admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-06-08 05:58:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

- Synchronized data.

Browse Source
This commit is contained in:
CVE Team 2018-12-20 11:23:33 -05:00
parent 8778b452fd
commit 88c298de35
No known key found for this signature in database
GPG Key ID: 0DA1F9F56BC892E8
7 changed files with 401 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
2018/1000xxx/CVE-2018-1000854.json
View File

@ -1 +1,65 @@
{ "CVE_data_meta": { "ASSIGNER": "kurt@seifried.org", "DATE_ASSIGNED": "2018-12-05T14:18:48.092795", "DATE_REQUESTED": "2018-10-19T16:32:46", "ID": "CVE-2018-1000854", "REQUESTER": "nicolas.richeton@gmail.com" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "esigate", "version": { "version_data": [ { "version_value": "5.2 and earlier" } ] } } ] }, "vendor_name": "esigate.org" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "esigate.org esigate version 5.2 and earlier contains a CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in ESI directive with user specified XSLT that can result in Remote Code Execution. This attack appear to be exploitable via Use of another weakness in backend application to reflect ESI directives. This vulnerability appears to have been fixed in 5.3." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" } ] } ] }, "references": { "reference_data": [ { "url": "https://github.com/esigate/esigate/issues/209" } ] } } {
"CVE_data_meta" : {
"ASSIGNER" : "kurt@seifried.org",
"DATE_ASSIGNED" : "2018-12-05T14:18:48.092795",
"DATE_REQUESTED" : "2018-10-19T16:32:46",
"ID" : "CVE-2018-1000854",
"REQUESTER" : "nicolas.richeton@gmail.com",
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "esigate",
"version" : {
"version_data" : [
{
"version_value" : "5.2 and earlier"
}
]
}
}
]
},
"vendor_name" : "esigate.org"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang" : "eng",
"value" : "esigate.org esigate version 5.2 and earlier contains a CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in ESI directive with user specified XSLT that can result in Remote Code Execution. This attack appear to be exploitable via Use of another weakness in backend application to reflect ESI directives. This vulnerability appears to have been fixed in 5.3."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"name" : "https://github.com/esigate/esigate/issues/209",
"refsource" : "MISC",
"url" : "https://github.com/esigate/esigate/issues/209"
}
]
}
}

71
2018/1000xxx/CVE-2018-1000855.json
View File

@ -1 +1,70 @@
{ "CVE_data_meta": { "ASSIGNER": "kurt@seifried.org", "DATE_ASSIGNED": "2018-12-05T14:18:48.093768", "DATE_REQUESTED": "2018-11-19T08:38:18", "ID": "CVE-2018-1000855", "REQUESTER": "rosa@basecamp.com" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "easymon", "version": { "version_data": [ { "version_value": "1.4 and earlier" } ] } } ] }, "vendor_name": "easymon" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "easymon version 1.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Endpoint where monitoring is mounted that can result in Reflected XSS that affects Firefox. Can be used to steal cookies, depending on the cookie settings.. This attack appear to be exploitable via The victim must click on a crafted URL that contains the XSS payload. This vulnerability appears to have been fixed in 1.4.1 and later." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "url": "https://github.com/basecamp/easymon/issues/26" }, { "url": "https://github.com/basecamp/easymon/pull/25" } ] } } {
"CVE_data_meta" : {
"ASSIGNER" : "kurt@seifried.org",
"DATE_ASSIGNED" : "2018-12-05T14:18:48.093768",
"DATE_REQUESTED" : "2018-11-19T08:38:18",
"ID" : "CVE-2018-1000855",
"REQUESTER" : "rosa@basecamp.com",
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "easymon",
"version" : {
"version_data" : [
{
"version_value" : "1.4 and earlier"
}
]
}
}
]
},
"vendor_name" : "easymon"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang" : "eng",
"value" : "easymon version 1.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Endpoint where monitoring is mounted that can result in Reflected XSS that affects Firefox. Can be used to steal cookies, depending on the cookie settings.. This attack appear to be exploitable via The victim must click on a crafted URL that contains the XSS payload. This vulnerability appears to have been fixed in 1.4.1 and later."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "Cross Site Scripting (XSS)"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"name" : "https://github.com/basecamp/easymon/issues/26",
"refsource" : "MISC",
"url" : "https://github.com/basecamp/easymon/issues/26"
},
{
"name" : "https://github.com/basecamp/easymon/pull/25",
"refsource" : "MISC",
"url" : "https://github.com/basecamp/easymon/pull/25"
}
]
}
}

