admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-06-19 17:32:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2022-06-24 15:00:47 +00:00
parent 6fda3c696b
commit 456742817b
No known key found for this signature in database
GPG Key ID: E3252B3D49582C98
60 changed files with 3772 additions and 226 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
2013/1xxx/CVE-2013-1891.json
View File

@ -1,17 +1,71 @@
{
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-1891",
"STATE": "RESERVED"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2013-1891",
"ASSIGNER": "secalert@redhat.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "n/a",
"product": {
"product_data": [
{
"product_name": "opencart",
"version": {
"version_data": [
{
"version_value": "opencart 1.4.7 to 1.5.5.1"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "http://www.waraxe.us/advisory-98.html",
"url": "http://www.waraxe.us/advisory-98.html"
},
{
"refsource": "MISC",
"name": "https://seclists.org/fulldisclosure/2013/Mar/176",
"url": "https://seclists.org/fulldisclosure/2013/Mar/176"
},
{
"refsource": "MISC",
"name": "https://www.openwall.com/lists/oss-security/2013/03/24/1",
"url": "https://www.openwall.com/lists/oss-security/2013/03/24/1"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In OpenCart 1.4.7 to 1.5.5.1, implemented anti-traversal code in filemanager.php is ineffective and can be bypassed."
}
]
}

68
2013/1xxx/CVE-2013-1916.json
View File

@ -1,17 +1,71 @@
{
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-1916",
"STATE": "RESERVED"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2013-1916",
"ASSIGNER": "secalert@redhat.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "n/a",
"product": {
"product_data": [
{
"product_name": "WordPress Plugin User Photo",
"version": {
"version_data": [
{
"version_value": "WordPress Plugin User Photo 0.9.4"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-434"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://wordpress.org/plugins/user-photo/#developers",
"url": "https://wordpress.org/plugins/user-photo/#developers"
},
{
"refsource": "MISC",
"name": "https://plugins.trac.wordpress.org/changeset/347137",
"url": "https://plugins.trac.wordpress.org/changeset/347137"
},
{
"refsource": "MISC",
"name": "https://www.exploit-db.com/exploits/16181",
"url": "https://www.exploit-db.com/exploits/16181"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In WordPress Plugin User Photo 0.9.4, when a photo is uploaded, it is only partially validated and it is possible to upload a backdoor on the server hosting WordPress. This backdoor can be called (executed) even if the photo has not been yet approved."
}
]
}

5
2018/18xxx/CVE-2018-18907.json
View File

@ -61,6 +61,11 @@
"refsource": "MISC",
"name": "https://www.synopsys.com/blogs/software-security/wpa2-encryption-bypass-defensics-fuzzing/",
"url": "https://www.synopsys.com/blogs/software-security/wpa2-encryption-bypass-defensics-fuzzing/"
},
{
"refsource": "MISC",
"name": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10097",
"url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10097"
}
]
}

18
2019/25xxx/CVE-2019-25071.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2019-25071",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

50
2021/30xxx/CVE-2021-30651.json
View File

@ -4,14 +4,58 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-30651",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "secure@symantec.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "n/a",
"product": {
"product_data": [
{
"product_name": "Symantec Messaging Gateway (SMG)",
"version": {
"version_data": [
{
"version_value": "10.7"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://support.broadcom.com/external/content/SecurityAdvisories/0/20652",
"url": "https://support.broadcom.com/external/content/SecurityAdvisories/0/20652"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "A malicious authenticated SMG administrator user can obtain passwords for external LDAP/Active Directory servers that they might not otherwise be authorized to access."
}
]
}

202
2022/1xxx/CVE-2022-1517.json
View File

@ -4,15 +4,209 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-1517",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "20220602T06:00:00.000000Z",
"TITLE": "3.2.1 EXECUTION WITH UNNECESSARY PRIVILEGES CWE-250",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"discovery": "UNKNOWN",
"defect": [],
"advisory": ""
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "NextSeq 550Dx",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "MiSeq Dx",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "NextSeq 500 Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "NextSeq 550 Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "MiSeq Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "iSeq 100 Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "MiniSeq Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "cwe-250"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "LRM utilizes elevated privileges. An unauthenticated malicious actor can upload and execute code remotely at the operating system level, which can allow an attacker to change settings, configurations, software, or access sensitive data on the affected produc. An attacker could also exploit this vulnerability to access APIs not intended for general use and interact through the network."
}
]
}
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-02",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-02"
}
]
},
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"baseScore": 10.0,
"baseSeverity": "CRITICAL"
}
},
"work_around": [],
"solution": [],
"credit": []
}

