[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu May 8 21:12:47 BST 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
aa3a0c5d by security tracker role at 2025-05-08T20:12:40+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,109 @@
+CVE-2025-4475 (Issue in my product in blah version x on y allows bad person to break)
+ TODO: check
+CVE-2025-4208 (The NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms and mu ...)
+ TODO: check
+CVE-2025-4207 (Buffer over-read in PostgreSQL GB18030 encoding validation allows a da ...)
+ TODO: check
+CVE-2025-4132 (Rapid7 Corporate Website prior to May 2nd 2025, suffered from a URL Re ...)
+ TODO: check
+CVE-2025-4098 (Horner Automation Cscape version 10.0 (10.0.415.2) SP1 is vulnerable t ...)
+ TODO: check
+CVE-2025-47730 (The TeleMessage archiving backend through 2025-05-05 accepts API calls ...)
+ TODO: check
+CVE-2025-47729 (The TeleMessage archiving backend through 2025-05-05 holds cleartext c ...)
+ TODO: check
+CVE-2025-46833 (Programs/P73_SimplePythonEncryption.py illustrates a simple Python enc ...)
+ TODO: check
+CVE-2025-46812 (Trix is a what-you-see-is-what-you-get rich text editor for everyday w ...)
+ TODO: check
+CVE-2025-46712 (Erlang/OTP is a set of libraries for the Erlang programming language. ...)
+ TODO: check
+CVE-2025-45847 (ALFA AIP-W512 v3.2.2.2.3 was discovered to contain an authenticated st ...)
+ TODO: check
+CVE-2025-45846 (ALFA AIP-W512 v3.2.2.2.3 was discovered to contain an authenticated st ...)
+ TODO: check
+CVE-2025-45845 (TOTOLINK NR1800X V9.1.0u.6681_B20230703 was discovered to contain an a ...)
+ TODO: check
+CVE-2025-45844 (TOTOLINK NR1800X V9.1.0u.6681_B20230703 was discovered to contain an a ...)
+ TODO: check
+CVE-2025-45843 (TOTOLINK NR1800X V9.1.0u.6681_B20230703 was discovered to contain an a ...)
+ TODO: check
+CVE-2025-45842 (TOTOLINK NR1800X V9.1.0u.6681_B20230703 was discovered to contain an a ...)
+ TODO: check
+CVE-2025-45841 (TOTOLINK NR1800X V9.1.0u.6681_B20230703 was discovered to contain an a ...)
+ TODO: check
+CVE-2025-45820 (Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is vulnerabl ...)
+ TODO: check
+CVE-2025-45819 (Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is vulnerabl ...)
+ TODO: check
+CVE-2025-45818 (Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is vulnerabl ...)
+ TODO: check
+CVE-2025-45798 (A command execution vulnerability exists in the TOTOLINK A950RG V4.1.2 ...)
+ TODO: check
+CVE-2025-45797 (TOTOlink A950RG V4.1.2cu.5204_B20210112 contains a buffer overflow vul ...)
+ TODO: check
+CVE-2025-45790 (TOTOLINK A3100R V5.9c.1527 is vulnerable to Buffer Overflow via the pr ...)
+ TODO: check
+CVE-2025-45789 (TOTOLINK A3100R V5.9c.1527 is vulnerable to buffer overflow via the ur ...)
+ TODO: check
+CVE-2025-45788 (TOTOLINK A3100R V5.9c.1527 is vulnerable to Buffer Overflow via the co ...)
+ TODO: check
+CVE-2025-45787 (TOTOLINK A3100R V5.9c.1527 is vulnerable to Buffer Overflow viathe com ...)
+ TODO: check
+CVE-2025-44023 (An issue in dlink DNS-320 v.1.00 and DNS-320LW v.1.01.0914.20212 allow ...)
+ TODO: check
+CVE-2025-44021 (OpenStack Ironic before 29.0.1 can write unintended files to a target ...)
+ TODO: check
+CVE-2025-41450 (Improper Authentication vulnerability in Danfoss AKSM8xxA Series.This ...)
+ TODO: check
+CVE-2025-40846 (Improper Input Validation, the returnUrl parameter in Account Security ...)
+ TODO: check
+CVE-2025-3862 (Contest Gallery plugin for WordPress is vulnerable to Stored Cross-Sit ...)
+ TODO: check
+CVE-2025-3759 (Endpoint/cgi-bin-igd/netcore_set.cgiwhich is used for changing device ...)
+ TODO: check
+CVE-2025-3758 (WF2220 exposes endpoint/cgi-bin-igd/netcore_get.cgithat returns config ...)
+ TODO: check
+CVE-2025-3506 (Files to be deployed with agents are accessible without authentication ...)
+ TODO: check
+CVE-2025-3468 (The NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms and mu ...)
+ TODO: check
+CVE-2025-30102 (Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.1.0, contains an ...)
+ TODO: check
+CVE-2025-30101 (Dell PowerScale OneFS, versions 9.8.0.0 through 9.10.1.0, contain a ti ...)
+ TODO: check
+CVE-2025-2806 (The tagDiv Composer plugin for WordPress, used by the Newspaper theme, ...)
+ TODO: check
+CVE-2025-28073 (phpList 3.6.3 is vulnerable to Reflected Cross-Site Scripting (XSS) vi ...)
+ TODO: check
+CVE-2025-27695 (Dell Wyse Management Suite, versions prior to WMS 5.1 contain an Authe ...)
+ TODO: check
+CVE-2025-1948 (In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client ...)
+ TODO: check
+CVE-2025-1254 (Out-of-bounds Read, Out-of-bounds Write vulnerability in RTI Connext P ...)
+ TODO: check
+CVE-2025-1253 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') ...)
+ TODO: check
+CVE-2025-1252 (Heap-based Buffer Overflow vulnerability in RTI Connext Professional ( ...)
+ TODO: check
+CVE-2025-0505 (On Arista CloudVision systems (virtual or physical on-premise deployme ...)
+ TODO: check
+CVE-2024-9448 (On affected platforms running Arista EOS with Traffic Policies configu ...)
+ TODO: check
+CVE-2024-8100 (On affected versions of the Arista CloudVision Portal (CVP on-prem), t ...)
+ TODO: check
+CVE-2024-6648 (Absolute Path Traversal vulnerability in AP Page Builder versions prio ...)
+ TODO: check
+CVE-2024-13009 (In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly ...)
+ TODO: check
+CVE-2024-12378 (On affected platforms running Arista EOS with secure Vxlan configured, ...)
+ TODO: check
+CVE-2024-11186 (On affected versions of the CloudVision Portal, improper access contro ...)
+ TODO: check
+CVE-2023-51328 (PHPJabbers Cleaning Business Software v1.0 is vulnerable to Multiple S ...)
+ TODO: check
+CVE-2023-51295 (PHPJabbers Event Booking Calendar v4.0 is vulnerable to Multiple HTML ...)
+ TODO: check
CVE-2025-4127 (The WP SEO Structured Data Schema plugin for WordPress is vulnerable t ...)
NOT-FOR-US: WordPress plugin
CVE-2025-4043 (An admin user can gain unauthorized write access to the /etc/rc.local ...)
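Review bot: the first new TODO entry, CVE-2025-4475, carries what reads like a placeholder description ("Issue in my product in blah version x on y allows bad person to break") rather than an advisory text, so it should be checked against the upstream record before it is treated as a routine TODO. Among the other TODO: check entries in this hunk, the ones naming software packaged in Debian deserve triage first: CVE-2025-4207 (PostgreSQL GB18030 encoding validation), CVE-2025-46712 (Erlang/OTP), CVE-2025-44021 (OpenStack Ironic before 29.0.1) and CVE-2025-1948 / CVE-2024-13009 (Eclipse Jetty); most of the rest (TOTOLINK, ALFA, Dell, Arista, WordPress plugins, ChromeOS) will almost certainly resolve to NOT-FOR-US like the CVE-2025-4127 entry in the trailing context.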
@@ -40,7 +146,7 @@ CVE-2025-35995 (When a BIG-IP PEM system is licensed with URL categorization, an
NOT-FOR-US: F5
CVE-2025-35939 (Craft CMS stores arbitrary content provided by unauthenticated users i ...)
NOT-FOR-US: Craft CMS
-CVE-2025-46336
+CVE-2025-46336 (Rack::Session is a session management implementation for Rack. In vers ...)
- ruby-rack-session <unfixed> (bug #1104928)
NOTE: https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj
NOTE: Fixed by: https://github.com/rack/rack-session/commit/c58ad7952cc7d0649f0ea9c78d55049739c49e5a (v2.1.1)
@@ -575,7 +681,7 @@ CVE-2025-29746 (Cross Site Scripting vulnerability in Koillection v.1.6.10 allow
NOT-FOR-US: Koillection
CVE-2025-29602 (flatpress 1.3.1 is vulnerable to Cross Site Scripting (XSS) in Adminis ...)
- flatpress <itp> (bug #466297)
-CVE-2025-29448 (A business logic vulnerability in Easy Appointments v1.5.1 allows atta ...)
+CVE-2025-29448 (Booking logic flaw in Easy!Appointments v1.5.1 allows unauthenticated ...)
NOT-FOR-US: Easy Appointments
CVE-2025-29154 (HTML injection vulnerability in lemeconsultoria HCM galera.app v.4.58. ...)
NOT-FOR-US: lemeconsultoria HCM galera.app
@@ -1312,7 +1418,7 @@ CVE-2025-2905 (An XML External Entity (XXE) vulnerability exists in the gateway
NOT-FOR-US: WSO2
CVE-2025-29573 (Cross-Site Scripting (XSS) vulnerability exists in Mezzanine CMS 6.0.0 ...)
NOT-FOR-US: Mezzanine CMS
-CVE-2025-28168 (Outsystems Multiple File Upload < 3.1.0 is vulnerable to Unrestricted ...)
+CVE-2025-28168 (The Multiple File Upload add-on component 3.1.0 for OutSystems is vuln ...)
NOT-FOR-US: Outsystems Multiple File Upload
CVE-2025-28062 (A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ER ...)
NOT-FOR-US: ERPNEXT
@@ -1369,12 +1475,12 @@ CVE-2025-47268 (ping in iputils through 20240905 allows a denial of service (app
NOTE: https://github.com/Zephkek/ping-rtt-overflow/
NOTE: Fixed by: https://github.com/iputils/iputils/commit/070cfacd7348386173231fb16fad4983d4e6ae40
NOTE: Negligible security impact
-CVE-2025-43926 [ZSA-2025-07]
+CVE-2025-43926 (An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. ...)
[experimental] - znuny 6.5.15-1
- znuny 6.5.15-2 (bug #1104739)
[bookworm] - znuny <no-dsa> (Non-free not supported)
NOTE: https://www.znuny.org/en/advisories/zsa-2025-07
-CVE-2025-26847 [ZSA-2025-06]
+CVE-2025-26847 (An issue was discovered in Znuny before 7.1.5. When generating a suppo ...)
[experimental] - znuny 6.5.15-1
- znuny 6.5.15-2 (bug #1104739)
[bookworm] - znuny <no-dsa> (Non-free not supported)
@@ -3806,7 +3912,7 @@ CVE-2025-2817 (Thunderbird's update mechanism allowed a medium-integrity user pr
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-29/#CVE-2025-2817
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-32/#CVE-2025-2817
CVE-2025-30087 [Cross Site Scripting via injection of malicious parameters in a search URL]
- {DSA-5911-1 DSA-5909-1}
+ {DSA-5911-1 DSA-5909-1 DLA-4157-1}
- request-tracker5 5.0.7+dfsg-3 (bug #1104422)
- request-tracker4 <unfixed> (bug #1104424)
NOTE: Fixed by: https://github.com/bestpractical/rt/commit/ac9af1b7fe8dc6af9b6b4627b92fd316d563e0ab (rt-4.4.8)
@@ -3815,7 +3921,7 @@ CVE-2025-30087 [Cross Site Scripting via injection of malicious parameters in a
NOTE: Fixed by: https://github.com/bestpractical/rt/commit/367359e56a599b72c8e38e177eaba9d32e9a5471 (rt-5.0.8)
NOTE: Fixed by: https://github.com/bestpractical/rt/commit/e24ca3b0a63ce9c2b5d4e01cc419af5056deb346 (rt-5.0.8)
CVE-2025-2545 (Vulnerability in Best Practical Solutions, LLC's Request Tracker v5.0. ...)
- {DSA-5911-1 DSA-5909-1}
+ {DSA-5911-1 DSA-5909-1 DLA-4157-1}
- request-tracker5 5.0.7+dfsg-3 (bug #1104422)
- request-tracker4 <unfixed> (bug #1104424)
NOTE: Fixed by: https://github.com/bestpractical/rt/commit/a5042a30aaa0fcf4255d0a06ee2659d302742fc3 (rt-4.4.8)
@@ -6499,7 +6605,7 @@ CVE-2025-24907 (Overview The product uses external input to construct a
NOT-FOR-US: Hitachi Vantara Pentaho Data Integration & Analytics
CVE-2025-1704 (ComponentInstaller Modification in ComponentInstaller in Google Chrome ...)
NOT-FOR-US: ChromeOS
-CVE-2025-1568 (or other security impacts via manipulating IPSET_ATTR_CIDR Netlink att ...)
+CVE-2025-1568 (Access Control Vulnerability in Gerrit chromiumos project configuratio ...)
NOT-FOR-US: ChromeOS
CVE-2025-1566 (DNS Leak in Native System VPN in Google ChromeOS Dev Channel on Chrome ...)
NOT-FOR-US: ChromeOS
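Review bot: the replaced description for CVE-2025-1568 previously read as a fragment about manipulating the IPSET_ATTR_CIDR Netlink attribute, i.e. Linux kernel ipset text, while the entry was already triaged NOT-FOR-US: ChromeOS; the new text (Access Control Vulnerability in Gerrit chromiumos project configuration) matches that triage, but it is worth confirming that the earlier ipset wording was a mis-attached description and not a separate kernel issue that still needs tracking under its own CVE.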
@@ -8936,6 +9042,7 @@ CVE-2025-3102 (The SureTriggers: All-in-One Automation Platform plugin for WordP
CVE-2025-3023
REJECTED
CVE-2025-32728 (In sshd in OpenSSH before 10.0, the DisableForwarding directive does n ...)
+ {DLA-4156-1}
- openssh 1:10.0p1-1 (bug #1102603)
[bookworm] - openssh <no-dsa> (Minor issue)
NOTE: https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041879.html
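Review bot: adding {DLA-4156-1} to CVE-2025-32728 while the [bookworm] line keeps <no-dsa> (Minor issue) leaves stable rated as not worth an advisory for an issue the LTS release has now fixed; that is not wrong in itself, but the bookworm annotation should be re-checked (for example whether the DisableForwarding fix is planned for a point release) so the tracker does not show LTS fixed and stable deliberately unfixed for the same issue without a stated reason.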
@@ -28484,7 +28591,7 @@ CVE-2025-21702 (In the Linux kernel, the following vulnerability has been resolv
{DSA-5900-1}
- linux 6.12.15-1
NOTE: https://git.kernel.org/linus/647cef20e649c576dff271e018d5d15d998b629d (6.14-rc2)
-CVE-2025-26842 [znuny: Information disclosure of S/MIME encrypted emails]
+CVE-2025-26842 (An issue was discovered in Znuny through 7.1.3. If access to a ticket ...)
- znuny 6.5.13-1
[bookworm] - znuny <no-dsa> (Non-free not supported)
NOTE: https://www.znuny.org/en/advisories/zsa-2025-01
@@ -28492,7 +28599,7 @@ CVE-2025-26846 [znuny: Wrong permissions check in the generic interface]
- znuny 6.5.13-1
[bookworm] - znuny <no-dsa> (Non-free not supported)
NOTE: https://www.znuny.org/en/advisories/zsa-2025-02
-CVE-2025-26845 [znuny: privilege escalation in backup script]
+CVE-2025-26845 (An Eval Injection issue was discovered in Znuny through 7.1.3. A user ...)
- znuny 6.5.13-1
[bookworm] - znuny <no-dsa> (Non-free not supported)
NOTE: https://www.znuny.org/en/advisories/zsa-2025-03
@@ -28500,7 +28607,7 @@ CVE-2025-XXXX [znuny: Missing HTTP headers for attachments]
- znuny 6.5.13-1
[bookworm] - znuny <no-dsa> (Non-free not supported)
NOTE: https://www.znuny.org/en/advisories/zsa-2025-04
-CVE-2025-26844 [znuny: HTTP Cookie not set correctly]
+CVE-2025-26844 (An issue was discovered in Znuny through 7.1.3. A cookie is set withou ...)
- znuny 6.5.13-1
[bookworm] - znuny <no-dsa> (Non-free not supported)
NOTE: https://www.znuny.org/en/advisories/zsa-2025-05
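Review bot: the context line CVE-2025-XXXX [znuny: Missing HTTP headers for attachments] (zsa-2025-04) is still a placeholder id while the neighbouring ZSA-2025-01, -03 and -05 entries in these hunks have now received their descriptions from the feed; the automatic update cannot match a placeholder, so this entry will stay stale until a real CVE id is filled in by hand from the advisory.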
@@ -70262,7 +70369,7 @@ CVE-2024-30134 (The HCL Traveler for Microsoft Outlook executable (HTMO.exe) is
NOT-FOR-US: HCL
CVE-2023-46175 (IBM Cloud Pak for Multicloud Management 2.3 through 2.3 FP8 stores use ...)
NOT-FOR-US: IBM
-CVE-2024-47177 (CUPS is a standards-based, open-source printing system, and cups-filte ...)
+CVE-2024-47177 (** DISPUTED ** CUPS is a standards-based, open-source printing system, ...)
- cups-filters <unfixed> (bug #1082822)
[trixie] - cups-filters <ignored> (Mitigated with fixes around CVE-2024-47076, CVE-2024-47175 and CVE-2024-47176)
[bookworm] - cups-filters <ignored> (Mitigated with fixes around CVE-2024-47076, CVE-2024-47175 and CVE-2024-47176)
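Review bot: the new description marks CVE-2024-47177 as ** DISPUTED **, but the package lines are unchanged: cups-filters <unfixed> (bug #1082822) with <ignored> for trixie and bookworm on the grounds that the fixes around CVE-2024-47076, CVE-2024-47175 and CVE-2024-47176 mitigate it; a NOTE recording why the entry is disputed and whether the <ignored> rationale still holds would keep the entry from reading inconsistently (disputed upstream, yet tracked as unfixed with an open bug).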
@@ -120385,7 +120492,7 @@ CVE-2024-3299 (Out-Of-Bounds Write, Use of Uninitialized Resource and Use-After-
CVE-2024-3298 (Out-Of-Bounds Write and Type Confusion vulnerabilities exist in the fi ...)
NOT-FOR-US: Solidworks
CVE-2024-3262 (Information exposure vulnerability in RT software affecting version 4. ...)
- {DSA-5911-1 DSA-5909-1}
+ {DSA-5911-1 DSA-5909-1 DLA-4157-1}
- request-tracker4 4.4.7+dfsg-2 (bug #1068452)
[buster] - request-tracker4 <no-dsa> (Minor issue)
- request-tracker5 5.0.7+dfsg-1 (bug #1068453)
@@ -396765,11 +396872,11 @@ CVE-2020-17388 (This vulnerability allows remote attackers to execute arbitrary
NOT-FOR-US: Marvell QConvergeConsole
CVE-2020-17387 (This vulnerability allows remote attackers to execute arbitrary code o ...)
NOT-FOR-US: Marvell QConvergeConsole
-CVE-2020-17386 (Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputte ...)
+CVE-2020-17386 (Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputt ...)
NOT-FOR-US: Cellopoint Cellos
-CVE-2020-17385 (Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputte ...)
+CVE-2020-17385 (Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputt ...)
NOT-FOR-US: Cellopoint Cellos
-CVE-2020-17384 (Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputte ...)
+CVE-2020-17384 (Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputt ...)
NOT-FOR-US: Cellopoint Cellos
CVE-2020-17383 (A directory traversal vulnerability on Telos Z/IP One devices through ...)
NOT-FOR-US: Telos Z/IP ONE Broadcast
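Review bot: the three Cellopoint descriptions are corrected from "Cellos" to "CelloOS", but the NOT-FOR-US: Cellopoint Cellos lines under CVE-2020-17386, CVE-2020-17385 and CVE-2020-17384 keep the old product name; update them to "NOT-FOR-US: Cellopoint CelloOS" so the triage annotation matches the corrected description.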
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa3a0c5da3377f54c168b8e65ec4ef5ec408828e