[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue Nov 25 08:13:13 GMT 2025



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
403bb753 by security tracker role at 2025-11-25T08:13:02+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,155 @@
+CVE-2025-9803 (lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover d ...)
+	TODO: check
+CVE-2025-6389 (The Sneeit Framework plugin for WordPress is vulnerable to Remote Code ...)
+	TODO: check
+CVE-2025-66187
+	REJECTED
+CVE-2025-66186
+	REJECTED
+CVE-2025-66185
+	REJECTED
+CVE-2025-66184
+	REJECTED
+CVE-2025-66183
+	REJECTED
+CVE-2025-66182
+	REJECTED
+CVE-2025-66181
+	REJECTED
+CVE-2025-66180
+	REJECTED
+CVE-2025-66179
+	REJECTED
+CVE-2025-65951 (Inside Track / Entropy Derby is a research-grade horse-racing betting  ...)
+	TODO: check
+CVE-2025-65944 (Sentry-Javascript is an official Sentry SDKs for JavaScript. From vers ...)
+	TODO: check
+CVE-2025-64761 (OpenBao is an open source identity-based secrets management system. Pr ...)
+	TODO: check
+CVE-2025-64730 (Cross-site scripting vulnerability exists in SNC-CX600W all versions.  ...)
+	TODO: check
+CVE-2025-64693 (Security Point (Windows) of MaLion and MaLionCloud contains a heap-bas ...)
+	TODO: check
+CVE-2025-64304 ("FOD" App uses hard-coded cryptographic keys, which may allow a local  ...)
+	TODO: check
+CVE-2025-63674 (An issue in Blurams Lumi Security Camera (A31C) v23.1227.472.2926 allo ...)
+	TODO: check
+CVE-2025-63498 (alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the ...)
+	TODO: check
+CVE-2025-62691 (Security Point (Windows) of MaLion and MaLionCloud contains a stack-ba ...)
+	TODO: check
+CVE-2025-62497 (Cross-site request forgery vulnerability exists in SNC-CX600W versions ...)
+	TODO: check
+CVE-2025-62155 (New API is a large language mode (LLM) gateway and artificial intellig ...)
+	TODO: check
+CVE-2025-59485 (Incorrect default permissions issue exists in Security Point (Windows) ...)
+	TODO: check
+CVE-2025-59373 (A local privilege escalation vulnerability exists in    the restore me ...)
+	TODO: check
+CVE-2025-59372 (A path traversal vulnerability has been identified in certain router m ...)
+	TODO: check
+CVE-2025-59371 (An authentication bypass vulnerability has been identified in the IFTT ...)
+	TODO: check
+CVE-2025-59370 (A command injection vulnerability has been identified in bwdpi. A remo ...)
+	TODO: check
+CVE-2025-59369 (A SQL injection vulnerability has been identified in bwdpi. A remote,  ...)
+	TODO: check
+CVE-2025-59368 (An integer underflow vulnerability has been identified in Aicloud. An  ...)
+	TODO: check
+CVE-2025-59366 (An authentication-bypass vulnerability exists in AiCloud. This vulnera ...)
+	TODO: check
+CVE-2025-59365 (A stack buffer overflow vulnerability has been identified in certain r ...)
+	TODO: check
+CVE-2025-54563 (An Incorrect Access Control vulnerability was found in the Application ...)
+	TODO: check
+CVE-2025-54347 (A Directory Traversal vulnerability was found in the Application Serve ...)
+	TODO: check
+CVE-2025-54341 (A vulnerability was found in the Application Server of Desktop Alert P ...)
+	TODO: check
+CVE-2025-54338 (An Incorrect Access Control vulnerability was found in the Application ...)
+	TODO: check
+CVE-2025-52538 (Improper input validation within the XOCL driver may allow a local att ...)
+	TODO: check
+CVE-2025-36150 (IBM Concert 1.0.0 through 2.0.0 uses weaker than expected cryptographi ...)
+	TODO: check
+CVE-2025-13644 (MongoDB Server may experience an invariant failure during batched dele ...)
+	TODO: check
+CVE-2025-13643 (A user with access to the cluster with a limited set of privilege acti ...)
+	TODO: check
+CVE-2025-13559 (The EduKart Pro plugin for WordPress is vulnerable to Privilege Escala ...)
+	TODO: check
+CVE-2025-13558 (The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPre ...)
+	TODO: check
+CVE-2025-13507 (Inconsistent object size validation in time series processing logic ma ...)
+	TODO: check
+CVE-2025-13452 (The Admin and Customer Messages After Order for WooCommerce: OrderConv ...)
+	TODO: check
+CVE-2025-13414 (The Chamber Dashboard Business Directory plugin for WordPress is vulne ...)
+	TODO: check
+CVE-2025-13405 (The Ace Post Type Builder plugin for WordPress is vulnerable to unauth ...)
+	TODO: check
+CVE-2025-13404 (The atec Duplicate Page & Post plugin for WordPress is vulnerable to u ...)
+	TODO: check
+CVE-2025-13389 (The Admin and Customer Messages After Order for WooCommerce: OrderConv ...)
+	TODO: check
+CVE-2025-13386 (The Social Images Widget plugin for WordPress is vulnerable to unautho ...)
+	TODO: check
+CVE-2025-13385 (The Bookme \u2013 Free Online Appointment Booking and Scheduling Plugi ...)
+	TODO: check
+CVE-2025-13383 (The Job Board by BestWebSoft plugin for WordPress is vulnerable to Sto ...)
+	TODO: check
+CVE-2025-13382 (The Frontend File Manager Plugin for WordPress is vulnerable to Insecu ...)
+	TODO: check
+CVE-2025-13380 (The AI Engine for WordPress: ChatGPT, GPT Content Generator plugin for ...)
+	TODO: check
+CVE-2025-13376 (The ProjectList plugin for WordPress is vulnerable to arbitrary file u ...)
+	TODO: check
+CVE-2025-13370 (The ProjectList plugin for WordPress is vulnerable to time-based SQL I ...)
+	TODO: check
+CVE-2025-13311 (The Just Highlight plugin for WordPress is vulnerable to Stored Cross- ...)
+	TODO: check
+CVE-2025-13068 (The Telegram Bot & Channel plugin for WordPress is vulnerable to Store ...)
+	TODO: check
+CVE-2025-12893 (Clients may successfully perform a TLS handshake with a MongoDB server ...)
+	TODO: check
+CVE-2025-12742 (A Looker user with a Developer role could cause Looker to execute a ma ...)
+	TODO: check
+CVE-2025-12645 (The Inline frame \u2013 Iframe plugin for WordPress is vulnerable to S ...)
+	TODO: check
+CVE-2025-12634 (The Refund Request for WooCommerce plugin for WordPress is vulnerable  ...)
+	TODO: check
+CVE-2025-12587 (The Peer Publish plugin for WordPress is vulnerable to Cross-Site Requ ...)
+	TODO: check
+CVE-2025-12586 (The Conditional Maintenance Mode for WordPress plugin for WordPress is ...)
+	TODO: check
+CVE-2025-12525 (The Locker Content plugin for WordPress is vulnerable to Sensitive Inf ...)
+	TODO: check
+CVE-2025-12043 (The Autochat Automatic Conversation plugin for WordPress is vulnerable ...)
+	TODO: check
+CVE-2025-12040 (The Wishlist for WooCommerce plugin for WordPress is vulnerable to Ins ...)
+	TODO: check
+CVE-2025-12032 (The Zweb Social Mobile \u2013 \u1ee8ng D\u1ee5ng N\xfat G\u1ecdi Mobil ...)
+	TODO: check
+CVE-2025-12025 (The YouTube Subscribe plugin for WordPress is vulnerable to Stored Cro ...)
+	TODO: check
+CVE-2025-12003 (A path traversal vulnerability has been identified in WebDAV, which ma ...)
+	TODO: check
+CVE-2025-10646 (The Search Exclude plugin for WordPress is vulnerable to unauthorized  ...)
+	TODO: check
+CVE-2025-10144 (The Perfect Brands for WooCommerce plugin for WordPress is vulnerable  ...)
+	TODO: check
+CVE-2025-0007 (Insufficient validation within Xilinx Run Time framework could allow a ...)
+	TODO: check
+CVE-2025-0003 (Inadequate lock protection within Xilinx Run time may allow a local at ...)
+	TODO: check
+CVE-2024-47856 (In RSA Authentication Agent before 7.4.7, service paths and shortcut p ...)
+	TODO: check
+CVE-2024-14007 (Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by  ...)
+	TODO: check
+CVE-2023-7330 (Ruijie NBR series routers contain an unauthenticated arbitrary file up ...)
+	TODO: check
+CVE-2018-25126 (Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by  ...)
+	TODO: check
 CVE-2025-65998 (Apache Syncope can be configured to store the user password values in  ...)
 	NOT-FOR-US: Apache software not packaged in Debian
 CVE-2025-65503 (Use after free in endpoint destructors in Redboltz async_mqtt 10.2.5 a ...)
