From bd24b1f3d0073696879f827372f7563051766e2b Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Thu, 21 Apr 2022 18:01:35 +0000
Subject: [PATCH] "-Synchronized-Data."
---
 2020/14xxx/CVE-2020-14116.json | 50 ++++++++++++++++++++++++++++++++--
 2020/14xxx/CVE-2020-14117.json | 50 ++++++++++++++++++++++++++++++++--
 2020/14xxx/CVE-2020-14118.json | 50 ++++++++++++++++++++++++++++++++--
 2020/14xxx/CVE-2020-14120.json | 50 ++++++++++++++++++++++++++++++++--
 2020/14xxx/CVE-2020-14121.json | 50 ++++++++++++++++++++++++++++++++--
 2020/14xxx/CVE-2020-14122.json | 50 ++++++++++++++++++++++++++++++++--
 2022/1xxx/CVE-2022-1426.json | 18 ++++++++++++
 2022/24xxx/CVE-2022-24869.json | 2 +-
 2022/28xxx/CVE-2022-28810.json | 12 +++++++-
 9 files changed, 312 insertions(+), 20 deletions(-)
 create mode 100644 2022/1xxx/CVE-2022-1426.json
diff --git a/2020/14xxx/CVE-2020-14116.json b/2020/14xxx/CVE-2020-14116.json
index 16cedfc8a14..76ebf4ff3ec 100644
--- a/2020/14xxx/CVE-2020-14116.json
+++ b/2020/14xxx/CVE-2020-14116.json
@@ -4,14 +4,58 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-14116",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@xiaomi.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "n/a",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Mi Browser",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "Mi Browser version < 15.8"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Intent redirection"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=148",
+ "url": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=148"
+ }
+ ]
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "An intent redirection vulnerability in the Mi Browser product. This vulnerability is caused by the Mi Browser does not verify the validity of the incoming data. Attackers can perform sensitive operations by exploiting this."
 }
 ]
 }
diff --git a/2020/14xxx/CVE-2020-14117.json b/2020/14xxx/CVE-2020-14117.json
index a6c262b5cf4..0a223fb5737 100644
--- a/2020/14xxx/CVE-2020-14117.json
+++ b/2020/14xxx/CVE-2020-14117.json
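Review bot: In `2020/14xxx/CVE-2020-14116.json` the added `affects` block sets `"vendor_name": "n/a"` although the assigner address and the product both point to Xiaomi, so anything that matches records by vendor will miss this entry; `"vendor_name": "Xiaomi"` looks like the intended value. The `version_value` string `"Mi Browser version < 15.8"` packs the product name and the comparison into free text, where the 4.0 format has a separate field for the operator: `"version_affected": "<"` with `"version_value": "15.8"`. The `problemtype` value is free text with no CWE identifier, which makes automated triage harder. The same three points apply to the hunks for CVE-2020-14117, CVE-2020-14118, CVE-2020-14120, CVE-2020-14121 and CVE-2020-14122.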
@@ -4,14 +4,58 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-14117",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@xiaomi.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "n/a",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Xiaomi Content Center APP",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "Xiaomi Content Center APP version < 4.4.11"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Improper permission configuration"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=143",
+ "url": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=143"
+ }
+ ]
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "A improper permission configuration vulnerability in Xiaomi Content Center APP. This vulnerability is caused by the lack of correct permission verification in the Xiaomi content center APP, and attackers can use this vulnerability to invoke the sensitive component functions of the Xiaomi content center APP."
 }
 ]
 }
diff --git a/2020/14xxx/CVE-2020-14118.json b/2020/14xxx/CVE-2020-14118.json
index 227c42ac513..237b9343c0d 100644
--- a/2020/14xxx/CVE-2020-14118.json
+++ b/2020/14xxx/CVE-2020-14118.json
@@ -4,14 +4,58 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-14118",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@xiaomi.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "n/a",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Mi App Store",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "Mi App Store version <4.10.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Intent redirection vulnerability"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=144",
+ "url": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=144"
+ }
+ ]
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "An intent redirection vulnerability in the Mi App Store product. This vulnerability is caused by the Mi App Store does not verify the validity of the incoming data, can cause the app store to automatically download and install apps."
 }
 ]
 }
diff --git a/2020/14xxx/CVE-2020-14120.json b/2020/14xxx/CVE-2020-14120.json
index f5df14b5343..4db94e2039c 100644
--- a/2020/14xxx/CVE-2020-14120.json
+++ b/2020/14xxx/CVE-2020-14120.json
@@ -4,14 +4,58 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-14120",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@xiaomi.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "n/a",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "MIUI",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "MIUI version 12.5"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Permission bypass"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=145",
+ "url": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=145"
+ }
+ ]
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Some Xiaomi models have a vulnerability in a certain application. The vulnerability is caused by the lack of checksum when using a three-party application to pass in parameters, and attackers can induce users to install a malicious app and use the vulnerability to achieve elevated privileges, making the normal services of the system affected."
 }
 ]
 }
diff --git a/2020/14xxx/CVE-2020-14121.json b/2020/14xxx/CVE-2020-14121.json
index df2d6ee7009..8ffa4115f2e 100644
--- a/2020/14xxx/CVE-2020-14121.json
+++ b/2020/14xxx/CVE-2020-14121.json
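Review bot: The `version_value` of `"MIUI version 12.5"` in `2020/14xxx/CVE-2020-14120.json` does not say whether only 12.5 is affected or every release up to a fixed one, so a reader cannot tell from the record which versions are safe. If the linked advisory names a fixed version, the entry should carry the range explicitly, for example `"version_affected": "<"` with the fixed version as `version_value`. CVE-2020-14121 (`"Mi App Store version 4.12.2"`) and CVE-2020-14122 (`"MIUI version 12.5.2"`) have the same ambiguity. The description's "lack of checksum when using a three-party application" presumably means missing validation of parameters passed in by a third-party application, and would be clearer worded that way.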
@@ -4,14 +4,58 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-14121",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@xiaomi.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "n/a",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Mi App Store",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "Mi App Store version 4.12.2"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Business logic vulnerability"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=146",
+ "url": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=146"
+ }
+ ]
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "A business logic vulnerability exists in Mi App Store. The vulnerability is caused by incomplete permission checks of the products being bypassed, and an attacker can exploit the vulnerability to perform a local silent installation."
 }
 ]
 }
diff --git a/2020/14xxx/CVE-2020-14122.json b/2020/14xxx/CVE-2020-14122.json
index 8864c8d31f1..c915a2b4019 100644
--- a/2020/14xxx/CVE-2020-14122.json
+++ b/2020/14xxx/CVE-2020-14122.json
@@ -4,14 +4,58 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-14122",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@xiaomi.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "n/a",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "MIUI",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "MIUI version 12.5.2"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Information leakage"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=147",
+ "url": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=147"
+ }
+ ]
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Some Xiaomi phones have information leakage vulnerabilities, and some of them may be able to forge a specific identity due to the lack of parameter verification, resulting in user information leakage."
 }
 ]
 }
diff --git a/2022/1xxx/CVE-2022-1426.json b/2022/1xxx/CVE-2022-1426.json
new file mode 100644
index 00000000000..62a634b30eb
--- /dev/null
+++ b/2022/1xxx/CVE-2022-1426.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2022-1426",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2022/24xxx/CVE-2022-24869.json b/2022/24xxx/CVE-2022-24869.json
index 5cc34fe5d4a..4069cb92475 100644
--- a/2022/24xxx/CVE-2022-24869.json
+++ b/2022/24xxx/CVE-2022-24869.json
@@ -35,7 +35,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket's followups or setup login messages with a stylesheet link. This may allow for a cross site scripting attack vector. This issue is partially mitigated by cors security of browsers, though users are still advised to upgrade.\n"
+ "value": "GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket's followups or setup login messages with a stylesheet link. This may allow for a cross site scripting attack vector. This issue is partially mitigated by cors security of browsers, though users are still advised to upgrade."
 }
 ]
 },
diff --git a/2022/28xxx/CVE-2022-28810.json b/2022/28xxx/CVE-2022-28810.json
index 60d2cb6396e..85989e80da4 100644
--- a/2022/28xxx/CVE-2022-28810.json
+++ b/2022/28xxx/CVE-2022-28810.json
@@ -34,7 +34,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "Zoho ManageEngine ADSelfService Plus before 6122 allows an authenticated user to achieve remote code execution via executable CMD.EXE input in a password field, This only occurs if a certain password sync feature is enabled that uses passwords as script arguments."
+ "value": "Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field."
 }
 ]
 },
@@ -61,6 +61,16 @@
 "refsource": "MISC",
 "name": "http://packetstormsecurity.com/files/166816/ManageEngine-ADSelfService-Plus-Custom-Script-Execution.html",
 "url": "http://packetstormsecurity.com/files/166816/ManageEngine-ADSelfService-Plus-Custom-Script-Execution.html"
+ },
+ {
+ "refsource": "MISC",
+ "name": "https://github.com/rapid7/metasploit-framework/pull/16475",
+ "url": "https://github.com/rapid7/metasploit-framework/pull/16475"
+ },
+ {
+ "refsource": "MISC",
+ "name": "https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/",
+ "url": "https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/"
 }
 ]
 },
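Review bot: The rewritten description in the first hunk of `2022/28xxx/CVE-2022-28810.json` says "arbitrary operating OS commands", which is redundant; `arbitrary OS commands` is enough. "partially authenticated" is not defined anywhere in the visible record, so a reader cannot tell which privilege level the password-field injection requires, and a short qualifier would help. The text now combines three separate conditions (the custom script feature, the default administrator password, the unsanitized password field); whether `problemtype` covers all three cannot be seen from this hunk and is worth checking.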