From 2dcc43e124bca0ca59c08a92c4927df3384530b2 Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Tue, 21 Nov 2023 20:00:36 +0000
Subject: [PATCH] "-Synchronized-Data."
---
 2023/47xxx/CVE-2023-47643.json | 86 +++++++++++++++++++++++++--
 2023/48xxx/CVE-2023-48226.json | 105 +++++++++++++++++++++++++++++++--
 2023/49xxx/CVE-2023-49100.json | 18 ++++++
 2023/49xxx/CVE-2023-49101.json | 18 ++++++
 2023/6xxx/CVE-2023-6246.json | 18 ++++++
 5 files changed, 237 insertions(+), 8 deletions(-)
 create mode 100644 2023/49xxx/CVE-2023-49100.json
 create mode 100644 2023/49xxx/CVE-2023-49101.json
 create mode 100644 2023/6xxx/CVE-2023-6246.json
diff --git a/2023/47xxx/CVE-2023-47643.json b/2023/47xxx/CVE-2023-47643.json
index 71351cbb932..e176fec86ad 100644
--- a/2023/47xxx/CVE-2023-47643.json
+++ b/2023/47xxx/CVE-2023-47643.json
@@ -1,17 +1,95 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2023-47643",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security-advisories@github.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
+ "cweId": "CWE-200"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "salesagility",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "SuiteCRM-Core",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "< 8.4.2"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr",
+ "refsource": "MISC",
+ "name": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr"
+ },
+ {
+ "url": "https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c91222606bf00677eeb33",
+ "refsource": "MISC",
+ "name": "https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c91222606bf00677eeb33"
+ },
+ {
+ "url": "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/",
+ "refsource": "MISC",
+ "name": "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-fxww-jqfv-9rrr",
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 3.1,
+ "baseSeverity": "LOW",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
+ "version": "3.1"
 }
 ]
 }
diff --git a/2023/48xxx/CVE-2023-48226.json b/2023/48xxx/CVE-2023-48226.json
index 584a6a98cf1..263f65e166c 100644
--- a/2023/48xxx/CVE-2023-48226.json
+++ b/2023/48xxx/CVE-2023-48226.json
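Review bot: In CVE-2023-47643.json the `version_data` entry pairs `"version_affected": "="` with `"version_value": "< 8.4.2"`, so the range operator sits inside the value string and a consumer that matches on `version_affected` will treat this as one literal version instead of every release before 8.4.2. Putting the range in the field meant for it, `"version_affected": "<"` with `"version_value": "8.4.2"`, lets scanners and SBOM matchers flag affected installs without string parsing; the same pattern appears in CVE-2023-48226.json as `"version_value": "= 1.14.0"`, where `"version_value": "1.14.0"` would do. The description says introspection is reachable "without authentication" while the vector carries `PR:L`, so one of the two probably needs reconciling against GHSA-fxww-jqfv-9rrr. "exposing the scheme" in the description looks like a typo for "schema".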
@@ -1,17 +1,114 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2023-48226",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security-advisories@github.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "OpenReplay is a self-hosted session replay suite. In version 1.14.0, due to lack of validation Name field - Account Settings (for registration looks like validation is correct), a bad actor can send emails with HTML injected code to the victims. Bad actors can use this to phishing actions for example. Email is really send from OpenReplay, but bad actors can add there HTML code injected (content spoofing). Please notice that during Registration steps for FullName looks like is validated correct - can not type there, but using this kind of bypass/workaround - bad actors can achieve own goal. As of time of publication, no known fixes or workarounds are available."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-20: Improper Input Validation",
+ "cweId": "CWE-20"
+ }
+ ]
+ },
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-94: Improper Control of Generation of Code ('Code Injection')",
+ "cweId": "CWE-94"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "openreplay",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "openreplay",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "= 1.14.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://github.com/openreplay/openreplay/security/advisories/GHSA-xpfv-454c-3fj4",
+ "refsource": "MISC",
+ "name": "https://github.com/openreplay/openreplay/security/advisories/GHSA-xpfv-454c-3fj4"
+ },
+ {
+ "url": "https://bugcrowd.com/vulnerability-rating-taxonomy",
+ "refsource": "MISC",
+ "name": "https://bugcrowd.com/vulnerability-rating-taxonomy"
+ },
+ {
+ "url": "https://capec.mitre.org/data/definitions/242.html",
+ "refsource": "MISC",
+ "name": "https://capec.mitre.org/data/definitions/242.html"
+ },
+ {
+ "url": "https://cwe.mitre.org/data/definitions/20.html",
+ "refsource": "MISC",
+ "name": "https://cwe.mitre.org/data/definitions/20.html"
+ },
+ {
+ "url": "https://github.com/openreplay/openreplay/blob/main/api/chalicelib/utils/html/invitation.html#L421",
+ "refsource": "MISC",
+ "name": "https://github.com/openreplay/openreplay/blob/main/api/chalicelib/utils/html/invitation.html#L421"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-xpfv-454c-3fj4",
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ "version": "3.1"
 }
 ]
 }
diff --git a/2023/49xxx/CVE-2023-49100.json b/2023/49xxx/CVE-2023-49100.json
new file mode 100644
index 00000000000..09066ed3496
--- /dev/null
+++ b/2023/49xxx/CVE-2023-49100.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2023-49100",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2023/49xxx/CVE-2023-49101.json b/2023/49xxx/CVE-2023-49101.json
new file mode 100644
index 00000000000..dc6dce98f99
--- /dev/null
+++ b/2023/49xxx/CVE-2023-49101.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2023-49101",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2023/6xxx/CVE-2023-6246.json b/2023/6xxx/CVE-2023-6246.json
new file mode 100644
index 00000000000..24efee51125
--- /dev/null
+++ b/2023/6xxx/CVE-2023-6246.json
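Review bot: In CVE-2023-48226.json the CVSS block scores the issue as `C:N/I:N/A:H`, but the description is about HTML injected into e-mails that OpenReplay itself sends (content spoofing, phishing), which reads as an integrity impact with no stated availability loss; triage that sorts on the vector will file this as a denial-of-service issue. The vector should be checked against GHSA-xpfv-454c-3fj4 and corrected if the advisory agrees with the description text. The second problem type, CWE-94 (code injection), also looks broader than what the text supports, since HTML injection into a mail template is more commonly filed under an output-neutralization weakness such as CWE-74 or CWE-79; worth confirming with the CNA. The last reference points at `blob/main/api/chalicelib/utils/html/invitation.html#L421`, and pinning it to a commit hash instead of `main` would keep the line anchor on the affected template line once the file changes.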
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2023-6246",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file