admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-05-06 02:32:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2025-01-03 18:00:57 +00:00
parent 22cbd16f34
commit 40e7893a49
No known key found for this signature in database
GPG Key ID: BC5FD8F2443B23B7
22 changed files with 1243 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
2024/53xxx/CVE-2024-53473.json
View File

@ -71,6 +71,11 @@
"refsource": "MISC",
"name": "https://github.com/nilsonLazarin/WeGIA/issues/791",
"url": "https://github.com/nilsonLazarin/WeGIA/issues/791"
},
{
"refsource": "MISC",
"name": "https://github.com/nmmorette/vulnerability-research/blob/main/CVE-2024-53473/README.md",
"url": "https://github.com/nmmorette/vulnerability-research/blob/main/CVE-2024-53473/README.md"
}
]
}

56
2024/55xxx/CVE-2024-55507.json
View File

@ -1,17 +1,61 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-55507",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2024-55507",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "An issue in CodeAstro Complaint Management System v.1.0 allows a remote attacker to escalate privileges via the delete_e.php component."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://github.com/CV1523/CVEs/blob/main/CVE-2024-55507.md",
"url": "https://github.com/CV1523/CVEs/blob/main/CVE-2024-55507.md"
}
]
}

73
2024/56xxx/CVE-2024-56320.json
View File

@ -1,18 +1,83 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-56320",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "GoCD is a continuous deliver server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin \"Configuration XML\" UI feature, and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD user account could abuse this vulnerability to access information intended only for GoCD admins, or to escalate their privileges to that of a GoCD admin in a persistent manner. it is not possible for this vulnerability to be abused prior to authentication/login. The issue is fixed in GoCD 24.5.0. GoCD users who are not able to immediate upgrade can mitigate this issue by using a reverse proxy, WAF or similar to externally block access paths with a `/go/rails/` prefix. Blocking this route causes no loss of functionality. If it is not possible to upgrade or block the above route, consider reducing the GoCD user base to more trusted set of users, including temporarily disabling use of plugins such as the guest-login-plugin, which allow limited anonymous access as a regular user account."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285: Improper Authorization",
"cweId": "CWE-285"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "gocd",
"product": {
"product_data": [
{
"product_name": "gocd",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "< 24.5.0"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-346h-q594-rj8j",
"refsource": "MISC",
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-346h-q594-rj8j"
},
{
"url": "https://github.com/gocd/gocd/commit/68b598b97bd283a5a85e20d018d69fe86acf4165",
"refsource": "MISC",
"name": "https://github.com/gocd/gocd/commit/68b598b97bd283a5a85e20d018d69fe86acf4165"
},
{
"url": "https://github.com/gocd/gocd/releases/tag/24.5.0",
"refsource": "MISC",
"name": "https://github.com/gocd/gocd/releases/tag/24.5.0"
},
{
"url": "https://www.gocd.org/releases/#24-5-0",
"refsource": "MISC",
"name": "https://www.gocd.org/releases/#24-5-0"
}
]
},
"source": {
"advisory": "GHSA-346h-q594-rj8j",
"discovery": "UNKNOWN"
}
}

