[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Jul 1 09:12:08 BST 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d75fe6fc by security tracker role at 2025-07-01T08:11:59+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,12 +1,167 @@
-CVE-2025-6554
+CVE-2025-6940 (A vulnerability classified as critical was found in TOTOLINK A702R 4.0 ...)
+ TODO: check
+CVE-2025-6939 (A vulnerability classified as critical has been found in TOTOLINK A300 ...)
+ TODO: check
+CVE-2025-6938 (A vulnerability was found in code-projects Simple Pizza Ordering Syste ...)
+ TODO: check
+CVE-2025-6937 (A vulnerability was found in code-projects Simple Pizza Ordering Syste ...)
+ TODO: check
+CVE-2025-6936 (A vulnerability was found in code-projects Simple Pizza Ordering Syste ...)
+ TODO: check
+CVE-2025-6935 (A vulnerability was found in Campcodes Sales and Inventory System 1.0 ...)
+ TODO: check
+CVE-2025-6934 (The Opal Estate Pro \u2013 Property Management and Submission plugin f ...)
+ TODO: check
+CVE-2025-6932 (A vulnerability, which was classified as problematic, was found in D-L ...)
+ TODO: check
+CVE-2025-6931 (A vulnerability classified as problematic was found in D-Link DCS-6517 ...)
+ TODO: check
+CVE-2025-6930 (A vulnerability classified as critical has been found in PHPGurukul Zo ...)
+ TODO: check
+CVE-2025-6929 (A vulnerability was found in PHPGurukul Zoo Management System 2.1. It ...)
+ TODO: check
+CVE-2025-6925 (A vulnerability has been found in Dromara RuoYi-Vue-Plus 5.4.0 and cla ...)
+ TODO: check
+CVE-2025-6917 (A vulnerability has been found in code-projects Online Hotel Booking 1 ...)
+ TODO: check
+CVE-2025-6916 (A vulnerability, which was classified as critical, was found in TOTOLI ...)
+ TODO: check
+CVE-2025-6915 (A vulnerability, which was classified as critical, has been found in P ...)
+ TODO: check
+CVE-2025-6914 (A vulnerability classified as critical was found in PHPGurukul Student ...)
+ TODO: check
+CVE-2025-6913 (A vulnerability classified as critical has been found in PHPGurukul St ...)
+ TODO: check
+CVE-2025-6912 (A vulnerability was found in PHPGurukul Student Record System 3.2. It ...)
+ TODO: check
+CVE-2025-6911 (A vulnerability was found in PHPGurukul Student Record System 3.2. It ...)
+ TODO: check
+CVE-2025-6910 (A vulnerability was found in PHPGurukul Student Record System 3.2. It ...)
+ TODO: check
+CVE-2025-6909 (A vulnerability has been found in PHPGurukul Old Age Home Management S ...)
+ TODO: check
+CVE-2025-6908 (A vulnerability, which was classified as critical, was found in PHPGur ...)
+ TODO: check
+CVE-2025-6907 (A vulnerability classified as critical was found in code-projects Car ...)
+ TODO: check
+CVE-2025-6906 (A vulnerability classified as critical has been found in code-projects ...)
+ TODO: check
+CVE-2025-6905 (A vulnerability, which was classified as critical, has been found in c ...)
+ TODO: check
+CVE-2025-6904 (A vulnerability was found in code-projects Car Rental System 1.0. It h ...)
+ TODO: check
+CVE-2025-6903 (A vulnerability was found in code-projects Car Rental System 1.0. It h ...)
+ TODO: check
+CVE-2025-6902 (A vulnerability was found in code-projects Inventory Management System ...)
+ TODO: check
+CVE-2025-6901 (A vulnerability was found in code-projects Inventory Management System ...)
+ TODO: check
+CVE-2025-6900 (A vulnerability has been found in code-projects Library System 1.0 and ...)
+ TODO: check
+CVE-2025-6899 (A vulnerability, which was classified as critical, was found in D-Link ...)
+ TODO: check
+CVE-2025-6081 (Insufficiently Protected Credentials in LDAP in Konica Minoltabizhub 2 ...)
+ TODO: check
+CVE-2025-5967 (A stored cross-site scripting vulnerability in ENS HX 10.0.4 allows a ...)
+ TODO: check
+CVE-2025-53416
+ REJECTED
+CVE-2025-53415 (Delta Electronics DTM SoftProject File Parsing Deserialization of Untr ...)
+ TODO: check
+CVE-2025-53096 (Sunshine is a self-hosted game stream host for Moonlight. Prior to ver ...)
+ TODO: check
+CVE-2025-53095 (Sunshine is a self-hosted game stream host for Moonlight. Prior to ver ...)
+ TODO: check
+CVE-2025-53017
+ REJECTED
+CVE-2025-53005 (DataEase is an open source business intelligence and data visualizatio ...)
