[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Feb 25 20:17:21 GMT 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
42a3c396 by security tracker role at 2025-02-25T20:12:32+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,4 +1,188 @@
-CVE-2025-26601
+CVE-2025-27146 (matrix-appservice-irc is a Node.js IRC bridge for Matrix. The matrix-a ...)
+ TODO: check
+CVE-2025-27142 (LocalSend is a free, open-source app that allows users to securely sha ...)
+ TODO: check
+CVE-2025-27139 (Combodo iTop is a web based IT service management tool. Versions prior ...)
+ TODO: check
+CVE-2025-27135 (RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. ...)
+ TODO: check
+CVE-2025-27110 (Libmodsecurity is one component of the ModSecurity v3 project. The lib ...)
+ TODO: check
+CVE-2025-27000 (Missing Authorization vulnerability in George Pattichis Simple Photo F ...)
+ TODO: check
+CVE-2025-26995 (Missing Authorization vulnerability in Anton Vanyukov Market Exporter ...)
+ TODO: check
+CVE-2025-26993 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26991 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26987 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26985 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-26983 (Missing Authorization vulnerability in WPZOOM Recipe Card Blocks for G ...)
+ TODO: check
+CVE-2025-26981 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26980 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26979 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-26977 (Authorization Bypass Through User-Controlled Key vulnerability in Ninj ...)
+ TODO: check
+CVE-2025-26975 (Missing Authorization vulnerability in WP Chill Strong Testimonials al ...)
+ TODO: check
+CVE-2025-26974 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-26971 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-26966 (Authentication Bypass Using an Alternate Path or Channel vulnerability ...)
+ TODO: check
+CVE-2025-26965 (Authorization Bypass Through User-Controlled Key vulnerability in amel ...)
+ TODO: check
+CVE-2025-26964 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-26963 (Cross-Site Request Forgery (CSRF) vulnerability in flowdee ClickWhale ...)
+ TODO: check
+CVE-2025-26962 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26960 (Missing Authorization vulnerability in enituretechnology Small Package ...)
+ TODO: check
+CVE-2025-26957 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-26952 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26949 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26948 (Missing Authorization vulnerability in NotFound Pie Register Premium. ...)
+ TODO: check
+CVE-2025-26947 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26946 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-26945 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26943 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-26939 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26938 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26937 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26935 (Path Traversal vulnerability in wpjobportal WP Job Portal allows PHP L ...)
+ TODO: check
+CVE-2025-26932 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-26931 (Cross-Site Request Forgery (CSRF) vulnerability in Tribulant Software ...)
+ TODO: check
+CVE-2025-26928 (Missing Authorization vulnerability in xfinitysoft Order Limit for Woo ...)
+ TODO: check
+CVE-2025-26926 (Cross-Site Request Forgery (CSRF) vulnerability in NotFound Booknetic. ...)
+ TODO: check
+CVE-2025-26915 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-26913 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26912 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26911 (Exposure of Sensitive System Information to an Unauthorized Control Sp ...)
+ TODO: check
+CVE-2025-26907 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26905 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ TODO: check
+CVE-2025-26904 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26900 (Deserialization of Untrusted Data vulnerability in flexmls Flexmls\xae ...)
+ TODO: check
+CVE-2025-26897 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26896 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26893 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26891 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26887 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26884 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26882 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26881 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26878 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26877 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26876 (Path Traversal vulnerability in CodeManas Search with Typesense allows ...)
+ TODO: check
+CVE-2025-26871 (Missing Authorization vulnerability in WPDeveloper Essential Blocks fo ...)
+ TODO: check
+CVE-2025-26868 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-26753 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ TODO: check
+CVE-2025-26752 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ TODO: check
+CVE-2025-26751 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-25192 (GLPI is a free asset and IT management software package. Prior to vers ...)
+ TODO: check
+CVE-2025-23046 (GLPI is a free asset and IT management software package. Starting in v ...)
+ TODO: check
+CVE-2025-23024 (GLPI is a free asset and IT management software package. Starting in v ...)
+ TODO: check
+CVE-2025-21627 (GLPI is a free asset and IT management software package. In versions p ...)
+ TODO: check
+CVE-2025-21626 (GLPI is a free asset and IT management software package. Starting in v ...)
+ TODO: check
+CVE-2025-1676 (A vulnerability classified as critical was found in hzmanyun Education ...)
+ TODO: check
+CVE-2025-1262 (The Advanced Google reCaptcha plugin for WordPress is vulnerable to CA ...)
+ TODO: check
+CVE-2025-1204 (The "update" binary in the firmware of the affected product sends atte ...)
+ TODO: check
+CVE-2025-1068 (There is an untrusted search path vulnerability in Esri ArcGIS AllSour ...)