202
2022/1xxx/CVE-2022-1518.json
View File

@ -4,15 +4,209 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-1518",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "20220602T06:00:00.000000Z",
"TITLE": "3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"discovery": "UNKNOWN",
"defect": [],
"advisory": ""
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "NextSeq 550Dx",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "MiSeq Dx",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "NextSeq 500 Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "NextSeq 550 Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "MiSeq Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "iSeq 100 Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "MiniSeq Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "LRM contains a directory traversal vulnerability that can allow a malicious actor to upload outside the intended directory structure."
}
]
}
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-02",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-02"
}
]
},
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"baseScore": 10.0,
"baseSeverity": "CRITICAL"
}
},
"work_around": [],
"solution": [],
"credit": []
}

202
2022/1xxx/CVE-2022-1519.json
View File

@ -4,15 +4,209 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-1519",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "20220602T06:00:00.000000Z",
"TITLE": "",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"discovery": "UNKNOWN",
"defect": [],
"advisory": ""
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "NextSeq 550Dx",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "MiSeq Dx",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "NextSeq 500 Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "NextSeq 550 Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "MiSeq Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "iSeq 100 Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "MiniSeq Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "LRM does not restrict the types of files that can be uploaded to the affected product. A malicious actor can upload any file type, including executable code that allows for a remote code exploit."
}
]
}
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-02",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-02"
}
]
},
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"baseScore": 10.0,
"baseSeverity": "CRITICAL"
}
},
"work_around": [],
"solution": [],
"credit": []
}

202
2022/1xxx/CVE-2022-1521.json
View File

@ -4,15 +4,209 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-1521",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "20220602T06:00:00.000000Z",
"TITLE": "3.2.4 IMPROPER ACCESS CONTROL CWE-284",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"discovery": "UNKNOWN",
"defect": [],
"advisory": ""
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "NextSeq 550Dx",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "MiSeq Dx",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "NextSeq 500 Instrumen",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "NextSeq 550 Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "MiSeq Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "iSeq 100 Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "MiniSeq Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "cwe-284"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data."
}
]
}
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-02",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-02"
}
]
},
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"baseScore": 9.1,
"baseSeverity": "CRITICAL"
}
},
"work_around": [],
"solution": [],
"credit": []
}

202
2022/1xxx/CVE-2022-1524.json
View File

@ -4,15 +4,209 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-1524",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "20220602T06:00:00.000000Z",
"TITLE": "3.2.5 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"discovery": "UNKNOWN",
"defect": [],
"advisory": ""
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "NextSeq 550Dx",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "MiSeq Dx",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "NextSeq 500 Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "NextSeq 550 Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "MiSeq Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "iSeq 100 Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Illumina",
"product": {
"product_data": [
{
"product_name": "MiniSeq Instrument",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "LRM Versions 1.3 to 3.1",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-319 Cleartext Transmission of Sensitive Information"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "LRM version 2.4 and lower does not implement TLS encryption. A malicious actor can MITM attack sensitive data in-transit, including credentials."
}
]
}
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-02",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-02"
}
]
},
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"baseScore": 7.4,
"baseSeverity": "HIGH"
}
},
"work_around": [],
"solution": [],
"credit": []
}

113
2022/1xxx/CVE-2022-1666.json
View File

@ -1,18 +1,117 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2022-06-23T17:01:00.000Z",
"ID": "CVE-2022-1666",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Secheron SEPCOS Control and Protection Relay"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SEPCOS Control and Protection Relay firmware package",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.23.21"
},
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.24.8"
},
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.25.3"
}
]
}
}
]
},
"vendor_name": "Secheron"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "The default password for the web application\u2019s root user (the vendor\u2019s private account) was weak and the MD5 hash was used to crack the password using a widely available open-source tool."
}
]
}
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-522 Insufficiently Protected Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version"
}
],
"source": {
"advisory": "ICSA-22-174-03",
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "eng",
"value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access."
}
]
}

113
2022/1xxx/CVE-2022-1667.json
View File

@ -1,18 +1,117 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2022-06-23T17:01:00.000Z",
"ID": "CVE-2022-1667",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Secheron SEPCOS Control and Protection Relay"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SEPCOS Control and Protection Relay firmware package",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.23.21"
},
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.24.8"
},
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.25.3"
}
]
}
}
]
},
"vendor_name": "Secheron"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Client-side JavaScript controls may be bypassed by directly running a JS function to reboot the PLC (e.g., from the browser console) or by loading the corresponding, browser accessible PHP script"
}
]
}
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-841 IMPROPER ENFORCEMENT OF BEHAVIORAL WORKFLOW"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version"
}
],
"source": {
"advisory": "ICSA-22-174-03",
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "eng",
"value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access."
}
]
}

