CWE-184
Incomplete List of Disallowed Inputs
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
CVE-2024-20278 (GCVE-0-2024-20278)
Vulnerability from cvelistv5 – Published: 2024-03-27 16:59 – Updated: 2024-08-15 16:45
VLAI
Summary
A vulnerability in the NETCONF feature of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate privileges to root on an affected device.
This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted input over NETCONF to an affected device. A successful exploit could allow the attacker to elevate privileges from Administrator to root.
Severity
6.5 (Medium)
CWE
- CWE-184 - Incomplete List of Disallowed Inputs
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cisco | Cisco IOS XE Software |
Affected:
17.6.1
Affected: 17.6.2 Affected: 17.6.1w Affected: 17.6.1a Affected: 17.6.1x Affected: 17.6.3 Affected: 17.6.1y Affected: 17.6.1z Affected: 17.6.3a Affected: 17.6.4 Affected: 17.6.1z1 Affected: 17.6.5 Affected: 17.6.6 Affected: 17.6.6a Affected: 17.6.5a Affected: 17.7.1 Affected: 17.7.1a Affected: 17.7.1b Affected: 17.7.2 Affected: 17.10.1 Affected: 17.10.1a Affected: 17.10.1b Affected: 17.8.1 Affected: 17.8.1a Affected: 17.9.1 Affected: 17.9.1w Affected: 17.9.2 Affected: 17.9.1a Affected: 17.9.1x Affected: 17.9.1y Affected: 17.9.3 Affected: 17.9.2a Affected: 17.9.1x1 Affected: 17.9.3a Affected: 17.9.4 Affected: 17.9.1y1 Affected: 17.9.4a Affected: 17.11.1 Affected: 17.11.1a Affected: 17.12.1 Affected: 17.12.1w Affected: 17.12.1a Affected: 17.11.99SW |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:59:41.100Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "cisco-sa-iosxe-priv-esc-seAx6NLX",
"tags": [
"x_transferred"
],
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-seAx6NLX"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:cisco:ios_xe:17.6.1:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.6.2:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.6.1w:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.6.1a:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.6.1x:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.6.3:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.6.1y:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.6.1z:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.6.3a:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.6.4:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.6.1z1:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.6.5:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.6.6:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.6.6a:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.6.5a:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.7.1:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.7.1a:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.7.1b:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.7.2:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.10.1:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.10.1a:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.10.1b:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.8.1:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.8.1a:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.9.1:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.9.1w:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.9.2:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.9.1a:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.9.1x:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.9.1y:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.9.3:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.9.2a:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.9.1x1:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.9.3a:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.9.4:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.9.1y1:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.9.4a:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.11.1:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.11.1a:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.12.1:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.12.1w:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.12.1a:*:*:*:*:*:*:*",
"cpe:2.3:o:cisco:ios_xe:17.11.99sw:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ios_xe",
"vendor": "cisco",
"versions": [
{
"status": "affected",
"version": "17.6.1"
},
{
"status": "affected",
"version": "17.6.2"
},
{
"status": "affected",
"version": "17.6.1w"
},
{
"status": "affected",
"version": "17.6.1a"
},
{
"status": "affected",
"version": "17.6.1x"
},
{
"status": "affected",
"version": "17.6.3"
},
{
"status": "affected",
"version": "17.6.1y"
},
{
"status": "affected",
"version": "17.6.1z"
},
{
"status": "affected",
"version": "17.6.3a"
},
{
"status": "affected",
"version": "17.6.4"
},
{
"status": "affected",
"version": "17.6.1z1"
},
{
"status": "affected",
"version": "17.6.5"
},
{
"status": "affected",
"version": "17.6.6"
},
{
"status": "affected",
