From 7fd200d26861607374687c0c3bb2b4f2bc1ffe9f Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Tue, 22 Oct 2024 16:00:29 +0000
Subject: [PATCH] "-Synchronized-Data."
---
 2022/23xxx/CVE-2022-23861.json | 66 ++++++++++++++++++--
 2022/23xxx/CVE-2022-23862.json | 66 ++++++++++++++++++--
 2024/10xxx/CVE-2024-10249.json | 18 ++++++
 2024/26xxx/CVE-2024-26273.json | 106 +++++++++++++++++++++++++++++--
 2024/38xxx/CVE-2024-38002.json | 111 +++++++++++++++++++++++++++++++--
 2024/47xxx/CVE-2024-47810.json | 18 ++++++
 2024/47xxx/CVE-2024-47819.json | 76 ++++++++++++++++++++--
 2024/48xxx/CVE-2024-48605.json | 71 +++++++++++++++++++--
 2024/48xxx/CVE-2024-48925.json | 85 +++++++++++++++++++++++--
 2024/48xxx/CVE-2024-48926.json | 84 +++++++++++++++++++++++--
 2024/48xxx/CVE-2024-48927.json | 84 +++++++++++++++++++++++--
 2024/48xxx/CVE-2024-48929.json | 80 ++++++++++++++++++++++--
 2024/49xxx/CVE-2024-49373.json | 86 +++++++++++++++++++++++--
 2024/50xxx/CVE-2024-50313.json | 18 ++++++
 14 files changed, 919 insertions(+), 50 deletions(-)
 create mode 100644 2024/10xxx/CVE-2024-10249.json
 create mode 100644 2024/47xxx/CVE-2024-47810.json
 create mode 100644 2024/50xxx/CVE-2024-50313.json
diff --git a/2022/23xxx/CVE-2022-23861.json b/2022/23xxx/CVE-2022-23861.json
index 76cc2ac0f1c..aa787f15ce4 100644
--- a/2022/23xxx/CVE-2022-23861.json
+++ b/2022/23xxx/CVE-2022-23861.json
@@ -1,17 +1,71 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2022-23861", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2022-23861", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Multiple Stored Cross-Site Scripting vulnerabilities were discovered in Y Soft SAFEQ 6 Build 53. Multiple fields in the YSoft SafeQ web application can be used to inject malicious inputs that, due to a lack of output sanitization, result in the execution of arbitrary JS code. These fields can be leveraged to perform XSS attacks on legitimate users accessing the SafeQ web interface." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://ysoft.com", + "refsource": "MISC", + "name": "https://ysoft.com" + }, + { + "refsource": "MISC", + "name": "https://github.com/mbadanoiu/CVE-2022-23861", + "url": "https://github.com/mbadanoiu/CVE-2022-23861" + }, + { + "refsource": "MISC", + "name": "https://github.com/mbadanoiu/CVE-2022-23861/blob/main/SafeQ%20-%20CVE-2022-23861.pdf", + "url": "https://github.com/mbadanoiu/CVE-2022-23861/blob/main/SafeQ%20-%20CVE-2022-23861.pdf" } ] } 
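Review bot: The `affects` block added at the top of this hunk records vendor, product and version as `"n/a"` even though the description names the affected product and build (Y Soft SAFEQ 6 Build 53), so product-based matching on this record finds nothing; `"vendor_name": "Y Soft"`, `"product_name": "SAFEQ"`, `"version_value": "6 Build 53"` would carry what the prose already states. The `problemtype` entry is likewise `"n/a"` while the description says "Multiple Stored Cross-Site Scripting vulnerabilities", which the other records in this commit would express with a `cweId` (CWE-79). The same `"n/a"` pattern appears in the CVE-2022-23862 and CVE-2024-48605 hunks. Inside `reference_data` the first entry orders its keys url/refsource/name and the other two refsource/name/url; one order throughout would keep future syncs of this file to real changes.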
diff --git a/2022/23xxx/CVE-2022-23862.json b/2022/23xxx/CVE-2022-23862.json
index d440072c988..53ca11c1f24 100644
--- a/2022/23xxx/CVE-2022-23862.json
+++ b/2022/23xxx/CVE-2022-23862.json
@@ -1,17 +1,71 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2022-23862", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2022-23862", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A Local Privilege Escalation issue was discovered in Y Soft SAFEQ 6 Build 53. The SafeQ JMX service running on port 9696 is vulnerable to JMX MLet attacks. Because the service did not enforce authentication and was running under the \"NT Authority\\System\" user, an attacker is able to use the vulnerability to execute arbitrary code and elevate to the system user." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://ysoft.com", + "refsource": "MISC", + "name": "https://ysoft.com" + }, + { + "refsource": "MISC", + "name": "https://github.com/mbadanoiu/CVE-2022-23862", + "url": "https://github.com/mbadanoiu/CVE-2022-23862" + }, + { + "refsource": "MISC", + "name": "https://github.com/mbadanoiu/CVE-2022-23862/blob/main/SafeQ%20-%20CVE-2022-23862.pdf", + "url": "https://github.com/mbadanoiu/CVE-2022-23862/blob/main/SafeQ%20-%20CVE-2022-23862.pdf" } ] } 
diff --git a/2024/10xxx/CVE-2024-10249.json b/2024/10xxx/CVE-2024-10249.json
new file mode 100644
index 00000000000..9b74dc07a42
--- /dev/null
+++ b/2024/10xxx/CVE-2024-10249.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-10249",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/26xxx/CVE-2024-26273.json b/2024/26xxx/CVE-2024-26273.json
index 1fdfbd1709f..8976a15541b 100644
--- a/2024/26xxx/CVE-2024-26273.json
+++ b/2024/26xxx/CVE-2024-26273.json
@@ -1,17 +1,115 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-26273", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@liferay.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.4.0 through 7.4.3.103, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 update 29 through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_commerce_catalog_web_internal_portlet_CommerceCatalogsPortlet_redirect parameter." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-352 Cross-Site Request Forgery (CSRF)", + "cweId": "CWE-352" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Liferay", + "product": { + "product_data": [ + { + "product_name": "Portal", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "7.4.0", + "version_value": "7.4.3.103" + } + ] + } + }, + { + "product_name": "DXP", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "7.3.10-u29", + "version_value": "7.3.10-u35" + }, + { + "version_affected": "<=", + "version_name": "7.4.13", + "version_value": "7.4.13-u92" + }, + { + "version_affected": "<=", + "version_name": "2023.Q3.1", + "version_value": "2023.Q3.5" + }, + { + "version_affected": "<=", + "version_name": "2023.Q4.0", + "version_value": "2023.Q4.2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26273", + "refsource": "MISC", + "name": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26273" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" } ] } diff --git a/2024/38xxx/CVE-2024-38002.json b/2024/38xxx/CVE-2024-38002.json index 3c1ea5684cb..ace632f914d 100644 --- a/2024/38xxx/CVE-2024-38002.json +++ b/2024/38xxx/CVE-2024-38002.json 
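Review bot: The `version_data` entries give only an upper bound of the affected range (`"version_affected": "<="` with `version_name`/`version_value`), and neither they nor the description say which release fixes the issue, so a reader cannot tell from this record whether 7.4.3.104 or 2023.Q4.3 is patched; if the linked advisory names the fixed releases, a closing sentence in the description such as `Fixed in Liferay Portal <fixed-version> and DXP <fixed-update>` (values from the advisory) would close that gap. Separately, the hunk moves `"data_version": "4.0"` from after `data_format` to the top of the object, a pure key reorder that costs one removed and one added line with no content change; the same reorder appears in the CVE-2024-38002, CVE-2024-47819, CVE-2024-48925, CVE-2024-48926, CVE-2024-48927, CVE-2024-48929 and CVE-2024-49373 hunks, and keeping the generator's key order stable would confine these syncs to the lines that actually change.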
@@ -1,17 +1,120 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-38002", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@liferay.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-863 Incorrect Authorization", + "cweId": "CWE-863" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Liferay", + "product": { + "product_data": [ + { + "product_name": "Portal", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "7.3.2", + "version_value": "7.3.7" + }, + { + "version_affected": "<=", + "version_name": "7.4.0", + "version_value": "7.4.3.111" + } + ] + } + }, + { + "product_name": "DXP", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "7.3.10", + "version_value": "7.3.10-u36" + }, + { + "version_affected": "<=", + "version_name": "7.4.13", + "version_value": "7.4.13-u92" + }, + { + "version_affected": "<=", + "version_name": "2023.Q3.1", + "version_value": "2023.Q3.8" + }, + { + "version_affected": "<=", + "version_name": "2023.Q4.0", + "version_value": "2023.Q4.5" 
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-38002",
+ "refsource": "MISC",
+ "name": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-38002"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "CHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2024/47xxx/CVE-2024-47810.json b/2024/47xxx/CVE-2024-47810.json
new file mode 100644
index 00000000000..aeec0f956bf
--- /dev/null
+++ b/2024/47xxx/CVE-2024-47810.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-47810",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/47xxx/CVE-2024-47819.json b/2024/47xxx/CVE-2024-47819.json
index 72be8eb380b..53f49f92a25 100644
--- a/2024/47xxx/CVE-2024-47819.json
+++ b/2024/47xxx/CVE-2024-47819.json
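Review bot: The CVSS block on the new side marks User Interaction as Required (`"userInteraction": "REQUIRED"`, `UI:R` in `vectorString`), but the description says remote authenticated users modify workflow definitions via the headless API, which reads as a request the attacker sends with no second user having to act; if that is the case `UI:N` applies and, by the 3.1 formula, the base score rises from the 9 recorded here to 9.9, so the vector is worth confirming with the assigner. The `"baseScore": 9` is also the only score in this commit written without a decimal place (`8.8`, `4.2`, `4.6`, `4.1` elsewhere); `9.0` would keep the field uniform. The enclosing `impact` object is complete within the hunk.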
@@ -1,17 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-47819", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content. Versions 14.3.1 and 15.0.0 contain a patch. As a workaround, ensure that access to the Dictionary section is only granted to trusted users." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "umbraco", + "product": { + "product_data": [ + { + "product_name": "Umbraco-CMS", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": ">= 14.0.0, < 14.3.1" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-c5g6-6xf7-qxp3", + "refsource": "MISC", + "name": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-c5g6-6xf7-qxp3" + } + ] + }, + "source": { + "advisory": "GHSA-c5g6-6xf7-qxp3", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.2, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" } ] } diff --git a/2024/48xxx/CVE-2024-48605.json b/2024/48xxx/CVE-2024-48605.json index 684581b9d90..d7ee5398056 100644 --- a/2024/48xxx/CVE-2024-48605.json +++ b/2024/48xxx/CVE-2024-48605.json 
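Review bot: The single `version_data` entry records `">= 14.0.0, < 14.3.1"`, while the description says the issue exists "starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0"; if 15.0.0 is a fix, pre-release builds of the 15 line were affected but are not captured in `affects`, so consumers matching on version data would miss them. Either add a second range entry for the 15.x pre-releases or state in the description that no 15.x build shipped with the flaw. The range is also a free-text string under `"version_affected": "="`, whereas the Liferay records in this commit express bounds with `"<="` and separate `version_name`/`version_value` fields; a downstream parser has to special-case this form.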
@@ -1,17 +1,76 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2024-48605", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2024-48605", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An issue in Helakuru Desktop Application v1.1 allows a local attacker to execute arbitrary code via the lack of proper validation of the wow64log.dll file." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://medium.com/@xNEED/dll-hijacking-jagexlauncher-819599165822", + "refsource": "MISC", + "name": "https://medium.com/@xNEED/dll-hijacking-jagexlauncher-819599165822" + }, + { + "url": "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", + "refsource": "MISC", + "name": "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/" + }, + { + "url": "https://www.exploit-db.com/exploits/51461", + "refsource": "MISC", + "name": "https://www.exploit-db.com/exploits/51461" + }, + { + "refsource": "MISC", + "name": "https://github.com/surajhacx/HelakuruV.1.1-DLLHijack", + "url": "https://github.com/surajhacx/HelakuruV.1.1-DLLHijack" } ] } 
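Review bot: Three of the four `reference_data` entries (the JagexLauncher and McAfee Agent CVE-2020-7315 DLL-injection write-ups and exploit-db 51461) concern other products and serve as general background on DLL hijacking rather than as sources for this CVE; only the `surajhacx/HelakuruV.1.1-DLLHijack` link is about Helakuru. Background links belong in the write-up itself, not in the CVE reference list, where tooling treats each URL as evidence for this issue. The `affects` block is also `"n/a"` although the description names Helakuru Desktop Application v1.1, and `problemtype` is `"n/a"` although the description describes loading of an unvalidated `wow64log.dll` (CWE-427, Uncontrolled Search Path Element, is the usual mapping for that class of issue).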
diff --git a/2024/48xxx/CVE-2024-48925.json b/2024/48xxx/CVE-2024-48925.json
index bc01edb6bbb..9225938e2c8 100644
--- a/2024/48xxx/CVE-2024-48925.json
+++ b/2024/48xxx/CVE-2024-48925.json
@@ -1,17 +1,94 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-48925", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Umbraco, a free and open source .NET content management system, has an improper access control issue starting in version 14.0.0 and prior to version 14.3.0. The issue allows low-privilege users to access the webhook API and retrieve information that should be restricted to users with access to the settings section. Version 14.3.0 contains a patch." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-284: Improper Access Control", + "cweId": "CWE-284" + } + ] + }, + { + "description": [ + { + "lang": "eng", + "value": "CWE-863: Incorrect Authorization", + "cweId": "CWE-863" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "umbraco", + "product": { + "product_data": [ + { + "product_name": "Umbraco-CMS", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": ">= 14.0.0, < 14.3.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-4gp9-ff99-j6vj", + "refsource": "MISC", + "name": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-4gp9-ff99-j6vj" + } + ] + }, + "source": { + "advisory": "GHSA-4gp9-ff99-j6vj", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + 
"availabilityImpact": "NONE", + "baseScore": 0, + "baseSeverity": "NONE", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N", + "version": "3.1" } ] } diff --git a/2024/48xxx/CVE-2024-48926.json b/2024/48xxx/CVE-2024-48926.json index a39b1abafe5..d43f5c06de7 100644 --- a/2024/48xxx/CVE-2024-48926.json +++ b/2024/48xxx/CVE-2024-48926.json 
@@ -1,17 +1,93 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-48926", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The Backoffice displays the logout page with a session timeout message before the server session has fully expired, causing users to believe they have been logged out approximately 30 seconds before they actually are. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-613: Insufficient Session Expiration", + "cweId": "CWE-613" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "umbraco", + "product": { + "product_data": [ + { + "product_name": "Umbraco-CMS", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": ">= 13.0.0, < 13.5.2" + }, + { + "version_affected": "=", + "version_value": ">= 10.0.0, < 10.8.7" + }, + { + "version_affected": "=", + "version_value": ">= 8.0.0, < 8.18.15" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-fp6q-gccw-7qqm", + "refsource": "MISC", + "name": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-fp6q-gccw-7qqm" + } + ] + }, + "source": { + "advisory": "GHSA-fp6q-gccw-7qqm", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.2, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", + "version": "3.1" } ] } diff --git a/2024/48xxx/CVE-2024-48927.json b/2024/48xxx/CVE-2024-48927.json index b29e0e597da..3543b79dd61 100644 --- a/2024/48xxx/CVE-2024-48927.json +++ b/2024/48xxx/CVE-2024-48927.json 
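Review bot: The description's list of patched versions reads `Versions 13.5.2, 10.8,7, and 8.18.15`, where `10.8,7` is a typo for `10.8.7` (the form used earlier in the same sentence and in the `version_data` entry `">= 10.0.0, < 10.8.7"`); as written, a reader scanning for the fixed release sees two versions and a stray digit. The identical typo is in the CVE-2024-48927 description. The rest of the record is consistent: the CWE-613 problemtype and the three ranges in `affects` match the prose.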
@@ -1,17 +1,93 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-48927", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. There is a potential risk of code execution for Backoffice users when they \u201cpreview\u201d SVG files in full screen mode. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue. As a workaround, derver-side file validation is available to strip script tags from file's content during the file upload process." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + "cweId": "CWE-74" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "umbraco", + "product": { + "product_data": [ + { + "product_name": "Umbraco-CMS", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": ">= 13.0.0, < 13.5.2" + }, + { + "version_affected": "=", + "version_value": ">= 10.0.0, < 10.8.7" + }, + { + "version_affected": "=", + "version_value": ">= 8.0.0, < 8.18.15" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-5955-cwv4-h7qh", + "refsource": "MISC", + "name": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-5955-cwv4-h7qh" + } + ] + }, + "source": { + "advisory": "GHSA-5955-cwv4-h7qh", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.6, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", + "version": "3.1" } ] } diff --git a/2024/48xxx/CVE-2024-48929.json b/2024/48xxx/CVE-2024-48929.json index 01f5dfa32fe..852a19ddc72 100644 --- a/2024/48xxx/CVE-2024-48929.json +++ b/2024/48xxx/CVE-2024-48929.json 
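Review bot: The description's workaround sentence has `derver-side file validation`, a typo for `server-side file validation`. The opening claim of a "remote code execution issue" also sits uneasily with `"cweId": "CWE-74"` and a vector of `C:L/I:L/A:N` with `PR:L/UI:R`; the rest of the sentence (script content in an SVG running when a Backoffice user previews it) describes execution in the viewing user's browser, and if that is the actual scope, saying so explicitly would stop readers from reading this as server-side code execution. The `10.8,7` typo in the patched-version list is the one noted on the CVE-2024-48926 hunk.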
@@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-48929", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Umbraco is a free and open source .NET content management system. In versions on the 13.x branch prior to 13.5.2 and versions on the 10.x branch prior to 10.8.7, during an explicit sign-out, the server session is not fully terminated. Versions 13.5.2 and 10.8.7 contain a patch for the issue." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-384: Session Fixation", + "cweId": "CWE-384" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "umbraco", + "product": { + "product_data": [ + { + "product_name": "Umbraco-CMS", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": ">= 13.0.0, < 13.5.2" + }, + { + "version_affected": "=", + "version_value": ">= 10.0.0, < 10.8.7" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wxw9-6pv9-c3xc", + "refsource": "MISC", + "name": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wxw9-6pv9-c3xc" + } + ] + }, + "source": { + "advisory": "GHSA-wxw9-6pv9-c3xc", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.2, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + 
"integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", + "version": "3.1" } ] } diff --git a/2024/49xxx/CVE-2024-49373.json b/2024/49xxx/CVE-2024-49373.json index 82148471d52..d84019f373b 100644 --- a/2024/49xxx/CVE-2024-49373.json +++ b/2024/49xxx/CVE-2024-49373.json 
@@ -1,17 +1,95 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-49373", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "No Fuss Computing Centurion ERP is open source enterprise resource planning (ERP) software. Prior to version 1.2.1, an authenticated user can view projects within organizations they are not apart of. Version 1.2.1 fixes the problem." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-653: Improper Isolation or Compartmentalization", + "cweId": "CWE-653" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "nofusscomputing", + "product": { + "product_data": [ + { + "product_name": "centurion_erp", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "< 1.2.1" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-5qmx-pr2f-qhj5", + "refsource": "MISC", + "name": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-5qmx-pr2f-qhj5" + }, + { + "url": "https://github.com/nofusscomputing/centurion_erp/pull/358", + "refsource": "MISC", + "name": "https://github.com/nofusscomputing/centurion_erp/pull/358" + }, + { + "url": "https://github.com/nofusscomputing/centurion_erp/commit/c3a4685200faa060167d4fde86e806dc91eddcae", + "refsource": "MISC", + "name": 
"https://github.com/nofusscomputing/centurion_erp/commit/c3a4685200faa060167d4fde86e806dc91eddcae" + } + ] + }, + "source": { + "advisory": "GHSA-5qmx-pr2f-qhj5", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "PHYSICAL", + "availabilityImpact": "NONE", + "baseScore": 4.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" } ] } diff --git a/2024/50xxx/CVE-2024-50313.json b/2024/50xxx/CVE-2024-50313.json new file mode 100644 index 00000000000..632dca6719f --- /dev/null +++ b/2024/50xxx/CVE-2024-50313.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-50313", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file