admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-05-05 18:28:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2020-03-13 22:01:22 +00:00
parent c1c9feb0e9
commit 929236fcf5
No known key found for this signature in database
GPG Key ID: 5708902F06FEF743
3 changed files with 21 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
2020/10xxx/CVE-2020-10564.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2020-10564",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

4
2020/5xxx/CVE-2020-5240.json
View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users 2FA devices by going to the correct path. \nThe user does not require special permissions in order to do so. By deleting the other users device they can disable the target users\n2FA devices and potentially compromise the account if they figure out their password.\n\nThe problem has been patched in version 1.4.1."
"value": "In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other users device they can disable the target users 2FA devices and potentially compromise the account if they figure out their password. The problem has been patched in version 1.4.1."
}
]
},
@ -85,4 +85,4 @@
"advisory": "GHSA-9gjv-6qq6-v7qm",
"discovery": "UNKNOWN"
}
}
}

2
2020/5xxx/CVE-2020-5257.json
View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard,\nthe direction parameter was not validated before being interpolated into the SQL query.\nThis could present a SQL injection if the attacker were able to modify the `direction` parameter and bypass ActiveRecord SQL protections.\n\nWhilst this does have a high-impact, to exploit this you need access to the Administrate dashboards, which we would expect to be behind authentication.\n\nThis is patched in wersion 0.13.0."
"value": "In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the `direction` parameter and bypass ActiveRecord SQL protections. Whilst this does have a high-impact, to exploit this you need access to the Administrate dashboards, which we would expect to be behind authentication. This is patched in wersion 0.13.0."
}
]
},