From daab42fdfd30b0794c394ee1f386b4546f6b9f24 Mon Sep 17 00:00:00 2001 From: CVE Team Date: Tue, 4 Mar 2025 00:00:33 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2025/1xxx/CVE-2025-1890.json | 109 +++++++++++++++++++++++++++++++-- 2025/1xxx/CVE-2025-1891.json | 109 +++++++++++++++++++++++++++++++-- 2025/1xxx/CVE-2025-1913.json | 18 ++++++ 2025/27xxx/CVE-2025-27219.json | 61 ++++++++++++++++-- 2025/27xxx/CVE-2025-27220.json | 61 ++++++++++++++++-- 2025/27xxx/CVE-2025-27221.json | 61 ++++++++++++++++-- 6 files changed, 393 insertions(+), 26 deletions(-) create mode 100644 2025/1xxx/CVE-2025-1913.json diff --git a/2025/1xxx/CVE-2025-1890.json b/2025/1xxx/CVE-2025-1890.json index 379a904cceb..0bf99f9e9e8 100644 --- a/2025/1xxx/CVE-2025-1890.json +++ b/2025/1xxx/CVE-2025-1890.json @@ -1,17 +1,118 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-1890", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@vuldb.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A vulnerability has been found in shishuocms 1.1 and classified as critical. This vulnerability affects the function handleRequest of the file src/main/java/com/shishuo/cms/action/manage/ManageUpLoadAction.java. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used." + }, + { + "lang": "deu", + "value": "In shishuocms 1.1 wurde eine kritische Schwachstelle gefunden. Dabei geht es um die Funktion handleRequest der Datei src/main/java/com/shishuo/cms/action/manage/ManageUpLoadAction.java. Dank der Manipulation des Arguments file mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Unrestricted Upload", + "cweId": "CWE-434" + } + ] + }, + { + "description": [ + { + "lang": "eng", + "value": "Improper Access Controls", + "cweId": "CWE-284" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "shishuocms", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "1.1" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://vuldb.com/?id.298408", + "refsource": "MISC", + "name": "https://vuldb.com/?id.298408" + }, + { + "url": "https://vuldb.com/?ctiid.298408", + "refsource": "MISC", + "name": "https://vuldb.com/?ctiid.298408" + }, + { + "url": "https://vuldb.com/?submit.505736", + "refsource": "MISC", + "name": "https://vuldb.com/?submit.505736" + }, + { + "url": "https://github.com/caigo8/CVE-md/blob/main/shishuocms/%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md", + "refsource": "MISC", + "name": "https://github.com/caigo8/CVE-md/blob/main/shishuocms/%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Caigo (VulDB User)" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "baseScore": 6.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "baseSeverity": "MEDIUM" + }, + { + "version": "3.0", + "baseScore": 6.3, + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "baseSeverity": "MEDIUM" + }, + { + "version": "2.0", + "baseScore": 6.5, + "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P" } ] } diff --git a/2025/1xxx/CVE-2025-1891.json b/2025/1xxx/CVE-2025-1891.json index 42bae0f6ffc..c04fe3180bf 100644 --- a/2025/1xxx/CVE-2025-1891.json +++ b/2025/1xxx/CVE-2025-1891.json @@ -1,17 +1,118 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-1891", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@vuldb.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A vulnerability was found in shishuocms 1.1 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used." + }, + { + "lang": "deu", + "value": "Eine problematische Schwachstelle wurde in shishuocms 1.1 gefunden. Hierbei geht es um eine nicht exakt ausgemachte Funktion. Dank Manipulation mit unbekannten Daten kann eine cross-site request forgery-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-Site Request Forgery", + "cweId": "CWE-352" + } + ] + }, + { + "description": [ + { + "lang": "eng", + "value": "Missing Authorization", + "cweId": "CWE-862" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "shishuocms", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "1.1" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://vuldb.com/?id.298409", + "refsource": "MISC", + "name": "https://vuldb.com/?id.298409" + }, + { + "url": "https://vuldb.com/?ctiid.298409", + "refsource": "MISC", + "name": "https://vuldb.com/?ctiid.298409" + }, + { + "url": "https://vuldb.com/?submit.505741", + "refsource": "MISC", + "name": "https://vuldb.com/?submit.505741" + }, + { + "url": "https://github.com/caigo8/CVE-md/blob/main/shishuocms/CSRF%E6%B7%BB%E5%8A%A0%E7%AE%A1%E7%90%86%E5%91%98.md", + "refsource": "MISC", + "name": "https://github.com/caigo8/CVE-md/blob/main/shishuocms/CSRF%E6%B7%BB%E5%8A%A0%E7%AE%A1%E7%90%86%E5%91%98.md" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Caigo (VulDB User)" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "baseScore": 4.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", + "baseSeverity": "MEDIUM" + }, + { + "version": "3.0", + "baseScore": 4.3, + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", + "baseSeverity": "MEDIUM" + }, + { + "version": "2.0", + "baseScore": 5, + "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N" } ] } diff --git a/2025/1xxx/CVE-2025-1913.json b/2025/1xxx/CVE-2025-1913.json new file mode 100644 index 00000000000..de3bc5078ce --- /dev/null +++ b/2025/1xxx/CVE-2025-1913.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2025-1913", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2025/27xxx/CVE-2025-27219.json b/2025/27xxx/CVE-2025-27219.json index 14965e2ca75..ec3e60ed905 100644 --- a/2025/27xxx/CVE-2025-27219.json +++ b/2025/27xxx/CVE-2025-27219.json @@ -1,17 +1,66 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2025-27219", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2025-27219", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://hackerone.com/reports/2936778", + "refsource": "MISC", + "name": "https://hackerone.com/reports/2936778" + }, + { + "refsource": "CONFIRM", + "name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml", + "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml" } ] } diff --git a/2025/27xxx/CVE-2025-27220.json b/2025/27xxx/CVE-2025-27220.json index cb09b14fc3e..970be34e42e 100644 --- a/2025/27xxx/CVE-2025-27220.json +++ b/2025/27xxx/CVE-2025-27220.json @@ -1,17 +1,66 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2025-27220", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2025-27220", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://hackerone.com/reports/2890322", + "refsource": "MISC", + "name": "https://hackerone.com/reports/2890322" + }, + { + "refsource": "CONFIRM", + "name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml", + "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml" } ] } diff --git a/2025/27xxx/CVE-2025-27221.json b/2025/27xxx/CVE-2025-27221.json index 856172b0978..63411d08e98 100644 --- a/2025/27xxx/CVE-2025-27221.json +++ b/2025/27xxx/CVE-2025-27221.json @@ -1,17 +1,66 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2025-27221", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2025-27221", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://hackerone.com/reports/2957667", + "refsource": "MISC", + "name": "https://hackerone.com/reports/2957667" + }, + { + "refsource": "MISC", + "name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml", + "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml" } ] }