[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Apr 26 09:12:01 BST 2024
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
821a6aa0 by security tracker role at 2024-04-26T08:11:46+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,109 @@
+CVE-2024-4163 (The Skylab IGX IIoT Gateway allowed users to connect to it via a limit ...)
+ TODO: check
+CVE-2024-4056 (Denial of service condition in M-Files Server in versions before 24.4. ...)
+ TODO: check
+CVE-2024-3890 (The Happy Addons for Elementor plugin for WordPress is vulnerable to S ...)
+ TODO: check
+CVE-2024-3678 (The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPre ...)
+ TODO: check
+CVE-2024-3265 (The Advanced Search WordPress plugin through 1.1.6 does not properly e ...)
+ TODO: check
+CVE-2024-3188 (The WP Shortcodes Plugin \u2014 Shortcodes Ultimate WordPress plugin b ...)
+ TODO: check
+CVE-2024-3075 (The MM-email2image WordPress plugin through 0.2.5 does not validate an ...)
+ TODO: check
+CVE-2024-3060 (The ENL Newsletter WordPress plugin through 1.0.1 does not sanitize an ...)
+ TODO: check
+CVE-2024-3059 (The ENL Newsletter WordPress plugin through 1.0.1 does not have CSRF c ...)
+ TODO: check
+CVE-2024-3058 (The ENL Newsletter WordPress plugin through 1.0.1 does not have CSRF c ...)
+ TODO: check
+CVE-2024-3048 (The Bannerlid WordPress plugin through 1.1.0 does not escape generated ...)
+ TODO: check
+CVE-2024-33673 (An issue was discovered in Veritas Backup Exec before 22.2 HotFix 9173 ...)
+ TODO: check
+CVE-2024-33672 (An issue was discovered in Veritas NetBackup before 10.4. The Multi-Th ...)
+ TODO: check
+CVE-2024-33671 (An issue was discovered in Veritas Backup Exec before 22.2 HotFix 9173 ...)
+ TODO: check
+CVE-2024-33670 (Passbolt API before 4.6.2 allows HTML injection in a URL parameter, re ...)
+ TODO: check
+CVE-2024-33669 (An issue was discovered in Passbolt Browser Extension before 4.6.2. It ...)
+ TODO: check
+CVE-2024-33668 (An issue was discovered in Zammad before 6.3.0. The Zammad Upload Cach ...)
+ TODO: check
+CVE-2024-33667 (An issue was discovered in Zammad before 6.3.0. An authenticated agent ...)
+ TODO: check
+CVE-2024-33666 (An issue was discovered in Zammad before 6.3.0. Users with customer ac ...)
+ TODO: check
+CVE-2024-33665 (angular-translate through 2.19.1 allows XSS via a crafted key that is ...)
+ TODO: check
+CVE-2024-33664 (python-jose through 3.3.0 allows attackers to cause a denial of servic ...)
+ TODO: check
+CVE-2024-33663 (python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA k ...)
+ TODO: check
+CVE-2024-33661 (Portainer before 2.20.0 allows redirects when the target is not index. ...)
+ TODO: check
+CVE-2024-33651 (Cross-Site Request Forgery (CSRF) vulnerability in Matthew Fries MF Gi ...)
+ TODO: check
+CVE-2024-33650 (Cross-Site Request Forgery (CSRF) vulnerability in Cryout Creations Se ...)
+ TODO: check
+CVE-2024-33642 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2024-33639 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2024-33638 (Cross-Site Request Forgery (CSRF) vulnerability in Brijesh Kothari Sma ...)
+ TODO: check
+CVE-2024-33598 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2024-32868 (ZITADEL provides users the possibility to use Time-based One-Time-Pass ...)
+ TODO: check
+CVE-2024-32651 (changedetection.io is an open source web page change detection, websit ...)
+ TODO: check
+CVE-2024-32406 (Server-Side Template Injection (SSTI) vulnerability in inducer relate ...)
