[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Apr 3 21:12:46 BST 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
6f0cdae0 by security tracker role at 2025-04-03T20:12:38+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,4 +1,230 @@
-CVE-2025-31115 [Threaded decoder frees memory too early]
+CVE-2025-3190
+ REJECTED
+CVE-2025-3177 (A vulnerability was found in FastCMS 0.1.5. It has been declared as cr ...)
+ TODO: check
+CVE-2025-3176 (A vulnerability was found in Project Worlds Online Lawyer Management S ...)
+ TODO: check
+CVE-2025-3175 (A vulnerability was found in Project Worlds Online Lawyer Management S ...)
+ TODO: check
+CVE-2025-3174 (A vulnerability has been found in Project Worlds Online Lawyer Managem ...)
+ TODO: check
+CVE-2025-3173 (A vulnerability, which was classified as critical, was found in Projec ...)
+ TODO: check
+CVE-2025-3172 (A vulnerability, which was classified as critical, has been found in P ...)
+ TODO: check
+CVE-2025-3171 (A vulnerability classified as critical was found in Project Worlds Onl ...)
+ TODO: check
+CVE-2025-3170 (A vulnerability classified as critical has been found in Project World ...)
+ TODO: check
+CVE-2025-3169 (A vulnerability was found in Projeqtor up to 12.0.2. It has been rated ...)
+ TODO: check
+CVE-2025-3168 (A vulnerability was found in PHPGurukul Time Table Generator System 1. ...)
+ TODO: check
+CVE-2025-3167 (A vulnerability, which was classified as problematic, has been found i ...)
+ TODO: check
+CVE-2025-3166 (A vulnerability classified as critical was found in code-projects Prod ...)
+ TODO: check
+CVE-2025-3165 (A vulnerability classified as critical has been found in thu-pacman ch ...)
+ TODO: check
+CVE-2025-3164 (A vulnerability was found in Tencent Music Entertainment SuperSonic up ...)
+ TODO: check
+CVE-2025-3163 (A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has bee ...)
+ TODO: check
+CVE-2025-3162 (A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has bee ...)
+ TODO: check
+CVE-2025-3161 (A vulnerability was found in Tenda AC10 16.03.10.13 and classified as ...)
+ TODO: check
+CVE-2025-3160 (A vulnerability has been found in Open Asset Import Library Assimp 5.4 ...)
+ TODO: check
+CVE-2025-3159 (A vulnerability, which was classified as critical, was found in Open A ...)
+ TODO: check
+CVE-2025-3158 (A vulnerability, which was classified as critical, has been found in O ...)
+ TODO: check
+CVE-2025-3157 (A vulnerability was found in Intelbras WRN 150 1.0.15_pt_ITB01. It has ...)
+ TODO: check
+CVE-2025-3155 (A flaw was found in Yelp. The Gnome user help application allows the h ...)
+ TODO: check
+CVE-2025-32054 (In JetBrains IntelliJ IDEA before 2024.3, 2024.2.4 source code could b ...)
+ TODO: check
+CVE-2025-32052 (A flaw was found in libsoup. A vulnerability in the sniff_unknown() fu ...)
+ TODO: check
+CVE-2025-32051 (A flaw was found in libsoup. The libsoup soup_uri_decode_data_uri() fu ...)
+ TODO: check
+CVE-2025-32050 (A flaw was found in libsoup. The libsoup append_param_quoted() functio ...)
+ TODO: check
+CVE-2025-32049 (A flaw was found in libsoup. The SoupWebsocketConnection may accept a ...)
+ TODO: check
+CVE-2025-31911 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-31909 (Missing Authorization vulnerability in NotFound Apptivo Business Site ...)
+ TODO: check
+CVE-2025-31907 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31905 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31903 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31902 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31901 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31900 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31899 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31898 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31896 (Missing Authorization vulnerability in istmoplugins GetBookingsWP allo ...)
+ TODO: check
+CVE-2025-31893 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31876 (Missing Authorization vulnerability in gunnarpayday Payday allows Expl ...)
+ TODO: check
+CVE-2025-31858 (Missing Authorization vulnerability in matthewrubin Local Magic allows ...)
