diff --git a/2020/15xxx/CVE-2020-15253.json b/2020/15xxx/CVE-2020-15253.json index 7fe47d40fe5..b45c007038a 100644 --- a/2020/15xxx/CVE-2020-15253.json +++ b/2020/15xxx/CVE-2020-15253.json @@ -1,18 +1,98 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15253", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Stored XSS in Grocy" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "grocy", + "version": { + "version_data": [ + { + "version_value": "<= 2.7.1" + } + ] + } + } + ] + }, + "vendor_name": "grocy" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. \n\nAuthentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept." } ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.3, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7", + "refsource": "CONFIRM", + "url": "https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7" + }, + { + "name": "https://github.com/grocy/grocy/issues/996", + "refsource": "MISC", + "url": "https://github.com/grocy/grocy/issues/996" + }, + { + "name": "https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772", + "refsource": "MISC", + "url": "https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772" + }, + { + "name": "https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887", + "refsource": "MISC", + "url": "https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887" + } + ] + }, + "source": { + "advisory": "GHSA-7f37-2fjr-v9p7", + "discovery": "UNKNOWN" } } \ No newline at end of file