diff --git a/2019/13xxx/CVE-2019-13657.json b/2019/13xxx/CVE-2019-13657.json
index 71035cd6dc0..50e12f4e728 100644
--- a/2019/13xxx/CVE-2019-13657.json
+++ b/2019/13xxx/CVE-2019-13657.json
@@ -92,6 +92,11 @@
 "refsource": "CONFIRM",
 "name": "https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca-20191015-01-security-notice-for-ca-performance-management.html",
 "url": "https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca-20191015-01-security-notice-for-ca-performance-management.html"
+ },
+ {
+ "refsource": "MISC",
+ "name": "http://packetstormsecurity.com/files/154904/CA-Performance-Management-Arbitrary-Command-Execution.html",
+ "url": "http://packetstormsecurity.com/files/154904/CA-Performance-Management-Arbitrary-Command-Execution.html"
 }
 ]
 },
diff --git a/2019/16xxx/CVE-2019-16925.json b/2019/16xxx/CVE-2019-16925.json
index 725b1bec4a9..4e34d067b16 100644
--- a/2019/16xxx/CVE-2019-16925.json
+++ b/2019/16xxx/CVE-2019-16925.json
@@ -34,7 +34,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "Flower 0.9.3 has XSS via the name parameter in an @app.task call."
+ "value": "** DISPUTED ** Flower 0.9.3 has XSS via the name parameter in an @app.task call. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren\u2019t user facing configuration options. They are internal backend config options and person having rights to change them already has full access."
 }
 ]
 },
diff --git a/2019/17xxx/CVE-2019-17367.json b/2019/17xxx/CVE-2019-17367.json
new file mode 100644
index 00000000000..5d4be920605
--- /dev/null
+++ b/2019/17xxx/CVE-2019-17367.json
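Review bot: The NOTE added to the CVE-2019-16925 description attributes a position to the project author, but nothing in this hunk shows where that statement was made. The reference list lies outside the hunk; if it does not already link the maintainer's comment, a reference to it should be added together with the `** DISPUTED **` marker so that readers can verify the dispute. The new text also mixes an escaped typographic apostrophe (`aren\u2019t`) with an ASCII one (`doesn't`), and the last sentence would read more cleanly as `and a person having rights to change them already has full access`.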
@@ -0,0 +1,62 @@
+{
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2019-17367",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "OpenWRT firmware version 18.06.4 is vulnerable to CSRF via wireless/radio0.network1, wireless/radio1.network1, firewall, firewall/zones, firewall/forwards, firewall/rules, network/wan, network/wan6, or network/lan under /cgi-bin/luci/admin/network/."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "name": "https://github.com/openwrt/luci/commit/f8c6eb67cd9da09ee20248fec6ab742069635e47",
+ "url": "https://github.com/openwrt/luci/commit/f8c6eb67cd9da09ee20248fec6ab742069635e47"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2019/17xxx/CVE-2019-17393.json b/2019/17xxx/CVE-2019-17393.json
new file mode 100644
index 00000000000..2b2c1a838e3
--- /dev/null
+++ b/2019/17xxx/CVE-2019-17393.json
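Review bot: The `affects` block of the new CVE-2019-17367 record carries `n/a` for `vendor_name`, `product_name` and `version_value`, and `problemtype` is also `n/a`, although the description names OpenWRT firmware 18.06.4 and a CSRF weakness. Tooling that matches on the structured fields rather than on the free text will not associate this record with the product, so those fields should be filled from the description, for example `"version_value": "18.06.4"` and a problem type value of `CWE-352`. The same gap is present in the new records CVE-2019-17393 and CVE-2019-17526 further down, where the descriptions name a product and a weakness as well. All three new files also end without a trailing newline.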
@@ -0,0 +1,67 @@
+{
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2019-17393",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "The Customer's Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors. Basic authentication is used for the authentication, making it possible to base64 decode the sniffed credentials and discover the username and password."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "FULLDISC",
+ "name": "20191015 Tomedo Server - Weak encryption mech.",
+ "url": "http://seclists.org/fulldisclosure/2019/Oct/33"
+ },
+ {
+ "refsource": "MISC",
+ "name": "http://packetstormsecurity.com/files/154873/Tomedo-Server-1.7.3-Information-Disclosure-Weak-Cryptography.html",
+ "url": "http://packetstormsecurity.com/files/154873/Tomedo-Server-1.7.3-Information-Disclosure-Weak-Cryptography.html"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2019/17xxx/CVE-2019-17526.json b/2019/17xxx/CVE-2019-17526.json
new file mode 100644
index 00000000000..5cf2e1ad033
--- /dev/null
+++ b/2019/17xxx/CVE-2019-17526.json
@@ -0,0 +1,72 @@
+{
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2019-17526",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** DISPUTED ** An issue was discovered in SageMath Sage Cell Server through 2019-10-05. Python Code Injection can occur in the context of an internet facing web application. Malicious actors can execute arbitrary commands on the underlying operating system, as demonstrated by an __import__('os').popen('whoami').read() line. NOTE: the vendor's position is that the product is \"vulnerable by design\" and the current behavior will be retained."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://github.com/sagemath/sagecell/commits/master",
+ "refsource": "MISC",
+ "name": "https://github.com/sagemath/sagecell/commits/master"
+ },
+ {
+ "url": "https://sethsec.blogspot.com/2016/11/exploiting-python-code-injection-in-web.html",
+ "refsource": "MISC",
+ "name": "https://sethsec.blogspot.com/2016/11/exploiting-python-code-injection-in-web.html"
+ },
+ {
+ "refsource": "MISC",
+ "name": "https://gist.github.com/barrett092/0380a1c34c014e29b827d1f408381525",
+ "url": "https://gist.github.com/barrett092/0380a1c34c014e29b827d1f408381525"
+ }
+ ]
+ }
+}
\ No newline at end of file
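Review bot: The first reference in the new CVE-2019-17526 record, `https://github.com/sagemath/sagecell/commits/master`, points at a moving branch history rather than a fixed commit, issue or advisory, so its content will drift away from the state the description pins as "through 2019-10-05". A permanent link to a specific commit or to the discussion in question would keep the record verifiable. The NOTE also quotes the vendor's "vulnerable by design" position, and none of the three references added here is identifiable from its URL as the source of that statement; a link to it would let readers assess the dispute. The three reference objects also order their keys differently (`url` first in two, `refsource` first in the third), which is harmless to parsers but makes the file harder to diff.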