[Git][security-tracker-team/security-tracker][master] Process some NFUs

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue Jul 8 05:00:57 BST 2025 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
43ba09d1 by Salvatore Bonaccorso at 2025-07-08T06:00:34+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -110,21 +110,21 @@ CVE-2025-6210 (A vulnerability in the ObsidianReader class of the run-llama/llam
 CVE-2025-6209 (A path traversal vulnerability exists in run-llama/llama_index version ...)
 	NOT-FOR-US: llama/llama_index
 CVE-2025-6044 (An Improper Access Control vulnerability in the Stylus Tools component ...)
-	TODO: check
+	NOT-FOR-US: Stylus Tools component of Google ChromeOS
 CVE-2025-5472 (The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable ...)
 	NOT-FOR-US: llama/llama_index
 CVE-2025-53543 (Kestra is an event-driven orchestration platform. The error message in ...)
-	TODO: check
+	NOT-FOR-US: Kestra
 CVE-2025-53540 (arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ES ...)
-	TODO: check
+	NOT-FOR-US: arduino-esp32
 CVE-2025-53539 (FastAPI Guard is a security library for FastAPI that provides middlewa ...)
-	TODO: check
+	NOT-FOR-US: FastAPI Guard
 CVE-2025-53536 (Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if ...)
-	TODO: check
+	NOT-FOR-US: Roo Code
 CVE-2025-53535 (Better Auth is an authentication and authorization library for TypeScr ...)
-	TODO: check
+	NOT-FOR-US: Better Auth
 CVE-2025-53532 (giscus is a commenting system powered by GitHub Discussions. A bug in  ...)
-	TODO: check
+	NOT-FOR-US: giscus
 CVE-2025-53531 (WeGIA is a web manager for charitable institutions. The Wegia server h ...)
 	NOT-FOR-US: WeGIA
 CVE-2025-53530 (WeGIA is a web manager for charitable institutions. The Wegia server h ...)
@@ -160,35 +160,35 @@ CVE-2025-53478 (The CheckUser extension\u2019s Special:Investigate interface is
 CVE-2025-53377 (WeGIA is a web manager for charitable institutions. A Reflected Cross- ...)
 	NOT-FOR-US: WeGIA
 CVE-2025-53376 (Dokploy is a self-hostable Platform as a Service (PaaS) that simplifie ...)
-	TODO: check
+	NOT-FOR-US: Dokploy
 CVE-2025-53375 (Dokploy is a self-hostable Platform as a Service (PaaS) that simplifie ...)
-	TODO: check
+	NOT-FOR-US: Dokploy
 CVE-2025-53374 (Dokploy is a self-hostable Platform as a Service (PaaS) that simplifie ...)
-	TODO: check
+	NOT-FOR-US: Dokploy
 CVE-2025-53373 (Natours is a Tour Booking API. The attacker can easily take over any v ...)
-	TODO: check
+	NOT-FOR-US: Natours
 CVE-2025-52492 (A vulnerability has been discovered in the firmware of Paxton Paxton10 ...)
-	TODO: check
+	NOT-FOR-US: firmware of Paxton Paxton10
 CVE-2025-4779 (lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cro ...)
-	TODO: check
+	NOT-FOR-US: lunary-ai/lunary
 CVE-2025-48367 (Redis is an open source, in-memory database that persists on disk. An  ...)
 	TODO: check
 CVE-2025-47202 (In RRC in Samsung Mobile Processor, Wearable Processor, and Modem Exyn ...)
-	TODO: check
+	NOT-FOR-US: Samsung
 CVE-2025-45479 (Insufficient security mechanisms for created containers in educoder ch ...)
-	TODO: check
+	NOT-FOR-US: educoder challenges
 CVE-2025-45065 (employee record management system in php and mysql v1 was discovered t ...)
-	TODO: check
+	NOT-FOR-US: employee record management system
 CVE-2025-43933 (fblog through 983bede allows account takeover via the password reset f ...)
-	TODO: check
+	NOT-FOR-US: fblog
 CVE-2025-43932 (JobCenter through 7e7b0b2 allows account takeover via the password res ...)
-	TODO: check
+	NOT-FOR-US: JobCenter
 CVE-2025-43931 (flask-boilerplate through a170e7c allows account takeover via the pass ...)
 	TODO: check
 CVE-2025-43930 (Hashview 0.8.1 allows account takeover via the password reset feature  ...)
-	TODO: check
+	NOT-FOR-US: Hashview
 CVE-2025-3920 (A vulnerability was identified in SUR-FBD CMMS where hard-coded creden ...)
-	TODO: check
+	NOT-FOR-US: SUR-FBD CMMS
 CVE-2025-3777 (Hugging Face Transformers versions up to 4.49.0 are affected by an imp ...)
 	TODO: check
 CVE-2025-3705 (A physical attacker with no privileges can gain full control of the af ...)
@@ -196,9 +196,9 @@ CVE-2025-3705 (A physical attacker with no privileges can gain full control of t
 CVE-2025-3626 (A remote attacker with administrator account can gain full control of  ...)
 	TODO: check
 CVE-2025-3467 (An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3 ...)
-	TODO: check
+	NOT-FOR-US: Dify