100
2024/56xxx/CVE-2024-56321.json
View File

@ -1,17 +1,109 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-56321",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "GoCD is a continuous deliver server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration \"post-backup script\" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that GoCD runs on, in order to manage artifact storage and other service-level configuration options. Additionally, since a GoCD admin has ability to configure and schedule pipelines tasks on all GoCD agents available to the server, the fundamental functionality of GoCD allows co-ordinated task execution similar to that of post-backup-scripts. However in restricted environments where the host administration is separated from the role of a GoCD admin, this may be unexpected. The issue is fixed in GoCD 24.5.0. Post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server. No known workarounds are available."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation",
"cweId": "CWE-20"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-36: Absolute Path Traversal",
"cweId": "CWE-36"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "gocd",
"product": {
"product_data": [
{
"product_name": "gocd",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 18.9.0, < 24.5.0"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-7jr3-gh3w-vjxq",
"refsource": "MISC",
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-7jr3-gh3w-vjxq"
},
{
"url": "https://github.com/gocd/gocd/commit/631f315d17fcb73f310eee6c881974c9b55ca9f0",
"refsource": "MISC",
"name": "https://github.com/gocd/gocd/commit/631f315d17fcb73f310eee6c881974c9b55ca9f0"
},
{
"url": "https://github.com/gocd/gocd/releases/tag/24.5.0",
"refsource": "MISC",
"name": "https://github.com/gocd/gocd/releases/tag/24.5.0"
},
{
"url": "https://www.gocd.org/releases/#24-5-0",
"refsource": "MISC",
"name": "https://www.gocd.org/releases/#24-5-0"
}
]
},
"source": {
"advisory": "GHSA-7jr3-gh3w-vjxq",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
]
}

73
2024/56xxx/CVE-2024-56322.json
View File

@ -1,18 +1,83 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-56322",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than that they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611: Improper Restriction of XML External Entity Reference",
"cweId": "CWE-611"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "gocd",
"product": {
"product_data": [
{
"product_name": "gocd",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 16.7.0, < 24.5.0"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7",
"refsource": "MISC",
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7"
},
{
"url": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733",
"refsource": "MISC",
"name": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733"
},
{
"url": "https://github.com/gocd/gocd/releases/tag/24.5.0",
"refsource": "MISC",
"name": "https://github.com/gocd/gocd/releases/tag/24.5.0"
},
{
"url": "https://www.gocd.org/releases/#24-5-0",
"refsource": "MISC",
"name": "https://www.gocd.org/releases/#24-5-0"
}
]
},
"source": {
"advisory": "GHSA-8xwx-hf68-8xq7",
"discovery": "UNKNOWN"
}
}

73
2024/56xxx/CVE-2024-56324.json
View File

@ -1,18 +1,83 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-56324",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD \"group admins\" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one's \"group admin\" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one's GoCD server to arbitrary locations using some kind of environment egress control."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611: Improper Restriction of XML External Entity Reference",
"cweId": "CWE-611"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "gocd",
"product": {
"product_data": [
{
"product_name": "gocd",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "< 24.5.0"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78",
"refsource": "MISC",
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78"
},
{
"url": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733",
"refsource": "MISC",
"name": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733"
},
{
"url": "https://github.com/gocd/gocd/releases/tag/24.5.0",
"refsource": "MISC",
"name": "https://github.com/gocd/gocd/releases/tag/24.5.0"
},
{
"url": "https://www.gocd.org/releases/#24-5-0",
"refsource": "MISC",
"name": "https://www.gocd.org/releases/#24-5-0"
}
]
},
"source": {
"advisory": "GHSA-3w9f-fgr5-5g78",
"discovery": "UNKNOWN"
}
}

75
2024/56xxx/CVE-2024-56365.json
View File

@ -1,18 +1,85 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-56365",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the `Downloader` class. Using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "PHPOffice",
"product": {
"product_data": [
{
"product_name": "PhpSpreadsheet",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 3.0.0, < 3.7.0"
},
{
"version_affected": "=",
"version_value": "< 1.29.7"
},
{
"version_affected": "=",
"version_value": ">= 2.0.0, < 2.1.6"
},
{
"version_affected": "=",
"version_value": ">= 2.2.0, < 2.3.5"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-jmpx-686v-c3wx",
"refsource": "MISC",
"name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-jmpx-686v-c3wx"
},
{
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4#diff-fbb0f53a5c68eeeffaa9ab35552c0b01740396f1a4045af5d2935ec2a62a7816",
"refsource": "MISC",
"name": "https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4#diff-fbb0f53a5c68eeeffaa9ab35552c0b01740396f1a4045af5d2935ec2a62a7816"
}
]
},
"source": {
"advisory": "GHSA-jmpx-686v-c3wx",
"discovery": "UNKNOWN"
}
}