"version": "17.6.6a"
},
{
"status": "affected",
"version": "17.6.5a"
},
{
"status": "affected",
"version": "17.7.1"
},
{
"status": "affected",
"version": "17.7.1a"
},
{
"status": "affected",
"version": "17.7.1b"
},
{
"status": "affected",
"version": "17.7.2"
},
{
"status": "affected",
"version": "17.10.1"
},
{
"status": "affected",
"version": "17.10.1a"
},
{
"status": "affected",
"version": "17.10.1b"
},
{
"status": "affected",
"version": "17.8.1"
},
{
"status": "affected",
"version": "17.8.1a"
},
{
"status": "affected",
"version": "17.9.1"
},
{
"status": "affected",
"version": "17.9.1w"
},
{
"status": "affected",
"version": "17.9.2"
},
{
"status": "affected",
"version": "17.9.1a"
},
{
"status": "affected",
"version": "17.9.1x"
},
{
"status": "affected",
"version": "17.9.1y"
},
{
"status": "affected",
"version": "17.9.3"
},
{
"status": "affected",
"version": "17.9.2a"
},
{
"status": "affected",
"version": "17.9.1x1"
},
{
"status": "affected",
"version": "17.9.3a"
},
{
"status": "affected",
"version": "17.9.4"
},
{
"status": "affected",
"version": "17.9.1y1"
},
{
"status": "affected",
"version": "17.9.4a"
},
{
"status": "affected",
"version": "17.11.1"
},
{
"status": "affected",
"version": "17.11.1a"
},
{
"status": "affected",
"version": "17.12.1"
},
{
"status": "affected",
"version": "17.12.1w"
},
{
"status": "affected",
"version": "17.12.1a"
},
{
"status": "affected",
"version": "17.11.99sw"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-20278",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T04:00:40.599661Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-15T16:45:09.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco IOS XE Software",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "17.6.1"
},
{
"status": "affected",
"version": "17.6.2"
},
{
"status": "affected",
"version": "17.6.1w"
},
{
"status": "affected",
"version": "17.6.1a"
},
{
"status": "affected",
"version": "17.6.1x"
},
{
"status": "affected",
"version": "17.6.3"
},
{
"status": "affected",
"version": "17.6.1y"
},
{
"status": "affected",
"version": "17.6.1z"
},
{
"status": "affected",
"version": "17.6.3a"
},
{
"status": "affected",
"version": "17.6.4"
},
{
"status": "affected",
"version": "17.6.1z1"
},
{
"status": "affected",
"version": "17.6.5"
},
{
"status": "affected",
"version": "17.6.6"
},
{
"status": "affected",
"version": "17.6.6a"
},
{
"status": "affected",
"version": "17.6.5a"
},
{
"status": "affected",
"version": "17.7.1"
},
{
"status": "affected",
"version": "17.7.1a"
},
{
"status": "affected",
"version": "17.7.1b"
},
{
"status": "affected",
"version": "17.7.2"
},
{
"status": "affected",
"version": "17.10.1"
},
{
"status": "affected",
"version": "17.10.1a"
},
{
"status": "affected",
"version": "17.10.1b"
},
{
"status": "affected",
"version": "17.8.1"
},
{
"status": "affected",
"version": "17.8.1a"
},
{
"status": "affected",
"version": "17.9.1"
},
{
"status": "affected",
"version": "17.9.1w"
},
{
"status": "affected",
"version": "17.9.2"
},
{
"status": "affected",
"version": "17.9.1a"
},
{
"status": "affected",
"version": "17.9.1x"
},
{
"status": "affected",
"version": "17.9.1y"
},
{
"status": "affected",
"version": "17.9.3"
},
{
"status": "affected",
"version": "17.9.2a"
},
{
"status": "affected",
"version": "17.9.1x1"
},
{
"status": "affected",
"version": "17.9.3a"
},
{
"status": "affected",
"version": "17.9.4"
},
{
"status": "affected",
"version": "17.9.1y1"
},
{
"status": "affected",
"version": "17.9.4a"
},
{
"status": "affected",
"version": "17.11.1"
},
{
"status": "affected",
"version": "17.11.1a"
},
{
"status": "affected",
"version": "17.12.1"
},
{
"status": "affected",
"version": "17.12.1w"
},
{
"status": "affected",
"version": "17.12.1a"
},
{
"status": "affected",
"version": "17.11.99SW"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the NETCONF feature of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate privileges to root on an affected device.\r\n\r This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted input over NETCONF to an affected device. A successful exploit could allow the attacker to elevate privileges from Administrator to root."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "cvssV3_1"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-27T16:59:12.963Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "cisco-sa-iosxe-priv-esc-seAx6NLX",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-seAx6NLX"
}
],
"source": {
"advisory": "cisco-sa-iosxe-priv-esc-seAx6NLX",
"defects": [
"CSCwf91143"
],
"discovery": "INTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2024-20278",
"datePublished": "2024-03-27T16:59:12.963Z",
"dateReserved": "2023-11-08T15:08:07.625Z",
"dateUpdated": "2024-08-15T16:45:09.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23336 (GCVE-0-2024-23336)
Vulnerability from cvelistv5 – Published: 2024-05-01 06:27 – Updated: 2024-08-01 22:59
VLAI
Title
Incomplete disallowed remote addresses list in MyBB
Summary
MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list.
