mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-07-09 16:05:11 +00:00
Auto-Update: 2023-12-02T05:00:18.316198+00:00
This commit is contained in:
cad-safe-bot
parent
8a3d66c585
commit
62ea1d9855
@ -2,8 +2,8 @@
|
||||
"id": "CVE-2023-24023",
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2023-11-28T07:15:41.340",
|
||||
"lastModified": "2023-11-28T14:12:58.173",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:40:02.733",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
@ -14,15 +14,76 @@
|
||||
"value": "Los dispositivos Bluetooth BR/EDR con emparejamiento simple seguro y emparejamiento de conexiones seguras en las especificaciones principales de Bluetooth 4.2 a 5.4 permiten ciertos ataques de intermediario que fuerzan una longitud de clave corta y pueden llevar al descubrimiento de la clave de cifrado y a la inyecci\u00f3n en vivo, tambi\u00e9n conocido como BLUFFS."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
|
||||
"attackVector": "ADJACENT_NETWORK",
|
||||
"attackComplexity": "HIGH",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "HIGH",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 6.8,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 1.6,
|
||||
"impactScore": 5.2
|
||||
}
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "NVD-CWE-noinfo"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:bluetooth:bluetooth_core_specification:*:*:*:*:*:*:*:*",
|
||||
"versionStartIncluding": "4.2",
|
||||
"versionEndIncluding": "5.4",
|
||||
"matchCriteriaId": "FDDBC9C6-0387-47F1-B213-3AEAFD6A23C8"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://dl.acm.org/doi/10.1145/3576915.3623066",
|
||||
"source": "cve@mitre.org"
|
||||
"source": "cve@mitre.org",
|
||||
"tags": [
|
||||
"Technical Description",
|
||||
"Third Party Advisory"
|
||||
]
|
||||
},
|
||||
{
|
||||
"url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/bluffs-vulnerability/",
|
||||
"source": "cve@mitre.org"
|
||||
"source": "cve@mitre.org",
|
||||
"tags": [
|
||||
"Vendor Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,19 +2,79 @@
|
||||
"id": "CVE-2023-2707",
|
||||
"sourceIdentifier": "contact@wpscan.com",
|
||||
"published": "2023-11-27T17:15:07.740",
|
||||
"lastModified": "2023-11-27T19:03:39.603",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:33:48.873",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The gAppointments WordPress plugin through 1.9.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento gAppointments de WordPress hasta la versi\u00f3n 1.9.5.1 no sanitiza ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en una configuraci\u00f3n multisitio)."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "HIGH",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 4.8,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 1.7,
|
||||
"impactScore": 2.7
|
||||
}
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-79"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:gappointments:gappointments:*:*:*:*:*:wordpress:*:*",
|
||||
"versionEndIncluding": "1.9.5.1",
|
||||
"matchCriteriaId": "27537F27-51EA-40E5-8379-ACC09B1138C3"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
"references": [
|
||||
{
|
||||
"url": "https://wpscan.com/vulnerability/e5664da4-5b78-4e42-be6b-e0d7b73a85b0",
|
||||
"source": "contact@wpscan.com"
|
||||
"source": "contact@wpscan.com",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,8 +2,8 @@
|
||||
"id": "CVE-2023-30585",
|
||||
"sourceIdentifier": "support@hackerone.com",
|
||||
"published": "2023-11-28T02:15:42.077",
|
||||
"lastModified": "2023-11-28T14:12:58.173",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:39:59.250",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
@ -14,11 +14,82 @@
|
||||
"value": "Se ha identificado una vulnerabilidad en el proceso de instalaci\u00f3n de Node.js (versi\u00f3n .msi), que afecta espec\u00edficamente a los usuarios de Windows que instalan Node.js utilizando el instalador .msi. Esta vulnerabilidad surge durante la operaci\u00f3n de reparaci\u00f3n, donde el proceso \"msiexec.exe\", que se ejecuta en el contexto NT AUTHORITY\\SYSTEM, intenta leer la variable de entorno %USERPROFILE% del registro del usuario actual. El problema surge cuando la ruta a la que hace referencia la variable de entorno %USERPROFILE% no existe. En tales casos, el proceso \"msiexec.exe\" intenta crear la ruta especificada de forma insegura, lo que podr\u00eda provocar la creaci\u00f3n de carpetas arbitrarias en ubicaciones arbitrarias. La gravedad de esta vulnerabilidad se ve aumentada por el hecho de que los usuarios est\u00e1ndar (o \"sin privilegios\") pueden modificar la variable de entorno %USERPROFILE% en el registro de Windows. En consecuencia, los actores no privilegiados, incluidas entidades maliciosas o troyanos, pueden manipular la clave de la variable de entorno para enga\u00f1ar al proceso privilegiado \"msiexec.exe\". Esta manipulaci\u00f3n puede dar como resultado la creaci\u00f3n de carpetas en ubicaciones no deseadas y potencialmente maliciosas. Es importante tener en cuenta que esta vulnerabilidad es espec\u00edfica de los usuarios de Windows que instalan Node.js utilizando el instalador .msi. Los usuarios que optan por otros m\u00e9todos de instalaci\u00f3n no se ven afectados por este problema en particular."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "NONE",