113
2022/1xxx/CVE-2022-1668.json
View File

@ -1,18 +1,117 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2022-06-23T17:01:00.000Z",
"ID": "CVE-2022-1668",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Secheron SEPCOS Control and Protection Relay"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SEPCOS Control and Protection Relay firmware package",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.23.21"
},
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.24.8"
},
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.25.3"
}
]
}
}
]
},
"vendor_name": "Secheron"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Weak default root user credentials allow remote attackers to easily obtain OS superuser privileges over the open TCP port for SSH."
}
]
}
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-521 Weak Password Requirements"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version"
}
],
"source": {
"advisory": "ICSA-22-174-03",
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "eng",
"value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access."
}
]
}

86
2022/1xxx/CVE-2022-1739.json
View File

@ -4,15 +4,93 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-1739",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "20220603T06:00:00.000000Z",
"TITLE": "2.2.1\tIMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"discovery": "UNKNOWN",
"defect": [],
"advisory": ""
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Dominion Voting Systems",
"product": {
"product_data": [
{
"product_name": "ImageCast X firmware",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "Version 5.5-A",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Dominion Voting Systems",
"product": {
"product_data": [
{
"product_name": "ImageCast X application",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "Versions 5.5.10.30 and 5.5.10.32",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-347 Improper Verification of Cryptographic Signature"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "The tested version of Dominion Voting Systems ImageCast X does not validate application signatures to a trusted root certificate. Use of a trusted root certificate ensures software installed on a device is traceable to, or verifiable against, a cryptographic key provided by the manufacturer to detect tampering. An attacker could leverage this vulnerability to install malicious code, which could also be spread to other vulnerable ImageCast X devices via removable media."
}
]
}
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01"
}
]
},
"work_around": [],
"solution": [],
"credit": []
}

86
2022/1xxx/CVE-2022-1740.json
View File

@ -4,15 +4,93 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-1740",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "20220603T06:00:00.000000Z",
"TITLE": "2.2.2 MUTABLE ATTESTATION OR MEASUREMENT REPORTING DATA CWE-1283",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"discovery": "UNKNOWN",
"defect": [],
"advisory": ""
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Dominion Voting Systems",
"product": {
"product_data": [
{
"product_name": "ImageCast X application",
"version": {
"version_data": [
{
"version_name": "Version 5.5-A",
"version_affected": "=",
"version_value": "Versions 5.5.10.30 and 5.5.10.32",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Dominion Voting Systems",
"product": {
"product_data": [
{
"product_name": "ImageCast X firmware",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "Version 5.5-A",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1283"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "The tested version of Dominion Voting Systems ImageCast X\u2019s on-screen application hash display feature, audit log export, and application export functionality rely on self-attestation mechanisms. An attacker could leverage this vulnerability to disguise malicious applications on a device."
}
]
}
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01"
}
]
},
"work_around": [],
"solution": [],
"credit": []
}

86
2022/1xxx/CVE-2022-1741.json
View File

@ -4,15 +4,93 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-1741",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "20220603T06:00:00.000000Z",
"TITLE": "2.2.3 HIDDEN FUNCTIONALITY CWE-912",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"discovery": "UNKNOWN",
"defect": [],
"advisory": ""
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Dominion Voting Systems",
"product": {
"product_data": [
{
"product_name": "ImageCast X application",
"version": {
"version_data": [
{
"version_name": "Version 5.5-A",
"version_affected": "=",
"version_value": "Versions 5.5.10.30 and 5.5.10.32",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Dominion Voting Systems",
"product": {
"product_data": [
{
"product_name": "ImageCast X firmware",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "Version 5.5-A",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "cwe-912"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "The tested version of Dominion Voting Systems ImageCast X has a Terminal Emulator application which could be leveraged by an attacker to gain elevated privileges on a device and/or install malicious code."
}
]
}
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01"
}
]
},
"work_around": [],
"solution": [],
"credit": []
}

86
2022/1xxx/CVE-2022-1742.json
View File

@ -4,15 +4,93 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-1742",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "20220603T06:00:00.000000Z",
"TITLE": "2.2.4 IMPROPER PROTECTION OF ALTERNATE PATH CWE-424",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"discovery": "UNKNOWN",
"defect": [],
"advisory": ""
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Dominion Voting Systems",
"product": {
"product_data": [
{
"product_name": "ImageCast X application",
"version": {
"version_data": [
{
"version_name": "Version 5.5-A",
"version_affected": "None",
"version_value": "Versions 5.5.10.30 and 5.5.10.32",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Dominion Voting Systems",
"product": {
"product_data": [
{
"product_name": "ImageCast X firmware",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "None",
"version_value": "Version 5.5-A",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-424"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "The tested version of Dominion Voting Systems ImageCast X allows for rebooting into Android Safe Mode, which allows an attacker to directly access the operating system. An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code."
}
]
}
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01"
}
]
},
"work_around": [],
"solution": [],
"credit": []
}

