[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Jun 17 21:12:47 BST 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e2e83434 by security tracker role at 2025-06-17T20:12:40+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,235 @@
+CVE-2025-6199 (A flaw was found in the GIF parser of GdkPixbuf\u2019s LZW decoder. Wh ...)
+ TODO: check
+CVE-2025-6196 (A flaw was found in libgepub, a library used to read EPUB files. The s ...)
+ TODO: check
+CVE-2025-6069 (The html.parser.HTMLParser class had worse-case quadratic complexity w ...)
+ TODO: check
+CVE-2025-6050 (Mezzanine CMS, in versions prior to 6.1.1, contains a Stored Cross-Sit ...)
+ TODO: check
+CVE-2025-5777 (Insufficient input validation leading to memory overreadon the NetScal ...)
+ TODO: check
+CVE-2025-5700 (The Simple Logo Carousel plugin for WordPress is vulnerable to Stored ...)
+ TODO: check
+CVE-2025-5349 (Improper access control on the NetScaler Management Interface in NetSc ...)
+ TODO: check
+CVE-2025-5291 (The Master Slider \u2013 Responsive Touch Slider plugin for WordPress ...)
+ TODO: check
+CVE-2025-5141 (A binary in the BoKS Server Agent component of Fortra's Core Privilege ...)
+ TODO: check
+CVE-2025-4879 (Local Privilege escalation allows a low-privileged user to gain SYSTEM ...)
+ TODO: check
+CVE-2025-4754 (Insufficient Session Expiration vulnerability in ash-project ash_authe ...)
+ TODO: check
+CVE-2025-4404 (A privilege escalation from host to domain vulnerability was found in ...)
+ TODO: check
+CVE-2025-4365 (Arbitrary file read inNetScaler Console and NetScaler SDX (SVM))
+ TODO: check
+CVE-2025-49882 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-49881 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-49880 (Missing Authorization vulnerability in Emraan Cheema CubeWP Forms allo ...)
+ TODO: check
+CVE-2025-49879 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ TODO: check
+CVE-2025-49878 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-49877 (Server-Side Request Forgery (SSRF) vulnerability in Metagauss ProfileG ...)
+ TODO: check
+CVE-2025-49875 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-49874 (Missing Authorization vulnerability in tychesoftwares Arconix FAQ allo ...)
+ TODO: check
+CVE-2025-49872 (Missing Authorization vulnerability in WPExperts.io myCred allows Acce ...)
+ TODO: check
+CVE-2025-49871 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-49868 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability in F ...)
+ TODO: check
+CVE-2025-49865 (Cross-Site Request Forgery (CSRF) vulnerability in Helmut Wandl Advanc ...)
+ TODO: check
+CVE-2025-49864 (Missing Authorization vulnerability in AFS Analytics AFS Analytics all ...)
+ TODO: check
+CVE-2025-49863 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-49862 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-49861 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-49859 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-49858 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-49857 (Missing Authorization vulnerability in WPExperts.io myCred allows Expl ...)
+ TODO: check
+CVE-2025-49856 (Cross-Site Request Forgery (CSRF) vulnerability in CyberChimps Respons ...)
+ TODO: check
+CVE-2025-49855 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-49854 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-49850 (A Heap-based Buffer Overflow vulnerability exists within the parsing o ...)
+ TODO: check
+CVE-2025-49849 (An Out-of-bounds Read vulnerability exists within the parsing of PRJ f ...)
+ TODO: check
+CVE-2025-49848 (An Out-of-bounds Write vulnerability exists within the parsing of PRJ ...)
+ TODO: check
+CVE-2025-49847 (llama.cpp is an inference of several LLM models in C/C++. Prior to ver ...)
+ TODO: check
+CVE-2025-49842 (conda-forge-webservices is the web app deployed to run conda-forge adm ...)
+ TODO: check
+CVE-2025-49508 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-49487 (An uncontrolled search path vulnerability in the Trend Micro Worry-Fre ...)
+ TODO: check
+CVE-2025-49452 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-49451 (Path Traversal vulnerability in yannisraft Aeroscroll Gallery \u2013 I ...)
+ TODO: check
+CVE-2025-49447 (Unrestricted Upload of File with Dangerous Type vulnerability in Fastw ...)
+ TODO: check
+CVE-2025-49444 (Unrestricted Upload of File with Dangerous Type vulnerability in merku ...)
+ TODO: check
+CVE-2025-49415 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ TODO: check
+CVE-2025-49331 (Deserialization of Untrusted Data vulnerability in impleCode eCommerce ...)
+ TODO: check
+CVE-2025-49330 (Deserialization of Untrusted Data vulnerability in CRM Perks Integrati ...)
+ TODO: check
+CVE-2025-49316 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-49312 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-49266 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-49261 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-49260 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-49259 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-49258 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-49257 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-49256 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-49255 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-49254 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-49253 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-49252 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-49251 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-49234 (Missing Authorization vulnerability in Deepak anand WP Dummy Content G ...)
+ TODO: check
+CVE-2025-49220 (An insecure deserialization operation in Trend Micro Apex Central belo ...)
+ TODO: check
+CVE-2025-49219 (An insecure deserialization operation in Trend Micro Apex Central belo ...)
+ TODO: check
+CVE-2025-49158 (An uncontrolled search path vulnerability in the Trend Micro Apex One ...)
+ TODO: check
+CVE-2025-49157 (A link following vulnerability in the Trend Micro Apex One Damage Clea ...)
+ TODO: check
+CVE-2025-49156 (A link following vulnerability in the Trend Micro Apex One scan engine ...)
+ TODO: check
+CVE-2025-49155 (An uncontrolled search path vulnerability in the Trend Micro Apex One ...)
+ TODO: check
+CVE-2025-49154 (An insecure access control vulnerability in Trend Micro Apex One and T ...)
+ TODO: check
+CVE-2025-49071 (Unrestricted Upload of File with Dangerous Type vulnerability in NasaT ...)
+ TODO: check
+CVE-2025-48333 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-48274 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-48145 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-48118 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-48111 (Cross-Site Request Forgery (CSRF) vulnerability in YITHEMES YITH PayPa ...)
+ TODO: check
+CVE-2025-47867 (A Local File Inclusion vulnerability in a Trend Micro Apex Central wid ...)
+ TODO: check
+CVE-2025-47866 (An unrestricted file upload vulnerability in a Trend Micro Apex Centra ...)
+ TODO: check
+CVE-2025-47865 (A Local File Inclusion vulnerability in a Trend Micro Apex Central wid ...)
+ TODO: check
+CVE-2025-47573 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-47572 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-47559 (Unrestricted Upload of File with Dangerous Type vulnerability in Roman ...)
+ TODO: check
+CVE-2025-47452 (Unrestricted Upload of File with Dangerous Type vulnerability in RexTh ...)
+ TODO: check
+CVE-2025-45880 (A cross-site scripting (XSS) vulnerability in the data resource manage ...)
+ TODO: check
+CVE-2025-45879 (A cross-site scripting (XSS) vulnerability in the e-mail manager funct ...)
+ TODO: check
+CVE-2025-45878 (A cross-site scripting (XSS) vulnerability in the report manager funct ...)
+ TODO: check
+CVE-2025-45526 (A denial of service (DoS) vulnerability has been identified in the Jav ...)
+ TODO: check
+CVE-2025-45525 (A null pointer dereference vulnerability was discovered in microlight. ...)
+ TODO: check
+CVE-2025-40674 (Reflected Cross-Site Scripting (XSS) in osCommerce v4. This vulnerabil ...)
+ TODO: check
+CVE-2025-3880 (The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordP ...)
+ TODO: check
+CVE-2025-3515 (The Drag and Drop Multiple File Upload for Contact Form 7 plugin for W ...)
+ TODO: check
+CVE-2025-39508 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-39486 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-39479 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-34511 (Sitecore PowerShell Extensions, an add-on to Sitecore Experience Manag ...)
+ TODO: check
+CVE-2025-34510 (Sitecore Experience Manager (XM), Experience Platform (XP), and Experi ...)
+ TODO: check
+CVE-2025-34509 (Sitecore Experience Manager (XM) and Experience Platform (XP) versions ...)
+ TODO: check
+CVE-2025-34508 (A path traversal vulnerability exists in the file dropoff functionalit ...)
+ TODO: check
+CVE-2025-33122 (IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 could allow a user to gain elevated ...)
+ TODO: check
+CVE-2025-32549 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-32510 (Unrestricted Upload of File with Dangerous Type vulnerability in ovath ...)
+ TODO: check
+CVE-2025-31919 (Deserialization of Untrusted Data vulnerability in themeton Spare allo ...)
+ TODO: check
+CVE-2025-30988 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2025-30680 (A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex ...)
+ TODO: check
+CVE-2025-30679 (A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex ...)
+ TODO: check
+CVE-2025-30678 (A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex ...)
+ TODO: check
+CVE-2025-30618 (Deserialization of Untrusted Data vulnerability in yuliaz Rapyd Paymen ...)
+ TODO: check
+CVE-2025-30562 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-29002 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-28991 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-28972 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-24773 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-24761 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-0320 (Local Privilege escalation allows a low-privileged user to gain SYSTEM ...)
+ TODO: check
+CVE-2024-40570 (SQL Injection vulnerability in SeaCMS v.12.9 allows a remote attacker ...)
+ TODO: check
CVE-2025-6019 [LPE from allow_active to root in libblockdev via udisks]
- libblockdev <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2025/06/17/4
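Review bot: All 116 new entries at the top of this hunk land with the placeholder `TODO: check`, so none of them is triaged yet; the ones naming software Debian packages, such as CVE-2025-6199 (GdkPixbuf LZW decoder), CVE-2025-6196 (libgepub), CVE-2025-6069 (Python html.parser quadratic complexity) and CVE-2025-49847 (llama.cpp), deserve a package line ahead of the WordPress-plugin and vendor-appliance bulk, most of which will end up as NOT-FOR-US. Note also that the imported descriptions carry upstream text verbatim, including literal `\u2019` escape sequences (CVE-2025-6199, CVE-2025-5291, CVE-2025-49451) and missing spaces ("overreadon", "inNetScaler" in CVE-2025-5777 and CVE-2025-4365), which is harmless for the tracker but matters when grepping the list. The unchanged context at the end shows CVE-2025-6019 (libblockdev via udisks) still carrying a bracketed working title and `<unfixed>`, consistent with the same-day oss-security reference.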
@@ -14,38 +246,38 @@ CVE-2025-6192
CVE-2025-6191
- chromium <unfixed>
[bullseye] - chromium <end-of-life> (see #1061268)
-CVE-2025-49180
+CVE-2025-49180 (A flaw was found in the RandR extension, where the RRChangeProviderPro ...)
- xorg-server 2:21.1.16-1.2
- xwayland <unfixed>
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0235121c6a7a6eb247e2addb3b41ed6ef566853d
-CVE-2025-49179
+CVE-2025-49179 (A flaw was found in the X Record extension. The RecordSanityCheckRegis ...)
- xorg-server 2:21.1.16-1.2
- xwayland <unfixed>
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4
-CVE-2025-49178
+CVE-2025-49178 (A flaw was found in the X server's request handling. Non-zero 'bytes t ...)
- xorg-server 2:21.1.16-1.2
- xwayland <unfixed>
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2
-CVE-2025-49177
+CVE-2025-49177 (A flaw was found in the XFIXES extension. The XFixesSetClientDisconnec ...)
- xorg-server 2:21.1.16-1.2
- xwayland <unfixed>
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab02fb96b1c701c3bb47617d965522c34befa6af
-CVE-2025-49176
+CVE-2025-49176 (A flaw was found in the Big Requests extension. The request length is ...)
- xorg-server 2:21.1.16-1.2
- xwayland <unfixed>
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/03731b326a80b582e48d939fe62cb1e2b10400d9
-CVE-2025-49175
+CVE-2025-49175 (A flaw was found in the X Rendering extension's handling of animated c ...)
- xorg-server 2:21.1.16-1.2
- xwayland <unfixed>
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0885e0b26225c90534642fe911632ec0779eebee
-CVE-2025-6020 [pam_namespace: potential privilege escalation]
+CVE-2025-6020 (A flaw was found in linux-pam. The module pam_namespace may use access ...)
- pam <unfixed> (bug #1107919)
NOTE: https://www.openwall.com/lists/oss-security/2025/06/17/1
NOTE: https://github.com/linux-pam/linux-pam/security/advisories/GHSA-f9p8-gjr4-j9gx
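Review bot: The seven xorg-server/xwayland entries and CVE-2025-6020 only gain their published description text in place of a bare id or a bracketed working title; the package, version, `[bookworm] - xwayland <ignored>` and `NOTE: Fixed by:` lines are untouched, so nothing in this hunk changes triage state. One thing to be aware of: the working title `[pam_namespace: potential privilege escalation]` is dropped once the description is imported, and the imported prefix ("The module pam_namespace may use access ...") is cut before it states the condition, so the oss-security and GHSA links in the NOTE lines remain the only place a reader can find the actual issue; keep them.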
@@ -6390,7 +6622,7 @@ CVE-2025-45753 (A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows
CVE-2025-44040 (An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges ...)
NOT-FOR-US: OrangeHRM
CVE-2025-3887 (GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code E ...)
- {DSA-5941-1}
+ {DSA-5941-1 DLA-4219-1}
- gst-plugins-bad1.0 1.26.1-1 (bug #1106285)
NOTE: https://gstreamer.freedesktop.org/security/sa-2025-0001.html
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/d0e18d6353e4e448ccf3b06a967b394e664dd0b5 (main)
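Review bot: The only change is adding `DLA-4219-1` beside `DSA-5941-1` in the braces of CVE-2025-3887. Since this commit touches only data/CVE/list (see the "1 changed file" line above), the matching DLA-4219-1 entry must already exist in data/DLA/list, otherwise the advisory reference dangles; worth confirming the DLA commit landed first.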
@@ -16073,7 +16305,7 @@ CVE-2025-46400 (In xfig diagramming tool, a segmentation fault while running fig
NOTE: Error covered with: https://sourceforge.net/p/mcj/fig2dev/ci/1e5515a1ea2ec8651cf85ab5000d026bb962492a/
NOTE: Fixed by: https://sourceforge.net/p/mcj/fig2dev/ci/c4465e0d9af89d9738aad31c2d0873ac1fa03c96/
NOTE: Crash in CLI tool, no security impact
-CVE-2025-46399 (In xfig diagramming tool, a segmentation fault in fig2dev allows memor ...)
+CVE-2025-46399 (A flaw was found in fig2dev. This vulnerability allows availability vi ...)
{DLA-4147-1}
- fig2dev 1:3.2.9a-4 (unimportant)
NOTE: https://sourceforge.net/p/mcj/tickets/190/
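Review bot: CVE-2025-46399 keeps its `(unimportant)` rating while the rewritten description now frames the fig2dev crash as an availability impact ("availability vi..."). That is consistent with the reasoning recorded for CVE-2025-46400 just above (crash in a CLI tool, no security impact), and the `{DLA-4147-1}` reference shows the fix shipped anyway alongside the other fig2dev issues; if the rating stays, a one-line NOTE with the same rationale on this id would save the next reader from re-deriving it.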
@@ -78867,7 +79099,7 @@ CVE-2024-47410 (Animate versions 23.0.7, 24.0.4 and earlier are affected by a St
NOT-FOR-US: Adobe
CVE-2024-47334 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
NOT-FOR-US: WordPress plugin
-CVE-2024-47196 (A vulnerability has been identified in ModelSim (All versions < V2024. ...)
+CVE-2024-47196 (A vulnerability has been identified in ModelSim (All versions < V2025. ...)
NOT-FOR-US: Siemens
CVE-2024-47195 (A vulnerability has been identified in ModelSim (All versions < V2024. ...)
NOT-FOR-US: Siemens
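Review bot: For CVE-2024-47196 the affected-range text moves from `V2024.` to `V2025.` (the stored prefix is cut at the version field), meaning upstream widened rather than narrowed the affected versions; the entry is `NOT-FOR-US: Siemens`, so nothing changes on the Debian side, but the sibling CVE-2024-47195 still reads `V2024.` and may be touched by a later import.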
@@ -121300,7 +121532,7 @@ CVE-2024-34453 (TwoNav 2.1.13 contains an SSRF vulnerability via the url paramat
NOT-FOR-US: TwoNav
CVE-2024-34449 (Vditor 3.10.3 allows XSS via an attribute of an A element. NOTE: the v ...)
NOT-FOR-US: Vditor
-CVE-2024-34447 (An issue was discovered in Bouncy Castle Java Cryptography APIs before ...)
+CVE-2024-34447 (An issue was discovered in the Bouncy Castle Crypto Package For Java b ...)
- bouncycastle 1.80-1 (bug #1070655)
[bookworm] - bouncycastle <no-dsa> (Minor issue)
[bullseye] - bouncycastle <no-dsa> (Minor issue)
@@ -362677,7 +362909,7 @@ CVE-2021-23816
RESERVED
CVE-2021-23815
RESERVED
-CVE-2021-23814 (This affects the package unisharp/laravel-filemanager from 0.0.0. The ...)
+CVE-2021-23814 (This affects versions of the package unisharp/laravel-filemanager befo ...)
NOT-FOR-US: Laravel Filemanager
CVE-2021-23813
RESERVED
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2e834348d9d8dcf14a6d7174b091a61908090cb