[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Dec 5 08:13:27 GMT 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b6e9ae24 by security tracker role at 2025-12-05T08:13:17+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,223 @@
+CVE-2025-6946 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
+ TODO: check
+CVE-2025-66576 (Remote Keyboard Desktop 1.0.1 enables remote attackers to execute syst ...)
+ TODO: check
+CVE-2025-66575 (VeeVPN 1.6.1 contains an unquoted service path vulnerability in the Ve ...)
+ TODO: check
+CVE-2025-66574 (TranzAxis 3.2.41.10.26 allows authenticated users to inject cross-site ...)
+ TODO: check
+CVE-2025-66573 (Solstice Pod API (version 5.5, 6.2) contains an unauthenticated API en ...)
+ TODO: check
+CVE-2025-66572 (Loaded Commerce 6.6 contains a client-side template injection vulnerab ...)
+ TODO: check
+CVE-2025-66571 (UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection ...)
+ TODO: check
+CVE-2025-66564 (Sigstore Timestamp Authority is a service for issuing RFC 3161 timesta ...)
+ TODO: check
+CVE-2025-66563 (Monkeytype is a minimalistic and customizable typing test. In 25.49.0 ...)
+ TODO: check
+CVE-2025-66561 (SysReptor is a fully customizable pentest reporting platform. Prior to ...)
+ TODO: check
+CVE-2025-66559 (Taiko Alethia is an Ethereum-equivalent, permissionless, based rollup ...)
+ TODO: check
+CVE-2025-66555 (AirKeyboard iOS App 1.0.5 contains a missing authentication vulnerabil ...)
+ TODO: check
+CVE-2025-66544
+ REJECTED
+CVE-2025-66543
+ REJECTED
+CVE-2025-66542
+ REJECTED
+CVE-2025-66541
+ REJECTED
+CVE-2025-66540
+ REJECTED
+CVE-2025-66539
+ REJECTED
+CVE-2025-66538
+ REJECTED
+CVE-2025-66537
+ REJECTED
+CVE-2025-66536
+ REJECTED
+CVE-2025-66509 (LaraDashboard is an all-In-one solution to start a Laravel Application ...)
+ TODO: check
+CVE-2025-66506 (Fulcio is a free-to-use certificate authority for issuing code signing ...)
+ TODO: check
+CVE-2025-66479 (Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforci ...)
+ TODO: check
+CVE-2025-66238 (DCIM dcTrack allows an attacker to misuse certain remote access featur ...)
+ TODO: check
+CVE-2025-66237 (DCIM dcTrack platforms utilize default and hard-coded credentials for ...)
+ TODO: check
+CVE-2025-65959 (Open WebUI is a self-hosted artificial intelligence platform designed ...)
+ TODO: check
+CVE-2025-65900 (Kalmia CMS version 0.2.0 contains an Incorrect Access Control vulnerab ...)
+ TODO: check
+CVE-2025-65899 (Kalmia CMS version 0.2.0 contains a user enumeration vulnerability in ...)
+ TODO: check
+CVE-2025-63896 (An issue in the Bluetooth Human Interface Device (HID) of JXL 9 Inch C ...)
+ TODO: check
+CVE-2025-62223 (User interface (ui) misrepresentation of critical information in Micro ...)
+ TODO: check
+CVE-2025-55948 (This vulnerability fundamentally arises from yzcheng90 X-SpringBoot 6. ...)
+ TODO: check
+CVE-2025-53704 (The password reset mechanism for the Pivot client application is weak, ...)
+ TODO: check
+CVE-2025-32901 (In KDE Connect before 1.33.0 on Android, malicious device IDs (sent vi ...)
+ TODO: check
+CVE-2025-32900 (In the KDE Connect information-exchange protocol before 2025-04-18, a ...)
+ TODO: check
+CVE-2025-32899 (In KDE Connect before 1.33.0 on Android, a packet can be crafted that ...)
+ TODO: check
+CVE-2025-27935 (The OTP Integration Kit for PingFederate fails to enforce HTTP method ...)
+ TODO: check
+CVE-2025-27389 (A flaw exists in the verification of application installation sources ...)
+ TODO: check
+CVE-2025-1910 (The WatchGuard Mobile VPN with SSL Client on Windows allows a locally ...)
+ TODO: check
+CVE-2025-1547 (A stack-based buffer overflow vulnerability [CWE-121] in WatchGuard Fi ...)
+ TODO: check
+CVE-2025-1545 (An XPath Injection vulnerability in WatchGuard Fireware OS may allow a ...)
+ TODO: check
+CVE-2025-14052 (A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. ...)
+ TODO: check
+CVE-2025-14051 (A flaw has been found in youlaitech youlai-mall 1.0.0/2.0.0. Affected ...)
+ TODO: check
+CVE-2025-13940 (An Expected Behavior Violation [CWE-440] vulnerability in WatchGuard F ...)
+ TODO: check
+CVE-2025-13939 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
+ TODO: check
+CVE-2025-13938 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
+ TODO: check
+CVE-2025-13937 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
+ TODO: check
+CVE-2025-13936 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
+ TODO: check
+CVE-2025-13932 (The SolisCloud API suffers from a Broken Access Control vulnerability, ...)
+ TODO: check
+CVE-2025-13860 (The Easy Jump Links Menus plugin for WordPress is vulnerable to Stored ...)
+ TODO: check
+CVE-2025-13684 (The ARK Related Posts plugin for WordPress is vulnerable to Cross-Site ...)
+ TODO: check
+CVE-2025-13625 (The WP-SOS-Donate Donation Sidebar Plugin for WordPress is vulnerable ...)
+ TODO: check
+CVE-2025-13623 (The Twitscription plugin for WordPress is vulnerable to Reflected Cros ...)
+ TODO: check
+CVE-2025-13622 (The Jabbernotification plugin for WordPress is vulnerable to Reflected ...)
+ TODO: check
+CVE-2025-13621 (The dream gallery plugin for WordPress is vulnerable to Cross-Site Req ...)
+ TODO: check
+CVE-2025-13543 (The PostGallery plugin for WordPress is vulnerable to arbitrary file u ...)
+ TODO: check
+CVE-2025-13528 (The Feedback Modal for Website plugin for WordPress is vulnerable to u ...)
+ TODO: check
+CVE-2025-13515 (The Nouri.sh Newsletter plugin for WordPress is vulnerable to Reflecte ...)
+ TODO: check
+CVE-2025-13512 (The CoSign Single Signon plugin for WordPress is vulnerable to Reflect ...)
+ TODO: check
+CVE-2025-13494 (The SSP Debug plugin for WordPress is vulnerable to Sensitive Informat ...)
+ TODO: check
+CVE-2025-13373 (Advantech iView versions 5.7.05.7057 and prior do not properly sanitiz ...)
+ TODO: check
+CVE-2025-13362 (The Norby AI plugin for WordPress is vulnerable to Cross-Site Request ...)
+ TODO: check
+CVE-2025-13360 (The Quantic Social Image Hover plugin for WordPress is vulnerable to C ...)
+ TODO: check
+CVE-2025-13313 (The CRM Memberships plugin for WordPress is vulnerable to privilege es ...)
+ TODO: check
+CVE-2025-13312 (The CRM Memberships plugin for WordPress is vulnerable to unauthorized ...)
+ TODO: check
+CVE-2025-13144 (The ContentStudio plugin for WordPress is vulnerable to Cross-Site Req ...)
+ TODO: check
+CVE-2025-13066 (The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary ...)
+ TODO: check
+CVE-2025-13006 (The SurveyFunnel \u2013 Survey Plugin for WordPress plugin for WordPre ...)
+ TODO: check
+CVE-2025-12997 (Insecure Direct Object Reference vulnerability in Medtronic CareLink N ...)
+ TODO: check
+CVE-2025-12996 (Medtronic CareLink Network allows a local attacker with access to log ...)
+ TODO: check
+CVE-2025-12995 (Medtronic CareLink Network allows an unauthenticated remote attacker t ...)
+ TODO: check
+CVE-2025-12994 (Medtronic CareLink Network allows an unauthenticated remote attacker t ...)
+ TODO: check
+CVE-2025-12986 (When a WF200/WGM160P device is configured to operate as an Access Poin ...)
+ TODO: check
+CVE-2025-12850 (The My auctions allegro plugin for WordPress is vulnerable to SQL Inje ...)
+ TODO: check
+CVE-2025-12804 (The Booking Calendar plugin for WordPress is vulnerable to Stored Cros ...)
+ TODO: check
+CVE-2025-12417 (The SurveyFunnel \u2013 Survey Plugin for WordPress plugin for WordPre ...)
+ TODO: check
+CVE-2025-12374 (The Email Verification, Email OTP, Block Spam Email, Passwordless logi ...)
+ TODO: check
+CVE-2025-12373 (The Torod \u2013 The smart shipping and delivery portal for e-shops an ...)
+ TODO: check
+CVE-2025-12370 (The Takeads plugin for WordPress is vulnerable to authorization bypass ...)
+ TODO: check
+CVE-2025-12368 (The Sermon Manager plugin for WordPress is vulnerable to Stored Cross- ...)
+ TODO: check
+CVE-2025-12355 (The Payaza plugin for WordPress is vulnerable to unauthorized modifica ...)
+ TODO: check
+CVE-2025-12354 (The Live CSS Preview plugin for WordPress is vulnerable to unauthorize ...)
+ TODO: check
+CVE-2025-12196 (An Out-of-bounds Write vulnerability in WatchGuard Fireware OS's CLI c ...)
+ TODO: check
+CVE-2025-12195 (An Out-of-bounds Write vulnerability in WatchGuard Fireware OS's CLI c ...)
+ TODO: check
+CVE-2025-12191 (The PDF Catalog for WooCommerce plugin for WordPress is vulnerable to ...)
+ TODO: check
+CVE-2025-12190 (The Image Optimizer by wps.sk plugin for WordPress is vulnerable to Cr ...)
+ TODO: check
+CVE-2025-12189 (The Bread & Butter: Gate content + Capture leads + Collect first-party ...)
+ TODO: check
+CVE-2025-12186 (The Weekly Planner plugin for WordPress is vulnerable to Stored Cross- ...)
+ TODO: check
+CVE-2025-12181 (The ContentStudio plugin for WordPress is vulnerable to arbitrary file ...)
+ TODO: check
+CVE-2025-12165 (The Webcake \u2013 Landing Page Builder plugin for WordPress is vulner ...)
+ TODO: check
+CVE-2025-12163 (The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site ...)
+ TODO: check
+CVE-2025-12154 (The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary f ...)
+ TODO: check
+CVE-2025-12153 (The Featured Image via URL plugin for WordPress is vulnerable to arbit ...)
+ TODO: check
+CVE-2025-12133 (The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthor ...)
+ TODO: check
+CVE-2025-12130 (The WC Vendors \u2013 WooCommerce Multivendor, WooCommerce Marketplace ...)
+ TODO: check
+CVE-2025-12128 (The Hide Categories Or Products On Shop Page plugin for WordPress is v ...)
+ TODO: check
+CVE-2025-12124 (The FitVids for WordPress plugin for WordPress is vulnerable to Stored ...)
+ TODO: check
+CVE-2025-12093 (The Voidek Employee Portal plugin for WordPress is vulnerable to unaut ...)
+ TODO: check
+CVE-2025-12026 (An Out-of-bounds Write vulnerability in WatchGuard Fireware OS\u2019s ...)
+ TODO: check
+CVE-2025-11838 (A memory corruption vulnerability in WatchGuard Fireware OS may allow ...)
+ TODO: check
+CVE-2025-11759 (The Backup, Restore and Migrate your sites with XCloner plugin for Wor ...)
+ TODO: check
+CVE-2025-10285 (The web interface of the Silicon Labs Simplicity Device Manager is exp ...)
+ TODO: check
+CVE-2025-10055 (The Time Sheets plugin for WordPress is vulnerable to Cross-Site Reque ...)
+ TODO: check
+CVE-2024-58278 (perl2exe <= V30.10C contains an arbitrary code execution vulnerability ...)
+ TODO: check
+CVE-2024-58277 (R Radio Network FM Transmitter 1.07 allows unauthenticated attackers t ...)
+ TODO: check
+CVE-2024-58276 (Obi08/Enrollment System 1.0 contains a SQL injection vulnerability in ...)
+ TODO: check
+CVE-2024-58275 (Easywall 0.3.1 allows authenticated remote command execution via a com ...)
+ TODO: check
+CVE-2023-53735 (WEBIGniter 28.7.23 contains a cross-site scripting vulnerability in th ...)
+ TODO: check
+CVE-2023-53734 (dawa-pharma-1.0 allows unauthenticated attackers to execute SQL querie ...)
+ TODO: check
+CVE-2016-20023 (In CKSource CKFinder before 2.5.0.1 for ASP.NET, authenticated users c ...)
+ TODO: check
CVE-2025-14025
NOT-FOR-US: Ansible Automation Platform
CVE-2025-9127 (A vulnerability exists in PX Enterprise whereby sensitive information ...)
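Review bot: the three KDE Connect entries in this hunk (CVE-2025-32901, CVE-2025-32900, CVE-2025-32899) are left at the generic `TODO: check` placeholder even though the same commit fills in descriptions for CVE-2025-66270 and CVE-2025-32898 further down, both of which are tracked against the kdeconnect source package; they should be triaged against kdeconnect in the same pass, since CVE-2025-32900 carries the same "before 2025-04-18" cut-off as CVE-2025-32898. The nine `REJECTED` entries (CVE-2025-66536 through CVE-2025-66544) correctly carry no description, and the trailing context shows the existing `NOT-FOR-US:` convention that the vendor-appliance entries here (WatchGuard Fireware, Medtronic CareLink, DCIM dcTrack) can be resolved to once checked.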
@@ -828,44 +1048,57 @@ CVE-2025-13731 (The Nexter Extension \u2013 Site Enhancements Toolkit plugin for
CVE-2025-13724 (The VikRentCar Car Rental Management System plugin for WordPress is vu ...)
NOT-FOR-US: WordPress plugin
CVE-2025-13721 (Race in v8 in Google Chrome prior to 143.0.7499.41 allowed a remote at ...)
+ {DSA-6072-1}
- chromium 143.0.7499.40-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2025-13720 (Bad cast in Loader in Google Chrome prior to 143.0.7499.41 allowed a r ...)
+ {DSA-6072-1}
- chromium 143.0.7499.40-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2025-13658 (A vulnerability in Longwatch devices allows unauthenticated HTTP GET r ...)
NOT-FOR-US: Industrial Video & Control
CVE-2025-13640 (Inappropriate implementation in Passwords in Google Chrome prior to 14 ...)
+ {DSA-6072-1}
- chromium 143.0.7499.40-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2025-13639 (Inappropriate implementation in WebRTC in Google Chrome prior to 143.0 ...)
+ {DSA-6072-1}
- chromium 143.0.7499.40-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2025-13638 (Use after free in Media Stream in Google Chrome prior to 143.0.7499.41 ...)
+ {DSA-6072-1}
- chromium 143.0.7499.40-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2025-13637 (Inappropriate implementation in Downloads in Google Chrome prior to 14 ...)
+ {DSA-6072-1}
- chromium 143.0.7499.40-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2025-13636 (Inappropriate implementation in Split View in Google Chrome prior to 1 ...)
+ {DSA-6072-1}
- chromium 143.0.7499.40-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2025-13635 (Inappropriate implementation in Downloads in Google Chrome prior to 14 ...)
+ {DSA-6072-1}
- chromium 143.0.7499.40-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2025-13634 (Inappropriate implementation in Downloads in Google Chrome on Windows ...)
+ {DSA-6072-1}
- chromium 143.0.7499.40-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2025-13633 (Use after free in Digital Credentials in Google Chrome prior to 143.0. ...)
+ {DSA-6072-1}
- chromium 143.0.7499.40-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2025-13632 (Inappropriate implementation in DevTools in Google Chrome prior to 143 ...)
+ {DSA-6072-1}
- chromium 143.0.7499.40-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2025-13631 (Inappropriate implementation in Google Updater in Google Chrome on Mac ...)
+ {DSA-6072-1}
- chromium 143.0.7499.40-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2025-13630 (Type Confusion in V8 in Google Chrome prior to 143.0.7499.41 allowed a ...)
+ {DSA-6072-1}
- chromium 143.0.7499.40-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2025-13542 (The DesignThemes LMS plugin for WordPress is vulnerable to Privilege E ...)
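Review bot: every Chromium entry in this hunk gains `{DSA-6072-1}` against the fixed version `chromium 143.0.7499.40-1`, while each CVE description reads "prior to 143.0.7499.41"; worth confirming that 143.0.7499.40 is the Linux build of that same Chrome stable release, because if it is not, the fixed-version marker is off by one and the tracker would still report the package as vulnerable. The unchanged `[bullseye] - chromium <end-of-life> (see #1061268)` lines are consistent across all fourteen entries.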
@@ -1769,7 +2002,7 @@ CVE-2019-25226 (Dongyoung Media DM-AP240T/W wireless access points contain an un
NOT-FOR-US: Dongyoung Media DM-AP240T/W wireless access points
CVE-2025-40934 (XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML ...)
NOT-FOR-US: XML-Sig Perl module
-CVE-2025-66270
+CVE-2025-66270 (The KDE Connect protocol 8 before 2025-11-28 does not correlate device ...)
{DSA-6066-1 DSA-6063-1}
- kdeconnect 25.11.80+git20251121.7090b106-1
[bookworm] - kdeconnect <not-affected> (Vulnerable code not present)
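Review bot: the description for CVE-2025-66270 is now populated; the `[bookworm] - kdeconnect <not-affected> (Vulnerable code not present)` line in the context depends on the "Introduced by" note (kdeconnect-kde commit 98256fda, v25.03.80) that appears in the following hunk, so that note and this not-affected marker should be kept together if the entry is reordered later.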
@@ -1781,7 +2014,7 @@ CVE-2025-66270
NOTE: Introduced by: https://invent.kde.org/network/kdeconnect-kde/-/commit/98256fda3dfdf50edd7555f21cba46fd1e596523 (v25.03.80)
NOTE: Fixed by: https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/3223595bb648ad09afd150ec56dadfe1f33bd641 (v70)
NOTE: Introduced by: https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/cf099c63c7981e69bd095fcbe3215cf87b5328f8 (v59)
-CVE-2025-32898
+CVE-2025-32898 (The KDE Connect verification-code protocol before 2025-04-18 uses only ...)
- kdeconnect 25.04.0-1
[bookworm] - kdeconnect <ignored> (Minor issue, design limitation of protocol version prior to 8)
[bullseye] - kdeconnect <ignored> (Minor issue, design limitation of protocol version prior to 8)
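Review bot: with the CVE-2025-32898 description now stating "before 2025-04-18", the `<ignored> (Minor issue, design limitation of protocol version prior to 8)` reasoning for bookworm and bullseye reads coherently against the fixed version `kdeconnect 25.04.0-1`; the same date appears in the new CVE-2025-32900 entry in the first hunk, so that entry's eventual triage should reference this one rather than be resolved independently.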
@@ -12270,7 +12503,7 @@ CVE-2025-11804 (The JB News Ticker plugin for WordPress is vulnerable to Stored
CVE-2025-11750 (In langgenius/dify-web version 1.6.0, the authentication mechanism rev ...)
NOT-FOR-US: langgenius/dify-web
CVE-2025-11411 (NLnet Labs Unbound up to and including version 1.24.2 is vulnerable to ...)
- {DLA-4365-2 DLA-4365-1}
+ {DSA-6071-1 DLA-4365-2 DLA-4365-1}
- unbound 1.24.2-1
[bookworm] - unbound <no-dsa> (Minor issue; will be fixed via point release for more exposure before release)
NOTE: https://www.nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt
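Review bot: `{DSA-6071-1 DLA-4365-2 DLA-4365-1}` is added to CVE-2025-11411, but the `[bookworm] - unbound <no-dsa> (Minor issue; will be fixed via point release for more exposure before release)` line in the context is unchanged; if DSA-6071-1 covers bookworm, that no-dsa line is now stale and should be dropped, and if it only covers the current stable suite, a short note saying so would avoid the apparent contradiction between a referenced DSA and a no-dsa marker on the same entry.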
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6e9ae248be9429d8f961774e747a7c52824c423