[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Fri Oct 17 21:13:12 BST 2025



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d266888b by security tracker role at 2025-10-17T20:13:04+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,91 @@
+CVE-2025-8414 (Due to improper input validation, a buffer overflow vulnerability is p ...)
+	TODO: check
+CVE-2025-62511 (yt-grabber-tui is a C++ terminal user interface application for downlo ...)
+	TODO: check
+CVE-2025-62505 (LobeChat is an open source chat application platform. The web-crawler  ...)
+	TODO: check
+CVE-2025-62430 (ClipBucket v5 is an open source video sharing platform. ClipBucket v5  ...)
+	TODO: check
+CVE-2025-62424 (ClipBucket is a web-based video-sharing platform. In ClipBucket versio ...)
+	TODO: check
+CVE-2025-62422 (DataEase is an open source data visualization and analytics platform.  ...)
+	TODO: check
+CVE-2025-62421 (DataEase is a data visualization and analytics platform. In DataEase v ...)
+	TODO: check
+CVE-2025-62420 (DataEase is a data visualization and analytics platform. In DataEase v ...)
+	TODO: check
+CVE-2025-62419 (DataEase is a data visualization and analytics platform. In DataEase v ...)
+	TODO: check
+CVE-2025-62356 (A path traversal vulnerability in all versions of the Qodo Qodo Gen ID ...)
+	TODO: check
+CVE-2025-62353 (A path traversal vulnerability in all versions of the Windsurf IDE ena ...)
+	TODO: check
+CVE-2025-62171 (ImageMagick is an open source software suite for displaying, convertin ...)
+	TODO: check
+CVE-2025-62168 (Squid is a caching proxy for the Web. In Squid versions prior to 7.2,  ...)
+	TODO: check
+CVE-2025-60514 (Tillywork v0.1.3 and below is vulnerable to SQL Injection in app/commo ...)
+	TODO: check
+CVE-2025-60361 (radare2 v5.9.8 and before contains a memory leak in the function bochs ...)
+	TODO: check
+CVE-2025-60360 (radare2 v5.9.8 and before contains a memory leak in the function r2r_s ...)
+	TODO: check
+CVE-2025-60359 (radare2 v5.9.8 and before contains a memory leak in the function r_bin ...)
+	TODO: check
+CVE-2025-60279 (A server-side request forgery (SSRF) vulnerability in Illia Cloud illi ...)
+	TODO: check
+CVE-2025-59043 (OpenBao is an open source identity-based secrets management system. In ...)
+	TODO: check
+CVE-2025-58747 (Dify is an LLM application development platform. In Dify versions thro ...)
+	TODO: check
+CVE-2025-57567 (A remote code execution (RCE) vulnerability exists in the PluXml CMS t ...)
+	TODO: check
+CVE-2025-57164 (Flowise through v3.0.4 is vulnerable to remote code execution via unsa ...)
+	TODO: check
+CVE-2025-56320 (Enterprise Contract Management Portal v.22.4.0 is vulnerable to Stored ...)
+	TODO: check
+CVE-2025-56316 (A SQL injection vulnerability in the content_title parameter of the /c ...)
+	TODO: check
+CVE-2025-56221 (A lack of rate limiting in the login mechanism of SigningHub v8.6.8 al ...)
+	TODO: check
+CVE-2025-56218 (An arbitrary file upload vulnerability in SigningHub v8.6.8 allows att ...)
+	TODO: check
+CVE-2025-55085 (In NextX Duo before 6.4.4, in the HTTP client module, the network supp ...)
+	TODO: check
+CVE-2025-49655 (Deserialization of untrusted data can occur in versions of the Keras f ...)
+	TODO: check
+CVE-2025-48087 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-48044 (Incorrect Authorization vulnerability in ash-project ash allows Authen ...)
+	TODO: check
+CVE-2025-34282 (ThingsBoard versions < 4.2.1 contain a server-side request forgery (SS ...)
+	TODO: check
+CVE-2025-34281 (ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XS ...)
+	TODO: check
+CVE-2025-26625 (Git LFS is a Git extension for versioning large files. In Git LFS vers ...)
+	TODO: check
+CVE-2025-11925 (Incorrect Content-Type header in one of the APIs (`text/html` instead  ...)
+	TODO: check
+CVE-2025-11911 (A vulnerability was detected in Shenzhen Ruiming Technology Streamax C ...)
+	TODO: check
+CVE-2025-11910 (A security vulnerability has been detected in Shenzhen Ruiming Technol ...)
+	TODO: check
+CVE-2025-11909 (A weakness has been identified in Shenzhen Ruiming Technology Streamax ...)
+	TODO: check
+CVE-2025-11908 (A security flaw has been discovered in Shenzhen Ruiming Technology Str ...)
+	TODO: check
+CVE-2025-11905 (A vulnerability was found in yanyutao0402 ChanCMS up to 3.3.2. This vu ...)
+	TODO: check
+CVE-2025-11904 (A vulnerability has been found in yanyutao0402 ChanCMS up to 3.3.2. Th ...)
+	TODO: check
+CVE-2025-11903 (A flaw has been found in yanyutao0402 ChanCMS up to 3.3.2. Affected by ...)
+	TODO: check
+CVE-2025-11902 (A vulnerability was detected in yanyutao0402 ChanCMS up to 3.3.2. Affe ...)
+	TODO: check
+CVE-2025-11895 (The Binary MLM Plan plugin for WordPress is vulnerable to insecure dir ...)
+	TODO: check
+CVE-2024-31573 (XMLUnit for Java before 2.10.0, in the default configuration, might al ...)
+	TODO: check
 CVE-2025-6950 (An Use of Hard-coded Credentials vulnerability has been identified in  ...)
 	NOT-FOR-US: Moxa
 CVE-2025-6949 (An Execution with Unnecessary Privileges vulnerability has been identi ...)
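Review bot: all 44 new entries in this hunk land as `TODO: check`, which is expected for an automatic update, but several name software Debian ships as source packages and should be triaged ahead of the rest: CVE-2025-62171 (ImageMagick), CVE-2025-62168 (Squid, versions prior to 7.2), CVE-2025-60359 through CVE-2025-60361 (radare2 v5.9.8 and before), CVE-2025-26625 (Git LFS) and CVE-2024-31573 (XMLUnit for Java before 2.10.0). Most of the remaining entries (ClipBucket, DataEase, ThingsBoard, Streamax, ChanCMS, the Binary MLM Plan WordPress plugin, and so on) look like candidates for `NOT-FOR-US`, matching how the surrounding list handles such products, e.g. `NOT-FOR-US: Moxa` on CVE-2025-6950 directly below.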
@@ -87,7 +175,7 @@ CVE-2025-62490 (In quickjs, in js_print_object, when printing an array, the func
 	NOTE: Fixed in the 2025-09-13 release (https://bellard.org/quickjs/Changelog)
 CVE-2025-62428 (Drawing-Captcha APP provides interactive, engaging verification for We ...)
 	NOT-FOR-US: Drawing-Captcha APP
-CVE-2025-62427 (The Angular CLI is a command-line interface tool for Angular applicati ...)
+CVE-2025-62427 (The Angular SSR is a server-rise rendering tool for Angular applicatio ...)
 	TODO: check
 CVE-2025-62425 (MAS (Matrix Authentication Service) is a user management and authentic ...)
 	NOT-FOR-US: MAS (Matrix Authentication Service)
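Review bot: the replaced description for CVE-2025-62427 now reads "server-rise rendering", a typo for "server-side" that arrives with the upstream CVE text; it should not be fixed locally, since the next automatic update would overwrite it. More important is that the entry's product changed from "Angular CLI" to "Angular SSR" while it still carries `TODO: check`, so whoever triages it should re-read the current description rather than rely on any notes made against the old one.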
@@ -1515,7 +1603,7 @@ CVE-2025-11721 (Memory safety bug present in Firefox 143 and Thunderbird 143. Th
 	- firefox 144.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/#CVE-2025-11721
 CVE-2025-11715 (Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3 ...)
-	{DSA-6025-1}
+	{DSA-6025-1 DLA-4335-1}
 	- firefox 144.0-1
 	- firefox-esr 140.4.0esr-1
 	- thunderbird <unfixed>
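Review bot: `{DSA-6025-1 DLA-4335-1}` is added here and in the following hunks for CVE-2025-11714, -11712, -11711, -11710, -11709 and -11708, while `- thunderbird <unfixed>` stays in each entry. If DLA-4335-1 covers only firefox-esr this is consistent; if the DLA also shipped a thunderbird update, the `<unfixed>` line in each of these entries is now stale. Worth confirming against the DLA text.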
@@ -1523,7 +1611,7 @@ CVE-2025-11715 (Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-83/#CVE-2025-11715
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-85/#CVE-2025-11715
 CVE-2025-11714 (Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, T ...)
-	{DSA-6025-1}
+	{DSA-6025-1 DLA-4335-1}
 	- firefox 144.0-1
 	- firefox-esr 140.4.0esr-1
 	- thunderbird <unfixed>
@@ -1547,7 +1635,7 @@ CVE-2025-11718 (When the address bar was hidden due to scrolling on Android, a m
 	- firefox 144.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/#CVE-2025-11718
 CVE-2025-11712 (A malicious page could have used the type attribute of an OBJECT tag t ...)
-	{DSA-6025-1}
+	{DSA-6025-1 DLA-4335-1}
 	- firefox 144.0-1
 	- firefox-esr 140.4.0esr-1
 	- thunderbird <unfixed>
@@ -1561,7 +1649,7 @@ CVE-2025-11716 (Links in a sandboxed iframe could open an external app on Androi
 	- firefox <not-affected> (Only affects Firefox on Android)
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/#CVE-2025-11716
 CVE-2025-11711 (There was a way to change the value of JavaScript Object properties th ...)
-	{DSA-6025-1}
+	{DSA-6025-1 DLA-4335-1}
 	- firefox 144.0-1
 	- firefox-esr 140.4.0esr-1
 	- thunderbird <unfixed>
@@ -1569,7 +1657,7 @@ CVE-2025-11711 (There was a way to change the value of JavaScript Object propert
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-83/#CVE-2025-11711
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-85/#CVE-2025-11711
 CVE-2025-11710 (A compromised web process using malicious IPC messages could have caus ...)
-	{DSA-6025-1}
+	{DSA-6025-1 DLA-4335-1}
 	- firefox 144.0-1
 	- firefox-esr 140.4.0esr-1
 	- thunderbird <unfixed>
@@ -1577,7 +1665,7 @@ CVE-2025-11710 (A compromised web process using malicious IPC messages could hav
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-83/#CVE-2025-11710
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-85/#CVE-2025-11710
 CVE-2025-11709 (A compromised web process was able to trigger out of bounds reads and  ...)
-	{DSA-6025-1}
+	{DSA-6025-1 DLA-4335-1}
 	- firefox 144.0-1
 	- firefox-esr 140.4.0esr-1
 	- thunderbird <unfixed>
@@ -1585,7 +1673,7 @@ CVE-2025-11709 (A compromised web process was able to trigger out of bounds read
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-83/#CVE-2025-11709
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-85/#CVE-2025-11709
 CVE-2025-11708 (Use-after-free in MediaTrackGraphImpl::GetInstance() This vulnerabilit ...)
-	{DSA-6025-1}
+	{DSA-6025-1 DLA-4335-1}
 	- firefox 144.0-1
 	- firefox-esr 140.4.0esr-1
 	- thunderbird <unfixed>
@@ -5650,6 +5738,7 @@ CVE-2025-54468 (A vulnerability has been identified within Rancher Manager where
 CVE-2025-54315 (The Matrix specification before 1.16 (i.e., with a room version before ...)
 	NOT-FOR-US: Matrix specification
 CVE-2025-54293 (Path Traversal in the log file retrieval function in Canonical LXD 5.0 ...)
+	{DSA-6028-1 DSA-6027-1}
 	- incus 6.0.5-1
 	- lxd <removed>
 	NOTE: https://github.com/canonical/lxd/security/advisories/GHSA-472f-vmf2-pr3h
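Review bot: CVE-2025-54293 gains `{DSA-6028-1 DSA-6027-1}` while the entry keeps `- lxd <removed>`. Two advisories on one CVE reads as one for incus and one for lxd; if that is the split, it is consistent with the hunk below, where the three entries carrying `[trixie]`/`[bookworm] - lxd <no-dsa>` annotations receive only DSA-6027-1. A short `NOTE:` line recording which advisory covers which source package would save the next reader from reconstructing that.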
@@ -5657,32 +5746,38 @@ CVE-2025-54292 (Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5
 	NOT-FOR-US: Canonical LXD LXD-UI (not bundled in src:lxd or src:incus)
 	NOTE: https://github.com/canonical/lxd/security/advisories/GHSA-7425-4qpj-v4w3
 CVE-2025-54291 (Information disclosure in images API in Canonical LXD before 6.5 and 5 ...)
+	{DSA-6027-1}
 	- incus 6.0.5-1
 	- lxd <removed>
 	[trixie] - lxd <no-dsa> (Minor issue, no fixed planned by upstream for 5.0)
 	[bookworm] - lxd <no-dsa> (Minor issue, no fixed planned by upstream for 5.0)
 	NOTE: https://github.com/canonical/lxd/security/advisories/GHSA-xch9-h8qw-85c7
 CVE-2025-54290 (Information disclosure in image export API in Canonical LXD before 6.5 ...)
+	{DSA-6027-1}
 	- incus 6.0.5-1
 	- lxd <removed>
 	[trixie] - lxd <no-dsa> (Minor issue, no fixed planned by upstream for 5.0)
 	[bookworm] - lxd <no-dsa> (Minor issue, no fixed planned by upstream for 5.0)
 	NOTE: https://github.com/canonical/lxd/security/advisories/GHSA-p3x5-mvmp-5f35
 CVE-2025-54289 (Privilege Escalation in operations API in Canonical LXD <6.5 on multip ...)
+	{DSA-6027-1}
 	- incus 6.0.5-1
 	- lxd <removed>
 	[trixie] - lxd <no-dsa> (Minor issue, no fixed planned by upstream for 5.0)
 	[bookworm] - lxd <no-dsa> (Minor issue, no fixed planned by upstream for 5.0)
 	NOTE: https://github.com/canonical/lxd/security/advisories/GHSA-3g72-chj4-2228
 CVE-2025-54288 (Information Spoofing in devLXD Server in Canonical LXD versions 4.0 an ...)
+	{DSA-6028-1 DSA-6027-1}
 	- incus 6.0.5-1
 	- lxd <removed>
 	NOTE: https://github.com/canonical/lxd/security/advisories/GHSA-7232-97c6-j525
 CVE-2025-54287 (Template Injection in instance snapshot creation component in Canonica ...)
+	{DSA-6028-1 DSA-6027-1}
 	- incus 6.0.5-1
 	- lxd <removed>
 	NOTE: https://github.com/canonical/lxd/security/advisories/GHSA-w2hg-2v4p-vmh6
 CVE-2025-54286 (Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions  ...)
+	{DSA-6028-1 DSA-6027-1}
 	- incus 6.0.5-1
 	- lxd <removed>
 	NOTE: https://github.com/canonical/lxd/security/advisories/GHSA-p8hw-rfjg-689h
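Review bot: CVE-2025-54291, -54290 and -54289 each get `{DSA-6027-1}` but retain `[trixie] - lxd <no-dsa>` and `[bookworm] - lxd <no-dsa>`. That is only consistent if DSA-6027-1 is the incus advisory and not an lxd one; if it covers lxd, those `<no-dsa>` annotations must go. Separately, the justification in those `<no-dsa>` context lines reads "no fixed planned" (for "no fix planned"); it is pre-existing, but worth correcting the next time this region is edited by hand.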
@@ -5815,7 +5910,7 @@ CVE-2025-58776 (KV Studio versions 12.23 and prior contain a stack-based buffer
 	NOT-FOR-US: KV Studio
 CVE-2025-58775 (KV STUDIO and VT5-WX15/WX12 contain a stack-based buffer overflow vuln ...)
 	NOT-FOR-US: KV STUDIO and VT5-WX15/WX12
-CVE-2025-57389 (A reflected cross-site scripted (XSS) vulnerability in the /admin/syst ...)
+CVE-2025-57389 (A reflected cross-site scripting (XSS) vulnerability in the /admin/sys ...)
 	NOT-FOR-US: OpenWRT
 CVE-2025-54811 (OpenPLC_V3 has a vulnerability in the enipThread function that occurs  ...)
 	NOT-FOR-US: OpenPLC
@@ -231654,7 +231749,7 @@ CVE-2023-2782 (Sensitive information disclosure due to improper authorization. T
 CVE-2023-2481 (Compiler removal of buffer clearing in     sli_se_opaque_import_key    ...)
 	NOT-FOR-US: Silicon Labs Gecko Platform SDK
 CVE-2023-33204 (sysstat through 12.7.2 allows a multiplication integer overflow in che ...)
-	{DLA-3434-1}
+	{DLA-4336-1 DLA-3434-1}
 	- sysstat 12.6.1-2 (bug #1036294)
 	[bookworm] - sysstat <ignored> (Minor issue, limited to 32 bit archs)
 	NOTE: https://github.com/sysstat/sysstat/pull/360
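Review bot: `DLA-4336-1` is added for CVE-2023-33204 while `[bookworm] - sysstat <ignored> (Minor issue, limited to 32 bit archs)` remains. An LTS advisory for a CVE that a newer stable release marks `<ignored>` is not wrong in itself (the DLA may simply bundle it with the other sysstat fix; compare CVE-2022-39377 later in this diff, which receives the same DLA), but the contrast deserves a `NOTE:` so the bookworm annotation is not read as an oversight.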
@@ -240752,10 +240847,10 @@ CVE-2023-28817
 	RESERVED
 CVE-2023-28816
 	RESERVED
-CVE-2023-28815
-	RESERVED
-CVE-2023-28814
-	RESERVED
+CVE-2023-28815 (Some versions of Hikvision's iSecure Center Product contain insufficie ...)
+	TODO: check
+CVE-2023-28814 (Some versions of Hikvision's iSecure Center Product have an improper f ...)
+	TODO: check
 CVE-2023-28813 (An attacker could exploit a vulnerability by sending crafted messages  ...)
 	NOT-FOR-US: Hikvision Web Browser Plug-in LocalServiceComponents
 CVE-2023-28812 (There is a buffer overflow vulnerability in a web browser plug-in coul ...)
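Review bot: CVE-2023-28815 and CVE-2023-28814 move from `RESERVED` to descriptions with `TODO: check`. Both describe Hikvision's iSecure Center product, and the adjacent entries CVE-2023-28813 and CVE-2023-28812 are already triaged `NOT-FOR-US: Hikvision ...`, so the natural resolution is `NOT-FOR-US: Hikvision iSecure Center`, following that convention.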
@@ -290627,7 +290722,7 @@ CVE-2022-39379 (Fluentd collects events from various data sources and writes the
 CVE-2022-39378 (Discourse is a platform for community discussion. Under certain condit ...)
 	NOT-FOR-US: Discourse
 CVE-2022-39377 (sysstat is a set of system performance tools for the Linux operating s ...)
-	{DLA-3188-1}
+	{DLA-4336-1 DLA-3188-1}
 	- sysstat 12.6.1-1 (bug #1023832)
 	NOTE: https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
 	NOTE: https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540 (v12.7.1)
@@ -346478,7 +346573,7 @@ CVE-2021-44961 (A memory leakage flaw exists in the class PerimeterGenerator of
 	NOTE: https://hackmd.io/nDT_UKLyRQendxDwil9A4w
 	NOTE: memory overusage in GUI tool, no security impact
 CVE-2021-44960 (In SVGPP SVG++ library 1.3.0, the XMLDocument::getRoot function in the ...)
-	{DLA-3376-1}
+	{DLA-4337-1 DLA-3376-1}
 	- svgpp 1.3.0+dfsg1-5 (bug #1014599)
 	NOTE: https://github.com/svgpp/svgpp/issues/101
 	NOTE: https://github.com/svgpp/svgpp/commit/0bc57f2cc6d9d86a0fa1ce73e508c2b5994b4b91



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d266888b75c893cadf463dc27303a2971c39ccbe
