Author: sectracker Date: 2017-08-02 21:10:13 +0000 (Wed, 02 Aug 2017) New Revision: 54212
Modified: data/CVE/list Log: automatic update Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-08-02 21:09:59 UTC (rev 54211) +++ data/CVE/list 2017-08-02 21:10:13 UTC (rev 54212) @@ -1,3 +1,5 @@ +CVE-2016-10403 + RESERVED CVE-2107-XXXX [Bogusly large chunk sizes may cause assert] - varnish <unfixed> (bug #870467) [stretch] - varnish 5.0.0-7+deb9u1 @@ -1758,8 +1760,8 @@ RESERVED CVE-2017-11495 (PHICOMM K2(PSG1218) devices V22.5.11.5 and earlier allow ...) NOT-FOR-US: PHICOMM -CVE-2017-11494 - RESERVED +CVE-2017-11494 (SQL injection vulnerability in SOL.Connect ISET-mpp meter 1.2.4.2 and ...) + TODO: check CVE-2017-11493 RESERVED CVE-2017-11492 @@ -1898,12 +1900,10 @@ NOT-FOR-US: Sitecore CVE-2017-11439 (In Sitecore 8.2, there is reflected XSS in the ...) NOT-FOR-US: Sitecore -CVE-2017-11438 [Projects in subgroups authorization bypass with SQL wildcards] - RESERVED +CVE-2017-11438 (GitLab Community Edition (CE) and Enterprise Edition (EE) before ...) - gitlab <not-affected> (Only affects 8.5 onwards) NOTE: https://about.gitlab.com/2017/07/19/gitlab-9-dot-3-dot-8-released/ -CVE-2017-11437 [Unauthorized repository access by using project mirrors and CI] - RESERVED +CVE-2017-11437 (GitLab Enterprise Edition (EE) before 8.17.7, 9.0.11, 9.1.8, 9.2.8, ...) - gitlab <not-affected> (Only affects Enterprise Edition) NOTE: https://gitlab.com/gitlab-org/gitlab-ee/issues/2905 NOTE: https://about.gitlab.com/2017/07/19/gitlab-9-dot-3-dot-8-released/ @@ -2092,8 +2092,8 @@ RESERVED CVE-2017-11365 RESERVED -CVE-2017-11364 - RESERVED +CVE-2017-11364 (The CMS installer in Joomla! before 3.7.4 does not verify a user's ...) + TODO: check CVE-2017-11363 RESERVED CVE-2017-11362 (In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ...) @@ -2124,10 +2124,10 @@ NOTE: Upstream bug report https://sourceforge.net/p/sox/bugs/296/ CVE-2017-11357 RESERVED -CVE-2017-11356 - RESERVED -CVE-2017-11355 - RESERVED +CVE-2017-11356 (The application distribution export functionality in PEGA Platform 7.2 ...) + TODO: check +CVE-2017-11355 (Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform ...) + TODO: check CVE-2017-11354 (Fiyo CMS v2.0.7 has an SQL injection vulnerability in ...) NOT-FOR-US: Fiyo CMS CVE-2017-11351 @@ -2220,8 +2220,7 @@ {DSA-3914-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867798) NOTE: https://github.com/ImageMagick/ImageMagick/issues/506 -CVE-2017-11334 [exec: oob access during dma operation] - RESERVED +CVE-2017-11334 (The address_space_write_continue function in exec.c in QEMU (aka Quick ...) - qemu <unfixed> (bug #869173) - qemu-kvm <removed> NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg03775.html @@ -3752,8 +3751,7 @@ RESERVED CVE-2017-10808 RESERVED -CVE-2017-10806 [usb-redirect: stack buffer overflow in debug logging] - RESERVED +CVE-2017-10806 (Stack-based buffer overflow in hw/usb/redirect.c in QEMU (aka Quick ...) - qemu <unfixed> (bug #867751) [stretch] - qemu <no-dsa> (Minor issue) [jessie] - qemu <no-dsa> (Minor issue) @@ -4127,8 +4125,7 @@ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1465756 CVE-2017-9997 RESERVED -CVE-2017-10664 [qemu-nbd: server breaks with SIGPIPE upon client abort] - RESERVED +CVE-2017-10664 (qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which ...) {DSA-3920-1} - qemu <unfixed> (bug #866674) [jessie] - qemu <no-dsa> (Minor issue) @@ -6231,10 +6228,10 @@ NOTE: