admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-07-30 18:04:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2023-08-10 18:00:33 +00:00
parent 8e095c072e
commit 15470bd594
No known key found for this signature in database
GPG Key ID: E3252B3D49582C98
8 changed files with 741 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
2023/39xxx/CVE-2023-39958.json
View File

@ -1,17 +1,115 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-39958",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
"cweId": "CWE-307"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "nextcloud",
"product": {
"product_data": [
{
"product_name": "security-advisories",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 22.0.0, < 22.2.10.13"
},
{
"version_affected": "=",
"version_value": ">= 23.0.0, < 23.0.12.8"
},
{
"version_affected": "=",
"version_value": ">= 24.0.0, < 24.0.12.5"
},
{
"version_affected": "=",
"version_value": ">= 25.0.0, < 25.0.9"
},
{
"version_affected": "=",
"version_value": ">= 26.0.0, < 26.0.4"
},
{
"version_affected": "=",
"version_value": ">= 27.0.0, < 27.0.1"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vv27-g2hq-v48h",
"refsource": "MISC",
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vv27-g2hq-v48h"
},
{
"url": "https://github.com/nextcloud/server/pull/38773",
"refsource": "MISC",
"name": "https://github.com/nextcloud/server/pull/38773"
},
{
"url": "https://hackerone.com/reports/1258448",
"refsource": "MISC",
"name": "https://hackerone.com/reports/1258448"
}
]
},
"source": {
"advisory": "GHSA-vv27-g2hq-v48h",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
]
}

94
2023/39xxx/CVE-2023-39959.json
View File

@ -1,17 +1,103 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-39959",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.9, 26.0.4, and 27.0.1, unauthenticated users could send a DAV request which reveals whether a calendar or an address book with the given identifier exists for the victim. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control",
"cweId": "CWE-284"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "nextcloud",
"product": {
"product_data": [
{
"product_name": "security-advisories",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 25.0.0, < 25.0.9"
},
{
"version_affected": "=",
"version_value": ">= 26.0.0, < 26.0.4"
},
{
"version_affected": "=",
"version_value": ">= 27.0.0, < 27.0.1"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g97r-8ffm-hfpj",
"refsource": "MISC",
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g97r-8ffm-hfpj"
},
{
"url": "https://github.com/nextcloud/server/pull/38747",
"refsource": "MISC",
"name": "https://github.com/nextcloud/server/pull/38747"
},
{
"url": "https://hackerone.com/reports/1832126",
"refsource": "MISC",
"name": "https://hackerone.com/reports/1832126"
}
]
},
"source": {
"advisory": "GHSA-g97r-8ffm-hfpj",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
]
}

98
2023/39xxx/CVE-2023-39961.json
View File

@ -1,17 +1,107 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-39961",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 24.0.4 and prior to versions 25.0.9, 26.0.4, and 27.0.1, when a folder with images or an image was shared without download permissions, the user could add the image inline into a text file and download it. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control",
"cweId": "CWE-284"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "nextcloud",
"product": {
"product_data": [
{
"product_name": "security-advisories",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 24.0.4, < 24.0.12.5"
},
{
"version_affected": "=",
"version_value": ">= 25.0.0, < 25.0.9"
},
{
"version_affected": "=",
"version_value": ">= 27.0.0, < 27.0.1"
},
{
"version_affected": "=",
"version_value": ">= 26.0.0, < 26.0.4"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qhgm-w4gx-gvgp",
"refsource": "MISC",
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qhgm-w4gx-gvgp"
},
{
"url": "https://github.com/nextcloud/text/pull/4481",
"refsource": "MISC",
"name": "https://github.com/nextcloud/text/pull/4481"
},
{
"url": "https://hackerone.com/reports/1965156",
"refsource": "MISC",
"name": "https://hackerone.com/reports/1965156"
}
]
},
"source": {
"advisory": "GHSA-qhgm-w4gx-gvgp",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
]
}

