[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Oct 3 21:13:10 BST 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
73ef2535 by security tracker role at 2025-10-03T20:13:02+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,273 @@
+CVE-2025-9945 (The Optimize More! \u2013 CSS plugin for WordPress is vulnerable to Cr ...)
+ TODO: check
+CVE-2025-9897 (The AP Background plugin for WordPress is vulnerable to Cross-Site Req ...)
+ TODO: check
+CVE-2025-9895 (The Notification Bar plugin for WordPress is vulnerable to Cross-Site ...)
+ TODO: check
+CVE-2025-9892 (The Restrict User Registration plugin for WordPress is vulnerable to C ...)
+ TODO: check
+CVE-2025-9889 (The ContentMX Content Publisher plugin for WordPress is vulnerable to ...)
+ TODO: check
+CVE-2025-9885 (The MPWizard \u2013 Create Mercado Pago Payment Links plugin for WordP ...)
+ TODO: check
+CVE-2025-9884 (The Mobile Site Redirect plugin for WordPress is vulnerable to Cross-S ...)
+ TODO: check
+CVE-2025-9876 (The Ird Slider plugin for WordPress is vulnerable to Stored Cross-Site ...)
+ TODO: check
+CVE-2025-9875 (The Event Tickets, RSVPs, Calendar plugin for WordPress is vulnerable ...)
+ TODO: check
+CVE-2025-9859 (The Fintelligence Calculator plugin for WordPress is vulnerable to Sto ...)
+ TODO: check
+CVE-2025-9858 (The Auto Bulb Finder for WordPress plugin for WordPress is vulnerable ...)
+ TODO: check
+CVE-2025-9854 (The A Simple Multilanguage Plugin plugin for WordPress is vulnerable t ...)
+ TODO: check
+CVE-2025-9630 (The WP SinoType plugin for WordPress is vulnerable to Cross-Site Reque ...)
+ TODO: check
+CVE-2025-9561 (The AP Background plugin for WordPress is vulnerable to arbitrary file ...)
+ TODO: check
+CVE-2025-9372 (The Ultimate Multi Design Video Carousel plugin for WordPress is vulne ...)
+ TODO: check
+CVE-2025-9333 (The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site ...)
+ TODO: check
+CVE-2025-9332 (The Interactive Human Anatomy with Clickable Body Parts plugin for Wor ...)
+ TODO: check
+CVE-2025-9286 (The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerabl ...)
+ TODO: check
+CVE-2025-9213 (The TextBuilder plugin for WordPress is vulnerable to Cross-Site Reque ...)
+ TODO: check
+CVE-2025-9212 (The WP Dispatcher plugin for WordPress is vulnerable to arbitrary file ...)
+ TODO: check
+CVE-2025-9209 (The RestroPress \u2013 Online Food Ordering System plugin for WordPres ...)
+ TODO: check
+CVE-2025-9206 (The Meks Easy Maps plugin for WordPress is vulnerable to Stored Cross- ...)
+ TODO: check
+CVE-2025-9204 (The X Addons for Elementor plugin for WordPress is vulnerable to Store ...)
+ TODO: check
+CVE-2025-9200 (The Blappsta Mobile App Plugin \u2013 Your native, mobile iPhone App a ...)
+ TODO: check
+CVE-2025-9199 (The Woo superb slideshow transition gallery with random effect plugin ...)
+ TODO: check
+CVE-2025-9198 (The Wp cycle text announcement plugin for WordPress is vulnerable to S ...)
+ TODO: check
+CVE-2025-9194 (The Constructor theme for WordPress is vulnerable to unauthorized modi ...)
+ TODO: check
+CVE-2025-9130 (The Unify plugin for WordPress is vulnerable to Stored Cross-Site Scri ...)
+ TODO: check
+CVE-2025-9129 (The Flexi plugin for WordPress is vulnerable to Stored Cross-Site Scri ...)
+ TODO: check
+CVE-2025-9080 (The Generic Elements plugin for WordPress is vulnerable to Stored Cros ...)
+ TODO: check
+CVE-2025-9077 (The Ultra Addons Lite for Elementor plugin for WordPress is vulnerable ...)
+ TODO: check
+CVE-2025-9045 (The Easy Elementor Addons plugin for WordPress is vulnerable to Stored ...)