86
2022/1xxx/CVE-2022-1743.json
View File

@ -4,15 +4,93 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-1743",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "20220603T06:00:00.000000Z",
"TITLE": "2.2.5 PATH TRAVERSAL: '../FILEDIR' CWE-24",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"discovery": "UNKNOWN",
"defect": [],
"advisory": ""
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Dominion Voting System",
"product": {
"product_data": [
{
"product_name": "ImageCast X application",
"version": {
"version_data": [
{
"version_name": "Version 5.5-A",
"version_affected": "=",
"version_value": "Versions 5.5.10.30 and 5.5.10.32",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Dominion Voting System",
"product": {
"product_data": [
{
"product_name": "ImageCast X firmware",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "Version 5.5-A",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-24"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "The tested version of Dominion Voting System ImageCast X can be manipulated to cause arbitrary code execution by specially crafted election definition files. An attacker could leverage this vulnerability to spread malicious code to ImageCast X devices from the EMS."
}
]
}
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01"
}
]
},
"work_around": [],
"solution": [],
"credit": []
}

86
2022/1xxx/CVE-2022-1744.json
View File

@ -4,15 +4,93 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-1744",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "20220603T06:00:00.000000Z",
"TITLE": "2.2.6 EXECUTION WITH UNNECESSARY PRIVILEGES CWE-250",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"discovery": "UNKNOWN",
"defect": [],
"advisory": ""
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Dominion Voting System",
"product": {
"product_data": [
{
"product_name": "ImageCast X application",
"version": {
"version_data": [
{
"version_name": "Version 5.5-A",
"version_affected": "=",
"version_value": "Versions 5.5.10.30 and 5.5.10.32",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Dominion Voting System",
"product": {
"product_data": [
{
"product_name": "ImageCast X firmware",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "Version 5.5-A",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-250"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Applications on the tested version of Dominion Voting Systems ImageCast X can execute code with elevated privileges by exploiting a system level service. An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code."
}
]
}
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01"
}
]
},
"work_around": [],
"solution": [],
"credit": []
}

86
2022/1xxx/CVE-2022-1745.json
View File

@ -4,15 +4,93 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-1745",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "20220603T06:00:00.000000Z",
"TITLE": "2.2.7 AUTHENTICATION BYPASS BY SPOOFING CWE-290",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"discovery": "UNKNOWN",
"defect": [],
"advisory": ""
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Dominion Voting Systems",
"product": {
"product_data": [
{
"product_name": "ImageCast X application",
"version": {
"version_data": [
{
"version_name": "Version 5.5-A",
"version_affected": "=",
"version_value": "Versions 5.5.10.30 and 5.5.10.32",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Dominion Voting Systems",
"product": {
"product_data": [
{
"product_name": "ImageCast X firmware",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "Version 5.5-A",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-290 Authentication Bypass by Spoofing"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "The authentication mechanism used by technicians on the tested version of Dominion Voting Systems ImageCast X is susceptible to forgery. An attacker with physical access may use this to gain administrative privileges on a device and install malicious code or perform arbitrary administrative actions."
}
]
}
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01"
}
]
},
"work_around": [],
"solution": [],
"credit": []
}

86
2022/1xxx/CVE-2022-1746.json
View File

@ -4,15 +4,93 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-1746",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "20220603T06:00:00.000000Z",
"TITLE": "2.2.8 INCORRECT PRIVILEGE ASSIGNMENT CWE-266",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"discovery": "UNKNOWN",
"defect": [],
"advisory": ""
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Dominion Voting Systems",
"product": {
"product_data": [
{
"product_name": "ImageCast X application",
"version": {
"version_data": [
{
"version_name": "Version 5.5-A",
"version_affected": "=",
"version_value": "Versions 5.5.10.30 and 5.5.10.32",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Dominion Voting Systems",
"product": {
"product_data": [
{
"product_name": "ImageCast X firmware",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "Version 5.5-A",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-266"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "The authentication mechanism used by poll workers to administer voting using the tested version of Dominion Voting Systems ImageCast X can expose cryptographic secrets used to protect election information. An attacker could leverage this vulnerability to gain access to sensitive information and perform privileged actions, potentially affecting other election equipment."
}
]
}
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01"
}
]
},
"work_around": [],
"solution": [],
"credit": []
}

