[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Apr 10 21:12:45 BST 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b09f2604 by security tracker role at 2025-04-10T20:12:37+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,14 +1,156 @@
-CVE-2025-32700
+CVE-2025-32755 (In jenkins/ssh-slave Docker images based on Debian, SSH host keys are ...)
+ TODO: check
+CVE-2025-32754 (In jenkins/ssh-agent Docker images 6.11.1 and earlier, SSH host keys a ...)
+ TODO: check
+CVE-2025-32743 (In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c ...)
+ TODO: check
+CVE-2025-32687 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-32668 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-32395 (Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6 ...)
+ TODO: check
+CVE-2025-32391 (HedgeDoc is an open source, real-time, collaborative, markdown notes a ...)
+ TODO: check
+CVE-2025-32383 (MaxKB (Max Knowledge Base) is an open source knowledge base question-a ...)
+ TODO: check
+CVE-2025-32382 (Metabase is an open source Business Intelligence and Embedded Analytic ...)
+ TODO: check
+CVE-2025-32282 (Cross-Site Request Forgery (CSRF) vulnerability in ShareThis ShareThis ...)
+ TODO: check
+CVE-2025-32275 (Authentication Bypass by Spoofing vulnerability in Ays Pro Survey Make ...)
+ TODO: check
+CVE-2025-32260 (Missing Authorization vulnerability in Detheme DethemeKit For Elemento ...)
+ TODO: check
+CVE-2025-32259 (Missing Authorization vulnerability in Alimir WP ULike. This issue aff ...)
+ TODO: check
+CVE-2025-32244 (Missing Authorization vulnerability in QuantumCloud SEO Help allows Ex ...)
+ TODO: check
+CVE-2025-32243 (Missing Authorization vulnerability in Toast Plugins Internal Link Opt ...)
+ TODO: check
+CVE-2025-32242 (Missing Authorization vulnerability in Hive Support Hive Support allow ...)
+ TODO: check
+CVE-2025-32240 (Missing Authorization vulnerability in NotFound Site Notify allows Exp ...)
+ TODO: check
+CVE-2025-32236 (Missing Authorization vulnerability in Vagonic Woocommerce Products Re ...)
+ TODO: check
+CVE-2025-32230 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Bas ...)
+ TODO: check
+CVE-2025-32228 (Exposure of Sensitive System Information to an Unauthorized Control Sp ...)
+ TODO: check
+CVE-2025-32227 (Authentication Bypass by Spoofing vulnerability in Asgaros Asgaros For ...)
+ TODO: check
+CVE-2025-32221 (Missing Authorization vulnerability in Spider Themes EazyDocs allows E ...)
+ TODO: check
+CVE-2025-32216 (Missing Authorization vulnerability in Spider Themes Spider Elements \ ...)
+ TODO: check
+CVE-2025-32215 (Unrestricted Upload of File with Dangerous Type vulnerability in Abili ...)
+ TODO: check
+CVE-2025-32214 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-32213 (Missing Authorization vulnerability in flothemesplugins Flo Forms allo ...)
+ TODO: check
+CVE-2025-32212 (Missing Authorization vulnerability in Specia Theme Specia Companion a ...)
+ TODO: check
+CVE-2025-32210 (Missing Authorization vulnerability in CreativeMindsSolutions CM Regis ...)
+ TODO: check
+CVE-2025-32209 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ TODO: check
+CVE-2025-32208 (Missing Authorization vulnerability in Hive Support Hive Support allow ...)
+ TODO: check
+CVE-2025-32206 (Unrestricted Upload of File with Dangerous Type vulnerability in LABCA ...)
+ TODO: check
+CVE-2025-32205 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ TODO: check
+CVE-2025-32202 (Unrestricted Upload of File with Dangerous Type vulnerability in Brian ...)
+ TODO: check
+CVE-2025-32199 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-32198 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-32160 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-32158 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-32145 (Deserialization of Untrusted Data vulnerability in magepeopleteam WpEv ...)
+ TODO: check
+CVE-2025-32140 (Unrestricted Upload of File with Dangerous Type vulnerability in Nirma ...)
+ TODO: check
+CVE-2025-32139 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-32128 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-32119 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-32116 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-32115 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-32114 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-32027 (Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii ...)
+ TODO: check
+CVE-2025-31524 (Incorrect Privilege Assignment vulnerability in NotFound WP User Profi ...)
