admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-07-09 16:05:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto-Update: 2023-07-25T22:00:27.797414+00:00

Browse Source
This commit is contained in:
cad-safe-bot 2023-07-25 22:00:31 +00:00
parent 379254fc70
commit 31cdde3852
25 changed files with 977 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
CVE-2020/CVE-2020-356xx/CVE-2020-35698.json Normal file
View File

@ -0,0 +1,20 @@
{
"id": "CVE-2020-35698",
"sourceIdentifier": "cve@mitre.org",
"published": "2023-07-25T20:15:12.643",
"lastModified": "2023-07-25T20:15:12.643",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "Thinkific Thinkific Online Course Creation Platform 1.0 is affected by: Cross Site Scripting (XSS). The impact is: execute arbitrary code (remote). The component is: Affected Source code of the website CMS which is been used by many to host their online courses using the Thinkific Platform. The attack vector is: To exploit the vulnerability any user has to just visit the link - https://hacktify.thinkific.com/account/billing?success=%E2%80%AA%3Cscript%3Ealert(1)%3C/script%3E. \u00b6\u00b6 Thinkific is a Website based Learning Platform Product which is used by thousands of users worldwide. There is a Cross Site Scripting (XSS) based vulnerability in the code of the CMS where any attacker can execute a XSS attack. Proof of Concept & Steps to Reproduce: Step1 : Go to Google.com Step 2 : Search for this Dork site:thinkific.com -www Step 3 : You will get a list of websites which are running on the thinkific domains. Step 4 : Create account and signin in any of the website Step 5 : Add this endpoint at the end of the domain and you will see that there is a XSS Alert /account/billing?success=%E2%80%AA<script>alert(1)</script> Step 6 : Choose any domains from google for any website this exploit will work on all the websites as it is a code based flaw in the CMS Step 7 : Thousands of websites are vulnerable due to this vulnerable code in the CMS itself which is giving rise to the XSS attack."
}
],
"metrics": {},
"references": [
{
"url": "https://medium.com/@rohitgautam26/cve-2020-35698-a922189c42ef",
"source": "cve@mitre.org"
}
]
}

24
CVE-2022/CVE-2022-314xx/CVE-2022-31458.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "CVE-2022-31458",
"sourceIdentifier": "cve@mitre.org",
"published": "2023-07-25T20:15:12.783",
"lastModified": "2023-07-25T20:15:12.783",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "RTX TRAP v1.0 was discovered to be vulnerable to host header poisoning."
}
],
"metrics": {},
"references": [
{
"url": "https://medium.com/@rohitgautam26/cve-2022-31458-49b7818e8ac9",
"source": "cve@mitre.org"
},
{
"url": "https://www.acunetix.com/vulnerabilities/web/host-header-attack/",
"source": "cve@mitre.org"
}
]
}

24
CVE-2022/CVE-2022-468xx/CVE-2022-46898.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "CVE-2022-46898",
"sourceIdentifier": "cve@mitre.org",
"published": "2023-07-25T20:15:12.887",
"lastModified": "2023-07-25T20:15:12.887",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is Path Traversal via the \"restore SQL data\" filename. The Vocera Report Console contains a websocket function that allows for the restoration of the database from a ZIP archive that expects a SQL import file. The filename provided is not properly sanitized and allows for the inclusion of a path-traversal payload that can be used to escape the intended Vocera restoration directory. An attacker could exploit this vulnerability to point to a crafted ZIP archive that contains SQL commands that could be executed against the database."
}
],
"metrics": {},
"references": [
{
"url": "https://www.stryker.com/us/en/about/governance/cyber-security/product-security/",
"source": "cve@mitre.org"
},
{
"url": "https://www.stryker.com/us/en/about/governance/cyber-security/product-security/vocera-report-server-vulnerabilities--cve-2022-46898--cve-2022-4.html",
"source": "cve@mitre.org"
}
]
}

