From 841e34c9c4e087b9a51f63b4c5634f1fed1d8467 Mon Sep 17 00:00:00 2001 From: CVE Team Date: Thu, 22 Feb 2024 19:00:34 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2023/48xxx/CVE-2023-48715.json | 2 +- 2024/1xxx/CVE-2024-1773.json | 18 +++++++ 2024/1xxx/CVE-2024-1774.json | 18 +++++++ 2024/1xxx/CVE-2024-1775.json | 18 +++++++ 2024/1xxx/CVE-2024-1776.json | 18 +++++++ 2024/1xxx/CVE-2024-1777.json | 18 +++++++ 2024/1xxx/CVE-2024-1778.json | 18 +++++++ 2024/1xxx/CVE-2024-1779.json | 18 +++++++ 2024/1xxx/CVE-2024-1780.json | 18 +++++++ 2024/1xxx/CVE-2024-1781.json | 18 +++++++ 2024/1xxx/CVE-2024-1782.json | 18 +++++++ 2024/1xxx/CVE-2024-1783.json | 18 +++++++ 2024/25xxx/CVE-2024-25129.json | 86 +++++++++++++++++++++++++++-- 2024/25xxx/CVE-2024-25130.json | 99 ++++++++++++++++++++++++++++++++-- 2024/26xxx/CVE-2024-26128.json | 86 +++++++++++++++++++++++++++-- 2024/26xxx/CVE-2024-26151.json | 96 +++++++++++++++++++++++++++++++-- 2024/27xxx/CVE-2024-27284.json | 18 +++++++ 2024/27xxx/CVE-2024-27285.json | 18 +++++++ 2024/27xxx/CVE-2024-27286.json | 18 +++++++ 2024/27xxx/CVE-2024-27287.json | 18 +++++++ 2024/27xxx/CVE-2024-27288.json | 18 +++++++ 2024/27xxx/CVE-2024-27289.json | 18 +++++++ 2024/27xxx/CVE-2024-27290.json | 18 +++++++ 2024/27xxx/CVE-2024-27291.json | 18 +++++++ 2024/27xxx/CVE-2024-27292.json | 18 +++++++ 2024/27xxx/CVE-2024-27293.json | 18 +++++++ 2024/27xxx/CVE-2024-27294.json | 18 +++++++ 2024/27xxx/CVE-2024-27295.json | 18 +++++++ 2024/27xxx/CVE-2024-27296.json | 18 +++++++ 2024/27xxx/CVE-2024-27297.json | 18 +++++++ 2024/27xxx/CVE-2024-27298.json | 18 +++++++ 2024/27xxx/CVE-2024-27299.json | 18 +++++++ 2024/27xxx/CVE-2024-27300.json | 18 +++++++ 2024/27xxx/CVE-2024-27301.json | 18 +++++++ 2024/27xxx/CVE-2024-27302.json | 18 +++++++ 2024/27xxx/CVE-2024-27303.json | 18 +++++++ 2024/27xxx/CVE-2024-27304.json | 18 +++++++ 2024/27xxx/CVE-2024-27305.json | 18 +++++++ 2024/27xxx/CVE-2024-27306.json | 18 +++++++ 2024/27xxx/CVE-2024-27307.json | 18 +++++++ 2024/27xxx/CVE-2024-27308.json | 18 +++++++ 2024/27xxx/CVE-2024-27309.json | 18 +++++++ 42 files changed, 1018 insertions(+), 17 deletions(-) create mode 100644 2024/1xxx/CVE-2024-1773.json create mode 100644 2024/1xxx/CVE-2024-1774.json create mode 100644 2024/1xxx/CVE-2024-1775.json create mode 100644 2024/1xxx/CVE-2024-1776.json create mode 100644 2024/1xxx/CVE-2024-1777.json create mode 100644 2024/1xxx/CVE-2024-1778.json create mode 100644 2024/1xxx/CVE-2024-1779.json create mode 100644 2024/1xxx/CVE-2024-1780.json create mode 100644 2024/1xxx/CVE-2024-1781.json create mode 100644 2024/1xxx/CVE-2024-1782.json create mode 100644 2024/1xxx/CVE-2024-1783.json create mode 100644 2024/27xxx/CVE-2024-27284.json create mode 100644 2024/27xxx/CVE-2024-27285.json create mode 100644 2024/27xxx/CVE-2024-27286.json create mode 100644 2024/27xxx/CVE-2024-27287.json create mode 100644 2024/27xxx/CVE-2024-27288.json create mode 100644 2024/27xxx/CVE-2024-27289.json create mode 100644 2024/27xxx/CVE-2024-27290.json create mode 100644 2024/27xxx/CVE-2024-27291.json create mode 100644 2024/27xxx/CVE-2024-27292.json create mode 100644 2024/27xxx/CVE-2024-27293.json create mode 100644 2024/27xxx/CVE-2024-27294.json create mode 100644 2024/27xxx/CVE-2024-27295.json create mode 100644 2024/27xxx/CVE-2024-27296.json create mode 100644 2024/27xxx/CVE-2024-27297.json create mode 100644 2024/27xxx/CVE-2024-27298.json create mode 100644 2024/27xxx/CVE-2024-27299.json create mode 100644 2024/27xxx/CVE-2024-27300.json create mode 100644 2024/27xxx/CVE-2024-27301.json create mode 100644 2024/27xxx/CVE-2024-27302.json create mode 100644 2024/27xxx/CVE-2024-27303.json create mode 100644 2024/27xxx/CVE-2024-27304.json create mode 100644 2024/27xxx/CVE-2024-27305.json create mode 100644 2024/27xxx/CVE-2024-27306.json create mode 100644 2024/27xxx/CVE-2024-27307.json create mode 100644 