Severity
5 (Medium)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mybb/mybb/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/mybb/mybb/commit/d6a96019025de… | x_refsource_MISC |
| https://docs.mybb.com/1.8/administration/configur… | x_refsource_MISC |
| https://mybb.com/versions/1.8.38 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mybb",
"vendor": "mybb",
"versions": [
{
"lessThan": "1.8.38",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23336",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-01T13:48:54.371730Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T14:06:34.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:32.176Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h"
},
{
"name": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630"
},
{
"name": "https://docs.mybb.com/1.8/administration/configuration-file",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.mybb.com/1.8/administration/configuration-file"
},
{
"name": "https://mybb.com/versions/1.8.38",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mybb.com/versions/1.8.38"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mybb",
"vendor": "mybb",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.38"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File\u0027s _Disallowed Remote Addresses_ list (`$config[\u0027disallowed_remote_addresses\u0027]`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8\u0027 to their disallowed address list."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T06:27:37.987Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h"
},
{
"name": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630"
},
{
"name": "https://docs.mybb.com/1.8/administration/configuration-file",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.mybb.com/1.8/administration/configuration-file"
},
{
"name": "https://mybb.com/versions/1.8.38",
"tags": [
"x_refsource_MISC"
],
"url": "https://mybb.com/versions/1.8.38"
}
],
"source": {
"advisory": "GHSA-qfrj-65mv-h75h",
"discovery": "UNKNOWN"
},
"title": "Incomplete disallowed remote addresses list in MyBB"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23336",
"datePublished": "2024-05-01T06:27:37.987Z",
"dateReserved": "2024-01-15T15:19:19.443Z",
"dateUpdated": "2024-08-01T22:59:32.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28246 (GCVE-0-2024-28246)
Vulnerability from cvelistv5 – Published: 2024-03-25 20:00 – Updated: 2024-08-02 00:48
VLAI
Title
KaTeX is missing normalization of the protocol in URLs allows bypassing forbidden protocols
Summary
KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's `trust` option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate `javascript:` links in the output, even if the `trust` function tries to forbid this protocol via `trust: (context) => context.protocol !== 'javascript'`. Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Severity
5.5 (Medium)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/KaTeX/KaTeX/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/KaTeX/KaTeX/commit/fc5af64183a… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28246",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-16T00:04:56.873982Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-16T00:05:12.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.457Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/KaTeX/KaTeX/security/advisories/GHSA-3wc5-fcw2-2329",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/KaTeX/KaTeX/security/advisories/GHSA-3wc5-fcw2-2329"
},
{
"name": "https://github.com/KaTeX/KaTeX/commit/fc5af64183a3ceb9be9d1c23a275999a728593de",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/KaTeX/KaTeX/commit/fc5af64183a3ceb9be9d1c23a275999a728593de"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "KaTeX",
"vendor": "KaTeX",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.11.0, \u003c 0.16.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX\u0027s `trust` option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate `javascript:` links in the output, even if the `trust` function tries to forbid this protocol via `trust: (context) =\u003e context.protocol !== \u0027javascript\u0027`. Upgrade to KaTeX v0.16.10 to remove this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-697",
"description": "CWE-697: Incorrect Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-25T20:00:17.211Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/KaTeX/KaTeX/security/advisories/GHSA-3wc5-fcw2-2329",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/KaTeX/KaTeX/security/advisories/GHSA-3wc5-fcw2-2329"
},
{
"name": "https://github.com/KaTeX/KaTeX/commit/fc5af64183a3ceb9be9d1c23a275999a728593de",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/KaTeX/KaTeX/commit/fc5af64183a3ceb9be9d1c23a275999a728593de"
}
],
"source": {
"advisory": "GHSA-3wc5-fcw2-2329",
"discovery": "UNKNOWN"
},
"title": "KaTeX is missing normalization of the protocol in URLs allows bypassing forbidden protocols"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28246",
"datePublished": "2024-03-25T20:00:17.211Z",
"dateReserved": "2024-03-07T14:33:30.036Z",
"dateUpdated": "2024-08-02T00:48:49.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30103 (GCVE-0-2024-30103)
Vulnerability from cvelistv5 – Published: 2024-06-11 17:00 – Updated: 2025-12-17 22:23
VLAI
Title
Microsoft Outlook Remote Code Execution Vulnerability
Summary
Microsoft Outlook Remote Code Execution Vulnerability
Severity
CWE
- CWE-184 - Incomplete List of Disallowed Inputs
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisory |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Microsoft Office 2019 |
Affected:
19.0.0 , < https://aka.ms/OfficeSecurityReleases
(custom)
|
|
| Microsoft | Microsoft 365 Apps for Enterprise |
Affected:
