componen ...)
+ TODO: check
+CVE-2023-38296 (Various software builds for the following TCL 30Z and TCL A3X devices ...)
+ TODO: check
+CVE-2023-38295 (Certain software builds for the TCL 30Z and TCL 10 Android devices con ...)
+ TODO: check
+CVE-2023-38294 (Certain software builds for the Itel Vision 3 Turbo Android device con ...)
+ TODO: check
+CVE-2023-38293 (Certain software builds for the Nokia C200 and Nokia C100 Android devi ...)
+ TODO: check
+CVE-2023-38292 (Certain software builds for the TCL 20XE Android device contain a vuln ...)
+ TODO: check
+CVE-2023-38291 (An issue was discovered in a third-party component related to ro.boot. ...)
+ TODO: check
+CVE-2023-38290 (Certain software builds for the BLU View 2 and Sharp Rouvo V Android d ...)
+ TODO: check
+CVE-2024-27349 (Authentication Bypass by Spoofing vulnerability in Apache HugeGraph-Se ...)
NOT-FOR-US: Apache HugeGraph-Hubble
-CVE-2024-27348
+CVE-2024-27348 (RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server. ...)
NOT-FOR-US: Apache HugeGraph-Hubble
-CVE-2024-27347
+CVE-2024-27347 (Server-Side Request Forgery (SSRF) vulnerability in Apache HugeGraph-H ...)
NOT-FOR-US: Apache HugeGraph-Hubble
CVE-2024-4022 (A vulnerability was found in Keenetic KN-1010, KN-1410, KN-1711, KN-18 ...)
NOT-FOR-US: Keenetic router
@@ -1716,6 +1800,7 @@ CVE-2024-21096 (Vulnerability in the MySQL Server product of Oracle MySQL (compo
CVE-2024-21095 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...)
NOT-FOR-US: Oracle
CVE-2024-21094 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...)
+ {DSA-5672-1 DSA-5671-1 DLA-3793-1}
- openjdk-8 <unfixed> (bug #1069678)
- openjdk-11 11.0.23+9-1
- openjdk-17 17.0.11+9-1
@@ -1738,6 +1823,7 @@ CVE-2024-21087 (Vulnerability in the MySQL Server product of Oracle MySQL (compo
CVE-2024-21086 (Vulnerability in the Oracle CRM Technical Foundation product of Oracle ...)
NOT-FOR-US: Oracle
CVE-2024-21085 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...)
+ {DSA-5671-1 DLA-3793-1}
- openjdk-8 <unfixed> (bug #1069678)
- openjdk-11 11.0.23+9-1
CVE-2024-21084 (Vulnerability in the Oracle BI Publisher product of Oracle Analytics ( ...)
@@ -1773,6 +1859,7 @@ CVE-2024-21070 (Vulnerability in the PeopleSoft Enterprise PeopleTools product o
CVE-2024-21069 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- mysql-8.0 <unfixed> (bug #1069189)
CVE-2024-21068 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...)
+ {DSA-5672-1 DSA-5671-1 DLA-3793-1}
- openjdk-8 <unfixed> (bug #1069678)
- openjdk-11 11.0.23+9-1
- openjdk-17 17.0.11+9-1
@@ -1888,10 +1975,12 @@ CVE-2024-21014 (Vulnerability in the Oracle Hospitality Simphony product of Orac
CVE-2024-21013 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- mysql-8.0 <unfixed> (bug #1069189)
CVE-2024-21012 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...)
+ {DSA-5672-1 DSA-5671-1 DLA-3793-1}
- openjdk-11 11.0.23+9-1
- openjdk-17 17.0.11+9-1
- openjdk-21 21.0.3+9-1
CVE-2024-21011 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...)
+ {DSA-5672-1 DSA-5671-1 DLA-3793-1}
- openjdk-8 <unfixed> (bug #1069678)
- openjdk-11 11.0.23+9-1
- openjdk-17 17.0.11+9-1
@@ -2030,7 +2119,7 @@ CVE-2024-XXXX [Stored XSS in Avatar block]
NOTE: https://wpscan.com/blog/unauthenticated-stored-xss-fixed-in-wordpress-core/
NOTE: https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/
CVE-2024-3302 (There was no limit to the number of HTTP/2 CONTINUATION frames that wo ...)
- {DSA-5670-1 DSA-5663-1 DLA-3790-1}
+ {DSA-5670-1 DSA-5663-1 DLA-3791-1 DLA-3790-1}
- firefox 125.0.1-1
- firefox-esr 115.10.0esr-1
- thunderbird 1:115.10.1-1
@@ -2041,7 +2130,7 @@ CVE-2024-3865 (Memory safety bugs present in Firefox 124. Some of these bugs sho
- firefox 125.0.1-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3865
CVE-2024-3864 (Memory safety bug present in Firefox 124, Firefox ESR 115.9, and Thund ...)