+ TODO: check
+CVE-2025-1067 (There is an untrusted search path vulnerability in Esri ArcGIS Pro 3.3 ...)
+ TODO: check
+CVE-2024-54444 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2024-51539 (The Dell Secure Connect Gateway (SCG) Application and Appliance, versi ...)
+ TODO: check
+CVE-2024-45426 (Incorrect ownership assignment in some Zoom Workplace Apps may allow a ...)
+ TODO: check
+CVE-2024-45425 (Incorrect user management in some Zoom Workplace Apps may allow a priv ...)
+ TODO: check
+CVE-2024-45424 (Business logic error in some Zoom Workplace Apps may allow an unauthen ...)
+ TODO: check
+CVE-2024-45421 (Buffer overflow in some Zoom Apps may allow an authenticated user to c ...)
+ TODO: check
+CVE-2024-45418 (Symlink following in the installer for some Zoom apps for macOS before ...)
+ TODO: check
+CVE-2024-45417 (Uncontrolled resource consumption in the installer for some Zoom apps ...)
+ TODO: check
+CVE-2024-36259 (Improper access control in mail module of Odoo Community 17.0 and Odoo ...)
+ TODO: check
+CVE-2024-34036 (An issue was discovered in O-RAN Near Realtime RIC I-Release. To explo ...)
+ TODO: check
+CVE-2024-34035 (An issue was discovered in O-RAN Near Realtime RIC H-Release. To trigg ...)
+ TODO: check
+CVE-2024-34034 (An issue was discovered in FlexRIC 2.0.0. It crashes during a Subscrip ...)
+ TODO: check
+CVE-2024-13695 (The Enfold theme for WordPress is vulnerable to Server-Side Request Fo ...)
+ TODO: check
+CVE-2024-13693 (The Enfold theme for WordPress is vulnerable to unauthorized access of ...)
+ TODO: check
+CVE-2024-12424
+ REJECTED
+CVE-2024-12368 (Improper access control in the auth_oauth module of Odoo Community 15. ...)
+ TODO: check
+CVE-2024-11955 (A vulnerability was found in GLPI up to 10.0.17. It has been declared ...)
+ TODO: check
+CVE-2025-26601 (A use-after-free flaw was found in X.Org and Xwayland. When changing a ...)
- xorg-server <unfixed>
- xwayland <unfixed>
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
@@ -7,44 +191,44 @@ CVE-2025-26601
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f93a0c891494eb3334894442a92368030
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8817306af75a60f494ec9dbb1061e50db
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/c285798984c6bb99e454a33772cde23d394d3dcd
-CVE-2025-26600
+CVE-2025-26600 (A use-after-free flaw was found in X.Org and Xwayland. When a device i ...)
- xorg-server <unfixed>
- xwayland <unfixed>
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: https://lists.x.org/archives/xorg-announce/2025-February/003584.html
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14
-CVE-2025-26599
+CVE-2025-26599 (An access to an uninitialized pointer flaw was found in X.Org and Xway ...)
- xorg-server <unfixed>
- xwayland <unfixed>
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: https://lists.x.org/archives/xorg-announce/2025-February/003584.html
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84bef2569b4ba4be59323cf575d1798ba9be
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8bedb90b039dc0f70ae69daf047ff9598
-CVE-2025-26598
+CVE-2025-26598 (An out-of-bounds write flaw was found in X.Org and Xwayland. The funct ...)
- xorg-server <unfixed>
- xwayland <unfixed>
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: https://lists.x.org/archives/xorg-announce/2025-February/003584.html
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a9d57234c76c0b93f88dacb143d01bca2
-CVE-2025-26597
+CVE-2025-26597 (A buffer overflow flaw was found in X.Org and Xwayland. If XkbChangeTy ...)
- xorg-server <unfixed>
- xwayland <unfixed>
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: https://lists.x.org/archives/xorg-announce/2025-February/003584.html
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed94952b255c04fe910f6a1d9c852878dcd64
-CVE-2025-26596
+CVE-2025-26596 (A heap overflow flaw was found in X.Org and Xwayland. The computation ...)
- xorg-server <unfixed>
- xwayland <unfixed>
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: https://lists.x.org/archives/xorg-announce/2025-February/003584.html
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01423fc065c950e1ff4e8ddf9f675df773
-CVE-2025-26595
+CVE-2025-26595 (A buffer overflow flaw was found in X.Org and Xwayland. The code in Xk ...)
- xorg-server <unfixed>
- xwayland <unfixed>
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: https://lists.x.org/archives/xorg-announce/2025-February/003584.html
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda8753e994e15eb915d28cf487660ec8e722
-CVE-2025-26594
+CVE-2025-26594 (A use-after-free flaw was found in X.Org and Xwayland. The root cursor ...)