|
||||
"integrityImpact": "HIGH",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 7.5,
|
||||
"baseSeverity": "HIGH"
|
||||
},
|
||||
"exploitabilityScore": 3.9,
|
||||
"impactScore": 3.6
|
||||
}
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "NVD-CWE-noinfo"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*",
|
||||
"versionStartIncluding": "16.0.0",
|
||||
"versionEndExcluding": "16.20.1",
|
||||
"matchCriteriaId": "7E7F6F9A-AF9F-453B-870D-1E8759567F29"
|
||||
},
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*",
|
||||
"versionStartIncluding": "18.0.0",
|
||||
"versionEndExcluding": "18.16.1",
|
||||
"matchCriteriaId": "3AA02CEF-5AC5-46F7-94DE-D9EA15678AE7"
|
||||
},
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*",
|
||||
"versionStartIncluding": "20.0.0",
|
||||
"versionEndExcluding": "20.3.1",
|
||||
"matchCriteriaId": "1CAA23E6-4930-4326-9CB0-AEE5013BFD37"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases",
|
||||
"source": "support@hackerone.com"
|
||||
"source": "support@hackerone.com",
|
||||
"tags": [
|
||||
"Vendor Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-41998",
|
||||
"sourceIdentifier": "vulnreport@tenable.com",
|
||||
"published": "2023-11-27T17:15:07.803",
|
||||
"lastModified": "2023-11-27T19:03:39.603",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:34:00.220",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "Arcserve UDP prior to 9.2 contained a vulnerability in the\u00a0com.ca.arcflash.rps.webservice.RPSService4CPMImpl interface. A routine exists that allows an attacker to upload and execute arbitrary files."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Arcserve UDP anterior a 9.2 conten\u00eda una vulnerabilidad en la interfaz com.ca.arcflash.rps.webservice.RPSService4CPMImpl. Existe una rutina que permite a un atacante cargar y ejecutar archivos arbitrarios."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "HIGH",
|
||||
"availabilityImpact": "HIGH",
|
||||
"baseScore": 9.8,
|
||||
"baseSeverity": "CRITICAL"
|
||||
},
|
||||
"exploitabilityScore": 3.9,
|
||||
"impactScore": 5.9
|
||||
},
|
||||
{
|
||||
"source": "vulnreport@tenable.com",
|
||||
"type": "Secondary",
|
||||
@ -35,6 +59,16 @@
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-434"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"source": "vulnreport@tenable.com",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +80,32 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:arcserve:udp:*:*:*:*:*:*:*:*",
|
||||
"versionEndExcluding": "9.2",
|
||||
"matchCriteriaId": "DD913BA7-A48E-4406-93FB-4BD86BCD519E"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.tenable.com/security/research/tra-2023-37",
|
||||
"source": "vulnreport@tenable.com"
|
||||
"source": "vulnreport@tenable.com",
|
||||
"tags": [
|
||||
"Exploit",
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,8 +2,8 @@
|
||||
"id": "CVE-2023-47831",
|
||||
"sourceIdentifier": "audit@patchstack.com",
|
||||
"published": "2023-11-22T23:15:10.440",
|
||||
"lastModified": "2023-11-24T15:24:57.673",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:33:38.013",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
@ -16,6 +16,26 @@
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "audit@patchstack.com",
|
||||
"type": "Secondary",
|
||||
@ -50,10 +70,31 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:assortedchips:drawit:*:*:*:*:*:wordpress:*:*",
|
||||
"versionEndIncluding": "1.1.3",
|
||||
"matchCriteriaId": "60C3B294-09C2-4696-9503-70FC3739C121"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://patchstack.com/database/vulnerability/drawit/wordpress-drawit-draw-io-plugin-1-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve",
|
||||
"source": "audit@patchstack.com"
|
||||
"source": "audit@patchstack.com",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,27 +2,93 @@
|
||||
"id": "CVE-2023-49028",
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2023-11-27T17:15:08.337",
|
||||
"lastModified": "2023-11-27T19:03:39.603",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:35:24.697",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "Cross Site Scripting vulnerability in smpn1smg absis v.2017-10-19 and before allows a remote attacker to execute arbitrary code via the user parameter in the lock/lock.php file."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Vulnerabilidad de Cross Site Scripting en smpn1smg absis v.2017-10-19 y anteriores permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s del par\u00e1metro de usuario en el archivo lock/lock.php."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