2024/27xxx/CVE-2024-27308.json create mode 100644 2024/27xxx/CVE-2024-27309.json diff --git a/2023/48xxx/CVE-2023-48715.json b/2023/48xxx/CVE-2023-48715.json index 9969164b6a4..6943ba3dd0f 100644 --- a/2023/48xxx/CVE-2023-48715.json +++ b/2023/48xxx/CVE-2023-48715.json @@ -11,7 +11,7 @@ "description_data": [ { "lang": "eng", - "value": "Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.2.99.103 or Tuleap Community Edition and prior to versions 15.2-4 and 15.1-8 of Tuleap Enterprise Edition, the name of the releases are not properly escaped on the edition page of a release. A malicious user with the ability to create a FRS release could force a victim having write permissions in the FRS to execute uncontrolled code. Tuleap Community Edition 15.2.99.103, Tuleap Enterprise Edition 15.2-4, and Tuleap Enterprise Edition 15.1-8 contain a fix for this issue." + "value": "Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.2.99.103 of Tuleap Community Edition and prior to versions 15.2-4 and 15.1-8 of Tuleap Enterprise Edition, the name of the releases are not properly escaped on the edition page of a release. A malicious user with the ability to create a FRS release could force a victim having write permissions in the FRS to execute uncontrolled code. Tuleap Community Edition 15.2.99.103, Tuleap Enterprise Edition 15.2-4, and Tuleap Enterprise Edition 15.1-8 contain a fix for this issue." } ] }, diff --git a/2024/1xxx/CVE-2024-1773.json b/2024/1xxx/CVE-2024-1773.json new file mode 100644 index 00000000000..b32c9bd8fe1 --- /dev/null +++ b/2024/1xxx/CVE-2024-1773.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-1773", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/1xxx/CVE-2024-1774.json b/2024/1xxx/CVE-2024-1774.json new file mode 100644 index 00000000000..bfa0f54859d --- /dev/null +++ b/2024/1xxx/CVE-2024-1774.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-1774", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/1xxx/CVE-2024-1775.json b/2024/1xxx/CVE-2024-1775.json new file mode 100644 index 00000000000..185224d9d7c --- /dev/null +++ b/2024/1xxx/CVE-2024-1775.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-1775", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/1xxx/CVE-2024-1776.json b/2024/1xxx/CVE-2024-1776.json new file mode 100644 index 00000000000..c8cc4f96f43 --- /dev/null +++ b/2024/1xxx/CVE-2024-1776.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-1776", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/1xxx/CVE-2024-1777.json b/2024/1xxx/CVE-2024-1777.json new file mode 100644 index 00000000000..32ff5b7fd6d --- /dev/null +++ b/2024/1xxx/CVE-2024-1777.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-1777", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/1xxx/CVE-2024-1778.json b/2024/1xxx/CVE-2024-1778.json new file mode 100644 index 00000000000..4b35315aab9 --- /dev/null +++ b/2024/1xxx/CVE-2024-1778.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-1778", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/1xxx/CVE-2024-1779.json b/2024/1xxx/CVE-2024-1779.json new file mode 100644 index 00000000000..31a23728824 --- /dev/null +++ b/2024/1xxx/CVE-2024-1779.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-1779", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/1xxx/CVE-2024-1780.json b/2024/1xxx/CVE-2024-1780.json new file mode 100644 index 00000000000..9e3c32a3d85 --- /dev/null +++ b/2024/1xxx/CVE-2024-1780.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-1780", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/1xxx/CVE-2024-1781.json b/2024/1xxx/CVE-2024-1781.json new file mode 100644 index 00000000000..dfb2e77d034 --- /dev/null +++ b/2024/1xxx/CVE-2024-1781.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-1781", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/1xxx/CVE-2024-1782.json b/2024/1xxx/CVE-2024-1782.json new file mode 100644 index 00000000000..f82a13ca360 --- /dev/null +++ b/2024/1xxx/CVE-2024-1782.