+ TODO: check
+CVE-2025-31841 (Missing Authorization vulnerability in Frank P. Walentynowicz FPW Cate ...)
+ TODO: check
+CVE-2025-31827 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ TODO: check
+CVE-2025-31825 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ TODO: check
+CVE-2025-31800 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ TODO: check
+CVE-2025-31795 (Missing Authorization vulnerability in Plugin Devs Shopify to WooComme ...)
+ TODO: check
+CVE-2025-31794 (Missing Authorization vulnerability in Web Ready Now WR Price List Man ...)
+ TODO: check
+CVE-2025-31789 (Missing Authorization vulnerability in Matat Technologies TextMe SMS a ...)
+ TODO: check
+CVE-2025-31768 (Missing Authorization vulnerability in OTWthemes Widget Manager Light ...)
+ TODO: check
+CVE-2025-31758 (Missing Authorization vulnerability in BinaryCarpenter Free Woocommerc ...)
+ TODO: check
+CVE-2025-31746 (Missing Authorization vulnerability in Think201 Clients allows Exploit ...)
+ TODO: check
+CVE-2025-31739 (Missing Authorization vulnerability in Manuel Schmalstieg Minimalistic ...)
+ TODO: check
+CVE-2025-31736 (Missing Authorization vulnerability in richtexteditor Rich Text Editor ...)
+ TODO: check
+CVE-2025-31729 (Missing Authorization vulnerability in jeffikus WooTumblog allows Expl ...)
+ TODO: check
+CVE-2025-31626 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31622 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31582 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31581 (Missing Authorization vulnerability in Sandeep Kumar WP Video Playlist ...)
+ TODO: check
+CVE-2025-31573 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31558 (Insertion of Sensitive Information into Externally-Accessible File or ...)
+ TODO: check
+CVE-2025-31554 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ TODO: check
+CVE-2025-31541 (Missing Authorization vulnerability in turitop TuriTop Booking System ...)
+ TODO: check
+CVE-2025-31536 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31489 (MinIO is a High Performance Object Storage released under GNU Affero G ...)
+ TODO: check
+CVE-2025-31487 (The XWiki JIRA extension provides various integration points between X ...)
+ TODO: check
+CVE-2025-31486 (Vite is a frontend tooling framework for javascript. The contents of a ...)
+ TODO: check
+CVE-2025-31485 (API Platform Core is a system to create hypermedia-driven REST and Gra ...)
+ TODO: check
+CVE-2025-31483 (Miniflux is a feed reader. Due to a weak Content Security Policy on th ...)
+ TODO: check
+CVE-2025-31481 (API Platform Core is a system to create hypermedia-driven REST and Gra ...)
+ TODO: check
+CVE-2025-31468 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31467 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31442 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31436 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-31161 (CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication b ...)
+ TODO: check
+CVE-2025-31127 (Element X Android is a Matrix Android Client provided by element.io. I ...)
+ TODO: check
+CVE-2025-31126 (Element X iOS is a Matrix iOS Client provided by Element. In Element X ...)
+ TODO: check
+CVE-2025-31119 (generator-jhipster-entity-audit is a JHipster module to enable entity ...)
+ TODO: check
+CVE-2025-31098 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-31091 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-30916 (Missing Authorization vulnerability in enituretechnology Residential A ...)
+ TODO: check
+CVE-2025-30915 (Missing Authorization vulnerability in enituretechnology Small Package ...)
+ TODO: check
+CVE-2025-30908 (Cross-Site Request Forgery (CSRF) vulnerability in Shamalli Web Direct ...)
+ TODO: check
+CVE-2025-30889 (Deserialization of Untrusted Data vulnerability in PickPlugins Testimo ...)
+ TODO: check
+CVE-2025-30858 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-30616 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-30611 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-30596 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ TODO: check
+CVE-2025-30406 (Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.563 ...)
+ TODO: check
+CVE-2025-2946 (pgAdmin <= 9.1 is affected by a security vulnerability with Cross-Site ...)
+ TODO: check
+CVE-2025-2945 (Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool ...)
+ TODO: check
+CVE-2025-2299 (The LuckyWP Table of Contents plugin for WordPress is vulnerable to Cr ...)
