diff --git a/2024/45xxx/CVE-2024-45712.json b/2024/45xxx/CVE-2024-45712.json
index 8a55e5f4762..754b903250d 100644
--- a/2024/45xxx/CVE-2024-45712.json
+++ b/2024/45xxx/CVE-2024-45712.json
@@ -1,17 +1,105 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-45712",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "psirt@solarwinds.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "SolarWinds Serv-U is vulnerable to a client-side cross-site scripting (XSS) vulnerability. The vulnerability can only be performed by an authenticated account, on the local machine, from the local browser session. Therefore the risk is very low."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+ "cweId": "CWE-79"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "SolarWinds",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Serv-U",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "Serv-U 15.5 and previous versions"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-45712",
+ "refsource": "MISC",
+ "name": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-45712"
+ },
+ {
+ "url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-1_release_notes.htm",
+ "refsource": "MISC",
+ "name": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-1_release_notes.htm"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "SolarWinds recommends that customers upgrade to SolarWinds Serv-U 15.5.1 as soon as it becomes available.\n\n
"
+ }
+ ],
+ "value": "SolarWinds recommends that customers upgrade to SolarWinds Serv-U 15.5.1 as soon as it becomes available."
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 2.6,
+ "baseSeverity": "LOW",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
+ "version": "3.1"
}
]
}
diff --git a/2025/32xxx/CVE-2025-32002.json b/2025/32xxx/CVE-2025-32002.json
new file mode 100644
index 00000000000..4abec1e5078
--- /dev/null
+++ b/2025/32xxx/CVE-2025-32002.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2025-32002",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2025/32xxx/CVE-2025-32738.json b/2025/32xxx/CVE-2025-32738.json
new file mode 100644
index 00000000000..4b7acc95ea8
--- /dev/null
+++ b/2025/32xxx/CVE-2025-32738.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2025-32738",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2025/3xxx/CVE-2025-3574.json b/2025/3xxx/CVE-2025-3574.json
index 0a6bb5c20bd..d2af1294902 100644
--- a/2025/3xxx/CVE-2025-3574.json
+++ b/2025/3xxx/CVE-2025-3574.json
@@ -1,18 +1,89 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2025-3574",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "cve-coordination@incibe.es",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Insecure Direct Object Reference vulnerability in Deporsite from T-INNOVA allows an attacker to retrieve sensitive information from others users via \"idUsuario\" parameter in \"/helper/Familia/obtenerFamiliaUsuario\" endpoint."
}
]
- }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-639 Authorization Bypass Through User-Controlled Key",
+ "cweId": "CWE-639"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "T-INNOVA",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Deporsite",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "v05.29.0907"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-deporsite-t-innova",
+ "refsource": "MISC",
+ "name": "https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-deporsite-t-innova"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "EXTERNAL"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "The vulnerabilities have been fixed by the T-INNOVA team in release 2024.02 (DSuite2024 v06.1287 fix2).
T-Innova has identified the customers using the affected module, and has applied the corresponding patch.
"
+ }
+ ],
+ "value": "The vulnerabilities have been fixed by the T-INNOVA team in release 2024.02 (DSuite2024 v06.1287 fix2).\nT-Innova has identified the customers using the affected module, and has applied the corresponding patch."
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Carlos Alonso Arranz"
+ }
+ ]
}
\ No newline at end of file
diff --git a/2025/3xxx/CVE-2025-3575.json b/2025/3xxx/CVE-2025-3575.json
index 5c774f45c48..ac81425bb32 100644
--- a/2025/3xxx/CVE-2025-3575.json
+++ b/2025/3xxx/CVE-2025-3575.json
@@ -1,18 +1,83 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2025-3575",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "cve-coordination@incibe.es",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Insecure Direct Object Reference vulnerability in Deporsite from T-INNOVA allows an attacker to retrieve sensitive information from others users via \"idUsuario\" parameter in \"/helper/Familia/establecerUsuarioSeleccion\" endpoint."
}
]
- }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-639 Authorization Bypass Through User-Controlled Key",
+ "cweId": "CWE-639"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "T-INNOVA",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Deporsite",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "v05.29.0907"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-deporsite-t-innova",
+ "refsource": "MISC",
+ "name": "https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-deporsite-t-innova"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "EXTERNAL"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "The vulnerabilities have been fixed by the T-INNOVA team in release 2024.02 (DSuite2024 v06.1287 fix2).
T-Innova has identified the customers using the affected module, and has applied the corresponding patch.
"
+ }
+ ],
+ "value": "The vulnerabilities have been fixed by the T-INNOVA team in release 2024.02 (DSuite2024 v06.1287 fix2).\nT-Innova has identified the customers using the affected module, and has applied the corresponding patch."
+ }
+ ]
}
\ No newline at end of file
diff --git a/2025/3xxx/CVE-2025-3578.json b/2025/3xxx/CVE-2025-3578.json
index e50b1f8e42e..aad8ba7f9cd 100644
--- a/2025/3xxx/CVE-2025-3578.json
+++ b/2025/3xxx/CVE-2025-3578.json
@@ -1,18 +1,90 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2025-3578",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "cve-coordination@incibe.es",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "A malicious, authenticated user in Aidex, versions prior to 1.7, could list credentials of other users, create or modify existing users in the application, list credentials of users in production or development environments. In addition, it would be possible to cause bugs that would result in the exfiltration of sensitive information, such as details about the software or internal system paths. These actions could be carried out through the misuse of LLM Prompt (chatbot) technology, via the /api//message endpoint, by manipulating the contents of the \u2018content\u2019 parameter."
}
]
- }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-1039: Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism",
+ "cweId": "CWE-1039"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "AiDex",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "AiDex",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_name": "0",
+ "version_value": "1.7"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-aidex",
+ "refsource": "MISC",
+ "name": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-aidex"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "EXTERNAL"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "The vulnerability has been fixed by the AiDex team in version 1.7."
+ }
+ ],
+ "value": "The vulnerability has been fixed by the AiDex team in version 1.7."
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)"
+ }
+ ]
}
\ No newline at end of file
diff --git a/2025/3xxx/CVE-2025-3579.json b/2025/3xxx/CVE-2025-3579.json
index b8334043c0f..cca4d26f21f 100644
--- a/2025/3xxx/CVE-2025-3579.json
+++ b/2025/3xxx/CVE-2025-3579.json
@@ -1,18 +1,90 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2025-3579",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "cve-coordination@incibe.es",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "In versions prior to Aidex 1.7, an authenticated malicious user, taking advantage of an open registry, could execute unauthorised commands within the system. This includes executing operating system (Unix) commands, interacting with internal services such as PHP or MySQL, and even invoking native functions of the framework used, such as Laravel or Symfony. This execution is achieved by Prompt Injection attacks through the /api//message endpoint, manipulating the content of the \u2018content\u2019 parameter."
}
]
- }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-94 Improper Control of Generation of Code ('Code Injection')",
+ "cweId": "CWE-94"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "AiDex",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "AiDex",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_name": "0",
+ "version_value": "1.7"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-aidex",
+ "refsource": "MISC",
+ "name": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-aidex"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "EXTERNAL"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "The vulnerability has been fixed by the AiDex team in version 1.7."
+ }
+ ],
+ "value": "The vulnerability has been fixed by the AiDex team in version 1.7."
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)"
+ }
+ ]
}
\ No newline at end of file