From 2ce95726b61193412133269481e243258b228c1e Mon Sep 17 00:00:00 2001 From: CVE Team Date: Wed, 18 Nov 2020 18:01:55 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2020/26xxx/CVE-2020-26068.json | 4 +-- 2020/26xxx/CVE-2020-26072.json | 4 +-- 2020/26xxx/CVE-2020-26075.json | 4 +-- 2020/26xxx/CVE-2020-26076.json | 4 +-- 2020/26xxx/CVE-2020-26077.json | 4 +-- 2020/26xxx/CVE-2020-26078.json | 4 +-- 2020/26xxx/CVE-2020-26079.json | 4 +-- 2020/26xxx/CVE-2020-26080.json | 4 +-- 2020/26xxx/CVE-2020-26081.json | 4 +-- 2020/26xxx/CVE-2020-26097.json | 56 ++++++++++++++++++++++++++++++---- 2020/28xxx/CVE-2020-28928.json | 18 +++++++++++ 11 files changed, 86 insertions(+), 24 deletions(-) create mode 100644 2020/28xxx/CVE-2020-28928.json diff --git a/2020/26xxx/CVE-2020-26068.json b/2020/26xxx/CVE-2020-26068.json index 09a93783a3a..32192477567 100644 --- a/2020/26xxx/CVE-2020-26068.json +++ b/2020/26xxx/CVE-2020-26068.json @@ -36,7 +36,7 @@ "description_data": [ { "lang": "eng", - "value": "\r A vulnerability in the xAPI service of Cisco Telepresence CE Software and Cisco RoomOS Software could allow an authenticated, remote attacker to generate an access token for an affected device.\r The vulnerability is due to insufficient access authorization. An attacker could exploit this vulnerability by using the xAPI service to generate a specific token. A successful exploit could allow the attacker to use the generated token to enable experimental features on the device that should not be available to users.\r " + "value": "A vulnerability in the xAPI service of Cisco Telepresence CE Software and Cisco RoomOS Software could allow an authenticated, remote attacker to generate an access token for an affected device. The vulnerability is due to insufficient access authorization. An attacker could exploit this vulnerability by using the xAPI service to generate a specific token. A successful exploit could allow the attacker to use the generated token to enable experimental features on the device that should not be available to users." } ] }, @@ -83,4 +83,4 @@ ], "discovery": "INTERNAL" } -} +} \ No newline at end of file diff --git a/2020/26xxx/CVE-2020-26072.json b/2020/26xxx/CVE-2020-26072.json index 31fdcc7d8cc..8fc95880918 100644 --- a/2020/26xxx/CVE-2020-26072.json +++ b/2020/26xxx/CVE-2020-26072.json @@ -36,7 +36,7 @@ "description_data": [ { "lang": "eng", - "value": " A vulnerability in the SOAP API of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to access and modify information on devices that belong to a different domain. The vulnerability is due to insufficient authorization in the SOAP API. An attacker could exploit this vulnerability by sending SOAP API requests to affected devices for devices that are outside their authorized domain. A successful exploit could allow the attacker to access and modify information on devices that belong to a different domain. " + "value": "A vulnerability in the SOAP API of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to access and modify information on devices that belong to a different domain. The vulnerability is due to insufficient authorization in the SOAP API. An attacker could exploit this vulnerability by sending SOAP API requests to affected devices for devices that are outside their authorized domain. A successful exploit could allow the attacker to access and modify information on devices that belong to a different domain." } ] }, @@ -83,4 +83,4 @@ ], "discovery": "INTERNAL" } -} +} \ No newline at end of file diff --git a/2020/26xxx/CVE-2020-26075.json b/2020/26xxx/CVE-2020-26075.json index c80d6db2e7f..5e23f08c008 100644 --- a/2020/26xxx/CVE-2020-26075.json +++ b/2020/26xxx/CVE-2020-26075.json @@ -36,7 +36,7 @@ "description_data": [ { "lang": "eng", - "value": "\r A vulnerability in the REST API of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to gain access to the back-end database of an affected device.\r The vulnerability is due to insufficient input validation of REST API requests that are made to an affected device. An attacker could exploit this vulnerability by crafting malicious API requests to the affected device. A successful exploit could allow the attacker to gain access to the back-end database of the affected device.