https://caml.inria.fr/mantis/view.php?id=7557 CVE-2017-9771 (install\save.php in WebsiteBaker v2.10.0 allows remote attackers to ...) NOT-FOR-US: WebsiteBaker -CVE-2017-9770 - RESERVED -CVE-2017-9769 - RESERVED +CVE-2017-9770 (A specially crafted IOCTL can be issued to the rzpnk.sys driver in ...) + TODO: check +CVE-2017-9769 (A specially crafted IOCTL can be issued to the rzpnk.sys driver in ...) + TODO: check CVE-2017-9768 RESERVED CVE-2017-9767 @@ -7185,8 +7182,8 @@ - irssi 1.0.3-1 (bug #864400) NOTE: https://github.com/irssi/irssi/commit/528f51bfbe5c65c5b24546faa244009dd5b3c586 NOTE: https://irssi.org/security/irssi_sa_2017_06.txt -CVE-2017-9467 - RESERVED +CVE-2017-9467 (Cross-site scripting (XSS) vulnerability in the GlobalProtect external ...) + TODO: check CVE-2017-9466 (The executable httpd on the TP-Link WR841N V8 router before ...) NOT-FOR-US: TP-Link CVE-2017-9465 (The yr_arena_write_data function in YARA 3.6.1 allows remote attackers ...) @@ -7201,8 +7198,8 @@ - piwigo <removed> CVE-2017-9460 RESERVED -CVE-2017-9459 - RESERVED +CVE-2017-9459 (Cross-site scripting (XSS) vulnerability in the management web ...) + TODO: check CVE-2017-9458 RESERVED CVE-2017-9457 (Intense PC (aka MintBox 2) Phoenix SecureCore UEFI firmware does not ...) @@ -8003,14 +8000,14 @@ NOT-FOR-US: Allen Disk CVE-2017-9248 (Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 ...) NOT-FOR-US: Progress Telerik UI for ASP.NET AJAX -CVE-2017-9247 - RESERVED +CVE-2017-9247 (Multiple unquoted Windows search path vulnerabilities in Sierra ...) + TODO: check CVE-2017-9246 (New Relic .NET Agent before 6.3.123.0 adds SQL injection flaws to safe ...) NOT-FOR-US: New Relic .NET Agent CVE-2017-9245 (The Google News and Weather application before 3.3.1 for Android allows ...) NOT-FOR-US: Google News and Weather application for Android -CVE-2017-9244 - RESERVED +CVE-2017-9244 (Cross-site scripting (XSS) vulnerability in the Trello app before ...) + TODO: check CVE-2017-9243 (Aries QWR-1104 Wireless-N Router with Firmware Version WRC.253.2.0913 ...) NOT-FOR-US: Aries QWR-1104 Wireless-N Router CVE-2015-9059 (picocom before 2.0 has a command injection vulnerability in the 'send ...) @@ -10355,8 +10352,8 @@ NOTE: Introduced by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3239a4231ff79bf8b67b8faaf414b1667486167c CVE-2017-8391 (The OS Installation Management component in CA Client Automation r12.9, ...) NOT-FOR-US: OS Installation Management component in CA Client Automation -CVE-2017-8390 - RESERVED +CVE-2017-8390 (The DNS Proxy in Palo Alto Networks PAN-OS before 6.1.18, 7.x before ...) + TODO: check CVE-2017-8389 RESERVED CVE-2017-8388 (GeniXCMS 1.0.2 allows remote attackers to bypass the alertDanger ...) @@ -11812,8 +11809,7 @@ NOTE: So far only Apple's compiler has been shown to apply the problematic optimization, fixed in 0.5.3.1 upstream CVE-2017-7891 (sourcebans-pp (SourceBans++) 1.5.4.7 has XSS in admin.comms.php via the ...) NOT-FOR-US: SourceBans++ -CVE-2017-7890 [Buffer over-read into uninitialized memory] - RESERVED +CVE-2017-7890 (The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in ...) - php7.1 <unfixed> (unimportant) - php7.0 <unfixed> (unimportant) - php5 <removed> (unimportant) @@ -12646,8 +12642,8 @@ NOT-FOR-US: Management Web Interface in Palo Alto Networks PAN-OS CVE-2017-7643 (Proxifier for Mac before 2.19 allows local users to gain privileges ...) NOT-FOR-US: Proxifier for Mac -CVE-2017-7642 - RESERVED +CVE-2017-7642 (The sudo helper in the HashiCorp Vagrant VMware Fusion plugin (aka ...) + TODO: check CVE-2017-7641 RESERVED CVE-2017-7640 @@ -24334,8 +24330,8 @@ NOT-FOR-US: IBM CVE-2016-9982 (IBM Sterling B2B Integrator Standard Edition 5.2 could allow an ...) NOT-FOR-US: IBM -CVE-2016-9981 - RESERVED +CVE-2016-9981 (IBM AppScan Enterprise Edition 9.0 contains an unspecified ...) + TODO: check CVE-2016-9980 (IBM Curam Social Program Management 5.2, 6.0, and 7.