diff options
Diffstat (limited to 'security/vuxml')
| -rw-r--r-- | security/vuxml/Makefile | 4 | ||||
| -rw-r--r-- | security/vuxml/files/euvd_provider.sh | 69 | ||||
| -rw-r--r-- | security/vuxml/files/mitre_provider.sh | 61 | ||||
| -rw-r--r-- | security/vuxml/files/newentry.sh | 173 | ||||
| -rw-r--r-- | security/vuxml/files/nvd_provider.sh | 72 | ||||
| -rw-r--r-- | security/vuxml/vuln/2025.xml | 2885 |
6 files changed, 3186 insertions, 78 deletions
diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile index 9a3ef8b7a291..243b5cd5723e 100644 --- a/security/vuxml/Makefile +++ b/security/vuxml/Makefile @@ -102,10 +102,6 @@ newentry: @${ECHO_CMD} 'Also, <gt> tags are usually wrong in ranges. Use <ge> where adequate.' @${ECHO_CMD} @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" "CVE_ID=${CVE_ID}" "SA_ID=${SA_ID}" - @${ECHO_CMD} - @${ECHO_CMD} 'Be sure to get versioning right for PORTEPOCH and remember possible linux-* ports!' - @${ECHO_CMD} 'Also, <gt> tags are usually wrong in ranges. Use <ge> where adequate.' - @${ECHO_CMD} .if defined(VID) && !empty(VID) html: work/${VID}.html diff --git a/security/vuxml/files/euvd_provider.sh b/security/vuxml/files/euvd_provider.sh new file mode 100644 index 000000000000..821d2fcc06a2 --- /dev/null +++ b/security/vuxml/files/euvd_provider.sh @@ -0,0 +1,69 @@ +# Provider for the European Union Vulnerability Database +# https://euvd.enisa.europa.eu/ + +tmp_euvd="" + +init_euvd() { + tmp_euvd=$(mktemp "${TMPDIR:-/tmp}"/euvd_json_data.XXXXXXXXXX) || exit 1 + fetch -q -o "${tmp_euvd}" "https://euvdservices.enisa.europa.eu/api/enisaid?id=${CVE_ID}" || exit 1 +} + +cleanup_euvd() { + rm -f "${tmp_euvd}" 2>/dev/null +} + +get_cvename_from_euvd() { + # EUVD response includes "aliases" (CVE ID if available) + jq -r '.aliases // .id' "${tmp_euvd}" +} + +get_cveurl_from_euvd() { + echo "https://euvd.enisa.europa.eu/ui/vuln/${CVE_ID}" +} + +get_details_from_euvd() { + jq -r '.description // empty | @html' "${tmp_euvd}" | fmt -p -s | sed '1!s/^/\t/' +} + +get_discovery_date_from_euvd() { + raw=$(jq -r '.datePublished // empty' "${tmp_euvd}") + if [ -n "$raw" ]; then + trimmed=$(echo "$raw" | cut -d, -f1-2) + if date -d "$trimmed" "+%Y-%m-%d" >/dev/null 2>&1; then + date -d "$trimmed" "+%Y-%m-%d" + else + date -j -f "%b %d, %Y" "$trimmed" "+%Y-%m-%d" + fi + fi +} + +get_entry_date_from_euvd() { + echo "${entry_date}" +} + + +get_product_name_from_euvd() { + jq -r ' .enisaIdProduct[]?.product?.name ' "${tmp_euvd}" +} + +get_product_range_from_euvd() { + jq -r '.enisaIdProduct[]? | "\(.product_version? | gsub("<";"<") | gsub(">";">") | gsub("&";"&"))"' "${tmp_euvd}" +} + +get_package_name_from_euvd() { + jq -r '.enisaIdProduct[0]?.product?.name // empty' "${tmp_euvd}" +} + +get_references_from_euvd() { + jq -r '.references // empty | @html' "${tmp_euvd}" | tr " " "\n" +} + +get_source_from_euvd() { + jq -r '.assigner // empty | @html' "${tmp_euvd}" +} + +get_topic_from_euvd() { + # Use first sentence of description + jq -r '.description // empty' "${tmp_euvd}" | cut -f1 -d. +} + diff --git a/security/vuxml/files/mitre_provider.sh b/security/vuxml/files/mitre_provider.sh new file mode 100644 index 000000000000..c2b1f8ffa73e --- /dev/null +++ b/security/vuxml/files/mitre_provider.sh @@ -0,0 +1,61 @@ +# Provider for MITRE +# https://www.mitre.org/ + +tmp_mitre="" + +init_mitre() +{ + tmp_mitre=$(mktemp "${TMPDIR:-/tmp}"/mitre.XXXXXXXXXX) || exit 1 + fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}" +} + +cleanup_mitre() +{ + rm "${tmp_mitre}" 2>/dev/null +} + +get_cvename_from_mitre() +{ + cvename="${CVE_ID}" + echo "${cvename}" +} + +get_cveurl_from_mitre() { + echo https://cveawg.mitre.org/api/cve/"${CVE_ID}" +} + +get_details_from_mitre() { + jq -r '.containers?.cna?.descriptions[0]?.value' "${tmp_mitre}" | fmt -p -s +} + +get_discovery_date_from_mitre() { + jq -r '.cveMetadata?.datePublished?' "${tmp_mitre}" | cut -f1 -dT +} + +get_entry_date_from_mitre() { + echo "${entry_date}" +} + +get_product_name_from_mitre() { + jq -r '.containers?.cna?.affected[]?.product' "${tmp_mitre}" +} + +get_product_range_from_mitre() { + jq -r '.containers?.cna?.affected[]??.versions[0]?.lessThan' "${tmp_mitre}" +} + +get_package_name_from_mitre() { + jq -r '.containers?.cna?.affected[0]?.product' "${tmp_mitre}" +} + +get_references_from_mitre() { + jq -r '.containers?.cna?.references[0]?.url' "${tmp_mitre}" | fmt -p -s +} + +get_source_from_mitre() { + jq -r '.containers?.cna?.references[0]?.url' "${tmp_mitre}" +} + +get_topic_from_mitre() { + jq -r ".containers?.cna?.problemTypes[0]?.descriptions[0]?.description" "${tmp_mitre}" +} diff --git a/security/vuxml/files/newentry.sh b/security/vuxml/files/newentry.sh index 0298a5376a9e..0fcffae816ad 100644 --- a/security/vuxml/files/newentry.sh +++ b/security/vuxml/files/newentry.sh @@ -15,6 +15,9 @@ if [ -z "${vuxml_file}" ]; then show_usage fi +# ----------------- +# Process arguments +# ----------------- shift while [ $# -gt 0 ]; do case "$1" in @@ -34,27 +37,46 @@ case "$1" in esac done -tmp="`mktemp ${TMPDIR:-/tmp}/vuxml.XXXXXXXXXX`" || exit 1 +tmp=$(mktemp "${TMPDIR:-/tmp}"/vuxml.XXXXXXXXXX) || exit 1 tmp_fbsd_sa="" -tmp_mitre="" -tmp_nvd="" +# ------------------------------------- +# Define how to clean up temporal files +# ------------------------------------- +# doclean="yes" cleanup() { if [ "${doclean}" = "yes" ]; then - rm -f "${tmp}" "${tmp_fbsd_sa}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null + rm -f "${tmp}" "${tmp_fbsd_sa}" > /dev/null fi + + # Call cleaners for providers + for provider in ${providers}; do + cleanup_"${provider}" + cleanup_"${provider}" + done } -trap cleanup EXIT 1 2 13 15 +trap cleanup EXIT HUP INT PIPE TERM -vid="`uuidgen | tr '[:upper:]' '[:lower:]'`" +# ----------------------------- +# Variables with default values +# ----------------------------- +vid="$(uuidgen | tr '[:upper:]' '[:lower:]')" [ -z "$vid" ] && exit 1 + +discovery_date="" cvename="INSERT CVE RECORD IF AVAILABLE" cveurl="INSERT BLOCKQUOTE URL HERE" details="." -discovery="`date -u '+%Y-%m'`-FIXME" || exit 1 -entry="`date -u '+%Y-%m-%d'`" || exit 1 +discovery_date="$(date -u '+%Y-%m')-FIXME" || exit 1 +entry_date="$(date -u '+%Y-%m-%d')" || exit 1 package_name="" +product_name="" +product_range="" +package_list="<package> +<name></name> +<range><lt></lt></range> +</package>" references="INSERT URL HERE" topic="" source="SO-AND-SO" @@ -67,38 +89,65 @@ DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\"> </blockquote> </body>" - -# Try to retrieve information if a CVE identifier was provided -if [ -n "${CVE_ID}" ]; then +# -------------------------------- +# Check we have everything we need +# -------------------------------- +check_dependencies() +{ if ! command -v jq > /dev/null; then echo textproc/jq is needed for CVE automatic entry fill exit 1 fi +} + +# ------------------------------------------ +# List of CVE providers sorted by preference +# ------------------------------------------ +providers="mitre nvd euvd" + +# ------------------------------------------ +# List of fields to query for every provider +# ------------------------------------------ +fields="cvename cveurl details discovery_date entry_date product_name product_range package_name references source topic" - # NVD database only accepts uppercase CVE ids, like CVE-2022-39282, NOT - # cve-2022-39282. - CVE_ID=$(echo "${CVE_ID}" | tr '[:lower:]' '[:upper:]') || exit 1 - - # Get information from the NVD database JSON format - tmp_nvd="`mktemp ${TMPDIR:-/tmp}/nvd_json_data.XXXXXXXXXX`" || exit 1 - fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1 - # Get information from MITRE database (they provide a nice "topic") - tmp_mitre="`mktemp ${TMPDIR:-/tmp}/mitre.XXXXXXXXXX`" || exit 1 - fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}" - - # Create variables from input and online sources - cvename="${CVE_ID}" - cveurl=https://nvd.nist.gov/vuln/detail/${CVE_ID} - pref=.vulnerabilities[0].cve - details=$(jq -r "${pref}.descriptions[0].value|@html" "${tmp_nvd}" | fmt -p -s | sed '1!s/^/\t/') || exit 1 - discovery=$(jq -r "${pref}.published|@html" "${tmp_nvd}" | cut -f1 -dT) || exit 1 - pref=.vulnerabilities[0].cve.configurations[0].nodes[0].cpeMatch[0] - package_name=$(jq -r "${pref}.criteria|@html" "${tmp_nvd}" | cut -f4 -d:) || exit 1 - upstream_fix=$(jq -r "${pref}.versionEndExcluding|@html" "${tmp_nvd}") || exit 1 - pref=.vulnerabilities[0].cve.references[0] - references=$(jq -r "${pref}.url|@html" "${tmp_nvd}" | tr " " "\n") || exit 1 - source=$(jq -r "${pref}.source|@html" "${tmp_nvd}" | tr " " "\n") || exit 1 - topic=$(jq -r ".containers.cna.title|@html" "${tmp_mitre}" ) || exit 1 +# Some providers only allow for upper case identifiers +CVE_ID=$(echo "${CVE_ID}" | tr '[:lower:]' '[:upper:]') || exit 1 + +# ----------------------------------------------------------------------------- +# Generic resolver +# +# Gets a variable name and the list of providers and returns the value of the +# variable. If the first defined provider returns empty or nullm, it tries with +# the next one until one provider returns a value or we run out of providers +# ----------------------------------------------------------------------------- +resolve_field() { + field="${1}" + shift + providers="$@" + + for provider in $providers; do + func="get_${field}_from_${provider}" + if command -v "${func}" >/dev/null 2>&1; then + value="$($func)" + if [ -n "${value}" ] && [ "${value}" != "null" ] && [ "${value}" != "n/a" ]; then + echo "${value}" + return 0 + fi + else + echo "Warning: function ${func} not implemented in provider ${provider}" + fi + done + echo "null" +} + +# -------------------------------------------------- +# Fill global variables with data from CVE databases +# -------------------------------------------------- +get_cve_info() { + for field in ${fields}; do + value=$(resolve_field "${field}" ${providers}) + eval "${field}=\$value" + done DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\"> <p>${source} reports:</p> @@ -106,14 +155,17 @@ DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\"> <p>${details}</p> </blockquote> </body>" -fi +} -if [ -n "${SA_ID}" ]; then +# ---------------------------------------------------------------- +# Fill global variables with data from FreeBSD Security Advisories +# ---------------------------------------------------------------- +get_sa_info() { SA_URL_BASE=https://www.freebsd.org/security/advisories/ # Get information from the Project's SA site - tmp_fbsd_sa="$(mktemp ${TMPDIR:-/tmp}/fbsd_sa_data.XXXXXXXXXX)" || exit 1 - fetch -q -o "${tmp_fbsd_sa}" ${SA_URL_BASE}${SA_ID} || exit 1 + tmp_fbsd_sa=$(mktemp "${TMPDIR:-/tmp}/fbsd_sa_data.XXXXXXXXXX") || exit 1 + fetch -q -o "${tmp_fbsd_sa}" "${SA_URL_BASE}${SA_ID}" || exit 1 # Create variables from SA note if grep -q 'CVE Name' "${tmp_fbsd_sa}"; then @@ -148,6 +200,40 @@ DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\"> <h1>Impact:</h1> ${impact} </body>" +} + +init_providers() { + for provider in files/*_provider.sh; do + provider_name=$(basename "${provider}" | cut -f1 -d_) + . "files/${provider_name}_provider.sh" + init_"${provider_name}" + done +} + +create_packages_list() { + tmp_prod=$(mktemp "${TMPDIR:-/tmp}"/vuxml.prod.XXXXXXXXXX) || exit 1 + tmp_ver=$(mktemp "${TMPDIR:-/tmp}"/vuxml.ver.XXXXXXXXXX) || exit 1 + printf "%s" "${product_name}" > "${tmp_prod}" + printf "%s" "${product_range}" > "${tmp_ver}" + + package_list=$(paste "${tmp_prod}" "${tmp_ver}" | sed \ + -e 's|\t|</name>\n\t<range><lt>|g' \ + -e 's|^| <package>\n\t<name>|g' \ + -e 's|$|</lt></range>\n </package>|g') + + rm "${tmp_prod}" "${tmp_ver}" 2>/dev/null +} + +# Try to retrieve information if a CVE identifier was provided +if [ -n "${CVE_ID}" ]; then + check_dependencies + init_providers + get_cve_info "${CVE_ID}" + create_packages_list +fi + +if [ -n "${SA_ID}" ]; then + get_sa_info fi awk '/^<\?