From 2c21526e6b237e2517f2efdb3c42e15632f4efba Mon Sep 17 00:00:00 2001 From: ncsc_brian Date: Tue, 30 Nov 2021 09:51:52 +0100 Subject: [PATCH] Added the following cves for topease: CVE-2021-42115, CVE-2021-42116, CVE-2021-42117, CVE-2021-42118, CVE-2021-42119, CVE-2021-42120, CVE-2021-42121, CVE-2021-42122, CVE-2021-42123, CVE-2021-42544, CVE-2021-42545 --- 2021/42xxx/CVE-2021-42115.json | 86 +++++++++++++++++++++++++++++--- 2021/42xxx/CVE-2021-42116.json | 86 +++++++++++++++++++++++++++++--- 2021/42xxx/CVE-2021-42117.json | 86 +++++++++++++++++++++++++++++--- 2021/42xxx/CVE-2021-42118.json | 86 +++++++++++++++++++++++++++++--- 2021/42xxx/CVE-2021-42119.json | 86 +++++++++++++++++++++++++++++--- 2021/42xxx/CVE-2021-42120.json | 86 +++++++++++++++++++++++++++++--- 2021/42xxx/CVE-2021-42121.json | 86 +++++++++++++++++++++++++++++--- 2021/42xxx/CVE-2021-42122.json | 86 +++++++++++++++++++++++++++++--- 2021/42xxx/CVE-2021-42123.json | 86 +++++++++++++++++++++++++++++--- 2021/42xxx/CVE-2021-42544.json | 90 +++++++++++++++++++++++++++++++--- 2021/42xxx/CVE-2021-42545.json | 86 +++++++++++++++++++++++++++++--- 11 files changed, 884 insertions(+), 66 deletions(-) diff --git a/2021/42xxx/CVE-2021-42115.json b/2021/42xxx/CVE-2021-42115.json index bf3c964023c..385060f098e 100644 --- a/2021/42xxx/CVE-2021-42115.json +++ b/2021/42xxx/CVE-2021-42115.json @@ -1,18 +1,92 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "vulnerability@ncsc.ch", "ID": "CVE-2021-42115", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Missing HTTPOnly flag on sensitive cookie in TopEase" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TopEase", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "7.1.27" + } + ] + } + } + ] + }, + "vendor_name": "Business-DNA Solutions GmbH" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "SIX Group Services AG, Cyber Controls" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Missing HTTPOnly flag in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an unauthenticated remote attacker to escalate privileges from unauthenticated to authenticated user via stealing and injecting the session- independent and static cookie UID." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes", + "refsource": "CONFIRM", + "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes" + } + ] + }, + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2021/42xxx/CVE-2021-42116.json b/2021/42xxx/CVE-2021-42116.json index 11d971936f0..de215660cac 100644 --- a/2021/42xxx/CVE-2021-42116.json +++ b/2021/42xxx/CVE-2021-42116.json @@ -1,18 +1,92 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "vulnerability@ncsc.ch", "ID": "CVE-2021-42116", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Unauthorized Menu Item Access in TopEase" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TopEase", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "7.1.27" + } + ] + } + } + ] + }, + "vendor_name": "Business-DNA Solutions GmbH" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "SIX Group Services AG, Cyber Controls" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Incorrect Access Control in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker to view the Shape Editor and Settings, which are functionality for higher privileged users, via identifying said components in the front-end source code or other means." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-284 Improper Access Control" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes", + "refsource": "CONFIRM", + "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes" + } + ] + }, + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2021/42xxx/CVE-2021-42117.json b/2021/42xxx/CVE-2021-42117.json index 6760500782f..a05fbc3a22c 100644 --- a/2021/42xxx/CVE-2021-42117.json +++ b/2021/42xxx/CVE-2021-42117.json @@ -1,18 +1,92 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "vulnerability@ncsc.ch", "ID": "CVE-2021-42117", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "UI Redressing in TopEase" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TopEase", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "7.1.27" + } + ] + } + } + ] + }, + "vendor_name": "Business-DNA Solutions GmbH" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "SIX Group Services AG, Cyber Controls" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker with Object Modification privileges to insert \narbitrary HTML without code execution." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 3.5, + "baseSeverity": "LOW", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-20 Improper Input Validation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes", + "refsource": "CONFIRM", + "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes" + } + ] + }, + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2021/42xxx/CVE-2021-42118.json b/2021/42xxx/CVE-2021-42118.json index f71d8db6dcb..51a8566da65 100644 --- a/2021/42xxx/CVE-2021-42118.json +++ b/2021/42xxx/CVE-2021-42118.json @@ -1,18 +1,92 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "vulnerability@ncsc.ch", "ID": "CVE-2021-42118", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Stored XSS in TopEase" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TopEase", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "7.1.27" + } + ] + } + } + ] + }, + "vendor_name": "Business-DNA Solutions GmbH" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "SIX Group Services AG, Cyber Controls" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Persistent Cross Site Scripting in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 via the Structure Component allows an authenticated remote attacker with Object Modification privileges to inject arbitrary HTML and JavaScript code in an object attribute, which is then rendered in the Structure Component, to alter the intended functionality and steal cookies, the latter allowing for account takeover." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes", + "refsource": "CONFIRM", + "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes" + } + ] + }, + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2021/42xxx/CVE-2021-42119.json b/2021/42xxx/CVE-2021-42119.json index fa3a51e3b02..5e2a02cfffb 100644 --- a/2021/42xxx/CVE-2021-42119.json +++ b/2021/42xxx/CVE-2021-42119.json @@ -1,18 +1,92 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "vulnerability@ncsc.ch", "ID": "CVE-2021-42119", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Stored XSS in Search Function in TopEase" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TopEase", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "7.1.27" + } + ] + } + } + ] + }, + "vendor_name": "Business-DNA Solutions GmbH" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "SIX Group Services AG, Cyber Controls" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Persistent Cross Site Scripting in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 via the Search Functionality allows authenticated users with Object Modification privileges to inject arbitrary HTML and JavaScript in object attributes, which is then rendered in the Search Functionality, to alter the intended functionality and steal cookies, the latter allowing for account takeover." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.3, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes", + "refsource": "CONFIRM", + "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes" + } + ] + }, + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2021/42xxx/CVE-2021-42120.json b/2021/42xxx/CVE-2021-42120.json index 0d36a7c48cf..366e9a5d151 100644 --- a/2021/42xxx/CVE-2021-42120.json +++ b/2021/42xxx/CVE-2021-42120.json @@ -1,18 +1,92 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "vulnerability@ncsc.ch", "ID": "CVE-2021-42120", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Missing Character Length (Denial of Service) in TopEase" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TopEase", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "7.1.27" + } + ] + } + } + ] + }, + "vendor_name": "Business-DNA Solutions GmbH" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "SIX Group Services AG, Cyber Controls" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 on all object attributes allows an authenticated remote attacker with Object Modification privileges to insert arbitrarily long strings, eventually leading to exhaustion of the underlying resource." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-20 Improper Input Validation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes", + "refsource": "CONFIRM", + "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes" + } + ] + }, + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2021/42xxx/CVE-2021-42121.json b/2021/42xxx/CVE-2021-42121.json index 919da2b0434..db73da3d57d 100644 --- a/2021/42xxx/CVE-2021-42121.json +++ b/2021/42xxx/CVE-2021-42121.json @@ -1,18 +1,92 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "vulnerability@ncsc.ch", "ID": "CVE-2021-42121", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Denial of Service via Invalid Date Format in TopEase" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TopEase", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "7.1.27" + } + ] + } + } + ] + }, + "vendor_name": "Business-DNA Solutions GmbH" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "SIX Group Services AG, Cyber Controls" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 on an object’s date attribute(s) allows an authenticated remote attacker with Object Modification privileges to insert an unexpected format into date fields, which leads to breaking the object page that the date field is present." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-20 Improper Input Validation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes", + "refsource": "CONFIRM", + "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes" + } + ] + }, + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2021/42xxx/CVE-2021-42122.json b/2021/42xxx/CVE-2021-42122.json index 827aa661e0d..138b4471530 100644 --- a/2021/42xxx/CVE-2021-42122.json +++ b/2021/42xxx/CVE-2021-42122.json @@ -1,18 +1,92 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "vulnerability@ncsc.ch", "ID": "CVE-2021-42122", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Denial of Service via Invalid Object Attribute in TopEase" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TopEase", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "7.1.27" + } + ] + } + } + ] + }, + "vendor_name": "Business-DNA Solutions GmbH" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "SIX Group Services AG, Cyber Controls" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 on an object’s attributes with numeric format allows an authenticated remote attacker with Object Modification privileges to insert an unexpected format, which makes the affected attribute non-editable." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-20 Improper Input Validation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes", + "refsource": "CONFIRM", + "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes" + } + ] + }, + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2021/42xxx/CVE-2021-42123.json b/2021/42xxx/CVE-2021-42123.json index 27c236e3311..acc84bc93fa 100644 --- a/2021/42xxx/CVE-2021-42123.json +++ b/2021/42xxx/CVE-2021-42123.json @@ -1,18 +1,92 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "vulnerability@ncsc.ch", "ID": "CVE-2021-42123", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Missing Upload Filter in TopEase" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TopEase", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "7.1.27" + } + ] + } + } + ] + }, + "vendor_name": "Business-DNA Solutions GmbH" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "SIX Group Services AG, Cyber Controls" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Unrestricted File Upload in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 in the File Upload Functions allows an authenticated remote attacker with Upload privileges to upload files with any file type, enabling client-side attacks." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.3, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-434 Unrestricted Upload of File with Dangerous Type" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes", + "refsource": "CONFIRM", + "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes" + } + ] + }, + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2021/42xxx/CVE-2021-42544.json b/2021/42xxx/CVE-2021-42544.json index 6a07ff71991..eea54a01677 100644 --- a/2021/42xxx/CVE-2021-42544.json +++ b/2021/42xxx/CVE-2021-42544.json @@ -1,18 +1,96 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "vulnerability@ncsc.ch", "ID": "CVE-2021-42544", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Lack of Rate limiting in Authentication in TopEase" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TopEase", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "7.1.28" + }, + { + "version_affected": "?>", + "version_value": "7.1.28" + } + ] + } + } + ] + }, + "vendor_name": "Business-DNA Solutions GmbH" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "SIX Group Services AG, Cyber Controls" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Missing Rate Limiting in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 on the Login Form allows an unauthenticated remote attacker to perform multiple login attempts, which facilitates gaining privileges." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-307 Improper Restriction of Excessive Authentication Attempts" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes", + "refsource": "CONFIRM", + "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes" + } + ] + }, + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2021/42xxx/CVE-2021-42545.json b/2021/42xxx/CVE-2021-42545.json index 774b96e7f60..f1b50721a53 100644 --- a/2021/42xxx/CVE-2021-42545.json +++ b/2021/42xxx/CVE-2021-42545.json @@ -1,18 +1,92 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "vulnerability@ncsc.ch", "ID": "CVE-2021-42545", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Insufficient Session Expiration in TopEase" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TopEase", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "7.1.27" + } + ] + } + } + ] + }, + "vendor_name": "Business-DNA Solutions GmbH" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "SIX Group Services AG, Cyber Controls" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An insufficient session expiration vulnerability exists in Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions. " } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-613 Insufficient Session Expiration" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes", + "refsource": "CONFIRM", + "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes" + } + ] + }, + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file