All the vulnerabilites related to unclebob - FitNesse
cve-2024-39610
Vulnerability from cvelistv5
Published
2024-11-15 05:26
Modified
2024-11-15 17:54
Severity ?
EPSS score ?
Summary
Cross-site scripting vulnerability exists in FitNesse releases prior to 20241026. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is using the product.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39610",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-15T17:54:20.507189Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T17:54:38.148Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FitNesse",
"vendor": "unclebob",
"versions": [
{
"status": "affected",
"version": "releases prior to 20241026"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in FitNesse releases prior to 20241026. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is using the product."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site scripting (XSS)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T05:26:37.148Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://github.com/unclebob/fitnesse/releases/tag/20241026"
},
{
"url": "https://fitnesse.org/FitNesseDownload"
},
{
"url": "https://jvn.jp/en/jp/JVN36791327/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-39610",
"datePublished": "2024-11-15T05:26:37.148Z",
"dateReserved": "2024-11-08T02:48:13.812Z",
"dateUpdated": "2024-11-15T17:54:38.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-23604
Vulnerability from cvelistv5
Published
2024-03-18 07:26
Modified
2024-08-01 23:06
Severity ?
EPSS score ?
Summary
Cross-site scripting vulnerability exists in FitNesse all releases, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with specially crafted multiple parameters.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23604",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-18T18:46:13.266065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:46:08.155Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:06:25.309Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unclebob/fitnesse"
},
{
"tags": [
"x_transferred"
],
"url": "http://fitnesse.org/FitNesseDownload"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unclebob/fitnesse/blob/master/SECURITY.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN94521208/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "FitNesse",
"vendor": "unclebob",
"versions": [
{
"status": "affected",
"version": "all releases"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in FitNesse all releases, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with specially crafted multiple parameters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-18T07:26:06.510Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://github.com/unclebob/fitnesse"
},
{
"url": "http://fitnesse.org/FitNesseDownload"
},
{
"url": "https://github.com/unclebob/fitnesse/blob/master/SECURITY.md"
},
{
"url": "https://jvn.jp/en/jp/JVN94521208/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-23604",
"datePublished": "2024-03-18T07:26:06.510Z",
"dateReserved": "2024-03-06T08:57:21.955Z",
"dateUpdated": "2024-08-01T23:06:25.309Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-42499
Vulnerability from cvelistv5
Published
2024-11-15 05:26
Modified
2024-11-18 15:17
Severity ?
EPSS score ?
Summary
Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in FitNesse releases prior to 20241026. If this vulnerability is exploited, an attacker may be able to know whether a file exists at a specific path, and/or obtain some part of the file contents under specific conditions.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fitnesse:fitnesse:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fitnesse",
"vendor": "fitnesse",
"versions": [
{
"lessThan": "20241026",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-42499",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-18T15:17:40.598545Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-18T15:17:46.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FitNesse",
"vendor": "unclebob",
"versions": [
{
"status": "affected",
"version": "releases prior to 20241026"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027) issue exists in FitNesse releases prior to 20241026. If this vulnerability is exploited, an attacker may be able to know whether a file exists at a specific path, and/or obtain some part of the file contents under specific conditions."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T05:26:23.645Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://github.com/unclebob/fitnesse/releases/tag/20241026"
},
{
"url": "https://fitnesse.org/FitNesseDownload"
},
{
"url": "https://jvn.jp/en/jp/JVN36791327/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-42499",
"datePublished": "2024-11-15T05:26:23.645Z",
"dateReserved": "2024-11-08T02:48:16.349Z",
"dateUpdated": "2024-11-18T15:17:46.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-28039
Vulnerability from cvelistv5
Published
2024-03-18 08:13
Modified
2024-08-02 00:48
Severity ?
EPSS score ?