+ TODO: check
+CVE-2024-32404 (Server-Side Template Injection (SSTI) vulnerability in inducer relate ...)
+ TODO: check
+CVE-2024-31755 (cJSON v1.7.17 was discovered to contain a segmentation violation, whic ...)
+ TODO: check
+CVE-2024-31610 (File Upload vulnerability in the function for employees to upload avat ...)
+ TODO: check
+CVE-2024-31609 (Cross Site Scripting (XSS) vulnerability in BOSSCMS v3.10 allows attac ...)
+ TODO: check
+CVE-2024-2920 (The WP-Members Membership Plugin plugin for WordPress is vulnerable to ...)
+ TODO: check
+CVE-2024-2908 (The Call Now Button WordPress plugin before 1.4.7 does not sanitise a ...)
+ TODO: check
+CVE-2024-2837 (The WP Chat App WordPress plugin before 3.6.4 does not sanitise and es ...)
+ TODO: check
+CVE-2024-2603 (The Salon booking system WordPress plugin through 9.6.5 does not sanit ...)
+ TODO: check
+CVE-2024-2439 (The Salon booking system WordPress plugin through 9.6.5 does not sanit ...)
+ TODO: check
+CVE-2024-2429 (The Salon booking system WordPress plugin through 9.6.5 does not have ...)
+ TODO: check
+CVE-2024-2310 (The WP Google Review Slider WordPress plugin before 13.6 does not sani ...)
+ TODO: check
+CVE-2024-2159 (The Social Sharing Plugin WordPress plugin before 3.3.61 does not val ...)
+ TODO: check
+CVE-2024-22633 (Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 w ...)
+ TODO: check
+CVE-2024-22632 (Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 w ...)
+ TODO: check
+CVE-2024-0916 (Unauthenticatedfile upload allows remote code execution. This issue af ...)
+ TODO: check
+CVE-2024-0905 (The Fancy Product Designer WordPress plugin before 6.1.8 does not sani ...)
+ TODO: check
+CVE-2023-6116 (Team ENVY, a Security Research TEAM has found a flaw that allows for a ...)
+ TODO: check
+CVE-2023-6096 (Vladimir Kononovich, a Security Researcher has found a flaw that using ...)
+ TODO: check
+CVE-2023-6095 (Vladimir Kononovich, a Security Researcher has found a flaw that allow ...)
+ TODO: check
+CVE-2023-47252 (An issue was discovered in PnpSmm in Insyde InsydeH2O with kernel 5.0 ...)
+ TODO: check
+CVE-2022-48682 (In deletefiles in FDUPES before 2.2.0, a TOCTOU race condition allows ...)
+ TODO: check
CVE-2024-27282
- ruby3.2 <unfixed>
- ruby3.1 <unfixed>
@@ -139,11 +245,11 @@ CVE-2023-51484 (Improper Authentication vulnerability in wp-buy Login as User or
TODO: check
CVE-2023-51482 (Improper Authentication vulnerability in EazyPlugins Eazy Plugin Manag ...)
TODO: check
-CVE-2024-4173 (A vulnerability in Brocade SANnav ova versions before Brocade SANnav v ...)
+CVE-2024-4173 (A vulnerability in Brocade SANnav exposes Kafka in the wan interface. ...)
NOT-FOR-US: Brocade
CVE-2024-4161 (In Brocade SANnav, before Brocade SANnav v2.3.0, syslog traffic receiv ...)
NOT-FOR-US: Brocade
-CVE-2024-4159 (Brocade SANnav before Brocade SANnav v2.3.1 lacks protection mechanism ...)
+CVE-2024-4159 (Brocade SANnav before v2.3.0a lacks protection mechanisms on port 2377 ...)
NOT-FOR-US: Brocade
CVE-2024-3988 (The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data T ...)