66
2018/1000xxx/CVE-2018-1000856.json
View File

@ -1 +1,65 @@
{ "CVE_data_meta": { "ASSIGNER": "kurt@seifried.org", "DATE_ASSIGNED": "2018-12-05T14:18:48.094407", "DATE_REQUESTED": "2018-11-20T05:25:34", "ID": "CVE-2018-1000856", "REQUESTER": "sujendra.m@gmail.com" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DomainMOD", "version": { "version_data": [ { "version_value": "4.09.03 and above. Also verified in the latest version 4.11.01" } ] } } ] }, "vendor_name": "DomainMOD" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "DomainMOD version 4.09.03 and above. Also verified in the latest version 4.11.01 contains a Cross Site Scripting (XSS) vulnerability in Segment Name field in the segments page that can result in Arbitrary script can be executed on all users browsers who visit the affected page. This attack appear to be exploitable via Victim must visit the vulnerable page. This vulnerability appears to have been fixed in No fix yet." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "url": "https://github.com/domainmod/domainmod/issues/80" } ] } } {
"CVE_data_meta" : {
"ASSIGNER" : "kurt@seifried.org",
"DATE_ASSIGNED" : "2018-12-05T14:18:48.094407",
"DATE_REQUESTED" : "2018-11-20T05:25:34",
"ID" : "CVE-2018-1000856",
"REQUESTER" : "sujendra.m@gmail.com",
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "DomainMOD",
"version" : {
"version_data" : [
{
"version_value" : "4.09.03 and above. Also verified in the latest version 4.11.01"
}
]
}
}
]
},
"vendor_name" : "DomainMOD"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang" : "eng",
"value" : "DomainMOD version 4.09.03 and above. Also verified in the latest version 4.11.01 contains a Cross Site Scripting (XSS) vulnerability in Segment Name field in the segments page that can result in Arbitrary script can be executed on all users browsers who visit the affected page. This attack appear to be exploitable via Victim must visit the vulnerable page. This vulnerability appears to have been fixed in No fix yet."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "Cross Site Scripting (XSS)"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"name" : "https://github.com/domainmod/domainmod/issues/80",
"refsource" : "MISC",
"url" : "https://github.com/domainmod/domainmod/issues/80"
}
]
}
}

66
2018/1000xxx/CVE-2018-1000857.json
View File

@ -1 +1,65 @@
{ "CVE_data_meta": { "ASSIGNER": "kurt@seifried.org", "DATE_ASSIGNED": "2018-12-05T14:18:48.095067", "DATE_REQUESTED": "2018-11-22T22:05:34", "ID": "CVE-2018-1000857", "REQUESTER": "me@halfdog.net" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "log-user-session", "version": { "version_data": [ { "version_value": "0.7 and earlier" } ] } } ] }, "vendor_name": "log-user-session" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "log-user-session version 0.7 and earlier contains a Directory Traversal vulnerability in Main SUID-binary /usr/local/bin/log-user-session that can result in User to root privilege escalation. This attack appear to be exploitable via Malicious unprivileged user executes the vulnerable binary/(remote) environment variable manipulation similar shell-shock also possible." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Directory Traversal" } ] } ] }, "references": { "reference_data": [ { "url": "https://www.halfdog.net/Security/2018/LogUserSessionLocalRootPrivilegeEscalation/" } ] } } {
"CVE_data_meta" : {
"ASSIGNER" : "kurt@seifried.org",
"DATE_ASSIGNED" : "2018-12-05T14:18:48.095067",
"DATE_REQUESTED" : "2018-11-22T22:05:34",
"ID" : "CVE-2018-1000857",
"REQUESTER" : "me@halfdog.net",
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "log-user-session",
"version" : {
"version_data" : [
{
"version_value" : "0.7 and earlier"
}
]
}
}
]
},
"vendor_name" : "log-user-session"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang" : "eng",
"value" : "log-user-session version 0.7 and earlier contains a Directory Traversal vulnerability in Main SUID-binary /usr/local/bin/log-user-session that can result in User to root privilege escalation. This attack appear to be exploitable via Malicious unprivileged user executes the vulnerable binary/(remote) environment variable manipulation similar shell-shock also possible."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "Directory Traversal"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"name" : "https://www.halfdog.net/Security/2018/LogUserSessionLocalRootPrivilegeEscalation/",
"refsource" : "MISC",
"url" : "https://www.halfdog.net/Security/2018/LogUserSessionLocalRootPrivilegeEscalation/"
}
]
}
}

