Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
43ba09d1 by Salvatore Bonaccorso at 2025-07-08T06:00:34+02:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -110,21 +110,21 @@ CVE-2025-6210 (A vulnerability in the ObsidianReader
class of the run-llama/llam
CVE-2025-6209 (A path traversal vulnerability exists in run-llama/llama_index
version ...)
NOT-FOR-US: llama/llama_index
CVE-2025-6044 (An Improper Access Control vulnerability in the Stylus Tools
component ...)
- TODO: check
+ NOT-FOR-US: Stylus Tools component of Google ChromeOS
CVE-2025-5472 (The JSONReader in run-llama/llama_index versions 0.12.28 is
vulnerable ...)
NOT-FOR-US: llama/llama_index
CVE-2025-53543 (Kestra is an event-driven orchestration platform. The error
message in ...)
- TODO: check
+ NOT-FOR-US: Kestra
CVE-2025-53540 (arduino-esp32 is an Arduino core for the ESP32, ESP32-S2,
ESP32-S3, ES ...)
- TODO: check
+ NOT-FOR-US: arduino-esp32
CVE-2025-53539 (FastAPI Guard is a security library for FastAPI that provides
middlewa ...)
- TODO: check
+ NOT-FOR-US: FastAPI Guard
CVE-2025-53536 (Roo Code is an AI-powered autonomous coding agent. Prior to
3.22.6, if ...)
- TODO: check
+ NOT-FOR-US: Roo Code
CVE-2025-53535 (Better Auth is an authentication and authorization library for
TypeScr ...)
- TODO: check
+ NOT-FOR-US: Better Auth
CVE-2025-53532 (giscus is a commenting system powered by GitHub Discussions. A
bug in ...)
- TODO: check
+ NOT-FOR-US: giscus
CVE-2025-53531 (WeGIA is a web manager for charitable institutions. The Wegia
server h ...)
NOT-FOR-US: WeGIA
CVE-2025-53530 (WeGIA is a web manager for charitable institutions. The Wegia
server h ...)
@@ -160,35 +160,35 @@ CVE-2025-53478 (The CheckUser extension\u2019s
Special:Investigate interface is
CVE-2025-53377 (WeGIA is a web manager for charitable institutions. A
Reflected Cross- ...)
NOT-FOR-US: WeGIA
CVE-2025-53376 (Dokploy is a self-hostable Platform as a Service (PaaS) that
simplifie ...)
- TODO: check
+ NOT-FOR-US: Dokploy
CVE-2025-53375 (Dokploy is a self-hostable Platform as a Service (PaaS) that
simplifie ...)
- TODO: check
+ NOT-FOR-US: Dokploy
CVE-2025-53374 (Dokploy is a self-hostable Platform as a Service (PaaS) that
simplifie ...)
- TODO: check
+ NOT-FOR-US: Dokploy
CVE-2025-53373 (Natours is a Tour Booking API. The attacker can easily take
over any v ...)
- TODO: check
+ NOT-FOR-US: Natours
CVE-2025-52492 (A vulnerability has been discovered in the firmware of Paxton
Paxton10 ...)
- TODO: check
+ NOT-FOR-US: firmware of Paxton Paxton10
CVE-2025-4779 (lunary-ai/lunary versions prior to 1.9.24 are vulnerable to
stored cro ...)
- TODO: check
+ NOT-FOR-US: lunary-ai/lunary
CVE-2025-48367 (Redis is an open source, in-memory database that persists on
disk. An ...)
TODO: check
CVE-2025-47202 (In RRC in Samsung Mobile Processor, Wearable Processor, and
Modem Exyn ...)
- TODO: check
+ NOT-FOR-US: Samsung
CVE-2025-45479 (Insufficient security mechanisms for created containers in
educoder ch ...)
- TODO: check
+ NOT-FOR-US: educoder challenges
CVE-2025-45065 (employee record management system in php and mysql v1 was
discovered t ...)
- TODO: check
+ NOT-FOR-US: employee record management system
CVE-2025-43933 (fblog through 983bede allows account takeover via the password
reset f ...)
- TODO: check
+ NOT-FOR-US: fblog
CVE-2025-43932 (JobCenter through 7e7b0b2 allows account takeover via the
password res ...)
- TODO: check
+ NOT-FOR-US: JobCenter
CVE-2025-43931 (flask-boilerplate through a170e7c allows account takeover via
the pass ...)
TODO: check
CVE-2025-43930 (Hashview 0.8.1 allows account takeover via the password reset
feature ...)
- TODO: check
+ NOT-FOR-US: Hashview
CVE-2025-3920 (A vulnerability was identified in SUR-FBD CMMS where hard-coded
creden ...)
- TODO: check
+ NOT-FOR-US: SUR-FBD CMMS
CVE-2025-3777 (Hugging Face Transformers versions up to 4.49.0 are affected by
an imp ...)
TODO: check
CVE-2025-3705 (A physical attacker with no privileges can gain full control of
the af ...)
@@ -196,9 +196,9 @@ CVE-2025-3705 (A physical attacker with no privileges can
gain full control of t
CVE-2025-3626 (A remote attacker with administrator account can gain full
control of ...)
TODO: check
CVE-2025-3467 (An XSS vulnerability exists in langgenius/dify versions prior
to 1.1.3 ...)