24
CVE-2022/CVE-2022-468xx/CVE-2022-46899.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "CVE-2022-46899",
"sourceIdentifier": "cve@mitre.org",
"published": "2023-07-25T20:15:12.997",
"lastModified": "2023-07-25T20:15:12.997",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is Arbitrary File Upload. The BaseController class, that each of the service controllers derives from, allows for the upload of arbitrary files. If the HTTP request is a multipart/form-data POST request, any parameters with a filename entry will have their content written to a file in the Vocera upload-staging directory with the specified filename in the parameter."
}
],
"metrics": {},
"references": [
{
"url": "https://www.stryker.com/us/en/about/governance/cyber-security/product-security/",
"source": "cve@mitre.org"
},
{
"url": "https://www.stryker.com/us/en/about/governance/cyber-security/product-security/vocera-report-server-vulnerabilities--cve-2022-46898--cve-2022-4.html",
"source": "cve@mitre.org"
}
]
}

20
CVE-2022/CVE-2022-469xx/CVE-2022-46900.json Normal file
View File

@ -0,0 +1,20 @@
{
"id": "CVE-2022-46900",
"sourceIdentifier": "cve@mitre.org",
"published": "2023-07-25T20:15:13.087",
"lastModified": "2023-07-25T20:15:13.087",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is Path Traversal in the Task Exec filename. The Vocera Report Console contains various jobs that are executed on the server at specified intervals, e.g., backup, etc. An authenticated user has the ability to modify these entries and set the executable path and parameters."
}
],
"metrics": {},
"references": [
{
"url": "https://www.stryker.com/us/en/about/governance/cyber-security/product-security/",
"source": "cve@mitre.org"
}
]
}

24
CVE-2022/CVE-2022-469xx/CVE-2022-46901.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "CVE-2022-46901",
"sourceIdentifier": "cve@mitre.org",
"published": "2023-07-25T20:15:13.157",
"lastModified": "2023-07-25T20:15:13.157",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is an Access Control Violation for Database Operations. The Vocera Report Console contains a websocket interface that allows for the unauthenticated execution of various tasks and database functions. This includes system tasks, and backing up, loading, and clearing of the database."
}
],
"metrics": {},
"references": [
{
"url": "https://www.stryker.com/us/en/about/governance/cyber-security/product-security/",
"source": "cve@mitre.org"
},
{
"url": "https://www.stryker.com/us/en/about/governance/cyber-security/product-security/vocera-report-server-vulnerabilities--cve-2022-46898--cve-2022-4.html",
"source": "cve@mitre.org"
}
]
}

24
CVE-2022/CVE-2022-469xx/CVE-2022-46902.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "CVE-2022-46902",
"sourceIdentifier": "cve@mitre.org",
"published": "2023-07-25T20:15:13.227",
"lastModified": "2023-07-25T20:15:13.227",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is a Path Traversal for an Unzip operation. The Vocera Report Console contains a websocket function that allows for the restoration of the database from a ZIP archive that expects a SQL import file. During the unzip operation, the code takes file paths from the ZIP archive and writes them to a Vocera temporary directory. Unfortunately, the code does not properly check if the file paths include directory traversal payloads that would escape the intended destination."
}
],
"metrics": {},
"references": [
{
"url": "https://www.stryker.com/us/en/about/governance/cyber-security/product-security/",
"source": "cve@mitre.org"
},
{
"url": "https://www.stryker.com/us/en/about/governance/cyber-security/product-security/vocera-report-server-vulnerabilities--cve-2022-46898--cve-2022-4.html",
"source": "cve@mitre.org"
}
]
}

26
CVE-2023/CVE-2023-205xx/CVE-2023-20593.json
View File

@ -2,7 +2,7 @@
"id": "CVE-2023-20593",
"sourceIdentifier": "psirt@amd.com",
"published": "2023-07-24T20:15:10.237",
"lastModified": "2023-07-25T13:01:09.337",
"lastModified": "2023-07-25T21:15:10.333",
"vulnStatus": "Awaiting Analysis",
"descriptions": [
{
@ -20,6 +20,30 @@
"url": "http://www.openwall.com/lists/oss-security/2023/07/25/1",
"source": "psirt@amd.com"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/07/25/12",
"source": "psirt@amd.com"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/07/25/13",
"source": "psirt@amd.com"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/07/25/14",
"source": "psirt@amd.com"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/07/25/15",
"source": "psirt@amd.com"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/07/25/16",
"source": "psirt@amd.com"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/07/25/17",
"source": "psirt@amd.com"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/07/25/5",
"source": "psirt@amd.com"

