admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-06-19 17:32:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto-merge PR#3017

Browse Source 
Auto-merge PR#3017
This commit is contained in:
CVE Team 2020-01-08 16:50:12 -05:00 committed by GitHub
commit 9f5443ad82
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 63 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

127
2019/17xxx/CVE-2019-17151.json
View File

@ -1,69 +1,68 @@
{ {
"CVE_data_meta": { "CVE_data_meta": {
"ASSIGNER": "zdi-disclosures@trendmicro.com", "ASSIGNER": "zdi-disclosures@trendmicro.com",
"ID": "CVE-2019-17151", "ID": "CVE-2019-17151",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "WeChat", "product_name": "WeChat",
"version": { "version": {
"version_data": [ "version_data": [
{
"version_value": "Prior to 7.0.9"
}
]
}
}
]
},
"vendor_name": "Tencent"
}
]
}
},
"credit": "Todd Han and Junzhi Lu of TrendMicro Mobile Security Research Team, Zhengyu Dong",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent WeChat Prior to 7.0.9. User interaction is required to exploit this vulnerability in that the target must be within a chat session together with the attacker. The specific flaw exists within the parsing of a usernames. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9302."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{ {
"lang": "eng", "version_value": "Prior to 7.0.9"
"value": "CWE-94: Improper Control of Generation of Code ('Code Injection')"
} }
] ]
} }
] }
}, ]
"references": { },
"reference_data": [ "vendor_name": "Tencent"
{
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-1035/",
"refsource": "MISC",
"name": "https://www.zerodayinitiative.com/advisories/ZDI-19-1035/"
}
]
},
"impact": {
"cvss": {
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
} }
]
} }
} },
"credit": "Todd Han and Junzhi Lu of TrendMicro Mobile Security Research Team, Zhengyu Dong",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "This vulnerability allows remote attackers redirect users to an external resource on affected installations of Tencent WeChat Prior to 7.0.9. User interaction is required to exploit this vulnerability in that the target must be within a chat session together with the attacker.\n\nThe specific flaw exists within the parsing of a users profile. The issue lies in the failure to properly validate a users name. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-9302."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-356: Product UI does not Warn User of Unsafe Actions"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-1035/"
}
]
},
"impact": {
"cvss": {
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
}