/,/^<vuxml/ { print }' "${vuxml_file}" >> "${tmp}" || exit 1 @@ -155,10 +241,7 @@ cat << EOF >> "${tmp}" || exit 1 <vuln vid="${vid}"> <topic>${package_name} -- ${topic}</topic> <affects> - <package> - <name>${package_name}</name> - <range><lt>${upstream_fix}</lt></range> - </package> +${package_list} </affects> <description> ${DESC_BODY} @@ -168,8 +251,8 @@ cat << EOF >> "${tmp}" || exit 1 <url>${cveurl}</url> </references> <dates> - <discovery>${discovery}</discovery> - <entry>${entry}</entry> + <discovery>${discovery_date}</discovery> + <entry>${entry_date}</entry> </dates> </vuln> diff --git a/security/vuxml/files/nvd_provider.sh b/security/vuxml/files/nvd_provider.sh new file mode 100644 index 000000000000..8a383a7d6752 --- /dev/null +++ b/security/vuxml/files/nvd_provider.sh @@ -0,0 +1,72 @@ +# Provider for the National Vulnerability Database +# https://nvd.nist.gov/ + +tmp_nvd="" + +init_nvd() +{ + tmp_nvd=$(mktemp "${TMPDIR:-/tmp}"/nvd_json_data.XXXXXXXXXX) || exit 1 + fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1 +} + +cleanup_nvd() +{ + rm "${tmp_nvd}" 2>/dev/null +} + +get_cvename_from_nvd() +{ + cvename="${CVE_ID}" + echo "${cvename}" +} + +get_cveurl_from_nvd() { + cveurl=https://nvd.nist.gov/vuln/detail/${CVE_ID} + echo "${cveurl}" +} + +get_details_from_nvd() { + pref=".vulnerabilities[0]?.cve?" + jq -r "${pref}.descriptions[0]?.value|@html" "${tmp_nvd}" | fmt -p -s | sed '1!s/^/\t/' +} + +get_discovery_date_from_nvd() { + pref=".vulnerabilities[0]?.cve?" + jq -r "${pref}.published|@html" "${tmp_nvd}" | cut -f1 -dT +} + +get_entry_date_from_nvd() { + echo "${entry_date}" +} + +get_product_name_from_nvd() { + jq -r '.vulnerabilities[]?.cve?.configurations[]?.nodes[]?.cpeMatch[]? | + (.criteria | split(":")[4])' "${tmp_nvd}" +} + +get_product_range_from_nvd() { + jq -r '.vulnerabilities[]?.cve.configurations[]?.nodes[]?.cpeMatch[]?.versionEndExcluding ' "${tmp_nvd}" +} + +get_package_name_from_nvd() { + jq -r '.vulnerabilities[]?.cve?.configurations[]?.nodes[]?.cpeMatch[0]?.criteria' "${tmp_nvd}" | cut -f5 -d: +} + +get_references_from_nvd() { + pref=".vulnerabilities[0]?.cve?.references[0]?" + jq -r "${pref}.url|@html" "${tmp_nvd}" | tr " " "\n" +} + +get_source_from_nvd() +{ + pref=".vulnerabilities[0]?.cve?.references[0]?" + jq -r "${pref}.source|@html" "${tmp_nvd}" | tr " " "\n" +} + +get_topic_from_nvd() { + # NVD does not provide a nice summary. Let's use the first sentence from + # the details instead + pref=".vulnerabilities[0]?.cve?" + jq -r "${pref}.descriptions[0]?.value|@html" "${tmp_nvd}" | cut -f1 -d. +} + diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index b1d04ff02b44..bc7d08dd1172 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml @@ -1,3 +1,2829 @@ + <vuln vid="364e5fa4-c178-11f0-b614-b42e991fc52e"> + <topic>PostgreSQL -- Multiple vulnerabilities</topic> + <affects> + <package> + <name>postgresql13-client</name> + <range><lt>13.23</lt></range> + </package> + <package> + <name>postgresql14-client</name> + <range><lt>14.20</lt></range> + </package> + <package> + <name>postgresql15-client</name> + <range><lt>15.15</lt></range> + </package> + <package> + <name>postgresql16-client</name> + <range><lt>16.11</lt></range> + </package> + <package> + <name>postgresql17-client</name> + <range><lt>17.7</lt></range> + </package> + <package> + <name>postgresql18-client</name> + <range><lt>18.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://www.postgresql.org/support/security/CVE-2025-12818/ reports:</p> + <blockquote cite="https://www.postgresql.org/support/security/CVE-2025-12818/"> + <ul> + <li>Integer wraparound in multiple PostgreSQL libpq client + library functions allows an application input provider or + network peer to cause libpq to undersize an allocation and + write out-of-bounds by hundreds of megabytes. This results + in a segmentation fault for the application using libpq.</li> + <li>Missing authorization in PostgreSQL CREATE STATISTICS + command allows a table owner to achieve denial of service + against other CREATE STATISTICS users by creating in any + schema. A later CREATE STATISTICS for the same name, from a + user having the CREATE privilege, would then fail.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-12818</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-12818</url> + <cvename>CVE-2025-12817</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-12817</url> + </references> + <dates> + <discovery>2025-11-13</discovery> + <entry>2025-11-14</entry> + </dates> + </vuln> + + <vuln vid="2063f110-c0b8-11f0-a633-8c164580114f"> + <topic>lightdm-kde-greeter -- Privilege Escalation from lightdm Service User to root</topic> + <affects> + <package> + <name>lightdm-kde-greeter</name> + <range><lt>6.0.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>SUSE Security Team reports:</p> + <blockquote cite="https://security.opensuse.org/2025/11/13/lightdm-kde-greeter-auth-helper.html"> + <p>A Execution with Unnecessary Privileges vulnerability in + lightdm-kde-greeter allows escalation from the service user to + root. This issue affects lightdm-kde-greeter before 6.0.4.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-62876</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-62876</url> + </references> + <dates> + <discovery>2025-11-12</discovery> + <entry>2025-11-13</entry> + </dates> + </vuln> + + <vuln vid="bff06006-c0b7-11f0-ab42-b42e991fc52e"> + <topic>Mozilla -- Memory safety bugs</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>145.0.0,2</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>145.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/buglist.cgi?bug_id=1987237%2C1990079%2C1991715%2C1994994 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/buglist.cgi?bug_id=1987237%2C1990079%2C1991715%2C1994994"> + <p>Memory safety bugs. Some of these bugs showed evidence of + memory corruption and we presume that with enough effort + some of these could have been exploited to run arbitrary + code. </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-13027</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-13027</url> + </references> + <dates> + <discovery>2025-11-11</discovery> + <entry>2025-11-13</entry> + </dates> + </vuln> + + <vuln vid="a2a815c8-c0b7-11f0-ab42-b42e991fc52e"> + <topic>Firefox -- Multiple vulnerabilities</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>145.0.0,2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1994441 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1994441"> + <ul> + <li>Sandbox escape due to incorrect boundary conditions in + the Graphics: WebGPU component.</li> + <li>Incorrect boundary conditions in the Graphics: WebGPU + component.</li> + <li>JIT miscompilation in the JavaScript Engine: JIT component.</li> + <li>Sandbox escape due to incorrect boundary conditions in + the Graphics: WebGPU component.</li> + <li>Incorrect boundary conditions in the Graphics: WebGPU + component.</li> + <li>Incorrect boundary conditions in the Graphics: WebGPU + component.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-13026</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-13026</url> + <cvename>CVE-2025-13025</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-13025</url> + <cvename>CVE-2025-13024</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-13024</url> + <cvename>CVE-2025-13023</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-13023</url> + <cvename>CVE-2025-13022</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-13022</url> + <cvename>CVE-2025-13021</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-13021</url> + </references> + <dates> + <discovery>2025-11-11</discovery> + <entry>2025-11-13</entry> + </dates> + </vuln> + + <vuln vid="c894635c-c0b6-11f0-ab42-b42e991fc52e"> + <topic>firefox -- Use-after-free</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>145.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1995686 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1995686"> + <ul> + <li>Use-after-free in the WebRTC: Audio/Video component.</li> + <li>Same-origin policy bypass in the DOM: Workers component.</li> + <li>Mitigation bypass in the DOM: Security component.</li> + <li>Same-origin policy bypass in the DOM: Notifications + component.</li> + <li>Incorrect boundary conditions in the JavaScript: + WebAssembly component.</li> + <li>Spoofing issue in Firefox.</li> + <li>Use-after-free in the Audio/Video component.</li> + <li>Mitigation bypass in the DOM: Core and HTML component.</li> + <li>Race condition in the Graphics component.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-13020</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-13020</url> + <cvename>CVE-2025-13019</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-13019</url> + <cvename>CVE-2025-13018</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-13018</url> + <cvename>CVE-2025-13017</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-13017</url> + <cvename>CVE-2025-13016</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-13016</url> + <cvename>CVE-2025-13015</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-13015</url> + <cvename>CVE-2025-13014</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-13014</url> + <cvename>CVE-2025-13013</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-13013</url> + <cvename>CVE-2025-13012</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-13012</url> + </references> + <dates> + <discovery>2025-11-11</discovery> + <entry>2025-11-13</entry> + </dates> + </vuln> + + <vuln vid="5a1d6309-c04a-11f0-85d8-2cf05da270f3"> + <topic>Gitlab -- vulnerabilities</topic> + <affects> + <package> + <name>gitlab-ce</name> + <name>gitlab-ee</name> + <range><ge>18.5.0</ge><lt>18.5.2</lt></range> + <range><ge>18.4.0</ge><lt>18.4.4</lt></range> + <range><ge>13.2.0</ge><lt>18.3.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Gitlab reports:</p> + <blockquote cite="https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/"> + <p>Cross-site scripting issue in k8s proxy impacts GitLab CE/EE</p> + <p>Incorrect Authorization issue in workflows impacts GitLab EE</p> + <p>Information Disclosure issue in GraphQL subscriptions impacts GitLab CE/EE</p> + <p>Information Disclosure issue in access control impacts GitLab CE/EE</p> + <p>Prompt Injection issue in GitLab Duo review impacts GitLab EE</p> + <p>Client Side Path Traversal issue in branch names impacts GitLab EE</p> + <p>Information Disclosure issue in packages API endpoint impacts GitLab CE/EE</p> + <p>Improper Access Control issue in GitLab Pages impacts GitLab CE/EE</p> + <p>Denial of service issue in markdown impacts GitLab CE/EE</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11224</cvename> + <cvename>CVE-2025-11865</cvename> + <cvename>CVE-2025-2615</cvename> + <cvename>CVE-2025-7000</cvename> + <cvename>CVE-2025-6945</cvename> + <cvename>CVE-2025-11990</cvename> + <cvename>CVE-2025-6171</cvename> + <cvename>CVE-2025-7736</cvename> + <cvename>CVE-2025-12983</cvename> + <url>https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/</url> + </references> + <dates> + <discovery>2025-11-12</discovery> + <entry>2025-11-13</entry> + </dates> + </vuln> + + <vuln vid="6e1105d8-bfc2-11f0-bb2b-ecf4bbefc954"> + <topic>privatebin XSS</topic> + <affects> + <package> + <name>privatebin</name> + <range><lt>2.0.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>privatebin reports:</p> + <blockquote cite="https://privatebin.info/reports/vulnerability-2025-11-12-drag-drop.html"> + <p>Dragging a file whose filename contains HTML is reflected verbatim + into the page via the drag-and-drop helper, so any user who drops a + crafted file on PrivateBin will execute arbitrary JavaScript within + their own session (self-XSS). This allows an attacker who can entice + a victim to drag or otherwise attach such a file to exfiltrate + plaintext, encryption keys, or stored pastes before they are + encrypted or sent.