ZDI assigns the following CVEs:

M 2020/27xxx/CVE-2020-27858.json M 2020/27xxx/CVE-2020-27859.json
2025-08-04 08:44:25 +00:00 · 2021-01-14 13:02:19 -06:00 · 2021-01-14 13:02:19 -06:00 · 3637509ed1
commit 3637509ed1
parent 7c1bdbb09c
2 changed files with 130 additions and 32 deletions
--- a/2020/27xxx/CVE-2020-27858.json
+++ b/2020/27xxx/CVE-2020-27858.json
@ -1,18 +1,67 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
-    "CVE_data_meta": {
-        "ID": "CVE-2020-27858",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
-    },
-    "description": {
-        "description_data": [
-            {
-                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
-            }
-        ]
+  "CVE_data_meta": {
+    "ASSIGNER": "zdi-disclosures@trendmicro.com",
+    "ID": "CVE-2020-27858",
+    "STATE": "PUBLIC"
+  },
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "product": {
+            "product_data": [
+              {
+                "product_name": "D2D",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_value": "16.5"
+                    }
+                  ]
+                }
+              }
+            ]
+          },
+          "vendor_name": "Arcserve"
+        }
+      ]
    }
-}
+  },
+  "credit": "rgod",
+  "data_format": "MITRE",
+  "data_type": "CVE",
+  "data_version": "4.0",
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of CA Arcserve D2D 16.5. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the getNews method. Due to the improper restriction of XML External Entity (XXE) references, a specially-crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-11103."
+      }
+    ]
+  },
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "CWE-611: Improper Restriction of XML External Entity Reference ('XXE')"
+          }
+        ]
+      }
+    ]
+  },
+  "references": {
+    "reference_data": [
+      {
+        "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1397/"
+      }
+    ]
+  },
+  "impact": {
+    "cvss": {
+      "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+      "version": "3.0"
+    }
+  }
+}
--- a/2020/27xxx/CVE-2020-27859.json
+++ b/2020/27xxx/CVE-2020-27859.json
@ -1,18 +1,67 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
-    "CVE_data_meta": {
-        "ID": "CVE-2020-27859",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
-    },
-    "description": {
-        "description_data": [
-            {
-                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
-            }
-        ]
+  "CVE_data_meta": {
+    "ASSIGNER": "zdi-disclosures@trendmicro.com",
+    "ID": "CVE-2020-27859",
+    "STATE": "PUBLIC"
+  },
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "product": {
+            "product_data": [
+              {
+                "product_name": "ESMPRO Manager",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_value": "6.42"
+                    }
+                  ]
+                }
+              }
+            ]
+          },
+          "vendor_name": "NEC"
+        }
+      ]
    }
-}
+  },
+  "credit": "rgod",
+  "data_format": "MITRE",
+  "data_type": "CVE",
+  "data_version": "4.0",
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of NEC ESMPRO Manager 6.42. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the GetEuaLogDownloadAction class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-9607."
+      }
+    ]
+  },
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+          }
+        ]
+      }
+    ]
+  },
+  "references": {
+    "reference_data": [
+      {
+        "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-736/"
+      }
+    ]
+  },
+  "impact": {
+    "cvss": {
+      "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+      "version": "3.0"
+    }
+  }
+}