+ TODO: check
+CVE-2025-29987 (Dell PowerProtect Data Domain with Data Domain Operating System (DD OS ...)
+ TODO: check
+CVE-2025-29647 (SeaCMS v13.3 has a SQL injection vulnerability in the component admin_ ...)
+ TODO: check
+CVE-2025-29570 (An issue in Shenzhen Libituo Technology Co., Ltd LBT-T300-T400 v3.2 al ...)
+ TODO: check
+CVE-2025-29504 (Insecure Permission vulnerability in student-manage 1 allows a local a ...)
+ TODO: check
+CVE-2025-29462 (A buffer overflow vulnerability has been discovered in Tenda Ac15 V15. ...)
+ TODO: check
+CVE-2025-29369 (Code-Projects Matrimonial Site V1.0 is vulnerable to SQL Injection in ...)
+ TODO: check
+CVE-2025-29064 (An issue in TOTOLINK x18 v.9.1.0cu.2024_B20220329 allows a remote atta ...)
+ TODO: check
+CVE-2025-26818 (Netwrix Password Secure through 9.2 allows command injection.)
+ TODO: check
+CVE-2025-26817 (Netwrix Password Secure 9.2.0.32454 allows OS command injection.)
+ TODO: check
+CVE-2025-22931 (An insecure direct object reference (IDOR) in the component /assets/st ...)
+ TODO: check
+CVE-2025-22930 (OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection v ...)
+ TODO: check
+CVE-2025-22929 (OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection v ...)
+ TODO: check
+CVE-2025-22928 (OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection v ...)
+ TODO: check
+CVE-2025-22927 (An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execut ...)
+ TODO: check
+CVE-2025-22926 (An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execut ...)
+ TODO: check
+CVE-2025-22457 (A stack-based buffer overflow in Ivanti Connect Secure before version ...)
+ TODO: check
+CVE-2025-0272 (HCL DevOps Deploy / HCL Launch is vulnerable to HTML injection. This v ...)
+ TODO: check
+CVE-2024-9416 (The Modula Image Gallery plugin for WordPress is vulnerable to Stored ...)
+ TODO: check
+CVE-2024-45198 (insightsoftware Spark JDBC 2.6.21 has a remote code execution vulnerab ...)
+ TODO: check
+CVE-2024-22611 (OpenEMR 7.0.2 is vulnerable to SQL Injection via \openemr\library\clas ...)
+ TODO: check
+CVE-2023-47639 (API Platform Core is a system to create hypermedia-driven REST and Gra ...)
+ TODO: check
+CVE-2025-31115 (XZ Utils provide a general-purpose data-compression library plus comma ...)
- xz-utils <unfixed>
[bullseye] - xz-utils <not-affected> (Vulnerable code introduce later)
NOTE: https://www.openwall.com/lists/oss-security/2025/04/03/1
@@ -100,7 +326,7 @@ CVE-2025-2784 (A flaw was found in libsoup. The package is vulnerable to a heap
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/c415ad0b6771992e66c70edf373566c6e247089d (3.6.5)
NOTE: Depends on: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/commit/242a10fbb12dbdc12d254bd8fc8669a0ac055304 (3.6.5)
-CVE-2025-32053
+CVE-2025-32053 (A flaw was found in libsoup. A vulnerability in sniff_feed_or_html() a ...)
- libsoup3 3.6.1-1
- libsoup2.4 <unfixed>
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/426
@@ -190,7 +416,7 @@ CVE-2024-37917 (Pexip Infinity before 35.0 has improper input validation that al
NOT-FOR-US: Pexip Infinity
CVE-2024-13673 (The Big Boom Directory plugin for WordPress is vulnerable to Stored Cr ...)
NOT-FOR-US: WordPress plugin
-CVE-2024-53868 [request smuggling via chunked messages]
+CVE-2024-53868 (Apache Traffic Server allows request smuggling if chunked messages are ...)
- trafficserver <unfixed> (bug #1101996)
NOTE: https://www.openwall.com/lists/oss-security/2025/04/02/4
NOTE: https://github.com/apache/trafficserver/commit/f266206adb95951436a21850cef2ad8e9e4a28cf
@@ -1283,7 +1509,7 @@ CVE-2025-3034 (Memory safety bugs present in Firefox 136 and Thunderbird 136. So
- firefox 137.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-20/#CVE-2025-3034
CVE-2025-3030 (Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ES ...)
