"-Synchronized-Data."

2025-07-29 05:56:59 +00:00 · 2021-11-19 00:01:11 +00:00 · 2021-11-19 00:01:11 +00:00 · 1ef11e7632
commit 1ef11e7632
parent d2926f8862
4 changed files with 8 additions and 8 deletions
--- a/2021/40xxx/CVE-2021-40129.json
+++ b/2021/40xxx/CVE-2021-40129.json
@ -36,7 +36,7 @@
        "description_data": [
            {
                "lang": "eng",
-                "value": "\r A vulnerability in the configuration dashboard of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to submit a SQL query through the CSPC configuration dashboard.\r This vulnerability is due to insufficient input validation of uploaded files. An attacker could exploit this vulnerability by uploading a file containing a SQL query to the configuration dashboard. A successful exploit could allow the attacker to read restricted information from the CSPC SQL database.\r "
+                "value": "A vulnerability in the configuration dashboard of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to submit a SQL query through the CSPC configuration dashboard. This vulnerability is due to insufficient input validation of uploaded files. An attacker could exploit this vulnerability by uploading a file containing a SQL query to the configuration dashboard. A successful exploit could allow the attacker to read restricted information from the CSPC SQL database."
            }
        ]
    },
@ -83,4 +83,4 @@
        ],
        "discovery": "INTERNAL"
    }
-}
+}
--- a/2021/40xxx/CVE-2021-40130.json
+++ b/2021/40xxx/CVE-2021-40130.json
@ -36,7 +36,7 @@
        "description_data": [
            {
                "lang": "eng",
-                "value": "\r A vulnerability in the web application of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to specify non-log files as sources for syslog reporting.\r This vulnerability is due to improper restriction of the syslog configuration. An attacker could exploit this vulnerability by configuring non-log files as sources for syslog reporting through the web application. A successful exploit could allow the attacker to read non-log files on the CSPC.\r "
+                "value": "A vulnerability in the web application of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to specify non-log files as sources for syslog reporting. This vulnerability is due to improper restriction of the syslog configuration. An attacker could exploit this vulnerability by configuring non-log files as sources for syslog reporting through the web application. A successful exploit could allow the attacker to read non-log files on the CSPC."
            }
        ]
    },
@ -83,4 +83,4 @@
        ],
        "discovery": "INTERNAL"
    }
-}
+}
--- a/2021/40xxx/CVE-2021-40131.json
+++ b/2021/40xxx/CVE-2021-40131.json
@ -36,7 +36,7 @@
        "description_data": [
            {
                "lang": "eng",
-                "value": "\r A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.\r This vulnerability is due to insufficient validation of user-supplied input that is processed by the web-based management interface. An attacker could exploit this vulnerability by adding malicious code to the configuration by using the web-based management interface. A successful exploit could allow the attacker to execute arbitrary code in the context of the interface or access sensitive, browser-based information.\r "
+                "value": "A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input that is processed by the web-based management interface. An attacker could exploit this vulnerability by adding malicious code to the configuration by using the web-based management interface. A successful exploit could allow the attacker to execute arbitrary code in the context of the interface or access sensitive, browser-based information."
            }
        ]
    },
@ -84,4 +84,4 @@
        ],
        "discovery": "INTERNAL"
    }
-}
+}
--- a/2021/41xxx/CVE-2021-41278.json
+++ b/2021/41xxx/CVE-2021-41278.json
@ -3,7 +3,7 @@
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-41278",
        "STATE": "PUBLIC",
-        "TITLE": "Broken encryption in app-functions-sdk “AES” transform in EdgeX Foundry releases prior to Jakarta allows attackers to decrypt messages via unspecified vectors"
+        "TITLE": "Broken encryption in app-functions-sdk \u201cAES\u201d transform in EdgeX Foundry releases prior to Jakarta allows attackers to decrypt messages via unspecified vectors"
    },
    "affects": {
        "vendor": {
@ -35,7 +35,7 @@
        "description_data": [
            {
                "lang": "eng",
-                "value": "Functions SDK for EdgeX is meant to provide all the plumbing necessary for developers to get started in processing/transforming/exporting data out of the EdgeX IoT platform. In affected versions broken encryption in app-functions-sdk “AES” transform in EdgeX Foundry releases prior to Jakarta allows attackers to decrypt messages via unspecified vectors. The app-functions-sdk exports an “aes” transform that user scripts can optionally call to encrypt data in the processing pipeline.  No decrypt function is provided.  Encryption is not enabled by default, but if used, the level of protection may be less than the user may expects due to a broken implementation. Version v2.1.0 (EdgeX Foundry Jakarta release and later) of app-functions-sdk-go/v2 deprecates the “aes” transform and provides an improved “aes256” transform in its place. The broken implementation will remain in a deprecated state until it is removed in the next EdgeX major release to avoid breakage of existing software that depends on the broken implementation. As the broken transform is a library function that is not invoked by default, users who do not use the AES transform in their processing pipelines are unaffected. Those that are affected are urged to upgrade to the Jakarta EdgeX release and modify processing pipelines to use the new \"aes256\" transform."
+                "value": "Functions SDK for EdgeX is meant to provide all the plumbing necessary for developers to get started in processing/transforming/exporting data out of the EdgeX IoT platform. In affected versions broken encryption in app-functions-sdk \u201cAES\u201d transform in EdgeX Foundry releases prior to Jakarta allows attackers to decrypt messages via unspecified vectors. The app-functions-sdk exports an \u201caes\u201d transform that user scripts can optionally call to encrypt data in the processing pipeline. No decrypt function is provided. Encryption is not enabled by default, but if used, the level of protection may be less than the user may expects due to a broken implementation. Version v2.1.0 (EdgeX Foundry Jakarta release and later) of app-functions-sdk-go/v2 deprecates the \u201caes\u201d transform and provides an improved \u201caes256\u201d transform in its place. The broken implementation will remain in a deprecated state until it is removed in the next EdgeX major release to avoid breakage of existing software that depends on the broken implementation. As the broken transform is a library function that is not invoked by default, users who do not use the AES transform in their processing pipelines are unaffected. Those that are affected are urged to upgrade to the Jakarta EdgeX release and modify processing pipelines to use the new \"aes256\" transform."
            }
        ]
    },