}
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-79"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:absis:absis:*:*:*:*:*:*:*:*",
|
||||
"versionEndIncluding": "2017.10.19",
|
||||
"matchCriteriaId": "04D29F9F-A927-4927-802B-E52FC236A569"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
"references": [
|
||||
{
|
||||
"url": "https://gist.github.com/Chiaki2333/d132c4b169b55bd7cd50e73dbe20c410",
|
||||
"source": "cve@mitre.org"
|
||||
"source": "cve@mitre.org",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
},
|
||||
{
|
||||
"url": "https://github.com/Chiaki2333/vulnerability/blob/main/smpn1smg-absis-XSS-lock.php-user.md",
|
||||
"source": "cve@mitre.org"
|
||||
"source": "cve@mitre.org",
|
||||
"tags": [
|
||||
"Exploit"
|
||||
]
|
||||
},
|
||||
{
|
||||
"url": "https://github.com/smpn1smg/absis",
|
||||
"source": "cve@mitre.org"
|
||||
"source": "cve@mitre.org",
|
||||
"tags": [
|
||||
"Product"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,19 +2,84 @@
|
||||
"id": "CVE-2023-5604",
|
||||
"sourceIdentifier": "contact@wpscan.com",
|
||||
"published": "2023-11-27T17:15:09.030",
|
||||
"lastModified": "2023-11-27T19:03:35.337",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:35:37.727",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The Asgaros Forum WordPress plugin before 2.7.1 allows forum administrators, who may not be WordPress (super-)administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files (e.g. .php, .phtml), potentially leading to remote code execution."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento Asgaros Forum de WordPress anterior a 2.7.1 permite a los administradores del foro, que pueden no ser (super)administradores de WordPress, establecer una configuraci\u00f3n insegura que permite a usuarios no autenticados cargar archivos peligrosos (por ejemplo, .php, .phtml), lo que podr\u00eda generar una ejecuci\u00f3n remota de c\u00f3digo."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "HIGH",
|
||||
"availabilityImpact": "HIGH",
|
||||
"baseScore": 9.8,
|
||||
"baseSeverity": "CRITICAL"
|
||||
},
|
||||
"exploitabilityScore": 3.9,
|
||||
"impactScore": 5.9
|
||||
}
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-434"
|
||||
},
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-94"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:asgaros:asgaros_forum:*:*:*:*:*:wordpress:*:*",
|
||||
"versionEndExcluding": "2.7.1",
|
||||
"matchCriteriaId": "974AB954-A6BE-486A-8319-A1D83B131933"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
"references": [
|
||||
{
|
||||
"url": "https://wpscan.com/vulnerability/4ce69d71-87bf-4d95-90f2-63d558c78b69",
|
||||
"source": "contact@wpscan.com"
|
||||
"source": "contact@wpscan.com",
|
||||
"tags": [
|
||||
"Exploit",
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,19 +2,80 @@
|
||||
"id": "CVE-2023-5611",
|
||||
"sourceIdentifier": "contact@wpscan.com",
|
||||
"published": "2023-11-27T17:15:09.083",
|
||||
"lastModified": "2023-11-27T19:03:35.337",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:35:53.547",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The Seraphinite Accelerator WordPress plugin before 2.20.32 does not have authorisation and CSRF checks when resetting and importing its settings, allowing unauthenticated users to reset them"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento Seraphinite Accelerator de WordPress anterior a la versi\u00f3n 2.20.32 no tiene autorizaci\u00f3n ni controles CSRF al restablecer e importar su configuraci\u00f3n, lo que permite a los usuarios no autenticados restablecerla."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "NONE",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.3,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 3.9,
|
||||
"impactScore": 1.4
|
||||
}
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-862"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:seraphinitesolutions:seraphinite_accelerator:*:*:*:*:*:wordpress:*:*",
|
||||
"versionEndExcluding": "2.20.32",
|
||||
"matchCriteriaId": "4F7D8116-522C-4A41-990D-9162E88CCF55"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
"references": [
|
||||
{
|
||||
"url": "https://wpscan.com/vulnerability/8cb8a5e9-2ab6-4d9b-9ffc-ef530e346f8d",
|
||||
"source": "contact@wpscan.com"
|
||||
"source": "contact@wpscan.com",
|
||||
"tags": [
|
||||
"Exploit",
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,19 +2,80 @@
|
||||
"id": "CVE-2023-5620",
|
||||
"sourceIdentifier": "contact@wpscan.com",
|
||||
"published": "2023-11-27T17:15:09.137",
|
||||