86
2022/1xxx/CVE-2022-1747.json
View File

@ -4,15 +4,93 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-1747",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "20220603T06:00:00.000000Z",
"TITLE": "",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"discovery": "UNKNOWN",
"defect": [],
"advisory": ""
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Dominion Voting Systems",
"product": {
"product_data": [
{
"product_name": "ImageCast X firmware",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": "=",
"version_value": "Version 5.5-A",
"platform": ""
}
]
}
}
]
}
},
{
"vendor_name": "Dominion Voting Systems",
"product": {
"product_data": [
{
"product_name": "ImageCast X application",
"version": {
"version_data": [
{
"version_name": "Version 5.5-A",
"version_affected": "=",
"version_value": "Versions 5.5.10.30 and 5.5.10.32",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-346 Origin Validation Error"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "The authentication mechanism used by voters to activate a voting session on the tested version of Dominion Voting Systems ImageCast X is susceptible to forgery. An attacker could leverage this vulnerability to print an arbitrary number of ballots without authorization."
}
]
}
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01"
}
]
},
"work_around": [],
"solution": [],
"credit": []
}

60
2022/21xxx/CVE-2022-21829.json
View File

@ -4,14 +4,68 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-21829",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "n/a",
"product": {
"product_data": [
{
"product_name": "https://github.com/concrete5/concrete5",
"version": {
"version_data": [
{
"version_value": "Remediated in Concrete CMS 8.5.8 and 9.1.0. Affected Versions are Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cleartext Transmission of Sensitive Information (CWE-319)"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes",
"url": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes"
},
{
"refsource": "MISC",
"name": "https://hackerone.com/reports/1482520,",
"url": "https://hackerone.com/reports/1482520,"
},
{
"refsource": "MISC",
"name": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes,",
"url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes,"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing \u2018concrete_secure\u2019 instead of \u2018concrete\u2019. Concrete now only makes requests over https even a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting HackerOne 1482520."
}
]
}

97
2022/23xxx/CVE-2022-23170.json
View File

@ -1,18 +1,103 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "cna@cyber.gov.il",
"DATE_PUBLIC": "2022-06-14T08:07:00.000Z",
"ID": "CVE-2022-23170",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "SysAid - Okta SSO integration"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"version": {
"version_data": [
{
"version_affected": ">=",
"version_name": "22.1.49",
"version_value": "22.1.63"
}
]
},
"product_name": "SysAid - Okta SSO integration"
}
]
},
"vendor_name": "Sysaid"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Niv Levy - CyberArk"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploit the XXE vulnerability by sending a malformed POST request to the identity provider endpoint. An attacker can extract the identity provider endpoint by decoding the SAMLRequest parameter's value and searching for the AssertionConsumerServiceURL parameter's value. It often allows an attacker to view files on the application server filesystem and interact with any back-end or external systems that the application can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611 Improper Restriction of XML External Entity Reference ('XXE')"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.gov.il/en/departments/faq/cve_advisories",
"name": "https://www.gov.il/en/departments/faq/cve_advisories"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Update to 22.1.50 cloud version, or to 22.1.64 on premise version."
}
],
"source": {
"defect": [
"ILVN-2022-0025"
],
"discovery": "EXTERNAL"
}
}

50
2022/28xxx/CVE-2022-28619.json
View File

@ -4,14 +4,58 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-28619",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-alert@hpe.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "n/a",
"product": {
"product_data": [
{
"product_name": "HPE Version Control Repository Manager",
"version": {
"version_data": [
{
"version_value": "Prior to v7.6.14.0"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "local escalation of privilege"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04310en_us",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04310en_us"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "A potential security vulnerability has been identified in the installer of HPE Version Control Repository Manager. The vulnerability could allow local escalation of privilege. HPE has made the following software update to resolve the vulnerability in HPE Version Control Repository Manager installer 7.6.14.0."
}
]
}