16.0.1 , < https://aka.ms/OfficeSecurityReleases
(custom)
|
|
| Microsoft | Microsoft Office LTSC 2021 |
Affected:
16.0.1 , < https://aka.ms/OfficeSecurityReleases
(custom)
|
|
| Microsoft | Microsoft Outlook 2016 |
Affected:
16.0.0.0 , < 16.0.5452.1000
(custom)
|
Date Public
2024-06-11 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30103",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T03:55:52.716Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:25:02.885Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Microsoft Outlook Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30103"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Office 2019",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "https://aka.ms/OfficeSecurityReleases",
"status": "affected",
"version": "19.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft 365 Apps for Enterprise",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "https://aka.ms/OfficeSecurityReleases",
"status": "affected",
"version": "16.0.1",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64-based Systems",
"32-bit Systems"
],
"product": "Microsoft Office LTSC 2021",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "https://aka.ms/OfficeSecurityReleases",
"status": "affected",
"version": "16.0.1",
"versionType": "custom"
}
]
},
{
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Outlook 2016",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "16.0.5452.1000",
"status": "affected",
"version": "16.0.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*",
"versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
"versionStartIncluding": "19.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*",
"versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
"versionStartIncluding": "16.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*",
"versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
"versionStartIncluding": "16.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:outlook_2016:*:*:*:*:*:x86:*:*",
"versionEndExcluding": "16.0.5452.1000",
"versionStartIncluding": "16.0.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2024-06-11T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Microsoft Outlook Remote Code Execution Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete List of Disallowed Inputs",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T22:23:41.720Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft Outlook Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30103"
}
],
"title": "Microsoft Outlook Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2024-30103",
"datePublished": "2024-06-11T17:00:04.279Z",
"dateReserved": "2024-03-22T23:12:15.573Z",
"dateUpdated": "2025-12-17T22:23:41.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32152 (GCVE-0-2024-32152)
Vulnerability from cvelistv5 – Published: 2024-07-22 14:20 – Updated: 2025-11-04 17:20
VLAI
Summary
A blocklist bypass vulnerability exists in the LaTeX functionality of Ankitects Anki 24.04. A specially crafted malicious flashcard can lead to an arbitrary file creation at a fixed path. An attacker can share a malicious flashcard to trigger this vulnerability.
Severity
CWE
- CWE-184 - Incomplete Blacklist
Assigner
References
1 reference
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ankitects:anki:24.04:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "anki",
"vendor": "ankitects",
"versions": [
{
"status": "affected",
"version": "24.04"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32152",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T14:44:22.356022Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T20:30:56.370Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T17:20:17.676Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1994",
"tags": [
"x_transferred"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1994"
},
{
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1994"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Anki",
"vendor": "Ankitects",
"versions": [
{
"status": "affected",
"version": "24.04"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Discovered by Autumn Bee Skerritt of Cisco Duo Security and Jacob B."
}
],
"descriptions": [
{
"lang": "en",
"value": "A blocklist bypass vulnerability exists in the LaTeX functionality of Ankitects Anki 24.04. A specially crafted malicious flashcard can lead to an arbitrary file creation at a fixed path. An attacker can share a malicious flashcard to trigger this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete Blacklist",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T17:00:07.387Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1994",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1994"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2024-32152",
"datePublished": "2024-07-22T14:20:26.096Z",
"dateReserved": "2024-05-06T16:39:15.937Z",
"dateUpdated": "2025-11-04T17:20:17.676Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-51745 (GCVE-0-2024-51745)
Vulnerability from cvelistv5 – Published: 2024-11-05 21:09 – Updated: 2024-11-05 21:28
VLAI
Title
Wasmtime doesn't fully sandbox all the Windows device filenames
Summary
Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. Untrusted Wasm programs that are given access to any filesystem directory could bypass the sandbox and access devices through those special device filenames with superscript digits, and through them gain access peripheral devices connected to the computer, or network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial ports. Patch releases for Wasmtime have been issued as 24.0.2, 25.0.3, and 26.0.1. Users of Wasmtime 23.0.x and prior are recommended to upgrade to one of these patched versions. There are no known workarounds for this issue. Affected Windows users are recommended to upgrade.