NOT-FOR-US: WordPress plugin
@@ -476,7 +582,7 @@ CVE-2024-25583 (A crafted response from an upstream server the recursor has been
NOTE: Fixed by: https://github.com/PowerDNS/pdns/commit/3d16f2f49c22326e5a72f074c2a1f1b45769cb3f (rec-4.9.5)
NOTE: Introduced by: https://github.com/PowerDNS/pdns/commit/c090cc8b9198a9ee9155486894505a86878e30ee (rec-4.8.7)
NOTE: Fixed by: https://github.com/PowerDNS/pdns/commit/e1247da968077ee7c58fa41447057ee2a2b09fc9 (rec-4.8.8)
-CVE-2024-3154
+CVE-2024-3154 (A flaw was found in cri-o, where an arbitrary systemd property can be ...)
- cri-o <itp> (bug #979702)
CVE-2024-30171
- bouncycastle <unfixed>
@@ -936,7 +1042,7 @@ CVE-2024-29966 (Brocade SANnav OVA before v2.3.1 and v2.3.0a contain hard-coded
NOT-FOR-US: Brocade SANnav
CVE-2024-29965 (In Brocade SANnav before v2.3.1, and v2.3.0a, it is possible to back u ...)
NOT-FOR-US: Brocade SANnav
-CVE-2024-29964 (Docker instances in Brocade SANnav before v2.3.1 and v2.3.0a have an i ...)
+CVE-2024-29964 (Brocade SANnav versions before v2.3.0a do not correctly set permission ...)
NOT-FOR-US: Brocade SANnav
CVE-2024-29963 (Brocade SANnav OVA before v2.3.1, and v2.3.0a, contain hardcoded keys ...)
NOT-FOR-US: Brocade SANnav
@@ -31577,7 +31683,7 @@ CVE-2023-32725 (The website configured in the URL widget will receive a session
CVE-2023-32230 (An improper handling of a malformed API request to an API server in Bo ...)
NOT-FOR-US: Bosch
CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, found in O ...)
- {DSA-5601-1 DSA-5600-1 DSA-5599-1 DSA-5591-1 DSA-5588-1 DSA-5586-1 DLA-3730-1 DLA-3719-1 DLA-3718-1 DLA-3694-1}
+ {DSA-5601-1 DSA-5600-1 DSA-5599-1 DSA-5591-1 DSA-5588-1 DSA-5586-1 DLA-3794-1 DLA-3730-1 DLA-3719-1 DLA-3718-1 DLA-3694-1}
- dropbear 2022.83-4 (bug #1059001)
[bookworm] - dropbear 2022.83-1+deb12u1
[bullseye] - dropbear 2020.81-3+deb11u1
@@ -131545,10 +131651,10 @@ CVE-2022-36031 (Directus is a free and open-source data platform for headless co
NOT-FOR-US: Directus
CVE-2022-36030 (Project-nexus is a general-purpose blog website framework. Affected ve ...)
NOT-FOR-US: Project-nexus
-CVE-2022-36029
- RESERVED
-CVE-2022-36028
- RESERVED
+CVE-2022-36029 (Greenlight is an end-user interface for BigBlueButton servers. Version ...)
+ TODO: check
+CVE-2022-36028 (Greenlight is an end-user interface for BigBlueButton servers. Version ...)
+ TODO: check
CVE-2022-36027 (TensorFlow is an open source platform for machine learning. When conve ...)
- tensorflow <itp> (bug #804612)
CVE-2022-36026 (TensorFlow is an open source platform for machine learning. If `Quanti ...)
@@ -204163,6 +204269,7 @@ CVE-2021-36368 (An issue was discovered in OpenSSH before 8.9. If a client is us
NOTE: https://bugzilla.mindrot.org/show_bug.cgi?id=3316
NOTE: https://docs.ssh-mitm.at/trivialauth.html
CVE-2021-36367 (PuTTY through 0.75 proceeds with establishing an SSH session even if i ...)
