Auto Generated cves.json [Fri Apr 7 19:22:52 UTC 2023] :robot:
actions-user committed Apr 7, 2023
1 parent 0806aad commit 8cd2e27
Showing 2 changed files with 3 additions and 2 deletions.
3 changes: 2 additions & 1 deletion cves.json
@@ -1237,7 +1237,7 @@
{"ID":"CVE-2021-38704","Info":{"Name":"ClinicCases 7.3.3 Cross-Site Scripting","Severity":"medium","Description":"ClinicCases 7.3.3 is susceptible to multiple reflected cross-site scripting vulnerabilities that could allow unauthenticated attackers to introduce arbitrary JavaScript by crafting a malicious URL. This can result in account takeover via session token theft.","Classification":{"CVSSScore":"6.1"}},"file_path":"cves/2021/CVE-2021-38704.yaml"}
{"ID":"CVE-2021-38751","Info":{"Name":"ExponentCMS \u003c= 2.6 - Host Header Injection","Severity":"medium","Description":"An HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value,leading to a possible attack vector for MITM.","Classification":{"CVSSScore":"4.3"}},"file_path":"cves/2021/CVE-2021-38751.yaml"}
{"ID":"CVE-2021-39141","Info":{"Name":"XStream 1.4.18 - Remote Code Execution","Severity":"high","Description":"XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.\n","Classification":{"CVSSScore":"8.5"}},"file_path":"cves/2021/CVE-2021-39141.yaml"}
{"ID":"CVE-2021-39144","Info":{"Name":"XStream - Remote Code Execution","Severity":"high","Description":"XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n","Classification":{"CVSSScore":"8.5"}},"file_path":"cves/2021/CVE-2021-39144 .yaml"}
{"ID":"CVE-2021-39144","Info":{"Name":"XStream - Remote Code Execution","Severity":"high","Description":"XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n","Classification":{"CVSSScore":"8.5"}},"file_path":"cves/2021/CVE-2021-39144.yaml"}
{"ID":"CVE-2021-39146","Info":{"Name":"XStream - Arbitrary Code Execution","Severity":"high","Description":"XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\nXStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n","Classification":{"CVSSScore":"8.5"}},"file_path":"cves/2021/CVE-2021-39146.yaml"}
{"ID":"CVE-2021-39152","Info":{"Name":"Xstream - Server Side Request Forgery","Severity":"high","Description":"XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8.\n","Classification":{"CVSSScore":"8.5"}},"file_path":"cves/2021/CVE-2021-39152.yaml"}
{"ID":"CVE-2021-39211","Info":{"Name":"GLPI 9.2/\u003c9.5.6 - Information Disclosure","Severity":"medium","Description":"GLPI 9.2 and prior to 9.5.6 is susceptible to information disclosure via the telemetry endpoint, which discloses GLPI and server information. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.","Classification":{"CVSSScore":"5.3"}},"file_path":"cves/2021/CVE-2021-39211.yaml"}
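Review bot: the only content change in this hunk is the file_path of the CVE-2021-39144 record, from `cves/2021/CVE-2021-39144 .yaml` (with a stray space before `.yaml`) to `cves/2021/CVE-2021-39144.yaml`; any consumer that resolves template paths from this index would have failed to locate the file under the old value. Because the commit message states the file is auto-generated, this fix only sticks if the underlying template file was renamed in the templates tree in the same change, so it is worth confirming the rename landed there rather than in this JSON alone. The other lines in the hunk are unchanged context.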
@@ -1692,6 +1692,7 @@
{"ID":"CVE-2023-0942","Info":{"Name":"Japanized For WooCommerce \u003c 2.5.5 - Cross Site Scripting","Severity":"medium","Description":"Japanized For WooCommerce \u003c 2.5.5 is vulnerable to Reflected Cross-Site Scripting via the tab parameter in versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"cves/2023/CVE-2023-0942.yaml"}
{"ID":"CVE-2023-0968","Info":{"Name":"Watu Quiz \u003c 3.3.9.1 - Cross Site Scripting","Severity":"medium","Description":"The plugin does not sanitise and escape some parameters ((such as email, dn, date and points) before outputting then back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin\n","Classification":{"CVSSScore":"6.1"}},"file_path":"cves/2023/CVE-2023-0968.yaml"}
{"ID":"CVE-2023-1080","Info":{"Name":"GN Publisher \u003c 1.5.6 - Cross Site Scripting","Severity":"medium","Description":"GN Publisher plugin \u003c 1.5.6 vulnerable to Reflected Cross-Site Scripting via the tab parameter in versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"cves/2023/CVE-2023-1080.yaml"}
{"ID":"CVE-2023-1177","Info":{"Name":"mlflow \u003e 2.2.1 - Local File Inclusion","Severity":"high","Description":"Path Traversal '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"cves/2023/CVE-2023-1177.yaml"}
{"ID":"CVE-2023-23488","Info":{"Name":"WordPress Paid Memberships Pro \u003c2.9.8 - Blind SQL Injection","Severity":"critical","Description":"WordPress Paid Memberships Pro plugin before 2.9.8 contains a blind SQL injection vulnerability in the 'code' parameter of the /pmpro/v1/order REST route. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"cves/2023/CVE-2023-23488.yaml"}
{"ID":"CVE-2023-23489","Info":{"Name":"WordPress Easy Digital Downloads 3.1.0.2/3.1.0.3 - SQL Injection","Severity":"critical","Description":"WordPress Easy Digital Downloads plugin 3.1.0.2 and 3.1.0.3 contains a SQL injection vulnerability in the s parameter of its edd_download_search action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"cves/2023/CVE-2023-23489.yaml"}
{"ID":"CVE-2023-23492","Info":{"Name":"Login with Phone Number - Cross-Site Scripting","Severity":"high","Description":"Login with Phone Number, versions \u003c 1.4.2, is affected by an reflected XSS vulnerability in the login-with-phonenumber.php' file in the 'lwp_forgot_password()' function.\n\nNote that CVE-2023-23492 incorrectly describes and scores this as SQL injection vulnerability.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"cves/2023/CVE-2023-23492.yaml"}
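Review bot: the added CVE-2023-1177 record's Name reads `mlflow \u003e 2.2.1 - Local File Inclusion` (that is, mlflow > 2.2.1) while its Description says the flaw affects mlflow `prior to 2.2.1`; the version qualifier in the name is inverted and should be `\u003c 2.2.1` to agree with the description. The same record pairs `"Severity":"high"` with `"CVSSScore":"N/A"`, whereas every other record in this hunk carries a numeric score; if the score is not yet published, a follow-up to backfill it would keep severity and score consistent across the file.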
2 changes: 1 addition & 1 deletion cves.json-checksum.txt
@@ -1 +1 @@
3ab9b6d2ad2fc671811998476552c078
6ce90d2b4ff929b5da49f918188c907c
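Review bot: a bare digest committed beside the data, as in this one-line replacement of the 32-hex-character checksum, detects accidental corruption of cves.json but not tampering, since whoever can modify cves.json in the repository can update this file in the same commit; if integrity against tampering is a goal, signing the generated artifact (or the commit) is the control that provides it. The replacement itself is expected given that cves.json changed in the same commit; a consumer should recompute the digest over the new cves.json and compare it to this value rather than trusting the file as-is.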