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-1782", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/1xxx/CVE-2024-1783.json b/2024/1xxx/CVE-2024-1783.json new file mode 100644 index 00000000000..dc9a02937eb --- /dev/null +++ b/2024/1xxx/CVE-2024-1783.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-1783", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/25xxx/CVE-2024-25129.json b/2024/25xxx/CVE-2024-25129.json index 171e321e5c2..493c00af710 100644 --- a/2024/25xxx/CVE-2024-25129.json +++ b/2024/25xxx/CVE-2024-25129.json @@ -1,17 +1,95 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-25129", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The CodeQL CLI repo holds binaries for the CodeQL command line interface (CLI). Prior to version 2.16.3, an XML parser used by the CodeQL CLI to read various auxiliary files is vulnerable to an XML External Entity attack. If a vulnerable version of the CLI is used to process either a maliciously modified CodeQL database, or a specially prepared set of QL query sources, the CLI can be made to make an outgoing HTTP request to an URL that contains material read from a local file chosen by the attacker. This may result in a loss of privacy of exfiltration of secrets. Security researchers and QL authors who receive databases or QL source files from untrusted sources may be impacted. A single untrusted `.ql` or `.qll` file cannot be affected, but a zip archive or tarball containing QL sources may unpack auxiliary files that will trigger an attack when CodeQL sees them in the file system. Those using CodeQL for routine analysis of source trees with a preselected set of trusted queries are not affected. In particular, extracting XML files from a source tree into the CodeQL database does not make one vulnerable. The problem is fixed in release 2.16.3 of the CodeQL CLI. Other than upgrading, workarounds include not accepting CodeQL databases or queries from untrusted sources, or only processing such material on a machine without an Internet connection. Customers who use older releases of CodeQL for security scanning in an automated CI system and cannot upgrade for compliance reasons can continue using that version. That use case is safe. If such customers have a private query pack and use the `codeql pack create` command to precompile them before using them in the CI system, they should be using the production CodeQL release to run `codeql pack create`. That command is safe as long as the QL source it precompiled is trusted. All other development of the query pack should use an upgraded CLI." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-611: Improper Restriction of XML External Entity Reference", + "cweId": "CWE-611" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "github", + "product": { + "product_data": [ + { + "product_name": "codeql-cli-binaries", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "< 2.16.3" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gf8p-v3g3-3wph", + "refsource": "MISC", + "name": "https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gf8p-v3g3-3wph" + }, + { + "url": "https://github.com/github/codeql-cli-binaries/releases/tag/v2.16.3", + "refsource": "MISC", + "name": "https://github.com/github/codeql-cli-binaries/releases/tag/v2.16.3" + }, + { + "url": "https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-611/XXELocal.ql", + "refsource": "MISC", + "name": "https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-611/XXELocal.ql" + } + ] + }, + "source": { + "advisory": "GHSA-gf8p-v3g3-3wph", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 2.7, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", + "version": "3.1" } ] } diff --git a/2024/25xxx/CVE-2024-25130.json b/2024/25xxx/CVE-2024-25130.json index