+ {DLA-3794-1}
- putty 0.75-3 (bug #990901)
[bullseye] - putty 0.74-1+deb11u1
[stretch] - putty <no-dsa> (Minor issue)
@@ -290617,6 +290724,7 @@ CVE-2020-14004 (An issue was discovered in Icinga2 before v2.12.0-rc1. The prepa
CVE-2020-14003
RESERVED
CVE-2020-14002 (PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an in ...)
+ {DLA-3794-1}
- putty 0.74-1
[stretch] - putty <no-dsa> (Minor issue)
[jessie] - putty <no-dsa> (Minor issue)
@@ -294168,6 +294276,7 @@ CVE-2020-12669 (core/get_menudiv.php in Dolibarr before 11.0.4 allows remote aut
CVE-2020-12668 (Jinjava before 2.5.4 allow access to arbitrary classes by calling Java ...)
NOT-FOR-US: Jinjava
CVE-2020-12667 (Knot Resolver before 5.1.1 allows traffic amplification via a crafted ...)
+ {DLA-3795-1}
- knot-resolver 5.1.1-0.1 (bug #961076)
NOTE: https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/
NOTE: commit: https://gitlab.labs.nic.cz/knot/knot-resolver/-/commit/54f05e4d7b2e47c0bdd30b84272fc503cc65304b
@@ -325404,6 +325513,7 @@ CVE-2019-19332 (An out-of-bounds memory write issue was found in the Linux Kerne
[stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/433f4ba1904100da65a311033f17a9bf586b287e
CVE-2019-19331 (knot-resolver before version 4.3.0 is vulnerable to denial of service ...)
+ {DLA-3795-1}
- knot-resolver 5.0.1-1 (bug #946181)
NOTE: https://www.openwall.com/lists/oss-security/2019/12/04/4
CVE-2019-19329 (In Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-0 ...)
@@ -334731,6 +334841,7 @@ CVE-2019-17071 (The client-dash (aka Client Dash) plugin 2.1.4 for WordPress all
CVE-2019-17070 (The liquid-speech-balloon (aka LIQUID SPEECH BALLOON) plugin before 1. ...)
NOT-FOR-US: liquid-speech-balloon (aka LIQUID SPEECH BALLOON) plugin for WordPress
CVE-2019-17069 (PuTTY before 0.73 might allow remote SSH-1 servers to cause a denial o ...)
+ {DLA-3794-1}
- putty 0.73-1 (unimportant)
NOTE: https://lists.tartarus.org/pipermail/putty-announce/2019/000029.html
NOTE: Fixed by: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=69201ad8936fe0ff1b8723b7a43accb5e9f1c888
@@ -356414,11 +356525,13 @@ CVE-2019-10192 (A heap-buffer overflow vulnerability was found in the Redis hype
NOTE: https://github.com/antirez/redis/commit/ef1833b3f9d02261617b757fd6ebe0ec3f1be507 (5.0.4)
NOTE: https://github.com/antirez/redis/commit/7f79849caa006f0d760b6c7e17f7796e3be92b4f (5.0.4)
CVE-2019-10191 (A vulnerability was discovered in DNS resolver of knot resolver before ...)
+ {DLA-3795-1}
- knot-resolver 5.0.1-1 (bug #932048)
NOTE: https://www.knot-resolver.cz/2019-07-10-knot-resolver-4.1.0.html
NOTE: https://gitlab.labs.nic.cz/knot/knot-resolver/merge_requests/839
NOTE: https://www.openwall.com/lists/oss-security/2019/07/14/1
CVE-2019-10190 (A vulnerability was discovered in DNS resolver component of knot resol ...)
+ {DLA-3795-1}
- knot-resolver 5.0.1-1 (bug #932048)
NOTE: https://www.knot-resolver.cz/2019-07-10-knot-resolver-4.1.0.html
NOTE: https://gitlab.labs.nic.cz/knot/knot-resolver/merge_requests/827
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/821a6aa03ab9aa6e9a7506d6cb2af1c941fd74df
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/821a6aa03ab9aa6e9a7506d6cb2af1c941fd74df
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240426/9b2205b1/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list