"lastModified": "2023-11-27T19:03:35.337",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:36:03.177",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The Web Push Notifications WordPress plugin before 4.35.0 does not prevent visitors on the site from changing some of the plugin options, some of which may be used to conduct Stored XSS attacks."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento Web Push Notifications de WordPress anterior a 4.35.0 no impide que los visitantes del sitio cambien algunas de las opciones del complemento, algunas de las cuales pueden usarse para realizar ataques XSS Almacenados."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
}
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-79"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:webpushr:web_push_notifications:*:*:*:*:*:wordpress:*:*",
|
||||
"versionEndExcluding": "4.35.0",
|
||||
"matchCriteriaId": "893D6956-0070-406E-A957-25CB79FD76A2"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
"references": [
|
||||
{
|
||||
"url": "https://wpscan.com/vulnerability/a03330c2-3ae0-404d-a114-33b18cc47666",
|
||||
"source": "contact@wpscan.com"
|
||||
"source": "contact@wpscan.com",
|
||||
"tags": [
|
||||
"Exploit",
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,19 +2,80 @@
|
||||
"id": "CVE-2023-5641",
|
||||
"sourceIdentifier": "contact@wpscan.com",
|
||||
"published": "2023-11-27T17:15:09.183",
|
||||
"lastModified": "2023-11-27T19:03:35.337",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:36:11.447",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The Martins Free & Easy SEO BackLink Link Building Network WordPress plugin before 1.2.30 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento Martins Free & Easy SEO BackLink Link Building Network de WordPress anterior a 1.2.30 no sanitiza ni escapa un par\u00e1metro antes de devolverlo a la p\u00e1gina, lo que genera Cross-Site Scripting Reflejado que podr\u00eda usarse contra usuarios con privilegios elevados, como el administrador."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 6.1,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.8,
|
||||
"impactScore": 2.7
|
||||
}
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-79"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:martinstools:seo_backlink_link_building_network:*:*:*:*:*:wordpress:*:*",
|
||||
"versionEndExcluding": "1.2.30",
|
||||
"matchCriteriaId": "8747E5D1-A7C2-4359-B08A-23003BBC6EC8"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
"references": [
|
||||
{
|
||||
"url": "https://wpscan.com/vulnerability/c0a6c253-71f2-415d-a6ec-022f2eafc13b",
|
||||
"source": "contact@wpscan.com"
|
||||
"source": "contact@wpscan.com",
|
||||
"tags": [
|
||||
"Exploit",
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,19 +2,80 @@
|
||||
"id": "CVE-2023-5738",
|
||||
"sourceIdentifier": "contact@wpscan.com",
|
||||
"published": "2023-11-27T17:15:09.333",
|
||||
"lastModified": "2023-11-27T19:03:35.337",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:36:42.670",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The WordPress Backup & Migration WordPress plugin before 1.4.4 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento WordPress Backup & Migration de WordPress anterior a 1.4.4 no sanitiza ni escapa a algunos par\u00e1metros, lo que podr\u00eda permitir a los usuarios con un rol tan bajo como Suscriptor realizar ataques de Cross Site Scripting."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
}
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-79"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:webtoffee:backup_and_migration:*:*:*:*:*:wordpress:*:*",
|
||||
"versionEndExcluding": "1.4.4",
|
||||
"matchCriteriaId": "5983571D-9ABE-4599-9C19-E8AFA534198A"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
"references": [
|
||||
{
|
||||
"url": "https://wpscan.com/vulnerability/7f935916-9a1a-40c7-b6d8-efcc46eb8eaf",
|
||||
"source": "contact@wpscan.com"
|
||||
"source": "contact@wpscan.com",
|
||||
"tags": [
|
||||
"Exploit",
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,19 +2,80 @@
|
||||
"id": "CVE-2023-5958",
|
||||
"sourceIdentifier": "contact@wpscan.com",
|
||||
"published": "2023-11-27T17:15:09.623",
|
||||
"lastModified": "2023-11-27T19:03:35.337",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:36:54.543",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The POST SMTP Mailer WordPress plugin before 2.7.1 does not escape email message content before displaying it in the backend, allowing an unauthenticated attacker to perform XSS attacks against highly privileged users."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento POST SMTP Mailer de WordPress anterior a 2.7.1 no escapa del contenido del mensaje de correo electr\u00f3nico antes de mostrarlo en el backend, lo que permite a un atacante no autenticado realizar ataques XSS contra usuarios con privilegios elevados."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 6.1,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.8,
