"-Synchronized-Data."

This commit is contained in:
CVE Team 2020-11-19 18:01:49 +00:00
parent 3b2bd2abdf
commit 44b0581630
No known key found for this signature in database
GPG Key ID: 5708902F06FEF743
15 changed files with 541 additions and 468 deletions


@ -69,6 +69,11 @@
"refsource": "MISC",
"name": "https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf",
"url": "https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf"
},
{
"refsource": "MISC",
"name": "http://packetstormsecurity.com/files/160130/Fortinet-FortiOS-6.0.4-Password-Modification.html",
"url": "http://packetstormsecurity.com/files/160130/Fortinet-FortiOS-6.0.4-Password-Modification.html"
}
]
},


@ -1,127 +1,127 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2020-12495",
"ASSIGNER": "info@cert.vde.com",
"DATE_PUBLIC": "2020-11-19T14:00:00.000Z",
"TITLE": "ENDRESS+HAUSER: Ecograph T utilizing Webserver firmware version 1.x has improper privilege management",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [
"VDE-2020-021"
],
"advisory": "VDE-2020-021",
"discovery": "UNKNOWN"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Endress+Hauser",
"product": {
"product_data": [
{
"product_name": "RSG35 - Ecograph T",
"version": {
"version_data": [
{
"version_name": "V1.0.0",
"version_affected": "<",
"version_value": "V2.0.0",
"platform": ""
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2020-12495",
"ASSIGNER": "info@cert.vde.com",
"DATE_PUBLIC": "2020-11-19T14:00:00.000Z",
"TITLE": "ENDRESS+HAUSER: Ecograph T utilizing Webserver firmware version 1.x has improper privilege management",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [
"VDE-2020-021"
],
"advisory": "VDE-2020-021",
"discovery": "UNKNOWN"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Endress+Hauser",
"product": {
"product_data": [
{
"product_name": "RSG35 - Ecograph T",
"version": {
"version_data": [
{
"version_name": "V1.0.0",
"version_affected": "<",
"version_value": "V2.0.0",
"platform": ""
}
]
}
},
{
"product_name": "ORSG35 - Ecograph T Neutral/Private Label",
"version": {
"version_data": [
{
"version_name": "V1.0.0",
"version_affected": "<",
"version_value": "V2.0.0",
"platform": ""
}
]
}
}
]
}
]
}
},
{
"product_name": "ORSG35 - Ecograph T Neutral/Private Label",
"version": {
"version_data": [
{
"version_name": "V1.0.0",
"version_affected": "<",
"version_value": "V2.0.0",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-269 Improper Privilege Management"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-269 Improper Privilege Management"
}
]
}
]
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) with Firmware version prior to V2.0.0 is prone to improper privilege management. The affected device has a web-based user interface with a role-based access system. Users with different roles have different write and read privileges. The access system is based on dynamic \"tokens\". The vulnerability is that user sessions are not closed correctly and a user with fewer rights is assigned the higher rights when he logs on."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en-us/advisories/vde-2020-021",
"name": "https://cert.vde.com/en-us/advisories/vde-2020-021"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"baseScore": 9.1,
"baseSeverity": "CRITICAL"
}
},
"exploit": [],
"work_around": [
{
"lang": "eng",
"value": "Customers should configure a perimeter firewall to block traffic from untrusted networks and users to the device. These recommendations will be incorporated into the device documentation (operating instructions).\n\nChange default password for operator, service and admin account."
}
],
"solution": [
{
"lang": "eng",
"value": "Endress+Hauser will not change this behavior.\nCustomers are recommended to take the measures for Temporary Fix / Mitigation as described above."
}
],
"credit": [
{
"lang": "eng",
"value": "Maxim Rupp reported this vulnerability to CERT@VDE"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) with Firmware version prior to V2.0.0 is prone to improper privilege management.\nThe affected device has a web-based user interface with a role-based access system. Users with different roles have different write and read privileges. The access system is based on dynamic \"tokens\".\nThe vulnerability is that user sessions are not closed correctly and a user with fewer rights is assigned the higher rights when he logs on."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en-us/advisories/vde-2020-021",
"name": "https://cert.vde.com/en-us/advisories/vde-2020-021"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"baseScore": 9.1,
"baseSeverity": "CRITICAL"
}
},
"exploit": [],
"work_around": [
{
"lang": "eng",
"value": "Customers should configure a perimeter firewall to block traffic from untrusted networks and users to the device. These recommendations will be incorporated into the device documentation (operating instructions).\n\nChange default password for operator, service and admin account."
}
],
"solution": [
{
"lang": "eng",
"value": "Endress+Hauser will not change this behavior.\nCustomers are recommended to take the measures for Temporary Fix / Mitigation as described above."
}
],
"credit": [
{
"lang": "eng",
"value": "Maxim Rupp reported this vulnerability to CERT@VDE"
}
]
}
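Review bot: The rewritten record keeps `"discovery": "UNKNOWN"` in its `source` block while its own credit reads `"Maxim Rupp reported this vulnerability to CERT@VDE"`, and the companion CVE-2020-12496 record in this same commit carries the identical credit with `"discovery": "EXTERNAL"`; the two should agree, presumably `"discovery": "EXTERNAL"` here as well. The new description also embeds `\n` breaks inside the single `description_data[].value` string where the old text used spaces, which consumers that render the description as one paragraph show inconsistently. The vector `PR:N` reads oddly beside a description whose precondition is a user with fewer rights logging on; if an account is required the vector would be `PR:L`, though that is the CNA's call to confirm. Both sides of the file appear here without markers, so which block is old and which is new is inferred from the duplicated content.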


@ -1,153 +1,153 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2020-12496",
"ASSIGNER": "info@cert.vde.com",
"DATE_PUBLIC": "2020-11-19T14:00:00.000Z",
"TITLE": "ENDRESS+HAUSER: Ecograph T utilizing Webserver firmware version 2.x exposures sensitive information to an unauthorized actor",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [
"VDE-2020-022"
],
"advisory": "VDE-2020-022",
"discovery": "EXTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Endress+Hauser",
"product": {
"product_data": [
{
"product_name": "RSG35 - Ecograph T",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "V2.0.0",
"platform": ""
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2020-12496",
"ASSIGNER": "info@cert.vde.com",
"DATE_PUBLIC": "2020-11-19T14:00:00.000Z",
"TITLE": "ENDRESS+HAUSER: Ecograph T utilizing Webserver firmware version 2.x exposures sensitive information to an unauthorized actor",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [
"VDE-2020-022"
],
"advisory": "VDE-2020-022",
"discovery": "EXTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Endress+Hauser",
"product": {
"product_data": [
{
"product_name": "RSG35 - Ecograph T",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "V2.0.0",
"platform": ""
}
]
}
},
{
"product_name": "ORSG35 - Ecograph T Neutral/Private Label",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "V2.0.0",
"platform": ""
}
]
}
},
{
"product_name": "RSG45 - Memograph M",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "V2.0.0",
"platform": ""
}
]
}
},
{
"product_name": "ORSG45 - Memograph M Neutral/Private Label",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "V2.0.0",
"platform": ""
}
]
}
}
]
}
]
}
},
{
"product_name": "ORSG35 - Ecograph T Neutral/Private Label",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "V2.0.0",
"platform": ""
}
]
}
},
{
"product_name": "RSG45 - Memograph M",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "V2.0.0",
"platform": ""
}
]
}
},
{
"product_name": "ORSG45 - Memograph M Neutral/Private Label",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "V2.0.0",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
}
]
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) and Memograph M (Neutral/Private Label) (RSG45, ORSG45) with Firmware version V2.0.0 and above is prone to exposure of sensitive information to an unauthorized actor. The firmware release has a dynamic token for each request submitted to the server, which makes repeating requests and analysis complex enough. Nevertheless, it's possible and during the analysis it was discovered that it also has an issue with the access-control matrix on the server-side. It was found that a user with low rights can get information from endpoints that should not be available to this user."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en-us/advisories/vde-2020-022",
"name": "https://cert.vde.com/en-us/advisories/vde-2020-022"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"baseScore": 6.5,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [
{
"lang": "eng",
"value": "Customers should configure a perimeter firewall to block traffic from untrusted networks and users to the device. These recommendations will be incorporated into the device documentation (operating instructions)\nChange default password for operator, service and admin account."
}
],
"solution": [
{
"lang": "eng",
"value": "Endress+Hauser will not change this behavior.\nCustomers are recommended to take the measures for Temporary Fix / Mitigation as described above."
}
],
"credit": [
{
"lang": "eng",
"value": "Maxim Rupp reported this vulnerability to CERT@VDE"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) and Memograph M (Neutral/Private Label) (RSG45, ORSG45) with Firmware version V2.0.0 and above is prone to exposure of sensitive information to an unauthorized actor.\nThe firmware release has a dynamic token for each request submitted to the server, which makes repeating requests and analysis complex enough. Nevertheless, it's possible and during the analysis it was discovered that it also has an issue with the access-control matrix on the server-side.\nIt was found that a user with low rights can get information from endpoints that should not be available to this user."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en-us/advisories/vde-2020-022",
"name": "https://cert.vde.com/en-us/advisories/vde-2020-022"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"baseScore": 6.5,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [
{
"lang": "eng",
"value": "Customers should configure a perimeter firewall to block traffic from untrusted networks and users to the device. These recommendations will be incorporated into the device documentation (operating instructions)\nChange default password for operator, service and admin account."
}
],
"solution": [
{
"lang": "eng",
"value": "Endress+Hauser will not change this behavior.\nCustomers are recommended to take the measures for Temporary Fix / Mitigation as described above."
}
],
"credit": [
{
"lang": "eng",
"value": "Maxim Rupp reported this vulnerability to CERT@VDE"
}
]
}
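Review bot: `"TITLE"` in `CVE_data_meta` reads `"… firmware version 2.x exposures sensitive information …"`; the verb should be `exposes`. As in the CVE-2020-12495 record in this commit, the rewritten description now carries embedded `\n` breaks inside one string value where the old text used spaces, which consumers that display the description as a single paragraph handle inconsistently. The vector `PR:N/UI:R` also sits awkwardly next to a finding that `a user with low rights can get information from endpoints`, which reads as an authenticated access-control flaw (`PR:L`, no user interaction); worth confirming with the CNA rather than changing here.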


@ -1,109 +1,109 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2020-12510",
"ASSIGNER": "info@cert.vde.com",
"DATE_PUBLIC": "2020-11-19T14:00:00.000Z",
"TITLE": "Beckhoff: Privilege Escalation through TwinCat System ",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [
"VDE-2020-037"
],
"advisory": "VDE-2020-037",
"discovery": "EXTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Beckhoff",
"product": {
"product_data": [
{
"product_name": "TwinCat XAR 3.1",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "all",
"platform": "all"
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2020-12510",
"ASSIGNER": "info@cert.vde.com",
"DATE_PUBLIC": "2020-11-19T14:00:00.000Z",
"TITLE": "Beckhoff: Privilege Escalation through TwinCat System ",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [
"VDE-2020-037"
],
"advisory": "VDE-2020-037",
"discovery": "EXTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Beckhoff",
"product": {
"product_data": [
{
"product_name": "TwinCat XAR 3.1",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "all",
"platform": "all"
}
]
}
}
]
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-276 Incorrect Default Permissions"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-276 Incorrect Default Permissions"
}
]
}
]
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution upon log in of a user. If a less privileged user has a local account he or she can replace TcSysUI.exe. It will be executed automatically by another user during login. This is also true for users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code he or she modified this way. By default Beckhoff\u2019s IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en-us/advisories/vde-2020-037",
"name": "https://cert.vde.com/en-us/advisories/vde-2020-037"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"baseScore": 7.3,
"baseSeverity": "HIGH"
}
},
"exploit": [],
"work_around": [],
"solution": [
{
"lang": "eng",
"value": "Please consider to choose \u201cC:\\Program Files\\TwinCAT\u201d during installation of TwinCAT 3.1. If you have installed it already then please uninstall and re-install it with the changed path. Please use the custom installation for this. That will automatically protect the binaries such that they can only be modified by an administrator.\nPlease mind that already installed projects underneath C:\\TwinCAT need to be moved. It is recommended to perform a backup of the complete device before such action. For security reasons, please remove the former content of C:\\TwinCAT at the end of this sequence. This will also prevent confusion."
}
],
"credit": [
{
"lang": "eng",
"value": "Ayushman Dutta reported the issue to CERT@VDE"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution upon log in of a user. If a less privileged user has a local account he or she can replace TcSysUI.exe. It will be executed automatically by another user during login. This is also true for users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code he or she modified this way. By default Beckhoffs IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added.\n"
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en-us/advisories/vde-2020-037",
"name": "https://cert.vde.com/en-us/advisories/vde-2020-037"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"baseScore": 7.3,
"baseSeverity": "HIGH"
}
},
"exploit": [],
"work_around": [],
"solution": [
{
"lang": "eng",
"value": "Please consider to choose “C:\\Program Files\\TwinCAT” during installation of TwinCAT 3.1. If you have installed it already then please uninstall and re-install it with the changed path. Please use the custom installation for this. That will automatically protect the binaries such that they can only be modified by an administrator.\nPlease mind that already installed projects underneath C:\\TwinCAT need to be moved. It is recommended to perform a backup of the complete device before such action. For security reasons, please remove the former content of C:\\TwinCAT at the end of this sequence. This will also prevent confusion."
}
],
"credit": [
{
"lang": "eng",
"value": "Ayushman Dutta reported the issue to CERT@VDE"
}
]
}
}
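Review bot: The new description drops the apostrophe from the old `Beckhoff\u2019s IPCs`, now `Beckhoffs IPCs`, and appends a trailing `\n` to the value; both look like accidental edits made during the reformat rather than intended wording changes, so the old text should be restored there. `"TITLE": "Beckhoff: Privilege Escalation through TwinCat System "` carries a trailing space on both sides of the diff and could be trimmed in the same pass. The solution text now holds literal curly quotes where the old side used `\u201c`/`\u201d` escapes; that is equivalent JSON and fine, just noting it is a cosmetic change and not a content one.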


@ -4,101 +4,15 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2020-13360",
"ASSIGNER": "cve@gitlab.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "GitLab",
"product": {
"product_data": [
{
"product_name": "GitLab EE",
"version": {
"version_data": [
{
"version_value": ">=12.10"
},
{
"version_value": "<13.3.9"
},
{
"version_value": ">=13.3.9"
},
{
"version_value": "<13.4.5"
},
{
"version_value": ">=13.4.5"
},
{
"version_value": "<13.5.2"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Uncontrolled resource consumption in GitLab"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gitlab.com/gitlab-org/gitlab/-/issues/209814",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/209814",
"refsource": "MISC"
},
{
"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13360.json",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13360.json",
"refsource": "CONFIRM"
}
]
"ASSIGNER": "cve@mitre.org",
"STATE": "REJECT"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "An attacker can schedule a very large number of releases in the future causing a denial of service on a GitLab EE 12.10+ instance when they're all processed at once when the release date comes. This affects versions >=12.10, <13.3.9,>=13.3.9, <13.4.5,>=13.4.5, <13.5.2."
"value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
}
]
},
"impact": {
"cvss": {
"vectorString": "AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"version": "3.1",
"baseScore": 7.7,
"baseSeverity": "HIGH"
}
},
"credit": [
{
"lang": "eng",
"value": "This vulnerability has been discovered internally by the GitLab team"
}
]
}
}
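Review bot: The reject text says the candidate `was withdrawn by its CNA`, but the hunk also changes `"ASSIGNER"` from `cve@gitlab.com` to `cve@mitre.org` and removes both references (the GitLab issue and the gitlab-org/cves record), so the record no longer identifies which CNA withdrew it or where the withdrawal can be verified. If the reject template requires the ASSIGNER change, keeping a `"references"` entry for `https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13360.json` would preserve that traceability for consumers that already ingested the earlier PUBLIC record. The old side appears without markers, so the exact set of deleted lines is inferred from the `-4,101 +4,15` header.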


@ -80,6 +80,11 @@
"url": "https://www.oracle.com/security-alerts/alert-cve-2020-14750.html",
"refsource": "MISC",
"name": "https://www.oracle.com/security-alerts/alert-cve-2020-14750.html"
},
{
"refsource": "MISC",
"name": "http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html",
"url": "http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html"
}
]
}


@ -85,6 +85,11 @@
"refsource": "MISC",
"name": "http://packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html",
"url": "http://packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html"
},
{
"refsource": "MISC",
"name": "http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html",
"url": "http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html"
}
]
}


@ -80,6 +80,11 @@
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"refsource": "MISC",
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"refsource": "MISC",
"name": "http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html",
"url": "http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html"
}
]
}


@ -1,17 +1,61 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2020-22394",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2020-22394",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In YzmCMS v5.5 the member contribution function in the editor contains a cross-site scripting (XSS) vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://github.com/yzmcms/yzmcms/issues/42",
"refsource": "MISC",
"name": "https://github.com/yzmcms/yzmcms/issues/42"
}
]
}
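Review bot: `"problemtype"` is published as `"value": "n/a"` although the description states a cross-site scripting (XSS) vulnerability, and `"vendor_name"`/`"product_name"` are `"n/a"` although the description names YzmCMS v5.5; the structured fields should carry what the free text already says, e.g. `"value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"` and `"product_name": "YzmCMS"` with `"version_value": "5.5"`, so consumers that filter on CWE or product do not miss the record. The CVE-2020-12495 record in this same commit shows the expected form with `"CWE-269 Improper Privilege Management"`. The new CVE-2020-28947 record later in this commit (MISP 2.4.134 XSS) has the same `n/a` placeholders. The only reference is a GitHub issue rather than a fix commit or release, so affected and fixed versions cannot be verified from the record alone.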


@ -56,6 +56,11 @@
"refsource": "MISC",
"name": "https://pastebin.com/QTev1TjM",
"url": "https://pastebin.com/QTev1TjM"
},
{
"refsource": "MISC",
"name": "http://packetstormsecurity.com/files/160136/Gemtek-WVRTM-127ACN-01.01.02.141-Command-Injection.html",
"url": "http://packetstormsecurity.com/files/160136/Gemtek-WVRTM-127ACN-01.01.02.141-Command-Injection.html"
}
]
}


@ -56,6 +56,11 @@
"refsource": "CONFIRM",
"name": "https://github.com/cbkhwx/cxuucmsv3/issues/1",
"url": "https://github.com/cbkhwx/cxuucmsv3/issues/1"
},
{
"refsource": "MISC",
"name": "http://packetstormsecurity.com/files/160129/xuucms-3-SQL-Injection.html",
"url": "http://packetstormsecurity.com/files/160129/xuucms-3-SQL-Injection.html"
}
]
}


@ -56,6 +56,11 @@
"url": "https://github.com/lazyphp/PESCMS-TEAM/issues/6",
"refsource": "MISC",
"name": "https://github.com/lazyphp/PESCMS-TEAM/issues/6"
},
{
"refsource": "MISC",
"name": "http://packetstormsecurity.com/files/160128/PESCMS-TEAM-2.3.2-Cross-Site-Scripting.html",
"url": "http://packetstormsecurity.com/files/160128/PESCMS-TEAM-2.3.2-Cross-Site-Scripting.html"
}
]
}


@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2020-28946",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}


@ -0,0 +1,62 @@
{
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-28947",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://github.com/MISP/MISP/commit/626ca544ffb5604ea01bb291f69811668b6b5631",
"refsource": "MISC",
"name": "https://github.com/MISP/MISP/commit/626ca544ffb5604ea01bb291f69811668b6b5631"
}
]
}
}


@ -99,15 +99,15 @@
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1163922",
"refsource": "CONFIRM",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1163922"
},
{
"refsource": "SUSE",
"name": "openSUSE-SU-2020:0302",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00010.html"
},
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1163922",
"refsource": "CONFIRM",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1163922"
}
]
},
@ -118,4 +118,4 @@
],
"discovery": "INTERNAL"
}
}
}