[Git][security-tracker-team/security-tracker][master] 2 commits: Process some NFUs

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue Sep 30 21:52:24 BST 2025 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
97b7e4bd by Salvatore Bonaccorso at 2025-09-30T22:52:10+02:00
Process some NFUs

- - - - -
5388eceb by Salvatore Bonaccorso at 2025-09-30T22:52:10+02:00
auto-nfu: Add another product variant for NVIDIA CNA rule

- - - - -


2 changed files:

- data/CVE/list
- data/packages/nfu.yaml


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,31 +1,31 @@
 CVE-2025-8877 (The AffiliateWP plugin for WordPress is vulnerable to SQL Injection vi ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2025-8122 (Improper neutralization of input provided by an authorized user in art ...)
-	TODO: check
+	NOT-FOR-US: PAD CMS
 CVE-2025-8121 (Improper neutralization of input provided by an authorized user in art ...)
-	TODO: check
+	NOT-FOR-US: PAD CMS
 CVE-2025-8120 (Due to client-controlled permission check parameter, PAD CMS's upload  ...)
-	TODO: check
+	NOT-FOR-US: PAD CMS
 CVE-2025-8119 (PAD CMS is vulnerable to Cross-Site Request Forgery in reset password' ...)
-	TODO: check
+	NOT-FOR-US: PAD CMS
 CVE-2025-8118 (PAD CMS implements weak client-side brute-force protection by utilizin ...)
-	TODO: check
+	NOT-FOR-US: PAD CMS
 CVE-2025-8117 (PAD CMS improperly initializes parameter used for password recovery, w ...)
-	TODO: check
+	NOT-FOR-US: PAD CMS
 CVE-2025-8116 (PAD CMS is vulnerable to Reflected XSS in printing and save to PDF fun ...)
-	TODO: check
+	NOT-FOR-US: PAD CMS
 CVE-2025-7779 (Local privilege escalation due to insecure XPC service configuration.  ...)
 	NOT-FOR-US: Acronis
 CVE-2025-7065 (Due to client-controlled permission check parameter, PAD CMS's photo u ...)
-	TODO: check
+	NOT-FOR-US: PAD CMS
 CVE-2025-7063 (Due to client-controlled permission check parameter, PAD CMS's file up ...)
-	TODO: check
+	NOT-FOR-US: PAD CMS
 CVE-2025-6034 (There is a memory corruption vulnerability due to an out of bounds rea ...)
 	NOT-FOR-US: National Instruments
 CVE-2025-6033 (There is a memory corruption vulnerability due to an out of bounds wri ...)
 	NOT-FOR-US: National Instruments
 CVE-2025-57852 (A container privilege escalation flaw was found in KServe ModelMesh co ...)
-	TODO: check
+	NOT-FOR-US: KServe ModelMesh container images
 CVE-2025-57254 (An SQL injection vulnerability in user-login.php and index.php of Kart ...)
 	NOT-FOR-US: Karthikg1908 Hospital Management System (HMS)
 CVE-2025-56676 (TitanSystems Zender v3.9.7 contains an account takeover vulnerability  ...)
@@ -33,11 +33,11 @@ CVE-2025-56676 (TitanSystems Zender v3.9.7 contains an account takeover vulnerab
 CVE-2025-56675 (The EKEN video doorbell T6 BT60PLUS_MAIN_V1.0_GC1084_20230531 periodic ...)
 	NOT-FOR-US: EKEN video doorbell
 CVE-2025-56572 (An issue in finance.js v.4.1.0 allows a remote attacker to cause a den ...)
-	TODO: check
+	NOT-FOR-US: Finance.js
 CVE-2025-56571 (Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via ...)
-	TODO: check
+	NOT-FOR-US: Finance.js
 CVE-2025-56520 (Dify v1.6.0 was discovered to contain a Server-Side Request Forgery (S ...)
-	TODO: check
+	NOT-FOR-US: Dify
 CVE-2025-56513 (NiceHash QuickMiner 6.12.0 perform software updates over HTTP without  ...)
 	NOT-FOR-US: NiceHash QuickMiner
 CVE-2025-56392 (An Insecure Direct Object Reference (IDOR) in the /dashboard/notes end ...)
@@ -45,63 +45,63 @@ CVE-2025-56392 (An Insecure Direct Object Reference (IDOR) in the /dashboard/not
 CVE-2025-56301 (An issue was discovered in Chipsalliance Rocket-Chip commit f517abbf41 ...)
 	NOT-FOR-US: Chipsalliance Rocket-Chip
 CVE-2025-56207 (A security flaw in the '_transfer' function of a smart contract implem ...)
-	TODO: check
+	NOT-FOR-US: Money Making Opportunity (MMO)
 CVE-2025-56200 (A URL validation bypass vulnerability exists in validator.js through v ...)
 	TODO: check
 CVE-2025-56132 (LiquidFiles filetransfer server is vulnerable to a user enumeration is ...)
-	TODO: check
+	NOT-FOR-US: LiquidFiles filetransfer server
 CVE-2025-56018 (SourceCodester Web-based Pharmacy Product Management System V1.0 is vu ...)
 	NOT-FOR-US: SourceCodester
 CVE-2025-55797 (An improper access control vulnerability in FormCms v0.5.4 in the /api ...)
-	TODO: check
+	NOT-FOR-US: FormCms
 CVE-2025-54477 (Improper handling of authentication requests lead to a user enumeratio ...)
 	NOT-FOR-US: Joomla
 CVE-2025-54476 (Improper handling of input could lead to an XSS vector in the checkAtt ...)
 	NOT-FOR-US: Joomla
 CVE-2025-52050 (In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_wi ...)
-	TODO: check
+	NOT-FOR-US: Frappe ERPNext
 CVE-2025-52049 (In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() a ...)
