From 28c5e8dc72efb547505b660f5b06b9e5000e8596 Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Mon, 22 Mar 2021 20:00:40 +0000
Subject: [PATCH] "-Synchronized-Data."
---
2020/28xxx/CVE-2020-28431.json | 77 ++---------------------------
2020/28xxx/CVE-2020-28432.json | 77 ++---------------------------
2021/22xxx/CVE-2021-22314.json | 50 +++++++++++++++++--
2021/22xxx/CVE-2021-22321.json | 89 ++++++++++++++++++++++++++++++++--
2021/25xxx/CVE-2021-25917.json | 55 +++++++++++++++++++--
2021/25xxx/CVE-2021-25918.json | 55 +++++++++++++++++++--
2021/25xxx/CVE-2021-25919.json | 55 +++++++++++++++++++--
2021/25xxx/CVE-2021-25920.json | 55 +++++++++++++++++++--
2021/25xxx/CVE-2021-25921.json | 55 +++++++++++++++++++--
2021/25xxx/CVE-2021-25922.json | 55 +++++++++++++++++++--
10 files changed, 453 insertions(+), 170 deletions(-)
diff --git a/2020/28xxx/CVE-2020-28431.json b/2020/28xxx/CVE-2020-28431.json
index bf5d09776e7..2449825cf27 100644
--- a/2020/28xxx/CVE-2020-28431.json
+++ b/2020/28xxx/CVE-2020-28431.json
@@ -3,85 +3,16 @@ "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { - "ASSIGNER": "report@snyk.io", - "DATE_PUBLIC": "2021-02-23T15:19:13.882047Z", "ID": "CVE-2020-28431", - "STATE": "PUBLIC", - "TITLE": "Command Injection" - }, - "affects": { - "vendor": { - "vendor_data": [ - { - "product": { - "product_data": [ - { - "product_name": "wc-cmd", - "version": { - "version_data": [ - { - "version_affected": ">=", - "version_value": "0" - } - ] - } - } - ] - }, - "vendor_name": "n/a" - } - ] - } - }, - "problemtype": { - "problemtype_data": [ - { - "description": [ - { - "lang": "eng", - "value": "Command Injection" - } - ] - } - ] - }, - "references": { - "reference_data": [ - { - "refsource": "MISC", - "url": "https://snyk.io/vuln/SNYK-JS-WCCMD-1050423", - "name": "https://snyk.io/vuln/SNYK-JS-WCCMD-1050423" - } - ] + "ASSIGNER": "cve@mitre.org", + "STATE": "REJECT" }, "description": { "description_data": [ { "lang": "eng", - "value": "All versions of package wc-cmd are vulnerable to Command Injection via the index.js file. PoC: var a =require(\"wc-cmd\"); a(\"touch JHU\")" + "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none." } ] - }, - "impact": { - "cvss": { - "version": "3.1", - "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "baseScore": 7.3, - "baseSeverity": "HIGH", - "attackVector": "NETWORK", - "attackComplexity": "LOW", - "privilegesRequired": "NONE", - "userInteraction": "NONE", - "scope": "UNCHANGED", - "confidentialityImpact": "LOW", - "integrityImpact": "LOW", - "availabilityImpact": "LOW" - } - }, - "credit": [ - { - "lang": "eng", - "value": "JHU System Security Lab" - } - ] + } } \ No newline at end of file diff --git a/2020/28xxx/CVE-2020-28432.json b/2020/28xxx/CVE-2020-28432.json index d7540857795..ee352d2ad32 100644 --- a/2020/28xxx/CVE-2020-28432.json 
+++ b/2020/28xxx/CVE-2020-28432.json @@ -3,85 +3,16 @@ "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { - "ASSIGNER": "report@snyk.io", - "DATE_PUBLIC": "2021-02-23T15:23:08.267334Z", "ID": "CVE-2020-28432", - "STATE": "PUBLIC", - "TITLE": "Command Injection" - }, - "affects": { - "vendor": { - "vendor_data": [ - { - "product": { - "product_data": [ - { - "product_name": "theme-core", - "version": { - "version_data": [ - { - "version_affected": ">=", - "version_value": "0" - } - ] - } - } - ] - }, - "vendor_name": "n/a" - } - ] - } - }, - "problemtype": { - "problemtype_data": [ - { - "description": [ - { - "lang": "eng", - "value": "Command Injection" - } - ] - } - ] - }, - "references": { - "reference_data": [ - { - "refsource": "MISC", - "url": "https://snyk.io/vuln/SNYK-JS-THEMECORE-1050425", - "name": "https://snyk.io/vuln/SNYK-JS-THEMECORE-1050425" - } - ] + "ASSIGNER": "cve@mitre.org", + "STATE": "REJECT" }, "description": { "description_data": [ { "lang": "eng", - "value": "All versions of package theme-core are vulnerable to Command Injection via the lib/utils.js file, which is required by main entry of the package. PoC: var a =require(\"theme-core\"); a.utils.sh(\"touch JHU\")" + "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none." } ] - }, - "impact": { - "cvss": { - "version": "3.1", - "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "baseScore": 7.3, - "baseSeverity": "HIGH", - "attackVector": "NETWORK", - "attackComplexity": "LOW", - "privilegesRequired": "NONE", - "userInteraction": "NONE", - "scope": "UNCHANGED", - "confidentialityImpact": "LOW", - "integrityImpact": "LOW", - "availabilityImpact": "LOW" - } - }, - "credit": [ - { - "lang": "eng", - "value": "JHU System Security Lab" - } - ] + } } \ No newline at end of file 
diff --git a/2021/22xxx/CVE-2021-22314.json b/2021/22xxx/CVE-2021-22314.json index 86c32b95ae8..a45b326bcb5 100644 --- a/2021/22xxx/CVE-2021-22314.json +++ b/2021/22xxx/CVE-2021-22314.json @@ -4,14 +4,58 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-22314", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@huawei.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "ManageOne", + "version": { + "version_data": [ + { + "version_value": "6.5.1.1.B010,6.5.1RC1.B060,6.5.1RC1.B070,6.5.1RC2.B020,6.5.1RC2.B030" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Local Privilege Escalation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210218-01-privilege-en", + "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210218-01-privilege-en" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "There is a local privilege escalation vulnerability in some versions of ManageOne. A local authenticated attacker could perform specific operations to exploit this vulnerability. Successful exploitation may cause the attacker to obtain a higher privilege and compromise the service." } ] } diff --git a/2021/22xxx/CVE-2021-22321.json b/2021/22xxx/CVE-2021-22321.json index 8918423d2c3..472ebf2ae79 100644 --- a/2021/22xxx/CVE-2021-22321.json +++ b/2021/22xxx/CVE-2021-22321.json 
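Review bot: In the CVE-2021-22314.json hunk the added `affects` block sets `"vendor_name": "n/a"` and packs five builds into one comma-separated `version_value`, so tooling that matches on the vendor, product and version fields will not match this record against an installed ManageOne build. The assigner address and the advisory URL both point to Huawei, so `"vendor_name": "Huawei"` and one `version_data` entry per build, e.g. `{ "version_value": "6.5.1.1.B010" }`, would make the record machine-matchable. The same pattern recurs in the CVE-2021-22321 hunk and in the CVE-2021-25917 through CVE-2021-25922 hunks. The record also names no fixed release, so remediation has to be confirmed against the linked advisory.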
@@ -4,14 +4,97 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-22321", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@huawei.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "NIP6600;NIP6800;S12700;S1700;S2700;S5700;S6700;S7700;S9700;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG9500", + "version": { + "version_data": [ + { + "version_value": "V500R001C30,V500R001C60" + }, + { + "version_value": "V500R001C30" + }, + { + "version_value": "V500R001C60" + }, + { + "version_value": "V200R007C01,V200R007C01B102,V200R008C00,V200R010C00,V200R010C00SPC300,V200R011C00,V200R011C00SPC100,V200R011C10" + }, + { + "version_value": "V200R009C00SPC200,V200R009C00SPC500,V200R010C00,V200R010C00SPC300,V200R011C00,V200R011C00SPC100,V200R011C10" + }, + { + "version_value": "V200R008C00,V200R010C00,V200R010C00SPC300,V200R011C00,V200R011C00SPC100,V200R011C10" + }, + { + "version_value": "V200R008C00,V200R010C00,V200R010C00SPC300,V200R011C00,V200R011C00SPC100,V200R011C10,V200R011C10SPC100" + }, + { + "version_value": "V200R008C00,V200R010C00,V200R010C00SPC300,V200R011C00,V200R011C00SPC100,V200R011C10,V200R011C10SPC100" + }, + { + "version_value": "V200R008C00,V200R010C00,V200R010C00SPC300,V200R011C00,V200R011C00SPC100,V200R011C10" + }, + { + "version_value": "V200R007C01,V200R007C01B102,V200R008C00,V200R010C00,V200R010C00SPC300,V200R011C00,V200R011C00SPC100,V200R011C10" + }, + { + "version_value": "V500R001C30,V500R001C60" + }, + { + "version_value": "V500R001C30,V500R001C60" + }, + { + "version_value": "V500R001C30,V500R001C60" + }, + { + "version_value": "V500R001C30,V500R001C60" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Use After Free" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + 
"name": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210210-01-uaf-en", + "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210210-01-uaf-en" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "There is a use-after-free vulnerability in a Huawei product. A module cannot deal with specific operations in special scenarios. Attackers can exploit this vulnerability by performing malicious operations. This can cause memory use-after-free, compromising normal service. Affected product include some versions of NIP6300, NIP6600, NIP6800, S1700, S2700, S5700, S6700 , S7700, S9700, Secospace USG6300, Secospace USG6500, Secospace USG6600 and USG9500." } ] } diff --git a/2021/25xxx/CVE-2021-25917.json b/2021/25xxx/CVE-2021-25917.json index 88195350997..0e48cb20bfd 100644 --- a/2021/25xxx/CVE-2021-25917.json +++ b/2021/25xxx/CVE-2021-25917.json 
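Review bot: The product list and the description of the CVE-2021-22321 record disagree: `product_name` includes S12700 but not NIP6300, while the description lists NIP6300 but not S12700. The single `product_name` string also joins 13 products with semicolons while `version_data` carries 14 entries, so the version sets cannot be paired with products by position. One `product_data` entry per product, each with its own `version_data`, reconciled against the referenced Huawei advisory, would remove the ambiguity. Until that is corrected, asset owners are safer treating both NIP6300 and S12700 as potentially affected.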
@@ -4,14 +4,63 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-25917", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "openemr", + "version": { + "version_data": [ + { + "version_value": "5.0.2, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.2.4, 6.0.0" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-Site-Scripting" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f", + "url": "https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f" + }, + { + "refsource": "MISC", + "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25917", + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25917" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly. A highly privileged attacker could inject arbitrary code into input fields when creating a new user." } ] } diff --git a/2021/25xxx/CVE-2021-25918.json b/2021/25xxx/CVE-2021-25918.json index 513761ab5c7..ecbeb701b6e 100644 --- a/2021/25xxx/CVE-2021-25918.json +++ b/2021/25xxx/CVE-2021-25918.json 
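Review bot: The `description`, `version_value` and fix-commit reference added for CVE-2021-25917 are identical to those in the CVE-2021-25918 and CVE-2021-25919 hunks, so nothing in the three records says how the issues differ. If they cover distinct input fields of the new-user form (an inference; the records do not say), each description should name its field, the way the CVE-2021-25921 text names the `Allergies` section. All six OpenEMR records in this patch cite the same openemr/openemr commit and none states a fixed release, so patch verification has to go through that commit rather than a version number.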
@@ -4,14 +4,63 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-25918", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "openemr", + "version": { + "version_data": [ + { + "version_value": "5.0.2, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.2.4, 6.0.0" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-Site-Scripting" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f", + "url": "https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f" + }, + { + "refsource": "MISC", + "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25918", + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25918" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly. A highly privileged attacker could inject arbitrary code into input fields when creating a new user." } ] } diff --git a/2021/25xxx/CVE-2021-25919.json b/2021/25xxx/CVE-2021-25919.json index c79e7c02e2e..b4e034b7a8e 100644 --- a/2021/25xxx/CVE-2021-25919.json +++ b/2021/25xxx/CVE-2021-25919.json 
@@ -4,14 +4,63 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-25919", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "openemr", + "version": { + "version_data": [ + { + "version_value": "5.0.2, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.2.4, 6.0.0" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-Site-Scripting" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25919", + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25919" + }, + { + "refsource": "MISC", + "name": "https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f", + "url": "https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly. A highly privileged attacker could inject arbitrary code into input fields when creating a new user." } ] } diff --git a/2021/25xxx/CVE-2021-25920.json b/2021/25xxx/CVE-2021-25920.json index cc6325d347a..260aa609bc4 100644 --- a/2021/25xxx/CVE-2021-25920.json +++ b/2021/25xxx/CVE-2021-25920.json 
@@ -4,14 +4,63 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-25920", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "openemr", + "version": { + "version_data": [ + { + "version_value": "2.7.2-rc1, 2.7.2-rc2, 2.7.2, 2.7.3-rc1, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.9.0, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.2.3, 4.1.2.6, 4.1.2.7, 4.2.0, 4.2.0.3, 4.2.1, 4.2.2, 5.0.0, 5.0.0.5, 5.0.0.6, 5.0.1, 5.0.1.1, 5.0.1.2, 5.0.1.3, 5.0.1.4, 5.0.1.5, 5.0.1.6, 5.0.1.7, 5.0.2, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.2.4, 6.0.0" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper Access Control" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f", + "url": "https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f" + }, + { + "refsource": "MISC", + "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25920", + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25920" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "In OpenEMR, versions v2.7.2-rc1 to 6.0.0 are vulnerable to Improper Access Control when creating a new user, which leads to a malicious user able to read and send sensitive messages on behalf of the victim user." } ] } 
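Review bot: The CVE-2021-25920 description writes the lower bound as `v2.7.2-rc1`, while `version_value` in the same record and the sibling OpenEMR records use the bare form `2.7.2-rc1`; dropping the `v` keeps the range consistent for anyone string-matching versions. The clause "which leads to a malicious user able to read and send sensitive messages" is ungrammatical and leaves the attacker's starting privileges unstated, which matters when triaging an access-control flaw. A cleaner wording would be `which allows a malicious user to read and send sensitive messages on behalf of the victim user`, with the required privilege level added from the linked advisory.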
diff --git a/2021/25xxx/CVE-2021-25921.json b/2021/25xxx/CVE-2021-25921.json
index 3ddc0c3ed7b..9f8c10c3fef 100644
--- a/2021/25xxx/CVE-2021-25921.json
+++ b/2021/25xxx/CVE-2021-25921.json
@@ -4,14 +4,63 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-25921", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "openemr", + "version": { + "version_data": [ + { + "version_value": "2.7.3-rc1, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.9.0, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.2.3, 4.1.2.6, 4.1.2.7, 4.2.0, 4.2.0.3, 4.2.1, 4.2.2, 5.0.0, 5.0.0.5, 5.0.0.6, 5.0.1, 5.0.1.1, 5.0.1.2, 5.0.1.3, 5.0.1.4, 5.0.1.5, 5.0.1.6, 5.0.1.7, 5.0.2, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.2.4, 6.0.0" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-Site-Scripting" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f", + "url": "https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f" + }, + { + "refsource": "MISC", + "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25921", + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25921" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "In OpenEMR, versions 2.7.3-rc1 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly in the `Allergies` section. An attacker could lure an admin to enter a malicious payload and by that initiate the exploit." } ] } 
diff --git a/2021/25xxx/CVE-2021-25922.json b/2021/25xxx/CVE-2021-25922.json index 69528cbd176..d7c3aff4188 100644 --- a/2021/25xxx/CVE-2021-25922.json +++ b/2021/25xxx/CVE-2021-25922.json @@ -4,14 +4,63 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-25922", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "openemr", + "version": { + "version_data": [ + { + "version_value": "4.2.0, 4.2.0.3, 4.2.1, 4.2.2, 5.0.0, 5.0.0.5, 5.0.0.6, 5.0.1, 5.0.1.1, 5.0.1.2, 5.0.1.3, 5.0.1.4, 5.0.1.5, 5.0.1.6, 5.0.1.7, 5.0.2, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.2.4, 6.0.0" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-Site-Scripting" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f", + "url": "https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f" + }, + { + "refsource": "MISC", + "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25922", + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25922" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly. An attacker could trick a user to click on a malicious url and execute malicious code." } ] }