From 670ff231a0840bcfbbc8839cacbce8d9428eeab4 Mon Sep 17 00:00:00 2001 
From: zdi-team Date: Thu, 23 Jul 2020 14:25:18 -0500 Subject: [PATCH] ZDI assigns the following CVEs: M 2020/15xxx/CVE-2020-15420.json M 2020/15xxx/CVE-2020-15421.json M 2020/15xxx/CVE-2020-15422.json M 2020/15xxx/CVE-2020-15423.json M 2020/15xxx/CVE-2020-15424.json M 2020/15xxx/CVE-2020-15425.json M 2020/15xxx/CVE-2020-15426.json M 2020/15xxx/CVE-2020-15427.json M 2020/15xxx/CVE-2020-15428.json M 2020/15xxx/CVE-2020-15429.json M 2020/15xxx/CVE-2020-15430.json M 2020/15xxx/CVE-2020-15431.json M 2020/15xxx/CVE-2020-15432.json M 2020/15xxx/CVE-2020-15433.json M 2020/15xxx/CVE-2020-15434.json M 2020/15xxx/CVE-2020-15435.json M 2020/15xxx/CVE-2020-15606.json M 2020/15xxx/CVE-2020-15607.json M 2020/15xxx/CVE-2020-15608.json M 2020/15xxx/CVE-2020-15609.json M 2020/15xxx/CVE-2020-15610.json M 2020/15xxx/CVE-2020-15611.json M 2020/15xxx/CVE-2020-15612.json M 2020/15xxx/CVE-2020-15613.json M 2020/15xxx/CVE-2020-15614.json M 2020/15xxx/CVE-2020-15615.json M 2020/15xxx/CVE-2020-15616.json M 2020/15xxx/CVE-2020-15617.json M 2020/15xxx/CVE-2020-15618.json M 2020/15xxx/CVE-2020-15619.json M 2020/15xxx/CVE-2020-15620.json M 2020/15xxx/CVE-2020-15621.json M 2020/15xxx/CVE-2020-15622.json M 2020/15xxx/CVE-2020-15623.json M 2020/15xxx/CVE-2020-15624.json M 2020/15xxx/CVE-2020-15625.json M 2020/15xxx/CVE-2020-15626.json M 2020/15xxx/CVE-2020-15627.json M 2020/15xxx/CVE-2020-15628.json --- 2020/15xxx/CVE-2020-15420.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15421.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15422.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15423.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15424.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15425.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15426.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15427.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15428.json | 81 
+++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15429.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15430.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15431.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15432.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15433.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15434.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15435.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15606.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15607.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15608.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15609.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15610.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15611.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15612.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15613.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15614.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15615.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15616.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15617.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15618.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15619.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15620.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15621.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15622.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15623.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15624.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15625.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15626.json | 81 
+++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15627.json | 81 +++++++++++++++++++++++++++------- 2020/15xxx/CVE-2020-15628.json | 81 +++++++++++++++++++++++++++------- 39 files changed, 2535 insertions(+), 624 deletions(-)
diff --git a/2020/15xxx/CVE-2020-15420.json b/2020/15xxx/CVE-2020-15420.json
index 424eb23d6b3..07076ef4990 100644
--- a/2020/15xxx/CVE-2020-15420.json
+++ b/2020/15xxx/CVE-2020-15420.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15420",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15420",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-el7-0.9.8.891"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-el7-0.9.8.891. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within loader_ajax.php. When parsing the line parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9259."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-737/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15421.json b/2020/15xxx/CVE-2020-15421.json
index 17efc54ef46..29006ccbb96 100644
--- a/2020/15xxx/CVE-2020-15421.json
+++ b/2020/15xxx/CVE-2020-15421.json
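Review bot: The `version_data` entry for CVE-2020-15420 carries only `"version_value": "cwp-el7-0.9.8.891"` with no `version_affected` operator, so a consumer cannot tell whether only this build or every build up to it is vulnerable; the description likewise names one build and no fixed release. Tooling that matches the version string exactly would presumably miss neighbouring vulnerable builds. I would add the operator next to the value, e.g. `"version_affected": "="` if only this build was confirmed, or the range operator that fits, and state the fixed version once it is known. The same applies to the other CentOS Web Panel records in this patch (CVE-2020-15421 through CVE-2020-15432).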
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15421",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15421",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_mod_security.php. When parsing the check_ip parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9707."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-738/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15422.json b/2020/15xxx/CVE-2020-15422.json
index 4d9674366b5..d10956ee28e 100644
--- a/2020/15xxx/CVE-2020-15422.json
+++ b/2020/15xxx/CVE-2020-15422.json
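Review bot: The build string `cwp-e17.0.9.8.923` in `version_value` and in the description of CVE-2020-15421 does not follow the form used for CVE-2020-15420 in this same patch, `cwp-el7-0.9.8.891`: it has the digit `1` where that record has the letter `l`, and a `.` where that record has a `-`. This looks like a transcription slip, and where affected-version matching is done on the literal string it would keep the record from matching installed builds. If the vendor's naming is the one in the first record, the line should read `"version_value": "cwp-el7-0.9.8.923"`, with the description text changed to match. The same string appears in the hunks for CVE-2020-15422 through CVE-2020-15432.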
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15422",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15422",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_mod_security.php. When parsing the archivo parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9731."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-739/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15423.json b/2020/15xxx/CVE-2020-15423.json
index 4b9b6fc5492..2dbdb58146d 100644
--- a/2020/15xxx/CVE-2020-15423.json
+++ b/2020/15xxx/CVE-2020-15423.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15423",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15423",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_mod_security.php. When parsing the dominio parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9732."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-740/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15424.json b/2020/15xxx/CVE-2020-15424.json
index 77edcfb04eb..0529bfa118a 100644
--- a/2020/15xxx/CVE-2020-15424.json
+++ b/2020/15xxx/CVE-2020-15424.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15424",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15424",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_mod_security.php. When parsing the domain parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9735."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-741/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15425.json b/2020/15xxx/CVE-2020-15425.json
index 616c3f1c777..8c530f707d7 100644
--- a/2020/15xxx/CVE-2020-15425.json
+++ b/2020/15xxx/CVE-2020-15425.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15425",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15425",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_mod_security.php. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9742."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-742/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15426.json b/2020/15xxx/CVE-2020-15426.json
index 2c4e05ecc32..c78fc0eb51d 100644
--- a/2020/15xxx/CVE-2020-15426.json
+++ b/2020/15xxx/CVE-2020-15426.json
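Review bot: The description added for CVE-2020-15425 names `ajax_mod_security.php` but not the request parameter, while the four sibling records for the same file in this patch (CVE-2020-15421 to CVE-2020-15424) each name theirs: `check_ip`, `archivo`, `dominio`, `domain`. Without it a reader cannot tell whether this is a fifth input or overlaps one of those four, and has nothing specific to key a log review or a filtering rule on. I would name the affected parameter in the text the way the other records do, or say explicitly that it is not being disclosed.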
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15426",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15426",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_migration_cpanel.php. When parsing the serverip parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9709."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-743/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15427.json b/2020/15xxx/CVE-2020-15427.json
index 0a7ddd51ff2..0adc90483d3 100644
--- a/2020/15xxx/CVE-2020-15427.json
+++ b/2020/15xxx/CVE-2020-15427.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15427",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15427",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_disk_usage.php. When parsing the folderName parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9713."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-744/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15428.json b/2020/15xxx/CVE-2020-15428.json
index c73d394c52d..dba3dbfdf21 100644
--- a/2020/15xxx/CVE-2020-15428.json
+++ b/2020/15xxx/CVE-2020-15428.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15428",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15428",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_crons.php. When parsing the line parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9714."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-745/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15429.json b/2020/15xxx/CVE-2020-15429.json
index c991824c29d..38b7728cfaa 100644
--- a/2020/15xxx/CVE-2020-15429.json
+++ b/2020/15xxx/CVE-2020-15429.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15429",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15429",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_crons.php. When parsing the user parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9716."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-746/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15430.json b/2020/15xxx/CVE-2020-15430.json
index b8bcfc5a707..4c438263825 100644
--- a/2020/15xxx/CVE-2020-15430.json
+++ b/2020/15xxx/CVE-2020-15430.json
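Review bot: The description added for CVE-2020-15429 is word-for-word the one added for CVE-2020-15431 later in this patch: both name `ajax_crons.php` and the `user` parameter, and they differ only in the tracking number (ZDI-CAN-9716 here, ZDI-CAN-9740 there) and the advisory URL. As written the two records describe the same flaw, so either one is a duplicate assignment or a distinguishing detail, presumably a different action or code path, was lost when the text was filled in. I would add that detail to one of the two descriptions, or confirm with the assigner that both IDs are intended.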
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15430",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15430",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_list_accounts.php. When parsing the username parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9736."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-747/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15431.json b/2020/15xxx/CVE-2020-15431.json
index f6385a1dcde..9f8e00c5182 100644
--- a/2020/15xxx/CVE-2020-15431.json
+++ b/2020/15xxx/CVE-2020-15431.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15431",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15431",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_crons.php. When parsing the user parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9740."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-748/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15432.json b/2020/15xxx/CVE-2020-15432.json
index f608c9f4514..0b352b32a17 100644
--- a/2020/15xxx/CVE-2020-15432.json
+++ b/2020/15xxx/CVE-2020-15432.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15432",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15432",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_migration_cpanel.php. When parsing the filespace parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9743."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-749/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15433.json b/2020/15xxx/CVE-2020-15433.json
index 99eb1cf934f..0dbebae590f 100644
--- a/2020/15xxx/CVE-2020-15433.json
+++ b/2020/15xxx/CVE-2020-15433.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15433",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15433",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_php_pecl.php. When parsing the phpversion parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9715."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-750/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15434.json b/2020/15xxx/CVE-2020-15434.json
index 5e8db66ad51..2e6cb77f42c 100644
--- a/2020/15xxx/CVE-2020-15434.json
+++ b/2020/15xxx/CVE-2020-15434.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15434",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15434",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_php_pecl.php. When parsing the canal parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9745."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-751/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15435.json b/2020/15xxx/CVE-2020-15435.json
index d299cffb611..d90faf55a96 100644
--- a/2020/15xxx/CVE-2020-15435.json
+++ b/2020/15xxx/CVE-2020-15435.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15435",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15435",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_dashboard.php. When parsing the service_start parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9719."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-752/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15606.json b/2020/15xxx/CVE-2020-15606.json
index e24808d1dc1..b1882426874 100644
--- a/2020/15xxx/CVE-2020-15606.json
+++ b/2020/15xxx/CVE-2020-15606.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15606",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15606",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_admin_apis.php. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9720."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-753/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15607.json b/2020/15xxx/CVE-2020-15607.json
index d61e4f2d8a3..d0c3b2891db 100644
--- a/2020/15xxx/CVE-2020-15607.json
+++ b/2020/15xxx/CVE-2020-15607.json
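Review bot: The CVE-2020-15606 description names the file (ajax_admin_apis.php) but not the request parameter, unlike most sibling records in this commit, which say "When parsing the X parameter"; CVE-2020-15615 (ajax_ftp_manager.php) has the same generic sentence. Without the parameter, a defender cannot tell this record apart from CVE-2020-15607 and CVE-2020-15613, which concern the same file, or scope log review and filtering to the affected input. If the advisory identifies the input, reuse the sibling wording in the `value` string, with the parameter name taken from the advisory.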
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15607",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15607",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_admin_apis.php. When parsing the line parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9721."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-754/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15608.json b/2020/15xxx/CVE-2020-15608.json
index ec4f2669e26..74ed8242934 100644
--- a/2020/15xxx/CVE-2020-15608.json
+++ b/2020/15xxx/CVE-2020-15608.json
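Review bot: The CVE-2020-15607 description is word-for-word the same as the one added for CVE-2020-15613 later in this commit: both name ajax_admin_apis.php and the `line` parameter, and only the trailing `ZDI-CAN-9721` / `ZDI-CAN-9739` identifier and the advisory URL differ. If these are two separate code paths, each record should say what distinguishes them; as written, deduplication and patch-verification tooling will likely treat one as a duplicate of the other. If one of the two is a copy-paste slip, the file or parameter name needs correcting in that record.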
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15608",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15608",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_dashboard.php. When parsing the ai_service parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9724."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-755/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15609.json b/2020/15xxx/CVE-2020-15609.json
index c1ff89831be..e2350652327 100644
--- a/2020/15xxx/CVE-2020-15609.json
+++ b/2020/15xxx/CVE-2020-15609.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15609",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15609",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_dashboard.php. When parsing the service_stop parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9726."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-756/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15610.json b/2020/15xxx/CVE-2020-15610.json
index ae9f8d74306..d65ff05fb20 100644
--- a/2020/15xxx/CVE-2020-15610.json
+++ b/2020/15xxx/CVE-2020-15610.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15610",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15610",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_php_pecl.php. When parsing the modulo parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9728."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-757/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15611.json b/2020/15xxx/CVE-2020-15611.json
index c01823a176f..c3de12c42af 100644
--- a/2020/15xxx/CVE-2020-15611.json
+++ b/2020/15xxx/CVE-2020-15611.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15611",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15611",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_dashboard.php. When parsing the service_restart parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9734."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-758/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15612.json b/2020/15xxx/CVE-2020-15612.json
index 98a34e4d3f3..045b4ebb4ce 100644
--- a/2020/15xxx/CVE-2020-15612.json
+++ b/2020/15xxx/CVE-2020-15612.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15612",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15612",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_ftp_manager.php. When parsing the userLogin parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9737."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-759/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15613.json b/2020/15xxx/CVE-2020-15613.json
index 793d31436a8..53c8619a32a 100644
--- a/2020/15xxx/CVE-2020-15613.json
+++ b/2020/15xxx/CVE-2020-15613.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15613",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15613",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_admin_apis.php. When parsing the line parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9739."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-760/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15614.json b/2020/15xxx/CVE-2020-15614.json
index 7ec5c521906..1838311d2fa 100644
--- a/2020/15xxx/CVE-2020-15614.json
+++ b/2020/15xxx/CVE-2020-15614.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15614",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15614",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_php_pecl.php. When parsing the cha parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9718."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-761/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15615.json b/2020/15xxx/CVE-2020-15615.json
index 7e4f1f2d30a..a7b9fde533c 100644
--- a/2020/15xxx/CVE-2020-15615.json
+++ b/2020/15xxx/CVE-2020-15615.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15615",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15615",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_ftp_manager.php. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9746."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-762/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15616.json b/2020/15xxx/CVE-2020-15616.json
index 59b9f300c25..29cfe457f7b 100644
--- a/2020/15xxx/CVE-2020-15616.json
+++ b/2020/15xxx/CVE-2020-15616.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15616",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15616",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_list_accounts.php. When parsing the package parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9706."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-763/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15617.json b/2020/15xxx/CVE-2020-15617.json
index 78c3ac37490..d3500105ebc 100644
--- a/2020/15xxx/CVE-2020-15617.json
+++ b/2020/15xxx/CVE-2020-15617.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15617",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15617",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_list_accounts.php. When parsing the status parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9708."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-764/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15618.json b/2020/15xxx/CVE-2020-15618.json
index 9ce1b514929..c387c35045b 100644
--- a/2020/15xxx/CVE-2020-15618.json
+++ b/2020/15xxx/CVE-2020-15618.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15618",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15618",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_list_accounts.php. When parsing the username parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9717."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-765/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15619.json b/2020/15xxx/CVE-2020-15619.json
index fc73fe89345..4f93be0d132 100644
--- a/2020/15xxx/CVE-2020-15619.json
+++ b/2020/15xxx/CVE-2020-15619.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15619",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15619",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_list_accounts.php. When parsing the type parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9723."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-766/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15620.json b/2020/15xxx/CVE-2020-15620.json
index a1c5c0efd51..9a380bc9913 100644
--- a/2020/15xxx/CVE-2020-15620.json
+++ b/2020/15xxx/CVE-2020-15620.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15620",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15620",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_list_accounts.php. When parsing the id parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9741."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-767/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15621.json b/2020/15xxx/CVE-2020-15621.json
index 94640de56ca..84fdc3b4326 100644
--- a/2020/15xxx/CVE-2020-15621.json
+++ b/2020/15xxx/CVE-2020-15621.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15621",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15621",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_mail_autoreply.php. When parsing the email parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9711."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-768/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15622.json b/2020/15xxx/CVE-2020-15622.json
index 5e5c1ca0f7b..b667ac1afea 100644
--- a/2020/15xxx/CVE-2020-15622.json
+++ b/2020/15xxx/CVE-2020-15622.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15622",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15622",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_mail_autoreply.php. When parsing the search parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9712."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-769/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15623.json b/2020/15xxx/CVE-2020-15623.json
index 64d2082da30..a0b9dc60af4 100644
--- a/2020/15xxx/CVE-2020-15623.json
+++ b/2020/15xxx/CVE-2020-15623.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15623",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15623",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to write arbitrary files on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\n\nThe specific flaw exists within ajax_mod_security.php. When parsing the archivo parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9722."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-749: Exposed Dangerous Method or Function"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-770/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15624.json b/2020/15xxx/CVE-2020-15624.json
index f7d707204cf..de6a135fb69 100644
--- a/2020/15xxx/CVE-2020-15624.json
+++ b/2020/15xxx/CVE-2020-15624.json
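Review bot: The `problemtype` in the CVE-2020-15623 record, `CWE-749: Exposed Dangerous Method or Function`, does not match the flaw its own description gives, a user-supplied path in the `archivo` parameter that is not validated before it is used in file operations. That wording reads closer to a path-handling class such as CWE-22 or CWE-73, and consumers that triage or route by CWE would file this unauthenticated, root-context file write under the wrong weakness, so the identifier should be confirmed against ZDI-20-770 before the record is published. The same description also carries `\n\n\n` where the other records in this patch use `\n\n`; `vulnerability.\n\nThe specific flaw` would keep the paragraph break consistent.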
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15624",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15624",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_new_account.php. When parsing the domain parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9727."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-771/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15625.json b/2020/15xxx/CVE-2020-15625.json
index 14ee29f9c9e..4e6a7e2e8b3 100644
--- a/2020/15xxx/CVE-2020-15625.json
+++ b/2020/15xxx/CVE-2020-15625.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15625",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15625",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_add_mailbox.php. When parsing the username parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9729."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-772/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15626.json b/2020/15xxx/CVE-2020-15626.json
index 390fa510d1c..17104fc0eef 100644
--- a/2020/15xxx/CVE-2020-15626.json
+++ b/2020/15xxx/CVE-2020-15626.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15626",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15626",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_dashboard.php. When parsing the term parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9730."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-773/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15627.json b/2020/15xxx/CVE-2020-15627.json
index 009181d044d..a5866f6dda8 100644
--- a/2020/15xxx/CVE-2020-15627.json
+++ b/2020/15xxx/CVE-2020-15627.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15627",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15627",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_mail_autoreply.php. When parsing the account parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9738."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-774/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.0"
+ }
+ }
+}
diff --git a/2020/15xxx/CVE-2020-15628.json b/2020/15xxx/CVE-2020-15628.json
index ce3ab90881f..67bba5a415c 100644
--- a/2020/15xxx/CVE-2020-15628.json
+++ b/2020/15xxx/CVE-2020-15628.json
@@ -1,18 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ID": "CVE-2020-15628",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "CVE_data_meta": {
+ "ASSIGNER": "zdi-disclosures@trendmicro.com",
+ "ID": "CVE-2020-15628",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "CentOS Web Panel",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "cwp-e17.0.9.8.923"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "CentOS Web Panel"
+ }
+ ]
 }
-}
\ No newline at end of file
+ },
+ "credit": "@PaulosYibelo & CasperTea",
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ajax_mail_autoreply.php. When parsing the user parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9710."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-775/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.0"
+ }
+ }
+}