[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Oct 10 21:13:04 BST 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
10021f7f by security tracker role at 2025-10-10T20:12:57+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,141 @@
+CVE-2025-8887 (Authorization Bypass Through User-Controlled Key, Missing Authorizatio ...)
+ TODO: check
+CVE-2025-8886 (Incorrect Permission Assignment for Critical Resource, Exposure of Sen ...)
+ TODO: check
+CVE-2025-7781 (The WP JobHunt plugin for WordPress, used by the JobCareer theme, is v ...)
+ TODO: check
+CVE-2025-7374 (The WP JobHunt plugin for WordPress, used by the JobCareer theme, is v ...)
+ TODO: check
+CVE-2025-62245 (Cross-site request forgery (CSRF) vulnerability in Liferay Portal 7.4. ...)
+ TODO: check
+CVE-2025-62239 (Cross-site scripting (XSS) vulnerability in workflow process builder i ...)
+ TODO: check
+CVE-2025-62238 (Stored cross-site scripting (XSS) vulnerability on the Membership page ...)
+ TODO: check
+CVE-2025-62237 (Stored cross-site scripting (XSS) vulnerability in Commerce\u2019s vie ...)
+ TODO: check
+CVE-2025-61929 (Cherry Studio is a desktop client that supports for multiple LLM provi ...)
+ TODO: check
+CVE-2025-61927 (Happy DOM is a JavaScript implementation of a web browser without its ...)
+ TODO: check
+CVE-2025-61925 (Astro is a web framework. Prior to version 5.14.2, Astro reflects the ...)
+ TODO: check
+CVE-2025-61921 (Sinatra is a domain-specific language for creating web applications in ...)
+ TODO: check
+CVE-2025-61920 (Authlib is a Python library which builds OAuth and OpenID Connect serv ...)
+ TODO: check
+CVE-2025-61919 (Rack is a modular Ruby web server interface. Prior to versions 2.2.20, ...)
+ TODO: check
+CVE-2025-61864 (A use after free vulnerability exists in VS6ComFile!load_link_inf of V ...)
+ TODO: check
+CVE-2025-61863 (An out-of-bounds read vulnerability exists in VS6ComFile!CSaveData::de ...)
+ TODO: check
+CVE-2025-61862 (An out-of-bounds read vulnerability exists in VS6ComFile!get_ovlp_elem ...)
+ TODO: check
+CVE-2025-61861 (An out-of-bounds read vulnerability exists in VS6ComFile!load_link_inf ...)
+ TODO: check
+CVE-2025-61860 (An out-of-bounds read vulnerability exists in VS6MemInIF!set_temp_type ...)
+ TODO: check
+CVE-2025-61859 (An out-of-bounds write vulnerability exists in VS6ComFile!CItemDraw::i ...)
+ TODO: check
+CVE-2025-61858 (An out-of-bounds write vulnerability exists in VS6ComFile!set_Animatio ...)
+ TODO: check
+CVE-2025-61857 (An out-of-bounds write vulnerability exists in VS6ComFile!CItemExChang ...)
+ TODO: check
+CVE-2025-61856 (A stack-based buffer overflow vulnerability exists in VS6ComFile!CV7Ba ...)
+ TODO: check
+CVE-2025-61780 (Rack is a modular Ruby web server interface. Prior to versions 2.2.20, ...)
+ TODO: check
+CVE-2025-61689 (HTTP.jl is an HTTP client and server functionality for the Julia progr ...)
+ TODO: check
+CVE-2025-61505 (e107 CMS thru 2.3.3 are vulnerable to insecure deserialization in the ...)
+ TODO: check
+CVE-2025-61319 (ReNgine thru 2.2.0 is vulnerable to a Stored Cross-Site Scripting (XSS ...)
+ TODO: check
+CVE-2025-61152 (python-jose thru 3.3.0 allows JWT tokens with 'alg=none' to be decoded ...)
+ TODO: check
+CVE-2025-60880 (An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 ...)
+ TODO: check
+CVE-2025-60869 (Publii CMS v0.46.5 (build 17089) allows persistent Cross-Site Scriptin ...)
+ TODO: check
+CVE-2025-60868 (The Alt Redirect 1.6.3 addon for Statamic fails to consistently strip ...)
+ TODO: check
+CVE-2025-60838 (An arbitrary file upload vulnerability in MCMS v6.0.1 allows attackers ...)
+ TODO: check
+CVE-2025-60378 (Stored HTML injection in RISE Ultimate Project Manager & CRM allows au ...)
+ TODO: check
+CVE-2025-60308 (code-projects Simple Online Hotel Reservation System 1.0 has a Cross S ...)
+ TODO: check
+CVE-2025-60307 (code-projects Computer Laboratory System 1.0 has a SQL injection vulne ...)
+ TODO: check
+CVE-2025-60306 (code-projects Simple Car Rental System 1.0 has a permission bypass iss ...)
+ TODO: check
+CVE-2025-60305 (SourceCodester Online Student Clearance System 1.0 is vulnerable to In ...)
+ TODO: check
+CVE-2025-60269 (JEEWMS 20250820 is vulnerable to SQL Injection in the exportXls functi ...)
+ TODO: check
+CVE-2025-60268 (An arbitrary file upload vulnerability exists in JeeWMS 20250820, whic ...)
+ TODO: check
+CVE-2025-59530 (quic-go is an implementation of the QUIC protocol in Go. In versions p ...)
+ TODO: check
+CVE-2025-55903 (A HTML injection vulnerability exists in Perfex CRM v3.3.1. The applic ...)
+ TODO: check
+CVE-2025-52655 (Inclusion of Functionality from Untrusted Control Sphere vulnerability ...)
+ TODO: check
+CVE-2025-52650 (Inline script execution allowed in CSP vulnerability has been identifi ...)
+ TODO: check
+CVE-2025-52635 (A rusted types in scripts not enforced in CSP vulnerability has been ...)
+ TODO: check
+CVE-2025-52634 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
+ TODO: check
+CVE-2025-52632 (A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerabi ...)
+ TODO: check
+CVE-2025-52630 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
+ TODO: check
+CVE-2025-52625 (A vulnerability Cacheable SSL Page Found vulnerability has been ident ...)
+ TODO: check
+CVE-2025-52624 (A vulnerabilityBypass of the script allowlist configuration in HCL AIO ...)
+ TODO: check
+CVE-2025-48043 (Incorrect Authorization vulnerability in ash-project ash allows Authen ...)
+ TODO: check
+CVE-2025-41089 (Reflected Cross-Site Scripting (XSS) in Xibo CMS v4.1.2 from Xibo Sign ...)
+ TODO: check
+CVE-2025-41088 (Stored Cross-Site Scripting (XSS) in Xibo Signage's Xibo CMS v4.1.2, d ...)
+ TODO: check
+CVE-2025-40640 (Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by ...)
+ TODO: check
+CVE-2025-37727 (Insertion of sensitive information in log file in Elasticsearch can le ...)
+ TODO: check
+CVE-2025-30001 (Incorrect Execution-Assigned Permissions vulnerability in Apache Strea ...)
+ TODO: check
+CVE-2025-25018 (Improper Neutralization of Input During Web Page Generation in Kibana ...)
+ TODO: check
+CVE-2025-25017 (Improper Neutralization of Input During Web Page Generation in Kibana ...)
+ TODO: check
+CVE-2025-23309 (NVIDIA Display Driver contains a vulnerability where an uncontrolled D ...)
+ TODO: check
+CVE-2025-23282 (NVIDIA Display Driver for Linux contains a vulnerability where an atta ...)
+ TODO: check
+CVE-2025-23280 (NVIDIA Display Driver for Linux contains a vulnerability where an atta ...)
+ TODO: check
+CVE-2025-11618 (A missing validation check in FreeRTOS-Plus-TCP's UDP/IPv6 packet proc ...)
+ TODO: check
+CVE-2025-11617 (A missing validation check in FreeRTOS-Plus-TCP's IPv6 packet processi ...)
+ TODO: check
+CVE-2025-11616 (A missing validation check in FreeRTOS-Plus-TCP's ICMPv6 packet proces ...)
+ TODO: check
+CVE-2025-11581 (A security vulnerability has been detected in PowerJob up to 5.1.2. Th ...)
+ TODO: check
+CVE-2025-11580 (A weakness has been identified in PowerJob up to 5.1.2. This affects t ...)
+ TODO: check
+CVE-2025-11579 (github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dic ...)
+ TODO: check
+CVE-2025-11190 (The Kiwire Captive Portal contains an open redirection issue via the l ...)
+ TODO: check
+CVE-2025-11189 (The Kiwire Captive Portal contains a reflected cross-site scripting (X ...)
+ TODO: check
+CVE-2025-11188 (The Kiwire Captive Portal contains a blind SQL injection in the nas-id ...)
+ TODO: check
CVE-2025-11002
- 7zip 25.00+dfsg-1
[trixie] - 7zip <no-dsa> (Minor issue)
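Review bot: every one of the 69 new entries lands as a bare `TODO: check` placeholder, so this hunk records that the IDs exist but says nothing yet about whether Debian ships the affected software; the entries for Rack (CVE-2025-61919, CVE-2025-61780), Sinatra (CVE-2025-61921), Authlib (CVE-2025-61920), python-jose (CVE-2025-61152), quic-go (CVE-2025-59530) and rardecode (CVE-2025-11579) name software that is plausibly packaged and are the ones to triage first, while the Elasticsearch/Kibana, NVIDIA, QNAP-style vendor entries will most likely resolve to `NOT-FOR-US`. Two smaller points in the imported text: the CVE-2025-62237 line carries a literal `\u2019` where the upstream description has a typographic apostrophe, which suggests the import step did not decode the JSON escape and is better fixed in the importer than by hand here; and the odd wording in the CVE-2025-52635, CVE-2025-52625 and CVE-2025-52624 descriptions is mirrored verbatim from upstream and should be left as-is rather than corrected locally.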
@@ -2763,11 +2901,11 @@ CVE-2025-52854 (A NULL pointer dereference vulnerability has been reported to af
NOT-FOR-US: QNAP
CVE-2025-52853 (A NULL pointer dereference vulnerability has been reported to affect s ...)
NOT-FOR-US: QNAP
-CVE-2025-52658 (HCL MyXalytics 6.6. product is affected by Use of Vulnerable/Outdate ...)
+CVE-2025-52658 (HCL MyXalytics is affected by the use of vulnerable/outdated versions ...)
NOT-FOR-US: HCL
CVE-2025-52656 (HCL MyXalytics: 6.6.is affected by Mass Assignment vulnerability. Mass ...)
NOT-FOR-US: HCL
-CVE-2025-52654 (A vulnerability in HCL HCL MyXalytics allows HTML InjectionThis issue ...)
+CVE-2025-52654 (HCL MyXalytics v6.6 is affected by an HTML Injection. This issue occur ...)
NOT-FOR-US: HCL
CVE-2025-52653 (HCL MyXalytics product is affected by Cross Site Scripting vulnerabili ...)
NOT-FOR-US: HCL
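Review bot: the two rewritten HCL MyXalytics descriptions (CVE-2025-52658, CVE-2025-52654) track upstream's revised wording and keep their `NOT-FOR-US: HCL` annotation, which is the correct outcome; the neighbouring CVE-2025-52656 line still reads `6.6.is`, but that is upstream's text and not something to patch in this file.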
@@ -3248,7 +3386,7 @@ CVE-2025-40990 (Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by
NOT-FOR-US: Ekushey CRM
CVE-2025-40989 (Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creat ...)
NOT-FOR-US: Ekushey CRM
-CVE-2025-40646 (Exposure of sensitive information in Viday. This vulnerability could a ...)
+CVE-2025-40646 (Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by ...)
NOT-FOR-US: Viday
CVE-2025-40645 (Exposure of sensitive information in Viday. This vulnerability could a ...)
NOT-FOR-US: Viday
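Review bot: the CVE-2025-40646 description now names "Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025", matching the new CVE-2025-40640 entry added earlier in this commit, yet the unchanged context line below it still says `NOT-FOR-US: Viday`, so the annotation no longer agrees with the description. Either upstream reassigned or rewrote this ID and the reason should become `NOT-FOR-US: Energy CRM`, or the automatic update picked up the wrong description; check the upstream record before the next manual pass and adjust the `NOT-FOR-US` line accordingly.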
@@ -6358,7 +6496,7 @@ CVE-2025-60020 (nncp before 8.12.0 allows path traversal (for reading or writing
NOTE: http://www.nncpgo.org/Release-8_005f12_005f0.html
NOTE: http://lists.cypherpunks.su/archive/nncp-devel/CAO-d-4riai9EZx4gVfekow-BCtTn07k8BB1ZdsopPVw=scWD1A@mail.gmail.com/T/#md678a00df1020bb811f47f42ef33c54b789cddd7
CVE-2025-9900 (A flaw was found in Libtiff. This vulnerability is a "write-what-where ...)
- {DLA-4315-1}
+ {DSA-6023-1 DLA-4315-1}
- tiff 4.7.1-1
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/704
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/732
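Review bot: adding `DSA-6023-1` alongside the existing `DLA-4315-1` for CVE-2025-9900 marks the libtiff "write-what-where" flaw as fixed in stable as well as in LTS; the brace reference only resolves if `data/DSA/list` carries a matching DSA-6023-1 entry with the fixed tiff version, so that entry should be present in the same or an earlier commit, otherwise the tracker will show the CVE as referenced by an unknown advisory.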
@@ -6433,6 +6571,7 @@ CVE-2025-42907 (SAP BI Platform allows an attacker to modify the IP address of t
CVE-2025-26399 (SolarWinds Web Help Desk was found to be susceptible to an unauthentic ...)
NOT-FOR-US: SolarWinds
CVE-2025-1131 (A local privilege escalation vulnerability exists in the safe_asterisk ...)
+ {DLA-4326-1}
- asterisk 1:22.5.1~dfsg+~cs6.15.60671435-1
NOTE: https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp
NOTE: https://github.com/asterisk/asterisk/commit/f97361952023625e8dd49ca03454777fad19fedb (23.0.0-pre1)
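Review bot: the new `{DLA-4326-1}` reference for the asterisk `safe_asterisk` local privilege escalation (CVE-2025-1131) needs a corresponding `data/DLA/list` entry naming the fixed bullseye asterisk version for the cross-reference to resolve; the same advisory is attached to CVE-2025-54995 later in this commit, consistent with one DLA covering both asterisk issues.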
@@ -11379,7 +11518,7 @@ CVE-2022-50241 (In the Linux kernel, the following vulnerability has been resolv
- linux 6.0.3-1
[bullseye] - linux 5.10.158-1
NOTE: https://git.kernel.org/linus/019805fea91599b22dfa62ffb29c022f35abeb06 (6.1-rc1)
-CVE-2022-50240 (In the Linux kernel, the following vulnerability has been resolved: b ...)
+CVE-2022-50240 (In the Linux kernel, the following vulnerability has been resolved: a ...)
- linux 5.19.6-1
[bullseye] - linux 5.10.158-1
NOTE: https://git.kernel.org/linus/a43cfc87caaf46710c8027a8c23b8a55f1078f19 (6.0-rc1)
@@ -16613,6 +16752,7 @@ CVE-2025-55583 (D-Link DIR-868L B1 router firmware version FW2.05WWB02 contains
CVE-2025-55175 (QuickCMS is vulnerable to Reflected XSS via sLangEditparameter in admi ...)
NOT-FOR-US: QuickCMS
CVE-2025-54995 (Asterisk is an open source private branch exchange and telephony toolk ...)
+ {DLA-4326-1}
- asterisk 1:22.2.0~dfsg+~cs6.15.60671435-1
NOTE: https://github.com/asterisk/asterisk/security/advisories/GHSA-557q-795j-wfx2
NOTE: https://github.com/asterisk/asterisk/pull/1405
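Review bot: `{DLA-4326-1}` is also added here for CVE-2025-54995, the second asterisk issue, so both asterisk CVEs in this commit point at the same LTS advisory; as with CVE-2025-1131, the unstable fix line `- asterisk 1:22.2.0~dfsg+~cs6.15.60671435-1` is unchanged and only the LTS advisory reference is new.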
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/10021f7f8d453452aa1ddac8c84f2d08a466a518