\r " + "value": "A vulnerability in the REST API of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to gain access to the back-end database of an affected device. The vulnerability is due to insufficient input validation of REST API requests that are made to an affected device. An attacker could exploit this vulnerability by crafting malicious API requests to the affected device. A successful exploit could allow the attacker to gain access to the back-end database of the affected device." } ] }, @@ -83,4 +83,4 @@ ], "discovery": "INTERNAL" } -} +} \ No newline at end of file diff --git a/2020/26xxx/CVE-2020-26076.json b/2020/26xxx/CVE-2020-26076.json index 3e3cc167790..ed53291de9d 100644 --- a/2020/26xxx/CVE-2020-26076.json +++ b/2020/26xxx/CVE-2020-26076.json @@ -36,7 +36,7 @@ "description_data": [ { "lang": "eng", - "value": "\r A vulnerability in Cisco IoT Field Network Director (FND) could allow an unauthenticated, remote attacker to view sensitive database information on an affected device.\r The vulnerability is due to the absence of authentication for sensitive information. An attacker could exploit this vulnerability by sending crafted curl commands to an affected device. A successful exploit could allow the attacker to view sensitive database information on the affected device.\r " + "value": "A vulnerability in Cisco IoT Field Network Director (FND) could allow an unauthenticated, remote attacker to view sensitive database information on an affected device. The vulnerability is due to the absence of authentication for sensitive information. An attacker could exploit this vulnerability by sending crafted curl commands to an affected device. A successful exploit could allow the attacker to view sensitive database information on the affected device." } ] }, @@ -83,4 +83,4 @@ ], "discovery": "INTERNAL" } -} +} \ No newline at end of file diff --git a/2020/26xxx/CVE-2020-26077.json b/2020/26xxx/CVE-2020-26077.json index d2bb4a623f7..2152352808b 100644 --- a/2020/26xxx/CVE-2020-26077.json +++ b/2020/26xxx/CVE-2020-26077.json @@ -36,7 +36,7 @@ "description_data": [ { "lang": "eng", - "value": "\r A vulnerability in the access control functionality of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to view lists of users from different domains that are configured on an affected system.\r The vulnerability is due to improper access control. An attacker could exploit this vulnerability by sending an API request that alters the domain for a requested user list on an affected system. A successful exploit could allow the attacker to view lists of users from different domains on the affected system.\r " + "value": "A vulnerability in the access control functionality of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to view lists of users from different domains that are configured on an affected system. The vulnerability is due to improper access control. An attacker could exploit this vulnerability by sending an API request that alters the domain for a requested user list on an affected system. A successful exploit could allow the attacker to view lists of users from different domains on the affected system." } ] }, @@ -83,4 +83,4 @@ ], "discovery": "INTERNAL" } -} +} \ No newline at end of file diff --git a/2020/26xxx/CVE-2020-26078.json b/2020/26xxx/CVE-2020-26078.json index e70a187d4c2..547bf06e96f 100644 --- a/2020/26xxx/CVE-2020-26078.json +++ b/2020/26xxx/CVE-2020-26078.json @@ -36,7 +36,7 @@ "description_data": [ { "lang": "eng", - "value": "\r A vulnerability in the file system of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to overwrite files on an affected system.\r The vulnerability is due to insufficient file system protections. An attacker could exploit this vulnerability by crafting API requests and sending them to an affected system. A successful exploit could allow the attacker to overwrite files on an affected system.\r " + "value": "A vulnerability in the file system of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to overwrite files on an affected system. The vulnerability is due to insufficient file system protections. An attacker could exploit this vulnerability by crafting API requests and sending them to an affected system. A successful exploit could allow the attacker to overwrite files on an affected system." } ] }, @@ -83,4 +83,4 @@ ], "discovery": "INTERNAL" } -} +} \ No newline at end of file diff --git a/2020/26xxx/CVE-2020-26079.json b/2020/26xxx/CVE-2020-26079.json index 713d35f6e08..17e506185a1 100644 --- a/2020/26xxx/CVE-2020-26079.json +++ b/2020/26xxx/CVE-2020-26079.json @@ -36,7 +36,7 @@ "description_data": [ { "lang": "eng", - "value": "\r A vulnerability in the web UI of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to obtain hashes of user passwords on an affected device.