- {DSA-5670-1 DSA-5663-1 DLA-3790-1}
+ {DSA-5670-1 DSA-5663-1 DLA-3791-1 DLA-3790-1}
- firefox 125.0.1-1
- firefox-esr 115.10.0esr-1
- thunderbird 1:115.10.1-1
@@ -2059,7 +2148,7 @@ CVE-2024-3862 (The MarkStack assignment operator, part of the JavaScript engine,
- firefox 125.0.1-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3862
CVE-2024-3861 (If an AlignedBuffer were assigned to itself, the subsequent self-move ...)
- {DSA-5670-1 DSA-5663-1 DLA-3790-1}
+ {DSA-5670-1 DSA-5663-1 DLA-3791-1 DLA-3790-1}
- firefox 125.0.1-1
- firefox-esr 115.10.0esr-1
- thunderbird 1:115.10.1-1
@@ -2070,7 +2159,7 @@ CVE-2024-3860 (An out-of-memory condition during object initialization could res
- firefox 125.0.1-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3860
CVE-2024-3859 (On 32-bit versions there were integer-overflows that led to an out-of- ...)
- {DSA-5670-1 DSA-5663-1 DLA-3790-1}
+ {DSA-5670-1 DSA-5663-1 DLA-3791-1 DLA-3790-1}
- firefox 125.0.1-1
- firefox-esr 115.10.0esr-1
- thunderbird 1:115.10.1-1
@@ -2081,7 +2170,7 @@ CVE-2024-3858 (It was possible to mutate a JavaScript object so that the JIT cou
- firefox 125.0.1-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3858
CVE-2024-3857 (The JIT created incorrect code for arguments in certain cases. This le ...)
- {DSA-5670-1 DSA-5663-1 DLA-3790-1}
+ {DSA-5670-1 DSA-5663-1 DLA-3791-1 DLA-3790-1}
- firefox 125.0.1-1
- firefox-esr 115.10.0esr-1
- thunderbird 1:115.10.1-1
@@ -2095,7 +2184,7 @@ CVE-2024-3855 (In certain cases the JIT incorrectly optimized MSubstr operations
- firefox 125.0.1-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3855
CVE-2024-3854 (In some code patterns the JIT incorrectly optimized switch statements ...)
- {DSA-5670-1 DSA-5663-1 DLA-3790-1}
+ {DSA-5670-1 DSA-5663-1 DLA-3791-1 DLA-3790-1}
- firefox 125.0.1-1
- firefox-esr 115.10.0esr-1
- thunderbird 1:115.10.1-1
@@ -2106,7 +2195,7 @@ CVE-2024-3853 (A use-after-free could result if a JavaScript realm was in the pr
- firefox 125.0.1-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/#CVE-2024-3853
CVE-2024-3852 (GetBoundName could return the wrong version of an object when JIT opti ...)
- {DSA-5670-1 DSA-5663-1 DLA-3790-1}
+ {DSA-5670-1 DSA-5663-1 DLA-3791-1 DLA-3790-1}
- firefox 125.0.1-1
- firefox-esr 115.10.0esr-1
- thunderbird 1:115.10.1-1
@@ -10849,7 +10938,7 @@ CVE-2024-2610 (Using a markup injection an attacker could have stolen nonce valu
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-13/#CVE-2024-2610
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-14/#CVE-2024-2610
CVE-2024-2609 (The permission prompt input delay could expire while the window is not ...)
- {DSA-5670-1 DSA-5663-1 DLA-3790-1}
+ {DSA-5670-1 DSA-5663-1 DLA-3791-1 DLA-3790-1}
- firefox 124.0-1
- firefox-esr 115.10.0esr-1
- thunderbird 1:115.10.1-1
@@ -43452,7 +43541,7 @@ CVE-2023-42669 (A vulnerability was found in Samba's "rpcecho" development serve
[buster] - samba <ignored> (Domain controller functionality is EOLed, see DSA-5015-1)
NOTE: https://www.samba.org/samba/security/CVE-2023-42669.html
CVE-2023-4091 (A vulnerability was discovered in Samba, where the flaw allows SMB cli ...)
- {DSA-5647-1 DSA-5525-1}
+ {DSA-5647-1 DSA-5525-1 DLA-3792-1}
- samba 2:4.19.1+dfsg-1
NOTE: https://www.samba.org/samba/security/CVE-2023-4091.html
NOTE: In scope for continued Samba support
@@ -97276,8 +97365,8 @@ CVE-2022-46899 (An issue was discovered in Vocera Report Server and Voice Server
NOT-FOR-US: Vocera Report Server and Voice Server
CVE-2022-46898 (An issue was discovered in Vocera Report Server and Voice Server 5.x t ...)
NOT-FOR-US: Vocera Report Server and Voice Server
-CVE-2022-46897
- RESERVED
+CVE-2022-46897 (An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5. ...)
+ TODO: check
CVE-2022-46896
RESERVED
CVE-2022-46895
@@ -112669,7 +112758,7 @@ CVE-2022-42705 (A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28
CVE-2022-42704 (A cross-site scripting (XSS) vulnerability in Employee Service Center ...)
NOT-FOR-US: Employee Service Center
CVE-2022-3437 (A heap-based buffer overflow vulnerability was found in Samba within t ...)