+ TODO: check
+CVE-2025-8776 (The Epic Bootstrap Buttons plugin for WordPress is vulnerable to Store ...)
+ TODO: check
+CVE-2025-8669 (The Customify theme for WordPress is vulnerable to Cross-Site Request ...)
+ TODO: check
+CVE-2025-7825 (The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPres ...)
+ TODO: check
+CVE-2025-7721 (The JoomSport \u2013 for Sports: Team & League, Football, Hockey & mor ...)
+ TODO: check
+CVE-2025-6388 (The Spirit Framework plugin for WordPress is vulnerable to authenticat ...)
+ TODO: check
+CVE-2025-61593 (Cursor is a code editor built for programming with AI. In versions 1.7 ...)
+ TODO: check
+CVE-2025-61592 (Cursor is a code editor built for programming with AI. In versions 1.7 ...)
+ TODO: check
+CVE-2025-61591 (Cursor is a code editor built for programming with AI. In versions 1.7 ...)
+ TODO: check
+CVE-2025-61590 (Cursor is a code editor built for programming with AI. Versions 1.6 an ...)
+ TODO: check
+CVE-2025-60787 (MotionEye v0.43.1b4 and before is vulnerable to OS Command Injection i ...)
+ TODO: check
+CVE-2025-60454 (A stored Cross-Site Scripting (XSS) vulnerability has been discovered ...)
+ TODO: check
+CVE-2025-60453 (A stored Cross-Site Scripting (XSS) vulnerability has been discovered ...)
+ TODO: check
+CVE-2025-60452 (A stored Cross-Site Scripting (XSS) vulnerability has been discovered ...)
+ TODO: check
+CVE-2025-60451 (A stored Cross-Site Scripting (XSS) vulnerability has been discovered ...)
+ TODO: check
+CVE-2025-60450 (A stored Cross-Site Scripting (XSS) vulnerability has been discovered ...)
+ TODO: check
+CVE-2025-60449 (An information disclosure vulnerability has been discovered in SeaCMS ...)
+ TODO: check
+CVE-2025-60448 (A stored Cross-Site Scripting (XSS) vulnerability has been discovered ...)
+ TODO: check
+CVE-2025-60447 (A stored Cross-Site Scripting (XSS) vulnerability has been discovered ...)
+ TODO: check
+CVE-2025-60445 (A stored Cross-Site Scripting (XSS) vulnerability has been discovered ...)
+ TODO: check
+CVE-2025-59829 (Claude Code is an agentic coding tool. Versions below 1.0.120 failed t ...)
+ TODO: check
+CVE-2025-59489 (Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux ...)
+ TODO: check
+CVE-2025-57714 (An unquoted search path or element vulnerability has been reported to ...)
+ TODO: check
+CVE-2025-57423 (A SQL injection vulnerability was discovered in the /articles endpoint ...)
+ TODO: check
+CVE-2025-56551 (An issue in DirectAdmin v1.680 allows unauthorized attackers to manipu ...)
+ TODO: check
+CVE-2025-55972 (A TCL Smart TV running a vulnerable UPnP/DLNA MediaRenderer implementa ...)
+ TODO: check
+CVE-2025-55971 (TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.00111 ...)
+ TODO: check
+CVE-2025-54374 (Eidos is an extensible framework for Personal Data Management. Version ...)
+ TODO: check
+CVE-2025-54154 (An improper authentication vulnerability has been reported to affect Q ...)
+ TODO: check
+CVE-2025-54153 (An SQL injection vulnerability has been reported to affect Qsync Centr ...)
+ TODO: check
+CVE-2025-53595 (An SQL injection vulnerability has been reported to affect Qsync Centr ...)
+ TODO: check
+CVE-2025-53407 (A use of externally-controlled format string vulnerability has been re ...)
+ TODO: check
+CVE-2025-53406 (A use of externally-controlled format string vulnerability has been re ...)
+ TODO: check
+CVE-2025-53354 (NiceGUI is a Python-based UI framework. Versions 2.24.2 and below are ...)
+ TODO: check
+CVE-2025-52867 (An uncontrolled resource consumption vulnerability has been reported t ...)
