diff --git a/2013/6xxx/CVE-2013-6040.json b/2013/6xxx/CVE-2013-6040.json
index 64ddae08d09..04e2297ef7d 100644
--- a/2013/6xxx/CVE-2013-6040.json
+++ b/2013/6xxx/CVE-2013-6040.json
@@ -1,40 +1,17 @@
{
+ "data_version": "4.0",
+ "data_type": "CVE",
+ "data_format": "MITRE",
"CVE_data_meta": {
- "ASSIGNER": "cert@cert.org",
"ID": "CVE-2013-6040",
+ "ASSIGNER": "cert@cert.org",
"STATE": "PUBLIC"
},
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "product": {
- "product_data": [
- {
- "product_name": "n/a",
- "version": {
- "version_data": [
- {
- "version_value": "n/a"
- }
- ]
- }
- }
- ]
- },
- "vendor_name": "n/a"
- }
- ]
- }
- },
- "data_format": "MITRE",
- "data_type": "CVE",
- "data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
- "value": "Multiple unspecified vulnerabilities in the MW6 Aztec, DataMatrix, and MaxiCode ActiveX controls allow remote attackers to execute arbitrary code via a crafted HTML document."
+ "value": "MW6 Aztec, DataMatrix, and MaxiCode ActiveX controls before version 4.0 vulnerable to arbitrary code via a crafted HTML document. Latest versions (4.0) of MW6 Aztec, DataMatrix, and MaxiCode ActiveX controls have resolved the issue"
}
]
},
@@ -44,29 +21,86 @@
"description": [
{
"lang": "eng",
- "value": "n/a"
+ "value": "CWE-94: Improper Control of Generation of Code"
}
]
}
]
},
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "MW6 Tech",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "MW6 Aztec ActiveX Controls",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_name": "0.0",
+ "version_value": "4.0"
+ }
+ ]
+ }
+ },
+ {
+ "product_name": "MW6 DataMatrix ActiveX Controls",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_name": "0.0",
+ "version_value": "4.0"
+ }
+ ]
+ }
+ },
+ {
+ "product_name": "MW6 MaxiCode ActiveX Controls",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_name": "0.0",
+ "version_value": "4.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
"references": {
"reference_data": [
{
- "name": "31176",
- "refsource": "EXPLOIT-DB",
- "url": "http://www.exploit-db.com/exploits/31176"
+ "url": "http://www.exploit-db.com/exploits/31176",
+ "refsource": "MISC",
+ "name": "http://www.exploit-db.com/exploits/31176"
},
{
- "name": "VU#219470",
- "refsource": "CERT-VN",
- "url": "http://www.kb.cert.org/vuls/id/219470"
+ "url": "http://www.kb.cert.org/vuls/id/219470",
+ "refsource": "MISC",
+ "name": "http://www.kb.cert.org/vuls/id/219470"
},
{
- "name": "31177",
- "refsource": "EXPLOIT-DB",
- "url": "http://www.exploit-db.com/exploits/31177"
+ "url": "http://www.exploit-db.com/exploits/31177",
+ "refsource": "MISC",
+ "name": "http://www.exploit-db.com/exploits/31177"
+ },
+ {
+ "url": "https://www.mw6tech.com",
+ "refsource": "MISC",
+ "name": "https://www.mw6tech.com"
}
]
+ },
+ "generator": {
+ "engine": "cveClient/1.0.15"
}
}
\ No newline at end of file
diff --git a/2024/43xxx/CVE-2024-43788.json b/2024/43xxx/CVE-2024-43788.json
index 90943df727f..e92113a5e87 100644
--- a/2024/43xxx/CVE-2024-43788.json
+++ b/2024/43xxx/CVE-2024-43788.json
@@ -41,7 +41,7 @@
"version_data": [
{
"version_affected": "=",
- "version_value": "< 5.94.0"
+ "version_value": ">= 5.0.0-alpha.0, < 5.94.0"
}
]
}
@@ -59,6 +59,11 @@
"refsource": "MISC",
"name": "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986"
},
+ {
+ "url": "https://github.com/webpack/webpack/issues/18718#issuecomment-2326296270",
+ "refsource": "MISC",
+ "name": "https://github.com/webpack/webpack/issues/18718#issuecomment-2326296270"
+ },
{
"url": "https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61",
"refsource": "MISC",
diff --git a/2024/7xxx/CVE-2024-7345.json b/2024/7xxx/CVE-2024-7345.json
index ee34ead6b1d..a8e1a84e72e 100644
--- a/2024/7xxx/CVE-2024-7345.json
+++ b/2024/7xxx/CVE-2024-7345.json
@@ -1,17 +1,202 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-7345",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@progress.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms"
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-94 Improper Control of Generation of Code ('Code Injection')",
+ "cweId": "CWE-94"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Progress",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "OpenEdge",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "not down converted",
+ "x_cve_json_5_version_data": {
+ "versions": [
+ {
+ "lessThanOrEqual": "11.7.19",
+ "status": "affected",
+ "version": "11.7.0",
+ "versionType": "custom"
+ },
+ {
+ "lessThanOrEqual": "12.2.14",
+ "status": "affected",
+ "version": "12.2.0",
+ "versionType": "custom"