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2016-9979 (IBM Curam Social Program Management 5.2, 6.0, and 7.0 is vulnerable to ...) @@ -28775,28 +28771,28 @@ NOT-FOR-US: mcollective-puppet-agent plugin on Windows CVE-2017-2289 RESERVED -CVE-2017-2288 - RESERVED -CVE-2017-2287 - RESERVED -CVE-2017-2286 - RESERVED -CVE-2017-2285 - RESERVED -CVE-2017-2284 - RESERVED -CVE-2017-2283 - RESERVED -CVE-2017-2282 - RESERVED -CVE-2017-2281 - RESERVED -CVE-2017-2280 - RESERVED -CVE-2017-2279 - RESERVED -CVE-2017-2278 - RESERVED +CVE-2017-2288 (Untrusted search path vulnerability in LhaForge Ver.1.6.5 and earlier ...) + TODO: check +CVE-2017-2287 (Untrusted search path vulnerability in NFC Port Software remover ...) + TODO: check +CVE-2017-2286 (Untrusted search path vulnerability in NFC Port Software Version ...) + TODO: check +CVE-2017-2285 (Cross-site scripting vulnerability in Simple Custom CSS and JS prior ...) + TODO: check +CVE-2017-2284 (Cross-site scripting vulnerability in Popup Maker prior to version ...) + TODO: check +CVE-2017-2283 (WN-G300R3 firmware version 1.0.2 and earlier uses hardcoded ...) + TODO: check +CVE-2017-2282 (Buffer overflow in WN-AX1167GR firmware version 3.00 and earlier ...) + TODO: check +CVE-2017-2281 (WN-AX1167GR firmware version 3.00 and earlier allows an attacker to ...) + TODO: check +CVE-2017-2280 (WN-AX1167GR firmware version 3.00 and earlier uses hardcoded ...) + TODO: check +CVE-2017-2279 (Untrusted search path vulnerability in Tween Ver1.6.6.0 and earlier ...) + TODO: check +CVE-2017-2278 (The RBB SPEED TEST App for Android version 2.0.3 and earlier, RBB ...) + TODO: check CVE-2017-2277 (WG-C10 v3.0.79 and earlier allows an attacker to bypass access ...) NOT-FOR-US: WG-C10 CVE-2017-2276 (Buffer overflow in WG-C10 v3.0.79 and earlier allows an attacker to ...) @@ -29075,8 +29071,8 @@ NOT-FOR-US: Tablacus Explorer CVE-2017-2139 (CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), ...) NOT-FOR-US: CS-Cart -CVE-2017-2138 - RESERVED +CVE-2017-2138 (Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese ...) + TODO: check CVE-2017-2137 (ProSAFE Plus Configuration Utility prior to 2.3.29 allows remote ...) NOT-FOR-US: ProSAFE Plus Configuration Utility CVE-2017-2136 (Cross-site scripting vulnerability in WP Statistics version 12.0.4 and ...) @@ -30351,7 +30347,7 @@ RESERVED CVE-2017-1501 RESERVED -CVE-2017-1500 (IBM Worklight 6.1, 6.2, 6.3, 7.0, 7.1, and 8.0 is vulnerable to ...) +CVE-2017-1500 (A Reflected Cross Site Scripting (XSS) vulnerability exists in the ...) NOT-FOR-US: IBM CVE-2017-1499 RESERVED @@ -30361,8 +30357,8 @@ RESERVED CVE-2017-1496 (IBM Sterling B2B Integrator Standard Edition 5.2.x is vulnerable to ...) NOT-FOR-US: IBM -CVE-2017-1495 - RESERVED +CVE-2017-1495 (IBM InfoSphere Information Server 9.1, 11.3, and 11.5 could allow a ...) + TODO: check CVE-2017-1494 RESERVED CVE-2017-1493 @@ -30415,10 +30411,10 @@ RESERVED CVE-2017-1469 RESERVED -CVE-2017-1468 - RESERVED -CVE-2017-1467 - RESERVED +CVE-2017-1468 (IBM InfoSphere Information Server 9.1, 11.3, and 11.5 could allow a ...) + TODO: check +CVE-2017-1467 (A network layer security vulnerability in InfoSphere Information ...) + TODO: check CVE-2017-1466 RESERVED CVE-2017-1465 @@ -30585,8 +30581,8 @@ RESERVED CVE-2017-1384 RESERVED -CVE-2017-1383 - RESERVED +CVE-2017-1383 (IBM InfoSphere Information Server 9.1, 11.3, and 11.5 is vulnerable to ...) + TODO: check CVE-2017-1382 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 might create ...) NOT-FOR-US: IBM CVE-2017-1381 (IBM WebSphere Application Server Proxy Server or On-demand-router ...) @@ -31115,8 +31111,8 @@ NOT-FOR-US: IBM CVE-2017-1119 RESERVED -CVE-2017-1118 - RESERVED +CVE-2017-1118 (IBM WebSphere MQ Internet Pass-Thru 2.0 and 2.1 could allow n attacker ...) + TODO: check CVE-2017-1117 (IBM WebSphere MQ 8.0 and 9.0 could allow an authenticated user to ...) NOT-FOR-US: IBM CVE-2017-1116 @@ -39629,10 +39625,10 @@ REJECTED CVE-2016-7846 REJECTED -CVE-2016-7845 - RESERVED -CVE-2016-7844 - RESERVED +CVE-2016-7845 (GigaCC OFFICE ver.2.3 and earlier allows remote attackers to upload ...) + TODO: check +CVE-2016-7844 (GigaCC OFFICE ver.2.3 and earlier allows remote attackers to execute ...) + TODO: check CVE-2016-7843 (Directory traversal vulnerability in AttacheCase for Java 0.60 and ...) NOT-FOR-US: AttacheCase CVE-2016-7842 (Directory traversal vulnerability in AttacheCase 2.8.2.8 and earlier ...) @@ -39698,8 +39694,8 @@ NOT-FOR-US: I-O DATA DEVICE CVE-2016-7813 (Cross-site scripting vulnerability in DERAEMON-CMS version 0.8.9 and ...) NOT-FOR-US: DERAEMON-CMS -CVE-2016-7812 - RESERVED +CVE-2016-7812 (The Bank of Tokyo-Mitsubishi UFJ, Ltd. App for Android ver5.3.1, ...) + TODO: check CVE-2016-7811 (Corega CG-WLR300NX firmware Ver. 1.20 and earlier allows an attacker ...) NOT-FOR-US: Corega CVE-2016-7810 (Cross-site scripting vulnerability in Corega CG-WLR300NX firmware Ver. ...) @@ -66020,8 +66016,8 @@ RESERVED CVE-2015-8265 (Huawei Mobile WiFi E5151 routers with software before ...) NOT-FOR-US: Huawei -CVE-2015-8264 - RESERVED +CVE-2015-8264 (Untrusted search path vulnerability in F-Secure Online Scanner allows ...) + TODO: check CVE-2015-8263 (NETGEAR WNR1000v3 devices with firmware 1.0.2.68 use the same source ...) NOT-FOR-US: NETGEAR CVE-2015-8262 (Buffalo WZR-600DHP2 devices with firmware 2.09, 2.13, and 2.16 use an ...) @@ -67128,8 +67124,8 @@ NOT-FOR-US: Samsung CVE-2015-7892 RESERVED -CVE-2015-7891 - RESERVED +CVE-2015-7891 (Race condition in the ioctl implementation in the Samsung Graphics 2D ...) + TODO: check CVE-2015-7890 RESERVED CVE-2015-7889 @@ -74732,8 +74728,7 @@ RESERVED CVE-2015-5204 (CRLF injection vulnerability in the Apache Cordova File Transfer ...) NOT-FOR-US: Apache Cordova Android File Transfer Plugin -CVE-2015-5203 [double free triggered by jasper_image_stop_load function] - RESERVED +CVE-2015-5203 (Double free vulnerability in the jasper_image_stop_load function in ...) - jasper <removed> (bug #796107) [jessie] - jasper <no-dsa> (Minor issue) [wheezy] - jasper <no-dsa> (Minor issue) @@ -76823,9 +76818,9 @@ NOT-FOR-US: WordPress plugin zM Ajax Login & Register CVE-2015-4464 RESERVED -CVE-2015-4463 (Unrestricted file upload vulnerability in eFront CMS before 3.6.15.5 ...) +CVE-2015-4463 (The file_manager component in eFront CMS before 3.6.15.5 allows remote ...) NOT-FOR-US: eFront CMS -CVE-2015-4462 (Unrestricted file upload vulnerability in eFront CMS before 3.6.15.5 ...) +CVE-2015-4462 (Absolute path traversal vulnerability in the file_manager component of ...) NOT-FOR-US: eFront CMS CVE-2015-4461 RESERVED @@ -79137,8 +79132,8 @@ NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/8 CVE-2015-3643 RESERVED -CVE-2015-3642 - RESERVED +CVE-2015-3642 (The TLS and DTLS processing functionality in Citrix NetScaler ...) + TODO: check CVE-2015-3641 RESERVED CVE-2015-3640 (phpMyBackupPro 2.5 and earlier does not properly escape the "." ...) @@ -82159,8 +82154,8 @@ NOT-FOR-US: AdBlock CVE-2015-2691 RESERVED -CVE-2015-2690 - RESERVED +CVE-2015-2690 (Multiple cross-site scripting (XSS) vulnerabilities in ...) + TODO: check CVE-2015-2704 (realmd allows remote attackers to inject arbitrary configurations in ...) - realmd 0.16.0-1 (bug #781179) [jessie] - realmd <no-dsa> (Minor issue) @@ -82552,8 +82547,8 @@ NOT-FOR-US: Joomla component com_ecommercewd CVE-2015-2561 RESERVED -CVE-2015-2560 - RESERVED +CVE-2015-2560 (Manage Engine Desktop Central 9 before build 90135 allows remote ...) + TODO: check CVE-2015-2558 (Use-after-free vulnerability in Microsoft Excel 2007 SP3, Excel 2010 ...) NOT-FOR-US: Microsoft CVE-2015-2557 (Buffer overflow in Microsoft Visio 2007 SP3 and 2010 SP2 allows remote ...) @@ -87071,8 +87066,8 @@ NOT-FOR-US: Exponent CMS CVE-2015-1176 (Cross-site scripting (XSS) vulnerability in upload/scp/tickets.php in ...) NOT-FOR-US: osTicket -CVE-2015-1174 - RESERVED +CVE-2015-1174 (Session fixation vulnerability in Unit4 Polska TETA Web (formerly TETA ...) + TODO: check CVE-2015-1173 (Unit4 Polska TETA Web (formerly TETA Galactica) 22.62.3.4 does not ...) NOT-FOR-US: Unit4 Polska TETA Web CVE-2015-1172 (Unrestricted file upload vulnerability in admin/upload-file.php in the ...) @@ -88423,8 +88418,7 @@ {DSA-3217-1 DLA-220-1} - dpkg 1.17.25 NOTE: Ubuntu fix for 1.15.x (version in squeeze): http://launchpadlibrarian.net/202647129/dpkg_1.15.5.6ubuntu4.9_1.15.5.6ubuntu4.10.diff.gz -CVE-2015-0839 [hp-plugin binary driver verification] - RESERVED +CVE-2015-0839 (The hp-plugin utility in HP Linux Imaging and Printing (HPLIP) makes ...) {DLA-775-1} - hplip 3.15.11+repack0-1 (bug #787353; bug #796015) [jessie] - hplip 3.14.6-1+deb8u1 @@ -92081,8 +92075,8 @@ NOT-FOR-US: IBM CVE-2015-0195 (Cross-site scripting (XSS) vulnerability in IBM Content Template ...) NOT-FOR-US: IBM -CVE-2015-0194 - RESERVED +CVE-2015-0194 (XML External Entity (XXE) vulnerability in IBM Sterling B2B Integrator ...) + TODO: check CVE-2015-0193 (Cross-site scripting (XSS) vulnerability in IBM Business Process ...) NOT-FOR-US: IBM Business Process Manager CVE-2015-0192 (Unspecified vulnerability in IBM Java 8 before SR1, 7 R1 before SR2 ...) @@ -92667,8 +92661,8 @@ RESERVED CVE-2014-8904 (lquerylv in cmdlvm in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x allows ...) NOT-FOR-US: IBM AIX, VIOS -CVE-2014-8903 - RESERVED +CVE-2014-8903 (IBM Curam Social Program Management 6.0 SP2 before EP26, 6.0.4 before ...) + TODO: check CVE-2014-8902 (Cross-site scripting (XSS) vulnerability in the Blog Portlet in IBM ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-8901 (IBM DB2 9.5 through FP10, 9.7 through FP10, 9.8 through FP5, 10.1 ...) @@ -139488,8 +139482,8 @@ NOT-FOR-US: Cisco IOS CVE-2012-5031 RESERVED -CVE-2012-5030 - RESERVED +CVE-2012-5030 (Cisco IOS before 15.2(4)S6 does not initialize an unspecified ...) + TODO: check CVE-2012-5029 RESERVED CVE-2012-5028 _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits