[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Oct 10 22:18:39 BST 2025 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ede12aff by Moritz Muehlenhoff at 2025-10-10T23:18:20+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -15,11 +15,11 @@ CVE-2025-62238 (Stored cross-site scripting (XSS) vulnerability on the Membershi
 CVE-2025-62237 (Stored cross-site scripting (XSS) vulnerability in Commerce\u2019s vie ...)
 	NOT-FOR-US: Liferay
 CVE-2025-61929 (Cherry Studio is a desktop client that supports for multiple LLM provi ...)
-	TODO: check
+	NOT-FOR-US: Cherry Studio
 CVE-2025-61927 (Happy DOM is a JavaScript implementation of a web browser without its  ...)
 	TODO: check
 CVE-2025-61925 (Astro is a web framework. Prior to version 5.14.2, Astro reflects the  ...)
-	TODO: check
+	NOT-FOR-US: Astro web framework
 CVE-2025-61921 (Sinatra is a domain-specific language for creating web applications in ...)
 	TODO: check
 CVE-2025-61920 (Authlib is a Python library which builds OAuth and OpenID Connect serv ...)
@@ -29,41 +29,41 @@ CVE-2025-61919 (Rack is a modular Ruby web server interface. Prior to versions 2
 CVE-2025-61864 (A use after free vulnerability exists in VS6ComFile!load_link_inf of V ...)
 	TODO: check
 CVE-2025-61863 (An out-of-bounds read vulnerability exists in VS6ComFile!CSaveData::de ...)
-	TODO: check
+	NOT-FOR-US: FUJI
 CVE-2025-61862 (An out-of-bounds read vulnerability exists in VS6ComFile!get_ovlp_elem ...)
-	TODO: check
+	NOT-FOR-US: FUJI
 CVE-2025-61861 (An out-of-bounds read vulnerability exists in VS6ComFile!load_link_inf ...)
-	TODO: check
+	NOT-FOR-US: FUJI
 CVE-2025-61860 (An out-of-bounds read vulnerability exists in VS6MemInIF!set_temp_type ...)
-	TODO: check
+	NOT-FOR-US: FUJI
 CVE-2025-61859 (An out-of-bounds write vulnerability exists in VS6ComFile!CItemDraw::i ...)
-	TODO: check
+	NOT-FOR-US: FUJI
 CVE-2025-61858 (An out-of-bounds write vulnerability exists in VS6ComFile!set_Animatio ...)
-	TODO: check
+	NOT-FOR-US: FUJI
 CVE-2025-61857 (An out-of-bounds write vulnerability exists in VS6ComFile!CItemExChang ...)
-	TODO: check
+	NOT-FOR-US: FUJI
 CVE-2025-61856 (A stack-based buffer overflow vulnerability exists in VS6ComFile!CV7Ba ...)
-	TODO: check
+	NOT-FOR-US: FUJI
 CVE-2025-61780 (Rack is a modular Ruby web server interface. Prior to versions 2.2.20, ...)
 	TODO: check
 CVE-2025-61689 (HTTP.jl is an HTTP client and server functionality for the Julia progr ...)
 	TODO: check
 CVE-2025-61505 (e107 CMS thru 2.3.3 are vulnerable to insecure deserialization in the  ...)
-	TODO: check
+	NOT-FOR-US: e107 CMS
 CVE-2025-61319 (ReNgine thru 2.2.0 is vulnerable to a Stored Cross-Site Scripting (XSS ...)
-	TODO: check
+	NOT-FOR-US: ReNgine
 CVE-2025-61152 (python-jose thru 3.3.0 allows JWT tokens with 'alg=none' to be decoded ...)
 	TODO: check
 CVE-2025-60880 (An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6  ...)
 	TODO: check
 CVE-2025-60869 (Publii CMS v0.46.5 (build 17089) allows persistent Cross-Site Scriptin ...)
-	TODO: check
+	NOT-FOR-US: Publii CMS
 CVE-2025-60868 (The Alt Redirect 1.6.3 addon for Statamic fails to consistently strip  ...)
-	TODO: check
+	NOT-FOR-US: Statamic addon
 CVE-2025-60838 (An arbitrary file upload vulnerability in MCMS v6.0.1 allows attackers ...)
-	TODO: check
+	NOT-FOR-US: MCMS
 CVE-2025-60378 (Stored HTML injection in RISE Ultimate Project Manager & CRM allows au ...)
-	TODO: check
+	NOT-FOR-US: RISE Ultimate Project Manager & CRM
 CVE-2025-60308 (code-projects Simple Online Hotel Reservation System 1.0 has a Cross S ...)
 	NOT-FOR-US: code-projects
 CVE-2025-60307 (code-projects Computer Laboratory System 1.0 has a SQL injection vulne ...)
@@ -73,13 +73,13 @@ CVE-2025-60306 (code-projects Simple Car Rental System 1.0 has a permission bypa
 CVE-2025-60305 (SourceCodester Online Student Clearance System 1.0 is vulnerable to In ...)
 	NOT-FOR-US: SourceCodester
 CVE-2025-60269 (JEEWMS 20250820 is vulnerable to SQL Injection in the exportXls functi ...)