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-62796</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-62796</url> + </references> + <dates> + <discovery>2025-11-09</discovery> + <entry>2025-11-12</entry> + </dates> + </vuln> + + <vuln vid="6e05f716-bf9e-11f0-b3f7-a8a1599412c6"> + <topic>chromium -- security fix</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>142.0.7444.162</lt></range> + </package> + <package> + <name>ungoogled-chromium</name> + <range><lt>142.0.7444.162</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_11.html"> + <p>This update includes 1 security fix:</p> + <ul> + <li>[457351015] High CVE-2025-13042: Inappropriate implementation in V8. Reported by 303f06e3 on 2025-11-03</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-13042</cvename> + <url>https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_11.html</url> + </references> + <dates> + <discovery>2025-11-11</discovery> + <entry>2025-11-12</entry> + </dates> + </vuln> + + <vuln vid="93ff3ebe-bba8-11f0-b3f7-a8a1599412c6"> + <topic>chromium -- multiple security fixes</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>142.0.7444.134</lt></range> + </package> + <package> + <name>ungoogled-chromium</name> + <range><lt>142.0.7444.134</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop.html"> + <p>This update includes 5 security fixes:</p> + <ul> + <li>[443906252] High CVE-2025-12725: Out of bounds write in WebGPU. Reported by Anonymous on 2025-09-09</li> + <li>[447172715] High CVE-2025-12726: Inappropriate implementation in Views. Reported by Alesandro Ortiz on 2025-09-25</li> + <li>[454485895] High CVE-2025-12727: Inappropriate implementation in V8. Reported by 303f06e3 on 2025-10-23</li> + <li>[452392032] Medium CVE-2025-12728: Inappropriate implementation in Omnibox. Reported by Hafiizh on 2025-10-16</li> + <li>[454354281] Medium CVE-2025-12729: Inappropriate implementation in Omnibox. Reported by Khalil Zhani on 2025-10-23</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-12725</cvename> + <cvename>CVE-2025-12726</cvename> + <cvename>CVE-2025-12727</cvename> + <cvename>CVE-2025-12728</cvename> + <cvename>CVE-2025-12729</cvename> + <url>https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop.html</url> + </references> + <dates> + <discovery>2025-11-05</discovery> + <entry>2025-11-07</entry> + </dates> + </vuln> + + <vuln vid="77bac392-ba98-11f0-aada-f59a8ea34d12"> + <topic>OpenJPH < 0.24.5 -- multiple vulnerabilities</topic> + <affects> + <package> + <name>openjph</name> + <range><lt>0.24.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Aous Naman reports several vulnerabilities fixed in OpenJPH versions + up to 0.24.5 and credits Cary Phillips for reporting them from the + OSS-fuzz project.</p> + <blockquote cite="https://github.com/aous72/OpenJPH/releases"> + <p>[0.24.5] Addresses OpenEXR OSS-fuzz issue 5747129672073216 that can cause heap corruption.</p> + <p>[0.24.4...] we now check that the ATK marker segment length (Latk) makes sense. + The issue was identified in OpenEXR fuzzing.</p> + <p>[0.24.3] This is an important bug fix. It protects against illegally long QCD and QCC marker segments. It was discovered during OpenEXR fussing; thanx to [Cary Phillips].</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/aous72/OpenJPH/releases</url> + </references> + <dates> + <discovery>2025-10-29</discovery> + <entry>2025-11-05</entry> + </dates> + </vuln> + + <vuln vid="c71a3914-ba96-11f0-aada-f59a8ea34d12"> + <topic>OpenEXR < 3.4.3 -- multiple vulnerabilities</topic> + <affects> + <package> + <name>openexr</name> + <range><lt>3.4.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Cary Phillips reports:</p> + <blockquote cite="https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.3"> + <p> + Patch release that addresses several bugs, primarily involving + properly rejecting corrupt input data. + </p> + </blockquote> + <p> + He goes on to report various relevant items including heap buffer + overflows, use-after-free, use of uninitialized memory and other bugs, + several of them found by OSS-fuzz, and some also found in OpenJPH. + </p> + </body> + </description> + <references> + <url>https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.3</url> + </references> + <dates> + <discovery>2025-10-29</discovery> + <entry>2025-11-05</entry> + </dates> + </vuln> + + <vuln vid="970159e6-ba60-11f0-8447-b42e991fc52e"> + <topic>MongoDB -- Improper Check for Unusual or Exceptional Conditions</topic> + <affects> + <package> + <name>mongodb70</name> + <range><lt>7.0.22</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://jira.mongodb.org/browse/SERVER-101230 reports:</p> + <blockquote cite="https://jira.mongodb.org/browse/SERVER-101230"> + <p>The KMIP response parser built into mongo binaries is + overly tolerant of certain malformed packets, and may parse + them into invalid objects. Later reads of this object can + result in read access violations.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-12657</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-12657</url> + </references> + <dates> + <discovery>2025-11-03</discovery> + <entry>2025-11-05</entry> + </dates> + </vuln> + + <vuln vid="e99a32c8-b8e2-11f0-8510-b42e991fc52e"> + <topic>Xorg -- multiple vulnerabilities</topic> + <affects> + <package> + <name>xorg-server</name> + <range><lt>21.1.19,1</lt></range> + </package> + <package> + <name>xwayland</name> + <range><lt>24.1.9,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://access.redhat.com/errata/RHSA-2025:19432 reports:</p> + <blockquote cite="https://access.redhat.com/errata/RHSA-2025:19432"> + <p>CVE-2025-62229: A flaw was found in the X.Org X server + and Xwayland when processing X11 Present extension + notifications. Improper error handling during notification + creation can leave dangling pointers that lead to a + use-after-free condition. This can cause memory corruption + or a crash, potentially allowing an attacker to execute + arbitrary code or cause a denial of service.</p> + <p>CVE-2025-62230: A flaw was discovered in the X.Org X + servers X Keyboard (Xkb) extension when handling client + resource cleanup. The software frees certain data + structures without properly detaching related resources, + leading to a use-after-free condition. This can cause + memory corruption or a crash when affected clients + disconnect.</p> + <p>CVE-2025-62231: A flaw was identified in the X.Org X + servers X Keyboard (Xkb) extension where improper bounds + checking in the XkbSetCompatMap() function can cause an + unsigned short overflow. If an attacker sends specially + crafted input data, the value calculation may overflow, + leading to memory corruption or a crash.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-62229</cvename> + <cvename>CVE-2025-62230</cvename> + <cvename>CVE-2025-62231</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-62229</url> + </references> + <dates> + <discovery>2025-10-30</discovery> + <entry>2025-11-03</entry> + </dates> + </vuln> + + <vuln vid="5523394e-b889-11f0-9446-f02f7497ecda"> + <topic>redis -- Bug in XACKDEL may lead to stack overflow and potential RCE</topic> + <affects> + <package> + <name>redis</name> + <range><ge>8.2.0</ge><lt>8.2.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Google Big Sleep reports:</p> + <blockquote cite="https://github.com/redis/redis/security/advisories/GHSA-jhjx-x4cf-4vm8"> + <p>A user can run the XACKDEL command with multiple ID's and + trigger a stack buffer overflow, which may potentially lead to + remote code execution. + The problem exists in Redis 8.2 or newer. + The code doesn't handle the case where the number of ID's exceeds + the STREAMID_STATIC_VECTOR_LEN, and skips a reallocation, which + leads to a stack buffer overflow. + An additional workaround to mitigate the problem without patching + the redis-server executable is to prevent users from executing + XACKDEL operation. This can be done using ACL to restrict XACKDEL + command. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-62507</cvename> + <url></url> + </references> + <dates> + <discovery>2025-11-03</discovery> + <entry>2025-11-03</entry> + </dates> + </vuln> + + <vuln vid="1ba0b62b-b80a-11f0-8016-b42e991fc52e"> + <topic>Mozilla -- Denial-of-service due to out-of-memory</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>142.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.2.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>142.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1975837 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1975837"> + <p>Denial-of-service due to out-of-memory in the Graphics: + WebRender component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-9182</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-9182</url> + </references> + <dates> + <discovery>2025-08-19</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="0723a60e-b80a-11f0-8016-b42e991fc52e"> + <topic>Mozilla -- Same-origin policy bypass in the Graphics: Canvas2D component</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>142.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.2.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>142.0.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>140.2.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1979782 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1979782"> + <p>Same-origin policy bypass in the Graphics: Canvas2D + component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-9180</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-9180</url> + </references> + <dates> + <discovery>2025-08-19</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="f752879f-b809-11f0-8016-b42e991fc52e"> + <topic>Firefox -- Sandbox escape due to integer overflow</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.3,2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1987246 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1987246"> + <p>Sandbox escape due to integer overflow in the Graphics: + Canvas2D component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11152</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-11152</url> + </references> + <dates> + <discovery>2025-09-30</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="ea017037-b808-11f0-8016-b42e991fc52e"> + <topic>Firefox -- Information disclosure in the Networking: Cache component</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.3.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1981502 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1981502"> + <p>Information disclosure in the Networking: Cache + component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10536</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-10536</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="d09efc3b-b808-11f0-8016-b42e991fc52e"> + <topic>Firefox -- Spoofing issue in the Site Permissions component</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1665334 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1665334"> + <p>Spoofing issue in the Site Permissions component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10534</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-10534</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="c80baae7-b808-11f0-8016-b42e991fc52e"> + <topic>Firefox -- Integer overflow in the SVG component</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.3.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1980788 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1980788"> + <p>Integer overflow in the SVG component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10533</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-10533</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="af9c5b99-b808-11f0-8016-b42e991fc52e"> + <topic>Firefox -- Incorrect boundary conditions</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.3.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1979502 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1979502"> + <p>Incorrect boundary conditions in the JavaScript: GC + component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10532</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-10532</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="a4bebda9-b808-11f0-8016-b42e991fc52e"> + <topic>Firefox -- Mitigation bypass</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1978453 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1978453"> + <p>Mitigation bypass in the Web Compatibility: Tooling + component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10531</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-10531</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="944d968c-b808-11f0-8016-b42e991fc52e"> + <topic>Firefox -- Same-origin policy bypass</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.3.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143.0.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>140.3.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1970490 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1970490"> + <p>Same-origin policy bypass in the Layout component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10529</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-10529</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="8b5f4eb3-b808-11f0-8016-b42e991fc52e"> + <topic>Firefox -- Sandbox escape due to undefined behavior</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.3.