56
2022/28xxx/CVE-2022-28620.json
View File

@ -4,14 +4,64 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-28620",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-alert@hpe.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "n/a",
"product": {
"product_data": [
{
"product_name": "Cray Legacy Shasta System Solutions; HPE Slingshot; HPE Cray EX supercomputers",
"version": {
"version_data": [
{
"version_value": "All versions of node controller firmware associated with HPE Cray EX liquid cooled blades, and all versions of chassis controller firmware associated with HPE Cray EX liquid cooled cabinets prior to 1.6.27/1.5.33/1.4.27"
},
{
"version_value": "- All Slingshot versions prior to 1.7.2"
},
{
"version_value": "- All versions of node controller firmware associated with HPE Cray EX liquid cooled blades, and all versions of chassis controller firmware associated with HPE Cray EX liquid cooled cabinets prior to 1.6.27/1.5.33/1.4.27"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "remote authentication bypass"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbcr04284en_us",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbcr04284en_us"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "A remote authentication bypass vulnerability was discovered in HPE Cray Legacy Shasta System Solutions; HPE Slingshot; and HPE Cray EX supercomputers versions: Prior to node controller firmware associated with HPE Cray EX liquid cooled blades, and all versions of chassis controller firmware associated with HPE Cray EX liquid cooled cabinets prior to 1.6.27/1.5.33/1.4.27; All Slingshot versions prior to 1.7.2; All versions of node controller firmware associated with HPE Cray EX liquid cooled blades, and all versions of chassis controller firmware associated with HPE Cray EX liquid cooled cabinets prior to 1.6.27/1.5.33/1.4.27. HPE has provided a software update to resolve this vulnerability in HPE Cray Legacy Shasta System Solutions, HPE Slingshot, and HPE Cray EX Supercomputers."
}
]
}

5
2022/29xxx/CVE-2022-29776.json
View File

@ -61,6 +61,11 @@
"url": "https://github.com/ONLYOFFICE/core/commit/88cf60a3ed4a2b40d71a1c2ced72fa3902a30967",
"refsource": "MISC",
"name": "https://github.com/ONLYOFFICE/core/commit/88cf60a3ed4a2b40d71a1c2ced72fa3902a30967"
},
{
"refsource": "MISC",
"name": "https://github.com/moehw/poc_exploits/tree/master/CVE-2022-29776",
"url": "https://github.com/moehw/poc_exploits/tree/master/CVE-2022-29776"
}
]
}

5
2022/29xxx/CVE-2022-29777.json
View File

@ -61,6 +61,11 @@
"url": "https://github.com/ONLYOFFICE/core/commit/b17d5e860f30e8be2caeb0022b63be4c76660178",
"refsource": "MISC",
"name": "https://github.com/ONLYOFFICE/core/commit/b17d5e860f30e8be2caeb0022b63be4c76660178"
},
{
"refsource": "MISC",
"name": "https://github.com/moehw/poc_exploits/tree/master/CVE-2022-29777",
"url": "https://github.com/moehw/poc_exploits/tree/master/CVE-2022-29777"
}
]
}

113
2022/2xxx/CVE-2022-2102.json
View File

@ -1,18 +1,117 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2022-06-23T17:01:00.000Z",
"ID": "CVE-2022-2102",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Secheron SEPCOS Control and Protection Relay"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SEPCOS Control and Protection Relay firmware package",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.23.21"
},
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.24.8"
},
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.25.3"
}
]
}
}
]
},
"vendor_name": "Secheron"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Controls limiting uploads to certain file extensions may be bypassed. This could allow an attacker to intercept the initial file upload page response and modify the associated code. This modified code can be forwarded and used by a script loaded later in the sequence, allowing for arbitrary file upload into a location where PHP scripts may be executed."
}
]
}
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-841 IMPROPER ENFORCEMENT OF BEHAVIORAL WORKFLOW"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version"
}
],
"source": {
"advisory": "ICSA-22-174-03",
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "eng",
"value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access."
}
]
}

113
2022/2xxx/CVE-2022-2103.json
View File

@ -1,18 +1,117 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2022-06-23T17:01:00.000Z",
"ID": "CVE-2022-2103",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Secheron SEPCOS Control and Protection Relay"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SEPCOS Control and Protection Relay firmware package",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.23.21"
},
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.24.8"
},
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.25.3"
}
]
}
}
]
},
"vendor_name": "Secheron"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "An attacker with weak credentials could access the TCP port via an open FTP port, allowing an attacker to read sensitive files and write to remotely executable directories."
}
]
}
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version"
}
],
"source": {
"advisory": "ICSA-22-174-03",
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "eng",
"value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access."
}
]
}

113
2022/2xxx/CVE-2022-2104.json
View File

@ -1,18 +1,117 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2022-06-23T17:01:00.000Z",
"ID": "CVE-2022-2104",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Secheron SEPCOS Control and Protection Relay"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SEPCOS Control and Protection Relay firmware package",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.23.21"
},
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.24.8"
},
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.25.3"
}
]
}
}
]
},
"vendor_name": "Secheron"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "The www-data (Apache web server) account is configured to run sudo with no password for many commands (including /bin/sh and /bin/bash)."
}
]
}
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-269 Improper Privilege Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version"
}
],
"source": {
"advisory": "ICSA-22-174-03",
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "eng",
"value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access."
}
]
}