-	TODO: check
+	NOT-FOR-US: JeeWMS
 CVE-2025-60268 (An arbitrary file upload vulnerability exists in JeeWMS 20250820, whic ...)
-	TODO: check
+	NOT-FOR-US: JeeWMS
 CVE-2025-59530 (quic-go is an implementation of the QUIC protocol in Go. In versions p ...)
 	TODO: check
 CVE-2025-55903 (A HTML injection vulnerability exists in Perfex CRM v3.3.1. The applic ...)
-	TODO: check
+	NOT-FOR-US: Perfex CRM
 CVE-2025-52655 (Inclusion of Functionality from Untrusted Control Sphere vulnerability ...)
 	NOT-FOR-US: HCL
 CVE-2025-52650 (Inline script execution allowed in CSP vulnerability has been identifi ...)
@@ -99,19 +99,19 @@ CVE-2025-52624 (A vulnerabilityBypass of the script allowlist configuration in H
 CVE-2025-48043 (Incorrect Authorization vulnerability in ash-project ash allows Authen ...)
 	TODO: check
 CVE-2025-41089 (Reflected Cross-Site Scripting (XSS) in Xibo CMS v4.1.2 from Xibo Sign ...)
-	TODO: check
+	NOT-FOR-US: Xibo CMS
 CVE-2025-41088 (Stored Cross-Site Scripting (XSS) in Xibo Signage's Xibo CMS v4.1.2, d ...)
-	TODO: check
+	NOT-FOR-US: Xibo CMS
 CVE-2025-40640 (Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by ...)
-	TODO: check
+	NOT-FOR-US: Energy CRM
 CVE-2025-37727 (Insertion of sensitive information in log file in Elasticsearch can le ...)
-	TODO: check
+	- elasticsearch <removed>
 CVE-2025-30001 (Incorrect Execution-Assigned Permissions vulnerability in Apache Strea ...)
 	NOT-FOR-US: Apache software not packaged in Debian
 CVE-2025-25018 (Improper Neutralization of Input During Web Page Generation in Kibana  ...)
-	TODO: check
+	- kibana <itp> (bug #700337)
 CVE-2025-25017 (Improper Neutralization of Input During Web Page Generation in Kibana  ...)
-	TODO: check
+	- kibana <itp> (bug #700337)
 CVE-2025-23309 (NVIDIA Display Driver contains a vulnerability where an uncontrolled D ...)
 	TODO: check
 CVE-2025-23282 (NVIDIA Display Driver for Linux contains a vulnerability where an atta ...)
@@ -125,17 +125,17 @@ CVE-2025-11617 (A missing validation check in FreeRTOS-Plus-TCP's IPv6 packet pr
 CVE-2025-11616 (A missing validation check in FreeRTOS-Plus-TCP's ICMPv6 packet proces ...)
 	NOT-FOR-US: Amazon
 CVE-2025-11581 (A security vulnerability has been detected in PowerJob up to 5.1.2. Th ...)
-	TODO: check
+	NOT-FOR-US: PowerJob
 CVE-2025-11580 (A weakness has been identified in PowerJob up to 5.1.2. This affects t ...)
-	TODO: check
+	NOT-FOR-US: PowerJob
 CVE-2025-11579 (github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dic ...)
 	TODO: check
 CVE-2025-11190 (The Kiwire Captive Portal contains an open redirection issue via the l ...)
-	TODO: check
+	NOT-FOR-US: Kiwire Captive Portal
 CVE-2025-11189 (The Kiwire Captive Portal contains a reflected cross-site scripting (X ...)
-	TODO: check
+	NOT-FOR-US: Kiwire Captive Portal
 CVE-2025-11188 (The Kiwire Captive Portal contains a blind SQL injection in the nas-id ...)
-	TODO: check
+	NOT-FOR-US: Kiwire Captive Portal
 CVE-2025-11002
 	- 7zip 25.00+dfsg-1
 	[trixie] - 7zip <no-dsa> (Minor issue)
@@ -552,13 +552,13 @@ CVE-2025-11198 (A Missing Authentication for Critical Function vulnerability in
 CVE-2025-10862 (The Popup builder with Gamification, Multi-Step Popups, Page-Level Tar ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2025-10284 (BBOT's unarchive module could be abused by supplying malicious archive ...)
-	TODO: check
+	NOT-FOR-US: bbot
 CVE-2025-10283 (BBOT's gitdumper module could be abused to execute commands through a  ...)
-	TODO: check
+	NOT-FOR-US: bbot
 CVE-2025-10282 (BBOT's gitlab module could be abused to disclose a GitLab API key to a ...)
-	TODO: check
+	NOT-FOR-US: bbot
 CVE-2025-10281 (BBOT's git_clone module could be abused to disclose a GitHub API key t ...)
-	TODO: check
+	NOT-FOR-US: bbot
 CVE-2025-10249 (The Slider Revolution plugin for WordPress is vulnerable to unauthoriz ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2025-10240 (A vulnerability exists in the Progress Flowmon web application prior t ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ede12afffb3fda918ec0b765c997dd312c82e13f

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ede12afffb3fda918ec0b765c997dd312c82e13f
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20251010/ff1f5ba0/attachment.htm>

More information about the debian-security-tracker-commits mailing list