[Git][security-tracker-team/security-tracker][master] Associate some older NFUs with ghost, itp'ed entry

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Sep 18 06:19:31 BST 2025



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
abdc0738 by Salvatore Bonaccorso at 2025-09-18T07:18:55+02:00
Associate some older NFUs with ghost, itp'ed entry

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -120233,7 +120233,7 @@ CVE-2024-6337 (An Incorrect Authorization vulnerability was identified in GitHub
 CVE-2024-6322 (Access control for plugin data sources protected by the ReqActions jso ...)
 	- grafana <removed>
 CVE-2024-43409 (Ghost is a Node.js content management system. Improper authentication  ...)
-	NOT-FOR-US: Ghost
+	- ghost <itp> (bug #892150)
 CVE-2024-43408 (Discourse Placeholder Forms will let you build dynamic documentation.  ...)
 	NOT-FOR-US: Discourse Placeholder Forms
 CVE-2024-43406 (LF Edge eKuiper is a lightweight IoT data analytics and stream process ...)
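Review bot: no NOTE: line recording the upstream advisory or fixing commit is added for CVE-2024-43409 when it moves from NOT-FOR-US to the ghost <itp> entry, while other entries visible in this same patch carry one (the GHSA link on the cacti line for CVE-2023-31132, the kernel commit on the linux line for CVE-2023-32269). An <itp> entry is only a placeholder until the package is uploaded and the fixed version is filled in, so capturing the reference now saves re-researching each issue at that point. The marker format itself is correct and matches the existing `- nextcloud-server <itp> (bug #941708)` line in the last hunk.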
@@ -136779,7 +136779,7 @@ CVE-2024-36279 (Reliance on obfuscation or encryption of security-relevant input
 CVE-2024-36277 (Improper verification of cryptographic signature issue exists in "Free ...)
 	NOT-FOR-US: FreeFrom
 CVE-2024-34451 (Ghost through 5.85.1 allows remote attackers to bypass an authenticati ...)
-	NOT-FOR-US: Ghost
+	- ghost <itp> (bug #892150)
 CVE-2024-38468 (Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorize ...)
 	NOT-FOR-US: Shenzhen Guoxin Synthesis image system
 CVE-2024-38467 (Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorize ...)
@@ -143381,7 +143381,7 @@ CVE-2024-35409 (WeBid 1.1.2 is vulnerable to SQL Injection via admin/tax.php.)
 CVE-2024-35362 (Ecshop 3.6 is vulnerable to Cross Site Scripting (XSS) via ecshop/arti ...)
 	NOT-FOR-US: Ecshop
 CVE-2024-34448 (Ghost before 5.82.0 allows CSV Injection during a member CSV export.)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2024-33228 (An issue in the component segwindrvx64.sys of Insyde Software Corp SEG ...)
 	NOT-FOR-US: Insyde
 CVE-2024-33227 (An issue in the component ddcdrv.sys of Nicomsoft WinI2C/DDC v3.7.4.0  ...)
@@ -177960,7 +177960,7 @@ CVE-2024-25713 (yyjson through 0.8.0 has a double free, leading to remote code e
 CVE-2024-25712 (http-swagger before 1.2.6 allows XSS via PUT requests, because a file  ...)
 	NOT-FOR-US: http-swagger
 CVE-2024-23724 (Ghost through 5.76.0 allows stored XSS, and resultant privilege escala ...)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2024-21875 (Allocation of Resources Without Limits or Throttling vulnerability in  ...)
 	NOT-FOR-US: Team Hacker Hotel Badge
 CVE-2024-1432 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in DeepFaceL ...)
@@ -182022,7 +182022,7 @@ CVE-2024-23730 (The OpenAPI and ChatGPT plugin loaders in LlamaHub (aka llama-hu
 CVE-2024-23726 (Ubee DDW365 XCNDDW365 devices have predictable default WPA2 PSKs that  ...)
 	NOT-FOR-US: Ubee DDW365 XCNDDW365 and DDW366 XCNDXW3WB devices
 CVE-2024-23725 (Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XS ...)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2024-0769 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DI ...)
 	NOT-FOR-US: D-Link
 CVE-2024-0521 (Code Injection in paddlepaddle/paddle)
@@ -209295,7 +209295,7 @@ CVE-2023-4324 (Broadcom RAID Controller web interface is vulnerable due to insec
 CVE-2023-4323 (Broadcom RAID Controller web interface is vulnerable to improper sessi ...)
 	NOT-FOR-US: Broadcom RAID Controller web interface
 CVE-2023-40028 (Ghost is an open source content management system. Versions prior to 5 ...)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2023-40027 (Keystone is an open source headless CMS for Node.js \u2014 built with  ...)
 	NOT-FOR-US: Keystone CMS
 CVE-2023-39843 (Missing encryption in the RFID tag of Suleve 5-in-1 Smart Door Lock v1 ...)
@@ -221233,7 +221233,7 @@ CVE-2023-32269 (An issue was discovered in the Linux kernel before 6.1.11. In ne
 	[buster] - linux 4.19.282-1
 	NOTE: https://git.kernel.org/linus/611792920925fb088ddccbe2783c7f92fdfb6b64 (6.2-rc7)
 CVE-2023-32235 (Ghost before 5.42.1 allows remote attackers to read arbitrary files wi ...)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2023-32233 (In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_ta ...)
 	{DSA-5402-1 DLA-3508-1 DLA-3446-1}
 	- linux 6.1.27-1
@@ -221964,7 +221964,7 @@ CVE-2023-31135 (Dgraph is an open source distributed GraphQL database. Existing
 CVE-2023-31134 (Tauri is software for building applications for multi-platform deploym ...)
 	NOT-FOR-US: Tauri
 CVE-2023-31133 (Ghost is an app for new-media creators with tools to build a website,  ...)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2023-31132 (Cacti is an open source operational monitoring and fault management fr ...)
 	- cacti <not-affected> (Only affect Cacti Installer on Windows)
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-rf5w-pq3f-9876
@@ -236312,7 +236312,7 @@ CVE-2023-0997 (A vulnerability was found in SourceCodester Moosikay E-Commerce S
 CVE-2023-26511 (A Hard Coded Admin Credentials issue in the Web-UI Admin Panel in Prop ...)
 	NOT-FOR-US: Propius MachineSelector
 CVE-2023-26510 (Ghost 5.35.0 allows authorization bypass: contributors can view draft  ...)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2023-26509 (AnyDesk 7.0.8 allows remote Denial of Service.)
 	NOT-FOR-US: AnyDesk
 CVE-2023-26508
@@ -254239,13 +254239,13 @@ CVE-2022-47199
 CVE-2022-47198
 	RESERVED
 CVE-2022-47197 (An insecure default vulnerability exists in the Post Creation function ...)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2022-47196 (An insecure default vulnerability exists in the Post Creation function ...)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2022-47195 (An insecure default vulnerability exists in the Post Creation function ...)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2022-47194 (An insecure default vulnerability exists in the Post Creation function ...)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2022-46736
 	REJECTED
 CVE-2022-46729
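Review bot: CVE-2022-47194 through CVE-2022-47197 all carry the identical truncated description "An insecure default vulnerability exists in the Post Creation function ..." and are retagged identically, which is consistent; but with four distinct ids against one function and no NOTE: or version information on any of them, the eventual packager has no way to tell from this file whether a given upstream release closes one or all four. A single NOTE: on the group naming the upstream release that addresses them would make the ITP entries actionable.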
@@ -272980,7 +272980,7 @@ CVE-2022-41702 (The affected product DIAEnergie (versions prior to v1.9.01.002)
 CVE-2022-41701 (The affected product DIAEnergie (versions prior to v1.9.01.002) is vul ...)
 	NOT-FOR-US: DIAEnergie
 CVE-2022-41697 (A user enumeration vulnerability exists in the login functionality of  ...)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2022-41688 (Delta Electronics InfraSuite Device Master versions 00.00.01a and prio ...)
 	NOT-FOR-US: Delta Electronics
 CVE-2022-41683
@@ -272988,7 +272988,7 @@ CVE-2022-41683
 CVE-2022-41657 (Delta Electronics InfraSuite Device Master Versions 00.00.01a and prio ...)
 	NOT-FOR-US: Delta Electronics
 CVE-2022-41654 (An authentication bypass vulnerability exists in the newsletter subscr ...)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2022-41653 (Daikin SVMPC1 version 2.1.22 and prior and SVMPC2 version 1.2.3 and pr ...)
 	NOT-FOR-US: Daikin
 CVE-2022-41651 (The affected product DIAEnergie (versions prior to v1.9.01.002) is vul ...)
@@ -310449,7 +310449,7 @@ CVE-2022-28399
 CVE-2022-28398
 	RESERVED
 CVE-2022-28397 (An arbitrary file upload vulnerability in the file upload module of Gh ...)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2022-28396
 	REJECTED
 CVE-2022-28395
@@ -314595,7 +314595,7 @@ CVE-2022-27141
 CVE-2022-27140 (An arbitrary file upload vulnerability in the file upload module of ex ...)
 	NOT-FOR-US: Express FileUpload
 CVE-2022-27139 (An arbitrary file upload vulnerability in the file upload module of Gh ...)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2022-27138
 	RESERVED
 CVE-2022-27137
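Review bot: CVE-2022-27139 here and CVE-2022-28397 in the previous hunk share the same truncated description "An arbitrary file upload vulnerability in the file upload module of Gh ...", and both are switched to the ghost <itp> entry. Retagging them the same way is fine, but it is worth checking whether one id is a duplicate of the other and, if so, recording that on the entry so the ITP does not end up tracking the same issue twice; the file already marks withdrawn ids explicitly (CVE-2022-28396 in the earlier hunk is REJECTED), so a NOTE: pointing from one id to the other would follow existing practice.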
@@ -354286,7 +354286,7 @@ CVE-2021-39194 (kaml is an open source implementation of the YAML format with su
 CVE-2021-39193 (Frontier is Substrate's Ethereum compatibility layer. Prior to commit  ...)
 	NOT-FOR-US: Frontier
 CVE-2021-39192 (Ghost is a Node.js content management system. An error in the implemen ...)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2021-39191 (mod_auth_openidc is an authentication/authorization module for the Apa ...)
 	{DLA-3499-1}
 	- libapache2-mod-auth-openidc 2.4.9.4-1 (bug #993648)
@@ -379333,7 +379333,7 @@ CVE-2021-29486 (cumulative-distribution-function is an open source npm library u
 CVE-2021-29485 (Ratpack is a toolkit for creating web applications. In versions prior  ...)
 	NOT-FOR-US: Ratpack
 CVE-2021-29484 (Ghost is a Node.js CMS. An unused endpoint added during the developmen ...)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2021-29483 (ManageWiki is an extension to the MediaWiki project. The 'wikiconfig'  ...)
 	NOT-FOR-US: ManageWiki MediaWiki extension
 	NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/M7MVMBYMLNIVLHCWL2KKZGH36HYN4YON/
@@ -464617,7 +464617,7 @@ CVE-2020-8136 (Prototype pollution vulnerability in fastify-multipart < 1.0.5 al
 CVE-2020-8135 (The uppy npm package < 1.9.3 is vulnerable to a Server-Side Request Fo ...)
 	NOT-FOR-US: Node uppy
 CVE-2020-8134 (Server-side request forgery (SSRF) vulnerability in Ghost CMS < 3.10.0 ...)
-	NOT-FOR-US: Ghost CMS
+	- ghost <itp> (bug #892150)
 CVE-2020-8133 (A wrong generation of the passphrase for the encrypted block in Nextcl ...)
 	- nextcloud-server <itp> (bug #941708)
 CVE-2020-8132 (Lack of input validation in pdf-image npm package version <= 2.0.0 may ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abdc0738d90da9216852a5457a6e2731dde6ef7d