113
2022/2xxx/CVE-2022-2105.json
View File

@ -1,18 +1,117 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2022-06-23T17:01:00.000Z",
"ID": "CVE-2022-2105",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Secheron SEPCOS Control and Protection Relay"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SEPCOS Control and Protection Relay firmware package",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.23.21"
},
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.24.8"
},
{
"version_affected": "<",
"version_name": "All versions",
"version_value": "1.25.3"
}
]
}
}
]
},
"vendor_name": "Secheron"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Client-side JavaScript controls may be bypassed to change user credentials and permissions without authentication, including a \u201croot\u201d user level meant only for the vendor. Web server root level access allows for changing of safety critical parameters."
}
]
}
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-841 IMPROPER ENFORCEMENT OF BEHAVIORAL WORKFLOW"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version"
}
],
"source": {
"advisory": "ICSA-22-174-03",
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "eng",
"value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access."
}
]
}

82
2022/2xxx/CVE-2022-2119.json
View File

@ -1,18 +1,88 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2022-06-23T22:19:00.000Z",
"ID": "CVE-2022-2119",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "OFFIS DCMTK Path Traversal"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DCMTK",
"version": {
"version_data": [
{
"version_affected": "<",
"version_value": "3.6.7"
}
]
}
}
]
},
"vendor_name": "OFFIS"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "OFFIS DCMTK's (All versions prior to 3.6.7) service class provider (SCP) is vulnerable to path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-174-01",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-174-01"
}
]
},
"source": {
"advisory": "ICSMA-22-174-01",
"discovery": "UNKNOWN"
}
}

82
2022/2xxx/CVE-2022-2120.json
View File

@ -1,18 +1,88 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2022-06-23T22:19:00.000Z",
"ID": "CVE-2022-2120",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "OFFIS DCMTK Path Traversal"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DCMTK",
"version": {
"version_data": [
{
"version_affected": "<",
"version_value": "3.6.7"
}
]
}
}
]
},
"vendor_name": "OFFIS"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) is vulnerable to relative path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-23 Relative Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-174-01",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-174-01"
}
]
},
"source": {
"advisory": "ICSMA-22-174-01",
"discovery": "UNKNOWN"
}
}

82
2022/2xxx/CVE-2022-2121.json
View File

@ -1,18 +1,88 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2022-06-23T22:19:00.000Z",
"ID": "CVE-2022-2121",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "OFFIS DCMTK NULL Pointer Dereference"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DCMTK",
"version": {
"version_data": [
{
"version_affected": "<",
"version_value": "3.6.7"
}
]
}
}
]
},
"vendor_name": "OFFIS"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "OFFIS DCMTK's (All versions prior to 3.6.7) has a NULL pointer dereference vulnerability while processing DICOM files, which may result in a denial-of-service condition."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-476 NULL Pointer Dereference"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-174-01",
"name": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-174-01"
}
]
},
"source": {
"advisory": "ICSMA-22-174-01",
"discovery": "UNKNOWN"
}
}

18
2022/2xxx/CVE-2022-2197.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-2197",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

60
2022/30xxx/CVE-2022-30117.json
View File

@ -4,14 +4,68 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-30117",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "n/a",
"product": {
"product_data": [
{
"product_name": "https://github.com/concrete5/concrete5",
"version": {
"version_data": [
{
"version_value": "Remediated in Concrete CMS 8.5.8 and 9.1.0. Affected Versions are Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://hackerone.com/reports/1482280",
"url": "https://hackerone.com/reports/1482280"
},
{
"refsource": "MISC",
"name": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes",
"url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes"
},
{
"refsource": "MISC",
"name": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes",
"url": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn\u2019t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations.Concrete CMS Security team ranked this 5.8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. Credit to Siebene for reporting."
}
]
}

60
2022/30xxx/CVE-2022-30118.json
View File

@ -4,14 +4,68 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-30118",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "n/a",
"product": {
"product_data": [
{
"product_name": "https://github.com/concrete5/concrete5",
"version": {
"version_data": [
{
"version_value": "Remediated in Concrete CMS 8.5.8 and 9.1.0. Affected Versions are Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Reflected (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes",
"url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes"
},
{
"refsource": "MISC",
"name": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes",
"url": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes"
},
{
"refsource": "MISC",
"name": "https://hackerone.com/reports/1370054",
"url": "https://hackerone.com/reports/1370054"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting."
}
]
}

