From 49b61e4d3625de345440b2f1396b8019a245f9cf Mon Sep 17 00:00:00 2001 From: cad-safe-bot Date: Tue, 17 Oct 2023 10:00:55 +0000 Subject: [PATCH] Auto-Update: 2023-10-17T10:00:52.176211+00:00 --- CVE-2023/CVE-2023-243xx/CVE-2023-24385.json | 55 +++++++++++++++++++++ CVE-2023/CVE-2023-363xx/CVE-2023-36387.json | 20 +++++--- CVE-2023/CVE-2023-424xx/CVE-2023-42497.json | 55 +++++++++++++++++++++ CVE-2023/CVE-2023-426xx/CVE-2023-42629.json | 55 +++++++++++++++++++++ CVE-2023/CVE-2023-43xx/CVE-2023-4399.json | 55 +++++++++++++++++++++ CVE-2023/CVE-2023-443xx/CVE-2023-44309.json | 55 +++++++++++++++++++++ README.md | 19 +++---- 7 files changed, 299 insertions(+), 15 deletions(-) create mode 100644 CVE-2023/CVE-2023-243xx/CVE-2023-24385.json create mode 100644 CVE-2023/CVE-2023-424xx/CVE-2023-42497.json create mode 100644 CVE-2023/CVE-2023-426xx/CVE-2023-42629.json create mode 100644 CVE-2023/CVE-2023-43xx/CVE-2023-4399.json create mode 100644 CVE-2023/CVE-2023-443xx/CVE-2023-44309.json diff --git a/CVE-2023/CVE-2023-243xx/CVE-2023-24385.json b/CVE-2023/CVE-2023-243xx/CVE-2023-24385.json new file mode 100644 index 00000000000..749f7d9a57c --- /dev/null +++ b/CVE-2023/CVE-2023-243xx/CVE-2023-24385.json @@ -0,0 +1,55 @@ +{ + "id": "CVE-2023-24385", + "sourceIdentifier": "audit@patchstack.com", + "published": "2023-10-17T09:15:09.960", + "lastModified": "2023-10-17T09:15:09.960", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "Auth. (author+) Stored Cross-Site Scripting (XSS) vulnerability in David Lingren Media Library Assistant plugin <=\u00a03.11 versions." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "audit@patchstack.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "HIGH", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "LOW", + "baseScore": 5.9, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 1.7, + "impactScore": 3.7 + } + ] + }, + "weaknesses": [ + { + "source": "audit@patchstack.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + } + ], + "references": [ + { + "url": "https://patchstack.com/database/vulnerability/media-library-assistant/wordpress-media-library-assistant-plugin-3-11-cross-site-scripting-xss-vulnerability?_s_id=cve", + "source": "audit@patchstack.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2023/CVE-2023-363xx/CVE-2023-36387.json b/CVE-2023/CVE-2023-363xx/CVE-2023-36387.json index 100f77b445e..a791e80faab 100644 --- a/CVE-2023/CVE-2023-363xx/CVE-2023-36387.json +++ b/CVE-2023/CVE-2023-363xx/CVE-2023-36387.json @@ -2,12 +2,16 @@ "id": "CVE-2023-36387", "sourceIdentifier": "security@apache.org", "published": "2023-09-06T13:15:08.537", - "lastModified": "2023-09-11T14:25:26.437", - "vulnStatus": "Analyzed", + "lastModified": "2023-10-17T08:15:09.210", + "vulnStatus": "Modified", "descriptions": [ { "lang": "en", "value": "An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.\n" + }, + { + "lang": "es", + "value": "Un permiso de API REST predeterminado incorrecto para los usuarios de Gamma en Apache Superset hasta la versi\u00f3n 2.1.0 incluida permite que un usuario de Gamma autenticado pruebe las conexiones de la base de datos.\n" } ], "metrics": { @@ -56,22 +60,22 @@ }, "weaknesses": [ { - "source": "nvd@nist.gov", + "source": "security@apache.org", "type": "Primary", "description": [ { "lang": "en", - "value": "CWE-281" + "value": "CWE-863" } ] }, { - "source": "security@apache.org", + "source": "nvd@nist.gov", "type": "Secondary", "description": [ { "lang": "en", - "value": "CWE-918" + "value": "CWE-281" } ] } @@ -95,6 +99,10 @@ } ], "references": [ + { + "url": "https://github.com/apache/superset/pull/24185", + "source": "security@apache.org" + }, { "url": "https://lists.apache.org/thread/tt6s6hm8nv6s11z8bfsk3r3d9ov0ogw3", "source": "security@apache.org", diff --git a/CVE-2023/CVE-2023-424xx/CVE-2023-42497.json b/CVE-2023/CVE-2023-424xx/CVE-2023-42497.json new file mode 100644 index 00000000000..b095ffd3f5f --- /dev/null +++ b/CVE-2023/CVE-2023-424xx/CVE-2023-42497.json @@ -0,0 +1,55 @@ +{ + "id": "CVE-2023-42497", + "sourceIdentifier": "security@liferay.com", + "published": "2023-10-17T08:15:09.437", + "lastModified": "2023-10-17T08:15:09.437", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter.\n" + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security@liferay.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseScore": 9.6, + "baseSeverity": "CRITICAL" + }, + "exploitabilityScore": 2.8, + "impactScore": 6.0 + } + ] + }, + "weaknesses": [ + { + "source": "security@liferay.com", + "type": "Secondary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + } + ], + "references": [ + { + "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42497", + "source": "security@liferay.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2023/CVE-2023-426xx/CVE-2023-42629.json b/CVE-2023/CVE-2023-426xx/CVE-2023-42629.json new file mode 100644 index 00000000000..7d4f6b5989d --- /dev/null +++ b/CVE-2023/CVE-2023-426xx/CVE-2023-42629.json @@ -0,0 +1,55 @@ +{ + "id": "CVE-2023-42629", + "sourceIdentifier": "security@liferay.com", + "published": "2023-10-17T09:15:10.167", + "lastModified": "2023-10-17T09:15:10.167", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's 'description' text field." