Date: Thu, 25 Apr 2024 11:18:17 GMT
Message-Id: <202404251118.43PBIHmx090259@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Philip Paeps Subject: git: 539ca10aa3f0 - main - security/vuxml: correct historical www/glpi entries List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-ports-all@freebsd.org Sender: owner-dev-commits-ports-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: philip X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 539ca10aa3f0e80f78b1e684815c2a8d1b74da40 Auto-Submitted: auto-generated The branch main has been updated by philip: URL: https://cgit.FreeBSD.org/ports/commit/?id=539ca10aa3f0e80f78b1e684815c2a8d1b74da40 commit 539ca10aa3f0e80f78b1e684815c2a8d1b74da40 Author: Tomáš Čiernik AuthorDate: 2024-04-25 10:18:00 +0000 Commit: Philip Paeps CommitDate: 2024-04-25 11:16:00 +0000 security/vuxml: correct historical www/glpi entries Several older entries for www/glpi had incorrect version ranges, causing pkg audit to complain about false positives. This corrects the older entries and adds some missing ones. PR: 278549 --- security/vuxml/vuln/2020.xml | 70 +++--- security/vuxml/vuln/2023.xml | 3 +- security/vuxml/vuln/2024.xml | 555 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 597 insertions(+), 31 deletions(-) diff --git a/security/vuxml/vuln/2020.xml b/security/vuxml/vuln/2020.xml index c91206e3c661..138f108b0578 100644 --- a/security/vuxml/vuln/2020.xml +++ b/security/vuxml/vuln/2020.xml @@ -386,7 +386,7 @@ glpi - 9.4.6 + 9.4.6,1 @@ -405,6 +405,7 @@ 2020-01-02 2020-01-02 + 2024-04-25 @@ -413,7 +414,7 @@ glpi - 9.5.3 + 9.5.3,1 @@ -431,6 +432,7 @@ 2020-10-22 2020-10-22 + 2024-04-25 @@ -439,7 +441,7 @@ glpi - 9.5.3 + 9.5.3,1 @@ -457,6 +459,7 @@ 2020-10-22 2020-10-22 + 2024-04-25 @@ -465,8 +468,7 @@ glpi - 9.5.0 - 9.5.3 + 9.5.0,19.5.3,1 
@@ -486,6 +488,7 @@ 2020-10-01 2020-10-01 + 2024-04-25 @@ -494,8 +497,7 @@ glpi - 9.1 - 9.5.2 + 9.1,19.5.2,1 @@ -514,6 +516,7 @@ 2020-06-25 2020-06-25 + 2024-04-25 @@ -522,8 +525,7 @@ glpi - 9.5.0 - 9.5.2 + 9.5.0,19.5.2,1 @@ -542,6 +544,7 @@ 2020-06-25 2020-06-25 + 2024-04-25 @@ -550,8 +553,7 @@ glpi - 0.65 - 9.5.2 + 9.5.2,1 @@ -570,6 +572,7 @@ 2020-06-25 2020-06-25 + 2024-04-25 @@ -578,8 +581,7 @@ glpi - 0.68 - 9.5.2 + 9.5.2,1 @@ -598,6 +600,7 @@ 2020-06-25 2020-06-25 + 2024-04-25 @@ -606,8 +609,7 @@ glpi - 0.70 - 9.5.2 + 9.5.2,1 @@ -626,6 +628,7 @@ 2020-06-25 2020-06-25 + 2024-04-25 @@ -634,8 +637,7 @@ glpi - 9.5.0 - 9.5.1 + 9.5.0,19.5.1,1 @@ -655,6 +657,7 @@ 2020-06-25 2020-06-25 + 2024-04-25 @@ -663,8 +666,7 @@ glpi - 0.68.1 - 9.4.6 + 9.4.6,1 @@ -683,6 +685,7 @@ 2020-03-30 2020-03-30 + 2024-04-25 @@ -691,7 +694,7 @@ glpi - 9.4.6 + 9.4.6,1 @@ -710,6 +713,7 @@ 2020-03-30 2020-03-30 + 2024-04-25 @@ -718,7 +722,7 @@ glpi - 9.4.6 + 9.4.6,1 @@ -738,6 +742,7 @@ 2020-03-30 2020-03-30 + 2024-04-25 @@ -746,8 +751,7 @@ glpi - 0.83.3 - 9.4.6 + 0.83.3,19.4.6,1 @@ -767,6 +771,7 @@ 2020-03-30 2020-03-30 + 2024-04-25 @@ -775,7 +780,7 @@ glpi - 9.4.6 + 9.4.6,1 @@ -795,6 +800,7 @@ 2020-03-30 2020-03-30 + 2024-04-25 @@ -803,8 +809,7 @@ glpi - 9.1 - 9.4.6 + 9.1,19.4.6,1 @@ -824,6 +829,7 @@ 2020-03-30 2020-03-30 + 2024-04-25 @@ -832,7 +838,7 @@ glpi - 9.4.6 + 9.4.6,1 @@ -850,6 +856,7 @@ 2020-03-30 2020-03-30 + 2024-04-25 @@ -858,7 +865,7 @@ glpi - 9.5.0 + 9.5.0,1 @@ -878,6 +885,7 @@ 2020-03-30 2020-03-30 + 2024-04-25 @@ -886,7 +894,7 @@ glpi - 9.4.4 + 9.4.4,1 @@ -906,6 +914,7 @@ 2019-08-05 2019-08-05 + 2024-04-25 @@ -9011,7 +9020,7 @@ Workaround: glpi - 9.4.3 + 9.4.3,1 @@ -9031,6 +9040,7 @@ Workaround: 2019-02-25 2020-05-09 + 2024-04-25 diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index d9b02f61c794..74e0306ae776 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml 
@@ -8265,7 +8265,7 @@ Reported by Niccolo Belli and WIPocket (Github #400, #417). glpi - 10.0.7 + 10.0.7,1 @@ -8305,6 +8305,7 @@ Reported by Niccolo Belli and WIPocket (Github #400, #417). 2023-03-20 2023-05-08 + 2024-04-25 diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index c28463cdfc36..ed943beccb02 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,558 @@ + + Unallowed PHP script execution in GLPI + + + glpi + 10.0.10,1 + + + + +

From the GLPI 10.0.10 Changelog:

+
+

You will find below security issues fixed in this bugfixes version: + [SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).

+
+

The mentioned CVE is invalid

+ +
+ + CVE-2023-42802 + https://github.com/glpi-project/glpi/releases/tag/10.0.10 + + + 2023-09-27 + 2023-10-11 + +
+ + + glpi-project -- SQL injection in ITIL actors in GLPI + + + glpi + 10.0.8,110.0.10,1 + + + + +

security-advisories@github.com reports:

+
+

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. The ITIL + actors input field from the Ticket form can be used to perform a + SQL injection. Users are advised to upgrade to version 10.0.10. + There are no known workarounds for this vulnerability.

+
+ +
+ + CVE-2023-42461 + https://nvd.nist.gov/vuln/detail/CVE-2023-42461 + + + 2023-09-27 + 2023-10-11 + +
+ + + Phishing through a login page malicious URL in GLPI + + + glpi + 10.0.8,110.0.10,1 + + + + +

security-advisories@github.com reports:

+
+

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. The lack + of path filtering on the GLPI URL may allow an attacker to transmit + a malicious URL of login page that can be used to attempt a phishing + attack on user credentials. Users are advised to upgrade to version + 10.0.10. There are no known workarounds for this vulnerability.

+
+ +
+ + CVE-2023-41888 + https://nvd.nist.gov/vuln/detail/CVE-2023-41888 + + + 2023-09-27 + 2023-10-11 + +
+ + + Users login enumeration by unauthenticated user in GLPI + + + glpi + 10.0.10,1 + + + + +

security-advisories@github.com reports:

+
+

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. An + unauthenticated user can enumerate users logins. Users are advised + to upgrade to version 10.0.10. There are no known workarounds for + this vulnerability.

+
+ +
+ + CVE-2023-41323 + https://nvd.nist.gov/vuln/detail/CVE-2023-41323 + + + 2023-09-27 + 2023-10-11 + +
+ + + Privilege Escalation from technician to super-admin in GLPI + + + glpi + 9.1.0,110.0.10,1 + + + + +

security-advisories@github.com reports:

+
+

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. A user + with write access to another user can make requests to change the + latter's password and then take control of their account. + Users are advised to upgrade to version 10.0.10. There are no known + work around for this vulnerability.

+
+ +
+ + CVE-2023-41322 + https://nvd.nist.gov/vuln/detail/CVE-2023-41322 + + + 2023-09-27 + 2023-10-11 + +
+ + + Sensitive fields enumeration through API in GLPI + + + glpi + 9.1.1,110.0.10,1 + + + + +

security-advisories@github.com reports:

+
+

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. An API + user can enumerate sensitive fields values on resources on which + he has read access. Users are advised to upgrade to version 10.0.10. + There are no known workarounds for this vulnerability.

+
+ +
+ + CVE-2023-41321 + https://nvd.nist.gov/vuln/detail/CVE-2023-41321 + + + 2023-09-27 + 2023-10-11 + +
+ + + File deletion through document upload process in GLPI + + + glpi + 10.0.0,110.0.10,1 + + + + +

security-advisories@github.com reports:

+
+

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. The document + upload process can be diverted to delete some files. Users are + advised to upgrade to version 10.0.10. There are no known workarounds + for this vulnerability.

+
+ +
+ + CVE-2023-42462 + https://nvd.nist.gov/vuln/detail/CVE-2023-42462 + + + 2023-09-27 + 2023-10-11 + +
+ + + Account takeover through API in GLPI + + + glpi + 9.3.0,110.0.10,1 + + + + +

security-advisories@github.com reports:

+
+

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. An API + user that have read access on users resource can steal accounts of + other users. Users are advised to upgrade to version 10.0.10. + There are no known workarounds for this vulnerability.

+
+ +
+ + CVE-2023-41324 + https://nvd.nist.gov/vuln/detail/CVE-2023-41324 + + + 2023-09-27 + 2023-10-11 + +
+ + + Account takeover via Kanban feature in GLPI + + + glpi + 9.5.0,110.0.10,1 + + + + +

security-advisories@github.com reports:

+
+

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. A logged + user from any profile can hijack the Kanban feature to alter any + user field, and end-up with stealing its account. Users are advised + to upgrade to version 10.0.10. There are no known workarounds for + this vulnerability.

+
+ +
+ + CVE-2023-41326 + https://nvd.nist.gov/vuln/detail/CVE-2023-41326 + + + 2023-09-27 + 2023-10-11 + +
+ + + Account takeover via SQL Injection in UI layout preferences in GLPI + + + glpi + 10.0.0,110.0.10,1 + + + + +

security-advisories@github.com reports:

+
+

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. UI layout + preferences management can be hijacked to lead to SQL injection. + This injection can be use to takeover an administrator account. + Users are advised to upgrade to version 10.0.10. There are no known + workarounds for this vulnerability.

+
+ +
+ + CVE-2023-41320 + https://nvd.nist.gov/vuln/detail/CVE-2023-41320 + + + 2023-09-27 + 2023-10-11 + +
+ + + GLPI vulnerable to SQL injection via dashboard administration + + + glpi + 9.5.0,110.0.9,1 + + + + +

security-advisories@github.com reports:

+
+

GLPI is a Free Asset and IT Management Software package, Data center + management, ITIL Service Desk, licenses tracking and software + auditing. An administrator can trigger SQL injection via dashboards + administration. This vulnerability has been patched in version + 10.0.9. +

+
+ +
+ + CVE-2023-37278 + https://nvd.nist.gov/vuln/detail/CVE-2023-37278 + + + 2023-07-13 + 2023-10-11 + +
+ + + GLPI vulnerable to unauthorized access to User data + + + glpi + 10.0.8,1 + + + + +

security-advisories@github.com reports:

+
+

GLPI is a free asset and IT management software package. Versions + of the software starting with 0.68 and prior to 10.0.8 have an + incorrect rights check on a on a file accessible by an authenticated + user. This allows access to the list of all users and their personal + information. Users should upgrade to version 10.0.8 to receive a + patch.

+
+ +
+ + CVE-2023-34106 + https://nvd.nist.gov/vuln/detail/CVE-2023-34106 + + + 2023-07-05 + 2023-10-11 + +
+ + + GLPI vulnerable to unauthorized access to KnowbaseItem data + + + glpi + 9.2.0,110.0.8,1 + + + + +

security-advisories@github.com reports:

+
+

GLPI is a free asset and IT management software package. Versions + of the software starting with 9.2.0 and prior to 10.0.8 have an + incorrect rights check on a on a file accessible by an authenticated + user, allows access to the view all KnowbaseItems. Version 10.0.8 + has a patch for this issue.

+
+ +
+ + CVE-2023-34107 + https://nvd.nist.gov/vuln/detail/CVE-2023-34107 + + + 2023-07-05 + 2023-10-11 + +
+ + + GLPI vulnerable to reflected XSS in search pages + + + glpi + 9.4.0,110.0.8,1 + + + + +

security-advisories@github.com reports:

+
+

GLPI is a free asset and IT management software package. Starting + in version 9.4.0 and prior to version 10.0.8, a malicious link can + be crafted by an unauthenticated user that can exploit a reflected + XSS in case any authenticated user opens the crafted link. Users + should upgrade to version 10.0.8 to receive a patch.

+
+ +
+ + CVE-2023-34244 + https://nvd.nist.gov/vuln/detail/CVE-2023-34244 + + + 2023-07-05 + 2023-10-11 + +
+ + + GLPI vulnerable to unauthenticated access to Dashboard data + + + glpi + 9.5.0,110.0.8,1 + + + + +

security-advisories@github.com reports:

+
+

GLPI is a free asset and IT management software package. Starting + in version 9.5.0 and prior to version 10.0.8, an incorrect rights + check on a file allows an unauthenticated user to be able to access + dashboards data. Version 10.0.8 contains a patch for this issue.

+
+ +
+ + CVE-2023-35940 + https://nvd.nist.gov/vuln/detail/CVE-2023-35940 + + + 2023-07-05 + 2023-10-11 + +
+ + + GLPI vulnerable to unauthorized access to Dashboard data + + + glpi + 9.5.0,110.0.8,1 + + + + +

security-advisories@github.com reports:

+
+

GLPI is a free asset and IT management software package. Starting + in version 9.5.0 and prior to version 10.0.8, an incorrect rights + check on a on a file accessible by an authenticated user (or not + for certain actions), allows a threat actor to interact, modify, + or see Dashboard data. Version 10.0.8 contains a patch for this + issue.

+
+ +
+ + CVE-2023-35939 + https://nvd.nist.gov/vuln/detail/CVE-2023-35939 + + + 2023-07-05 + 2023-10-11 + +
+ + + GLPI vulnerable to SQL injection through Computer Virtual Machine information + + + glpi + 10.0.8,1 + + + + +

security-advisories@github.com reports:

+
+

GLPI is a free asset and IT management software package. Starting + in version 0.80 and prior to version 10.0.8, Computer Virtual Machine + form and GLPI inventory request can be used to perform a SQL injection + attack. Version 10.0.8 has a patch for this issue. As a workaround, + one may disable native inventory.

+
+ +
+ + CVE-2023-36808 + https://nvd.nist.gov/vuln/detail/CVE-2023-36808 + + + 2023-07-05 + 2023-10-11 + +
+ + + GLPI vulnerable to SQL injection via inventory agent request + + + glpi + 10.0.0,110.0.8,1 + + + + +

security-advisories@github.com reports:

+
+

GLPI is a free asset and IT management software package. Starting + in version 10.0.0 and prior to version 10.0.8, GLPI inventory + endpoint can be used to drive a SQL injection attack. By default, + GLPI inventory endpoint requires no authentication. Version 10.0.8 + has a patch for this issue. As a workaround, one may disable native + inventory.

+
+ +
+ + CVE-2023-35924 + https://nvd.nist.gov/vuln/detail/CVE-2023-35924 + + + 2023-07-05 + 2023-10-11 + +
+ py-matrix-synapse -- weakness in auth chain indexing allows DoS
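Review bot: the lower-bound handling across the 2020.xml hunks is inconsistent and the commit message does not say why. The bounds 0.65, 0.68, 0.70 and 0.68.1 are dropped outright (`- 0.65 - 9.5.2 + 9.5.2,1`, `- 0.68.1 - 9.4.6 + 9.4.6,1`), while 0.83.3 and 9.1 are kept and given the ,1 epoch suffix (`- 0.83.3 - 9.4.6 + 0.83.3,19.4.6,1`, `- 9.1 - 9.4.6 + 9.1,19.4.6,1`). Either keep every lower bound with the epoch, or add a sentence to the commit message stating which bounds were dropped and on what grounds, so a later reader checking `pkg audit` output against the original advisories can tell a deliberate widening of the range from an oversight. Stamping 2024-04-25 as the modified date on every touched entry is the right call.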
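Review bot: the block of new entries added at the top of 2024.xml carries dates of 2023-09-27/2023-10-11 and 2023-07-13/2023-10-11 and 2023-07-05/2023-10-11, all in 2023; if the per-year vuln files are split by entry date these belong in 2023.xml, and if the 2024 placement is intentional (entries created now for old advisories) the commit message should say so. The first new entry, "Unallowed PHP script execution in GLPI", lists CVE-2023-42802 as a reference while its own description says "The mentioned CVE is invalid"; a cvename the entry itself disowns will mislead anyone matching on CVE ids, so either drop the cvename and keep the GLPI 10.0.10 release URL as the reference, or state what the id was replaced by. Minor: the topic lines use three different conventions ("Unallowed PHP script execution in GLPI", "glpi-project -- SQL injection in ITIL actors in GLPI", "GLPI vulnerable to ...") where the existing entry in the unchanged context line uses the "<port> -- <problem>" form ("py-matrix-synapse -- weakness in auth chain indexing allows DoS"); aligning them on "glpi -- ..." keeps the file greppable.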