20
CVE-2023/CVE-2023-347xx/CVE-2023-34798.json Normal file
View File

@ -0,0 +1,20 @@
{
"id": "CVE-2023-34798",
"sourceIdentifier": "cve@mitre.org",
"published": "2023-07-25T20:15:13.313",
"lastModified": "2023-07-25T20:15:13.313",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "An arbitrary file upload vulnerability in eoffice before v9.5 allows attackers to execute arbitrary code via uploading a crafted file."
}
],
"metrics": {},
"references": [
{
"url": "https://gist.github.com/Zhu013/e5e6e03613704a2a4107cc6456f1e8e2",
"source": "cve@mitre.org"
}
]
}

16
CVE-2023/CVE-2023-359xx/CVE-2023-35936.json
View File

@ -2,8 +2,8 @@
"id": "CVE-2023-35936",
"sourceIdentifier": "security-advisories@github.com",
"published": "2023-07-05T21:15:09.627",
"lastModified": "2023-07-12T18:09:09.140",
"vulnStatus": "Analyzed",
"lastModified": "2023-07-25T21:15:10.427",
"vulnStatus": "Modified",
"descriptions": [
{
"lang": "en",
@ -56,22 +56,22 @@
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
"value": "CWE-20"
}
]
},
{
"source": "security-advisories@github.com",
"source": "nvd@nist.gov",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-20"
"value": "NVD-CWE-noinfo"
}
]
}
@ -102,6 +102,10 @@
"tags": [
"Vendor Advisory"
]
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00029.html",
"source": "security-advisories@github.com"
}
]
}

59
CVE-2023/CVE-2023-372xx/CVE-2023-37257.json Normal file
View File

@ -0,0 +1,59 @@
{
"id": "CVE-2023-37257",
"sourceIdentifier": "security-advisories@github.com",
"published": "2023-07-25T20:15:13.423",
"lastModified": "2023-07-25T20:15:13.423",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "DataEase is an open source data visualization analysis tool. Prior to version 1.18.9, the DataEase panel and dataset have a stored cross-site scripting vulnerability. The vulnerability has been fixed in v1.18.9. There are no known workarounds."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
],
"references": [
{
"url": "https://github.com/dataease/dataease/releases/tag/v1.18.9",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/dataease/dataease/security/advisories/GHSA-7cm3-9pp6-q2fq",
"source": "security-advisories@github.com"
}
]
}

63
CVE-2023/CVE-2023-372xx/CVE-2023-37258.json Normal file
View File

@ -0,0 +1,63 @@
{
"id": "CVE-2023-37258",
"sourceIdentifier": "security-advisories@github.com",
"published": "2023-07-25T20:15:13.560",
"lastModified": "2023-07-25T20:15:13.560",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "DataEase is an open source data visualization analysis tool. Prior to version 1.18.9, DataEase has a SQL injection vulnerability that can bypass blacklists. The vulnerability has been fixed in v1.18.9. There are no known workarounds."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-89"
}
]
}
],
"references": [
{
"url": "https://github.com/dataease/dataease/blob/dev/backend/src/main/java/io/dataease/controller/panel/AppLogController.java#L41",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/dataease/dataease/blob/dev/backend/src/main/java/io/dataease/ext/ExtDataSourceMapper.java",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/dataease/dataease/security/advisories/GHSA-r39x-fcc6-47g4",
"source": "security-advisories@github.com"
}
]
}

67
CVE-2023/CVE-2023-374xx/CVE-2023-37460.json Normal file
View File

@ -0,0 +1,67 @@
{
"id": "CVE-2023-37460",
"sourceIdentifier": "security-advisories@github.com",
"published": "2023-07-25T20:15:13.703",
"lastModified": "2023-07-25T20:15:13.703",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-22"
},
{
"lang": "en",
"value": "CWE-61"
}
]
}
],
"references": [
{
"url": "https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m",
"source": "security-advisories@github.com"
}
]
}

20
CVE-2023/CVE-2023-376xx/CVE-2023-37677.json Normal file
View File

@ -0,0 +1,20 @@
{
"id": "CVE-2023-37677",
"sourceIdentifier": "cve@mitre.org",
"published": "2023-07-25T20:15:13.823",
"lastModified": "2023-07-25T20:15:13.823",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "Pligg CMS v2.0.2 (also known as Kliqqi) was discovered to contain a remote code execution (RCE) vulnerability in the component admin_editor.php."
}
],
"metrics": {},
"references": [
{
"url": "https://github.com/Kliqqi-CMS/Kliqqi-CMS/issues/264",
"source": "cve@mitre.org"
}
]
}

59
CVE-2023/CVE-2023-379xx/CVE-2023-37902.json Normal file
View File

@ -0,0 +1,59 @@
{
"id": "CVE-2023-37902",
"sourceIdentifier": "security-advisories@github.com",
"published": "2023-07-25T21:15:10.550",
"lastModified": "2023-07-25T21:15:10.550",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "Vyper is a Pythonic programming language that targets the Ethereum Virtual Machine (EVM). Prior to version 0.3.10, the ecrecover precompile does not fill the output buffer if the signature does not verify. However, the ecrecover builtin will still return whatever is at memory location 0. This means that the if the compiler has been convinced to write to the 0 memory location with specially crafted data (generally, this can happen with a hashmap access or immutable read) just before the ecrecover, a signature check might pass on an invalid signature. Version 0.3.10 contains a patch for this issue."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-252"
}
]
}
],
"references": [
{
"url": "https://github.com/vyperlang/vyper/commit/019a37ab98ff53f04fecfadf602b6cd5ac748f7f",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-f5x6-7qgp-jhf3",
"source": "security-advisories@github.com"
}
]
}

63
CVE-2023/CVE-2023-379xx/CVE-2023-37907.json Normal file
View File

@ -0,0 +1,63 @@
{
"id": "CVE-2023-37907",
"sourceIdentifier": "security-advisories@github.com",
"published": "2023-07-25T21:15:10.647",
"lastModified": "2023-07-25T21:15:10.647",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "Cryptomator is data encryption software for users who store their files in the cloud. Prior to version 1.9.2, the MSI installer provided on the homepage allows local privilege escalation (LPE) for low privileged users, if already installed. The problem occurs as the repair function of the MSI spawns two administrative CMDs. A simple LPE is possible via a breakout. Version 1.9.2 fixes this issue."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "LOCAL",
"attackComplexity": "HIGH",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 1.0,
"impactScore": 5.9
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-269"
}
]
}
],
"references": [
{
"url": "https://github.com/cryptomator/cryptomator/commit/b48ebd524b1626bf12ac98e35a7670b868fa208c",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/cryptomator/cryptomator/releases/tag/1.9.2",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9c9p-c3mg-hpjq",
"source": "security-advisories@github.com"
}
]
}

55
CVE-2023/CVE-2023-379xx/CVE-2023-37919.json Normal file
View File

@ -0,0 +1,55 @@
{
"id": "CVE-2023-37919",
"sourceIdentifier": "security-advisories@github.com",
"published": "2023-07-25T21:15:10.733",
"lastModified": "2023-07-25T21:15:10.733",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "Cal.com is open-source scheduling software. A vulnerability allows active sessions associated with an account to remain active even after enabling 2FA. When activating 2FA on a Cal.com account that is logged in on two or more devices, the account stays logged in on the other device(s) stays logged in without having to verify the account owner's identity. As of time of publication, no known patches or workarounds exist."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-613"
}
]
}
],
"references": [
{
"url": "https://github.com/calcom/cal.com/security/advisories/GHSA-cpf2-q635-xrwx",
"source": "security-advisories@github.com"
}
]
}

63
CVE-2023/CVE-2023-379xx/CVE-2023-37920.json Normal file
View File

@ -0,0 +1,63 @@
{
"id": "CVE-2023-37920",
"sourceIdentifier": "security-advisories@github.com",
"published": "2023-07-25T21:15:10.827",
"lastModified": "2023-07-25T21:15:10.827",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes \"e-Tugra\" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from \"e-Tugra\" from the root store."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-345"
}
]
}
],
"references": [
{
"url": "https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7",
"source": "security-advisories@github.com"
},
{
"url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A",
"source": "security-advisories@github.com"
}
]
}

