From ec6b312b19885792b23e20e5c2b8e5311dd4160c Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Wed, 5 Apr 2023 15:00:34 +0000
Subject: [PATCH] "-Synchronized-Data."
---
2023/1xxx/CVE-2023-1874.json | 18 +++++++
2023/24xxx/CVE-2023-24724.json | 2 +-
2023/28xxx/CVE-2023-28632.json | 90 ++++++++++++++++++++++++++++++++--
2023/29xxx/CVE-2023-29389.json | 18 +++++++
4 files changed, 123 insertions(+), 5 deletions(-)
create mode 100644 2023/1xxx/CVE-2023-1874.json
create mode 100644 2023/29xxx/CVE-2023-29389.json
diff --git a/2023/1xxx/CVE-2023-1874.json b/2023/1xxx/CVE-2023-1874.json
new file mode 100644
index 00000000000..5555c6ab9a0
--- /dev/null
+++ b/2023/1xxx/CVE-2023-1874.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2023-1874",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2023/24xxx/CVE-2023-24724.json b/2023/24xxx/CVE-2023-24724.json
index 5e3b84b27e3..dbe2abfd803
--- a/2023/24xxx/CVE-2023-24724.json
+++ b/2023/24xxx/CVE-2023-24724.json
@@ -34,7 +34,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "A stored cross site scripting (XSS) vulnerability was discovered in the user management module of the SAS 9.4 Admin Console, due to insufficient validation and sanitization of data input into the user creation and editing form fields."
+ "value": "** DISPUTED ** A stored cross site scripting (XSS) vulnerability was discovered in the user management module of the SAS 9.4 Admin Console, due to insufficient validation and sanitization of data input into the user creation and editing form fields. NOTE: the vendor's position is that this report \"does not contain adequate or accurate information about affected product versions or the nature of the exploit itself.\""
 }
 ]
 },
diff --git a/2023/28xxx/CVE-2023-28632.json b/2023/28xxx/CVE-2023-28632.json
index 4d305b980ba..1d6f0b07d44
--- a/2023/28xxx/CVE-2023-28632.json
+++ b/2023/28xxx/CVE-2023-28632.json
@@ -1,17 +1,99 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2023-28632",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security-advisories@github.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify emails of any user, and can therefore takeover another user account through the \"forgotten password\" feature. By modifying emails, the user can also receive sensitive data through GLPI notifications. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, account takeover can be prevented by deactivating all notifications related to `Forgotten password?` event. However, it will not prevent unauthorized modification of any user emails."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-269: Improper Privilege Management",
+ "cweId": "CWE-269"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "glpi-project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "glpi",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": ">= 0.83, < 9.5.13"
+ },
+ {
+ "version_affected": "=",
+ "version_value": ">= 10.0.0, < 10.0.7"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-7pwm-pg76-3q9x",
+ "refsource": "MISC",
+ "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-7pwm-pg76-3q9x"
+ },
+ {
+ "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.7",
+ "refsource": "MISC",
+ "name": "https://github.com/glpi-project/glpi/releases/tag/10.0.7"
+ },
+ {
+ "url": "https://github.com/glpi-project/glpi/releases/tag/9.5.13",
+ "refsource": "MISC",
+ "name": "https://github.com/glpi-project/glpi/releases/tag/9.5.13"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-7pwm-pg76-3q9x",
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 8.1,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
+ "version": "3.1"
 }
 ]
 }
diff --git a/2023/29xxx/CVE-2023-29389.json b/2023/29xxx/CVE-2023-29389.json
new file mode 100644
index 00000000000..a9705cf4a38
--- /dev/null
+++ b/2023/29xxx/CVE-2023-29389.json
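Review bot: Both `version_data` entries pair `"version_affected": "="` with a range string (`>= 0.83, < 9.5.13` and `>= 10.0.0, < 10.0.7`), so a consumer that honours `version_affected` per the CVE JSON 4.0 schema will take each `version_value` as a single exact, non-existent version and match nothing, while the real bounds survive only as free text that must be re-parsed. A schema-native form is one entry per fixed branch, e.g. `{ "version_name": "9.5", "version_affected": "<", "version_value": "9.5.13" }` and `{ "version_name": "10.0", "version_affected": "<", "version_value": "10.0.7" }`, with the 0.83 lower bound left in the description where the text already states it. This looks like the assigning CNA's export convention rather than a hand edit, so the correction probably belongs in the upstream generator; if the repository's other `security-advisories@github.com` records use the same form, consistency across them matters more than patching this one record. The CVSS vector and the 8.1 base score in the same hunk are mutually consistent and need no change.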
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2023-29389",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file