Severity
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/bytecodealliance/wasmtime/secu… | x_refsource_CONFIRM |
| https://github.com/bytecodealliance/cap-std/pull/371 | x_refsource_MISC |
| https://en.wikipedia.org/wiki/ISO/IEC_8859-1 | x_refsource_MISC |
| https://learn.microsoft.com/en-us/windows/win32/f… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| bytecodealliance | wasmtime |
Affected:
< 24.0.2
Affected: >= 25.0.0, < 25.0.3 Affected: = 26.0.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51745",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T21:28:24.494004Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T21:28:34.001Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "wasmtime",
"vendor": "bytecodealliance",
"versions": [
{
"status": "affected",
"version": "\u003c 24.0.2"
},
{
"status": "affected",
"version": "\u003e= 25.0.0, \u003c 25.0.3"
},
{
"status": "affected",
"version": "= 26.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime\u0027s filesystem sandbox implementation on Windows blocks access to special device filenames such as \"COM1\", \"COM2\", \"LPT0\", \"LPT1\", and so on, however it did not block access to the special device filenames which use superscript digits, such as \"COM\u00b9\", \"COM\u00b2\", \"LPT\u2070\", \"LPT\u00b9\", and so on. Untrusted Wasm programs that are given access to any filesystem directory could bypass the sandbox and access devices through those special device filenames with superscript digits, and through them gain access peripheral devices connected to the computer, or network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial ports. Patch releases for Wasmtime have been issued as 24.0.2, 25.0.3, and 26.0.1. Users of Wasmtime 23.0.x and prior are recommended to upgrade to one of these patched versions. There are no known workarounds for this issue. Affected Windows users are recommended to upgrade."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-67",
"description": "CWE-67: Improper Handling of Windows Device Names",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T21:09:43.943Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-c2f5-jxjv-2hh8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-c2f5-jxjv-2hh8"
},
{
"name": "https://github.com/bytecodealliance/cap-std/pull/371",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bytecodealliance/cap-std/pull/371"
},
{
"name": "https://en.wikipedia.org/wiki/ISO/IEC_8859-1",
"tags": [
"x_refsource_MISC"
],
"url": "https://en.wikipedia.org/wiki/ISO/IEC_8859-1"
},
{
"name": "https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file#naming-conventions",
"tags": [
"x_refsource_MISC"
],
"url": "https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file#naming-conventions"
}
],
"source": {
"advisory": "GHSA-c2f5-jxjv-2hh8",
"discovery": "UNKNOWN"
},
"title": "Wasmtime doesn\u0027t fully sandbox all the Windows device filenames"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-51745",
"datePublished": "2024-11-05T21:09:43.943Z",
"dateReserved": "2024-10-31T14:12:45.790Z",
"dateUpdated": "2024-11-05T21:28:34.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5178 (GCVE-0-2024-5178)
Vulnerability from cvelistv5 – Published: 2024-07-10 16:23 – Updated: 2024-08-01 21:03
VLAI
Title
Incomplete Input Validation in SecurelyAccess API
Summary
ServiceNow has addressed a sensitive file read vulnerability that was identified in the Washington DC, Vancouver, and Utah Now Platform releases. This vulnerability could allow an administrative user to gain unauthorized access to sensitive files on the web application server. The vulnerability is addressed in the listed patches and hot fixes, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Severity
4.9 (Medium)
CWE
- CWE-184 - Incomplete List of Disallowed Inputs
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://support.servicenow.com/kb?id=kb_article_v… | |
| https://support.servicenow.com/kb?id=kb_article_v… | x_login-required |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ServiceNow | Now Platform |
Affected:
0 , < Utah Patch 10 Hot Fix 3
(custom)
Affected: 0 , < Utah Patch 10a Hot Fix 2 (custom) Affected: 0 , < Utah Patch 10b Hot Fix 1 (custom) Affected: 0 , < Vancouver Patch 6 Hot Fix 2 (custom) Affected: 0 , < Vancouver Patch 7 Hot Fix 3b (custom) Affected: 0 , < Vancouver Patch 8 Hot Fix 4 (custom) Affected: 0 , < Vancouver Patch 9 Hot Fix 1 (custom) Affected: 0 , < Vancouver Patch 10 (custom) Affected: 0 , < Washington DC Patch 1 Hot Fix 3b (custom) Affected: 0 , < Washington DC Patch 2 Hot Fix 2 (custom) Affected: 0 , < Washington DC Patch 3 Hot Fix 2 (custom) Affected: 0 , < Washington DC Patch 4 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5178",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-11T16:42:23.827649Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-11T16:42:33.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:03:11.076Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB1648312"
},
{
"tags": [
"x_login-required",
"x_transferred"
],
"url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB1644293"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Now Platform",
"vendor": "ServiceNow",
"versions": [
{
"lessThan": "Utah Patch 10 Hot Fix 3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Utah Patch 10a Hot Fix 2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Utah Patch 10b Hot Fix 1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Vancouver Patch 6 Hot Fix 2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Vancouver Patch 7 Hot Fix 3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Vancouver Patch 8 Hot Fix 4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Vancouver Patch 9 Hot Fix 1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Vancouver Patch 10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Washington DC Patch 1 Hot Fix 3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Washington DC Patch 2 Hot Fix 2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Washington DC Patch 3 Hot Fix 2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Washington DC Patch 4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adam Kues"
},
{
"lang": "en",
"type": "finder",
"value": "Assetnote Attack Surface Management"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eServiceNow has addressed a sensitive file read vulnerability that was identified in the Washington DC, Vancouver, and Utah Now Platform releases. This vulnerability could allow an administrative user to gain unauthorized access to sensitive files on the web application server.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe vulnerability is addressed in the listed patches and hot fixes, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "ServiceNow has addressed a sensitive file read vulnerability that was identified in the Washington DC, Vancouver, and Utah Now Platform releases. This vulnerability could allow an administrative user to gain unauthorized access to sensitive files on the web application server.\u00a0The vulnerability is addressed in the listed patches and hot fixes, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184 Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-11T21:35:29.680Z",
"orgId": "303448ea-6ef3-4077-ad29-5c9bf253c375",
"shortName": "SN"
},
"references": [
{
"url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB1648312"
},
{
"tags": [
"x_login-required"
],
