diff --git a/CVE-2023/CVE-2023-240xx/CVE-2023-24023.json b/CVE-2023/CVE-2023-240xx/CVE-2023-24023.json index 8e0c993cc3a..b32d87b2d48 100644 --- a/CVE-2023/CVE-2023-240xx/CVE-2023-24023.json +++ b/CVE-2023/CVE-2023-240xx/CVE-2023-24023.json @@ -2,8 +2,8 @@ "id": "CVE-2023-24023", "sourceIdentifier": "cve@mitre.org", "published": "2023-11-28T07:15:41.340", - "lastModified": "2023-11-28T14:12:58.173", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:40:02.733", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", 
@@ -14,15 +14,76 @@ "value": "Los dispositivos Bluetooth BR/EDR con emparejamiento simple seguro y emparejamiento de conexiones seguras en las especificaciones principales de Bluetooth 4.2 a 5.4 permiten ciertos ataques de intermediario que fuerzan una longitud de clave corta y pueden llevar al descubrimiento de la clave de cifrado y a la inyecci\u00f3n en vivo, tambi\u00e9n conocido como BLUFFS." } ], - "metrics": {}, + "metrics": { + "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "attackVector": "ADJACENT_NETWORK", + "attackComplexity": "HIGH", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "NONE", + "baseScore": 6.8, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 1.6, + "impactScore": 5.2 + } + ] + }, + "weaknesses": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "NVD-CWE-noinfo" + } + ] + } + ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:bluetooth:bluetooth_core_specification:*:*:*:*:*:*:*:*", + "versionStartIncluding": "4.2", + "versionEndIncluding": "5.4", + "matchCriteriaId": "FDDBC9C6-0387-47F1-B213-3AEAFD6A23C8" + } + ] + } + ] + } + ], "references": [ { "url": "https://dl.acm.org/doi/10.1145/3576915.3623066", - "source": "cve@mitre.org" + "source": "cve@mitre.org", + "tags": [ + "Technical Description", + "Third Party Advisory" + ] }, { "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/bluffs-vulnerability/", - "source": "cve@mitre.org" + "source": "cve@mitre.org", + "tags": [ + "Vendor Advisory" + ] } ] } \ No newline at end of file 
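Review bot: The added `cpeMatch` entry names the specification itself as the affected product (`cpe:2.3:a:bluetooth:bluetooth_core_specification`, 4.2 through 5.4) rather than any implementation, so CPE-based matching against a device or firmware inventory will probably not surface this CVE. Consumers of this record should instead map exposure through the vendor advisories for their Bluetooth stacks and chipsets. The added weakness is only `NVD-CWE-noinfo`, although the description in the context line names a forced short key length. A more specific class such as CWE-326 may fit, but that is a call for the upstream analyst.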
diff --git a/CVE-2023/CVE-2023-27xx/CVE-2023-2707.json b/CVE-2023/CVE-2023-27xx/CVE-2023-2707.json index 209bb419a1f..3fdad52c303 100644 --- a/CVE-2023/CVE-2023-27xx/CVE-2023-2707.json +++ b/CVE-2023/CVE-2023-27xx/CVE-2023-2707.json 
@@ -2,19 +2,79 @@ "id": "CVE-2023-2707", "sourceIdentifier": "contact@wpscan.com", "published": "2023-11-27T17:15:07.740", - "lastModified": "2023-11-27T19:03:39.603", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:33:48.873", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "The gAppointments WordPress plugin through 1.9.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)" + }, + { + "lang": "es", + "value": "El complemento gAppointments de WordPress hasta la versi\u00f3n 1.9.5.1 no sanitiza ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en una configuraci\u00f3n multisitio)." 
+ } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "HIGH", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 4.8, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 1.7, + "impactScore": 2.7 + } + ] + }, + "weaknesses": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + } + ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:gappointments:gappointments:*:*:*:*:*:wordpress:*:*", + "versionEndIncluding": "1.9.5.1", + "matchCriteriaId": "27537F27-51EA-40E5-8379-ACC09B1138C3" + } + ] + } + ] } ], - "metrics": {}, "references": [ { "url": "https://wpscan.com/vulnerability/e5664da4-5b78-4e42-be6b-e0d7b73a85b0", - "source": "contact@wpscan.com" + "source": "contact@wpscan.com", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-305xx/CVE-2023-30585.json b/CVE-2023/CVE-2023-305xx/CVE-2023-30585.json index 4d56782bc6f..5a81cda6884 100644 --- a/CVE-2023/CVE-2023-305xx/CVE-2023-30585.json +++ b/CVE-2023/CVE-2023-305xx/CVE-2023-30585.json @@ -2,8 +2,8 @@ "id": "CVE-2023-30585", "sourceIdentifier": "support@hackerone.com", "published": "2023-11-28T02:15:42.077", - "lastModified": "2023-11-28T14:12:58.173", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:39:59.250", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", 
@@ -14,11 +14,82 @@ "value": "Se ha identificado una vulnerabilidad en el proceso de instalaci\u00f3n de Node.js (versi\u00f3n .msi), que afecta espec\u00edficamente a los usuarios de Windows que instalan Node.js utilizando el instalador .msi. Esta vulnerabilidad surge durante la operaci\u00f3n de reparaci\u00f3n, donde el proceso \"msiexec.exe\", que se ejecuta en el contexto NT AUTHORITY\\SYSTEM, intenta leer la variable de entorno %USERPROFILE% del registro del usuario actual. El problema surge cuando la ruta a la que hace referencia la variable de entorno %USERPROFILE% no existe. En tales casos, el proceso \"msiexec.exe\" intenta crear la ruta especificada de forma insegura, lo que podr\u00eda provocar la creaci\u00f3n de carpetas arbitrarias en ubicaciones arbitrarias. La gravedad de esta vulnerabilidad se ve aumentada por el hecho de que los usuarios est\u00e1ndar (o \"sin privilegios\") pueden modificar la variable de entorno %USERPROFILE% en el registro de Windows. En consecuencia, los actores no privilegiados, incluidas entidades maliciosas o troyanos, pueden manipular la clave de la variable de entorno para enga\u00f1ar al proceso privilegiado \"msiexec.exe\". Esta manipulaci\u00f3n puede dar como resultado la creaci\u00f3n de carpetas en ubicaciones no deseadas y potencialmente maliciosas. Es importante tener en cuenta que esta vulnerabilidad es espec\u00edfica de los usuarios de Windows que instalan Node.js utilizando el instalador .msi. Los usuarios que optan por otros m\u00e9todos de instalaci\u00f3n no se ven afectados por este problema en particular." 
} ], - "metrics": {}, + "metrics": { + "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH" + }, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + } + ] + }, + "weaknesses": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "NVD-CWE-noinfo" + } + ] + } + ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*", + "versionStartIncluding": "16.0.0", + "versionEndExcluding": "16.20.1", + "matchCriteriaId": "7E7F6F9A-AF9F-453B-870D-1E8759567F29" + }, + { + "vulnerable": true, + "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*", + "versionStartIncluding": "18.0.0", + "versionEndExcluding": "18.16.1", + "matchCriteriaId": "3AA02CEF-5AC5-46F7-94DE-D9EA15678AE7" + }, + { + "vulnerable": true, + "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*", + "versionStartIncluding": "20.0.0", + "versionEndExcluding": "20.3.1", + "matchCriteriaId": "1CAA23E6-4930-4326-9CB0-AEE5013BFD37" + } + ] + } + ] + } + ], "references": [ { "url": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases", - "source": "support@hackerone.com" + "source": "support@hackerone.com", + "tags": [ + "Vendor Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-419xx/CVE-2023-41998.json b/CVE-2023/CVE-2023-419xx/CVE-2023-41998.json index 5eb5fac7091..113e6035429 100644 --- a/CVE-2023/CVE-2023-419xx/CVE-2023-41998.json +++ b/CVE-2023/CVE-2023-419xx/CVE-2023-41998.json 
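Review bot: The added vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` scores this as a remote, unauthenticated attack, which does not match the description in the context line. There, an unprivileged local user changes %USERPROFILE% in the registry and the SYSTEM-level msiexec.exe repair operation then creates the folder. If that reading is right, `AV:L` with `PR:L` would be closer and the 7.5 base score overstates reachability, so prioritisation that keys on AV:N should account for this. The three `cpeMatch` rows also carry no Windows restriction, although the description limits the issue to the .msi installer, so non-Windows Node.js installs in the listed ranges will match as well.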
@@ -2,16 +2,40 @@ "id": "CVE-2023-41998", "sourceIdentifier": "vulnreport@tenable.com", "published": "2023-11-27T17:15:07.803", - "lastModified": "2023-11-27T19:03:39.603", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:34:00.220", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "Arcserve UDP prior to 9.2 contained a vulnerability in the\u00a0com.ca.arcflash.rps.webservice.RPSService4CPMImpl interface. A routine exists that allows an attacker to upload and execute arbitrary files." + }, + { + "lang": "es", + "value": "Arcserve UDP anterior a 9.2 conten\u00eda una vulnerabilidad en la interfaz com.ca.arcflash.rps.webservice.RPSService4CPMImpl. Existe una rutina que permite a un atacante cargar y ejecutar archivos arbitrarios." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL" + }, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, { "source": "vulnreport@tenable.com", "type": "Secondary", @@ -35,6 +59,16 @@ ] }, "weaknesses": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-434" + } + ] + }, { "source": "vulnreport@tenable.com", "type": "Secondary", 
@@ -46,10 +80,32 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:arcserve:udp:*:*:*:*:*:*:*:*", + "versionEndExcluding": "9.2", + "matchCriteriaId": "DD913BA7-A48E-4406-93FB-4BD86BCD519E" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.tenable.com/security/research/tra-2023-37", - "source": "vulnreport@tenable.com" + "source": "vulnreport@tenable.com", + "tags": [ + "Exploit", + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-478xx/CVE-2023-47831.json b/CVE-2023/CVE-2023-478xx/CVE-2023-47831.json index 33d51bfcf1e..fac23a40ce5 100644 --- a/CVE-2023/CVE-2023-478xx/CVE-2023-47831.json +++ b/CVE-2023/CVE-2023-478xx/CVE-2023-47831.json @@ -2,8 +2,8 @@ "id": "CVE-2023-47831", "sourceIdentifier": "audit@patchstack.com", "published": "2023-11-22T23:15:10.440", - "lastModified": "2023-11-24T15:24:57.673", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:33:38.013", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", @@ -16,6 +16,26 @@ ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + }, { "source": "audit@patchstack.com", "type": "Secondary", 
@@ -50,10 +70,31 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:assortedchips:drawit:*:*:*:*:*:wordpress:*:*", + "versionEndIncluding": "1.1.3", + "matchCriteriaId": "60C3B294-09C2-4696-9503-70FC3739C121" + } + ] + } + ] + } + ], "references": [ { "url": "https://patchstack.com/database/vulnerability/drawit/wordpress-drawit-draw-io-plugin-1-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve", - "source": "audit@patchstack.com" + "source": "audit@patchstack.com", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-490xx/CVE-2023-49028.json b/CVE-2023/CVE-2023-490xx/CVE-2023-49028.json index 5fd12d49a67..0f5c11bd508 100644 --- a/CVE-2023/CVE-2023-490xx/CVE-2023-49028.json +++ b/CVE-2023/CVE-2023-490xx/CVE-2023-49028.json 
@@ -2,27 +2,93 @@ "id": "CVE-2023-49028", "sourceIdentifier": "cve@mitre.org", "published": "2023-11-27T17:15:08.337", - "lastModified": "2023-11-27T19:03:39.603", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:35:24.697", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "Cross Site Scripting vulnerability in smpn1smg absis v.2017-10-19 and before allows a remote attacker to execute arbitrary code via the user parameter in the lock/lock.php file." + }, + { + "lang": "es", + "value": "Vulnerabilidad de Cross Site Scripting en smpn1smg absis v.2017-10-19 y anteriores permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s del par\u00e1metro de usuario en el archivo lock/lock.php." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + } + ] + }, + "weaknesses": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + } + ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:absis:absis:*:*:*:*:*:*:*:*", + "versionEndIncluding": "2017.10.19", + "matchCriteriaId": "04D29F9F-A927-4927-802B-E52FC236A569" + } + ] + } + ] } ], - "metrics": {}, "references": [ { "url": "https://gist.github.com/Chiaki2333/d132c4b169b55bd7cd50e73dbe20c410", - "source": "cve@mitre.org" + "source": "cve@mitre.org", + "tags": [ + "Third Party Advisory" + ] }, { "url": 
"https://github.com/Chiaki2333/vulnerability/blob/main/smpn1smg-absis-XSS-lock.php-user.md", - "source": "cve@mitre.org" + "source": "cve@mitre.org", + "tags": [ + "Exploit" + ] }, { "url": "https://github.com/smpn1smg/absis", - "source": "cve@mitre.org" + "source": "cve@mitre.org", + "tags": [ + "Product" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-56xx/CVE-2023-5604.json b/CVE-2023/CVE-2023-56xx/CVE-2023-5604.json index 64076588bf1..bffb6923ea1 100644 --- a/CVE-2023/CVE-2023-56xx/CVE-2023-5604.json +++ b/CVE-2023/CVE-2023-56xx/CVE-2023-5604.json 
@@ -2,19 +2,84 @@ "id": "CVE-2023-5604", "sourceIdentifier": "contact@wpscan.com", "published": "2023-11-27T17:15:09.030", - "lastModified": "2023-11-27T19:03:35.337", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:35:37.727", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "The Asgaros Forum WordPress plugin before 2.7.1 allows forum administrators, who may not be WordPress (super-)administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files (e.g. .php, .phtml), potentially leading to remote code execution." + }, + { + "lang": "es", + "value": "El complemento Asgaros Forum de WordPress anterior a 2.7.1 permite a los administradores del foro, que pueden no ser (super)administradores de WordPress, establecer una configuraci\u00f3n insegura que permite a usuarios no autenticados cargar archivos peligrosos (por ejemplo, .php, .phtml), lo que podr\u00eda generar una ejecuci\u00f3n remota de c\u00f3digo." 
+ } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL" + }, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + } + ] + }, + "weaknesses": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-434" + }, + { + "lang": "en", + "value": "CWE-94" + } + ] + } + ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:asgaros:asgaros_forum:*:*:*:*:*:wordpress:*:*", + "versionEndExcluding": "2.7.1", + "matchCriteriaId": "974AB954-A6BE-486A-8319-A1D83B131933" + } + ] + } + ] } ], - "metrics": {}, "references": [ { "url": "https://wpscan.com/vulnerability/4ce69d71-87bf-4d95-90f2-63d558c78b69", - "source": "contact@wpscan.com" + "source": "contact@wpscan.com", + "tags": [ + "Exploit", + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-56xx/CVE-2023-5611.json b/CVE-2023/CVE-2023-56xx/CVE-2023-5611.json index ebd254afdbf..543b22af14c 100644 --- a/CVE-2023/CVE-2023-56xx/CVE-2023-5611.json +++ b/CVE-2023/CVE-2023-56xx/CVE-2023-5611.json 
@@ -2,19 +2,80 @@ "id": "CVE-2023-5611", "sourceIdentifier": "contact@wpscan.com", "published": "2023-11-27T17:15:09.083", - "lastModified": "2023-11-27T19:03:35.337", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:35:53.547", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "The Seraphinite Accelerator WordPress plugin before 2.20.32 does not have authorisation and CSRF checks when resetting and importing its settings, allowing unauthenticated users to reset them" + }, + { + "lang": "es", + "value": "El complemento Seraphinite Accelerator de WordPress anterior a la versi\u00f3n 2.20.32 no tiene autorizaci\u00f3n ni controles CSRF al restablecer e importar su configuraci\u00f3n, lo que permite a los usuarios no autenticados restablecerla." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.3, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + } + ] + }, + "weaknesses": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-862" + } + ] + } + ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:seraphinitesolutions:seraphinite_accelerator:*:*:*:*:*:wordpress:*:*", + "versionEndExcluding": "2.20.32", + "matchCriteriaId": "4F7D8116-522C-4A41-990D-9162E88CCF55" + } + ] + } + ] } ], - "metrics": {}, "references": [ { "url": "https://wpscan.com/vulnerability/8cb8a5e9-2ab6-4d9b-9ffc-ef530e346f8d", - "source": "contact@wpscan.com" + "source": 
"contact@wpscan.com", + "tags": [ + "Exploit", + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-56xx/CVE-2023-5620.json b/CVE-2023/CVE-2023-56xx/CVE-2023-5620.json index 368bd425978..0e39349c06c 100644 --- a/CVE-2023/CVE-2023-56xx/CVE-2023-5620.json +++ b/CVE-2023/CVE-2023-56xx/CVE-2023-5620.json 
@@ -2,19 +2,80 @@ "id": "CVE-2023-5620", "sourceIdentifier": "contact@wpscan.com", "published": "2023-11-27T17:15:09.137", - "lastModified": "2023-11-27T19:03:35.337", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:36:03.177", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "The Web Push Notifications WordPress plugin before 4.35.0 does not prevent visitors on the site from changing some of the plugin options, some of which may be used to conduct Stored XSS attacks." + }, + { + "lang": "es", + "value": "El complemento Web Push Notifications de WordPress anterior a 4.35.0 no impide que los visitantes del sitio cambien algunas de las opciones del complemento, algunas de las cuales pueden usarse para realizar ataques XSS Almacenados." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + } + ] + }, + "weaknesses": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + } + ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:webpushr:web_push_notifications:*:*:*:*:*:wordpress:*:*", + "versionEndExcluding": "4.35.0", + "matchCriteriaId": "893D6956-0070-406E-A957-25CB79FD76A2" + } + ] + } + ] } ], - "metrics": {}, "references": [ { "url": "https://wpscan.com/vulnerability/a03330c2-3ae0-404d-a114-33b18cc47666", - "source": "contact@wpscan.com" + "source": "contact@wpscan.com", + 
"tags": [ + "Exploit", + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-56xx/CVE-2023-5641.json b/CVE-2023/CVE-2023-56xx/CVE-2023-5641.json index 63b8bdfb851..2bff18d047e 100644 --- a/CVE-2023/CVE-2023-56xx/CVE-2023-5641.json +++ b/CVE-2023/CVE-2023-56xx/CVE-2023-5641.json 
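Review bot: The added vector uses `PR:L` and the only weakness recorded is `CWE-79`, while the description in this hunk says the plugin does not prevent visitors from changing plugin options, which reads as a missing authorisation check reachable without an account. CVE-2023-5611 in this same commit has a similar missing-authorisation description and is recorded with `PR:N` and `CWE-862`. If "visitors" here means unauthenticated users, `PR:N` and an additional `"value": "CWE-862"` entry would make the two records consistent. Until upstream clarifies, consumers should not assume an account is required to reach the stored XSS.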
@@ -2,19 +2,80 @@ "id": "CVE-2023-5641", "sourceIdentifier": "contact@wpscan.com", "published": "2023-11-27T17:15:09.183", - "lastModified": "2023-11-27T19:03:35.337", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:36:11.447", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "The Martins Free & Easy SEO BackLink Link Building Network WordPress plugin before 1.2.30 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin" + }, + { + "lang": "es", + "value": "El complemento Martins Free & Easy SEO BackLink Link Building Network de WordPress anterior a 1.2.30 no sanitiza ni escapa un par\u00e1metro antes de devolverlo a la p\u00e1gina, lo que genera Cross-Site Scripting Reflejado que podr\u00eda usarse contra usuarios con privilegios elevados, como el administrador." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.8, + "impactScore": 2.7 + } + ] + }, + "weaknesses": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + } + ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:martinstools:seo_backlink_link_building_network:*:*:*:*:*:wordpress:*:*", + "versionEndExcluding": "1.2.30", + "matchCriteriaId": "8747E5D1-A7C2-4359-B08A-23003BBC6EC8" + } + ] + } + ] } ], - 
"metrics": {}, "references": [ { "url": "https://wpscan.com/vulnerability/c0a6c253-71f2-415d-a6ec-022f2eafc13b", - "source": "contact@wpscan.com" + "source": "contact@wpscan.com", + "tags": [ + "Exploit", + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-57xx/CVE-2023-5738.json b/CVE-2023/CVE-2023-57xx/CVE-2023-5738.json index 8470fcc4d82..20deedd0465 100644 --- a/CVE-2023/CVE-2023-57xx/CVE-2023-5738.json +++ b/CVE-2023/CVE-2023-57xx/CVE-2023-5738.json 
@@ -2,19 +2,80 @@ "id": "CVE-2023-5738", "sourceIdentifier": "contact@wpscan.com", "published": "2023-11-27T17:15:09.333", - "lastModified": "2023-11-27T19:03:35.337", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:36:42.670", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "The WordPress Backup & Migration WordPress plugin before 1.4.4 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks." + }, + { + "lang": "es", + "value": "El complemento WordPress Backup & Migration de WordPress anterior a 1.4.4 no sanitiza ni escapa a algunos par\u00e1metros, lo que podr\u00eda permitir a los usuarios con un rol tan bajo como Suscriptor realizar ataques de Cross Site Scripting." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + } + ] + }, + "weaknesses": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + } + ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:webtoffee:backup_and_migration:*:*:*:*:*:wordpress:*:*", + "versionEndExcluding": "1.4.4", + "matchCriteriaId": "5983571D-9ABE-4599-9C19-E8AFA534198A" + } + ] + } + ] } ], - "metrics": {}, "references": [ { "url": "https://wpscan.com/vulnerability/7f935916-9a1a-40c7-b6d8-efcc46eb8eaf", - "source": "contact@wpscan.com" + "source": 
"contact@wpscan.com", + "tags": [ + "Exploit", + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-59xx/CVE-2023-5958.json b/CVE-2023/CVE-2023-59xx/CVE-2023-5958.json index c295bf94067..d749e7302ed 100644 --- a/CVE-2023/CVE-2023-59xx/CVE-2023-5958.json +++ b/CVE-2023/CVE-2023-59xx/CVE-2023-5958.json 
@@ -2,19 +2,80 @@ "id": "CVE-2023-5958", "sourceIdentifier": "contact@wpscan.com", "published": "2023-11-27T17:15:09.623", - "lastModified": "2023-11-27T19:03:35.337", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:36:54.543", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "The POST SMTP Mailer WordPress plugin before 2.7.1 does not escape email message content before displaying it in the backend, allowing an unauthenticated attacker to perform XSS attacks against highly privileged users." + }, + { + "lang": "es", + "value": "El complemento POST SMTP Mailer de WordPress anterior a 2.7.1 no escapa del contenido del mensaje de correo electr\u00f3nico antes de mostrarlo en el backend, lo que permite a un atacante no autenticado realizar ataques XSS contra usuarios con privilegios elevados." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.8, + "impactScore": 2.7 + } + ] + }, + "weaknesses": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + } + ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:wpexperts:post_smtp_mailer:*:*:*:*:*:wordpress:*:*", + "versionEndExcluding": "2.7.1", + "matchCriteriaId": "E40A03E0-E94A-431E-8C67-039F96A535BE" + } + ] + } + ] } ], - "metrics": {}, "references": [ { "url": "https://wpscan.com/vulnerability/22fa478d-e42e-488d-9b4b-a8720dec7cee", - "source": 
"contact@wpscan.com" + "source": "contact@wpscan.com", + "tags": [ + "Exploit", + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6410.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6410.json index 45ec7c21380..3bf6bc81b7f 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6410.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6410.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6410", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:15.497", - "lastModified": "2023-11-30T14:48:37.600", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:39:29.697", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via editprofile.php in multiple parameters. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application." + }, + { + "lang": "es", + "value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL mediante editprofile.php en m\u00faltiples par\u00e1metros. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH" + }, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*", + "matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6411.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6411.json index 17664e283e9..83f010bbe81 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6411.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6411.json 
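Review bot: This record gains an NVD `Primary` CVSS entry but no NVD `Primary` weakness. The `] } ],` context at the top of this hunk closes a `weaknesses` array that the commit leaves untouched, whereas the CVE-2023-6413 and CVE-2023-6417 sections add a `Primary` `CWE-89` entry for the same SQL injection class. A consumer that reads only `Primary` weaknesses would therefore classify two of the nine Voovi SQL injection records and skip this one along with CVE-2023-6411, -6412, -6414, -6415, -6416 and -6418. The untouched array is not visible in the diff, so this assumes it holds only the CNA's `Secondary` entry. If that holds, the entry below is what I would expect as the first element of `weaknesses`, raised upstream if this file is a verbatim mirror.

```json
"weaknesses": [
  {
    "source": "nvd@nist.gov",
    "type": "Primary",
    "description": [
      {
        "lang": "en",
        "value": "CWE-89"
      }
    ]
  },
```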
@@ -2,16 +2,40 @@ "id": "CVE-2023-6411", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:16.017", - "lastModified": "2023-11-30T14:48:37.600", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:39:26.877", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via home.php in the update parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application." + }, + { + "lang": "es", + "value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL v\u00eda home.php en el par\u00e1metro de actualizaci\u00f3n. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH" + }, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
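Review bot: The added `es` description translates a parameter name instead of quoting it. The English text names the `update` parameter of home.php, but the new Spanish value reads `par\u00e1metro de actualizaci\u00f3n`, so a search or triage rule keyed on the literal parameter name will not match the Spanish text. The same applies to `user`, which becomes `usuario` in the added descriptions for CVE-2023-6413, CVE-2023-6414 and CVE-2023-6415. Identifiers should stay verbatim, as the sibling records do with `emailadd` and `id`: `v\u00eda home.php en el par\u00e1metro update`.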
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*", + "matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6412.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6412.json index 3a42589e02c..83927b9fa76 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6412.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6412.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6412", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:16.527", - "lastModified": "2023-11-30T14:48:37.600", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:39:24.357", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via photo.php in multiple parameters. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application." + }, + { + "lang": "es", + "value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL v\u00eda photo.php en m\u00faltiples par\u00e1metros. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH" + }, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*", + "matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6413.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6413.json index 181ddb63739..4be202654c0 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6413.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6413.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6413", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:17.020", - "lastModified": "2023-11-30T14:48:37.600", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:39:21.477", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via photos.php in the id and user parameters. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application." + }, + { + "lang": "es", + "value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL a trav\u00e9s de photos.php en los par\u00e1metros id y usuario. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH" + }, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", @@ -35,6 +59,16 @@ ] }, "weaknesses": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-89" + } + ] + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +80,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*", + "matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6414.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6414.json index 1bc2add8593..089bfa064fc 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6414.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6414.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6414", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:17.523", - "lastModified": "2023-11-30T14:48:37.600", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:39:15.630", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via perfil.php in the id and user parameters. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application." + }, + { + "lang": "es", + "value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL v\u00eda perfil.php en los par\u00e1metros id y usuario. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH" + }, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*", + "matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6415.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6415.json index ed061e52f71..7649e121a9a 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6415.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6415.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6415", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:18.013", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:39:14.333", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via signin.php in the user parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application." + }, + { + "lang": "es", + "value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL mediante signin.php en el par\u00e1metro usuario. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH" + }, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*", + "matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6416.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6416.json index 1695c9d2832..2b6cb083bf6 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6416.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6416.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6416", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:18.527", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:39:11.893", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via signup2.php in the emailadd parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application." + }, + { + "lang": "es", + "value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL mediante signup2.php en el par\u00e1metro emailadd. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH" + }, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*", + "matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6417.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6417.json index 2483d0a8513..556bb206088 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6417.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6417.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6417", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:18.940", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:39:08.177", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via update.php in the id parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application." + }, + { + "lang": "es", + "value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL mediante update.php en el par\u00e1metro id. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH" + }, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", @@ -35,6 +59,16 @@ ] }, "weaknesses": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-89" + } + ] + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +80,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*", + "matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6418.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6418.json index 92d1e0b09c9..883166449dd 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6418.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6418.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6418", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:19.137", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:38:57.207", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via videos.php in the id parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application." + }, + { + "lang": "es", + "value": "Se ha reportado una vulnerabilidad en Voovi Social Networking Script que afecta a la versi\u00f3n 1.0 y consiste en una inyecci\u00f3n SQL mediante videos.php en el par\u00e1metro id. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un atacante remoto enviar una consulta SQL especialmente manipulada al servidor y recuperar toda la informaci\u00f3n almacenada en la aplicaci\u00f3n." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH" + }, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*", + "matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6419.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6419.json index a29568f2453..49000c18d82 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6419.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6419.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6419", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:19.333", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:38:49.127", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been reported in Voovi Social Networking Script version 1.0 that allows a XSS via editprofile.php in multiple parameters, the exploitation of which could allow a remote attacker to send a specially crafted JavaScript payload and partially take over the browser session of an authenticated user." + }, + { + "lang": "es", + "value": "Se ha informado de una vulnerabilidad en Voovi Social Networking Script versi\u00f3n 1.0 que permite un XSS a trav\u00e9s de editprofile.php en m\u00faltiples par\u00e1metros, cuya explotaci\u00f3n podr\u00eda permitir a un atacante remoto enviar un payload de JavaScript especialmente manipulado y hacerse cargo parcialmente de la sesi\u00f3n del navegador de un usuario autenticado." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.8, + "impactScore": 2.7 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*", + "matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6420.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6420.json index 0e6c739ed82..e9d99793565 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6420.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6420.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6420", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:19.530", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:38:55.633", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been reported in Voovi Social Networking Script version 1.0 that allows a XSS via \n\nsignup2.php in the emailadd parameter, the exploitation of which could allow a remote attacker to send a specially crafted JavaScript payload and partially take over the browser session of an authenticated user." + }, + { + "lang": "es", + "value": "Se ha informado de una vulnerabilidad en Voovi Social Networking Script versi\u00f3n 1.0 que permite un XSS a trav\u00e9s de signup2.php en el par\u00e1metro emailadd, cuya explotaci\u00f3n podr\u00eda permitir a un atacante remoto enviar un payload de JavaScript especialmente manipulado y tomar parcialmente el control de la sesi\u00f3n del navegador de un usuario autenticado." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.8, + "impactScore": 2.7 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:aatifaneeq:voovi:1.0:*:*:*:*:*:*:*", + "matchCriteriaId": "22060A40-8CD2-41B3-8A94-B1755D8998F7" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6422.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6422.json index 413008362e9..5d1d54c3630 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6422.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6422.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6422", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:19.727", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:38:43.790", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/patients_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads." + }, + { + "lang": "es", + "value": "Se ha descubierto una vulnerabilidad en BigProf Online Clinic Management System 2.2, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /clinic/patients_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:bigprof:online_clinic_management_system:2.2:*:*:*:*:*:*:*", + "matchCriteriaId": "5CA06B87-8B3F-434E-9B67-5EC936EAAF0F" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6423.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6423.json index 04be4258161..741a9b527ac 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6423.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6423.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6423", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:19.923", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:38:41.237", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/events_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads." + }, + { + "lang": "es", + "value": "Se ha descubierto una vulnerabilidad en BigProf Online Clinic Management System 2.2, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /clinic/events_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:bigprof:online_clinic_management_system:2.2:*:*:*:*:*:*:*", + "matchCriteriaId": "5CA06B87-8B3F-434E-9B67-5EC936EAAF0F" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6424.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6424.json index 56dddecf5f2..4cbb5e7c104 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6424.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6424.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6424", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:20.127", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:38:39.837", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/disease_symptoms_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads." + }, + { + "lang": "es", + "value": "Se ha descubierto una vulnerabilidad en BigProf Online Clinic Management System 2.2, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /clinic/disease_symptoms_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:bigprof:online_clinic_management_system:2.2:*:*:*:*:*:*:*", + "matchCriteriaId": "5CA06B87-8B3F-434E-9B67-5EC936EAAF0F" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6425.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6425.json index 24dbcecab06..0369fa76f76 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6425.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6425.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6425", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:20.317", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:38:38.457", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/medical_records_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads." + }, + { + "lang": "es", + "value": "Se ha descubierto una vulnerabilidad en BigProf Online Clinic Management System 2.2, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /clinic/medical_records_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:bigprof:online_clinic_management_system:2.2:*:*:*:*:*:*:*", + "matchCriteriaId": "5CA06B87-8B3F-434E-9B67-5EC936EAAF0F" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6426.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6426.json index 5561920d93b..b737c0e891d 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6426.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6426.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6426", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:20.507", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:38:36.853", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/invoices_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads." + }, + { + "lang": "es", + "value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /invoicing/app/invoices_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*", + "matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6427.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6427.json index 01be4bb77fe..c0f0edf60d7 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6427.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6427.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6427", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:20.700", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:38:35.270", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/invoices_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads." + }, + { + "lang": "es", + "value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /invoicing/app/invoices_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
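Review bot: The `descriptions` values for CVE-2023-6427, including the added `es` entry, are word-for-word those of CVE-2023-6426: both name `/invoicing/app/invoices_view.php` and the `FirstRecord` parameter. With `vulnStatus` now `Analyzed`, nothing in the visible fields distinguishes the two findings, so triage or deduplication keyed on description text would merge them. Downstream tooling should key on `id`. The endpoint intended for this record should be checked against the INCIBE advisory listed in `references`, since the duplication probably comes from upstream rather than from this sync.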
@@ -35,6 +59,16 @@ ] }, "weaknesses": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", @@ -46,10 +80,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*", + "matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6428.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6428.json index c560382e991..217216eab1f 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6428.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6428.json 
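Review bot: The `weaknesses` hunk adds an `nvd@nist.gov` / `Primary` entry with `CWE-79` for CVE-2023-6427 only. The sibling records moved to `Analyzed` in the same commit (CVE-2023-6424 to CVE-2023-6426 and CVE-2023-6428 to CVE-2023-6435) show no such hunk, and their second hunk's offset (`-46` to `+70`) is fully explained by the 24 lines added in the first hunk. A consumer that filters or groups on the `Primary` weakness would therefore classify one record of an otherwise identical stored-XSS batch differently from the rest. Matching logic should fall back to the `Secondary` CNA weakness when no `Primary` entry exists.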
@@ -2,16 +2,40 @@ "id": "CVE-2023-6428", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:20.893", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:38:27.697", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/items_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads." + }, + { + "lang": "es", + "value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /invoicing/app/items_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*", + "matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6429.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6429.json index d69a8e2cb05..cf120fc5c00 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6429.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6429.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6429", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:21.087", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:38:26.040", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/clients_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads." + }, + { + "lang": "es", + "value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /invoicing/app/clients_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*", + "matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6430.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6430.json index 42eefadd3ce..9c4fdc5d040 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6430.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6430.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6430", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:21.277", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:38:09.997", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/transactions_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads." + }, + { + "lang": "es", + "value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /inventory/transactions_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*", + "matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6431.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6431.json index 5ba82a09bd8..7ef02d2d0a9 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6431.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6431.json 
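Review bot: The added `cpeMatch` criteria `cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*` may not identify the affected product. The CVE-2023-6430 description in the preceding hunk places the flaw at `/inventory/transactions_view.php`, while CVE-2023-6426 to CVE-2023-6429 carry the same CPE with `/invoicing/app/...` paths. The same applies to the configurations hunks for CVE-2023-6431 through CVE-2023-6435, whose descriptions all cite `/inventory/` endpoints. If the `/inventory/` application is a separate BigProf product, CPE-based asset matching will miss it and flag Online Invoicing System installs instead, so confirm against the INCIBE advisory in `references` before relying on this match. The description itself names Online Invoicing System 2.6, so the discrepancy likely originates upstream rather than in this sync.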
@@ -2,16 +2,40 @@ "id": "CVE-2023-6431", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:21.473", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:38:07.830", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/categories_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads." + }, + { + "lang": "es", + "value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /inventory/categories_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*", + "matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6432.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6432.json index 8d31577426e..2ae9ec953f8 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6432.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6432.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6432", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:21.660", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:38:05.627", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/items_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads." + }, + { + "lang": "es", + "value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /inventory/items_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*", + "matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6433.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6433.json index b0d49eb6a15..9ab5aeaea82 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6433.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6433.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6433", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:21.897", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:37:58.317", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/suppliers_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads." + }, + { + "lang": "es", + "value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /inventory/suppliers_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*", + "matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6434.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6434.json index d0a90a15564..2c6484a6ce7 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6434.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6434.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6434", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:23.393", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:37:56.790", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/sections_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads." + }, + { + "lang": "es", + "value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /inventory/sections_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*", + "matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/CVE-2023/CVE-2023-64xx/CVE-2023-6435.json b/CVE-2023/CVE-2023-64xx/CVE-2023-6435.json index 2bd95474b40..bea11738f48 100644 --- a/CVE-2023/CVE-2023-64xx/CVE-2023-6435.json +++ b/CVE-2023/CVE-2023-64xx/CVE-2023-6435.json 
@@ -2,16 +2,40 @@ "id": "CVE-2023-6435", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2023-11-30T14:15:23.593", - "lastModified": "2023-11-30T14:48:32.553", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-12-02T04:37:54.727", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/batches_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads." + }, + { + "lang": "es", + "value": "Se ha descubierto una vulnerabilidad en BigProf Online Invoicing System 2.6, que no codifica suficientemente la entrada controlada por el usuario, lo que genera XSS persistente a trav\u00e9s de /inventory/batches_view.php, en el par\u00e1metro FirstRecord. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario atacante almacenar payloads de JavaScript peligrosos en el sistema que se activar\u00e1n cuando se cargue la p\u00e1gina." } ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + }, { "source": "cve-coordination@incibe.es", "type": "Secondary", 
@@ -46,10 +70,30 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:bigprof:online_invoicing_system:2.6:*:*:*:*:*:*:*", + "matchCriteriaId": "F613FFFC-518C-4FFB-934F-4BA3D7C832AF" + } + ] + } + ] + } + ], "references": [ { "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-bigprof-products", - "source": "cve-coordination@incibe.es" + "source": "cve-coordination@incibe.es", + "tags": [ + "Third Party Advisory" + ] } ] } \ No newline at end of file diff --git a/README.md b/README.md index 3b4cfef81fe..c00523048f6 100644 --- a/README.md +++ b/README.md @@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours. ### Last Repository Update ```plain -2023-12-02T03:00:19.255787+00:00 +2023-12-02T05:00:18.316198+00:00 ``` ### Most recent CVE Modification Timestamp synchronized with NVD ```plain -2023-12-02T02:15:07.197000+00:00 +2023-12-02T04:40:02.733000+00:00 ``` ### Last Data Feed Release 
@@ -34,23 +34,39 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/ ### CVEs added in the last Commit -Recently added CVEs: `1` +Recently added CVEs: `0` -* [CVE-2023-49914](CVE-2023/CVE-2023-499xx/CVE-2023-49914.json) (`2023-12-02T01:15:09.050`) ### CVEs modified in the last Commit -Recently modified CVEs: `8` +Recently modified CVEs: `37` -* [CVE-2018-14628](CVE-2018/CVE-2018-146xx/CVE-2018-14628.json) (`2023-12-02T02:15:07.067`) -* [CVE-2022-27912](CVE-2022/CVE-2022-279xx/CVE-2022-27912.json) (`2023-12-02T01:15:07.923`) -* [CVE-2022-27913](CVE-2022/CVE-2022-279xx/CVE-2022-27913.json) (`2023-12-02T01:15:08.100`) -* [CVE-2022-27914](CVE-2022/CVE-2022-279xx/CVE-2022-27914.json) (`2023-12-02T01:15:08.190`) -* [CVE-2022-41717](CVE-2022/CVE-2022-417xx/CVE-2022-41717.json) (`2023-12-02T02:15:07.197`) -* [CVE-2023-39971](CVE-2023/CVE-2023-399xx/CVE-2023-39971.json) (`2023-12-02T01:15:08.287`) -* [CVE-2023-44487](CVE-2023/CVE-2023-444xx/CVE-2023-44487.json) (`2023-12-02T01:15:08.373`) -* [CVE-2023-46118](CVE-2023/CVE-2023-461xx/CVE-2023-46118.json) (`2023-12-02T01:15:08.923`) +* [CVE-2023-6433](CVE-2023/CVE-2023-64xx/CVE-2023-6433.json) (`2023-12-02T04:37:58.317`) +* [CVE-2023-6432](CVE-2023/CVE-2023-64xx/CVE-2023-6432.json) (`2023-12-02T04:38:05.627`) +* [CVE-2023-6431](CVE-2023/CVE-2023-64xx/CVE-2023-6431.json) (`2023-12-02T04:38:07.830`) +* [CVE-2023-6430](CVE-2023/CVE-2023-64xx/CVE-2023-6430.json) (`2023-12-02T04:38:09.997`) +* [CVE-2023-6429](CVE-2023/CVE-2023-64xx/CVE-2023-6429.json) (`2023-12-02T04:38:26.040`) +* [CVE-2023-6428](CVE-2023/CVE-2023-64xx/CVE-2023-6428.json) (`2023-12-02T04:38:27.697`) +* [CVE-2023-6427](CVE-2023/CVE-2023-64xx/CVE-2023-6427.json) (`2023-12-02T04:38:35.270`) +* [CVE-2023-6426](CVE-2023/CVE-2023-64xx/CVE-2023-6426.json) (`2023-12-02T04:38:36.853`) +* [CVE-2023-6425](CVE-2023/CVE-2023-64xx/CVE-2023-6425.json) (`2023-12-02T04:38:38.457`) +* [CVE-2023-6424](CVE-2023/CVE-2023-64xx/CVE-2023-6424.json) 
(`2023-12-02T04:38:39.837`) +* [CVE-2023-6423](CVE-2023/CVE-2023-64xx/CVE-2023-6423.json) (`2023-12-02T04:38:41.237`) +* [CVE-2023-6422](CVE-2023/CVE-2023-64xx/CVE-2023-6422.json) (`2023-12-02T04:38:43.790`) +* [CVE-2023-6419](CVE-2023/CVE-2023-64xx/CVE-2023-6419.json) (`2023-12-02T04:38:49.127`) +* [CVE-2023-6420](CVE-2023/CVE-2023-64xx/CVE-2023-6420.json) (`2023-12-02T04:38:55.633`) +* [CVE-2023-6418](CVE-2023/CVE-2023-64xx/CVE-2023-6418.json) (`2023-12-02T04:38:57.207`) +* [CVE-2023-6417](CVE-2023/CVE-2023-64xx/CVE-2023-6417.json) (`2023-12-02T04:39:08.177`) +* [CVE-2023-6416](CVE-2023/CVE-2023-64xx/CVE-2023-6416.json) (`2023-12-02T04:39:11.893`) +* [CVE-2023-6415](CVE-2023/CVE-2023-64xx/CVE-2023-6415.json) (`2023-12-02T04:39:14.333`) +* [CVE-2023-6414](CVE-2023/CVE-2023-64xx/CVE-2023-6414.json) (`2023-12-02T04:39:15.630`) +* [CVE-2023-6413](CVE-2023/CVE-2023-64xx/CVE-2023-6413.json) (`2023-12-02T04:39:21.477`) +* [CVE-2023-6412](CVE-2023/CVE-2023-64xx/CVE-2023-6412.json) (`2023-12-02T04:39:24.357`) +* [CVE-2023-6411](CVE-2023/CVE-2023-64xx/CVE-2023-6411.json) (`2023-12-02T04:39:26.877`) +* [CVE-2023-6410](CVE-2023/CVE-2023-64xx/CVE-2023-6410.json) (`2023-12-02T04:39:29.697`) +* [CVE-2023-30585](CVE-2023/CVE-2023-305xx/CVE-2023-30585.json) (`2023-12-02T04:39:59.250`) +* [CVE-2023-24023](CVE-2023/CVE-2023-240xx/CVE-2023-24023.json) (`2023-12-02T04:40:02.733`) ## Download and Usage