8
CVE-2023/CVE-2023-384xx/CVE-2023-38403.json
View File

@ -2,8 +2,8 @@
"id": "CVE-2023-38403",
"sourceIdentifier": "cve@mitre.org",
"published": "2023-07-17T21:15:09.800",
"lastModified": "2023-07-18T12:59:03.770",
"vulnStatus": "Awaiting Analysis",
"lastModified": "2023-07-25T20:15:13.897",
"vulnStatus": "Undergoing Analysis",
"descriptions": [
{
"lang": "en",
@ -31,6 +31,10 @@
{
"url": "https://github.com/esnet/iperf/issues/1542",
"source": "cve@mitre.org"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00025.html",
"source": "cve@mitre.org"
}
]
}

63
CVE-2023/CVE-2023-384xx/CVE-2023-38493.json Normal file
View File

@ -0,0 +1,63 @@
{
"id": "CVE-2023-38493",
"sourceIdentifier": "security-advisories@github.com",
"published": "2023-07-25T21:15:10.913",
"lastModified": "2023-07-25T21:15:10.913",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "Armeria is a microservice framework Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via `TomcatService` or `JettyService` with the path that may contain matrix variables. Prior to version 1.24.3, the Armeria decorators might not invoked because of the matrix variables. If an attacker sends a specially crafted request, the request may bypass the authorizer. Version 1.24.3 contains a patch for this issue."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-863"
}
]
}
],
"references": [
{
"url": "https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j",
"source": "security-advisories@github.com"
}
]
}

63
CVE-2023/CVE-2023-384xx/CVE-2023-38499.json Normal file
View File

@ -0,0 +1,63 @@
{
"id": "CVE-2023-38499",
"sourceIdentifier": "security-advisories@github.com",
"published": "2023-07-25T21:15:10.997",
"lastModified": "2023-07-25T21:15:10.997",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "TYPO3 is an open source PHP based web content management system. Starting in version 9.4.0 and prior to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, in multi-site scenarios, enumerating the HTTP query parameters `id` and `L` allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available. TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 fix the problem."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-200"
}
]
}
],
"references": [
{
"url": "https://github.com/TYPO3/typo3/commit/702e2debd4b28f9cdb540544565fe6a8627ccb6a",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-jq6g-4v5m-wm9r",
"source": "security-advisories@github.com"
},
{
"url": "https://typo3.org/security/advisory/typo3-core-sa-2023-003",
"source": "security-advisories@github.com"
}
]
}

63
CVE-2023/CVE-2023-385xx/CVE-2023-38500.json Normal file
View File

@ -0,0 +1,63 @@
{
"id": "CVE-2023-38500",
"sourceIdentifier": "security-advisories@github.com",
"published": "2023-07-25T21:15:11.083",
"lastModified": "2023-07-25T21:15:11.083",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "TYPO3 HTML Sanitizer is an HTML sanitizer, written in PHP, aiming to provide cross-site-scripting-safe markup based on explicitly allowed tags, attributes and values. Starting in version 1.0.0 and prior to versions 1.5.1 and 2.1.2, due to an encoding issue in the serialization layer, malicious markup nested in a `noscript` element was not encoded correctly. `noscript` is disabled in the default configuration, but might have been enabled in custom scenarios. This allows bypassing the cross-site scripting mechanism of TYPO3 HTML Sanitizer. Versions 1.5.1 and 2.1.2 fix the problem."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 1.6,
"impactScore": 2.7
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
],
"references": [
{
"url": "https://github.com/TYPO3/html-sanitizer/commit/e3026f589fef0be8c3574ee3f0a0bfbe33d7ebdb",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-59jf-3q9v-rh6g",
"source": "security-advisories@github.com"
},
{
"url": "https://typo3.org/security/advisory/typo3-core-sa-2023-002",
"source": "security-advisories@github.com"
}
]
}