"url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB1644293"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incomplete Input Validation in SecurelyAccess API",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "303448ea-6ef3-4077-ad29-5c9bf253c375",
"assignerShortName": "SN",
"cveId": "CVE-2024-5178",
"datePublished": "2024-07-10T16:23:39.270Z",
"dateReserved": "2024-05-21T16:40:28.169Z",
"dateUpdated": "2024-08-01T21:03:11.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5217 (GCVE-0-2024-5217)
Vulnerability from cvelistv5 – Published: 2024-07-10 16:28 – Updated: 2025-10-21 22:55
VLAI
Title
Incomplete Input Validation in GlideExpression Script
Summary
ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Severity
9.8 (Critical)
CWE
- CWE-184 - Incomplete List of Disallowed Inputs
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ServiceNow | Now Platform |
Affected:
0 , < Utah Patch 10 Hot Fix 3
(custom)
Affected: 0 , < Utah Patch 10a Hot Fix 2 (custom) Affected: 0 , < Utah Patch 10b Hot Fix 1 (custom) Affected: 0 , < Vancouver Patch 6 Hot Fix 2 (custom) Affected: 0 , < Vancouver Patch 7 Hot Fix 3b (custom) Affected: 0 , < Vancouver Patch 8 Hot Fix 4 (custom) Affected: 0 , < Vancouver Patch 9 Hot Fix 1 (custom) Affected: 0 , < Vancouver Patch 10 (custom) Affected: 0 , < Washington DC Patch 1 Hot Fix 3b (custom) Affected: 0 , < Washington DC Patch 2 Hot Fix 2 (custom) Affected: 0 , < Washington DC Patch 3 Hot Fix 2 (custom) Affected: 0 , < Washington DC Patch 4 (custom) Affected: 0 , < Washington DC Patch 5 (custom) |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "servicenow",
"vendor": "servicenow",
"versions": [
{
"lessThan": "utah_patch_10_hot_fix_3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10a_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10b_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_6_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_7_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_8_hot_fix_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_9_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_1_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_2_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_3_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "servicenow",
"vendor": "servicenow",
"versions": [
{
"lessThan": "utah_patch_10_hot_fix_3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10a_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10b_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_6_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_7_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_8_hot_fix_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_9_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_1_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_2_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_3_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "servicenow",
"vendor": "servicenow",
"versions": [
{
"lessThan": "utah_patch_10_hot_fix_3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10a_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10b_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_6_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_7_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_8_hot_fix_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_9_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_1_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_2_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_3_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "servicenow",
"vendor": "servicenow",
"versions": [
{
"lessThan": "utah_patch_10_hot_fix_3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10a_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10b_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_6_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_7_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_8_hot_fix_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_9_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_1_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_2_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_3_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "servicenow",
"vendor": "servicenow",
"versions": [
{
"lessThan": "utah_patch_10_hot_fix_3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10a_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10b_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_6_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_7_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_8_hot_fix_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_9_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_1_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_2_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_3_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "servicenow",
"vendor": "servicenow",
"versions": [
{
"lessThan": "utah_patch_10_hot_fix_3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10a_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10b_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_6_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_7_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_8_hot_fix_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_9_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_1_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_2_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_3_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "servicenow",
"vendor": "servicenow",
"versions": [
{
"lessThan": "utah_patch_10_hot_fix_3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10a_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10b_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_6_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_7_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_8_hot_fix_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_9_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_1_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_2_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_3_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "servicenow",
"vendor": "servicenow",
"versions": [
{
"lessThan": "utah_patch_10_hot_fix_3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10a_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10b_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_6_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_7_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_8_hot_fix_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_9_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_1_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_2_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_3_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "servicenow",
"vendor": "servicenow",
"versions": [
{
"lessThan": "utah_patch_10_hot_fix_3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10a_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10b_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_6_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_7_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_8_hot_fix_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_9_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_1_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_2_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_3_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "servicenow",
"vendor": "servicenow",
"versions": [
{
