author:    security tracker role <sectracker@soriano.debian.org>  2020-12-31 08:10:27 +0000
committer: security tracker role <sectracker@soriano.debian.org>  2020-12-31 08:10:27 +0000
commit:    f82cbf2b7188af6ab47035c8efa3bfe1a6618cb1
tree:      0d9defb1090495bad59449421b56c3edca4a0202 /data
parent:    42d1d7c15b8f1fca7b986fbb5785b16bdb200ced
automatic update
Diffstat (limited to 'data')
-rw-r--r--  data/CVE/2016.list   20
-rw-r--r--  data/CVE/2018.list    8
-rw-r--r--  data/CVE/2019.list   45
-rw-r--r--  data/CVE/2020.list   61
-rw-r--r--  data/CVE/2021.list  100
5 files changed, 170 insertions, 64 deletions
diff --git a/data/CVE/2016.list b/data/CVE/2016.list
index 38158d87ff..7a5b484ed8 100644
--- a/data/CVE/2016.list
+++ b/data/CVE/2016.list
@@ -6322,18 +6322,18 @@ CVE-2016-9028 (Unauthorized redirect vulnerability in Citrix NetScaler ADC befor
NOT-FOR-US: Citrix
CVE-2016-9027
RESERVED
-CVE-2016-9026
- RESERVED
-CVE-2016-9025
- RESERVED
+CVE-2016-9026 (Exponent CMS before 2.6.0 has improper input validation in fileControl ...)
+ TODO: check
+CVE-2016-9025 (Exponent CMS before 2.6.0 has improper input validation in purchaseOrd ...)
+ TODO: check
CVE-2016-9024
RESERVED
-CVE-2016-9023
- RESERVED
-CVE-2016-9022
- RESERVED
-CVE-2016-9021
- RESERVED
+CVE-2016-9023 (Exponent CMS before 2.6.0 has improper input validation in cron/find_h ...)
+ TODO: check
+CVE-2016-9022 (Exponent CMS before 2.6.0 has improper input validation in usersContro ...)
+ TODO: check
+CVE-2016-9021 (Exponent CMS before 2.6.0 has improper input validation in storeContro ...)
+ TODO: check
CVE-2016-9020 (SQL injection vulnerability in framework/modules/help/controllers/help ...)
NOT-FOR-US: Exponent CMS
CVE-2016-9019 (SQL injection vulnerability in the activate_address function in framew ...)
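Review bot: the five Exponent CMS entries filled in here (CVE-2016-9021 through CVE-2016-9026) are all left as `TODO: check`, while CVE-2016-9020 in the same hunk is already triaged `NOT-FOR-US: Exponent CMS`; since all five describe the same product and the same version range (before 2.6.0), they can be triaged in one pass the same way instead of staying open.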
diff --git a/data/CVE/2018.list b/data/CVE/2018.list
index 368079db3a..e0e99e7774 100644
--- a/data/CVE/2018.list
+++ b/data/CVE/2018.list
@@ -12126,8 +12126,8 @@ CVE-2018-16797 (A heap-based buffer overflow in PotPlayerMini.exe in PotPlayer 1
NOT-FOR-US: PotPlayer
CVE-2018-16796 (HiScout GRC Suite before 3.1.5 allows Unrestricted Upload of Files wit ...)
NOT-FOR-US: HiScout GRC Suite
-CVE-2018-16795
- RESERVED
+CVE-2018-16795 (OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/a ...)
+ TODO: check
CVE-2018-16794 (Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory ...)
NOT-FOR-US: Microsoft ADFS 4.0 Windows Server
CVE-2018-16793 (Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions ...)
@@ -19246,8 +19246,8 @@ CVE-2018-14069 (An issue was discovered in SRCMS V2.3.1. There is a CSRF vulnera
NOT-FOR-US: SRCMS
CVE-2018-14068 (An issue was discovered in SRCMS V2.3.1. There is a CSRF vulnerability ...)
NOT-FOR-US: SRCMS
-CVE-2018-14067
- RESERVED
+CVE-2018-14067 (Green Packet WiMax DV-360 2.10.14-g1.0.6.1 devices allow Command Injec ...)
+ TODO: check
CVE-2018-14066 (The content://wappush content provider in com.android.provider.telepho ...)
NOT-FOR-US: Lenovo
CVE-2018-14065 (XMLReader.php in PHPOffice Common before 0.2.9 allows XXE. ...)
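Review bot: CVE-2018-14067 describes command injection in Green Packet WiMax DV-360 devices, i.e. vendor device firmware rather than anything shipped as a Debian package, so the `TODO: check` should resolve to a `NOT-FOR-US` marker like the SRCMS and Lenovo entries around it; device-only CVEs left as TODO only add triage noise.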
diff --git a/data/CVE/2019.list b/data/CVE/2019.list
index 9a71996fad..b3787aedc4 100644
--- a/data/CVE/2019.list
+++ b/data/CVE/2019.list
@@ -347,8 +347,7 @@ CVE-2019-20810 (go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the
NOTE: https://git.kernel.org/linus/9453264ef58638ce8976121ac44c07a3ef375983
CVE-2019-20809 (The price oracle in PriceOracle.sol in Compound Finance Compound Price ...)
NOT-FOR-US: Compound Finance Compound Price Oracle
-CVE-2019-20808 [out-of-bounds read in ati_cursor_define() function in hw/display/ati.c leads to DoS]
- RESERVED
+CVE-2019-20808 (In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA imp ...)
- qemu 1:4.2-1
[buster] - qemu <not-affected> (Vulnerable code introduced later)
[stretch] - qemu <not-affected> (Vulnerable code introduced later)
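Review bot: CVE-2019-20808 correctly drops the bracketed placeholder and the `RESERVED` marker now that the official description is public, but the entry still records no reference for the fix that landed in qemu 1:4.2-1, whereas the other QEMU entry in this update (CVE-2020-11947) carries a `NOTE:` with the upstream commit; add the fixing commit or bug URL so the `<not-affected> (Vulnerable code introduced later)` claims for buster and stretch can be re-verified against the published description (QEMU 4.1.0, ATI VGA emulation).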
@@ -10664,8 +10663,8 @@ CVE-2019-16749
CVE-2019-16748 (In wolfSSL through 4.1.0, there is a missing sanity check of memory ac ...)
- wolfssl 4.2.0+dfsg-1
NOTE: https://github.com/wolfSSL/wolfssl/issues/2459
-CVE-2019-16747
- RESERVED
+CVE-2019-16747 (In MatrixSSL before 4.2.2 Open, the DTLS server can encounter an inval ...)
+ TODO: check
CVE-2019-16745 (eBrigade before 5.0 has evenement_choice.php chxCal SQL Injection. ...)
NOT-FOR-US: eBrigade
CVE-2019-16744 (eBrigade before 5.0 has evenements.php cid SQL Injection. ...)
@@ -11705,8 +11704,8 @@ CVE-2019-16283
RESERVED
CVE-2019-16282 (In NCH Express Invoice v7.12, persistent cross site scripting (XSS) ex ...)
NOT-FOR-US: NCH Express Invoice
-CVE-2019-16281
- RESERVED
+CVE-2019-16281 (Ptarmigan before 0.2.3 lacks API token validation, e.g., an "if (token ...)
+ TODO: check
CVE-2019-16280
RESERVED
CVE-2019-16279 (A memory error in the function SSL_accept in nostromo nhttpd through 1 ...)
@@ -13742,8 +13741,8 @@ CVE-2019-15525 (There is Missing SSL Certificate Validation in the pw3270 termin
NOT-FOR-US: pw3270 terminal emulator
CVE-2019-15524 (CSZ CMS 1.2.3 allows arbitrary file upload, as demonstrated by a .php ...)
NOT-FOR-US: CSZ CMS
-CVE-2019-15523
- RESERVED
+CVE-2019-15523 (An issue was discovered in LINBIT csync2 through 2.0. It does not corr ...)
+ TODO: check
CVE-2019-15522 (An issue was discovered in LINBIT csync2 through 2.0. csync_daemon_ses ...)
- csync2 2.0-25-gc0faaf9-1 (bug #955445)
[buster] - csync2 2.0-22-gce67c55-1+deb10u1
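Review bot: CVE-2019-15523 is left as `TODO: check` although its sibling CVE-2019-15522, the very next entry and the same csync2 release range (through 2.0), is already tracked with `csync2 2.0-25-gc0faaf9-1 (bug #955445)` and a buster fix in 2.0-22-gce67c55-1+deb10u1; check whether that same upload covers this CVE and record the fixed versions (or a separate bug) rather than leaving the TODO open.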
@@ -14803,12 +14802,12 @@ CVE-2019-15082 (The 360-product-rotation plugin before 1.4.8 for WordPress has r
NOT-FOR-US: Wordpress plugin
CVE-2019-15081 (OpenCart 3.x, when the attacker has login access to the admin panel, a ...)
NOT-FOR-US: OpenCart
-CVE-2019-15080
- RESERVED
-CVE-2019-15079
- RESERVED
-CVE-2019-15078
- RESERVED
+CVE-2019-15080 (An issue was discovered in a smart contract implementation for MORPH T ...)
+ TODO: check
+CVE-2019-15079 (A typo exists in the constructor of a smart contract implementation fo ...)
+ TODO: check
+CVE-2019-15078 (An issue was discovered in a smart contract implementation for AIRDROP ...)
+ TODO: check
CVE-2019-15077
RESERVED
CVE-2019-15076
@@ -20800,8 +20799,8 @@ CVE-2019-12955
RESERVED
CVE-2019-12954 (SolarWinds Network Performance Monitor (Orion Platform 2018, NPM 12.3, ...)
NOT-FOR-US: SolarWinds
-CVE-2019-12953
- RESERVED
+CVE-2019-12953 (Dropbear 2011.54 through 2018.76 has an inconsistent failure delay tha ...)
+ TODO: check
CVE-2019-12952
RESERVED
CVE-2019-12951 (An issue was discovered in Mongoose before 6.15. The parse_mqtt() func ...)
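Review bot: CVE-2019-12953 concerns Dropbear 2011.54 through 2018.76, and dropbear is a Debian package, so `TODO: check` should become a proper per-suite assessment with fixed versions rather than stay open; the truncated description points at an inconsistent failure delay, i.e. a timing difference on authentication failure, which is the kind of low-impact information leak that usually ends up `<no-dsa> (Minor issue)` for stable suites, as done for wavpack elsewhere in this update.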
@@ -21282,8 +21281,8 @@ CVE-2019-12770
RESERVED
CVE-2019-12769 (SolarWinds Serv-U Managed File Transfer (MFT) Web client before 15.1.6 ...)
NOT-FOR-US: SolarWinds
-CVE-2019-12768
- RESERVED
+CVE-2019-12768 (An issue was discovered on D-Link DAP-1650 devices through v1.03b07 be ...)
+ TODO: check
CVE-2019-12767 (An issue was discovered on D-Link DAP-1650 devices before 1.04B02_J65H ...)
NOT-FOR-US: D-Link
CVE-2019-12766 (An issue was discovered in Joomla! before 3.9.7. The subform fieldtype ...)
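Review bot: CVE-2019-12768 on D-Link DAP-1650 devices sits directly above CVE-2019-12767, the same device already marked `NOT-FOR-US: D-Link`; triage it the same way instead of leaving `TODO: check`.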
@@ -22908,7 +22907,7 @@ CVE-2019-12157 (In JetBrains TeamCity versions before 2018.2.5 and UpSource vers
NOT-FOR-US: JetBrains TeamCity
CVE-2019-12156 (Server metadata could be exposed because one of the error messages ref ...)
NOT-FOR-US: JetBrains TeamCity
-CVE-2019-12155 (interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NUL ...)
+CVE-2019-12155 (interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4 ...)
{DSA-4454-1 DLA-1927-1}
- qemu 1:3.1+dfsg-8 (bug #929353)
[buster] - qemu 1:3.1+dfsg-8~deb10u1
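Review bot: CVE-2019-12155's description widens the affected range from QEMU 4.0.0 to 3.1.x through 4.x, which now explicitly covers the 3.1 series that buster ships; the existing record (fix in 1:3.1+dfsg-8, buster 1:3.1+dfsg-8~deb10u1, DSA-4454-1 and DLA-1927-1) is consistent with that, but the LTS suite line is not within this hunk and should be checked, since the DLA reference implies an LTS suite was also affected and fixed.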
@@ -35783,10 +35782,10 @@ CVE-2019-7728 (An issue was discovered in the Bosch Smart Camera App before 1.3.
NOT-FOR-US: Bosch Smart Camera App
CVE-2019-7727 (In NICE Engage through 6.5, the default configuration binds an unauthe ...)
NOT-FOR-US: NICE Engage
-CVE-2019-7726
- RESERVED
-CVE-2019-7725
- RESERVED
+CVE-2019-7726 (modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL IN ...)
+ TODO: check
+CVE-2019-7725 (includes/core/is_user.php in NukeViet before 4.3.04 deserializes the u ...)
+ TODO: check
CVE-2019-7724
RESERVED
CVE-2019-7723
diff --git a/data/CVE/2020.list b/data/CVE/2020.list
index f25c686878..f3f88439d6 100644
--- a/data/CVE/2020.list
+++ b/data/CVE/2020.list
@@ -1,3 +1,9 @@
+CVE-2020-35856
+ RESERVED
+CVE-2020-35855
+ RESERVED
+CVE-2020-35854
+ RESERVED
CVE-2020-35853
RESERVED
CVE-2020-35852
@@ -235,8 +241,8 @@ CVE-2020-35738 (WavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples i
[buster] - wavpack <no-dsa> (Minor issue)
NOTE: https://github.com/dbry/WavPack/issues/91
NOTE: https://github.com/dbry/WavPack/commit/89df160596132e3bd666322e1c20b2ebd4b92cd0
-CVE-2020-35737
- RESERVED
+CVE-2020-35737 (In Correspondence Management System (corms) in Newgen eGov 12.0, an at ...)
+ TODO: check
CVE-2020-35736 (GateOne 1.1 allows arbitrary file download without authentication via ...)
NOT-FOR-US: GateOne
CVE-2020-35735 (Vidyo 02-09-/D allows clickjacking via the portal/ URI. ...)
@@ -4473,8 +4479,8 @@ CVE-2020-28415 (A reflected cross-site scripting (XSS) vulnerability exists in t
NOT-FOR-US: TranzWare Payment Gateway
CVE-2020-28414 (A reflected cross-site scripting (XSS) vulnerability exists in the Tra ...)
NOT-FOR-US: TranzWare Payment Gateway
-CVE-2020-28413
- RESERVED
+CVE-2020-28413 (In MantisBT 2.24.3, SQL Injection can occur in the parameter "access" ...)
+ TODO: check
CVE-2020-28412
RESERVED
CVE-2020-28411
@@ -5161,8 +5167,8 @@ CVE-2020-28097
RESERVED
CVE-2020-28096 (FOSCAM FHD X1 1.14.2.4 devices allow attackers (with physical UART acc ...)
NOT-FOR-US: FOSCAM FHD
-CVE-2020-28095
- RESERVED
+CVE-2020-28095 (On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, a large HTTP PO ...)
+ TODO: check
CVE-2020-28094 (On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, the default set ...)
NOT-FOR-US: Tenda
CVE-2020-28093 (On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, admin, support, ...)
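Review bot: CVE-2020-28095 is an issue in the same Tenda AC1200 (Model AC6) firmware build 15.03.06.51_multi as CVE-2020-28094 and CVE-2020-28093 directly below it, both already `NOT-FOR-US: Tenda`; resolve this `TODO: check` the same way.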
@@ -6651,8 +6657,8 @@ CVE-2020-27536
RESERVED
CVE-2020-27535
RESERVED
-CVE-2020-27534
- RESERVED
+CVE-2020-27534 (util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 c ...)
+ TODO: check
CVE-2020-27533 (A Cross Site Scripting (XSS) issue was discovered in the search featur ...)
NOT-FOR-US: DedeCMS
CVE-2020-27532
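Review bot: CVE-2020-27534 names util/binfmt_misc/check.go in the Docker Engine builder before 19.03.9, and Docker Engine is packaged in Debian as docker.io, so this `TODO: check` needs a real version assessment per suite rather than being left open; a `NOTE:` with the upstream fix would also help whoever picks it up.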
@@ -9365,8 +9371,8 @@ CVE-2020-26298
RESERVED
CVE-2020-26297
RESERVED
-CVE-2020-26296
- RESERVED
+CVE-2020-26296 (Vega is a visualization grammar, a declarative format for creating, sa ...)
+ TODO: check
CVE-2020-26295
RESERVED
CVE-2020-26294
@@ -9375,14 +9381,14 @@ CVE-2020-26293
RESERVED
CVE-2020-26292
RESERVED
-CVE-2020-26291
- RESERVED
+CVE-2020-26291 (URI.js is a javascript URL mutation library (npm package urijs). In UR ...)
+ TODO: check
CVE-2020-26290 (Dex is a federated OpenID Connect provider written in Go. In Dex befor ...)
TODO: check
CVE-2020-26289 (date-and-time is an npm package for manipulating date and time. In dat ...)
TODO: check
-CVE-2020-26288
- RESERVED
+CVE-2020-26288 (Parse Server is an open source backend that can be deployed to any inf ...)
+ TODO: check
CVE-2020-26287 (HedgeDoc is a collaborative platform for writing and sharing markdown. ...)
NOT-FOR-US: HedgeDoc
CVE-2020-26286 (HedgeDoc is a collaborative platform for writing and sharing markdown. ...)
@@ -9505,6 +9511,7 @@ CVE-2020-26239 (Scratch Addons is a WebExtension that supports both Chrome and F
CVE-2020-26238 (Cron-utils is a Java library to parse, validate, migrate crons as well ...)
NOT-FOR-US: cron-utils Java library
CVE-2020-26237 (Highlight.js is a syntax highlighter written in JavaScript. Highlight. ...)
+ {DLA-2511-1}
- highlight.js 9.18.1+dfsg1-3 (bug #976446)
NOTE: https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx
NOTE: https://github.com/highlightjs/highlight.js/pull/2636
@@ -23295,8 +23302,8 @@ CVE-2020-19666
RESERVED
CVE-2020-19665
RESERVED
-CVE-2020-19664
- RESERVED
+CVE-2020-19664 (DrayTek Vigor2960 1.5.1 allows remote command execution via shell meta ...)
+ TODO: check
CVE-2020-19663
RESERVED
CVE-2020-19662
@@ -27982,8 +27989,8 @@ CVE-2020-17365 (Improper directory permissions in the Hotspot Shield VPN client
NOT-FOR-US: Hotspot Shield VPN client for Windows
CVE-2020-17364 (USVN (aka User-friendly SVN) before 1.0.9 allows XSS via SVN logs. ...)
NOT-FOR-US: User-friendly SVN
-CVE-2020-17363
- RESERVED
+CVE-2020-17363 (USVN (aka User-friendly SVN) before 1.0.9 allows remote code execution ...)
+ TODO: check
CVE-2020-17362 (search.php in the Nova Lite theme before 1.3.9 for WordPress allows Re ...)
NOT-FOR-US: Nova Lite theme for WordPress
CVE-2020-17361 (** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in ReadyTalk A ...)
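Review bot: CVE-2020-17363 (USVN before 1.0.9, remote code execution) is left as `TODO: check` while the adjacent CVE-2020-17364 for the same product and version range is already `NOT-FOR-US: User-friendly SVN`; triage the two consistently, since the higher severity of an RCE does not change the answer for software Debian does not package.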
@@ -30587,7 +30594,7 @@ CVE-2020-16134 (An issue was discovered on Swisscom Internet Box 2, Internet Box
CVE-2020-16133
RESERVED
CVE-2020-16132
- RESERVED
+ REJECTED
CVE-2020-16131 (Tiki before 21.2 allows XSS because [\s\/"\'] is not properly consider ...)
- tikiwiki <removed>
CVE-2020-16130
@@ -37024,8 +37031,8 @@ CVE-2020-13656 (In Morgan Stanley Hobbes through 2020-05-21, the array implement
NOT-FOR-US: Hobbes
CVE-2020-13655 (An issue was discovered in Collabtive 3.0 and later. managefile.php is ...)
- collabtive <removed>
-CVE-2020-13654
- RESERVED
+CVE-2020-13654 (XWiki Platform before 12.8 mishandles escaping in the property display ...)
+ TODO: check
CVE-2020-13653 (An XSS vulnerability exists in the Webmail component of Zimbra Collabo ...)
NOT-FOR-US: Zimbra
CVE-2020-13652 (An issue was discovered in DigDash 2018R2 before p20200528, 2019R1 bef ...)
@@ -39474,8 +39481,8 @@ CVE-2020-12659 (An issue was discovered in the Linux kernel before 5.6.7. xdp_um
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/99e3a236dd43d06c65af0a2ef9cb44306aef6e02 (5.7-rc2)
-CVE-2020-12658
- RESERVED
+CVE-2020-12658 (gssproxy (aka gss-proxy) before 0.8.3 does not unlock cond_mutex befor ...)
+ TODO: check
CVE-2020-12657 (An issue was discovered in the Linux kernel before 5.6.5. There is a u ...)
- linux 5.6.7-1
[buster] - linux 4.19.118-1
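Review bot: CVE-2020-12658 describes gssproxy before 0.8.3 failing to unlock cond_mutex, i.e. a mutex left held, which is a hang or denial-of-service class bug in a daemon; the `TODO: check` should be resolved by checking whether gssproxy is packaged and, if so, which suite versions are affected, and the entry would benefit from a `NOTE:` with the upstream fix like the neighbouring Linux kernel entries in this hunk carry.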
@@ -41258,8 +41265,8 @@ CVE-2020-11949 (testserver.cgi of the web service on VIVOTEK Network Cameras bef
NOT-FOR-US: VIVOTEK Network Cameras
CVE-2020-11948
RESERVED
-CVE-2020-11947 [heap-based buffer over-read]
- RESERVED
+CVE-2020-11947 (iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buf ...)
+ {DSA-4665-1}
- qemu 1:4.2-7
NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=ff0507c239a246fd7215b31c5658fc6a3ee1e4c5 (v5.0.0-rc4)
CVE-2020-11946 (Zoho ManageEngine OpManager before 125120 allows an unauthenticated us ...)
@@ -43297,8 +43304,8 @@ CVE-2020-11105 (An issue was discovered in USC iLab cereal through 1.3.0. It emp
NOT-FOR-US: USC iLab cereal
CVE-2020-11104 (An issue was discovered in USC iLab cereal through 1.3.0. Serializatio ...)
NOT-FOR-US: USC iLab cereal
-CVE-2020-11103
- RESERVED
+CVE-2020-11103 (JsLink in Webswing before 2.6.12 LTS, and 2.7.x and 20.x before 20.1, ...)
+ TODO: check
CVE-2020-11102 (hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying ...)
- qemu 1:4.2-4 (bug #956145)
[buster] - qemu <not-affected> (Vulnerable code/Tulip NIC emulator added later)
diff --git a/data/CVE/2021.list b/data/CVE/2021.list
index fd0787b1ef..73cdccd9c0 100644
--- a/data/CVE/2021.list
+++ b/data/CVE/2021.list
@@ -1,3 +1,103 @@
+CVE-2021-21493
+ RESERVED
+CVE-2021-21492
+ RESERVED
+CVE-2021-21491
+ RESERVED
+CVE-2021-21490
+ RESERVED
+CVE-2021-21489
+ RESERVED
+CVE-2021-21488
+ RESERVED
+CVE-2021-21487
+ RESERVED
+CVE-2021-21486
+ RESERVED
+CVE-2021-21485
+ RESERVED
+CVE-2021-21484
+ RESERVED
+CVE-2021-21483
+ RESERVED
+CVE-2021-21482
+ RESERVED
+CVE-2021-21481
+ RESERVED
+CVE-2021-21480
+ RESERVED
+CVE-2021-21479
+ RESERVED
+CVE-2021-21478
+ RESERVED
+CVE-2021-21477
+ RESERVED
+CVE-2021-21476
+ RESERVED
+CVE-2021-21475
+ RESERVED
+CVE-2021-21474
+ RESERVED
+CVE-2021-21473
+ RESERVED
+CVE-2021-21472
+ RESERVED
+CVE-2021-21471
+ RESERVED
+CVE-2021-21470
+ RESERVED
+CVE-2021-21469
+ RESERVED
+CVE-2021-21468
+ RESERVED
+CVE-2021-21467
+ RESERVED
+CVE-2021-21466
+ RESERVED
+CVE-2021-21465
+ RESERVED
+CVE-2021-21464
+ RESERVED
+CVE-2021-21463
+ RESERVED
+CVE-2021-21462
+ RESERVED
+CVE-2021-21461
+ RESERVED
+CVE-2021-21460
+ RESERVED
+CVE-2021-21459
+ RESERVED
+CVE-2021-21458
+ RESERVED
+CVE-2021-21457
+ RESERVED
+CVE-2021-21456
+ RESERVED
+CVE-2021-21455
+ RESERVED
+CVE-2021-21454
+ RESERVED
+CVE-2021-21453
+ RESERVED
+CVE-2021-21452
+ RESERVED
+CVE-2021-21451
+ RESERVED
+CVE-2021-21450
+ RESERVED
+CVE-2021-21449
+ RESERVED
+CVE-2021-21448
+ RESERVED
+CVE-2021-21447
+ RESERVED
+CVE-2021-21446
+ RESERVED
+CVE-2021-21445
+ RESERVED
+CVE-2021-21444
+ RESERVED
CVE-2021-21443
RESERVED
CVE-2021-21442
