From 7083ac437b2c933d3ef5ef71ec91f6e5b99a3033 Mon Sep 17 00:00:00 2001 From: CVE Team Date: Tue, 25 Apr 2023 19:00:38 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2021/23xxx/CVE-2021-23166.json | 90 ++++++++++++++++++++++++-- 2021/23xxx/CVE-2021-23176.json | 90 ++++++++++++++++++++++++-- 2021/23xxx/CVE-2021-23178.json | 90 ++++++++++++++++++++++++-- 2021/23xxx/CVE-2021-23186.json | 90 ++++++++++++++++++++++++-- 2021/23xxx/CVE-2021-23203.json | 102 +++++++++++++++++++++++++++-- 2021/26xxx/CVE-2021-26263.json | 98 ++++++++++++++++++++++++++-- 2021/26xxx/CVE-2021-26947.json | 94 +++++++++++++++++++++++++-- 2021/44xxx/CVE-2021-44460.json | 90 ++++++++++++++++++++++++-- 2021/44xxx/CVE-2021-44461.json | 72 +++++++++++++++++++-- 2021/44xxx/CVE-2021-44465.json | 90 ++++++++++++++++++++++++-- 2021/44xxx/CVE-2021-44476.json | 90 ++++++++++++++++++++++++-- 2021/44xxx/CVE-2021-44547.json | 88 +++++++++++++++++++++++-- 2021/44xxx/CVE-2021-44775.json | 90 ++++++++++++++++++++++++-- 2021/45xxx/CVE-2021-45071.json | 102 +++++++++++++++++++++++++++-- 2021/45xxx/CVE-2021-45111.json | 94 +++++++++++++++++++++++++-- 2022/40xxx/CVE-2022-40482.json | 71 +++++++++++++++++++-- 2022/45xxx/CVE-2022-45291.json | 61 ++++++++++++++++-- 2023/25xxx/CVE-2023-25485.json | 113 +++++++++++++++++++++++++++++++-- 2023/25xxx/CVE-2023-25793.json | 113 +++++++++++++++++++++++++++++++-- 2023/28xxx/CVE-2023-28086.json | 57 +++++++++++++++-- 2023/28xxx/CVE-2023-28087.json | 57 +++++++++++++++-- 2023/28xxx/CVE-2023-28088.json | 57 +++++++++++++++-- 2023/28xxx/CVE-2023-28089.json | 57 +++++++++++++++-- 2023/28xxx/CVE-2023-28090.json | 57 +++++++++++++++-- 2023/29xxx/CVE-2023-29552.json | 5 ++ 2023/2xxx/CVE-2023-2282.json | 60 +++++++++++++++-- 2023/30xxx/CVE-2023-30838.json | 90 ++++++++++++++++++++++++-- 2023/30xxx/CVE-2023-30839.json | 90 ++++++++++++++++++++++++-- 28 files changed, 2146 insertions(+), 112 deletions(-) 
diff --git a/2021/23xxx/CVE-2021-23166.json b/2021/23xxx/CVE-2021-23166.json
index 9ca9f6a866c..6ac5eddfc40 100644
--- a/2021/23xxx/CVE-2021-23166.json
+++ b/2021/23xxx/CVE-2021-23166.json
@@ -1,17 +1,99 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-23166", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@odoo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Privilege Defined With Unsafe Actions" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Odoo", + "product": { + "product_data": [ + { + "product_name": "Odoo Community", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + }, + { + "product_name": "Odoo Enterprise", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/odoo/odoo/issues/107687", + "refsource": "MISC", + "name": "https://github.com/odoo/odoo/issues/107687" + } + ] + }, + "credits": [ + { + "lang": "eng", + "value": "Nils Hamerlinck" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.7, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": 
"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", + "version": "3.0" } ] }
diff --git a/2021/23xxx/CVE-2021-23176.json b/2021/23xxx/CVE-2021-23176.json
index dbf955461ae..1f04a6227d8 100644
--- a/2021/23xxx/CVE-2021-23176.json
+++ b/2021/23xxx/CVE-2021-23176.json
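Review bot: The `affects` block of CVE-2021-23166 pairs `"version_affected": "<="` with `"version_name": "0"` and `"version_value": "15.0"`, which reads as an attempt to encode the lower bound of the affected range in `version_name`; as far as I can tell the 4.0 record format treats `version_name` as a label for the version being described, not a range start, so a consumer that reads it literally sees an affected version named "0". If the intent is "every release up to and including 15.0", omitting `version_name` (as CVE-2021-44547 in this same commit does) or repeating the described version is less ambiguous. The same shape is used in CVE-2021-23176, -23178, -23186, -26947, -44460, -44465, -44476, -44775 and -45071, and with "14.0" or "13.0" as the name in CVE-2021-23203, -26263 and -44461, where the description's "14.0 through 15.0" is the only place the lower bound is actually stated.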
@@ -1,17 +1,99 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-23176", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@odoo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Improper access control in reporting engine of l10n_fr_fec module in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to extract accounting information via crafted RPC packets." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper Access Control" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Odoo", + "product": { + "product_data": [ + { + "product_name": "Odoo Community", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + }, + { + "product_name": "Odoo Enterprise", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/odoo/odoo/issues/107682", + "refsource": "MISC", + "name": "https://github.com/odoo/odoo/issues/107682" + } + ] + }, + "credits": [ + { + "lang": "eng", + "value": "Florent Mirieu de Labarre" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": 
"UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "version": "3.0" } ] }
diff --git a/2021/23xxx/CVE-2021-23178.json b/2021/23xxx/CVE-2021-23178.json
index 1b22697c8b1..c14c8011218 100644
--- a/2021/23xxx/CVE-2021-23178.json
+++ b/2021/23xxx/CVE-2021-23178.json
@@ -1,17 +1,99 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-23178", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@odoo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another user, causing the victim's payment method to be charged instead." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper Access Control" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Odoo", + "product": { + "product_data": [ + { + "product_name": "Odoo Community", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + }, + { + "product_name": "Odoo Enterprise", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/odoo/odoo/issues/107690", + "refsource": "MISC", + "name": "https://github.com/odoo/odoo/issues/107690" + } + ] + }, + "credits": [ + { + "lang": "eng", + "value": "Parth Gajjar" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": 
"NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "version": "3.0" } ] }
diff --git a/2021/23xxx/CVE-2021-23186.json b/2021/23xxx/CVE-2021-23186.json
index ed973596642..dd324d5ccc0 100644
--- a/2021/23xxx/CVE-2021-23186.json
+++ b/2021/23xxx/CVE-2021-23186.json
@@ -1,17 +1,99 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-23186", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@odoo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Privilege Defined With Unsafe Actions" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Odoo", + "product": { + "product_data": [ + { + "product_name": "Odoo Community", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + }, + { + "product_name": "Odoo Enterprise", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/odoo/odoo/issues/107688", + "refsource": "MISC", + "name": "https://github.com/odoo/odoo/issues/107688" + } + ] + }, + "credits": [ + { + "lang": "eng", + "value": "Nils Hamerlinck" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.7, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + 
"userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", + "version": "3.0" } ] }
diff --git a/2021/23xxx/CVE-2021-23203.json b/2021/23xxx/CVE-2021-23203.json
index 4daf7ba61b0..3071227ae14 100644
--- a/2021/23xxx/CVE-2021-23203.json
+++ b/2021/23xxx/CVE-2021-23203.json
@@ -1,17 +1,111 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-23203", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@odoo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper Access Control" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Odoo", + "product": { + "product_data": [ + { + "product_name": "Odoo Community", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "14.0", + "version_value": "15.0" + } + ] + } + }, + { + "product_name": "Odoo Enterprise", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "14.0", + "version_value": "15.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/odoo/odoo/issues/107695", + "refsource": "MISC", + "name": "https://github.com/odoo/odoo/issues/107695" + } + ] + }, + "credits": [ + { + "lang": "eng", + "value": "Tiffany Chang" + }, + { + "lang": "eng", + "value": "iamsushi" + }, + { + "lang": "eng", + "value": "Ranjit Pahan" + }, + { + "lang": "eng", + "value": "Iago Ruiz" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.5, + 
"baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" } ] }
diff --git a/2021/26xxx/CVE-2021-26263.json b/2021/26xxx/CVE-2021-26263.json
index 42f6d19532d..a0754b0cc25 100644
--- a/2021/26xxx/CVE-2021-26263.json
+++ b/2021/26xxx/CVE-2021-26263.json
@@ -1,17 +1,107 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-26263", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@odoo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Odoo", + "product": { + "product_data": [ + { + "product_name": "Odoo Community", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "14.0", + "version_value": "15.0" + } + ] + } + }, + { + "product_name": "Odoo Enterprise", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "14.0", + "version_value": "15.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/odoo/odoo/issues/107693", + "refsource": "MISC", + "name": "https://github.com/odoo/odoo/issues/107693" + } + ] + }, + "credits": [ + { + "lang": "eng", + "value": "Theodoros Malachias" + }, + { + "lang": "eng", + "value": "iamsushi" + }, + { + "lang": "eng", + "value": "Ranjit Pahan" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH", + 
"confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "version": "3.0" } ] }
diff --git a/2021/26xxx/CVE-2021-26947.json b/2021/26xxx/CVE-2021-26947.json
index 7e674faefa3..3ccc1275124 100644
--- a/2021/26xxx/CVE-2021-26947.json
+++ b/2021/26xxx/CVE-2021-26947.json
@@ -1,17 +1,103 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-26947", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@odoo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via a crafted link." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Odoo", + "product": { + "product_data": [ + { + "product_name": "Odoo Community", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + }, + { + "product_name": "Odoo Enterprise", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/odoo/odoo/issues/107694", + "refsource": "MISC", + "name": "https://github.com/odoo/odoo/issues/107694" + } + ] + }, + "credits": [ + { + "lang": "eng", + "value": "Nils Hamerlinck" + }, + { + "lang": "eng", + "value": "Andreas Perhab" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + 
"privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.0" } ] }
diff --git a/2021/44xxx/CVE-2021-44460.json b/2021/44xxx/CVE-2021-44460.json
index 17568fc00c2..18fb57db258 100644
--- a/2021/44xxx/CVE-2021-44460.json
+++ b/2021/44xxx/CVE-2021-44460.json
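Review bot: The new description of CVE-2021-26947 reads `Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier ...`, which is missing the preposition after "issue"; the published text should be `Cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers ...`. The description of CVE-2021-45071 later in this commit has the same omission.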
@@ -1,17 +1,99 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-44460", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@odoo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper Access Control" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Odoo", + "product": { + "product_data": [ + { + "product_name": "Odoo Community", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "13.0" + } + ] + } + }, + { + "product_name": "Odoo Enterprise", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "13.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/odoo/odoo/issues/107685", + "refsource": "MISC", + "name": "https://github.com/odoo/odoo/issues/107685" + } + ] + }, + "credits": [ + { + "lang": "eng", + "value": "Xavier Morel" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.4, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": 
"UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "version": "3.0" } ] }
diff --git a/2021/44xxx/CVE-2021-44461.json b/2021/44xxx/CVE-2021-44461.json
index 4864ad648c8..09a565098f8 100644
--- a/2021/44xxx/CVE-2021-44461.json
+++ b/2021/44xxx/CVE-2021-44461.json
@@ -1,17 +1,81 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-44461", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@odoo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Cross-site scripting (XSS) issue in Accounting app of Odoo Enterprise 13.0 through 15.0, allows remote attackers who are able to control the contents of accounting journal entries to inject arbitrary web script in the browser of a victim." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Odoo", + "product": { + "product_data": [ + { + "product_name": "Odoo Enterprise", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "13.0", + "version_value": "15.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/odoo/odoo/issues/107686", + "refsource": "MISC", + "name": "https://github.com/odoo/odoo/issues/107686" + } + ] + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", + "version": "3.0" } ] } 
diff --git a/2021/44xxx/CVE-2021-44465.json b/2021/44xxx/CVE-2021-44465.json
index f35f1c9e857..f5e785ee6ef 100644
--- a/2021/44xxx/CVE-2021-44465.json
+++ b/2021/44xxx/CVE-2021-44465.json
@@ -1,17 +1,99 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-44465", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@odoo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper Access Control" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Odoo", + "product": { + "product_data": [ + { + "product_name": "Odoo Community", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "13.0" + } + ] + } + }, + { + "product_name": "Odoo Enterprise", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "13.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/odoo/odoo/issues/107692", + "refsource": "MISC", + "name": "https://github.com/odoo/odoo/issues/107692" + } + ] + }, + "credits": [ + { + "lang": "eng", + "value": "Swapnesh Shah" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": 
"NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "version": "3.0" } ] }
diff --git a/2021/44xxx/CVE-2021-44476.json b/2021/44xxx/CVE-2021-44476.json
index b65ec4d653f..67ac431b559 100644
--- a/2021/44xxx/CVE-2021-44476.json
+++ b/2021/44xxx/CVE-2021-44476.json
@@ -1,17 +1,99 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-44476", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@odoo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration files." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Privilege Defined With Unsafe Actions" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Odoo", + "product": { + "product_data": [ + { + "product_name": "Odoo Community", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + }, + { + "product_name": "Odoo Enterprise", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/odoo/odoo/issues/107684", + "refsource": "MISC", + "name": "https://github.com/odoo/odoo/issues/107684" + } + ] + }, + "credits": [ + { + "lang": "eng", + "value": "Toufik Ben Jaa" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + 
"userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", + "version": "3.0" } ] }
diff --git a/2021/44xxx/CVE-2021-44547.json b/2021/44xxx/CVE-2021-44547.json
index d030f080991..348ccb7ecb5 100644
--- a/2021/44xxx/CVE-2021-44547.json
+++ b/2021/44xxx/CVE-2021-44547.json
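Review bot: In CVE-2021-44476, `"baseScore": 6.8` / `"baseSeverity": "MEDIUM"` does not match the `vectorString` `CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N` in the same `impact` entry: by the CVSS v3.0 equations that vector scores 7.1 HIGH (impact ≈ 4.22 plus exploitability ≈ 2.84, rounded up), and every other record in this commit carries a score consistent with its vector. Either the score should become `"baseScore": 7.1, "baseSeverity": "HIGH"` or the vector is the stale part and should be corrected instead. The description also attributes the issue to authenticated administrators while the vector says `PR:L`, so it is worth confirming with the assigner which of the two is intended before downstream consumers re-score it.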
@@ -1,17 +1,97 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-44547", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@odoo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0 allows authenticated administrators to executed arbitrary code, leading to privilege escalation." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Privilege Defined With Unsafe Actions" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Odoo", + "product": { + "product_data": [ + { + "product_name": "Odoo Community", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "15.0" + } + ] + } + }, + { + "product_name": "Odoo Enterprise", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "15.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/odoo/odoo/issues/107696", + "refsource": "MISC", + "name": "https://github.com/odoo/odoo/issues/107696" + } + ] + }, + "credits": [ + { + "lang": "eng", + "value": "Stephane Debauche" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.7, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", + 
"version": "3.0" } ] }
diff --git a/2021/44xxx/CVE-2021-44775.json b/2021/44xxx/CVE-2021-44775.json
index 1f6bed3929d..0642ad56f52 100644
--- a/2021/44xxx/CVE-2021-44775.json
+++ b/2021/44xxx/CVE-2021-44775.json
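Review bot: The new description of CVE-2021-44547 has a verb-form error: `allows authenticated administrators to executed arbitrary code` should read `allows authenticated administrators to execute arbitrary code, leading to privilege escalation.` This string is the published CVE text, so it is worth correcting in the source record rather than leaving it to downstream mirrors to paper over.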
@@ -1,17 +1,99 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-44775", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@odoo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Cross-site scripting (XSS) issue in Website app of Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Odoo", + "product": { + "product_data": [ + { + "product_name": "Odoo Community", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + }, + { + "product_name": "Odoo Enterprise", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/odoo/odoo/issues/107691", + "refsource": "MISC", + "name": "https://github.com/odoo/odoo/issues/107691" + } + ] + }, + "credits": [ + { + "lang": "eng", + "value": "Holger Brunn" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": 
"UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", + "version": "3.0" } ] }
diff --git a/2021/45xxx/CVE-2021-45071.json b/2021/45xxx/CVE-2021-45071.json
index 04411c5d257..4993f42be9a 100644
--- a/2021/45xxx/CVE-2021-45071.json
+++ b/2021/45xxx/CVE-2021-45071.json
@@ -1,17 +1,111 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-45071", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@odoo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via crafted uploaded file names." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Odoo", + "product": { + "product_data": [ + { + "product_name": "Odoo Community", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + }, + { + "product_name": "Odoo Enterprise", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/odoo/odoo/issues/107697", + "refsource": "MISC", + "name": "https://github.com/odoo/odoo/issues/107697" + } + ] + }, + "credits": [ + { + "lang": "eng", + "value": "Lauri Vakkala" + }, + { + "lang": "eng", + "value": "An\u0131l Y\u00fcksel" + }, + { + "lang": "eng", + "value": "Agustin Maio" + }, + { + "lang": "eng", + "value": "Johannes Moritz" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + 
"baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", + "version": "3.0" } ] } diff --git a/2021/45xxx/CVE-2021-45111.json b/2021/45xxx/CVE-2021-45111.json index 822f48194b6..25f34c54a49 100644 --- a/2021/45xxx/CVE-2021-45111.json +++ b/2021/45xxx/CVE-2021-45111.json 
@@ -1,17 +1,103 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-45111", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@odoo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper Access Control" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Odoo", + "product": { + "product_data": [ + { + "product_name": "Odoo Community", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + }, + { + "product_name": "Odoo Enterprise", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "0", + "version_value": "15.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/odoo/odoo/issues/107683", + "refsource": "MISC", + "name": "https://github.com/odoo/odoo/issues/107683" + } + ] + }, + "credits": [ + { + "lang": "eng", + "value": "Nils Hamerlinck" + }, + { + "lang": "eng", + "value": "Yenthe Van Ginneken" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + 
"privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", + "version": "3.0" } ] } diff --git a/2022/40xxx/CVE-2022-40482.json b/2022/40xxx/CVE-2022-40482.json index 0033bac4474..6fecc5c9882 100644 --- a/2022/40xxx/CVE-2022-40482.json +++ b/2022/40xxx/CVE-2022-40482.json 
@@ -1,17 +1,76 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2022-40482", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2022-40482", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the Illuminate\\Auth\\SessionGuard class when a user is found to not exist." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://ephort.dk/blog/laravel-timing-attack-vulnerability/", + "refsource": "MISC", + "name": "https://ephort.dk/blog/laravel-timing-attack-vulnerability/" + }, + { + "url": "https://github.com/ephort/laravel-user-enumeration-demo", + "refsource": "MISC", + "name": "https://github.com/ephort/laravel-user-enumeration-demo" + }, + { + "refsource": "CONFIRM", + "name": "https://github.com/laravel/framework/pull/44069", + "url": "https://github.com/laravel/framework/pull/44069" + }, + { + "refsource": "CONFIRM", + "name": "https://github.com/laravel/framework/releases/tag/v9.32.0", + "url": "https://github.com/laravel/framework/releases/tag/v9.32.0" } ] } diff --git a/2022/45xxx/CVE-2022-45291.json b/2022/45xxx/CVE-2022-45291.json index f8c6b78e85b..fd52c69bca3 100644 --- a/2022/45xxx/CVE-2022-45291.json +++ b/2022/45xxx/CVE-2022-45291.json 
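Review bot: The `affects` block is `"vendor_name": "n/a"` / `"product_name": "n/a"` / `"version_value": "n/a"` even though the description states the product and range precisely ("Laravel 8.x through 9.x before 9.32.0"); NVD CPE assignment and dependency scanners read the structured fields, not the prose, so the record should carry `"vendor_name": "Laravel"`, `"product_name": "framework"` and a version entry such as `"version_affected": "<", "version_value": "9.32.0"`. `problemtype` is likewise `n/a` while the description is a textbook observable timing discrepancy (CWE-208), which would make the record searchable by weakness. The fix is well referenced (PR #44069, tag v9.32.0, both CONFIRM), but 8.x is inside the stated affected range and the record lists no fix for it, so a reader on 8.x cannot tell whether upgrading across a major version is the only remedy.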
@@ -1,17 +1,66 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
- "ID": "CVE-2022-45291",
 "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ID": "CVE-2022-45291",
+ "STATE": "PUBLIC"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) allows remote code execution by injecting PHP code into settings.php. Attacks can use the PWS_printfile.php, PWS_frame_text.php, PWS_listfile.php, PWS_winter.php, and PWS_easyweathersetup.php endpoints. A contributing factor is a hardcoded login password of support, which is not documented. (This is not the same as the documented setup password, which is 12345.) The issue was fixed in late 2022."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://pwsdashboard.com/",
+ "refsource": "MISC",
+ "name": "https://pwsdashboard.com/"
+ },
+ {
+ "refsource": "MISC",
+ "name": "https://cavefxa.com/posts/cve-2022-45291/",
+ "url": "https://cavefxa.com/posts/cve-2022-45291/"
 }
 ]
 }
diff --git a/2023/25xxx/CVE-2023-25485.json b/2023/25xxx/CVE-2023-25485.json
index e06cbc63211..931595dd678 100644
--- a/2023/25xxx/CVE-2023-25485.json
+++ b/2023/25xxx/CVE-2023-25485.json
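Review bot: Neither the affected range nor the fix is machine-readable here: `product_name` and `version_value` are `n/a`, and the only fix statement is the prose "The issue was fixed in late 2022" with no version or build identifier, so a consumer cannot determine whether a given PWS_Dashboard install is patched. The structured fields should carry the product and the affected build (`2012_lts`), and the description should name the fixed release. `problemtype` is `n/a` although the description names two distinct weaknesses — PHP code injection into settings.php (CWE-94) and an undocumented hardcoded password (CWE-798) — and both deserve an entry, since the hardcoded credential is a separate exposure that survives even if the injection sinks are closed.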
@@ -1,17 +1,122 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-25485", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "audit@patchstack.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Bernhard Kux JSON Content Importer plugin <=\u00a01.3.15 versions." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Bernhard Kux", + "product": { + "product_data": [ + { + "product_name": "JSON Content Importer", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "versions": [ + { + "changes": [ + { + "at": "1.3.16", + "status": "unaffected" + } + ], + "lessThanOrEqual": "1.3.15", + "status": "affected", + "version": "n/a", + "versionType": "custom" + } + ], + "defaultStatus": "unaffected" + } + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://patchstack.com/database/vulnerability/json-content-importer/wordpress-json-content-importer-plugin-1-3-15-cross-site-scripting-xss-vulnerability?_s_id=cve", + "refsource": "MISC", + "name": "https://patchstack.com/database/vulnerability/json-content-importer/wordpress-json-content-importer-plugin-1-3-15-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.1.0-dev" 
+ }, + "source": { + "discovery": "EXTERNAL" + }, + "solution": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "Update to 1.3.16 or a higher version." + } + ], + "value": "Update to\u00a01.3.16 or a higher version." + } + ], + "credits": [ + { + "lang": "en", + "value": "Rio Darmawan (Patchstack Alliance)" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", + "version": "3.1" } ] } diff --git a/2023/25xxx/CVE-2023-25793.json b/2023/25xxx/CVE-2023-25793.json index 4ce95f1cf32..fde1aef4688 100644 --- a/2023/25xxx/CVE-2023-25793.json +++ b/2023/25xxx/CVE-2023-25793.json 
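Review bot: The description embeds a non-breaking space, `<=\u00a01.3.15`, and `solution[0].value` repeats it (`Update to\u00a01.3.16`) while the `supportingMedia` copy of the same sentence uses a plain space; an NBSP inside a version expression is invisible to a human reviewer but defeats naive search and tokenising ("<= 1.3.15" will not match), so both fields should use ordinary ASCII spaces. In the down-converted `x_cve_json_5_version_data`, `"version": "n/a"` with `"versionType": "custom"` is not a usable range start — in a `lessThanOrEqual` range the `version` field is meant to be the lower bound, so `"version": "0"` (or the first affected release) is what range-evaluating tooling expects. The `changes: [{at: 1.3.16, status: unaffected}]` entry restates `lessThanOrEqual: 1.3.15` plus `defaultStatus: unaffected`; harmless today, but two encodings of the fix boundary can drift apart on a later edit.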
@@ -1,17 +1,122 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-25793", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "audit@patchstack.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in George Pattihis Link Juice Keeper plugin <=\u00a02.0.2 versions." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "George Pattihis", + "product": { + "product_data": [ + { + "product_name": "Link Juice Keeper", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "versions": [ + { + "changes": [ + { + "at": "2.0.3", + "status": "unaffected" + } + ], + "lessThanOrEqual": "2.0.2", + "status": "affected", + "version": "n/a", + "versionType": "custom" + } + ], + "defaultStatus": "unaffected" + } + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://patchstack.com/database/vulnerability/link-juice-keeper/wordpress-link-juice-keeper-plugin-2-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve", + "refsource": "MISC", + "name": "https://patchstack.com/database/vulnerability/link-juice-keeper/wordpress-link-juice-keeper-plugin-2-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.1.0-dev" + }, + "source": { + 
"discovery": "EXTERNAL" + }, + "solution": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "Update to 2.0.3 or a higher version." + } + ], + "value": "Update to\u00a02.0.3 or a higher version." + } + ], + "credits": [ + { + "lang": "en", + "value": "Abdi Pranata (Patchstack Alliance)" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", + "version": "3.1" } ] } diff --git a/2023/28xxx/CVE-2023-28086.json b/2023/28xxx/CVE-2023-28086.json index 44c735a3686..aeb42e4889d 100644 --- a/2023/28xxx/CVE-2023-28086.json +++ b/2023/28xxx/CVE-2023-28086.json 
@@ -1,18 +1,67 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-28086", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-alert@hpe.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An HPE OneView appliance dump may expose proxy credential settings" } ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Hewlett Packard Enterprise (HPE)", + "product": { + "product_data": [ + { + "product_name": "HPE OneView", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "0", + "version_value": "8.2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04469en_us", + "refsource": "MISC", + "name": "https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04469en_us" + } + ] + }, + "generator": { + "engine": "cveClient/1.0.13" } } \ No newline at end of file diff --git a/2023/28xxx/CVE-2023-28087.json b/2023/28xxx/CVE-2023-28087.json index ce8f0ef9273..12d13799e92 100644 --- a/2023/28xxx/CVE-2023-28087.json +++ b/2023/28xxx/CVE-2023-28087.json 
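Review bot: `problemtype` is `n/a` although the description is specific about the weakness — credentials written into a diagnostic appliance dump — which maps directly to CWE-532 (sensitive information in a log/diagnostic file) or CWE-312 (cleartext storage); setting it lets consumers group this with its four sibling HPE records in this commit. The record carries no `impact` block, so severity cannot be read from it; the HPE bulletin under `references` presumably has a CVSS vector that should be mirrored here. The fix implied by `"version_affected": "<", "version_value": "8.2"` presumably only changes what future dumps contain, so a reader will want the record or bulletin to say whether proxy credentials present in dumps already generated and shared should be rotated.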
@@ -1,18 +1,67 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-28087", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-alert@hpe.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An HPE OneView appliance dump may expose OneView user accounts" } ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Hewlett Packard Enterprise (HPE)", + "product": { + "product_data": [ + { + "product_name": "HPE OneView", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "0", + "version_value": "8.2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04469en_us", + "refsource": "MISC", + "name": "https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04469en_us" + } + ] + }, + "generator": { + "engine": "cveClient/1.0.13" } } \ No newline at end of file diff --git a/2023/28xxx/CVE-2023-28088.json b/2023/28xxx/CVE-2023-28088.json index eeddafc5bcf..e109b2c239a 100644 --- a/2023/28xxx/CVE-2023-28088.json +++ b/2023/28xxx/CVE-2023-28088.json 
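Review bot: The description `An HPE OneView appliance dump may expose OneView user accounts` is ambiguous about what is exposed — account names, password hashes or usable credentials — and that distinction decides whether the impact is enumeration or account takeover. The record has no `impact`/CVSS block and `problemtype` is `n/a`, so nothing in the structured data distinguishes this from the four sibling dump advisories beyond the one sentence. Suggest a problemtype of CWE-532 or CWE-200 and a clause stating the form of the exposed account data, e.g. `may expose OneView user account names and credentials`, if that is what the bulletin says.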
@@ -1,18 +1,67 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-28088", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-alert@hpe.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An HPE OneView appliance dump may expose SAN switch administrative credentials" } ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Hewlett Packard Enterprise (HPE)", + "product": { + "product_data": [ + { + "product_name": "HPE OneView", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "0", + "version_value": "8.2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04469en_us", + "refsource": "MISC", + "name": "https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04469en_us" + } + ] + }, + "generator": { + "engine": "cveClient/1.0.13" } } \ No newline at end of file diff --git a/2023/28xxx/CVE-2023-28089.json b/2023/28xxx/CVE-2023-28089.json index 06169e8e6cf..924d3fff409 100644 --- a/2023/28xxx/CVE-2023-28089.json +++ b/2023/28xxx/CVE-2023-28089.json 
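Review bot: SAN switch administrative credentials recovered from a support dump are a path onto infrastructure outside the appliance itself, yet the record has no `impact` block to convey that and `problemtype` is `n/a`; CWE-532 or CWE-312 fits the described weakness. The `affects` range `< 8.2` implies 8.2 is the fix, but the description never says so; appending `fixed in HPE OneView 8.2` to the description keeps the prose and the structured data in agreement for readers who only see the text. The bulletin reference is shared verbatim across all five records, so the CVSS and any credential-rotation guidance it contains should be surfaced in each record rather than left behind the link.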
@@ -1,18 +1,67 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-28089", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-alert@hpe.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An HPE OneView appliance dump may expose FTP credentials for c7000 Interconnect Modules" } ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Hewlett Packard Enterprise (HPE)", + "product": { + "product_data": [ + { + "product_name": "HPE OneView", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "0", + "version_value": "8.2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04469en_us", + "refsource": "MISC", + "name": "https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04469en_us" + } + ] + }, + "generator": { + "engine": "cveClient/1.0.13" } } \ No newline at end of file diff --git a/2023/28xxx/CVE-2023-28090.json b/2023/28xxx/CVE-2023-28090.json index 503c101a076..b0d7c9184d9 100644 --- a/2023/28xxx/CVE-2023-28090.json +++ b/2023/28xxx/CVE-2023-28090.json 
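Review bot: The record names FTP credentials for c7000 Interconnect Modules but gives no `impact` block and leaves `problemtype` at `n/a`, so the structured data says nothing about severity or weakness class; CWE-532 or CWE-312 matches the description. Because FTP is a cleartext protocol, credentials lifted from a dump are directly replayable against the interconnect modules, which is worth a sentence so readers do not treat this as a lesser exposure than the SAN-switch sibling. As in the other four HPE entries, the fix is only implied by `"version_affected": "<", "version_value": "8.2"` and should be stated in the description as well.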
@@ -1,18 +1,67 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-28090", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-alert@hpe.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An HPE OneView appliance dump may expose SNMPv3 read credentials" } ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Hewlett Packard Enterprise (HPE)", + "product": { + "product_data": [ + { + "product_name": "HPE OneView", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "0", + "version_value": "8.2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04469en_us", + "refsource": "MISC", + "name": "https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04469en_us" + } + ] + }, + "generator": { + "engine": "cveClient/1.0.13" } } \ No newline at end of file diff --git a/2023/29xxx/CVE-2023-29552.json b/2023/29xxx/CVE-2023-29552.json index 6656095d2e5..a39ce847ac9 100644 --- a/2023/29xxx/CVE-2023-29552.json +++ b/2023/29xxx/CVE-2023-29552.json 
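Review bot: `SNMPv3 read credentials` should be qualified: SNMPv3 credentials are a user name plus authentication and privacy keys, and whether the dump holds the keys or only the user name decides whether an attacker can actually poll the managed devices; the description does not say. The record lacks an `impact` block and has `problemtype: n/a`; CWE-532/CWE-312 and the CVSS from the linked bulletin would bring it in line with what consumers expect. "Read" credentials can still yield a full inventory of the managed fleet, so the severity should not be assumed low merely because the community is read-only.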
@@ -63,6 +63,11 @@
 "refsource": "MISC",
 "name": "https://www.cisa.gov/news-events/alerts/2023/04/25/abuse-service-location-protocol-may-lead-dos-attacks",
 "url": "https://www.cisa.gov/news-events/alerts/2023/04/25/abuse-service-location-protocol-may-lead-dos-attacks"
+ },
+ {
+ "refsource": "MISC",
+ "name": "https://www.suse.com/support/kb/doc/?id=000021051",
+ "url": "https://www.suse.com/support/kb/doc/?id=000021051"
 }
 ]
 },
diff --git a/2023/2xxx/CVE-2023-2282.json b/2023/2xxx/CVE-2023-2282.json
index e18fd40413b..782ed04bddf 100644
--- a/2023/2xxx/CVE-2023-2282.json
+++ b/2023/2xxx/CVE-2023-2282.json
@@ -1,18 +1,70 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2023-2282",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@devolutions.net",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Improper access control in the Web Login listener in Devolutions Remote Desktop Manager 2023.1.22 and earlier on Windows allows an authenticated user to bypass administrator-enforced Web Login restrictions and gain access to entries via an unexpected vector.\n"
 }
 ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Devolutions",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Remote Desktop Manager",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "0",
+ "version_value": "2023.1.22"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://devolutions.net/security/advisories/DEVO-2023-0012",
+ "refsource": "MISC",
+ "name": "https://devolutions.net/security/advisories/DEVO-2023-0012"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
 }
 }
\ No newline at end of file
diff --git a/2023/30xxx/CVE-2023-30838.json b/2023/30xxx/CVE-2023-30838.json
index 17d8dc51a7b..d4f36b6ecd7 100644
--- a/2023/30xxx/CVE-2023-30838.json
+++ b/2023/30xxx/CVE-2023-30838.json
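Review bot: The description string ends with a literal newline, `...via an unexpected vector.\n`, which every downstream renderer will reproduce and which breaks exact-match comparison with the vendor advisory text; strip the trailing `\n`. "Via an unexpected vector" conveys nothing about the weakness or attack path, and `problemtype` is `n/a` — CWE-284 matches the description's own words "Improper access control" — so the record should at least say whether the bypass needs local access to the Windows host where the Web Login listener runs or is reachable over the network, which is what the "on Windows" qualifier leaves open. No `impact` block is present, so the linked DEVO-2023-0012 advisory is the only source of severity.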
@@ -1,17 +1,99 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-30838", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, the `ValidateCore::isCleanHTML()` method of Prestashop misses hijackable events which can lead to cross-site scripting (XSS) injection, allowed by the presence of pre-setup `@keyframes` methods. This XSS, which hijacks HTML attributes, can be triggered without any interaction by the visitor/administrator, which makes it as dangerous as a trivial XSS attack. Contrary to other attacks which target HTML attributes and are triggered without user interaction (such as onload / onerror which suffer from a very limited scope), this one can hijack every HTML element, which increases the danger due to a complete HTML elements scope. Versions 8.0.4 and 1.7.8.9 contain a fix for this issue." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "PrestaShop", + "product": { + "product_data": [ + { + "product_name": "PrestaShop", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": ">= 8.0.0, < 8.0.4" + }, + { + "version_affected": "=", + "version_value": "< 1.7.8.9" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fh7r-996q-gvcp", + "refsource": "MISC", + "name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fh7r-996q-gvcp" + }, + { + "url": "https://github.com/PrestaShop/PrestaShop/commit/46408ae4b02f3b8b1bb6e9dc63af5bcd858abd9c", + "refsource": "MISC", + "name": "https://github.com/PrestaShop/PrestaShop/commit/46408ae4b02f3b8b1bb6e9dc63af5bcd858abd9c" + }, + { + "url": "https://github.com/PrestaShop/PrestaShop/commit/dc682192df0e4b0d656a8e645b29ca1b9dbe3693", + "refsource": "MISC", + "name": "https://github.com/PrestaShop/PrestaShop/commit/dc682192df0e4b0d656a8e645b29ca1b9dbe3693" + } + ] + }, + "source": { + "advisory": "GHSA-fh7r-996q-gvcp", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.6, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", + "version": "3.1" } ] } diff --git a/2023/30xxx/CVE-2023-30839.json b/2023/30xxx/CVE-2023-30839.json index 0f07f9dfcb1..7026616fd37 100644 --- a/2023/30xxx/CVE-2023-30839.json 
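Review bot: The `baseScore` 8.6 does not appear to follow from the vector `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H`: by my arithmetic the scope-changed impact is about 6.05 and exploitability about 1.78, giving 1.08 × 7.82 ≈ 8.45, which rounds up to 8.5; please re-run the calculator and align the score with the vector or the vector with the intended score. The version data also encodes a range inside an equality: `"version_affected": "="` with `"version_value": ">= 8.0.0, < 8.0.4"`, so tooling that honours `version_affected` will look for a literal version named ">= 8.0.0, < 8.0.4"; the Odoo and HPE records in this same commit use `"version_affected": "<"` / `"<="` with a bare version, e.g. `"version_affected": "<", "version_value": "8.0.4"`, and this record should follow suit. The description's claim that the XSS "can be triggered without any interaction by the visitor/administrator" is consistent with `UI:N` but sits oddly with `PR:L`; a clause saying which authenticated role supplies the payload would remove the ambiguity.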
+++ b/2023/30xxx/CVE-2023-30839.json 
@@ -1,17 +1,99 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-30839", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "cweId": "CWE-89" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "PrestaShop", + "product": { + "product_data": [ + { + "product_name": "PrestaShop", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": ">= 8.0.0, < 8.0.4" + }, + { + "version_affected": "=", + "version_value": "< 1.7.8.9" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-p379-cxqh-q822", + "refsource": "MISC", + "name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-p379-cxqh-q822" + }, + { + "url": "https://github.com/PrestaShop/PrestaShop/commit/0f2a9b7fdd42d1dd3b21d4fad586a849642f3c30", + "refsource": "MISC", + "name": 
"https://github.com/PrestaShop/PrestaShop/commit/0f2a9b7fdd42d1dd3b21d4fad586a849642f3c30" + }, + { + "url": "https://github.com/PrestaShop/PrestaShop/commit/d1d27dc371599713c912b71bc2a455cacd7f2149", + "refsource": "MISC", + "name": "https://github.com/PrestaShop/PrestaShop/commit/d1d27dc371599713c912b71bc2a455cacd7f2149" + } + ] + }, + "source": { + "advisory": "GHSA-p379-cxqh-q822", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 10, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", + "version": "3.1" } ] }