diff --git a/2022/38xxx/CVE-2022-38119.json b/2022/38xxx/CVE-2022-38119.json
index 25fdf890170..d3538fc07dd 100644
--- a/2022/38xxx/CVE-2022-38119.json
+++ b/2022/38xxx/CVE-2022-38119.json
@@ -1,18 +1,94 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "AKA": "TWCERT/CC",
+ "ASSIGNER": "cve@cert.org.tw",
+ "DATE_PUBLIC": "2022-11-10T02:03:00.000Z",
 "ID": "CVE-2022-38119",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "POWERCOM CO., LTD. UPSMON PRO - Broken Authentication"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "UPSMON PRO",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "2.57"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "POWERCOM CO., LTD."
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "UPSMON Pro login function has insufficient authentication. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and get administrator privilege to access, control system or disrupt service."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9.8,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-287 Improper Authentication"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.twcert.org.tw/tw/cp-132-6678-e9fbe-1.html"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "eng",
+ "value": "Contact tech support from POWERCOM CO., LTD."
+ }
+ ],
+ "source": {
+ "advisory": "TVN-202208004",
+ "discovery": "EXTERNAL"
 }
 }
\ No newline at end of file
diff --git a/2022/38xxx/CVE-2022-38120.json b/2022/38xxx/CVE-2022-38120.json
index 26957815787..78e4548d87e 100644
--- a/2022/38xxx/CVE-2022-38120.json
+++ b/2022/38xxx/CVE-2022-38120.json
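Review bot: `version_data` pins a single exact build (`"version_affected": "="`, `"version_value": "2.57"`), so tooling that matches on this record will flag only that version, and the `solution` text `Contact tech support from POWERCOM CO., LTD.` names no fixed release to upgrade to. For a 9.8 unauthenticated bypass that leaves operators with no way to tell whether an installed version is safe. If earlier UPSMON PRO versions are also affected, a range such as `"version_affected": "<="` would express that, and a fixed version, once the vendor states one, belongs in `solution`. The CVE-2022-38120, CVE-2022-38121 and CVE-2022-38122 hunks carry the same `affects` and `solution` values.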
@@ -1,18 +1,94 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "AKA": "TWCERT/CC",
+ "ASSIGNER": "cve@cert.org.tw",
+ "DATE_PUBLIC": "2022-11-10T02:03:00.000Z",
 "ID": "CVE-2022-38120",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "POWERCOM CO., LTD. UPSMON PRO - Path Traversal"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "UPSMON PRO",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "2.57"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "POWERCOM CO., LTD."
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "UPSMON PRO’s has a path traversal vulnerability. A remote attacker with general user privilege can exploit this vulnerability to bypass authentication and access arbitrary system files."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.twcert.org.tw/tw/cp-132-6679-a0695-1.html"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "eng",
+ "value": "Contact tech support from POWERCOM CO., LTD."
+ }
+ ],
+ "source": {
+ "advisory": "TVN-202208005",
+ "discovery": "EXTERNAL"
 }
 }
\ No newline at end of file
diff --git a/2022/38xxx/CVE-2022-38121.json b/2022/38xxx/CVE-2022-38121.json
index c1c90e8a9f4..968fd38badb 100644
--- a/2022/38xxx/CVE-2022-38121.json
+++ b/2022/38xxx/CVE-2022-38121.json
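Review bot: The new description contradicts itself: it says an attacker "with general user privilege" can "bypass authentication", while the vector in the same hunk scores `"privilegesRequired": "LOW"` and the problem type is CWE-22. As written, a reader cannot tell whether the flaw is reachable before login. If the attacker is already authenticated, the impact is reading files outside the intended directory, and the text could read `UPSMON PRO has a path traversal vulnerability. A remote attacker with general user privilege can exploit this vulnerability to access arbitrary system files.` That wording also removes the stray possessive in `UPSMON PRO’s has`.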
@@ -1,18 +1,94 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "AKA": "TWCERT/CC",
+ "ASSIGNER": "cve@cert.org.tw",
+ "DATE_PUBLIC": "2022-11-10T02:03:00.000Z",
 "ID": "CVE-2022-38121",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "POWERCOM CO., LTD. UPSMON PRO - Insufficiently Protected Credentials"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "UPSMON PRO",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "2.57"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "POWERCOM CO., LTD."
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "UPSMON PRO configuration file stores user password in plaintext under public user directory. A remote attacker with general user privilege can access all users‘ and administrators' account names and passwords via this unprotected configuration file."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-522 Insufficiently Protected Credentials"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.twcert.org.tw/tw/cp-132-6680-af0aa-1.html"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "eng",
+ "value": "Contact tech support from POWERCOM CO., LTD."
+ }
+ ],
+ "source": {
+ "advisory": "TVN-202208006",
+ "discovery": "EXTERNAL"
 }
 }
\ No newline at end of file
diff --git a/2022/38xxx/CVE-2022-38122.json b/2022/38xxx/CVE-2022-38122.json
index edb07d468f9..b3249221198 100644
--- a/2022/38xxx/CVE-2022-38122.json
+++ b/2022/38xxx/CVE-2022-38122.json
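Review bot: The description mixes a left single quotation mark in `users‘` (U+2018) with an ASCII apostrophe in `administrators'`, which defeats exact-text matching and renders inconsistently in downstream feeds; `users' and administrators'` with ASCII apostrophes throughout would be consistent. Separately, the text says administrator passwords are readable by any general user, yet `solution` gives no guidance beyond contacting support. If the CNA can confirm it, a sentence advising operators to change the stored passwords once a fix is in place would make the record actionable.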
@@ -1,18 +1,94 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "AKA": "TWCERT/CC",
+ "ASSIGNER": "cve@cert.org.tw",
+ "DATE_PUBLIC": "2022-11-10T02:03:00.000Z",
 "ID": "CVE-2022-38122",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "POWERCOM CO., LTD. UPSMON PRO - Cleartext Transmission of Sensitive Information"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "UPSMON PRO",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "2.57"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "POWERCOM CO., LTD."
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "UPSMON PRO transmits sensitive data in cleartext over HTTP protocol. An unauthenticated remote attacker can exploit this vulnerability to access sensitive data."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-319 Cleartext Transmission of Sensitive Information"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.twcert.org.tw/tw/cp-132-6681-e9650-1.html"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "eng",
+ "value": "Contact tech support from POWERCOM CO., LTD."
+ }
+ ],
+ "source": {
+ "advisory": "TVN-202208007",
+ "discovery": "EXTERNAL"
 }
 }
\ No newline at end of file
diff --git a/2022/39xxx/CVE-2022-39036.json b/2022/39xxx/CVE-2022-39036.json
index b73f31b582d..f3142df29c8 100644
--- a/2022/39xxx/CVE-2022-39036.json
+++ b/2022/39xxx/CVE-2022-39036.json
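Review bot: The description leaves out the precondition that the attacker must be able to observe traffic between client and server, while the vector scores `"attackComplexity": "LOW"`. Reading cleartext HTTP normally requires an on-path position, which CVSS 3.1 scoring usually reflects as `AC:H`, so the 7.5 base score may overstate exposure; the CNA should confirm the `AC` value. I would state the precondition in the text, for example `An unauthenticated remote attacker who can observe the network traffic can exploit this vulnerability to access sensitive data.` The description also does not say what kind of sensitive data is sent (credentials, configuration), which matters for triage.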
@@ -1,18 +1,98 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "AKA": "TWCERT/CC",
+ "ASSIGNER": "cve@cert.org.tw",
+ "DATE_PUBLIC": "2022-11-10T02:10:00.000Z",
 "ID": "CVE-2022-39036",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "FLOWRING Agentflow BPM - Arbitrary File Upload"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Agentflow BPM",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "4.0.0.1183.552"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "FLOWRING"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The file upload function of Agentflow BPM has insufficient filtering for special characters in URLs. An unauthenticated remote attacker can exploit this vulnerability to upload arbitrary file and execute arbitrary code to manipulate system or disrupt service."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9.8,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.twcert.org.tw/tw/cp-132-6682-21207-1.html"
+ },
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.flowring.com/2022/09/19/%e7%94%a2%e5%93%81%e6%9b%b4%e6%96%b0agentflow-v4-0%e3%80%81v3-7%e5%a4%be%e6%aa%94%e5%8a%9f%e8%83%bd%e8%b3%87%e5%ae%89%e4%bf%ae%e6%ad%a3/"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "eng",
+ "value": "Contact tech support from FLOWRING"
+ }
+ ],
+ "source": {
+ "advisory": "TVN-202210010",
+ "discovery": "EXTERNAL"
 }
 }
\ No newline at end of file
diff --git a/2022/39xxx/CVE-2022-39037.json b/2022/39xxx/CVE-2022-39037.json
index ec7f841905b..0902fa4f7ae 100644
--- a/2022/39xxx/CVE-2022-39037.json
+++ b/2022/39xxx/CVE-2022-39037.json
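Review bot: `version_data` lists one exact build (`"version_affected": "="`, `"version_value": "4.0.0.1183.552"`), but the percent-encoded slug of the vendor reference added in this hunk appears to decode to an update notice covering Agentflow v4.0 and v3.7. That suggests the 3.7 line is affected as well. If so, `affects` needs a second `version_data` entry or a range, otherwise scanners keyed on this record will miss 3.7 installations of a 9.8 unauthenticated upload flaw. `solution` could then point to that vendor update instead of only `Contact tech support from FLOWRING`. The CVE-2022-39037 and CVE-2022-39038 hunks repeat the same `affects`, vendor reference and `solution` values.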
@@ -1,18 +1,98 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "AKA": "TWCERT/CC",
+ "ASSIGNER": "cve@cert.org.tw",
+ "DATE_PUBLIC": "2022-11-10T02:10:00.000Z",
 "ID": "CVE-2022-39037",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "FLOWRING Agentflow BPM - Path Traversal"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Agentflow BPM",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "4.0.0.1183.552"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "FLOWRING"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Agentflow BPM file download function has a path traversal vulnerability. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and download arbitrary system files."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.twcert.org.tw/tw/cp-132-6683-57b71-1.html"
+ },
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.flowring.com/2022/09/19/%e7%94%a2%e5%93%81%e6%9b%b4%e6%96%b0agentflow-v4-0%e3%80%81v3-7%e5%a4%be%e6%aa%94%e5%8a%9f%e8%83%bd%e8%b3%87%e5%ae%89%e4%bf%ae%e6%ad%a3/"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "eng",
+ "value": "Contact tech support from FLOWRING"
+ }
+ ],
+ "source": {
+ "advisory": "TVN-202210011",
+ "discovery": "EXTERNAL"
 }
 }
\ No newline at end of file
diff --git a/2022/39xxx/CVE-2022-39038.json b/2022/39xxx/CVE-2022-39038.json
index a8167a7eb03..46e796079ec 100644
--- a/2022/39xxx/CVE-2022-39038.json
+++ b/2022/39xxx/CVE-2022-39038.json
@@ -1,18 +1,98 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "AKA": "TWCERT/CC",
+ "ASSIGNER": "cve@cert.org.tw",
+ "DATE_PUBLIC": "2022-11-10T02:10:00.000Z",
 "ID": "CVE-2022-39038",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "FLOWRING Agentflow BPM - Broken Access Control"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Agentflow BPM",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "4.0.0.1183.552"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "FLOWRING"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Agentflow BPM enterprise management system has improper authentication. A remote attacker with general user privilege can change the name of the user account to acquire arbitrary account privilege, and access, manipulate system or disrupt service."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 8.8,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-287 Improper Authentication"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.twcert.org.tw/tw/cp-132-6684-53149-1.html"
+ },
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.flowring.com/2022/09/19/%e7%94%a2%e5%93%81%e6%9b%b4%e6%96%b0agentflow-v4-0%e3%80%81v3-7%e5%a4%be%e6%aa%94%e5%8a%9f%e8%83%bd%e8%b3%87%e5%ae%89%e4%bf%ae%e6%ad%a3/"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "eng",
+ "value": "Contact tech support from FLOWRING"
+ }
+ ],
+ "source": {
+ "advisory": "TVN-202210012",
+ "discovery": "EXTERNAL"
 }
 }
\ No newline at end of file
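Review bot: `TITLE` says `Broken Access Control`, while the description and `problemtype` both say improper authentication (`CWE-287 Improper Authentication`); the three fields should agree. The behaviour described is an already authenticated user changing the account name to obtain another account's privileges, which reads as an authorization flaw rather than an authentication one. If the CNA confirms that, a CWE from the access-control family (for example CWE-639 or CWE-284) would classify it better, and the description's opening clause should change to match. Tooling that groups records by CWE will otherwise file this with login bypasses.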