[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Apr 16 14:05:38 BST 2025



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
899e4a92 by Moritz Muehlenhoff at 2025-04-16T15:04:14+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -27,39 +27,39 @@ CVE-2025-3077 (The Betheme theme for WordPress is vulnerable to Stored Cross-Sit
 CVE-2025-32923 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-32784 (conda-forge-webservices is the web app deployed to run conda-forge adm ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-32782 (Ash Authentication provides authentication for the Ash framework. The  ...)
-	TODO: check
+	NOT-FOR-US: Ash Authentication
 CVE-2025-32778 (Web-Check is an all-in-one OSINT tool for analyzing any website. A com ...)
-	TODO: check
+	NOT-FOR-US: Web-Check
 CVE-2025-32435 (Hydra is a Continuous Integration service for Nix based projects. Eval ...)
-	TODO: check
+	NOT-FOR-US: Hydra
 CVE-2025-32388 (SvelteKit is a framework for rapidly developing robust, performant web ...)
-	TODO: check
+	NOT-FOR-US: SvelteKit
 CVE-2025-32385 (EspoCRM is an Open Source Customer Relationship Management software. P ...)
-	TODO: check
+	NOT-FOR-US: EspoCRM
 CVE-2025-32021 (Weblate is a web based localization tool. Prior to version 5.11, when  ...)
-	TODO: check
+	- weblate <itp> (bug #745661)
 CVE-2025-31950 (An unauthenticated attacker can obtain EV charger energy consumption i ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-31949 (An authenticated attacker can obtain any plant name by knowing the pla ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-31945 (An unauthenticated attacker can obtain other users' charger informatio ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-31941 (An unauthenticated attacker can obtain a list of smart devices by know ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-31933 (An unauthenticated attacker can check the existence of usernames in th ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-31654 (An attacker can get information about the groups of the smart home dev ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-31499 (Jellyfin is an open source self hosted media server. Versions before 1 ...)
-	TODO: check
+	- jellyfin <itp> (bug #994189)
 CVE-2025-31360 (Unauthenticated attackers can trigger device actions associated with s ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-31357 (An unauthenticated attacker can obtain a user's plant list by knowing  ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-31147 (Unauthenticated attackers can query information about total energy con ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-30984 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-30982 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
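Review bot: the rationale on CVE-2025-32784 looks like a copy-paste slip: the description is for conda-forge-webservices, but the line added is `NOT-FOR-US: Growatt Cloud portal`, which is the text used for the Growatt entries further down in this hunk (CVE-2025-31950 and following). If the product is not packaged, the entry should read `NOT-FOR-US: conda-forge-webservices` so the triage note names the software it annotates; otherwise it should stay `TODO: check`. The other rationales in the hunk match their descriptions, and the `<itp> (bug #NNNNNN)` form used for weblate and jellyfin follows the existing entries.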
@@ -185,17 +185,17 @@ CVE-2025-30682 (Vulnerability in the MySQL Server product of Oracle MySQL (compo
 CVE-2025-30681 (Vulnerability in the MySQL Server product of Oracle MySQL (component:  ...)
 	- mysql-8.0 <unfixed>
 CVE-2025-30514 (Unauthenticated attackers can obtain restricted information about a us ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-30512 (Unauthenticated attackers can send configuration settings to device an ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-30511 (An authenticated attacker can achieve stored XSS by exploiting imprope ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-30510 (An attacker can upload an arbitrary file instead of a plant image.)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-30257 (Unauthenticated attackers can retrieve serial number of smart meters a ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-30254 (An unauthenticated attacker can obtain a serial number of a smart mete ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-30100 (Dell Alienware Command Center 6.x, versions prior to 6.7.37.0 contain  ...)
 	NOT-FOR-US: Dell / EMC
 CVE-2025-2497 (A maliciously crafted DWG file, when parsed through Autodesk Revit, ca ...)
@@ -205,39 +205,39 @@ CVE-2025-2314 (The User Profile Builder \u2013 Beautiful User Registration Forms
 CVE-2025-29471 (Cross Site Scripting vulnerability in Nagios Log Server v.2024R1.3.1 a ...)
 	TODO: check
 CVE-2025-27939 (An attacker can change registered email addresses of other users and t ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-27938 (Unauthenticated attackers can obtain restricted information about a us ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-27929 (Unauthenticated attackers can retrieve full list of users associated w ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-27927 (An unauthenticated attackers can obtain a list of smart devices by kno ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-27892 (Shopware prior to version 6.5.8.13 is affected by a SQL injection vuln ...)
-	TODO: check
+	NOT-FOR-US: Shopware
 CVE-2025-27719 (Unauthenticated attackers can query an API endpoint and get device det ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-27575 (An unauthenticated attacker can obtain EV charger version and firmware ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-27571 (Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11 ...)
-	TODO: check
+	- mattermost-server <itp> (bug #823556)
 CVE-2025-27568 (An unauthenticated attacker can get users' emails by knowing usernames ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-27565 (An unauthenticated attacker can delete any user's "rooms" by knowing t ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-27561 (Unauthenticated attackers can rename "rooms" of arbitrary users.)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-27538 (Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce ...)
-	TODO: check
+	- mattermost-server <itp> (bug #823556)
 CVE-2025-27011 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-27008 (Missing Authorization vulnerability in NotFound Unlimited Timeline all ...)
-	TODO: check
+	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-26998 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-26996 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-26953 (Missing Authorization vulnerability in NotFound JetMenu allows Accessi ...)
-	TODO: check
+	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-26951 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-26950 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
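Review bot: nit, in this hunk's context CVE-2025-29471 (Nagios Log Server) is still `TODO: check` while every other `TODO: check` in the same region was triaged to `NOT-FOR-US` or an `<itp>` reference. If it was deliberately left for a closer look that is fine, but it reads as the one entry missed in the sweep. The two Mattermost lines reuse `<itp> (bug #823556)`, consistent with the existing CVE-2025-24839 entry, and the two WordPress plugin entries use the same `NOT-FOR-US: WordPress plugin or theme` text as their neighbours.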
@@ -277,9 +277,9 @@ CVE-2025-25458 (Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow
 CVE-2025-25453 (Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in Adv ...)
 	NOT-FOR-US: Tenda
 CVE-2025-25276 (An unauthenticated attacker can hijack other users' devices and potent ...)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-24850 (An attacker can export other users' plant information.)
-	TODO: check
+	NOT-FOR-US: Growatt Cloud portal
 CVE-2025-24839 (Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11 ...)
 	- mattermost-server <itp> (bug #823556)
 CVE-2025-24487 (An unauthenticated attacker can infer the existence of usernames in th ...)
@@ -341,7 +341,7 @@ CVE-2025-1274 (A maliciously crafted RCS file, when parsed through Autodesk Revi
 CVE-2025-1273 (A maliciously crafted PDF file, when linked or imported into Autodesk  ...)
 	NOT-FOR-US: Autodesk
 CVE-2025-0101 (A low privileged user can set the date of the devices to the 19th of J ...)
-	TODO: check
+	NOT-FOR-US: WAGO
 CVE-2024-49200 (An issue was discovered in AcpiS3SaveDxe and ChipsetSvcDxe in Insyde I ...)
 	NOT-FOR-US: InsydeH2O
 CVE-2024-44843 (An issue in the web socket handshake process of SteVe v3.7.1 allows at ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/899e4a926db3e4d9bc3e399989b4a42c4615cdb6