+ },
+ {
+ "status": "unaffected",
+ "version": "12.8.0",
+ "versionType": "custom"
+ }
+ ],
+ "defaultStatus": "affected"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://community.progress.com/s/article/Direct-local-client-connections-to-MS-Agents-can-bypass-authentication",
+ "refsource": "MISC",
+ "name": "https://community.progress.com/s/article/Direct-local-client-connections-to-MS-Agents-can-bypass-authentication"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "configuration": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "An active instance of OpenEdge PASOE's Tomcat Webserver and local or system adjacent access to an ABL client on the Webserver host
"
+ }
+ ],
+ "value": "An active instance of OpenEdge PASOE's Tomcat Webserver and local or system adjacent access to an ABL client on the Webserver host"
+ }
+ ],
+ "work_around": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Do not put client software on host webserver systems
"
+ }
+ ],
+ "value": "Do not put client software on host webserver systems"
+ },
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Ensure the \"AppServer.SessMgr.agentHost\" property is set to \"localhost\" unless you are multi-hosting a single Webserver system
"
+ }
+ ],
+ "value": "Ensure the \"AppServer.SessMgr.agentHost\" property is set to \"localhost\" unless you are multi-hosting a single Webserver system"
+ },
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Block agent listening ports from network access anywhere with the exception of the PASOE Tomcat Webserver's published listening port
"
+ }
+ ],
+ "value": "Block agent listening ports from network access anywhere with the exception of the PASOE Tomcat Webserver's published listening port"
+ },
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Launch PASOE agent processes with \"least privilege\" system resource capabilities
"
+ }
+ ],
+ "value": "Launch PASOE agent processes with \"least privilege\" system resource capabilities"
+ }
+ ],
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Use the 12.8.0 or above LTS release where the vulnerability does not exist
"
+ }
+ ],
+ "value": "Use the 12.8.0 or above LTS release where the vulnerability does not exist"
+ },
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Use the 12.2 LTS release at the 12.2.14 Update level or above
"
+ }
+ ],
+ "value": "Use the 12.2 LTS release at the 12.2.14 Update level or above"
+ },
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Use the 11.7 LTS release at the 11.7.19 Update level or above\n\n
"
+ }
+ ],
+ "value": "Use the 11.7 LTS release at the 11.7.19 Update level or above"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "HIGH",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 8.3,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2024/7xxx/CVE-2024-7346.json b/2024/7xxx/CVE-2024-7346.json
index 930375037f6..007aaa0168c 100644
--- a/2024/7xxx/CVE-2024-7346.json
+++ b/2024/7xxx/CVE-2024-7346.json
@@ -1,17 +1,180 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-7346",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@progress.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection.\u00a0 This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security.\u00a0 The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-297: Improper Validation of Certificate with Host Mismatch",
+ "cweId": "CWE-297"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Progress",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "OpenEdge",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "not down converted",
+ "x_cve_json_5_version_data": {
+ "versions": [
+ {
+ "lessThanOrEqual": "11.7.19",
+ "status": "affected",
+ "version": "11.7.0",
+ "versionType": "custom"
+ },
+ {
+ "lessThanOrEqual": "12.2.14",
+ "status": "affected",
+ "version": "12.2.0",
+ "versionType": "custom"
+ },
+ {
+ "status": "unaffected",
+ "version": "12.8.0",
+ "versionType": "custom"
+ }
+ ],
+ "defaultStatus": "affected"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://community.progress.com/s/article/Client-connections-using-default-TLS-certificates-from-OpenEdge-may-bypass-TLS-host-name-validation",
+ "refsource": "MISC",
+ "name": "https://community.progress.com/s/article/Client-connections-using-default-TLS-certificates-from-OpenEdge-may-bypass-TLS-host-name-validation"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "configuration": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Use of the legacy OpenEdge default TLS/SSL certificates in TLS-networked connections in an OpenEdge installation.