+ TODO: check
+CVE-2025-31411 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ TODO: check
+CVE-2025-30582 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ TODO: check
+CVE-2025-30148 (Silverstripe Framework is a PHP framework which powers the Silverstrip ...)
+ TODO: check
+CVE-2025-29150 (BlueCMS 1.6 suffers from Arbitrary File Deletion via the id parameter ...)
+ TODO: check
+CVE-2025-29088 (An issue in sqlite v.3.49.0 allows an attacker to cause a denial of se ...)
+ TODO: check
+CVE-2025-29017 (A Remote Code Execution (RCE) vulnerability exists in Code Astro Inter ...)
+ TODO: check
+CVE-2025-27813 (MSI Center before 2.0.52.0 has Missing PE Signature Validation.)
+ TODO: check
+CVE-2025-27812 (MSI Center before 2.0.52.0 allows TOCTOU Local Privilege Escalation.)
+ TODO: check
+CVE-2025-27350 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-27081 (A potential security vulnerability in HPE NonStop OSM Service Connecti ...)
+ TODO: check
+CVE-2025-25197 (Silverstripe Elemental extends a page type to swap the content area fo ...)
+ TODO: check
+CVE-2025-24866 (Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access con ...)
+ TODO: check
+CVE-2025-23386 (A Incorrect Default Permissions vulnerability in the openSUSE Tumblewe ...)
+ TODO: check
+CVE-2025-23010 (An Improper Link Resolution Before File Access ('Link Following') vuln ...)
+ TODO: check
+CVE-2025-23009 (A local privilege escalation vulnerability in SonicWall NetExtender Wi ...)
+ TODO: check
+CVE-2025-23008 (An improper privilege management vulnerability in the SonicWall NetExt ...)
+ TODO: check
+CVE-2025-22375 (An authentication bypass vulnerability was found in Videx's CyberAudit ...)
+ TODO: check
+CVE-2025-22374 (A Server-Side Request Forgery (SSRF) vulnerability was discovered in t ...)
+ TODO: check
+CVE-2025-22279 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-22232 (Spring Cloud Config Server may not use Vault token sent by clients usi ...)
+ TODO: check
+CVE-2025-1073 (Panasonic IR Control Hub (IR Blaster) versions 1.17 and earlier may al ...)
+ TODO: check
+CVE-2023-43037 (IBM Maximo Application Suite 8.11 and 9.0 could allow an authenticated ...)
+ TODO: check
+CVE-2023-43035 (IBM Sterling Control Center 6.2.1, 6.3.1, and 6.4.0 allows web pages t ...)
+ TODO: check
+CVE-2023-42007 (IBM Sterling Control Center 6.2.1, 6.3.1, and 6.4.0 is vulnerable to c ...)
+ TODO: check
+CVE-2025-32700 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
- mediawiki 1:1.43.1+dfsg-1
-CVE-2025-32699
+CVE-2025-32699 (Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation ...)
- mediawiki 1:1.43.1+dfsg-1
-CVE-2025-32698
+CVE-2025-32698 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
- mediawiki 1:1.43.1+dfsg-1
-CVE-2025-32697
+CVE-2025-32697 (Improper Preservation of Permissions vulnerability in Wikimedia Founda ...)
- mediawiki 1:1.43.1+dfsg-1
-CVE-2025-32696
+CVE-2025-32696 (Improper Preservation of Permissions vulnerability in Wikimedia Founda ...)
- mediawiki 1:1.43.1+dfsg-1
-CVE-2025-3469
+CVE-2025-3469 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
- mediawiki 1:1.43.1+dfsg-1
CVE-2025-3489 (A vulnerability was found in Nababur Simple-User-Management-System 1.0 ...)
NOT-FOR-US: Nababur Simple-User-Management-System
@@ -86,15 +228,15 @@ CVE-2025-2760 [GIMP XWD File Parsing Integer Overflow Remote Code Execution Vuln
- gimp 3.0.0-1
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-203/
NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/12790
-CVE-2025-2469
+CVE-2025-2469 (An issue has been discovered in GitLab CE/EE affecting all versions fr ...)
- gitlab <not-affected> (Vulnerable code introduced later)
-CVE-2024-11129
+CVE-2024-11129 (An issue has been discovered in GitLab EE affecting all versions from ...)
- gitlab <not-affected> (Specific to EE)
-CVE-2025-2408
+CVE-2025-2408 (An issue has been discovered in GitLab CE/EE affecting all versions fr ...)