Summary
Improper restriction of XML external entity references vulnerability exists in FitNesse all releases, which allows a remote unauthenticated attacker to obtain sensitive information, alter data, or cause a denial-of-service (DoS) condition.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fitnesse:fitnesse:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fitnesse",
"vendor": "fitnesse",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28039",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T18:17:30.666060Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T18:17:33.329Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:47.824Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unclebob/fitnesse"
},
{
"tags": [
"x_transferred"
],
"url": "http://fitnesse.org/FitNesseDownload"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unclebob/fitnesse/blob/master/SECURITY.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN94521208/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "FitNesse",
"vendor": "unclebob",
"versions": [
{
"status": "affected",
"version": "all releases"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper restriction of XML external entity references vulnerability exists in FitNesse all releases, which allows a remote unauthenticated attacker to obtain sensitive information, alter data, or cause a denial-of-service (DoS) condition."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XML external entities (XXE)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-18T08:13:26.248Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://github.com/unclebob/fitnesse"
},
{
"url": "http://fitnesse.org/FitNesseDownload"
},
{
"url": "https://github.com/unclebob/fitnesse/blob/master/SECURITY.md"
},
{
"url": "https://jvn.jp/en/jp/JVN94521208/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-28039",
"datePublished": "2024-03-18T08:13:26.248Z",
"dateReserved": "2024-03-06T08:57:25.310Z",
"dateUpdated": "2024-08-02T00:48:47.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-28125
Vulnerability from cvelistv5
Published
2024-03-18 07:26
Modified
2024-10-10 01:46
Severity ?
EPSS score ?
Summary
FitNesse all releases allows a remote authenticated attacker to execute arbitrary OS commands. Note: A contributor of FitNesse has claimed that this is not a vulnerability but a product specification and this is currently under further investigation.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:48.830Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unclebob/fitnesse"
},
{
"tags": [
"x_transferred"
],
"url": "http://fitnesse.org/FitNesseDownload"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unclebob/fitnesse/blob/master/SECURITY.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN94521208/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fitnesse:fitnesse:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fitnesse",
"vendor": "fitnesse",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T15:37:47.463538Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T15:39:34.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FitNesse",
"vendor": "unclebob",
"versions": [
{
"status": "affected",
"version": "all releases"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FitNesse all releases allows a remote authenticated attacker to execute arbitrary OS commands. Note: A contributor of FitNesse has claimed that this is not a vulnerability but a product specification and this is currently under further investigation."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T01:46:32.023Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://github.com/unclebob/fitnesse"
},
{
"url": "http://fitnesse.org/FitNesseDownload"
},
{
"url": "https://github.com/unclebob/fitnesse/blob/master/SECURITY.md"
},
{
"url": "https://jvn.jp/en/jp/JVN94521208/"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-28125",
"datePublished": "2024-03-18T07:26:21.298Z",
"dateReserved": "2024-03-06T08:57:22.986Z",
"dateUpdated": "2024-10-10T01:46:32.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-28128
Vulnerability from cvelistv5
Published
2024-03-18 07:31
Modified
2024-08-02 00:48
Severity ?
EPSS score ?
Summary
Cross-site scripting vulnerability exists in FitNesse releases prior to 20220319, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with a specially crafted certain parameter.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28128",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-20T15:28:48.322618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:03:29.530Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:48.936Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unclebob/fitnesse"
},
{
"tags": [
"x_transferred"
],
"url": "http://fitnesse.org/FitNesseDownload"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/unclebob/fitnesse/blob/master/SECURITY.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN94521208/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "FitNesse",
"vendor": "unclebob",
"versions": [
{
"status": "affected",
"version": "releases prior to 20220319"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in FitNesse releases prior to 20220319, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with a specially crafted certain parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-18T07:31:34.749Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://github.com/unclebob/fitnesse"
},
{
"url": "http://fitnesse.org/FitNesseDownload"
},
{
"url": "https://github.com/unclebob/fitnesse/blob/master/SECURITY.md"
},
{
"url": "https://jvn.jp/en/jp/JVN94521208/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-28128",
"datePublished": "2024-03-18T07:31:34.749Z",
"dateReserved": "2024-03-06T08:57:24.421Z",
"dateUpdated": "2024-08-02T00:48:48.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
jvndb-2024-000119
Vulnerability from jvndb
Published
2024-11-15 13:37
Modified
2024-11-20 11:18
Severity ?
Summary
Multiple vulnerabilities in FitNesse
Details
FitNesse provided by unclebob contains multiple vulnerabilities listed below.