60
2022/30xxx/CVE-2022-30119.json
View File

@ -4,14 +4,68 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-30119",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "n/a",
"product": {
"product_data": [
{
"product_name": "https://github.com/concrete5/concrete5",
"version": {
"version_data": [
{
"version_value": "Remediated in Concrete CMS 8.5.8 and 9.1.0. Affected Versions are Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Reflected (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes",
"url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes"
},
{
"refsource": "MISC",
"name": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes",
"url": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes"
},
{
"refsource": "MISC",
"name": "https://hackerone.com/reports/1370054",
"url": "https://hackerone.com/reports/1370054"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting."
}
]
}

60
2022/30xxx/CVE-2022-30120.json
View File

@ -4,14 +4,68 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-30120",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "n/a",
"product": {
"product_data": [
{
"product_name": "https://github.com/concrete5/concrete5",
"version": {
"version_data": [
{
"version_value": "Remediated in Concrete CMS 8.5.8 and 9.1.0. Affected Versions are Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Reflected (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes",
"url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes"
},
{
"refsource": "MISC",
"name": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes",
"url": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes"
},
{
"refsource": "MISC",
"name": "https://hackerone.com/reports/1363598",
"url": "https://hackerone.com/reports/1363598"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting"
}
]
}

63
2022/31xxx/CVE-2022-31289.json
View File

@ -1,66 +1,17 @@
{
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-31289",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-31289",
"ASSIGNER": "cve@mitre.org",
"STATE": "REJECT"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** https://ossindex.sonatype.org/ Sonatype Nexus Repository Manager OSS 3.37.3-02 is affected by: Incorrect Access Control. The impact is: Authentication Bypass (remote). The component is: Admin Panel. The attack vector is: With the help of response manipulation Attacker can bypass the login panel and view the dashboard menus, No user interaction is required. 1. Go to https://nexus.e-goi.com 2. Click on the Sign In button. 3. Enter the password as admin:admin. 4. Intercept the request in Burp Suite. 5. Capture the Response of the Request. 6. Change the Status Code from 403 Forbidden to 200 OK. 7. You will see the dashboard which provides the admin access. NOTE: third parties claim that the server application has not actually authenticated the request and no administrative actions are permitted which would not make this issue a vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://www.acunetix.com/vulnerabilities/web/tag/authentication-bypass/",
"refsource": "MISC",
"name": "https://www.acunetix.com/vulnerabilities/web/tag/authentication-bypass/"
},
{
"refsource": "MISC",
"name": "https://medium.com/@pmmali/my-first-cve-2022-31289-4081c57e90fb",
"url": "https://medium.com/@pmmali/my-first-cve-2022-31289-4081c57e90fb"
"value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
}
]
}

50
2022/32xxx/CVE-2022-32209.json
View File

@ -4,14 +4,58 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-32209",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "n/a",
"product": {
"product_data": [
{
"product_name": "https://github.com/rails/rails-html-sanitizer",
"version": {
"version_data": [
{
"version_value": "v1.4.3"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Generic (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://hackerone.com/reports/1530898",
"url": "https://hackerone.com/reports/1530898"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "# Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements.Code is only impacted if allowed tags are being overridden. This may be done via application configuration:```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = [\"select\", \"style\"]```see https://guides.rubyonrails.org/configuring.html#configuring-action-viewOr it may be done with a `:tags` option to the Action View helper `sanitize`:```<%= sanitize @comment.body, tags: [\"select\", \"style\"] %>```see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitizeOr it may be done with Rails::Html::SafeListSanitizer directly:```ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]```or```ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"select\", \"style\"])```All users overriding the allowed tags by any of the above mechanisms to include both \"select\" and \"style\" should either upgrade or use one of the workarounds immediately.## ReleasesThe FIXED releases are available at the normal locations.## WorkaroundsRemove either `select` or `style` from the overridden allowed tags.## CreditsThis vulnerability was responsibly reported by [windshock](https://hackerone.com/windshock?type=user)."
}
]
}

18
2022/34xxx/CVE-2022-34468.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34468",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/34xxx/CVE-2022-34469.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34469",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/34xxx/CVE-2022-34470.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34470",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/34xxx/CVE-2022-34471.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34471",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/34xxx/CVE-2022-34472.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34472",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/34xxx/CVE-2022-34473.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34473",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/34xxx/CVE-2022-34474.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34474",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/34xxx/CVE-2022-34475.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34475",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/34xxx/CVE-2022-34476.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34476",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/34xxx/CVE-2022-34477.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34477",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/34xxx/CVE-2022-34478.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34478",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/34xxx/CVE-2022-34479.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34479",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/34xxx/CVE-2022-34480.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34480",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/34xxx/CVE-2022-34481.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34481",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/34xxx/CVE-2022-34482.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34482",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/34xxx/CVE-2022-34483.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34483",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/34xxx/CVE-2022-34484.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34484",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/34xxx/CVE-2022-34485.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-34485",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}