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143.0.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>140.3.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1986185 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1986185"> + <p>Sandbox escape due to undefined behavior, invalid pointer + in the Graphics: Canvas2D component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10528</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-10528</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="82595339-b808-11f0-8016-b42e991fc52e"> + <topic>Firefox -- Sandbox escape due to use-after-free</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.3.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1984825 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1984825"> + <p>Sandbox escape due to use-after-free in the Graphics: + Canvas2D component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10527</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-10527</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="77a0f93a-b71e-11f0-8d86-d7789240c8c2"> + <topic>python 3.9 -- end of life, not receiving security support</topic> + <affects> + <package> + <name>python39</name> + <range><ge>3</ge></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <blockquote cite="https://devguide.python.org/versions/"> + <p>Unsupported versions: [...] End of life: 2025-10-31.</p> + </blockquote> + </body> + </description> + <references> + <url>https://devguide.python.org/versions/</url> + </references> + <dates> + <discovery>2020-10-05</discovery> + <entry>2025-11-01</entry> + </dates> + </vuln> + + <vuln vid="c4fb21e4-b579-11f0-871c-6805ca2fa271"> + <topic>powerdns-recursor -- cache pollution</topic> + <affects> + <package> + <name>powerdns_recursor</name> + <range><lt>5.3.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>PowerDNS Team reports:</p> + <blockquote cite="https://blog.powerdns.com/powerdns-security-advisory-2025-06-2025-10-22"> + <p>It has been brought to our attention that the Recursor does not + apply strict enough validation of received delegation information. + The malicious delegation information can be sent by an attacker + spoofing packets.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-59023</cvename> + <cvename>CVE-2025-59024</cvename> + <url>https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html</url> + </references> + <dates> + <discovery>2025-10-15</discovery> + <entry>2025-10-30</entry> + </dates> + </vuln> + + <vuln vid="7c09fcb7-b5d6-11f0-b3f7-a8a1599412c6"> + <topic>chromium -- multiple security fixes</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>142.0.7444.59</lt></range> + </package> + <package> + <name>ungoogled-chromium</name> + <range><lt>142.0.7444.59</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html"> + <p>This update includes 20 security fixes:</p> + <ul> + <li>[447613211] High CVE-2025-12428: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2025-09-26</li> + <li>[450618029] High CVE-2025-12429: Inappropriate implementation in V8. Reported by Aorui Zhang on 2025-10-10</li> + <li>[442860743] High CVE-2025-12430: Object lifecycle issue in Media. Reported by round.about on 2025-09-04</li> + <li>[436887350] High CVE-2025-12431: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2025-08-06</li> + <li>[439522866] High CVE-2025-12432: Race in V8. Reported by Google Big Sleep on 2025-08-18</li> + <li>[449760249] High CVE-2025-12433: Inappropriate implementation in V8. Reported by Google Big Sleep on 2025-10-07</li> + <li>[452296415] High CVE-2025-12036: Inappropriate implementation in V8. Reported by Google Big Sleep on 2025-10-15</li> + <li>[337356054] Medium CVE-2025-12434: Race in Storage. Reported by Lijo A.T on 2024-04-27</li> + <li>[446463993] Medium CVE-2025-12435: Incorrect security UI in Omnibox. Reported by Hafiizh on 2025-09-21</li> + <li>[40054742] Medium CVE-2025-12436: Policy bypass in Extensions. Reported by Luan Herrera (@lbherrera_) on 2021-02-08</li> + <li>[446294487] Medium CVE-2025-12437: Use after free in PageInfo. Reported by Umar Farooq on 2025-09-20</li> + <li>[433027577] Medium CVE-2025-12438: Use after free in Ozone. Reported by Wei Yuan of MoyunSec VLab on 2025-07-20</li> + <li>[382234536] Medium CVE-2025-12439: Inappropriate implementation in App-Bound Encryption. Reported by Ari Novick on 2024-12-04</li> + <li>[430555440] Low CVE-2025-12440: Inappropriate implementation in Autofill. Reported by Khalil Zhani on 2025-07-09</li> + <li>[444049512] Medium CVE-2025-12441: Out of bounds read in V8. Reported by Google Big Sleep on 2025-09-10</li> + <li>[452071845] Medium CVE-2025-12443: Out of bounds read in WebXR. Reported by Aisle Research on 2025-10-15</li> + <li>[390571618] Low CVE-2025-12444: Incorrect security UI in Fullscreen UI. Reported by syrf on 2025-01-18</li> + <li>[428397712] Low CVE-2025-12445: Policy bypass in Extensions. Reported by Thomas Greiner on 2025-06-29</li> + <li>[444932667] Low CVE-2025-12446: Incorrect security UI in SplitView. Reported by Hafiizh on 2025-09-14</li> + <li>[442636157] Low CVE-2025-12447: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2025-09-03</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-12036</cvename> + <cvename>CVE-2025-12428</cvename> + <cvename>CVE-2025-12429</cvename> + <cvename>CVE-2025-12430</cvename> + <cvename>CVE-2025-12431</cvename> + <cvename>CVE-2025-12432</cvename> + <cvename>CVE-2025-12433</cvename> + <cvename>CVE-2025-12434</cvename> + <cvename>CVE-2025-12435</cvename> + <cvename>CVE-2025-12436</cvename> + <cvename>CVE-2025-12437</cvename> + <cvename>CVE-2025-12438</cvename> + <cvename>CVE-2025-12439</cvename> + <cvename>CVE-2025-12440</cvename> + <cvename>CVE-2025-12441</cvename> + <cvename>CVE-2025-12443</cvename> + <cvename>CVE-2025-12444</cvename> + <cvename>CVE-2025-12445</cvename> + <cvename>CVE-2025-12446</cvename> + <cvename>CVE-2025-12447</cvename> + <url>https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html</url> + </references> + <dates> + <discovery>2025-10-29</discovery> + <entry>2025-10-30</entry> + </dates> + </vuln> + + <vuln vid="291773e6-b5b2-11f0-8f61-b42e991fc52e"> + <topic>Firefox -- use-after-free in the GPU or browser process</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>144.0.2,2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1993113 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1993113"> + <p>Starting with Firefox 142, it was possible for a + compromised child process to trigger a use-after-free in the + GPU or browser process using WebGPU-related IPC calls. + This may have been usable to escape the child process + sandbox.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-12380</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-12380</url> + </references> + <dates> + <discovery>2025-10-28</discovery> + <entry>2025-10-30</entry> + </dates> + </vuln> + + <vuln vid="237f4f57-b50f-11f0-ae9b-b42e991fc52e"> + <topic>Erlang - Absolute Path in Zip Module</topic> + <affects> + <package> + <name>erlang</name> + <range><ge>17.0</ge><lt>26.2.5.13,4</lt></range> + </package> + <package> + <name>erlang-runtime26</name> + <range><lt>26.2.5.13</lt></range> + </package> + <package> + <name>erlang-runtime27</name> + <range><lt>27.3.4.1</lt></range> + </package> + <package> + <name>erlang-runtime28</name> + <range><lt>28.0.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc reports:</p> + <blockquote cite="https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc"> + <p>Improper Limitation of a Pathname to a Restricted + Directory ('Path Traversal') vulnerability in Erlang OTP + (stdlib modules) allows Absolute Path Traversal, File Manipulation. + This vulnerability is associated with program files lib/stdlib/src/zip.erl + and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, + zip:extract/2unless the memory option is passed. This issue + affects OTP from OTP 17.0 until OTP28.0.1, OTP27.3.4.1 and + OTP26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, + 6.2.2.1 and 5.2.3.4.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-4748</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-4748</url> + </references> + <dates> + <discovery>2025-06-16</discovery> + <entry>2025-10-29</entry> + </dates> + </vuln> + + <vuln vid="55c4e822-b4e4-11f0-8438-001b217e4ee5"> + <topic>ISC KEA -- Invalid characters cause assert</topic> + <affects> + <package> + <name>kea</name> + <range><ge>3.0.1</ge><lt>3.0.2</lt></range> + </package> + <package> + <name>kea-devel</name> + <range><ge>3.1.1</ge><lt>3.1.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Internet Systems Consortium, Inc. reports:</p> + <blockquote cite="https://kb.isc.org/docs/cve-2025-11232"> + <p>To trigger the issue, three configuration parameters + must have specific settings: "hostname-char-set" must be + left at the default setting, which is "[^A-Za-z0-9.-]"; + "hostname-char-replacement" must be empty (the default); + and "ddns-qualifying-suffix" must NOT be empty (the default is empty). + DDNS updates do not need to be enabled for this issue to manifest. + A client that sends certain option content would then + cause kea-dhcp4 to exit unexpectedly. + This addresses CVE-2025-11232 [#4142, #4155].</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11232</cvename> + <url>https://kb.isc.org/docs/cve-2025-11232</url> + </references> + <dates> + <discovery>2025-10-29</discovery> + <entry>2025-10-29</entry> + </dates> + </vuln> + + <vuln vid="c5889223-b4e1-11f0-ae9b-b42e991fc52e"> + <topic>SQLite < 3.50.3 -- CWE-190 Integer Overflow or Wraparound in FTS5 module</topic> + <affects> + <package> + <name>sqlite3</name> + <range><ge>3.49.1,1</ge><lt>3.50.3,1</lt></range> + </package> + <package> + <name>linux_base-rl9</name> + <range><ge>0</ge></range> <!-- unknown and unrelated fixes might make this disappear, so set >= 0 instead of <= 9.6_1 to err on the safe side --> + </package> + <package> + <name>linux-c7-sqlite</name> + <range><lt>3.50.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g reports:</p> + <blockquote cite="https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g"> + <p>An integer overflow exists in the FTS5 https://sqlite.org/fts5.html + extension. It occurs when the size of an array of tombstone + pointers is calculated and truncated into a 32-bit integer. + A pointer to partially controlled data can then be written + out of bounds.</p> + </blockquote> + <p>The FreeBSD build enables the FTS5 extension by default.</p> + </body> + </description> + <references> + <cvename>CVE-2025-7709</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-7709</url> + </references> + <dates> + <discovery>2025-07-15</discovery> + <entry>2025-10-29</entry> + <modified>2025-11-07</modified> + </dates> + </vuln> + + <vuln vid="3116b6f3-b433-11f0-82ac-901b0edee044"> + <topic>py-social-auth-app-django -- Unsafe account association</topic> + <affects> + <package> + <name>py39-social-auth-app-django</name> + <name>py310-social-auth-app-django</name> + <name>py311-social-auth-app-django</name> + <name>py312-social-auth-app-django</name> + <range><lt>5.4.3_1</lt></range> + </package> + <package> + <name>py310-dj51-social-auth-app-django</name> + <name>py311-dj51-social-auth-app-django</name> + <name>py312-dj51-social-auth-app-django</name> + <range><lt>5.6.0</lt></range> + </package> + <package> + <name>py310-dj52-social-auth-app-django</name> + <name>py311-dj52-social-auth-app-django</name> + <name>py312-dj52-social-auth-app-django</name> + <range><lt>5.6.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Michal Čihař reports:</p> + <blockquote cite="https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg"> + <p>Upon authentication, the user could be associated by e-mail even if the + associate_by_email pipeline was not included. This could lead to account + compromise when a third-party authentication service does not validate + provided e-mail addresses or doesn't require unique e-mail addresses.