- TODO: check
+ NOT-FOR-US: Dify
CVE-2025-3466 (langgenius/dify versions 1.1.0 to 1.1.2 are vulnerable to
unsanitized ...)
- TODO: check
+ NOT-FOR-US: Dify
CVE-2025-3264 (A Regular Expression Denial of Service (ReDoS) vulnerability
was disco ...)
TODO: check
CVE-2025-3263 (A Regular Expression Denial of Service (ReDoS) vulnerability
was disco ...)
@@ -206,17 +206,17 @@ CVE-2025-3263 (A Regular Expression Denial of Service
(ReDoS) vulnerability was
CVE-2025-3262 (A Regular Expression Denial of Service (ReDoS) vulnerability
was disco ...)
TODO: check
CVE-2025-3225 (An XML Entity Expansion vulnerability, also known as a 'billion
laughs ...)
- TODO: check
+ NOT-FOR-US: run-llama/llama_index
CVE-2025-3046 (A vulnerability in the `ObsidianReader` class of the
run-llama/llama_i ...)
- TODO: check
+ NOT-FOR-US: run-llama/llama_index
CVE-2025-3044 (A vulnerability in the ArxivReader class of the
run-llama/llama_index ...)
- TODO: check
+ NOT-FOR-US: run-llama/llama_index
CVE-2025-36014 (IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.5 is
vulnerable t ...)
NOT-FOR-US: IBM
CVE-2025-32023 (Redis is an open source, in-memory database that persists on
disk. Fro ...)
TODO: check
CVE-2025-26780 (An issue was discovered in L2 in Samsung Mobile Processor and
Modem Ex ...)
- TODO: check
+ NOT-FOR-US: Samsung
CVE-2025-20325 (In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and
9.1.10, a ...)
NOT-FOR-US: Cisco
CVE-2025-20324 (In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and
9.1.10 an ...)
@@ -240,11 +240,11 @@ CVE-2024-43334 (Improper Neutralization of Input During
Web Page Generation ('Cr
CVE-2024-43190 (IBM Engineering Requirements Management DOORS 9.7.2.9, under
certain c ...)
NOT-FOR-US: IBM
CVE-2024-37658 (An open redirect vulnerability in gnuboard5 v.5.5.16 allows a
remote a ...)
- TODO: check
+ NOT-FOR-US: Gnuboard
CVE-2024-37657 (An open redirect vulnerability in gnuboard5 v.5.5.16 allows a
remote a ...)
- TODO: check
+ NOT-FOR-US: Gnuboard
CVE-2024-37656 (An open redirect vulnerability in gnuboard5 v.5.5.16 allows a
remote a ...)
- TODO: check
+ NOT-FOR-US: Gnuboard
CVE-2024-25178 (LuaJIT through 2.1 has an out-of-bounds read in the
stack-overflow han ...)
TODO: check
CVE-2024-25177 (LuaJIT through 2.1 has an unsinking of IR_FSTORE for NULL
metatable, w ...)
@@ -252,7 +252,7 @@ CVE-2024-25177 (LuaJIT through 2.1 has an unsinking of
IR_FSTORE for NULL metata
CVE-2024-25176 (LuaJIT through 2.1 has a stack-buffer-overflow in
lj_strfmt_wfnum in l ...)
TODO: check
CVE-2023-51232 (Directory Traversal vulnerability in dagster-webserver Dagster
thru 1. ...)
- TODO: check
+ NOT-FOR-US: dagster-webserver Dagster
CVE-2025-XXXX [RSS/SEARCH: Prevent opening local files if web page is expected]
- qbittorrent 5.1.0-2 (bug #1108843)
[bookworm] - qbittorrent <no-dsa> (Minor issue)
@@ -308,7 +308,7 @@ CVE-2025-7094 (A vulnerability was found in Belkin F9K1122
1.00.33. It has been
CVE-2025-7093 (A vulnerability was found in Belkin F9K1122 1.00.33. It has
been decla ...)
NOT-FOR-US: Belkin
CVE-2025-53473 (Server-side request forgery (SSRF) vulnerability exists n
multiple ver ...)
- TODO: check
+ NOT-FOR-US: Nimesa Backup and Recovery
CVE-2025-53186 (Vulnerability that allows third-party call apps to send
broadcasts wit ...)
NOT-FOR-US: Huawei
CVE-2025-53185 (Virtual address reuse issue in the memory management module,
which can ...)
@@ -350,11 +350,11 @@ CVE-2025-53168 (Vulnerability of bypassing the process to
start SA and use relat
CVE-2025-53167 (Authentication vulnerability in the distributed collaboration
framewor ...)
NOT-FOR-US: Huawei
CVE-2025-48501 (An OS command injection issue exists in Nimesa Backup and
Recovery v2. ...)
- TODO: check
+ NOT-FOR-US: Nimesa Backup and Recovery
CVE-2025-41672 (A remote unauthenticated attacker may use default certificates
to gene ...)
TODO: check
CVE-2025-3108 (A critical deserialization vulnerability exists in the
run-llama/llama ...)
- TODO: check
+ NOT-FOR-US: run-llama/llama_index
CVE-2025-24508 (Extraction of Account Connectivity Credentials (ACCs) from the
IT Mana ...)
TODO: check
CVE-2024-58117 (Stack overflow risk when vector images are parsed during file
preview ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43ba09d123d6c4ba244648afe3b528e3ceb6b959
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43ba09d123d6c4ba244648afe3b528e3ceb6b959
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