+ TODO: check
+CVE-2025-52866 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-52862 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-52860 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-52859 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-52858 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-52857 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-52855 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-52854 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-52853 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-52658 (HCL MyXalytics 6.6. product is affected by Use of Vulnerable/Outdate ...)
+ TODO: check
+CVE-2025-52656 (HCL MyXalytics: 6.6.is affected by Mass Assignment vulnerability. Mass ...)
+ TODO: check
+CVE-2025-52654 (A vulnerability in HCL HCL MyXalytics allows HTML InjectionThis issue ...)
+ TODO: check
+CVE-2025-52653 (HCL MyXalytics product is affected by Cross Site Scripting vulnerabili ...)
+ TODO: check
+CVE-2025-52433 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-52432 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-52429 (A use of externally-controlled format string vulnerability has been re ...)
+ TODO: check
+CVE-2025-52428 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-52427 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-52424 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-49844 (Redis is an open source, in-memory database that persists on disk. Ver ...)
+ TODO: check
+CVE-2025-49641 (A regular Zabbix user with no permission to the Monitoring -> Problems ...)
+ TODO: check
+CVE-2025-48730 (A use of externally-controlled format string vulnerability has been re ...)
+ TODO: check
+CVE-2025-48729 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-48728 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-48727 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-48726 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-47214 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-47213 (A NULL pointer dereference vulnerability has been reported to affect s ...)
+ TODO: check
+CVE-2025-47212 (A command injection vulnerability has been reported to affect several ...)
+ TODO: check
+CVE-2025-47211 (A path traversal vulnerability has been reported to affect several QNA ...)
+ TODO: check
+CVE-2025-47210 (A NULL pointer dereference vulnerability has been reported to affect Q ...)
+ TODO: check
+CVE-2025-46819 (Redis is an open source, in-memory database that persists on disk. Ver ...)
+ TODO: check
+CVE-2025-46818 (Redis is an open source, in-memory database that persists on disk. Ver ...)
+ TODO: check
+CVE-2025-46817 (Redis is an open source, in-memory database that persists on disk. Ver ...)
+ TODO: check
+CVE-2025-44014 (An out-of-bounds write vulnerability has been reported to affect Qsync ...)
+ TODO: check
+CVE-2025-44012 (An allocation of resources without limits or throttling vulnerability ...)
+ TODO: check
+CVE-2025-44011 (A NULL pointer dereference vulnerability has been reported to affect Q ...)
+ TODO: check
+CVE-2025-44010 (A NULL pointer dereference vulnerability has been reported to affect Q ...)
+ TODO: check
+CVE-2025-44009 (A NULL pointer dereference vulnerability has been reported to affect Q ...)
+ TODO: check
+CVE-2025-44008 (A NULL pointer dereference vulnerability has been reported to affect Q ...)
+ TODO: check
+CVE-2025-44007 (An allocation of resources without limits or throttling vulnerability ...)
+ TODO: check
+CVE-2025-44006 (An allocation of resources without limits or throttling vulnerability ...)
+ TODO: check
+CVE-2025-40636 (SQL injection vulnerability in Joomla module mod_vvisit_counter v2.0.4 ...)
+ TODO: check
+CVE-2025-34226 (OpenPLC Runtime v3 contains an input validation flaw in the /upload-pr ...)
+ TODO: check
+CVE-2025-33040 (An allocation of resources without limits or throttling vulnerability ...)
+ TODO: check
+CVE-2025-33039 (An allocation of resources without limits or throttling vulnerability ...)
+ TODO: check
+CVE-2025-33034 (A path traversal vulnerability has been reported to affect Qsync Centr ...)
+ TODO: check
+CVE-2025-27237 (In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file ...)
+ TODO: check
+CVE-2025-27236 (A regular Zabbix user can search other users in their user group via Z ...)
+ TODO: check
+CVE-2025-27231 (The LDAP 'Bind password' value cannot be read after saving, but a Supe ...)
+ TODO: check
+CVE-2025-11234 (A flaw was found in QEMU. If the QIOChannelWebsock object is freed whi ...)
+ TODO: check
+CVE-2025-11223 (Installer of Panasonic AutoDownloader version 1.2.8 contains ...)
+ TODO: check
+CVE-2025-10729 (The module will parse a <pattern> node which is not a child of a struc ...)
+ TODO: check
+CVE-2025-10728 (When the module renders a Svg file that contains a <pattern> element, ...)
+ TODO: check
+CVE-2025-10726 (The WPRecovery plugin for WordPress is vulnerable to SQL Injection via ...)
+ TODO: check
+CVE-2025-10609 (Use of Hard-coded Credentials vulnerability in Logo Software Inc. Tige ...)
+ TODO: check
+CVE-2025-10582 (The WP Dispatcher plugin for WordPress is vulnerable to SQL Injection ...)
+ TODO: check
+CVE-2025-10547 (An uninitialized variable in the HTTP CGI request arguments processing ...)
+ TODO: check
+CVE-2025-10311 (The Comment Info Detector plugin for WordPress is vulnerable to Cross- ...)
+ TODO: check
+CVE-2025-10309 (The PayPal Forms plugin for WordPress is vulnerable to Cross-Site Requ ...)
+ TODO: check
+CVE-2025-10306 (The Backup Bolt plugin for WordPress is vulnerable to arbitrary file d ...)
+ TODO: check
+CVE-2025-10302 (The Ultimate Viral Quiz plugin for WordPress is vulnerable to Cross-Si ...)
+ TODO: check
+CVE-2025-10212 (The SiteAlert (Formerly WP Health) plugin for WordPress is vulnerable ...)
+ TODO: check
+CVE-2025-10192 (The WP Photo Effects plugin for WordPress is vulnerable to Stored Cros ...)
+ TODO: check
+CVE-2025-10165 (The AP Background plugin for WordPress is vulnerable to Stored Cross-S ...)
+ TODO: check
+CVE-2025-10053 (The TableGen \u2013 Data Table Generator plugin for WordPress is vulne ...)
+ TODO: check
+CVE-2025-0876 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
+ TODO: check
+CVE-2025-0616 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2024-56804 (An SQL injection vulnerability has been reported to affect Video Stati ...)
+ TODO: check
CVE-2025-XXXX [fetchmail-SA-2025-01: SMTP AUTH denial of service]
- fetchmail 6.5.6-1 (bug #1117136)
[trixie] - fetchmail <no-dsa> (Minor issue)
@@ -24,6 +294,7 @@ CVE-2025-61654 [Exclude deleted entries when counting thanks]
NOTE: https://phabricator.wikimedia.org/T397497
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Thanks/+/1193250
CVE-2025-11230 [BUG/CRITICAL: mjson: fix possible DoS when parsing numbers]
+ {DSA-6017-1}
- haproxy 3.2.5-2
[bullseye] - haproxy <not-affected> (Vulnerable code introduced later)
NOTE: Introduced with: https://github.com/haproxy/haproxy/commit/41007a6835fe29f865e01d8fbeb96114c0d01828 (v2.4-dev17)
@@ -272,7 +543,7 @@ CVE-2025-54290 (Information disclosure in image export API in Canonical LXD befo
- incus <unfixed>
- lxd <removed>
NOTE: https://github.com/canonical/lxd/security/advisories/GHSA-p3x5-mvmp-5f35
-CVE-2025-54289 (Privilege Escalation in operations API in Canonical LXD 6.5 on multipl ...)
+CVE-2025-54289 (Privilege Escalation in operations API in Canonical LXD <6.5 on multip ...)
- incus <unfixed>
- lxd <removed>
NOTE: https://github.com/canonical/lxd/security/advisories/GHSA-3g72-chj4-2228
@@ -1558,7 +1829,7 @@ CVE-2024-55017 (Account Takeover in Corezoid 6.6.0 in the OAuth2 implementation
CVE-2025-10725 (A flaw was found in Red Hat Openshift AI Service. A low-privileged att ...)
NOT-FOR-US: OpenShift AI
CVE-2025-9230 (Issue summary: An application trying to decrypt CMS messages encrypted ...)
- {DSA-6015-1}
+ {DSA-6015-1 DLA-4321-1}
- openssl 3.5.4-1
NOTE: https://openssl-library.org/news/secadv/20250930.txt
NOTE: Fixed by: https://github.com/openssl/openssl/commit/5965ea5dd6960f36d8b7f74f8eac67a8eb8f2b45 (openssl-3.3.5)
@@ -2494,6 +2765,7 @@ CVE-2025-10920 [ZDI-CAN-27684: GIMP ICNS File Parsing Out-Of-Bounds Write Remote
NOTE: Introduced after: https://gitlab.gnome.org/GNOME/gimp/-/commit/00232e17875d4676a2c797a429db23b1a9815db8 (GIMP_2_99_14)
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gimp/-/commit/5f4329d324b0db7a857918941ef7e1d27f3d3992
CVE-2025-10921 [GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability]
+ {DSA-6018-1}
- gegl 1:0.4.62-3.1 (bug #1116470)
NOTE: https://gitlab.gnome.org/GNOME/gegl/-/issues/430
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gegl/-/commit/0e68b7471dabf2800d780819c19bd5e6462f565f
@@ -5051,7 +5323,7 @@ CVE-2024-48851 (Improper Validation of Specified Type of Input vulnerability in
NOT-FOR-US: ABB group
CVE-2024-25011 (Ericsson Catalog Manager and Ericsson Order Care APIs do not have auth ...)
NOT-FOR-US: Ericsson
-CVE-2024-13151 (Authorization Bypass Through User-Controlled SQL Primary Key, CWE - 89 ...)
+CVE-2024-13151 (CWE - 89 - Improper Neutralization of Special Elements used in an SQL ...)
NOT-FOR-US: Diva
CVE-2023-49367 (An issue in user interface in Kyocera Command Center RX EXOSYS M5521cd ...)
NOT-FOR-US: Kyocera Command Center RX EXOSYS M5521cdn
@@ -211079,7 +211351,7 @@ CVE-2023-39928 (A use-after-free vulnerability exists in the MediaRecorder API o
[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
NOTE: https://webkitgtk.org/security/WSA-2023-0009.html
-CVE-2023-39916 (NLnet Labs\u2019 Routinator 0.9.0 up to and including 0.12.1 contains ...)
+CVE-2023-39916 (NLnet Labs\u2019 Routinator 0.9.0 up to and including 0.12.1 as well a ...)
- routinator <itp> (bug #929024)
CVE-2023-39915 (NLnet Labs' Routinator up to and including version 0.12.1 may crash wh ...)
- routinator <itp> (bug #929024)
@@ -352478,8 +352750,8 @@ CVE-2021-42195 (An issue was discovered in swftools through 20201222. A heap-buf
NOTE: https://github.com/matthiaskramm/swftools/issues/174
CVE-2021-42194 (The wechat_return function in /controller/Index.php of EyouCms V1.5.4- ...)
NOT-FOR-US: Eyoucms
-CVE-2021-42193
- RESERVED
+CVE-2021-42193 (nopCommerce 4.40.3 is vulnerable to XSS in the Product Name at /Admin/ ...)
+ TODO: check
CVE-2021-42192 (Konga v0.14.9 is affected by an incorrect access control vulnerability ...)
NOT-FOR-US: KONGA
CVE-2021-42191
@@ -729628,13 +729900,13 @@ CVE-2014-2354 (Cogent DataHub before 7.3.5 does not use a salt during password h
NOT-FOR-US: Cogent DataHub
CVE-2014-2353 (Cross-site scripting (XSS) vulnerability in Cogent DataHub before 7.3. ...)
NOT-FOR-US: Cogent DataHub
-CVE-2014-2352 (Directory traversal vulnerability in Cogent DataHub before 7.3.5 allow ...)
+CVE-2014-2352 (The directory specifier can include designators that can be used to t ...)
NOT-FOR-US: Cogent DataHub
CVE-2014-2351 (SQL injection vulnerability in the LiveData service in CSWorks before ...)
NOT-FOR-US: CSWorks
CVE-2014-2350 (Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentia ...)
NOT-FOR-US: Emerson DeltaV
-CVE-2014-2349 (Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 allows local users to mo ...)
+CVE-2014-2349 (Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentia ...)
NOT-FOR-US: Emerson DeltaV
CVE-2014-2348
RESERVED
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73ef253569da73f3cd4eb0f2ab0d93405c5054ab
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73ef253569da73f3cd4eb0f2ab0d93405c5054ab
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20251003/87746c57/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list