|
||||
"impactScore": 2.7
|
||||
}
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-79"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:wpexperts:post_smtp_mailer:*:*:*:*:*:wordpress:*:*",
|
||||
"versionEndExcluding": "2.7.1",
|
||||
"matchCriteriaId": "E40A03E0-E94A-431E-8C67-039F96A535BE"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
"references": [
|
||||
{
|
||||
"url": "https://wpscan.com/vulnerability/22fa478d-e42e-488d-9b4b-a8720dec7cee",
|
||||
"source": "contact@wpscan.com"
|
||||
"source": "contact@wpscan.com",
|
||||
"tags": [
|
||||
"Exploit",
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6410",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:15.497",
|
||||
"lastModified": "2023-11-30T14:48:37.600",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:39:29.697",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via editprofile.php in multiple parameters. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL mediante editprofile.php en m\u00faltiples par\u00e1metros. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "NONE",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 7.5,
|
||||
"baseSeverity": "HIGH"
|
||||
},
|
||||
"exploitabilityScore": 3.9,
|
||||
"impactScore": 3.6
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6411",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:16.017",
|
||||
"lastModified": "2023-11-30T14:48:37.600",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:39:26.877",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via home.php in the update parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL v\u00eda home.php en el par\u00e1metro de actualizaci\u00f3n. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "NONE",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 7.5,
|
||||
"baseSeverity": "HIGH"
|
||||
},
|
||||
"exploitabilityScore": 3.9,
|
||||
"impactScore": 3.6
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6412",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:16.527",
|
||||
"lastModified": "2023-11-30T14:48:37.600",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:39:24.357",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via photo.php in multiple parameters. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL v\u00eda photo.php en m\u00faltiples par\u00e1metros. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "NONE",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 7.5,
|
||||
"baseSeverity": "HIGH"
|
||||
},
|
||||
"exploitabilityScore": 3.9,
|
||||
"impactScore": 3.6
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6413",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:17.020",
|
||||
"lastModified": "2023-11-30T14:48:37.600",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:39:21.477",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via photos.php in the id and user parameters. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL a trav\u00e9s de photos.php en los par\u00e1metros id y usuario. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "NONE",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 7.5,
|
||||
"baseSeverity": "HIGH"
|
||||
},
|
||||
"exploitabilityScore": 3.9,
|
||||
"impactScore": 3.6
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -35,6 +59,16 @@
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-89"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +80,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6414",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:17.523",
|
||||
"lastModified": "2023-11-30T14:48:37.600",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:39:15.630",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via perfil.php in the id and user parameters. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL v\u00eda perfil.php en los par\u00e1metros id y usuario. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "NONE",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 7.5,
|
||||
"baseSeverity": "HIGH"
|
||||
},
|
||||
"exploitabilityScore": 3.9,
|
||||
"impactScore": 3.6
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6415",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:18.013",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:39:14.333",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via signin.php in the user parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL mediante signin.php en el par\u00e1metro usuario. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "NONE",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 7.5,
|
||||
"baseSeverity": "HIGH"
|
||||
},
|
||||
"exploitabilityScore": 3.9,
|
||||
"impactScore": 3.6
