[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Wed Jun 11 21:13:01 BST 2025



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
27e2fbd1 by security tracker role at 2025-06-11T20:12:54+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,81 @@
+CVE-2025-6002 (An unrestricted file upload vulnerability exists in the Product Image  ...)
+	TODO: check
+CVE-2025-6001 (A Cross-Site Request Forgery (CSRF) vulnerability exists in the produc ...)
+	TODO: check
+CVE-2025-5687 (A vulnerability in Mozilla VPN on macOS allows privilege escalation fr ...)
+	TODO: check
+CVE-2025-5144 (The The Events Calendar plugin for WordPress is vulnerable to Stored C ...)
+	TODO: check
+CVE-2025-4922 (Nomad Community and Nomad Enterprise (\u201cNomad\u201d) prefix-based  ...)
+	TODO: check
+CVE-2025-4605 (A maliciously crafted .usdc file, when loaded through Autodesk Maya, c ...)
+	TODO: check
+CVE-2025-4573 (Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5 ...)
+	TODO: check
+CVE-2025-4315 (The CubeWP \u2013 All-in-One Dynamic Content Framework plugin for Word ...)
+	TODO: check
+CVE-2025-4128 (Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to proper ...)
+	TODO: check
+CVE-2025-49150 (Cursor is a code editor built for programming with AI. Prior to 0.51.0 ...)
+	TODO: check
+CVE-2025-49148 (ClipShare is a lightweight and cross-platform tool for clipboard shari ...)
+	TODO: check
+CVE-2025-49146 (pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until ...)
+	TODO: check
+CVE-2025-48448 (Allocation of Resources Without Limits or Throttling vulnerability in  ...)
+	TODO: check
+CVE-2025-48447 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-48446 (Incorrect Authorization vulnerability in Drupal Commerce Alphabank Red ...)
+	TODO: check
+CVE-2025-48445 (Incorrect Authorization vulnerability in Drupal Commerce Eurobank (Red ...)
+	TODO: check
+CVE-2025-48444 (Missing Authorization vulnerability in Drupal Quick Node Block allows  ...)
+	TODO: check
+CVE-2025-48013 (Missing Authorization vulnerability in Drupal Quick Node Block allows  ...)
+	TODO: check
+CVE-2025-41663 (An unauthenticated remote attacker in a man-in-the-middle position can ...)
+	TODO: check
+CVE-2025-41662 (An unauthenticated remote attacker can execute arbitrary commands with ...)
+	TODO: check
+CVE-2025-41661 (An unauthenticated remote attacker can execute arbitrary commands with ...)
+	TODO: check
+CVE-2025-40915 (Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number sour ...)
+	TODO: check
+CVE-2025-40914 (Perl CryptX before version 0.087 contains a dependency that may be sus ...)
+	TODO: check
+CVE-2025-40912 (CryptX for Perl before version 0.065 contains a dependency that may be ...)
+	TODO: check
+CVE-2025-3473 (IBM Security Guardium 12.1 could allow a local privileged user to esca ...)
+	TODO: check
+CVE-2025-3302 (The Xagio SEO \u2013 AI Powered SEO plugin for WordPress is vulnerable ...)
+	TODO: check
+CVE-2025-35941 (A password is exposed locally.)
+	TODO: check
+CVE-2025-32711 (Ai command injection in M365 Copilot allows an unauthorized attacker t ...)
+	TODO: check
+CVE-2025-32466 (A SQL injection vulnerability in RSMediaGallery! component 1.7.4 - 2.1 ...)
+	TODO: check
+CVE-2025-32465 (A stored XSS vulnerability in RSTickets! component 1.9.12 - 3.3.0 for  ...)
+	TODO: check
+CVE-2025-30085 (Remote code execution vulnerability in RSForm!pro component 3.0.0 - 3. ...)
+	TODO: check
+CVE-2025-26412 (The SIMCom SIM7600G modem supports an undocumented AT command, which a ...)
+	TODO: check
+CVE-2025-26383 (The iSTAR Configuration Utility (ICU) tool leaks memory, which could r ...)
+	TODO: check
+CVE-2025-25032 (IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 1 ...)
+	TODO: check
+CVE-2025-1699 (An incorrect default permissions vulnerability was reported in the Mot ...)
+	TODO: check
+CVE-2025-1698 (Null pointer exception vulnerabilities were reported in the fingerprin ...)
+	TODO: check
+CVE-2025-0923 (IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 1 ...)
+	TODO: check
+CVE-2025-0917 (IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 1 ...)
+	TODO: check
+CVE-2025-0163 (IBM Security Verify Access Appliance and Docker 10.0 through 10.0.8 co ...)
+	TODO: check
 CVE-2025-5991 (There is a "Use After Free" vulnerability in Qt's QHttp2ProtocolHandle ...)
 	- qt6-base <unfixed>
 	- qtbase-opensource-src <unfixed>
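Review bot: two pairs of new entries carry identical truncated descriptions, CVE-2025-48444 / CVE-2025-48013 ("Missing Authorization vulnerability in Drupal Quick Node Block allows ...") and CVE-2025-41662 / CVE-2025-41661 ("An unauthenticated remote attacker can execute arbitrary commands with ..."); when the `TODO: check` placeholders are resolved, confirm from the full advisories that each pair describes distinct issues rather than a duplicate assignment, and record the distinction in a NOTE so the two entries of a pair are not triaged identically by mistake.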
@@ -523,14 +601,14 @@ CVE-2024-1244 (Improper input validation in the OSSEC HIDS agent for Windows pri
 	NOT-FOR-US: OSSEC-HIDS Agent
 CVE-2024-1243 (Improper input validation in the Wazuh agent for Windows prior to vers ...)
 	NOT-FOR-US: Wazuh agent for Windows
-CVE-2025-5986
+CVE-2025-5986 (A crafted HTML email using mailbox:/// links can trigger automatic, un ...)
 	- thunderbird <unfixed>
 	[bookworm] - thunderbird <postponed> (Minor issue, fix along with June update)
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-49/#CVE-2025-5986
-CVE-2025-49710
+CVE-2025-49710 (An integer overflow was present in `OrderedHashTable` used by the Java ...)
 	- firefox 139.0.4-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-47/#CVE-2025-49710
-CVE-2025-49709
+CVE-2025-49709 (Certain canvas operations could have lead to memory corruption. This v ...)
 	- firefox 139.0.4-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-47/#CVE-2025-49709
 CVE-2025-49091 (KDE Konsole before 25.04.2 allows remote code execution in a certain s ...)
@@ -2332,7 +2410,7 @@ CVE-2025-27445 (A path traversal vulnerability in RSFirewall component 2.9.7 - 3
 	NOT-FOR-US: Joomla
 CVE-2025-0691 (Improper access control in permissions component in Devolutions Server ...)
 	NOT-FOR-US: Devolutions
-CVE-2025-22874
+CVE-2025-22874 (Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsag ...)
 	- golang-1.24 <unfixed> (bug #1107364)
 	- golang-1.23 <not-affected> (Vulnerable code not present)
 	- golang-1.19 <not-affected> (Vulnerable code not present)
@@ -2340,7 +2418,7 @@ CVE-2025-22874
 	NOTE: https://github.com/golang/go/issues/73612
 	NOTE: Fixed by: https://github.com/golang/go/commit/03811ab1b31525e8d779997db169c6fedab7c505 (go1.24.4)
 	NOTE: Introduced with: https://github.com/golang/go/commit/e8d95619978c4602d4446f113b3b69b7a22308fa (go1.24rc1)
-CVE-2025-0913
+CVE-2025-0913 (os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and  ...)
 	- golang-1.24 <not-affected> (Only affects Go on Windows)
 	- golang-1.23 <not-affected> (Only affects Go on Windows)
 	- golang-1.19 <not-affected> (Only affects Go on Windows)
@@ -2348,7 +2426,7 @@ CVE-2025-0913
 	NOTE: https://github.com/golang/go/issues/73702
 	NOTE: Fixed by: https://github.com/golang/go/commit/9f9cf28f8fe67e6c17123cae2d89f116504f2be1 (go1.24.4)
 	NOTE: Fixed by: https://github.com/golang/go/commit/c2c89d95516d2a6b51aa1766ed5f76e542ab282c (go1.23.10)
-CVE-2025-4673
+CVE-2025-4673 (Proxy-Authorization and Proxy-Authenticate headers persisted on cross- ...)
 	- golang-1.24 <unfixed> (bug #1107364)
 	- golang-1.23 <unfixed> (bug #1107390)
 	- golang-1.19 <removed>
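Review bot: golang-1.19 is recorded as `<removed>` here but as `<not-affected>` with a parenthesised reason ("Vulnerable code not present", "Only affects Go on Windows") under CVE-2025-22874 and CVE-2025-0913 in the two hunks above; either use the same marker for the removed source package across the three Go entries, or add the reason for 1.19 here as those entries do, so the Proxy-Authorization entry is not the only one where the 1.19 status reads as unassessed.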
@@ -4691,7 +4769,7 @@ CVE-2025-5145 (A vulnerability, which was classified as critical, was found in N
 	NOT-FOR-US: Netcore
 CVE-2025-5140 (A vulnerability classified as critical has been found in Seeyon Zhiyua ...)
 	NOT-FOR-US: Seeyon Zhiyuan OA Web Application System
-CVE-2025-5139 (A vulnerability was found in Qualitor 8.20. It has been rated as criti ...)
+CVE-2025-5139 (A vulnerability was found in Qualitor 8.20/8.24. It has been rated as  ...)
 	NOT-FOR-US: Qualitor
 CVE-2025-5138 (A vulnerability was found in Bitwarden up to 2.25.1. It has been decla ...)
 	NOT-FOR-US: Bitwarden
@@ -5428,6 +5506,7 @@ CVE-2025-45753 (A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows
 CVE-2025-44040 (An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges  ...)
 	NOT-FOR-US: OrangeHRM
 CVE-2025-3887 (GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code E ...)
+	{DSA-5941-1}
 	- gst-plugins-bad1.0 1.26.1-1 (bug #1106285)
 	NOTE: https://gstreamer.freedesktop.org/security/sa-2025-0001.html
 	NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/d0e18d6353e4e448ccf3b06a967b394e664dd0b5 (main)
@@ -8239,7 +8318,8 @@ CVE-2025-3909 (Thunderbird's handling of the X-Mozilla-External-Attachment-URL h
 	{DSA-5921-1 DLA-4167-1}
 	- thunderbird 1:128.10.1esr-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-34/#CVE-2025-3909
-CVE-2025-3877 (A crafted HTML email using mailbox:/// links can trigger automatic, un ...)
+CVE-2025-3877
+	REJECTED
 	{DSA-5921-1 DLA-4167-1}
 	- thunderbird 1:128.10.1esr-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-34/#CVE-2025-3877
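Review bot: the REJECTED marker keeps the `{DSA-5921-1 DLA-4167-1}`, `thunderbird 1:128.10.1esr-1` and mfsa2025-34 lines on an ID that no longer describes an issue, while the description dropped here ("A crafted HTML email using mailbox:/// links can trigger automatic, un ...") is the one now attached to CVE-2025-5986 in the second hunk of this patch; add a NOTE on CVE-2025-3877 (or on CVE-2025-5986) recording that relationship, so the fix data on the rejected entry points at where the issue now lives and the bookworm `<postponed>` decision on CVE-2025-5986 can be checked against the earlier DSA/DLA.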



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27e2fbd10a0262cbd025311ecc74b62958f1214a