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security@liferay.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseScore": 9.0, + "baseSeverity": "CRITICAL" + }, + "exploitabilityScore": 2.3, + "impactScore": 6.0 + } + ] + }, + "weaknesses": [ + { + "source": "security@liferay.com", + "type": "Secondary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + } + ], + "references": [ + { + "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42629", + "source": "security@liferay.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2023/CVE-2023-43xx/CVE-2023-4399.json b/CVE-2023/CVE-2023-43xx/CVE-2023-4399.json new file mode 100644 index 00000000000..81cf1ca3544 --- /dev/null +++ b/CVE-2023/CVE-2023-43xx/CVE-2023-4399.json @@ -0,0 +1,55 @@ +{ + "id": "CVE-2023-4399", + "sourceIdentifier": "security@grafana.com", + "published": "2023-10-17T08:15:09.553", + "lastModified": "2023-10-17T08:15:09.553", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "Grafana is an open-source platform for monitoring and observability. \n\nIn Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn\u2019t call specific hosts.\n\nHowever, the restriction can be bypassed used punycode encoding of the characters in the request address.\n\n" + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security@grafana.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L", + "attackVector": "NETWORK", + "attackComplexity": "HIGH", + "privilegesRequired": "HIGH", + "userInteraction": "NONE", + "scope": "CHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "LOW", + "baseScore": 6.6, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 1.3, + "impactScore": 4.7 + } + ] + }, + "weaknesses": [ + { + "source": "security@grafana.com", + "type": "Secondary", + "description": [ + { + "lang": "en", + "value": "CWE-183" + } + ] + } + ], + "references": [ + { + "url": "https://grafana.com/security/security-advisories/cve-2023-4399/", + "source": "security@grafana.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2023/CVE-2023-443xx/CVE-2023-44309.json b/CVE-2023/CVE-2023-443xx/CVE-2023-44309.json new file mode 100644 index 00000000000..55604561d2a --- /dev/null +++ b/CVE-2023/CVE-2023-443xx/CVE-2023-44309.json @@ -0,0 +1,55 @@ +{ + "id": "CVE-2023-44309", + "sourceIdentifier": "security@liferay.com", + "published": "2023-10-17T09:15:10.347", + "lastModified": "2023-10-17T09:15:10.347", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal 7.4.2 through 7.4.3.53, and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked source asset." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security@liferay.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseScore": 9.0, + "baseSeverity": "CRITICAL" + }, + "exploitabilityScore": 2.3, + "impactScore": 6.0 + } + ] + }, + "weaknesses": [ + { + "source": "security@liferay.com", + "type": "Secondary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + } + ], + "references": [ + { + "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44309", + "source": "security@liferay.com" + } + ] +} \ No newline at end of file diff --git a/README.md b/README.md index 1e6f6d32808..e81741b6696 100644 --- a/README.md +++ b/README.md @@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours. ### Last Repository Update ```plain -2023-10-17T08:00:25.402342+00:00 +2023-10-17T10:00:52.176211+00:00 ``` ### Most recent CVE Modification Timestamp synchronized with NVD ```plain -2023-10-17T07:15:10.090000+00:00 +2023-10-17T09:15:10.347000+00:00 ``` ### Last Data Feed Release @@ -29,24 +29,25 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/ ### Total Number of included CVEs ```plain -228020 +228025 ``` ### CVEs added in the last Commit Recently added CVEs: `5` -* [CVE-2023-44693](CVE-2023/CVE-2023-446xx/CVE-2023-44693.json) (`2023-10-17T06:15:09.553`) -* [CVE-2023-44694](CVE-2023/CVE-2023-446xx/CVE-2023-44694.json) (`2023-10-17T06:15:09.690`) -* [CVE-2023-39456](CVE-2023/CVE-2023-394xx/CVE-2023-39456.json) (`2023-10-17T07:15:09.737`) -* [CVE-2023-41752](CVE-2023/CVE-2023-417xx/CVE-2023-41752.json) (`2023-10-17T07:15:09.960`) -* [CVE-2023-4089](CVE-2023/CVE-2023-40xx/CVE-2023-4089.json) (`2023-10-17T07:15:10.090`) +* [CVE-2023-42497](CVE-2023/CVE-2023-424xx/CVE-2023-42497.json) (`2023-10-17T08:15:09.437`) +* [CVE-2023-4399](CVE-2023/CVE-2023-43xx/CVE-2023-4399.json) (`2023-10-17T08:15:09.553`) +* [CVE-2023-24385](CVE-2023/CVE-2023-243xx/CVE-2023-24385.json) (`2023-10-17T09:15:09.960`) +* [CVE-2023-42629](CVE-2023/CVE-2023-426xx/CVE-2023-42629.json) (`2023-10-17T09:15:10.167`) +* [CVE-2023-44309](CVE-2023/CVE-2023-443xx/CVE-2023-44309.json) (`2023-10-17T09:15:10.347`) ### CVEs modified in the last Commit -Recently modified CVEs: `0` +Recently modified CVEs: `1` +* [CVE-2023-36387](CVE-2023/CVE-2023-363xx/CVE-2023-36387.json) (`2023-10-17T08:15:09.210`) ## Download and Usage