Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8ff1881e by security tracker role at 2024-02-13T08:12:03+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,11 +1,183 @@
-CVE-2024-1459 [directory traversal vulnerability]
+CVE-2024-25914 (Cross-Site Request Forgery (CSRF) vulnerability in Photoboxone 
SMTP Ma ...)
+       TODO: check
+CVE-2024-25643 (The SAP Fiori app (My Overtime Request) - version 605, does 
not perfor ...)
+       TODO: check
+CVE-2024-25642 (Due to improper validation of certificate in SAP Cloud 
Connector - ver ...)
+       TODO: check
+CVE-2024-25407 (SteVe v3.6.0 was discovered to use predictable transaction 
ID's when r ...)
+       TODO: check
+CVE-2024-25360 (A hidden interface in Motorola CX2L Router firmware v1.0.1 
leaks infor ...)
+       TODO: check
+CVE-2024-25112 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
+       TODO: check
+CVE-2024-25110 (The UAMQP is a general purpose C library for AMQP 1.0. During 
a call t ...)
+       TODO: check
+CVE-2024-25108 (Pixelfed is an open source photo sharing platform. When 
processing req ...)
+       TODO: check
+CVE-2024-24935 (Cross-Site Request Forgery (CSRF) vulnerability in 
WpSimpleTools Basic ...)
+       TODO: check
+CVE-2024-24929 (Cross-Site Request Forgery (CSRF) vulnerability in Ryan Duff, 
Peter We ...)
+       TODO: check
+CVE-2024-24887 (Cross-Site Request Forgery (CSRF) vulnerability in Contest 
Gallery Pho ...)
+       TODO: check
+CVE-2024-24884 (Cross-Site Request Forgery (CSRF) vulnerability in ARI Soft 
Contact Fo ...)
+       TODO: check
+CVE-2024-24875 (Cross-Site Request Forgery (CSRF) vulnerability in Yannick 
Lefebvre Li ...)
+       TODO: check
+CVE-2024-24826 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
+       TODO: check
+CVE-2024-24743 (SAP NetWeaver AS Java (CAF - Guided Procedures) - version 
7.50, allows ...)
+       TODO: check
+CVE-2024-24742 (SAP CRM WebClient UI- version S4FND 102, S4FND 103, S4FND 104, 
S4FND 1 ...)
+       TODO: check
+CVE-2024-24741 (SAP Master Data Governance for Material Data - versions 618, 
619, 620, ...)
+       TODO: check
+CVE-2024-24740 (SAP NetWeaver Application Server (ABAP) - versions KERNEL 
7.53, KERNEL ...)
+       TODO: check
+CVE-2024-24739 (SAP Bank Account Management (BAM) allows an authenticated user 
with re ...)
+       TODO: check
+CVE-2024-24337 (CSV Injection vulnerability in '/members/moremember.pl' and 
'/admin/aq ...)
+       TODO: check
+CVE-2024-23833 (OpenRefine is a free, open source power tool for working with 
messy da ...)
+       TODO: check
+CVE-2024-23763 (SQL Injection vulnerability in Gambio through 4.9.2.0 allows 
attackers ...)
+       TODO: check
+CVE-2024-23762 (Unrestricted File Upload vulnerability in Content Manager 
feature in G ...)
+       TODO: check
+CVE-2024-23761 (Server Side Template Injection in Gambio 4.9.2.0 allows 
attackers to r ...)
+       TODO: check
+CVE-2024-23760 (Cleartext Storage of Sensitive Information in Gambio 4.9.2.0 
allows at ...)
+       TODO: check
+CVE-2024-23759 (Deserialization of Untrusted Data in Gambio through 4.9.2.0 
allows att ...)
+       TODO: check
+CVE-2024-23512 (Deserialization of Untrusted Data vulnerability in wpxpo 
ProductX \u20 ...)
+       TODO: check
+CVE-2024-22454 (Dell PowerProtect Data Manager, version 19.15 and prior 
versions, cont ...)
+       TODO: check
+CVE-2024-22445 (Dell PowerProtect Data Manager, version 19.15 and prior 
versions, cont ...)
+       TODO: check
+CVE-2024-22230 (Dell Unity, versions prior to 5.4, contains a Cross-site 
scripting vul ...)
+       TODO: check
+CVE-2024-22228 (Dell Unity, versions prior to 5.4, contains an OS Command 
Injection Vu ...)
+       TODO: check
+CVE-2024-22227 (Dell Unity, versions prior to 5.4, contains an OS Command 
Injection Vu ...)
+       TODO: check
+CVE-2024-22226 (Dell Unity, versions prior to 5.4, contain a path traversal 
vulnerabil ...)
+       TODO: check
+CVE-2024-22225 (Dell Unity, versions prior to 5.4, contains an OS Command 
Injection Vu ...)
+       TODO: check
+CVE-2024-22224 (Dell Unity, versions prior to 5.4, contains an OS Command 
Injection Vu ...)
+       TODO: check
+CVE-2024-22223 (Dell Unity, versions prior to 5.4, contains an OS Command 
Injection Vu ...)
+       TODO: check
+CVE-2024-22222 (Dell Unity, versions prior to 5.4, contains an OS Command 
Injection Vu ...)
+       TODO: check
+CVE-2024-22221 (Dell Unity, versions prior to 5.4, contains SQL Injection 
vulnerabilit ...)
+       TODO: check
+CVE-2024-22132 (SAP IDES ECC-systems contain code that permits the execution 
of arbitr ...)
+       TODO: check
+CVE-2024-22131 (In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 
740, 750 ...)
+       TODO: check
+CVE-2024-22130 (Print preview option inSAP CRM WebClient UI - versions S4FND 
102, S4FN ...)
+       TODO: check
+CVE-2024-22129 (SAP Companion - version <3.1.38, has a URL with parameter that 
could b ...)
+       TODO: check
+CVE-2024-22128 (SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 
756, SAP_U ...)
+       TODO: check
+CVE-2024-22126 (The User Admin application of SAP NetWeaver AS for Java - 
version 7.50 ...)
+       TODO: check
+CVE-2024-22024 (An XML external entity or XXE vulnerability in the SAML 
component of I ...)
+       TODO: check
+CVE-2024-21491 (Versions of the package svix before 1.17.0 are vulnerable to 
Authentic ...)
+       TODO: check
+CVE-2024-1439 (Inadequate access control in Moodle LMS. This vulnerability 
could allo ...)
+       TODO: check
+CVE-2024-1420
+       REJECTED
+CVE-2024-0566 (The Smart Manager WordPress plugin before 8.28.0 does not 
properly san ...)
+       TODO: check
+CVE-2024-0421 (The MapPress Maps for WordPress plugin before 2.88.16 does not 
ensure  ...)
+       TODO: check
+CVE-2024-0420 (The MapPress Maps for WordPress plugin before 2.88.15 does not 
sanitiz ...)
+       TODO: check
+CVE-2024-0250 (The Analytics Insights for Google Analytics 4 (AIWP) WordPress 
plugin  ...)
+       TODO: check
+CVE-2024-0248 (The EazyDocs WordPress plugin before 2.4.0 re-introduced 
CVE-2023-6029 ...)
+       TODO: check
+CVE-2024-0170 (Dell Unity, versions prior to 5.4, contains an OS Command 
Injection Vu ...)
+       TODO: check
+CVE-2024-0169 (Dell Unity, versions prior to 5.4, contains a cross-site 
scripting (XS ...)
+       TODO: check
+CVE-2024-0168 (Dell Unity, versions prior to 5.4, contains a Command Injection 
Vulner ...)
+       TODO: check
+CVE-2024-0167 (Dell Unity, versions prior to 5.4, contains an OS Command 
Injection Vu ...)
+       TODO: check
+CVE-2024-0166 (Dell Unity, versions prior to 5.4, contains an OS Command 
Injection Vu ...)
+       TODO: check
+CVE-2024-0165 (Dell Unity, versions prior to 5.4, contains an OS Command 
Injection Vu ...)
+       TODO: check
+CVE-2024-0164 (Dell Unity, versions prior to 5.4, contain an OS Command 
Injection Vul ...)
+       TODO: check
+CVE-2023-7233 (The GigPress WordPress plugin through 2.3.29 does not sanitise 
and esc ...)
+       TODO: check
+CVE-2023-6815 (Incorrect Privilege Assignment vulnerability in Mitsubishi 
Electric Co ...)
+       TODO: check
+CVE-2023-6591 (The Popup Box WordPress plugin before 20.9.0 does not sanitise 
and esc ...)
+       TODO: check
+CVE-2023-6501 (The Splashscreen WordPress plugin through 0.20 does not have 
CSRF chec ...)
+       TODO: check
+CVE-2023-6499 (The lasTunes WordPress plugin through 3.6.1 does not have CSRF 
check i ...)
+       TODO: check
+CVE-2023-6294 (The Popup Builder WordPress plugin before 4.2.6 does not 
validate a pa ...)
+       TODO: check
+CVE-2023-6082 (The chartjs WordPress plugin through 2023.2 does not sanitise 
and esca ...)
+       TODO: check
+CVE-2023-6081 (The chartjs WordPress plugin through 2023.2 does not sanitise 
and esca ...)
+       TODO: check
+CVE-2023-6036 (The Web3 WordPress plugin before 3.0.0 is vulnerable to an 
authenticat ...)
+       TODO: check
+CVE-2023-52431 (The Plack::Middleware::XSRFBlock package before 0.0.19 for 
Perl allows ...)
+       TODO: check
+CVE-2023-52430 (The caddy-security plugin 1.1.20 for Caddy allows reflected 
XSS via a  ...)
+       TODO: check
+CVE-2023-52060 (A Cross-Site Request Forgery (CSRF) in Gestsup v3.2.46 allows 
attacker ...)
+       TODO: check
+CVE-2023-52059 (A cross-site scripting (XSS) vulnerability in Gestsup v3.2.46 
allows a ...)
+       TODO: check
+CVE-2023-50358 (An OS command injection vulnerability has been reported to 
affect seve ...)
+       TODO: check
+CVE-2023-49339 (Ellucian Banner 9.17 allows Insecure Direct Object Reference 
(IDOR) vi ...)
+       TODO: check
+CVE-2023-47218 (An OS command injection vulnerability has been reported to 
affect seve ...)
+       TODO: check
+CVE-2023-46615 (Deserialization of Untrusted Data vulnerability in Kalli Dan. 
KD Comin ...)
+       TODO: check
+CVE-2023-42374 (An issue in mystenlabs Sui Blockchain before v.1.6.3 allow a 
remote at ...)
+       TODO: check
+CVE-2023-41708 (References to the "app loader" functionality could contain 
redirects t ...)
+       TODO: check
+CVE-2023-41707 (Processing of user-defined mail search expressions is not 
limited. Ava ...)
+       TODO: check
+CVE-2023-41706 (Processing time of drive search expressions now gets 
monitored, and th ...)
+       TODO: check
+CVE-2023-41705 (Processing of user-defined DAV user-agent strings is not 
limited. Avai ...)
+       TODO: check
+CVE-2023-41704 (Processing of CID references at E-Mail can be abused to inject 
malicio ...)
+       TODO: check
+CVE-2023-41703 (User ID references at mentions in document comments were not 
correctly ...)
+       TODO: check
+CVE-2022-48623 (The Cpanel::JSON::XS package before 4.33 for Perl performs 
out-of-boun ...)
+       TODO: check
+CVE-2021-4437 (A vulnerability, which was classified as problematic, has been 
found i ...)
+       TODO: check
+CVE-2024-1459 (A path traversal vulnerability was found in Undertow. This 
issue may a ...)
        - undertow <unfixed>
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2259475
-CVE-2024-1454 [Memory use after free in AuthentIC driver when updating token 
info]
+CVE-2024-1454 (The use-after-free vulnerability was found in the AuthentIC 
driver in  ...)
        - opensc <unfixed>
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2263929
        NOTE: Fixed by: 
https://github.com/OpenSC/OpenSC/commit/5835f0d4f6c033bd58806d33fa546908d39825c9
-CVE-2023-6681 [JWCrypto: denail of service Via specifically crafted JWE]
+CVE-2023-6681 (A vulnerability was found in JWCrypto. This flaw allows an 
attacker to ...)
        - python-jwcrypto <unfixed>
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2260843
 CVE-2023-6110 [deleting a non existing access rule deletes another existing 
access rule in it's scope]
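Review bot: the entries that gain a Debian package line in this hunk are uneven on fix references: CVE-2024-1454 (opensc) carries a `NOTE: Fixed by:` line pointing at the OpenSC commit, but CVE-2024-1459 (undertow) and CVE-2023-6681 (python-jwcrypto) carry only the Red Hat bugzilla link, so their `<unfixed>` status cannot be matched against an upstream revision; add the upstream fix reference to each once it is known. The 80-odd new `TODO: check` entries also include families the file already resolves by convention elsewhere in this patch (WordPress plugins as `NOT-FOR-US: WordPress plugin`, Dell, SAP, HCL and IBM products as `NOT-FOR-US: <vendor>`), so the next triage pass can close those in bulk and spend the time on the library CVEs (Exiv2, UAMQP, the two Perl modules, OpenRefine, svix) that need a real package lookup.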
@@ -607,7 +779,7 @@ CVE-2023-6386 [ReDoS in CI/CD Pipeline Editor while 
verifying Pipeline syntax]
 CVE-2023-6840 (An issue has been discovered in GitLab EE affecting all 
versions from  ...)
        - gitlab 16.6.7-1
        NOTE: 
https://about.gitlab.com/releases/2024/02/07/security-release-gitlab-16-8-2-released/#project-maintainers-can-bypass-groups-scan-result-policy-block_branch_modification-setting
-CVE-2024-1250 [Restrict group access token creation for custom roles]
+CVE-2024-1250 (An issue has been discovered in GitLab EE affecting all 
versions start ...)
        - gitlab <not-affected> (Only affects 16.8.y)
        NOTE: 
https://about.gitlab.com/releases/2024/02/07/security-release-gitlab-16-8-2-released/#restrict-group-access-token-creation-for-custom-roles
 CVE-2024-25201 (Espruino 2v20 (commit fcc9ba4) was discovered to contain an 
Out-of-bou ...)
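Review bot: the `<not-affected> (Only affects 16.8.y)` line for CVE-2024-1250 should be checked against the linked release post, because the new description opens with "affecting all versions start...", which is the wording GitLab uses for a version range rather than for a single minor series; if the range really is confined to 16.8.x, quote it in the NOTE so the not-affected claim is self-documenting rather than resting on the truncated description.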
@@ -1298,12 +1470,12 @@ CVE-2024-24262 (media-server v1.0.0 was discovered to 
contain a Use-After-Free (
        NOT-FOR-US: media-server
 CVE-2024-24260 (media-server v1.0.0 was discovered to contain a Use-After-Free 
(UAF) v ...)
        NOT-FOR-US: media-server
-CVE-2024-24259
+CVE-2024-24259 (freeglut through 3.4.0 was discovered to contain a memory leak 
via the ...)
        - freeglut <unfixed> (bug #1063801)
        NOTE: 
https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_2.md
        NOTE: https://github.com/freeglut/freeglut/pull/155
        NOTE: Fixed by: 
https://github.com/freeglut/freeglut/commit/9ad320c1ad1a25558998ddfe47674511567fec57
-CVE-2024-24258
+CVE-2024-24258 (freeglut 3.4.0 was discovered to contain a memory leak via the 
menuEnt ...)
        - freeglut <unfixed> (bug #1063801)
        NOTE: 
https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_1.md
        NOTE: https://github.com/freeglut/freeglut/pull/155
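Review bot: CVE-2024-24258 lacks the `NOTE: Fixed by:` commit line that its sibling CVE-2024-24259 has, although both cite freeglut PR #155 and share bug #1063801; if that PR fixes both leaks, add the same commit reference to CVE-2024-24258 (or the separate commit if the menuEntry leak was fixed on its own) so the bug can be closed against a concrete upstream revision. Both issues are memory leaks, so consider adding `<no-dsa> (Minor issue)` lines for the stable suites, as the 389-ds-base entry in the next hunk does, rather than leaving them as bare `<unfixed>`.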
@@ -2217,7 +2389,7 @@ CVE-2023-31505 (An arbitrary file upload vulnerability in 
Schlix CMS v2.2.8-1, a
        NOT-FOR-US: Schlix CMS
 CVE-2023-2439 (The UserPro plugin for WordPress is vulnerable to Stored 
Cross-Site Sc ...)
        NOT-FOR-US: WordPress plugin
-CVE-2024-1062 [a heap overflow leading to denail-of-servce while writing a 
value larger than 256 chars (in log_entry_attr)]
+CVE-2024-1062 (A heap overflow flaw was found in 389-ds-base. This issue leads 
to a d ...)
        - 389-ds-base <unfixed>
        [bookworm] - 389-ds-base <no-dsa> (Minor issue)
        [bullseye] - 389-ds-base <no-dsa> (Minor issue)
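Review bot: the CVE-2024-1062 entry has no `NOTE:` reference at all, unlike every other package entry touched by this patch, and the removed free-form text described a heap overflow when writing a value longer than 256 chars in log_entry_attr, which the new description only characterises as leading to a denial of service; add the upstream bug or fix commit, and record in the `<no-dsa> (Minor issue)` lines what makes an out-of-bounds heap write minor here (for example that it needs an authenticated or privileged caller), since that is the justification a reader of the bookworm/bullseye status will look for.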
@@ -53613,8 +53785,8 @@ CVE-2023-28020 (URL redirection in Login page in HCL 
BigFix WebUI allows malicio
        NOT-FOR-US: HCL
 CVE-2023-28019 (Insufficient validation in Bigfix WebUI API App site version < 
14 allo ...)
        NOT-FOR-US: HCL
-CVE-2023-28018
-       RESERVED
+CVE-2023-28018 (HCL Connections is vulnerable to a denial of service, caused 
by improp ...)
+       TODO: check
 CVE-2023-28017 (HCL Connections is vulnerable to a cross-site scripting attack 
where a ...)
        NOT-FOR-US: HCL
 CVE-2023-28016 (Host Header Injection vulnerability in the HCL BigFix OSD Bare 
Metal S ...)
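Review bot: CVE-2023-28018 is set to `TODO: check` although it is an HCL Connections issue and the surrounding CVE-2023-28019 and CVE-2023-28017 entries for the same vendor resolve to `NOT-FOR-US: HCL`; resolve it the same way unless HCL Connections has a Debian package, which nothing in this hunk suggests.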
@@ -102508,8 +102680,8 @@ CVE-2020-36601 (Out-of-bounds write vulnerability in 
the kernel modules. Success
        NOT-FOR-US: Huawei
 CVE-2020-36600 (Out-of-bounds write vulnerability in the power consumption 
module. Suc ...)
        NOT-FOR-US: Huawei
-CVE-2022-38714
-       RESERVED
+CVE-2022-38714 (IBM DataStage on Cloud Pak for Data 4.0.6 to 4.5.2 stores 
sensitive cr ...)
+       TODO: check
 CVE-2022-38713
        RESERVED
 CVE-2022-38712 ("IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Web 
services  ...)
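Review bot: CVE-2022-38714 (IBM DataStage on Cloud Pak for Data) lands as `TODO: check`, but IBM products elsewhere in this patch are resolved as `NOT-FOR-US: IBM` (the CICS TX and Robotic Process Automation entries in the later hunks), and the neighbouring Huawei entries here follow the same pattern; unless there is a Debian package for DataStage, mark it `NOT-FOR-US: IBM` directly instead of leaving it open.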
@@ -114948,12 +115120,12 @@ CVE-2022-34313 (IBM CICS TX 11.1 does not set the 
secure attribute on authorizat
        NOT-FOR-US: IBM
 CVE-2022-34312 (IBM CICS TX 11.1 allows web pages to be stored locally which 
can be re ...)
        NOT-FOR-US: IBM
-CVE-2022-34311
-       RESERVED
-CVE-2022-34310
-       RESERVED
-CVE-2022-34309
-       RESERVED
+CVE-2022-34311 (IBM CICS TX Standard and Advanced 11.1 could allow a user with 
physica ...)
+       TODO: check
+CVE-2022-34310 (IBM CICS TX Standard and Advanced 11.1 uses weaker than 
expected crypt ...)
+       TODO: check
+CVE-2022-34309 (IBM CICS TX Standard and Advanced 11.1 uses weaker than 
expected crypt ...)
+       TODO: check
 CVE-2022-34308 (IBM CICS TX 11.1 could allow a local user to cause a denial of 
service ...)
        NOT-FOR-US: IBM
 CVE-2022-34307 (IBM CICS TX 11.1 does not set the secure attribute on 
authorization to ...)
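Review bot: the three IBM CICS TX 11.1 entries CVE-2022-34311, CVE-2022-34310 and CVE-2022-34309 come in as `TODO: check` while the adjacent CICS TX entries CVE-2022-34312 and CVE-2022-34308 are `NOT-FOR-US: IBM`; since they concern the same product and version they should be closed the same way. CVE-2022-34310 and CVE-2022-34309 also have identical truncated descriptions ("uses weaker than expected crypt..."), so when resolving them confirm that they are genuinely distinct issues rather than a duplicate assignment.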
@@ -151233,8 +151405,8 @@ CVE-2022-22508 (Improper Input Validation 
vulnerability in multiple CODESYS V3 p
        NOT-FOR-US: CODESYS
 CVE-2022-22507
        REJECTED
-CVE-2022-22506
-       RESERVED
+CVE-2022-22506 (IBM Robotic Process Automation 21.0.2 contains a vulnerability 
that co ...)
+       TODO: check
 CVE-2022-22505 (IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 
contains a v ...)
        NOT-FOR-US: IBM
 CVE-2022-22504
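Review bot: CVE-2022-22506 (IBM Robotic Process Automation 21.0.2) is left as `TODO: check` while CVE-2022-22505, for the same product and version, is `NOT-FOR-US: IBM` two lines below; mark it `NOT-FOR-US: IBM` as well so the two entries stay consistent.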



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ff1881e345fa9d109c75cac1adcb810ef77459d



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