71
2018/1000xxx/CVE-2018-1000858.json
View File

@ -1 +1,70 @@
{ "CVE_data_meta": { "ASSIGNER": "kurt@seifried.org", "DATE_ASSIGNED": "2018-12-05T14:18:48.095694", "DATE_REQUESTED": "2018-11-23T20:30:00", "ID": "CVE-2018-1000858", "REQUESTER": "cve@sektioneins.de" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GnuPG", "version": { "version_data": [ { "version_value": "2.1.12 - 2.2.11" } ] } } ] }, "vendor_name": "GnuPG" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross ite Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "url": "https://sektioneins.de/en/advisories/advisory-012018-gnupg-wkd.html" }, { "url": "https://sektioneins.de/en/blog/18-11-23-gnupg-wkd.html" } ] } } {
"CVE_data_meta" : {
"ASSIGNER" : "kurt@seifried.org",
"DATE_ASSIGNED" : "2018-12-05T14:18:48.095694",
"DATE_REQUESTED" : "2018-11-23T20:30:00",
"ID" : "CVE-2018-1000858",
"REQUESTER" : "cve@sektioneins.de",
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "GnuPG",
"version" : {
"version_data" : [
{
"version_value" : "2.1.12 - 2.2.11"
}
]
}
}
]
},
"vendor_name" : "GnuPG"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang" : "eng",
"value" : "GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "Cross ite Request Forgery (CSRF)"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"name" : "https://sektioneins.de/en/advisories/advisory-012018-gnupg-wkd.html",
"refsource" : "MISC",
"url" : "https://sektioneins.de/en/advisories/advisory-012018-gnupg-wkd.html"
},
{
"name" : "https://sektioneins.de/en/blog/18-11-23-gnupg-wkd.html",
"refsource" : "MISC",
"url" : "https://sektioneins.de/en/blog/18-11-23-gnupg-wkd.html"
}
]
}
}

66
2018/1000xxx/CVE-2018-1000860.json
View File

@ -1 +1,65 @@
{ "CVE_data_meta": { "ASSIGNER": "kurt@seifried.org", "DATE_ASSIGNED": "2018-12-05T14:18:48.097031", "DATE_REQUESTED": "2018-11-29T17:16:48", "ID": "CVE-2018-1000860", "REQUESTER": "Disgruntled3lf@gmail.com" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "phpipam", "version": { "version_data": [ { "version_value": "1.3.2 and earlier" } ] } } ] }, "vendor_name": "phpipam" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "phpipam version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in The value of the phpipamredirect cookie is copied into an HTML tag on the login page encapsulated in single quotes. Editing the value of the cookie to r5zkh'><script>alert(1)</script>quqtl exploits an XSS vulnerability. that can result in Arbitrary code executes in victims browser.. This attack appear to be exploitable via Needs to be chained with another exploit that allows an attacker to set or modify a cookie for the phpIPAM instance's domain.." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "url": "https://github.com/phpipam/phpipam/issues/2338" } ] } } {
"CVE_data_meta" : {
"ASSIGNER" : "kurt@seifried.org",
"DATE_ASSIGNED" : "2018-12-05T14:18:48.097031",
"DATE_REQUESTED" : "2018-11-29T17:16:48",
"ID" : "CVE-2018-1000860",
"REQUESTER" : "Disgruntled3lf@gmail.com",
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "phpipam",
"version" : {
"version_data" : [
{
"version_value" : "1.3.2 and earlier"
}
]
}
}
]
},
"vendor_name" : "phpipam"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang" : "eng",
"value" : "phpipam version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in The value of the phpipamredirect cookie is copied into an HTML tag on the login page encapsulated in single quotes. Editing the value of the cookie to r5zkh'><script>alert(1)</script>quqtl exploits an XSS vulnerability. that can result in Arbitrary code executes in victims browser.. This attack appear to be exploitable via Needs to be chained with another exploit that allows an attacker to set or modify a cookie for the phpIPAM instance's domain.."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "Cross Site Scripting (XSS)"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"name" : "https://github.com/phpipam/phpipam/issues/2338",
"refsource" : "MISC",
"url" : "https://github.com/phpipam/phpipam/issues/2338"
}
]
}
}

2
2018/1xxx/CVE-2018-1778.json
View File

@ -44,7 +44,7 @@
"description_data" : [ "description_data" : [
{ {
"lang" : "eng", "lang" : "eng",
"value" : "IBM LoopBack (IBM API Connect 2018.1, 2018.4.1, 5.0.8.0, and 5.0.8.4) could allow an attacker to bypass authentication if f the AccessToken Model is exposed over a REST API, it is then possible for anyone to create an AccessToken for any User provided they know the userId and can hence get access to the other user&#195;&#162;&#194;&#128;&#194;&#153;s data / access to their privileges (if the user happens to be an Admin for example). IBM X-Force ID: 148801." "value" : "IBM LoopBack (IBM API Connect 2018.1, 2018.4.1, 5.0.8.0, and 5.0.8.4) could allow an attacker to bypass authentication if the AccessToken Model is exposed over a REST API, it is then possible for anyone to create an AccessToken for any User provided they know the userId and can hence get access to the other user&#195;&#162;&#194;&#128;&#194;&#153;s data / access to their privileges (if the user happens to be an Admin for example). IBM X-Force ID: 148801."
} }
] ]
}, },