[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Feb 13 08:12:17 GMT 2024
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8ff1881e by security tracker role at 2024-02-13T08:12:03+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,11 +1,183 @@
-CVE-2024-1459 [directory traversal vulnerability]
+CVE-2024-25914 (Cross-Site Request Forgery (CSRF) vulnerability in Photoboxone SMTP Ma ...)
+ TODO: check
+CVE-2024-25643 (The SAP Fiori app (My Overtime Request) - version 605, does not perfor ...)
+ TODO: check
+CVE-2024-25642 (Due to improper validation of certificate in SAP Cloud Connector - ver ...)
+ TODO: check
+CVE-2024-25407 (SteVe v3.6.0 was discovered to use predictable transaction ID's when r ...)
+ TODO: check
+CVE-2024-25360 (A hidden interface in Motorola CX2L Router firmware v1.0.1 leaks infor ...)
+ TODO: check
+CVE-2024-25112 (Exiv2 is a command-line utility and C++ library for reading, writing, ...)
+ TODO: check
+CVE-2024-25110 (The UAMQP is a general purpose C library for AMQP 1.0. During a call t ...)
+ TODO: check
+CVE-2024-25108 (Pixelfed is an open source photo sharing platform. When processing req ...)
+ TODO: check
+CVE-2024-24935 (Cross-Site Request Forgery (CSRF) vulnerability in WpSimpleTools Basic ...)
+ TODO: check
+CVE-2024-24929 (Cross-Site Request Forgery (CSRF) vulnerability in Ryan Duff, Peter We ...)
+ TODO: check
+CVE-2024-24887 (Cross-Site Request Forgery (CSRF) vulnerability in Contest Gallery Pho ...)
+ TODO: check
+CVE-2024-24884 (Cross-Site Request Forgery (CSRF) vulnerability in ARI Soft Contact Fo ...)
+ TODO: check
+CVE-2024-24875 (Cross-Site Request Forgery (CSRF) vulnerability in Yannick Lefebvre Li ...)
+ TODO: check
+CVE-2024-24826 (Exiv2 is a command-line utility and C++ library for reading, writing, ...)
+ TODO: check
+CVE-2024-24743 (SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows ...)
+ TODO: check
+CVE-2024-24742 (SAP CRM WebClient UI- version S4FND 102, S4FND 103, S4FND 104, S4FND 1 ...)
+ TODO: check
+CVE-2024-24741 (SAP Master Data Governance for Material Data - versions 618, 619, 620, ...)
+ TODO: check
+CVE-2024-24740 (SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL ...)
+ TODO: check
+CVE-2024-24739 (SAP Bank Account Management (BAM) allows an authenticated user with re ...)
+ TODO: check
+CVE-2024-24337 (CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aq ...)
+ TODO: check
+CVE-2024-23833 (OpenRefine is a free, open source power tool for working with messy da ...)
+ TODO: check
+CVE-2024-23763 (SQL Injection vulnerability in Gambio through 4.9.2.0 allows attackers ...)
+ TODO: check
+CVE-2024-23762 (Unrestricted File Upload vulnerability in Content Manager feature in G ...)
+ TODO: check
+CVE-2024-23761 (Server Side Template Injection in Gambio 4.9.2.0 allows attackers to r ...)
+ TODO: check
+CVE-2024-23760 (Cleartext Storage of Sensitive Information in Gambio 4.9.2.0 allows at ...)
+ TODO: check
+CVE-2024-23759 (Deserialization of Untrusted Data in Gambio through 4.9.2.0 allows att ...)
+ TODO: check
+CVE-2024-23512 (Deserialization of Untrusted Data vulnerability in wpxpo ProductX \u20 ...)
+ TODO: check
+CVE-2024-22454 (Dell PowerProtect Data Manager, version 19.15 and prior versions, cont ...)
+ TODO: check
+CVE-2024-22445 (Dell PowerProtect Data Manager, version 19.15 and prior versions, cont ...)
+ TODO: check
+CVE-2024-22230 (Dell Unity, versions prior to 5.4, contains a Cross-site scripting vul ...)
+ TODO: check
+CVE-2024-22228 (Dell Unity, versions prior to 5.4, contains an OS Command Injection Vu ...)
+ TODO: check
+CVE-2024-22227 (Dell Unity, versions prior to 5.4, contains an OS Command Injection Vu ...)
+ TODO: check
+CVE-2024-22226 (Dell Unity, versions prior to 5.4, contain a path traversal vulnerabil ...)
+ TODO: check
+CVE-2024-22225 (Dell Unity, versions prior to 5.4, contains an OS Command Injection Vu ...)
+ TODO: check
+CVE-2024-22224 (Dell Unity, versions prior to 5.4, contains an OS Command Injection Vu ...)
+ TODO: check
+CVE-2024-22223 (Dell Unity, versions prior to 5.4, contains an OS Command Injection Vu ...)
+ TODO: check
+CVE-2024-22222 (Dell Unity, versions prior to 5.4, contains an OS Command Injection Vu ...)
+ TODO: check
+CVE-2024-22221 (Dell Unity, versions prior to 5.4, contains SQL Injection vulnerabilit ...)
+ TODO: check
+CVE-2024-22132 (SAP IDES ECC-systems contain code that permits the execution of arbitr ...)
+ TODO: check
+CVE-2024-22131 (In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 740, 750 ...)
+ TODO: check
+CVE-2024-22130 (Print preview option inSAP CRM WebClient UI - versions S4FND 102, S4FN ...)
+ TODO: check
+CVE-2024-22129 (SAP Companion - version <3.1.38, has a URL with parameter that could b ...)
+ TODO: check
+CVE-2024-22128 (SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_U ...)
+ TODO: check
+CVE-2024-22126 (The User Admin application of SAP NetWeaver AS for Java - version 7.50 ...)
+ TODO: check
+CVE-2024-22024 (An XML external entity or XXE vulnerability in the SAML component of I ...)
+ TODO: check
+CVE-2024-21491 (Versions of the package svix before 1.17.0 are vulnerable to Authentic ...)
+ TODO: check
+CVE-2024-1439 (Inadequate access control in Moodle LMS. This vulnerability could allo ...)
+ TODO: check
+CVE-2024-1420
+ REJECTED
+CVE-2024-0566 (The Smart Manager WordPress plugin before 8.28.0 does not properly san ...)
+ TODO: check
+CVE-2024-0421 (The MapPress Maps for WordPress plugin before 2.88.16 does not ensure ...)
+ TODO: check
+CVE-2024-0420 (The MapPress Maps for WordPress plugin before 2.88.15 does not sanitiz ...)
+ TODO: check
+CVE-2024-0250 (The Analytics Insights for Google Analytics 4 (AIWP) WordPress plugin ...)
+ TODO: check
+CVE-2024-0248 (The EazyDocs WordPress plugin before 2.4.0 re-introduced CVE-2023-6029 ...)
+ TODO: check
+CVE-2024-0170 (Dell Unity, versions prior to 5.4, contains an OS Command Injection Vu ...)
+ TODO: check
+CVE-2024-0169 (Dell Unity, versions prior to 5.4, contains a cross-site scripting (XS ...)
+ TODO: check
+CVE-2024-0168 (Dell Unity, versions prior to 5.4, contains a Command Injection Vulner ...)
+ TODO: check
+CVE-2024-0167 (Dell Unity, versions prior to 5.4, contains an OS Command Injection Vu ...)
+ TODO: check
+CVE-2024-0166 (Dell Unity, versions prior to 5.4, contains an OS Command Injection Vu ...)
+ TODO: check
+CVE-2024-0165 (Dell Unity, versions prior to 5.4, contains an OS Command Injection Vu ...)
+ TODO: check
+CVE-2024-0164 (Dell Unity, versions prior to 5.4, contain an OS Command Injection Vul ...)
+ TODO: check
+CVE-2023-7233 (The GigPress WordPress plugin through 2.3.29 does not sanitise and esc ...)
+ TODO: check
+CVE-2023-6815 (Incorrect Privilege Assignment vulnerability in Mitsubishi Electric Co ...)
+ TODO: check
+CVE-2023-6591 (The Popup Box WordPress plugin before 20.9.0 does not sanitise and esc ...)
+ TODO: check
+CVE-2023-6501 (The Splashscreen WordPress plugin through 0.20 does not have CSRF chec ...)
+ TODO: check
+CVE-2023-6499 (The lasTunes WordPress plugin through 3.6.1 does not have CSRF check i ...)
+ TODO: check
+CVE-2023-6294 (The Popup Builder WordPress plugin before 4.2.6 does not validate a pa ...)
+ TODO: check
+CVE-2023-6082 (The chartjs WordPress plugin through 2023.2 does not sanitise and esca ...)
+ TODO: check
+CVE-2023-6081 (The chartjs WordPress plugin through 2023.2 does not sanitise and esca ...)
+ TODO: check
+CVE-2023-6036 (The Web3 WordPress plugin before 3.0.0 is vulnerable to an authenticat ...)
+ TODO: check
+CVE-2023-52431 (The Plack::Middleware::XSRFBlock package before 0.0.19 for Perl allows ...)
+ TODO: check
+CVE-2023-52430 (The caddy-security plugin 1.1.20 for Caddy allows reflected XSS via a ...)
+ TODO: check
+CVE-2023-52060 (A Cross-Site Request Forgery (CSRF) in Gestsup v3.2.46 allows attacker ...)
+ TODO: check
+CVE-2023-52059 (A cross-site scripting (XSS) vulnerability in Gestsup v3.2.46 allows a ...)
+ TODO: check
+CVE-2023-50358 (An OS command injection vulnerability has been reported to affect seve ...)
+ TODO: check
+CVE-2023-49339 (Ellucian Banner 9.17 allows Insecure Direct Object Reference (IDOR) vi ...)
+ TODO: check
+CVE-2023-47218 (An OS command injection vulnerability has been reported to affect seve ...)
+ TODO: check
+CVE-2023-46615 (Deserialization of Untrusted Data vulnerability in Kalli Dan. KD Comin ...)
+ TODO: check
+CVE-2023-42374 (An issue in mystenlabs Sui Blockchain before v.1.6.3 allow a remote at ...)
+ TODO: check
+CVE-2023-41708 (References to the "app loader" functionality could contain redirects t ...)
+ TODO: check
+CVE-2023-41707 (Processing of user-defined mail search expressions is not limited. Ava ...)
+ TODO: check
+CVE-2023-41706 (Processing time of drive search expressions now gets monitored, and th ...)
+ TODO: check
+CVE-2023-41705 (Processing of user-defined DAV user-agent strings is not limited. Avai ...)
+ TODO: check
+CVE-2023-41704 (Processing of CID references at E-Mail can be abused to inject malicio ...)
+ TODO: check
+CVE-2023-41703 (User ID references at mentions in document comments were not correctly ...)
+ TODO: check
+CVE-2022-48623 (The Cpanel::JSON::XS package before 4.33 for Perl performs out-of-boun ...)
+ TODO: check
+CVE-2021-4437 (A vulnerability, which was classified as problematic, has been found i ...)
+ TODO: check
+CVE-2024-1459 (A path traversal vulnerability was found in Undertow. This issue may a ...)
- undertow <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2259475
-CVE-2024-1454 [Memory use after free in AuthentIC driver when updating token info]
+CVE-2024-1454 (The use-after-free vulnerability was found in the AuthentIC driver in ...)
- opensc <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2263929
NOTE: Fixed by: https://github.com/OpenSC/OpenSC/commit/5835f0d4f6c033bd58806d33fa546908d39825c9
-CVE-2023-6681 [JWCrypto: denail of service Via specifically crafted JWE]
+CVE-2023-6681 (A vulnerability was found in JWCrypto. This flaw allows an attacker to ...)
- python-jwcrypto <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2260843
CVE-2023-6110 [deleting a non existing access rule deletes another existing access rule in it's scope]
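Review bot: the roughly ninety new entries in this hunk all land as `TODO: check`, so the triage queue grows considerably; when working through it, the entries for software Debian ships deserve attention first, e.g. Exiv2 (CVE-2024-25112, CVE-2024-24826), Cpanel::JSON::XS (CVE-2022-48623) and Plack::Middleware::XSRFBlock (CVE-2023-52431), whereas the long runs of Dell Unity, SAP and WordPress-plugin entries will almost certainly end up as NOT-FOR-US. Note also that the automatic import replaces the curated bracketed summaries (for example `-CVE-2024-1459 [directory traversal vulnerability]` and `-CVE-2023-6681 [JWCrypto: denail of service Via specifically crafted JWE]`) with the truncated upstream text; the existing `NOTE:` links keep the detail, so nothing is lost here, but the same does not hold for every entry touched later in this commit.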
@@ -607,7 +779,7 @@ CVE-2023-6386 [ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax]
CVE-2023-6840 (An issue has been discovered in GitLab EE affecting all versions from ...)
- gitlab 16.6.7-1
NOTE: https://about.gitlab.com/releases/2024/02/07/security-release-gitlab-16-8-2-released/#project-maintainers-can-bypass-groups-scan-result-policy-block_branch_modification-setting
-CVE-2024-1250 [Restrict group access token creation for custom roles]
+CVE-2024-1250 (An issue has been discovered in GitLab EE affecting all versions start ...)
- gitlab <not-affected> (Only affects 16.8.y)
NOTE: https://about.gitlab.com/releases/2024/02/07/security-release-gitlab-16-8-2-released/#restrict-group-access-token-creation-for-custom-roles
CVE-2024-25201 (Espruino 2v20 (commit fcc9ba4) was discovered to contain an Out-of-bou ...)
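Review bot: the `gitlab <not-affected> (Only affects 16.8.y)` line for CVE-2024-1250 is worth re-checking now that the imported description reads "affecting all versions start ...": the truncated text no longer shows the starting version, so the affected range should be confirmed from the linked release notes and, if it is indeed limited to 16.8.y, a short NOTE stating that would make the not-affected claim self-explanatory.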
@@ -1298,12 +1470,12 @@ CVE-2024-24262 (media-server v1.0.0 was discovered to contain a Use-After-Free (
NOT-FOR-US: media-server
CVE-2024-24260 (media-server v1.0.0 was discovered to contain a Use-After-Free (UAF) v ...)
NOT-FOR-US: media-server
-CVE-2024-24259
+CVE-2024-24259 (freeglut through 3.4.0 was discovered to contain a memory leak via the ...)
- freeglut <unfixed> (bug #1063801)
NOTE: https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_2.md
NOTE: https://github.com/freeglut/freeglut/pull/155
NOTE: Fixed by: https://github.com/freeglut/freeglut/commit/9ad320c1ad1a25558998ddfe47674511567fec57
-CVE-2024-24258
+CVE-2024-24258 (freeglut 3.4.0 was discovered to contain a memory leak via the menuEnt ...)
- freeglut <unfixed> (bug #1063801)
NOTE: https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_1.md
NOTE: https://github.com/freeglut/freeglut/pull/155
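Review bot: CVE-2024-24258 and CVE-2024-24259 both reference bug #1063801 and freeglut PR #155, but only CVE-2024-24259 carries a `NOTE: Fixed by:` commit (9ad320c1); if PR #155 fixes both leaks, the same `Fixed by:` line should be added under CVE-2024-24258 so the fix tracking is consistent, and if a separate commit fixes the menuEntry leak, that one should be recorded instead.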
@@ -2217,7 +2389,7 @@ CVE-2023-31505 (An arbitrary file upload vulnerability in Schlix CMS v2.2.8-1, a
NOT-FOR-US: Schlix CMS
CVE-2023-2439 (The UserPro plugin for WordPress is vulnerable to Stored Cross-Site Sc ...)
NOT-FOR-US: WordPress plugin
-CVE-2024-1062 [a heap overflow leading to denail-of-servce while writing a value larger than 256 chars (in log_entry_attr)]
+CVE-2024-1062 (A heap overflow flaw was found in 389-ds-base. This issue leads to a d ...)
- 389-ds-base <unfixed>
[bookworm] - 389-ds-base <no-dsa> (Minor issue)
[bullseye] - 389-ds-base <no-dsa> (Minor issue)
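Review bot: the replaced bracketed summary for CVE-2024-1062 carried two specifics that the truncated upstream description drops, namely that the overflow is triggered by a value longer than 256 chars and that it sits in `log_entry_attr`; since there is no `NOTE:` line under this entry preserving them, consider adding one (a link to the upstream bug or fix commit would do) so that the `<no-dsa> (Minor issue)` rationale for bookworm and bullseye remains reviewable later.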
@@ -53613,8 +53785,8 @@ CVE-2023-28020 (URL redirection in Login page in HCL BigFix WebUI allows malicio
NOT-FOR-US: HCL
CVE-2023-28019 (Insufficient validation in Bigfix WebUI API App site version < 14 allo ...)
NOT-FOR-US: HCL
-CVE-2023-28018
- RESERVED
+CVE-2023-28018 (HCL Connections is vulnerable to a denial of service, caused by improp ...)
+ TODO: check
CVE-2023-28017 (HCL Connections is vulnerable to a cross-site scripting attack where a ...)
NOT-FOR-US: HCL
CVE-2023-28016 (Host Header Injection vulnerability in the HCL BigFix OSD Bare Metal S ...)
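Review bot: CVE-2023-28018 moves from `RESERVED` to `TODO: check`, but the adjacent HCL Connections and BigFix entries (CVE-2023-28017, CVE-2023-28019, CVE-2023-28020) are all `NOT-FOR-US: HCL`; unless HCL Connections is packaged in Debian, this one can be closed the same way rather than left in the TODO queue.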
@@ -102508,8 +102680,8 @@ CVE-2020-36601 (Out-of-bounds write vulnerability in the kernel modules. Success
NOT-FOR-US: Huawei
CVE-2020-36600 (Out-of-bounds write vulnerability in the power consumption module. Suc ...)
NOT-FOR-US: Huawei
-CVE-2022-38714
- RESERVED
+CVE-2022-38714 (IBM DataStage on Cloud Pak for Data 4.0.6 to 4.5.2 stores sensitive cr ...)
+ TODO: check
CVE-2022-38713
RESERVED
CVE-2022-38712 ("IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Web services ...)
@@ -114948,12 +115120,12 @@ CVE-2022-34313 (IBM CICS TX 11.1 does not set the secure attribute on authorizat
NOT-FOR-US: IBM
CVE-2022-34312 (IBM CICS TX 11.1 allows web pages to be stored locally which can be re ...)
NOT-FOR-US: IBM
-CVE-2022-34311
- RESERVED
-CVE-2022-34310
- RESERVED
-CVE-2022-34309
- RESERVED
+CVE-2022-34311 (IBM CICS TX Standard and Advanced 11.1 could allow a user with physica ...)
+ TODO: check
+CVE-2022-34310 (IBM CICS TX Standard and Advanced 11.1 uses weaker than expected crypt ...)
+ TODO: check
+CVE-2022-34309 (IBM CICS TX Standard and Advanced 11.1 uses weaker than expected crypt ...)
+ TODO: check
CVE-2022-34308 (IBM CICS TX 11.1 could allow a local user to cause a denial of service ...)
NOT-FOR-US: IBM
CVE-2022-34307 (IBM CICS TX 11.1 does not set the secure attribute on authorization to ...)
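Review bot: the three IBM CICS TX 11.1 entries (CVE-2022-34309 through CVE-2022-34311) are imported as `TODO: check` while every surrounding CICS TX entry (CVE-2022-34307, CVE-2022-34308, CVE-2022-34312, CVE-2022-34313) is `NOT-FOR-US: IBM`; marking these three the same way would keep the block consistent and avoid three separate manual look-ups for software Debian does not ship.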
@@ -151233,8 +151405,8 @@ CVE-2022-22508 (Improper Input Validation vulnerability in multiple CODESYS V3 p
NOT-FOR-US: CODESYS
CVE-2022-22507
REJECTED
-CVE-2022-22506
- RESERVED
+CVE-2022-22506 (IBM Robotic Process Automation 21.0.2 contains a vulnerability that co ...)
+ TODO: check
CVE-2022-22505 (IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 contains a v ...)
NOT-FOR-US: IBM
CVE-2022-22504
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ff1881e345fa9d109c75cac1adcb810ef77459d