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-61783</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-61783</url> + </references> + <dates> + <discovery>2025-10-09</discovery> + <entry>2025-10-29</entry> + </dates> + </vuln> + + <vuln vid="2cd61f76-b41b-11f0-bf21-b42e991fc52e"> + <topic>SQLite -- Integer Overflow vulnerability</topic> + <affects> + <package> + <name>sqlite3</name> + <range><lt>3.50.1,1</lt></range> + </package> + <package> + <name>linux_base-rl9-9.6</name> + <range><le>9.6_1</le></range> + </package> + <package> + <name>linux-c7-sqlite</name> + <range><lt>3.50.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>http://sqlite3.com reports:</p> + <blockquote cite="http://sqlite3.com"> + <p>Integer Overflow vulnerability in SQLite SQLite3 v.3.50.0 + allows a remote attacker to cause a denial of service via + the setupLookaside function</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-52099</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-52099</url> + </references> + <dates> + <discovery>2025-10-24</discovery> + <entry>2025-10-28</entry> + </dates> + </vuln> + + <vuln vid="a8dacd4b-b416-11f0-9f23-ecf4bbefc954"> + <topic>privatebin - Missing HTML sanitisation of attached filename in file size hint enabling persistent XSS</topic> + <affects> + <package> + <name>privatebin</name> + <range><lt>2.0.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>PrivateBin reports:</p> + <blockquote cite="https://privatebin.info/reports/vulnerability-2025-10-28.html"> + <p>We've identified an HTML injection/XSS vulnerability in the PrivateBin + service that allows the injection of arbitrary HTML markup via the attached + filename.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-62796</cvename> + <url>https://www.cve.org/CVERecord?id=CVE-2025-62796</url> + </references> + <dates> + <discovery>2025-10-23</discovery> + <entry>2025-10-28</entry> + </dates> + </vuln> + + <vuln vid="1f1cf967-b35c-11f0-bce7-bc2411002f50"> + <topic>strongSwan -- Heap-based buffer overflow in eap-mschapv2 plugin due to improper handling of failure request packets</topic> + <affects> + <package> + <name>strongswan</name> + <range><ge>4.2.12</ge><lt>6.0.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Xu Biang reports:</p> + <blockquote cite="https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-(cve-2025-62291).html"> + <p>The eap-mschapv2 plugin doesn't correctly check the length of an EAP-MSCHAPv2 Failure Request packet on the client, + which can cause an integer underflow that leads to a crash and, depending on the compiler options, even a heap-based + buffer overflow that's potentially exploitable for remote code execution. Affected are all strongSwan versions since 4.2.12.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-62291</cvename> + <url>https://www.cve.org/CVERecord?id=CVE-2025-62291</url> + </references> + <dates> + <discovery>2025-10-27</discovery> + <entry>2025-10-27</entry> + </dates> + </vuln> + + <vuln vid="823b4e48-b340-11f0-b3f7-a8a1599412c6"> + <topic>chromium -- security fix</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>141.0.7390.122</lt></range> + </package> + <package> + <name>ungoogled-chromium</name> + <range><lt>141.0.7390.122</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_21.html"> + <p>This update includes 1 security fix:</p> + <ul> + <li>[452296415] High CVE-2025-12036: Inappropriate implementation in V8. Reported by Google Big Sleep on 2025-10-15</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-12036</cvename> + <url>https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_21.html</url> + </references> + <dates> + <discovery>2025-10-21</discovery> + <entry>2025-10-27</entry> + </dates> + </vuln> + + <vuln vid="ea1c485f-b025-11f0-bce7-bc2411002f50"> + <topic>unbound -- Possible domain hijacking via promiscuous records in the authority section</topic> + <affects> + <package> + <name>unbound</name> + <range><lt>1.24.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>sep@nlnetlabs.nl reports:</p> + <blockquote cite="https://www.nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt"> + <p>NLnet Labs Unbound up to and including version 1.24.0 is vulnerable + to possible domain hijack attacks. Promiscuous NS RRSets that + complement positive DNS replies in the authority section can be + used to trick resolvers to update their delegation information for + the zone. Usually these RRSets are used to update the resolver's + knowledge of the zone's name servers. A malicious actor can + exploit the possible poisonous effect by injecting NS RRSets (and + possibly their respective address records) in a reply. This could + be done for example by trying to spoof a packet or fragmentation + attacks. Unbound would then proceed to update the NS RRSet data + it already has since the new data has enough trust for it, i.e., + in-zone data for the delegation point. Unbound 1.24.1 includes a + fix that scrubs unsolicited NS RRSets (and their respective address + records) from replies mitigating the possible poison effect.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11411</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11411</url> + </references> + <dates> + <discovery>2025-10-22</discovery> + <entry>2025-10-23</entry> + </dates> + </vuln> + + <vuln vid="269c2de7-afaa-11f0-b4c8-792b26d8a051"> + <topic>RT -- XSS via calendar invitations</topic> + <affects> + <package> + <name>rt60</name> + <name>rt50</name> + <range><ge>6.0.0</ge><lt>6.0.2</lt></range> + <range><ge>5.0.4</ge><lt>5.0.9</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Mateusz Szymaniec and CERT Polska Reports:</p> + <blockquote cite="https://github.com/bestpractical/rt/releases/tag/rt-6.0.2"> + <p>RT is vulnerable to XSS via calendar invitations added to a + ticket. Thanks to Mateusz Szymaniec and CERT Polska for + reporting this finding.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-9158</cvename> + <url>https://github.com/bestpractical/rt/releases/tag/rt-6.0.2</url> + </references> + <dates> + <discovery>2025-10-23</discovery> + <entry>2025-10-23</entry> + </dates> + </vuln> + + <vuln vid="b374df95-afa8-11f0-b4c8-792b26d8a051"> + <topic>RT -- CSV injection</topic> + <affects> + <package> + <name>rt60</name> + <name>rt50</name> + <name>rt44</name> + <range><ge>6.0.0</ge><lt>6.0.2</lt></range> + <range><ge>5.0.0</ge><lt>5.0.9</lt></range> + <range><ge>4.4.0</ge><lt>4.4.9</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Gareth Watkin-Jones from 4armed reports:</p> + <blockquote cite="https://github.com/bestpractical/rt/releases/tag/rt-6.0.2"> + <p>RT is vulnerable to CSV injection via ticket values with + special characters that are exported to a TSV from search + results. Thanks to Gareth Watkin-Jones from 4armed for + reporting this finding.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-61873</cvename> + <url>https://github.com/bestpractical/rt/releases/tag/rt-6.0.2</url> + </references> + <dates> + <discovery>2025-10-23</discovery> + <entry>2025-10-23</entry> + </dates> + </vuln> + + <vuln vid="114cc98b-afad-11f0-af12-bc241121aa0a"> + <topic>FreeBSD -- SO_REUSEPORT_LB breaks connect(2) for UDP sockets</topic> + <affects> + <package> + <name>FreeBSD-kernel</name> + <range><ge>14.3</ge><lt>14.3_5</lt></range> + <range><ge>13.5</ge><lt>13.5_6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>Connected sockets are not intended to belong to load-balancing + groups. However, the kernel failed to check the connection state + of sockets when adding them to load-balancing groups. Furthermore, + when looking up the destination socket for an incoming packet, the + kernel will match a socket belonging to a load-balancing group even + if it is connected.</p> + <p>Connected sockets are only supposed to receive packets originating + from the connected host. The above behavior violates this contract.</p> + <h1>Impact:</h1> + <p>Software which sets SO_REUSEPORT_LB on a socket and then connects + it to a host will not observe any problems. However, due to its + membership in a load-balancing group, that socket will receive + packets originating from any host. This breaks the contract of the + connect(2) and implied connect via sendto(2), and may leave the + application vulnerable to spoofing attacks.</p> + </body> + </description> + <references> + <cvename>CVE-2025-24934</cvename> + <freebsdsa>SA-25:09.netinet</freebsdsa> + </references> + <dates> + <discovery>2025-10-22</discovery> + <entry>2025-10-23</entry> + </dates> + </vuln> + + <vuln vid="f741ea93-af61-11f0-98b5-2cf05da270f3"> + <topic>Gitlab -- vulnerabilities</topic> + <affects> + <package> + <name>gitlab-ce</name> + <name>gitlab-ee</name> + <range><ge>18.5.0</ge><lt>18.5.1</lt></range> + <range><ge>18.4.0</ge><lt>18.4.3</lt></range> + <range><ge>10.6.0</ge><lt>18.3.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Gitlab reports:</p> + <blockquote cite="https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/"> + <p>Improper access control issue in runner API impacts GitLab EE</p> + <p>Denial of service issue in event collection impacts GitLab CE/EE</p> + <p>Denial of service issue in JSON validation impacts GitLab CE/EE</p> + <p>Denial of service issue in upload impacts GitLab CE/EE</p> + <p>Incorrect Authorization issue in pipeline builds impacts GitLab CE</p> + <p>Business logic error issue in group memberships impacts GitLab EE</p> + <p>Missing authorization issue in quick actions impacts GitLab EE</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11702</cvename> + <cvename>CVE-2025-10497</cvename> + <cvename>CVE-2025-11447</cvename> + <cvename>CVE-2025-11974</cvename> + <cvename>CVE-2025-11971</cvename> + <cvename>CVE-2025-6601</cvename> + <cvename>CVE-2025-11989</cvename> + <url>https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/</url> + </references> + <dates> + <discovery>2025-10-22</discovery> + <entry>2025-10-22</entry> + </dates> + </vuln> + + <vuln vid="88f34edb-ae9b-11f0-b3f7-a8a1599412c6"> + <topic>chromium -- multiple security fixes</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>141.0.7390.107</lt></range> + </package> + <package> + <name>ungoogled-chromium</name> + <range><lt>141.0.7390.107</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_14.html"> + <p>This update includes 1 security fix:</p> + <ul> + <li>[447192722] High CVE-2025-11756: Use after free in Safe Browsing. Reported by asnine on 2025-09-25</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11756</cvename> + <url>https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_14.html</url> + </references> + <dates> + <discovery>2025-10-14</discovery> + <entry>2025-10-21</entry> + </dates> + </vuln> + + <vuln vid="60ddafd2-ae9e-11f0-b3f7-a8a1599412c6"> + <topic>chromium -- multiple security fixes</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>141.0.7390.65</lt></range> + </package> + <package> + <name>ungoogled-chromium</name> + <range><lt>141.0.7390.65</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop.html"> + <p>This update includes 3 security fixes:</p> + <ul> + <li>[443196747] High CVE-2025-11458: Heap buffer overflow in Sync. Reported by raven at KunLun lab on 2025-09-05</li> + <li>[446722008] High CVE-2025-11460: Use after free in Storage. Reported by Sombra on 2025-09-23</li> + <li>[441917796] Medium CVE-2025-11211: Out of bounds read in WebCodecs. Reported by Jakob Košir on 2025-08-29</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11458</cvename> + <cvename>CVE-2025-11460</cvename> + <cvename>CVE-2025-11211</cvename> + <url>https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop.html</url> + </references> + <dates> + <discovery>2025-10-07</discovery> + <entry>2025-10-21</entry> + </dates> + </vuln> + + <vuln vid="cdf2abf7-ae83-11f0-b5fb-b42e991fc52e"> + <topic>Mongodb -- Use-after-free in the MongoDB</topic> + <affects> + <package> + <name>mongodb70</name> + <range><lt>7.0.25</lt></range> + </package> + <package> + <name>mongodb80</name> + <range><lt>8.0.15</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>cna@mongodb.com reports:</p> + <blockquote cite="https://jira.mongodb.org/browse/SERVER-105873"> + <p>An authorized user may crash the MongoDB server by + causing buffer over-read. This can be done by issuing a DDL + operation while queries are being issued, under some + conditions.