75
2024/56xxx/CVE-2024-56366.json
View File

@ -1,18 +1,85 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-56366",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Accounting.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "PHPOffice",
"product": {
"product_data": [
{
"product_name": "PhpSpreadsheet",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 3.0.0, < 3.7.0"
},
{
"version_affected": "=",
"version_value": "< 1.29.7"
},
{
"version_affected": "=",
"version_value": ">= 2.0.0, < 2.1.6"
},
{
"version_affected": "=",
"version_value": ">= 2.2.0, < 2.3.5"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-c6fv-7vh8-2rhr",
"refsource": "MISC",
"name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-c6fv-7vh8-2rhr"
},
{
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4",
"refsource": "MISC",
"name": "https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4"
}
]
},
"source": {
"advisory": "GHSA-c6fv-7vh8-2rhr",
"discovery": "UNKNOWN"
}
}

75
2024/56xxx/CVE-2024-56408.json
View File

@ -1,18 +1,85 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-56408",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "PHPOffice",
"product": {
"product_data": [
{
"product_name": "PhpSpreadsheet",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 3.0.0, < 3.7.0"
},
{
"version_affected": "=",
"version_value": "< 1.29.7"
},
{
"version_affected": "=",
"version_value": ">= 2.0.0, < 2.1.6"
},
{
"version_affected": "=",
"version_value": ">= 2.2.0, < 2.3.5"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-x88g-h956-m5xg",
"refsource": "MISC",
"name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-x88g-h956-m5xg"
},
{
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4",
"refsource": "MISC",
"name": "https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4"
}
]
},
"source": {
"advisory": "GHSA-x88g-h956-m5xg",
"discovery": "UNKNOWN"
}
}

75
2024/56xxx/CVE-2024-56409.json
View File

@ -1,18 +1,85 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-56409",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Currency.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "PHPOffice",
"product": {
"product_data": [
{
"product_name": "PhpSpreadsheet",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 3.0.0, < 3.7.0"
},
{
"version_affected": "=",
"version_value": "< 1.29.7"
},
{
"version_affected": "=",
"version_value": ">= 2.0.0, < 2.1.6"
},
{
"version_affected": "=",
"version_value": ">= 2.2.0, < 2.3.5"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-j2xg-cjcx-4677",
"refsource": "MISC",
"name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-j2xg-cjcx-4677"
},
{
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4",
"refsource": "MISC",
"name": "https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4"
}
]
},
"source": {
"advisory": "GHSA-j2xg-cjcx-4677",
"discovery": "UNKNOWN"
}
}

75
2024/56xxx/CVE-2024-56410.json
View File

@ -1,18 +1,85 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-56410",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "PHPOffice",
"product": {
"product_data": [
{
"product_name": "PhpSpreadsheet",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 3.0.0, < 3.7.0"
},
{
"version_affected": "=",
"version_value": "< 1.29.7"
},
{
"version_affected": "=",
"version_value": ">= 2.0.0, < 2.1.6"
},
{
"version_affected": "=",
"version_value": ">= 2.2.0, < 2.3.5"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wv23-996v-q229",
"refsource": "MISC",
"name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wv23-996v-q229"
},
{
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4",
"refsource": "MISC",
"name": "https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4"
}
]
},
"source": {
"advisory": "GHSA-wv23-996v-q229",
"discovery": "UNKNOWN"
}
}

75
2024/56xxx/CVE-2024-56411.json
View File

@ -1,18 +1,85 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-56411",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink base. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "PHPOffice",
"product": {
"product_data": [
{
"product_name": "PhpSpreadsheet",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 3.0.0, < 3.7.0"
},
{
"version_affected": "=",
"version_value": "< 1.29.7"
},
{
"version_affected": "=",
"version_value": ">= 2.0.0, < 2.1.6"
},
{
"version_affected": "=",
"version_value": ">= 2.2.0, < 2.3.5"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hwcp-2h35-p66w",
"refsource": "MISC",
"name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hwcp-2h35-p66w"
},
{
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f88e04c735d56457a8ffcdc40b2635a028e",
"refsource": "MISC",
"name": "https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f88e04c735d56457a8ffcdc40b2635a028e"
}
]
},
"source": {
"advisory": "GHSA-hwcp-2h35-p66w",
"discovery": "UNKNOWN"
}
}