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6416",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:18.527",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:39:11.893",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via signup2.php in the emailadd parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL mediante signup2.php en el par\u00e1metro emailadd. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "NONE",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 7.5,
|
||||
"baseSeverity": "HIGH"
|
||||
},
|
||||
"exploitabilityScore": 3.9,
|
||||
"impactScore": 3.6
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6417",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:18.940",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:39:08.177",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via update.php in the id parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL mediante update.php en el par\u00e1metro id. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "NONE",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 7.5,
|
||||
"baseSeverity": "HIGH"
|
||||
},
|
||||
"exploitabilityScore": 3.9,
|
||||
"impactScore": 3.6
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -35,6 +59,16 @@
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-89"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +80,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6418",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:19.137",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:38:57.207",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via videos.php in the id parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL mediante videos.php en el par\u00e1metro id. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "NONE",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 7.5,
|
||||
"baseSeverity": "HIGH"
|
||||
},
|
||||
"exploitabilityScore": 3.9,
|
||||
"impactScore": 3.6
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6419",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:19.333",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:38:49.127",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been reported in Voovi Social Networking Script version 1.0 that allows a XSS via editprofile.php in multiple parameters, the exploitation of which could allow a remote attacker to send a specially crafted JavaScript payload and partially take over the browser session of an authenticated user."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha informado de una vulnerabilidad en Voovi Social Networking Script versi\u00f3n 1.0 que permite un XSS a trav\u00e9s de editprofile.php en m\u00faltiples par\u00e1metros, cuya explotaci\u00f3n podr\u00eda permitir a un atacante remoto enviar un payload de JavaScript especialmente manipulado y hacerse cargo parcialmente de la sesi\u00f3n del navegador de un usuario autenticado."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 6.1,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.8,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6420",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:19.530",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:38:55.633",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been reported in Voovi Social Networking Script version 1.0 that allows a XSS via \n\nsignup2.php in the emailadd parameter, the exploitation of which could allow a remote attacker to send a specially crafted JavaScript payload and partially take over the browser session of an authenticated user."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha informado de una vulnerabilidad en Voovi Social Networking Script versi\u00f3n 1.0 que permite un XSS a trav\u00e9s de signup2.php en el par\u00e1metro emailadd, cuya explotaci\u00f3n podr\u00eda permitir a un atacante remoto enviar un payload de JavaScript especialmente manipulado y tomar parcialmente el control de la sesi\u00f3n del navegador de un usuario autenticado."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 6.1,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.8,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6422",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:19.727",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:38:43.790",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/patients_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha descubierto una vulnerabilidad en BigProf Online Clinic Management System 2.2, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /clinic/patients_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:bigprof:online_clinic_management_system:2.2:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "5CA06B87-8B3F-434E-9B67-5EC936EAAF0F"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6423",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:19.923",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:38:41.237",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/events_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha descubierto una vulnerabilidad en BigProf Online Clinic