[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Jun 24 21:16:12 BST 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
316be68e by security tracker role at 2025-06-24T20:16:05+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,48 +1,160 @@
-CVE-2025-6436
+CVE-2025-6579 (A vulnerability was found in code-projects Car Rental System 1.0. It h ...)
+ TODO: check
+CVE-2025-6578 (A vulnerability was found in code-projects Simple Online Hotel Reserva ...)
+ TODO: check
+CVE-2025-6570 (A vulnerability, which was classified as critical, has been found in P ...)
+ TODO: check
+CVE-2025-6569 (A vulnerability classified as problematic was found in code-projects S ...)
+ TODO: check
+CVE-2025-6568 (A vulnerability classified as critical has been found in TOTOLINK EX12 ...)
+ TODO: check
+CVE-2025-6567 (A vulnerability was found in Campcodes Online Recruitment Management S ...)
+ TODO: check
+CVE-2025-6566 (A vulnerability was found in oatpp Oat++ up to 1.3.1. It has been decl ...)
+ TODO: check
+CVE-2025-6565 (A vulnerability was found in Netgear WNCE3001 1.0.0.50. It has been cl ...)
+ TODO: check
+CVE-2025-6557 (Insufficient data validation in DevTools in Google Chrome on Windows p ...)
+ TODO: check
+CVE-2025-6556 (Insufficient policy enforcement in Loader in Google Chrome prior to 13 ...)
+ TODO: check
+CVE-2025-6555 (Use after free in Animation in Google Chrome prior to 138.0.7204.49 al ...)
+ TODO: check
+CVE-2025-6206 (The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, Ch ...)
+ TODO: check
+CVE-2025-6032 (A flaw was found in Podman. The podman machine init command fails to v ...)
+ TODO: check
+CVE-2025-5318 (A flaw was found in the libssh library. An out-of-bounds read can be t ...)
+ TODO: check
+CVE-2025-5087 (Kaleris NAVIS N4 ULC (Ultra Light Client) communicates insecurely usin ...)
+ TODO: check
+CVE-2025-53073 (In Sentry 25.1.0 through 25.5.1, an authenticated attacker can access ...)
+ TODO: check
+CVE-2025-53021 (A session fixation vulnerability in Moodle 3.x through 3.11.18 allows ...)
+ TODO: check
+CVE-2025-52888 (Allure 2 is the version 2.x branch of Allure Report, a multi-language ...)
+ TODO: check
+CVE-2025-52882 (Claude Code is an agentic coding tool. Claude Code extensions in VSCod ...)
+ TODO: check
+CVE-2025-52880 (Komga is a media server for comics, mangas, BDs, magazines and eBooks. ...)
+ TODO: check
+CVE-2025-52571 (Hikka is a Telegram userbot. A vulnerability affects all users of vers ...)
+ TODO: check
+CVE-2025-52471 (ESF-IDF is the Espressif Internet of Things (IOT) Development Framewor ...)
+ TODO: check
+CVE-2025-50699 (PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Cr ...)
+ TODO: check
+CVE-2025-50695 (PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Cr ...)
+ TODO: check
+CVE-2025-50693 (PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to In ...)
+ TODO: check
+CVE-2025-4383 (Improper Restriction of Excessive Authentication Attempts vulnerabilit ...)
+ TODO: check
+CVE-2025-4378 (Cleartext Transmission of Sensitive Information, Use of Hard-coded Cre ...)
+ TODO: check
+CVE-2025-49853 (ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnera ...)
+ TODO: check
+CVE-2025-49852 (ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnera ...)
+ TODO: check
+CVE-2025-49851 (ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnera ...)
+ TODO: check
+CVE-2025-49147 (Umbraco, a free and open source .NET content management system, has a ...)
+ TODO: check
+CVE-2025-44531 (An issue in Realtek RTL8762EKF-EVB RTL8762E SDK v1.4.0 allows attacker ...)
+ TODO: check
+CVE-2025-3092 (An unauthenticated remote attacker can enumerate valid user names from ...)
+ TODO: check
+CVE-2025-3091 (An low privileged remote attacker in possession of the second factor f ...)
+ TODO: check
+CVE-2025-39205 (A vulnerability exists in the IEC 61850 in MicroSCADA X SYS600 product ...)
+ TODO: check
+CVE-2025-39204 (A vulnerability exists in the Web interface of the MicroSCADA X SYS600 ...)