 CVE-2025-3466 (langgenius/dify versions 1.1.0 to 1.1.2 are vulnerable to unsanitized  ...)
-	TODO: check
+	NOT-FOR-US: Dify
 CVE-2025-3264 (A Regular Expression Denial of Service (ReDoS) vulnerability was disco ...)
 	TODO: check
 CVE-2025-3263 (A Regular Expression Denial of Service (ReDoS) vulnerability was disco ...)
@@ -206,17 +206,17 @@ CVE-2025-3263 (A Regular Expression Denial of Service (ReDoS) vulnerability was
 CVE-2025-3262 (A Regular Expression Denial of Service (ReDoS) vulnerability was disco ...)
 	TODO: check
 CVE-2025-3225 (An XML Entity Expansion vulnerability, also known as a 'billion laughs ...)
-	TODO: check
+	NOT-FOR-US: run-llama/llama_index
 CVE-2025-3046 (A vulnerability in the `ObsidianReader` class of the run-llama/llama_i ...)
-	TODO: check
+	NOT-FOR-US: run-llama/llama_index
 CVE-2025-3044 (A vulnerability in the ArxivReader class of the run-llama/llama_index  ...)
-	TODO: check
+	NOT-FOR-US: run-llama/llama_index
 CVE-2025-36014 (IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.5 is vulnerable t ...)
 	NOT-FOR-US: IBM
 CVE-2025-32023 (Redis is an open source, in-memory database that persists on disk. Fro ...)
 	TODO: check
 CVE-2025-26780 (An issue was discovered in L2 in Samsung Mobile Processor and Modem Ex ...)
-	TODO: check
+	NOT-FOR-US: Samsung
 CVE-2025-20325 (In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a ...)
 	NOT-FOR-US: Cisco
 CVE-2025-20324 (In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 an ...)
@@ -240,11 +240,11 @@ CVE-2024-43334 (Improper Neutralization of Input During Web Page Generation ('Cr
 CVE-2024-43190 (IBM Engineering Requirements Management DOORS 9.7.2.9, under certain c ...)
 	NOT-FOR-US: IBM
 CVE-2024-37658 (An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote a ...)
-	TODO: check
+	NOT-FOR-US: Gnuboard
 CVE-2024-37657 (An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote a ...)
-	TODO: check
+	NOT-FOR-US: Gnuboard
 CVE-2024-37656 (An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote a ...)
-	TODO: check
+	NOT-FOR-US: Gnuboard
 CVE-2024-25178 (LuaJIT through 2.1 has an out-of-bounds read in the stack-overflow han ...)
 	TODO: check
 CVE-2024-25177 (LuaJIT through 2.1 has an unsinking of IR_FSTORE for NULL metatable, w ...)
@@ -252,7 +252,7 @@ CVE-2024-25177 (LuaJIT through 2.1 has an unsinking of IR_FSTORE for NULL metata
 CVE-2024-25176 (LuaJIT through 2.1 has a stack-buffer-overflow in lj_strfmt_wfnum in l ...)
 	TODO: check
 CVE-2023-51232 (Directory Traversal vulnerability in dagster-webserver Dagster thru 1. ...)
-	TODO: check
+	NOT-FOR-US: dagster-webserver Dagster
 CVE-2025-XXXX [RSS/SEARCH: Prevent opening local files if web page is expected]
 	- qbittorrent 5.1.0-2 (bug #1108843)
 	[bookworm] - qbittorrent <no-dsa> (Minor issue)
@@ -308,7 +308,7 @@ CVE-2025-7094 (A vulnerability was found in Belkin F9K1122 1.00.33. It has been
 CVE-2025-7093 (A vulnerability was found in Belkin F9K1122 1.00.33. It has been decla ...)
 	NOT-FOR-US: Belkin
 CVE-2025-53473 (Server-side request forgery (SSRF) vulnerability exists n multiple ver ...)
-	TODO: check
+	NOT-FOR-US: Nimesa Backup and Recovery
 CVE-2025-53186 (Vulnerability that allows third-party call apps to send broadcasts wit ...)
 	NOT-FOR-US: Huawei
 CVE-2025-53185 (Virtual address reuse issue in the memory management module, which can ...)
@@ -350,11 +350,11 @@ CVE-2025-53168 (Vulnerability of bypassing the process to start SA and use relat
 CVE-2025-53167 (Authentication vulnerability in the distributed collaboration framewor ...)
 	NOT-FOR-US: Huawei
 CVE-2025-48501 (An OS command injection issue exists in Nimesa Backup and Recovery v2. ...)
-	TODO: check
+	NOT-FOR-US: Nimesa Backup and Recovery
 CVE-2025-41672 (A remote unauthenticated attacker may use default certificates to gene ...)
 	TODO: check
 CVE-2025-3108 (A critical deserialization vulnerability exists in the run-llama/llama ...)
-	TODO: check
+	NOT-FOR-US: run-llama/llama_index
 CVE-2025-24508 (Extraction of Account Connectivity Credentials (ACCs) from the IT Mana ...)
 	TODO: check
 CVE-2024-58117 (Stack overflow risk when vector images are parsed during file preview  ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43ba09d123d6c4ba244648afe3b528e3ceb6b959

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43ba09d123d6c4ba244648afe3b528e3ceb6b959
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250708/58d2e587/attachment.htm>

More information about the debian-security-tracker-commits mailing list