From 76fcbb112f753417ddcfda599c1b7f13748358bd Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Wed, 5 Apr 2023 18:00:36 +0000
Subject: [PATCH] "-Synchronized-Data."
---
 2022/2xxx/CVE-2022-2846.json | 5 ++
 2022/46xxx/CVE-2022-46552.json | 5 ++
 2022/4xxx/CVE-2022-4939.json | 18 +++++++
 2022/4xxx/CVE-2022-4940.json | 18 +++++++
 2023/22xxx/CVE-2023-22855.json | 5 ++
 2023/26xxx/CVE-2023-26777.json | 5 ++
 2023/28xxx/CVE-2023-28849.json | 90 ++++++++++++++++++++++++++++++--
 2023/28xxx/CVE-2023-28852.json | 90 ++++++++++++++++++++++++++++++--
 2023/28xxx/CVE-2023-28855.json | 95 ++++++++++++++++++++++++++++++++--
 2023/29xxx/CVE-2023-29006.json | 85 ++++++++++++++++++++++++++++--
 10 files changed, 400 insertions(+), 16 deletions(-)
 create mode 100644 2022/4xxx/CVE-2022-4939.json
 create mode 100644 2022/4xxx/CVE-2022-4940.json
diff --git a/2022/2xxx/CVE-2022-2846.json b/2022/2xxx/CVE-2022-2846.json
index 9232efd7708..771f56df450 100644
--- a/2022/2xxx/CVE-2022-2846.json
+++ b/2022/2xxx/CVE-2022-2846.json
@@ -48,6 +48,11 @@
 "refsource": "MISC",
 "url": "https://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c",
 "name": "https://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c"
+ },
+ {
+ "refsource": "MISC",
+ "name": "http://packetstormsecurity.com/files/171697/Calendar-Event-Multi-View-1.4.07-Cross-Site-Scripting.html",
+ "url": "http://packetstormsecurity.com/files/171697/Calendar-Event-Multi-View-1.4.07-Cross-Site-Scripting.html"
 }
 ]
 },
diff --git a/2022/46xxx/CVE-2022-46552.json b/2022/46xxx/CVE-2022-46552.json
index 0b2da28bc67..2fbdf39b22a 100644
--- a/2022/46xxx/CVE-2022-46552.json
+++ b/2022/46xxx/CVE-2022-46552.json
@@ -81,6 +81,11 @@
 "refsource": "MISC",
 "name": "https://github.com/c2dc/cve-reported/blob/main/CVE-2022-46552/CVE-2022-46552.md",
 "url": "https://github.com/c2dc/cve-reported/blob/main/CVE-2022-46552/CVE-2022-46552.md"
+ },
+ {
+ "refsource": "MISC",
+ "name": "http://packetstormsecurity.com/files/171710/D-Link-DIR-846-Remote-Command-Execution.html",
+ "url": "http://packetstormsecurity.com/files/171710/D-Link-DIR-846-Remote-Command-Execution.html"
 }
 ]
 }
diff --git a/2022/4xxx/CVE-2022-4939.json b/2022/4xxx/CVE-2022-4939.json
new file mode 100644
index 00000000000..07c378803d6
--- /dev/null
+++ b/2022/4xxx/CVE-2022-4939.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2022-4939",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2022/4xxx/CVE-2022-4940.json b/2022/4xxx/CVE-2022-4940.json
new file mode 100644
index 00000000000..e8d55e96b52
--- /dev/null
+++ b/2022/4xxx/CVE-2022-4940.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2022-4940",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2023/22xxx/CVE-2023-22855.json b/2023/22xxx/CVE-2023-22855.json
index a73311bd60a..12c525af001 100644
--- a/2023/22xxx/CVE-2023-22855.json
+++ b/2023/22xxx/CVE-2023-22855.json
@@ -66,6 +66,11 @@
 "refsource": "MISC",
 "name": "http://packetstormsecurity.com/files/171046/Kardex-Mlog-MCC-5.7.12-0-a203c2a213-master-File-Inclusion-Remote-Code-Execution.html",
 "url": "http://packetstormsecurity.com/files/171046/Kardex-Mlog-MCC-5.7.12-0-a203c2a213-master-File-Inclusion-Remote-Code-Execution.html"
+ },
+ {
+ "refsource": "MISC",
+ "name": "http://packetstormsecurity.com/files/171689/Kardex-Mlog-MCC-5.7.12-Remote-Code-Execution.html",
+ "url": "http://packetstormsecurity.com/files/171689/Kardex-Mlog-MCC-5.7.12-Remote-Code-Execution.html"
 }
 ]
 }
diff --git a/2023/26xxx/CVE-2023-26777.json b/2023/26xxx/CVE-2023-26777.json
index cfffeba8329..4089f01092e 100644
--- a/2023/26xxx/CVE-2023-26777.json
+++ b/2023/26xxx/CVE-2023-26777.json
@@ -56,6 +56,11 @@
 "url": "https://github.com/louislam/uptime-kuma/issues/2186",
 "refsource": "MISC",
 "name": "https://github.com/louislam/uptime-kuma/issues/2186"
+ },
+ {
+ "refsource": "MISC",
+ "name": "http://packetstormsecurity.com/files/171699/Uptime-Kuma-1.19.6-Cross-Site-Scripting.html",
+ "url": "http://packetstormsecurity.com/files/171699/Uptime-Kuma-1.19.6-Cross-Site-Scripting.html"
 }
 ]
 }
diff --git a/2023/28xxx/CVE-2023-28849.json b/2023/28xxx/CVE-2023-28849.json
index d5cdcd16c5c..b7ea239122c 100644
--- a/2023/28xxx/CVE-2023-28849.json
+++ b/2023/28xxx/CVE-2023-28849.json
@@ -1,17 +1,99 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2023-28849",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security-advisories@github.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform XSS attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.7 contains a patch for this issue. As a workaround, disable native inventory."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
+ "cweId": "CWE-89"
+ }
+ ]
+ },
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+ "cweId": "CWE-79"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "glpi-project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "glpi",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": ">= 10.0.0, < 10.0.7"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.7",
+ "refsource": "MISC",
+ "name": "https://github.com/glpi-project/glpi/releases/tag/10.0.7"
+ },
+ {
+ "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-9r84-jpg3-h4m6",
+ "refsource": "MISC",
+ "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-9r84-jpg3-h4m6"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-9r84-jpg3-h4m6",
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 10,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
+ "version": "3.1"
 }
 ]
 }
diff --git a/2023/28xxx/CVE-2023-28852.json b/2023/28xxx/CVE-2023-28852.json
index 8c79e78ed72..98f4c39eb70 100644
--- a/2023/28xxx/CVE-2023-28852.json
+++ b/2023/28xxx/CVE-2023-28852.json
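Review bot: In the added `affects` block, `version_affected` is `"="` while `version_value` carries a range expression (`">= 10.0.0, < 10.0.7"`), so a consumer that honours `=` as exact-match semantics will match no installed version at all; the range is only usable if the string itself is parsed. The same shape appears in the CVE-2023-28852, CVE-2023-28855 and CVE-2023-29006 hunks of this patch. This presumably reflects how the CNA submitted the record rather than something the sync introduced, so any correction belongs upstream; downstream tooling that matches affected versions should treat `version_value` as a range for these records rather than trusting `version_affected`. The record's closing brace lies outside the hunk.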
@@ -1,17 +1,99 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2023-28852",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security-advisories@github.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 9.5.13 and 10.0.7, a user with dashboard administration rights may hack the dashboard form to store malicious code that will be executed when other users will use the related dashboard. Versions 9.5.13 and 10.0.7 contain a patch for this issue."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+ "cweId": "CWE-79"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "glpi-project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "glpi",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": ">= 9.5.0, < 9.5.13"
+ },
+ {
+ "version_affected": "=",
+ "version_value": ">= 10.0.0, < 10.0.7"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.7",
+ "refsource": "MISC",
+ "name": "https://github.com/glpi-project/glpi/releases/tag/10.0.7"
+ },
+ {
+ "url": "https://github.com/glpi-project/glpi/releases/tag/9.5.13",
+ "refsource": "MISC",
+ "name": "https://github.com/glpi-project/glpi/releases/tag/9.5.13"
+ },
+ {
+ "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-65gq-p8hg-7m92",
+ "refsource": "MISC",
+ "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-65gq-p8hg-7m92"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-65gq-p8hg-7m92",
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.8,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "HIGH",
+ "scope": "CHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
+ "version": "3.1"
 }
 ]
 }
diff --git a/2023/28xxx/CVE-2023-28855.json b/2023/28xxx/CVE-2023-28855.json
index 41d31025c02..b4dfcf23919 100644
--- a/2023/28xxx/CVE-2023-28855.json
+++ b/2023/28xxx/CVE-2023-28855.json
@@ -1,17 +1,104 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2023-28855",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security-advisories@github.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-269: Improper Privilege Management",
+ "cweId": "CWE-269"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "pluginsGLPI",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "fields",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "< 1.13.1"
+ },
+ {
+ "version_affected": "=",
+ "version_value": ">= 1.20.0, < 1.20.4"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584",
+ "refsource": "MISC",
+ "name": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584"
+ },
+ {
+ "url": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d",
+ "refsource": "MISC",
+ "name": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d"
+ },
+ {
+ "url": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1",
+ "refsource": "MISC",
+ "name": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1"
+ },
+ {
+ "url": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4",
+ "refsource": "MISC",
+ "name": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-52vv-hm4x-8584",
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
+ "version": "3.1"
 }
 ]
 }
diff --git a/2023/29xxx/CVE-2023-29006.json b/2023/29xxx/CVE-2023-29006.json
index 390811c3b24..cc61803a8e0 100644
--- a/2023/29xxx/CVE-2023-29006.json
+++ b/2023/29xxx/CVE-2023-29006.json
@@ -1,17 +1,94 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2023-29006",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security-advisories@github.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The Order GLPI plugin allows users to manage order management within GLPI. Starting with version 1.8.0 and prior to versions 2.7.7 and 2.10.1, an authenticated user that has access to standard interface can craft an URL that can be used to execute a system command. Versions 2.7.7 and 2.10.1 contain a patch for this issue. As a workaround, delete the `ajax/dropdownContact.php` file from the plugin."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-502: Deserialization of Untrusted Data",
+ "cweId": "CWE-502"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "pluginsGLPI",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "order",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": ">= 1.8.0, < 2.7.7"
+ },
+ {
+ "version_affected": "=",
+ "version_value": ">= 2.10.0, < 2.10.1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://github.com/pluginsGLPI/order/security/advisories/GHSA-xfx2-qx2r-3wwm",
+ "refsource": "MISC",
+ "name": "https://github.com/pluginsGLPI/order/security/advisories/GHSA-xfx2-qx2r-3wwm"
+ },
+ {
+ "url": "https://github.com/pluginsGLPI/order/commit/c78e64b95e54d5e47d9835984c93049f245b579e",
+ "refsource": "MISC",
+ "name": "https://github.com/pluginsGLPI/order/commit/c78e64b95e54d5e47d9835984c93049f245b579e"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-xfx2-qx2r-3wwm",
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 8.8,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.1"
 }
 ]
 }