<ul><li>Cross-site scripting (CWE-79) - CVE-2024-39610</li>
<li>Path traversal (CWE-22) - CVE-2024-42499</li></ul>
Takeshi Kaneko of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | https://jvn.jp/en/jp/JVN36791327/index.html | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2024-39610 | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2024-42499 | |
| Path Traversal(CWE-22) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html | |
| Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000119.html",
"dc:date": "2024-11-20T11:18+09:00",
"dcterms:issued": "2024-11-15T13:37+09:00",
"dcterms:modified": "2024-11-20T11:18+09:00",
"description": "FitNesse provided by unclebob contains multiple vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eCross-site scripting (CWE-79) - CVE-2024-39610\u003c/li\u003e\r\n\u003cli\u003ePath traversal (CWE-22) - CVE-2024-42499\u003c/li\u003e\u003c/ul\u003e\r\nTakeshi Kaneko of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000119.html",
"sec:cpe": {
"#text": "cpe:/a:fitnesse:fitnesse",
"@product": "FitNesse",
"@vendor": "unclebob",
"@version": "2.2"
},
"sec:cvss": {
"@score": "6.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-000119",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN36791327/index.html",
"@id": "JVN#36791327",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-39610",
"@id": "CVE-2024-39610",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-42499",
"@id": "CVE-2024-42499",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-22",
"@title": "Path Traversal(CWE-22)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Multiple vulnerabilities in FitNesse"
}
jvndb-2024-000032
Vulnerability from jvndb
Published
2024-03-18 14:08
Modified
2024-03-19 11:02
Severity ?
Summary
Multiple vulnerabilities in FitNesse
Details
FitNesse contains multiple vulnerabilities listed below.<ul><li>Multiple cross-site scripting (CWE-79) - CVE-2024-23604, CVE-2024-28128</li><li>Improper restriction of XML external entity references (CWE-611) -CVE-2024-28039</li><li>OS command injection (CWE-78) - CVE-2024-28125</li></ul>CVE-2024-23604, CVE-2024-28039, CVE-2024-28125
Kanta Nishitani of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2024-28128
Yutaka WATANABE of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | https://jvn.jp/en/jp/JVN94521208/index.html | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2024-23604 | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2024-28039 | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2024-28125 | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2024-28128 | |
| OS Command Injection(CWE-78) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html | |
| Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html | |
| No Mapping(CWE-Other) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000032.html",
"dc:date": "2024-03-19T11:02+09:00",
"dcterms:issued": "2024-03-18T14:08+09:00",
"dcterms:modified": "2024-03-19T11:02+09:00",
"description": "FitNesse contains multiple vulnerabilities listed below.\u003cul\u003e\u003cli\u003eMultiple cross-site scripting (CWE-79) - CVE-2024-23604, CVE-2024-28128\u003c/li\u003e\u003cli\u003eImproper restriction of XML external entity references (CWE-611) -CVE-2024-28039\u003c/li\u003e\u003cli\u003eOS command injection (CWE-78) - CVE-2024-28125\u003c/li\u003e\u003c/ul\u003eCVE-2024-23604, CVE-2024-28039, CVE-2024-28125\r\nKanta Nishitani of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2024-28128\r\nYutaka WATANABE of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000032.html",
"sec:cpe": [
{
"#text": "cpe:/a:fitnesse:fitnesse",
"@product": "FitNesse",
"@vendor": "unclebob",
"@version": "2.2"
},
{
"#text": "cpe:/a:fitnesse:fitnesse",
"@product": "FitNesse",
"@vendor": "unclebob",
"@version": "2.2"
}
],
"sec:cvss": [
{
"@score": "6.5",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "8.8",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2024-000032",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN94521208/index.html",
"@id": "JVN#94521208",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-23604",
"@id": "CVE-2024-23604",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-28039",
"@id": "CVE-2024-28039",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-28125",
"@id": "CVE-2024-28125",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-28128",
"@id": "CVE-2024-28128",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-78",
"@title": "OS Command Injection(CWE-78)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple vulnerabilities in FitNesse"
}