From 552b1934bc3b2c09da9c258dbede71c5c9addfd7 Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Tue, 19 Apr 2022 21:01:45 +0000
Subject: [PATCH] "-Synchronized-Data."
---
 2021/26xxx/CVE-2021-26625.json | 81 ++++++++++++++++++++++++--
 2021/26xxx/CVE-2021-26626.json | 81 ++++++++++++++++++++++++--
 2021/26xxx/CVE-2021-26627.json | 82 ++++++++++++++++++++++++--
 2021/40xxx/CVE-2021-40167.json | 6 +-
 2022/1xxx/CVE-2022-1384.json | 96 +++++++++++++++++++++++++++++--
 2022/1xxx/CVE-2022-1385.json | 101 +++++++++++++++++++++++++++++++--
 2022/25xxx/CVE-2022-25788.json | 50 +++++++++++++++-
 2022/27xxx/CVE-2022-27836.json | 2 +-
 2022/27xxx/CVE-2022-27862.json | 99 ++++++++++++++++++++++++++++++--
 2022/27xxx/CVE-2022-27863.json | 99 ++++++++++++++++++++++++++++++--
 10 files changed, 648 insertions(+), 49 deletions(-)
diff --git a/2021/26xxx/CVE-2021-26625.json b/2021/26xxx/CVE-2021-26625.json
index 5bce52b25e9..ff2acd3a91f 100644
--- a/2021/26xxx/CVE-2021-26625.json
+++ b/2021/26xxx/CVE-2021-26625.json
@@ -1,18 +1,87 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "vuln@krcert.or.kr",
 "ID": "CVE-2021-26625",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "tobesoft Nexacro arbitrary file download vulnerability"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Nexacro 17",
+ "version": {
+ "version_data": [
+ {
+ "platform": "Windows",
+ "version_affected": "<=",
+ "version_value": "17.1.2.600"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "tobesoft Co.,Ltd"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Insufficient Verification of input Data leading to arbitrary file download and execute was discovered in Nexacro platform. This vulnerability is caused by an automatic update function that does not verify input data except version information. Remote attackers can use this incomplete validation logic to download and execute arbitrary malicious file."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 8.8,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-345 Insufficient Verification of Data Authenticity"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66661",
+ "name": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66661"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "UNKNOWN"
 }
 }
\ No newline at end of file
diff --git a/2021/26xxx/CVE-2021-26626.json b/2021/26xxx/CVE-2021-26626.json
index 134f13e3a14..2522c6d6688 100644
--- a/2021/26xxx/CVE-2021-26626.json
+++ b/2021/26xxx/CVE-2021-26626.json
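Review bot: Every record rewritten in this commit is written without a trailing newline (`\ No newline at end of file` after the closing brace here and in CVE-2021-26626, CVE-2021-26627, CVE-2022-1384, CVE-2022-1385, CVE-2022-27862 and CVE-2022-27863), so the next edit to any of these files will show a spurious change on its last `}` line. Files under version control conventionally end with a single `\n`; the emitting tool (the `generator` block names `Vulnogram 0.0.9`) or the sync step should add it. The record content itself is internally consistent: the CVSS metric fields agree with the `vectorString` and the 8.8 score.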
@@ -1,18 +1,87 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "vuln@krcert.or.kr",
 "ID": "CVE-2021-26626",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "tobesoft XPLATFORM Arbitrary file execution Vulnerability"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "XPLATFORM",
+ "version": {
+ "version_data": [
+ {
+ "platform": "Windows",
+ "version_affected": "<",
+ "version_value": "9.2.2.280"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "tobesoft Co.,Ltd"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Improper input validation vulnerability in XPLATFORM's execBrowser method can cause execute arbitrary commands. IF the second parameter value of the execBrowser function is \u2018default\u2019, the first parameter value could be passed to the ShellExecuteW API. The passed parameter is an arbitrary code to be executed. Remote attackers can use this vulnerability to execute arbitrary remote code."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 8.1,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-20 Improper Input Validation"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66662",
+ "name": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66662"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "UNKNOWN"
 }
 }
\ No newline at end of file
diff --git a/2021/26xxx/CVE-2021-26627.json b/2021/26xxx/CVE-2021-26627.json
index a4d2a85ac17..3cd0c76635b 100644
--- a/2021/26xxx/CVE-2021-26627.json
+++ b/2021/26xxx/CVE-2021-26627.json
@@ -1,18 +1,88 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "vuln@krcert.or.kr",
 "ID": "CVE-2021-26627",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "EDrhyme QCP 200W Information Exposure Vulnerability"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "QCP 200W",
+ "version": {
+ "version_data": [
+ {
+ "platform": "Windows, Android",
+ "version_affected": "=",
+ "version_name": "No version information",
+ "version_value": "No version information"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "EDrhyme Co.,Ltd"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Real-time image information exposure is caused by insufficient authentication for activated RTSP port. This vulnerability could allow to remote attackers to send the RTSP requests using ffplay command and lead to leakage a live image."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-284 Improper Access Control"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66663",
+ "name": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66663"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "UNKNOWN"
 }
 }
\ No newline at end of file
diff --git a/2021/40xxx/CVE-2021-40167.json b/2021/40xxx/CVE-2021-40167.json
index b877060ff20..bbdd18deb85 100644
--- a/2021/40xxx/CVE-2021-40167.json
+++ b/2021/40xxx/CVE-2021-40167.json
@@ -19,7 +19,7 @@
 "version": {
 "version_data": [
 {
- "version_value": "2018,\u00a02017,\u00a02013, 2012, 2011"
+ "version_value": "2018"
 }
 ]
 }
@@ -36,7 +36,7 @@
 "description": [
 {
 "lang": "eng",
- "value": "Memory Corruption"
+ "value": "Memory Corruption Vulnerability"
 }
 ]
 }
@@ -55,7 +55,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "A Memory Corruption Vulnerability may lead to remote code execution through maliciously crafted DWF and TGA files in Autodesk Design Review 2018."
+ "value": "A malicious crafted dwf file when consumed through DesignReview.exe application could lead to memory corruption vulnerability by read access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process."
 }
 ]
 }
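Review bot: The `version_data` entry for QCP 200W carries the prose `No version information` in both `version_name` and `version_value` together with `"version_affected": "="`, so any consumer that compares versions treats that sentence as an exact version string and will never match a real firmware version. Elsewhere in this commit the unknown-value placeholder is the short `n/a` (CVE-2022-25788's `vendor_name`); use the same convention here, `"version_value": "n/a"`, and drop the duplicated `version_name`, rather than prose in a version field. The `"platform": "Windows, Android"` value likewise packs two platforms into one comma-separated string; two `version_data` entries, one per platform, keep the record machine-readable.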
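Review bot: The `problemtype` value in the second hunk remains free text, `Memory Corruption Vulnerability`, with no CWE identifier, while the other records published in this commit use the `CWE-nnn Name` form (for example CVE-2021-26625's `CWE-345 Insufficient Verification of Data Authenticity`), so a consumer keyed on CWE ids cannot classify this entry. The same applies to CVE-2022-25788's `BufferOverflow Write`. The rewrite in the third hunk also drops the previous mention of TGA files and the first hunk narrows `version_value` from five Design Review releases to `2018`; that may well be the CNA's corrected scope, but nothing in the record or the commit message records why the earlier claim was withdrawn, so readers of the old record lose that information silently.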
diff --git a/2022/1xxx/CVE-2022-1384.json b/2022/1xxx/CVE-2022-1384.json
index 92e6f3da2de..4c4230fb14b 100644
--- a/2022/1xxx/CVE-2022-1384.json
+++ b/2022/1xxx/CVE-2022-1384.json
@@ -1,18 +1,102 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "responsibledisclosure@mattermost.com",
 "ID": "CVE-2022-1384",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "Authorized users are allowed to install old plugin versions from the Marketplace"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Mattermost",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_value": "6.4"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Mattermost"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy."
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "LOW",
+ "baseScore": 4.7,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "HIGH",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-477 Use of Obsolete Function"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "url": "https://mattermost.com/security-updates/",
+ "name": "https://mattermost.com/security-updates/"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "eng",
+ "value": "Update Mattermost to version v6.5 or higher"
+ }
+ ],
+ "source": {
+ "advisory": "MMSA-2022-0095",
+ "defect": [
+ "https://mattermost.atlassian.net/browse/MM-41885"
+ ],
+ "discovery": "INTERNAL"
 }
 }
\ No newline at end of file
diff --git a/2022/1xxx/CVE-2022-1385.json b/2022/1xxx/CVE-2022-1385.json
index 946327ad458..052aec3994b 100644
--- a/2022/1xxx/CVE-2022-1385.json
+++ b/2022/1xxx/CVE-2022-1385.json
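Review bot: The affected range `"version_affected": "<="`, `"version_value": "6.4"` does not match the description's `Mattermost version 6.4.x and earlier`: a consumer comparing version strings reads `<= 6.4` as excluding 6.4.1 and later 6.4 patch releases, which the text says are affected. The sibling record CVE-2022-1385 in this same commit, from the same assigner and with the identical `Update Mattermost to version v6.5 or higher` solution, encodes the range as `"version_affected": "<"`, `"version_value": "6.5.0"`; using that form here makes the two records consistent and matches the description. The weakness mapping `CWE-477 Use of Obsolete Function` describes a program calling a deprecated API, whereas the flaw described is a missing version check that lets an administrator install an outdated plugin; that mapping looks worth confirming with the CNA.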
@@ -1,18 +1,107 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "responsibledisclosure@mattermost.com",
 "ID": "CVE-2022-1385",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "Invitation Email is resent as a Reminder after invalidating pending email invites"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Mattermost",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_value": "6.5.0"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Mattermost"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Thanks to mr_anon (mr_anksec) for contributing to this improvement under the Mattermost responsible disclosure policy."
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 3.7,
+ "baseSeverity": "LOW",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-664 Improper Control of a Resource Through its Lifetime"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "url": "https://mattermost.com/security-updates/",
+ "name": "https://mattermost.com/security-updates/"
+ },
+ {
+ "refsource": "MISC",
+ "url": "https://hackerone.com/reports/1486820",
+ "name": "https://hackerone.com/reports/1486820"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "eng",
+ "value": "Update Mattermost to version v6.5 or higher"
+ }
+ ],
+ "source": {
+ "advisory": "MMSA-2022-0092",
+ "defect": [
+ "https://mattermost.atlassian.net/browse/MM-42026"
+ ],
+ "discovery": "EXTERNAL"
 }
 }
\ No newline at end of file
diff --git a/2022/25xxx/CVE-2022-25788.json b/2022/25xxx/CVE-2022-25788.json
index bd8b4e129d7..7baf6b7beab 100644
--- a/2022/25xxx/CVE-2022-25788.json
+++ b/2022/25xxx/CVE-2022-25788.json
@@ -4,14 +4,58 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2022-25788",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "psirt@autodesk.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "n/a",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Autodesk Advanced Steel, Civil 3D, AutoCAD, AutoCAD LT, AutoCAD Architecture, AutoCAD Electrical, AutoCAD Map 3D, AutoCAD Mechanical, AutoCAD MEP, AutoCAD Plant 3D",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "2022, 2021, 2020, 2019"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "BufferOverflow Write"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0002",
+ "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0002"
+ }
+ ]
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "A maliciously crafted JT file in Autodesk AutoCAD 2022 may be used to write beyond the allocated buffer while parsing JT files. This vulnerability can be exploited to execute arbitrary code."
 }
 ]
 }
diff --git a/2022/27xxx/CVE-2022-27836.json b/2022/27xxx/CVE-2022-27836.json
index c642278fba5..658e79e0542 100644
--- a/2022/27xxx/CVE-2022-27836.json
+++ b/2022/27xxx/CVE-2022-27836.json
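Review bot: `product_name` packs ten products into one comma-separated string (`Autodesk Advanced Steel, Civil 3D, AutoCAD, ...`) and `version_value` does the same with four release years, so a consumer cannot match a single product/version pair against this record; one `product_data` entry per product, each with its own `version_data`, is the shape the other records in this commit use. `vendor_name` is `n/a` although every listed product is Autodesk's and the assigner is `psirt@autodesk.com`; `"vendor_name": "Autodesk"` is the obvious value. The description names only `Autodesk AutoCAD 2022` while the affects block claims 2019 through 2022 across all ten products, so one of the two is under- or over-stated. The top-level object opens before this hunk and its closing brace follows it.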
@@ -36,7 +36,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "Improper access control and path traversal vulnerability in StroageManager and StroageManagerService prior to SMR Apr-2022 Release 1 allow local attackers to access arbitrary system files without a proper permission."
+ "value": "Improper access control and path traversal vulnerability in Storage Manager and Storage Manager Service prior to SMR Apr-2022 Release 1 allow local attackers to access arbitrary system files without a proper permission. The patch adds proper validation logic to prevent arbitrary files access."
 }
 ]
 },
diff --git a/2022/27xxx/CVE-2022-27862.json b/2022/27xxx/CVE-2022-27862.json
index b0efc1fe672..4db72f51b27 100644
--- a/2022/27xxx/CVE-2022-27862.json
+++ b/2022/27xxx/CVE-2022-27862.json
@@ -1,18 +1,105 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "audit@patchstack.com",
+ "DATE_PUBLIC": "2022-04-18T10:14:00.000Z",
 "ID": "CVE-2022-27862",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.5.3 - Arbitrary File Upload leading to RCE"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "VikBooking Hotel Booking Engine & PMS (WordPress plugin)",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "<= 1.5.3",
+ "version_value": "1.5.3"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "E4J s.r.l."
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Vulnerability discovered by Huli (Patchstack Alliance)"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Sensitive Information Exposure in E4J s.r.l. VikBooking Hotel Booking Engine & PMS plugin <= 1.5.3 on WordPress allows attackers to upload and execute dangerous file types (e.g. PHP shell) via the signature upload on the booking form."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9.8,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://wordpress.org/plugins/vikbooking/#developers",
+ "refsource": "CONFIRM",
+ "url": "https://wordpress.org/plugins/vikbooking/#developers"
+ },
+ {
+ "name": "https://patchstack.com/database/vulnerability/vikbooking/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-5-3-arbitrary-file-upload-leading-to-rce",
+ "refsource": "CONFIRM",
+ "url": "https://patchstack.com/database/vulnerability/vikbooking/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-5-3-arbitrary-file-upload-leading-to-rce"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "eng",
+ "value": "Update to 1.5.4 or higher version."
+ }
+ ],
+ "source": {
+ "discovery": "EXTERNAL"
 }
 }
\ No newline at end of file
diff --git a/2022/27xxx/CVE-2022-27863.json b/2022/27xxx/CVE-2022-27863.json
index 7a8413ce7a5..e7121af9e4c 100644
--- a/2022/27xxx/CVE-2022-27863.json
+++ b/2022/27xxx/CVE-2022-27863.json
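Review bot: The description opens with `Sensitive Information Exposure in E4J s.r.l. VikBooking ...`, but this record's `TITLE` (`Arbitrary File Upload leading to RCE`), its `problemtype` (`CWE-434 Unrestricted Upload of File with Dangerous Type`) and its 9.8 CVSS all describe an unrestricted file upload; the opening phrase appears to be carried over from the sibling CVE-2022-27863 in this commit, which is the information-exposure issue. Change the opening to match the weakness, e.g. `"value": "Unrestricted Upload of File with Dangerous Type in E4J s.r.l. VikBooking Hotel Booking Engine & PMS plugin <= 1.5.3 on WordPress allows attackers to upload and execute dangerous file types (e.g. PHP shell) via the signature upload on the booking form."`. Separately, `version_name` repeats the operator (`"<= 1.5.3"`) that `version_affected` already encodes, here and in CVE-2022-27863; a plain `1.5.3` or omitting `version_name` avoids the two fields drifting apart later.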
@@ -1,18 +1,105 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "audit@patchstack.com",
+ "DATE_PUBLIC": "2022-04-18T10:14:00.000Z",
 "ID": "CVE-2022-27863",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.5.3 - Sensitive Data Exposure vulnerability"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "VikBooking Hotel Booking Engine & PMS (WordPress plugin)",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "<= 1.5.3",
+ "version_value": "1.5.3"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "E4J s.r.l."
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Vulnerability discovered by Huli (Patchstack Alliance)"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Sensitive Information Exposure in E4J s.r.l. VikBooking Hotel Booking Engine & PMS plugin <= 1.5.3 on WordPress allows attackers to get the booking data by guessing / brute-forcing easy predictable booking IDs via search POST requests."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 5.3,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-200 Information Exposure"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://wordpress.org/plugins/vikbooking/#developers",
+ "refsource": "CONFIRM",
+ "url": "https://wordpress.org/plugins/vikbooking/#developers"
+ },
+ {
+ "name": "https://patchstack.com/database/vulnerability/vikbooking/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-5-3-sensitive-data-exposure-vulnerability",
+ "refsource": "CONFIRM",
+ "url": "https://patchstack.com/database/vulnerability/vikbooking/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-5-3-sensitive-data-exposure-vulnerability"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "eng",
+ "value": "Update to 1.5.4 or higher version."
+ }
+ ],
+ "source": {
+ "discovery": "EXTERNAL"
 }
 }
\ No newline at end of file