Auto-Update: 2023-12-08T07:00:17.604590+00:00

CVE-2023/CVE-2023-261xx/CVE-2023-26158.json

@@ -0,0 +1,59 @@
+{
+  "id": "CVE-2023-26158",
+  "sourceIdentifier": "report@snyk.io",
+  "published": "2023-12-08T05:15:07.870",
+  "lastModified": "2023-12-08T05:15:07.870",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).\r\rUser controlled inputs inside the extend() method of the Mock.Handler, Mock.Random, Mock.RE.Handler or Mock.Util, will allow an attacker to exploit this vulnerability.\r\r Workaround\r\rBy using a denylist of dangerous attributes, this weakness can be eliminated.\r\rAdd the following line in the Util.extend function:\r\rjs\rjs if ([\"__proto__\", \"constructor\", \"prototype\"].includes(name)) continue\r\r\rjs\r// src/mock/handler.js\rUtil.extend = function extend() {\r        var target = arguments[0] || {},\r            i = 1,\r            length = arguments.length,\r            options, name, src, copy, clone\r\r        if (length === 1) {\r            target = this\r            i = 0\r        }\r\r        for (; i < length; i++) {\r            options = arguments[i]\r            if (!options) continue\r\r            for (name in options) {\r            if ([\"__proto__\", \"constructor\", \"prototype\"].includes(name)) continue\r                src = target[name]\r                copy = options[name]\r\r                if (target === copy) continue\r                if (copy === undefined) continue\r\r                if (Util.isArray(copy) || Util.isObject(copy)) {\r                    if (Util.isArray(copy)) clone = src && Util.isArray(src) ? src : []\r                    if (Util.isObject(copy)) clone = src && Util.isObject(src) ? src : {}\r\r                    target[name] = Util.extend(clone, copy)\r                } else {\r                    target[name] = copy\r                }\r            }\r        }\r\r        return target\r    }\r"
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "report@snyk.io",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "NONE",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "NONE",
+          "integrityImpact": "LOW",
+          "availabilityImpact": "HIGH",
+          "baseScore": 8.2,
+          "baseSeverity": "HIGH"
+        },
+        "exploitabilityScore": 3.9,
+        "impactScore": 4.2
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "report@snyk.io",
+      "type": "Secondary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-1321"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/nuysoft/Mock/blob/00ce04b92eb464e664a4438430903f2de96efb47/dist/mock.js%23L721-L755",
+      "source": "report@snyk.io"
+    },
+    {
+      "url": "https://security.snyk.io/vuln/SNYK-JS-MOCKJS-6051365",
+      "source": "report@snyk.io"
+    }
+  ]
+}

CVE-2023/CVE-2023-324xx/CVE-2023-32460.json

@@ -0,0 +1,55 @@
+{
+  "id": "CVE-2023-32460",
+  "sourceIdentifier": "security_alert@emc.com",
+  "published": "2023-12-08T06:15:45.427",
+  "lastModified": "2023-12-08T06:15:45.427",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "\nDell PowerEdge BIOS contains an improper privilege management security vulnerability. An unauthenticated local attacker could potentially exploit this vulnerability, leading to privilege escalation.\n\n"
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security_alert@emc.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+          "attackVector": "LOCAL",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "LOW",
+          "userInteraction": "NONE",
+          "scope": "CHANGED",
+          "confidentialityImpact": "HIGH",
+          "integrityImpact": "HIGH",
+          "availabilityImpact": "HIGH",
+          "baseScore": 8.8,
+          "baseSeverity": "HIGH"
+        },
+        "exploitabilityScore": 2.0,
+        "impactScore": 6.0
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security_alert@emc.com",
+      "type": "Secondary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-306"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://www.dell.com/support/kbdoc/en-us/000219550/dsa-2023-361-security-update-for-dell-poweredge-server-bios-for-an-improper-privilege-management-security-vulnerability",
+      "source": "security_alert@emc.com"
+    }
+  ]
+}

CVE-2023/CVE-2023-425xx/CVE-2023-42568.json

@@ -2,12 +2,12 @@
   "id": "CVE-2023-42568",
   "sourceIdentifier": "mobile.security@samsung.com",
   "published": "2023-12-05T03:15:17.070",
-  "lastModified": "2023-12-05T13:51:04.540",
-  "vulnStatus": "Awaiting Analysis",
+  "lastModified": "2023-12-08T05:15:08.340",
+  "vulnStatus": "Undergoing Analysis",
   "descriptions": [
     {
       "lang": "en",
-      "value": "Improper access control vulnerability in SmartManagerCN prior to SMR Dec-2023 Release 1 allows local attackers to access arbitrary files with SystemUI privilege."
+      "value": "Improper access control vulnerability in SmartManagerCN prior to SMR Dec-2023 Release 1 allows local attackers to access arbitrary files with system privilege."
     },
     {
       "lang": "es",
@@ -21,20 +21,20 @@
         "type": "Secondary",
         "cvssData": {
           "version": "3.1",
-          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
           "attackVector": "LOCAL",
           "attackComplexity": "LOW",
           "privilegesRequired": "NONE",
           "userInteraction": "NONE",
           "scope": "UNCHANGED",
-          "confidentialityImpact": "LOW",
+          "confidentialityImpact": "HIGH",
           "integrityImpact": "LOW",
           "availabilityImpact": "LOW",
-          "baseScore": 5.9,
-          "baseSeverity": "MEDIUM"
+          "baseScore": 7.3,
+          "baseSeverity": "HIGH"
         },
         "exploitabilityScore": 2.5,
-        "impactScore": 3.4
+        "impactScore": 4.7
       }
     ]
   },