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11979</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11979</url> + </references> + <dates> + <discovery>2025-10-20</discovery> + <entry>2025-10-21</entry> + </dates> + </vuln> + + <vuln vid="4553e4b3-addf-11f0-9b8d-40a6b7c3b3b8"> + <topic>Hidden/Protected custom variables are prone to filter enumeration</topic> + <affects> + <package> + <name>icingaweb2-module-icingadb-php81</name> + <range><lt>1.1.4</lt></range> + <range><ge>1.2</ge><lt>1.2.3,1</lt></range> + </package> + <package> + <name>icingaweb2-module-icingadb-php82</name> + <range><lt>1.1.4</lt></range> + <range><ge>1.2</ge><lt>1.2.3,1</lt></range> + </package> + <package> + <name>icingaweb2-module-icingadb-php83</name> + <range><lt>1.1.4</lt></range> + <range><ge>1.2</ge><lt>1.2.3,1</lt></range> + </package> + <package> + <name>icingaweb2-module-icingadb-php84</name> + <range><lt>1.1.4</lt></range> + <range><ge>1.2</ge><lt>1.2.3,1</lt></range> + </package> + <package> + <name>icingaweb2-module-icingadb-php85</name> + <range><lt>1.1.4</lt></range> + <range><ge>1.2</ge><lt>1.2.3,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Icinga reports:</p> + <blockquote cite="https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429"> + <p>An authorized user with access to Icinga DB Web, can use + a custom variable in a filter that is either protected by + icingadb/protect/variables or hidden by icingadb/denylist/variables, + to guess values assigned to it.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-61789</cvename> + <url>https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429</url> + </references> + <dates> + <discovery>2025-10-16</discovery> + <entry>2025-10-20</entry> + </dates> + </vuln> + + <vuln vid="4355ce42-ad06-11f0-b2aa-b42e991fc52e"> + <topic>Mozilla -- XSS in sites without content-type header</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>144.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.4.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>144.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1979536"> + <p>A malicious page could have used the type attribute of an OBJECT + tag to override the default browser behavior when encountering a + web resource served without a content-type. This could have + contributed to an XSS on a site that unsafely serves files without + a content-type header.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11712</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11712</url> + </references> + <dates> + <discovery>2025-10-14</discovery> + <entry>2025-10-19</entry> + </dates> + </vuln> + + <vuln vid="fff839db-ad04-11f0-b2aa-b42e991fc52e"> + <topic>Mozilla -- JavaScript Object property overriding</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>144.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.4.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>144.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1989978"> + <p>There was a way to change the value of JavaScript Object + properties that were supposed to be non-writeable.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11711</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11711</url> + </references> + <dates> + <discovery>2025-10-14</discovery> + <entry>2025-10-19</entry> + </dates> + </vuln> + + <vuln vid="f7047dfc-ad02-11f0-b2aa-b42e991fc52e"> + <topic>Mozilla -- Memory disclosure</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>144.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.4.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>144.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1989899"> + <p>A compromised web process using malicious IPC messages + could have caused the privileged browser process to reveal + blocks of its memory to the compromised process.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11710</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11710</url> + </references> + <dates> + <discovery>2025-10-14</discovery> + <entry>2025-10-19</entry> + </dates> + </vuln> + + <vuln vid="b760c618-ad02-11f0-b2aa-b42e991fc52e"> + <topic>Mozilla -- Out-of-bounds reads and writes</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>144.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.4.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>144.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1989127"> + <p>A compromised web process was able to trigger out of + bounds reads and writes in a more privileged process using + manipulated WebGL textures.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11709</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11709</url> + </references> + <dates> + <discovery>2025-10-14</discovery> + <entry>2025-10-19</entry> + </dates> + </vuln> + + <vuln vid="85c17eb8-ad02-11f0-b2aa-b42e991fc52e"> + <topic>Mozilla -- Use-after-free</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>144.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.4.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>144.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1988931"> + <p>Use-after-free in MediaTrackGraphImpl::GetInstance()</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11708</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11708</url> + </references> + <dates> + <discovery>2025-10-14</discovery> + <entry>2025-10-19</entry> + </dates> + </vuln> + + <vuln vid="247bc43f-ad02-11f0-b2aa-b42e991fc52e"> + <topic>Mozilla -- Memory safety bugs</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>144.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.4</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>144.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/buglist.cgi?bug_id=1973699%2C1989945%2C1990970%2C1991040%2C1992113"> + <p>Memory safety bugs. Some of these bugs showed evidence of + memory corruption and we presume that with enough effort + some of these could have been exploited to run arbitrary + code.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11714</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11714</url> + </references> + <dates> + <discovery>2025-10-14</discovery> + <entry>2025-10-19</entry> + </dates> + </vuln> + + <vuln vid="20840621-ab82-11f0-b961-b42e991fc52e"> + <topic>Mozilla -- Memory safety bugs</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>144.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.4.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>140.4.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/buglist.cgi?bug_id=1983838%2C1987624%2C1988244%2C1988912%2C1989734%2C1990085%2C1991899"> + <p>Memory safety bugs. Some of these bugs showed evidence of + memory corruption and we presume that with enough effort + some of these could have been exploited to run arbitrary + code.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11715</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11715</url> + </references> + <dates> + <discovery>2025-10-14</discovery> + <entry>2025-10-17</entry> + </dates> + </vuln> + + <vuln vid="ed132d42-ab81-11f0-b961-b42e991fc52e"> + <topic>Mozilla -- Memory safety bugs</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>144.0.0,2</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>144.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1986816"> + <p>Memory safety bug. This bug showed evidence of memory + corruption and we presume that with enough effort this could + have been exploited to run arbitrary code.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11721</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11721</url> + </references> + <dates> + <discovery>2025-10-14</discovery> + <entry>2025-10-17</entry> + </dates> + </vuln> + + <vuln vid="f3550d26-ab7d-11f0-b961-b42e991fc52e"> + <topic>Firefox -- Sandbox escape</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.3,2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1987246"> + <p>Sandbox excape due to integer overflow in the Graphics: + Canvas2D component</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11152</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11152</url> + </references> + <dates> + <discovery>2025-09-30</discovery> + <entry>2025-10-17</entry> + </dates> + </vuln> + + <vuln vid="7b9a8247-ab7b-11f0-b961-b42e991fc52e"> + <topic>Mozilla -- Memory safety bugs</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>142.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.2.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>142.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/buglist.cgi?bug_id=1938220%2C1980730%2C1981280%2C1981283%2C1984505%2C1985067"> + <p>Some of these bugs showed evidence of memory corruption + and we presume that with enough effort some of these could + have been exploited to run arbitrary code.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10537</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10537</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-10-17</entry> + </dates> + </vuln> + + <vuln vid="4fe6f98e-ab7b-11f0-b961-b42e991fc52e"> + <topic>Mozilla -- Information disclosure</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.3.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1981502"> + <p>This vulnerability affects Firefox < 143, Firefox ESR < 140.3, + Thunderbird < 143, and Thunderbird < 140.3.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10536</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10536</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-10-17</entry> + </dates> + </vuln> + + <vuln vid="1e8a6581-ab7b-11f0-b961-b42e991fc52e"> + <topic>Mozilla -- spoofing</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1665334"> + <p>Spoofing issue in the Site Permission component</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10534</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10534</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-10-17</entry> + </dates> + </vuln> + + <vuln vid="c7383de4-ab7a-11f0-b961-b42e991fc52e"> + <topic>Mozilla -- integer overflow</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>115.28.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1980788"> + <p>Integer overflow in the SVG component</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10533</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10533</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-10-17</entry> + </dates> + </vuln> + + <vuln vid="511f5aac-ab46-11f0-9446-f02f7497ecda"> + <topic>minio -- Privilege Escalation via Session Policy Bypass in Service Accounts and STS</topic> + <affects> + <package> + <name>minio</name> + <range><lt>RELEASE.2025-10-15T17-29-55Z</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>mino reports:</p> + <blockquote cite="https://github.com/minio/minio/security/advisories/GHSA-jjjj-jwhf-8rgr"> + <p>A privilege escalation vulnerability allows service accounts and STS + (Security Token Service) accounts with restricted session policies to + bypass their inline policy restrictions when performing "own" account + operations, specifically when creating new service accounts for the same + user.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-62506</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-62506</url> + </references> + <dates> + <discovery>2025-10-17</discovery> + <entry>2025-10-17</entry> + </dates> + </vuln> + + <vuln vid="50fd6a75-0587-4987-bef2-bb933cd78ea1"> + <topic>zeek -- information leak vulnerability</topic> + <affects> + <package> + <name>zeek</name> + <range><lt>8.0.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Tim Wojtulewicz of Corelight reports:</p> + <blockquote cite="INSERT URL HERE"> + <p>The KRB analyzer can leak information about hosts in + analyzed traffic via external DNS lookups.