- {DSA-5647-1 DSA-5287-1 DLA-3206-1}
+ {DSA-5647-1 DSA-5287-1 DLA-3792-1 DLA-3206-1}
- samba 2:4.16.6+dfsg-1
- heimdal 7.8.git20221115.a6cf945+dfsg-1 (bug #1024187)
NOTE: https://www.samba.org/samba/security/CVE-2022-3437.html
@@ -132040,8 +132129,8 @@ CVE-2022-35505 (A segmentation fault in TripleCross v0.1.0 occurs when sending a
NOT-FOR-US: TripleCross
CVE-2022-35504
RESERVED
-CVE-2022-35503
- RESERVED
+CVE-2022-35503 (Improper verification of a user input in Open Source MANO v7-v12 allow ...)
+ TODO: check
CVE-2022-35502
RESERVED
CVE-2022-35501 (Stored Cross-site Scripting (XSS) exists in the Amasty Blog Pro 2.10.3 ...)
@@ -135003,12 +135092,12 @@ CVE-2022-34564
RESERVED
CVE-2022-34563
RESERVED
-CVE-2022-34562
- RESERVED
-CVE-2022-34561
- RESERVED
-CVE-2022-34560
- RESERVED
+CVE-2022-34562 (A cross-site scripting (XSS) vulnerability in PHPFox v4.8.9 allows att ...)
+ TODO: check
+CVE-2022-34561 (A cross-site scripting (XSS) vulnerability in PHPFox v4.8.9 allows att ...)
+ TODO: check
+CVE-2022-34560 (A cross-site scripting (XSS) vulnerability in PHPFox v4.8.9 allows att ...)
+ TODO: check
CVE-2022-34559
RESERVED
CVE-2022-34558 (WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon ...)
@@ -136627,7 +136716,7 @@ CVE-2022-2129 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.)
CVE-2022-2128 (Unrestricted Upload of File with Dangerous Type in GitHub repository p ...)
NOT-FOR-US: Trudesk
CVE-2022-2127 (An out-of-bounds read vulnerability was found in Samba due to insuffic ...)
- {DSA-5647-1 DSA-5477-1}
+ {DSA-5647-1 DSA-5477-1 DLA-3792-1}
- samba 2:4.18.5+dfsg-1
NOTE: https://www.samba.org/samba/security/CVE-2022-2127.html
NOTE: In scope for continued Samba support
@@ -139671,7 +139760,7 @@ CVE-2022-32743 (Samba does not validate the Validated-DNS-Host-Name right for th
[bullseye] - samba <no-dsa> (Minor issue)
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14833
CVE-2022-32742 (A flaw was found in Samba. Some SMB1 write requests were not correctly ...)
- {DSA-5205-1}
+ {DSA-5205-1 DLA-3792-1}
- samba 2:4.16.4+dfsg-1 (bug #1016449)
NOTE: https://www.samba.org/samba/security/CVE-2022-32742.html
CVE-2022-32741 (Attacker is able to determine if the provided username exists (and it' ...)
@@ -288684,7 +288773,7 @@ CVE-2020-14385 (A flaw was found in the Linux kernel before 5.9-rc4. A failure o
CVE-2020-14384 (A flaw was found in JBossWeb in versions before 7.5.31.Final-redhat-3. ...)
NOT-FOR-US: JBossWeb
CVE-2020-14383 (A flaw was found in samba's DNS server. An authenticated user could us ...)
- {DLA-2463-1}
+ {DLA-3792-1 DLA-2463-1}
[experimental] - samba 2:4.13.2+dfsg-1
- samba 2:4.13.2+dfsg-2 (bug #973398)
NOTE: https://www.samba.org/samba/security/CVE-2020-14383.html
@@ -288970,7 +289059,7 @@ CVE-2020-14325 (Red Hat CloudForms before 5.11.7.0 was vulnerable to the User Im
CVE-2020-14324 (A high severity vulnerability was found in all active versions of Red ...)
NOT-FOR-US: Red Hat CloudForm
CVE-2020-14323 (A null pointer dereference flaw was found in samba's Winbind service i ...)
- {DLA-2463-1}
+ {DLA-3792-1 DLA-2463-1}
[experimental] - samba 2:4.13.2+dfsg-1
- samba 2:4.13.2+dfsg-2 (bug #973399)
NOTE: https://www.samba.org/samba/security/CVE-2020-14323.html
@@ -288984,7 +289073,7 @@ CVE-2020-14320 (In Moodle before 3.9.1, 3.8.4 and 3.7.7, the filter in the admin
CVE-2020-14319 (It was found that the AMQ Online console is vulnerable to a Cross-Site ...)
NOT-FOR-US: AMQ Online
CVE-2020-14318 (A flaw was found in the way samba handled file and directory permissio ...)
- {DLA-2463-1}
+ {DLA-3792-1 DLA-2463-1}
[experimental] - samba 2:4.13.2+dfsg-1
- samba 2:4.13.2+dfsg-2 (bug #973400)
NOTE: https://www.samba.org/samba/security/CVE-2020-14318.html
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e395f3b20dfbadddd92aa26b4d12c4e5bb23fa14
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e395f3b20dfbadddd92aa26b4d12c4e5bb23fa14
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240422/6469d139/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list