CVE-2023/CVE-2023-458xx/CVE-2023-45866.json

@@ -0,0 +1,32 @@
+{
+  "id": "CVE-2023-45866",
+  "sourceIdentifier": "cve@mitre.org",
+  "published": "2023-12-08T06:15:45.690",
+  "lastModified": "2023-12-08T06:15:45.690",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue."
+    }
+  ],
+  "metrics": {},
+  "references": [
+    {
+      "url": "http://changelogs.ubuntu.com/changelogs/pool/main/b/bluez/bluez_5.64-0ubuntu1/changelog",
+      "source": "cve@mitre.org"
+    },
+    {
+      "url": "https://bluetooth.com",
+      "source": "cve@mitre.org"
+    },
+    {
+      "url": "https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675",
+      "source": "cve@mitre.org"
+    },
+    {
+      "url": "https://github.com/skysafe/reblog/tree/main/cve-2023-45866",
+      "source": "cve@mitre.org"
+    }
+  ]
+}

CVE-2023/CVE-2023-489xx/CVE-2023-48928.json

@@ -0,0 +1,20 @@
+{
+  "id": "CVE-2023-48928",
+  "sourceIdentifier": "cve@mitre.org",
+  "published": "2023-12-08T05:15:08.807",
+  "lastModified": "2023-12-08T05:15:08.807",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Open Redirect. The 'path' parameter of the prefs.asp resource allows an attacker to redirect a victim user to an arbitrary web site using a crafted URL."
+    }
+  ],
+  "metrics": {},
+  "references": [
+    {
+      "url": "https://github.com/MatJosephs/CVEs/tree/main/CVE-2023-48928",
+      "source": "cve@mitre.org"
+    }
+  ]
+}

CVE-2023/CVE-2023-489xx/CVE-2023-48929.json

@@ -0,0 +1,20 @@
+{
+  "id": "CVE-2023-48929",
+  "sourceIdentifier": "cve@mitre.org",
+  "published": "2023-12-08T05:15:08.897",
+  "lastModified": "2023-12-08T05:15:08.897",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. The 'sid' parameter in the group_status.asp resource allows an attacker to escalate privileges and obtain sensitive information."
+    }
+  ],
+  "metrics": {},
+  "references": [
+    {
+      "url": "https://github.com/MatJosephs/CVEs/tree/main/CVE-2023-48929",
+      "source": "cve@mitre.org"
+    }
+  ]
+}

README.md

@@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours.
 ### Last Repository Update
 
 ```plain
-2023-12-08T05:00:17.665326+00:00
+2023-12-08T07:00:17.604590+00:00
 ```
 
 ### Most recent CVE Modification Timestamp synchronized with NVD
 
 ```plain
-2023-12-08T04:15:06.850000+00:00
+2023-12-08T06:15:45.690000+00:00
 ```
 
 ### Last Data Feed Release
@@ -29,28 +29,25 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/
 ### Total Number of included CVEs
 
 ```plain
-232573
+232578
 ```
 
 ### CVEs added in the last Commit
 
-Recently added CVEs: `1`
+Recently added CVEs: `5`
 
-* [CVE-2023-48122](CVE-2023/CVE-2023-481xx/CVE-2023-48122.json) (`2023-12-08T04:15:06.850`)
+* [CVE-2023-26158](CVE-2023/CVE-2023-261xx/CVE-2023-26158.json) (`2023-12-08T05:15:07.870`)
+* [CVE-2023-48928](CVE-2023/CVE-2023-489xx/CVE-2023-48928.json) (`2023-12-08T05:15:08.807`)
+* [CVE-2023-48929](CVE-2023/CVE-2023-489xx/CVE-2023-48929.json) (`2023-12-08T05:15:08.897`)
+* [CVE-2023-32460](CVE-2023/CVE-2023-324xx/CVE-2023-32460.json) (`2023-12-08T06:15:45.427`)
+* [CVE-2023-45866](CVE-2023/CVE-2023-458xx/CVE-2023-45866.json) (`2023-12-08T06:15:45.690`)
 
 
 ### CVEs modified in the last Commit
 
-Recently modified CVEs: `8`
+Recently modified CVEs: `1`
 
-* [CVE-2022-43677](CVE-2022/CVE-2022-436xx/CVE-2022-43677.json) (`2023-12-08T03:15:07.130`)
-* [CVE-2022-48560](CVE-2022/CVE-2022-485xx/CVE-2022-48560.json) (`2023-12-08T03:15:07.240`)
-* [CVE-2023-46575](CVE-2023/CVE-2023-465xx/CVE-2023-46575.json) (`2023-12-08T03:15:07.340`)
-* [CVE-2023-6508](CVE-2023/CVE-2023-65xx/CVE-2023-6508.json) (`2023-12-08T03:15:07.427`)
-* [CVE-2023-6509](CVE-2023/CVE-2023-65xx/CVE-2023-6509.json) (`2023-12-08T03:15:07.500`)
-* [CVE-2023-6510](CVE-2023/CVE-2023-65xx/CVE-2023-6510.json) (`2023-12-08T03:15:07.573`)
-* [CVE-2023-6511](CVE-2023/CVE-2023-65xx/CVE-2023-6511.json) (`2023-12-08T03:15:07.637`)
-* [CVE-2023-6512](CVE-2023/CVE-2023-65xx/CVE-2023-6512.json) (`2023-12-08T03:15:07.697`)
+* [CVE-2023-42568](CVE-2023/CVE-2023-425xx/CVE-2023-42568.json) (`2023-12-08T05:15:08.340`)
 
 
 ## Download and Usage