From 4126332ae6b2679db47ff656663c3df510f18c3e Mon Sep 17 00:00:00 2001 From: sullo Date: Tue, 18 Apr 2023 09:53:50 -0400 Subject: [PATCH] Updates after review --- cves/2019/CVE-2019-10405.yaml | 4 ++-- cves/2020/CVE-2020-5775.yaml | 4 ++-- cves/2022/CVE-2022-46169.yaml | 2 +- exposed-panels/openx-panel.yaml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cves/2019/CVE-2019-10405.yaml b/cves/2019/CVE-2019-10405.yaml index 69a1426639..84a6120b0d 100644 --- a/cves/2019/CVE-2019-10405.yaml +++ b/cves/2019/CVE-2019-10405.yaml @@ -1,10 +1,10 @@ id: CVE-2019-10405 info: - name: Jenkins <=2.196 - Cross-Site Scripting + name: Jenkins <=2.196 - Cookie Exposure author: c-sh0 severity: medium - description: Jenkins through 2.196, LTS 2.176.3 and earlier, contains a cross-site scripting vulnerability. An attacker can print the value of the cookie on the /whoAmI/ URL despite it being marked HttpOnly, thus making it possible to inject arbitrary script in the browser of an unsuspecting user, steal cookie-based authentication credentials and launch other attacks. + description: Jenkins through 2.196, LTS 2.176.3 and earlier prints the value of the cookie on the /whoAmI/ URL despite it being marked HttpOnly, thus making it possible to steal cookie-based authentication credentials if the URL is exposed or accessed via another cross-site scripting issue. reference: - https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1505 - http://www.openwall.com/lists/oss-security/2019/09/25/3 diff --git a/cves/2020/CVE-2020-5775.yaml b/cves/2020/CVE-2020-5775.yaml index 8735a89eb5..a55a58f2cb 100644 --- a/cves/2020/CVE-2020-5775.yaml +++ b/cves/2020/CVE-2020-5775.yaml @@ -1,10 +1,10 @@ id: CVE-2020-5775 info: - name: Canvas 2020-07-29 - Blind Server-Side Request Forgery + name: Canvas LMS v2020-07-29 - Blind Server-Side Request Forgery author: alph4byt3 severity: medium - description: Canvas 2020-07-29 is susceptible to blind server-side request forgery. An attacker can cause Canvas to perform HTTP GET requests to arbitrary domains and thus potentially access sensitive information, modify data, and/or execute unauthorized operations. + description: Canvas version 2020-07-29 is susceptible to blind server-side request forgery. An attacker can cause Canvas to perform HTTP GET requests to arbitrary domains and thus potentially access sensitive information, modify data, and/or execute unauthorized operations. reference: - https://www.tenable.com/security/research/tra-2020-49 - https://nvd.nist.gov/vuln/detail/CVE-2020-5775 diff --git a/cves/2022/CVE-2022-46169.yaml b/cves/2022/CVE-2022-46169.yaml index 051e772333..b60cc861e2 100644 --- a/cves/2022/CVE-2022-46169.yaml +++ b/cves/2022/CVE-2022-46169.yaml @@ -2,7 +2,7 @@ id: CVE-2022-46169 info: name: Cacti <=1.2.22 - Remote Command Injection - author: Hardik-Solanki + author: Hardik-Solanki,j4vaovo severity: critical description: | Cacti through 1.2.22 is susceptible to remote command injection. There is insufficient authorization within the remote agent when handling HTTP requests with a custom Forwarded-For HTTP header. An attacker can send a specially crafted HTTP request to the affected instance and execute arbitrary OS commands on the server, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. diff --git a/exposed-panels/openx-panel.yaml b/exposed-panels/openx-panel.yaml index d351a5b860..38c792220e 100644 --- a/exposed-panels/openx-panel.yaml +++ b/exposed-panels/openx-panel.yaml @@ -4,7 +4,7 @@ info: name: OpenX Login Panel - Detect author: pikpikcu severity: info - description: OpenX login panel was detected. + description: OpenX login panel was detected. Note that OpenX is now Revive Adserver. classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N cvss-score: 0.0