+ TODO: check
+CVE-2025-53004 (DataEase is an open source business intelligence and data visualizatio ...)
+ TODO: check
+CVE-2025-53003 (The Janssen Project is an open-source identity and access management ( ...)
+ TODO: check
+CVE-2025-53001
+ REJECTED
+CVE-2025-52997 (File Browser provides a file managing interface within a specified dir ...)
+ TODO: check
+CVE-2025-52996 (File Browser provides a file managing interface within a specified dir ...)
+ TODO: check
+CVE-2025-52995 (File Browser provides a file managing interface within a specified dir ...)
+ TODO: check
+CVE-2025-52901 (File Browser provides a file managing interface within a specified dir ...)
+ TODO: check
+CVE-2025-52898 (Frappe is a full-stack web application framework. Prior to versions 14 ...)
+ TODO: check
+CVE-2025-52896 (Frappe is a full-stack web application framework. Prior to versions 14 ...)
+ TODO: check
+CVE-2025-52895 (Frappe is a full-stack web application framework. Prior to versions 14 ...)
+ TODO: check
+CVE-2025-52491 (Akamai CloudTest before 60 2025.06.09 (12989) allows SSRF.)
+ TODO: check
+CVE-2025-4407 (Insufficient Session Expiration vulnerability in ABB Lite Panel Pro.Th ...)
+ TODO: check
+CVE-2025-49521 (A flaw was found in the EDA component of the Ansible Automation Platfo ...)
+ TODO: check
+CVE-2025-49520 (A flaw was found in Ansible Automation Platform\u2019s EDA component w ...)
+ TODO: check
+CVE-2025-49493 (Akamai CloudTest before 60 2025.06.02 (12988) allows file inclusion vi ...)
+ TODO: check
+CVE-2025-47871 (Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10. ...)
+ TODO: check
+CVE-2025-46702 (Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10. ...)
+ TODO: check
+CVE-2025-45931 (An issue D-Link DIR-816-A2 DIR-816A2_FWv1.10CNB05_R1B011D88210 allows ...)
+ TODO: check
+CVE-2025-45143 (string-math v1.2.2 was discovered to contain a Regex Denial of Service ...)
+ TODO: check
+CVE-2025-41439 (A reflected cross-site scripting vulnerability via a specific paramete ...)
+ TODO: check
+CVE-2025-40734 (Reflected Cross-Site Scripting (XSS) vulnerability in Daily Expense Ma ...)
+ TODO: check
+CVE-2025-40733 (Reflected Cross-Site Scripting (XSS) vulnerability in Daily Expense Ma ...)
+ TODO: check
+CVE-2025-40732 (user enumeration vulnerability in Daily Expense Manager v1.0. To explo ...)
+ TODO: check
+CVE-2025-40731 (SQL injection vulnerability in Daily Expense Manager v1.0. This vulner ...)
+ TODO: check
+CVE-2025-40710 (Host Header Injection (HHI) vulnerability in the Hotspot Shield VPN cl ...)
+ TODO: check
+CVE-2025-36593 (Dell OpenManage Network Integration, versions prior to 3.8, contains a ...)
+ TODO: check
+CVE-2025-36056 (IBM System Storage Virtualization Engine TS7700 3957 VED R5.4 8.54.2.1 ...)
+ TODO: check
+CVE-2025-2895 (IBM Cloud Pak System 2.3.3.6, 2.3.36 iFix1, 2.3.3.7, 2.3.3.7 iFix1, 2. ...)
+ TODO: check
+CVE-2025-2141 (IBM System Storage Virtualization Engine TS7700 3957 VED R5.4 8.54.2.1 ...)
+ TODO: check
+CVE-2025-26074 (Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary ...)
+ TODO: check
+CVE-2024-8419 (The endpoint hosts a script that allows an unauthorized remote attacke ...)
+ TODO: check
+CVE-2024-53621 (A buffer overflow in the formSetCfm() function of Tenda AC1206 1200M 1 ...)
+ TODO: check
+CVE-2024-49365 (tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version ...)
+ TODO: check
+CVE-2024-49364 (tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version ...)
+ TODO: check
+CVE-2024-46993 (Electron is an open source framework for writing cross-platform deskto ...)
+ TODO: check
+CVE-2024-46992 (Electron is an open source framework for writing cross-platform deskto ...)
+ TODO: check
+CVE-2024-12915 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
+ TODO: check
+CVE-2023-47310 (A misconfiguration in the default settings of MikroTik RouterOS 7 and ...)
+ TODO: check
+CVE-2025-6554 (Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a ...)
- chromium <unfixed>
[bullseye] - chromium <end-of-life> (see #1061268)
-CVE-2025-32463 [Local Privilege Escalation via chroot option]
+CVE-2025-32463 (Sudo before 1.9.17p1 allows local users to obtain root access because ...)