-	TODO: check
+	NOT-FOR-US: Frappe ERPNext
 CVE-2025-52047 (In Frappe ErpNext v15.57.5, the function get_income_account() at erpne ...)
-	TODO: check
+	NOT-FOR-US: Frappe ERPNext
 CVE-2025-52043 (In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accou ...)
-	TODO: check
+	NOT-FOR-US: Frappe ERPNext
 CVE-2025-43827 (Insecure Direct Object Reference (IDOR) vulnerability with audit event ...)
 	NOT-FOR-US: Liferay
 CVE-2025-41099 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplan ...)
-	TODO: check
+	NOT-FOR-US: BOLD Workplanner
 CVE-2025-41098 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplan ...)
-	TODO: check
+	NOT-FOR-US: BOLD Workplanner
 CVE-2025-41097 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplan ...)
-	TODO: check
+	NOT-FOR-US: BOLD Workplanner
 CVE-2025-41096 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplan ...)
-	TODO: check
+	NOT-FOR-US: BOLD Workplanner
 CVE-2025-41095 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplan ...)
-	TODO: check
+	NOT-FOR-US: BOLD Workplanner
 CVE-2025-41094 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplan ...)
-	TODO: check
+	NOT-FOR-US: BOLD Workplanner
 CVE-2025-41093 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplan ...)
-	TODO: check
+	NOT-FOR-US: BOLD Workplanner
 CVE-2025-41092 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplan ...)
-	TODO: check
+	NOT-FOR-US: BOLD Workplanner
 CVE-2025-41091 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplan ...)
-	TODO: check
+	NOT-FOR-US: BOLD Workplanner
 CVE-2025-36262 (IBM Planning Analytics Local 2.0.0 through 2.0.106 and 2.1.0 through 2 ...)
 	NOT-FOR-US: IBM
 CVE-2025-36132 (IBM Planning Analytics Local 2.0.0 through 2.0.106 and 2.1.0 through 2 ...)
 	NOT-FOR-US: IBM
 CVE-2025-34217 (Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Applic ...)
-	TODO: check
+	NOT-FOR-US: Vasion Print (formerly PrinterLogic)
 CVE-2025-28016 (A Reflected Cross-Site Scripting (XSS) vulnerability was found in logi ...)
 	NOT-FOR-US: PHPGurukul
 CVE-2025-23293 (NVIDIA Delegated Licensing Service for all appliance platforms contain ...)
-	TODO: check
+	NOT-FOR-US: NVIDIA
 CVE-2025-23292 (NVIDIA Delegated Licensing Service for all appliance platforms contain ...)
-	TODO: check
+	NOT-FOR-US: NVIDIA
 CVE-2025-23291 (NVIDIA Delegated Licensing Service for all appliance platforms contain ...)
-	TODO: check
+	NOT-FOR-US: NVIDIA
 CVE-2025-11195 (Rapid7 AppSpider Pro versions below 7.5.021 suffer from a project name ...)
-	TODO: check
+	NOT-FOR-US: Rapid7 AppSpider Pro
 CVE-2025-11178 (Local privilege escalation due to DLL hijacking vulnerability. The fol ...)
 	NOT-FOR-US: Acronis
 CVE-2025-11153 (This vulnerability affects Firefox < 143.0.3.)
@@ -111,11 +111,11 @@ CVE-2025-11152 (This vulnerability affects Firefox < 143.0.3.)
 CVE-2025-10859 (Cookie storage for non-HTML temporary documents was being shared incor ...)
 	TODO: check
 CVE-2025-10659 (The Telenium Online Web Application is vulnerable due to a PHP endpoin ...)
-	TODO: check
+	NOT-FOR-US: Telenium Online Web Application
 CVE-2025-10217 (A vulnerability exists in Asset Suite for an authenticated user to man ...)
 	NOT-FOR-US: Hitachi Energy
 CVE-2024-55017 (Account Takeover in Corezoid 6.6.0 in the OAuth2 implementation via an ...)
-	TODO: check
+	NOT-FOR-US: Corezoid
 CVE-2025-10725 (A flaw was found in Red Hat Openshift AI Service. A low-privileged att ...)
 	NOT-FOR-US: OpenShift AI
 CVE-2025-9230 (Issue summary: An application trying to decrypt CMS messages encrypted ...)
@@ -400,7 +400,7 @@ CVE-2025-35030 (Medical Informatics Engineering Enterprise Health has a cross si
 CVE-2025-34196 (Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions p ...)
 	NOT-FOR-US: Vasion Print (formerly PrinterLogic)
 CVE-2025-11155 (The credentials required to access the device's web server are sent in ...)
-	TODO: check
+	NOT-FOR-US: SATO
 CVE-2025-11150
 	REJECTED
 CVE-2025-11147 (Reflected cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vuln ...)


=====================================
data/packages/nfu.yaml
=====================================
@@ -367,6 +367,7 @@
     - cna: nvidia
     - anyOf:
       - product: AIStore
+      - product: DLS component of NVIDIA License System
       - product: Megatron LM
       - product: Megatron-LM
       - product: NVDebug tool



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a9721ae6f3604b89df07154c7f53dcb19f7d6f2a...5388eceb566b41d59d6b6c750be76ed89e47e19c

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a9721ae6f3604b89df07154c7f53dcb19f7d6f2a...5388eceb566b41d59d6b6c750be76ed89e47e19c
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250930/cd758354/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list