"
+ }
+ ],
+ "value": "Use of the legacy OpenEdge default TLS/SSL certificates in TLS-networked connections in an OpenEdge installation."
+ }
+ ],
+ "work_around": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Replace all use of default OpenEdge TLS certificates with a CA-signed certificate from a recognized certificate authority that contains the necessary information to support host name validation\n\n
"
+ }
+ ],
+ "value": "Replace all use of default OpenEdge TLS certificates with a CA-signed certificate from a recognized certificate authority that contains the necessary information to support host name validation"
+ },
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Use the \"nohostverify\" switch in development environments when clients need to bypass host name validation as a convenience prior to establishing valid certificates for production.
"
+ }
+ ],
+ "value": "Use the \"nohostverify\" switch in development environments when clients need to bypass host name validation as a convenience prior to establishing valid certificates for production."
+ }
+ ],
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Use the 12.8.0 or above LTS release where the vulnerability does not exist
"
+ }
+ ],
+ "value": "Use the 12.8.0 or above LTS release where the vulnerability does not exist"
+ },
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Use the 12.2 LTS release at the 12.2.15 Update level or above\n\n
"
+ }
+ ],
+ "value": "Use the 12.2 LTS release at the 12.2.15 Update level or above"
+ },
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Use the 11.7 LTS release at the 11.7.20 Update level or above\n\n
"
+ }
+ ],
+ "value": "Use the 11.7 LTS release at the 11.7.20 Update level or above"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 7.2,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
+ "version": "3.1"
}
]
}
diff --git a/2024/7xxx/CVE-2024-7654.json b/2024/7xxx/CVE-2024-7654.json
index 8d1074398a5..3e543a52eb7 100644
--- a/2024/7xxx/CVE-2024-7654.json
+++ b/2024/7xxx/CVE-2024-7654.json
@@ -1,17 +1,133 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-7654",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@progress.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.\u00a0 Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.\u00a0\u00a0 Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+ "cweId": "CWE-79"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Progress",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "OpenEdge",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_name": "11.7.0",
+ "version_value": "11.7.19"
+ },
+ {
+ "version_affected": "<",
+ "version_name": "12.2.0",
+ "version_value": "12.2.15"
+ },
+ {
+ "version_affected": "<",
+ "version_name": "12.8.0",
+ "version_value": "12.8.2"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://community.progress.com/s/article/Unauthenticated-Content-Injection-in-OpenEdge-Management-web-interface-via-ActiveMQ-discovery-service",
+ "refsource": "MISC",
+ "name": "https://community.progress.com/s/article/Unauthenticated-Content-Injection-in-OpenEdge-Management-web-interface-via-ActiveMQ-discovery-service"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Use the 12.8.3 or above LTS release where the vulnerability does not exist\n\n
"
+ }
+ ],
+ "value": "Use the 12.8.3 or above LTS release where the vulnerability does not exist"
+ },
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Use the 12.2 LTS release at the 12.2.15 Update level or above\n\n\n\n
"
+ }
+ ],
+ "value": "Use the 12.2 LTS release at the 12.2.15 Update level or above"
+ },
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Use the 11.7 LTS release at the 11.7.20 Update level or above\n\n\n\n\n\n
"
+ }
+ ],
+ "value": "Use the 11.7 LTS release at the 11.7.20 Update level or above"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 8.3,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
+ "version": "3.1"
}
]
}