+ TODO: check
+CVE-2025-39203 (A vulnerability exists in the IEC 61850 of the MicroSCADA X SYS600 pro ...)
+ TODO: check
+CVE-2025-39202 (A vulnerability exists in in the Monitor Pro interface of the MicroSCA ...)
+ TODO: check
+CVE-2025-39201 (A vulnerability exists in MicroSCADA X SYS600 product. If exploited th ...)
+ TODO: check
+CVE-2025-36537 (Incorrect Permission Assignment for Critical Resource in the TeamViewe ...)
+ TODO: check
+CVE-2025-32978 (Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, ...)
+ TODO: check
+CVE-2025-32977 (Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, ...)
+ TODO: check
+CVE-2025-32976 (Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, ...)
+ TODO: check
+CVE-2025-32975 (Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, ...)
+ TODO: check
+CVE-2025-2566 (Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java dese ...)
+ TODO: check
+CVE-2025-2403 (A denial-of-service vulnerability due to improper prioritization of ne ...)
+ TODO: check
+CVE-2025-27828 (A vulnerability in the legacy chat component of Mitel MiContact Center ...)
+ TODO: check
+CVE-2025-27827 (A vulnerability in the legacy chat component of Mitel MiContact Center ...)
+ TODO: check
+CVE-2025-23265 (NVIDIA Megatron-LM for all platforms contains a vulnerability in a pyt ...)
+ TODO: check
+CVE-2025-23264 (NVIDIA Megatron-LM for all platforms contains a vulnerability in a pyt ...)
+ TODO: check
+CVE-2025-23260 (NVIDIA AIStore contains a vulnerability in the AIS Operator where a us ...)
+ TODO: check
+CVE-2025-1718 (An authenticated user with file access privilege via FTP access can ca ...)
+ TODO: check
+CVE-2024-56918 (In Netbox Community 4.1.7, the login page is vulnerable to cross-site ...)
+ TODO: check
+CVE-2024-56917 (Netbox Community 4.1.7 is vulnerable to Cross Site Scripting (XSS) via ...)
+ TODO: check
+CVE-2024-56916 (In Netbox Community 4.1.7, once authenticated, Configuration History > ...)
+ TODO: check
+CVE-2024-37743 (An issue in mmzdev KnowledgeGPT V.0.0.5 allows a remote attacker to ex ...)
+ TODO: check
+CVE-2025-6436 (Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of ...)
- firefox <unfixed>
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-51/#CVE-2025-6436
-CVE-2025-6435
+CVE-2025-6435 (If a user saved a response from the Network tab in Devtools using the ...)
- firefox <unfixed>
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-51/#CVE-2025-6435
-CVE-2025-6434
+CVE-2025-6434 (The exception page for the HTTPS-Only feature, displayed when a websit ...)
- firefox <unfixed>
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-51/#CVE-2025-6434
-CVE-2025-6433
+CVE-2025-6433 (If a user visited a webpage with an invalid TLS certificate, and grant ...)
- firefox <unfixed>
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-51/#CVE-2025-6433
-CVE-2025-6432
+CVE-2025-6432 (When Multi-Account Containers was enabled, DNS requests could have byp ...)
- firefox <unfixed>
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-51/#CVE-2025-6432
-CVE-2025-6431
+CVE-2025-6431 (When a link can be opened in an external application, Firefox for Andr ...)
- firefox <not-affected> (Android-specific)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-51/#CVE-2025-6431
-CVE-2025-6430
+CVE-2025-6430 (When a file download is specified via the `Content-Disposition` header ...)
- firefox <unfixed>
- firefox-esr <unfixed>
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-51/#CVE-2025-6430
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-53/#CVE-2025-6430
-CVE-2025-6429
+CVE-2025-6429 (Firefox could have incorrectly parsed a URL and rewritten it to the yo ...)
- firefox <unfixed>
- firefox-esr <unfixed>
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-51/#CVE-2025-6429
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-53/#CVE-2025-6429
-CVE-2025-6428
+CVE-2025-6428 (When a URL was provided in a link querystring parameter, Firefox for A ...)
- firefox <not-affected> (Android-specific)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-51/#CVE-2025-6428
-CVE-2025-6427
+CVE-2025-6427 (An attacker was able to bypass the `connect-src` directive of a Conten ...)