fc5359bbac9..0bf20e9f96c 100644 --- a/2024/25xxx/CVE-2024-25130.json +++ b/2024/25xxx/CVE-2024-25130.json @@ -1,17 +1,108 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-25130", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.5.99.76 of Tuleap Community Edition and prior to versions 15.5-4 and 15.4-7 of Tuleap Enterprise Edition, users with a read access to a tracker where the mass update feature is used might get access to restricted information. Tuleap Community Edition 15.5.99.76, Tuleap Enterprise Edition 15.5-4, and Tuleap Enterprise Edition 15.4-7 contain a patch for this issue." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "cweId": "CWE-200" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Enalean", + "product": { + "product_data": [ + { + "product_name": "tuleap", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "< 15.5.99.76" + }, + { + "version_affected": "=", + "version_value": ">= 15.5, < 15.5-4" + }, + { + "version_affected": "=", + "version_value": "< 15.4-7" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-mq7f-m6mj-hjj5", + "refsource": "MISC", + "name": "https://github.com/Enalean/tuleap/security/advisories/GHSA-mq7f-m6mj-hjj5" + }, + { + "url": "https://github.com/Enalean/tuleap/commit/57978a32508f5c6d0365419b6eaeb368aee20667", + "refsource": "MISC", + "name": "https://github.com/Enalean/tuleap/commit/57978a32508f5c6d0365419b6eaeb368aee20667" + }, + { + "url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=57978a32508f5c6d0365419b6eaeb368aee20667", + "refsource": "MISC", + "name": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=57978a32508f5c6d0365419b6eaeb368aee20667" + }, + { + "url": "https://tuleap.net/plugins/tracker/?aid=36803", + "refsource": "MISC", + "name": "https://tuleap.net/plugins/tracker/?aid=36803" + } + ] + }, + "source": { + "advisory": "GHSA-mq7f-m6mj-hjj5", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N", + "version": "3.1" } ] } diff --git a/2024/26xxx/CVE-2024-26128.json b/2024/26xxx/CVE-2024-26128.json index 2cb2e0062f8..c57049ed00a 100644 --- a/2024/26xxx/CVE-2024-26128.json +++ b/2024/26xxx/CVE-2024-26128.json @@ -1,17 +1,95 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-26128", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the content management feature. Version 5.0.9 contains a fix for this vulnerability." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "baserproject", + "product": { + "product_data": [ + { + "product_name": "basercms", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "< 5.0.9" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-jjxq-m8h3-4vw5", + "refsource": "MISC", + "name": "https://github.com/baserproject/basercms/security/advisories/GHSA-jjxq-m8h3-4vw5" + }, + { + "url": "https://github.com/baserproject/basercms/commit/18f426d63e752b4d22c40e9ea8d1f6e692ef601c", + "refsource": "MISC", + "name": "https://github.com/baserproject/basercms/commit/18f426d63e752b4d22c40e9ea8d1f6e692ef601c" + }, + { + "url": "https://basercms.net/security/JVN_73283159", + "refsource": "MISC", + "name": "https://basercms.net/security/JVN_73283159" + } + ] + }, + "source": { + "advisory": "GHSA-jjxq-m8h3-4vw5", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" } ] } diff --git a/2024/26xxx/CVE-2024-26151.json b/2024/26xxx/CVE-2024-26151.json index 1a8cb89398b..75f663763d4 100644 --- a/2024/26xxx/CVE-2024-26151.json +++ b/2024/26xxx/CVE-2024-26151.json @@ -1,17 +1,105 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-26151", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The `mjml` PyPI package, found at the `FelixSchwarz/mjml-python` GitHub repo, is an unofficial Python port of MJML, a markup language created by Mailjet. All users of `FelixSchwarz/mjml-python` who insert untrusted data into mjml templates unless that data is checked in a very strict manner. User input like `<script>` would be rendered as `