@@ -293,25 +445,25 @@ CVE-2025-13318 (The Booking Calendar Contact Form plugin for WordPress is vulner
 	NOT-FOR-US: WordPress plugin
 CVE-2025-13136 (The GSheetConnector For Ninja Forms plugin for WordPress is vulnerable ...)
 	NOT-FOR-US: WordPress plugin
-CVE-2025-64505
+CVE-2025-64505 (LIBPNG is a reference library for use in applications that read, creat ...)
 	- libpng1.6 1.6.51-1 (bug #1121219)
 	NOTE: https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42
 	NOTE: https://github.com/pnggroup/libpng/pull/748
 	NOTE: https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37 (v1.6.51)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/11/22/1
-CVE-2025-64506
+CVE-2025-64506 (LIBPNG is a reference library for use in applications that read, creat ...)
 	- libpng1.6 1.6.51-1 (bug #1121218)
 	NOTE: https://github.com/pnggroup/libpng/security/advisories/GHSA-qpr4-xm66-hww6
 	NOTE: https://github.com/pnggroup/libpng/pull/749
 	NOTE: https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821 (v1.6.51)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/11/22/1
-CVE-2025-64720
+CVE-2025-64720 (LIBPNG is a reference library for use in applications that read, creat ...)
 	- libpng1.6 1.6.51-1 (bug #1121217)
 	NOTE: https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww
 	NOTE: https://github.com/pnggroup/libpng/issues/686
 	NOTE: https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643 (v1.6.51)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/11/22/1
-CVE-2025-65018
+CVE-2025-65018 (LIBPNG is a reference library for use in applications that read, creat ...)
 	- libpng1.6 1.6.51-1 (bug #1121216)
 	NOTE: https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g
 	NOTE: https://github.com/pnggroup/libpng/issues/755
@@ -504,11 +656,11 @@ CVE-2025-62608 (MLX is an array framework for machine learning on Apple silicon.
 	NOT-FOR-US: MLX
 CVE-2025-54866 (Wazuh is a free and open source platform used for threat prevention, d ...)
 	NOT-FOR-US: Wazuh
-CVE-2025-29933
+CVE-2025-29933 (Improper input validation within AMD uProf can allow a local attacker  ...)
 	NOT-FOR-US: AMD
-CVE-2025-48510
+CVE-2025-48510 (Improper return value within AMD uProf can allow a local attacker to b ...)
 	NOT-FOR-US: AMD
-CVE-2025-48511
+CVE-2025-48511 (Improper input validation within AMD uprof can allow a local attacker  ...)
 	NOT-FOR-US: AMD
 CVE-2025-48502 (Improper input validation within AMD uprof can allow a local attacker  ...)
 	NOT-FOR-US: AMD
@@ -1734,7 +1886,7 @@ CVE-2025-40936 (A vulnerability has been identified in PS/IGES Parasolid Transla
 	NOT-FOR-US: Siemens
 CVE-2025-40834 (A vulnerability has been identified in Mendix RichText (All versions > ...)
 	NOT-FOR-US: Siemens
-CVE-2025-34323 (Nagios Log Server versions prior to 2026R1.0.1 are vulnerable to local ...)
+CVE-2025-34323 (NagiosLog Server versions prior to 2026R1.0.1 are vulnerable to local  ...)
 	NOT-FOR-US: Nagios Log Server
 CVE-2025-34322 (Nagios Log Server versions prior to 2026R1.0.1 contain an authenticate ...)
 	NOT-FOR-US: Nagios Log Server
@@ -38222,6 +38374,7 @@ CVE-2025-8507 (A vulnerability was found in Portabilis i-Educar 2.9. It has been
 CVE-2025-8506 (A vulnerability was found in 495300897 wx-shop up to de1b6633136869577 ...)
 	NOT-FOR-US: wx-shop
 CVE-2025-54956 (The gh package before 1.5.0 for R delivers an HTTP response in a data  ...)
+	{DLA-4378-1}
 	- r-cran-gh 1.5.0-1 (bug #1110481)
 	[trixie] - r-cran-gh <no-dsa> (Minor issue)
 	[bookworm] - r-cran-gh <no-dsa> (Minor issue)
@@ -226846,6 +226999,7 @@ CVE-2023-41867 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Ac
 CVE-2023-41863 (Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Pepro Dev.  ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2023-41419 (An issue in Gevent before version 23.9.0 allows a remote attacker to e ...)
+	{DLA-4377-1}
 	- python-gevent 23.9.1-0.1
 	[bookworm] - python-gevent <no-dsa> (Minor issue)
 	NOTE: https://github.com/gevent/gevent/issues/1989



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/403bb7538abaf1f9ff5fcd8d53f6e65407a4aa8f