118
2023/39xxx/CVE-2023-39962.json
View File

@ -1,17 +1,127 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-39962",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. As a workaround, disable app files_external. This also makes the external storage inaccessible but retains the configurations until a patched version has been deployed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control",
"cweId": "CWE-284"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "nextcloud",
"product": {
"product_data": [
{
"product_name": "security-advisories",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 19.0.0, < 19.0.13.10"
},
{
"version_affected": "=",
"version_value": ">= 20.0.0, < 20.0.14.15"
},
{
"version_affected": "=",
"version_value": ">= 21.0.0, < 21.0.9.13"
},
{
"version_affected": "=",
"version_value": ">= 22.0.0, < 22.2.10.14"
},
{
"version_affected": "=",
"version_value": ">= 23.0.0, < 23.0.12.9"
},
{
"version_affected": "=",
"version_value": ">= 24.0.0, < 24.0.12.5"
},
{
"version_affected": "=",
"version_value": ">= 25.0.0, < 25.0.9"
},
{
"version_affected": "=",
"version_value": ">= 26.0.0, < 26.0.4"
},
{
"version_affected": "=",
"version_value": ">= 27.0.0, < 27.0.1"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm",
"refsource": "MISC",
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm"
},
{
"url": "https://github.com/nextcloud/server/pull/39323",
"refsource": "MISC",
"name": "https://github.com/nextcloud/server/pull/39323"
},
{
"url": "https://hackerone.com/reports/2047168",
"refsource": "MISC",
"name": "https://hackerone.com/reports/2047168"
}
]
},
"source": {
"advisory": "GHSA-xwxx-2752-w3xm",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
]
}

114
2023/39xxx/CVE-2023-39963.json
View File

@ -1,17 +1,123 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-39963",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 20.0.0 and prior to versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker, after successfully stealing a session from a logged in user, to create app passwords for the victim. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control",
"cweId": "CWE-284"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "nextcloud",
"product": {
"product_data": [
{
"product_name": "security-advisories",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 20.0.0, < 20.0.14.15"
},
{
"version_affected": "=",
"version_value": ">= 21.0.0, < 21.0.9.13"
},
{
"version_affected": "=",
"version_value": ">= 22.0.0, < 22.2.10.14"
},
{
"version_affected": "=",
"version_value": ">= 23.0.0, < 23.0.12.9"
},
{
"version_affected": "=",
"version_value": ">= 24.0.0, < 24.0.12.5"
},
{
"version_affected": "=",
"version_value": ">= 25.0.0, < 25.0.9"
},
{
"version_affected": "=",
"version_value": ">= 26.0.0, < 26.0.4"
},
{
"version_affected": "=",
"version_value": ">= 27.0.0, < 27.0.1"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j4qm-5q5x-54m5",
"refsource": "MISC",
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j4qm-5q5x-54m5"
},
{
"url": "https://github.com/nextcloud/server/pull/39416",
"refsource": "MISC",
"name": "https://github.com/nextcloud/server/pull/39416"
},
{
"url": "https://hackerone.com/reports/2067572",
"refsource": "MISC",
"name": "https://hackerone.com/reports/2067572"
}
]
},
"source": {
"advisory": "GHSA-j4qm-5q5x-54m5",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L",
"version": "3.1"
}
]
}

81
2023/39xxx/CVE-2023-39964.json
View File

@ -1,17 +1,90 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-39964",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, arbitrary file reads allow an attacker to read arbitrary important configuration files on the server. In the `api/v1/file.go` file, there is a function called `LoadFromFile`, which directly reads the file by obtaining the requested path `parameter[path]`. The request parameters are not filtered, resulting in a background arbitrary file reading vulnerability. Version 1.5.0 has a patch for this issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
"cweId": "CWE-22"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "1Panel-dev",
"product": {
"product_data": [
{
"product_name": "1Panel",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "= 1.4.3"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-pv7q-v9mv-9mh5",
"refsource": "MISC",
"name": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-pv7q-v9mv-9mh5"
},
{
"url": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0",
"refsource": "MISC",
"name": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0"
}
]
},
"source": {
"advisory": "GHSA-pv7q-v9mv-9mh5",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
]
}

81
2023/39xxx/CVE-2023-39965.json
View File

@ -1,17 +1,90 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-39965",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, authenticated attackers can download arbitrary files through the API interface. This code has unauthorized access. Attackers can freely download the file content on the target system. This may cause a large amount of information leakage. Version 1.5.0 has a patch for this issue.\n"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863: Incorrect Authorization",
"cweId": "CWE-863"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "1Panel-dev",
"product": {
"product_data": [
{
"product_name": "1Panel",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "= 1.4.3"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-85cf-gj29-f555",
"refsource": "MISC",
"name": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-85cf-gj29-f555"
},
{
"url": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0",
"refsource": "MISC",
"name": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0"
}
]
},
"source": {
"advisory": "GHSA-85cf-gj29-f555",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
]
}

81
2023/39xxx/CVE-2023-39966.json
View File

@ -1,17 +1,90 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-39966",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862: Missing Authorization",
"cweId": "CWE-862"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "1Panel-dev",
"product": {
"product_data": [
{
"product_name": "1Panel",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "= 1.4.3"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4",
"refsource": "MISC",
"name": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4"
},
{
"url": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0",
"refsource": "MISC",
"name": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0"
}
]
},
"source": {
"advisory": "GHSA-hf7j-xj3w-87g4",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
]
}