- sudo 1.9.16p2-3
[bookworm] - sudo <not-affected> (Vulnerable code introduced later)
[bullseye] - sudo <not-affected> (Vulnerable code introduced later)
NOTE: https://www.sudo.ws/security/advisories/chroot_bug/
-CVE-2025-32462 [Local Privilege Escalation via host option]
+CVE-2025-32462 (Sudo before 1.9.17p1, when used with a sudoers file that specifies a h ...)
+ {DSA-5954-1 DLA-4235-1}
- sudo 1.9.16p2-3
NOTE: https://www.sudo.ws/security/advisories/host_any/
CVE-2025-6297 [dpkg-deb: Fix cleanup for control member with restricted directories]
@@ -1791,7 +1946,7 @@ CVE-2025-6496 (A vulnerability was found in HTACG tidy-html5 5.8.0. It has been
[trixie] - tidy-html5 <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - tidy-html5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/htacg/tidy-html5/issues/1141
-CVE-2025-6494 (A vulnerability was found in sparklemotion nokogiri up to 1.18.7. It h ...)
+CVE-2025-6494 (A vulnerability was found in sparklemotion nokogiri c29c920907366cb74a ...)
- ruby-nokogiri <unfixed> (bug #1108237)
NOTE: https://github.com/sparklemotion/nokogiri/issues/3508
CVE-2025-6493 (A vulnerability was found in CodeMirror up to 5.17.0 and classified as ...)
@@ -1804,7 +1959,7 @@ CVE-2025-52926 (In scan.rs in spytrap-adb before 0.3.5, matches for known stalke
NOTE: https://github.com/spytrap-org/spytrap-adb/commit/277cec542466b75cf5a8c532581243fd4b7b9713 (v0.3.5)
CVE-2025-6492 (A vulnerability has been found in MarkText up to 0.17.1 and classified ...)
NOT-FOR-US: MarkText
-CVE-2025-6490 (A vulnerability was found in sparklemotion nokogiri up to 1.18.7 and c ...)
+CVE-2025-6490 (A vulnerability was found in sparklemotion nokogiri c29c920907366cb74a ...)
- ruby-nokogiri <unfixed> (bug #1108238)
NOTE: https://github.com/sparklemotion/nokogiri/issues/3500
CVE-2025-6489 (A vulnerability has been found in itsourcecode Agri-Trading Online Sho ...)
@@ -2542,7 +2697,7 @@ CVE-2025-50201 (WeGIA is a web manager for charitable institutions. Prior to ver
NOT-FOR-US: WeGIA
CVE-2025-50183 (OpenList Frontend is a UI component for OpenList. Prior to version 4.0 ...)
NOT-FOR-US: OpenList Frontend
-CVE-2025-50182 (urllib3 is a user-friendly HTTP client library for Python. Prior to 2. ...)
+CVE-2025-50182 (urllib3 is a user-friendly HTTP client library for Python. Starting in ...)
- python-urllib3 <unfixed> (bug #1108077)
[bookworm] - python-urllib3 <no-dsa> (Minor issue)
NOTE: https://github.com/urllib3/urllib3/security/advisories/GHSA-48p4-8xcf-vxj5
@@ -8672,15 +8827,15 @@ CVE-2024-1440 (An open redirection vulnerability exists in multiple WSO2 product
CVE-2024-12168 (Yandex Telemost for Desktop before 2.7.0has a DLL Hijacking Vulnerabil ...)
NOT-FOR-US: Yandex Telemost for Desktop
CVE-2024-52035 (An integer overflow vulnerability exists in the OLE Document File Allo ...)
- {DSA-5953-1}
+ {DSA-5953-1 DLA-4234-1}
- catdoc 1:0.95-6 (bug #1107168)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-2131
CVE-2024-54028 (An integer underflow vulnerability exists in the OLE Document DIFAT Pa ...)
- {DSA-5953-1}
+ {DSA-5953-1 DLA-4234-1}
- catdoc 1:0.95-6 (bug #1107168)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-2132
CVE-2024-48877 (A memory corruption vulnerability exists in the Shared String Table Re ...)
- {DSA-5953-1}
+ {DSA-5953-1 DLA-4234-1}
- catdoc 1:0.95-6 (bug #1107168)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-2128
CVE-2025-5436 (A vulnerability was found in Multilaser Sirius RE016 MLT1.0. It has be ...)
@@ -230293,6 +230448,7 @@ CVE-2022-46393 (An issue was discovered in Mbed TLS before 2.28.2 and 3.x before
NOTE: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
NOTE: Fixed by https://github.com/Mbed-TLS/mbedtls/commit/f385fcebee017973cf4137333628a78248f1f443
CVE-2022-46392 (An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0 ...)
