[Git][security-tracker-team/security-tracker][master] Process some NFUs

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue Apr 15 22:13:00 BST 2025



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a1997dbb by Salvatore Bonaccorso at 2025-04-15T23:12:15+02:00
Process some NFUs

Note the TOTOLINK CVEs did not get caught by the auto-nfu matching.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -76,7 +76,7 @@ CVE-2025-2567 (An attacker could modify or disable settings, disrupt fuel monito
 CVE-2025-2083 (The Logo Carousel Gutenberg Block plugin for WordPress is vulnerable t ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2025-29817 (Uncontrolled search path element in Power Automate allows an authorize ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2025-29705 (code-gen <=2.0.6 is vulnerable to Incorrect Access Control. The projec ...)
 	NOT-FOR-US: code-gen
 CVE-2025-29281 (In PerfreeBlog version 4.0.11, regular users can exploit the arbitrary ...)
@@ -98,15 +98,15 @@ CVE-2025-28143 (Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3_1.0.1
 CVE-2025-28142 (Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3_1.0.15 was  ...)
 	NOT-FOR-US: Edimax
 CVE-2025-28137 (The TOTOLINK A810R V4.1.2cu.5182_B20201026 were found to contain a pre ...)
-	TODO: check
+	NOT-FOR-US: TOTOLINK
 CVE-2025-28136 (TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a buffer o ...)
-	TODO: check
+	NOT-FOR-US: TOTOLINK
 CVE-2025-28100 (A SQL Injection vulnerability in dingfanzuCMS v.1.0 allows a attacker  ...)
 	NOT-FOR-US: dingfanzuCMS
 CVE-2025-27980 (cashbook v4.0.3 has an arbitrary file read vulnerability in /api/entry ...)
 	NOT-FOR-US: cashbook
 CVE-2025-27791 (Collabora Online is a collaborative online office suite based on Libre ...)
-	TODO: check
+	NOT-FOR-US: Collabora Online
 CVE-2025-26992 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-26990 (Server-Side Request Forgery (SSRF) vulnerability in WP Royal Royal Ele ...)
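Review bot: the new NOT-FOR-US reason for CVE-2025-27791 says only "Collabora Online", yet the description visible in the hunk notes it is "based on Libre ...", and LibreOffice itself is in the archive; recording in the reason that the issue is specific to the online suite rather than to shared LibreOffice code would save the next triager from reopening the entry.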
@@ -146,11 +146,11 @@ CVE-2025-24948 (In JotUrl 2.0, passwords are sent via HTTP GET-type requests, po
 CVE-2025-24358 (gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention mid ...)
 	TODO: check
 CVE-2025-22903 (TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a sta ...)
-	TODO: check
+	NOT-FOR-US: TOTOLINK
 CVE-2025-22900 (Totolink N600R v4.3.0cu.7647_B20210106 was discovered to contain a sta ...)
-	TODO: check
+	NOT-FOR-US: TOTOLINK
 CVE-2025-1688 (Milestone Systems has discovered a security vulnerability in Milestone ...)
-	TODO: check
+	NOT-FOR-US: Milestone XProtect installer
 CVE-2025-1292 (Out-Of-Bounds Write in TPM2 Reference Library in Google ChromeOS 122.0 ...)
 	NOT-FOR-US: ChromeOS
 CVE-2025-1122 (Out-Of-Bounds Write in TPM2 Reference Library in Google ChromeOS 122.0 ...)
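Review bot: CVE-2025-22903 and CVE-2025-22900 spell the vendor as "TOTOLINK" and "Totolink" respectively, which may be why the auto-nfu matching mentioned in the commit message missed them; if the matcher's vendor pattern is case-sensitive, making it case-insensitive (or adding the mixed-case spelling) would let the next batch of these be handled automatically.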
@@ -166,11 +166,11 @@ CVE-2024-42193 (HCL BigFix Web Reports' service communicates over HTTPS but exhi
 CVE-2024-42189 (HCL BigFix Web Reports might be subject to a Denial of Service (DoS) a ...)
 	NOT-FOR-US: HCL
 CVE-2024-36842 (An issue in Oncord+ Android Infotainment Systems OS Android 12, Model  ...)
-	TODO: check
+	NOT-FOR-US: Oncord+ Android Infotainment Systems
 CVE-2024-13177 (Netskope Client on Mac OS is impacted by a vulnerability in which the  ...)
-	TODO: check
+	NOT-FOR-US: Netskope Client on Mac OS
 CVE-2024-11084 (Helix ALM prior to 2025.1 returns distinct error responses during auth ...)
-	TODO: check
+	NOT-FOR-US: Helix ALM
 CVE-2025-3523 (When an email contains multiple attachments with external links via th ...)
 	- thunderbird <unfixed>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-27/#CVE-2025-3523
@@ -334271,7 +334271,7 @@ CVE-2021-27290 (ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular
 	NOTE: https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
 	NOTE: https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2 (v8.0.1)
 CVE-2021-27289 (A replay attack vulnerability was discovered in a Zigbee smart home ki ...)
-	TODO: check
+	NOT-FOR-US: Zigbee
 CVE-2021-27288 (Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attack ...)
 	NOT-FOR-US: X2Engine X2CRM
 CVE-2021-27287
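Review bot: the NOT-FOR-US reason for CVE-2021-27289 names the protocol ("Zigbee") rather than the affected product, while the description refers to a specific "Zigbee smart home ki ..."; naming the kit or vendor in the reason, as the neighbouring entries do (e.g. "NOT-FOR-US: X2Engine X2CRM"), would make the triage decision easier to verify later.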
@@ -386683,7 +386683,7 @@ CVE-2020-18245
 CVE-2020-18244
 	RESERVED
 CVE-2020-18243 (SQL injection vulnerability found in Enricozab CMS v.1.0 allows a remo ...)
-	TODO: check
+	NOT-FOR-US: Enricozab CMS
 CVE-2020-18242
 	RESERVED
 CVE-2020-18241



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1997dbbde8556b3fb11532f7a8702d5a4a81432


