-
Notifications
You must be signed in to change notification settings - Fork 336
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
3cfa409
commit ec41f98
Showing
3 changed files
with
136 additions
and
0 deletions.
There are no files selected for viewing
46 changes: 46 additions & 0 deletions
46
advisories/unreviewed/2023/10/GHSA-4qww-v3r6-7335/GHSA-4qww-v3r6-7335.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-4qww-v3r6-7335", | ||
| "modified": "2023-10-22T21:36:10Z", | ||
| "published": "2023-10-22T21:36:10Z", | ||
| "aliases": [ | ||
| "CVE-2023-46306" | ||
| ], | ||
| "details": "The web administration interface in NetModule Router Software (NRSW) 4.6 before 4.6.0.106 and 4.8 before 4.8.0.101 executes an OS command constructed with unsanitized user input: shell metacharacters in the /admin/gnssAutoAlign.php device_id parameter. This occurs because another thread can be started before the trap that triggers the cleanup function. A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges. NOTE: this is different from CVE-2023-0861 and CVE-2023-0862, which were fixed in version 4.6.0.105.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" | ||
| } | ||
| ], | ||
| "affected": [ | ||
|
|
||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46306" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://pentest.blog/advisory-netmodule-router-software-race-condition-leads-to-remote-code-execution/" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://share.netmodule.com/public/system-software/4.6/4.6.0.106/NRSW-RN-4.6.0.106.pdf" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://share.netmodule.com/public/system-software/4.8/4.8.0.101/NRSW-RN-4.8.0.101.pdf" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
|
|
||
| ], | ||
| "severity": null, | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": null | ||
| } | ||
| } |
47 changes: 47 additions & 0 deletions
47
advisories/unreviewed/2023/10/GHSA-9x43-5qcq-h79q/GHSA-9x43-5qcq-h79q.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-9x43-5qcq-h79q", | ||
| "modified": "2023-10-22T21:36:10Z", | ||
| "published": "2023-10-22T21:36:10Z", | ||
| "aliases": [ | ||
| "CVE-2021-46898" | ||
| ], | ||
| "details": "views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith(\"/\") but this does not consider a protocol-relative URL (e.g., //example.com) attack.", | ||
| "severity": [ | ||
|
|
||
| ], | ||
| "affected": [ | ||
|
|
||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46898" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/sehmaschine/django-grappelli/issues/975" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/sehmaschine/django-grappelli/pull/976" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/sehmaschine/django-grappelli/commit/4ca94bcda0fa2720594506853d85e00c8212968f" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/sehmaschine/django-grappelli/compare/2.15.1...2.15.2" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
|
|
||
| ], | ||
| "severity": null, | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": null | ||
| } | ||
| } |
43 changes: 43 additions & 0 deletions
43
advisories/unreviewed/2023/10/GHSA-h454-rq3m-89rc/GHSA-h454-rq3m-89rc.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-h454-rq3m-89rc", | ||
| "modified": "2023-10-22T21:36:10Z", | ||
| "published": "2023-10-22T21:36:10Z", | ||
| "aliases": [ | ||
| "CVE-2021-46897" | ||
| ], | ||
| "details": "views.py in Wagtail CRX CodeRed Extensions (formerly CodeRed CMS or coderedcms) before 0.22.3 allows upward protected/..%2f..%2f path traversal when serving protected media.", | ||
| "severity": [ | ||
|
|
||
| ], | ||
| "affected": [ | ||
|
|
||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46897" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/coderedcorp/coderedcms/issues/448" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/coderedcorp/coderedcms/pull/450" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/coderedcorp/coderedcms/compare/v0.22.2...v0.22.3" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
|
|
||
| ], | ||
| "severity": null, | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": null | ||
| } | ||
| } |