Management System 2.2, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /clinic/events_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:bigprof:online_clinic_management_system:2.2:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "5CA06B87-8B3F-434E-9B67-5EC936EAAF0F"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6424",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:20.127",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:38:39.837",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/disease_symptoms_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha descubierto una vulnerabilidad en BigProf Online Clinic Management System 2.2, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /clinic/disease_symptoms_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:bigprof:online_clinic_management_system:2.2:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "5CA06B87-8B3F-434E-9B67-5EC936EAAF0F"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6425",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:20.317",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:38:38.457",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/medical_records_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha descubierto una vulnerabilidad en BigProf Online Clinic Management System 2.2, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /clinic/medical_records_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:bigprof:online_clinic_management_system:2.2:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "5CA06B87-8B3F-434E-9B67-5EC936EAAF0F"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6426",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:20.507",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:38:36.853",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/invoices_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /invoicing/app/invoices_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6427",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:20.700",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:38:35.270",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/invoices_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /invoicing/app/invoices_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -35,6 +59,16 @@
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-79"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +80,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6428",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:20.893",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:38:27.697",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/items_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /invoicing/app/items_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6429",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:21.087",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:38:26.040",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/clients_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /invoicing/app/clients_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6430",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:21.277",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:38:09.997",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/transactions_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /inventory/transactions_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6431",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:21.473",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:38:07.830",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/categories_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /inventory/categories_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6432",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:21.660",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:38:05.627",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/items_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /inventory/items_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6433",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:21.897",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:37:58.317",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/suppliers_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /inventory/suppliers_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6434",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:23.393",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:37:56.790",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/sections_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /inventory/sections_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -2,16 +2,40 @@
|
||||
"id": "CVE-2023-6435",
|
||||
"sourceIdentifier": "cve-coordination@incibe.es",
|
||||
"published": "2023-11-30T14:15:23.593",
|
||||