6
CVE-2023/CVE-2023-387xx/CVE-2023-38745.json
View File

@ -2,7 +2,7 @@
"id": "CVE-2023-38745",
"sourceIdentifier": "cve@mitre.org",
"published": "2023-07-25T04:15:10.633",
"lastModified": "2023-07-25T13:01:04.750",
"lastModified": "2023-07-25T21:15:11.177",
"vulnStatus": "Awaiting Analysis",
"descriptions": [
{
@ -19,6 +19,10 @@
{
"url": "https://github.com/jgm/pandoc/compare/3.1.5...3.1.6",
"source": "cve@mitre.org"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00029.html",
"source": "cve@mitre.org"
}
]
}

84
CVE-2023/CVE-2023-39xx/CVE-2023-3944.json Normal file
View File

@ -0,0 +1,84 @@
{
"id": "CVE-2023-3944",
"sourceIdentifier": "cna@vuldb.com",
"published": "2023-07-25T20:15:14.027",
"lastModified": "2023-07-25T20:15:14.027",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in phpscriptpoint Lawyer 1.6 and classified as problematic. Affected by this issue is some unknown functionality of the file page.php. The manipulation leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-235400. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": {
"cvssMetricV30": [
{
"source": "cna@vuldb.com",
"type": "Secondary",
"cvssData": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4
}
],
"cvssMetricV2": [
{
"source": "cna@vuldb.com",
"type": "Secondary",
"cvssData": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "SINGLE",
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"availabilityImpact": "NONE",
"baseScore": 4.0
},
"baseSeverity": "MEDIUM",
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
}
]
},
"weaknesses": [
{
"source": "cna@vuldb.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
],
"references": [
{
"url": "https://vuldb.com/?ctiid.235400",
"source": "cna@vuldb.com"
},
{
"url": "https://vuldb.com/?id.235400",
"source": "cna@vuldb.com"
}
]
}

