author Moritz Muehlenhoff <jmm@debian.org> 2020-09-25 11:27:58 +0200
committer Moritz Muehlenhoff <jmm@debian.org> 2020-09-25 11:27:58 +0200
commit 297ff01e388f4c7767b85f81698bec7db1f54e1d
tree 9d08431276dd7dc93001f4efae5896763c1b1cdd /data
parent efb7dcb851d9274a3f6f629e001fc07ac70e09fa
new iotjs issue
pagure n/a NFUs
Diffstat (limited to 'data')
-rw-r--r-- data/CVE/list 80
1 files changed, 42 insertions, 38 deletions
diff --git a/data/CVE/list b/data/CVE/list
index 8deae3fef2..9614148c0f 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1980,7 +1980,7 @@ CVE-2020-25205
CVE-2020-25204
RESERVED
CVE-2020-25203 (The Framer Preview application 12 for Android exposes com.framer.viewe ...)
- TODO: check
+ NOT-FOR-US: Framer Preview application
CVE-2020-25576 (An issue was discovered in the rand_core crate before 0.4.2 for Rust. ...)
- rust-rand-core 0.5.0-1 (bug #969911; low)
[buster] - rust-rand-core <no-dsa> (Minor issue)
@@ -3031,7 +3031,7 @@ CVE-2020-24720
CVE-2020-24719
RESERVED
CVE-2020-24718 (bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE th ...)
- TODO: check
+ NOT-FOR-US: bhyve
CVE-2020-24717 (OpenZFS before 2.0.0-rc1, when used on FreeBSD, misinterprets group pe ...)
NOT-FOR-US: OpenZFS
CVE-2020-24716 (OpenZFS before 2.0.0-rc1, when used on FreeBSD, allows execute permiss ...)
@@ -3248,7 +3248,7 @@ CVE-2020-24623 (A potential security vulnerability has been identified in Hewlet
CVE-2020-24622 (In Sonatype Nexus Repository 3.26.1, an S3 secret key can be exposed b ...)
NOT-FOR-US: Sonatype
CVE-2020-24621 (A remote code execution (RCE) vulnerability was discovered in the html ...)
- TODO: check
+ NOT-FOR-US: OpenMRS
CVE-2020-24620
RESERVED
CVE-2020-24619 (In mainwindow.cpp in Shotcut before 20.09.13, the upgrade check misuse ...)
@@ -21130,9 +21130,9 @@ CVE-2020-XXXX [mpv insecure lua loadpath]
[stretch] - mpv <no-dsa> (Minor issue)
NOTE: https://github.com/mpv-player/mpv/commit/cce7062a8a6b6a3b3666aea3ff86db879cba67b6
CVE-2020-15851 (Lack of access control in Nakivo Backup &amp; Replication Transporter ...)
- TODO: check
+ NOT-FOR-US: Nakivo Backup
CVE-2020-15850 (Insecure permissions in Nakivo Backup &amp; Replication Director versi ...)
- TODO: check
+ NOT-FOR-US: Nakivo Backup
CVE-2020-15849
RESERVED
CVE-2020-15848
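Review bot: The tag on CVE-2020-15851 and CVE-2020-15850 cuts the product name short: both descriptions name "Nakivo Backup & Replication", while the entries say "NOT-FOR-US: Nakivo Backup". Use the full product name, or only the vendor "Nakivo" in the way the Lenovo and Zoho entries in this patch do, so that a later search on the product name finds these entries.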
@@ -21146,7 +21146,7 @@ CVE-2020-15845
CVE-2020-15844
RESERVED
CVE-2020-15843 (ActFax Version 7.10 Build 0335 (2020-05-25) is susceptible to a privil ...)
- TODO: check
+ NOT-FOR-US: ActFax
CVE-2020-15842 (Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7 ...)
NOT-FOR-US: Liferay
CVE-2020-15841 (Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7 ...)
@@ -22082,7 +22082,7 @@ CVE-2020-15523 (In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8
CVE-2020-15522
RESERVED
CVE-2020-15521 (Zoho ManageEngine Applications Manager before 14 build 14730 has no pr ...)
- TODO: check
+ NOT-FOR-US: Zoho
CVE-2020-15520
RESERVED
CVE-2020-15519
@@ -22380,7 +22380,7 @@ CVE-2020-15395 (In MediaInfoLib in MediaArea MediaInfo 20.03, there is a stack-b
[jessie] - libmediainfo <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/mediainfo/bugs/1127/
CVE-2020-15394 (The REST API in Zoho ManageEngine Applications Manager before build 14 ...)
- TODO: check
+ NOT-FOR-US: Zoho
CVE-2019-20893 (An issue was discovered in Activision Infinity Ward Call of Duty Moder ...)
NOT-FOR-US: Activision
CVE-2017-18922 (It was discovered that websockets.c in LibVNCServer prior to 0.9.12 di ...)
@@ -22769,9 +22769,9 @@ CVE-2020-15225
CVE-2020-15224
RESERVED
CVE-2020-15223 (In ORY Fosite (the security first OAuth2 &amp; OpenID Connect framewor ...)
- TODO: check
+ NOT-FOR-US: ORY Fosite
CVE-2020-15222 (In ORY Fosite (the security first OAuth2 &amp; OpenID Connect framewor ...)
- TODO: check
+ NOT-FOR-US: ORY Fosite
CVE-2020-15221
RESERVED
CVE-2020-15220
@@ -22906,11 +22906,11 @@ CVE-2020-15164 (in Scratch Login (MediaWiki extension) before version 1.1, any a
CVE-2020-15163 (Python TUF (The Update Framework) reference implementation before vers ...)
- python-tuf <itp> (bug #934151)
CVE-2020-15162 (In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users a ...)
- TODO: check
+ NOT-FOR-US: PrestaShop
CVE-2020-15161 (In PrestaShop from version 1.6.0.4 and before version 1.7.6.8 an attac ...)
- TODO: check
+ NOT-FOR-US: PrestaShop
CVE-2020-15160 (PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerab ...)
- TODO: check
+ NOT-FOR-US: PrestaShop
CVE-2020-15159 (baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) a ...)
NOT-FOR-US: baserCMS
CVE-2020-15158 (In libIEC61850 before version 1.4.3, when a message with COTP message ...)
@@ -26120,7 +26120,11 @@ CVE-2020-13993 (An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0.
CVE-2020-13992 (An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. A Sto ...)
NOT-FOR-US: Mods for HESK
CVE-2020-13991 (vm/opcodes.c in JerryScript 2.2.0 allows attackers to hijack the flow ...)
- TODO: check
+ - iotjs <unfixed>
+ NOTE: https://github.com/jerryscript-project/jerryscript/issues/3858
+ NOTE: https://github.com/jerryscript-project/jerryscript/issues/3859
+ NOTE: https://github.com/jerryscript-project/jerryscript/issues/3860
+ NOTE: https://github.com/jerryscript-project/jerryscript/pull/3867
CVE-2020-13990
RESERVED
CVE-2020-13989
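Review bot: On CVE-2020-13991 the description names JerryScript 2.2.0 (vm/opcodes.c), but the package line added is "- iotjs <unfixed>" and nothing in the entry says how iotjs relates to JerryScript. Add a NOTE stating why iotjs is the affected source package (for example that it carries a copy of JerryScript, if that is the case) so the link can be checked when a fix is uploaded. The four NOTE URLs also do not say which one is the fix: if pull/3867 is the upstream fix for issues 3858 to 3860, label it as such.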
@@ -27378,7 +27382,7 @@ CVE-2020-13523 (An exploitable information disclosure vulnerability exists in So
CVE-2020-13522 (An exploitable arbitrary file delete vulnerability exists in SoftPerfe ...)
NOT-FOR-US: SoftPerfect
CVE-2020-13521 (Parameter psAttribute in ednareporting.asmx is vulnerable to unauthent ...)
- TODO: check
+ NOT-FOR-US: ednareporting.asmx
CVE-2020-13520
RESERVED
CVE-2020-13519
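Review bot: "NOT-FOR-US: ednareporting.asmx" on CVE-2020-13521 names a web service file, not a product or vendor, unlike the neighbouring "NOT-FOR-US: SoftPerfect" and the other tags added in this patch (Pexip Infinity, PrestaShop, Lenovo). The truncated description does not show the product; take it from the full CVE text and use that as the tag.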
@@ -27404,25 +27408,25 @@ CVE-2020-13510
CVE-2020-13509
RESERVED
CVE-2020-13508 (An SQL injection vulnerability exists in the Alias.asmx Web Service fu ...)
- TODO: check
+ NOT-FOR-US: Alias.asmx
CVE-2020-13507 (An SQL injection vulnerability exists in the Alias.asmx Web Service fu ...)
- TODO: check
+ NOT-FOR-US: Alias.asmx
CVE-2020-13506
RESERVED
CVE-2020-13505 (Parameter psClass in ednareporting.asmx is vulnerable to unauthenticat ...)
- TODO: check
+ NOT-FOR-US: ednareporting.asmx
CVE-2020-13504 (Parameter AttFilterValue in ednareporting.asmx is vulnerable to unauth ...)
- TODO: check
+ NOT-FOR-US: ednareporting.asmx
CVE-2020-13503 (Parameter AttFilterName in ednareporting.asmx is vulnerable to unauthe ...)
- TODO: check
+ NOT-FOR-US: ednareporting.asmx
CVE-2020-13502 (An exploitable SQL injection vulnerability exists in the DNAPoints.asm ...)
- TODO: check
+ NOT-FOR-US: DNAPoints.asmx
CVE-2020-13501 (An SQL injection vulnerability exists in the CHaD.asmx web service fun ...)
- TODO: check
+ NOT-FOR-US: CHaD.asmx
CVE-2020-13500 (SQL injection vulnerability exists in the CHaD.asmx web service functi ...)
- TODO: check
+ NOT-FOR-US: CHaD.asmx
CVE-2020-13499 (An SQL injection vulnerability exists in the CHaD.asmx web service fun ...)
- TODO: check
+ NOT-FOR-US: CHaD.asmx
CVE-2020-13498
RESERVED
CVE-2020-13497
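Review bot: The nine entries changed here, CVE-2020-13508 down to CVE-2020-13499, are spread over four tags (Alias.asmx, ednareporting.asmx, DNAPoints.asmx, CHaD.asmx), each an endpoint file name and not a product. If they belong to one product, a single product tag would keep them together for searches. The same patch uses "NOT-FOR-US: eDNA Enterprise Data Historian" for CVE-2020-6153, which may be the right tag here too if the full descriptions confirm it.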
@@ -27676,7 +27680,7 @@ CVE-2020-13389 (An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD0
CVE-2020-13388 (An exploitable vulnerability exists in the configuration-loading funct ...)
NOT-FOR-US: jw.util
CVE-2020-13387 (Pexip Infinity before 23.4 has a lack of input validation, leading to ...)
- TODO: check
+ NOT-FOR-US: Pexip Infinity
CVE-2020-13386 (In SmartDraw 2020 27.0.0.0, the installer gives inherited write permis ...)
NOT-FOR-US: SmartDraw
CVE-2020-13385
@@ -29052,7 +29056,7 @@ CVE-2020-12825 (libcroco through 0.6.13 has excessive recursion in cr_parser_par
[jessie] - libcroco <ignored> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libcroco/-/issues/8
CVE-2020-12824 (Pexip Infinity 23.x before 23.3 has improper input validation, leading ...)
- TODO: check
+ NOT-FOR-US: Pexip Infinity
CVE-2020-12823 (OpenConnect 8.09 has a buffer overflow, causing a denial of service (a ...)
{DLA-2212-1}
- openconnect 8.10-1 (unimportant; bug #960620)
@@ -32346,7 +32350,7 @@ CVE-2020-11807 (Because of Unrestricted Upload of a File with a Dangerous Type,
CVE-2020-11806 (In MailStore Outlook Add-in (and Email Archive Outlook Add-in) through ...)
NOT-FOR-US: MailStore Outlook Add-in
CVE-2020-11805 (Pexip Reverse Proxy and TURN Server before 6.1.0 has Incorrect UDP Acc ...)
- TODO: check
+ NOT-FOR-US: Pexip Reverse Proxy and TURN Server
CVE-2020-11804 (An issue was discovered in Titan SpamTitan 7.07. Due to improper sanit ...)
NOT-FOR-US: Titan SpamTitan
CVE-2020-11803 (An issue was discovered in Titan SpamTitan 7.07. Improper sanitization ...)
@@ -41843,9 +41847,9 @@ CVE-2020-8350
CVE-2020-8349
RESERVED
CVE-2020-8348 (A DOM-based cross-site scripting (XSS) vulnerability was reported in L ...)
- TODO: check
+ NOT-FOR-US: Lenovo
CVE-2020-8347 (A reflective cross-site scripting (XSS) vulnerability was reported in ...)
- TODO: check
+ NOT-FOR-US: Lenovo
CVE-2020-8346 (A denial of service vulnerability was reported in the Lenovo Vantage c ...)
NOT-FOR-US: Lenovo
CVE-2020-8345
@@ -41873,7 +41877,7 @@ CVE-2020-8335 (The BIOS tamper detection mechanism was not triggered in Lenovo T
CVE-2020-8334 (The BIOS tamper detection mechanism was not triggered in Lenovo ThinkP ...)
NOT-FOR-US: Lenovo
CVE-2020-8333 (A potential vulnerability in the SMI callback function used in the EEP ...)
- TODO: check
+ NOT-FOR-US: Lenovo
CVE-2020-8332
RESERVED
CVE-2020-8331
@@ -47487,7 +47491,7 @@ CVE-2020-6155
CVE-2020-6154
RESERVED
CVE-2020-6153 (An exploitable SQL injection vulnerability exists in the FavoritesServ ...)
- TODO: check
+ NOT-FOR-US: eDNA Enterprise Data Historian
CVE-2020-6152 (A code execution vulnerability exists in the DICOM parse_dicom_meta_in ...)
NOT-FOR-US: Accusoft
CVE-2020-6151 (A memory corruption vulnerability exists in the TIFF handle_COMPRESSIO ...)
@@ -47811,7 +47815,7 @@ CVE-2020-6022
CVE-2020-6021
RESERVED
CVE-2020-6020 (Check Point Security Management's Internal CA web management before Ju ...)
- TODO: check
+ NOT-FOR-US: Check Point
CVE-2020-6019
RESERVED
CVE-2020-6018
@@ -87271,7 +87275,7 @@ CVE-2019-11558
CVE-2019-11557 (The WebDorado Contact Form Builder plugin before 1.0.69 for WordPress ...)
NOT-FOR-US: WebDorado Contact Form Builder plugi for WordPress
CVE-2019-11556 (Pagure before 5.6 allows XSS via the templates/blame.html blame view. ...)
- TODO: check
+ - pagure <not-affected> (Fixed before initial release)
CVE-2019-11554 (The Audible application through 2.34.0 for Android has Missing SSL Cer ...)
NOT-FOR-US: Audible application for Android
CVE-2019-11553 (In Code42 for Enterprise through 6.8.4, an administrator without web r ...)
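Review bot: The reason on the added line "- pagure <not-affected> (Fixed before initial release)" is ambiguous: the description says Pagure before 5.6 is affected, so "initial release" cannot mean the upstream release and presumably means the first upload to Debian. Say "Fixed before initial upload to Debian" and, ideally, give the first uploaded version so the claim can be verified against 5.6.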
@@ -100278,9 +100282,9 @@ CVE-2018-20747
CVE-2018-20746
RESERVED
CVE-2019-7178 (Pexip Infinity before 20.1 allows privilege escalation by restoring a ...)
- TODO: check
+ NOT-FOR-US: Pexip Infinity
CVE-2019-7177 (Pexip Infinity before 20.1 allows Code Injection onto nodes via an adm ...)
- TODO: check
+ NOT-FOR-US: Pexip Infinity
CVE-2019-7176 (An issue was discovered in GitLab Community and Enterprise Edition 8.x ...)
- gitlab 11.5.10+dfsg-1 (bug #921059)
NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/
@@ -144164,7 +144168,7 @@ CVE-2018-10587 (NetGain Enterprise Manager (EM) is affected by OS Command Inject
CVE-2018-10586 (NetGain Enterprise Manager (EM) is affected by multiple Stored Cross-S ...)
NOT-FOR-US: NetGain Enterprise Manager
CVE-2018-10585 (Pexip Infinity before 18 allows remote Denial of Service (XML parsing) ...)
- TODO: check
+ NOT-FOR-US: Pexip Infinity
CVE-2018-10584
RESERVED
CVE-2018-10583 (An information disclosure vulnerability occurs when LibreOffice 6.0.3 ...)
@@ -144576,7 +144580,7 @@ CVE-2018-10472 (An issue was discovered in Xen through 4.10.x allowing x86 HVM g
[wheezy] - xen <not-affected> (No QMP support in wheezy)
NOTE: https://xenbits.xen.org/xsa/advisory-258.html
CVE-2018-10432 (Pexip Infinity before 18 allows Remote Denial of Service (TLS handshak ...)
- TODO: check
+ NOT-FOR-US: Pexip Infinity
CVE-2018-10431 (D-Link DIR-615 2.5.17 devices allow Remote Code Execution via shell me ...)
NOT-FOR-US: D-Link
CVE-2018-10430 (An issue was discovered in DiliCMS (aka DiligentCMS) 2.4.0. There is a ...)
@@ -170470,7 +170474,7 @@ CVE-2017-17479 (In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered
CVE-2017-17478 (An XSS issue was discovered in Designer Studio in Pegasystems Pega Pla ...)
NOT-FOR-US: Pegasystems Pega Platform
CVE-2017-17477 (Pexip Infinity before 17 allows an unauthenticated remote attacker to ...)
- TODO: check
+ NOT-FOR-US: Pexip Infinity
CVE-2017-17475 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...)
NOT-FOR-US: TG Soft Vir.IT eXplorer Lite
CVE-2017-17474 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...)
