[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Nov 20 20:13:23 GMT 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
fe47e152 by security tracker role at 2025-11-20T20:13:17+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,133 @@
+CVE-2025-65226 (Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the devic ...)
+ TODO: check
+CVE-2025-65223 (Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the urls ...)
+ TODO: check
+CVE-2025-65222 (Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the reboo ...)
+ TODO: check
+CVE-2025-65221 (Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the list ...)
+ TODO: check
+CVE-2025-65220 (Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow in: /goform/S ...)
+ TODO: check
+CVE-2025-64428 (Dataease is an open source data visualization analysis tool. Versions ...)
+ TODO: check
+CVE-2025-64185 (Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 an ...)
+ TODO: check
+CVE-2025-64027 (Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scriptin ...)
+ TODO: check
+CVE-2025-63889 (The fetch function in file thinkphp\library\think\Template.php in Thin ...)
+ TODO: check
+CVE-2025-63888 (The read function in file thinkphp\library\think\template\driver\File. ...)
+ TODO: check
+CVE-2025-63848 (Stored cross site scripting (xss) vulnerability in SWISH prolog thru 2 ...)
+ TODO: check
+CVE-2025-63700 (An issue was discovered in Clerk-js 5.88.0 allowing attackers to bypas ...)
+ TODO: check
+CVE-2025-62731 (SOPlanning is vulnerable to Stored XSS in /feriesendpoint. Malicious a ...)
+ TODO: check
+CVE-2025-62730 (SOPlanning is vulnerable to Privilege Escalation in user management ta ...)
+ TODO: check
+CVE-2025-62729 (SOPlanning is vulnerable to Stored XSS in /statusendpoint. Malicious a ...)
+ TODO: check
+CVE-2025-62724 (Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 an ...)
+ TODO: check
+CVE-2025-62709 (ClipBucket v5 is an open source video sharing platform. In ClipBucket ...)
+ TODO: check
+CVE-2025-62346 (A Cross-Site Request Forgery (CSRF) vulnerability was identified in HC ...)
+ TODO: check
+CVE-2025-62297 (SOPlanning is vulnerable to Stored XSS in /projetsendpoint. Malicious ...)
+ TODO: check
+CVE-2025-62296 (SOPlanning is vulnerable to Stored XSS in /tachesendpoint. Malicious a ...)
+ TODO: check
+CVE-2025-62295 (SOPlanning is vulnerable to Stored XSS in /groupe_formendpoint. Malici ...)
+ TODO: check
+CVE-2025-62294 (SOPlanning is vulnerable to Predictable Generation of Password Recover ...)
+ TODO: check
+CVE-2025-62293 (SOPlanning is vulnerable to Broken Access Control in /statusendpoint. ...)
+ TODO: check
+CVE-2025-60799 (phpPgAdmin 7.13.0 and earlier contains an incorrect access control vul ...)
+ TODO: check
+CVE-2025-60798 (phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability i ...)
+ TODO: check
+CVE-2025-60797 (phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability i ...)
+ TODO: check
+CVE-2025-60796 (phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting ( ...)
+ TODO: check
+CVE-2025-60794 (Session tokens and passwords in couch-auth 0.21.2 are stored in JavaSc ...)
+ TODO: check
+CVE-2025-60738 (An issue in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and b ...)
+ TODO: check
+CVE-2025-60737 (Cross Site Scripting vulnerability in Ilevia EVE X1 Server Firmware Ve ...)
+ TODO: check
+CVE-2025-55128 (HackerOne community member Dao Hoang Anh (yoyomiski) has reported an u ...)
+ TODO: check
+CVE-2025-55127 (HackerOne community member Dao Hoang Anh (yoyomiski) has reported an i ...)
+ TODO: check
+CVE-2025-55126 (HackerOne community member Dang Hung Vi (vidang04) has reported a stor ...)
+ TODO: check
+CVE-2025-55124 (Improper neutralisation of input in Revive Adserver 6.0.0+ causes a re ...)
+ TODO: check
+CVE-2025-55123 (Improper neutralization of input in Revive Adserver 5.5.2 and 6.0.1 an ...)
+ TODO: check
+CVE-2025-52671 (Debug information disclosure in the SQL error message to in Revive Ads ...)
+ TODO: check
+CVE-2025-52670 (Missing authorization check in Revive Adserver 5.5.2 and 6.0.1 and ear ...)
+ TODO: check
+CVE-2025-52669 (Insecure design policies in the user management system of Revive Adser ...)
+ TODO: check
+CVE-2025-52668 (Improper input neutralization in the stats-conversions.php script in R ...)
+ TODO: check
+CVE-2025-52667 (Missing JSON Content-Type header in a script in Revive Adserver 6.0.1 ...)
+ TODO: check
+CVE-2025-52666 (Improper neutralisation of format characters in the settings of Revive ...)
+ TODO: check
+CVE-2025-52410 (Institute-of-Current-Students v1.0 contains a time-based blind SQL inj ...)
+ TODO: check
+CVE-2025-48987 (Improper Neutralization of Input in Revive Adserver 5.5.2 and 6.0.1 an ...)
+ TODO: check
+CVE-2025-48986 (Authorization bypass in Revive Adserver 5.5.2 and 6.0.1 and earlier ve ...)
+ TODO: check
+CVE-2025-41076 (In version 6.13.0 of LimeSurvey, any external user can cause a 500 err ...)
+ TODO: check
+CVE-2025-41075 (Vulnerability in LimeSurvey 6.13.0 in the endpoint /optinthat causes i ...)
+ TODO: check
+CVE-2025-41074 (Vulnerability in LimeSurvey 6.13.0 in the endpoint /optout that cause ...)
+ TODO: check
+CVE-2025-40605 (A Path Traversal vulnerability has been identified in the Email Securi ...)
+ TODO: check
+CVE-2025-40604 (Download of Code Without Integrity Check Vulnerability in the SonicWal ...)
+ TODO: check
+CVE-2025-40601 (A Stack-based buffer overflow vulnerability in the SonicOS SSLVPN serv ...)
+ TODO: check
+CVE-2025-36161 (IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtai ...)
+ TODO: check
+CVE-2025-35029 (Medical Informatics Engineering Enterprise Health has a stored cross s ...)
+ TODO: check
+CVE-2025-34320 (BASIS BBj versions prior to 25.00 contain a Jetty-served web endpoint ...)
+ TODO: check
+CVE-2025-13469 (A security vulnerability has been detected in Public Knowledge Project ...)
+ TODO: check
+CVE-2025-13468 (A weakness has been identified in SourceCodester Alumni Management Sys ...)
+ TODO: check
+CVE-2025-13437 (When zx is invoked with --prefer-local=<path>, the CLI creates a symli ...)
+ TODO: check
+CVE-2025-13425 (A bug in the filesystem traversal fallback path causes fs/diriterate/d ...)
+ TODO: check
+CVE-2025-12414 (An attacker could take over a Looker account in a Looker instance conf ...)
+ TODO: check
+CVE-2025-12121 (Lite XL versions 2.1.8 and prior contain a vulnerability in the system ...)
+ TODO: check
+CVE-2025-12120 (Lite XL versions 2.1.8 and prior automatically execute the .lite_proje ...)
+ TODO: check
+CVE-2025-11676 (Improper input validation vulnerability in TP-Link System Inc. TL-WR94 ...)
+ TODO: check
+CVE-2025-10571 (Authentication Bypass Using an Alternate Path or Channel vulnerability ...)
+ TODO: check
+CVE-2025-0645 (Unrestricted Upload of File with Dangerous Type vulnerability in Narko ...)
+ TODO: check
+CVE-2025-0643 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
+ TODO: check
+CVE-2024-31405
+ REJECTED
CVE-2025-13402 [RNP PKESK Session Keys Generated as All-Zero]
- rnp <unfixed> (bug #1121081)
[trixie] - rnp <not-affected> (Vulnerable code introduced later)
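Review bot: CVE-2024-31405 is the one entry in this hunk filed without a description line, and it is marked `REJECTED` rather than `TODO: check`; that matches how the rejected ids are represented further down in the same patch, so no change is needed there. The remaining 64 entries (CVE-2025-65226 through CVE-2025-0643) all carry only the `TODO: check` placeholder and no package mapping, which is the expected shape of an automatic import; they are the triage queue, not something to fix in this hunk. Note that in this rendering the context lines have lost their leading space, so `- rnp <unfixed> (bug #1121081)` reads like a removal but is unchanged context.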
@@ -1995,7 +2125,7 @@ CVE-2025-59088 (If kdcproxy receives a request for a realm which does not have s
[bullseye] - python-kdcproxy <postponed> (Minor issue)
NOTE: https://github.com/latchset/kdcproxy/pull/68
NOTE: Fixed by: https://github.com/latchset/kdcproxy/commit/1773f28eeea72ec6efcd433d3b66595c44d1253f
-CVE-2025-64524
+CVE-2025-64524 (cups-filters contains backends, filters, and other software required t ...)
- libcupsfilters <unfixed>
[trixie] - libcupsfilters <no-dsa> (Minor issue)
- cups-filters 1.28.17-7
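Review bot: only the description line of CVE-2025-64524 changes here, while the package state it sits above (`- libcupsfilters <unfixed>`, `[trixie] - libcupsfilters <no-dsa> (Minor issue)`, `- cups-filters 1.28.17-7`) predates the description. Now that the CVE text is available it is worth re-checking that the `libcupsfilters <unfixed>` line still reflects reality, since the fixed `cups-filters 1.28.17-7` entry suggests the affected code may have been tracked in two source packages.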
@@ -3550,7 +3680,8 @@ CVE-2025-12875 (A weakness has been identified in mruby 3.4.0. This vulnerabilit
NOTE: https://github.com/mruby/mruby/issues/6650
NOTE: Introduced with: https://github.com/mruby/mruby/commit/9e8cda73f69493012c8784667b03016c2072ed2b
NOTE: Fixed by: https://github.com/mruby/mruby/commit/93619f06dd378db6766666b30c08978311c7ec94
-CVE-2025-12863 (A flaw was found in the xmlSetTreeDoc() function of the libxml2 XML pa ...)
+CVE-2025-12863
+ REJECTED
- libxml2 2.15.1+dfsg-0.4 (bug #1120364; unimportant)
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/1012
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/349
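Review bot: CVE-2025-12863 gains a `REJECTED` marker but keeps its package line `- libxml2 2.15.1+dfsg-0.4 (bug #1120364; unimportant)` and both upstream NOTE links. Keeping the lines is harmless for the tracker, but bug #1120364 still carries this CVE id in its record; whoever closes the loop should check that the bug title or its close message reflects the rejection so the id is not cited as a live issue elsewhere.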
@@ -5247,7 +5378,7 @@ CVE-2024-51317 (An issue in NetSurf v.3.11 allows a remote attacker to execute a
[bullseye] - netsurf <postponed> (Minor issue)
NOTE: https://github.com/Fysac/netsurf-disclosure/tree/main/CVE-2024-51317
NOTE: https://github.com/netsurf-browser/libdom/commit/7d317df204d18f161f0a8ffed958ef60eb2692fe
-CVE-2025-62875 [Denial-of-Service via UNIX Domain Socket]
+CVE-2025-62875 (An Improper Check for Unusual or Exceptional Conditions vulnerability ...)
- opensmtpd 7.8.0p0-1 (bug #1119840)
[trixie] - opensmtpd <no-dsa> (Minor issue)
[bookworm] - opensmtpd <no-dsa> (Minor issue)
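Review bot: the bracketed placeholder title `[Denial-of-Service via UNIX Domain Socket]` on CVE-2025-62875 is replaced by the official, truncated description, which is the tracker's usual convention once a CVE text is published. The placeholder's phrase "UNIX Domain Socket" is no longer visible on the line, so anyone relying on the summary should follow the description rather than the old title; the package states below it (`opensmtpd 7.8.0p0-1 (bug #1119840)`, trixie and bookworm `<no-dsa>`) are untouched.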
@@ -20045,7 +20176,8 @@ CVE-2025-57903 (Improper Neutralization of Input During Web Page Generation ('Cr
NOT-FOR-US: WordPress plugin or theme
CVE-2025-57902 (Cross-Site Request Forgery (CSRF) vulnerability in Md Taufiqur Rahman ...)
NOT-FOR-US: WordPress plugin or theme
-CVE-2025-57901 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+CVE-2025-57901
+ REJECTED
NOT-FOR-US: WordPress plugin or theme
CVE-2025-57900 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
NOT-FOR-US: WordPress plugin or theme
@@ -23034,7 +23166,7 @@ CVE-2025-43370 (A path handling issue was addressed with improved validation. Th
CVE-2025-43369 (This issue was addressed with improved handling of symlinks. This issu ...)
NOT-FOR-US: Apple
CVE-2025-43368 (A use-after-free issue was addressed with improved memory management. ...)
- {DSA-6042-1}
+ {DSA-6042-1 DLA-4375-1}
- webkit2gtk 2.50.0-1
- wpewebkit 2.50.0-1
[trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
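Review bot: the change on CVE-2025-43368 is a pure reference update, `{DSA-6042-1}` becoming `{DSA-6042-1 DLA-4375-1}`, and the same edit is repeated on the other webkit2gtk entries in this patch. No explicit bookworm line is shown for webkit2gtk, so the DLA reference is the only thing that records the fixed state for bookworm; that is how the tracker treats DSA/DLA markers, but it means DLA-4375-1 must actually list this CVE id, otherwise the bookworm status silently goes unrecorded.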
@@ -23054,7 +23186,7 @@ CVE-2025-43358 (A permissions issue was addressed with additional sandbox restri
CVE-2025-43357 (This issue was addressed with improved redaction of sensitive informat ...)
NOT-FOR-US: Apple
CVE-2025-43356 (The issue was addressed with improved handling of caches. This issue i ...)
- {DSA-6042-1}
+ {DSA-6042-1 DLA-4375-1}
- webkit2gtk 2.50.0-1
- wpewebkit 2.50.0-1
[trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
@@ -23076,7 +23208,7 @@ CVE-2025-43346 (An out-of-bounds access issue was addressed with improved bounds
CVE-2025-43344 (An out-of-bounds access issue was addressed with improved bounds check ...)
NOT-FOR-US: Apple
CVE-2025-43343 (The issue was addressed with improved memory handling. This issue is f ...)
- {DSA-6042-1}
+ {DSA-6042-1 DLA-4375-1}
- webkit2gtk 2.50.1-1
- wpewebkit 2.50.1-1
[trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
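Review bot: CVE-2025-43343 differs from the other entries receiving `DLA-4375-1` in this patch in that its unstable fix is `webkit2gtk 2.50.1-1` and `wpewebkit 2.50.1-1`, not `2.50.0-1`. Adding the same DLA to an entry fixed one upstream point release later is plausible if the bookworm update was based on 2.50.1, but it is worth confirming that DLA-4375-1 covers this id specifically rather than assuming it from the neighbouring entries.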
@@ -23084,7 +23216,7 @@ CVE-2025-43343 (The issue was addressed with improved memory handling. This issu
[bullseye] - wpewebkit <end-of-life> (see #1035997)
NOTE: https://webkitgtk.org/security/WSA-2025-0007.html
CVE-2025-43342 (A correctness issue was addressed with improved checks. This issue is ...)
- {DSA-6042-1}
+ {DSA-6042-1 DLA-4375-1}
- webkit2gtk 2.50.0-1
- wpewebkit 2.50.0-1
[trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
@@ -23176,7 +23308,7 @@ CVE-2025-43283 (An out-of-bounds read was addressed with improved bounds checkin
CVE-2025-43279 (A privacy issue was addressed with improved private data redaction for ...)
NOT-FOR-US: Apple
CVE-2025-43272 (The issue was addressed with improved memory handling. This issue is f ...)
- {DSA-6042-1}
+ {DSA-6042-1 DLA-4375-1}
- webkit2gtk 2.50.0-1
- wpewebkit 2.50.0-1
[trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe47e15210ee5a54756f41761710249c0b91cac9