74
README.md
View File

@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours.
### Last Repository Update
```plain
2023-07-25T20:00:29.768653+00:00
2023-07-25T22:00:27.797414+00:00
```
### Most recent CVE Modification Timestamp synchronized with NVD
```plain
2023-07-25T19:55:53.177000+00:00
2023-07-25T21:15:11.177000+00:00
```
### Last Data Feed Release
@ -29,59 +29,43 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/
### Total Number of included CVEs
```plain
221008
221028
```
### CVEs added in the last Commit
Recently added CVEs: `15`
Recently added CVEs: `20`
* [CVE-2023-2626](CVE-2023/CVE-2023-26xx/CVE-2023-2626.json) (`2023-07-25T18:15:10.690`)
* [CVE-2023-34235](CVE-2023/CVE-2023-342xx/CVE-2023-34235.json) (`2023-07-25T18:15:10.800`)
* [CVE-2023-35929](CVE-2023/CVE-2023-359xx/CVE-2023-35929.json) (`2023-07-25T18:15:10.897`)
* [CVE-2023-35941](CVE-2023/CVE-2023-359xx/CVE-2023-35941.json) (`2023-07-25T18:15:10.993`)
* [CVE-2023-35942](CVE-2023/CVE-2023-359xx/CVE-2023-35942.json) (`2023-07-25T19:15:11.050`)
* [CVE-2023-35943](CVE-2023/CVE-2023-359xx/CVE-2023-35943.json) (`2023-07-25T19:15:11.153`)
* [CVE-2023-35944](CVE-2023/CVE-2023-359xx/CVE-2023-35944.json) (`2023-07-25T19:15:11.240`)
* [CVE-2023-35980](CVE-2023/CVE-2023-359xx/CVE-2023-35980.json) (`2023-07-25T19:15:11.327`)
* [CVE-2023-35981](CVE-2023/CVE-2023-359xx/CVE-2023-35981.json) (`2023-07-25T19:15:11.410`)
* [CVE-2023-35982](CVE-2023/CVE-2023-359xx/CVE-2023-35982.json) (`2023-07-25T19:15:11.480`)
* [CVE-2023-36806](CVE-2023/CVE-2023-368xx/CVE-2023-36806.json) (`2023-07-25T19:15:11.550`)
* [CVE-2023-36826](CVE-2023/CVE-2023-368xx/CVE-2023-36826.json) (`2023-07-25T19:15:11.640`)
* [CVE-2023-39128](CVE-2023/CVE-2023-391xx/CVE-2023-39128.json) (`2023-07-25T19:15:11.740`)
* [CVE-2023-39129](CVE-2023/CVE-2023-391xx/CVE-2023-39129.json) (`2023-07-25T19:15:11.800`)
* [CVE-2023-39130](CVE-2023/CVE-2023-391xx/CVE-2023-39130.json) (`2023-07-25T19:15:11.857`)
* [CVE-2020-35698](CVE-2020/CVE-2020-356xx/CVE-2020-35698.json) (`2023-07-25T20:15:12.643`)
* [CVE-2022-31458](CVE-2022/CVE-2022-314xx/CVE-2022-31458.json) (`2023-07-25T20:15:12.783`)
* [CVE-2022-46898](CVE-2022/CVE-2022-468xx/CVE-2022-46898.json) (`2023-07-25T20:15:12.887`)
* [CVE-2022-46899](CVE-2022/CVE-2022-468xx/CVE-2022-46899.json) (`2023-07-25T20:15:12.997`)
* [CVE-2022-46900](CVE-2022/CVE-2022-469xx/CVE-2022-46900.json) (`2023-07-25T20:15:13.087`)
* [CVE-2022-46901](CVE-2022/CVE-2022-469xx/CVE-2022-46901.json) (`2023-07-25T20:15:13.157`)
* [CVE-2022-46902](CVE-2022/CVE-2022-469xx/CVE-2022-46902.json) (`2023-07-25T20:15:13.227`)
* [CVE-2023-34798](CVE-2023/CVE-2023-347xx/CVE-2023-34798.json) (`2023-07-25T20:15:13.313`)
* [CVE-2023-37257](CVE-2023/CVE-2023-372xx/CVE-2023-37257.json) (`2023-07-25T20:15:13.423`)
* [CVE-2023-37258](CVE-2023/CVE-2023-372xx/CVE-2023-37258.json) (`2023-07-25T20:15:13.560`)
* [CVE-2023-37460](CVE-2023/CVE-2023-374xx/CVE-2023-37460.json) (`2023-07-25T20:15:13.703`)
* [CVE-2023-37677](CVE-2023/CVE-2023-376xx/CVE-2023-37677.json) (`2023-07-25T20:15:13.823`)
* [CVE-2023-3944](CVE-2023/CVE-2023-39xx/CVE-2023-3944.json) (`2023-07-25T20:15:14.027`)
* [CVE-2023-37902](CVE-2023/CVE-2023-379xx/CVE-2023-37902.json) (`2023-07-25T21:15:10.550`)