</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/zeek/zeek/releases/tag/v8.0.2</url> + </references> + <dates> + <discovery>2025-10-13</discovery> + <entry>2025-10-13</entry> + </dates> + </vuln> + + <vuln vid="6dd86212-a859-11f0-bd95-b42e991fc52e"> + <topic>Firefox -- JIT miscompilation in the JavaScript Engine</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.3,2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1987481"> + <p>JIT miscompilation in the JavaScript Engine: JIT + component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11153</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11153</url> + </references> + <dates> + <discovery>2025-09-30</discovery> + <entry>2025-10-13</entry> + </dates> + </vuln> + + <vuln vid="87fdaf3c-a5b5-11f0-98b5-2cf05da270f3"> + <topic>Gitlab -- vulnerabilities</topic> + <affects> + <package> + <name>gitlab-ce</name> + <name>gitlab-ee</name> + <range><ge>18.4.0</ge><lt>18.4.2</lt></range> + <range><ge>18.3.0</ge><lt>18.3.4</lt></range> + <range><ge>5.2.0</ge><lt>18.2.8</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Gitlab reports:</p> + <blockquote cite="https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/"> + <p>Incorrect authorization issue in GraphQL mutations impacts GitLab EE</p> + <p>Denial of Service issue in GraphQL blob type impacts GitLab CE/EE</p> + <p>Missing authorization issue in manual jobs impacts GitLab CE/EE</p> + <p>Denial of Service issue in webhook endpoints impacts GitLab CE/EE</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11340</cvename> + <cvename>CVE-2025-10004</cvename> + <cvename>CVE-2025-9825</cvename> + <cvename>CVE-2025-2934</cvename> + <url>https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/</url> + </references> + <dates> + <discovery>2025-10-08</discovery> + <entry>2025-10-10</entry> + </dates> + </vuln> + + <vuln vid="0b5145e9-a500-11f0-a136-10ffe07f9334"> + <topic>Mailpit -- Performance information disclosure</topic> + <affects> + <package> + <name>mailpit</name> + <range><lt>1.27.10</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Ralph Slooten (Mailpit developer) reports:</p> + <blockquote cite="https://github.com/axllent/mailpit/releases/tag/v1.27.10"> + <p>An HTTP endpoint was found which exposed expvar runtime + information (memory usage, goroutine counts, GC behavior, + uptime and potential runtime flags) due to the Prometheus + client library dependency.</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/axllent/mailpit/releases/tag/v1.27.10</url> + </references> + <dates> + <discovery>2025-10-09</discovery> + <entry>2025-10-09</entry> + </dates> + </vuln> + + <vuln vid="f60c790a-a394-11f0-9617-b42e991fc52e"> + <topic>Mozilla -- Incorrect boundary conditions</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.3</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1979502"> + <p>The vulnerability has been assessed to have moderate + impact on affected systems, potentially allowing attackers + to exploit incorrect boundary conditions in the JavaScript + Garbage Collection component. In Thunderbird specifically, + these flaws cannot be exploited through email as scripting + is disabled when reading mail, but remain potential risks in + browser or browser-like contexts </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10532</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10532</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-10-07</entry> + </dates> + </vuln> + + <vuln vid="a240c31b-a394-11f0-9617-b42e991fc52e"> + <topic>Mozilla -- mitigation bypass vulnerability</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0,2</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1978453"> + <p>The vulnerability has been rated as having moderate + impact, affecting both confidentiality and integrity + with low severity, while having no impact on + availability. For Thunderbird specifically, the + vulnerability cannot be exploited through email as + scripting is disabled when reading mail, but remains a + potential risk in browser or browser-like contexts </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10531</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10531</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-10-07</entry> + </dates> + </vuln> + + <vuln vid="f2de2f64-a2cc-11f0-8402-b42e991fc52e"> + <topic>Mozilla -- Sandbox escape due to use-after-free</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.3.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1986185"> + <p>Sandbox escape due to use-after-free</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10527</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10527</url> + <cvename>CVE-2025-10528</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10528</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-10-06</entry> + </dates> + </vuln> + + <vuln vid="a5395e02-a2ca-11f0-8402-b42e991fc52e"> + <topic>mongodb -- Malformed $group Query May Cause MongoDB Server to Crash</topic> + <affects> + <package> + <name>mongodb60</name> + <range><lt>6.0.25</lt></range> + </package> + <package> + <name>mongodb70</name> + <range><lt>7.0.22</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>cna@mongodb.com reports:</p> + <blockquote cite="https://jira.mongodb.org/browse/SERVER-99616"> + <p>An authorized user can cause a crash in the MongoDB Server through + a specially crafted $group query. This vulnerability is related + to the incorrect handling of certain accumulator functions when + additional parameters are specified within the $group operation. + This vulnerability could lead to denial of service if triggered + repeatedly.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10061</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10061</url> + </references> + <dates> + <discovery>2025-09-05</discovery> + <entry>2025-10-06</entry> + <modified>2025-10-07</modified> + </dates> + </vuln> + + <vuln vid="6d16b410-a2ca-11f0-8402-b42e991fc52e"> + <topic>mongodb -- MongoDB may be susceptible to Invariant Failure in Transactions due Upsert Operation</topic> + <affects> + <package> + <name>mongodb60</name> + <range><lt>6.0.25</lt></range> + </package> + <package> + <name>mongodb70</name> + <range><lt>7.0.22</lt></range> + </package> + <package> + <name>mongodb80</name> + <range><lt>8.0.12</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>cna@mongodb.com reports:</p> + <blockquote cite="https://jira.mongodb.org/browse/SERVER-95524"> + <p>MongoDB Server may allow upsert operations retried + within a transaction to violate unique index constraints, + potentially causing an invariant failure and server crash + during commit. This issue may be triggered by improper + WriteUnitOfWork state management.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10060</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10060</url> + </references> + <dates> + <discovery>2025-09-05</discovery> + <entry>2025-10-06</entry> + </dates> + </vuln> + + <vuln vid="4329e3bd-a2ca-11f0-8402-b42e991fc52e"> + <topic>mongodb -- MongoDB Server router will crash when incorrect lsid is set on a sharded query</topic> + <affects> + <package> + <name>mongodb60</name> + <range><lt>6.0.24</lt></range> + </package> + <package> + <name>mongodb70</name> + <range><lt>7.0.18</lt></range> + </package> + <package> + <name>mongodb80</name> + <range><lt>8.0.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>cna@mongodb.com reports:</p> + <blockquote cite="https://jira.mongodb.org/browse/SERVER-100901"> + <p>An improper setting of the lsid field on any sharded query can cause + a crash in MongoDB routers. This issue occurs when a generic + argument (lsid) is provided in a case when it is not applicable.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10059</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10059</url> + </references> + <dates> + <discovery>2025-09-05</discovery> + <entry>2025-10-06</entry> + </dates> + </vuln> + + <vuln vid="a9dc3c61-a20f-11f0-91d8-b42e991fc52e"> + <topic>mongodb -- MongoDB Server access to non-initialized memory</topic> + <affects> + <package> + <name>mongodb6</name> + <range><lt>6.0.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>cna@mongodb.com reports:</p> + <blockquote cite="https://jira.mongodb.org/browse/SERVER-71477"> + <p>MongoDB Server may access non-initialized region of + memory leading to unexpected behaviour when zero arguments + are called in internal aggregation stage.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2024-8654</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2024-8654</url> + </references> + <dates> + <discovery>2024-09-10</discovery> + <entry>2025-10-05</entry> + </dates> + </vuln> + + <vuln vid="0af2f18e-a119-11f0-9446-f02f7497ecda"> + <topic>redis,valkey -- Out of bound read due to a bug in LUA</topic> + <affects> + <package> + <name>redis</name> + <range><ge>8.2.0</ge><lt>8.2.2</lt></range> + </package> + <package> + <name>redis80</name> + <range><ge>8.0.0</ge><lt>8.0.4</lt></range> + </package> + <package> + <name>redis74</name> + <range><ge>7.4.0</ge><lt>7.4.6</lt></range> + </package> + <package> + <name>redis72</name> + <range><ge>7.2.0</ge><lt>7.2.11</lt></range> + </package> + <package> + <name>redis62</name> + <range><ge>6.2.0</ge><lt>6.2.20</lt></range> + </package> + <package> + <name>valkey</name> + <range><lt>8.1.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>redis reports:</p> + <blockquote cite="https://github.com/redis/redis/security/advisories/GHSA-4c68-q8q8-3g4f"> + <p> + An authenticated user may use a specially crafted LUA script to read + out-of-bound data or crash the server and subsequent denial of + service. + The problem exists in all versions of Redis with Lua scripting + An additional workaround to mitigate the problem without patching + the redis-server executable is to prevent users from executing Lua + scripts. This can be done using ACL to block a script by restricting + both the EVAL and FUNCTION command families. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-46819</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-46819</url> + </references> + <dates> + <discovery>2025-10-03</discovery> + <entry>2025-10-04</entry> + </dates> + </vuln> + + <vuln vid="0258d37d-a118-11f0-9446-f02f7497ecda"> + <topic>redis,valkey -- Running Lua function as a different user</topic> + <affects> + <package> + <name>redis</name> + <range><ge>8.2.0</ge><lt>8.2.2</lt></range> + </package> + <package> + <name>redis80</name> + <range><ge>8.0.0</ge><lt>8.0.4</lt></range> + </package> + <package> + <name>redis74</name> + <range><ge>7.4.0</ge><lt>7.4.6</lt></range> + </package> + <package> + <name>redis72</name> + <range><ge>7.2.0</ge><lt>7.2.11</lt></range> + </package> + <package> + <name>redis62</name> + <range><ge>6.2.0</ge><lt>6.2.20</lt></range> + </package> + <package> + <name>valkey</name> + <range><lt>8.1.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>redis reports:</p> + <blockquote cite="https://github.com/redis/redis/security/advisories/GHSA-qrv7-wcrx-q5jp"> + <p> + An authenticated user may use a specially crafted Lua script to + manipulate different LUA objects and potentially run their own code + in the context of another user + The problem exists in all versions of Redis with Lua scripting. + An additional workaround to mitigate the problem without patching + the redis-server executable is to prevent users from executing Lua + scripts. This can be done using ACL to block a script by restricting + both the EVAL and FUNCTION command families. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-46818</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-46818</url> + </references> + <dates> + <discovery>2025-10-03</discovery> + <entry>2025-10-04</entry> + </dates> + </vuln> + + <vuln vid="f6b8de04-a116-11f0-9446-f02f7497ecda"> + <topic>redis,valkey -- Lua library commands may lead to integer overflow and potential RCE</topic> + <affects> + <package> + <name>redis</name> + <range><ge>8.2.0</ge><lt>8.2.2</lt></range> + </package> + <package> + <name>redis80</name> + <range><ge>8.0.0</ge><lt>8.0.4</lt></range> + </package> + <package> + <name>redis74</name> + <range><ge>7.4.0</ge><lt>7.4.6</lt></range> + </package> + <package> + <name>redis72</name> + <range><ge>7.2.0</ge><lt>7.2.11</lt></range> + </package> + <package> + <name>redis62</name> + <range><ge>6.2.0</ge><lt>6.2.20</lt></range> + </package> + <package> + <name>valkey</name> + <range><lt>8.1.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>redis reports:</p> + <blockquote cite="https://github.com/redis/redis/security/advisories/GHSA-m8fj-85cg-7vhp"> + <p> + An authenticated user may use a specially crafted Lua script to + cause an integer overflow and potentially lead to remote code + execution + The problem exists in all versions of Redis with Lua scripting. + An additional workaround to mitigate the problem without patching + the redis-server executable is to prevent users from executing Lua + scripts. This can be done using ACL to block a script by restricting + both the EVAL and FUNCTION command families. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-46817</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-46817</url> + </references> + <dates> + <discovery>2025-10-03</discovery> + <entry>2025-10-04</entry> + </dates> + </vuln> + + <vuln vid="17e85cae-a115-11f0-9446-f02f7497ecda"> + <topic>redis,valkey -- Lua Use-After-Free may lead to remote code execution</topic> + <affects> + <package> + <name>redis</name> + <range><ge>8.2.0</ge><lt>8.2.2</lt></range> + </package> + <package> + <name>redis80</name> + <range><ge>8.0.0</ge><lt>8.0.4</lt></range> + </package> + <package> + <name>redis74</name> + <range><ge>7.4.0</ge><lt>7.4.6</lt></range> + </package> + <package> + <name>redis72</name> + <range><ge>7.2.0</ge><lt>7.2.11</lt></range> + </package> + <package> + <name>redis62</name> + <range><ge>6.2.0</ge><lt>6.2.20</lt></range> + </package> + <package> + <name>valkey</name> + <range><lt>8.1.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>redis reports:</p> + <blockquote cite="https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q"> + <p> + An authenticated user may use a specially crafted Lua script to + manipulate the garbage collector, trigger a use-after-free and + potentially lead to remote code execution. + The problem exists in all versions of Redis with Lua scripting. + An additional workaround to mitigate the problem without patching the + redis-server executable is to prevent users from executing Lua scripts. + This can be done using ACL to restrict EVAL and EVALSHA commands. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-49844</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-49844</url> + </references> + <dates> + <discovery>2025-10-03</discovery> + <entry>2025-10-04</entry> + </dates> + </vuln> + + <vuln vid="c27c05a7-a0c8-11f0-8471-4ccc6adda413"> + <topic>qt6-webengine -- Multiple vulnerabilities</topic> + <affects> + <package> + <name>qt6-pdf</name> + <name>qt6-webengine</name> + <range><lt>6.9.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Qt qtwebengine-chromium repo reports:</p> + <blockquote cite="https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=130-based"> + <p>Backports for 9 security bugs in Chromium:</p> + <ul> + <li>CVE-2025-9866: Determine whether to bypass redirect checks per request</li> + <li>CVE-2025-10200: Use after free in Serviceworker</li> + <li>CVE-2025-10201: Inappropriate implementation in Mojo</li> + <li>CVE-2025-10500: Use after free in Dawn</li> + <li>CVE-2025-10501: Use after free in WebRTC</li> + <li>CVE-2025-10502: Heap buffer overflow in ANGLE</li> + <li>CVE-2025-10890: Side-channel information leakage in V8 (1/2)</li> + <li>CVE-2025-10891: Integer overflow in V8</li> + <li>CVE-2025-10892: Integer overflow in V8</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-9866</cvename> + <cvename>CVE-2025-10200</cvename> + <cvename>CVE-2025-10201</cvename> + <cvename>CVE-2025-10500</cvename> + <cvename>CVE-2025-10501</cvename> + <cvename>CVE-2025-10502</cvename> + <cvename>CVE-2025-10890</cvename> + <cvename>CVE-2025-10891</cvename> + <cvename>CVE-2025-10892</cvename> + <url>https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=130-based</url> + </references> + <dates> + <discovery>2025-09-25</discovery> + <entry>2025-10-04</entry> + </dates> + </vuln> + <vuln vid="21fba35e-a05f-11f0-a8b8-a1ef31191bc1"> <topic>fetchmail -- potential crash when authenticating to SMTP server</topic> <affects> @@ -24,7 +2850,7 @@ </body> </description> <references> - <!-- cvename has been requested from MITRE but not yet created <cvename>INSERT CVE RECORD IF AVAILABLE</cvename> --> + <cvename>CVE-2025-61962</cvename> <url>https://www.fetchmail.info/fetchmail-SA-2025-01.txt</url> <url>https://gitlab.com/fetchmail/fetchmail/-/raw/legacy_6x/fetchmail-SA-2025-01.txt?ref_type=heads</url> <url>https://gitlab.com/fetchmail/fetchmail/-/commit/4c3cebfa4e659fb778ca2cae0ccb3f69201609a8</url> @@ -32,6 +2858,7 @@ <dates> <discovery>2025-10-02</discovery> <entry>2025-10-03</entry> + <modified>2025-10-04</modified> </dates> </vuln> @@ -1198,7 +4025,7 @@ <affects> <package> <name>sqlite3</name> - <range><lt>3.49.1</lt></range> + <range><lt>3.49.1,1</lt></range> </package> <package> <name>linux_base-rl9-9.6</name> @@ -1858,7 +4685,7 @@ <affects> <package> <name>sqlite3</name> - <range><lt>3.49.1</lt></range> + <range><lt>3.49.1,1</lt></range> </package> <package> <name>linux-c7-sqlite</name> @@ -1877,7 +4704,7 @@ function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap - Buffer overflow of size ~4GB can be triggered. This can result in + Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.</p> </blockquote> </body> @@ -3001,7 +5828,7 @@ i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing - queries to accommodate for different outgoing ECS information. This + queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.</p> @@ -4656,7 +7483,7 @@ by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on - the affected software. Although unproven, there is also a possibility + the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.</p> </blockquote> @@ -5014,7 +7841,7 @@ <body xmlns="http://www.w3.org/1999/xhtml"> <p>secalert@redhat.com reports:</p> <blockquote cite="https://access.redhat.com/errata/RHSA-2025:4450"> - <p>A flaw was found in Yelp. The Gnome user help application allows + <p>A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.</p> @@ -5043,7 +7870,7 @@ <body xmlns="http://www.w3.org/1999/xhtml"> <p>secalert@redhat.com reports:</p> <blockquote cite="https://access.redhat.com/errata/RHSA-2025:4450"> - <p>A flaw was found in Yelp. The Gnome user help application allows + <p>A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.</p> @@ -5461,7 +8288,7 @@ <p>zdi-disclosures@trendmicro.com reports:</p> <blockquote cite="https://www.zerodayinitiative.com/advisories/ZDI-25-204/"> <p>GIMP FLI File Parsing Out-Of-Bounds Write Remote Code Execution - Vulnerability. This vulnerability allows remote attackers to execute + Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. @@ -5496,7 +8323,7 @@ <p>zdi-disclosures@trendmicro.com reports:</p> <blockquote cite="https://www.zerodayinitiative.com/advisories/ZDI-25-203/"> <p>GIMP XWD File Parsing Integer Overflow Remote Code Execution - Vulnerability. This vulnerability allows remote attackers to execute + Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. @@ -5667,7 +8494,7 @@ <li>[417169470] High CVE-2025-5280: Out of bounds write in V8. Reported by [pwn2car] on 2025-05-12</li> <li>[40058068] Medium CVE-2025-5064: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer on 2021-11-29</li> <li>[40059071] Medium CVE-2025-5065: Inappropriate implementation in FileSystemAccess API. Reported by NDevTK on 2022-03-11</li> - <li>[356658477] Medium CVE-2025-5066: Inappropriate implementation in Messages. Reported by Mohit Raj (shadow2639) on 2024-07-31</li> + <li>[356658477] Medium CVE-2025-5066: Inappropriate implementation in Messages. Reported by Mohit Raj (shadow2639) on 2024-07-31</li> <li>[417215501] Medium CVE-2025-5281: Inappropriate implementation in BFCache. Reported by Jesper van den Ende (Pelican Party Studios) on 2025-05-12</li> <li>[419467315] Medium CVE-2025-5283: Use after free in libvpx. Reported by Mozilla on 2025-05-22</li> <li>[40075024] Low CVE-2025-5067: Inappropriate implementation in Tab Strip. Reported by Khalil Zhani on 2023-10-17</li> @@ -5898,7 +8725,7 @@ special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available - at pull request 3389 and expected to be part of version 2.9.9. No + at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.</p> </blockquote> </body> @@ -6151,7 +8978,7 @@ <p>A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend - plugin that will execute arbitrary JavaScript. This vulnerability + plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve @@ -6200,7 +9027,7 @@ `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your - usage is not affected. To work-around this issue you may stop + usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.</p> </blockquote> @@ -8574,7 +11401,7 @@ <p>cna@mongodb.com reports:</p> <blockquote cite="https://jira.mongodb.org/browse/SERVER-103153"> <p>When run on commands with certain arguments set, explain may fail - to validate these arguments before using them. This can lead to + to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16 and MongoDB Server v8.0 prior to 8.0.4</p> @@ -8727,8 +11554,8 @@ responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity - issues, or the client was configured with aggressive timeouts. The - problem occurs for multiple use cases. For sticky connections, you + issues, or the client was configured with aggressive timeouts. The + problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned @@ -8745,7 +11572,7 @@ Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's - argument), with a constant factor of about 16. This issue is fixed + argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.</p> </blockquote> </body> @@ -8794,12 +11621,12 @@ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1945392"> <p>An inconsistent comparator in xslt/txNodeSorter could have resulted in potentially exploitable out-of-bounds access. Only affected - version 122 and later. This vulnerability affects Firefox < + version 122 and later. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8.</p> <p>Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed - (distinct from CVE-2025-0245). This vulnerability affects Firefox + (distinct from CVE-2025-0245). This vulnerability affects Firefox < 136.</p> <p>When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result @@ -9400,7 +12227,7 @@ <p>LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was - added. In the affected versions of LibreOffice a link in a browser + added. In the affected versions of LibreOffice a link in a browser using that scheme could be constructed with an embedded inner URL that when passed to LibreOffice could call internal macros with arbitrary arguments. This issue affects LibreOffice: from 24.8 @@ -9555,13 +12382,13 @@ <body xmlns="http://www.w3.org/1999/xhtml"> <p>security-advisories@github.com reports:</p> <blockquote cite="https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403"> - <p>Jinja is an extensible templating engine. Prior to 3.1.6, an + <p>Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using - Jinja. This vulnerability impacts users of applications which + Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference @@ -9791,9 +12618,9 @@ <blockquote cite="https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98"> <p>Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth - token. Prior to version 2.25.1, the file created has `rw-r--r--` + token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to - `rw-------` (600) permissions. This leads to overly broad exposure + `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify @@ -10644,7 +13471,7 @@ opened in normal browsing windows. This could have resulted in a potential privacy leak.</p> <p>Certificate length was not properly checked when added to a certificate - store. In practice only trusted data was processed.</p> + store. In practice only trusted data was processed.</p> <p>Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some @@ -10734,7 +13561,7 @@ use-after-free.</p> <p>Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird - 128.6. Some of these bugs showed evidence of memory corruption and + 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.</p> </blockquote> @@ -10845,7 +13672,7 @@ <li>CVE-2018-20547: Illegal READ memory access at caca/dither.c</li> <li>CVE-2018-20548: Illegal WRITE memory access at common-image.c</li> <li>CVE-2018-20549: Illegal WRITE memory access at caca/file.c</li> - <li>CVE-2021-3410: Buffer overflow in libcaca/caca/canvas.c in function caca_resize</li> + <li>CVE-2021-3410: Buffer overflow in libcaca/caca/canvas.c in function caca_resize</li> <li>CVE-2021-30498: Heap buffer overflow in export.c in function export_tga</li> <li>CVE-2021-30499: Buffer overflow in export.c in function export_troff</li> </ul> @@ -11133,7 +13960,7 @@ can be made to panic by mounting and accessing the export with an NFS client. Further exploitation (e.g., bypassing file permission checking or remote kernel code execution) is potentially possible, - though this has not been demonstrated. In particular, release + though this has not been demonstrated. In particular, release kernels are compiled with stack protection enabled, and some instances of the overflow are caught by this mechanism, causing a panic.</p> </body> |