"lessThan": "utah_patch_10_hot_fix_3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10a_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10b_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_6_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_7_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_8_hot_fix_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_9_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_1_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_2_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_3_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "servicenow",
"vendor": "servicenow",
"versions": [
{
"lessThan": "utah_patch_10_hot_fix_3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10a_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10b_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_6_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_7_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_8_hot_fix_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_9_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_1_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_2_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_3_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "servicenow",
"vendor": "servicenow",
"versions": [
{
"lessThan": "utah_patch_10_hot_fix_3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10a_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10b_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_6_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_7_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_8_hot_fix_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_9_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_1_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_2_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_3_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "servicenow",
"vendor": "servicenow",
"versions": [
{
"lessThan": "utah_patch_10_hot_fix_3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10a_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "utah_patch_10b_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_6_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_7_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_8_hot_fix_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_9_hot_fix_1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vancouver_patch_10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_1_hot_fix_3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_2_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_3_hot_fix_2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "washington_dc_patch_5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5217",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T19:00:26.864987Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-07-29",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-5217"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:49.508Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-5217"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-29T00:00:00.000Z",
"value": "CVE-2024-5217 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:03:11.097Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB1648313"
},
{
"tags": [
"x_login-required",
"x_transferred"
],
"url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB1644293"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploit"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Now Platform",
"vendor": "ServiceNow",
"versions": [
{
"lessThan": "Utah Patch 10 Hot Fix 3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Utah Patch 10a Hot Fix 2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Utah Patch 10b Hot Fix 1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Vancouver Patch 6 Hot Fix 2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Vancouver Patch 7 Hot Fix 3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Vancouver Patch 8 Hot Fix 4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Vancouver Patch 9 Hot Fix 1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Vancouver Patch 10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Washington DC Patch 1 Hot Fix 3b",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Washington DC Patch 2 Hot Fix 2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Washington DC Patch 3 Hot Fix 2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Washington DC Patch 4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "Washington DC Patch 5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adam Kues"
},
{
"lang": "en",
"type": "finder",
"value": "Assetnote Attack Surface Management"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform.\u00a0The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184 Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T22:29:22.478Z",
"orgId": "303448ea-6ef3-4077-ad29-5c9bf253c375",
"shortName": "SN"
},
"references": [
{
"url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB1648313"
},
{
"tags": [
"x_login-required"
],
"url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB1644293"
},
{
"url": "https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploit"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incomplete Input Validation in GlideExpression Script",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "303448ea-6ef3-4077-ad29-5c9bf253c375",
"assignerShortName": "SN",
"cveId": "CVE-2024-5217",
"datePublished": "2024-07-10T16:28:32.649Z",
"dateReserved": "2024-05-22T18:36:08.570Z",
"dateUpdated": "2025-10-21T22:55:49.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52595 (GCVE-0-2024-52595)
Vulnerability from cvelistv5 – Published: 2024-11-19 21:27 – Updated: 2024-11-20 15:19
VLAI
Title
HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through
Summary
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as `<svg>`, `<math>` and `<noscript>`. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content. Users employing the HTML cleaner in a security-sensitive context should upgrade to lxml 0.4.0, which addresses this issue. As a temporary mitigation, users can configure lxml_html_clean with the following settings to prevent the exploitation of this vulnerability. Via `remove_tags`, one may specify tags to remove - their content is moved to their parents' tags. Via `kill_tags`, one may specify tags to be removed completely. Via `allow_tags`, one may restrict the set of permissible tags, excluding context-switching tags like `<svg>`, `<math>` and `<noscript>`.
Severity
7.7 (High)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/fedora-python/lxml_html_clean/… | x_refsource_CONFIRM |
| https://github.com/fedora-python/lxml_html_clean/… | x_refsource_MISC |
| https://github.com/fedora-python/lxml_html_clean/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| fedora-python | lxml_html_clean |
Affected:
< 0.4.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52595",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T15:18:41.666822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T15:19:10.677Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lxml_html_clean",
"vendor": "fedora-python",
"versions": [
{
"status": "affected",