- gitlab <unfixed>
-CVE-2025-0362
+CVE-2025-0362 (An issue has been discovered in GitLab CE/EE affecting all versions fr ...)
- gitlab <unfixed>
-CVE-2025-1677
+CVE-2025-1677 (A Denial of Service (DoS) issue has been discovered in GitLab CE/EE af ...)
- gitlab <unfixed>
CVE-2025-3475 (Allocation of Resources Without Limits or Throttling, Incorrect Author ...)
NOT-FOR-US: Drupal core and addons
@@ -7437,7 +7579,7 @@ CVE-2025-30472 (Corosync through 3.1.9, if encryption is disabled or the attacke
NOTE: https://github.com/corosync/corosync/issues/778
NOTE: https://github.com/corosync/corosync/pull/779
NOTE: https://github.com/corosync/corosync/commit/7839990f9cdf34e55435ed90109e82709032466a
-CVE-2025-30204 (golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 ...)
+CVE-2025-30204 (golang-jwt is a Go implementation of JSON Web Tokens. Starting in vers ...)
- golang-github-golang-jwt-jwt-v5 5.2.2-1
- golang-github-golang-jwt-jwt 5.0.0+really4.5.2-1
[bookworm] - golang-github-golang-jwt-jwt <no-dsa> (Minor issue)
@@ -7868,7 +8010,8 @@ CVE-2024-9056 (BentoML version v1.3.4post1 is vulnerable to a Denial of Service
NOT-FOR-US: bentoml/bentoml
CVE-2024-9053 (vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncE ...)
- vllm <itp> (bug #1095237)
-CVE-2024-9052 (vllm-project vllm version 0.6.0 contains a vulnerability in the distri ...)
+CVE-2024-9052
+ REJECTED
- vllm <itp> (bug #1095237)
CVE-2024-9016 (man-group dtale version <= 3.13.1 contains a vulnerability where the q ...)
NOT-FOR-US: man-group/dtale
@@ -8667,7 +8810,7 @@ CVE-2025-29917 [decode_base64: signature can do large memory allocation]
[bookworm] - suricata <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/OISF/suricata/commit/32d0bd2bbb4d486623dec85a94952fde2515f2f0 (master)
NOTE: Fixed by: https://github.com/OISF/suricata/commit/bab716776ba3561cfbfd1a57fc18ff1f6859f019 (suricata-7.0.9)
-CVE-2025-29916 [datasets: hashsize setting via rules can cause high memory usage]
+CVE-2025-29916 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...)
- suricata 1:7.0.9-1
[bookworm] - suricata <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/OISF/suricata/commit/d32a39ca4b53d7f659f4f0a2a5c162ef97dc4797 (master)
@@ -8675,7 +8818,7 @@ CVE-2025-29916 [datasets: hashsize setting via rules can cause high memory usage
NOTE: Fixed by: https://github.com/OISF/suricata/commit/2f432c99a9734ea3a75c9218f35060e11a7a39ad (suricata-7.0.9)
NOTE: Fixed by: https://github.com/OISF/suricata/commit/e28c8c655a324a18932655a2c2b8f0d5aa1c55d7 (suricata-7.0.9)
NOTE: Fixed by: https://github.com/OISF/suricata/commit/d86c5f9f0c75736d4fce93e27c0773fcb27e1047 (suricata-7.0.9)
-CVE-2025-29915 [af-packet: defrag option can lead to truncated packets]
+CVE-2025-29915 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...)
- suricata 1:7.0.9-1
[bookworm] - suricata <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/OISF/suricata/commit/25d0fba91274e8d26e804f278c281a5c9f5309e9 (master)
@@ -9680,7 +9823,7 @@ CVE-2025-24974 (DataEase is an open source business intelligence and data visual
NOT-FOR-US: DataEase
CVE-2025-24053 (Improper authentication in Microsoft Dataverse allows an authorized at ...)
NOT-FOR-US: Microsoft
-CVE-2025-21104 (Dell NetWorker, 19.11.0.3 and below versions, contain(s) an Open Redir ...)
+CVE-2025-21104 (Dell NetWorker, versions prior to 19.12.0.1 and versions prior to 19.1 ...)
NOT-FOR-US: Dell / EMC
CVE-2025-1767 (This CVE only affects Kubernetes clusters that utilize the in-tree git ...)