75
2024/56xxx/CVE-2024-56412.json
View File

@ -1,18 +1,85 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-56412",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "PHPOffice",
"product": {
"product_data": [
{
"product_name": "PhpSpreadsheet",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 3.0.0, < 3.7.0"
},
{
"version_affected": "=",
"version_value": "< 1.29.7"
},
{
"version_affected": "=",
"version_value": ">= 2.0.0, < 2.1.6"
},
{
"version_affected": "=",
"version_value": ">= 2.2.0, < 2.3.5"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-q9jv-mm3r-j47r",
"refsource": "MISC",
"name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-q9jv-mm3r-j47r"
},
{
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f88e04c735d56457a8ffcdc40b2635a028e",
"refsource": "MISC",
"name": "https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f88e04c735d56457a8ffcdc40b2635a028e"
}
]
},
"source": {
"advisory": "GHSA-q9jv-mm3r-j47r",
"discovery": "UNKNOWN"
}
}

73
2024/56xxx/CVE-2024-56513.json
View File

@ -1,18 +1,83 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-56513",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters. Since Karmada v1.12.0, command `karmadactl register` restricts the access permissions of pull mode member clusters to control plane resources. This way, an attacker able to authenticate as the karmada-agent cannot control other member clusters in Karmada. As a workaround, one may restrict the access permissions of pull mode member clusters to control plane resources according to Karmada Component Permissions Docs."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-266: Incorrect Privilege Assignment",
"cweId": "CWE-266"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "karmada-io",
"product": {
"product_data": [
{
"product_name": "karmada",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "< 1.12.0"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/karmada-io/karmada/security/advisories/GHSA-mg7w-c9x2-xh7r",
"refsource": "MISC",
"name": "https://github.com/karmada-io/karmada/security/advisories/GHSA-mg7w-c9x2-xh7r"
},
{
"url": "https://github.com/karmada-io/karmada/pull/5793",
"refsource": "MISC",
"name": "https://github.com/karmada-io/karmada/pull/5793"
},
{
"url": "https://github.com/karmada-io/karmada/commit/2c82055c4c7f469411b1ba48c4dba4841df04831",
"refsource": "MISC",
"name": "https://github.com/karmada-io/karmada/commit/2c82055c4c7f469411b1ba48c4dba4841df04831"
},
{
"url": "https://karmada.io/docs/administrator/security/component-permission",
"refsource": "MISC",
"name": "https://karmada.io/docs/administrator/security/component-permission"
}
]
},
"source": {
"advisory": "GHSA-mg7w-c9x2-xh7r",
"discovery": "UNKNOWN"
}
}