"version": "\u003c 0.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as `\u003csvg\u003e`, `\u003cmath\u003e` and `\u003cnoscript\u003e`. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content. Users employing the HTML cleaner in a security-sensitive context should upgrade to lxml 0.4.0, which addresses this issue. As a temporary mitigation, users can configure lxml_html_clean with the following settings to prevent the exploitation of this vulnerability. Via `remove_tags`, one may specify tags to remove - their content is moved to their parents\u0027 tags. Via `kill_tags`, one may specify tags to be removed completely. Via `allow_tags`, one may restrict the set of permissible tags, excluding context-switching tags like `\u003csvg\u003e`, `\u003cmath\u003e` and `\u003cnoscript\u003e`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-83",
"description": "CWE-83: Improper Neutralization of Script in Attributes in a Web Page",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T21:27:08.871Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-5jfw-gq64-q45f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-5jfw-gq64-q45f"
},
{
"name": "https://github.com/fedora-python/lxml_html_clean/pull/19",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedora-python/lxml_html_clean/pull/19"
},
{
"name": "https://github.com/fedora-python/lxml_html_clean/commit/c5d816f86eb3707d72a8ecf5f3823e0daa1b3808",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedora-python/lxml_html_clean/commit/c5d816f86eb3707d72a8ecf5f3823e0daa1b3808"
}
],
"source": {
"advisory": "GHSA-5jfw-gq64-q45f",
"discovery": "UNKNOWN"
},
"title": "HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52595",
"datePublished": "2024-11-19T21:27:08.871Z",
"dateReserved": "2024-11-14T15:05:46.768Z",
"dateUpdated": "2024-11-20T15:19:10.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-54149 (GCVE-0-2024-54149)
Vulnerability from cvelistv5 – Published: 2024-12-09 20:54 – Updated: 2024-12-10 17:13
VLAI
Title
Winter CMS Modules allows a sandbox bypass in Twig templates leading to data modification and deletion
Summary
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Winter CMS prior to versions 1.2.7, 1.1.11, and 1.0.476 allow users with access to the CMS templates sections that modify Twig files to bypass the sandbox placed on Twig files and modify resources such as theme customisation values or modify, or remove, templates in the theme even if not provided direct access via the permissions. As all objects passed through to Twig are references to the live objects, it is also possible to also manipulate model data if models are passed directly to Twig, including changing attributes or even removing records entirely. In most cases, this is unwanted behavior and potentially dangerous. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any of the following permissions: `cms.manage_layouts`; `cms.manage_pages`; or `cms.manage_partials`. The Winter CMS maintainers strongly recommend that these permissions only be reserved to trusted administrators and developers in general. The maintainers of Winter CMS have significantly increased the scope of the sandbox, effectively making all models and datasources read-only in Twig, in versions 1.2.7, 1.1.11, and 1.0.476. Thse who cannot upgrade may apply commit fb88e6fabde3b3278ce1844e581c87dcf7daee22 to their Winter CMS installation manually to resolve the issue. In the rare event that a Winter user was relying on being able to write to models/datasources within their Twig templates, they should instead use or create components to make changes to their models.
Severity
8.5 (High)
CWE
- CWE-184 - Incomplete List of Disallowed Inputs
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/wintercms/winter/security/advi… | x_refsource_CONFIRM |
| https://github.com/wintercms/winter/commit/fb88e6… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-54149",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T16:11:07.059128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T17:13:11.005Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "winter",
"vendor": "wintercms",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.7"
},
{
"status": "affected",
"version": "\u003e= 1.1.0, \u003c 1.1.11"
},
{
"status": "affected",
"version": "\u003c 1.0.476"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Winter CMS prior to versions 1.2.7, 1.1.11, and 1.0.476 allow users with access to the CMS templates sections that modify Twig files to bypass the sandbox placed on Twig files and modify resources such as theme customisation values or modify, or remove, templates in the theme even if not provided direct access via the permissions. As all objects passed through to Twig are references to the live objects, it is also possible to also manipulate model data if models are passed directly to Twig, including changing attributes or even removing records entirely. In most cases, this is unwanted behavior and potentially dangerous. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any of the following permissions: `cms.manage_layouts`; `cms.manage_pages`; or `cms.manage_partials`. The Winter CMS maintainers strongly recommend that these permissions only be reserved to trusted administrators and developers in general. The maintainers of Winter CMS have significantly increased the scope of the sandbox, effectively making all models and datasources read-only in Twig, in versions 1.2.7, 1.1.11, and 1.0.476. Thse who cannot upgrade may apply commit fb88e6fabde3b3278ce1844e581c87dcf7daee22 to their Winter CMS installation manually to resolve the issue. In the rare event that a Winter user was relying on being able to write to models/datasources within their Twig templates, they should instead use or create components to make changes to their models."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T20:54:41.797Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-xhw3-4j3m-hq53",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-xhw3-4j3m-hq53"
},
{
"name": "https://github.com/wintercms/winter/commit/fb88e6fabde3b3278ce1844e581c87dcf7daee22",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wintercms/winter/commit/fb88e6fabde3b3278ce1844e581c87dcf7daee22"
}
],
"source": {
"advisory": "GHSA-xhw3-4j3m-hq53",
"discovery": "UNKNOWN"
},
"title": "Winter CMS Modules allows a sandbox bypass in Twig templates leading to data modification and deletion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-54149",
"datePublished": "2024-12-09T20:54:41.797Z",
"dateReserved": "2024-11-29T18:02:16.756Z",
"dateUpdated": "2024-12-10T17:13:11.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Implementation
Strategy: Input Validation
Description:
- Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.
CAPEC-120: Double Encoding
The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-182: Flash Injection
An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.
CAPEC-3: Using Leading 'Ghost' Character Sequences to Bypass Input Filters
Some APIs will strip certain leading characters from a string of parameters. An adversary can intentionally introduce leading "ghost" characters (extra characters that don't affect the validity of the request at the API layer) that enable the input to pass the filters and therefore process the adversary's input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API.
CAPEC-43: Exploiting Multiple Input Interpretation Layers
An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
CAPEC-6: Argument Injection
An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
CAPEC-71: Using Unicode Encoding to Bypass Validation Logic
An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.
CAPEC-73: User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.