- kubernetes 1.20.5+really1.20.2-1
@@ -13050,7 +13193,7 @@ CVE-2024-51963 (There is a stored Cross-site Scripting vulnerability in ArcGIS S
NOT-FOR-US: Esri
CVE-2024-51962 (A SQL injection vulnerability in ArcGIS Server allows an EDIToperation ...)
NOT-FOR-US: Esri
-CVE-2024-51961 (There is a local file inclusion vulnerability in ArcGIS Server 10.9.1 ...)
+CVE-2024-51961 (There is a local file inclusion vulnerability in ArcGIS Server 11.3 an ...)
NOT-FOR-US: Esri
CVE-2024-51960 (There is a stored Cross-site Scripting vulnerability in ArcGIS Server ...)
NOT-FOR-US: Esri
@@ -13062,7 +13205,7 @@ CVE-2024-51957 (There is a stored Cross-site Scripting vulnerability in ArcGIS S
NOT-FOR-US: Esri
CVE-2024-51956 (There is a stored Cross-site Scripting vulnerability in ArcGIS Server ...)
NOT-FOR-US: Esri
-CVE-2024-51954 (There is an improper access control issue in ArcGIS Server versions 10 ...)
+CVE-2024-51954 (There is an improper access control issue in ArcGIS Server versions 11 ...)
NOT-FOR-US: Esri
CVE-2024-51953 (There is a stored Cross-site Scripting vulnerability in ArcGIS Server ...)
NOT-FOR-US: Esri
@@ -77021,7 +77164,7 @@ CVE-2023-7272 (In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a larg
NOT-FOR-US: Eclipse Parsson
CVE-2023-52291 (In streampark, the project module integrates Maven's compilation capab ...)
NOT-FOR-US: Apache StreamPark
-CVE-2023-4976 (A flaw exists in Purity//FB whereby a local account is permitted to au ...)
+CVE-2023-4976 (A flaw exists in FlashBlade whereby a local account is permitted to au ...)
NOT-FOR-US: Purity//FB
CVE-2023-42010 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 a ...)
NOT-FOR-US: IBM
@@ -111205,7 +111348,7 @@ CVE-2024-25709 (There is a stored Cross-site Scripting vulnerability in Esri Por
NOT-FOR-US: Esri Portal
CVE-2024-25708 (There is a stored Cross-site Scripting vulnerability in Esri Portal fo ...)
NOT-FOR-US: Esri Portal
-CVE-2024-25706 (There is an HTML injection vulnerability in Esri Portal for ArcGIS <=1 ...)
+CVE-2024-25706 (There is an HTML injection vulnerability in Esri Portal for ArcGIS 11. ...)
NOT-FOR-US: Esri Portal
CVE-2024-25705 (There is a cross site scripting vulnerability in the Esri Portal for A ...)
NOT-FOR-US: Esri Portal
@@ -111213,8 +111356,8 @@ CVE-2024-25704
REJECTED
CVE-2024-25703
REJECTED
-CVE-2024-25700
- REJECTED
+CVE-2024-25700 (There is a stored Cross-site Scripting vulnerability in Esri Portal fo ...)
+ TODO: check
CVE-2024-25699 (There is a difficult to exploit improper authentication issue in the H ...)
NOT-FOR-US: Esri Portal
CVE-2024-25698 (There is a reflected cross site scripting vulnerability in the home ap ...)
@@ -186669,7 +186812,7 @@ CVE-2023-25838 (There is SQL injection vulnerabilityin Esri ArcGIS Insights 2022
NOT-FOR-US: Esri ArcGIS
CVE-2023-25837 (There is a Cross-site Scripting vulnerabilityin Esri ArcGIS Enterprise ...)
NOT-FOR-US: Esri
-CVE-2023-25836 (There is a Cross-site Scripting vulnerabilityin Esri Portal Sites in v ...)
+CVE-2023-25836 (There is a Cross-site Scripting vulnerabilityin Esri Portal for ArcGIS ...)
NOT-FOR-US: Esri
CVE-2023-25835 (There is a stored Cross-site Scripting vulnerabilityin Esri Portal for ...)
NOT-FOR-US: Esri
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b09f260402bd32c1e839f22f44f1d38abe1f6a39
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b09f260402bd32c1e839f22f44f1d38abe1f6a39
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250410/54acd615/attachment.htm>
More information about the debian-security-tracker-commits
mailing list