- firefox <unfixed>
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-51/#CVE-2025-6427
-CVE-2025-6426
+CVE-2025-6426 (The executable file warning did not warn users before opening files wi ...)
- firefox <not-affected> (MacOS-specific)
- firefox-esr <not-affected> (MacOS-specific)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-51/#CVE-2025-6426
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-53/#CVE-2025-6426
-CVE-2025-6425
+CVE-2025-6425 (An attacker who enumerated resources from the WebCompat extension coul ...)
- firefox <unfixed>
- firefox-esr <unfixed>
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-51/#CVE-2025-6425
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-53/#CVE-2025-6425
-CVE-2025-6424
+CVE-2025-6424 (A use-after-free in FontFaceSet resulted in a potentially exploitable ...)
- firefox <unfixed>
- firefox-esr <unfixed>
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-51/#CVE-2025-6424
@@ -2591,11 +2703,13 @@ CVE-2025-38005 (In the Linux kernel, the following vulnerability has been resolv
[bookworm] - linux 6.1.140-1
NOTE: https://git.kernel.org/linus/fca280992af8c2fbd511bc43f65abb4a17363f2f (6.15-rc7)
CVE-2025-31698 (ACL configured in ip_allow.config or remap.config does not use IP addr ...)
+ {DSA-5948-1}
- trafficserver <unfixed> (bug #1108044)
NOTE: https://www.openwall.com/lists/oss-security/2025/06/17/7
NOTE: https://github.com/apache/trafficserver/commit/ce942e0acacd5cc9f38bd07565a1dfc5ffed0e33 (9.2.11-rc0)
NOTE: https://github.com/apache/trafficserver/commit/91a654dfa4de0c48aa222b87bfb909f9f21b03e0 (master)
CVE-2025-49763 (ESI plugin does not have the limit for maximum inclusion depth, and th ...)
+ {DSA-5948-1}
- trafficserver <unfixed> (bug #1108044)
NOTE: https://www.openwall.com/lists/oss-security/2025/06/17/7
NOTE: https://github.com/apache/trafficserver/commit/2db8b8dc96e57fc292850f77b9783630cc9590b9 (9.2.11-rc0)
@@ -19459,6 +19573,7 @@ CVE-2024-53568 (A stored cross-site scripting (XSS) vulnerability in the Image U
CVE-2024-46546 (NEXTU FLETA AX1500 WIFI6 Router v1.0.3 was discovered to contain a sta ...)
NOT-FOR-US: NEXTU FLETA AX1500 WIFI6 Router
CVE-2024-33452 (An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a r ...)
+ {DLA-4228-1}
- libnginx-mod-http-lua 1:0.10.27-1
- nginx 1.22.0-3
NOTE: src:nginx/1.22.0-3 removed the http-lua module and moved it to a separate package
@@ -25983,6 +26098,7 @@ CVE-2024-37917 (Pexip Infinity before 35.0 has improper input validation that al
CVE-2024-13673 (The Big Boom Directory plugin for WordPress is vulnerable to Stored Cr ...)
NOT-FOR-US: WordPress plugin
CVE-2024-53868 (Apache Traffic Server allows request smuggling if chunked messages are ...)
+ {DSA-5948-1}
- trafficserver <unfixed> (bug #1101996)
NOTE: https://www.openwall.com/lists/oss-security/2025/04/02/4
NOTE: https://github.com/apache/trafficserver/commit/f266206adb95951436a21850cef2ad8e9e4a28cf
@@ -32604,6 +32720,7 @@ CVE-2025-2359 (A vulnerability classified as critical has been found in D-Link D
CVE-2025-2358 (A vulnerability was found in Shenzhen Mingyuan Cloud Technology Mingyu ...)
NOT-FOR-US: Shenzhen Mingyuan Cloud Technology Mingyuan Real Estate ERP System
CVE-2025-2357 (A vulnerability was found in DCMTK 3.6.9. It has been declared as crit ...)
+ {DLA-4227-1}
- dcmtk 3.6.9-5 (bug #1100724)
[bookworm] - dcmtk <no-dsa> (Minor issue)
NOTE: https://support.dcmtk.org/redmine/issues/1155
@@ -42441,10 +42558,12 @@ CVE-2025-25892 (A buffer overflow vulnerability was discovered in D-Link DSL-378
CVE-2025-25891 (A buffer overflow vulnerability was discovered in D-Link DSL-3782 v1.0 ...)