"lastModified": "2023-11-30T14:48:32.553",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"lastModified": "2023-12-02T04:37:54.727",
|
||||
"vulnStatus": "Analyzed",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/batches_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /inventory/batches_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.4,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 2.3,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"type": "Secondary",
|
||||
@ -46,10 +70,30 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products",
|
||||
"source": "cve-coordination@incibe.es"
|
||||
"source": "cve-coordination@incibe.es",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
42
README.md
42
README.md
@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours.
|
||||
### Last Repository Update
|
||||
|
||||
```plain
|
||||
2023-12-02T03:00:19.255787+00:00
|
||||
2023-12-02T05:00:18.316198+00:00
|
||||
```
|
||||
|
||||
### Most recent CVE Modification Timestamp synchronized with NVD
|
||||
|
||||
```plain
|
||||
2023-12-02T02:15:07.197000+00:00
|
||||
2023-12-02T04:40:02.733000+00:00
|
||||
```
|
||||
|
||||
### Last Data Feed Release
|
||||
@ -34,23 +34,39 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/
|
||||
|
||||
### CVEs added in the last Commit
|
||||
|
||||
Recently added CVEs: `1`
|
||||
Recently added CVEs: `0`
|
||||
|
||||
* [CVE-2023-49914](CVE-2023/CVE-2023-499xx/CVE-2023-49914.json) (`2023-12-02T01:15:09.050`)
|
||||
|
||||
|
||||
### CVEs modified in the last Commit
|
||||
|
||||
Recently modified CVEs: `8`
|
||||
Recently modified CVEs: `37`
|
||||
|
||||
* [CVE-2018-14628](CVE-2018/CVE-2018-146xx/CVE-2018-14628.json) (`2023-12-02T02:15:07.067`)
|
||||
* [CVE-2022-27912](CVE-2022/CVE-2022-279xx/CVE-2022-27912.json) (`2023-12-02T01:15:07.923`)
|
||||
* [CVE-2022-27913](CVE-2022/CVE-2022-279xx/CVE-2022-27913.json) (`2023-12-02T01:15:08.100`)
|
||||
* [CVE-2022-27914](CVE-2022/CVE-2022-279xx/CVE-2022-27914.json) (`2023-12-02T01:15:08.190`)
|
||||
* [CVE-2022-41717](CVE-2022/CVE-2022-417xx/CVE-2022-41717.json) (`2023-12-02T02:15:07.197`)
|
||||
* [CVE-2023-39971](CVE-2023/CVE-2023-399xx/CVE-2023-39971.json) (`2023-12-02T01:15:08.287`)
|
||||
* [CVE-2023-44487](CVE-2023/CVE-2023-444xx/CVE-2023-44487.json) (`2023-12-02T01:15:08.373`)
|
||||
* [CVE-2023-46118](CVE-2023/CVE-2023-461xx/CVE-2023-46118.json) (`2023-12-02T01:15:08.923`)
|
||||
* [CVE-2023-6433](CVE-2023/CVE-2023-64xx/CVE-2023-6433.json) (`2023-12-02T04:37:58.317`)
|
||||
* [CVE-2023-6432](CVE-2023/CVE-2023-64xx/CVE-2023-6432.json) (`2023-12-02T04:38:05.627`)
|
||||
* [CVE-2023-6431](CVE-2023/CVE-2023-64xx/CVE-2023-6431.json) (`2023-12-02T04:38:07.830`)
|
||||
* [CVE-2023-6430](CVE-2023/CVE-2023-64xx/CVE-2023-6430.json) (`2023-12-02T04:38:09.997`)
|
||||
* [CVE-2023-6429](CVE-2023/CVE-2023-64xx/CVE-2023-6429.json) (`2023-12-02T04:38:26.040`)
|
||||
* [CVE-2023-6428](CVE-2023/CVE-2023-64xx/CVE-2023-6428.json) (`2023-12-02T04:38:27.697`)
|
||||
* [CVE-2023-6427](CVE-2023/CVE-2023-64xx/CVE-2023-6427.json) (`2023-12-02T04:38:35.270`)
|
||||
* [CVE-2023-6426](CVE-2023/CVE-2023-64xx/CVE-2023-6426.json) (`2023-12-02T04:38:36.853`)
|
||||
* [CVE-2023-6425](CVE-2023/CVE-2023-64xx/CVE-2023-6425.json) (`2023-12-02T04:38:38.457`)
|
||||
* [CVE-2023-6424](CVE-2023/CVE-2023-64xx/CVE-2023-6424.json) (`2023-12-02T04:38:39.837`)
|
||||
* [CVE-2023-6423](CVE-2023/CVE-2023-64xx/CVE-2023-6423.json) (`2023-12-02T04:38:41.237`)
|
||||
* [CVE-2023-6422](CVE-2023/CVE-2023-64xx/CVE-2023-6422.json) (`2023-12-02T04:38:43.790`)
|
||||
* [CVE-2023-6419](CVE-2023/CVE-2023-64xx/CVE-2023-6419.json) (`2023-12-02T04:38:49.127`)
|
||||
* [CVE-2023-6420](CVE-2023/CVE-2023-64xx/CVE-2023-6420.json) (`2023-12-02T04:38:55.633`)
|
||||
* [CVE-2023-6418](CVE-2023/CVE-2023-64xx/CVE-2023-6418.json) (`2023-12-02T04:38:57.207`)
|
||||
* [CVE-2023-6417](CVE-2023/CVE-2023-64xx/CVE-2023-6417.json) (`2023-12-02T04:39:08.177`)
|
||||
* [CVE-2023-6416](CVE-2023/CVE-2023-64xx/CVE-2023-6416.json) (`2023-12-02T04:39:11.893`)
|
||||
* [CVE-2023-6415](CVE-2023/CVE-2023-64xx/CVE-2023-6415.json) (`2023-12-02T04:39:14.333`)
|
||||
* [CVE-2023-6414](CVE-2023/CVE-2023-64xx/CVE-2023-6414.json) (`2023-12-02T04:39:15.630`)
|
||||
* [CVE-2023-6413](CVE-2023/CVE-2023-64xx/CVE-2023-6413.json) (`2023-12-02T04:39:21.477`)
|
||||
* [CVE-2023-6412](CVE-2023/CVE-2023-64xx/CVE-2023-6412.json) (`2023-12-02T04:39:24.357`)
|
||||
* [CVE-2023-6411](CVE-2023/CVE-2023-64xx/CVE-2023-6411.json) (`2023-12-02T04:39:26.877`)
|
||||
* [CVE-2023-6410](CVE-2023/CVE-2023-64xx/CVE-2023-6410.json) (`2023-12-02T04:39:29.697`)
|
||||
* [CVE-2023-30585](CVE-2023/CVE-2023-305xx/CVE-2023-30585.json) (`2023-12-02T04:39:59.250`)
|
||||
* [CVE-2023-24023](CVE-2023/CVE-2023-240xx/CVE-2023-24023.json) (`2023-12-02T04:40:02.733`)
|
||||
|
||||
|
||||
## Download and Usage
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user