+ {DLA-4236-1}
- mbedtls 2.28.2-1
[buster] - mbedtls <postponed> (Minor issue)
NOTE: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
@@ -309421,7 +309577,7 @@ CVE-2021-44733 (A use-after-free exists in drivers/tee/tee_shm.c in the TEE subs
[stretch] - linux <not-affected> (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2030747
CVE-2021-44732 (Mbed TLS before 3.0.1 has a double free in certain out-of-memory condi ...)
- {DLA-3249-1}
+ {DLA-4236-1 DLA-3249-1}
[experimental] - mbedtls 2.28.0-0.1
- mbedtls 2.28.0-0.3 (bug #1002631)
NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12
@@ -313900,7 +314056,7 @@ CVE-2021-43668 (Go-Ethereum 1.10.9 nodes crash (denial of service) after receivi
CVE-2021-43667 (A vulnerability has been detected in HyperLedger Fabric v1.4.0, v2.0.0 ...)
NOT-FOR-US: HyperLedger
CVE-2021-43666 (A Denial of Service vulnerability exists in mbed TLS 3.0.0 and earlier ...)
- {DLA-3249-1}
+ {DLA-4236-1 DLA-3249-1}
- mbedtls 2.28.0-1
NOTE: https://github.com/ARMmbed/mbedtls/issues/5136
NOTE: Backport 2.16: https://github.com/ARMmbed/mbedtls/pull/5311
@@ -334439,6 +334595,7 @@ CVE-2021-36649
CVE-2021-36648
RESERVED
CVE-2021-36647 (Use of a Broken or Risky Cryptographic Algorithm in the function mbedt ...)
+ {DLA-4236-1}
- mbedtls 2.16.11-0.1
[buster] - mbedtls <no-dsa> (Minor issue)
NOTE: https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1/
@@ -366288,7 +366445,7 @@ CVE-2021-24121
CVE-2021-24120
RESERVED
CVE-2021-24119 (In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in b ...)
- {DLA-3249-1 DLA-2826-1}
+ {DLA-4236-1 DLA-3249-1 DLA-2826-1}
- mbedtls 2.16.11-0.1
NOTE: Fixed in 2.26.0: https://github.com/ARMmbed/mbedtls/releases/tag/v2.26.0
CVE-2021-24118
@@ -721620,21 +721777,21 @@ CVE-2012-6443
CVE-2012-6453 (Cross-site scripting (XSS) vulnerability in the RSS Reader extension b ...)
{DSA-2596-1}
- mediawiki-extensions 2.11 (bug #696179)
-CVE-2012-6442 (Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-E ...)
+CVE-2012-6442 (When an affected product receives a valid CIP message from an unauthor ...)
NOT-FOR-US: Rockwell Automation EtherNet/IP
-CVE-2012-6441 (Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-E ...)
+CVE-2012-6441 (An information exposure of confidential information results when the d ...)
NOT-FOR-US: Rockwell Automation EtherNet/IP
-CVE-2012-6440 (The web-server password-authentication functionality in Rockwell Autom ...)
+CVE-2012-6440 (The Web server password authentication mechanism used by the products ...)
NOT-FOR-US: Rockwell Automation EtherNet/IP
-CVE-2012-6439 (Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-E ...)
+CVE-2012-6439 (When an affected product receives a valid CIP message from an unautho ...)
NOT-FOR-US: Rockwell Automation EtherNet/IP
-CVE-2012-6438 (Buffer overflow in Rockwell Automation EtherNet/IP products; 1756-ENBT ...)
+CVE-2012-6438 (The device does not properly validate the data being sent to the buffe ...)
NOT-FOR-US: Rockwell Automation EtherNet/IP
-CVE-2012-6437 (Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-E ...)
+CVE-2012-6437 (The device does not properly authenticate users and the potential exis ...)
NOT-FOR-US: Rockwell Automation EtherNet/IP
-CVE-2012-6436 (Buffer overflow in Rockwell Automation EtherNet/IP products; 1756-ENBT ...)
+CVE-2012-6436 (The device does not properly validate the data being sent to the buffe ...)
NOT-FOR-US: Rockwell Automation EtherNet/IP
-CVE-2012-6435 (Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-E ...)
+CVE-2012-6435 (When an affected product receives a valid CIP message from an unauthor ...)
NOT-FOR-US: Rockwell Automation EtherNet/IP
CVE-2012-6434 (Multiple cross-site request forgery (CSRF) vulnerabilities in e107_adm ...)
NOT-FOR-US: e107
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d75fe6fc508f9dcfffdbec7c72bed0674169efc9
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d75fe6fc508f9dcfffdbec7c72bed0674169efc9
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250701/32f2771f/attachment.htm>
More information about the debian-security-tracker-commits
mailing list