diff --git a/2025/22xxx/CVE-2025-22371.json b/2025/22xxx/CVE-2025-22371.json index 4899eb600b7..bf062a8d817 100644 --- a/2025/22xxx/CVE-2025-22371.json +++ b/2025/22xxx/CVE-2025-22371.json @@ -1,18 +1,105 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-22371", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "csirt@divd.nl", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SicommNet BASEC (SaaS Service) login page allows an unauthenticated remote attacker to Bypass Authentication and execute arbitrary SQL commands. This issue at least affects BASEC for the date of 14 Dec 2021 onwards. It is very likely that this vulnerability has been present in the solution before that.\n\nAs of the date of this CVE record, there has been no patch" } ] - } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "cweId": "CWE-89" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SicommNet", + "product": { + "product_data": [ + { + "product_name": "BASEC", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "14 Dec 2021", + "version_value": "*" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://basec.sicomm.net/login/", + "refsource": "MISC", + "name": "https://basec.sicomm.net/login/" + }, + { + "url": "https://csirt.divd.nl/DIVD-2025-00001", + "refsource": "MISC", + "name": "https://csirt.divd.nl/DIVD-2025-00001" + }, + { + "url": "https://cisrt.divd.nl/CVE-2025-22371", + "refsource": "MISC", + "name": "https://cisrt.divd.nl/CVE-2025-22371" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "advisory": "DIVD-2025-00001", + "discovery": "INTERNAL" + }, + "exploit": [ + { + "lang": "en", + "value": "Given that vulnerability has been exposed for over 3 years, users should consider the service and all the data in it as compromised.", + "supportingMedia": [ + { + "type": "text/html", + "base64": false, + "value": "Given that vulnerability has been exposed for over 3 years, users should consider the service and all the data in it as compromised." + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Jesse Meijer (DIVD)" + }, + { + "lang": "en", + "value": "Frank Breedijk (DIVD)" + } + ] } \ No newline at end of file diff --git a/2025/22xxx/CVE-2025-22372.json b/2025/22xxx/CVE-2025-22372.json index aff30240ba8..30fb78ac77b 100644 --- a/2025/22xxx/CVE-2025-22372.json +++ b/2025/22xxx/CVE-2025-22372.json @@ -1,18 +1,105 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-22372", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "csirt@divd.nl", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Insufficiently Protected Credentials vulnerability in SicommNet BASEC on SaaS allows Password Recovery.\nPasswords are either stored in plain text using reversible encryption, allowing an attacker with sufficient privileges to extract plain text passwords easily.\n\nThis issue affects BASEC: from 14 Dec 2021." } ] - } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-522 Insufficiently Protected Credentials", + "cweId": "CWE-522" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SicommNet", + "product": { + "product_data": [ + { + "product_name": "BASEC", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "14 Dec 2021", + "version_value": "*" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://basec.sicomm.net/login/", + "refsource": "MISC", + "name": "https://basec.sicomm.net/login/" + }, + { + "url": "https://csirt.divd.nl/DIVD-2025-00001", + "refsource": "MISC", + "name": "https://csirt.divd.nl/DIVD-2025-00001" + }, + { + "url": "https://cisrt.divd.nl/CVE-2025-22372", + "refsource": "MISC", + "name": "https://cisrt.divd.nl/CVE-2025-22372" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "advisory": "DIVD-2025-00001", + "discovery": "INTERNAL" + }, + "exploit": [ + { + "lang": "en", + "value": "Given that vulnerability has been exposed for over 3 years, users should consider the service and all the data in it as compromised.", + "supportingMedia": [ + { + "type": "text/html", + "base64": false, + "value": "Given that vulnerability has been exposed for over 3 years, users should consider the service and all the data in it as compromised." + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Jesse Meijer (DIVD)" + }, + { + "lang": "en", + "value": "Frank Breedijk (DIVD)" + } + ] } \ No newline at end of file diff --git a/2025/22xxx/CVE-2025-22373.json b/2025/22xxx/CVE-2025-22373.json index 846d17192da..d8348f2ec83 100644 --- a/2025/22xxx/CVE-2025-22373.json +++ b/2025/22xxx/CVE-2025-22373.json @@ -1,18 +1,105 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-22373", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "csirt@divd.nl", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SicommNet BASEC on SaaS allows Reflected XSS, XSS Through HTTP Query Strings, Rendering of Arbitrary HTML and alternation of CSS Styles\nThis issue affects BASEC: from 14 Dec 2021." } ] - } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SicommNet", + "product": { + "product_data": [ + { + "product_name": "BASEC", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "14 Dec 