Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4ccd2036 by security tracker role at 2025-09-30T20:12:45+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,14 +1,132 @@
-CVE-2025-10725
+CVE-2025-8877 (The AffiliateWP plugin for WordPress is vulnerable to SQL 
Injection vi ...)
+       TODO: check
+CVE-2025-8122 (Improper neutralization of input provided by an authorized user 
in art ...)
+       TODO: check
+CVE-2025-8121 (Improper neutralization of input provided by an authorized user 
in art ...)
+       TODO: check
+CVE-2025-8120 (Due to client-controlled permission check parameter, PAD CMS's 
upload  ...)
+       TODO: check
+CVE-2025-8119 (PAD CMS is vulnerable to Cross-Site Request Forgery in reset 
password' ...)
+       TODO: check
+CVE-2025-8118 (PAD CMS implements weak client-side brute-force protection by 
utilizin ...)
+       TODO: check
+CVE-2025-8117 (PAD CMS improperly initializes parameter used for password 
recovery, w ...)
+       TODO: check
+CVE-2025-8116 (PAD CMS is vulnerable to Reflected XSS in printing and save to 
PDF fun ...)
+       TODO: check
+CVE-2025-7779 (Local privilege escalation due to insecure XPC service 
configuration.  ...)
+       TODO: check
+CVE-2025-7065 (Due to client-controlled permission check parameter, PAD CMS's 
photo u ...)
+       TODO: check
+CVE-2025-7063 (Due to client-controlled permission check parameter, PAD CMS's 
file up ...)
+       TODO: check
+CVE-2025-6034 (There is a memory corruption vulnerability due to an out of 
bounds rea ...)
+       TODO: check
+CVE-2025-6033 (There is a memory corruption vulnerability due to an out of 
bounds wri ...)
+       TODO: check
+CVE-2025-57852 (A container privilege escalation flaw was found in KServe 
ModelMesh co ...)
+       TODO: check
+CVE-2025-57254 (An SQL injection vulnerability in user-login.php and index.php 
of Kart ...)
+       TODO: check
+CVE-2025-56676 (TitanSystems Zender v3.9.7 contains an account takeover 
vulnerability  ...)
+       TODO: check
+CVE-2025-56675 (The EKEN video doorbell T6 BT60PLUS_MAIN_V1.0_GC1084_20230531 
periodic ...)
+       TODO: check
+CVE-2025-56572 (An issue in finance.js v.4.1.0 allows a remote attacker to 
cause a den ...)
+       TODO: check
+CVE-2025-56571 (Finance.js v4.1.0 contains a Denial of Service (DoS) 
vulnerability via ...)
+       TODO: check
+CVE-2025-56520 (Dify v1.6.0 was discovered to contain a Server-Side Request 
Forgery (S ...)
+       TODO: check
+CVE-2025-56513 (NiceHash QuickMiner 6.12.0 perform software updates over HTTP 
without  ...)
+       TODO: check
+CVE-2025-56392 (An Insecure Direct Object Reference (IDOR) in the 
/dashboard/notes end ...)
+       TODO: check
+CVE-2025-56301 (An issue was discovered in Chipsalliance Rocket-Chip commit 
f517abbf41 ...)
+       TODO: check
+CVE-2025-56207 (A security flaw in the '_transfer' function of a smart 
contract implem ...)
+       TODO: check
+CVE-2025-56200 (A URL validation bypass vulnerability exists in validator.js 
through v ...)
+       TODO: check
+CVE-2025-56132 (LiquidFiles filetransfer server is vulnerable to a user 
enumeration is ...)
+       TODO: check
+CVE-2025-56018 (SourceCodester Web-based Pharmacy Product Management System 
V1.0 is vu ...)
+       TODO: check
+CVE-2025-55797 (An improper access control vulnerability in FormCms v0.5.4 in 
the /api ...)
+       TODO: check
+CVE-2025-54477 (Improper handling of authentication requests lead to a user 
enumeratio ...)
+       TODO: check
+CVE-2025-54476 (Improper handling of input could lead to an XSS vector in the 
checkAtt ...)
+       TODO: check
+CVE-2025-52050 (In Frappe ERPNext 15.57.5, the function 
get_loyalty_program_details_wi ...)
+       TODO: check
+CVE-2025-52049 (In Frappe ErpNext v15.57.5, the function 
get_timesheet_detail_rate() a ...)
+       TODO: check
+CVE-2025-52047 (In Frappe ErpNext v15.57.5, the function get_income_account() 
at erpne ...)
+       TODO: check
+CVE-2025-52043 (In Frappe ERPNext v15.57.5, the function import_coa() at 
erpnext/accou ...)
+       TODO: check
+CVE-2025-43827 (Insecure Direct Object Reference (IDOR) vulnerability with 
audit event ...)
+       TODO: check
+CVE-2025-41099 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD 
Workplan ...)
+       TODO: check
+CVE-2025-41098 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD 
Workplan ...)
+       TODO: check
+CVE-2025-41097 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD 
Workplan ...)
+       TODO: check
+CVE-2025-41096 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD 
Workplan ...)
+       TODO: check
+CVE-2025-41095 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD 
Workplan ...)
+       TODO: check
+CVE-2025-41094 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD 
Workplan ...)
+       TODO: check
+CVE-2025-41093 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD 
Workplan ...)
+       TODO: check
+CVE-2025-41092 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD 
Workplan ...)
+       TODO: check
+CVE-2025-41091 (Insecure Direct Object Reference (IDOR) vulnerability in BOLD 
Workplan ...)
+       TODO: check
+CVE-2025-36262 (IBM Planning Analytics Local 2.0.0 through 2.0.106 and 2.1.0 
through 2 ...)
+       TODO: check
+CVE-2025-36132 (IBM Planning Analytics Local 2.0.0 through 2.0.106 and 2.1.0 
through 2 ...)
+       TODO: check
+CVE-2025-34217 (Vasion Print (formerly PrinterLogic) Virtual Appliance Host 
and Applic ...)
+       TODO: check
+CVE-2025-28016 (A Reflected Cross-Site Scripting (XSS) vulnerability was found 
in logi ...)
+       TODO: check
+CVE-2025-23293 (NVIDIA Delegated Licensing Service for all appliance platforms 
contain ...)
+       TODO: check
+CVE-2025-23292 (NVIDIA Delegated Licensing Service for all appliance platforms 
contain ...)
+       TODO: check
+CVE-2025-23291 (NVIDIA Delegated Licensing Service for all appliance platforms 
contain ...)
+       TODO: check
+CVE-2025-11195 (Rapid7 AppSpider Pro versions below 7.5.021 suffer from a 
project name ...)
+       TODO: check
+CVE-2025-11178 (Local privilege escalation due to DLL hijacking vulnerability. 
The fol ...)
+       TODO: check
+CVE-2025-11153 (This vulnerability affects Firefox < 143.0.3.)
+       TODO: check
+CVE-2025-11152 (This vulnerability affects Firefox < 143.0.3.)
+       TODO: check
+CVE-2025-10859 (Cookie storage for non-HTML temporary documents was being 
shared incor ...)
+       TODO: check
+CVE-2025-10659 (The Telenium Online Web Application is vulnerable due to a PHP 
endpoin ...)
+       TODO: check
+CVE-2025-10217 (A vulnerability exists in Asset Suite for an authenticated 
user to man ...)
+       TODO: check
+CVE-2024-55017 (Account Takeover in Corezoid 6.6.0 in the OAuth2 
implementation via an ...)
+       TODO: check
+CVE-2025-10725 (A flaw was found in Red Hat Openshift AI Service. A 
low-privileged att ...)
        NOT-FOR-US: OpenShift AI
-CVE-2025-9230 [Out-of-bounds read & write in RFC 3211 KEK Unwrap]
+CVE-2025-9230 (Issue summary: An application trying to decrypt CMS messages 
encrypted ...)
        - openssl <unfixed>
        NOTE: https://openssl-library.org/news/secadv/20250930.txt
-CVE-2025-9231 [Timing side-channel in SM2 algorithm on 64 bit ARM]
+CVE-2025-9231 (Issue summary: A timing side-channel which could potentially 
allow rem ...)
        - openssl <unfixed>
        [bookworm] - openssl <not-affected> (Vulnerable code not present)
        [bullseye] - openssl <not-affected> (Vulnerable code not present)
        NOTE: https://openssl-library.org/news/secadv/20250930.txt
-CVE-2025-9232 [Out-of-bounds read in HTTP client no_proxy handling]
+CVE-2025-9232 (Issue summary: An application using the OpenSSL HTTP client API 
functi ...)
        - openssl <unfixed>
        [bullseye] - openssl <not-affected> (Vulnerable code not present)
        NOTE: https://openssl-library.org/news/secadv/20250930.txt
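Review bot: CVE-2025-11153 and CVE-2025-11152, near the end of the added block, are left at "TODO: check" although their descriptions name Firefox, which Debian packages, so they should be triaged to a package entry ahead of the rest of the batch. Separately, the CVE-2025-9230, CVE-2025-9231 and CVE-2025-9232 lines swap the bracketed titles (for example "[Timing side-channel in SM2 algorithm on 64 bit ARM]") for truncated text that starts with "Issue summary:", which no longer says at a glance what the bug is; only the NOTE links to the OpenSSL advisory still carry that information.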
@@ -241,7 +359,7 @@ CVE-2025-57197 (In the Payeer Android application 2.5.0, an 
improper access cont
        NOT-FOR-US: Payeer Android application
 CVE-2025-56807 (A cross-site scripting (XSS) vulnerability in FairSketch RISE 
Ultimate ...)
        NOT-FOR-US: FairSketch RISE Ultimate Project Manager & CRM
-CVE-2025-56795 (Mealie 3.0.1 and earlier is vulnerable to Cross-Site Scripting 
(XSS) i ...)
+CVE-2025-56795 (Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site 
Scripting  ...)
        NOT-FOR-US: Mealie
 CVE-2025-56764 (Trivision NC-227WF firmware 5.80 (build 20141010) login 
mechanism reve ...)
        NOT-FOR-US: Trivision NC-227WF firmware
@@ -310,6 +428,7 @@ CVE-2025-41246 (VMware Tools for Windows contains an 
improper authorisationvulne
 CVE-2025-41245 (VMware Aria Operations contains an information disclosure 
vulnerabilit ...)
        NOT-FOR-US: WMware
 CVE-2025-41244 (VMware Aria Operations and VMware Tools contain a local 
privilege esca ...)
+       {DLA-4316-1}
        - open-vm-tools 2:13.0.5-1
        [trixie] - open-vm-tools <no-dsa> (Will be fixed via point release)
        [bookworm] - open-vm-tools <no-dsa> (Will be fixed via point release)
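Review bot: The context line under CVE-2025-41245 reads "NOT-FOR-US: WMware", which looks like a typo for VMware; it is worth correcting in a follow-up so that searches on the vendor name find the entry.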
@@ -1245,7 +1364,7 @@ CVE-2025-29155 (An issue in petstore v.1.0.7 allows a 
remote attacker to execute
        NOT-FOR-US: petstore
 CVE-2025-27262 (Ericsson Indoor Connect 8855 contains a command injection 
vulnerabilit ...)
        NOT-FOR-US: Ericsson
-CVE-2025-27261 (Ericsson Indoor Connect 8855 contains a SQL injection 
vulnerability wh ...)
+CVE-2025-27261 (Ericsson Indoor Connect 8855 contains an SQL injection 
vulnerability w ...)
        NOT-FOR-US: Ericsson
 CVE-2025-26333 (Dell Crypto-J generates an error message that includes 
sensitive infor ...)
        NOT-FOR-US: Dell / EMC
@@ -3016,7 +3135,7 @@ CVE-2025-9079 (Mattermost versions 10.8.x <= 10.8.3, 
10.5.x <= 10.5.8, 9.11.x <=
        - mattermost-server <itp> (bug #823556)
 CVE-2025-8664 (Improper Neutralization of Input During Web Page Generation 
(XSS or 'C ...)
        NOT-FOR-US: StarCities E-Municipality Management
-CVE-2025-8532 (Authorization Bypass Through User-Controlled Key, CWE - 862 - 
Missing  ...)
+CVE-2025-8532 (Authorization Bypass Through User-Controlled Key, Improper 
Authorizati ...)
        NOT-FOR-US: eBA Document and Workflow Management System
 CVE-2025-8531 (Improper Handling of Length Parameter Inconsistency 
vulnerability in M ...)
        NOT-FOR-US: Mitsubishi
@@ -4627,7 +4746,7 @@ CVE-2025-8893 (A maliciously crafted PDF file, when 
parsed through certain Autod
        NOT-FOR-US: Autodesk
 CVE-2025-8446 (The Blaze Demo Importer plugin for WordPress is vulnerable to 
unauthor ...)
        NOT-FOR-US: WordPress plugin
-CVE-2025-8276 (Improper Encoding or Escaping of Output, Improper 
Neutralization of Sp ...)
+CVE-2025-8276 (Improper Neutralization of Input During Web Page Generation 
(XSS or 'C ...)
        NOT-FOR-US: Patika Global Technologies HumanSuite
 CVE-2025-8057 (Authorization Bypass Through User-Controlled Key, Externally 
Controlle ...)
        NOT-FOR-US: Patika Global Technologies HumanSuite
@@ -34404,7 +34523,7 @@ CVE-2025-4879 (Local Privilege escalation allows a 
low-privileged user to gain S
        NOT-FOR-US: Citrix
 CVE-2025-4754 (Insufficient Session Expiration vulnerability in ash-project 
ash_authe ...)
        NOT-FOR-US: ash-project ash_authentication_phoenix
-CVE-2025-7493
+CVE-2025-7493 (A privilege escalation flaw from host to domain administrator 
was foun ...)
        - freeipa <unfixed> (unimportant)
        NOTE: https://www.openwall.com/lists/oss-security/2025/09/30/6
        NOTE: FreeIPA in Debian only builds the client packages, not the server
@@ -170256,7 +170375,7 @@ CVE-2024-2121 (The Elementor Website Builder Pro 
plugin for WordPress is vulnera
        NOT-FOR-US: WordPress plugin
 CVE-2024-2120 (The Elementor Website Builder \u2013 More than Just a Page 
Builder plu ...)
        NOT-FOR-US: WordPress plugin
-CVE-2024-2097 (Authenticated List control client can execute the LINQ query in 
SCM Se ...)
+CVE-2024-2097 (An authenticated malicious client can send a special LINQ query 
to exe ...)
        NOT-FOR-US: Hitachi
 CVE-2024-29928 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
        NOT-FOR-US: WordPress plugin
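Review bot: The description on the CVE-2024-2120 context line contains a literal "\u2013" escape sequence where a dash character belongs, so the text was stored without being decoded; it would be worth decoding such escapes when descriptions are written to data/CVE/list.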



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ccd2036842fdbcdc3d6a45638f7b4650545a761