NOT-FOR-US: D-Link
CVE-2025-25475 (A NULL pointer dereference in the component /libsrc/dcrleccd.cc of DCM ...)
+ {DLA-4227-1}
- dcmtk 3.6.9-4 (bug #1098373)
[bookworm] - dcmtk 3.6.7-9~deb12u3
NOTE: Fixed by: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=bffa3e9116abb7038b432443f16b1bd390e80245
CVE-2025-25474 (DCMTK v3.6.9+ DEV was discovered to contain a buffer overflow via the ...)
+ {DLA-4227-1}
- dcmtk 3.6.9-4 (bug #1098374)
[bookworm] - dcmtk 3.6.7-9~deb12u3
NOTE: Fixed by: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=1d205bcd307164c99e0d4bbf412110372658d847
@@ -42456,6 +42575,7 @@ CVE-2025-25473 (FFmpeg git master before commit c08d30 was discovered to contain
NOTE: https://trac.ffmpeg.org/ticket/11419
NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/c08d300481b8ebb846cd43a473988fdbc6793d1b
CVE-2025-25472 (A buffer overflow in DCMTK git master v3.6.9+ DEV allows attackers to ...)
+ {DLA-4227-1}
- dcmtk 3.6.9-4
[bookworm] - dcmtk 3.6.7-9~deb12u3
NOTE: Introduced by fix for CVE-2024-47796: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6
@@ -53733,7 +53853,7 @@ CVE-2024-47895 (Kernel software installed and running inside a Guest VM may post
CVE-2024-47894 (Kernel software installed and running inside a Guest VM may post impro ...)
NOT-FOR-US: Imagination GPU Driver
CVE-2024-47796 (An improper array index validation vulnerability exists in the nowindo ...)
- {DLA-4038-1}
+ {DLA-4227-1 DLA-4038-1}
- dcmtk 3.6.8-7 (bug #1093043)
[bookworm] - dcmtk 3.6.7-9~deb12u2
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-2122
@@ -266871,11 +266991,13 @@ CVE-2022-2121 (OFFIS DCMTK's (All versions prior to 3.6.7) has a NULL pointer de
NOTE: https://support.dcmtk.org/redmine/issues/1021
NOTE: Fixed by: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=3e996a2749a9355c9b680fa464ecfd9ab9ff567f (DCMTK-3.6.7)
CVE-2022-2120 (OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) i ...)
+ {DLA-4227-1}
- dcmtk 3.6.7-6 (bug #1017743)
[buster] - dcmtk <no-dsa> (Minor issue)
NOTE: https://support.dcmtk.org/redmine/issues/1021
NOTE: Fixed by: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=f06a867513524664a1b03dfcf812d8b60fdd02cc
CVE-2022-2119 (OFFIS DCMTK's (All versions prior to 3.6.7) service class provider (SC ...)
+ {DLA-4227-1}
- dcmtk 3.6.7-6 (bug #1017743)
[buster] - dcmtk <no-dsa> (Minor issue)
NOTE: https://support.dcmtk.org/redmine/issues/1021
@@ -320019,8 +320141,8 @@ CVE-2021-41693
RESERVED
CVE-2021-41692
RESERVED
-CVE-2021-41691
- RESERVED
+CVE-2021-41691 (A SQL injection vulnerability exists in OS4Ed Open Source Information ...)
+ TODO: check
CVE-2021-41690 (DCMTK through 3.6.6 does not handle memory free properly. The malloced ...)
{DLA-4038-1 DLA-3847-1}
- dcmtk 3.6.7-1
@@ -349773,6 +349895,7 @@ CVE-2020-36310 (An issue was discovered in the Linux kernel before 5.8. arch/x86
[stretch] - linux <not-affected> (Vulnerability introduced later)
NOTE: https://git.kernel.org/linus/e72436bc3a5206f95bb384e741154166ddb3202e
CVE-2020-36309 (ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty ...)
+ {DLA-4228-1}
- libnginx-mod-http-lua <not-affected> (Fixed before initial upload to Debian)
- nginx 1.22.0-3 (bug #986787)
[buster] - nginx <ignored> (Minor issue, too intrusive to backport, see #986787)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/316be68e907a07ad03e22537d07b9703c3ab11bf
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/316be68e907a07ad03e22537d07b9703c3ab11bf
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250624/b5d2bc4f/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list