From 39da5c14033bce1e33e8a087e3f9287d57781359 Mon Sep 17 00:00:00 2001 From: cad-safe-bot Date: Wed, 28 Feb 2024 07:00:29 +0000 Subject: [PATCH] Auto-Update: 2024-02-28T07:00:25.443818+00:00 --- CVE-2024/CVE-2024-05xx/CVE-2024-0550.json | 59 +++++++++++++++++++++ CVE-2024/CVE-2024-227xx/CVE-2024-22723.json | 20 +++++++ README.md | 28 +++------- 3 files changed, 86 insertions(+), 21 deletions(-) create mode 100644 CVE-2024/CVE-2024-05xx/CVE-2024-0550.json create mode 100644 CVE-2024/CVE-2024-227xx/CVE-2024-22723.json diff --git a/CVE-2024/CVE-2024-05xx/CVE-2024-0550.json b/CVE-2024/CVE-2024-05xx/CVE-2024-0550.json new file mode 100644 index 00000000000..417abf28ec1 --- /dev/null +++ b/CVE-2024/CVE-2024-05xx/CVE-2024-0550.json @@ -0,0 +1,59 @@ +{ + "id": "CVE-2024-0550", + "sourceIdentifier": "security@huntr.dev", + "published": "2024-02-28T05:15:08.770", + "lastModified": "2024-02-28T05:15:08.770", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "A user who is privileged already `manager` or `admin` can set their profile picture via the frontend API using a relative filepath to then user the PFP GET API to download any valid files.\n\nThe attacker would have to have been granted privileged permissions to the system before executing this attack." + } + ], + "metrics": { + "cvssMetricV30": [ + { + "source": "security@huntr.dev", + "type": "Secondary", + "cvssData": { + "version": "3.0", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "CHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "NONE", + "baseScore": 9.6, + "baseSeverity": "CRITICAL" + }, + "exploitabilityScore": 3.1, + "impactScore": 5.8 + } + ] + }, + "weaknesses": [ + { + "source": "security@huntr.dev", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-23" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/mintplex-labs/anything-llm/commit/e1dcd5ded010b03abd6aa32d1bf0668a48e38e17", + "source": "security@huntr.dev" + }, + { + "url": "https://huntr.com/bounties/c6afeb5e-f211-4b3d-aa4b-6bad734217a6", + "source": "security@huntr.dev" + } + ] +} \ No newline at end of file diff --git a/CVE-2024/CVE-2024-227xx/CVE-2024-22723.json b/CVE-2024/CVE-2024-227xx/CVE-2024-22723.json new file mode 100644 index 00000000000..7d6936a2ec6 --- /dev/null +++ b/CVE-2024/CVE-2024-227xx/CVE-2024-22723.json @@ -0,0 +1,20 @@ +{ + "id": "CVE-2024-22723", + "sourceIdentifier": "cve@mitre.org", + "published": "2024-02-28T06:15:49.827", + "lastModified": "2024-02-28T06:15:49.827", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "Webtrees 2.1.18 is vulnerable to Directory Traversal. By manipulating the \"media_folder\" parameter in the URL, an attacker (in this case, an administrator) can navigate beyond the intended directory (the 'media/' directory) to access sensitive files in other parts of the application's file system." + } + ], + "metrics": {}, + "references": [ + { + "url": "https://cupc4k3.medium.com/cve-2024-22723-webtrees-vulnerability-uncovering-sensitive-data-through-path-traversal-7442e7a38b68", + "source": "cve@mitre.org" + } + ] +} \ No newline at end of file diff --git a/README.md b/README.md index 4208a204f9e..b9d7e828c70 100644 --- a/README.md +++ b/README.md @@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours. ### Last Repository Update ```plain -2024-02-28T05:00:25.355764+00:00 +2024-02-28T07:00:25.443818+00:00 ``` ### Most recent CVE Modification Timestamp synchronized with NVD ```plain -2024-02-28T03:15:08.737000+00:00 +2024-02-28T06:15:49.827000+00:00 ``` ### Last Data Feed Release @@ -29,35 +29,21 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/ ### Total Number of included CVEs ```plain -239689 +239691 ``` ### CVEs added in the last Commit -Recently added CVEs: `3` +Recently added CVEs: `2` -* [CVE-2023-50735](CVE-2023/CVE-2023-507xx/CVE-2023-50735.json) (`2024-02-28T03:15:07.357`) -* [CVE-2023-50736](CVE-2023/CVE-2023-507xx/CVE-2023-50736.json) (`2024-02-28T03:15:07.657`) -* [CVE-2023-50737](CVE-2023/CVE-2023-507xx/CVE-2023-50737.json) (`2024-02-28T03:15:07.900`) +* [CVE-2024-0550](CVE-2024/CVE-2024-05xx/CVE-2024-0550.json) (`2024-02-28T05:15:08.770`) +* [CVE-2024-22723](CVE-2024/CVE-2024-227xx/CVE-2024-22723.json) (`2024-02-28T06:15:49.827`) ### CVEs modified in the last Commit -Recently modified CVEs: `13` +Recently modified CVEs: `0` -* [CVE-2022-37599](CVE-2022/CVE-2022-375xx/CVE-2022-37599.json) (`2024-02-28T03:15:06.897`) -* [CVE-2023-26136](CVE-2023/CVE-2023-261xx/CVE-2023-26136.json) (`2024-02-28T03:15:07.087`) -* [CVE-2023-46234](CVE-2023/CVE-2023-462xx/CVE-2023-46234.json) (`2024-02-28T03:15:07.220`) -* [CVE-2024-23850](CVE-2024/CVE-2024-238xx/CVE-2024-23850.json) (`2024-02-28T03:15:08.097`) -* [CVE-2024-23851](CVE-2024/CVE-2024-238xx/CVE-2024-23851.json) (`2024-02-28T03:15:08.163`) -* [CVE-2024-26582](CVE-2024/CVE-2024-265xx/CVE-2024-26582.json) (`2024-02-28T03:15:08.227`) -* [CVE-2024-26583](CVE-2024/CVE-2024-265xx/CVE-2024-26583.json) (`2024-02-28T03:15:08.287`) -* [CVE-2024-26584](CVE-2024/CVE-2024-265xx/CVE-2024-26584.json) (`2024-02-28T03:15:08.390`) -* [CVE-2024-26585](CVE-2024/CVE-2024-265xx/CVE-2024-26585.json) (`2024-02-28T03:15:08.490`) -* [CVE-2024-26593](CVE-2024/CVE-2024-265xx/CVE-2024-26593.json) (`2024-02-28T03:15:08.580`) -* [CVE-2024-26603](CVE-2024/CVE-2024-266xx/CVE-2024-26603.json) (`2024-02-28T03:15:08.647`) -* [CVE-2024-26604](CVE-2024/CVE-2024-266xx/CVE-2024-26604.json) (`2024-02-28T03:15:08.690`) -* [CVE-2024-26606](CVE-2024/CVE-2024-266xx/CVE-2024-26606.json) (`2024-02-28T03:15:08.737`) ## Download and Usage