* [CVE-2023-37907](CVE-2023/CVE-2023-379xx/CVE-2023-37907.json) (`2023-07-25T21:15:10.647`)
* [CVE-2023-37919](CVE-2023/CVE-2023-379xx/CVE-2023-37919.json) (`2023-07-25T21:15:10.733`)
* [CVE-2023-37920](CVE-2023/CVE-2023-379xx/CVE-2023-37920.json) (`2023-07-25T21:15:10.827`)
* [CVE-2023-38493](CVE-2023/CVE-2023-384xx/CVE-2023-38493.json) (`2023-07-25T21:15:10.913`)
* [CVE-2023-38499](CVE-2023/CVE-2023-384xx/CVE-2023-38499.json) (`2023-07-25T21:15:10.997`)
* [CVE-2023-38500](CVE-2023/CVE-2023-385xx/CVE-2023-38500.json) (`2023-07-25T21:15:11.083`)
### CVEs modified in the last Commit
Recently modified CVEs: `65`
Recently modified CVEs: `4`
* [CVE-2023-31819](CVE-2023/CVE-2023-318xx/CVE-2023-31819.json) (`2023-07-25T19:03:18.877`)
* [CVE-2023-31820](CVE-2023/CVE-2023-318xx/CVE-2023-31820.json) (`2023-07-25T19:03:34.687`)
* [CVE-2023-31822](CVE-2023/CVE-2023-318xx/CVE-2023-31822.json) (`2023-07-25T19:03:50.593`)
* [CVE-2023-31825](CVE-2023/CVE-2023-318xx/CVE-2023-31825.json) (`2023-07-25T19:04:20.037`)
* [CVE-2023-3690](CVE-2023/CVE-2023-36xx/CVE-2023-3690.json) (`2023-07-25T19:09:50.323`)
* [CVE-2023-3686](CVE-2023/CVE-2023-36xx/CVE-2023-3686.json) (`2023-07-25T19:11:35.773`)
* [CVE-2023-3687](CVE-2023/CVE-2023-36xx/CVE-2023-3687.json) (`2023-07-25T19:11:50.817`)
* [CVE-2023-3684](CVE-2023/CVE-2023-36xx/CVE-2023-3684.json) (`2023-07-25T19:12:31.023`)
* [CVE-2023-3683](CVE-2023/CVE-2023-36xx/CVE-2023-3683.json) (`2023-07-25T19:12:48.627`)
* [CVE-2023-22033](CVE-2023/CVE-2023-220xx/CVE-2023-22033.json) (`2023-07-25T19:23:31.577`)
* [CVE-2023-22008](CVE-2023/CVE-2023-220xx/CVE-2023-22008.json) (`2023-07-25T19:23:57.457`)
* [CVE-2023-22007](CVE-2023/CVE-2023-220xx/CVE-2023-22007.json) (`2023-07-25T19:24:25.677`)
* [CVE-2023-22005](CVE-2023/CVE-2023-220xx/CVE-2023-22005.json) (`2023-07-25T19:24:46.737`)
* [CVE-2023-21950](CVE-2023/CVE-2023-219xx/CVE-2023-21950.json) (`2023-07-25T19:25:20.693`)
* [CVE-2023-22053](CVE-2023/CVE-2023-220xx/CVE-2023-22053.json) (`2023-07-25T19:26:36.587`)
* [CVE-2023-22048](CVE-2023/CVE-2023-220xx/CVE-2023-22048.json) (`2023-07-25T19:26:57.163`)
* [CVE-2023-22046](CVE-2023/CVE-2023-220xx/CVE-2023-22046.json) (`2023-07-25T19:27:45.300`)
* [CVE-2023-22038](CVE-2023/CVE-2023-220xx/CVE-2023-22038.json) (`2023-07-25T19:28:07.100`)
* [CVE-2023-3685](CVE-2023/CVE-2023-36xx/CVE-2023-3685.json) (`2023-07-25T19:28:29.557`)
* [CVE-2023-22054](CVE-2023/CVE-2023-220xx/CVE-2023-22054.json) (`2023-07-25T19:30:25.787`)
* [CVE-2023-22056](CVE-2023/CVE-2023-220xx/CVE-2023-22056.json) (`2023-07-25T19:30:37.157`)
* [CVE-2023-22057](CVE-2023/CVE-2023-220xx/CVE-2023-22057.json) (`2023-07-25T19:30:48.877`)
* [CVE-2023-22058](CVE-2023/CVE-2023-220xx/CVE-2023-22058.json) (`2023-07-25T19:33:36.430`)
* [CVE-2023-29984](CVE-2023/CVE-2023-299xx/CVE-2023-29984.json) (`2023-07-25T19:45:53.773`)
* [CVE-2023-3595](CVE-2023/CVE-2023-35xx/CVE-2023-3595.json) (`2023-07-25T19:55:53.177`)
* [CVE-2023-38403](CVE-2023/CVE-2023-384xx/CVE-2023-38403.json) (`2023-07-25T20:15:13.897`)
* [CVE-2023-20593](CVE-2023/CVE-2023-205xx/CVE-2023-20593.json) (`2023-07-25T21:15:10.333`)
* [CVE-2023-35936](CVE-2023/CVE-2023-359xx/CVE-2023-35936.json) (`2023-07-25T21:15:10.427`)
* [CVE-2023-38745](CVE-2023/CVE-2023-387xx/CVE-2023-38745.json) (`2023-07-25T21:15:11.177`)
## Download and Usage