- xorg-server <unfixed>
- xwayland <unfixed>
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
@@ -3224,7 +3408,7 @@ CVE-2025-24036 (Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability)
NOT-FOR-US: Microsoft
CVE-2025-23403 (A vulnerability has been identified in SIMATIC IPC DiagBase (All versi ...)
NOT-FOR-US: Siemens
-CVE-2025-23363 (A vulnerability has been identified in Teamcenter (All versions < V14. ...)
+CVE-2025-23363 (A vulnerability has been identified in Teamcenter (All versions). The ...)
NOT-FOR-US: Siemens
CVE-2025-22467 (A stack-based buffer overflow in Ivanti Connect Secure before version ...)
NOT-FOR-US: Ivanti
@@ -8802,6 +8986,7 @@ CVE-2025-0411 (7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability al
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-045/
NOTE: https://www.openwall.com/lists/oss-security/2025/01/24/6
CVE-2025-23085 (A memory leak could occur when a remote peer abruptly closes the socke ...)
+ {DLA-4067-1}
- nodejs 20.18.2+dfsg-1 (bug #1094134)
NOTE: https://nodejs.org/en/blog/vulnerability/january-2025-security-releases#goaway-http2-frames-cause-memory-leak-outside-heap-cve-2025-23085---medium
NOTE: Fixed by: https://github.com/nodejs/node/commit/3c7686163ed4c6ae3e5901b758b7a7d4fd5bb0c0 (v23.6.1)
@@ -13230,6 +13415,7 @@ CVE-2025-22449 (Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite perm
CVE-2025-22445 (Mattermost versions 10.x <= 10.2 fail to accurately reflect missing se ...)
- mattermost-server <itp> (bug #823556)
CVE-2025-22145 (Carbon is an international PHP extension for DateTime. Application pas ...)
+ {DLA-4068-1}
- php-nesbot-carbon 2.72.6-1 (bug #1092680)
[bookworm] - php-nesbot-carbon <no-dsa> (Minor issue)
NOTE: https://github.com/CarbonPHP/carbon/security/advisories/GHSA-j3f9-p6hm-5w6q
@@ -18230,7 +18416,7 @@ CVE-2024-51471 (IBM MQ Appliance 9.3 LTS, 9.3 CD, and 9.4 LTSweb console could a
NOT-FOR-US: IBM
CVE-2024-49765 (Discourse is an open source platform for community discussion. Sites t ...)
NOT-FOR-US: Discourse
-CVE-2024-49336 (IBM Security Guardium 11.5 is vulnerable to server-side request forger ...)
+CVE-2024-49336 (IBM Security Guardium 11.5 and 12.0 is vulnerable to server-side reque ...)
NOT-FOR-US: IBM
CVE-2024-47093 (Improper neutralization of input in Nagvis before version 1.9.42 which ...)
- nagvis 1:1.9.42-1
@@ -23812,7 +23998,7 @@ CVE-2024-35367 (FFmpeg n6.1.1 has an Out-of-bounds Read via libavcodec/ppc/vp8ds
[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
NOTE: https://github.com/ffmpeg/ffmpeg/commit/09e6840cf7a3ee07a73c3ae88a020bf27ca1a667 (n7.0)
CVE-2024-35366 (FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the par ...)
- {DSA-5712-1}
+ {DSA-5721-1 DSA-5712-1}
- ffmpeg 7:7.0.1-3
NOTE: https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6 (n7.0)
NOTE: https://github.com/ffmpeg/ffmpeg/commit/4db0eb4653efad967ddcf71f564fd2f1169bafcb (n5.1.5)
@@ -169459,8 +169645,8 @@ CVE-2023-25576 (@fastify/multipart is a Fastify plugin to parse the multipart co
NOT-FOR-US: Fastify plugin
CVE-2023-25575 (API Platform Core is the server component of API Platform: hypermedia ...)
NOT-FOR-US: API Platform Core
-CVE-2023-25574
- RESERVED
+CVE-2023-25574 (`jupyterhub-ltiauthenticator` is a JupyterHub authenticator for learni ...)
+ TODO: check
CVE-2023-25573 (metersphere is an open source continuous testing platform. In affected ...)
NOT-FOR-US: metersphere
CVE-2023-25572 (react-admin is a frontend framework for building browser applications ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/42a3c396a802f3d176fb6443418ca37dc489a436
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/42a3c396a802f3d176fb6443418ca37dc489a436
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250225/2974e0cb/attachment.htm>
More information about the debian-security-tracker-commits
mailing list