\r The vulnerability is due to insufficient protection of user credentials. An attacker could exploit this vulnerability by logging in as an administrative user and crafting a call for user information. A successful exploit could allow the attacker to obtain hashes of user passwords on an affected device.\r " + "value": "A vulnerability in the web UI of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to obtain hashes of user passwords on an affected device. The vulnerability is due to insufficient protection of user credentials. An attacker could exploit this vulnerability by logging in as an administrative user and crafting a call for user information. A successful exploit could allow the attacker to obtain hashes of user passwords on an affected device." } ] }, @@ -83,4 +83,4 @@ ], "discovery": "INTERNAL" } -} +} \ No newline at end of file diff --git a/2020/26xxx/CVE-2020-26080.json b/2020/26xxx/CVE-2020-26080.json index 723c2305267..81257e8fe24 100644 --- a/2020/26xxx/CVE-2020-26080.json +++ b/2020/26xxx/CVE-2020-26080.json @@ -36,7 +36,7 @@ "description_data": [ { "lang": "eng", - "value": "\r A vulnerability in the user management functionality of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to manage user information for users in different domains on an affected system.\r The vulnerability is due to improper domain access control. An attacker could exploit this vulnerability by manipulating JSON payloads to target different domains on an affected system. A successful exploit could allow the attacker to manage user information for users in different domains on an affected system.\r " + "value": "A vulnerability in the user management functionality of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to manage user information for users in different domains on an affected system. The vulnerability is due to improper domain access control. An attacker could exploit this vulnerability by manipulating JSON payloads to target different domains on an affected system. A successful exploit could allow the attacker to manage user information for users in different domains on an affected system." } ] }, @@ -83,4 +83,4 @@ ], "discovery": "INTERNAL" } -} +} \ No newline at end of file diff --git a/2020/26xxx/CVE-2020-26081.json b/2020/26xxx/CVE-2020-26081.json index 75abdd11546..50926feec12 100644 --- a/2020/26xxx/CVE-2020-26081.json +++ b/2020/26xxx/CVE-2020-26081.json @@ -36,7 +36,7 @@ "description_data": [ { "lang": "eng", - "value": "\r Multiple vulnerabilities in the web UI of Cisco IoT Field Network Director (FND) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against users on an affected system.\r The vulnerabilities are due to insufficient validation of user-supplied input that is processed by the web UI. An attacker could exploit these vulnerabilities by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information on an affected system.\r " + "value": "Multiple vulnerabilities in the web UI of Cisco IoT Field Network Director (FND) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against users on an affected system. The vulnerabilities are due to insufficient validation of user-supplied input that is processed by the web UI. An attacker could exploit these vulnerabilities by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information on an affected system." } ] }, @@ -86,4 +86,4 @@ ], "discovery": "INTERNAL" } -} +} \ No newline at end of file diff --git a/2020/26xxx/CVE-2020-26097.json b/2020/26xxx/CVE-2020-26097.json index 5dfe3aea357..cf67518ca1b 100644 --- a/2020/26xxx/CVE-2020-26097.json +++ b/2020/26xxx/CVE-2020-26097.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2020-26097", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2020-26097", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "** UNSUPPORTED WHEN ASSIGNED ** The firmware of the PLANET Technology Corp NVR-915 and NVR-1615 before 2020-10-28 embeds default credentials for root access via telnet. By exposing telnet on the Internet, remote root access on the device is possible. NOTE: This vulnerability only affects products that are no longer supported by the maintainer." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://www.sec-research.com/1604584604-hard-coded-credentials-in-netzwerk-videorekorder-planet-nvr-915.html", + "url": "https://www.sec-research.com/1604584604-hard-coded-credentials-in-netzwerk-videorekorder-planet-nvr-915.html" } ] } diff --git a/2020/28xxx/CVE-2020-28928.json b/2020/28xxx/CVE-2020-28928.json new file mode 100644 index 00000000000..37cb2bf1cae --- /dev/null +++ b/2020/28xxx/CVE-2020-28928.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2020-28928", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file