[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Oct 23 21:13:10 BST 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
41b21243 by security tracker role at 2025-10-23T20:13:01+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,193 @@
+CVE-2025-9981 (QuickCMS is vulnerable to multiple Stored XSS in slider editor functio ...)
+ TODO: check
+CVE-2025-9980 (QuickCMS is vulnerable to multiple Stored XSS in page editor functiona ...)
+ TODO: check
+CVE-2025-8427 (The Beaver Builder Plugin (Starter Version) plugin for WordPress is vu ...)
+ TODO: check
+CVE-2025-6980 (Captive Portal can expose sensitive information)
+ TODO: check
+CVE-2025-6979 (Captive Portal can allow authentication bypass)
+ TODO: check
+CVE-2025-6978 (Diagnostics command injection vulnerability)
+ TODO: check
+CVE-2025-62820 (Slack Nebula before 1.9.7 mishandles CIDR in some configurations and t ...)
+ TODO: check
+CVE-2025-62813 (LZ4 through 1.10.0 allows attackers to cause a denial of service (appl ...)
+ TODO: check
+CVE-2025-62812
+ REJECTED
+CVE-2025-62811
+ REJECTED
+CVE-2025-62810
+ REJECTED
+CVE-2025-62809
+ REJECTED
+CVE-2025-62808
+ REJECTED
+CVE-2025-62807
+ REJECTED
+CVE-2025-62806
+ REJECTED
+CVE-2025-62805
+ REJECTED
+CVE-2025-62804
+ REJECTED
+CVE-2025-62713 (Kottster is a self hosted Node.js admin panel. From versions 3.2.0 to ...)
+ TODO: check
+CVE-2025-62710 (Sakai is a Collaboration and Learning Environment. Prior to versions 2 ...)
+ TODO: check
+CVE-2025-62708 (pypdf is a free and open-source pure-python PDF library. Prior to vers ...)
+ TODO: check
+CVE-2025-62707 (pypdf is a free and open-source pure-python PDF library. Prior to vers ...)
+ TODO: check
+CVE-2025-62706 (Authlib is a Python library which builds OAuth and OpenID Connect serv ...)
+ TODO: check
+CVE-2025-62705 (OpenBao is an open source identity-based secrets management system. Pr ...)
+ TODO: check
+CVE-2025-62617 (Admidio is an open-source user management solution. Prior to version 4 ...)
+ TODO: check
+CVE-2025-62614 (BookLore is a self-hosted web app for organizing and managing personal ...)
+ TODO: check
+CVE-2025-62613 (VDO.Ninja is a tool that brings remote video feeds into OBS or other s ...)
+ TODO: check
+CVE-2025-62612 (FastGPT is an AI Agent building platform. Prior to version 4.11.1, in ...)
+ TODO: check
+CVE-2025-62517 (Rollbar.js offers error tracking and logging from Javascript to Rollba ...)
+ TODO: check
+CVE-2025-62499 (Movable Type contains a stored cross-site scripting vulnerability in E ...)
+ TODO: check
+CVE-2025-62401 (An issue in Moodle\u2019s timed assignment feature allowed students to ...)
+ TODO: check
+CVE-2025-62400 (Moodle exposed the names of hidden groups to users who had permission ...)
+ TODO: check
+CVE-2025-62399 (Moodle\u2019s mobile and web service authentication endpoints did not ...)
+ TODO: check
+CVE-2025-62398 (A serious authentication flaw allowed attackers with valid credentials ...)
+ TODO: check
+CVE-2025-62397 (The router\u2019s inconsistent response to invalid course IDs allowed ...)
+ TODO: check
+CVE-2025-62396 (An error-handling issue in the Moodle router (r.php) could cause the a ...)
+ TODO: check
+CVE-2025-62395 (A flaw in the cohort search web service allowed users with permissions ...)
+ TODO: check
+CVE-2025-62394 (Moodle failed to verify enrolment status correctly when sending quiz n ...)
+ TODO: check
+CVE-2025-62393 (A flaw was found in the course overview output function where user acc ...)
+ TODO: check
+CVE-2025-62256 (Liferay Portal 7.4.0 through 7.4.3.109, and Liferay DXP 2023.Q4.0 thro ...)
+ TODO: check
+CVE-2025-62255 (Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Ba ...)
+ TODO: check
+CVE-2025-62236 (The Frontier Airlines website has a publicly available endpoint that v ...)
+ TODO: check
+CVE-2025-62169 (OctoPrint-SpoolManager is a plugin for managing spools and all their u ...)
+ TODO: check
+CVE-2025-61865 (NarSuS App registers a Windows service with an unquoted file path. A u ...)
+ TODO: check
+CVE-2025-61464 (gnuboard gnuboard4 v4.36.04 and before is vulnerable to Second-order S ...)
+ TODO: check
+CVE-2025-61413 (A stored cross-site scripting (XSS) vulnerability in the /manager/page ...)
+ TODO: check
+CVE-2025-61136 (A Host Header Injection vulnerability in the password reset component ...)
+ TODO: check
+CVE-2025-61132 (A Host Header Injection vulnerability in the password reset component ...)
+ TODO: check
+CVE-2025-60859 (Cross Site Scripting (XSS) vulnerability in Gnuboard 5.6.15 allows aut ...)
+ TODO: check
+CVE-2025-60852 (A CSV Injection vulnerability existed in Instant Developer Foundation ...)
+ TODO: check
+CVE-2025-60837 (A reflected cross-site scripting (XSS) vulnerability in MCMS v6.0.1 al ...)
+ TODO: check
+CVE-2025-59048 (OpenBao's AWS Plugin generates AWS access credentials based on IAM pol ...)
+ TODO: check
+CVE-2025-58428 (The TLS4B ATG system's SOAP-based interface is vulnerable due to its a ...)
+ TODO: check
+CVE-2025-57240 (Cross site scripting (XSS) vulnerability in 17gz International Student ...)
+ TODO: check
+CVE-2025-56009 (Cross site request forgery (CSRF) vulnerability in KeeneticOS before 4 ...)
+ TODO: check
+CVE-2025-56008 (Cross site scripting (XSS) vulnerability in KeeneticOS before 4.3 at " ...)
+ TODO: check
+CVE-2025-56007 (CRLF-injection in KeeneticOS before 4.3 at "/auth" API endpoint allows ...)
+ TODO: check
+CVE-2025-55067 (The TLS4B ATG system is vulnerable to improper handling of Unix time v ...)
+ TODO: check
+CVE-2025-54966 (An issue was discovered in BAE SOCET GXP before 4.6.0.2. Some endpoint ...)
+ TODO: check
+CVE-2025-54964 (An issue was discovered in BAE SOCET GXP before 4.6.0.2. An attacker w ...)
+ TODO: check
+CVE-2025-54856 (Movable Type contains a stored cross-site scripting vulnerability in E ...)
+ TODO: check
+CVE-2025-54808 (Oxford Nanopore Technologies' MinKNOW software at or prior to version ...)
+ TODO: check
+CVE-2025-54806 (GROWI v4.2.7 and earlier contains a cross-site scripting vulnerability ...)
+ TODO: check
+CVE-2025-53702 (Vilar VS-IPC1002 IP cameras are vulnerable to DoS (Denial-of-Service) ...)
+ TODO: check
+CVE-2025-53701 (Vilar VS-IPC1002 IP cameras are vulnerable to Reflected XSS (Cross-sit ...)
+ TODO: check
+CVE-2025-50951 (FontForge v20230101 was discovered to contain a memory leak via the ut ...)
+ TODO: check
+CVE-2025-50950 (Audiofile v0.3.7 was discovered to contain a NULL pointer dereference ...)
+ TODO: check
+CVE-2025-50949 (FontForge v20230101 was discovered to contain a memory leak via the co ...)
+ TODO: check
+CVE-2025-48430 (Uncaught Exception (CWE-248) in the Command Centre Server allows an Au ...)
+ TODO: check
+CVE-2025-48428 (Cleartext Storage of Sensitive Information (CWE-312) in the Gallagher ...)
+ TODO: check
+CVE-2025-47699 (Exposure of Sensitive System Information to an Unauthorized Control Sp ...)
+ TODO: check
+CVE-2025-41402 (Client-Side Enforcement of Server-Side Security (CWE-602) in the Comma ...)
+ TODO: check
+CVE-2025-41073 (Path Traversal vulnerability in version 4.4.2236.1 of TESI Gandia Inte ...)
+ TODO: check
+CVE-2025-40643 (Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by ...)
+ TODO: check
+CVE-2025-35981 (Exposure of Private Personal Information to an Unauthorized Actor (CWE ...)
+ TODO: check
+CVE-2025-34156 (Tibbo AggreGate Network Manager < 6.40.05 exposes sensitive system inf ...)
+ TODO: check
+CVE-2025-34155 (Tibbo AggreGate Network Manager < 6.40.05 contains an observable respo ...)
+ TODO: check
+CVE-2025-23352 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manag ...)
+ TODO: check
+CVE-2025-23347 (NVIDIA Project G-Assist contains a vulnerability where an attacker mig ...)
+ TODO: check
+CVE-2025-1680 (An acceptance of extraneous untrusted data with trusted data vulnerabi ...)
+ TODO: check
+CVE-2025-1679 (Cross-site Scripting has been identified in Moxa\u2019s Ethernet switc ...)
+ TODO: check
+CVE-2025-12114 (Enabledserial console could potentially leak information that might he ...)
+ TODO: check
+CVE-2025-12110 (A flaw was found in Keycloak. An offline session continues to be valid ...)
+ TODO: check
+CVE-2025-12105 (A flaw was found in the asynchronous message queue handling of the lib ...)
+ TODO: check
+CVE-2025-12104 (Outdated and Vulnerable UI Dependencies might potentially lead to expl ...)
+ TODO: check
+CVE-2025-12044 (Vault and Vault Enterprise (\u201cVault\u201d) are vulnerable to an un ...)
+ TODO: check
+CVE-2025-11621 (Vault and Vault Enterprise\u2019s (\u201cVault\u201d) AWS Auth method ...)
+ TODO: check
+CVE-2025-11575 (Incorrect Default Permissions vulnerability in MongoDB Atlas SQL ODBC ...)
+ TODO: check
+CVE-2025-11128 (The RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News & ...)
+ TODO: check
+CVE-2025-11023 (Inclusion of Functionality from Untrusted Control Sphere, Improper Con ...)
+ TODO: check
+CVE-2025-10937 (Oxford Nanopore Technologies' MinKNOW software at or prior to version ...)
+ TODO: check
+CVE-2025-10914 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
+ TODO: check
+CVE-2025-10727 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
+ TODO: check
+CVE-2025-10705 (The MxChat \u2013 AI Chatbot for WordPress plugin for WordPress is vul ...)
+ TODO: check
+CVE-2025-10355 (Open redirection vulnerability in MOLGENIS EMX2 v11.14.0. This vulnera ...)
+ TODO: check
+CVE-2024-14011
+ REJECTED
CVE-2025-11989
- gitlab <not-affected> (Specific to EE)
CVE-2025-6601
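Review bot: every new entry in this hunk lands as `TODO: check`, which is what the automatic import is expected to produce, so the triage that follows is the real work; the entries naming software that is packaged in Debian (LZ4 through 1.10.0 at CVE-2025-62813, pypdf at CVE-2025-62707 and CVE-2025-62708, Authlib at CVE-2025-62706, FontForge at CVE-2025-50949 and CVE-2025-50951, Audiofile at CVE-2025-50950) deserve a look before the long tail of web-application and vendor-appliance issues, most of which will resolve as NOT-FOR-US. CVE-2025-12110 (Keycloak) can follow the convention already used further down in this same diff, `- keycloak <itp> (bug #1088287)`. The run of REJECTED ids CVE-2025-62804 through CVE-2025-62812 and CVE-2024-14011 is recorded consistently within the hunk (id line, then ` REJECTED`, no description), so nothing to change there.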
@@ -24,6 +214,7 @@ CVE-2025-9158
[bookworm] - request-tracker5 <not-affected> (Vulnerable code introduced later)
NOTE: Fixed by: https://github.com/bestpractical/rt/commit/04b5694e6cd150492aa51b8edaba75f5997ea40c (rt-5.0.9)
CVE-2025-61873
+ {DSA-6032-1 DSA-6031-1}
- request-tracker5 <unfixed>
- request-tracker4 <unfixed>
NOTE: Fixed by: https://github.com/bestpractical/rt/commit/cade8b90c696e8c08438be2cb469a78342b5cb0f (rt-5.0.9)
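Review bot: CVE-2025-61873 now carries `{DSA-6032-1 DSA-6031-1}`, but both package lines beneath it still read `<unfixed>`, so unstable stays open for request-tracker5 and request-tracker4 even though the stable updates have shipped; once the sid uploads land, replace `<unfixed>` with the fixed versions so the entry stops being flagged. The NOTE line records the rt-5.0.9 upstream commit, which identifies the fix for request-tracker5; an equivalent reference for the 4.x branch would make the request-tracker4 line easier to verify.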
@@ -893,12 +1084,15 @@ CVE-2022-50556 (In the Linux kernel, the following vulnerability has been resolv
[bullseye] - linux 5.10.178-1
NOTE: https://git.kernel.org/linus/834c23e4f798dcdc8af251b3c428ceef94741991 (6.3-rc1)
CVE-2025-40780 (In specific circumstances, due to a weakness in the Pseudo Random Numb ...)
+ {DSA-6033-1}
- bind9 1:9.20.15-1
NOTE: https://kb.isc.org/docs/cve-2025-40780
CVE-2025-40778 (Under certain circumstances, BIND is too lenient when accepting record ...)
+ {DSA-6033-1}
- bind9 1:9.20.15-1
NOTE: https://kb.isc.org/docs/cve-2025-40778
CVE-2025-8677 (Querying for records within a specially crafted zone containing certai ...)
+ {DSA-6033-1}
- bind9 1:9.20.15-1
NOTE: https://kb.isc.org/docs/cve-2025-8677
CVE-2025-62775 (Mercku M6a devices through 2.1.0 allow root TELNET logins via the web ...)
@@ -950,6 +1144,7 @@ CVE-2025-62525 (OpenWrt Project is a Linux operating system targeting embedded d
NOT-FOR-US: OpenWRT (ltq-ptm)
NOTE: https://openwrt.org/advisory/2025-10-22-2
CVE-2025-12036
+ {DSA-6036-1}
- chromium 141.0.7390.122-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2025-9428 (Zohocorp ManageEngine Analytics Plus versions6171 and prior are vulner ...)
@@ -4032,7 +4227,7 @@ CVE-2025-25017 (Improper Neutralization of Input During Web Page Generation in K
- kibana <itp> (bug #700337)
CVE-2025-23309 (NVIDIA Display Driver contains a vulnerability where an uncontrolled D ...)
NOT-FOR-US: NVIDIA display drivers for Windows
-CVE-2025-23345
+CVE-2025-23345 (NVIDIA Display Driver for Windows and Linux contains a vulnerability i ...)
- nvidia-graphics-drivers <unfixed>
[trixie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
[bookworm] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
@@ -4057,7 +4252,7 @@ CVE-2025-23345
[bookworm] - nvidia-graphics-drivers-tesla-535 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-550 <unfixed>
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5703
-CVE-2025-23332
+CVE-2025-23332 (NVIDIA Display Driver for Linux contains a vulnerability in a kernel m ...)
- nvidia-graphics-drivers <unfixed>
[trixie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
[bookworm] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
@@ -4082,7 +4277,7 @@ CVE-2025-23332
[bookworm] - nvidia-graphics-drivers-tesla-535 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-550 <unfixed>
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5703
-CVE-2025-23330
+CVE-2025-23330 (NVIDIA Display Driver for Linux contains a vulnerability where an atta ...)
- nvidia-graphics-drivers <unfixed>
[trixie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
[bookworm] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
@@ -4107,7 +4302,7 @@ CVE-2025-23330
[bookworm] - nvidia-graphics-drivers-tesla-535 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-550 <unfixed>
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5703
-CVE-2025-23300
+CVE-2025-23300 (NVIDIA Display Driver for Linux contains a vulnerability in the kernel ...)
- nvidia-graphics-drivers <unfixed>
[trixie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
[bookworm] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
@@ -5281,7 +5476,7 @@ CVE-2025-25009 (Improper Neutralization of Input During Web Page Generation in K
- kibana <itp> (bug #700337)
CVE-2025-11419
- keycloak <itp> (bug #1088287)
-CVE-2025-11429
+CVE-2025-11429 (A flaw was found in Keycloak. Keycloak does not immediately enforce th ...)
- keycloak <itp> (bug #1088287)
CVE-2023-53687 (In the Linux kernel, the following vulnerability has been resolved: t ...)
- linux 6.4.11-1
@@ -17886,7 +18081,7 @@ CVE-2025-58445 (Atlantis is a self-hosted golang application that listens for Te
CVE-2025-58443 (FOG is a free open-source cloning/imaging/rescue suite/inventory manag ...)
NOT-FOR-US: FOG
CVE-2025-58438 (internetarchive is a Python and Command-Line Interface to Archive.org ...)
- {DLA-4314-1}
+ {DSA-6035-1 DLA-4314-1}
- python-internetarchive 5.5.1-1 (bug #1114635)
NOTE: https://github.com/jjjake/internetarchive/security/advisories/GHSA-wx3r-v6h7-frjp
NOTE: Merge commit: https://github.com/jjjake/internetarchive/commit/cba2d459e10a9489fb35caeba0b03e80f5f5d7c2 (v5.5.1)
@@ -36008,6 +36203,7 @@ CVE-2025-7363 (The TitleIcon extension for MediaWiki is vulnerable to stored XSS
CVE-2025-7362 (The MsUpload extension for MediaWiki is vulnerable to stored XSS via t ...)
NOT-FOR-US: MediaWiki extension MsUpload
CVE-2025-7345 (A flaw exists in gdk\u2011pixbuf within the gdk_pixbuf__jpeg_image_loa ...)
+ {DLA-4344-1}
- gdk-pixbuf 2.42.12+dfsg-4 (bug #1109262)
[bookworm] - gdk-pixbuf <postponed> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/249
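Review bot: the suite assessments for CVE-2025-7345 now disagree: the issue gets `{DLA-4344-1}` (an LTS update), while the line beneath keeps bookworm at `<postponed> (Minor issue)`. If the LTS team judged the gdk-pixbuf JPEG loader issue worth an update, the bookworm postponement should be revisited, either by scheduling it for a point release or by updating the reason to say why bookworm differs, so the two suites do not carry a contradictory severity for the same bug.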
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41b21243fcfafd47e0aca2448d079be135581af0