2021", + "version_value": "*" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://basec.sicomm.net/login/", + "refsource": "MISC", + "name": "https://basec.sicomm.net/login/" + }, + { + "url": "https://csirt.divd.nl/DIVD-2025-00001", + "refsource": "MISC", + "name": "https://csirt.divd.nl/DIVD-2025-00001" + }, + { + "url": "https://cisrt.divd.nl/CVE-2025-22373", + "refsource": "MISC", + "name": "https://cisrt.divd.nl/CVE-2025-22373" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "advisory": "DIVD-2025-00001", + "discovery": "INTERNAL" + }, + "exploit": [ + { + "lang": "en", + "value": "Given that vulnerability has been exposed for over 3 years, users should consider the service and all the data in it as compromised.", + "supportingMedia": [ + { + "type": "text/html", + "base64": false, + "value": "Given that vulnerability has been exposed for over 3 years, users should consider the service and all the data in it as compromised." + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Jesse Meijer (DIVD)" + }, + { + "lang": "en", + "value": "Frank Breedijk (DIVD)" + } + ] } \ No newline at end of file diff --git a/2025/32xxx/CVE-2025-32931.json b/2025/32xxx/CVE-2025-32931.json new file mode 100644 index 00000000000..68480866f68 --- /dev/null +++ b/2025/32xxx/CVE-2025-32931.json @@ -0,0 +1,72 @@ +{ + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2025-32931", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** UNSUPPORTED WHEN ASSIGNED ** DevDojo Voyager 1.4.0 through 1.8.0, when Laravel 8 or later is used, allows authenticated administrators to execute arbitrary OS commands via a specific php artisan command." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/lishihihi/voyager-issue-report/", + "refsource": "MISC", + "name": "https://github.com/lishihihi/voyager-issue-report/" + }, + { + "url": "https://github.com/thedevdojo/voyager/blob/1.8/docs/core-concepts/compass.md", + "refsource": "MISC", + "name": "https://github.com/thedevdojo/voyager/blob/1.8/docs/core-concepts/compass.md" + }, + { + "url": "https://github.com/thedevdojo/voyager/blob/7e7e0f4f0e115d2d9e0481a86153a1ceff194c00/resources/views/compass/includes/commands.blade.php#L11-L16", + "refsource": "MISC", + "name": "https://github.com/thedevdojo/voyager/blob/7e7e0f4f0e115d2d9e0481a86153a1ceff194c00/resources/views/compass/includes/commands.blade.php#L11-L16" + } + ] + } +} \ No newline at end of file diff --git a/2025/3xxx/CVE-2025-3571.json b/2025/3xxx/CVE-2025-3571.json index 5c23dd2d70e..be4028027c1 100644 --- a/2025/3xxx/CVE-2025-3571.json +++ b/2025/3xxx/CVE-2025-3571.json @@ -1,17 +1,122 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-3571", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@vuldb.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A vulnerability was found in Fannuo Enterprise Content Management System \u51e1\u8bfa\u4f01\u4e1a\u7f51\u7ad9\u7ba1\u7406\u7cfb\u7edf 1.1/4.0. It has been declared as critical. This vulnerability affects unknown code of the file admin/cms_chip.php. The manipulation of the argument del leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used." + }, + { + "lang": "deu", + "value": "In Fannuo Enterprise Content Management System \u51e1\u8bfa\u4f01\u4e1a\u7f51\u7ad9\u7ba1\u7406\u7cfb\u7edf 1.1/4.0 wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Betroffen ist eine unbekannte Verarbeitung der Datei admin/cms_chip.php. Dank der Manipulation des Arguments del mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "SQL Injection", + "cweId": "CWE-89" + } + ] + }, + { + "description": [ + { + "lang": "eng", + "value": "Injection", + "cweId": "CWE-74" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Fannuo", + "product": { + "product_data": [ + { + "product_name": "Enterprise Content Management System \u51e1\u8bfa\u4f01\u4e1a\u7f51\u7ad9\u7ba1\u7406\u7cfb\u7edf", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "1.1" + }, + { + "version_affected": "=", + "version_value": "4.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://vuldb.com/?id.304612", + "refsource": "MISC", + "name": "https://vuldb.com/?id.304612" + }, + { + "url": "https://vuldb.com/?ctiid.304612", + "refsource": "MISC", + "name": "https://vuldb.com/?ctiid.304612" + }, + { + "url": "https://vuldb.com/?submit.549927", + "refsource": "MISC", + "name": "https://vuldb.com/?submit.549927" + }, + { + "url": "https://wiki.shikangsi.com/post/share/c46c50d3-c8d7-46a0-9fed-8d79a64abb44", + "refsource": "MISC", + "name": "https://wiki.shikangsi.com/post/share/c46c50d3-c8d7-46a0-9fed-8d79a64abb44" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "XingYue_Mstir (VulDB User)" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "baseScore": 6.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "baseSeverity": "MEDIUM" + }, + { + "version": "3.0", + "baseScore": 6.3, + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "baseSeverity": "MEDIUM" + }, + { + "version": "2.0", + "baseScore": 6.5, + "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P" } ] } diff --git a/2025/3xxx/CVE-2025-3598.json b/2025/3xxx/CVE-2025-3598.json new file mode 100644 index 00000000000..b62029ace96 --- /dev/null +++ b/2025/3xxx/CVE-2025-3598.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2025-3598", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2025/3xxx/CVE-2025-3599.json b/2025/3xxx/CVE-2025-3599.json new file mode 100644 index 00000000000..800b44f8326 --- /dev/null +++ b/2025/3xxx/CVE-2025-3599.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2025-3599", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file