78
2024/56xxx/CVE-2024-56514.json
View File

@ -1,18 +1,88 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-56514",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions(CRDs) needed by Karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a Karmada initialization could write arbitrary files in arbitrary paths of the filesystem. From Karmada version 1.12.0, when processing custom CRDs files, CRDs archive verification is utilized to enhance file system robustness. A workaround is available. Someone who needs to set flag `--crd` to customize the CRD files required for Karmada initialization when using `karmadactl init` to set up Karmada can manually inspect the CRD files to check whether they contain sequences such as `../` that would alter file paths, to determine if they potentially include malicious files. When using karmada-operator to set up Karmada, one must upgrade one's karmada-operator to one of the fixed versions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
"cweId": "CWE-22"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "karmada-io",
"product": {
"product_data": [
{
"product_name": "karmada",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "< 1.12.0"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/karmada-io/karmada/security/advisories/GHSA-cwrh-575j-8vr3",
"refsource": "MISC",
"name": "https://github.com/karmada-io/karmada/security/advisories/GHSA-cwrh-575j-8vr3"
},
{
"url": "https://github.com/karmada-io/karmada/pull/5703",
"refsource": "MISC",
"name": "https://github.com/karmada-io/karmada/pull/5703"
},
{
"url": "https://github.com/karmada-io/karmada/pull/5713",
"refsource": "MISC",
"name": "https://github.com/karmada-io/karmada/pull/5713"
},
{
"url": "https://github.com/karmada-io/karmada/commit/40ec488b18a461ab0f871d2c9ec8665b361f0d50",
"refsource": "MISC",
"name": "https://github.com/karmada-io/karmada/commit/40ec488b18a461ab0f871d2c9ec8665b361f0d50"
},
{
"url": "https://github.com/karmada-io/karmada/commit/f78e7e2a3d02bed04e9bc7abd3ae7b3ac56862d2",
"refsource": "MISC",
"name": "https://github.com/karmada-io/karmada/commit/f78e7e2a3d02bed04e9bc7abd3ae7b3ac56862d2"
}
]
},
"source": {
"advisory": "GHSA-cwrh-575j-8vr3",
"discovery": "UNKNOWN"
}
}

18
2025/0xxx/CVE-2025-0210.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2025-0210",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2025/0xxx/CVE-2025-0211.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2025-0211",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2025/0xxx/CVE-2025-0212.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2025-0212",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2025/0xxx/CVE-2025-0213.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2025-0213",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2025/0xxx/CVE-2025-0214.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2025-0214",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

72
2025/21xxx/CVE-2025-21609.json
View File

@ -1,18 +1,82 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2025-21609",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-459: Incomplete Cleanup",
"cweId": "CWE-459"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-552: Files or Directories Accessible to External Parties",
"cweId": "CWE-552"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "siyuan-note",
"product": {
"product_data": [
{
"product_name": "siyuan",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "= 3.1.18"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-8fx8-pffw-w498",
"refsource": "MISC",
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-8fx8-pffw-w498"
},
{
"url": "https://github.com/siyuan-note/siyuan/commit/d9887aeec1b27073bec66299a9a4181dc42969f3",
"refsource": "MISC",
"name": "https://github.com/siyuan-note/siyuan/commit/d9887aeec1b27073bec66299a9a4181dc42969f3"
}
]
},
"source": {
"advisory": "GHSA-8fx8-pffw-w498",
"discovery": "UNKNOWN"
}
}

91
2025/21xxx/CVE-2025-21610.json
View File

@ -1,17 +1,100 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2025-21610",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.12 are vulnerable to cross-site scripting when pasting malicious code in the link field. An attacker could trick the user to copy&paste a malicious `javascript:` URL as a link that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. Users should upgrade to Trix editor version 2.1.12 or later to receive a patch. In addition to upgrading, affected users can disallow browsers that don't support a Content Security Policy (CSP) as a workaround for this and other cross-site scripting vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "basecamp",
"product": {
"product_data": [
{
"product_name": "trix",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "< 2.1.12"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/basecamp/trix/security/advisories/GHSA-j386-3444-qgwg",
"refsource": "MISC",
"name": "https://github.com/basecamp/trix/security/advisories/GHSA-j386-3444-qgwg"
},
{
"url": "https://github.com/basecamp/trix/commit/180c8d337f18e1569cea6ef29b4d03ffff5b5faa",
"refsource": "MISC",
"name": "https://github.com/basecamp/trix/commit/180c8d337f18e1569cea6ef29b4d03ffff5b5faa"
},
{
"url": "https://github.com/basecamp/trix/commit/c4f0d6f80654603932af6685694f694e96593b93",
"refsource": "MISC",
"name": "https://github.com/basecamp/trix/commit/c4f0d6f80654603932af6685694f694e96593b93"
},
{
"url": "https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8",
"refsource": "MISC",
"name": "https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8"
}
]
},
"source": {
"advisory": "GHSA-j386-3444-qgwg",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
]
}