- {DSA-5889-1 DLA-4110-1 DLA-4109-1}
+ {DSA-5891-1 DSA-5889-1 DLA-4110-1 DLA-4109-1}
- firefox 137.0-1
- firefox-esr 128.9.0esr-1
- thunderbird 1:128.9.0esr-1
@@ -1297,7 +1523,7 @@ CVE-2025-3035 (By first using the AI chatbot in one tab and later activating it
- firefox 137.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-20/#CVE-2025-3035
CVE-2025-3029 (A crafted URL containing specific Unicode characters could have hidden ...)
- {DSA-5889-1 DLA-4110-1 DLA-4109-1}
+ {DSA-5891-1 DSA-5889-1 DLA-4110-1 DLA-4109-1}
- firefox 137.0-1
- firefox-esr 128.9.0esr-1
- thunderbird 1:128.9.0esr-1
@@ -1311,7 +1537,7 @@ CVE-2025-3031 (An attacker could read 32 bits of values spilled onto the stack i
- firefox 137.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-20/#CVE-2025-3031
CVE-2025-3028 (JavaScript code running while transforming a document with the XSLTPro ...)
- {DSA-5889-1 DLA-4110-1 DLA-4109-1}
+ {DSA-5891-1 DSA-5889-1 DLA-4110-1 DLA-4109-1}
- firefox 137.0-1
- firefox-esr 128.9.0esr-1
- thunderbird 1:128.9.0esr-1
@@ -4960,6 +5186,7 @@ CVE-2024-13737 (The Motors \u2013 Car Dealer, Classifieds & Listing plugin for W
CVE-2025-26796 (** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Input Durin ...)
NOT-FOR-US: Apache Oozie
CVE-2025-30349 (Horde IMP through 6.2.27, as used with Horde Application Framework thr ...)
+ {DLA-4113-1}
- php-horde-imp <unfixed> (bug #1102003)
[bookworm] - php-horde-imp <ignored> (Horde in Bookworm is broken due to PHP 8 issues and will be removed in the next point release)
NOTE: https://web.archive.org/web/20250321152616/https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057781.html
@@ -80600,7 +80827,7 @@ CVE-2024-5594 (OpenVPN before 2.6.11 does not santize PUSH_REPLY messages proper
- openvpn 2.6.11-1 (bug #1074488)
[bookworm] - openvpn <no-dsa> (Minor issue)
NOTE: https://github.com/OpenVPN/openvpn/commit/90e7a858e5594d9a019ad2b4ac6154124986291a (v2.6.11)
-CVE-2024-4877
+CVE-2024-4877 (OpenVPN version 2.4.0 through 2.6.10 on Windows allows an external, le ...)
- openvpn <not-affected> (Only affects Windows)
CVE-2024-6269 (A vulnerability has been found in Ruijie RG-UAC 1.0 and classified as ...)
NOT-FOR-US: Ruijie RG-UAC
@@ -181998,7 +182225,7 @@ CVE-2023-26544 (In the Linux kernel 6.0.8, there is a use-after-free in run_unpa
NOTE: NTFS3 driver not enabled in Debian.
CVE-2023-1031 (MonicaHQ version 4.0.0 allows an authenticated remote attacker to exec ...)
NOT-FOR-US: MonicaHQ
-CVE-2023-1030 (A vulnerability has been found in SourceCodester Online Boat Reservati ...)
+CVE-2023-1030 (A vulnerability has been found in SourceCodester/code-projects Online ...)
NOT-FOR-US: SourceCodester Online BoatReservation System
CVE-2023-1029 (The WP Meta SEO plugin for WordPress is vulnerable to Cross-Site Reque ...)
NOT-FOR-US: WP Meta SEO plugin for WordPress
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f0cdae0ff2d6084a2954ab15b70605269c23004
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f0cdae0ff2d6084a2954ab15b70605269c23004
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250403/05c5b4ea/attachment.htm>
More information about the debian-security-tracker-commits
mailing list