From 0cd2ea26ba258a039c718ea966bdf748fc6af655 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 18 Nov 2024 09:32:58 +0000 Subject: [PATCH] Publish Advisories GHSA-fjcc-r94c-wxr8 GHSA-3m64-79r5-56f2 GHSA-522h-49x4-xq7r GHSA-7236-ccfq-8664 GHSA-8c78-wf5j-v7jx GHSA-cppr-hw26-jmwp GHSA-ffrw-8p66-394j GHSA-gwhh-pw54-jgx4 GHSA-gwm3-gp4w-96g7 GHSA-gx4q-m69p-mf52 GHSA-j34c-54rj-94x3 GHSA-jc5h-x77p-hhq6 GHSA-pr37-gvg2-qr9v GHSA-qj3w-6895-r5mf GHSA-qxp5-vjrm-298x GHSA-rc9f-q3jv-fx7r --- .../GHSA-fjcc-r94c-wxr8.json | 2 +- .../GHSA-3m64-79r5-56f2.json | 39 +++++++++++++++ .../GHSA-522h-49x4-xq7r.json | 38 ++++++++++++++ .../GHSA-7236-ccfq-8664.json | 38 ++++++++++++++ .../GHSA-8c78-wf5j-v7jx.json | 39 +++++++++++++++ .../GHSA-cppr-hw26-jmwp.json | 38 ++++++++++++++ .../GHSA-ffrw-8p66-394j.json | 50 +++++++++++++++++++ .../GHSA-gwhh-pw54-jgx4.json | 42 ++++++++++++++++ .../GHSA-gwm3-gp4w-96g7.json | 42 ++++++++++++++++ .../GHSA-gx4q-m69p-mf52.json | 42 ++++++++++++++++ .../GHSA-j34c-54rj-94x3.json | 38 ++++++++++++++ .../GHSA-jc5h-x77p-hhq6.json | 39 +++++++++++++++ .../GHSA-pr37-gvg2-qr9v.json | 42 ++++++++++++++++ .../GHSA-qj3w-6895-r5mf.json | 42 ++++++++++++++++ .../GHSA-qxp5-vjrm-298x.json | 47 +++++++++++++++++ .../GHSA-rc9f-q3jv-fx7r.json | 38 ++++++++++++++ 16 files changed, 615 insertions(+), 1 deletion(-) create mode 100644 advisories/unreviewed/2024/11/GHSA-3m64-79r5-56f2/GHSA-3m64-79r5-56f2.json create mode 100644 advisories/unreviewed/2024/11/GHSA-522h-49x4-xq7r/GHSA-522h-49x4-xq7r.json create mode 100644 advisories/unreviewed/2024/11/GHSA-7236-ccfq-8664/GHSA-7236-ccfq-8664.json create mode 100644 advisories/unreviewed/2024/11/GHSA-8c78-wf5j-v7jx/GHSA-8c78-wf5j-v7jx.json create mode 100644 advisories/unreviewed/2024/11/GHSA-cppr-hw26-jmwp/GHSA-cppr-hw26-jmwp.json create mode 100644 advisories/unreviewed/2024/11/GHSA-ffrw-8p66-394j/GHSA-ffrw-8p66-394j.json create mode 100644 advisories/unreviewed/2024/11/GHSA-gwhh-pw54-jgx4/GHSA-gwhh-pw54-jgx4.json create 
mode 100644 advisories/unreviewed/2024/11/GHSA-gwm3-gp4w-96g7/GHSA-gwm3-gp4w-96g7.json create mode 100644 advisories/unreviewed/2024/11/GHSA-gx4q-m69p-mf52/GHSA-gx4q-m69p-mf52.json create mode 100644 advisories/unreviewed/2024/11/GHSA-j34c-54rj-94x3/GHSA-j34c-54rj-94x3.json create mode 100644 advisories/unreviewed/2024/11/GHSA-jc5h-x77p-hhq6/GHSA-jc5h-x77p-hhq6.json create mode 100644 advisories/unreviewed/2024/11/GHSA-pr37-gvg2-qr9v/GHSA-pr37-gvg2-qr9v.json create mode 100644 advisories/unreviewed/2024/11/GHSA-qj3w-6895-r5mf/GHSA-qj3w-6895-r5mf.json create mode 100644 advisories/unreviewed/2024/11/GHSA-qxp5-vjrm-298x/GHSA-qxp5-vjrm-298x.json create mode 100644 advisories/unreviewed/2024/11/GHSA-rc9f-q3jv-fx7r/GHSA-rc9f-q3jv-fx7r.json
diff --git a/advisories/unreviewed/2024/07/GHSA-fjcc-r94c-wxr8/GHSA-fjcc-r94c-wxr8.json b/advisories/unreviewed/2024/07/GHSA-fjcc-r94c-wxr8/GHSA-fjcc-r94c-wxr8.json
index c97a47318fd19..eb1669b252340 100644
--- a/advisories/unreviewed/2024/07/GHSA-fjcc-r94c-wxr8/GHSA-fjcc-r94c-wxr8.json
+++ b/advisories/unreviewed/2024/07/GHSA-fjcc-r94c-wxr8/GHSA-fjcc-r94c-wxr8.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fjcc-r94c-wxr8",
- "modified": "2024-07-12T15:31:25Z",
+ "modified": "2024-11-18T09:31:12Z",
 "published": "2024-07-01T21:31:14Z",
 "aliases": [
 "CVE-2024-38472"
diff --git a/advisories/unreviewed/2024/11/GHSA-3m64-79r5-56f2/GHSA-3m64-79r5-56f2.json b/advisories/unreviewed/2024/11/GHSA-3m64-79r5-56f2/GHSA-3m64-79r5-56f2.json
new file mode 100644
index 0000000000000..d75f912f1f610
--- /dev/null
+++ b/advisories/unreviewed/2024/11/GHSA-3m64-79r5-56f2/GHSA-3m64-79r5-56f2.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3m64-79r5-56f2",
+ "modified": "2024-11-18T09:31:14Z",
+ "published": "2024-11-18T09:31:14Z",
+ "aliases": [
+ "CVE-2024-45791"
+ ],
+ "details": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache HertzBeat.\n\nThis issue affects Apache HertzBeat: before 1.6.1.\n\nUsers are recommended to upgrade to version 1.6.1, which fixes the issue.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45791"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/jmbsfjsvrfnvosh1ftrm3ry4j3sb7doz"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/lvsczrp8kdynppmzyxtkh4ord4gpw1ph"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-11-18T09:15:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/11/GHSA-522h-49x4-xq7r/GHSA-522h-49x4-xq7r.json b/advisories/unreviewed/2024/11/GHSA-522h-49x4-xq7r/GHSA-522h-49x4-xq7r.json
new file mode 100644
index 0000000000000..fb00b7b12741f
--- /dev/null
+++ b/advisories/unreviewed/2024/11/GHSA-522h-49x4-xq7r/GHSA-522h-49x4-xq7r.json
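Review bot: The empty `"severity": []` array together with `"severity": null` under `database_specific` leaves the GHSA-3m64-79r5-56f2 record unscored, so any consumer that sorts or filters on severity has to treat it as unknown rather than as low. The same gap appears in the GHSA-8c78-wf5j-v7jx (CWE-77), GHSA-jc5h-x77p-hhq6 (CWE-502) and GHSA-qxp5-vjrm-298x (CWE-918) records in this patch. `affected` is empty here as well, so package-based matching will presumably not surface the entry; the only version information is the prose "before 1.6.1" in `details`.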
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-522h-49x4-xq7r",
+ "modified": "2024-11-18T09:31:13Z",
+ "published": "2024-11-18T09:31:13Z",
+ "aliases": [
+ "CVE-2024-41969"
+ ],
+ "details": "A low privileged remote attacker may modify the configuration of the CODESYS V3 service through a missing authentication vulnerability which could lead to full system access and/or DoS.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41969"
+ },
+ {
+ "type": "WEB",
+ "url": "https://cert.vde.com/en/advisories/VDE-2024-047"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-306"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-11-18T09:15:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/11/GHSA-7236-ccfq-8664/GHSA-7236-ccfq-8664.json b/advisories/unreviewed/2024/11/GHSA-7236-ccfq-8664/GHSA-7236-ccfq-8664.json
new file mode 100644
index 0000000000000..1251bccb7e8f1
--- /dev/null
+++ b/advisories/unreviewed/2024/11/GHSA-7236-ccfq-8664/GHSA-7236-ccfq-8664.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7236-ccfq-8664",
+ "modified": "2024-11-18T09:31:13Z",
+ "published": "2024-11-18T09:31:13Z",
+ "aliases": [
+ "CVE-2024-41968"
+ ],
+ "details": "A low privileged remote attacker may modify the docker settings setup of the device, leading to a limited DoS.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41968"
+ },
+ {
+ "type": "WEB",
+ "url": "https://cert.vde.com/en/advisories/VDE-2024-047"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-306"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-11-18T09:15:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/11/GHSA-8c78-wf5j-v7jx/GHSA-8c78-wf5j-v7jx.json b/advisories/unreviewed/2024/11/GHSA-8c78-wf5j-v7jx/GHSA-8c78-wf5j-v7jx.json
new file mode 100644
index 0000000000000..13d84897bcf91
--- /dev/null
+++ b/advisories/unreviewed/2024/11/GHSA-8c78-wf5j-v7jx/GHSA-8c78-wf5j-v7jx.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8c78-wf5j-v7jx",
+ "modified": "2024-11-18T09:31:14Z",
+ "published": "2024-11-18T09:31:14Z",
+ "aliases": [
+ "CVE-2024-45505"
+ ],
+ "details": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache HertzBeat (incubating).\n\nThis vulnerability can only be exploited by authorized attackers.\nThis issue affects Apache HertzBeat (incubating): before 1.6.1.\n\nUsers are recommended to upgrade to version 1.6.1, which fixes the issue.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45505"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/gvbc68krhqhht7mkkkx7k13k6k6fdhy0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/h8k14o1bfyod66p113pkgnt1s52p6p19"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-77"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-11-18T09:15:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/11/GHSA-cppr-hw26-jmwp/GHSA-cppr-hw26-jmwp.json b/advisories/unreviewed/2024/11/GHSA-cppr-hw26-jmwp/GHSA-cppr-hw26-jmwp.json
new file mode 100644
index 0000000000000..63ac74aafb3f0
--- /dev/null
+++ b/advisories/unreviewed/2024/11/GHSA-cppr-hw26-jmwp/GHSA-cppr-hw26-jmwp.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cppr-hw26-jmwp",
+ "modified": "2024-11-18T09:31:13Z",
+ "published": "2024-11-18T09:31:13Z",
+ "aliases": [
+ "CVE-2024-22067"
+ ],
+ "details": "ZTE NH8091 product has an improper permission control vulnerability. Due to improper permission control of the Web module interface, an authenticated attacker may exploit the vulnerability to execute arbitrary commands.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22067"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/6179526095692935173"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-11-18T07:15:17Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/11/GHSA-ffrw-8p66-394j/GHSA-ffrw-8p66-394j.json b/advisories/unreviewed/2024/11/GHSA-ffrw-8p66-394j/GHSA-ffrw-8p66-394j.json
new file mode 100644
index 0000000000000..3696c37ee8682
--- /dev/null
+++ b/advisories/unreviewed/2024/11/GHSA-ffrw-8p66-394j/GHSA-ffrw-8p66-394j.json
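Review bot: `cwe_ids` is empty in the GHSA-cppr-hw26-jmwp record even though `details` names an improper permission control flaw in the Web module interface that lets an authenticated attacker execute arbitrary commands. Filters and dashboards keyed on weakness class will therefore not pick this record up. Until the array is populated, consumers should match on the alias `CVE-2024-22067` rather than on CWE.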
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-ffrw-8p66-394j",
+ "modified": "2024-11-18T09:31:14Z",
+ "published": "2024-11-18T09:31:14Z",
+ "aliases": [
+ "CVE-2024-48962"
+ ],
+ "details": "Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.17.\n\nUsers are recommended to upgrade to version 18.12.17, which fixes the issue.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Amber"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48962"
+ },
+ {
+ "type": "WEB",
+ "url": "https://issues.apache.org/jira/browse/OFBIZ-13162"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/6sddh4pts90cp8ktshqb4xykdp6lb6q6"
+ },
+ {
+ "type": "WEB",
+ "url": "https://ofbiz.apache.org/download.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://ofbiz.apache.org/security.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-1336"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-11-18T09:15:06Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/11/GHSA-gwhh-pw54-jgx4/GHSA-gwhh-pw54-jgx4.json b/advisories/unreviewed/2024/11/GHSA-gwhh-pw54-jgx4/GHSA-gwhh-pw54-jgx4.json
new file mode 100644
index 0000000000000..d166b209681ef
--- /dev/null
+++ b/advisories/unreviewed/2024/11/GHSA-gwhh-pw54-jgx4/GHSA-gwhh-pw54-jgx4.json
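Review bot: `cwe_ids` in the GHSA-ffrw-8p66-394j record lists only `"CWE-1336"`, while `details` names three weaknesses: code injection, CSRF and template-engine neutralization. Adding `"CWE-94"` and `"CWE-352"` would keep the record findable by weakness class. The GHSA-qxp5-vjrm-298x record has the same mismatch: its `details` names SSRF plus code injection, but only `"CWE-918"` is listed. The stray `, : ` inside this record's `details` string looks like an upstream formatting slip and could be cleaned up when the advisory is reviewed.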
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gwhh-pw54-jgx4",
+ "modified": "2024-11-18T09:31:12Z",
+ "published": "2024-11-18T09:31:12Z",
+ "aliases": [
+ "CVE-2024-11312"
+ ],
+ "details": "The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11312"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/en/cp-139-8249-65252-2.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/tw/cp-132-8248-8dac9-1.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-23"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-11-18T07:15:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/11/GHSA-gwm3-gp4w-96g7/GHSA-gwm3-gp4w-96g7.json b/advisories/unreviewed/2024/11/GHSA-gwm3-gp4w-96g7/GHSA-gwm3-gp4w-96g7.json
new file mode 100644
index 0000000000000..91cecaa9df68e
--- /dev/null
+++ b/advisories/unreviewed/2024/11/GHSA-gwm3-gp4w-96g7/GHSA-gwm3-gp4w-96g7.json
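Review bot: `details` in the GHSA-gwhh-pw54-jgx4 record describes two weaknesses, path traversal and unrestricted upload of file types, but `cwe_ids` holds only `"CWE-23"`; adding `"CWE-434"` would cover the upload half. The `details` text is also identical, word for word, in GHSA-gwm3-gp4w-96g7, GHSA-gx4q-m69p-mf52, GHSA-pr37-gvg2-qr9v and GHSA-qj3w-6895-r5mf, so the five CVEs can be told apart only by alias and TWCERT reference URL, and deduplication keyed on the description would merge them. None of the five records names an affected or fixed version.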
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gwm3-gp4w-96g7",
+ "modified": "2024-11-18T09:31:12Z",
+ "published": "2024-11-18T09:31:12Z",
+ "aliases": [
+ "CVE-2024-11313"
+ ],
+ "details": "The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11313"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/en/cp-139-8251-3455e-2.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/tw/cp-132-8250-1837b-1.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-23"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-11-18T07:15:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/11/GHSA-gx4q-m69p-mf52/GHSA-gx4q-m69p-mf52.json b/advisories/unreviewed/2024/11/GHSA-gx4q-m69p-mf52/GHSA-gx4q-m69p-mf52.json
new file mode 100644
index 0000000000000..51a2849365170
--- /dev/null
+++ b/advisories/unreviewed/2024/11/GHSA-gx4q-m69p-mf52/GHSA-gx4q-m69p-mf52.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gx4q-m69p-mf52",
+ "modified": "2024-11-18T09:31:12Z",
+ "published": "2024-11-18T09:31:12Z",
+ "aliases": [
+ "CVE-2024-11314"
+ ],
+ "details": "The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11314"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/en/cp-139-8253-bc363-2.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/tw/cp-132-8252-91d6a-1.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-23"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-11-18T07:15:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/11/GHSA-j34c-54rj-94x3/GHSA-j34c-54rj-94x3.json b/advisories/unreviewed/2024/11/GHSA-j34c-54rj-94x3/GHSA-j34c-54rj-94x3.json
new file mode 100644
index 0000000000000..de99b656cd0f5
--- /dev/null
+++ b/advisories/unreviewed/2024/11/GHSA-j34c-54rj-94x3/GHSA-j34c-54rj-94x3.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-j34c-54rj-94x3",
+ "modified": "2024-11-18T09:31:13Z",
+ "published": "2024-11-18T09:31:13Z",
+ "aliases": [
+ "CVE-2024-41967"
+ ],
+ "details": "A low privileged remote attacker may modify the boot mode configuration setup of the device, leading to modification of the firmware upgrade process or a denial-of-service attack.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41967"
+ },
+ {
+ "type": "WEB",
+ "url": "https://cert.vde.com/en/advisories/VDE-2024-047"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-306"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-11-18T09:15:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/11/GHSA-jc5h-x77p-hhq6/GHSA-jc5h-x77p-hhq6.json b/advisories/unreviewed/2024/11/GHSA-jc5h-x77p-hhq6/GHSA-jc5h-x77p-hhq6.json
new file mode 100644
index 0000000000000..19caabdf125d3
--- /dev/null
+++ b/advisories/unreviewed/2024/11/GHSA-jc5h-x77p-hhq6/GHSA-jc5h-x77p-hhq6.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jc5h-x77p-hhq6",
+ "modified": "2024-11-18T09:31:13Z",
+ "published": "2024-11-18T09:31:13Z",
+ "aliases": [
+ "CVE-2024-41151"
+ ],
+ "details": "Deserialization of Untrusted Data vulnerability in Apache HertzBeat.\n\nThis vulnerability can only be exploited by authorized attackers.\n\n\nThis issue affects Apache HertzBeat: before 1.6.1.\n\nUsers are recommended to upgrade to version 1.6.1, which fixes the issue.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41151"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/oor9nw6nh2ojnfw8d8oxrv40cbtk5mwj"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/p33tg0vo5nh6kscth4262ktsqo3h5lqo"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-11-18T09:15:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/11/GHSA-pr37-gvg2-qr9v/GHSA-pr37-gvg2-qr9v.json b/advisories/unreviewed/2024/11/GHSA-pr37-gvg2-qr9v/GHSA-pr37-gvg2-qr9v.json
new file mode 100644
index 0000000000000..0f46cacefeac6
--- /dev/null
+++ b/advisories/unreviewed/2024/11/GHSA-pr37-gvg2-qr9v/GHSA-pr37-gvg2-qr9v.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pr37-gvg2-qr9v",
+ "modified": "2024-11-18T09:31:13Z",
+ "published": "2024-11-18T09:31:12Z",
+ "aliases": [
+ "CVE-2024-11315"
+ ],
+ "details": "The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11315"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/en/cp-139-8255-0bb1a-2.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/tw/cp-132-8254-8daa2-1.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-23"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-11-18T07:15:16Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/11/GHSA-qj3w-6895-r5mf/GHSA-qj3w-6895-r5mf.json b/advisories/unreviewed/2024/11/GHSA-qj3w-6895-r5mf/GHSA-qj3w-6895-r5mf.json
new file mode 100644
index 0000000000000..0f10cf49ec0a2
--- /dev/null
+++ b/advisories/unreviewed/2024/11/GHSA-qj3w-6895-r5mf/GHSA-qj3w-6895-r5mf.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qj3w-6895-r5mf",
+ "modified": "2024-11-18T09:31:12Z",
+ "published": "2024-11-18T09:31:12Z",
+ "aliases": [
+ "CVE-2024-11311"
+ ],
+ "details": "The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11311"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/en/cp-139-8247-83457-2.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/tw/cp-132-8246-d462a-1.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-23"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-11-18T07:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/11/GHSA-qxp5-vjrm-298x/GHSA-qxp5-vjrm-298x.json b/advisories/unreviewed/2024/11/GHSA-qxp5-vjrm-298x/GHSA-qxp5-vjrm-298x.json
new file mode 100644
index 0000000000000..b556b812ecb0b
--- /dev/null
+++ b/advisories/unreviewed/2024/11/GHSA-qxp5-vjrm-298x/GHSA-qxp5-vjrm-298x.json
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qxp5-vjrm-298x",
+ "modified": "2024-11-18T09:31:14Z",
+ "published": "2024-11-18T09:31:14Z",
+ "aliases": [
+ "CVE-2024-47208"
+ ],
+ "details": "Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.17.\n\nUsers are recommended to upgrade to version 18.12.17, which fixes the issue.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47208"
+ },
+ {
+ "type": "WEB",
+ "url": "https://issues.apache.org/jira/browse/OFBIZ-13158"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/022r19skfofhv3lzql33vowlrvqndh11"
+ },
+ {
+ "type": "WEB",
+ "url": "https://ofbiz.apache.org/download.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://ofbiz.apache.org/security.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-918"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-11-18T09:15:06Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/11/GHSA-rc9f-q3jv-fx7r/GHSA-rc9f-q3jv-fx7r.json b/advisories/unreviewed/2024/11/GHSA-rc9f-q3jv-fx7r/GHSA-rc9f-q3jv-fx7r.json
new file mode 100644
index 0000000000000..a7ee5b975de41
--- /dev/null
+++ b/advisories/unreviewed/2024/11/GHSA-rc9f-q3jv-fx7r/GHSA-rc9f-q3jv-fx7r.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rc9f-q3jv-fx7r",
+ "modified": "2024-11-18T09:31:13Z",
+ "published": "2024-11-18T09:31:13Z",
+ "aliases": [
+ "CVE-2024-49574"
+ ],
+ "details": "Zohocorp ManageEngine ADAudit Plus versions below 8123 are vulnerable to SQL Injection in the reports module.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49574"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.manageengine.com/products/active-directory-audit/cve-2024-49574.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-11-18T08:15:03Z"
+ }
+}
\ No newline at end of file