Author: sectracker
Date: 2017-10-16 21:10:18 +0000 (Mon, 16 Oct 2017)
New Revision: 56765

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-10-16 20:01:25 UTC (rev 56764)
+++ data/CVE/list       2017-10-16 21:10:18 UTC (rev 56765)
@@ -1,3 +1,9 @@
+CVE-2017-15384 (rate-me.php in Rate Me 1.0 has XSS via the id field in a rate 
action. ...)
+       TODO: check
+CVE-2017-15383 (Nero 7.10.1.0 has an unquoted BINARY_PATH_NAME for NBService, 
...)
+       TODO: check
+CVE-2017-15382
+       RESERVED
 CVE-2017-15381
        RESERVED
 CVE-2017-15380
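Review bot: both new TODO: check markers in this hunk look resolvable at triage rather than worth carrying forward. An unquoted BINARY_PATH_NAME for a service (CVE-2017-15383) is a Windows service-control-manager configuration flaw in proprietary Nero, and rate-me.php (CVE-2017-15384) is a standalone PHP script; unless the triager finds either packaged, `NOT-FOR-US: Nero` and `NOT-FOR-US: Rate Me` in the form used for osTicket and PRTG in the next hunk is the expected outcome.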
@@ -54,8 +60,8 @@
        NOT-FOR-US: Luracast Restler
 CVE-2017-15362 (osTicket 1.10.1 allows arbitrary client-side JavaScript code 
execution ...)
        NOT-FOR-US: osTicket
-CVE-2017-15361
-       RESERVED
+CVE-2017-15361 (The Infineon RSA library 1.02.013 in Infineon Trusted Platform 
Module ...)
+       TODO: check
 CVE-2017-15360 (PRTG Network Monitor version 17.3.33.2830 is vulnerable to 
stored ...)
        NOT-FOR-US: PRTG Network Monitor
 CVE-2017-15359
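Review bot: CVE-2017-15361 deserves priority over the other TODO: check entries in this commit. The flawed Infineon RSA library ships inside TPM firmware, which is not a Debian package, but RSA keys it generated may already sit in keyrings, certificates and authorized_keys files on Debian systems, so the resolution should record that context (and any key-checking tooling that gets packaged) in a NOTE: line rather than closing with a bare NOT-FOR-US that loses it.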
@@ -185,16 +191,16 @@
        NOTE: https://kate.io/blog/git-bomb/
        NOTE: https://github.com/Katee/git-bomb
        NOTE: No practical security implications
-CVE-2017-15297
-       RESERVED
-CVE-2017-15296
-       RESERVED
-CVE-2017-15295
-       RESERVED
-CVE-2017-15294
-       RESERVED
-CVE-2017-15293
-       RESERVED
+CVE-2017-15297 (SAP Hostcontrol does not require authentication for the SOAP 
...)
+       TODO: check
+CVE-2017-15296 (The Java component in SAP CRM has CSRF. This is SAP Security 
Note ...)
+       TODO: check
+CVE-2017-15295 (Xpress Server in SAP POS does not require authentication for 
...)
+       TODO: check
+CVE-2017-15294 (The Java administration console in SAP CRM has XSS. This is 
SAP ...)
+       TODO: check
+CVE-2017-15293 (Xpress Server in SAP POS does not require authentication for 
file read ...)
+       TODO: check
 CVE-2017-15292
        RESERVED
 CVE-2017-15291
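Review bot: the five SAP entries (Hostcontrol, CRM, POS) replace five RESERVED placeholders with descriptions that reference SAP Security Notes, i.e. proprietary products with no open-source upstream to track, so all five TODO: check markers can be resolved as NOT-FOR-US in one pass instead of being re-checked individually on the next run.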
@@ -227,8 +233,7 @@
 CVE-2017-XXXX [XSA 237]
        - xen <unfixed>
        NOTE: https://xenbits.xen.org/xsa/advisory-237.html
-CVE-2017-15289 [cirrus: OOB access issue in mode4and5 write functions]
-       RESERVED
+CVE-2017-15289 (The mode4and5 write functions in hw/display/cirrus_vga.c in 
Qemu allow ...)
        - qemu <unfixed>
        - qemu-kvm <removed>
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg02557.html
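Review bot: dropping RESERVED once the official description arrives is correct, and the bracketed working title [cirrus: OOB access issue in mode4and5 write functions] is fully covered by the new text, so nothing is lost. The stanza still reads qemu <unfixed> with only the qemu-devel patch posting as a reference; once that patch is merged, a `NOTE: Fixed by: <upstream commit URL>` line in the form used for the libextractor entry in the next hunk would let the fixed version be tracked.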
@@ -313,8 +318,7 @@
        NOTE: http://openwall.com/lists/oss-security/2017/10/11/1
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1499599
        NOTE: Fixed by: 
https://gnunet.org/git/libextractor.git/commit/?id=b577d5452c5c4ee9d552da62a24b95f461551fe2
-CVE-2017-15265 [use-after-free in /dev/snd/seq]
-       RESERVED
+CVE-2017-15265 (Use-after-free vulnerability in the Linux kernel before 
4.14-rc5 ...)
        - linux 4.13.4-2
        NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1062520
        NOTE: 
http://mailman.alsa-project.org/pipermail/alsa-devel/2017-October/126292.html
@@ -422,8 +426,8 @@
        RESERVED
 CVE-2017-15222
        RESERVED
-CVE-2017-15221
-       RESERVED
+CVE-2017-15221 (ASX to MP3 converter 3.1.3.7.2010.11.05 has a buffer overflow 
via a ...)
+       TODO: check
 CVE-2017-15220 (Flexense VX Search Enterprise 10.1.12 is vulnerable to a 
buffer ...)
        NOT-FOR-US: Flexense VX Search Enterprise
 CVE-2017-15219 (The dotCMS 4.1.1 application is vulnerable to Stored 
Cross-Site ...)
@@ -1186,8 +1190,8 @@
        NOTE: Fixed by: 
https://git.kernel.org/linus/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
 CVE-2017-14953
        RESERVED
-CVE-2017-14952
-       RESERVED
+CVE-2017-14952 (Double free in i18n/zonemeta.cpp in International Components 
for ...)
+       TODO: check
 CVE-2017-14951
        RESERVED
 CVE-2017-14950
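Review bot: CVE-2017-14952 should not stay at TODO: check: the affected file i18n/zonemeta.cpp in International Components for Unicode is ICU, which Debian ships as the icu source package, so this entry needs a package stanza (`- icu <unfixed>` plus a NOTE: with the upstream reference) rather than the NOT-FOR-US that most other TODO entries in this commit will resolve to. A double free in a library linked by many packages is also a candidate for a stable update.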
@@ -5999,14 +6003,17 @@
        RESERVED
 CVE-2017-13088
        RESERVED
+       {DSA-3999-1}
        - wpa 2:2.4-1.1
        NOTE: https://w1.fi/security/2017-1/
 CVE-2017-13087
        RESERVED
+       {DSA-3999-1}
        - wpa 2:2.4-1.1
        NOTE: https://w1.fi/security/2017-1/
 CVE-2017-13086
        RESERVED
+       {DSA-3999-1}
        - wpa 2:2.4-1.1
        NOTE: https://w1.fi/security/2017-1/
 CVE-2017-13085
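Review bot: {DSA-3999-1} is inserted between RESERVED and the package line, matching where the {DSA-...} references sit for CVE-2015-7504 and CVE-2014-0207 further down, so placement is fine. Two things to confirm: the three stanzas keep RESERVED even though an advisory now references them, so if descriptions were published with the DSA the next run should replace RESERVED as the other hunks here do; and CVE-2017-13085, which closes this hunk untouched, sits inside the tagged range, so the triager should check whether its exclusion from the DSA is intentional.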
@@ -6017,26 +6024,32 @@
        RESERVED
 CVE-2017-13082
        RESERVED
+       {DSA-3999-1}
        - wpa 2:2.4-1.1
        NOTE: https://w1.fi/security/2017-1/
 CVE-2017-13081
        RESERVED
+       {DSA-3999-1}
        - wpa 2:2.4-1.1
        NOTE: https://w1.fi/security/2017-1/
 CVE-2017-13080
        RESERVED
+       {DSA-3999-1}
        - wpa 2:2.4-1.1
        NOTE: https://w1.fi/security/2017-1/
 CVE-2017-13079
        RESERVED
+       {DSA-3999-1}
        - wpa 2:2.4-1.1
        NOTE: https://w1.fi/security/2017-1/
 CVE-2017-13078
        RESERVED
+       {DSA-3999-1}
        - wpa 2:2.4-1.1
        NOTE: https://w1.fi/security/2017-1/
 CVE-2017-13077
        RESERVED
+       {DSA-3999-1}
        - wpa 2:2.4-1.1
        NOTE: https://w1.fi/security/2017-1/
 CVE-2017-13076
@@ -46296,8 +46309,7 @@
        NOTE: Fixed by: http://svn.apache.org/r1767656 (8.0.x)
        NOTE: Fixed by: http://svn.apache.org/r1767676 (7.0.x)
        NOTE: Fixed by: http://svn.apache.org/r1767684 (6.0.x)
-CVE-2016-8734 [Unrestricted XML entity expansion in mod_dontdothat and 
Subversion clients using http(s)://]
-       RESERVED
+CVE-2016-8734 (Subversion's mod_dontdothat module and HTTP clients 1.4.0 
through ...)
        - subversion 1.9.5-1 (low)
        [jessie] - subversion 1.8.10-6+deb8u5
        [wheezy] - subversion <no-dsa> (Minor issue, binary packages not 
affected since built against Neon as HTTP library)
@@ -61011,8 +61023,8 @@
        NOTE: http://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt
 CVE-2016-4462 (By manipulating the URL parameter externalLoginKey, a 
malicious, ...)
        NOT-FOR-US: Apache OFBiz
-CVE-2016-4461
-       RESERVED
+CVE-2016-4461 (Apache Struts 2.x before 2.3.29 allows remote attackers to 
execute ...)
+       TODO: check
 CVE-2016-4460 (Apache Pony Mail 0.6c through 0.8b allows remote attackers to 
bypass ...)
        NOT-FOR-US: Apache Pony Mail
 CVE-2016-4459 (Stack-based buffer overflow in native/mod_manager/node.c in ...)
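Review bot: CVE-2016-4461 (Apache Struts 2.x before 2.3.29, remote code execution) sits among Apache entries that all resolve to NOT-FOR-US, and Debian has historically carried only the Struts 1.x branch, so after a quick archive check this TODO: check should close as `NOT-FOR-US: Apache Struts 2`; an RCE left at TODO is easy to misread as an open Debian issue.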
@@ -77900,8 +77912,7 @@
        - opensmtpd 5.7.3p1-1
        NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/10/04/2
        NOTE: Fixed with 5.7.3 upstream release
-CVE-2015-7687 [use-after-free issue in OpenSMTPD]
-       RESERVED
+CVE-2015-7687 (Use-after-free vulnerability in OpenSMTPD before 5.7.2 allows 
remote ...)
        - opensmtpd 5.7.3p1-1 (bug #800787)
 CVE-2015-7686 (Algorithmic complexity vulnerability in Address.pm in the ...)
        - libemail-address-perl <unfixed> (unimportant)
@@ -78490,8 +78501,7 @@
        - netsurf 3.2+dfsg-3 (bug #810491)
        [jessie] - netsurf <no-dsa> (netsurf already relies only entirely 
unsupported mozjs)
        [wheezy] - netsurf <no-dsa> (netsurf already relies only entirely 
unsupported mozjs)
-CVE-2015-7504 [net: pcnet: heap overflow vulnerability in loopback mode]
-       RESERVED
+CVE-2015-7504 (Heap-based buffer overflow in the pcnet_receive function in ...)
        {DSA-3471-1 DSA-3470-1 DSA-3469-1}
        - qemu 1:2.5+dfsg-1 (bug #806742)
        [squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
@@ -86275,8 +86285,8 @@
        NOT-FOR-US: EQ Event Calendar component for Joomla!
 CVE-2015-4653
        RESERVED
-CVE-2015-4650
-       RESERVED
+CVE-2015-4650 (Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x 
before ...)
+       TODO: check
 CVE-2015-4649 (Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x 
before ...)
        NOT-FOR-US: Aruba Networks ClearPass Policy Manager
 CVE-2015-4648 (Stack-based buffer overflow in the Ipropsapi.ipropsapiCtrl.1 
ActiveX ...)
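Review bot: CVE-2015-4650 can be resolved directly instead of being left at TODO: check: its visible description is identical to CVE-2015-4649 immediately below ("Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before ..."), which already carries NOT-FOR-US: Aruba Networks ClearPass Policy Manager, so the same line applies. The same pattern covers the Fiyo CMS pair later in this commit (CVE-2014-9148 and CVE-2014-9147, Fiyo CMS 2.0.1.8), whose neighbours CVE-2014-9146 and CVE-2014-9145 are already NOT-FOR-US: Fiyo CMS.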
@@ -90285,8 +90295,7 @@
        - 389-ds-base 1.3.3.12-1 (bug #789202)
        NOTE: https://fedorahosted.org/389/ticket/48194
        NOTE: Regression if https://fedorahosted.org/389/ticket/47838 applied
-CVE-2015-3229
-       RESERVED
+CVE-2015-3229 (fedora-cloud-atomic.ks in spin-kickstarts allows remote 
attackers to ...)
        NOT-FOR-US: Fedora Atomic
 CVE-2015-3228 (Integer overflow in the gs_heap_alloc_bytes function in ...)
        {DSA-3326-1 DLA-280-1}
@@ -91710,8 +91719,8 @@
        NOTE: Fixed in 5.6.8 and 5.4.40
 CVE-2015-2781 (Cross-site scripting (XSS) vulnerability in 
cgi-bin/hotspotlogin.cgi ...)
        NOT-FOR-US: Hotspot Express hotEx Billing Manager
-CVE-2015-2780
-       RESERVED
+CVE-2015-2780 (Unrestricted file upload vulnerability in Berta CMS allows 
remote ...)
+       TODO: check
 CVE-2015-2777
        RESERVED
 CVE-2015-2775 (Directory traversal vulnerability in GNU Mailman before 2.1.20, 
when ...)
@@ -101043,10 +101052,10 @@
        NOT-FOR-US: Adobe
 CVE-2014-9149
        RESERVED
-CVE-2014-9148
-       RESERVED
-CVE-2014-9147
-       RESERVED
+CVE-2014-9148 (Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended 
access ...)
+       TODO: check
+CVE-2014-9147 (Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive 
...)
+       TODO: check
 CVE-2014-9146 (Multiple cross-site scripting (XSS) vulnerabilities in Fiyo CMS 
...)
        NOT-FOR-US: Fiyo CMS
 CVE-2014-9145 (Multiple SQL injection vulnerabilities in Fiyo CMS 2.0.1.8 
allow ...)
@@ -103126,8 +103135,8 @@
        RESERVED
 CVE-2014-8622 (Cross-site scripting (XSS) vulnerability in 
compfight-search.php in ...)
        NOT-FOR-US: Compfight plugin for WordPress
-CVE-2014-8621
-       RESERVED
+CVE-2014-8621 (SQL injection vulnerability in the Store Locator plugin 2.3 
through ...)
+       TODO: check
 CVE-2014-8620
        RESERVED
 CVE-2014-8619 (Cross-site scripting (XSS) vulnerability in the autolearn ...)
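Review bot: CVE-2014-8621 is a WordPress plugin (Store Locator) like the Compfight entry just above it, and Debian packages WordPress core but no third-party plugins, so this TODO: check should become `NOT-FOR-US: Store Locator plugin for WordPress` in the form used for CVE-2014-8622; the post highlights plugin in CVE-2014-8087 in the next hunk will follow the same rule if it is also a WordPress plugin.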
@@ -104880,8 +104889,8 @@
        - ruby2.1 2.1.5-1 (bug #770932)
        NOTE: For the incomplete fix for CVE-2014-8080
        NOTE: 
https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/
-CVE-2014-8087
-       RESERVED
+CVE-2014-8087 (Cross-site scripting (XSS) vulnerability in the post highlights 
plugin ...)
+       TODO: check
 CVE-2014-8085 (Unrestricted file upload vulnerability in the 
CWebContact::doModel ...)
        NOT-FOR-US: OsClass
 CVE-2014-8084 (Directory traversal vulnerability in ...)
@@ -105544,8 +105553,7 @@
        NOT-FOR-US: JBoss AS/WildFly Domain Management
 CVE-2014-7852 (Cross-site scripting (XSS) vulnerability in JBoss RichFaces, as 
used ...)
        NOT-FOR-US: RichFaces
-CVE-2014-7851
-       RESERVED
+CVE-2014-7851 (oVirt 3.2.2 through 3.5.0 does not invalidate the restapi 
session ...)
        NOT-FOR-US: ovirt-engine-webadmin
 CVE-2014-7850 (Cross-site scripting (XSS) vulnerability in the Web UI in 
FreeIPA 4.x ...)
        - freeipa <unfixed> (unimportant)
@@ -115393,8 +115401,7 @@
        - drupal6 <not-affected> (Only affects Drupal 7)
 CVE-2014-3703 (OpenStack PackStack 2012.2.1, when the Open vSwitch (OVS) 
monolithic ...)
        NOT-FOR-US: Red Hat Openstack 4 Neutron
-CVE-2014-3702
-       RESERVED
+CVE-2014-3702 (Directory traversal vulnerability in eNovance eDeploy allows 
remote ...)
        - edeploy <itp> (bug #717664)
 CVE-2014-3701
        RESERVED
@@ -125887,8 +125894,7 @@
 CVE-2014-0209 (Multiple integer overflows in the (1) FontFileAddEntry and (2) 
...)
        {DSA-2927-1}
        - libxfont 1:1.4.7-2
-CVE-2014-0208
-       RESERVED
+CVE-2014-0208 (Cross-site scripting (XSS) vulnerability in the search 
auto-completion ...)
        - foreman <itp> (bug #663101)
 CVE-2014-0207 (The cdf_read_short_sector function in cdf.c in file before 
5.19, as ...)
        {DSA-3021-1 DSA-2974-1 DLA-27-1 DLA-0018-1}
@@ -126562,8 +126568,7 @@
        NOT-FOR-US: Apache CloudStack
 CVE-2014-0030 (The XML-RPC protocol support in Apache Roller before 5.0.3 
allows ...)
        NOT-FOR-US: Apache Roller
-CVE-2014-0029
-       RESERVED
+CVE-2014-0029 (Multiple cross-site scripting (XSS) vulnerabilities in the SAM 
web ...)
        NOT-FOR-US: Katello
 CVE-2014-0028 (libvirt 1.1.1 through 1.2.0 allows context-dependent attackers 
to ...)
        - libvirt 1.2.1-1


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits