From 89fe53725dcc3919f2a92dfb3ddccb5732e827b9 Mon Sep 17 00:00:00 2001
From: cad-safe-bot
Date: Tue, 21 Jan 2025 00:58:46 +0000
Subject: [PATCH] Auto-Update: 2025-01-21T00:55:19.503759+00:00
---
 CVE-2024/CVE-2024-73xx/CVE-2024-7394.json | 14 ++---
 CVE-2024/CVE-2024-73xx/CVE-2024-7398.json | 14 ++---
 CVE-2025/CVE-2025-240xx/CVE-2025-24014.json | 60 +++++++++++++++++++++
 README.md | 12 +++--
 _state.csv | 7 +--
 5 files changed, 85 insertions(+), 22 deletions(-)
 create mode 100644 CVE-2025/CVE-2025-240xx/CVE-2025-24014.json
diff --git a/CVE-2024/CVE-2024-73xx/CVE-2024-7394.json b/CVE-2024/CVE-2024-73xx/CVE-2024-7394.json
index df79596f828..fb6d52d2bc6 100644
--- a/CVE-2024/CVE-2024-73xx/CVE-2024-7394.json
+++ b/CVE-2024/CVE-2024-73xx/CVE-2024-7394.json
@@ -2,13 +2,13 @@
 "id": "CVE-2024-7394",
 "sourceIdentifier": "ff5b8ace-8b95-4078-9743-eac1ca5451de",
 "published": "2024-08-08T17:15:20.023",
- "lastModified": "2024-08-29T13:41:24.487",
- "vulnStatus": "Analyzed",
+ "lastModified": "2025-01-21T00:15:25.357",
+ "vulnStatus": "Modified",
 "cveTags": [],
 "descriptions": [
 {
 "lang": "en",
- "value": "Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). \u00a0A rogue administrator could inject malicious code. The Concrete CMS team gave this a CVSS v3.1 rank of 2 with vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator \u00a0and a CVSS v4.0 rank of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N . Thanks, m3dium for reporting."
+ "value": "Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code. The Concrete CMS team gave this a CVSS v4.0 rank of 4.6 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks, m3dium for reporting. (CNA updated this risk rank on 20 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC)"
 },
 {
 "lang": "es",
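Review bot: The replacement English description for CVE-2024-7394 is internally inconsistent: the embedded FIRST calculator link still carries the superseded vector (AC:H, VI:L), while the vector quoted immediately after it, and the version 4.0 cvssData block in the next hunk, say AC:L and VI:N. This text is mirrored verbatim from NVD, so the correction belongs upstream with the CNA rather than in this feed. Consumers of the feed should take score and vector from the structured cvssData and treat the free-text vector inside descriptions as informational only. The matching CNA note on CVE-2024-7398 quotes a vector consistent with its cvssData but is missing the opening parenthesis before "CNA updated".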
@@ -22,11 +22,11 @@
 "type": "Secondary",
 "cvssData": {
 "version": "4.0",
- "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
- "baseScore": 1.8,
- "baseSeverity": "LOW",
+ "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
+ "baseScore": 4.6,
+ "baseSeverity": "MEDIUM",
 "attackVector": "NETWORK",
- "attackComplexity": "HIGH",
+ "attackComplexity": "LOW",
 "attackRequirements": "NONE",
 "privilegesRequired": "HIGH",
 "userInteraction": "ACTIVE",
diff --git a/CVE-2024/CVE-2024-73xx/CVE-2024-7398.json b/CVE-2024/CVE-2024-73xx/CVE-2024-7398.json
index d7185a22602..8d6d9939272 100644
--- a/CVE-2024/CVE-2024-73xx/CVE-2024-7398.json
+++ b/CVE-2024/CVE-2024-73xx/CVE-2024-7398.json
@@ -2,13 +2,13 @@
 "id": "CVE-2024-7398",
 "sourceIdentifier": "ff5b8ace-8b95-4078-9743-eac1ca5451de",
 "published": "2024-09-25T01:15:45.403",
- "lastModified": "2024-09-30T16:12:24.337",
- "vulnStatus": "Analyzed",
+ "lastModified": "2025-01-21T00:15:25.530",
+ "vulnStatus": "Modified",
 "cveTags": [],
 "descriptions": [
 {
 "lang": "en",
- "value": "Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts.\u00a0The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N .\u00a0Thank you, Yusuke Uchida for reporting."
+ "value": "Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Thank you, Yusuke Uchida for reporting.\u00a0CNA updated this risk rank on 20 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC)"
 },
 {
 "lang": "es",
@@ -22,11 +22,11 @@
 "type": "Secondary",
 "cvssData": {
 "version": "4.0",
- "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
- "baseScore": 1.8,
- "baseSeverity": "LOW",
+ "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
+ "baseScore": 4.6,
+ "baseSeverity": "MEDIUM",
 "attackVector": "NETWORK",
- "attackComplexity": "HIGH",
+ "attackComplexity": "LOW",
 "attackRequirements": "NONE",
 "privilegesRequired": "HIGH",
 "userInteraction": "ACTIVE",
diff --git a/CVE-2025/CVE-2025-240xx/CVE-2025-24014.json b/CVE-2025/CVE-2025-240xx/CVE-2025-24014.json
new file mode 100644
index 00000000000..10c66250869
--- /dev/null
+++ b/CVE-2025/CVE-2025-240xx/CVE-2025-24014.json
@@ -0,0 +1,60 @@
+{
+ "id": "CVE-2025-24014",
+ "sourceIdentifier": "security-advisories@github.com",
+ "published": "2025-01-20T23:15:07.730",
+ "lastModified": "2025-01-20T23:15:07.730",
+ "vulnStatus": "Received",
+ "cveTags": [],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Vim is an open source, command line text editor. A segmentation fault was found in Vim before 9.1.1043. In silent Ex mode (-s -e), Vim typically doesn't show a screen and just operates silently in batch mode. However, it is still possible to trigger the function that handles the scrolling of a gui version of Vim by feeding some binary characters to Vim. The function that handles the scrolling however may be triggering a redraw, which will access the ScreenLines pointer, even so this variable hasn't been allocated (since there is no screen). This vulnerability is fixed in 9.1.1043."
+ }
+ ],
+ "metrics": {
+ "cvssMetricV31": [
+ {
+ "source": "security-advisories@github.com",
+ "type": "Secondary",
+ "cvssData": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
+ "baseScore": 4.2,
+ "baseSeverity": "MEDIUM",
+ "attackVector": "LOCAL",
+ "attackComplexity": "HIGH",
+ "privilegesRequired": "LOW",
+ "userInteraction": "REQUIRED",
+ "scope": "UNCHANGED",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "availabilityImpact": "LOW"
+ },
+ "exploitabilityScore": 0.8,
+ "impactScore": 3.4
+ }
+ ]
+ },
+ "weaknesses": [
+ {
+ "source": "security-advisories@github.com",
+ "type": "Primary",
+ "description": [
+ {
+ "lang": "en",
+ "value": "CWE-787"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/vim/vim/commit/9d1bed5eccdbb46a26b8a484f5e9163c40e63919",
+ "source": "security-advisories@github.com"
+ },
+ {
+ "url": "https://github.com/vim/vim/security/advisories/GHSA-j3g9-wg22-v955",
+ "source": "security-advisories@github.com"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index 3608f3dac84..0f5b3be886a 100644
--- a/README.md
+++ b/README.md
@@ -13,13 +13,13 @@ Repository synchronizes with the NVD every 2 hours. ### Last Repository Update ```plain -2025-01-20T23:00:24.468939+00:00 +2025-01-21T00:55:19.503759+00:00 ``` ### Most recent CVE Modification Timestamp synchronized with NVD ```plain -2025-01-20T21:15:21.453000+00:00 +2025-01-21T00:15:25.530000+00:00 ``` ### Last Data Feed Release
@@ -33,20 +33,22 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/ ### Total Number of included CVEs ```plain -278157 +278158 ``` ### CVEs added in the last Commit Recently added CVEs: `1` -- [CVE-2024-13454](CVE-2024/CVE-2024-134xx/CVE-2024-13454.json) (`2025-01-20T21:15:21.453`) +- [CVE-2025-24014](CVE-2025/CVE-2025-240xx/CVE-2025-24014.json) (`2025-01-20T23:15:07.730`) ### CVEs modified in the last Commit -Recently modified CVEs: `0` +Recently modified CVEs: `2` +- [CVE-2024-7394](CVE-2024/CVE-2024-73xx/CVE-2024-7394.json) (`2025-01-21T00:15:25.357`) +- [CVE-2024-7398](CVE-2024/CVE-2024-73xx/CVE-2024-7398.json) (`2025-01-21T00:15:25.530`) ## Download and Usage
diff --git a/_state.csv b/_state.csv
index cfe61787617..fdc2cf26202 100644
--- a/_state.csv
+++ b/_state.csv
@@ -246028,7 +246028,7 @@ CVE-2024-13433,0,0,b744d44080e2e33c41984f231e71d8cc1252181c511f568444c5c86671c3e
 CVE-2024-13434,0,0,292fbae0324c9bc0e0a4304860c64d8e4dabea0f0444b12419bd12eebd083320,2025-01-17T05:15:09.290000
 CVE-2024-1344,0,0,3c7e3680ada5d2af6c947ff7713f6316fa39154980892782020553f5d0042cd7,2024-11-21T08:50:22.543000
 CVE-2024-1345,0,0,7c212e7b361746cfecf33f6e4ed924489ff6a3a938083dd73fe4da2b7b4649da,2024-11-21T08:50:22.667000
-CVE-2024-13454,1,1,e2d1844240dd5346b5a068b3df01d133d984159430edb62f356ca4bcac0bf3e6,2025-01-20T21:15:21.453000
+CVE-2024-13454,0,0,e2d1844240dd5346b5a068b3df01d133d984159430edb62f356ca4bcac0bf3e6,2025-01-20T21:15:21.453000
 CVE-2024-1346,0,0,67674c75c08ebc67974102102d05a3921f8c61d1fe386fe7de33f2c37b3bc24d,2024-11-21T08:50:22.793000
 CVE-2024-1347,0,0,b12a4cbf8e4f285872bf9a248874204d9208208e515ae74de2299237bb6626ad,2024-12-11T19:24:26.643000
 CVE-2024-1348,0,0,1859f4ea1d00e7386fbff1ae86e38e3076d8135556fc20b2256d2f026d728722,2024-11-21T08:50:23.040000
@@ -274955,11 +274955,11 @@ CVE-2024-7389,0,0,cab381fcf4b9b71264f141b348bf1292afa8da6fe747dc8fe0784ecf6d792f
 CVE-2024-7390,0,0,62257d50cfac87a87bf72bf184895cbf9edf65dcbcd5b500828f71bf6dd1b693,2024-09-27T17:45:05.590000
 CVE-2024-7391,0,0,2752de4ae00b5b2870d0f6d32309617f0c9e8b04345fde12d660bbbcdd1fe039,2024-12-03T21:44:10.397000
 CVE-2024-7392,0,0,df337276c1b7ad5043680e2710dff50a1d97b86398705520a864550842c7662d,2024-12-03T22:17:52.127000
-CVE-2024-7394,0,0,ff8c1a258c7919bd1d4109f5e6cba098213895b35a13e19706097f3b25474770,2024-08-29T13:41:24.487000
+CVE-2024-7394,0,1,c1307b9c04d9bc8bb8442618d778b285a732aec46f3e662fdc43455a034f8f04,2025-01-21T00:15:25.357000
 CVE-2024-7395,0,0,9670a510512a2d389618b6b7a9e542ec25dda208b778cea14c25d4d5f6f00cbb,2024-08-06T16:31:05.780000
 CVE-2024-7396,0,0,8a875ab721388a8a38590227097961f1c28ed1bcb468d82139ba5cc1ba1722a1,2024-08-06T16:31:05.780000
 CVE-2024-7397,0,0,c5a0c73547b864024bde47bf4a3a4f33e674da9347e7a5fc1f2aad14a6c74ebc,2024-08-06T16:31:05.780000
-CVE-2024-7398,0,0,0ad991756d72192e254d868fb568858b60448c6ca02e640d33768b737ad48889,2024-09-30T16:12:24.337000
+CVE-2024-7398,0,1,b2d315bc04eb5d24ade126add554db2c711000793ee5c981d953a99e703c95a9,2025-01-21T00:15:25.530000
 CVE-2024-7399,0,0,c63a2f56ac97180c8eeaff7425fc4e1891afb5117e5e5ee0a06426ef5c6cec5b,2024-08-13T15:30:52.337000
 CVE-2024-7400,0,0,691fe991f86a9ab7ca1113eaf257359b12516af7fe0faecee4356ed1b454ad75,2024-09-30T12:46:20.237000
 CVE-2024-7401,0,0,e2be012fbde8a842c00955b5b9f4bae9e1da9213729f95b9c08073c75ce6ffc9,2024-09-05T18:34:17.433000
@@ -278155,4 +278155,5 @@ CVE-2025-23963,0,0,b25e75626ec56255a41425e6f3edd3e3aea1c19b7ee658d0d0b26b28ec1f0
 CVE-2025-23965,0,0,53fb1e10aaa7ebd57bd7f00633a90cd803f03e00b4bc8c44e50c428b42627500,2025-01-16T21:15:38.023000
 CVE-2025-24010,0,0,b1ad142cb0e12a44fa76d1536c3ae8cc5dc1c93205ad3e19be582c3fc492507c,2025-01-20T16:15:28.730000
 CVE-2025-24013,0,0,a013478a51520d1a805dca03a3a7f43a81c8ee1d4137efd7110dbaf0e05d94c6,2025-01-20T16:15:28.877000
+CVE-2025-24014,1,1,2cffc7146974e475ed988d48da3b4c2ff6fcf00f1266e68b987745a0fb734028,2025-01-20T23:15:07.730000
 CVE-2025-24337,0,0,07d30bbea6dfa209bcd4c6bc43756d477d6586721f50f7d7909041753d5deb68,2025-01-20T14:15:27.130000