False positive in test

GVM versions

gsad: Greenbone Security Assistant 21.4.3
gvmd: Greenbone Vulnerability Manager 21.4.4
openvas-scanner: OpenVAS 21.4.3
gvm-libs: gvm-libs 21.4.3

Environment

Operating system:
Kernel: Linux 5.4.0-92-generic #103-Ubuntu SMP
Installation method / source: source

Hi

My last scan has reported some vulnerabilities, and after checking with the software provider I understand that they were fixed.

Please see the image below.

When checking the vulnerabilities themselves, it appears that they are for another version of phpList; see the next 2 images showing versions 3.5.9 and 3.6.0. As we are currently at version 3.6.7, how can that be fixed?


Regards

Alex

Thanks a lot for your posting.

The VT in question has been reviewed for a possible solution on the 18th of February; no official information on a fix has been found and thus the affected version has been raised to the latest available version (3.6.7 at this time). This is a standard procedure if vendors are not publishing detailed information / no information at all on affected and fixed versions.

Do you have any official statement (e.g. a changelog entry, a blog post) stating that both CVE-2020-35708/CVE-2021-3188 got fixed and in which version? In this case the version check could be updated / improved accordingly to match the information provided by the vendor.

Related to the last two screenshots:

The versions stated in the CVE entries provided by MITRE are often not a reliable source for all affected and/or fixed versions:

  • If no known fix was available, it only reflects the known affected versions at the time of the publication of the entry (e.g. extracted from external links included in the entry)
  • It also does not necessarily contain all affected versions

This also means that someone needs to push the information on available fixes to MITRE so that these are reflected in the related CVE entries.

Related to this we also got the following statement from a MITRE representative in the past:

A CVE description does not necessarily contain all the affected products or versions and is not part of CVE ID requirements. The products are documented in the CVE references.

2 Likes

After discussing with the phpList developers, it appears that the 2 vulnerabilities were fixed in version 3.6.3.

My discussion with them is at https://github.com/phpList/phplist3/issues/861 and their list of releases is at https://www.phplist.org/newslist/

They don't mention the specific CVEs in their security release, but that's a common practice.

Thanks a lot for passing this information. Could you ask the vendor to add the information on the fixed CVEs to e.g. the phpList 3.6.3 released: Security release & feature improvements | Open Source newsletter software | phpList.org release notes.

Yes, unfortunately this is common but bad practice and is giving quite a lot of headaches for all vulnerability scanners (not only Greenbone specific) relying on accurate information published by vendors.

1 Like

Hi @cfi. Sorry for the late reply, but I was on holiday and I was also waiting for an update from phpList.

They have updated the release notes at https://www.phplist.org/newslist/phplist-3-6-6-release-notes/ to include the specs of the security fixes.

Can these be implemented into the scans please? Thank you

Thanks a lot for the follow-up posting. It is strange that the following:

CVE-2020-35708 – resolved in 3.6.0
CVE-2021-3188 – resolved in 3.6.3

was now added in the release announcement for 3.6.6 and not in the related announcements here:

Nonetheless the info should be enough and the related version check(s) will be updated in the next few days accordingly.
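To make the mechanics behind this thread concrete, here is an added example (not Greenbone's own VT/NASL code, and not phpList's) of how a version-based vulnerability check decides whether a detected version is affected. The CVE ids and the version numbers (3.6.7 as the raised "last known affected" version, 3.6.0 and 3.6.3 as the fixed versions from the phpList 3.6.6 release notes) are taken from the thread; the function and class names, the detected sample versions and the two rule sets are assumptions made for the example.

```python
"""Version-based vulnerability check: "no fix known" rule vs. "fixed in X" rule.

Added example, not Greenbone's VT code. It shows why phpList 3.6.7 was
reported before the vendor documented the fixed versions, and why the
report disappears once the check carries those versions.
"""
import re
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """Turn a dotted version string such as '3.6.7' into a tuple of ints.

    Non-numeric suffixes are ignored; an empty result is an error so a
    detection bug cannot silently turn into "not affected".
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no numeric version found in {text!r}")
    return parts


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic cmp(); '3.6' and '3.6.0' compare equal."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


@dataclass(frozen=True)
class VersionCheck:
    """One CVE's rule, in one of two shapes (assumed modelling for the example).

    fixed_in:        version that contains the fix -> everything below is affected.
    affected_up_to:  used when no fix is known -> everything up to and including
                     the last known affected version is reported.
    """
    cve: str
    fixed_in: Optional[str] = None
    affected_up_to: Optional[str] = None

    def is_affected(self, detected: str) -> bool:
        if self.fixed_in is not None:
            return compare_versions(detected, self.fixed_in) < 0
        if self.affected_up_to is not None:
            return compare_versions(detected, self.affected_up_to) <= 0
        raise ValueError(f"{self.cve}: rule needs fixed_in or affected_up_to")


def scan(detected_version: str, checks: list) -> list:
    """Return the CVE ids a scanner would report for the detected version."""
    return [c.cve for c in checks if c.is_affected(detected_version)]


# Rule set as it stood before the vendor documented the fixes: no fix known,
# so the affected range was raised to the latest release at the time (3.6.7).
RULES_NO_FIX_KNOWN = [
    VersionCheck("CVE-2020-35708", affected_up_to="3.6.7"),
    VersionCheck("CVE-2021-3188", affected_up_to="3.6.7"),
]

# Rule set after the phpList 3.6.6 release notes named the fixed versions.
RULES_WITH_FIX = [
    VersionCheck("CVE-2020-35708", fixed_in="3.6.0"),
    VersionCheck("CVE-2021-3188", fixed_in="3.6.3"),
]


if __name__ == "__main__":
    # Constructed sample of detected versions for a quick demonstration.
    for detected in ("3.5.9", "3.6.0", "3.6.3", "3.6.7", "3.6.8"):
        print(f"phpList {detected}: no-fix-known rules -> {scan(detected, RULES_NO_FIX_KNOWN)}; "
              f"fixed-version rules -> {scan(detected, RULES_WITH_FIX)}")
```

Two things are worth noticing when running it. With the "no fix known" rules, 3.6.7 is reported for both CVEs (the false positive from the first post), while a later 3.6.8 would silently pass because it lies above the last known affected version, even though, without a documented fix, nothing says it is safe. With the "fixed in" rules, 3.6.7 is clean, 3.6.0 is only reported for CVE-2021-3188, and every version below the fix is still caught regardless of how new the last known release is. This is why a changelog entry naming the fixed version, as the vendor eventually added, is what lets a check be both precise and durable.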

Thank you!